To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 317
- compare with another revision
- download diff
- download tarball
- view history from revision 317
- Committer: Teddy Hogeborn
- Date: 2009-02-14 18:07:05 UTC
- Revision ID: teddy@fukt.bsnet.se-20090214180705-vu6b7j4i2v2hibgg
Use "getconf" to get correct LFS compile and link flags.
* Makefile (GPGME_CFLAGS): Added output of "getconf LFS_CFLAGS".
(GPGME_LIBS): Added output of "getconf LFS_LIBS" and
"getconf LFS_LDFLAGS".
* plugins.d/mandos-client.c: Only define "_LARGEFILE_SOURCE" and
"_FILE_OFFSET_BITS" if they are not
already defined.
* Makefile (GPGME_CFLAGS): Added output of "getconf LFS_CFLAGS".
(GPGME_LIBS): Added output of "getconf LFS_LIBS" and
"getconf LFS_LDFLAGS".
* plugins.d/mandos-client.c: Only define "_LARGEFILE_SOURCE" and
"_FILE_OFFSET_BITS" if they are not
already defined.
- files removed:
- DBUS-API
- debian/source
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
31
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
34
from __future__ import division, with_statement, absolute_import
36
35
37
import SocketServer as socketserver
36
import SocketServer
38
37
import socket
39
import argparse
38
import optparse
40
39
import datetime
41
40
import errno
42
41
import gnutls.crypto
45
44
import gnutls.library.functions
46
45
import gnutls.library.constants
47
46
import gnutls.library.types
48
import ConfigParser as configparser
47
import ConfigParser
49
48
import sys
50
49
import re
51
50
import os
52
51
import signal
52
from sets import Set
53
53
import subprocess
54
54
import atexit
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
58
import pwd
59
import contextlib
60
import struct
61
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
59
from contextlib import closing
65
60
66
61
import dbus
67
62
import dbus.service
70
65
from dbus.mainloop.glib import DBusGMainLoop
71
66
import ctypes
72
67
import ctypes.util
73
import xml.dom.minidom
74
import inspect
75
76
try:
77
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
78
except AttributeError:
79
try:
80
from IN import SO_BINDTODEVICE
81
except ImportError:
82
SO_BINDTODEVICE = None
83
84
85
version = "1.3.1"
86
87
#logger = logging.getLogger('mandos')
68
69
version = "1.0.6"
70
88
71
logger = logging.Logger('mandos')
89
72
syslogger = (logging.handlers.SysLogHandler
90
73
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
91
address = str("/dev/log")))
74
address = "/dev/log"))
92
75
syslogger.setFormatter(logging.Formatter
93
76
('Mandos [%(process)d]: %(levelname)s:'
94
77
' %(message)s'))
96
79
97
80
console = logging.StreamHandler()
98
81
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
99
' %(levelname)s:'
100
' %(message)s'))
82
' %(levelname)s: %(message)s'))
101
83
logger.addHandler(console)
102
84
103
85
class AvahiError(Exception):
116
98
117
99
class AvahiService(object):
118
100
"""An Avahi (Zeroconf) service.
119
120
101
Attributes:
121
102
interface: integer; avahi.IF_UNSPEC or an interface index.
122
103
Used to optionally bind to the specified interface.
130
111
max_renames: integer; maximum number of renames
131
112
rename_count: integer; counter so we only rename after collisions
132
113
a sensible number of times
133
group: D-Bus Entry Group
134
server: D-Bus Server
135
bus: dbus.SystemBus()
136
114
"""
137
115
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
138
116
servicetype = None, port = None, TXT = None,
139
117
domain = "", host = "", max_renames = 32768,
140
protocol = avahi.PROTO_UNSPEC, bus = None):
118
protocol = avahi.PROTO_UNSPEC):
141
119
self.interface = interface
142
120
self.name = name
143
121
self.type = servicetype
148
126
self.rename_count = 0
149
127
self.max_renames = max_renames
150
128
self.protocol = protocol
151
self.group = None # our entry group
152
self.server = None
153
self.bus = bus
154
self.entry_group_state_changed_match = None
155
129
def rename(self):
156
130
"""Derived from the Avahi example code"""
157
131
if self.rename_count >= self.max_renames:
158
logger.critical("No suitable Zeroconf service name found"
159
" after %i retries, exiting.",
132
logger.critical(u"No suitable Zeroconf service name found"
133
u" after %i retries, exiting.",
160
134
self.rename_count)
161
raise AvahiServiceError("Too many renames")
162
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
163
logger.info("Changing Zeroconf service name to %r ...",
164
self.name)
135
raise AvahiServiceError(u"Too many renames")
136
self.name = server.GetAlternativeServiceName(self.name)
137
logger.info(u"Changing Zeroconf service name to %r ...",
138
str(self.name))
165
139
syslogger.setFormatter(logging.Formatter
166
('Mandos (%s) [%%(process)d]:'
167
' %%(levelname)s: %%(message)s'
168
% self.name))
140
('Mandos (%s): %%(levelname)s:'
141
' %%(message)s' % self.name))
169
142
self.remove()
170
try:
171
self.add()
172
except dbus.exceptions.DBusException as error:
173
logger.critical("DBusException: %s", error)
174
self.cleanup()
175
os._exit(1)
143
self.add()
176
144
self.rename_count += 1
177
145
def remove(self):
178
146
"""Derived from the Avahi example code"""
179
if self.entry_group_state_changed_match is not None:
180
self.entry_group_state_changed_match.remove()
181
self.entry_group_state_changed_match = None
182
if self.group is not None:
183
self.group.Reset()
147
if group is not None:
148
group.Reset()
184
149
def add(self):
185
150
"""Derived from the Avahi example code"""
186
self.remove()
187
if self.group is None:
188
self.group = dbus.Interface(
189
self.bus.get_object(avahi.DBUS_NAME,
190
self.server.EntryGroupNew()),
191
avahi.DBUS_INTERFACE_ENTRY_GROUP)
192
self.entry_group_state_changed_match = (
193
self.group.connect_to_signal(
194
'StateChanged', self .entry_group_state_changed))
195
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
196
self.name, self.type)
197
self.group.AddService(
198
self.interface,
199
self.protocol,
200
dbus.UInt32(0), # flags
201
self.name, self.type,
202
self.domain, self.host,
203
dbus.UInt16(self.port),
204
avahi.string_array_to_txt_array(self.TXT))
205
self.group.Commit()
206
def entry_group_state_changed(self, state, error):
207
"""Derived from the Avahi example code"""
208
logger.debug("Avahi entry group state change: %i", state)
209
210
if state == avahi.ENTRY_GROUP_ESTABLISHED:
211
logger.debug("Zeroconf service established.")
212
elif state == avahi.ENTRY_GROUP_COLLISION:
213
logger.info("Zeroconf service name collision.")
214
self.rename()
215
elif state == avahi.ENTRY_GROUP_FAILURE:
216
logger.critical("Avahi: Error in group state changed %s",
217
unicode(error))
218
raise AvahiGroupError("State changed: %s"
219
% unicode(error))
220
def cleanup(self):
221
"""Derived from the Avahi example code"""
222
if self.group is not None:
223
try:
224
self.group.Free()
225
except (dbus.exceptions.UnknownMethodException,
226
dbus.exceptions.DBusException) as e:
227
pass
228
self.group = None
229
self.remove()
230
def server_state_changed(self, state, error=None):
231
"""Derived from the Avahi example code"""
232
logger.debug("Avahi server state change: %i", state)
233
bad_states = { avahi.SERVER_INVALID:
234
"Zeroconf server invalid",
235
avahi.SERVER_REGISTERING: None,
236
avahi.SERVER_COLLISION:
237
"Zeroconf server name collision",
238
avahi.SERVER_FAILURE:
239
"Zeroconf server failure" }
240
if state in bad_states:
241
if bad_states[state] is not None:
242
if error is None:
243
logger.error(bad_states[state])
244
else:
245
logger.error(bad_states[state] + ": %r", error)
246
self.cleanup()
247
elif state == avahi.SERVER_RUNNING:
248
self.add()
249
else:
250
if error is None:
251
logger.debug("Unknown state: %r", state)
252
else:
253
logger.debug("Unknown state: %r: %r", state, error)
254
def activate(self):
255
"""Derived from the Avahi example code"""
256
if self.server is None:
257
self.server = dbus.Interface(
258
self.bus.get_object(avahi.DBUS_NAME,
259
avahi.DBUS_PATH_SERVER,
260
follow_name_owner_changes=True),
261
avahi.DBUS_INTERFACE_SERVER)
262
self.server.connect_to_signal("StateChanged",
263
self.server_state_changed)
264
self.server_state_changed(self.server.GetState())
265
266
267
def _timedelta_to_milliseconds(td):
268
"Convert a datetime.timedelta() to milliseconds"
269
return ((td.days * 24 * 60 * 60 * 1000)
270
+ (td.seconds * 1000)
271
+ (td.microseconds // 1000))
272
273
class Client(object):
151
global group
152
if group is None:
153
group = dbus.Interface(bus.get_object
154
(avahi.DBUS_NAME,
155
server.EntryGroupNew()),
156
avahi.DBUS_INTERFACE_ENTRY_GROUP)
157
group.connect_to_signal('StateChanged',
158
entry_group_state_changed)
159
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
160
service.name, service.type)
161
group.AddService(
162
self.interface, # interface
163
self.protocol, # protocol
164
dbus.UInt32(0), # flags
165
self.name, self.type,
166
self.domain, self.host,
167
dbus.UInt16(self.port),
168
avahi.string_array_to_txt_array(self.TXT))
169
group.Commit()
170
171
# From the Avahi example code:
172
group = None # our entry group
173
# End of Avahi example code
174
175
176
def _datetime_to_dbus(dt, variant_level=0):
177
"""Convert a UTC datetime.datetime() to a D-Bus type."""
178
return dbus.String(dt.isoformat(), variant_level=variant_level)
179
180
181
class Client(dbus.service.Object):
274
182
"""A representation of a client host served by this server.
275
276
183
Attributes:
277
_approved: bool(); 'None' if not yet approved/disapproved
278
approval_delay: datetime.timedelta(); Time to wait for approval
279
approval_duration: datetime.timedelta(); Duration of one approval
184
name: string; from the config file, used in log messages and
185
D-Bus identifiers
186
fingerprint: string (40 or 32 hexadecimal digits); used to
187
uniquely identify the client
188
secret: bytestring; sent verbatim (over TLS) to client
189
host: string; available for use by the checker command
190
created: datetime.datetime(); (UTC) object creation
191
last_enabled: datetime.datetime(); (UTC)
192
enabled: bool()
193
last_checked_ok: datetime.datetime(); (UTC) or None
194
timeout: datetime.timedelta(); How long from last_checked_ok
195
until this client is invalid
196
interval: datetime.timedelta(); How often to start a new checker
197
disable_hook: If set, called by disable() as disable_hook(self)
280
198
checker: subprocess.Popen(); a running checker process used
281
199
to see if the client lives.
282
200
'None' if no process is running.
283
checker_callback_tag: a gobject event source tag, or None
284
checker_command: string; External command which is run to check
285
if client lives. %() expansions are done at
201
checker_initiator_tag: a gobject event source tag, or None
202
disable_initiator_tag: - '' -
203
checker_callback_tag: - '' -
204
checker_command: string; External command which is run to check if
205
client lives. %() expansions are done at
286
206
runtime with vars(self) as dict, so that for
287
207
instance %(name)s can be used in the command.
