257
126
self.rename_count = 0
258
127
self.max_renames = max_renames
259
128
self.protocol = protocol
260
self.group = None # our entry group
263
self.entry_group_state_changed_match = None
264
129
def rename(self):
265
130
"""Derived from the Avahi example code"""
266
131
if self.rename_count >= self.max_renames:
267
logger.critical("No suitable Zeroconf service name found"
268
" after %i retries, exiting.",
132
logger.critical(u"No suitable Zeroconf service name found"
133
u" after %i retries, exiting.",
269
134
self.rename_count)
270
raise AvahiServiceError("Too many renames")
271
self.name = unicode(self.server
272
.GetAlternativeServiceName(self.name))
273
logger.info("Changing Zeroconf service name to %r ...",
135
raise AvahiServiceError(u"Too many renames")
136
self.name = server.GetAlternativeServiceName(self.name)
137
logger.info(u"Changing Zeroconf service name to %r ...",
139
syslogger.setFormatter(logging.Formatter
140
('Mandos (%s): %%(levelname)s:'
141
' %%(message)s' % self.name))
278
except dbus.exceptions.DBusException as error:
279
logger.critical("DBusException: %s", error)
282
144
self.rename_count += 1
283
145
def remove(self):
284
146
"""Derived from the Avahi example code"""
285
if self.entry_group_state_changed_match is not None:
286
self.entry_group_state_changed_match.remove()
287
self.entry_group_state_changed_match = None
288
if self.group is not None:
147
if group is not None:
291
150
"""Derived from the Avahi example code"""
293
if self.group is None:
294
self.group = dbus.Interface(
295
self.bus.get_object(avahi.DBUS_NAME,
296
self.server.EntryGroupNew()),
297
avahi.DBUS_INTERFACE_ENTRY_GROUP)
298
self.entry_group_state_changed_match = (
299
self.group.connect_to_signal(
300
'StateChanged', self.entry_group_state_changed))
301
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
302
self.name, self.type)
303
self.group.AddService(
306
dbus.UInt32(0), # flags
307
self.name, self.type,
308
self.domain, self.host,
309
dbus.UInt16(self.port),
310
avahi.string_array_to_txt_array(self.TXT))
312
def entry_group_state_changed(self, state, error):
313
"""Derived from the Avahi example code"""
314
logger.debug("Avahi entry group state change: %i", state)
316
if state == avahi.ENTRY_GROUP_ESTABLISHED:
317
logger.debug("Zeroconf service established.")
318
elif state == avahi.ENTRY_GROUP_COLLISION:
319
logger.info("Zeroconf service name collision.")
321
elif state == avahi.ENTRY_GROUP_FAILURE:
322
logger.critical("Avahi: Error in group state changed %s",
324
raise AvahiGroupError("State changed: %s"
327
"""Derived from the Avahi example code"""
328
if self.group is not None:
331
except (dbus.exceptions.UnknownMethodException,
332
dbus.exceptions.DBusException):
336
def server_state_changed(self, state, error=None):
337
"""Derived from the Avahi example code"""
338
logger.debug("Avahi server state change: %i", state)
339
bad_states = { avahi.SERVER_INVALID:
340
"Zeroconf server invalid",
341
avahi.SERVER_REGISTERING: None,
342
avahi.SERVER_COLLISION:
343
"Zeroconf server name collision",
344
avahi.SERVER_FAILURE:
345
"Zeroconf server failure" }
346
if state in bad_states:
347
if bad_states[state] is not None:
349
logger.error(bad_states[state])
351
logger.error(bad_states[state] + ": %r", error)
353
elif state == avahi.SERVER_RUNNING:
357
logger.debug("Unknown state: %r", state)
359
logger.debug("Unknown state: %r: %r", state, error)
361
"""Derived from the Avahi example code"""
362
if self.server is None:
363
self.server = dbus.Interface(
364
self.bus.get_object(avahi.DBUS_NAME,
365
avahi.DBUS_PATH_SERVER,
366
follow_name_owner_changes=True),
367
avahi.DBUS_INTERFACE_SERVER)
368
self.server.connect_to_signal("StateChanged",
369
self.server_state_changed)
370
self.server_state_changed(self.server.GetState())
372
class AvahiServiceToSyslog(AvahiService):
374
"""Add the new name to the syslog messages"""
375
ret = AvahiService.rename(self)
376
syslogger.setFormatter(logging.Formatter
377
('Mandos (%s) [%%(process)d]:'
378
' %%(levelname)s: %%(message)s'
382
def timedelta_to_milliseconds(td):
383
"Convert a datetime.timedelta() to milliseconds"
384
return ((td.days * 24 * 60 * 60 * 1000)
385
+ (td.seconds * 1000)
386
+ (td.microseconds // 1000))
388
class Client(object):
153
group = dbus.Interface(bus.get_object
155
server.EntryGroupNew()),
156
avahi.DBUS_INTERFACE_ENTRY_GROUP)
157
group.connect_to_signal('StateChanged',
158
entry_group_state_changed)
159
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
160
service.name, service.type)
162
self.interface, # interface
163
self.protocol, # protocol
164
dbus.UInt32(0), # flags
165
self.name, self.type,
166
self.domain, self.host,
167
dbus.UInt16(self.port),
168
avahi.string_array_to_txt_array(self.TXT))
171
# From the Avahi example code:
172
group = None # our entry group
173
# End of Avahi example code
176
def _datetime_to_dbus(dt, variant_level=0):
177
"""Convert a UTC datetime.datetime() to a D-Bus type."""
178
return dbus.String(dt.isoformat(), variant_level=variant_level)
181
class Client(dbus.service.Object):
389
182
"""A representation of a client host served by this server.
392
approved: bool(); 'None' if not yet approved/disapproved
393
approval_delay: datetime.timedelta(); Time to wait for approval
394
approval_duration: datetime.timedelta(); Duration of one approval
184
name: string; from the config file, used in log messages and
186
fingerprint: string (40 or 32 hexadecimal digits); used to
187
uniquely identify the client
188
secret: bytestring; sent verbatim (over TLS) to client
189
host: string; available for use by the checker command
190
created: datetime.datetime(); (UTC) object creation
191
last_enabled: datetime.datetime(); (UTC)
193
last_checked_ok: datetime.datetime(); (UTC) or None
194
timeout: datetime.timedelta(); How long from last_checked_ok
195
until this client is invalid
196
interval: datetime.timedelta(); How often to start a new checker
197
disable_hook: If set, called by disable() as disable_hook(self)
395
198
checker: subprocess.Popen(); a running checker process used
396
199
to see if the client lives.
397
200
'None' if no process is running.
398
checker_callback_tag: a gobject event source tag, or None
399
checker_command: string; External command which is run to check
400
if client lives. %() expansions are done at
201
checker_initiator_tag: a gobject event source tag, or None
202
disable_initiator_tag: - '' -
203
checker_callback_tag: - '' -
204
checker_command: string; External command which is run to check if
205
client lives. %() expansions are done at
401
206
runtime with vars(self) as dict, so that for
402
207
instance %(name)s can be used in the command.
403
checker_initiator_tag: a gobject event source tag, or None
404
created: datetime.datetime(); (UTC) object creation
405
client_structure: Object describing what attributes a client has
406
and is used for storing the client at exit
407
208
current_checker_command: string; current running checker_command
408
disable_initiator_tag: a gobject event source tag, or None
410
fingerprint: string (40 or 32 hexadecimal digits); used to
411
uniquely identify the client
412
host: string; available for use by the checker command
413
interval: datetime.timedelta(); How often to start a new checker
414
last_approval_request: datetime.datetime(); (UTC) or None
415
last_checked_ok: datetime.datetime(); (UTC) or None
416
last_checker_status: integer between 0 and 255 reflecting exit
417
status of last checker. -1 reflects crashed
418
checker, -2 means no checker completed yet.
