296
230
if config is None:
298
232
logger.debug(u"Creating client %r", self.name)
233
self.use_dbus = False # During __init__
299
234
# Uppercase and remove spaces from fingerprint for later
300
235
# comparison purposes with return value from the fingerprint()
302
self.fingerprint = (config[u"fingerprint"].upper()
237
self.fingerprint = (config["fingerprint"].upper()
303
238
.replace(u" ", u""))
304
239
logger.debug(u" Fingerprint: %s", self.fingerprint)
305
if u"secret" in config:
306
self.secret = config[u"secret"].decode(u"base64")
307
elif u"secfile" in config:
308
with open(os.path.expanduser(os.path.expandvars
309
(config[u"secfile"])),
240
if "secret" in config:
241
self.secret = config["secret"].decode(u"base64")
242
elif "secfile" in config:
243
with closing(open(os.path.expanduser
245
(config["secfile"])))) as secfile:
311
246
self.secret = secfile.read()
313
248
raise TypeError(u"No secret or secfile for client %s"
315
self.host = config.get(u"host", u"")
250
self.host = config.get("host", "")
316
251
self.created = datetime.datetime.utcnow()
317
252
self.enabled = False
318
253
self.last_enabled = None
319
254
self.last_checked_ok = None
320
self.timeout = string_to_delta(config[u"timeout"])
321
self.interval = string_to_delta(config[u"interval"])
255
self.timeout = string_to_delta(config["timeout"])
256
self.interval = string_to_delta(config["interval"])
322
257
self.disable_hook = disable_hook
323
258
self.checker = None
324
259
self.checker_initiator_tag = None
325
260
self.disable_initiator_tag = None
326
261
self.checker_callback_tag = None
327
self.checker_command = config[u"checker"]
262
self.checker_command = config["checker"]
328
263
self.current_checker_command = None
329
264
self.last_connect = None
330
self._approved = None
331
self.approved_by_default = config.get(u"approved_by_default",
333
self.approvals_pending = 0
334
self.approved_delay = string_to_delta(
335
config[u"approved_delay"])
336
self.approved_duration = string_to_delta(
337
config[u"approved_duration"])
338
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
265
# Only now, when this client is initialized, can it show up on
267
self.use_dbus = use_dbus
269
self.dbus_object_path = (dbus.ObjectPath
271
+ self.name.replace(".", "_")))
272
dbus.service.Object.__init__(self, bus,
273
self.dbus_object_path)
340
def send_changedstate(self):
341
self.changedstate.acquire()
342
self.changedstate.notify_all()
343
self.changedstate.release()
345
275
def enable(self):
346
276
"""Start this client's checker and timeout hooks"""
347
if getattr(self, u"enabled", False):
350
self.send_changedstate()
351
277
self.last_enabled = datetime.datetime.utcnow()
352
278
# Schedule a new checker to be started an 'interval' from now,
353
279
# and every interval from then on.
354
280
self.checker_initiator_tag = (gobject.timeout_add
355
281
(self.interval_milliseconds(),
356
282
self.start_checker))
283
# Also start a new checker *right now*.
357
285
# Schedule a disable() when 'timeout' has passed
358
286
self.disable_initiator_tag = (gobject.timeout_add
359
287
(self.timeout_milliseconds(),
361
289
self.enabled = True
362
# Also start a new checker *right now*.
292
self.PropertyChanged(dbus.String(u"enabled"),
293
dbus.Boolean(True, variant_level=1))
294
self.PropertyChanged(dbus.String(u"last_enabled"),
295
(_datetime_to_dbus(self.last_enabled,
365
def disable(self, quiet=True):
366
299
"""Disable this client."""
367
300
if not getattr(self, "enabled", False):
370
self.send_changedstate()
372
logger.info(u"Disabling client %s", self.name)
373
if getattr(self, u"disable_initiator_tag", False):
302
logger.info(u"Disabling client %s", self.name)
303
if getattr(self, "disable_initiator_tag", False):
374
304
gobject.source_remove(self.disable_initiator_tag)
375
305
self.disable_initiator_tag = None
376
if getattr(self, u"checker_initiator_tag", False):
306
if getattr(self, "checker_initiator_tag", False):
377
307
gobject.source_remove(self.checker_initiator_tag)
378
308
self.checker_initiator_tag = None
379
309
self.stop_checker()
380
310
if self.disable_hook:
381
311
self.disable_hook(self)
382
312
self.enabled = False
315
self.PropertyChanged(dbus.String(u"enabled"),
316
dbus.Boolean(False, variant_level=1))
383
317
# Do not run this again if called by a gobject.timeout_add
494
444
if self.checker_callback_tag:
495
445
gobject.source_remove(self.checker_callback_tag)
496
446
self.checker_callback_tag = None
497
if getattr(self, u"checker", None) is None:
447
if getattr(self, "checker", None) is None:
499
449
logger.debug(u"Stopping checker for %(name)s", vars(self))
501
451
os.kill(self.checker.pid, signal.SIGTERM)
503
453
#if self.checker.poll() is None:
504
454
# os.kill(self.checker.pid, signal.SIGKILL)
505
455
except OSError, error:
506
456
if error.errno != errno.ESRCH: # No such process
508
458
self.checker = None
510
def dbus_service_property(dbus_interface, signature=u"v",
511
access=u"readwrite", byte_arrays=False):
512
"""Decorators for marking methods of a DBusObjectWithProperties to
513
become properties on the D-Bus.
515
The decorated method will be called with no arguments by "Get"
516
and with one argument by "Set".
518
The parameters, where they are supported, are the same as
519
dbus.service.method, except there is only "signature", since the
520
type from Get() and the type sent to Set() is the same.