288
checker_initiator_tag: a gobject event source tag, or None
289
created: datetime.datetime(); (UTC) object creation
290
208
current_checker_command: string; current running checker_command
291
disable_hook: If set, called by disable() as disable_hook(self)
292
disable_initiator_tag: a gobject event source tag, or None
293
enabled: bool()
294
fingerprint: string (40 or 32 hexadecimal digits); used to
295
uniquely identify the client
296
host: string; available for use by the checker command
297
interval: datetime.timedelta(); How often to start a new checker
298
last_approval_request: datetime.datetime(); (UTC) or None
299
last_checked_ok: datetime.datetime(); (UTC) or None
300
last_enabled: datetime.datetime(); (UTC)
301
name: string; from the config file, used in log messages and
302
D-Bus identifiers
303
secret: bytestring; sent verbatim (over TLS) to client
304
timeout: datetime.timedelta(); How long from last_checked_ok
305
until this client is disabled
306
extended_timeout: extra long timeout when password has been sent
307
runtime_expansions: Allowed attributes for runtime expansion.
308
expires: datetime.datetime(); time (UTC) when a client will be
309
disabled, or None
209
use_dbus: bool(); Whether to provide D-Bus interface and signals
210
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
310
211
"""
311
312
runtime_expansions = ("approval_delay", "approval_duration",
313
"created", "enabled", "fingerprint",
314
"host", "interval", "last_checked_ok",
315
"last_enabled", "name", "timeout")
316
317
212
def timeout_milliseconds(self):
318
213
"Return the 'timeout' attribute in milliseconds"
319
return _timedelta_to_milliseconds(self.timeout)
320
321
def extended_timeout_milliseconds(self):
322
"Return the 'extended_timeout' attribute in milliseconds"
323
return _timedelta_to_milliseconds(self.extended_timeout)
214
return ((self.timeout.days * 24 * 60 * 60 * 1000)
215
+ (self.timeout.seconds * 1000)
216
+ (self.timeout.microseconds // 1000))
324
217
325
218
def interval_milliseconds(self):
326
219
"Return the 'interval' attribute in milliseconds"
327
return _timedelta_to_milliseconds(self.interval)
328
329
def approval_delay_milliseconds(self):
330
return _timedelta_to_milliseconds(self.approval_delay)
331
332
def __init__(self, name = None, disable_hook=None, config=None):
220
return ((self.interval.days * 24 * 60 * 60 * 1000)
221
+ (self.interval.seconds * 1000)
222
+ (self.interval.microseconds // 1000))
223
224
def __init__(self, name = None, disable_hook=None, config=None,
225
use_dbus=True):
333
226
"""Note: the 'checker' key in 'config' sets the
334
227
'checker_command' attribute and *not* the 'checker'
335
228
attribute."""
336
229
self.name = name
337
230
if config is None:
338
231
config = {}
339
logger.debug("Creating client %r", self.name)
232
logger.debug(u"Creating client %r", self.name)
233
self.use_dbus = False # During __init__
340
234
# Uppercase and remove spaces from fingerprint for later
341
235
# comparison purposes with return value from the fingerprint()
342
236
# function
343
237
self.fingerprint = (config["fingerprint"].upper()
344
.replace(" ", ""))
345
logger.debug(" Fingerprint: %s", self.fingerprint)
238
.replace(u" ", u""))
239
logger.debug(u" Fingerprint: %s", self.fingerprint)
346
240
if "secret" in config:
347
self.secret = config["secret"].decode("base64")
241
self.secret = config["secret"].decode(u"base64")
348
242
elif "secfile" in config:
349
with open(os.path.expanduser(os.path.expandvars
350
(config["secfile"])),
351
"rb") as secfile:
243
with closing(open(os.path.expanduser
244
(os.path.expandvars
245
(config["secfile"])))) as secfile:
352
246
self.secret = secfile.read()
353
247
else:
354
raise TypeError("No secret or secfile for client %s"
248
raise TypeError(u"No secret or secfile for client %s"
355
249
% self.name)
356
250
self.host = config.get("host", "")
357
251
self.created = datetime.datetime.utcnow()
358
252
self.enabled = False
359
self.last_approval_request = None
360
253
self.last_enabled = None
361
254
self.last_checked_ok = None
362
255
self.timeout = string_to_delta(config["timeout"])
363
self.extended_timeout = string_to_delta(config["extended_timeout"])
364
256
self.interval = string_to_delta(config["interval"])
365
257
self.disable_hook = disable_hook
366
258
self.checker = None
367
259
self.checker_initiator_tag = None
368
260
self.disable_initiator_tag = None
369
self.expires = None
370
261
self.checker_callback_tag = None
371
262
self.checker_command = config["checker"]
372
263
self.current_checker_command = None
373
264
self.last_connect = None
374
self._approved = None
375
self.approved_by_default = config.get("approved_by_default",
376
True)
377
self.approvals_pending = 0
378
self.approval_delay = string_to_delta(
379
config["approval_delay"])
380
self.approval_duration = string_to_delta(
381
config["approval_duration"])
382
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
265
# Only now, when this client is initialized, can it show up on
266
# the D-Bus
267
self.use_dbus = use_dbus
268
if self.use_dbus:
269
self.dbus_object_path = (dbus.ObjectPath
270
("/clients/"
271
+ self.name.replace(".", "_")))
272
dbus.service.Object.__init__(self, bus,
273
self.dbus_object_path)
383
274
384
def send_changedstate(self):
385
self.changedstate.acquire()
386
self.changedstate.notify_all()
387
self.changedstate.release()
388
389
275
def enable(self):
390
276
"""Start this client's checker and timeout hooks"""
391
if getattr(self, "enabled", False):
392
# Already enabled
393
return
394
self.send_changedstate()
277
self.last_enabled = datetime.datetime.utcnow()
395
278
# Schedule a new checker to be started an 'interval' from now,
396
279
# and every interval from then on.
397
280
self.checker_initiator_tag = (gobject.timeout_add
398
281
(self.interval_milliseconds(),
399
282
self.start_checker))
283
# Also start a new checker *right now*.
284
self.start_checker()
400
285
# Schedule a disable() when 'timeout' has passed
401
self.expires = datetime.datetime.utcnow() + self.timeout
402
286
self.disable_initiator_tag = (gobject.timeout_add
403
287
(self.timeout_milliseconds(),
404
288
self.disable))
405
289
self.enabled = True
406
self.last_enabled = datetime.datetime.utcnow()
407
# Also start a new checker *right now*.
408
self.start_checker()
290
if self.use_dbus:
291
# Emit D-Bus signals
292
self.PropertyChanged(dbus.String(u"enabled"),
293
dbus.Boolean(True, variant_level=1))
294
self.PropertyChanged(dbus.String(u"last_enabled"),
295
(_datetime_to_dbus(self.last_enabled,
296
variant_level=1)))
409
297
410
def disable(self, quiet=True):
298
def disable(self):
411
299
"""Disable this client."""
412
300
if not getattr(self, "enabled", False):
413
301
return False
414
if not quiet:
415
self.send_changedstate()
416
if not quiet:
417
logger.info("Disabling client %s", self.name)
302
logger.info(u"Disabling client %s", self.name)
418
303
if getattr(self, "disable_initiator_tag", False):
419
304
gobject.source_remove(self.disable_initiator_tag)
420
305
self.disable_initiator_tag = None
421
self.expires = None
422
306
if getattr(self, "checker_initiator_tag", False):
423
307
gobject.source_remove(self.checker_initiator_tag)
424
308
self.checker_initiator_tag = None
426
310
if self.disable_hook:
427
311
self.disable_hook(self)
428
312
self.enabled = False
313
if self.use_dbus:
314
# Emit D-Bus signal
315
self.PropertyChanged(dbus.String(u"enabled"),
316
dbus.Boolean(False, variant_level=1))
429
317
# Do not run this again if called by a gobject.timeout_add
430
318
return False
431
319
437
325
"""The checker has completed, so take appropriate actions."""
438
326
self.checker_callback_tag = None
439
327
self.checker = None
328
if self.use_dbus:
329
# Emit D-Bus signal
330
self.PropertyChanged(dbus.String(u"checker_running"),
331
dbus.Boolean(False, variant_level=1))
440
332
if os.WIFEXITED(condition):
441
333
exitstatus = os.WEXITSTATUS(condition)
442
334
if exitstatus == 0:
443
logger.info("Checker for %(name)s succeeded",
335
logger.info(u"Checker for %(name)s succeeded",
444
336
vars(self))
445
337
self.checked_ok()
446
338
else:
447
logger.info("Checker for %(name)s failed",
339
logger.info(u"Checker for %(name)s failed",
448
340
vars(self))
341
if self.use_dbus:
342
# Emit D-Bus signal
343
self.CheckerCompleted(dbus.Int16(exitstatus),
344
dbus.Int64(condition),
345
dbus.String(command))
449
346
else:
450
logger.warning("Checker for %(name)s crashed?",
347
logger.warning(u"Checker for %(name)s crashed?",
451
348
vars(self))
349
if self.use_dbus:
350
# Emit D-Bus signal
351
self.CheckerCompleted(dbus.Int16(-1),
352
dbus.Int64(condition),
353
dbus.String(command))
452
354
453
def checked_ok(self, timeout=None):
355
def checked_ok(self):
454
356
"""Bump up the timeout for this client.
455
456
357
This should only be called when the client has been seen,
457
358
alive and well.
458
359
"""
459
if timeout is None:
460
timeout = self.timeout
461
360
self.last_checked_ok = datetime.datetime.utcnow()
462
361
gobject.source_remove(self.disable_initiator_tag)
463
self.expires = datetime.datetime.utcnow() + timeout
464
362
self.disable_initiator_tag = (gobject.timeout_add
465
(_timedelta_to_milliseconds(timeout),
363
(self.timeout_milliseconds(),
466
364
self.disable))
467
468
def need_approval(self):
469
self.last_approval_request = datetime.datetime.utcnow()
365
if self.use_dbus:
366
# Emit D-Bus signal
367
self.PropertyChanged(
368
dbus.String(u"last_checked_ok"),
369
(_datetime_to_dbus(self.last_checked_ok,
370
variant_level=1)))
470
371
471
372
def start_checker(self):
472
373
"""Start a new checker subprocess if one is not running.
473
474
374
If a checker already exists, leave it running and do
475
375
nothing."""
