To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 333
- compare with another revision
- download diff
- download tarball
- view history from revision 333
- Committer: Teddy Hogeborn
- Date: 2009-04-16 01:00:35 UTC
- Revision ID: teddy@fukt.bsnet.se-20090416010035-y7ta6ra2da4gf6mp
Minor code cleanup; one minor bug fix.
* initramfs-tools-hook: Bug fix: Use the primary group of the first
suitable user found, do not look for a
group separately.
* mandos: Unconditionally import "struct" and "fcntl". Use unicode
strings everywhere possible.
(Client._datetime_to_milliseconds): New static method.
(Client.timeout_milliseconds, Client.interval_milliseconds): Use
above
method.
(ClientDBus.CheckedOK,
ClientDBus.Enable, ClientDBus.StopChecker): Define normally.
(if_nametoindex): Document non-acceptance of unicode strings. All
callers adjusted. Do not import "struct" or
"fcntl". Log warning message if if_nametoindex
cannot be found using ctypes modules.
(main): Bug fix: Do not look for user named "nogroup".
* initramfs-tools-hook: Bug fix: Use the primary group of the first
suitable user found, do not look for a
group separately.
* mandos: Unconditionally import "struct" and "fcntl". Use unicode
strings everywhere possible.
(Client._datetime_to_milliseconds): New static method.
(Client.timeout_milliseconds, Client.interval_milliseconds): Use
above
method.
(ClientDBus.CheckedOK,
ClientDBus.Enable, ClientDBus.StopChecker): Define normally.
(if_nametoindex): Document non-acceptance of unicode strings. All
callers adjusted. Do not import "struct" or
"fcntl". Log warning message if if_nametoindex
cannot be found using ctypes modules.
(main): Bug fix: Do not look for user named "nogroup".
- files removed:
- DBUS-API
- debian/source
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
31
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
34
from __future__ import division, with_statement, absolute_import
36
35
37
import SocketServer as socketserver
36
import SocketServer
38
37
import socket
39
38
import optparse
40
39
import datetime
45
44
import gnutls.library.functions
46
45
import gnutls.library.constants
47
46
import gnutls.library.types
48
import ConfigParser as configparser
47
import ConfigParser
49
48
import sys
50
49
import re
51
50
import os
52
51
import signal
52
from sets import Set
53
53
import subprocess
54
54
import atexit
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
58
import pwd
59
import contextlib
59
from contextlib import closing
60
60
import struct
61
61
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
65
62
66
63
import dbus
67
64
import dbus.service
70
67
from dbus.mainloop.glib import DBusGMainLoop
71
68
import ctypes
72
69
import ctypes.util
73
import xml.dom.minidom
74
import inspect
75
70
76
71
try:
77
72
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
79
74
try:
80
75
from IN import SO_BINDTODEVICE
81
76
except ImportError:
82
SO_BINDTODEVICE = None
83
84
85
version = "1.2.3"
86
87
#logger = logging.getLogger('mandos')
88
logger = logging.Logger('mandos')
77
# From /usr/include/asm/socket.h
78
SO_BINDTODEVICE = 25
79
80
81
version = "1.0.8"
82
83
logger = logging.Logger(u'mandos')
89
84
syslogger = (logging.handlers.SysLogHandler
90
85
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
91
address = str("/dev/log")))
86
address = "/dev/log"))
92
87
syslogger.setFormatter(logging.Formatter
93
('Mandos [%(process)d]: %(levelname)s:'
94
' %(message)s'))
88
(u'Mandos [%(process)d]: %(levelname)s:'
89
u' %(message)s'))
95
90
logger.addHandler(syslogger)
96
91
97
92
console = logging.StreamHandler()
98
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
99
' %(levelname)s:'
100
' %(message)s'))
93
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
94
u' %(levelname)s:'
95
u' %(message)s'))
101
96
logger.addHandler(console)
102
97
103
98
class AvahiError(Exception):
120
115
Attributes:
121
116
interface: integer; avahi.IF_UNSPEC or an interface index.
122
117
Used to optionally bind to the specified interface.
123
name: string; Example: 'Mandos'
124
type: string; Example: '_mandos._tcp'.
118
name: string; Example: u'Mandos'
119
type: string; Example: u'_mandos._tcp'.
125
120
See <http://www.dns-sd.org/ServiceTypes.html>
126
121
port: integer; what port to announce
127
122
TXT: list of strings; TXT record for the service
130
125
max_renames: integer; maximum number of renames
131
126
rename_count: integer; counter so we only rename after collisions
132
127
a sensible number of times
133
group: D-Bus Entry Group
134
server: D-Bus Server
135
bus: dbus.SystemBus()
136
128
"""
137
129
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
138
130
servicetype = None, port = None, TXT = None,
139
domain = "", host = "", max_renames = 32768,
140
protocol = avahi.PROTO_UNSPEC, bus = None):
131
domain = u"", host = u"", max_renames = 32768,
132
protocol = avahi.PROTO_UNSPEC):
141
133
self.interface = interface
142
134
self.name = name
143
135
self.type = servicetype
148
140
self.rename_count = 0
149
141
self.max_renames = max_renames
150
142
self.protocol = protocol
151
self.group = None # our entry group
152
self.server = None
153
self.bus = bus
154
143
def rename(self):
155
144
"""Derived from the Avahi example code"""
156
145
if self.rename_count >= self.max_renames:
157
logger.critical("No suitable Zeroconf service name found"
158
" after %i retries, exiting.",
146
logger.critical(u"No suitable Zeroconf service name found"
147
u" after %i retries, exiting.",
159
148
self.rename_count)
160
raise AvahiServiceError("Too many renames")
161
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
162
logger.info("Changing Zeroconf service name to %r ...",
149
raise AvahiServiceError(u"Too many renames")
150
self.name = server.GetAlternativeServiceName(self.name)
151
logger.info(u"Changing Zeroconf service name to %r ...",
163
152
self.name)
164
153
syslogger.setFormatter(logging.Formatter
165
('Mandos (%s) [%%(process)d]:'
166
' %%(levelname)s: %%(message)s'
154
(u'Mandos (%s) [%%(process)d]:'
155
u' %%(levelname)s: %%(message)s'
167
156
% self.name))
168
157
self.remove()
169
try:
170
self.add()
171
except dbus.exceptions.DBusException, error:
172
logger.critical("DBusException: %s", error)
173
self.cleanup()
174
os._exit(1)
158
self.add()
175
159
self.rename_count += 1
176
160
def remove(self):
177
161
"""Derived from the Avahi example code"""
178
if self.group is not None:
179
self.group.Reset()
162
if group is not None:
163
group.Reset()
180
164
def add(self):
181
165
"""Derived from the Avahi example code"""
182
if self.group is None:
183
self.group = dbus.Interface(
184
self.bus.get_object(avahi.DBUS_NAME,
185
self.server.EntryGroupNew()),
186
avahi.DBUS_INTERFACE_ENTRY_GROUP)
187
self.group.connect_to_signal('StateChanged',
188
self
189
.entry_group_state_changed)
190
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
191
self.name, self.type)
192
self.group.AddService(
193
self.interface,
194
self.protocol,
195
dbus.UInt32(0), # flags
196
self.name, self.type,
197
self.domain, self.host,
198
dbus.UInt16(self.port),
199
avahi.string_array_to_txt_array(self.TXT))
200
self.group.Commit()
201
def entry_group_state_changed(self, state, error):
202
"""Derived from the Avahi example code"""
203
logger.debug("Avahi entry group state change: %i", state)
204
205
if state == avahi.ENTRY_GROUP_ESTABLISHED:
206
logger.debug("Zeroconf service established.")
207
elif state == avahi.ENTRY_GROUP_COLLISION:
208
logger.info("Zeroconf service name collision.")
209
self.rename()
210
elif state == avahi.ENTRY_GROUP_FAILURE:
211
logger.critical("Avahi: Error in group state changed %s",
212
unicode(error))
213
raise AvahiGroupError("State changed: %s"
214
% unicode(error))
215
def cleanup(self):
216
"""Derived from the Avahi example code"""
217
if self.group is not None:
218
self.group.Free()
219
self.group = None
220
def server_state_changed(self, state):
221
"""Derived from the Avahi example code"""
222
logger.debug("Avahi server state change: %i", state)
223
if state == avahi.SERVER_COLLISION:
224
logger.error("Zeroconf server name collision")
225
self.remove()
226
elif state == avahi.SERVER_RUNNING:
227
self.add()
228
def activate(self):
229
"""Derived from the Avahi example code"""
230
if self.server is None:
231
self.server = dbus.Interface(
232
self.bus.get_object(avahi.DBUS_NAME,
233
avahi.DBUS_PATH_SERVER),
234
avahi.DBUS_INTERFACE_SERVER)
235
self.server.connect_to_signal("StateChanged",
236
self.server_state_changed)
237
self.server_state_changed(self.server.GetState())
166
global group
167
if group is None:
168
group = dbus.Interface(bus.get_object
169
(avahi.DBUS_NAME,
170
server.EntryGroupNew()),
171
avahi.DBUS_INTERFACE_ENTRY_GROUP)
172
group.connect_to_signal('StateChanged',
173
entry_group_state_changed)
174
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
175
service.name, service.type)
176
group.AddService(
177
self.interface, # interface
178
self.protocol, # protocol
179
dbus.UInt32(0), # flags
180
self.name, self.type,
181
self.domain, self.host,
182
dbus.UInt16(self.port),
183
avahi.string_array_to_txt_array(self.TXT))
184
group.Commit()
185
186
# From the Avahi example code:
187
group = None # our entry group
188
# End of Avahi example code
189
190
191
def _datetime_to_dbus(dt, variant_level=0):
192
"""Convert a UTC datetime.datetime() to a D-Bus type."""
193
return dbus.String(dt.isoformat(), variant_level=variant_level)
238
194
239
195
240
196
class Client(object):
241
197
"""A representation of a client host served by this server.
242
198
243
199
Attributes:
244
_approved: bool(); 'None' if not yet approved/disapproved
245
approval_delay: datetime.timedelta(); Time to wait for approval
246
approval_duration: datetime.timedelta(); Duration of one approval
200
name: string; from the config file, used in log messages and
201
D-Bus identifiers
202
fingerprint: string (40 or 32 hexadecimal digits); used to
203
uniquely identify the client
204
secret: bytestring; sent verbatim (over TLS) to client
205
host: string; available for use by the checker command
206
created: datetime.datetime(); (UTC) object creation
207
last_enabled: datetime.datetime(); (UTC)
208
enabled: bool()
209
last_checked_ok: datetime.datetime(); (UTC) or None
210
timeout: datetime.timedelta(); How long from last_checked_ok
211
until this client is invalid
212
interval: datetime.timedelta(); How often to start a new checker
213
disable_hook: If set, called by disable() as disable_hook(self)
247
214
checker: subprocess.Popen(); a running checker process used
248
215
to see if the client lives.
249
216
'None' if no process is running.
250
checker_callback_tag: a gobject event source tag, or None
251
checker_command: string; External command which is run to check
252
if client lives. %() expansions are done at
217
checker_initiator_tag: a gobject event source tag, or None
218
disable_initiator_tag: - '' -
219
checker_callback_tag: - '' -
220
checker_command: string; External command which is run to check if
221
client lives. %() expansions are done at
253
222
runtime with vars(self) as dict, so that for
254
223
instance %(name)s can be used in the command.