522
# Encoding deeply encoded byte arrays is not supported yet by the
523
# "Set" method, so we fail early here:
524
if byte_arrays and signature != u"ay":
525
raise ValueError(u"Byte arrays not supported for non-'ay'"
526
u" signature %r" % signature)
528
func._dbus_is_property = True
529
func._dbus_interface = dbus_interface
530
func._dbus_signature = signature
531
func._dbus_access = access
532
func._dbus_name = func.__name__
533
if func._dbus_name.endswith(u"_dbus_property"):
534
func._dbus_name = func._dbus_name[:-14]
535
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
540
class DBusPropertyException(dbus.exceptions.DBusException):
541
"""A base class for D-Bus property-related exceptions
543
def __unicode__(self):
544
return unicode(str(self))
547
class DBusPropertyAccessException(DBusPropertyException):
548
"""A property's access permissions disallows an operation.
553
class DBusPropertyNotFound(DBusPropertyException):
554
"""An attempt was made to access a non-existing property.
559
class DBusObjectWithProperties(dbus.service.Object):
560
"""A D-Bus object with properties.
562
Classes inheriting from this can use the dbus_service_property
563
decorator to expose methods as D-Bus properties. It exposes the
564
standard Get(), Set(), and GetAll() methods on the D-Bus.
568
def _is_dbus_property(obj):
569
return getattr(obj, u"_dbus_is_property", False)
571
def _get_all_dbus_properties(self):
572
"""Returns a generator of (name, attribute) pairs
574
return ((prop._dbus_name, prop)
576
inspect.getmembers(self, self._is_dbus_property))
578
def _get_dbus_property(self, interface_name, property_name):
579
"""Returns a bound method if one exists which is a D-Bus
580
property with the specified name and interface.
582
for name in (property_name,
583
property_name + u"_dbus_property"):
584
prop = getattr(self, name, None)
586
or not self._is_dbus_property(prop)
587
or prop._dbus_name != property_name
588
or (interface_name and prop._dbus_interface
589
and interface_name != prop._dbus_interface)):
593
raise DBusPropertyNotFound(self.dbus_object_path + u":"
594
+ interface_name + u"."
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
599
def Get(self, interface_name, property_name):
600
"""Standard D-Bus property Get() method, see D-Bus standard.
602
prop = self._get_dbus_property(interface_name, property_name)
603
if prop._dbus_access == u"write":
604
raise DBusPropertyAccessException(property_name)
606
if not hasattr(value, u"variant_level"):
608
return type(value)(value, variant_level=value.variant_level+1)
610
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
611
def Set(self, interface_name, property_name, value):
612
"""Standard D-Bus property Set() method, see D-Bus standard.
614
prop = self._get_dbus_property(interface_name, property_name)
615
if prop._dbus_access == u"read":
616
raise DBusPropertyAccessException(property_name)
617
if prop._dbus_get_args_options[u"byte_arrays"]:
618
# The byte_arrays option is not supported yet on
619
# signatures other than "ay".
620
if prop._dbus_signature != u"ay":
622
value = dbus.ByteArray(''.join(unichr(byte)
626
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
627
out_signature=u"a{sv}")
628
def GetAll(self, interface_name):
629
"""Standard D-Bus property GetAll() method, see D-Bus
632
Note: Will not include properties with access="write".
635
for name, prop in self._get_all_dbus_properties():
637
and interface_name != prop._dbus_interface):
638
# Interface non-empty but did not match
640
# Ignore write-only properties
641
if prop._dbus_access == u"write":
644
if not hasattr(value, u"variant_level"):
647
all[name] = type(value)(value, variant_level=
648
value.variant_level+1)
649
return dbus.Dictionary(all, signature=u"sv")
651
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
653
path_keyword='object_path',
654
connection_keyword='connection')
655
def Introspect(self, object_path, connection):
656
"""Standard D-Bus method, overloaded to insert property tags.
658
xmlstring = dbus.service.Object.Introspect(self, object_path,
661
document = xml.dom.minidom.parseString(xmlstring)
662
def make_tag(document, name, prop):
663
e = document.createElement(u"property")
664
e.setAttribute(u"name", name)
665
e.setAttribute(u"type", prop._dbus_signature)
666
e.setAttribute(u"access", prop._dbus_access)
668
for if_tag in document.getElementsByTagName(u"interface"):
669
for tag in (make_tag(document, name, prop)
671
in self._get_all_dbus_properties()
672
if prop._dbus_interface
673
== if_tag.getAttribute(u"name")):
674
if_tag.appendChild(tag)
675
# Add the names to the return values for the
676
# "org.freedesktop.DBus.Properties" methods
677
if (if_tag.getAttribute(u"name")
678
== u"org.freedesktop.DBus.Properties"):
679
for cn in if_tag.getElementsByTagName(u"method"):
680
if cn.getAttribute(u"name") == u"Get":
681
for arg in cn.getElementsByTagName(u"arg"):
682
if (arg.getAttribute(u"direction")
684
arg.setAttribute(u"name", u"value")
685
elif cn.getAttribute(u"name") == u"GetAll":
686
for arg in cn.getElementsByTagName(u"arg"):
687
if (arg.getAttribute(u"direction")
689
arg.setAttribute(u"name", u"props")
690
xmlstring = document.toxml(u"utf-8")
692
except (AttributeError, xml.dom.DOMException,
693
xml.parsers.expat.ExpatError), error:
694
logger.error(u"Failed to override Introspection method",
699
class ClientDBus(Client, DBusObjectWithProperties):
700
"""A Client class using D-Bus
703
dbus_object_path: dbus.ObjectPath
704
bus: dbus.SystemBus()