476
376
# The reason for not killing a running checker is that if we
479
379
# client would inevitably timeout, since no checker would get
480
380
# a chance to run to completion. If we instead leave running
481
381
# checkers alone, the checker would have to take more time
482
# than 'timeout' for the client to be disabled, which is as it
483
# should be.
382
# than 'timeout' for the client to be declared invalid, which
383
# is as it should be.
484
384
485
385
# If a checker exists, make sure it is not a zombie
486
try:
386
if self.checker is not None:
487
387
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
488
except (AttributeError, OSError) as error:
489
if (isinstance(error, OSError)
490
and error.errno != errno.ECHILD):
491
raise error
492
else:
493
388
if pid:
494
389
logger.warning("Checker was a zombie")
495
390
gobject.source_remove(self.checker_callback_tag)
502
397
command = self.checker_command % self.host
503
398
except TypeError:
504
399
# Escape attributes for the shell
505
escaped_attrs = dict(
506
(attr,
507
re.escape(unicode(str(getattr(self, attr, "")),
508
errors=
509
'replace')))
510
for attr in
511
self.runtime_expansions)
512
400
escaped_attrs = dict((key, re.escape(str(val)))
401
for key, val in
402
vars(self).iteritems())
513
403
try:
514
404
command = self.checker_command % escaped_attrs
515
except TypeError as error:
516
logger.error('Could not format string "%s":'
517
' %s', self.checker_command, error)
405
except TypeError, error:
406
logger.error(u'Could not format string "%s":'
407
u' %s', self.checker_command, error)
518
408
return True # Try again later
519
self.current_checker_command = command
409
self.current_checker_command = command
520
410
try:
521
logger.info("Starting checker %r for %s",
411
logger.info(u"Starting checker %r for %s",
522
412
command, self.name)
523
413
# We don't need to redirect stdout and stderr, since
524
414
# in normal mode, that is already done by daemon(),
527
417
self.checker = subprocess.Popen(command,
528
418
close_fds=True,
529
419
shell=True, cwd="/")
420
if self.use_dbus:
421
# Emit D-Bus signal
422
self.CheckerStarted(command)
423
self.PropertyChanged(
424
dbus.String("checker_running"),
425
dbus.Boolean(True, variant_level=1))
530
426
self.checker_callback_tag = (gobject.child_watch_add
531
427
(self.checker.pid,
532
428
self.checker_callback,
537
433
if pid:
538
434
gobject.source_remove(self.checker_callback_tag)
539
435
self.checker_callback(pid, status, command)
540
except OSError as error:
541
logger.error("Failed to start subprocess: %s",
436
except OSError, error:
437
logger.error(u"Failed to start subprocess: %s",
542
438
error)
543
439
# Re-run this periodically if run by gobject.timeout_add
544
440
return True
550
446
self.checker_callback_tag = None
551
447
if getattr(self, "checker", None) is None:
552
448
return
553
logger.debug("Stopping checker for %(name)s", vars(self))
449
logger.debug(u"Stopping checker for %(name)s", vars(self))
554
450
try:
555
451
os.kill(self.checker.pid, signal.SIGTERM)
556
#time.sleep(0.5)
452
#os.sleep(0.5)
557
453
#if self.checker.poll() is None:
558
454
# os.kill(self.checker.pid, signal.SIGKILL)
559
except OSError as error:
455
except OSError, error:
560
456
if error.errno != errno.ESRCH: # No such process
561
457
raise
562
458
self.checker = None
563
564
565
def dbus_service_property(dbus_interface, signature="v",
566
access="readwrite", byte_arrays=False):
567
"""Decorators for marking methods of a DBusObjectWithProperties to
568
become properties on the D-Bus.
569
570
The decorated method will be called with no arguments by "Get"
571
and with one argument by "Set".
572
573
The parameters, where they are supported, are the same as
574
dbus.service.method, except there is only "signature", since the
575
type from Get() and the type sent to Set() is the same.
576
"""
577
# Encoding deeply encoded byte arrays is not supported yet by the
578
# "Set" method, so we fail early here:
579
if byte_arrays and signature != "ay":
580
raise ValueError("Byte arrays not supported for non-'ay'"
581
" signature %r" % signature)
582
def decorator(func):
583
func._dbus_is_property = True
584
func._dbus_interface = dbus_interface
585
func._dbus_signature = signature
586
func._dbus_access = access
587
func._dbus_name = func.__name__
588
if func._dbus_name.endswith("_dbus_property"):
589
func._dbus_name = func._dbus_name[:-14]
590
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
591
return func
592
return decorator
593
594
595
class DBusPropertyException(dbus.exceptions.DBusException):
596
"""A base class for D-Bus property-related exceptions
597
"""
598
def __unicode__(self):
599
return unicode(str(self))
600
601
602
class DBusPropertyAccessException(DBusPropertyException):
603
"""A property's access permissions disallows an operation.
604
"""
605
pass
606
607
608
class DBusPropertyNotFound(DBusPropertyException):
609
"""An attempt was made to access a non-existing property.
610
"""
611
pass
612
613
614
class DBusObjectWithProperties(dbus.service.Object):
615
"""A D-Bus object with properties.
616
617
Classes inheriting from this can use the dbus_service_property
618
decorator to expose methods as D-Bus properties. It exposes the
619
standard Get(), Set(), and GetAll() methods on the D-Bus.
620
"""
621
622
@staticmethod
623
def _is_dbus_property(obj):
624
return getattr(obj, "_dbus_is_property", False)
625
626
def _get_all_dbus_properties(self):
627
"""Returns a generator of (name, attribute) pairs
628
"""
629
return ((prop._dbus_name, prop)
630
for name, prop in
631
inspect.getmembers(self, self._is_dbus_property))
632
633
def _get_dbus_property(self, interface_name, property_name):
634
"""Returns a bound method if one exists which is a D-Bus
635
property with the specified name and interface.
636
"""
637
for name in (property_name,
638
property_name + "_dbus_property"):
639
prop = getattr(self, name, None)
640
if (prop is None
641
or not self._is_dbus_property(prop)
642
or prop._dbus_name != property_name
643
or (interface_name and prop._dbus_interface
644
and interface_name != prop._dbus_interface)):
645
continue
646
return prop
647
# No such property
648
raise DBusPropertyNotFound(self.dbus_object_path + ":"
649
+ interface_name + "."
650
+ property_name)
651
652
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
653
out_signature="v")
654
def Get(self, interface_name, property_name):
655
"""Standard D-Bus property Get() method, see D-Bus standard.
656
"""
657
prop = self._get_dbus_property(interface_name, property_name)
658
if prop._dbus_access == "write":
659
raise DBusPropertyAccessException(property_name)
660
value = prop()
661
if not hasattr(value, "variant_level"):
662
return value
663
return type(value)(value, variant_level=value.variant_level+1)
664
665
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
666
def Set(self, interface_name, property_name, value):
667
"""Standard D-Bus property Set() method, see D-Bus standard.
668
"""
669
prop = self._get_dbus_property(interface_name, property_name)
670
if prop._dbus_access == "read":
671
raise DBusPropertyAccessException(property_name)
672
if prop._dbus_get_args_options["byte_arrays"]:
673
# The byte_arrays option is not supported yet on
674
# signatures other than "ay".
675
if prop._dbus_signature != "ay":
676
raise ValueError
677
value = dbus.ByteArray(''.join(unichr(byte)
678
for byte in value))
679
prop(value)
680
681
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
682
out_signature="a{sv}")
683
def GetAll(self, interface_name):
684
"""Standard D-Bus property GetAll() method, see D-Bus
685
standard.
686
687
Note: Will not include properties with access="write".
688
"""
689
all = {}
690
for name, prop in self._get_all_dbus_properties():
691
if (interface_name
692
and interface_name != prop._dbus_interface):
693
# Interface non-empty but did not match
694
continue
695
# Ignore write-only properties
696
if prop._dbus_access == "write":
697
continue
698
value = prop()
699
if not hasattr(value, "variant_level"):
700
all[name] = value
701
continue
702
all[name] = type(value)(value, variant_level=
703
value.variant_level+1)
704
return dbus.Dictionary(all, signature="sv")
705
706
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
707
out_signature="s",
708
path_keyword='object_path',
709
connection_keyword='connection')
710
def Introspect(self, object_path, connection):
711
"""Standard D-Bus method, overloaded to insert property tags.
712
"""
713
xmlstring = dbus.service.Object.Introspect(self, object_path,
714
connection)
715
try:
716
document = xml.dom.minidom.parseString(xmlstring)
717
def make_tag(document, name, prop):
718
e = document.createElement("property")
719
e.setAttribute("name", name)
720
e.setAttribute("type", prop._dbus_signature)
721
e.setAttribute("access", prop._dbus_access)
722
return e
723
for if_tag in document.getElementsByTagName("interface"):
724
for tag in (make_tag(document, name, prop)
725
for name, prop
726
in self._get_all_dbus_properties()
727
if prop._dbus_interface
728
== if_tag.getAttribute("name")):
729
if_tag.appendChild(tag)
730
# Add the names to the return values for the
731
# "org.freedesktop.DBus.Properties" methods
732
if (if_tag.getAttribute("name")
733
== "org.freedesktop.DBus.Properties"):
734
for cn in if_tag.getElementsByTagName("method"):
735
if cn.getAttribute("name") == "Get":
736
for arg in cn.getElementsByTagName("arg"):
737
if (arg.getAttribute("direction")
738
== "out"):
739
arg.setAttribute("name", "value")
740
elif cn.getAttribute("name") == "GetAll":
741
for arg in cn.getElementsByTagName("arg"):
742
if (arg.getAttribute("direction")
743
== "out"):
744
arg.setAttribute("name", "props")
745
xmlstring = document.toxml("utf-8")
746
document.unlink()
747
except (AttributeError, xml.dom.DOMException,
748
xml.parsers.expat.ExpatError) as error:
749
logger.error("Failed to override Introspection method",
750
error)
751
return xmlstring
752
753
754
def datetime_to_dbus (dt, variant_level=0):
755
"""Convert a UTC datetime.datetime() to a D-Bus type."""
756
if dt is None:
757
return dbus.String("", variant_level = variant_level)
758
return dbus.String(dt.isoformat(),
759
variant_level=variant_level)
760
761
762
class ClientDBus(Client, DBusObjectWithProperties):
763
"""A Client class using D-Bus
764
765
Attributes:
766
dbus_object_path: dbus.ObjectPath
767
bus: dbus.SystemBus()
768
"""
769
770
runtime_expansions = (Client.runtime_expansions
771
+ ("dbus_object_path",))
772
773
# dbus.service.Object doesn't use super(), so we can't either.
774
775
def __init__(self, bus = None, *args, **kwargs):
776
self._approvals_pending = 0
777
self.bus = bus
778
Client.__init__(self, *args, **kwargs)
779
# Only now, when this client is initialized, can it show up on
780
# the D-Bus
781
client_object_name = unicode(self.name).translate(
782
{ord("."): ord("_"),
783
ord("-"): ord("_")})
784
self.dbus_object_path = (dbus.ObjectPath
785
("/clients/" + client_object_name))
786
DBusObjectWithProperties.__init__(self, self.bus,
787
self.dbus_object_path)
788
789
def notifychangeproperty(transform_func,
790
dbus_name, type_func=lambda x: x,
791
variant_level=1):
792
""" Modify a variable so that its a property that announce its
793
changes to DBus.
794
transform_fun: Function that takes a value and transform it to
795
DBus type.