419
last_enabled: datetime.datetime(); (UTC) or None
420
name: string; from the config file, used in log messages and
422
secret: bytestring; sent verbatim (over TLS) to client
423
timeout: datetime.timedelta(); How long from last_checked_ok
424
until this client is disabled
425
extended_timeout: extra long timeout when secret has been sent
426
runtime_expansions: Allowed attributes for runtime expansion.
427
expires: datetime.datetime(); time (UTC) when a client will be
209
use_dbus: bool(); Whether to provide D-Bus interface and signals
210
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
431
runtime_expansions = ("approval_delay", "approval_duration",
432
"created", "enabled", "fingerprint",
433
"host", "interval", "last_checked_ok",
434
"last_enabled", "name", "timeout")
435
client_defaults = { "timeout": "5m",
436
"extended_timeout": "15m",
438
"checker": "fping -q -- %%(host)s",
440
"approval_delay": "0s",
441
"approval_duration": "1s",
442
"approved_by_default": "True",
446
212
def timeout_milliseconds(self):
447
213
"Return the 'timeout' attribute in milliseconds"
448
return timedelta_to_milliseconds(self.timeout)
450
def extended_timeout_milliseconds(self):
451
"Return the 'extended_timeout' attribute in milliseconds"
452
return timedelta_to_milliseconds(self.extended_timeout)
214
return ((self.timeout.days * 24 * 60 * 60 * 1000)
215
+ (self.timeout.seconds * 1000)
216
+ (self.timeout.microseconds // 1000))
454
218
def interval_milliseconds(self):
455
219
"Return the 'interval' attribute in milliseconds"
456
return timedelta_to_milliseconds(self.interval)
220
return ((self.interval.days * 24 * 60 * 60 * 1000)
221
+ (self.interval.seconds * 1000)
222
+ (self.interval.microseconds // 1000))
458
def approval_delay_milliseconds(self):
459
return timedelta_to_milliseconds(self.approval_delay)
462
def config_parser(config):
463
"""Construct a new dict of client settings of this form:
464
{ client_name: {setting_name: value, ...}, ...}
465
with exceptions for any special settings as defined above.
466
NOTE: Must be a pure function. Must return the same result
467
value given the same arguments.
470
for client_name in config.sections():
471
section = dict(config.items(client_name))
472
client = settings[client_name] = {}
474
client["host"] = section["host"]
475
# Reformat values from string types to Python types
476
client["approved_by_default"] = config.getboolean(
477
client_name, "approved_by_default")
478
client["enabled"] = config.getboolean(client_name,
481
client["fingerprint"] = (section["fingerprint"].upper()
483
if "secret" in section:
484
client["secret"] = section["secret"].decode("base64")
485
elif "secfile" in section:
486
with open(os.path.expanduser(os.path.expandvars
487
(section["secfile"])),
489
client["secret"] = secfile.read()
491
raise TypeError("No secret or secfile for section %s"
493
client["timeout"] = string_to_delta(section["timeout"])
494
client["extended_timeout"] = string_to_delta(
495
section["extended_timeout"])
496
client["interval"] = string_to_delta(section["interval"])
497
client["approval_delay"] = string_to_delta(
498
section["approval_delay"])
499
client["approval_duration"] = string_to_delta(
500
section["approval_duration"])
501
client["checker_command"] = section["checker"]
502
client["last_approval_request"] = None
503
client["last_checked_ok"] = None
504
client["last_checker_status"] = -2
509
def __init__(self, settings, name = None):
224
def __init__(self, name = None, disable_hook=None, config=None,
510
226
"""Note: the 'checker' key in 'config' sets the
511
227
'checker_command' attribute and *not* the 'checker'
514
# adding all client settings
515
for setting, value in settings.iteritems():
516
setattr(self, setting, value)
519
if not hasattr(self, "last_enabled"):
520
self.last_enabled = datetime.datetime.utcnow()
521
if not hasattr(self, "expires"):
522
self.expires = (datetime.datetime.utcnow()
525
self.last_enabled = None
528
logger.debug("Creating client %r", self.name)
232
logger.debug(u"Creating client %r", self.name)
233
self.use_dbus = False # During __init__
529
234
# Uppercase and remove spaces from fingerprint for later
530
235
# comparison purposes with return value from the fingerprint()
532
logger.debug(" Fingerprint: %s", self.fingerprint)
533
self.created = settings.get("created",
534
datetime.datetime.utcnow())
536
# attributes specific for this server instance
237
self.fingerprint = (config["fingerprint"].upper()
239
logger.debug(u" Fingerprint: %s", self.fingerprint)
240
if "secret" in config:
241
self.secret = config["secret"].decode(u"base64")
242
elif "secfile" in config:
243
with closing(open(os.path.expanduser
245
(config["secfile"])))) as secfile:
246
self.secret = secfile.read()
248
raise TypeError(u"No secret or secfile for client %s"
250
self.host = config.get("host", "")
251
self.created = datetime.datetime.utcnow()
253
self.last_enabled = None
254
self.last_checked_ok = None
255
self.timeout = string_to_delta(config["timeout"])
256
self.interval = string_to_delta(config["interval"])
257
self.disable_hook = disable_hook
537
258
self.checker = None
538
259
self.checker_initiator_tag = None
539
260
self.disable_initiator_tag = None
540
261
self.checker_callback_tag = None
262
self.checker_command = config["checker"]
541
263
self.current_checker_command = None
543
self.approvals_pending = 0
544
self.changedstate = (multiprocessing_manager
545
.Condition(multiprocessing_manager
547
self.client_structure = [attr for attr in
548
self.__dict__.iterkeys()
549
if not attr.startswith("_")]
550
self.client_structure.append("client_structure")
552
for name, t in inspect.getmembers(type(self),
556
if not name.startswith("_"):
557
self.client_structure.append(name)
559
# Send notice to process children that client state has changed
560
def send_changedstate(self):
561
with self.changedstate:
562
self.changedstate.notify_all()
264
self.last_connect = None
265
# Only now, when this client is initialized, can it show up on
267
self.use_dbus = use_dbus
269
self.dbus_object_path = (dbus.ObjectPath
271
+ self.name.replace(".", "_")))
272
dbus.service.Object.__init__(self, bus,
273
self.dbus_object_path)
564
275
def enable(self):
565
276
"""Start this client's checker and timeout hooks"""
566
if getattr(self, "enabled", False):
569
self.send_changedstate()
570
self.expires = datetime.datetime.utcnow() + self.timeout
572
277
self.last_enabled = datetime.datetime.utcnow()
575
def disable(self, quiet=True):
576
"""Disable this client."""
577
if not getattr(self, "enabled", False):
580
self.send_changedstate()
582
logger.info("Disabling client %s", self.name)
583
if getattr(self, "disable_initiator_tag", False):
584
gobject.source_remove(self.disable_initiator_tag)
585
self.disable_initiator_tag = None
587
if getattr(self, "checker_initiator_tag", False):
588
gobject.source_remove(self.checker_initiator_tag)
589
self.checker_initiator_tag = None
592
# Do not run this again if called by a gobject.timeout_add
598
def init_checker(self):
599
278
# Schedule a new checker to be started an 'interval' from now,
600
279
# and every interval from then on.
601
280
self.checker_initiator_tag = (gobject.timeout_add
602
281
(self.interval_milliseconds(),
603
282
self.start_checker))
283
# Also start a new checker *right now*.
604
285
# Schedule a disable() when 'timeout' has passed
605
286
self.disable_initiator_tag = (gobject.timeout_add
606
287
(self.timeout_milliseconds(),
608
# Also start a new checker *right now*.
292
self.PropertyChanged(dbus.String(u"enabled"),
293
dbus.Boolean(True, variant_level=1))
294
self.PropertyChanged(dbus.String(u"last_enabled"),
295
(_datetime_to_dbus(self.last_enabled,
299
"""Disable this client."""
