157
144
u" after %i retries, exiting.",
158
145
self.rename_count)
159
146
raise AvahiServiceError(u"Too many renames")
160
self.name = self.server.GetAlternativeServiceName(self.name)
147
self.name = server.GetAlternativeServiceName(self.name)
161
148
logger.info(u"Changing Zeroconf service name to %r ...",
163
150
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
151
('Mandos (%s) [%%(process)d]:'
152
' %%(levelname)s: %%(message)s'
169
156
self.rename_count += 1
170
157
def remove(self):
171
158
"""Derived from the Avahi example code"""
172
if self.group is not None:
159
if group is not None:
175
162
"""Derived from the Avahi example code"""
176
if self.group is None:
177
self.group = dbus.Interface(
178
self.bus.get_object(avahi.DBUS_NAME,
179
self.server.EntryGroupNew()),
180
avahi.DBUS_INTERFACE_ENTRY_GROUP)
181
self.group.connect_to_signal('StateChanged',
183
.entry_group_state_changed)
165
group = dbus.Interface(bus.get_object
167
server.EntryGroupNew()),
168
avahi.DBUS_INTERFACE_ENTRY_GROUP)
169
group.connect_to_signal('StateChanged',
170
entry_group_state_changed)
184
171
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
185
self.name, self.type)
186
self.group.AddService(
189
dbus.UInt32(0), # flags
190
self.name, self.type,
191
self.domain, self.host,
192
dbus.UInt16(self.port),
193
avahi.string_array_to_txt_array(self.TXT))
195
def entry_group_state_changed(self, state, error):
196
"""Derived from the Avahi example code"""
197
logger.debug(u"Avahi state change: %i", state)
199
if state == avahi.ENTRY_GROUP_ESTABLISHED:
200
logger.debug(u"Zeroconf service established.")
201
elif state == avahi.ENTRY_GROUP_COLLISION:
202
logger.warning(u"Zeroconf service name collision.")
204
elif state == avahi.ENTRY_GROUP_FAILURE:
205
logger.critical(u"Avahi: Error in group state changed %s",
207
raise AvahiGroupError(u"State changed: %s"
210
"""Derived from the Avahi example code"""
211
if self.group is not None:
214
def server_state_changed(self, state):
215
"""Derived from the Avahi example code"""
216
if state == avahi.SERVER_COLLISION:
217
logger.error(u"Zeroconf server name collision")
219
elif state == avahi.SERVER_RUNNING:
222
"""Derived from the Avahi example code"""
223
if self.server is None:
224
self.server = dbus.Interface(
225
self.bus.get_object(avahi.DBUS_NAME,
226
avahi.DBUS_PATH_SERVER),
227
avahi.DBUS_INTERFACE_SERVER)
228
self.server.connect_to_signal(u"StateChanged",
229
self.server_state_changed)
230
self.server_state_changed(self.server.GetState())
172
service.name, service.type)
174
self.interface, # interface
175
self.protocol, # protocol
176
dbus.UInt32(0), # flags
177
self.name, self.type,
178
self.domain, self.host,
179
dbus.UInt16(self.port),
180
avahi.string_array_to_txt_array(self.TXT))
183
# From the Avahi example code:
184
group = None # our entry group
185
# End of Avahi example code
188
def _datetime_to_dbus(dt, variant_level=0):
189
"""Convert a UTC datetime.datetime() to a D-Bus type."""
190
return dbus.String(dt.isoformat(), variant_level=variant_level)
233
193
class Client(object):
246
206
last_checked_ok: datetime.datetime(); (UTC) or None
247
207
timeout: datetime.timedelta(); How long from last_checked_ok
248
until this client is disabled
208
until this client is invalid
249
209
interval: datetime.timedelta(); How often to start a new checker
250
210
disable_hook: If set, called by disable() as disable_hook(self)
251
211
checker: subprocess.Popen(); a running checker process used
252
212
to see if the client lives.
253
213
'None' if no process is running.
254
214
checker_initiator_tag: a gobject event source tag, or None
255
disable_initiator_tag: - '' -
215
disable_initiator_tag: - '' -
256
216
checker_callback_tag: - '' -
257
217
checker_command: string; External command which is run to check if
258
218
client lives. %() expansions are done at
259
219
runtime with vars(self) as dict, so that for
260
220
instance %(name)s can be used in the command.
261
221
current_checker_command: string; current running checker_command
262
approved_delay: datetime.timedelta(); Time to wait for approval
263
_approved: bool(); 'None' if not yet approved/disapproved
264
approved_duration: datetime.timedelta(); Duration of one approval
268
def _timedelta_to_milliseconds(td):
269
"Convert a datetime.timedelta() to milliseconds"
270
return ((td.days * 24 * 60 * 60 * 1000)
271
+ (td.seconds * 1000)
272
+ (td.microseconds // 1000))
274
223
def timeout_milliseconds(self):
275
224
"Return the 'timeout' attribute in milliseconds"
276
return self._timedelta_to_milliseconds(self.timeout)
225
return ((self.timeout.days * 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds // 1000))
278
229
def interval_milliseconds(self):
279
230
"Return the 'interval' attribute in milliseconds"
280
return self._timedelta_to_milliseconds(self.interval)
282
def approved_delay_milliseconds(self):
283
return self._timedelta_to_milliseconds(self.approved_delay)
231
return ((self.interval.days * 24 * 60 * 60 * 1000)
232
+ (self.interval.seconds * 1000)
233
+ (self.interval.microseconds // 1000))
285
235
def __init__(self, name = None, disable_hook=None, config=None):
286
236
"""Note: the 'checker' key in 'config' sets the
293
243
# Uppercase and remove spaces from fingerprint for later
294
244
# comparison purposes with return value from the fingerprint()
296
self.fingerprint = (config[u"fingerprint"].upper()
246
self.fingerprint = (config["fingerprint"].upper()
297
247
.replace(u" ", u""))
298
248
logger.debug(u" Fingerprint: %s", self.fingerprint)
299
if u"secret" in config:
300
self.secret = config[u"secret"].decode(u"base64")
301
elif u"secfile" in config:
302
with open(os.path.expanduser(os.path.expandvars
303
(config[u"secfile"])),
249
if "secret" in config:
250
self.secret = config["secret"].decode(u"base64")
251
elif "secfile" in config:
252
with closing(open(os.path.expanduser
254
(config["secfile"])))) as secfile:
305
255
self.secret = secfile.read()
307
#XXX Need to allow secret on demand!
308
257
raise TypeError(u"No secret or secfile for client %s"
310
self.host = config.get(u"host", u"")
259
self.host = config.get("host", "")
311
260
self.created = datetime.datetime.utcnow()
312
261
self.enabled = False
313
262
self.last_enabled = None
314
263
self.last_checked_ok = None
315
self.timeout = string_to_delta(config[u"timeout"])
316
self.interval = string_to_delta(config[u"interval"])
264
self.timeout = string_to_delta(config["timeout"])
265
self.interval = string_to_delta(config["interval"])
317
266
self.disable_hook = disable_hook
318
267
self.checker = None
319
268
self.checker_initiator_tag = None
320
269
self.disable_initiator_tag = None
321
270
self.checker_callback_tag = None
322
self.checker_command = config[u"checker"]
271
self.checker_command = config["checker"]
323
272
self.current_checker_command = None
324
273
self.last_connect = None
325
self._approved = None
326
self.approved_by_default = config.get(u"approved_by_default",
328
self.approvals_pending = 0
329
self.approved_delay = string_to_delta(
330
config[u"approved_delay"])
331
self.approved_duration = string_to_delta(
332
config[u"approved_duration"])
333
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
335
def send_changedstate(self):
336
self.changedstate.acquire()
337
self.changedstate.notify_all()
338
self.changedstate.release()
340
275
def enable(self):
341
276
"""Start this client's checker and timeout hooks"""
342
if getattr(self, u"enabled", False):
345
self.send_changedstate()
346
277
self.last_enabled = datetime.datetime.utcnow()
347
278
# Schedule a new checker to be started an 'interval' from now,
348
279
# and every interval from then on.
349
280
self.checker_initiator_tag = (gobject.timeout_add
350
281
(self.interval_milliseconds(),
351
282
self.start_checker))
283
# Also start a new checker *right now*.
352
285
# Schedule a disable() when 'timeout' has passed
353
286
self.disable_initiator_tag = (gobject.timeout_add
354
287
(self.timeout_milliseconds(),
356
289
self.enabled = True
357
# Also start a new checker *right now*.
360
def disable(self, quiet=True):
361
292
"""Disable this client."""