255
checker_initiator_tag: a gobject event source tag, or None
256
created: datetime.datetime(); (UTC) object creation
257
224
current_checker_command: string; current running checker_command
258
disable_hook: If set, called by disable() as disable_hook(self)
259
disable_initiator_tag: a gobject event source tag, or None
260
enabled: bool()
261
fingerprint: string (40 or 32 hexadecimal digits); used to
262
uniquely identify the client
263
host: string; available for use by the checker command
264
interval: datetime.timedelta(); How often to start a new checker
265
last_approval_request: datetime.datetime(); (UTC) or None
266
last_checked_ok: datetime.datetime(); (UTC) or None
267
last_enabled: datetime.datetime(); (UTC)
268
name: string; from the config file, used in log messages and
269
D-Bus identifiers
270
secret: bytestring; sent verbatim (over TLS) to client
271
timeout: datetime.timedelta(); How long from last_checked_ok
272
until this client is disabled
273
runtime_expansions: Allowed attributes for runtime expansion.
274
225
"""
275
226
276
runtime_expansions = ("approval_delay", "approval_duration",
277
"created", "enabled", "fingerprint",
278
"host", "interval", "last_checked_ok",
279
"last_enabled", "name", "timeout")
280
281
227
@staticmethod
282
def _timedelta_to_milliseconds(td):
283
"Convert a datetime.timedelta() to milliseconds"
284
return ((td.days * 24 * 60 * 60 * 1000)
285
+ (td.seconds * 1000)
286
+ (td.microseconds // 1000))
228
def _datetime_to_milliseconds(dt):
229
"Convert a datetime.datetime() to milliseconds"
230
return ((dt.days * 24 * 60 * 60 * 1000)
231
+ (dt.seconds * 1000)
232
+ (dt.microseconds // 1000))
287
233
288
234
def timeout_milliseconds(self):
289
235
"Return the 'timeout' attribute in milliseconds"
290
return self._timedelta_to_milliseconds(self.timeout)
236
return self._datetime_to_milliseconds(self.timeout)
291
237
292
238
def interval_milliseconds(self):
293
239
"Return the 'interval' attribute in milliseconds"
294
return self._timedelta_to_milliseconds(self.interval)
295
296
def approval_delay_milliseconds(self):
297
return self._timedelta_to_milliseconds(self.approval_delay)
240
return self._datetime_to_milliseconds(self.interval)
298
241
299
242
def __init__(self, name = None, disable_hook=None, config=None):
300
243
"""Note: the 'checker' key in 'config' sets the
303
246
self.name = name
304
247
if config is None:
305
248
config = {}
306
logger.debug("Creating client %r", self.name)
249
logger.debug(u"Creating client %r", self.name)
307
250
# Uppercase and remove spaces from fingerprint for later
308
251
# comparison purposes with return value from the fingerprint()
309
252
# function
310
self.fingerprint = (config["fingerprint"].upper()
311
.replace(" ", ""))
312
logger.debug(" Fingerprint: %s", self.fingerprint)
313
if "secret" in config:
314
self.secret = config["secret"].decode("base64")
315
elif "secfile" in config:
316
with open(os.path.expanduser(os.path.expandvars
317
(config["secfile"])),
318
"rb") as secfile:
253
self.fingerprint = (config[u"fingerprint"].upper()
254
.replace(u" ", u""))
255
logger.debug(u" Fingerprint: %s", self.fingerprint)
256
if u"secret" in config:
257
self.secret = config[u"secret"].decode(u"base64")
258
elif u"secfile" in config:
259
with closing(open(os.path.expanduser
260
(os.path.expandvars
261
(config[u"secfile"])))) as secfile:
319
262
self.secret = secfile.read()
320
263
else:
321
raise TypeError("No secret or secfile for client %s"
264
raise TypeError(u"No secret or secfile for client %s"
322
265
% self.name)
323
self.host = config.get("host", "")
266
self.host = config.get(u"host", u"")
324
267
self.created = datetime.datetime.utcnow()
325
268
self.enabled = False
326
self.last_approval_request = None
327
269
self.last_enabled = None
328
270
self.last_checked_ok = None
329
self.timeout = string_to_delta(config["timeout"])
330
self.interval = string_to_delta(config["interval"])
271
self.timeout = string_to_delta(config[u"timeout"])
272
self.interval = string_to_delta(config[u"interval"])
331
273
self.disable_hook = disable_hook
332
274
self.checker = None
333
275
self.checker_initiator_tag = None
334
276
self.disable_initiator_tag = None
335
277
self.checker_callback_tag = None
336
self.checker_command = config["checker"]
278
self.checker_command = config[u"checker"]
337
279
self.current_checker_command = None
338
280
self.last_connect = None
339
self._approved = None
340
self.approved_by_default = config.get("approved_by_default",
341
True)
342
self.approvals_pending = 0
343
self.approval_delay = string_to_delta(
344
config["approval_delay"])
345
self.approval_duration = string_to_delta(
346
config["approval_duration"])
347
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
348
281
349
def send_changedstate(self):
350
self.changedstate.acquire()
351
self.changedstate.notify_all()
352
self.changedstate.release()
353
354
282
def enable(self):
355
283
"""Start this client's checker and timeout hooks"""
356
if getattr(self, "enabled", False):
357
# Already enabled
358
return
359
self.send_changedstate()
360
284
self.last_enabled = datetime.datetime.utcnow()
361
285
# Schedule a new checker to be started an 'interval' from now,
362
286
# and every interval from then on.
363
287
self.checker_initiator_tag = (gobject.timeout_add
364
288
(self.interval_milliseconds(),
365
289
self.start_checker))
290
# Also start a new checker *right now*.
291
self.start_checker()
366
292
# Schedule a disable() when 'timeout' has passed
367
293
self.disable_initiator_tag = (gobject.timeout_add
368
294
(self.timeout_milliseconds(),
369
295
self.disable))
370
296
self.enabled = True
371
# Also start a new checker *right now*.
372
self.start_checker()
373
297
374
def disable(self, quiet=True):
298
def disable(self):
375
299
"""Disable this client."""
376
300
if not getattr(self, "enabled", False):
377
301
return False
378
if not quiet:
379
self.send_changedstate()
380
if not quiet:
381
logger.info("Disabling client %s", self.name)
382
if getattr(self, "disable_initiator_tag", False):
302
logger.info(u"Disabling client %s", self.name)
303
if getattr(self, u"disable_initiator_tag", False):
383
304
gobject.source_remove(self.disable_initiator_tag)
384
305
self.disable_initiator_tag = None
385
if getattr(self, "checker_initiator_tag", False):
306
if getattr(self, u"checker_initiator_tag", False):
386
307
gobject.source_remove(self.checker_initiator_tag)
387
308
self.checker_initiator_tag = None
388
309
self.stop_checker()
403
324
if os.WIFEXITED(condition):
404
325
exitstatus = os.WEXITSTATUS(condition)
405
326
if exitstatus == 0:
406
logger.info("Checker for %(name)s succeeded",
327
logger.info(u"Checker for %(name)s succeeded",
407
328
vars(self))
408
329
self.checked_ok()
409
330
else:
410
logger.info("Checker for %(name)s failed",
331
logger.info(u"Checker for %(name)s failed",
411
332
vars(self))
412
333
else:
413
logger.warning("Checker for %(name)s crashed?",
334
logger.warning(u"Checker for %(name)s crashed?",
414
335
vars(self))
415
336
416
337
def checked_ok(self):
425
346
(self.timeout_milliseconds(),
426
347
self.disable))
427
348
428
def need_approval(self):
429
self.last_approval_request = datetime.datetime.utcnow()
430
431
349
def start_checker(self):
432
350
"""Start a new checker subprocess if one is not running.
433
351
439
357
# client would inevitably timeout, since no checker would get
440
358
# a chance to run to completion. If we instead leave running
441
359
# checkers alone, the checker would have to take more time
442
# than 'timeout' for the client to be disabled, which is as it
443
# should be.
360
# than 'timeout' for the client to be declared invalid, which
361
# is as it should be.
444
362
445
363
# If a checker exists, make sure it is not a zombie
446
try:
364
if self.checker is not None:
447
365
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
448
except (AttributeError, OSError), error:
449
if (isinstance(error, OSError)
450
and error.errno != errno.ECHILD):
451
raise error
452
else:
453
366
if pid:
454
logger.warning("Checker was a zombie")
367
logger.warning(u"Checker was a zombie")
455
368
gobject.source_remove(self.checker_callback_tag)
456
369
self.checker_callback(pid, status,
457
370
self.current_checker_command)
462
375
command = self.checker_command % self.host
463
376
except TypeError:
464
377
# Escape attributes for the shell
465
escaped_attrs = dict(
466
(attr,
467
re.escape(unicode(str(getattr(self, attr, "")),
468
errors=
469
'replace')))
470
for attr in
471
self.runtime_expansions)
472
378
escaped_attrs = dict((key,
379
re.escape(unicode(str(val),
380
errors=
381
u'replace')))
382
for key, val in
383
vars(self).iteritems())
473
384
try:
474
385
command = self.checker_command % escaped_attrs
475
386
except TypeError, error:
476
logger.error('Could not format string "%s":'
477
' %s', self.checker_command, error)
387
logger.error(u'Could not format string "%s":'
388
u' %s', self.checker_command, error)
478
389
return True # Try again later
479
390
self.current_checker_command = command
480
391
try:
481
logger.info("Starting checker %r for %s",
392
logger.info(u"Starting checker %r for %s",
482
393
command, self.name)
483
394
# We don't need to redirect stdout and stderr, since
484
395
# in normal mode, that is already done by daemon(),
486
397
# always replaced by /dev/null.)
487
398
self.checker = subprocess.Popen(command,
488
399
close_fds=True,
489
shell=True, cwd="/")
400
shell=True, cwd=u"/")
490
401
self.checker_callback_tag = (gobject.child_watch_add
491
402
(self.checker.pid,
492
403
self.checker_callback,
498
409
gobject.source_remove(self.checker_callback_tag)
499
410
self.checker_callback(pid, status, command)
500
411
except OSError, error:
501
logger.error("Failed to start subprocess: %s",
412
logger.error(u"Failed to start subprocess: %s",
502
413
error)
503
414
# Re-run this periodically if run by gobject.timeout_add
504
415
return True
508
419
if self.checker_callback_tag:
509
420
gobject.source_remove(self.checker_callback_tag)
510
421
self.checker_callback_tag = None
511
if getattr(self, "checker", None) is None:
422
if getattr(self, u"checker", None) is None:
512
423
return
513
logger.debug("Stopping checker for %(name)s", vars(self))
424
logger.debug(u"Stopping checker for %(name)s", vars(self))
514
425
try:
515
426
os.kill(self.checker.pid, signal.SIGTERM)
516
#time.sleep(0.5)
427
#os.sleep(0.5)
517
428
#if self.checker.poll() is None:
518
429
# os.kill(self.checker.pid, signal.SIGKILL)
519
430
except OSError, error:
520
431
if error.errno != errno.ESRCH: # No such process
521
432
raise
522
433
self.checker = None
523
524
def dbus_service_property(dbus_interface, signature="v",
525
access="readwrite", byte_arrays=False):
526
"""Decorators for marking methods of a DBusObjectWithProperties to
527
become properties on the D-Bus.
528
529
The decorated method will be called with no arguments by "Get"
530
and with one argument by "Set".
531
532
The parameters, where they are supported, are the same as
533
dbus.service.method, except there is only "signature", since the
534
type from Get() and the type sent to Set() is the same.
535
"""
536
# Encoding deeply encoded byte arrays is not supported yet by the
537
# "Set" method, so we fail early here:
538
if byte_arrays and signature != "ay":
539
raise ValueError("Byte arrays not supported for non-'ay'"
540
" signature %r" % signature)
541
def decorator(func):
542
func._dbus_is_property = True
543
func._dbus_interface = dbus_interface
544
func._dbus_signature = signature
545
func._dbus_access = access
546
func._dbus_name = func.__name__
547
if func._dbus_name.endswith("_dbus_property"):
548
func._dbus_name = func._dbus_name[:-14]
549
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
550
return func
551
return decorator
552
553
554
class DBusPropertyException(dbus.exceptions.DBusException):
555
"""A base class for D-Bus property-related exceptions
556
"""
557
def __unicode__(self):
558
return unicode(str(self))
559
560
561
class DBusPropertyAccessException(DBusPropertyException):
562
"""A property's access permissions disallows an operation.