796
dbus_name: DBus name of the variable
797
type_func: Function that transform the value before sending it
798
to DBus
799
variant_level: DBus variant level. default: 1
800
"""
801
real_value = [None,]
802
def setter(self, value):
803
old_value = real_value[0]
804
real_value[0] = value
805
if hasattr(self, "dbus_object_path"):
806
if type_func(old_value) != type_func(real_value[0]):
807
dbus_value = transform_func(type_func(real_value[0]),
808
variant_level)
809
self.PropertyChanged(dbus.String(dbus_name),
810
dbus_value)
811
812
return property(lambda self: real_value[0], setter)
813
814
815
expires = notifychangeproperty(datetime_to_dbus, "Expires")
816
approvals_pending = notifychangeproperty(dbus.Boolean,
817
"ApprovalPending",
818
type_func = bool)
819
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
820
last_enabled = notifychangeproperty(datetime_to_dbus,
821
"LastEnabled")
822
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
823
type_func = lambda checker: checker is not None)
824
last_checked_ok = notifychangeproperty(datetime_to_dbus,
825
"LastCheckedOK")
826
last_approval_request = notifychangeproperty(datetime_to_dbus,
827
"LastApprovalRequest")
828
approved_by_default = notifychangeproperty(dbus.Boolean,
829
"ApprovedByDefault")
830
approval_delay = notifychangeproperty(dbus.UInt16, "ApprovalDelay",
831
type_func = _timedelta_to_milliseconds)
832
approval_duration = notifychangeproperty(dbus.UInt16, "ApprovalDuration",
833
type_func = _timedelta_to_milliseconds)
834
host = notifychangeproperty(dbus.String, "Host")
835
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
836
type_func = _timedelta_to_milliseconds)
837
extended_timeout = notifychangeproperty(dbus.UInt16, "ExtendedTimeout",
838
type_func = _timedelta_to_milliseconds)
839
interval = notifychangeproperty(dbus.UInt16, "Interval",
840
type_func = _timedelta_to_milliseconds)
841
checker_command = notifychangeproperty(dbus.String, "Checker")
842
843
del notifychangeproperty
844
845
def __del__(self, *args, **kwargs):
846
try:
847
self.remove_from_connection()
848
except LookupError:
849
pass
850
if hasattr(DBusObjectWithProperties, "__del__"):
851
DBusObjectWithProperties.__del__(self, *args, **kwargs)
852
Client.__del__(self, *args, **kwargs)
853
854
def checker_callback(self, pid, condition, command,
855
*args, **kwargs):
856
self.checker_callback_tag = None
857
self.checker = None
858
if os.WIFEXITED(condition):
859
exitstatus = os.WEXITSTATUS(condition)
860
# Emit D-Bus signal
861
self.CheckerCompleted(dbus.Int16(exitstatus),
862
dbus.Int64(condition),
863
dbus.String(command))
864
else:
865
# Emit D-Bus signal
866
self.CheckerCompleted(dbus.Int16(-1),
867
dbus.Int64(condition),
868
dbus.String(command))
869
870
return Client.checker_callback(self, pid, condition, command,
871
*args, **kwargs)
872
873
def start_checker(self, *args, **kwargs):
874
old_checker = self.checker
875
if self.checker is not None:
876
old_checker_pid = self.checker.pid
877
else:
878
old_checker_pid = None
879
r = Client.start_checker(self, *args, **kwargs)
880
# Only if new checker process was started
881
if (self.checker is not None
882
and old_checker_pid != self.checker.pid):
883
# Emit D-Bus signal
884
self.CheckerStarted(self.current_checker_command)
885
return r
886
887
def _reset_approved(self):
888
self._approved = None
889
return False
890
891
def approve(self, value=True):
892
self.send_changedstate()
893
self._approved = value
894
gobject.timeout_add(_timedelta_to_milliseconds
895
(self.approval_duration),
896
self._reset_approved)
897
898
899
## D-Bus methods, signals & properties
900
_interface = "se.bsnet.fukt.Mandos.Client"
901
902
## Signals
459
if self.use_dbus:
460
self.PropertyChanged(dbus.String(u"checker_running"),
461
dbus.Boolean(False, variant_level=1))
462
463
def still_valid(self):
464
"""Has the timeout not yet passed for this client?"""
465
if not getattr(self, "enabled", False):
466
return False
467
now = datetime.datetime.utcnow()
468
if self.last_checked_ok is None:
469
return now < (self.created + self.timeout)
470
else:
471
return now < (self.last_checked_ok + self.timeout)
472
473
## D-Bus methods & signals
474
_interface = u"se.bsnet.fukt.Mandos.Client"
475
476
# CheckedOK - method
477
CheckedOK = dbus.service.method(_interface)(checked_ok)
478
CheckedOK.__name__ = "CheckedOK"
903
479
904
480
# CheckerCompleted - signal
905
481
@dbus.service.signal(_interface, signature="nxs")
913
489
"D-Bus signal"
914
490
pass
915
491
492
# GetAllProperties - method
493
@dbus.service.method(_interface, out_signature="a{sv}")
494
def GetAllProperties(self):
495
"D-Bus method"
496
return dbus.Dictionary({
497
dbus.String("name"):
498
dbus.String(self.name, variant_level=1),
499
dbus.String("fingerprint"):
500
dbus.String(self.fingerprint, variant_level=1),
501
dbus.String("host"):
502
dbus.String(self.host, variant_level=1),
503
dbus.String("created"):
504
_datetime_to_dbus(self.created, variant_level=1),
505
dbus.String("last_enabled"):
506
(_datetime_to_dbus(self.last_enabled,
507
variant_level=1)
508
if self.last_enabled is not None
509
else dbus.Boolean(False, variant_level=1)),
510
dbus.String("enabled"):
511
dbus.Boolean(self.enabled, variant_level=1),
512
dbus.String("last_checked_ok"):
513
(_datetime_to_dbus(self.last_checked_ok,
514
variant_level=1)
515
if self.last_checked_ok is not None
516
else dbus.Boolean (False, variant_level=1)),
517
dbus.String("timeout"):
518
dbus.UInt64(self.timeout_milliseconds(),
519
variant_level=1),
520
dbus.String("interval"):
521
dbus.UInt64(self.interval_milliseconds(),
522
variant_level=1),
523
dbus.String("checker"):
524
dbus.String(self.checker_command,
525
variant_level=1),
526
dbus.String("checker_running"):
527
dbus.Boolean(self.checker is not None,
528
variant_level=1),
529
dbus.String("object_path"):
530
dbus.ObjectPath(self.dbus_object_path,
531
variant_level=1)
532
}, signature="sv")
533
534
# IsStillValid - method
535
IsStillValid = (dbus.service.method(_interface, out_signature="b")
536
(still_valid))
537
IsStillValid.__name__ = "IsStillValid"
538
916
539
# PropertyChanged - signal
917
540
@dbus.service.signal(_interface, signature="sv")
918
541
def PropertyChanged(self, property, value):
919
542
"D-Bus signal"
920
543
pass
921
544
922
# GotSecret - signal
923
@dbus.service.signal(_interface)
924
def GotSecret(self):
925
"""D-Bus signal
926
Is sent after a successful transfer of secret from the Mandos
927
server to mandos-client
928
"""
929
pass
930
931
# Rejected - signal
932
@dbus.service.signal(_interface, signature="s")
933
def Rejected(self, reason):
934
"D-Bus signal"
935
pass
936
937
# NeedApproval - signal
938
@dbus.service.signal(_interface, signature="tb")
939
def NeedApproval(self, timeout, default):
940
"D-Bus signal"
941
return self.need_approval()
942
943
## Methods
944
945
# Approve - method
946
@dbus.service.method(_interface, in_signature="b")
947
def Approve(self, value):
948
self.approve(value)
949
950
# CheckedOK - method
951
@dbus.service.method(_interface)
952
def CheckedOK(self):
953
self.checked_ok()
545
# SetChecker - method
546
@dbus.service.method(_interface, in_signature="s")
547
def SetChecker(self, checker):
548
"D-Bus setter method"
549
self.checker_command = checker
550
# Emit D-Bus signal
551
self.PropertyChanged(dbus.String(u"checker"),
552
dbus.String(self.checker_command,
553
variant_level=1))
554
555
# SetHost - method
556
@dbus.service.method(_interface, in_signature="s")
557
def SetHost(self, host):
558
"D-Bus setter method"
559
self.host = host
560
# Emit D-Bus signal
561
self.PropertyChanged(dbus.String(u"host"),
562
dbus.String(self.host, variant_level=1))
563
564
# SetInterval - method
565
@dbus.service.method(_interface, in_signature="t")
566
def SetInterval(self, milliseconds):
567
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
568
# Emit D-Bus signal
569
self.PropertyChanged(dbus.String(u"interval"),
570
(dbus.UInt64(self.interval_milliseconds(),
571
variant_level=1)))
572
573
# SetSecret - method
574
@dbus.service.method(_interface, in_signature="ay",
575
byte_arrays=True)
576
def SetSecret(self, secret):
577
"D-Bus setter method"
578
self.secret = str(secret)
579
580
# SetTimeout - method
581
@dbus.service.method(_interface, in_signature="t")
582
def SetTimeout(self, milliseconds):
583
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
584
# Emit D-Bus signal
585
self.PropertyChanged(dbus.String(u"timeout"),
586
(dbus.UInt64(self.timeout_milliseconds(),
587
variant_level=1)))
954
588
955
589
# Enable - method
956
@dbus.service.method(_interface)
957
def Enable(self):
958
"D-Bus method"
959
self.enable()
590
Enable = dbus.service.method(_interface)(enable)
591
Enable.__name__ = "Enable"
960
592
961
593
# StartChecker - method
962
594
@dbus.service.method(_interface)
971
603
self.disable()
972
604
973
605
# StopChecker - method
974
@dbus.service.method(_interface)
975
def StopChecker(self):
976
self.stop_checker()
977
978
## Properties
979
980
# ApprovalPending - property
981
@dbus_service_property(_interface, signature="b", access="read")
982
def ApprovalPending_dbus_property(self):
983
return dbus.Boolean(bool(self.approvals_pending))
984
985
# ApprovedByDefault - property
986
@dbus_service_property(_interface, signature="b",
987
access="readwrite")
988
def ApprovedByDefault_dbus_property(self, value=None):
989
if value is None: # get
990
return dbus.Boolean(self.approved_by_default)
991
self.approved_by_default = bool(value)
992
993
# ApprovalDelay - property
994
@dbus_service_property(_interface, signature="t",
995
access="readwrite")
996
def ApprovalDelay_dbus_property(self, value=None):
997
if value is None: # get
998
return dbus.UInt64(self.approval_delay_milliseconds())
999
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1000
1001
# ApprovalDuration - property
1002
@dbus_service_property(_interface, signature="t",
1003
access="readwrite")
1004
def ApprovalDuration_dbus_property(self, value=None):
1005
if value is None: # get
1006
return dbus.UInt64(_timedelta_to_milliseconds(
1007
self.approval_duration))
1008
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1009
1010
# Name - property
1011
@dbus_service_property(_interface, signature="s", access="read")
1012
def Name_dbus_property(self):
1013
return dbus.String(self.name)
1014
1015
# Fingerprint - property
1016
@dbus_service_property(_interface, signature="s", access="read")
1017
def Fingerprint_dbus_property(self):
1018
return dbus.String(self.fingerprint)
1019
1020
# Host - property
1021
@dbus_service_property(_interface, signature="s",
1022
access="readwrite")
1023
def Host_dbus_property(self, value=None):
1024
if value is None: # get
1025
return dbus.String(self.host)
1026
self.host = value
1027
1028
# Created - property
1029
@dbus_service_property(_interface, signature="s", access="read")
1030
def Created_dbus_property(self):
1031
return dbus.String(datetime_to_dbus(self.created))
1032
1033
# LastEnabled - property
1034
@dbus_service_property(_interface, signature="s", access="read")
1035
def LastEnabled_dbus_property(self):
1036
return datetime_to_dbus(self.last_enabled)
1037
1038
# Enabled - property
1039
@dbus_service_property(_interface, signature="b",
1040
access="readwrite")
1041
def Enabled_dbus_property(self, value=None):
1042
if value is None: # get
1043
return dbus.Boolean(self.enabled)
1044
if value:
1045
self.enable()
1046
else:
1047
self.disable()
1048
1049
# LastCheckedOK - property
1050
@dbus_service_property(_interface, signature="s",
1051
access="readwrite")
1052
def LastCheckedOK_dbus_property(self, value=None):
1053
if value is not None:
1054
self.checked_ok()
1055
return
1056
return datetime_to_dbus(self.last_checked_ok)
1057
1058
# Expires - property
1059
@dbus_service_property(_interface, signature="s", access="read")
1060
def Expires_dbus_property(self):
1061
return datetime_to_dbus(self.expires)
1062
1063
# LastApprovalRequest - property
1064
@dbus_service_property(_interface, signature="s", access="read")
1065
def LastApprovalRequest_dbus_property(self):
1066
return datetime_to_dbus(self.last_approval_request)
1067
1068
# Timeout - property
1069
@dbus_service_property(_interface, signature="t",
1070
access="readwrite")
1071
def Timeout_dbus_property(self, value=None):
1072
if value is None: # get
1073
return dbus.UInt64(self.timeout_milliseconds())
1074
self.timeout = datetime.timedelta(0, 0, 0, value)
1075
if getattr(self, "disable_initiator_tag", None) is None:
1076
return
1077
# Reschedule timeout
1078
gobject.source_remove(self.disable_initiator_tag)
1079
self.disable_initiator_tag = None
1080
self.expires = None
1081
time_to_die = (self.