706
# dbus.service.Object doesn't use super(), so we can't either.
708
def __init__(self, bus = None, *args, **kwargs):
709
self._approvals_pending = 0
711
Client.__init__(self, *args, **kwargs)
712
# Only now, when this client is initialized, can it show up on
714
self.dbus_object_path = (dbus.ObjectPath
716
+ self.name.replace(u".", u"_")))
717
DBusObjectWithProperties.__init__(self, self.bus,
718
self.dbus_object_path)
720
def _get_approvals_pending(self):
721
return self._approvals_pending
722
def _set_approvals_pending(self, value):
723
old_value = self._approvals_pending
724
self._approvals_pending = value
726
if (hasattr(self, "dbus_object_path")
727
and bval is not bool(old_value)):
728
dbus_bool = dbus.Boolean(bval, variant_level=1)
729
self.PropertyChanged(dbus.String(u"approved_pending"),
732
approvals_pending = property(_get_approvals_pending,
733
_set_approvals_pending)
734
del _get_approvals_pending, _set_approvals_pending
737
def _datetime_to_dbus(dt, variant_level=0):
738
"""Convert a UTC datetime.datetime() to a D-Bus type."""
739
return dbus.String(dt.isoformat(),
740
variant_level=variant_level)
743
oldstate = getattr(self, u"enabled", False)
744
r = Client.enable(self)
745
if oldstate != self.enabled:
747
self.PropertyChanged(dbus.String(u"enabled"),
748
dbus.Boolean(True, variant_level=1))
749
self.PropertyChanged(
750
dbus.String(u"last_enabled"),
751
self._datetime_to_dbus(self.last_enabled,
755
def disable(self, quiet = False):
756
oldstate = getattr(self, u"enabled", False)
757
r = Client.disable(self, quiet=quiet)
758
if not quiet and oldstate != self.enabled:
760
self.PropertyChanged(dbus.String(u"enabled"),
761
dbus.Boolean(False, variant_level=1))
764
def __del__(self, *args, **kwargs):
766
self.remove_from_connection()
769
if hasattr(DBusObjectWithProperties, u"__del__"):
770
DBusObjectWithProperties.__del__(self, *args, **kwargs)
771
Client.__del__(self, *args, **kwargs)
773
def checker_callback(self, pid, condition, command,
775
self.checker_callback_tag = None
778
self.PropertyChanged(dbus.String(u"checker_running"),
779
dbus.Boolean(False, variant_level=1))
780
if os.WIFEXITED(condition):
781
exitstatus = os.WEXITSTATUS(condition)
783
self.CheckerCompleted(dbus.Int16(exitstatus),
784
dbus.Int64(condition),
785
dbus.String(command))
788
self.CheckerCompleted(dbus.Int16(-1),
789
dbus.Int64(condition),
790
dbus.String(command))
792
return Client.checker_callback(self, pid, condition, command,
795
def checked_ok(self, *args, **kwargs):
796
r = Client.checked_ok(self, *args, **kwargs)
798
self.PropertyChanged(
799
dbus.String(u"last_checked_ok"),
800
(self._datetime_to_dbus(self.last_checked_ok,
804
def start_checker(self, *args, **kwargs):
805
old_checker = self.checker
806
if self.checker is not None:
807
old_checker_pid = self.checker.pid
809
old_checker_pid = None
810
r = Client.start_checker(self, *args, **kwargs)
811
# Only if new checker process was started
812
if (self.checker is not None
813
and old_checker_pid != self.checker.pid):
815
self.CheckerStarted(self.current_checker_command)
816
self.PropertyChanged(
817
dbus.String(u"checker_running"),
818
dbus.Boolean(True, variant_level=1))
821
def stop_checker(self, *args, **kwargs):
822
old_checker = getattr(self, u"checker", None)
823
r = Client.stop_checker(self, *args, **kwargs)
824
if (old_checker is not None
825
and getattr(self, u"checker", None) is None):
826
460
self.PropertyChanged(dbus.String(u"checker_running"),
827
461
dbus.Boolean(False, variant_level=1))
830
def _reset_approved(self):
831
self._approved = None
834
def approve(self, value=True):
835
self.send_changedstate()
836
self._approved = value
837
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
838
self._reset_approved)
841
## D-Bus methods, signals & properties
463
def still_valid(self):
464
"""Has the timeout not yet passed for this client?"""