300
if not getattr(self, "enabled", False):
302
logger.info(u"Disabling client %s", self.name)
303
if getattr(self, "disable_initiator_tag", False):
304
gobject.source_remove(self.disable_initiator_tag)
305
self.disable_initiator_tag = None
306
if getattr(self, "checker_initiator_tag", False):
307
gobject.source_remove(self.checker_initiator_tag)
308
self.checker_initiator_tag = None
310
if self.disable_hook:
311
self.disable_hook(self)
315
self.PropertyChanged(dbus.String(u"enabled"),
316
dbus.Boolean(False, variant_level=1))
317
# Do not run this again if called by a gobject.timeout_add
321
self.disable_hook = None
611
324
def checker_callback(self, pid, condition, command):
612
325
"""The checker has completed, so take appropriate actions."""
613
326
self.checker_callback_tag = None
614
327
self.checker = None
330
self.PropertyChanged(dbus.String(u"checker_running"),
331
dbus.Boolean(False, variant_level=1))
615
332
if os.WIFEXITED(condition):
616
self.last_checker_status = os.WEXITSTATUS(condition)
617
if self.last_checker_status == 0:
618
logger.info("Checker for %(name)s succeeded",
333
exitstatus = os.WEXITSTATUS(condition)
335
logger.info(u"Checker for %(name)s succeeded",
620
337
self.checked_ok()
622
logger.info("Checker for %(name)s failed",
339
logger.info(u"Checker for %(name)s failed",
343
self.CheckerCompleted(dbus.Int16(exitstatus),
344
dbus.Int64(condition),
345
dbus.String(command))
625
self.last_checker_status = -1
626
logger.warning("Checker for %(name)s crashed?",
347
logger.warning(u"Checker for %(name)s crashed?",
351
self.CheckerCompleted(dbus.Int16(-1),
352
dbus.Int64(condition),
353
dbus.String(command))
629
355
def checked_ok(self):
630
"""Assert that the client has been seen, alive and well."""
356
"""Bump up the timeout for this client.
357
This should only be called when the client has been seen,
631
360
self.last_checked_ok = datetime.datetime.utcnow()
632
self.last_checker_status = 0
635
def bump_timeout(self, timeout=None):
636
"""Bump up the timeout for this client."""
638
timeout = self.timeout
639
if self.disable_initiator_tag is not None:
640
gobject.source_remove(self.disable_initiator_tag)
641
if getattr(self, "enabled", False):
642
self.disable_initiator_tag = (gobject.timeout_add
643
(timedelta_to_milliseconds
644
(timeout), self.disable))
645
self.expires = datetime.datetime.utcnow() + timeout
647
def need_approval(self):
648
self.last_approval_request = datetime.datetime.utcnow()
361
gobject.source_remove(self.disable_initiator_tag)
362
self.disable_initiator_tag = (gobject.timeout_add
363
(self.timeout_milliseconds(),
367
self.PropertyChanged(
368
dbus.String(u"last_checked_ok"),
369
(_datetime_to_dbus(self.last_checked_ok,
650
372
def start_checker(self):
651
373
"""Start a new checker subprocess if one is not running.
653
374
If a checker already exists, leave it running and do
655
376
# The reason for not killing a running checker is that if we
729
446
self.checker_callback_tag = None
730
447
if getattr(self, "checker", None) is None:
732
logger.debug("Stopping checker for %(name)s", vars(self))
449
logger.debug(u"Stopping checker for %(name)s", vars(self))
734
451
os.kill(self.checker.pid, signal.SIGTERM)
736
453
#if self.checker.poll() is None:
737
454
# os.kill(self.checker.pid, signal.SIGKILL)
738
except OSError as error:
455
except OSError, error:
739
456
if error.errno != errno.ESRCH: # No such process
741
458
self.checker = None
744
def dbus_service_property(dbus_interface, signature="v",
745
access="readwrite", byte_arrays=False):
746
"""Decorators for marking methods of a DBusObjectWithProperties to
747
become properties on the D-Bus.
749
The decorated method will be called with no arguments by "Get"
750
and with one argument by "Set".
752
The parameters, where they are supported, are the same as
753
dbus.service.method, except there is only "signature", since the
754
type from Get() and the type sent to Set() is the same.
756
# Encoding deeply encoded byte arrays is not supported yet by the
757
# "Set" method, so we fail early here:
758
if byte_arrays and signature != "ay":
759
raise ValueError("Byte arrays not supported for non-'ay'"
760
" signature %r" % signature)
762
func._dbus_is_property = True
763
func._dbus_interface = dbus_interface
764
func._dbus_signature = signature
765
func._dbus_access = access
766
func._dbus_name = func.__name__
767
if func._dbus_name.endswith("_dbus_property"):
768
func._dbus_name = func._dbus_name[:-14]
769
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
774
class DBusPropertyException(dbus.exceptions.DBusException):
775
"""A base class for D-Bus property-related exceptions
777
def __unicode__(self):
778
return unicode(str(self))
781
class DBusPropertyAccessException(DBusPropertyException):
782
"""A property's access permissions disallows an operation.
787
class DBusPropertyNotFound(DBusPropertyException):
788
"""An attempt was made to access a non-existing property.
793
class DBusObjectWithProperties(dbus.service.Object):
794
"""A D-Bus object with properties.
796
Classes inheriting from this can use the dbus_service_property
797
decorator to expose methods as D-Bus properties. It exposes the
798
standard Get(), Set(), and GetAll() methods on the D-Bus.
802
def _is_dbus_property(obj):
803
return getattr(obj, "_dbus_is_property", False)
805
def _get_all_dbus_properties(self):
806
"""Returns a generator of (name, attribute) pairs
808
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
809
for cls in self.__class__.__mro__
811
inspect.getmembers(cls, self._is_dbus_property))
813
def _get_dbus_property(self, interface_name, property_name):
814
"""Returns a bound method if one exists which is a D-Bus
815
property with the specified name and interface.
817
for cls in self.__class__.__mro__:
818
for name, value in (inspect.getmembers
819
(cls, self._is_dbus_property)):
820
if (value._dbus_name == property_name
821
and value._dbus_interface == interface_name):
822
return value.__get__(self)
825
raise DBusPropertyNotFound(self.dbus_object_path + ":"
826
+ interface_name + "."
829
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
831
def Get(self, interface_name, property_name):
832
"""Standard D-Bus property Get() method, see D-Bus standard.
834
prop = self._get_dbus_property(interface_name, property_name)
835
if prop._dbus_access == "write":
836
raise DBusPropertyAccessException(property_name)
838
if not hasattr(value, "variant_level"):
840
return type(value)(value, variant_level=value.variant_level+1)
842
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
843
def Set(self, interface_name, property_name, value):
844
"""Standard D-Bus property Set() method, see D-Bus standard.
846
prop = self._get_dbus_property(interface_name, property_name)
847
if prop._dbus_access == "read":
848
raise DBusPropertyAccessException(property_name)
849
if prop._dbus_get_args_options["byte_arrays"]:
850
# The byte_arrays option is not supported yet on
851
# signatures other than "ay".
852
if prop._dbus_signature != "ay":
854
value = dbus.ByteArray(b''.join(chr(byte)
858
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
859
out_signature="a{sv}")
860
def GetAll(self, interface_name):
861
"""Standard D-Bus property GetAll() method, see D-Bus
864
Note: Will not include properties with access="write".
867
for name, prop in self._get_all_dbus_properties():
869
and interface_name != prop._dbus_interface):
870
# Interface non-empty but did not match
872
# Ignore write-only properties
873
if prop._dbus_access == "write":
876
if not hasattr(value, "variant_level"):
877
properties[name] = value
879
properties[name] = type(value)(value, variant_level=
880
value.variant_level+1)
881
return dbus.Dictionary(properties, signature="sv")
883
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
885
path_keyword='object_path',
886
connection_keyword='connection')
887
def Introspect(self, object_path, connection):
888
"""Standard D-Bus method, overloaded to insert property tags.
890
xmlstring = dbus.service.Object.Introspect(self, object_path,
893
document = xml.dom.minidom.parseString(xmlstring)
894
def make_tag(document, name, prop):
895
e = document.createElement("property")
896
e.setAttribute("name", name)
897
e.setAttribute("type", prop._dbus_signature)
898
e.setAttribute("access", prop._dbus_access)
900
for if_tag in document.getElementsByTagName("interface"):
901
for tag in (make_tag(document, name, prop)
903
in self._get_all_dbus_properties()
904
if prop._dbus_interface
905
== if_tag.getAttribute("name")):
906
if_tag.appendChild(tag)
907
# Add the names to the return values for the
908
# "org.freedesktop.DBus.Properties" methods
909
if (if_tag.getAttribute("name")
910
== "org.freedesktop.DBus.Properties"):
911
for cn in if_tag.getElementsByTagName("method"):
912
if cn.getAttribute("name") == "Get":
913
for arg in cn.getElementsByTagName("arg"):
914
if (arg.getAttribute("direction")
916
arg.setAttribute("name", "value")
917
elif cn.getAttribute("name") == "GetAll":
918
for arg in cn.getElementsByTagName("arg"):
919
if (arg.getAttribute("direction")
921
arg.setAttribute("name", "props")
922
xmlstring = document.toxml("utf-8")
924
except (AttributeError, xml.dom.DOMException,
925
xml.parsers.expat.ExpatError) as error:
926
logger.error("Failed to override Introspection method",
931
def datetime_to_dbus (dt, variant_level=0):
932
"""Convert a UTC datetime.datetime() to a D-Bus type."""
934
return dbus.String("", variant_level = variant_level)
935
return dbus.String(dt.isoformat(),
936
variant_level=variant_level)
939
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
941
"""Applied to an empty subclass of a D-Bus object, this metaclass
942
will add additional D-Bus attributes matching a certain pattern.
944
def __new__(mcs, name, bases, attr):
945
# Go through all the base classes which could have D-Bus
946
# methods, signals, or properties in them
947
for base in (b for b in bases
948
if issubclass(b, dbus.service.Object)):
949
# Go though all attributes of the base class
950
for attrname, attribute in inspect.getmembers(base):
951
# Ignore non-D-Bus attributes, and D-Bus attributes
952
# with the wrong interface name
953
if (not hasattr(attribute, "_dbus_interface")
954
or not attribute._dbus_interface
955
.startswith("se.recompile.Mandos")):
957
# Create an alternate D-Bus interface name based on
959
alt_interface = (attribute._dbus_interface
960
.replace("se.recompile.Mandos",
961
"se.bsnet.fukt.Mandos"))
962
# Is this a D-Bus signal?
963
if getattr(attribute, "_dbus_is_signal", False):
964
# Extract the original non-method function by
966
nonmethod_func = (dict(
967
zip(attribute.func_code.co_freevars,
968
attribute.__closure__))["func"]
970
# Create a new, but exactly alike, function
971
# object, and decorate it to be a new D-Bus signal
972
# with the alternate D-Bus interface name
973
new_function = (dbus.service.signal
975
attribute._dbus_signature)
977
nonmethod_func.func_code,
978
nonmethod_func.func_globals,
979
nonmethod_func.func_name,
980
nonmethod_func.func_defaults,
981
nonmethod_func.func_closure)))
982
# Define a creator of a function to call both the
983
# old and new functions, so both the old and new
984
# signals gets sent when the function is called
985
def fixscope(func1, func2):
986
"""This function is a scope container to pass
987
func1 and func2 to the "call_both" function
988
outside of its arguments"""
989
def call_both(*args, **kwargs):
990
"""This function will emit two D-Bus
991
signals by calling func1 and func2"""
992
func1(*args, **kwargs)
993
func2(*args, **kwargs)
995
# Create the "call_both" function and add it to
997
attr[attrname] = fixscope(attribute,
999
# Is this a D-Bus method?
1000
elif getattr(attribute, "_dbus_is_method", False):
1001
# Create a new, but exactly alike, function
1002
# object. Decorate it to be a new D-Bus method
1003
# with the alternate D-Bus interface name. Add it
1005
attr[attrname] = (dbus.service.method
1007
attribute._dbus_in_signature,
1008
attribute._dbus_out_signature)
1010
(attribute.func_code,
1011
attribute.func_globals,
1012
attribute.func_name,
1013
attribute.func_defaults,
1014
attribute.func_closure)))
1015
# Is this a D-Bus property?
1016
elif getattr(attribute, "_dbus_is_property", False):
1017
# Create a new, but exactly alike, function
1018
# object, and decorate it to be a new D-Bus
1019
# property with the alternate D-Bus interface
1020
# name. Add it to the class.
1021
attr[attrname] = (dbus_service_property
1023
attribute._dbus_signature,
1024
attribute._dbus_access,
1026
._dbus_get_args_options
1029
(attribute.func_code,
1030
attribute.func_globals,
1031
attribute.func_name,
1032
attribute.func_defaults,
1033
attribute.func_closure)))
1034
return type.__new__(mcs, name, bases, attr)
1037
class ClientDBus(Client, DBusObjectWithProperties):
1038
"""A Client class using D-Bus
1041
dbus_object_path: dbus.ObjectPath
1042
bus: dbus.SystemBus()
1045
runtime_expansions = (Client.runtime_expansions
1046
+ ("dbus_object_path",))
1048
# dbus.service.Object doesn't use super(), so we can't either.
1050
def __init__(self, bus = None, *args, **kwargs):
1052
Client.__init__(self, *args, **kwargs)
1053
# Only now, when this client is initialized, can it show up on
1055
client_object_name = unicode(self.name).translate(
1056
{ord("."): ord("_"),
1057
ord("-"): ord("_")})
1058
self.dbus_object_path = (dbus.ObjectPath
1059
("/clients/" + client_object_name))
1060
DBusObjectWithProperties.__init__(self, self.bus,
1061
self.dbus_object_path)
1063
def notifychangeproperty(transform_func,
1064
dbus_name, type_func=lambda x: x,
1066
""" Modify a variable so that it's a property which announces
1067
its changes to DBus.
1069
transform_fun: Function that takes a value and a variant_level
1070
and transforms it to a D-Bus type.