1082
_timedelta_to_milliseconds((self
1083
.last_checked_ok
1084
+ self.timeout)
1085
- datetime.datetime
1086
.utcnow()))
1087
if time_to_die <= 0:
1088
# The timeout has passed
1089
self.disable()
1090
else:
1091
self.expires = (datetime.datetime.utcnow()
1092
+ datetime.timedelta(milliseconds = time_to_die))
1093
self.disable_initiator_tag = (gobject.timeout_add
1094
(time_to_die, self.disable))
1095
1096
# ExtendedTimeout - property
1097
@dbus_service_property(_interface, signature="t",
1098
access="readwrite")
1099
def ExtendedTimeout_dbus_property(self, value=None):
1100
if value is None: # get
1101
return dbus.UInt64(self.extended_timeout_milliseconds())
1102
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1103
1104
# Interval - property
1105
@dbus_service_property(_interface, signature="t",
1106
access="readwrite")
1107
def Interval_dbus_property(self, value=None):
1108
if value is None: # get
1109
return dbus.UInt64(self.interval_milliseconds())
1110
self.interval = datetime.timedelta(0, 0, 0, value)
1111
if getattr(self, "checker_initiator_tag", None) is None:
1112
return
1113
# Reschedule checker run
1114
gobject.source_remove(self.checker_initiator_tag)
1115
self.checker_initiator_tag = (gobject.timeout_add
1116
(value, self.start_checker))
1117
self.start_checker() # Start one now, too
1118
1119
# Checker - property
1120
@dbus_service_property(_interface, signature="s",
1121
access="readwrite")
1122
def Checker_dbus_property(self, value=None):
1123
if value is None: # get
1124
return dbus.String(self.checker_command)
1125
self.checker_command = value
1126
1127
# CheckerRunning - property
1128
@dbus_service_property(_interface, signature="b",
1129
access="readwrite")
1130
def CheckerRunning_dbus_property(self, value=None):
1131
if value is None: # get
1132
return dbus.Boolean(self.checker is not None)
1133
if value:
1134
self.start_checker()
1135
else:
1136
self.stop_checker()
1137
1138
# ObjectPath - property
1139
@dbus_service_property(_interface, signature="o", access="read")
1140
def ObjectPath_dbus_property(self):
1141
return self.dbus_object_path # is already a dbus.ObjectPath
1142
1143
# Secret = property
1144
@dbus_service_property(_interface, signature="ay",
1145
access="write", byte_arrays=True)
1146
def Secret_dbus_property(self, value):
1147
self.secret = str(value)
606
StopChecker = dbus.service.method(_interface)(stop_checker)
607
StopChecker.__name__ = "StopChecker"
1148
608
1149
609
del _interface
1150
610
1151
611
1152
class ProxyClient(object):
1153
def __init__(self, child_pipe, fpr, address):
1154
self._pipe = child_pipe
1155
self._pipe.send(('init', fpr, address))
1156
if not self._pipe.recv():
1157
raise KeyError()
1158
1159
def __getattribute__(self, name):
1160
if(name == '_pipe'):
1161
return super(ProxyClient, self).__getattribute__(name)
1162
self._pipe.send(('getattr', name))
1163
data = self._pipe.recv()
1164
if data[0] == 'data':
1165
return data[1]
1166
if data[0] == 'function':
1167
def func(*args, **kwargs):
1168
self._pipe.send(('funcall', name, args, kwargs))
1169
return self._pipe.recv()[1]
1170
return func
1171
1172
def __setattr__(self, name, value):
1173
if(name == '_pipe'):
1174
return super(ProxyClient, self).__setattr__(name, value)
1175
self._pipe.send(('setattr', name, value))
1176
1177
1178
class ClientHandler(socketserver.BaseRequestHandler, object):
1179
"""A class to handle client connections.
1180
1181
Instantiated once for each connection to handle it.
612
def peer_certificate(session):
613
"Return the peer's OpenPGP certificate as a bytestring"
614
# If not an OpenPGP certificate...
615
if (gnutls.library.functions
616
.gnutls_certificate_type_get(session._c_object)
617
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
618
# ...do the normal thing
619
return session.peer_certificate
620
list_size = ctypes.c_uint(1)
621
cert_list = (gnutls.library.functions
622
.gnutls_certificate_get_peers
623
(session._c_object, ctypes.byref(list_size)))
624
if not bool(cert_list) and list_size.value != 0:
625
raise gnutls.errors.GNUTLSError("error getting peer"
626
" certificate")
627
if list_size.value == 0:
628
return None
629
cert = cert_list[0]
630
return ctypes.string_at(cert.data, cert.size)
631
632
633
def fingerprint(openpgp):
634
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
635
# New GnuTLS "datum" with the OpenPGP public key
636
datum = (gnutls.library.types
637
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
638
ctypes.POINTER
639
(ctypes.c_ubyte)),
640
ctypes.c_uint(len(openpgp))))
641
# New empty GnuTLS certificate
642
crt = gnutls.library.types.gnutls_openpgp_crt_t()
643
(gnutls.library.functions
644
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
645
# Import the OpenPGP public key into the certificate
646
(gnutls.library.functions
647
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
648
gnutls.library.constants
649
.GNUTLS_OPENPGP_FMT_RAW))
650
# Verify the self signature in the key
651
crtverify = ctypes.c_uint()
652
(gnutls.library.functions
653
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
654
if crtverify.value != 0:
655
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
656
raise gnutls.errors.CertificateSecurityError("Verify failed")
657
# New buffer for the fingerprint
658
buf = ctypes.create_string_buffer(20)
659
buf_len = ctypes.c_size_t()
660
# Get the fingerprint from the certificate into the buffer
661
(gnutls.library.functions
662
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
663
ctypes.byref(buf_len)))
664
# Deinit the certificate
665
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
666
# Convert the buffer to a Python bytestring
667
fpr = ctypes.string_at(buf, buf_len.value)
668
# Convert the bytestring to hexadecimal notation
669
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
670
return hex_fpr
671
672
673
class TCP_handler(SocketServer.BaseRequestHandler, object):
674
"""A TCP request handler class.
675
Instantiated by IPv6_TCPServer for each request to handle it.
1182
676
Note: This will run in its own forked process."""
1183
677
1184
678
def handle(self):
1185
with contextlib.closing(self.server.child_pipe) as child_pipe:
1186
logger.info("TCP connection from: %s",
1187
unicode(self.client_address))
1188
logger.debug("Pipe FD: %d",
1189
self.server.child_pipe.fileno())
1190
1191
session = (gnutls.connection
1192
.ClientSession(self.request,
1193
gnutls.connection
1194
.X509Credentials()))
1195
1196
# Note: gnutls.connection.X509Credentials is really a
1197
# generic GnuTLS certificate credentials object so long as
1198
# no X.509 keys are added to it. Therefore, we can use it
1199
# here despite using OpenPGP certificates.
1200
1201
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1202
# "+AES-256-CBC", "+SHA1",
1203
# "+COMP-NULL", "+CTYPE-OPENPGP",
1204
# "+DHE-DSS"))
1205
# Use a fallback default, since this MUST be set.
1206
priority = self.server.gnutls_priority
1207
if priority is None:
1208
priority = "NORMAL"
1209
(gnutls.library.functions
1210
.gnutls_priority_set_direct(session._c_object,
1211
priority, None))
1212
1213
# Start communication using the Mandos protocol
1214
# Get protocol number
1215
line = self.request.makefile().readline()
1216
logger.debug("Protocol version: %r", line)
1217
try:
1218
if int(line.strip().split()[0]) > 1:
1219
raise RuntimeError
1220
except (ValueError, IndexError, RuntimeError) as error:
1221
logger.error("Unknown protocol version: %s", error)
1222
return
1223
1224
# Start GnuTLS connection
1225
try:
1226
session.handshake()
1227
except gnutls.errors.GNUTLSError as error:
1228
logger.warning("Handshake failed: %s", error)
1229
# Do not run session.bye() here: the session is not
1230
# established. Just abandon the request.
1231
return
1232
logger.debug("Handshake succeeded")
1233
1234
approval_required = False
1235
try:
1236
try:
1237
fpr = self.fingerprint(self.peer_certificate
1238
(session))
1239
except (TypeError,
1240
gnutls.errors.GNUTLSError) as error:
1241
logger.warning("Bad certificate: %s", error)
1242
return
1243
logger.debug("Fingerprint: %s", fpr)
1244
1245
try:
1246
client = ProxyClient(child_pipe, fpr,
1247
self.client_address)
1248
except KeyError:
1249
return
1250
1251
if client.approval_delay:
1252
delay = client.approval_delay
1253
client.approvals_pending += 1
1254
approval_required = True
1255
1256
while True:
1257
if not client.enabled:
1258
logger.info("Client %s is disabled",
1259
client.name)
1260
if self.server.use_dbus:
1261
# Emit D-Bus signal
1262
client.Rejected("Disabled")
1263
return
1264
1265
if client._approved or not client.approval_delay:
1266
#We are approved or approval is disabled
1267
break
1268
elif client._approved is None:
1269
logger.info("Client %s needs approval",
1270
client.name)
1271
if self.server.use_dbus:
1272
# Emit D-Bus signal
1273
client.NeedApproval(
1274
client.approval_delay_milliseconds(),
1275
client.approved_by_default)
1276
else:
1277
logger.warning("Client %s was not approved",
1278
client.name)
1279
if self.server.use_dbus:
1280
# Emit D-Bus signal
1281
client.Rejected("Denied")
1282
return
1283
1284
#wait until timeout or approved
1285
#x = float(client._timedelta_to_milliseconds(delay))
1286
time = datetime.datetime.now()
1287
client.changedstate.acquire()
1288
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1289
client.changedstate.release()
1290
time2 = datetime.datetime.now()
1291
if (time2 - time) >= delay:
1292
if not client.approved_by_default:
1293
logger.warning("Client %s timed out while"
1294
" waiting for approval",
1295
client.name)
1296
if self.server.use_dbus:
1297
# Emit D-Bus signal
1298
client.Rejected("Approval timed out")
1299
return
1300
else:
1301
break
1302
else:
1303
delay -= time2 - time
1304
1305
sent_size = 0
1306
while sent_size < len(client.secret):
1307
try:
1308
sent = session.send(client.secret[sent_size:])
1309
except gnutls.errors.GNUTLSError as error:
1310
logger.warning("gnutls send failed")
1311
return
1312
logger.debug("Sent: %d, remaining: %d",
1313
sent, len(client.secret)
1314
- (sent_size + sent))
1315
sent_size += sent
1316
1317
logger.info("Sending secret to %s", client.name)
1318
# bump the timeout as if seen
1319
client.checked_ok(client.extended_timeout)
1320
if self.server.use_dbus:
1321
# Emit D-Bus signal
1322
client.GotSecret()
1323
1324
finally:
1325
if approval_required:
1326
client.approvals_pending -= 1
1327
try:
1328
session.bye()
1329
except gnutls.errors.GNUTLSError as error:
1330
logger.warning("GnuTLS bye failed")
1331
1332
@staticmethod
1333
def peer_certificate(session):
1334
"Return the peer's OpenPGP certificate as a bytestring"