465
if not getattr(self, "enabled", False):
467
now = datetime.datetime.utcnow()
468
if self.last_checked_ok is None:
469
return now < (self.created + self.timeout)
471
return now < (self.last_checked_ok + self.timeout)
473
## D-Bus methods & signals
842
474
_interface = u"se.bsnet.fukt.Mandos.Client"
477
CheckedOK = dbus.service.method(_interface)(checked_ok)
478
CheckedOK.__name__ = "CheckedOK"
846
480
# CheckerCompleted - signal
847
@dbus.service.signal(_interface, signature=u"nxs")
481
@dbus.service.signal(_interface, signature="nxs")
848
482
def CheckerCompleted(self, exitcode, waitstatus, command):
852
486
# CheckerStarted - signal
853
@dbus.service.signal(_interface, signature=u"s")
487
@dbus.service.signal(_interface, signature="s")
854
488
def CheckerStarted(self, command):
492
# GetAllProperties - method
493
@dbus.service.method(_interface, out_signature="a{sv}")
494
def GetAllProperties(self):
496
return dbus.Dictionary({
498
dbus.String(self.name, variant_level=1),
499
dbus.String("fingerprint"):
500
dbus.String(self.fingerprint, variant_level=1),
502
dbus.String(self.host, variant_level=1),
503
dbus.String("created"):
504
_datetime_to_dbus(self.created, variant_level=1),
505
dbus.String("last_enabled"):
506
(_datetime_to_dbus(self.last_enabled,
508
if self.last_enabled is not None
509
else dbus.Boolean(False, variant_level=1)),
510
dbus.String("enabled"):
511
dbus.Boolean(self.enabled, variant_level=1),
512
dbus.String("last_checked_ok"):
513
(_datetime_to_dbus(self.last_checked_ok,
515
if self.last_checked_ok is not None
516
else dbus.Boolean (False, variant_level=1)),
517
dbus.String("timeout"):
518
dbus.UInt64(self.timeout_milliseconds(),
520
dbus.String("interval"):
521
dbus.UInt64(self.interval_milliseconds(),
523
dbus.String("checker"):
524
dbus.String(self.checker_command,
526
dbus.String("checker_running"):
527
dbus.Boolean(self.checker is not None,
529
dbus.String("object_path"):
530
dbus.ObjectPath(self.dbus_object_path,
534
# IsStillValid - method
535
IsStillValid = (dbus.service.method(_interface, out_signature="b")
537
IsStillValid.__name__ = "IsStillValid"
858
539
# PropertyChanged - signal
859
@dbus.service.signal(_interface, signature=u"sv")
540
@dbus.service.signal(_interface, signature="sv")
860
541
def PropertyChanged(self, property, value):
865
@dbus.service.signal(_interface)
868
Is sent after a successful transfer of secret from the Mandos
869
server to mandos-client
874
@dbus.service.signal(_interface, signature=u"s")
875
def Rejected(self, reason):
879
# NeedApproval - signal
880
@dbus.service.signal(_interface, signature=u"db")
881
def NeedApproval(self, timeout, default):
888
@dbus.service.method(_interface, in_signature=u"b")
889
def Approve(self, value):
893
@dbus.service.method(_interface)
895
return self.checked_ok()
545
# SetChecker - method
546
@dbus.service.method(_interface, in_signature="s")
547
def SetChecker(self, checker):
548
"D-Bus setter method"
549
self.checker_command = checker
551
self.PropertyChanged(dbus.String(u"checker"),
552
dbus.String(self.checker_command,
556
@dbus.service.method(_interface, in_signature="s")
557
def SetHost(self, host):
558
"D-Bus setter method"
561
self.PropertyChanged(dbus.String(u"host"),
562
dbus.String(self.host, variant_level=1))
564
# SetInterval - method
565
@dbus.service.method(_interface, in_signature="t")
566
def SetInterval(self, milliseconds):
567
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
569
self.PropertyChanged(dbus.String(u"interval"),
570
(dbus.UInt64(self.interval_milliseconds(),
574
@dbus.service.method(_interface, in_signature="ay",
576
def SetSecret(self, secret):
577
"D-Bus setter method"
578
self.secret = str(secret)
580
# SetTimeout - method
581
@dbus.service.method(_interface, in_signature="t")
582
def SetTimeout(self, milliseconds):
583
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
585
self.PropertyChanged(dbus.String(u"timeout"),
586
(dbus.UInt64(self.timeout_milliseconds(),
897
589
# Enable - method
898
@dbus.service.method(_interface)
590
Enable = dbus.service.method(_interface)(enable)
591
Enable.__name__ = "Enable"
903
593
# StartChecker - method
904
594
@dbus.service.method(_interface)
915
605
# StopChecker - method
916
@dbus.service.method(_interface)
917
def StopChecker(self):
922
# approved_pending - property
923
@dbus_service_property(_interface, signature=u"b", access=u"read")
924
def approved_pending_dbus_property(self):
925
return dbus.Boolean(bool(self.approvals_pending))
927
# approved_by_default - property
928
@dbus_service_property(_interface, signature=u"b",
930
def approved_by_default_dbus_property(self):
931
return dbus.Boolean(self.approved_by_default)
933
# approved_delay - property
934
@dbus_service_property(_interface, signature=u"t",
936
def approved_delay_dbus_property(self):
937
return dbus.UInt64(self.approved_delay_milliseconds())
939
# approved_duration - property
940
@dbus_service_property(_interface, signature=u"t",
942
def approved_duration_dbus_property(self):
943
return dbus.UInt64(self._timedelta_to_milliseconds(
944
self.approved_duration))
947
@dbus_service_property(_interface, signature=u"s", access=u"read")
948
def name_dbus_property(self):
949
return dbus.String(self.name)
951
# fingerprint - property
952
@dbus_service_property(_interface, signature=u"s", access=u"read")
953
def fingerprint_dbus_property(self):
954
return dbus.String(self.fingerprint)
957
@dbus_service_property(_interface, signature=u"s",
959
def host_dbus_property(self, value=None):
960
if value is None: # get
961
return dbus.String(self.host)
964
self.PropertyChanged(dbus.String(u"host"),
965
dbus.String(value, variant_level=1))
968
@dbus_service_property(_interface, signature=u"s", access=u"read")
969
def created_dbus_property(self):
970
return dbus.String(self._datetime_to_dbus(self.created))
972
# last_enabled - property
973
@dbus_service_property(_interface, signature=u"s", access=u"read")
974
def last_enabled_dbus_property(self):
975
if self.last_enabled is None:
976
return dbus.String(u"")
977
return dbus.String(self._datetime_to_dbus(self.last_enabled))
980
@dbus_service_property(_interface, signature=u"b",
982
def enabled_dbus_property(self, value=None):
983
if value is None: # get
984
return dbus.Boolean(self.enabled)
990
# last_checked_ok - property
991
@dbus_service_property(_interface, signature=u"s",
993
def last_checked_ok_dbus_property(self, value=None):
994
if value is not None:
997
if self.last_checked_ok is None:
998
return dbus.String(u"")
999
return dbus.String(self._datetime_to_dbus(self
1002
# timeout - property
1003
@dbus_service_property(_interface, signature=u"t",
1004
access=u"readwrite")
1005
def timeout_dbus_property(self, value=None):
1006
if value is None: # get
1007
return dbus.UInt64(self.timeout_milliseconds())
1008
self.timeout = datetime.timedelta(0, 0, 0, value)
1010
self.PropertyChanged(dbus.String(u"timeout"),
1011
dbus.UInt64(value, variant_level=1))
1012
if getattr(self, u"disable_initiator_tag", None) is None:
1014
# Reschedule timeout
1015
gobject.source_remove(self.disable_initiator_tag)
1016
self.disable_initiator_tag = None
1017
time_to_die = (self.