563
"""
564
pass
565
566
567
class DBusPropertyNotFound(DBusPropertyException):
568
"""An attempt was made to access a non-existing property.
569
"""
570
pass
571
572
573
class DBusObjectWithProperties(dbus.service.Object):
574
"""A D-Bus object with properties.
575
576
Classes inheriting from this can use the dbus_service_property
577
decorator to expose methods as D-Bus properties. It exposes the
578
standard Get(), Set(), and GetAll() methods on the D-Bus.
579
"""
580
581
@staticmethod
582
def _is_dbus_property(obj):
583
return getattr(obj, "_dbus_is_property", False)
584
585
def _get_all_dbus_properties(self):
586
"""Returns a generator of (name, attribute) pairs
587
"""
588
return ((prop._dbus_name, prop)
589
for name, prop in
590
inspect.getmembers(self, self._is_dbus_property))
591
592
def _get_dbus_property(self, interface_name, property_name):
593
"""Returns a bound method if one exists which is a D-Bus
594
property with the specified name and interface.
595
"""
596
for name in (property_name,
597
property_name + "_dbus_property"):
598
prop = getattr(self, name, None)
599
if (prop is None
600
or not self._is_dbus_property(prop)
601
or prop._dbus_name != property_name
602
or (interface_name and prop._dbus_interface
603
and interface_name != prop._dbus_interface)):
604
continue
605
return prop
606
# No such property
607
raise DBusPropertyNotFound(self.dbus_object_path + ":"
608
+ interface_name + "."
609
+ property_name)
610
611
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
612
out_signature="v")
613
def Get(self, interface_name, property_name):
614
"""Standard D-Bus property Get() method, see D-Bus standard.
615
"""
616
prop = self._get_dbus_property(interface_name, property_name)
617
if prop._dbus_access == "write":
618
raise DBusPropertyAccessException(property_name)
619
value = prop()
620
if not hasattr(value, "variant_level"):
621
return value
622
return type(value)(value, variant_level=value.variant_level+1)
623
624
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
625
def Set(self, interface_name, property_name, value):
626
"""Standard D-Bus property Set() method, see D-Bus standard.
627
"""
628
prop = self._get_dbus_property(interface_name, property_name)
629
if prop._dbus_access == "read":
630
raise DBusPropertyAccessException(property_name)
631
if prop._dbus_get_args_options["byte_arrays"]:
632
# The byte_arrays option is not supported yet on
633
# signatures other than "ay".
634
if prop._dbus_signature != "ay":
635
raise ValueError
636
value = dbus.ByteArray(''.join(unichr(byte)
637
for byte in value))
638
prop(value)
639
640
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
641
out_signature="a{sv}")
642
def GetAll(self, interface_name):
643
"""Standard D-Bus property GetAll() method, see D-Bus
644
standard.
645
646
Note: Will not include properties with access="write".
647
"""
648
all = {}
649
for name, prop in self._get_all_dbus_properties():
650
if (interface_name
651
and interface_name != prop._dbus_interface):
652
# Interface non-empty but did not match
653
continue
654
# Ignore write-only properties
655
if prop._dbus_access == "write":
656
continue
657
value = prop()
658
if not hasattr(value, "variant_level"):
659
all[name] = value
660
continue
661
all[name] = type(value)(value, variant_level=
662
value.variant_level+1)
663
return dbus.Dictionary(all, signature="sv")
664
665
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
666
out_signature="s",
667
path_keyword='object_path',
668
connection_keyword='connection')
669
def Introspect(self, object_path, connection):
670
"""Standard D-Bus method, overloaded to insert property tags.
671
"""
672
xmlstring = dbus.service.Object.Introspect(self, object_path,
673
connection)
674
try:
675
document = xml.dom.minidom.parseString(xmlstring)
676
def make_tag(document, name, prop):
677
e = document.createElement("property")
678
e.setAttribute("name", name)
679
e.setAttribute("type", prop._dbus_signature)
680
e.setAttribute("access", prop._dbus_access)
681
return e
682
for if_tag in document.getElementsByTagName("interface"):
683
for tag in (make_tag(document, name, prop)
684
for name, prop
685
in self._get_all_dbus_properties()
686
if prop._dbus_interface
687
== if_tag.getAttribute("name")):
688
if_tag.appendChild(tag)
689
# Add the names to the return values for the
690
# "org.freedesktop.DBus.Properties" methods
691
if (if_tag.getAttribute("name")
692
== "org.freedesktop.DBus.Properties"):
693
for cn in if_tag.getElementsByTagName("method"):
694
if cn.getAttribute("name") == "Get":
695
for arg in cn.getElementsByTagName("arg"):
696
if (arg.getAttribute("direction")
697
== "out"):
698
arg.setAttribute("name", "value")
699
elif cn.getAttribute("name") == "GetAll":
700
for arg in cn.getElementsByTagName("arg"):
701
if (arg.getAttribute("direction")
702
== "out"):
703
arg.setAttribute("name", "props")
704
xmlstring = document.toxml("utf-8")
705
document.unlink()
706
except (AttributeError, xml.dom.DOMException,
707
xml.parsers.expat.ExpatError), error:
708
logger.error("Failed to override Introspection method",
709
error)
710
return xmlstring
711
712
713
class ClientDBus(Client, DBusObjectWithProperties):
434
435
def still_valid(self):
436
"""Has the timeout not yet passed for this client?"""
437
if not getattr(self, u"enabled", False):
438
return False
439
now = datetime.datetime.utcnow()
440
if self.last_checked_ok is None:
441
return now < (self.created + self.timeout)
442
else:
443
return now < (self.last_checked_ok + self.timeout)
444
445
446
class ClientDBus(Client, dbus.service.Object):
714
447
"""A Client class using D-Bus
715
448
716
449
Attributes:
717
dbus_object_path: dbus.ObjectPath
718
bus: dbus.SystemBus()
450
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
719
451
"""
720
721
runtime_expansions = (Client.runtime_expansions
722
+ ("dbus_object_path",))
723
724
452
# dbus.service.Object doesn't use super(), so we can't either.
725
453
726
def __init__(self, bus = None, *args, **kwargs):
727
self._approvals_pending = 0
728
self.bus = bus
454
def __init__(self, *args, **kwargs):
729
455
Client.__init__(self, *args, **kwargs)
730
456
# Only now, when this client is initialized, can it show up on
731
457
# the D-Bus
732
client_object_name = unicode(self.name).translate(
733
{ord("."): ord("_"),
734
ord("-"): ord("_")})
735
458
self.dbus_object_path = (dbus.ObjectPath
736
("/clients/" + client_object_name))
737
DBusObjectWithProperties.__init__(self, self.bus,
738
self.dbus_object_path)
739
740
def _get_approvals_pending(self):
741
return self._approvals_pending
742
def _set_approvals_pending(self, value):
743
old_value = self._approvals_pending
744
self._approvals_pending = value
745
bval = bool(value)
746
if (hasattr(self, "dbus_object_path")
747
and bval is not bool(old_value)):
748
dbus_bool = dbus.Boolean(bval, variant_level=1)
749
self.PropertyChanged(dbus.String("ApprovalPending"),
750
dbus_bool)
751
752
approvals_pending = property(_get_approvals_pending,
753
_set_approvals_pending)
754
del _get_approvals_pending, _set_approvals_pending
755
756
@staticmethod
757
def _datetime_to_dbus(dt, variant_level=0):
758
"""Convert a UTC datetime.datetime() to a D-Bus type."""
759
return dbus.String(dt.isoformat(),
760
variant_level=variant_level)
761
459
(u"/clients/"
460
+ self.name.replace(u".", u"_")))
461
dbus.service.Object.__init__(self, bus,
462
self.dbus_object_path)
762
463
def enable(self):
763
oldstate = getattr(self, "enabled", False)
464
oldstate = getattr(self, u"enabled", False)
764
465
r = Client.enable(self)
765
466
if oldstate != self.enabled:
766
467
# Emit D-Bus signals
767
self.PropertyChanged(dbus.String("Enabled"),
468
self.PropertyChanged(dbus.String(u"enabled"),
768
469
dbus.Boolean(True, variant_level=1))
769
self.PropertyChanged(
770
dbus.String("LastEnabled"),
771
self._datetime_to_dbus(self.last_enabled,
772
variant_level=1))
470
self.PropertyChanged(dbus.String(u"last_enabled"),
471
(_datetime_to_dbus(self.last_enabled,
472
variant_level=1)))
773
473
return r
774
474
775
def disable(self, quiet = False):
776
oldstate = getattr(self, "enabled", False)
777
r = Client.disable(self, quiet=quiet)
778
if not quiet and oldstate != self.enabled:
475
def disable(self, signal = True):
476
oldstate = getattr(self, u"enabled", False)
477
r = Client.disable(self)
478
if signal and oldstate != self.enabled:
779
479
# Emit D-Bus signal
780
self.PropertyChanged(dbus.String("Enabled"),
480
self.PropertyChanged(dbus.String(u"enabled"),
781
481
dbus.Boolean(False, variant_level=1))
782
482
return r
783
483
786
486
self.remove_from_connection()
787
487
except LookupError:
788
488
pass
789
if hasattr(DBusObjectWithProperties, "__del__"):
790
DBusObjectWithProperties.__del__(self, *args, **kwargs)
489
if hasattr(dbus.service.Object, u"__del__"):
490
dbus.service.Object.__del__(self, *args, **kwargs)
791
491
Client.__del__(self, *args, **kwargs)
792
492
793
493
def checker_callback(self, pid, condition, command,
795
495
self.checker_callback_tag = None
796
496
self.checker = None
797
497
# Emit D-Bus signal
798
self.PropertyChanged(dbus.String("CheckerRunning"),
498
self.PropertyChanged(dbus.String(u"checker_running"),
799
499
dbus.Boolean(False, variant_level=1))
800
500
if os.WIFEXITED(condition):
801
501
exitstatus = os.WEXITSTATUS(condition)
816
516
r = Client.checked_ok(self, *args, **kwargs)
817
517
# Emit D-Bus signal
818
518
self.PropertyChanged(
819
dbus.String("LastCheckedOK"),
820
(self._datetime_to_dbus(self.last_checked_ok,
821
variant_level=1)))
822
return r
823
824
def need_approval(self, *args, **kwargs):
825
r = Client.need_approval(self, *args, **kwargs)
826
# Emit D-Bus signal
827
self.PropertyChanged(
828
dbus.String("LastApprovalRequest"),
829
(self._datetime_to_dbus(self.last_approval_request,
830
variant_level=1)))
519
dbus.String(u"last_checked_ok"),
520
(_datetime_to_dbus(self.last_checked_ok,
521
variant_level=1)))
831
522
return r
832
523
833
524
def start_checker(self, *args, **kwargs):
843
534
# Emit D-Bus signal
844
535
self.CheckerStarted(self.current_checker_command)
845
536
self.PropertyChanged(
846
dbus.String("CheckerRunning"),
537
dbus.String(u"checker_running"),
847
538
dbus.Boolean(True, variant_level=1))
848
539
return r
849
540
850
541
def stop_checker(self, *args, **kwargs):