1071
dbus_name: D-Bus name of the variable
1072
type_func: Function that transform the value before sending it
1073
to the D-Bus. Default: no transform
1074
variant_level: D-Bus variant level. Default: 1
1076
attrname = "_{0}".format(dbus_name)
1077
def setter(self, value):
1078
if hasattr(self, "dbus_object_path"):
1079
if (not hasattr(self, attrname) or
1080
type_func(getattr(self, attrname, None))
1081
!= type_func(value)):
1082
dbus_value = transform_func(type_func(value),
1085
self.PropertyChanged(dbus.String(dbus_name),
1087
setattr(self, attrname, value)
1089
return property(lambda self: getattr(self, attrname), setter)
1092
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1093
approvals_pending = notifychangeproperty(dbus.Boolean,
1096
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1097
last_enabled = notifychangeproperty(datetime_to_dbus,
1099
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1100
type_func = lambda checker:
1101
checker is not None)
1102
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1104
last_checker_status = notifychangeproperty(dbus.Int16,
1105
"LastCheckerStatus")
1106
last_approval_request = notifychangeproperty(
1107
datetime_to_dbus, "LastApprovalRequest")
1108
approved_by_default = notifychangeproperty(dbus.Boolean,
1109
"ApprovedByDefault")
1110
approval_delay = notifychangeproperty(dbus.UInt64,
1113
timedelta_to_milliseconds)
1114
approval_duration = notifychangeproperty(
1115
dbus.UInt64, "ApprovalDuration",
1116
type_func = timedelta_to_milliseconds)
1117
host = notifychangeproperty(dbus.String, "Host")
1118
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1120
timedelta_to_milliseconds)
1121
extended_timeout = notifychangeproperty(
1122
dbus.UInt64, "ExtendedTimeout",
1123
type_func = timedelta_to_milliseconds)
1124
interval = notifychangeproperty(dbus.UInt64,
1127
timedelta_to_milliseconds)
1128
checker_command = notifychangeproperty(dbus.String, "Checker")
1130
del notifychangeproperty
1132
def __del__(self, *args, **kwargs):
1134
self.remove_from_connection()
1137
if hasattr(DBusObjectWithProperties, "__del__"):
1138
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1139
Client.__del__(self, *args, **kwargs)
1141
def checker_callback(self, pid, condition, command,
1143
self.checker_callback_tag = None
1145
if os.WIFEXITED(condition):
1146
exitstatus = os.WEXITSTATUS(condition)
1148
self.CheckerCompleted(dbus.Int16(exitstatus),
1149
dbus.Int64(condition),
1150
dbus.String(command))
1153
self.CheckerCompleted(dbus.Int16(-1),
1154
dbus.Int64(condition),
1155
dbus.String(command))
1157
return Client.checker_callback(self, pid, condition, command,
1160
def start_checker(self, *args, **kwargs):
1161
old_checker = self.checker
1162
if self.checker is not None:
1163
old_checker_pid = self.checker.pid
1165
old_checker_pid = None
1166
r = Client.start_checker(self, *args, **kwargs)
1167
# Only if new checker process was started
1168
if (self.checker is not None
1169
and old_checker_pid != self.checker.pid):
1171
self.CheckerStarted(self.current_checker_command)
1174
def _reset_approved(self):
1175
self.approved = None
1178
def approve(self, value=True):
1179
self.send_changedstate()
1180
self.approved = value
1181
gobject.timeout_add(timedelta_to_milliseconds
1182
(self.approval_duration),
1183
self._reset_approved)
1186
## D-Bus methods, signals & properties
1187
_interface = "se.recompile.Mandos.Client"
460
self.PropertyChanged(dbus.String(u"checker_running"),
461
dbus.Boolean(False, variant_level=1))
463
def still_valid(self):
464
"""Has the timeout not yet passed for this client?"""
465
if not getattr(self, "enabled", False):
467
now = datetime.datetime.utcnow()
468
if self.last_checked_ok is None:
469
return now < (self.created + self.timeout)
471
return now < (self.last_checked_ok + self.timeout)
473
## D-Bus methods & signals
474
_interface = u"se.bsnet.fukt.Mandos.Client"
477
CheckedOK = dbus.service.method(_interface)(checked_ok)
478
CheckedOK.__name__ = "CheckedOK"
1191
480
# CheckerCompleted - signal
1192
481
@dbus.service.signal(_interface, signature="nxs")
1260
605
# StopChecker - method
1261
@dbus.service.method(_interface)
1262
def StopChecker(self):
1267
# ApprovalPending - property
1268
@dbus_service_property(_interface, signature="b", access="read")
1269
def ApprovalPending_dbus_property(self):
1270
return dbus.Boolean(bool(self.approvals_pending))
1272
# ApprovedByDefault - property
1273
@dbus_service_property(_interface, signature="b",
1275
def ApprovedByDefault_dbus_property(self, value=None):
1276
if value is None: # get
1277
return dbus.Boolean(self.approved_by_default)
1278
self.approved_by_default = bool(value)
1280
# ApprovalDelay - property
1281
@dbus_service_property(_interface, signature="t",
1283
def ApprovalDelay_dbus_property(self, value=None):
1284
if value is None: # get
1285
return dbus.UInt64(self.approval_delay_milliseconds())
1286
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1288
# ApprovalDuration - property
1289
@dbus_service_property(_interface, signature="t",
1291
def ApprovalDuration_dbus_property(self, value=None):
1292
if value is None: # get
1293
return dbus.UInt64(timedelta_to_milliseconds(
1294
self.approval_duration))
1295
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1298
@dbus_service_property(_interface, signature="s", access="read")
1299
def Name_dbus_property(self):
1300
return dbus.String(self.name)
1302
# Fingerprint - property
1303
@dbus_service_property(_interface, signature="s", access="read")
1304
def Fingerprint_dbus_property(self):
1305
return dbus.String(self.fingerprint)
1308
@dbus_service_property(_interface, signature="s",
1310
def Host_dbus_property(self, value=None):
1311
if value is None: # get
1312
return dbus.String(self.host)
1313
self.host = unicode(value)
1315
# Created - property
1316
@dbus_service_property(_interface, signature="s", access="read")
1317
def Created_dbus_property(self):
1318
return datetime_to_dbus(self.created)
1320
# LastEnabled - property
1321
@dbus_service_property(_interface, signature="s", access="read")
1322
def LastEnabled_dbus_property(self):
1323
return datetime_to_dbus(self.last_enabled)
1325
# Enabled - property
1326
@dbus_service_property(_interface, signature="b",
1328
def Enabled_dbus_property(self, value=None):
1329
if value is None: # get
1330
return dbus.Boolean(self.enabled)
1336
# LastCheckedOK - property
1337
@dbus_service_property(_interface, signature="s",
1339
def LastCheckedOK_dbus_property(self, value=None):
1340
if value is not None:
1343
return datetime_to_dbus(self.last_checked_ok)
1345
# LastCheckerStatus - property
1346
@dbus_service_property(_interface, signature="n",
1348
def LastCheckerStatus_dbus_property(self):
1349
return dbus.Int16(self.last_checker_status)
1351
# Expires - property
1352
@dbus_service_property(_interface, signature="s", access="read")
1353
def Expires_dbus_property(self):
1354
return datetime_to_dbus(self.expires)
1356
# LastApprovalRequest - property
1357
@dbus_service_property(_interface, signature="s", access="read")
1358
def LastApprovalRequest_dbus_property(self):
1359
return datetime_to_dbus(self.last_approval_request)
1361
# Timeout - property
1362
@dbus_service_property(_interface, signature="t",