1018
_timedelta_to_milliseconds((self
1023
if time_to_die <= 0:
1024
# The timeout has passed
1027
self.disable_initiator_tag = (gobject.timeout_add
1028
(time_to_die, self.disable))
1030
# interval - property
1031
@dbus_service_property(_interface, signature=u"t",
1032
access=u"readwrite")
1033
def interval_dbus_property(self, value=None):
1034
if value is None: # get
1035
return dbus.UInt64(self.interval_milliseconds())
1036
self.interval = datetime.timedelta(0, 0, 0, value)
1038
self.PropertyChanged(dbus.String(u"interval"),
1039
dbus.UInt64(value, variant_level=1))
1040
if getattr(self, u"checker_initiator_tag", None) is None:
1042
# Reschedule checker run
1043
gobject.source_remove(self.checker_initiator_tag)
1044
self.checker_initiator_tag = (gobject.timeout_add
1045
(value, self.start_checker))
1046
self.start_checker() # Start one now, too
1048
# checker - property
1049
@dbus_service_property(_interface, signature=u"s",
1050
access=u"readwrite")
1051
def checker_dbus_property(self, value=None):
1052
if value is None: # get
1053
return dbus.String(self.checker_command)
1054
self.checker_command = value
1056
self.PropertyChanged(dbus.String(u"checker"),
1057
dbus.String(self.checker_command,
1060
# checker_running - property
1061
@dbus_service_property(_interface, signature=u"b",
1062
access=u"readwrite")
1063
def checker_running_dbus_property(self, value=None):
1064
if value is None: # get
1065
return dbus.Boolean(self.checker is not None)
1067
self.start_checker()
1071
# object_path - property
1072
@dbus_service_property(_interface, signature=u"o", access=u"read")
1073
def object_path_dbus_property(self):
1074
return self.dbus_object_path # is already a dbus.ObjectPath
1077
@dbus_service_property(_interface, signature=u"ay",
1078
access=u"write", byte_arrays=True)
1079
def secret_dbus_property(self, value):
1080
self.secret = str(value)
606
StopChecker = dbus.service.method(_interface)(stop_checker)
607
StopChecker.__name__ = "StopChecker"
1085
class ProxyClient(object):
1086
def __init__(self, child_pipe, fpr, address):
1087
self._pipe = child_pipe
1088
self._pipe.send(('init', fpr, address))
1089
if not self._pipe.recv():
1092
def __getattribute__(self, name):
1093
if(name == '_pipe'):
1094
return super(ProxyClient, self).__getattribute__(name)
1095
self._pipe.send(('getattr', name))
1096
data = self._pipe.recv()
1097
if data[0] == 'data':
1099
if data[0] == 'function':
1100
def func(*args, **kwargs):
1101
self._pipe.send(('funcall', name, args, kwargs))
1102
return self._pipe.recv()[1]
1105
def __setattr__(self, name, value):
1106
if(name == '_pipe'):
1107
return super(ProxyClient, self).__setattr__(name, value)
1108
self._pipe.send(('setattr', name, value))
1111
class ClientHandler(socketserver.BaseRequestHandler, object):
1112
"""A class to handle client connections.
1114
Instantiated once for each connection to handle it.
612
def peer_certificate(session):
613
"Return the peer's OpenPGP certificate as a bytestring"
614
# If not an OpenPGP certificate...
615
if (gnutls.library.functions
616
.gnutls_certificate_type_get(session._c_object)
617
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
618
# ...do the normal thing
619
return session.peer_certificate
620
list_size = ctypes.c_uint(1)
621
cert_list = (gnutls.library.functions
622
.gnutls_certificate_get_peers
623
(session._c_object, ctypes.byref(list_size)))
624
if not bool(cert_list) and list_size.value != 0:
625
raise gnutls.errors.GNUTLSError("error getting peer"
627
if list_size.value == 0:
630
return ctypes.string_at(cert.data, cert.size)
633
def fingerprint(openpgp):
634
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
635
# New GnuTLS "datum" with the OpenPGP public key
636
datum = (gnutls.library.types
637
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
640
ctypes.c_uint(len(openpgp))))
641
# New empty GnuTLS certificate
642
crt = gnutls.library.types.gnutls_openpgp_crt_t()
643
(gnutls.library.functions
644
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
645
# Import the OpenPGP public key into the certificate
646
(gnutls.library.functions
647
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
648
gnutls.library.constants
649
.GNUTLS_OPENPGP_FMT_RAW))
650
# Verify the self signature in the key
651
crtverify = ctypes.c_uint()
652
(gnutls.library.functions
653
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
654
if crtverify.value != 0:
655
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
656
raise gnutls.errors.CertificateSecurityError("Verify failed")
657
# New buffer for the fingerprint
658
buf = ctypes.create_string_buffer(20)
659
buf_len = ctypes.c_size_t()
660
# Get the fingerprint from the certificate into the buffer
661
(gnutls.library.functions
662
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
663
ctypes.byref(buf_len)))
664
# Deinit the certificate
665
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
666
# Convert the buffer to a Python bytestring
667
fpr = ctypes.string_at(buf, buf_len.value)
668
# Convert the bytestring to hexadecimal notation
669
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
673
class TCP_handler(SocketServer.BaseRequestHandler, object):
674
"""A TCP request handler class.