1335
# If not an OpenPGP certificate...
1336
if (gnutls.library.functions
1337
.gnutls_certificate_type_get(session._c_object)
1338
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1339
# ...do the normal thing
1340
return session.peer_certificate
1341
list_size = ctypes.c_uint(1)
1342
cert_list = (gnutls.library.functions
1343
.gnutls_certificate_get_peers
1344
(session._c_object, ctypes.byref(list_size)))
1345
if not bool(cert_list) and list_size.value != 0:
1346
raise gnutls.errors.GNUTLSError("error getting peer"
1347
" certificate")
1348
if list_size.value == 0:
1349
return None
1350
cert = cert_list[0]
1351
return ctypes.string_at(cert.data, cert.size)
1352
1353
@staticmethod
1354
def fingerprint(openpgp):
1355
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1356
# New GnuTLS "datum" with the OpenPGP public key
1357
datum = (gnutls.library.types
1358
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1359
ctypes.POINTER
1360
(ctypes.c_ubyte)),
1361
ctypes.c_uint(len(openpgp))))
1362
# New empty GnuTLS certificate
1363
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1364
(gnutls.library.functions
1365
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1366
# Import the OpenPGP public key into the certificate
1367
(gnutls.library.functions
1368
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1369
gnutls.library.constants
1370
.GNUTLS_OPENPGP_FMT_RAW))
1371
# Verify the self signature in the key
1372
crtverify = ctypes.c_uint()
1373
(gnutls.library.functions
1374
.gnutls_openpgp_crt_verify_self(crt, 0,
1375
ctypes.byref(crtverify)))
1376
if crtverify.value != 0:
1377
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1378
raise (gnutls.errors.CertificateSecurityError
1379
("Verify failed"))
1380
# New buffer for the fingerprint
1381
buf = ctypes.create_string_buffer(20)
1382
buf_len = ctypes.c_size_t()
1383
# Get the fingerprint from the certificate into the buffer
1384
(gnutls.library.functions
1385
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1386
ctypes.byref(buf_len)))
1387
# Deinit the certificate
1388
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1389
# Convert the buffer to a Python bytestring
1390
fpr = ctypes.string_at(buf, buf_len.value)
1391
# Convert the bytestring to hexadecimal notation
1392
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1393
return hex_fpr
1394
1395
1396
class MultiprocessingMixIn(object):
1397
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1398
def sub_process_main(self, request, address):
1399
try:
1400
self.finish_request(request, address)
1401
except:
1402
self.handle_error(request, address)
1403
self.close_request(request)
1404
1405
def process_request(self, request, address):
1406
"""Start a new process to process the request."""
1407
multiprocessing.Process(target = self.sub_process_main,
1408
args = (request, address)).start()
1409
1410
1411
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1412
""" adds a pipe to the MixIn """
1413
def process_request(self, request, client_address):
1414
"""Overrides and wraps the original process_request().
1415
1416
This function creates a new pipe in self.pipe
1417
"""
1418
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1419
1420
super(MultiprocessingMixInWithPipe,
1421
self).process_request(request, client_address)
1422
self.child_pipe.close()
1423
self.add_pipe(parent_pipe)
1424
1425
def add_pipe(self, parent_pipe):
1426
"""Dummy function; override as necessary"""
1427
raise NotImplementedError
1428
1429
1430
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1431
socketserver.TCPServer, object):
679
logger.info(u"TCP connection from: %s",
680
unicode(self.client_address))
681
session = (gnutls.connection
682
.ClientSession(self.request,
683
gnutls.connection
684
.X509Credentials()))
685
686
line = self.request.makefile().readline()
687
logger.debug(u"Protocol version: %r", line)
688
try:
689
if int(line.strip().split()[0]) > 1:
690
raise RuntimeError
691
except (ValueError, IndexError, RuntimeError), error:
692
logger.error(u"Unknown protocol version: %s", error)
693
return
694
695
# Note: gnutls.connection.X509Credentials is really a generic
696
# GnuTLS certificate credentials object so long as no X.509
697
# keys are added to it. Therefore, we can use it here despite
698
# using OpenPGP certificates.
699
700
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
701
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
702
# "+DHE-DSS"))
703
# Use a fallback default, since this MUST be set.
704
priority = self.server.settings.get("priority", "NORMAL")
705
(gnutls.library.functions
706
.gnutls_priority_set_direct(session._c_object,
707
priority, None))
708
709
try:
710
session.handshake()
711
except gnutls.errors.GNUTLSError, error:
712
logger.warning(u"Handshake failed: %s", error)
713
# Do not run session.bye() here: the session is not
714
# established. Just abandon the request.
715
return
716
logger.debug(u"Handshake succeeded")
717
try:
718
fpr = fingerprint(peer_certificate(session))
719
except (TypeError, gnutls.errors.GNUTLSError), error:
720
logger.warning(u"Bad certificate: %s", error)
721
session.bye()
722
return
723
logger.debug(u"Fingerprint: %s", fpr)
724
725
for c in self.server.clients:
726
if c.fingerprint == fpr:
727
client = c
728
break
729
else:
730
logger.warning(u"Client not found for fingerprint: %s",
731
fpr)
732
session.bye()
733
return
734
# Have to check if client.still_valid(), since it is possible
735
# that the client timed out while establishing the GnuTLS
736
# session.
737
if not client.still_valid():
738
logger.warning(u"Client %(name)s is invalid",
739
vars(client))
740
session.bye()
741
return
742
## This won't work here, since we're in a fork.
743
# client.checked_ok()
744
sent_size = 0
745
while sent_size < len(client.secret):
746
sent = session.send(client.secret[sent_size:])
747
logger.debug(u"Sent: %d, remaining: %d",
748
sent, len(client.secret)
749
- (sent_size + sent))
750
sent_size += sent
751
session.bye()
752
753
754
class IPv6_TCPServer(SocketServer.ForkingMixIn,
755
SocketServer.TCPServer, object):
1432
756
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1433
1434
757
Attributes:
758
settings: Server settings
759
clients: Set() of Client objects
1435
760
enabled: Boolean; whether this server is activated yet
1436
interface: None or a network interface name (string)
1437
use_ipv6: Boolean; to use IPv6 or not
1438
761
"""
1439
def __init__(self, server_address, RequestHandlerClass,
1440
interface=None, use_ipv6=True):
1441
self.interface = interface
1442
if use_ipv6:
1443
self.address_family = socket.AF_INET6
1444
socketserver.TCPServer.__init__(self, server_address,
1445
RequestHandlerClass)
762
address_family = socket.AF_INET6
763
def __init__(self, *args, **kwargs):
764
if "settings" in kwargs:
765
self.settings = kwargs["settings"]
766
del kwargs["settings"]
767
if "clients" in kwargs:
768
self.clients = kwargs["clients"]
769
del kwargs["clients"]
770
if "use_ipv6" in kwargs:
771
if not kwargs["use_ipv6"]:
772
self.address_family = socket.AF_INET
773
del kwargs["use_ipv6"]
774
self.enabled = False
775
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1446
776
def server_bind(self):
1447
777
"""This overrides the normal server_bind() function
1448
778
to bind to an interface if one was specified, and also NOT to
1449
779
bind to an address or port if they were not specified."""
1450
if self.interface is not None:
1451
if SO_BINDTODEVICE is None:
1452
logger.error("SO_BINDTODEVICE does not exist;"
1453
" cannot bind to interface %s",
1454
self.interface)
1455
else:
1456
try:
1457
self.socket.setsockopt(socket.SOL_SOCKET,
1458
SO_BINDTODEVICE,
1459
str(self.interface
1460
+ '\0'))
1461
except socket.error as error:
1462
if error[0] == errno.EPERM:
1463
logger.error("No permission to"
1464
" bind to interface %s",
1465
self.interface)
1466
elif error[0] == errno.ENOPROTOOPT:
1467
logger.error("SO_BINDTODEVICE not available;"
1468
" cannot bind to interface %s",
1469
self.interface)
1470
else:
1471
raise
780
if self.settings["interface"]:
781
# 25 is from /usr/include/asm-i486/socket.h
782
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
783
try:
784
self.socket.setsockopt(socket.SOL_SOCKET,
785
SO_BINDTODEVICE,
786
self.settings["interface"])
787
except socket.error, error:
788
if error[0] == errno.EPERM:
789
logger.error(u"No permission to"
790
u" bind to interface %s",
791
self.settings["interface"])
792
else:
793
raise
1472
794
# Only bind(2) the socket if we really need to.
1473
795
if self.server_address[0] or self.server_address[1]:
1474
796
if not self.server_address[0]:
1481
803
elif not self.server_address[1]:
1482
804
self.server_address = (self.server_address[0],
1483
805
0)
1484
# if self.interface:
806
# if self.settings["interface"]:
1485
807
# self.server_address = (self.server_address[0],
1486
808
# 0, # port
1487
809
# 0, # flowinfo
1488
810
# if_nametoindex
1489
# (self.interface))
1490
return socketserver.TCPServer.server_bind(self)
1491
1492
1493
class MandosServer(IPv6_TCPServer):
1494
"""Mandos server.
1495
1496
Attributes:
1497
clients: set of Client objects
1498
gnutls_priority GnuTLS priority string
1499
use_dbus: Boolean; to emit D-Bus signals or not
1500
1501
Assumes a gobject.MainLoop event loop.
1502
"""
1503
def __init__(self, server_address, RequestHandlerClass,
1504
interface=None, use_ipv6=True, clients=None,
1505
gnutls_priority=None, use_dbus=True):
1506
self.enabled = False
1507
self.clients = clients
1508
if self.clients is None:
1509
self.clients = set()
1510
self.use_dbus = use_dbus
1511
self.gnutls_priority = gnutls_priority
1512
IPv6_TCPServer.__init__(self, server_address,
1513
RequestHandlerClass,
1514
interface = interface,
1515
use_ipv6 = use_ipv6)
811
# (self.settings
812
# ["interface"]))
813
return super(IPv6_TCPServer, self).server_bind()
1516
814
def server_activate(self):
1517
815
if self.enabled:
1518
return socketserver.TCPServer.server_activate(self)
816
return super(IPv6_TCPServer, self).server_activate()
1519
817
def enable(self):
1520
818
self.enabled = True
1521
def add_pipe(self, parent_pipe):
1522
# Call "handle_ipc" for both data and EOF events
1523
gobject.io_add_watch(parent_pipe.fileno(),
1524
gobject.IO_IN | gobject.IO_HUP,
1525
functools.partial(self.handle_ipc,
1526
parent_pipe = parent_pipe))
1527
1528
def handle_ipc(self, source, condition, parent_pipe=None,
1529
client_object=None):
1530
condition_names = {
1531
gobject.IO_IN: "IN", # There is data to read.
1532
gobject.IO_OUT: "OUT", # Data can be written (without
1533
# blocking).
1534
gobject.IO_PRI: "PRI", # There is urgent data to read.
1535
gobject.IO_ERR: "ERR", # Error condition.