362
293
if not getattr(self, "enabled", False):
365
self.send_changedstate()
367
logger.info(u"Disabling client %s", self.name)
368
if getattr(self, u"disable_initiator_tag", False):
295
logger.info(u"Disabling client %s", self.name)
296
if getattr(self, "disable_initiator_tag", False):
369
297
gobject.source_remove(self.disable_initiator_tag)
370
298
self.disable_initiator_tag = None
371
if getattr(self, u"checker_initiator_tag", False):
299
if getattr(self, "checker_initiator_tag", False):
372
300
gobject.source_remove(self.checker_initiator_tag)
373
301
self.checker_initiator_tag = None
374
302
self.stop_checker()
489
409
if self.checker_callback_tag:
490
410
gobject.source_remove(self.checker_callback_tag)
491
411
self.checker_callback_tag = None
492
if getattr(self, u"checker", None) is None:
412
if getattr(self, "checker", None) is None:
494
414
logger.debug(u"Stopping checker for %(name)s", vars(self))
496
416
os.kill(self.checker.pid, signal.SIGTERM)
498
418
#if self.checker.poll() is None:
499
419
# os.kill(self.checker.pid, signal.SIGKILL)
500
420
except OSError, error:
501
421
if error.errno != errno.ESRCH: # No such process
503
423
self.checker = None
505
def dbus_service_property(dbus_interface, signature=u"v",
506
access=u"readwrite", byte_arrays=False):
507
"""Decorators for marking methods of a DBusObjectWithProperties to
508
become properties on the D-Bus.
510
The decorated method will be called with no arguments by "Get"
511
and with one argument by "Set".
513
The parameters, where they are supported, are the same as
514
dbus.service.method, except there is only "signature", since the
515
type from Get() and the type sent to Set() is the same.
517
# Encoding deeply encoded byte arrays is not supported yet by the
518
# "Set" method, so we fail early here:
519
if byte_arrays and signature != u"ay":
520
raise ValueError(u"Byte arrays not supported for non-'ay'"
521
u" signature %r" % signature)
523
func._dbus_is_property = True
524
func._dbus_interface = dbus_interface
525
func._dbus_signature = signature
526
func._dbus_access = access
527
func._dbus_name = func.__name__
528
if func._dbus_name.endswith(u"_dbus_property"):
529
func._dbus_name = func._dbus_name[:-14]
530
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
535
class DBusPropertyException(dbus.exceptions.DBusException):
536
"""A base class for D-Bus property-related exceptions
538
def __unicode__(self):
539
return unicode(str(self))
542
class DBusPropertyAccessException(DBusPropertyException):
543
"""A property's access permissions disallows an operation.
548
class DBusPropertyNotFound(DBusPropertyException):
549
"""An attempt was made to access a non-existing property.
554
class DBusObjectWithProperties(dbus.service.Object):
555
"""A D-Bus object with properties.
557
Classes inheriting from this can use the dbus_service_property
558
decorator to expose methods as D-Bus properties. It exposes the
559
standard Get(), Set(), and GetAll() methods on the D-Bus.
563
def _is_dbus_property(obj):
564
return getattr(obj, u"_dbus_is_property", False)
566
def _get_all_dbus_properties(self):
567
"""Returns a generator of (name, attribute) pairs
569
return ((prop._dbus_name, prop)
571
inspect.getmembers(self, self._is_dbus_property))
573
def _get_dbus_property(self, interface_name, property_name):
574
"""Returns a bound method if one exists which is a D-Bus
575
property with the specified name and interface.
577
for name in (property_name,
578
property_name + u"_dbus_property"):
579
prop = getattr(self, name, None)
581
or not self._is_dbus_property(prop)
582
or prop._dbus_name != property_name
583
or (interface_name and prop._dbus_interface
584
and interface_name != prop._dbus_interface)):
588
raise DBusPropertyNotFound(self.dbus_object_path + u":"
589
+ interface_name + u"."
592
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
594
def Get(self, interface_name, property_name):
595
"""Standard D-Bus property Get() method, see D-Bus standard.
597
prop = self._get_dbus_property(interface_name, property_name)
598
if prop._dbus_access == u"write":
599
raise DBusPropertyAccessException(property_name)
601
if not hasattr(value, u"variant_level"):
603
return type(value)(value, variant_level=value.variant_level+1)
605
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
606
def Set(self, interface_name, property_name, value):
607
"""Standard D-Bus property Set() method, see D-Bus standard.
609
prop = self._get_dbus_property(interface_name, property_name)
610
if prop._dbus_access == u"read":
611
raise DBusPropertyAccessException(property_name)
612
if prop._dbus_get_args_options[u"byte_arrays"]:
613
# The byte_arrays option is not supported yet on
614
# signatures other than "ay".
615
if prop._dbus_signature != u"ay":
617
value = dbus.ByteArray(''.join(unichr(byte)
621
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
622
out_signature=u"a{sv}")
623
def GetAll(self, interface_name):
624
"""Standard D-Bus property GetAll() method, see D-Bus
627
Note: Will not include properties with access="write".
630
for name, prop in self._get_all_dbus_properties():
632
and interface_name != prop._dbus_interface):
633
# Interface non-empty but did not match
635
# Ignore write-only properties
636
if prop._dbus_access == u"write":
639
if not hasattr(value, u"variant_level"):
642
all[name] = type(value)(value, variant_level=
643
value.variant_level+1)
644
return dbus.Dictionary(all, signature=u"sv")
646
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
648
path_keyword='object_path',
649
connection_keyword='connection')
650
def Introspect(self, object_path, connection):
651
"""Standard D-Bus method, overloaded to insert property tags.
653
xmlstring = dbus.service.Object.Introspect(self, object_path,
656
document = xml.dom.minidom.parseString(xmlstring)
657
def make_tag(document, name, prop):
658
e = document.createElement(u"property")
659
e.setAttribute(u"name", name)
660
e.setAttribute(u"type", prop._dbus_signature)
661
e.setAttribute(u"access", prop._dbus_access)
663
for if_tag in document.getElementsByTagName(u"interface"):
664
for tag in (make_tag(document, name, prop)
666
in self._get_all_dbus_properties()
667
if prop._dbus_interface
668
== if_tag.getAttribute(u"name")):
669
if_tag.appendChild(tag)
670
# Add the names to the return values for the
671
# "org.freedesktop.DBus.Properties" methods
672
if (if_tag.getAttribute(u"name")
673
== u"org.freedesktop.DBus.Properties"):
674
for cn in if_tag.getElementsByTagName(u"method"):
675
if cn.getAttribute(u"name") == u"Get":
676
for arg in cn.getElementsByTagName(u"arg"):
677
if (arg.getAttribute(u"direction")
679
arg.setAttribute(u"name", u"value")
680
elif cn.getAttribute(u"name") == u"GetAll":
681
for arg in cn.getElementsByTagName(u"arg"):
682
if (arg.getAttribute(u"direction")
684
arg.setAttribute(u"name", u"props")
685
xmlstring = document.toxml(u"utf-8")
687
except (AttributeError, xml.dom.DOMException,
688
xml.parsers.expat.ExpatError), error:
689
logger.error(u"Failed to override Introspection method",
694
class ClientDBus(Client, DBusObjectWithProperties):
425
def still_valid(self):
426
"""Has the timeout not yet passed for this client?"""