675
Instantiated by IPv6_TCPServer for each request to handle it.
1115
676
Note: This will run in its own forked process."""
1117
678
def handle(self):
1118
with contextlib.closing(self.server.child_pipe) as child_pipe:
1119
logger.info(u"TCP connection from: %s",
1120
unicode(self.client_address))
1121
logger.debug(u"Pipe FD: %d",
1122
self.server.child_pipe.fileno())
1124
session = (gnutls.connection
1125
.ClientSession(self.request,
1127
.X509Credentials()))
1129
# Note: gnutls.connection.X509Credentials is really a
1130
# generic GnuTLS certificate credentials object so long as
1131
# no X.509 keys are added to it. Therefore, we can use it
1132
# here despite using OpenPGP certificates.
1134
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1135
# u"+AES-256-CBC", u"+SHA1",
1136
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1138
# Use a fallback default, since this MUST be set.
1139
priority = self.server.gnutls_priority
1140
if priority is None:
1141
priority = u"NORMAL"
1142
(gnutls.library.functions
1143
.gnutls_priority_set_direct(session._c_object,
1146
# Start communication using the Mandos protocol
1147
# Get protocol number
1148
line = self.request.makefile().readline()
1149
logger.debug(u"Protocol version: %r", line)
1151
if int(line.strip().split()[0]) > 1:
1153
except (ValueError, IndexError, RuntimeError), error:
1154
logger.error(u"Unknown protocol version: %s", error)
1157
# Start GnuTLS connection
1160
except gnutls.errors.GNUTLSError, error:
1161
logger.warning(u"Handshake failed: %s", error)
1162
# Do not run session.bye() here: the session is not
1163
# established. Just abandon the request.
1165
logger.debug(u"Handshake succeeded")
1167
approval_required = False
1170
fpr = self.fingerprint(self.peer_certificate
1172
except (TypeError, gnutls.errors.GNUTLSError), error:
1173
logger.warning(u"Bad certificate: %s", error)
1175
logger.debug(u"Fingerprint: %s", fpr)
1178
client = ProxyClient(child_pipe, fpr,
1179
self.client_address)
1183
if client.approved_delay:
1184
delay = client.approved_delay
1185
client.approvals_pending += 1
1186
approval_required = True
1189
if not client.enabled:
1190
logger.warning(u"Client %s is disabled",
1192
if self.server.use_dbus:
1194
client.Rejected("Disabled")
1197
if client._approved or not client.approved_delay:
1198
#We are approved or approval is disabled
1200
elif client._approved is None:
1201
logger.info(u"Client %s need approval",
1203
if self.server.use_dbus:
1205
client.NeedApproval(
1206
client.approved_delay_milliseconds(),
1207
client.approved_by_default)
1209
logger.warning(u"Client %s was not approved",
1211
if self.server.use_dbus:
1213
client.Rejected("Disapproved")
1216
#wait until timeout or approved
1217
#x = float(client._timedelta_to_milliseconds(delay))
1218
time = datetime.datetime.now()
1219
client.changedstate.acquire()
1220
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1221
client.changedstate.release()
1222
time2 = datetime.datetime.now()
1223
if (time2 - time) >= delay:
1224
if not client.approved_by_default:
1225
logger.warning("Client %s timed out while"
1226
" waiting for approval",
1228
if self.server.use_dbus:
1230
client.Rejected("Time out")
1235
delay -= time2 - time
1238
while sent_size < len(client.secret):
1240
sent = session.send(client.secret[sent_size:])
1241
except (gnutls.errors.GNUTLSError), error:
1242
logger.warning("gnutls send failed")
1244
logger.debug(u"Sent: %d, remaining: %d",
1245
sent, len(client.secret)
1246
- (sent_size + sent))
1249
logger.info(u"Sending secret to %s", client.name)
1250
# bump the timeout as if seen
1252
if self.server.use_dbus:
1257
if approval_required:
1258
client.approvals_pending -= 1
1261
except (gnutls.errors.GNUTLSError), error:
1262
logger.warning("gnutls bye failed")
1265
def peer_certificate(session):
1266
"Return the peer's OpenPGP certificate as a bytestring"
1267
# If not an OpenPGP certificate...
1268
if (gnutls.library.functions
1269
.gnutls_certificate_type_get(session._c_object)
1270
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1271
# ...do the normal thing
1272
return session.peer_certificate
1273
list_size = ctypes.c_uint(1)
1274
cert_list = (gnutls.library.functions
1275
.gnutls_certificate_get_peers
1276
(session._c_object, ctypes.byref(list_size)))
1277
if not bool(cert_list) and list_size.value != 0:
1278
raise gnutls.errors.GNUTLSError(u"error getting peer"
1280
if list_size.value == 0:
1283
return ctypes.string_at(cert.data, cert.size)
1286
def fingerprint(openpgp):
1287
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1288
# New GnuTLS "datum" with the OpenPGP public key
1289
datum = (gnutls.library.types
1290
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1293
ctypes.c_uint(len(openpgp))))
1294
# New empty GnuTLS certificate
1295
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1296
(gnutls.library.functions
1297
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1298
# Import the OpenPGP public key into the certificate
1299
(gnutls.library.functions
1300
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1301
gnutls.library.constants
1302
.GNUTLS_OPENPGP_FMT_RAW))
1303
# Verify the self signature in the key
1304
crtverify = ctypes.c_uint()
1305
(gnutls.library.functions
1306
.gnutls_openpgp_crt_verify_self(crt, 0,
1307
ctypes.byref(crtverify)))
1308
if crtverify.value != 0:
1309
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1310
raise (gnutls.errors.CertificateSecurityError
1312
# New buffer for the fingerprint
1313
buf = ctypes.create_string_buffer(20)
1314
buf_len = ctypes.c_size_t()
1315
# Get the fingerprint from the certificate into the buffer
1316
(gnutls.library.functions
1317
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1318
ctypes.byref(buf_len)))
1319
# Deinit the certificate
1320
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1321
# Convert the buffer to a Python bytestring
1322
fpr = ctypes.string_at(buf, buf_len.value)
1323
# Convert the bytestring to hexadecimal notation
1324
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1328
class MultiprocessingMixIn(object):
1329
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1330
def sub_process_main(self, request, address):
1332
self.finish_request(request, address)
1334
self.handle_error(request, address)
1335
self.close_request(request)
1337
def process_request(self, request, address):
1338
"""Start a new process to process the request."""