1364
def Timeout_dbus_property(self, value=None):
1365
if value is None: # get
1366
return dbus.UInt64(self.timeout_milliseconds())
1367
self.timeout = datetime.timedelta(0, 0, 0, value)
1368
# Reschedule timeout
1370
now = datetime.datetime.utcnow()
1371
time_to_die = timedelta_to_milliseconds(
1372
(self.last_checked_ok + self.timeout) - now)
1373
if time_to_die <= 0:
1374
# The timeout has passed
1377
self.expires = (now +
1378
datetime.timedelta(milliseconds =
1380
if (getattr(self, "disable_initiator_tag", None)
1383
gobject.source_remove(self.disable_initiator_tag)
1384
self.disable_initiator_tag = (gobject.timeout_add
1388
# ExtendedTimeout - property
1389
@dbus_service_property(_interface, signature="t",
1391
def ExtendedTimeout_dbus_property(self, value=None):
1392
if value is None: # get
1393
return dbus.UInt64(self.extended_timeout_milliseconds())
1394
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1396
# Interval - property
1397
@dbus_service_property(_interface, signature="t",
1399
def Interval_dbus_property(self, value=None):
1400
if value is None: # get
1401
return dbus.UInt64(self.interval_milliseconds())
1402
self.interval = datetime.timedelta(0, 0, 0, value)
1403
if getattr(self, "checker_initiator_tag", None) is None:
1406
# Reschedule checker run
1407
gobject.source_remove(self.checker_initiator_tag)
1408
self.checker_initiator_tag = (gobject.timeout_add
1409
(value, self.start_checker))
1410
self.start_checker() # Start one now, too
1412
# Checker - property
1413
@dbus_service_property(_interface, signature="s",
1415
def Checker_dbus_property(self, value=None):
1416
if value is None: # get
1417
return dbus.String(self.checker_command)
1418
self.checker_command = unicode(value)
1420
# CheckerRunning - property
1421
@dbus_service_property(_interface, signature="b",
1423
def CheckerRunning_dbus_property(self, value=None):
1424
if value is None: # get
1425
return dbus.Boolean(self.checker is not None)
1427
self.start_checker()
1431
# ObjectPath - property
1432
@dbus_service_property(_interface, signature="o", access="read")
1433
def ObjectPath_dbus_property(self):
1434
return self.dbus_object_path # is already a dbus.ObjectPath
1437
@dbus_service_property(_interface, signature="ay",
1438
access="write", byte_arrays=True)
1439
def Secret_dbus_property(self, value):
1440
self.secret = str(value)
606
StopChecker = dbus.service.method(_interface)(stop_checker)
607
StopChecker.__name__ = "StopChecker"
1445
class ProxyClient(object):
1446
def __init__(self, child_pipe, fpr, address):
1447
self._pipe = child_pipe
1448
self._pipe.send(('init', fpr, address))
1449
if not self._pipe.recv():
1452
def __getattribute__(self, name):
1454
return super(ProxyClient, self).__getattribute__(name)
1455
self._pipe.send(('getattr', name))
1456
data = self._pipe.recv()
1457
if data[0] == 'data':
1459
if data[0] == 'function':
1460
def func(*args, **kwargs):
1461
self._pipe.send(('funcall', name, args, kwargs))
1462
return self._pipe.recv()[1]
1465
def __setattr__(self, name, value):
1467
return super(ProxyClient, self).__setattr__(name, value)
1468
self._pipe.send(('setattr', name, value))
1471
class ClientDBusTransitional(ClientDBus):
1472
__metaclass__ = AlternateDBusNamesMetaclass
1475
class ClientHandler(socketserver.BaseRequestHandler, object):
1476
"""A class to handle client connections.
1478
Instantiated once for each connection to handle it.
612
def peer_certificate(session):
613
"Return the peer's OpenPGP certificate as a bytestring"
614
# If not an OpenPGP certificate...
615
if (gnutls.library.functions
616
.gnutls_certificate_type_get(session._c_object)
617
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
618
# ...do the normal thing
619
return session.peer_certificate
620
list_size = ctypes.c_uint(1)
621
cert_list = (gnutls.library.functions
622
.gnutls_certificate_get_peers
623
(session._c_object, ctypes.byref(list_size)))
624
if not bool(cert_list) and list_size.value != 0:
625
raise gnutls.errors.GNUTLSError("error getting peer"
627
if list_size.value == 0:
630
return ctypes.string_at(cert.data, cert.size)
633
def fingerprint(openpgp):
634
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
635
# New GnuTLS "datum" with the OpenPGP public key
636
datum = (gnutls.library.types
637
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
640
ctypes.c_uint(len(openpgp))))
641
# New empty GnuTLS certificate
642
crt = gnutls.library.types.gnutls_openpgp_crt_t()
643
(gnutls.library.functions
644
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
645
# Import the OpenPGP public key into the certificate
646
(gnutls.library.functions
647
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
648
gnutls.library.constants
649
.GNUTLS_OPENPGP_FMT_RAW))
650
# Verify the self signature in the key
651
crtverify = ctypes.c_uint()
652
(gnutls.library.functions
653
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
654
if crtverify.value != 0:
655
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
656
raise gnutls.errors.CertificateSecurityError("Verify failed")
657
# New buffer for the fingerprint
658
buf = ctypes.create_string_buffer(20)
659
buf_len = ctypes.c_size_t()
660
# Get the fingerprint from the certificate into the buffer
661
(gnutls.library.functions
662
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
663
ctypes.byref(buf_len)))
664
# Deinit the certificate
665
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
666
# Convert the buffer to a Python bytestring
667
fpr = ctypes.string_at(buf, buf_len.value)
668
# Convert the bytestring to hexadecimal notation
669
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
673
class TCP_handler(SocketServer.BaseRequestHandler, object):
674
"""A TCP request handler class.
675
Instantiated by IPv6_TCPServer for each request to handle it.
1479
676
Note: This will run in its own forked process."""
1481
678
def handle(self):
1482
with contextlib.closing(self.server.child_pipe) as child_pipe:
1483
logger.info("TCP connection from: %s",
1484
unicode(self.client_address))
1485
logger.debug("Pipe FD: %d",
1486
self.server.child_pipe.fileno())
1488
session = (gnutls.connection
1489
.ClientSession(self.request,
1491
.X509Credentials()))
1493
# Note: gnutls.connection.X509Credentials is really a
1494
# generic GnuTLS certificate credentials object so long as
1495
# no X.509 keys are added to it. Therefore, we can use it
1496
# here despite using OpenPGP certificates.
1498
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1499
# "+AES-256-CBC", "+SHA1",
1500
# "+COMP-NULL", "+CTYPE-OPENPGP",
1502
# Use a fallback default, since this MUST be set.
1503
priority = self.server.gnutls_priority
1504
if priority is None:
1506
(gnutls.library.functions
1507
.gnutls_priority_set_direct(session._c_object,
1510
# Start communication using the Mandos protocol
1511
# Get protocol number
1512
line = self.request.makefile().readline()
1513
logger.debug("Protocol version: %r", line)
1515
if int(line.strip().split()[0]) > 1:
1517
except (ValueError, IndexError, RuntimeError) as error:
1518
logger.error("Unknown protocol version: %s", error)
1521
# Start GnuTLS connection
1524
except gnutls.errors.GNUTLSError as error:
1525
logger.warning("Handshake failed: %s", error)
1526
# Do not run session.bye() here: the session is not
1527
# established. Just abandon the request.
1529
logger.debug("Handshake succeeded")
1531
approval_required = False
1534
fpr = self.fingerprint(self.peer_certificate
1537
gnutls.errors.GNUTLSError) as error:
1538
logger.warning("Bad certificate: %s", error)
1540
logger.debug("Fingerprint: %s", fpr)
1543
client = ProxyClient(child_pipe, fpr,
1544
self.client_address)
1548
if client.approval_delay:
1549
delay = client.approval_delay
1550
client.approvals_pending += 1
1551
approval_required = True
1554
if not client.enabled:
1555
logger.info("Client %s is disabled",
1557
if self.server.use_dbus:
1559
client.Rejected("Disabled")
1562
if client.approved or not client.approval_delay:
1563
#We are approved or approval is disabled
1565
elif client.approved is None:
1566
logger.info("Client %s needs approval",
1568
if self.server.use_dbus:
1570
client.NeedApproval(
1571
client.approval_delay_milliseconds(),
1572
client.approved_by_default)
1574
logger.warning("Client %s was not approved",
1576
if self.server.use_dbus:
1578
client.Rejected("Denied")
1581
#wait until timeout or approved
1582
time = datetime.datetime.now()
1583
client.changedstate.acquire()
1584
(client.changedstate.wait
1585
(float(client.timedelta_to_milliseconds(delay)
1587
client.changedstate.release()
1588
time2 = datetime.datetime.now()
1589
if (time2 - time) >= delay:
1590
if not client.approved_by_default:
1591
logger.warning("Client %s timed out while"
1592
" waiting for approval",
1594
if self.server.use_dbus:
1596
client.Rejected("Approval timed out")
1601
delay -= time2 - time
1604
while sent_size < len(client.secret):
1606
sent = session.send(client.secret[sent_size:])
1607
except gnutls.errors.GNUTLSError as error:
1608
logger.warning("gnutls send failed")
1610
logger.debug("Sent: %d, remaining: %d",
1611
sent, len(client.secret)
1612
- (sent_size + sent))
1615
logger.info("Sending secret to %s", client.name)
1616
# bump the timeout using extended_timeout
1617
client.bump_timeout(client.extended_timeout)
1618
if self.server.use_dbus:
1623
if approval_required:
1624
client.approvals_pending -= 1
1627
except gnutls.errors.GNUTLSError as error:
1628
logger.warning("GnuTLS bye failed")
1631
def peer_certificate(session):
1632
"Return the peer's OpenPGP certificate as a bytestring"
1633
# If not an OpenPGP certificate...
1634
if (gnutls.library.functions
1635
.gnutls_certificate_type_get(session._c_object)
1636
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1637
# ...do the normal thing
1638
return session.peer_certificate
1639
list_size = ctypes.c_uint(1)
1640
cert_list = (gnutls.library.functions
1641
.gnutls_certificate_get_peers
1642
(session._c_object, ctypes.byref(list_size)))
1643
if not bool(cert_list) and list_size.value != 0:
1644
raise gnutls.errors.GNUTLSError("error getting peer"
1646
if list_size.value == 0:
1649
return ctypes.string_at(cert.data, cert.size)
1652
def fingerprint(openpgp):
1653
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1654
# New GnuTLS "datum" with the OpenPGP public key
1655
datum = (gnutls.library.types
1656
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1659
ctypes.c_uint(len(openpgp))))
1660
# New empty GnuTLS certificate
1661
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1662
(gnutls.library.functions
1663
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1664
# Import the OpenPGP public key into the certificate
1665
(gnutls.library.functions
1666
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1667
gnutls.library.constants
1668
.GNUTLS_OPENPGP_FMT_RAW))
1669
# Verify the self signature in the key
1670
crtverify = ctypes.c_uint()
1671
(gnutls.library.functions
1672
.gnutls_openpgp_crt_verify_self(crt, 0,
1673
ctypes.byref(crtverify)))
1674
if crtverify.value != 0:
1675
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1676
raise (gnutls.errors.CertificateSecurityError
1678
# New buffer for the fingerprint
1679
buf = ctypes.create_string_buffer(20)
1680
buf_len = ctypes.c_size_t()
1681
# Get the fingerprint from the certificate into the buffer
1682
(gnutls.library.functions
1683
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1684
ctypes.byref(buf_len)))
1685
# Deinit the certificate
1686
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1687
# Convert the buffer to a Python bytestring
1688
fpr = ctypes.string_at(buf, buf_len.value)
1689
# Convert the bytestring to hexadecimal notation
1690
hex_fpr = binascii.hexlify(fpr).upper()
1694
class MultiprocessingMixIn(object):
1695
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1696
def sub_process_main(self, request, address):
1698
self.finish_request(request, address)
1700
self.handle_error(request, address)
1701
self.close_request(request)
1703
def process_request(self, request, address):
1704
"""Start a new process to process the request."""
1705
proc = multiprocessing.Process(target = self.sub_process_main,
1712
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1713
""" adds a pipe to the MixIn """
1714
def process_request(self, request, client_address):
1715
"""Overrides and wraps the original process_request().
1717
This function creates a new pipe in self.pipe
1719
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1721
proc = MultiprocessingMixIn.process_request(self, request,
1723
self.child_pipe.close()
1724
self.add_pipe(parent_pipe, proc)
1726
def add_pipe(self, parent_pipe, proc):
1727
"""Dummy function; override as necessary"""
1728
raise NotImplementedError
1731
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1732
socketserver.TCPServer, object):
679
logger.info(u"TCP connection from: %s",
680
unicode(self.client_address))
681
session = (gnutls.connection
682
.ClientSession(self.request,
686
line = self.request.makefile().readline()
687
logger.debug(u"Protocol version: %r", line)
689
if int(line.strip().split()[0]) > 1:
691
except (ValueError, IndexError, RuntimeError), error:
692
logger.error(u"Unknown protocol version: %s", error)
695
# Note: gnutls.connection.X509Credentials is really a generic
696
# GnuTLS certificate credentials object so long as no X.509
697
# keys are added to it. Therefore, we can use it here despite
698
# using OpenPGP certificates.
700
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
701
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
703
# Use a fallback default, since this MUST be set.
704
priority = self.server.settings.get("priority", "NORMAL")
705
(gnutls.library.functions
706
.gnutls_priority_set_direct(session._c_object,
711
except gnutls.errors.GNUTLSError, error:
712
logger.warning(u"Handshake failed: %s", error)
713
# Do not run session.bye() here: the session is not
714
# established. Just abandon the request.
716
logger.debug(u"Handshake succeeded")
718
fpr = fingerprint(peer_certificate(session))
719
except (TypeError, gnutls.errors.GNUTLSError), error:
720
logger.warning(u"Bad certificate: %s", error)
723
logger.debug(u"Fingerprint: %s", fpr)
725
for c in self.server.clients:
726
if c.fingerprint == fpr:
730
logger.warning(u"Client not found for fingerprint: %s",
734
# Have to check if client.still_valid(), since it is possible
735
# that the client timed out while establishing the GnuTLS
737
if not client.still_valid():
738
logger.warning(u"Client %(name)s is invalid",
742
## This won't work here, since we're in a fork.
743
# client.checked_ok()
745
while sent_size < len(client.secret):
746
sent = session.send(client.secret[sent_size:])
747
logger.debug(u"Sent: %d, remaining: %d",
748
sent, len(client.secret)
749
- (sent_size + sent))
754
class IPv6_TCPServer(SocketServer.ForkingMixIn,
755
SocketServer.TCPServer, object):
1733
756
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
758
settings: Server settings
759
clients: Set() of Client objects
1736
760
enabled: Boolean; whether this server is activated yet
1737
interface: None or a network interface name (string)
1738
use_ipv6: Boolean; to use IPv6 or not
1740
def __init__(self, server_address, RequestHandlerClass,
1741
interface=None, use_ipv6=True):
1742
self.interface = interface
1744
self.address_family = socket.AF_INET6
1745
socketserver.TCPServer.__init__(self, server_address,
1746
RequestHandlerClass)
762
address_family = socket.AF_INET6
763
def __init__(self, *args, **kwargs):
764
if "settings" in kwargs:
765
self.settings = kwargs["settings"]
766
del kwargs["settings"]
767
if "clients" in kwargs:
768
self.clients = kwargs["clients"]
769
del kwargs["clients"]
770
if "use_ipv6" in kwargs:
771
if not kwargs["use_ipv6"]:
772
self.address_family = socket.AF_INET
773
del kwargs["use_ipv6"]
775
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1747
776
def server_bind(self):
1748
777
"""This overrides the normal server_bind() function
1749
778
to bind to an interface if one was specified, and also NOT to
1750
779
bind to an address or port if they were not specified."""
1751
if self.interface is not None:
1752
if SO_BINDTODEVICE is None:
1753
logger.error("SO_BINDTODEVICE does not exist;"
1754
" cannot bind to interface %s",
1758
self.socket.setsockopt(socket.SOL_SOCKET,
1762
except socket.error as error:
1763
if error[0] == errno.EPERM:
1764
logger.error("No permission to"
1765
" bind to interface %s",
1767
elif error[0] == errno.ENOPROTOOPT:
1768
logger.error("SO_BINDTODEVICE not available;"
1769
" cannot bind to interface %s",
780
if self.settings["interface"]:
781
# 25 is from /usr/include/asm-i486/socket.h
782
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
784
self.socket.setsockopt(socket.SOL_SOCKET,
786
self.settings["interface"])
787
except socket.error, error:
788
if error[0] == errno.EPERM:
789
logger.error(u"No permission to"
790
u" bind to interface %s",
791
self.settings["interface"])
1773
794
# Only bind(2) the socket if we really need to.
1774
795
if self.server_address[0] or self.server_address[1]:
1775
796
if not self.server_address[0]:
2155
1072
(gnutls.library.functions
2156
1073
.gnutls_global_set_log_function(debug_gnutls))
2158
# Redirect stdin so all checkers get /dev/null
2159
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2160
os.dup2(null, sys.stdin.fileno())
2164
# Need to fork before connecting to D-Bus
2166
# Close all input and output, do double fork, etc.
2169
gobject.threads_init()
1076
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1077
service = AvahiService(name = server_settings["servicename"],
1078
servicetype = "_mandos._tcp",
1079
protocol = protocol)
1080
if server_settings["interface"]:
1081
service.interface = (if_nametoindex
1082
(server_settings["interface"]))
2171
1084
global main_loop
2172
1087
# From the Avahi example code
2173
1088
DBusGMainLoop(set_as_default=True )
2174
1089
main_loop = gobject.MainLoop()
2175
1090
bus = dbus.SystemBus()
1091
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1092
avahi.DBUS_PATH_SERVER),
1093
avahi.DBUS_INTERFACE_SERVER)
2176
1094
# End of Avahi example code
2179
bus_name = dbus.service.BusName("se.recompile.Mandos",
2180
bus, do_not_queue=True)
2181
old_bus_name = (dbus.service.BusName
2182
("se.bsnet.fukt.Mandos", bus,
2184
except dbus.exceptions.NameExistsException as e:
2185
logger.error(unicode(e) + ", disabling D-Bus")
2187
server_settings["use_dbus"] = False
2188
tcp_server.use_dbus = False
2189
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2190
service = AvahiServiceToSyslog(name =
2191
server_settings["servicename"],
2192
servicetype = "_mandos._tcp",
2193
protocol = protocol, bus = bus)
2194
if server_settings["interface"]:
2195
service.interface = (if_nametoindex
2196
(str(server_settings["interface"])))
2198
global multiprocessing_manager
2199
multiprocessing_manager = multiprocessing.Manager()
2201
client_class = Client
2203
client_class = functools.partial(ClientDBusTransitional,
2206
client_settings = Client.config_parser(client_config)
2207
old_client_settings = {}
2210
# Get client data and settings from last running state.
2211
if server_settings["restore"]:
2213
with open(stored_state_path, "rb") as stored_state:
2214
clients_data, old_client_settings = (pickle.load
2216
os.remove(stored_state_path)
2217
except IOError as e:
2218
logger.warning("Could not load persistent state: {0}"
2220
if e.errno != errno.ENOENT:
2222
except EOFError as e:
2223
logger.warning("Could not load persistent state: "
2224
"EOFError: {0}".format(e))
2226
with PGPEngine() as pgp:
2227
for client_name, client in clients_data.iteritems():
2228
# Decide which value to use after restoring saved state.
2229
# We have three different values: Old config file,
2230
# new config file, and saved state.
2231
# New config value takes precedence if it differs from old
2232
# config value, otherwise use saved state.
2233
for name, value in client_settings[client_name].items():
2235
# For each value in new config, check if it
2236
# differs from the old config value (Except for
2237
# the "secret" attribute)
2238
if (name != "secret" and
2239
value != old_client_settings[client_name]
2241
client[name] = value
2245
# Clients who has passed its expire date can still be
2246
# enabled if its last checker was successful. Clients
2247
# whose checker succeeded before we stored its state is
2248
# assumed to have successfully run all checkers during
2250
if client["enabled"]:
2251
if datetime.datetime.utcnow() >= client["expires"]:
2252
if not client["last_checked_ok"]:
2254
"disabling client {0} - Client never "
2255
"performed a successful checker"
2256
.format(client_name))
2257
client["enabled"] = False
2258
elif client["last_checker_status"] != 0:
2260
"disabling client {0} - Client "
2261
"last checker failed with error code {1}"
2262
.format(client_name,
2263
client["last_checker_status"]))
2264
client["enabled"] = False
2266
client["expires"] = (datetime.datetime
2268
+ client["timeout"])
2269
logger.debug("Last checker succeeded,"
2270
" keeping {0} enabled"
2271
.format(client_name))
2273
client["secret"] = (
2274
pgp.decrypt(client["encrypted_secret"],
2275
client_settings[client_name]
2278
# If decryption fails, we use secret from new settings
2279
logger.debug("Failed to decrypt {0} old secret"
2280
.format(client_name))
2281
client["secret"] = (
2282
client_settings[client_name]["secret"])
2285
# Add/remove clients based on new changes made to config
2286
for client_name in (set(old_client_settings)
2287
- set(client_settings)):
2288
del clients_data[client_name]
2289
for client_name in (set(client_settings)
2290
- set(old_client_settings)):
2291
clients_data[client_name] = client_settings[client_name]
2293
# Create all client objects
2294
for client_name, client in clients_data.iteritems():
2295
tcp_server.clients[client_name] = client_class(
2296
name = client_name, settings = client)
2298
if not tcp_server.clients:
2299
logger.warning("No clients defined")
1096
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1098
clients.update(Set(Client(name = section,
1100
= dict(client_config.items(section)),
1101
use_dbus = use_dbus)
1102
for section in client_config.sections()))
1104
logger.warning(u"No clients defined")
1107
# Redirect stdin so all checkers get /dev/null
1108
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1109
os.dup2(null, sys.stdin.fileno())
1113
# No console logging
1114
logger.removeHandler(console)
1115
# Close all input and output, do double fork, etc.
1120
pidfile.write(str(pid) + "\n")
1124
logger.error(u"Could not write to file %r with PID %d",
1127
# "pidfile" was never created
1132
"Cleanup function; run on exit"
1134
# From the Avahi example code
1135
if not group is None:
1138
# End of Avahi example code
1141
client = clients.pop()
1142
client.disable_hook = None
1145
atexit.register(cleanup)
2305
pidfile.write(str(pid) + "\n".encode("utf-8"))
2308
logger.error("Could not write to file %r with PID %d",
2311
# "pidfile" was never created
2314
1148
signal.signal(signal.SIGINT, signal.SIG_IGN)
2316
1149
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2317
1150
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2320
class MandosDBusService(dbus.service.Object):
1153
class MandosServer(dbus.service.Object):
2321
1154
"""A D-Bus proxy object"""
2322
1155
def __init__(self):
2323
1156
dbus.service.Object.__init__(self, bus, "/")
2324
_interface = "se.recompile.Mandos"
2326
@dbus.service.signal(_interface, signature="o")
2327
def ClientAdded(self, objpath):
2331
@dbus.service.signal(_interface, signature="ss")
2332
def ClientNotFound(self, fingerprint, address):
1157
_interface = u"se.bsnet.fukt.Mandos"
1159
@dbus.service.signal(_interface, signature="oa{sv}")
1160
def ClientAdded(self, objpath, properties):