427
if not getattr(self, "enabled", False):
429
now = datetime.datetime.utcnow()
430
if self.last_checked_ok is None:
431
return now < (self.created + self.timeout)
433
return now < (self.last_checked_ok + self.timeout)
436
class ClientDBus(Client, dbus.service.Object):
695
437
"""A Client class using D-Bus
698
dbus_object_path: dbus.ObjectPath
699
bus: dbus.SystemBus()
440
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
701
442
# dbus.service.Object doesn't use super(), so we can't either.
703
def __init__(self, bus = None, *args, **kwargs):
704
self._approvals_pending = 0
444
def __init__(self, *args, **kwargs):
706
445
Client.__init__(self, *args, **kwargs)
707
446
# Only now, when this client is initialized, can it show up on
709
448
self.dbus_object_path = (dbus.ObjectPath
711
+ self.name.replace(u".", u"_")))
712
DBusObjectWithProperties.__init__(self, self.bus,
713
self.dbus_object_path)
715
#Could possible return a bool(self._approvals_pending),
716
#but this could mess up approvals_pending += 1 XXX
717
def _get_approvals_pending(self):
718
return self._approvals_pending
719
def _set_approvals_pending(self, value):
720
old_value = self._approvals_pending
721
self._approvals_pending = value
723
if (hasattr(self, "dbus_object_path")
724
and bval is not bool(old_value)):
725
dbus_bool = dbus.Boolean(bval, variant_level=1)
726
self.PropertyChanged(dbus.String(u"approved_pending"),
729
approvals_pending = property(_get_approvals_pending,
730
_set_approvals_pending)
731
del _get_approvals_pending, _set_approvals_pending
734
def _datetime_to_dbus(dt, variant_level=0):
735
"""Convert a UTC datetime.datetime() to a D-Bus type."""
736
return dbus.String(dt.isoformat(),
737
variant_level=variant_level)
450
+ self.name.replace(".", "_")))
451
dbus.service.Object.__init__(self, bus,
452
self.dbus_object_path)
739
453
def enable(self):
740
oldstate = getattr(self, u"enabled", False)
454
oldstate = getattr(self, "enabled", False)
741
455
r = Client.enable(self)
742
456
if oldstate != self.enabled:
743
457
# Emit D-Bus signals
744
458
self.PropertyChanged(dbus.String(u"enabled"),
745
459
dbus.Boolean(True, variant_level=1))
746
self.PropertyChanged(
747
dbus.String(u"last_enabled"),
748
self._datetime_to_dbus(self.last_enabled,
460
self.PropertyChanged(dbus.String(u"last_enabled"),
461
(_datetime_to_dbus(self.last_enabled,
752
def disable(self, quiet = False):
753
oldstate = getattr(self, u"enabled", False)
754
r = Client.disable(self, quiet=quiet)
755
if not quiet and oldstate != self.enabled:
465
def disable(self, signal = True):
466
oldstate = getattr(self, "enabled", False)
467
r = Client.disable(self)
468
if signal and oldstate != self.enabled:
756
469
# Emit D-Bus signal
757
470
self.PropertyChanged(dbus.String(u"enabled"),
758
471
dbus.Boolean(False, variant_level=1))
811
524
# Emit D-Bus signal
812
525
self.CheckerStarted(self.current_checker_command)
813
526
self.PropertyChanged(
814
dbus.String(u"checker_running"),
527
dbus.String("checker_running"),
815
528
dbus.Boolean(True, variant_level=1))
818
531
def stop_checker(self, *args, **kwargs):
819
old_checker = getattr(self, u"checker", None)
532
old_checker = getattr(self, "checker", None)
820
533
r = Client.stop_checker(self, *args, **kwargs)
821
534
if (old_checker is not None
822
and getattr(self, u"checker", None) is None):
535
and getattr(self, "checker", None) is None):
823
536
self.PropertyChanged(dbus.String(u"checker_running"),
824
537
dbus.Boolean(False, variant_level=1))
827
def _reset_approved(self):
828
self._approved = None
831
def approve(self, value=True):
832
self.send_changedstate()
833
self._approved = value
834
gobject.timeout_add(self._timedelta_to_milliseconds(self.approved_duration),
835
self._reset_approved)
838
## D-Bus methods, signals & properties
540
## D-Bus methods & signals
839
541
_interface = u"se.bsnet.fukt.Mandos.Client"
544
CheckedOK = dbus.service.method(_interface)(checked_ok)
545
CheckedOK.__name__ = "CheckedOK"
843
547
# CheckerCompleted - signal
844
@dbus.service.signal(_interface, signature=u"nxs")
548
@dbus.service.signal(_interface, signature="nxs")
845
549
def CheckerCompleted(self, exitcode, waitstatus, command):
849
553
# CheckerStarted - signal
850
@dbus.service.signal(_interface, signature=u"s")
554
@dbus.service.signal(_interface, signature="s")
851
555
def CheckerStarted(self, command):
559
# GetAllProperties - method
560
@dbus.service.method(_interface, out_signature="a{sv}")
561
def GetAllProperties(self):
563
return dbus.Dictionary({
565
dbus.String(self.name, variant_level=1),
566
dbus.String("fingerprint"):
567
dbus.String(self.fingerprint, variant_level=1),
569
dbus.String(self.host, variant_level=1),
570
dbus.String("created"):
571
_datetime_to_dbus(self.created, variant_level=1),
572
dbus.String("last_enabled"):
573
(_datetime_to_dbus(self.last_enabled,
575
if self.last_enabled is not None
576
else dbus.Boolean(False, variant_level=1)),
577
dbus.String("enabled"):
578
dbus.Boolean(self.enabled, variant_level=1),
579
dbus.String("last_checked_ok"):
580
(_datetime_to_dbus(self.last_checked_ok,
582
if self.last_checked_ok is not None
583
else dbus.Boolean (False, variant_level=1)),
584
dbus.String("timeout"):
585
dbus.UInt64(self.timeout_milliseconds(),
587
dbus.String("interval"):
588
dbus.UInt64(self.interval_milliseconds(),
590
dbus.String("checker"):
591
dbus.String(self.checker_command,
593
dbus.String("checker_running"):
594
dbus.Boolean(self.checker is not None,
596
dbus.String("object_path"):
597
dbus.ObjectPath(self.dbus_object_path,
601
# IsStillValid - method
602
@dbus.service.method(_interface, out_signature="b")
603
def IsStillValid(self):
604
return self.still_valid()
855
606
# PropertyChanged - signal
856
@dbus.service.signal(_interface, signature=u"sv")
607
@dbus.service.signal(_interface, signature="sv")
857
608
def PropertyChanged(self, property, value):
862
# XXXTEDDY Is sent after succesfull transfer of secret from mandos-server to mandos-client
612
# ReceivedSecret - signal
863
613
@dbus.service.signal(_interface)
614
def ReceivedSecret(self):
868
618
# Rejected - signal
869
@dbus.service.signal(_interface, signature=u"s")
870
def Rejected(self, reason):
874
# NeedApproval - signal
875
@dbus.service.signal(_interface, signature=u"db")
876
def NeedApproval(self, timeout, default):
883
@dbus.service.method(_interface, in_signature=u"b")
884
def Approve(self, value):
888
@dbus.service.method(_interface)
890
return self.checked_ok()
619
@dbus.service.signal(_interface)
624
# SetChecker - method
625
@dbus.service.method(_interface, in_signature="s")
626
def SetChecker(self, checker):
627
"D-Bus setter method"
628
self.checker_command = checker
630
self.PropertyChanged(dbus.String(u"checker"),
631
dbus.String(self.checker_command,
635
@dbus.service.method(_interface, in_signature="s")
636
def SetHost(self, host):
637
"D-Bus setter method"
640
self.PropertyChanged(dbus.String(u"host"),
641
dbus.String(self.host, variant_level=1))
643
# SetInterval - method
644
@dbus.service.method(_interface, in_signature="t")
645
def SetInterval(self, milliseconds):
646
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
648
self.PropertyChanged(dbus.String(u"interval"),
649
(dbus.UInt64(self.interval_milliseconds(),
653
@dbus.service.method(_interface, in_signature="ay",
655
def SetSecret(self, secret):
656
"D-Bus setter method"
657
self.secret = str(secret)
659
# SetTimeout - method
660
@dbus.service.method(_interface, in_signature="t")
661
def SetTimeout(self, milliseconds):
662
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
664
self.PropertyChanged(dbus.String(u"timeout"),
665
(dbus.UInt64(self.timeout_milliseconds(),
892
668
# Enable - method
893
@dbus.service.method(_interface)
669
Enable = dbus.service.method(_interface)(enable)
670
Enable.__name__ = "Enable"
898
672
# StartChecker - method
899
673
@dbus.service.method(_interface)
910
684
# StopChecker - method
911
@dbus.service.method(_interface)
912
def StopChecker(self):
917
# approved_pending - property
918
@dbus_service_property(_interface, signature=u"b", access=u"read")
919
def approved_pending_dbus_property(self):
920
return dbus.Boolean(bool(self.approvals_pending))
922
# approved_by_default - property
923
@dbus_service_property(_interface, signature=u"b",
925
def approved_by_default_dbus_property(self):
926
return dbus.Boolean(self.approved_by_default)
928
# approved_delay - property
929
@dbus_service_property(_interface, signature=u"t",
931
def approved_delay_dbus_property(self):
932
return dbus.UInt64(self.approved_delay_milliseconds())
934
# approved_duration - property
935
@dbus_service_property(_interface, signature=u"t",
937
def approved_duration_dbus_property(self):
938
return dbus.UInt64(self._timedelta_to_milliseconds(
939
self.approved_duration))
942
@dbus_service_property(_interface, signature=u"s", access=u"read")
943
def name_dbus_property(self):
944
return dbus.String(self.name)
946
# fingerprint - property
947
@dbus_service_property(_interface, signature=u"s", access=u"read")
948
def fingerprint_dbus_property(self):
949
return dbus.String(self.fingerprint)
952
@dbus_service_property(_interface, signature=u"s",
954
def host_dbus_property(self, value=None):
955
if value is None: # get
956
return dbus.String(self.host)
959
self.PropertyChanged(dbus.String(u"host"),
960
dbus.String(value, variant_level=1))
963
@dbus_service_property(_interface, signature=u"s", access=u"read")
964
def created_dbus_property(self):
965
return dbus.String(self._datetime_to_dbus(self.created))
967
# last_enabled - property
968
@dbus_service_property(_interface, signature=u"s", access=u"read")
969
def last_enabled_dbus_property(self):
970
if self.last_enabled is None:
971
return dbus.String(u"")
972
return dbus.String(self._datetime_to_dbus(self.last_enabled))
975
@dbus_service_property(_interface, signature=u"b",
977
def enabled_dbus_property(self, value=None):
978
if value is None: # get
979
return dbus.Boolean(self.enabled)
985
# last_checked_ok - property
986
@dbus_service_property(_interface, signature=u"s",
988
def last_checked_ok_dbus_property(self, value=None):
989
if value is not None:
992
if self.last_checked_ok is None:
993
return dbus.String(u"")
994
return dbus.String(self._datetime_to_dbus(self
998
@dbus_service_property(_interface, signature=u"t",
1000
def timeout_dbus_property(self, value=None):
1001
if value is None: # get
1002
return dbus.UInt64(self.timeout_milliseconds())
1003
self.timeout = datetime.timedelta(0, 0, 0, value)
1005
self.PropertyChanged(dbus.String(u"timeout"),
1006
dbus.UInt64(value, variant_level=1))
1007
if getattr(self, u"disable_initiator_tag", None) is None:
1009
# Reschedule timeout
1010
gobject.source_remove(self.disable_initiator_tag)
1011
self.disable_initiator_tag = None
1012
time_to_die = (self.
1013
_timedelta_to_milliseconds((self
1018
if time_to_die <= 0:
1019
# The timeout has passed
1022
self.disable_initiator_tag = (gobject.timeout_add
1023
(time_to_die, self.disable))
1025
# interval - property
1026
@dbus_service_property(_interface, signature=u"t",
1027
access=u"readwrite")
1028
def interval_dbus_property(self, value=None):
1029
if value is None: # get
1030
return dbus.UInt64(self.interval_milliseconds())
1031
self.interval = datetime.timedelta(0, 0, 0, value)
1033
self.PropertyChanged(dbus.String(u"interval"),
1034
dbus.UInt64(value, variant_level=1))
1035
if getattr(self, u"checker_initiator_tag", None) is None:
1037
# Reschedule checker run
1038
gobject.source_remove(self.checker_initiator_tag)
1039
self.checker_initiator_tag = (gobject.timeout_add
1040
(value, self.start_checker))
1041
self.start_checker() # Start one now, too
1043
# checker - property
1044
@dbus_service_property(_interface, signature=u"s",
1045
access=u"readwrite")
1046
def checker_dbus_property(self, value=None):
1047
if value is None: # get
1048
return dbus.String(self.checker_command)
1049
self.checker_command = value
1051
self.PropertyChanged(dbus.String(u"checker"),
1052
dbus.String(self.checker_command,
1055
# checker_running - property
1056
@dbus_service_property(_interface, signature=u"b",
1057
access=u"readwrite")
1058
def checker_running_dbus_property(self, value=None):
1059
if value is None: # get
1060
return dbus.Boolean(self.checker is not None)
1062
self.start_checker()
1066
# object_path - property
1067
@dbus_service_property(_interface, signature=u"o", access=u"read")
1068
def object_path_dbus_property(self):
1069
return self.dbus_object_path # is already a dbus.ObjectPath
1072
@dbus_service_property(_interface, signature=u"ay",
1073
access=u"write", byte_arrays=True)
1074
def secret_dbus_property(self, value):
1075
self.secret = str(value)
685
StopChecker = dbus.service.method(_interface)(stop_checker)
686
StopChecker.__name__ = "StopChecker"
1080
class ProxyClient(object):
1081
def __init__(self, child_pipe, fpr, address):
1082
self._pipe = child_pipe
1083
self._pipe.send(('init', fpr, address))
1084
if not self._pipe.recv():
1087
def __getattribute__(self, name):
1088
if(name == '_pipe'):
1089
return super(ProxyClient, self).__getattribute__(name)
1090
self._pipe.send(('getattr', name))
1091
data = self._pipe.recv()
1092
if data[0] == 'data':
1094
if data[0] == 'function':
1095
def func(*args, **kwargs):
1096
self._pipe.send(('funcall', name, args, kwargs))
1097
return self._pipe.recv()[1]
1100
def __setattr__(self, name, value):
1101
if(name == '_pipe'):
1102
return super(ProxyClient, self).__setattr__(name, value)
1103
self._pipe.send(('setattr', name, value))
1106
class ClientHandler(socketserver.BaseRequestHandler, object):
691
class ClientHandler(SocketServer.BaseRequestHandler, object):
1107
692
"""A class to handle client connections.