1339
multiprocessing.Process(target = self.sub_process_main,
1340
args = (request, address)).start()
1342
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1343
""" adds a pipe to the MixIn """
1344
def process_request(self, request, client_address):
1345
"""Overrides and wraps the original process_request().
1347
This function creates a new pipe in self.pipe
1349
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1351
super(MultiprocessingMixInWithPipe,
1352
self).process_request(request, client_address)
1353
self.child_pipe.close()
1354
self.add_pipe(parent_pipe)
1356
def add_pipe(self, parent_pipe):
1357
"""Dummy function; override as necessary"""
1360
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1361
socketserver.TCPServer, object):
679
logger.info(u"TCP connection from: %s",
680
unicode(self.client_address))
681
session = (gnutls.connection
682
.ClientSession(self.request,
686
line = self.request.makefile().readline()
687
logger.debug(u"Protocol version: %r", line)
689
if int(line.strip().split()[0]) > 1:
691
except (ValueError, IndexError, RuntimeError), error:
692
logger.error(u"Unknown protocol version: %s", error)
695
# Note: gnutls.connection.X509Credentials is really a generic
696
# GnuTLS certificate credentials object so long as no X.509
697
# keys are added to it. Therefore, we can use it here despite
698
# using OpenPGP certificates.
700
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
701
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
703
# Use a fallback default, since this MUST be set.
704
priority = self.server.settings.get("priority", "NORMAL")
705
(gnutls.library.functions
706
.gnutls_priority_set_direct(session._c_object,
711
except gnutls.errors.GNUTLSError, error:
712
logger.warning(u"Handshake failed: %s", error)
713
# Do not run session.bye() here: the session is not
714
# established. Just abandon the request.
716
logger.debug(u"Handshake succeeded")
718
fpr = fingerprint(peer_certificate(session))
719
except (TypeError, gnutls.errors.GNUTLSError), error:
720
logger.warning(u"Bad certificate: %s", error)
723
logger.debug(u"Fingerprint: %s", fpr)
725
for c in self.server.clients:
726
if c.fingerprint == fpr:
730
logger.warning(u"Client not found for fingerprint: %s",
734
# Have to check if client.still_valid(), since it is possible
735
# that the client timed out while establishing the GnuTLS
737
if not client.still_valid():
738
logger.warning(u"Client %(name)s is invalid",
742
## This won't work here, since we're in a fork.
743
# client.checked_ok()
745
while sent_size < len(client.secret):
746
sent = session.send(client.secret[sent_size:])
747
logger.debug(u"Sent: %d, remaining: %d",
748
sent, len(client.secret)
749
- (sent_size + sent))
754
class IPv6_TCPServer(SocketServer.ForkingMixIn,
755
SocketServer.TCPServer, object):
1362
756
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
758
settings: Server settings
759
clients: Set() of Client objects
1365
760
enabled: Boolean; whether this server is activated yet
1366
interface: None or a network interface name (string)
1367
use_ipv6: Boolean; to use IPv6 or not
1369
def __init__(self, server_address, RequestHandlerClass,
1370
interface=None, use_ipv6=True):
1371
self.interface = interface
1373
self.address_family = socket.AF_INET6
1374
socketserver.TCPServer.__init__(self, server_address,
1375
RequestHandlerClass)
762
address_family = socket.AF_INET6
763
def __init__(self, *args, **kwargs):
764
if "settings" in kwargs:
765
self.settings = kwargs["settings"]
766
del kwargs["settings"]
767
if "clients" in kwargs:
768
self.clients = kwargs["clients"]
769
del kwargs["clients"]
770
if "use_ipv6" in kwargs:
771
if not kwargs["use_ipv6"]:
772
self.address_family = socket.AF_INET
773
del kwargs["use_ipv6"]
775
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1376
776
def server_bind(self):
1377
777
"""This overrides the normal server_bind() function
1378
778
to bind to an interface if one was specified, and also NOT to
1379
779
bind to an address or port if they were not specified."""
1380
if self.interface is not None:
1381
if SO_BINDTODEVICE is None:
1382
logger.error(u"SO_BINDTODEVICE does not exist;"
1383
u" cannot bind to interface %s",
1387
self.socket.setsockopt(socket.SOL_SOCKET,
1391
except socket.error, error:
1392
if error[0] == errno.EPERM:
1393
logger.error(u"No permission to"
1394
u" bind to interface %s",
1396
elif error[0] == errno.ENOPROTOOPT:
1397
logger.error(u"SO_BINDTODEVICE not available;"
1398
u" cannot bind to interface %s",
780
if self.settings["interface"]:
781
# 25 is from /usr/include/asm-i486/socket.h
782
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
784
self.socket.setsockopt(socket.SOL_SOCKET,
786
self.settings["interface"])
787
except socket.error, error:
788
if error[0] == errno.EPERM:
789
logger.error(u"No permission to"
790
u" bind to interface %s",
791
self.settings["interface"])