1536
gobject.IO_HUP: "HUP" # Hung up (the connection has been
1537
# broken, usually for pipes and
1538
# sockets).
1539
}
1540
conditions_string = ' | '.join(name
1541
for cond, name in
1542
condition_names.iteritems()
1543
if cond & condition)
1544
# error or the other end of multiprocessing.Pipe has closed
1545
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1546
return False
1547
1548
# Read a request from the child
1549
request = parent_pipe.recv()
1550
command = request[0]
1551
1552
if command == 'init':
1553
fpr = request[1]
1554
address = request[2]
1555
1556
for c in self.clients:
1557
if c.fingerprint == fpr:
1558
client = c
1559
break
1560
else:
1561
logger.info("Client not found for fingerprint: %s, ad"
1562
"dress: %s", fpr, address)
1563
if self.use_dbus:
1564
# Emit D-Bus signal
1565
mandos_dbus_service.ClientNotFound(fpr, address[0])
1566
parent_pipe.send(False)
1567
return False
1568
1569
gobject.io_add_watch(parent_pipe.fileno(),
1570
gobject.IO_IN | gobject.IO_HUP,
1571
functools.partial(self.handle_ipc,
1572
parent_pipe = parent_pipe,
1573
client_object = client))
1574
parent_pipe.send(True)
1575
# remove the old hook in favor of the new above hook on same fileno
1576
return False
1577
if command == 'funcall':
1578
funcname = request[1]
1579
args = request[2]
1580
kwargs = request[3]
1581
1582
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1583
1584
if command == 'getattr':
1585
attrname = request[1]
1586
if callable(client_object.__getattribute__(attrname)):
1587
parent_pipe.send(('function',))
1588
else:
1589
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1590
1591
if command == 'setattr':
1592
attrname = request[1]
1593
value = request[2]
1594
setattr(client_object, attrname, value)
1595
1596
return True
1597
819
1598
820
1599
821
def string_to_delta(interval):
1607
829
datetime.timedelta(0, 3600)
1608
830
>>> string_to_delta('24h')
1609
831
datetime.timedelta(1)
1610
>>> string_to_delta('1w')
832
>>> string_to_delta(u'1w')
1611
833
datetime.timedelta(7)
1612
834
>>> string_to_delta('5m 30s')
1613
835
datetime.timedelta(0, 330)
1617
839
try:
1618
840
suffix = unicode(s[-1])
1619
841
value = int(s[:-1])
1620
if suffix == "d":
842
if suffix == u"d":
1621
843
delta = datetime.timedelta(value)
1622
elif suffix == "s":
844
elif suffix == u"s":
1623
845
delta = datetime.timedelta(0, value)
1624
elif suffix == "m":
846
elif suffix == u"m":
1625
847
delta = datetime.timedelta(0, 0, 0, 0, value)
1626
elif suffix == "h":
848
elif suffix == u"h":
1627
849
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1628
elif suffix == "w":
850
elif suffix == u"w":
1629
851
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1630
852
else:
1631
raise ValueError("Unknown suffix %r" % suffix)
1632
except (ValueError, IndexError) as e:
1633
raise ValueError(*(e.args))
853
raise ValueError
854
except (ValueError, IndexError):
855
raise ValueError
1634
856
timevalue += delta
1635
857
return timevalue
1636
858
1637
859
860
def server_state_changed(state):
861
"""Derived from the Avahi example code"""
862
if state == avahi.SERVER_COLLISION:
863
logger.error(u"Zeroconf server name collision")
864
service.remove()
865
elif state == avahi.SERVER_RUNNING:
866
service.add()
867
868
869
def entry_group_state_changed(state, error):
870
"""Derived from the Avahi example code"""
871
logger.debug(u"Avahi state change: %i", state)
872
873
if state == avahi.ENTRY_GROUP_ESTABLISHED:
874
logger.debug(u"Zeroconf service established.")
875
elif state == avahi.ENTRY_GROUP_COLLISION:
876
logger.warning(u"Zeroconf service name collision.")
877
service.rename()
878
elif state == avahi.ENTRY_GROUP_FAILURE:
879
logger.critical(u"Avahi: Error in group state changed %s",
880
unicode(error))
881
raise AvahiGroupError(u"State changed: %s" % unicode(error))
882
1638
883
def if_nametoindex(interface):
1639
"""Call the C function if_nametoindex(), or equivalent
1640
1641
Note: This function cannot accept a unicode string."""
884
"""Call the C function if_nametoindex(), or equivalent"""
1642
885
global if_nametoindex
1643
886
try:
1644
887
if_nametoindex = (ctypes.cdll.LoadLibrary
1645
888
(ctypes.util.find_library("c"))
1646
889
.if_nametoindex)
1647
890
except (OSError, AttributeError):
1648
logger.warning("Doing if_nametoindex the hard way")
891
if "struct" not in sys.modules:
892
import struct
893
if "fcntl" not in sys.modules:
894
import fcntl
1649
895
def if_nametoindex(interface):
1650
896
"Get an interface index the hard way, i.e. using fcntl()"
1651
897
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1652
with contextlib.closing(socket.socket()) as s:
898
with closing(socket.socket()) as s:
1653
899
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1654
struct.pack(str("16s16x"),
1655
interface))
1656
interface_index = struct.unpack(str("I"),
1657
ifreq[16:20])[0]
900
struct.pack("16s16x", interface))
901
interface_index = struct.unpack("I", ifreq[16:20])[0]
1658
902
return interface_index
1659
903
return if_nametoindex(interface)
1660
904
1661
905
1662
906
def daemon(nochdir = False, noclose = False):
1663
907
"""See daemon(3). Standard BSD Unix function.
1664
1665
908
This should really exist as os.daemon, but it doesn't (yet)."""
1666
909
if os.fork():
1667
910
sys.exit()
1675
918
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1676
919
if not stat.S_ISCHR(os.fstat(null).st_mode):
1677
920
raise OSError(errno.ENODEV,
1678
"%s not a character device"
1679
% os.path.devnull)
921
"/dev/null not a character device")
1680
922
os.dup2(null, sys.stdin.fileno())
1681
923
os.dup2(null, sys.stdout.fileno())
1682
924
os.dup2(null, sys.stderr.fileno())
1685
927
1686
928
1687
929
def main():
1688
1689
##################################################################
1690
# Parsing of options, both command line and config file
1691
1692
parser = argparse.ArgumentParser()
1693
parser.add_argument("-v", "--version", action="version",
1694
version = "%%(prog)s %s" % version,
1695
help="show version number and exit")
1696
parser.add_argument("-i", "--interface", metavar="IF",
1697
help="Bind to interface IF")
1698
parser.add_argument("-a", "--address",
1699
help="Address to listen for requests on")
1700
parser.add_argument("-p", "--port", type=int,
1701
help="Port number to receive requests on")
1702
parser.add_argument("--check", action="store_true",
1703
help="Run self-test")
1704
parser.add_argument("--debug", action="store_true",
1705
help="Debug mode; run in foreground and log"
1706
" to terminal")
1707
parser.add_argument("--debuglevel", metavar="LEVEL",
1708
help="Debug level for stdout output")
1709
parser.add_argument("--priority", help="GnuTLS"
1710
" priority string (see GnuTLS documentation)")
1711
parser.add_argument("--servicename",
1712
metavar="NAME", help="Zeroconf service name")
1713
parser.add_argument("--configdir",
1714
default="/etc/mandos", metavar="DIR",
1715
help="Directory to search for configuration"
1716
" files")
1717
parser.add_argument("--no-dbus", action="store_false",
1718
dest="use_dbus", help="Do not provide D-Bus"
1719
" system bus interface")
1720
parser.add_argument("--no-ipv6", action="store_false",
1721
dest="use_ipv6", help="Do not use IPv6")
1722
options = parser.parse_args()
930
parser = optparse.OptionParser(version = "%%prog %s" % version)
931
parser.add_option("-i", "--interface", type="string",
932
metavar="IF", help="Bind to interface IF")
933
parser.add_option("-a", "--address", type="string",
934
help="Address to listen for requests on")
935
parser.add_option("-p", "--port", type="int",
936
help="Port number to receive requests on")
937
parser.add_option("--check", action="store_true",
938
help="Run self-test")
939
parser.add_option("--debug", action="store_true",
940
help="Debug mode; run in foreground and log to"
941
" terminal")
942
parser.add_option("--priority", type="string", help="GnuTLS"
943
" priority string (see GnuTLS documentation)")
944
parser.add_option("--servicename", type="string", metavar="NAME",
945
help="Zeroconf service name")
946
parser.add_option("--configdir", type="string",
947
default="/etc/mandos", metavar="DIR",
948
help="Directory to search for configuration"
949
" files")
950
parser.add_option("--no-dbus", action="store_false",
951
dest="use_dbus",
952
help="Do not provide D-Bus system bus"
953
" interface")
954
parser.add_option("--no-ipv6", action="store_false",
955
dest="use_ipv6", help="Do not use IPv6")
956
options = parser.parse_args()[0]
1723
957
1724
958
if options.check:
1725
959
import doctest
1736
970
"servicename": "Mandos",
1737
971
"use_dbus": "True",
1738
972
"use_ipv6": "True",
1739
"debuglevel": "",
1740
973
}
1741
974
1742
975
# Parse config file for server-global settings
1743
server_config = configparser.SafeConfigParser(server_defaults)
976
server_config = ConfigParser.SafeConfigParser(server_defaults)
1744
977
del server_defaults
1745
server_config.read(os.path.join(options.configdir,
1746
"mandos.conf"))
978
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1747
979
# Convert the SafeConfigParser object to a dict
1748
980
server_settings = server_config.defaults()
1749
981
# Use the appropriate methods on the non-string config options
1750
for option in ("debug", "use_dbus", "use_ipv6"):
1751
server_settings[option] = server_config.getboolean("DEFAULT",
1752
option)
982
server_settings["debug"] = server_config.getboolean("DEFAULT",
983
"debug")
984
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
985
"use_dbus")
986
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
987
"use_ipv6")
1753
988
if server_settings["port"]:
1754
989
server_settings["port"] = server_config.getint("DEFAULT",
1755
990
"port")
1759
994
# options, if set.
1760
995
for option in ("interface", "address", "port", "debug",
1761
996
"priority", "servicename", "configdir",
1762
"use_dbus", "use_ipv6", "debuglevel"):
997
"use_dbus", "use_ipv6"):
1763
998
value = getattr(options, option)
1764
999
if value is not None:
1765
1000
server_settings[option] = value
1766
1001
del options
1767
# Force all strings to be unicode
1768
for option in server_settings.keys():
1769
if type(server_settings[option]) is str:
1770
server_settings[option] = unicode(server_settings[option])
1771
1002
# Now we have our good server settings in "server_settings"
1772
1003
1773
##################################################################
1774
1775
1004
# For convenience
1776
1005
debug = server_settings["debug"]
1777
debuglevel = server_settings["debuglevel"]
1778
1006
use_dbus = server_settings["use_dbus"]
1779
1007
use_ipv6 = server_settings["use_ipv6"]
1780
1008
1009
if not debug:
1010
syslogger.setLevel(logging.WARNING)
1011
console.setLevel(logging.WARNING)
1012
1781
1013
if server_settings["servicename"] != "Mandos":
1782
1014
syslogger.setFormatter(logging.Formatter
1783
('Mandos (%s) [%%(process)d]:'
1784
' %%(levelname)s: %%(message)s'
1015
('Mandos (%s): %%(levelname)s:'
1016
' %%(message)s'
1785
1017
% server_settings["servicename"]))
1786
1018
1787
1019
# Parse config file with clients
1788
client_defaults = { "timeout": "5m",
1789
"extended_timeout": "15m",
1790
"interval": "2m",
1020
client_defaults = { "timeout": "1h",
1021
"interval": "5m",
1791
1022
"checker": "fping -q -- %%(host)s",
1792
1023
"host": "",
1793
"approval_delay": "0s",
1794
"approval_duration": "1s",
1795
1024
}
1796
client_config = configparser.SafeConfigParser(client_defaults)
1025
client_config = ConfigParser.SafeConfigParser(client_defaults)
1797
1026
client_config.read(os.path.join(server_settings["configdir"],
1798
1027
"clients.conf"))
1799
1028
1800
global mandos_dbus_service
1801
mandos_dbus_service = None
1802
1803
tcp_server = MandosServer((server_settings["address"],
1804
server_settings["port"]),
1805
ClientHandler,
1806
interface=(server_settings["interface"]
1807
or None),
1808
use_ipv6=use_ipv6,
1809
gnutls_priority=
1810
server_settings["priority"],
1811
use_dbus=use_dbus)
1812
if not debug:
1813
pidfilename = "/var/run/mandos.pid"
1814
try:
1815
pidfile = open(pidfilename, "w")
1816
except IOError:
1817
logger.error("Could not open file %r", pidfilename)
1029
clients = Set()
1030
tcp_server = IPv6_TCPServer((server_settings["address"],
1031
server_settings["port"]),
1032
TCP_handler,
1033
settings=server_settings,
1034
clients=clients, use_ipv6=use_ipv6)
1035
pidfilename = "/var/run/mandos.pid"
1036
try:
1037
pidfile = open(pidfilename, "w")
1038
except IOError:
1039
logger.error("Could not open file %r", pidfilename)
1818
1040
1819
1041
try:
1820
1042
uid = pwd.getpwnam("_mandos").pw_uid
1826
1048
except KeyError:
1827
1049
try:
1828
1050
uid = pwd.getpwnam("nobody").pw_uid
1829
gid = pwd.getpwnam("nobody").pw_gid
1051
gid = pwd.getpwnam("nogroup").pw_gid
1830
1052
except KeyError:
1831
1053
uid = 65534
1832
1054
gid = 65534
1833
1055
try:
1834
1056
os.setgid(gid)
1835
1057
os.setuid(uid)
1836
except OSError as error:
1058
except OSError, error:
1837
1059
if error[0] != errno.EPERM:
1838
1060
raise error
1839
1061
1840
if not debug and not debuglevel:
1841
syslogger.setLevel(logging.WARNING)
1842
console.setLevel(logging.WARNING)
1843
if debuglevel:
1844
level = getattr(logging, debuglevel.upper())
1845
syslogger.setLevel(level)
1846
console.setLevel(level)
1847
1062
# Enable all possible GnuTLS debugging
1848
1063
if debug:
1849
# Enable all possible GnuTLS debugging
1850
1851
1064
# "Use a log level over 10 to enable all debugging options."
1852
1065
# - GnuTLS manual
1853
1066
gnutls.library.functions.gnutls_global_set_log_level(11)
1858
1071
1859
1072
(gnutls.library.functions
1860
1073
.gnutls_global_set_log_function(debug_gnutls))
1861
1074
1075
global service
1076
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1077
service = AvahiService(name = server_settings["servicename"],
1078
servicetype = "_mandos._tcp",
1079
protocol = protocol)
1080
if server_settings["interface"]:
1081
service.interface = (if_nametoindex
1082
(server_settings["interface"]))
1083
1084
global main_loop
1085
global bus
1086
global server
1087
# From the Avahi example code
1088
DBusGMainLoop(set_as_default=True )
1089
main_loop = gobject.MainLoop()
1090
bus = dbus.SystemBus()
1091
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1092
avahi.DBUS_PATH_SERVER),
1093
avahi.DBUS_INTERFACE_SERVER)
1094
# End of Avahi example code
1095
if use_dbus:
1096
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1097
1098
clients.update(Set(Client(name = section,
1099
config
1100
= dict(client_config.items(section)),
1101
use_dbus = use_dbus)
1102
for section in client_config.sections()))
1103
if not clients:
1104
logger.warning(u"No clients defined")
1105
1106
if debug:
1862
1107
# Redirect stdin so all checkers get /dev/null
1863
1108
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1864
1109
os.dup2(null, sys.stdin.fileno())
1867
1112
else:
1868
1113
# No console logging
1869
1114
logger.removeHandler(console)
1870
1871
# Need to fork before connecting to D-Bus
1872
if not debug:
1873
1115
# Close all input and output, do double fork, etc.
1874
1116
daemon()
1875
1117
1876
global main_loop
1877
# From the Avahi example code
1878
DBusGMainLoop(set_as_default=True )
1879
main_loop = gobject.MainLoop()
1880
bus = dbus.SystemBus()
1881
# End of Avahi example code
1882
if use_dbus:
1883
try:
1884
bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",
1885
bus, do_not_queue=True)
1886
except dbus.exceptions.NameExistsException as e:
1887
logger.error(unicode(e) + ", disabling D-Bus")
1888
use_dbus = False
1889
server_settings["use_dbus"] = False
1890
tcp_server.use_dbus = False
1891
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1892
service = AvahiService(name = server_settings["servicename"],
1893
servicetype = "_mandos._tcp",
1894
protocol = protocol, bus = bus)
1895
if server_settings["interface"]:
1896
service.interface = (if_nametoindex
1897
(str(server_settings["interface"])))
1898
1899
global multiprocessing_manager
1900
multiprocessing_manager = multiprocessing.Manager()
1901
1902
client_class = Client
1903
if use_dbus:
1904
client_class = functools.partial(ClientDBus, bus = bus)
1905
def client_config_items(config, section):
1906
special_settings = {
1907
"approved_by_default":
1908
lambda: config.getboolean(section,
1909
"approved_by_default"),
1910
}
1911
for name, value in config.items(section):
1912
try:
1913
yield (name, special_settings[name]())
1914
except KeyError:
1915
yield (name, value)
1916
1917
tcp_server.clients.update(set(
1918
client_class(name = section,
1919
config= dict(client_config_items(
1920
client_config, section)))
1921
for section in client_config.sections()))
1922
if not tcp_server.clients:
1923
logger.warning("No clients defined")
1118
try:
1119
pid = os.getpid()
1120
pidfile.write(str(pid) + "\n")
1121
pidfile.close()
1122
del pidfile
1123
except IOError:
1124
logger.error(u"Could not write to file %r with PID %d",
1125
pidfilename, pid)
1126
except NameError:
1127
# "pidfile" was never created
1128
pass
1129
del pidfilename
1130
1131
def cleanup():
1132
"Cleanup function; run on exit"
1133
global group
1134
# From the Avahi example code
1135
if not group is None:
1136
group.Free()
1137
group = None
1138
# End of Avahi example code
1924
1139
1140
while clients:
1141
client = clients.pop()
1142
client.disable_hook = None
1143
client.disable()
1144
1145
atexit.register(cleanup)
1146
1925
1147
if not debug:
1926
try:
1927
with pidfile:
1928
pid = os.getpid()
1929
pidfile.write(str(pid) + "\n".encode("utf-8"))
1930
del pidfile
1931
except IOError:
1932
logger.error("Could not write to file %r with PID %d",
1933
pidfilename, pid)
1934
except NameError:
1935
# "pidfile" was never created
1936
pass
1937
del pidfilename
1938
1939
1148
signal.signal(signal.SIGINT, signal.SIG_IGN)
1940
1941
1149
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1942
1150
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1943
1151
1944
1152
if use_dbus:
1945
class MandosDBusService(dbus.service.Object):
1153
class MandosServer(dbus.service.Object):
1946
1154
"""A D-Bus proxy object"""
1947
1155
def __init__(self):
1948
1156
dbus.service.Object.__init__(self, bus, "/")
1949
_interface = "se.bsnet.fukt.Mandos"
1950
1951
@dbus.service.signal(_interface, signature="o")
1952
def ClientAdded(self, objpath):
1953
"D-Bus signal"
1954
pass
1955
1956
@dbus.service.signal(_interface, signature="ss")
1957
def ClientNotFound(self, fingerprint, address):
1157
_interface = u"se.bsnet.fukt.Mandos"
1158
1159
@dbus.service.signal(_interface, signature="oa{sv}")
1160
def ClientAdded(self, objpath, properties):
1958
1161
"D-Bus signal"
1959
1162
pass
1960
1163
1966
1169
@dbus.service.method(_interface, out_signature="ao")
1967
1170
def GetAllClients(self):
1968
1171
"D-Bus method"
1969
return dbus.Array(c.dbus_object_path
1970
for c in tcp_server.clients)
1172
return dbus.Array(c.dbus_object_path for c in clients)
1971
1173
1972
@dbus.service.method(_interface,
1973
out_signature="a{oa{sv}}")
1174
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1974
1175
def GetAllClientsWithProperties(self):
1975
1176
"D-Bus method"
1976
1177
return dbus.Dictionary(
1977
((c.dbus_object_path, c.GetAll(""))
1978
for c in tcp_server.clients),
1178
((c.dbus_object_path, c.GetAllProperties())
1179
for c in clients),
1979
1180
signature="oa{sv}")
1980
1181
1981
1182
@dbus.service.method(_interface, in_signature="o")
1982
1183
def RemoveClient(self, object_path):
1983
1184
"D-Bus method"
1984
for c in tcp_server.clients:
1185
for c in clients:
1985
1186
if c.dbus_object_path == object_path:
1986
tcp_server.clients.remove(c)
1987
c.remove_from_connection()
1187
clients.remove(c)
1988
1188
# Don't signal anything except ClientRemoved
1989
c.disable(quiet=True)
1189
c.use_dbus = False
1190
c.disable()
1990
1191
# Emit D-Bus signal
1991
1192
self.ClientRemoved(object_path, c.name)
1992
1193
return
1993
raise KeyError(object_path)
1194
raise KeyError
1994
1195
1995
1196
del _interface
1996
1197
1997
mandos_dbus_service = MandosDBusService()
1998
1999
def cleanup():
2000
"Cleanup function; run on exit"
2001
service.cleanup()
2002
2003
while tcp_server.clients:
2004
client = tcp_server.clients.pop()
2005
if use_dbus:
2006
client.remove_from_connection()
2007
client.disable_hook = None
2008
# Don't signal anything except ClientRemoved
2009
client.disable(quiet=True)
2010
if use_dbus:
2011
# Emit D-Bus signal
2012
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2013
client.name)
2014
2015
atexit.register(cleanup)
2016
2017
for client in tcp_server.clients:
1198
mandos_server = MandosServer()
1199
1200
for client in clients:
2018
1201
if use_dbus:
2019
1202
# Emit D-Bus signal
2020
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1203
mandos_server.ClientAdded(client.dbus_object_path,
1204
client.GetAllProperties())
2021
1205
client.enable()
2022
1206
2023
1207
tcp_server.enable()
2026
1210
# Find out what port we got
2027
1211
service.port = tcp_server.socket.getsockname()[1]
2028
1212
if use_ipv6:
2029
logger.info("Now listening on address %r, port %d,"
1213
logger.info(u"Now listening on address %r, port %d,"
2030
1214
" flowinfo %d, scope_id %d"
2031
1215
% tcp_server.socket.getsockname())
2032
1216
else: # IPv4
2033
logger.info("Now listening on address %r, port %d"
1217
logger.info(u"Now listening on address %r, port %d"
2034
1218
% tcp_server.socket.getsockname())
2035
1219
2036
1220
#service.interface = tcp_server.socket.getsockname()[3]
2037
1221
2038
1222
try:
2039
1223
# From the Avahi example code
1224
server.connect_to_signal("StateChanged", server_state_changed)
2040
1225
try:
2041
service.activate()
2042
except dbus.exceptions.DBusException as error:
2043
logger.critical("DBusException: %s", error)
2044
cleanup()
1226
server_state_changed(server.GetState())
1227
except dbus.exceptions.DBusException, error:
1228
logger.critical(u"DBusException: %s", error)
2045
1229
sys.exit(1)
2046
1230
# End of Avahi example code
2047
1231
2050
1234
(tcp_server.handle_request
2051
1235
(*args[2:], **kwargs) or True))
2052
1236
2053
logger.debug("Starting main loop")
1237
logger.debug(u"Starting main loop")
2054
1238
main_loop.run()
2055
except AvahiError as error:
2056
logger.critical("AvahiError: %s", error)
2057
cleanup()
1239
except AvahiError, error:
1240
logger.critical(u"AvahiError: %s", error)
2058
1241
sys.exit(1)
2059
1242
except KeyboardInterrupt:
2060
1243
if debug:
2061
print("", file=sys.stderr)
1244
print >> sys.stderr
2062
1245
logger.debug("Server received KeyboardInterrupt")
2063
1246
logger.debug("Server exiting")
2064
# Must run before the D-Bus bus name gets deregistered
2065
cleanup()
2066
2067
1247
2068
1248
if __name__ == '__main__':
2069
1249
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0