1109
694
Instantiated once for each connection to handle it.
1110
695
Note: This will run in its own forked process."""
1112
697
def handle(self):
1113
with contextlib.closing(self.server.child_pipe) as child_pipe:
1114
logger.info(u"TCP connection from: %s",
1115
unicode(self.client_address))
1116
logger.debug(u"Pipe FD: %d",
1117
self.server.child_pipe.fileno())
698
logger.info(u"TCP connection from: %s",
699
unicode(self.client_address))
700
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
701
# Open IPC pipe to parent process
702
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
1119
703
session = (gnutls.connection
1120
704
.ClientSession(self.request,
1121
705
gnutls.connection
1122
706
.X509Credentials()))
708
line = self.request.makefile().readline()
709
logger.debug(u"Protocol version: %r", line)
711
if int(line.strip().split()[0]) > 1:
713
except (ValueError, IndexError, RuntimeError), error:
714
logger.error(u"Unknown protocol version: %s", error)
1124
717
# Note: gnutls.connection.X509Credentials is really a
1125
718
# generic GnuTLS certificate credentials object so long as
1126
719
# no X.509 keys are added to it. Therefore, we can use it
1127
720
# here despite using OpenPGP certificates.
1129
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1130
# u"+AES-256-CBC", u"+SHA1",
1131
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
722
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
723
# "+AES-256-CBC", "+SHA1",
724
# "+COMP-NULL", "+CTYPE-OPENPGP",
1133
726
# Use a fallback default, since this MUST be set.
1134
727
priority = self.server.gnutls_priority
1135
728
if priority is None:
1136
priority = u"NORMAL"
1137
730
(gnutls.library.functions
1138
731
.gnutls_priority_set_direct(session._c_object,
1139
732
priority, None))
1141
# Start communication using the Mandos protocol
1142
# Get protocol number
1143
line = self.request.makefile().readline()
1144
logger.debug(u"Protocol version: %r", line)
1146
if int(line.strip().split()[0]) > 1:
1148
except (ValueError, IndexError, RuntimeError), error:
1149
logger.error(u"Unknown protocol version: %s", error)
1152
# Start GnuTLS connection
1154
735
session.handshake()
1155
736
except gnutls.errors.GNUTLSError, error:
1158
739
# established. Just abandon the request.
1160
741
logger.debug(u"Handshake succeeded")
1162
approval_required = False
1165
fpr = self.fingerprint(self.peer_certificate
1167
except (TypeError, gnutls.errors.GNUTLSError), error:
1168
logger.warning(u"Bad certificate: %s", error)
1170
logger.debug(u"Fingerprint: %s", fpr)
1173
client = ProxyClient(child_pipe, fpr,
1174
self.client_address)
1178
if client.approved_delay:
1179
delay = client.approved_delay
1180
client.approvals_pending += 1
1181
approval_required = True
1184
if not client.enabled:
1185
logger.warning(u"Client %s is disabled",
1187
if self.server.use_dbus:
1189
client.Rejected("Disabled")
1192
if client._approved or not client.approved_delay:
1193
#We are approved or approval is disabled
1195
elif client._approved is None:
1196
logger.info(u"Client %s need approval",
1198
if self.server.use_dbus:
1200
client.NeedApproval(
1201
client.approved_delay_milliseconds(),
1202
client.approved_by_default)
1204
logger.warning(u"Client %s was not approved",
1206
if self.server.use_dbus:
1208
client.Rejected("Disapproved")
1211
#wait until timeout or approved
1212
#x = float(client._timedelta_to_milliseconds(delay))
1213
time = datetime.datetime.now()
1214
client.changedstate.acquire()
1215
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1216
client.changedstate.release()
1217
time2 = datetime.datetime.now()
1218
if (time2 - time) >= delay:
1219
if not client.approved_by_default:
1220
logger.warning("Client %s timed out while"
1221
" waiting for approval",
1223
if self.server.use_dbus:
1225
client.Rejected("Time out")
1230
delay -= time2 - time
1233
while sent_size < len(client.secret):
1234
# XXX handle session exception
1235
sent = session.send(client.secret[sent_size:])
1236
logger.debug(u"Sent: %d, remaining: %d",
1237
sent, len(client.secret)
1238
- (sent_size + sent))
1241
logger.info(u"Sending secret to %s", client.name)
1242
# bump the timeout as if seen
1244
if self.server.use_dbus:
743
fpr = self.fingerprint(self.peer_certificate(session))
744
except (TypeError, gnutls.errors.GNUTLSError), error:
745
logger.warning(u"Bad certificate: %s", error)
748
logger.debug(u"Fingerprint: %s", fpr)
1249
if approval_required:
1250
client.approvals_pending -= 1
750
for c in self.server.clients:
751
if c.fingerprint == fpr:
755
ipc.write("NOTFOUND %s\n" % fpr)
758
# Have to check if client.still_valid(), since it is
759
# possible that the client timed out while establishing
760
# the GnuTLS session.
761
if not client.still_valid():
762
ipc.write("INVALID %s\n" % client.name)
765
ipc.write("SENDING %s\n" % client.name)
767
while sent_size < len(client.secret):
768
sent = session.send(client.secret[sent_size:])
769
logger.debug(u"Sent: %d, remaining: %d",
770
sent, len(client.secret)
771
- (sent_size + sent))
1254
776
def peer_certificate(session):
1317
class MultiprocessingMixIn(object):
1318
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1319
def sub_process_main(self, request, address):
1321
self.finish_request(request, address)
1323
self.handle_error(request, address)
1324
self.close_request(request)
1326
def process_request(self, request, address):
1327
"""Start a new process to process the request."""
1328
multiprocessing.Process(target = self.sub_process_main,
1329
args = (request, address)).start()
1331
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1332
""" adds a pipe to the MixIn """
839
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
840
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
842
Assumes a gobject.MainLoop event loop.
1333
844
def process_request(self, request, client_address):
1334
845
"""Overrides and wraps the original process_request().
1336
This function creates a new pipe in self.pipe
847
This function creates a new pipe in self.pipe
1338
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1340
super(MultiprocessingMixInWithPipe,
849
self.pipe = os.pipe()
850
super(ForkingMixInWithPipe,
1341
851
self).process_request(request, client_address)
1342
self.child_pipe.close()
1343
self.add_pipe(parent_pipe)
1345
def add_pipe(self, parent_pipe):
852
os.close(self.pipe[1]) # close write end
853
# Call "handle_ipc" for both data and EOF events
854
gobject.io_add_watch(self.pipe[0],
855
gobject.IO_IN | gobject.IO_HUP,
857
def handle_ipc(source, condition):
1346
858
"""Dummy function; override as necessary"""
1349
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1350
socketserver.TCPServer, object):
863
class IPv6_TCPServer(ForkingMixInWithPipe,
864
SocketServer.TCPServer, object):
1351
865
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1354
868
enabled: Boolean; whether this server is activated yet
1355
869
interface: None or a network interface name (string)
1356
870
use_ipv6: Boolean; to use IPv6 or not
872
clients: Set() of Client objects
873
gnutls_priority GnuTLS priority string
874
use_dbus: Boolean; to emit D-Bus signals or not
1358
876
def __init__(self, server_address, RequestHandlerClass,
1359
interface=None, use_ipv6=True):
877
interface=None, use_ipv6=True, clients=None,
878
gnutls_priority=None, use_dbus=True):
1360
880
self.interface = interface
1362
882
self.address_family = socket.AF_INET6
1363
socketserver.TCPServer.__init__(self, server_address,
883
self.clients = clients
884
self.use_dbus = use_dbus
885
self.gnutls_priority = gnutls_priority
886
SocketServer.TCPServer.__init__(self, server_address,
1364
887
RequestHandlerClass)
1365
888
def server_bind(self):
1366
889
"""This overrides the normal server_bind() function
1367
890
to bind to an interface if one was specified, and also NOT to
1368
891
bind to an address or port if they were not specified."""
1369
892
if self.interface is not None:
1370
if SO_BINDTODEVICE is None:
1371
logger.error(u"SO_BINDTODEVICE does not exist;"
1372
u" cannot bind to interface %s",
1376
self.socket.setsockopt(socket.SOL_SOCKET,
1380
except socket.error, error:
1381
if error[0] == errno.EPERM:
1382
logger.error(u"No permission to"
1383
u" bind to interface %s",
1385
elif error[0] == errno.ENOPROTOOPT:
1386
logger.error(u"SO_BINDTODEVICE not available;"
1387
u" cannot bind to interface %s",
894
self.socket.setsockopt(socket.SOL_SOCKET,
896
self.interface + '\0')
897
except socket.error, error:
898
if error[0] == errno.EPERM:
899
logger.error(u"No permission to"
900
u" bind to interface %s",
1391
904
# Only bind(2) the socket if we really need to.
1392
905
if self.server_address[0] or self.server_address[1]:
1393
906
if not self.server_address[0]:
1394
907
if self.address_family == socket.AF_INET6:
1395
any_address = u"::" # in6addr_any
908
any_address = "::" # in6addr_any
1397
910
any_address = socket.INADDR_ANY
1398
911
self.server_address = (any_address,
1407
920
# if_nametoindex
1408
921
# (self.interface))
1409
return socketserver.TCPServer.server_bind(self)
1412
class MandosServer(IPv6_TCPServer):
1416
clients: set of Client objects
1417
gnutls_priority GnuTLS priority string
1418
use_dbus: Boolean; to emit D-Bus signals or not
1420
Assumes a gobject.MainLoop event loop.
1422
def __init__(self, server_address, RequestHandlerClass,
1423
interface=None, use_ipv6=True, clients=None,
1424
gnutls_priority=None, use_dbus=True):
1425
self.enabled = False
1426
self.clients = clients
1427
if self.clients is None:
1428
self.clients = set()
1429
self.use_dbus = use_dbus
1430
self.gnutls_priority = gnutls_priority
1431
IPv6_TCPServer.__init__(self, server_address,
1432
RequestHandlerClass,
1433
interface = interface,
1434
use_ipv6 = use_ipv6)
922
return SocketServer.TCPServer.server_bind(self)
1435
923
def server_activate(self):
1436
924
if self.enabled:
1437
return socketserver.TCPServer.server_activate(self)
925
return SocketServer.TCPServer.server_activate(self)
1438
926
def enable(self):
1439
927
self.enabled = True
1440
def add_pipe(self, parent_pipe):
1441
# Call "handle_ipc" for both data and EOF events
1442
gobject.io_add_watch(parent_pipe.fileno(),
1443
gobject.IO_IN | gobject.IO_HUP,
1444
functools.partial(self.handle_ipc,
1445
parent_pipe = parent_pipe))
1447
def handle_ipc(self, source, condition, parent_pipe=None,
1448
client_object=None):
928
def handle_ipc(self, source, condition, file_objects={}):
1449
929
condition_names = {
1450
gobject.IO_IN: u"IN", # There is data to read.
1451
gobject.IO_OUT: u"OUT", # Data can be written (without
1453
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1454
gobject.IO_ERR: u"ERR", # Error condition.
1455
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1456
# broken, usually for pipes and
930
gobject.IO_IN: "IN", # There is data to read.
931
gobject.IO_OUT: "OUT", # Data can be written (without
933
gobject.IO_PRI: "PRI", # There is urgent data to read.
934
gobject.IO_ERR: "ERR", # Error condition.
935
gobject.IO_HUP: "HUP" # Hung up (the connection has been
936
# broken, usually for pipes and
1459
939
conditions_string = ' | '.join(name
1460
940
for cond, name in
1461
941
condition_names.iteritems()
1462
942
if cond & condition)
1463
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
943
logger.debug("Handling IPC: FD = %d, condition = %s", source,
1464
944
conditions_string)
1466
# XXXTEDDY error or the other end of multiprocessing.Pipe has closed
1467
if condition & gobject.IO_HUP or condition & gobject.IO_ERR:
1470
# Read a request from the child
1471
request = parent_pipe.recv()
1472
logger.debug(u"IPC request: %s", repr(request))
1473
command = request[0]
1475
if command == 'init':
1477
address = request[2]
1479
for c in self.clients:
1480
if c.fingerprint == fpr:
1484
logger.warning(u"Client not found for fingerprint: %s, ad"
1485
u"dress: %s", fpr, address)
1488
mandos_dbus_service.ClientNotFound(fpr, address)
1489
parent_pipe.send(False)
1492
gobject.io_add_watch(parent_pipe.fileno(),
1493
gobject.IO_IN | gobject.IO_HUP,
1494
functools.partial(self.handle_ipc,
1495
parent_pipe = parent_pipe,
1496
client_object = client))
1497
parent_pipe.send(True)
1498
# remove the old hook in favor of the new above hook on same fileno
1500
if command == 'funcall':
1501
funcname = request[1]
1505
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1507
if command == 'getattr':
1508
attrname = request[1]
1509
if callable(client_object.__getattribute__(attrname)):
1510
parent_pipe.send(('function',))
1512
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1514
if command == 'setattr':
1515
attrname = request[1]
1517
setattr(client_object, attrname, value)
946
# Turn the pipe file descriptor into a Python file object
947
if source not in file_objects:
948
file_objects[source] = os.fdopen(source, "r", 1)
950
# Read a line from the file object
951
cmdline = file_objects[source].readline()
952
if not cmdline: # Empty line means end of file
954
file_objects[source].close()
955
del file_objects[source]
957
# Stop calling this function
960
logger.debug("IPC command: %r", cmdline)
962
# Parse and act on command
963
cmd, args = cmdline.rstrip("\r\n").split(None, 1)
965
if cmd == "NOTFOUND":
966
logger.warning(u"Client not found for fingerprint: %s",
970
mandos_dbus_service.ClientNotFound(args)
971
elif cmd == "INVALID":
972
for client in self.clients:
973
if client.name == args:
974
logger.warning(u"Client %s is invalid", args)
980
logger.error(u"Unknown client %s is invalid", args)
981
elif cmd == "SENDING":
982
for client in self.clients:
983
if client.name == args:
984
logger.info(u"Sending secret to %s", client.name)
988
client.ReceivedSecret()
991
logger.error(u"Sending secret to unknown client %s",
994
logger.error("Unknown IPC command: %r", cmdline)
996
# Keep calling this function
1522
1000
def string_to_delta(interval):
1523
1001
"""Parse a string and return a datetime.timedelta
1525
>>> string_to_delta(u'7d')
1003
>>> string_to_delta('7d')
1526
1004
datetime.timedelta(7)
1527
>>> string_to_delta(u'60s')
1005
>>> string_to_delta('60s')
1528
1006
datetime.timedelta(0, 60)
1529
>>> string_to_delta(u'60m')
1007
>>> string_to_delta('60m')
1530
1008
datetime.timedelta(0, 3600)
1531
>>> string_to_delta(u'24h')
1009
>>> string_to_delta('24h')
1532
1010
datetime.timedelta(1)
1533
1011
>>> string_to_delta(u'1w')
1534
1012
datetime.timedelta(7)
1535
>>> string_to_delta(u'5m 30s')
1013
>>> string_to_delta('5m 30s')
1536
1014
datetime.timedelta(0, 330)
1538
1016
timevalue = datetime.timedelta(0)
1551
1029
elif suffix == u"w":
1552
1030
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1554
raise ValueError(u"Unknown suffix %r" % suffix)
1555
except (ValueError, IndexError), e:
1556
raise ValueError(e.message)
1033
except (ValueError, IndexError):
1557
1035
timevalue += delta
1558
1036
return timevalue
1039
def server_state_changed(state):
1040
"""Derived from the Avahi example code"""
1041
if state == avahi.SERVER_COLLISION:
1042
logger.error(u"Zeroconf server name collision")
1044
elif state == avahi.SERVER_RUNNING:
1048
def entry_group_state_changed(state, error):
1049
"""Derived from the Avahi example code"""
1050
logger.debug(u"Avahi state change: %i", state)
1052
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1053
logger.debug(u"Zeroconf service established.")
1054
elif state == avahi.ENTRY_GROUP_COLLISION:
1055
logger.warning(u"Zeroconf service name collision.")
1057
elif state == avahi.ENTRY_GROUP_FAILURE:
1058
logger.critical(u"Avahi: Error in group state changed %s",
1060
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1561
1062
def if_nametoindex(interface):
1562
"""Call the C function if_nametoindex(), or equivalent
1564
Note: This function cannot accept a unicode string."""
1063
"""Call the C function if_nametoindex(), or equivalent"""
1565
1064
global if_nametoindex
1567
1066
if_nametoindex = (ctypes.cdll.LoadLibrary
1568
(ctypes.util.find_library(u"c"))
1067
(ctypes.util.find_library("c"))
1569
1068
.if_nametoindex)
1570
1069
except (OSError, AttributeError):
1571
logger.warning(u"Doing if_nametoindex the hard way")
1070
if "struct" not in sys.modules:
1072
if "fcntl" not in sys.modules:
1572
1074
def if_nametoindex(interface):
1573
1075
"Get an interface index the hard way, i.e. using fcntl()"
1574
1076
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1575
with contextlib.closing(socket.socket()) as s:
1077
with closing(socket.socket()) as s:
1576
1078
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1577
struct.pack(str(u"16s16x"),
1579
interface_index = struct.unpack(str(u"I"),
1079
struct.pack("16s16x", interface))
1080
interface_index = struct.unpack("I", ifreq[16:20])[0]
1581
1081
return interface_index
1582
1082
return if_nametoindex(interface)
1612
##################################################################
1111
######################################################################
1613
1112
# Parsing of options, both command line and config file
1615
1114
parser = optparse.OptionParser(version = "%%prog %s" % version)
1616
parser.add_option("-i", u"--interface", type=u"string",
1617
metavar="IF", help=u"Bind to interface IF")
1618
parser.add_option("-a", u"--address", type=u"string",
1619
help=u"Address to listen for requests on")
1620
parser.add_option("-p", u"--port", type=u"int",
1621
help=u"Port number to receive requests on")
1622
parser.add_option("--check", action=u"store_true",
1623
help=u"Run self-test")
1624
parser.add_option("--debug", action=u"store_true",
1625
help=u"Debug mode; run in foreground and log to"
1627
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1628
u" priority string (see GnuTLS documentation)")
1629
parser.add_option("--servicename", type=u"string",
1630
metavar=u"NAME", help=u"Zeroconf service name")
1631
parser.add_option("--configdir", type=u"string",
1632
default=u"/etc/mandos", metavar=u"DIR",
1633
help=u"Directory to search for configuration"
1635
parser.add_option("--no-dbus", action=u"store_false",
1636
dest=u"use_dbus", help=u"Do not provide D-Bus"
1637
u" system bus interface")
1638
parser.add_option("--no-ipv6", action=u"store_false",
1639
dest=u"use_ipv6", help=u"Do not use IPv6")
1115
parser.add_option("-i", "--interface", type="string",
1116
metavar="IF", help="Bind to interface IF")
1117
parser.add_option("-a", "--address", type="string",
1118
help="Address to listen for requests on")
1119
parser.add_option("-p", "--port", type="int",
1120
help="Port number to receive requests on")
1121
parser.add_option("--check", action="store_true",
1122
help="Run self-test")
1123
parser.add_option("--debug", action="store_true",
1124
help="Debug mode; run in foreground and log to"
1126
parser.add_option("--priority", type="string", help="GnuTLS"
1127
" priority string (see GnuTLS documentation)")
1128
parser.add_option("--servicename", type="string", metavar="NAME",
1129
help="Zeroconf service name")
1130
parser.add_option("--configdir", type="string",
1131
default="/etc/mandos", metavar="DIR",
1132
help="Directory to search for configuration"
1134
parser.add_option("--no-dbus", action="store_false",
1136
help="Do not provide D-Bus system bus"
1138
parser.add_option("--no-ipv6", action="store_false",
1139
dest="use_ipv6", help="Do not use IPv6")
1640
1140
options = parser.parse_args()[0]
1642
1142
if options.check:
1647
1147
# Default values for config file for server-global settings
1648
server_defaults = { u"interface": u"",
1653
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1654
u"servicename": u"Mandos",
1655
u"use_dbus": u"True",
1656
u"use_ipv6": u"True",
1148
server_defaults = { "interface": "",
1153
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1154
"servicename": "Mandos",
1659
1159
# Parse config file for server-global settings
1660
server_config = configparser.SafeConfigParser(server_defaults)
1160
server_config = ConfigParser.SafeConfigParser(server_defaults)
1661
1161
del server_defaults
1662
server_config.read(os.path.join(options.configdir,
1162
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1664
1163
# Convert the SafeConfigParser object to a dict
1665
1164
server_settings = server_config.defaults()
1666
1165
# Use the appropriate methods on the non-string config options
1667
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1668
server_settings[option] = server_config.getboolean(u"DEFAULT",
1166
server_settings["debug"] = server_config.getboolean("DEFAULT",
1168
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1170
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1670
1172
if server_settings["port"]:
1671
server_settings["port"] = server_config.getint(u"DEFAULT",
1173
server_settings["port"] = server_config.getint("DEFAULT",
1673
1175
del server_config
1675
1177
# Override the settings from the config file with command line
1676
1178
# options, if set.
1677
for option in (u"interface", u"address", u"port", u"debug",
1678
u"priority", u"servicename", u"configdir",
1679
u"use_dbus", u"use_ipv6"):
1179
for option in ("interface", "address", "port", "debug",
1180
"priority", "servicename", "configdir",
1181
"use_dbus", "use_ipv6"):
1680
1182
value = getattr(options, option)
1681
1183
if value is not None:
1682
1184
server_settings[option] = value
1684
# Force all strings to be unicode
1685
for option in server_settings.keys():
1686
if type(server_settings[option]) is str:
1687
server_settings[option] = unicode(server_settings[option])
1688
1186
# Now we have our good server settings in "server_settings"
1690
1188
##################################################################
1692
1190
# For convenience
1693
debug = server_settings[u"debug"]
1694
use_dbus = server_settings[u"use_dbus"]
1695
use_ipv6 = server_settings[u"use_ipv6"]
1191
debug = server_settings["debug"]
1192
use_dbus = server_settings["use_dbus"]
1193
use_ipv6 = server_settings["use_ipv6"]
1698
1196
syslogger.setLevel(logging.WARNING)
1699
1197
console.setLevel(logging.WARNING)
1701
if server_settings[u"servicename"] != u"Mandos":
1199
if server_settings["servicename"] != "Mandos":
1702
1200
syslogger.setFormatter(logging.Formatter
1703
(u'Mandos (%s) [%%(process)d]:'
1704
u' %%(levelname)s: %%(message)s'
1705
% server_settings[u"servicename"]))
1201
('Mandos (%s) [%%(process)d]:'
1202
' %%(levelname)s: %%(message)s'
1203
% server_settings["servicename"]))
1707
1205
# Parse config file with clients
1708
client_defaults = { u"timeout": u"1h",
1710
u"checker": u"fping -q -- %%(host)s",
1712
u"approved_delay": u"0s",
1713
u"approved_duration": u"1s",
1206
client_defaults = { "timeout": "1h",
1208
"checker": "fping -q -- %%(host)s",
1715
client_config = configparser.SafeConfigParser(client_defaults)
1716
client_config.read(os.path.join(server_settings[u"configdir"],
1211
client_config = ConfigParser.SafeConfigParser(client_defaults)
1212
client_config.read(os.path.join(server_settings["configdir"],
1719
1215
global mandos_dbus_service
1720
1216
mandos_dbus_service = None
1722
tcp_server = MandosServer((server_settings[u"address"],
1723
server_settings[u"port"]),
1725
interface=server_settings[u"interface"],
1728
server_settings[u"priority"],
1730
pidfilename = u"/var/run/mandos.pid"
1219
tcp_server = IPv6_TCPServer((server_settings["address"],
1220
server_settings["port"]),
1223
server_settings["interface"],
1227
server_settings["priority"],
1229
pidfilename = "/var/run/mandos.pid"
1732
pidfile = open(pidfilename, u"w")
1231
pidfile = open(pidfilename, "w")
1733
1232
except IOError:
1734
logger.error(u"Could not open file %r", pidfilename)
1233
logger.error("Could not open file %r", pidfilename)
1737
uid = pwd.getpwnam(u"_mandos").pw_uid
1738
gid = pwd.getpwnam(u"_mandos").pw_gid
1236
uid = pwd.getpwnam("_mandos").pw_uid
1237
gid = pwd.getpwnam("_mandos").pw_gid
1739
1238
except KeyError:
1741
uid = pwd.getpwnam(u"mandos").pw_uid
1742
gid = pwd.getpwnam(u"mandos").pw_gid
1240
uid = pwd.getpwnam("mandos").pw_uid
1241
gid = pwd.getpwnam("mandos").pw_gid
1743
1242
except KeyError:
1745
uid = pwd.getpwnam(u"nobody").pw_uid
1746
gid = pwd.getpwnam(u"nobody").pw_gid
1244
uid = pwd.getpwnam("nobody").pw_uid
1245
gid = pwd.getpwnam("nogroup").pw_gid
1747
1246
except KeyError:
1763
1262
@gnutls.library.types.gnutls_log_func
1764
1263
def debug_gnutls(level, string):
1765
logger.debug(u"GnuTLS: %s", string[:-1])
1264
logger.debug("GnuTLS: %s", string[:-1])
1767
1266
(gnutls.library.functions
1768
1267
.gnutls_global_set_log_function(debug_gnutls))
1270
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1271
service = AvahiService(name = server_settings["servicename"],
1272
servicetype = "_mandos._tcp",
1273
protocol = protocol)
1274
if server_settings["interface"]:
1275
service.interface = (if_nametoindex
1276
(server_settings["interface"]))
1770
1278
global main_loop
1771
1281
# From the Avahi example code
1772
1282
DBusGMainLoop(set_as_default=True )
1773
1283
main_loop = gobject.MainLoop()
1774
1284
bus = dbus.SystemBus()
1285
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1286
avahi.DBUS_PATH_SERVER),
1287
avahi.DBUS_INTERFACE_SERVER)
1775
1288
# End of Avahi example code
1778
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1779
bus, do_not_queue=True)
1780
except dbus.exceptions.NameExistsException, e:
1781
logger.error(unicode(e) + u", disabling D-Bus")
1783
server_settings[u"use_dbus"] = False
1784
tcp_server.use_dbus = False
1785
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1786
service = AvahiService(name = server_settings[u"servicename"],
1787
servicetype = u"_mandos._tcp",
1788
protocol = protocol, bus = bus)
1789
if server_settings["interface"]:
1790
service.interface = (if_nametoindex
1791
(str(server_settings[u"interface"])))
1793
global multiprocessing_manager
1794
multiprocessing_manager = multiprocessing.Manager()
1290
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1796
1292
client_class = Client
1798
client_class = functools.partial(ClientDBus, bus = bus)
1799
def client_config_items(config, section):
1800
special_settings = {
1801
"approved_by_default":
1802
lambda: config.getboolean(section,
1803
"approved_by_default"),
1805
for name, value in config.items(section):
1807
yield (name, special_settings[name]())
1811
tcp_server.clients.update(set(
1294
client_class = ClientDBus
1812
1296
client_class(name = section,
1813
config= dict(client_config_items(
1814
client_config, section)))
1297
config= dict(client_config.items(section)))
1815
1298
for section in client_config.sections()))
1816
if not tcp_server.clients:
1817
1300
logger.warning(u"No clients defined")
1850
1349
class MandosDBusService(dbus.service.Object):
1851
1350
"""A D-Bus proxy object"""
1852
1351
def __init__(self):
1853
dbus.service.Object.__init__(self, bus, u"/")
1352
dbus.service.Object.__init__(self, bus, "/")
1854
1353
_interface = u"se.bsnet.fukt.Mandos"
1856
@dbus.service.signal(_interface, signature=u"o")
1857
def ClientAdded(self, objpath):
1861
@dbus.service.signal(_interface, signature=u"ss")
1862
def ClientNotFound(self, fingerprint, address):
1866
@dbus.service.signal(_interface, signature=u"os")
1355
@dbus.service.signal(_interface, signature="oa{sv}")
1356
def ClientAdded(self, objpath, properties):
1360
@dbus.service.signal(_interface, signature="s")
1361
def ClientNotFound(self, fingerprint):
1365
@dbus.service.signal(_interface, signature="os")
1867
1366
def ClientRemoved(self, objpath, name):
1871
@dbus.service.method(_interface, out_signature=u"ao")
1370
@dbus.service.method(_interface, out_signature="ao")
1872
1371
def GetAllClients(self):
1874
return dbus.Array(c.dbus_object_path
1875
for c in tcp_server.clients)
1373
return dbus.Array(c.dbus_object_path for c in clients)
1877
@dbus.service.method(_interface,
1878
out_signature=u"a{oa{sv}}")
1375
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1879
1376
def GetAllClientsWithProperties(self):
1881
1378
return dbus.Dictionary(
1882
((c.dbus_object_path, c.GetAll(u""))
1883
for c in tcp_server.clients),
1884
signature=u"oa{sv}")
1379
((c.dbus_object_path, c.GetAllProperties())
1886
@dbus.service.method(_interface, in_signature=u"o")
1383
@dbus.service.method(_interface, in_signature="o")
1887
1384
def RemoveClient(self, object_path):
1889
for c in tcp_server.clients:
1890
1387
if c.dbus_object_path == object_path:
1891
tcp_server.clients.remove(c)
1892
1389
c.remove_from_connection()
1893
1390
# Don't signal anything except ClientRemoved
1894
c.disable(quiet=True)
1391
c.disable(signal=False)
1895
1392
# Emit D-Bus signal
1896
1393
self.ClientRemoved(object_path, c.name)
1898
raise KeyError(object_path)
1902
1399
mandos_dbus_service = MandosDBusService()
1905
"Cleanup function; run on exit"
1908
while tcp_server.clients:
1909
client = tcp_server.clients.pop()
1911
client.remove_from_connection()
1912
client.disable_hook = None
1913
# Don't signal anything except ClientRemoved
1914
client.disable(quiet=True)
1917
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1920
atexit.register(cleanup)
1922
for client in tcp_server.clients:
1401
for client in clients:
1924
1403
# Emit D-Bus signal
1925
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1404
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1405
client.GetAllProperties())
1926
1406
client.enable()
1928
1408
tcp_server.enable()