851
old_checker = getattr(self, "checker", None)
542
old_checker = getattr(self, u"checker", None)
852
543
r = Client.stop_checker(self, *args, **kwargs)
853
544
if (old_checker is not None
854
and getattr(self, "checker", None) is None):
855
self.PropertyChanged(dbus.String("CheckerRunning"),
545
and getattr(self, u"checker", None) is None):
546
self.PropertyChanged(dbus.String(u"checker_running"),
856
547
dbus.Boolean(False, variant_level=1))
857
548
return r
858
859
def _reset_approved(self):
860
self._approved = None
861
return False
862
863
def approve(self, value=True):
864
self.send_changedstate()
865
self._approved = value
866
gobject.timeout_add(self._timedelta_to_milliseconds
867
(self.approval_duration),
868
self._reset_approved)
869
870
871
## D-Bus methods, signals & properties
872
_interface = "se.bsnet.fukt.Mandos.Client"
873
874
## Signals
549
550
## D-Bus methods & signals
551
_interface = u"se.bsnet.fukt.Mandos.Client"
552
553
# CheckedOK - method
554
@dbus.service.method(_interface)
555
def CheckedOK(self):
556
return self.checked_ok()
875
557
876
558
# CheckerCompleted - signal
877
@dbus.service.signal(_interface, signature="nxs")
559
@dbus.service.signal(_interface, signature=u"nxs")
878
560
def CheckerCompleted(self, exitcode, waitstatus, command):
879
561
"D-Bus signal"
880
562
pass
881
563
882
564
# CheckerStarted - signal
883
@dbus.service.signal(_interface, signature="s")
565
@dbus.service.signal(_interface, signature=u"s")
884
566
def CheckerStarted(self, command):
885
567
"D-Bus signal"
886
568
pass
887
569
570
# GetAllProperties - method
571
@dbus.service.method(_interface, out_signature=u"a{sv}")
572
def GetAllProperties(self):
573
"D-Bus method"
574
return dbus.Dictionary({
575
dbus.String(u"name"):
576
dbus.String(self.name, variant_level=1),
577
dbus.String(u"fingerprint"):
578
dbus.String(self.fingerprint, variant_level=1),
579
dbus.String(u"host"):
580
dbus.String(self.host, variant_level=1),
581
dbus.String(u"created"):
582
_datetime_to_dbus(self.created, variant_level=1),
583
dbus.String(u"last_enabled"):
584
(_datetime_to_dbus(self.last_enabled,
585
variant_level=1)
586
if self.last_enabled is not None
587
else dbus.Boolean(False, variant_level=1)),
588
dbus.String(u"enabled"):
589
dbus.Boolean(self.enabled, variant_level=1),
590
dbus.String(u"last_checked_ok"):
591
(_datetime_to_dbus(self.last_checked_ok,
592
variant_level=1)
593
if self.last_checked_ok is not None
594
else dbus.Boolean (False, variant_level=1)),
595
dbus.String(u"timeout"):
596
dbus.UInt64(self.timeout_milliseconds(),
597
variant_level=1),
598
dbus.String(u"interval"):
599
dbus.UInt64(self.interval_milliseconds(),
600
variant_level=1),
601
dbus.String(u"checker"):
602
dbus.String(self.checker_command,
603
variant_level=1),
604
dbus.String(u"checker_running"):
605
dbus.Boolean(self.checker is not None,
606
variant_level=1),
607
dbus.String(u"object_path"):
608
dbus.ObjectPath(self.dbus_object_path,
609
variant_level=1)
610
}, signature=u"sv")
611
612
# IsStillValid - method
613
@dbus.service.method(_interface, out_signature=u"b")
614
def IsStillValid(self):
615
return self.still_valid()
616
888
617
# PropertyChanged - signal
889
@dbus.service.signal(_interface, signature="sv")
618
@dbus.service.signal(_interface, signature=u"sv")
890
619
def PropertyChanged(self, property, value):
891
620
"D-Bus signal"
892
621
pass
893
622
894
# GotSecret - signal
623
# ReceivedSecret - signal
895
624
@dbus.service.signal(_interface)
896
def GotSecret(self):
897
"""D-Bus signal
898
Is sent after a successful transfer of secret from the Mandos
899
server to mandos-client
900
"""
625
def ReceivedSecret(self):
626
"D-Bus signal"
901
627
pass
902
628
903
629
# Rejected - signal
904
@dbus.service.signal(_interface, signature="s")
905
def Rejected(self, reason):
630
@dbus.service.signal(_interface)
631
def Rejected(self):
906
632
"D-Bus signal"
907
633
pass
908
634
909
# NeedApproval - signal
910
@dbus.service.signal(_interface, signature="tb")
911
def NeedApproval(self, timeout, default):
912
"D-Bus signal"
913
return self.need_approval()
914
915
## Methods
916
917
# Approve - method
918
@dbus.service.method(_interface, in_signature="b")
919
def Approve(self, value):
920
self.approve(value)
921
922
# CheckedOK - method
923
@dbus.service.method(_interface)
924
def CheckedOK(self):
925
return self.checked_ok()
635
# SetChecker - method
636
@dbus.service.method(_interface, in_signature=u"s")
637
def SetChecker(self, checker):
638
"D-Bus setter method"
639
self.checker_command = checker
640
# Emit D-Bus signal
641
self.PropertyChanged(dbus.String(u"checker"),
642
dbus.String(self.checker_command,
643
variant_level=1))
644
645
# SetHost - method
646
@dbus.service.method(_interface, in_signature=u"s")
647
def SetHost(self, host):
648
"D-Bus setter method"
649
self.host = host
650
# Emit D-Bus signal
651
self.PropertyChanged(dbus.String(u"host"),
652
dbus.String(self.host, variant_level=1))
653
654
# SetInterval - method
655
@dbus.service.method(_interface, in_signature=u"t")
656
def SetInterval(self, milliseconds):
657
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
658
# Emit D-Bus signal
659
self.PropertyChanged(dbus.String(u"interval"),
660
(dbus.UInt64(self.interval_milliseconds(),
661
variant_level=1)))
662
663
# SetSecret - method
664
@dbus.service.method(_interface, in_signature=u"ay",
665
byte_arrays=True)
666
def SetSecret(self, secret):
667
"D-Bus setter method"
668
self.secret = str(secret)
669
670
# SetTimeout - method
671
@dbus.service.method(_interface, in_signature=u"t")
672
def SetTimeout(self, milliseconds):
673
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
674
# Emit D-Bus signal
675
self.PropertyChanged(dbus.String(u"timeout"),
676
(dbus.UInt64(self.timeout_milliseconds(),
677
variant_level=1)))
926
678
927
679
# Enable - method
928
680
@dbus.service.method(_interface)
947
699
def StopChecker(self):
948
700
self.stop_checker()
949
701
950
## Properties
951
952
# ApprovalPending - property
953
@dbus_service_property(_interface, signature="b", access="read")
954
def ApprovalPending_dbus_property(self):
955
return dbus.Boolean(bool(self.approvals_pending))
956
957
# ApprovedByDefault - property
958
@dbus_service_property(_interface, signature="b",
959
access="readwrite")
960
def ApprovedByDefault_dbus_property(self, value=None):
961
if value is None: # get
962
return dbus.Boolean(self.approved_by_default)
963
self.approved_by_default = bool(value)
964
# Emit D-Bus signal
965
self.PropertyChanged(dbus.String("ApprovedByDefault"),
966
dbus.Boolean(value, variant_level=1))
967
968
# ApprovalDelay - property
969
@dbus_service_property(_interface, signature="t",
970
access="readwrite")
971
def ApprovalDelay_dbus_property(self, value=None):
972
if value is None: # get
973
return dbus.UInt64(self.approval_delay_milliseconds())
974
self.approval_delay = datetime.timedelta(0, 0, 0, value)
975
# Emit D-Bus signal
976
self.PropertyChanged(dbus.String("ApprovalDelay"),
977
dbus.UInt64(value, variant_level=1))
978
979
# ApprovalDuration - property
980
@dbus_service_property(_interface, signature="t",
981
access="readwrite")
982
def ApprovalDuration_dbus_property(self, value=None):
983
if value is None: # get
984
return dbus.UInt64(self._timedelta_to_milliseconds(
985
self.approval_duration))
986
self.approval_duration = datetime.timedelta(0, 0, 0, value)
987
# Emit D-Bus signal
988
self.PropertyChanged(dbus.String("ApprovalDuration"),
989
dbus.UInt64(value, variant_level=1))
990
991
# Name - property
992
@dbus_service_property(_interface, signature="s", access="read")
993
def Name_dbus_property(self):
994
return dbus.String(self.name)
995
996
# Fingerprint - property
997
@dbus_service_property(_interface, signature="s", access="read")
998
def Fingerprint_dbus_property(self):
999
return dbus.String(self.fingerprint)
1000
1001
# Host - property
1002
@dbus_service_property(_interface, signature="s",
1003
access="readwrite")
1004
def Host_dbus_property(self, value=None):
1005
if value is None: # get
1006
return dbus.String(self.host)
1007
self.host = value
1008
# Emit D-Bus signal
1009
self.PropertyChanged(dbus.String("Host"),
1010
dbus.String(value, variant_level=1))
1011
1012
# Created - property
1013
@dbus_service_property(_interface, signature="s", access="read")
1014
def Created_dbus_property(self):
1015
return dbus.String(self._datetime_to_dbus(self.created))
1016
1017
# LastEnabled - property
1018
@dbus_service_property(_interface, signature="s", access="read")
1019
def LastEnabled_dbus_property(self):
1020
if self.last_enabled is None:
1021
return dbus.String("")
1022
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1023
1024
# Enabled - property
1025
@dbus_service_property(_interface, signature="b",
1026
access="readwrite")
1027
def Enabled_dbus_property(self, value=None):
1028
if value is None: # get
1029
return dbus.Boolean(self.enabled)
1030
if value:
1031
self.enable()
1032
else:
1033
self.disable()
1034
1035
# LastCheckedOK - property
1036
@dbus_service_property(_interface, signature="s",
1037
access="readwrite")
1038
def LastCheckedOK_dbus_property(self, value=None):
1039
if value is not None:
1040
self.checked_ok()
1041
return
1042
if self.last_checked_ok is None:
1043
return dbus.String("")
1044
return dbus.String(self._datetime_to_dbus(self
1045
.last_checked_ok))
1046
1047
# LastApprovalRequest - property
1048
@dbus_service_property(_interface, signature="s", access="read")
1049
def LastApprovalRequest_dbus_property(self):
1050
if self.last_approval_request is None:
1051
return dbus.String("")
1052
return dbus.String(self.
1053
_datetime_to_dbus(self
1054
.last_approval_request))
1055
1056
# Timeout - property
1057
@dbus_service_property(_interface, signature="t",
1058
access="readwrite")
1059
def Timeout_dbus_property(self, value=None):
1060
if value is None: # get
1061
return dbus.UInt64(self.timeout_milliseconds())
1062
self.timeout = datetime.timedelta(0, 0, 0, value)
1063
# Emit D-Bus signal
1064
self.PropertyChanged(dbus.String("Timeout"),
1065
dbus.UInt64(value, variant_level=1))
1066
if getattr(self, "disable_initiator_tag", None) is None:
1067
return
1068
# Reschedule timeout
1069
gobject.source_remove(self.disable_initiator_tag)
1070
self.disable_initiator_tag = None
1071
time_to_die = (self.
1072
_timedelta_to_milliseconds((self
1073
.last_checked_ok
1074
+ self.timeout)
1075
- datetime.datetime
1076
.utcnow()))
1077
if time_to_die <= 0:
1078
# The timeout has passed
1079
self.disable()
1080
else:
1081
self.disable_initiator_tag = (gobject.timeout_add
1082
(time_to_die, self.disable))
1083
1084
# Interval - property
1085
@dbus_service_property(_interface, signature="t",
1086
access="readwrite")
1087
def Interval_dbus_property(self, value=None):
1088
if value is None: # get
1089
return dbus.UInt64(self.interval_milliseconds())
1090
self.interval = datetime.timedelta(0, 0, 0, value)
1091
# Emit D-Bus signal
1092
self.PropertyChanged(dbus.String("Interval"),
1093
dbus.UInt64(value, variant_level=1))
1094
if getattr(self, "checker_initiator_tag", None) is None:
1095
return
1096
# Reschedule checker run
1097
gobject.source_remove(self.checker_initiator_tag)
1098
self.checker_initiator_tag = (gobject.timeout_add
1099
(value, self.start_checker))
1100
self.start_checker() # Start one now, too
1101
1102
# Checker - property
1103
@dbus_service_property(_interface, signature="s",
1104
access="readwrite")
1105
def Checker_dbus_property(self, value=None):
1106
if value is None: # get
1107
return dbus.String(self.checker_command)
1108
self.checker_command = value
1109
# Emit D-Bus signal
1110
self.PropertyChanged(dbus.String("Checker"),
1111
dbus.String(self.checker_command,
1112
variant_level=1))
1113
1114
# CheckerRunning - property
1115
@dbus_service_property(_interface, signature="b",
1116
access="readwrite")
1117
def CheckerRunning_dbus_property(self, value=None):
1118
if value is None: # get
1119
return dbus.Boolean(self.checker is not None)
1120
if value:
1121
self.start_checker()
1122
else:
1123
self.stop_checker()
1124
1125
# ObjectPath - property
1126
@dbus_service_property(_interface, signature="o", access="read")
1127
def ObjectPath_dbus_property(self):
1128
return self.dbus_object_path # is already a dbus.ObjectPath
1129
1130
# Secret = property
1131
@dbus_service_property(_interface, signature="ay",
1132
access="write", byte_arrays=True)
1133
def Secret_dbus_property(self, value):
1134
self.secret = str(value)
1135
1136
702
del _interface
1137
703
1138
704
1139
class ProxyClient(object):
1140
def __init__(self, child_pipe, fpr, address):
1141
self._pipe = child_pipe
1142
self._pipe.send(('init', fpr, address))
1143
if not self._pipe.recv():
1144
raise KeyError()
1145
1146
def __getattribute__(self, name):
1147
if(name == '_pipe'):
1148
return super(ProxyClient, self).__getattribute__(name)
1149
self._pipe.send(('getattr', name))
1150
data = self._pipe.recv()
1151
if data[0] == 'data':
1152
return data[1]
1153
if data[0] == 'function':
1154
def func(*args, **kwargs):
1155
self._pipe.send(('funcall', name, args, kwargs))
1156
return self._pipe.recv()[1]
1157
return func
1158
1159
def __setattr__(self, name, value):
1160
if(name == '_pipe'):
1161
return super(ProxyClient, self).__setattr__(name, value)
1162
self._pipe.send(('setattr', name, value))
1163
1164
1165
class ClientHandler(socketserver.BaseRequestHandler, object):
705
class ClientHandler(SocketServer.BaseRequestHandler, object):
1166
706
"""A class to handle client connections.
1167
707
1168
708
Instantiated once for each connection to handle it.
1169
709
Note: This will run in its own forked process."""
1170
710
1171
711
def handle(self):
1172
with contextlib.closing(self.server.child_pipe) as child_pipe:
1173
logger.info("TCP connection from: %s",
1174
unicode(self.client_address))
1175
logger.debug("Pipe FD: %d",
1176
self.server.child_pipe.fileno())
1177
712
logger.info(u"TCP connection from: %s",
713
unicode(self.client_address))
714
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
715
# Open IPC pipe to parent process
716
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1178
717
session = (gnutls.connection
1179
718
.ClientSession(self.request,
1180
719
gnutls.connection
1181
720
.X509Credentials()))
1182
721
722
line = self.request.makefile().readline()
723
logger.debug(u"Protocol version: %r", line)
724
try:
725
if int(line.strip().split()[0]) > 1:
726
raise RuntimeError
727
except (ValueError, IndexError, RuntimeError), error:
728
logger.error(u"Unknown protocol version: %s", error)
729
return
730
1183
731
# Note: gnutls.connection.X509Credentials is really a
1184
732
# generic GnuTLS certificate credentials object so long as
1185
733
# no X.509 keys are added to it. Therefore, we can use it
1186
734
# here despite using OpenPGP certificates.
1187
1188
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1189
# "+AES-256-CBC", "+SHA1",
1190
# "+COMP-NULL", "+CTYPE-OPENPGP",
1191
# "+DHE-DSS"))
735
736
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
737
# u"+AES-256-CBC", u"+SHA1",
738
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
739
# u"+DHE-DSS"))
1192
740
# Use a fallback default, since this MUST be set.
1193
741
priority = self.server.gnutls_priority
1194
742
if priority is None:
1195
priority = "NORMAL"
743
priority = u"NORMAL"
1196
744
(gnutls.library.functions
1197
745
.gnutls_priority_set_direct(session._c_object,
1198
746
priority, None))
1199
1200
# Start communication using the Mandos protocol
1201
# Get protocol number
1202
line = self.request.makefile().readline()
1203
logger.debug("Protocol version: %r", line)
1204
try:
1205
if int(line.strip().split()[0]) > 1:
1206
raise RuntimeError
1207
except (ValueError, IndexError, RuntimeError), error:
1208
logger.error("Unknown protocol version: %s", error)
1209
return
1210
1211
# Start GnuTLS connection
747
1212
748
try:
1213
749
session.handshake()
1214
750
except gnutls.errors.GNUTLSError, error:
1215
logger.warning("Handshake failed: %s", error)
751
logger.warning(u"Handshake failed: %s", error)
1216
752
# Do not run session.bye() here: the session is not
1217
753
# established. Just abandon the request.
1218
754
return
1219
logger.debug("Handshake succeeded")
1220
1221
approval_required = False
755
logger.debug(u"Handshake succeeded")
1222
756
try:
1223
try:
1224
fpr = self.fingerprint(self.peer_certificate
1225
(session))
1226
except (TypeError, gnutls.errors.GNUTLSError), error:
1227
logger.warning("Bad certificate: %s", error)
1228
return
1229
logger.debug("Fingerprint: %s", fpr)
1230
1231
try:
1232
client = ProxyClient(child_pipe, fpr,
1233
self.client_address)
1234
except KeyError:
1235
return
1236
1237
if client.approval_delay:
1238
delay = client.approval_delay
1239
client.approvals_pending += 1
1240
approval_required = True
1241
1242
while True:
1243
if not client.enabled:
1244
logger.warning("Client %s is disabled",
1245
client.name)
1246
if self.server.use_dbus:
1247
# Emit D-Bus signal
1248
client.Rejected("Disabled")
1249
return
1250
1251
if client._approved or not client.approval_delay:
1252
#We are approved or approval is disabled
1253
break
1254
elif client._approved is None:
1255
logger.info("Client %s needs approval",
1256
client.name)
1257
if self.server.use_dbus:
1258
# Emit D-Bus signal
1259
client.NeedApproval(
1260
client.approval_delay_milliseconds(),
1261
client.approved_by_default)
1262
else:
1263
logger.warning("Client %s was not approved",
1264
client.name)
1265
if self.server.use_dbus:
1266
# Emit D-Bus signal
1267
client.Rejected("Denied")
1268
return
1269
1270
#wait until timeout or approved
1271
#x = float(client._timedelta_to_milliseconds(delay))
1272
time = datetime.datetime.now()
1273
client.changedstate.acquire()
1274
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1275
client.changedstate.release()
1276
time2 = datetime.datetime.now()
1277
if (time2 - time) >= delay:
1278
if not client.approved_by_default:
1279
logger.warning("Client %s timed out while"
1280
" waiting for approval",
1281
client.name)
1282
if self.server.use_dbus:
1283
# Emit D-Bus signal
1284
client.Rejected("Approval timed out")
1285
return
1286
else:
1287
break
1288
else:
1289
delay -= time2 - time
1290
1291
sent_size = 0
1292
while sent_size < len(client.secret):
1293
try:
1294
sent = session.send(client.secret[sent_size:])
1295
except (gnutls.errors.GNUTLSError), error:
1296
logger.warning("gnutls send failed")
1297
return
1298
logger.debug("Sent: %d, remaining: %d",
1299
sent, len(client.secret)
1300
- (sent_size + sent))
1301
sent_size += sent
1302
1303
logger.info("Sending secret to %s", client.name)
1304
# bump the timeout as if seen
1305
client.checked_ok()
1306
if self.server.use_dbus:
1307
# Emit D-Bus signal
1308
client.GotSecret()
757
fpr = self.fingerprint(self.peer_certificate(session))
758
except (TypeError, gnutls.errors.GNUTLSError), error:
759
logger.warning(u"Bad certificate: %s", error)
760
session.bye()
761
return
762
logger.debug(u"Fingerprint: %s", fpr)
1309
763
1310
finally:
1311
if approval_required:
1312
client.approvals_pending -= 1
1313
try:
1314
session.bye()
1315
except (gnutls.errors.GNUTLSError), error:
1316
logger.warning("GnuTLS bye failed")
764
for c in self.server.clients:
765
if c.fingerprint == fpr:
766
client = c
767
break
768
else:
769
ipc.write(u"NOTFOUND %s\n" % fpr)
770
session.bye()
771
return
772
# Have to check if client.still_valid(), since it is
773
# possible that the client timed out while establishing
774
# the GnuTLS session.
775
if not client.still_valid():
776
ipc.write(u"INVALID %s\n" % client.name)
777
session.bye()
778
return
779
ipc.write(u"SENDING %s\n" % client.name)
780
sent_size = 0
781
while sent_size < len(client.secret):
782
sent = session.send(client.secret[sent_size:])
783
logger.debug(u"Sent: %d, remaining: %d",
784
sent, len(client.secret)
785
- (sent_size + sent))
786
sent_size += sent
787
session.bye()
1317
788
1318
789
@staticmethod
1319
790
def peer_certificate(session):
1329
800
.gnutls_certificate_get_peers
1330
801
(session._c_object, ctypes.byref(list_size)))
1331
802
if not bool(cert_list) and list_size.value != 0:
1332
raise gnutls.errors.GNUTLSError("error getting peer"
1333
" certificate")
803
raise gnutls.errors.GNUTLSError(u"error getting peer"
804
u" certificate")
1334
805
if list_size.value == 0:
1335
806
return None
1336
807
cert = cert_list[0]
1362
833
if crtverify.value != 0:
1363
834
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1364
835
raise (gnutls.errors.CertificateSecurityError
1365
("Verify failed"))
836
(u"Verify failed"))
1366
837
# New buffer for the fingerprint
1367
838
buf = ctypes.create_string_buffer(20)
1368
839
buf_len = ctypes.c_size_t()
1375
846
# Convert the buffer to a Python bytestring
1376
847
fpr = ctypes.string_at(buf, buf_len.value)
1377
848
# Convert the bytestring to hexadecimal notation
1378
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
849
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1379
850
return hex_fpr
1380
851
1381
852
1382
class MultiprocessingMixIn(object):
1383
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1384
def sub_process_main(self, request, address):
1385
try:
1386
self.finish_request(request, address)
1387
except:
1388
self.handle_error(request, address)
1389
self.close_request(request)
1390
1391
def process_request(self, request, address):
1392
"""Start a new process to process the request."""
1393
multiprocessing.Process(target = self.sub_process_main,
1394
args = (request, address)).start()
1395
1396
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1397
""" adds a pipe to the MixIn """
853
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
854
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
855
856
Assumes a gobject.MainLoop event loop.
857
"""
1398
858
def process_request(self, request, client_address):
1399
859
"""Overrides and wraps the original process_request().
1400
860
1401
This function creates a new pipe in self.pipe
861
This function creates a new pipe in self.pipe
1402
862
"""
1403
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1404
1405
super(MultiprocessingMixInWithPipe,
863
self.pipe = os.pipe()
864
super(ForkingMixInWithPipe,
1406
865
self).process_request(request, client_address)
1407
self.child_pipe.close()
1408
self.add_pipe(parent_pipe)
1409
1410
def add_pipe(self, parent_pipe):
866
os.close(self.pipe[1]) # close write end
867
# Call "handle_ipc" for both data and EOF events
868
gobject.io_add_watch(self.pipe[0],
869
gobject.IO_IN | gobject.IO_HUP,
870
self.handle_ipc)
871
def handle_ipc(source, condition):
1411
872
"""Dummy function; override as necessary"""
1412
raise NotImplementedError
1413
1414
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1415
socketserver.TCPServer, object):
873
os.close(source)
874
return False
875
876
877
class IPv6_TCPServer(ForkingMixInWithPipe,
878
SocketServer.TCPServer, object):
1416
879
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1417
880
1418
881
Attributes:
1419
882
enabled: Boolean; whether this server is activated yet
1420
883
interface: None or a network interface name (string)
1421
884
use_ipv6: Boolean; to use IPv6 or not
885
----
886
clients: Set() of Client objects
887
gnutls_priority GnuTLS priority string
888
use_dbus: Boolean; to emit D-Bus signals or not
1422
889
"""
1423
890
def __init__(self, server_address, RequestHandlerClass,
1424
interface=None, use_ipv6=True):
891
interface=None, use_ipv6=True, clients=None,
892
gnutls_priority=None, use_dbus=True):
893
self.enabled = False
1425
894
self.interface = interface
1426
895
if use_ipv6:
1427
896
self.address_family = socket.AF_INET6
1428
socketserver.TCPServer.__init__(self, server_address,
897
self.clients = clients
898
self.use_dbus = use_dbus
899
self.gnutls_priority = gnutls_priority
900
SocketServer.TCPServer.__init__(self, server_address,
1429
901
RequestHandlerClass)
1430
902
def server_bind(self):
1431
903
"""This overrides the normal server_bind() function
1432
904
to bind to an interface if one was specified, and also NOT to
1433
905
bind to an address or port if they were not specified."""
1434
906
if self.interface is not None:
1435
if SO_BINDTODEVICE is None:
1436
logger.error("SO_BINDTODEVICE does not exist;"
1437
" cannot bind to interface %s",
1438
self.interface)
1439
else:
1440
try:
1441
self.socket.setsockopt(socket.SOL_SOCKET,
1442
SO_BINDTODEVICE,
1443
str(self.interface
1444
+ '\0'))
1445
except socket.error, error:
1446
if error[0] == errno.EPERM:
1447
logger.error("No permission to"
1448
" bind to interface %s",
1449
self.interface)
1450
elif error[0] == errno.ENOPROTOOPT:
1451
logger.error("SO_BINDTODEVICE not available;"
1452
" cannot bind to interface %s",
1453
self.interface)
1454
else:
1455
raise
907
try:
908
self.socket.setsockopt(socket.SOL_SOCKET,
909
SO_BINDTODEVICE,
910
str(self.interface + u'\0'))
911
except socket.error, error:
912
if error[0] == errno.EPERM:
913
logger.error(u"No permission to"
914
u" bind to interface %s",
915
self.interface)
916
else:
917
raise
1456
918
# Only bind(2) the socket if we really need to.
1457
919
if self.server_address[0] or self.server_address[1]:
1458
920
if not self.server_address[0]:
1459
921
if self.address_family == socket.AF_INET6:
1460
any_address = "::" # in6addr_any
922
any_address = u"::" # in6addr_any
1461
923
else:
1462
924
any_address = socket.INADDR_ANY
1463
925
self.server_address = (any_address,
1471
933
# 0, # flowinfo
1472
934
# if_nametoindex
1473
935
# (self.interface))
1474
return socketserver.TCPServer.server_bind(self)
1475
1476
1477
class MandosServer(IPv6_TCPServer):
1478
"""Mandos server.
1479
1480
Attributes:
1481
clients: set of Client objects
1482
gnutls_priority GnuTLS priority string
1483
use_dbus: Boolean; to emit D-Bus signals or not
1484
1485
Assumes a gobject.MainLoop event loop.
1486
"""
1487
def __init__(self, server_address, RequestHandlerClass,
1488
interface=None, use_ipv6=True, clients=None,
1489
gnutls_priority=None, use_dbus=True):
1490
self.enabled = False
1491
self.clients = clients
1492
if self.clients is None:
1493
self.clients = set()
1494
self.use_dbus = use_dbus
1495
self.gnutls_priority = gnutls_priority
1496
IPv6_TCPServer.__init__(self, server_address,
1497
RequestHandlerClass,
1498
interface = interface,
1499
use_ipv6 = use_ipv6)
936
return SocketServer.TCPServer.server_bind(self)
1500
937
def server_activate(self):
1501
938
if self.enabled:
1502
return socketserver.TCPServer.server_activate(self)
939
return SocketServer.TCPServer.server_activate(self)
1503
940
def enable(self):
1504
941
self.enabled = True
1505
def add_pipe(self, parent_pipe):
1506
# Call "handle_ipc" for both data and EOF events
1507
gobject.io_add_watch(parent_pipe.fileno(),
1508
gobject.IO_IN | gobject.IO_HUP,
1509
functools.partial(self.handle_ipc,
1510
parent_pipe = parent_pipe))
1511
1512
def handle_ipc(self, source, condition, parent_pipe=None,
1513
client_object=None):
942
def handle_ipc(self, source, condition, file_objects={}):
1514
943
condition_names = {
1515
gobject.IO_IN: "IN", # There is data to read.
1516
gobject.IO_OUT: "OUT", # Data can be written (without
944
gobject.IO_IN: u"IN", # There is data to read.
945
gobject.IO_OUT: u"OUT", # Data can be written (without
1517
946
# blocking).
1518
gobject.IO_PRI: "PRI", # There is urgent data to read.
1519
gobject.IO_ERR: "ERR", # Error condition.
1520
gobject.IO_HUP: "HUP" # Hung up (the connection has been
947
gobject.IO_PRI: u"PRI", # There is urgent data to read.
948
gobject.IO_ERR: u"ERR", # Error condition.
949
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1521
950
# broken, usually for pipes and
1522
951
# sockets).
1523
952
}
1525
954
for cond, name in
1526
955
condition_names.iteritems()
1527
956
if cond & condition)
1528
# error or the other end of multiprocessing.Pipe has closed
1529
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1530
return False
1531
1532
# Read a request from the child
1533
request = parent_pipe.recv()
1534
command = request[0]
1535
1536
if command == 'init':
1537
fpr = request[1]
1538
address = request[2]
1539
1540
for c in self.clients:
1541
if c.fingerprint == fpr:
1542
client = c
1543
break
1544
else:
1545
logger.warning("Client not found for fingerprint: %s, ad"
1546
"dress: %s", fpr, address)
1547
if self.use_dbus:
1548
# Emit D-Bus signal
1549
mandos_dbus_service.ClientNotFound(fpr, address[0])
1550
parent_pipe.send(False)
1551
return False
1552
1553
gobject.io_add_watch(parent_pipe.fileno(),
1554
gobject.IO_IN | gobject.IO_HUP,
1555
functools.partial(self.handle_ipc,
1556
parent_pipe = parent_pipe,
1557
client_object = client))
1558
parent_pipe.send(True)
1559
# remove the old hook in favor of the new above hook on same fileno
1560
return False
1561
if command == 'funcall':
1562
funcname = request[1]
1563
args = request[2]
1564
kwargs = request[3]
1565
1566
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1567
1568
if command == 'getattr':
1569
attrname = request[1]
1570
if callable(client_object.__getattribute__(attrname)):
1571
parent_pipe.send(('function',))
1572
else:
1573
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1574
1575
if command == 'setattr':
1576
attrname = request[1]
1577
value = request[2]
1578
setattr(client_object, attrname, value)
1579
957
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
958
conditions_string)
959
960
# Turn the pipe file descriptor into a Python file object
961
if source not in file_objects:
962
file_objects[source] = os.fdopen(source, u"r", 1)
963
964
# Read a line from the file object
965
cmdline = file_objects[source].readline()
966
if not cmdline: # Empty line means end of file
967
# close the IPC pipe
968
file_objects[source].close()
969
del file_objects[source]
970
971
# Stop calling this function
972
return False
973
974
logger.debug(u"IPC command: %r", cmdline)
975
976
# Parse and act on command
977
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
978
979
if cmd == u"NOTFOUND":
980
logger.warning(u"Client not found for fingerprint: %s",
981
args)
982
if self.use_dbus:
983
# Emit D-Bus signal
984
mandos_dbus_service.ClientNotFound(args)
985
elif cmd == u"INVALID":
986
for client in self.clients:
987
if client.name == args:
988
logger.warning(u"Client %s is invalid", args)
989
if self.use_dbus:
990
# Emit D-Bus signal
991
client.Rejected()
992
break
993
else:
994
logger.error(u"Unknown client %s is invalid", args)
995
elif cmd == u"SENDING":
996
for client in self.clients:
997
if client.name == args:
998
logger.info(u"Sending secret to %s", client.name)
999
client.checked_ok()
1000
if self.use_dbus:
1001
# Emit D-Bus signal
1002
client.ReceivedSecret()
1003
break
1004
else:
1005
logger.error(u"Sending secret to unknown client %s",
1006
args)
1007
else:
1008
logger.error(u"Unknown IPC command: %r", cmdline)
1009
1010
# Keep calling this function
1580
1011
return True
1581
1012
1582
1013
1583
1014
def string_to_delta(interval):
1584
1015
"""Parse a string and return a datetime.timedelta
1585
1016
1586
>>> string_to_delta('7d')
1017
>>> string_to_delta(u'7d')
1587
1018
datetime.timedelta(7)
1588
>>> string_to_delta('60s')
1019
>>> string_to_delta(u'60s')
1589
1020
datetime.timedelta(0, 60)
1590
>>> string_to_delta('60m')
1021
>>> string_to_delta(u'60m')
1591
1022
datetime.timedelta(0, 3600)
1592
>>> string_to_delta('24h')
1023
>>> string_to_delta(u'24h')
1593
1024
datetime.timedelta(1)
1594
>>> string_to_delta('1w')
1025
>>> string_to_delta(u'1w')
1595
1026
datetime.timedelta(7)
1596
>>> string_to_delta('5m 30s')
1027
>>> string_to_delta(u'5m 30s')
1597
1028
datetime.timedelta(0, 330)
1598
1029
"""
1599
1030
timevalue = datetime.timedelta(0)
1601
1032
try:
1602
1033
suffix = unicode(s[-1])
1603
1034
value = int(s[:-1])
1604
if suffix == "d":
1035
if suffix == u"d":
1605
1036
delta = datetime.timedelta(value)
1606
elif suffix == "s":
1037
elif suffix == u"s":
1607
1038
delta = datetime.timedelta(0, value)
1608
elif suffix == "m":
1039
elif suffix == u"m":
1609
1040
delta = datetime.timedelta(0, 0, 0, 0, value)
1610
elif suffix == "h":
1041
elif suffix == u"h":
1611
1042
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1612
elif suffix == "w":
1043
elif suffix == u"w":
1613
1044
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1614
1045
else:
1615
raise ValueError("Unknown suffix %r" % suffix)
1616
except (ValueError, IndexError), e:
1617
raise ValueError(*(e.args))
1046
raise ValueError
1047
except (ValueError, IndexError):
1048
raise ValueError
1618
1049
timevalue += delta
1619
1050
return timevalue
1620
1051
1621
1052
1053
def server_state_changed(state):
1054
"""Derived from the Avahi example code"""
1055
if state == avahi.SERVER_COLLISION:
1056
logger.error(u"Zeroconf server name collision")
1057
service.remove()
1058
elif state == avahi.SERVER_RUNNING:
1059
service.add()
1060
1061
1062
def entry_group_state_changed(state, error):
1063
"""Derived from the Avahi example code"""
1064
logger.debug(u"Avahi state change: %i", state)
1065
1066
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1067
logger.debug(u"Zeroconf service established.")
1068
elif state == avahi.ENTRY_GROUP_COLLISION:
1069
logger.warning(u"Zeroconf service name collision.")
1070
service.rename()
1071
elif state == avahi.ENTRY_GROUP_FAILURE:
1072
logger.critical(u"Avahi: Error in group state changed %s",
1073
unicode(error))
1074
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1075
1622
1076
def if_nametoindex(interface):
1623
1077
"""Call the C function if_nametoindex(), or equivalent
1624
1078
1626
1080
global if_nametoindex
1627
1081
try:
1628
1082
if_nametoindex = (ctypes.cdll.LoadLibrary
1629
(ctypes.util.find_library("c"))
1083
(ctypes.util.find_library(u"c"))
1630
1084
.if_nametoindex)
1631
1085
except (OSError, AttributeError):
1632
logger.warning("Doing if_nametoindex the hard way")
1086
logger.warning(u"Doing if_nametoindex the hard way")
1633
1087
def if_nametoindex(interface):
1634
1088
"Get an interface index the hard way, i.e. using fcntl()"
1635
1089
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1636
with contextlib.closing(socket.socket()) as s:
1090
with closing(socket.socket()) as s:
1637
1091
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1638
struct.pack(str("16s16x"),
1092
struct.pack(str(u"16s16x"),
1639
1093
interface))
1640
interface_index = struct.unpack(str("I"),
1094
interface_index = struct.unpack(str(u"I"),
1641
1095
ifreq[16:20])[0]
1642
1096
return interface_index
1643
1097
return if_nametoindex(interface)
1651
1105
sys.exit()
1652
1106
os.setsid()
1653
1107
if not nochdir:
1654
os.chdir("/")
1108
os.chdir(u"/")
1655
1109
if os.fork():
1656
1110
sys.exit()
1657
1111
if not noclose:
1659
1113
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1660
1114
if not stat.S_ISCHR(os.fstat(null).st_mode):
1661
1115
raise OSError(errno.ENODEV,
1662
"%s not a character device"
1663
% os.path.devnull)
1116
u"/dev/null not a character device")
1664
1117
os.dup2(null, sys.stdin.fileno())
1665
1118
os.dup2(null, sys.stdout.fileno())
1666
1119
os.dup2(null, sys.stderr.fileno())
1670
1123
1671
1124
def main():
1672
1125
1673
##################################################################
1126
######################################################################
1674
1127
# Parsing of options, both command line and config file
1675
1128
1676
1129
parser = optparse.OptionParser(version = "%%prog %s" % version)
1677
parser.add_option("-i", "--interface", type="string",
1678
metavar="IF", help="Bind to interface IF")
1679
parser.add_option("-a", "--address", type="string",
1680
help="Address to listen for requests on")
1681
parser.add_option("-p", "--port", type="int",
1682
help="Port number to receive requests on")
1683
parser.add_option("--check", action="store_true",
1684
help="Run self-test")
1685
parser.add_option("--debug", action="store_true",
1686
help="Debug mode; run in foreground and log to"
1687
" terminal")
1688
parser.add_option("--debuglevel", type="string", metavar="LEVEL",
1689
help="Debug level for stdout output")
1690
parser.add_option("--priority", type="string", help="GnuTLS"
1691
" priority string (see GnuTLS documentation)")
1692
parser.add_option("--servicename", type="string",
1693
metavar="NAME", help="Zeroconf service name")
1694
parser.add_option("--configdir", type="string",
1695
default="/etc/mandos", metavar="DIR",
1696
help="Directory to search for configuration"
1697
" files")
1698
parser.add_option("--no-dbus", action="store_false",
1699
dest="use_dbus", help="Do not provide D-Bus"
1700
" system bus interface")
1701
parser.add_option("--no-ipv6", action="store_false",
1702
dest="use_ipv6", help="Do not use IPv6")
1130
parser.add_option("-i", u"--interface", type=u"string",
1131
metavar="IF", help=u"Bind to interface IF")
1132
parser.add_option("-a", u"--address", type=u"string",
1133
help=u"Address to listen for requests on")
1134
parser.add_option("-p", u"--port", type=u"int",
1135
help=u"Port number to receive requests on")
1136
parser.add_option("--check", action=u"store_true",
1137
help=u"Run self-test")
1138
parser.add_option("--debug", action=u"store_true",
1139
help=u"Debug mode; run in foreground and log to"
1140
u" terminal")
1141
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1142
u" priority string (see GnuTLS documentation)")
1143
parser.add_option("--servicename", type=u"string",
1144
metavar=u"NAME", help=u"Zeroconf service name")
1145
parser.add_option("--configdir", type=u"string",
1146
default=u"/etc/mandos", metavar=u"DIR",
1147
help=u"Directory to search for configuration"
1148
u" files")
1149
parser.add_option("--no-dbus", action=u"store_false",
1150
dest=u"use_dbus", help=u"Do not provide D-Bus"
1151
u" system bus interface")
1152
parser.add_option("--no-ipv6", action=u"store_false",
1153
dest=u"use_ipv6", help=u"Do not use IPv6")
1703
1154
options = parser.parse_args()[0]
1704
1155
1705
1156
if options.check:
1708
1159
sys.exit()
1709
1160
1710
1161
# Default values for config file for server-global settings
1711
server_defaults = { "interface": "",
1712
"address": "",
1713
"port": "",
1714
"debug": "False",
1715
"priority":
1716
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1717
"servicename": "Mandos",
1718
"use_dbus": "True",
1719
"use_ipv6": "True",
1720
"debuglevel": "",
1162
server_defaults = { u"interface": u"",
1163
u"address": u"",
1164
u"port": u"",
1165
u"debug": u"False",
1166
u"priority":
1167
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1168
u"servicename": u"Mandos",
1169
u"use_dbus": u"True",
1170
u"use_ipv6": u"True",
1721
1171
}
1722
1172
1723
1173
# Parse config file for server-global settings
1724
server_config = configparser.SafeConfigParser(server_defaults)
1174
server_config = ConfigParser.SafeConfigParser(server_defaults)
1725
1175
del server_defaults
1726
1176
server_config.read(os.path.join(options.configdir,
1727
"mandos.conf"))
1177
u"mandos.conf"))
1728
1178
# Convert the SafeConfigParser object to a dict
1729
1179
server_settings = server_config.defaults()
1730
1180
# Use the appropriate methods on the non-string config options
1731
for option in ("debug", "use_dbus", "use_ipv6"):
1732
server_settings[option] = server_config.getboolean("DEFAULT",
1181
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1182
server_settings[option] = server_config.getboolean(u"DEFAULT",
1733
1183
option)
1734
1184
if server_settings["port"]:
1735
server_settings["port"] = server_config.getint("DEFAULT",
1736
"port")
1185
server_settings["port"] = server_config.getint(u"DEFAULT",
1186
u"port")
1737
1187
del server_config
1738
1188
1739
1189
# Override the settings from the config file with command line
1740
1190
# options, if set.
1741
for option in ("interface", "address", "port", "debug",
1742
"priority", "servicename", "configdir",
1743
"use_dbus", "use_ipv6", "debuglevel"):
1191
for option in (u"interface", u"address", u"port", u"debug",
1192
u"priority", u"servicename", u"configdir",
1193
u"use_dbus", u"use_ipv6"):
1744
1194
value = getattr(options, option)
1745
1195
if value is not None:
1746
1196
server_settings[option] = value
1754
1204
##################################################################
1755
1205
1756
1206
# For convenience
1757
debug = server_settings["debug"]
1758
debuglevel = server_settings["debuglevel"]
1759
use_dbus = server_settings["use_dbus"]
1760
use_ipv6 = server_settings["use_ipv6"]
1761
1762
if server_settings["servicename"] != "Mandos":
1207
debug = server_settings[u"debug"]
1208
use_dbus = server_settings[u"use_dbus"]
1209
use_ipv6 = server_settings[u"use_ipv6"]
1210
1211
if not debug:
1212
syslogger.setLevel(logging.WARNING)
1213
console.setLevel(logging.WARNING)
1214
1215
if server_settings[u"servicename"] != u"Mandos":
1763
1216
syslogger.setFormatter(logging.Formatter
1764
('Mandos (%s) [%%(process)d]:'
1765
' %%(levelname)s: %%(message)s'
1766
% server_settings["servicename"]))
1217
(u'Mandos (%s) [%%(process)d]:'
1218
u' %%(levelname)s: %%(message)s'
1219
% server_settings[u"servicename"]))
1767
1220
1768
1221
# Parse config file with clients
1769
client_defaults = { "timeout": "1h",
1770
"interval": "5m",
1771
"checker": "fping -q -- %%(host)s",
1772
"host": "",
1773
"approval_delay": "0s",
1774
"approval_duration": "1s",
1222
client_defaults = { u"timeout": u"1h",
1223
u"interval": u"5m",
1224
u"checker": u"fping -q -- %%(host)s",
1225
u"host": u"",
1775
1226
}
1776
client_config = configparser.SafeConfigParser(client_defaults)
1777
client_config.read(os.path.join(server_settings["configdir"],
1778
"clients.conf"))
1227
client_config = ConfigParser.SafeConfigParser(client_defaults)
1228
client_config.read(os.path.join(server_settings[u"configdir"],
1229
u"clients.conf"))
1779
1230
1780
1231
global mandos_dbus_service
1781
1232
mandos_dbus_service = None
1782
1233
1783
tcp_server = MandosServer((server_settings["address"],
1784
server_settings["port"]),
1785
ClientHandler,
1786
interface=(server_settings["interface"]
1787
or None),
1788
use_ipv6=use_ipv6,
1789
gnutls_priority=
1790
server_settings["priority"],
1791
use_dbus=use_dbus)
1792
if not debug:
1793
pidfilename = "/var/run/mandos.pid"
1794
try:
1795
pidfile = open(pidfilename, "w")
1796
except IOError:
1797
logger.error("Could not open file %r", pidfilename)
1234
clients = Set()
1235
tcp_server = IPv6_TCPServer((server_settings[u"address"],
1236
server_settings[u"port"]),
1237
ClientHandler,
1238
interface=
1239
server_settings[u"interface"],
1240
use_ipv6=use_ipv6,
1241
clients=clients,
1242
gnutls_priority=
1243
server_settings[u"priority"],
1244
use_dbus=use_dbus)
1245
pidfilename = u"/var/run/mandos.pid"
1246
try:
1247
pidfile = open(pidfilename, u"w")
1248
except IOError:
1249
logger.error(u"Could not open file %r", pidfilename)
1798
1250
1799
1251
try:
1800
uid = pwd.getpwnam("_mandos").pw_uid
1801
gid = pwd.getpwnam("_mandos").pw_gid
1252
uid = pwd.getpwnam(u"_mandos").pw_uid
1253
gid = pwd.getpwnam(u"_mandos").pw_gid
1802
1254
except KeyError:
1803
1255
try:
1804
uid = pwd.getpwnam("mandos").pw_uid
1805
gid = pwd.getpwnam("mandos").pw_gid
1256
uid = pwd.getpwnam(u"mandos").pw_uid
1257
gid = pwd.getpwnam(u"mandos").pw_gid
1806
1258
except KeyError:
1807
1259
try:
1808
uid = pwd.getpwnam("nobody").pw_uid
1809
gid = pwd.getpwnam("nobody").pw_gid
1260
uid = pwd.getpwnam(u"nobody").pw_uid
1261
gid = pwd.getpwnam(u"nobody").pw_gid
1810
1262
except KeyError:
1811
1263
uid = 65534
1812
1264
gid = 65534
1817
1269
if error[0] != errno.EPERM:
1818
1270
raise error
1819
1271
1820
if not debug and not debuglevel:
1821
syslogger.setLevel(logging.WARNING)
1822
console.setLevel(logging.WARNING)
1823
if debuglevel:
1824
level = getattr(logging, debuglevel.upper())
1825
syslogger.setLevel(level)
1826
console.setLevel(level)
1827
1272
# Enable all possible GnuTLS debugging
1828
1273
if debug:
1829
# Enable all possible GnuTLS debugging
1830
1831
1274
# "Use a log level over 10 to enable all debugging options."
1832
1275
# - GnuTLS manual
1833
1276
gnutls.library.functions.gnutls_global_set_log_level(11)
1834
1277
1835
1278
@gnutls.library.types.gnutls_log_func
1836
1279
def debug_gnutls(level, string):
1837
logger.debug("GnuTLS: %s", string[:-1])
1280
logger.debug(u"GnuTLS: %s", string[:-1])
1838
1281
1839
1282
(gnutls.library.functions
1840
1283
.gnutls_global_set_log_function(debug_gnutls))
1841
1842
# Redirect stdin so all checkers get /dev/null
1843
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1844
os.dup2(null, sys.stdin.fileno())
1845
if null > 2:
1846
os.close(null)
1847
else:
1848
# No console logging
1849
logger.removeHandler(console)
1850
1284
1851
# Need to fork before connecting to D-Bus
1852
if not debug:
1853
# Close all input and output, do double fork, etc.
1854
daemon()
1285
global service
1286
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1287
service = AvahiService(name = server_settings[u"servicename"],
1288
servicetype = u"_mandos._tcp",
1289
protocol = protocol)
1290
if server_settings["interface"]:
1291
service.interface = (if_nametoindex
1292
(str(server_settings[u"interface"])))
1855
1293
1856
1294
global main_loop
1295
global bus
1296
global server
1857
1297
# From the Avahi example code
1858
1298
DBusGMainLoop(set_as_default=True )
1859
1299
main_loop = gobject.MainLoop()
1860
1300
bus = dbus.SystemBus()
1301
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1302
avahi.DBUS_PATH_SERVER),
1303
avahi.DBUS_INTERFACE_SERVER)
1861
1304
# End of Avahi example code
1862
1305
if use_dbus:
1863
try:
1864
bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",
1865
bus, do_not_queue=True)
1866
except dbus.exceptions.NameExistsException, e:
1867
logger.error(unicode(e) + ", disabling D-Bus")
1868
use_dbus = False
1869
server_settings["use_dbus"] = False
1870
tcp_server.use_dbus = False
1871
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1872
service = AvahiService(name = server_settings["servicename"],
1873
servicetype = "_mandos._tcp",
1874
protocol = protocol, bus = bus)
1875
if server_settings["interface"]:
1876
service.interface = (if_nametoindex
1877
(str(server_settings["interface"])))
1878
1879
global multiprocessing_manager
1880
multiprocessing_manager = multiprocessing.Manager()
1306
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1881
1307
1882
1308
client_class = Client
1883
1309
if use_dbus:
1884
client_class = functools.partial(ClientDBus, bus = bus)
1885
def client_config_items(config, section):
1886
special_settings = {
1887
"approved_by_default":
1888
lambda: config.getboolean(section,
1889
"approved_by_default"),
1890
}
1891
for name, value in config.items(section):
1892
try:
1893
yield (name, special_settings[name]())
1894
except KeyError:
1895
yield (name, value)
1896
1897
tcp_server.clients.update(set(
1310
client_class = ClientDBus
1311
clients.update(Set(
1898
1312
client_class(name = section,
1899
config= dict(client_config_items(
1900
client_config, section)))
1313
config= dict(client_config.items(section)))
1901
1314
for section in client_config.sections()))
1902
if not tcp_server.clients:
1903
logger.warning("No clients defined")
1315
if not clients:
1316
logger.warning(u"No clients defined")
1317
1318
if debug:
1319
# Redirect stdin so all checkers get /dev/null
1320
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1321
os.dup2(null, sys.stdin.fileno())
1322
if null > 2:
1323
os.close(null)
1324
else:
1325
# No console logging
1326
logger.removeHandler(console)
1327
# Close all input and output, do double fork, etc.
1328
daemon()
1329
1330
try:
1331
with closing(pidfile):
1332
pid = os.getpid()
1333
pidfile.write(str(pid) + "\n")
1334
del pidfile
1335
except IOError:
1336
logger.error(u"Could not write to file %r with PID %d",
1337
pidfilename, pid)
1338
except NameError:
1339
# "pidfile" was never created
1340
pass
1341
del pidfilename
1342
1343
def cleanup():
1344
"Cleanup function; run on exit"
1345
global group
1346
# From the Avahi example code
1347
if not group is None:
1348
group.Free()
1349
group = None
1350
# End of Avahi example code
1904
1351
1352
while clients:
1353
client = clients.pop()
1354
client.disable_hook = None
1355
client.disable()
1356
1357
atexit.register(cleanup)
1358
1905
1359
if not debug:
1906
try:
1907
with pidfile:
1908
pid = os.getpid()
1909
pidfile.write(str(pid) + "\n".encode("utf-8"))
1910
del pidfile
1911
except IOError:
1912
logger.error("Could not write to file %r with PID %d",
1913
pidfilename, pid)
1914
except NameError:
1915
# "pidfile" was never created
1916
pass
1917
del pidfilename
1918
1919
1360
signal.signal(signal.SIGINT, signal.SIG_IGN)
1920
1921
1361
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1922
1362
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1923
1363
1925
1365
class MandosDBusService(dbus.service.Object):
1926
1366
"""A D-Bus proxy object"""
1927
1367
def __init__(self):
1928
dbus.service.Object.__init__(self, bus, "/")
1929
_interface = "se.bsnet.fukt.Mandos"
1930
1931
@dbus.service.signal(_interface, signature="o")
1932
def ClientAdded(self, objpath):
1933
"D-Bus signal"
1934
pass
1935
1936
@dbus.service.signal(_interface, signature="ss")
1937
def ClientNotFound(self, fingerprint, address):
1938
"D-Bus signal"
1939
pass
1940
1941
@dbus.service.signal(_interface, signature="os")
1368
dbus.service.Object.__init__(self, bus, u"/")
1369
_interface = u"se.bsnet.fukt.Mandos"
1370
1371
@dbus.service.signal(_interface, signature=u"oa{sv}")
1372
def ClientAdded(self, objpath, properties):
1373
"D-Bus signal"
1374
pass
1375
1376
@dbus.service.signal(_interface, signature=u"s")
1377
def ClientNotFound(self, fingerprint):
1378
"D-Bus signal"
1379
pass
1380
1381
@dbus.service.signal(_interface, signature=u"os")
1942
1382
def ClientRemoved(self, objpath, name):
1943
1383
"D-Bus signal"
1944
1384
pass
1945
1385
1946
@dbus.service.method(_interface, out_signature="ao")
1386
@dbus.service.method(_interface, out_signature=u"ao")
1947
1387
def GetAllClients(self):
1948
1388
"D-Bus method"
1949
return dbus.Array(c.dbus_object_path
1950
for c in tcp_server.clients)
1389
return dbus.Array(c.dbus_object_path for c in clients)
1951
1390
1952
1391
@dbus.service.method(_interface,
1953
out_signature="a{oa{sv}}")
1392
out_signature=u"a{oa{sv}}")
1954
1393
def GetAllClientsWithProperties(self):
1955
1394
"D-Bus method"
1956
1395
return dbus.Dictionary(
1957
((c.dbus_object_path, c.GetAll(""))
1958
for c in tcp_server.clients),
1959
signature="oa{sv}")
1396
((c.dbus_object_path, c.GetAllProperties())
1397
for c in clients),
1398
signature=u"oa{sv}")
1960
1399
1961
@dbus.service.method(_interface, in_signature="o")
1400
@dbus.service.method(_interface, in_signature=u"o")
1962
1401
def RemoveClient(self, object_path):
1963
1402
"D-Bus method"
1964
for c in tcp_server.clients:
1403
for c in clients:
1965
1404
if c.dbus_object_path == object_path:
1966
tcp_server.clients.remove(c)
1405
clients.remove(c)
1967
1406
c.remove_from_connection()
1968
1407
# Don't signal anything except ClientRemoved
1969
c.disable(quiet=True)
1408
c.disable(signal=False)
1970
1409
# Emit D-Bus signal
1971
1410
self.ClientRemoved(object_path, c.name)
1972
1411
return
1973
raise KeyError(object_path)
1412
raise KeyError
1974
1413
1975
1414
del _interface
1976
1415
1977
1416
mandos_dbus_service = MandosDBusService()
1978
1417
1979
def cleanup():
1980
"Cleanup function; run on exit"
1981
service.cleanup()
1982
1983
while tcp_server.clients:
1984
client = tcp_server.clients.pop()
1985
if use_dbus:
1986
client.remove_from_connection()
1987
client.disable_hook = None
1988
# Don't signal anything except ClientRemoved
1989
client.disable(quiet=True)
1990
if use_dbus:
1991
# Emit D-Bus signal
1992
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1993
client.name)
1994
1995
atexit.register(cleanup)
1996
1997
for client in tcp_server.clients:
1418
for client in clients:
1998
1419
if use_dbus:
1999
1420
# Emit D-Bus signal
2000
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1421
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1422
client.GetAllProperties())
2001
1423
client.enable()
2002
1424
2003
1425
tcp_server.enable()
2006
1428
# Find out what port we got
2007
1429
service.port = tcp_server.socket.getsockname()[1]
2008
1430
if use_ipv6:
2009
logger.info("Now listening on address %r, port %d,"
1431
logger.info(u"Now listening on address %r, port %d,"
2010
1432
" flowinfo %d, scope_id %d"
2011
1433
% tcp_server.socket.getsockname())
2012
1434
else: # IPv4
2013
logger.info("Now listening on address %r, port %d"
1435
logger.info(u"Now listening on address %r, port %d"
2014
1436
% tcp_server.socket.getsockname())
2015
1437
2016
1438
#service.interface = tcp_server.socket.getsockname()[3]
2017
1439
2018
1440
try:
2019
1441
# From the Avahi example code
1442
server.connect_to_signal(u"StateChanged", server_state_changed)
2020
1443
try:
2021
service.activate()
1444
server_state_changed(server.GetState())
2022
1445
except dbus.exceptions.DBusException, error:
2023
logger.critical("DBusException: %s", error)
2024
cleanup()
1446
logger.critical(u"DBusException: %s", error)
2025
1447
sys.exit(1)
2026
1448
# End of Avahi example code
2027
1449
2030
1452
(tcp_server.handle_request
2031
1453
(*args[2:], **kwargs) or True))
2032
1454
2033
logger.debug("Starting main loop")
1455
logger.debug(u"Starting main loop")
2034
1456
main_loop.run()
2035
1457
except AvahiError, error:
2036
logger.critical("AvahiError: %s", error)
2037
cleanup()
1458
logger.critical(u"AvahiError: %s", error)
2038
1459
sys.exit(1)
2039
1460
except KeyboardInterrupt:
2040
1461
if debug:
2041
print("", file=sys.stderr)
2042
logger.debug("Server received KeyboardInterrupt")
2043
logger.debug("Server exiting")
2044
# Must run before the D-Bus bus name gets deregistered
2045
cleanup()
1462
print >> sys.stderr
1463
logger.debug(u"Server received KeyboardInterrupt")
1464
logger.debug(u"Server exiting")
2046
1465
2047
1466
if __name__ == '__main__':
2048
1467
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0