1402
794
# Only bind(2) the socket if we really need to.
1403
795
if self.server_address[0] or self.server_address[1]:
1404
796
if not self.server_address[0]:
1405
797
if self.address_family == socket.AF_INET6:
1406
any_address = u"::" # in6addr_any
798
any_address = "::" # in6addr_any
1408
800
any_address = socket.INADDR_ANY
1409
801
self.server_address = (any_address,
1660
963
# Default values for config file for server-global settings
1661
server_defaults = { u"interface": u"",
1666
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1667
u"servicename": u"Mandos",
1668
u"use_dbus": u"True",
1669
u"use_ipv6": u"True",
964
server_defaults = { "interface": "",
969
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
970
"servicename": "Mandos",
1673
975
# Parse config file for server-global settings
1674
server_config = configparser.SafeConfigParser(server_defaults)
976
server_config = ConfigParser.SafeConfigParser(server_defaults)
1675
977
del server_defaults
1676
server_config.read(os.path.join(options.configdir,
978
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1678
979
# Convert the SafeConfigParser object to a dict
1679
980
server_settings = server_config.defaults()
1680
981
# Use the appropriate methods on the non-string config options
1681
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1682
server_settings[option] = server_config.getboolean(u"DEFAULT",
982
server_settings["debug"] = server_config.getboolean("DEFAULT",
984
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
986
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1684
988
if server_settings["port"]:
1685
server_settings["port"] = server_config.getint(u"DEFAULT",
989
server_settings["port"] = server_config.getint("DEFAULT",
1687
991
del server_config
1689
993
# Override the settings from the config file with command line
1690
994
# options, if set.
1691
for option in (u"interface", u"address", u"port", u"debug",
1692
u"priority", u"servicename", u"configdir",
1693
u"use_dbus", u"use_ipv6", u"debuglevel"):
995
for option in ("interface", "address", "port", "debug",
996
"priority", "servicename", "configdir",
997
"use_dbus", "use_ipv6"):
1694
998
value = getattr(options, option)
1695
999
if value is not None:
1696
1000
server_settings[option] = value
1698
# Force all strings to be unicode
1699
for option in server_settings.keys():
1700
if type(server_settings[option]) is str:
1701
server_settings[option] = unicode(server_settings[option])
1702
1002
# Now we have our good server settings in "server_settings"
1704
##################################################################
1706
1004
# For convenience
1707
debug = server_settings[u"debug"]
1708
debuglevel = server_settings[u"debuglevel"]
1709
use_dbus = server_settings[u"use_dbus"]
1710
use_ipv6 = server_settings[u"use_ipv6"]
1712
if server_settings[u"servicename"] != u"Mandos":
1005
debug = server_settings["debug"]
1006
use_dbus = server_settings["use_dbus"]
1007
use_ipv6 = server_settings["use_ipv6"]
1010
syslogger.setLevel(logging.WARNING)
1011
console.setLevel(logging.WARNING)
1013
if server_settings["servicename"] != "Mandos":
1713
1014
syslogger.setFormatter(logging.Formatter
1714
(u'Mandos (%s) [%%(process)d]:'
1715
u' %%(levelname)s: %%(message)s'
1716
% server_settings[u"servicename"]))
1015
('Mandos (%s): %%(levelname)s:'
1017
% server_settings["servicename"]))
1718
1019
# Parse config file with clients
1719
client_defaults = { u"timeout": u"1h",
1721
u"checker": u"fping -q -- %%(host)s",
1723
u"approved_delay": u"0s",
1724
u"approved_duration": u"1s",
1020
client_defaults = { "timeout": "1h",
1022
"checker": "fping -q -- %%(host)s",
1726
client_config = configparser.SafeConfigParser(client_defaults)
1727
client_config.read(os.path.join(server_settings[u"configdir"],
1730
global mandos_dbus_service
1731
mandos_dbus_service = None
1733
tcp_server = MandosServer((server_settings[u"address"],
1734
server_settings[u"port"]),
1736
interface=server_settings[u"interface"],
1739
server_settings[u"priority"],
1741
pidfilename = u"/var/run/mandos.pid"
1025
client_config = ConfigParser.SafeConfigParser(client_defaults)
1026
client_config.read(os.path.join(server_settings["configdir"],
1030
tcp_server = IPv6_TCPServer((server_settings["address"],
1031
server_settings["port"]),
1033
settings=server_settings,
1034
clients=clients, use_ipv6=use_ipv6)
1035
pidfilename = "/var/run/mandos.pid"
1743
pidfile = open(pidfilename, u"w")
1037
pidfile = open(pidfilename, "w")
1744
1038
except IOError:
1745
logger.error(u"Could not open file %r", pidfilename)
1039
logger.error("Could not open file %r", pidfilename)
1748
uid = pwd.getpwnam(u"_mandos").pw_uid
1749
gid = pwd.getpwnam(u"_mandos").pw_gid
1042
uid = pwd.getpwnam("_mandos").pw_uid
1043
gid = pwd.getpwnam("_mandos").pw_gid
1750
1044
except KeyError:
1752
uid = pwd.getpwnam(u"mandos").pw_uid
1753
gid = pwd.getpwnam(u"mandos").pw_gid
1046
uid = pwd.getpwnam("mandos").pw_uid
1047
gid = pwd.getpwnam("mandos").pw_gid
1754
1048
except KeyError:
1756
uid = pwd.getpwnam(u"nobody").pw_uid
1757
gid = pwd.getpwnam(u"nobody").pw_gid
1050
uid = pwd.getpwnam("nobody").pw_uid
1051
gid = pwd.getpwnam("nogroup").pw_gid
1758
1052
except KeyError: