To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 335
- compare with another revision
- download diff
- download tarball
- view history from revision 335
- Committer: Teddy Hogeborn
- Date: 2009-04-16 06:47:28 UTC
- Revision ID: teddy@fukt.bsnet.se-20090416064728-c3d36mvgxo5q9aoh
* mandos: Import "SocketServer" as "socketserver" and "ConfigParser"
as "configparser". All users changed.
as "configparser". All users changed.
- files removed:
- DBUS-API
- debian/source
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@recompile.se>.
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
34
from __future__ import division, with_statement, absolute_import
36
35
37
36
import SocketServer as socketserver
38
37
import socket
39
import argparse
38
import optparse
40
39
import datetime
41
40
import errno
42
41
import gnutls.crypto
56
55
import logging
57
56
import logging.handlers
58
57
import pwd
59
import contextlib
58
from contextlib import closing
60
59
import struct
61
60
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
65
import types
66
import binascii
67
import tempfile
68
61
69
62
import dbus
70
63
import dbus.service
73
66
from dbus.mainloop.glib import DBusGMainLoop
74
67
import ctypes
75
68
import ctypes.util
76
import xml.dom.minidom
77
import inspect
78
import GnuPGInterface
79
69
80
70
try:
81
71
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
83
73
try:
84
74
from IN import SO_BINDTODEVICE
85
75
except ImportError:
86
SO_BINDTODEVICE = None
87
88
version = "1.4.1"
89
stored_state_file = "clients.pickle"
90
91
logger = logging.getLogger()
76
# From /usr/include/asm/socket.h
77
SO_BINDTODEVICE = 25
78
79
80
version = "1.0.8"
81
82
logger = logging.Logger(u'mandos')
92
83
syslogger = (logging.handlers.SysLogHandler
93
84
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
94
address = str("/dev/log")))
95
96
try:
97
if_nametoindex = (ctypes.cdll.LoadLibrary
98
(ctypes.util.find_library("c"))
99
.if_nametoindex)
100
except (OSError, AttributeError):
101
def if_nametoindex(interface):
102
"Get an interface index the hard way, i.e. using fcntl()"
103
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
104
with contextlib.closing(socket.socket()) as s:
105
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
106
struct.pack(str("16s16x"),
107
interface))
108
interface_index = struct.unpack(str("I"),
109
ifreq[16:20])[0]
110
return interface_index
111
112
113
def initlogger(debug, level=logging.WARNING):
114
"""init logger and add loglevel"""
115
116
syslogger.setFormatter(logging.Formatter
117
('Mandos [%(process)d]: %(levelname)s:'
118
' %(message)s'))
119
logger.addHandler(syslogger)
120
121
if debug:
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
124
' [%(process)d]:'
125
' %(levelname)s:'
126
' %(message)s'))
127
logger.addHandler(console)
128
logger.setLevel(level)
129
130
131
class PGPError(Exception):
132
"""Exception if encryption/decryption fails"""
133
pass
134
135
136
class PGPEngine(object):
137
"""A simple class for OpenPGP symmetric encryption & decryption"""
138
def __init__(self):
139
self.gnupg = GnuPGInterface.GnuPG()
140
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
141
self.gnupg = GnuPGInterface.GnuPG()
142
self.gnupg.options.meta_interactive = False
143
self.gnupg.options.homedir = self.tempdir
144
self.gnupg.options.extra_args.extend(['--force-mdc',
145
'--quiet'])
146
147
def __enter__(self):
148
return self
149
150
def __exit__ (self, exc_type, exc_value, traceback):
151
self._cleanup()
152
return False
153
154
def __del__(self):
155
self._cleanup()
156
157
def _cleanup(self):
158
if self.tempdir is not None:
159
# Delete contents of tempdir
160
for root, dirs, files in os.walk(self.tempdir,
161
topdown = False):
162
for filename in files:
163
os.remove(os.path.join(root, filename))
164
for dirname in dirs:
165
os.rmdir(os.path.join(root, dirname))
166
# Remove tempdir
167
os.rmdir(self.tempdir)
168
self.tempdir = None
169
170
def password_encode(self, password):
171
# Passphrase can not be empty and can not contain newlines or
172
# NUL bytes. So we prefix it and hex encode it.
173
return b"mandos" + binascii.hexlify(password)
174
175
def encrypt(self, data, password):
176
self.gnupg.passphrase = self.password_encode(password)
177
with open(os.devnull) as devnull:
178
try:
179
proc = self.gnupg.run(['--symmetric'],
180
create_fhs=['stdin', 'stdout'],
181
attach_fhs={'stderr': devnull})
182
with contextlib.closing(proc.handles['stdin']) as f:
183
f.write(data)
184
with contextlib.closing(proc.handles['stdout']) as f:
185
ciphertext = f.read()
186
proc.wait()
187
except IOError as e:
188
raise PGPError(e)
189
self.gnupg.passphrase = None
190
return ciphertext
191
192
def decrypt(self, data, password):
193
self.gnupg.passphrase = self.password_encode(password)
194
with open(os.devnull) as devnull:
195
try:
196
proc = self.gnupg.run(['--decrypt'],
197
create_fhs=['stdin', 'stdout'],
198
attach_fhs={'stderr': devnull})
199
with contextlib.closing(proc.handles['stdin'] ) as f:
200
f.write(data)
201
with contextlib.closing(proc.handles['stdout']) as f:
202
decrypted_plaintext = f.read()
203
proc.wait()
204
except IOError as e:
205
raise PGPError(e)
206
self.gnupg.passphrase = None
207
return decrypted_plaintext
208
209
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
89
logger.addHandler(syslogger)
90
91
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
95
logger.addHandler(console)
210
96
211
97
class AvahiError(Exception):
212
98
def __init__(self, value, *args, **kwargs):
228
114
Attributes:
229
115
interface: integer; avahi.IF_UNSPEC or an interface index.
230
116
Used to optionally bind to the specified interface.
231
name: string; Example: 'Mandos'
232
type: string; Example: '_mandos._tcp'.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
233
119
See <http://www.dns-sd.org/ServiceTypes.html>
234
120
port: integer; what port to announce
235
121
TXT: list of strings; TXT record for the service
238
124
max_renames: integer; maximum number of renames
239
125
rename_count: integer; counter so we only rename after collisions
240
126
a sensible number of times
241
group: D-Bus Entry Group
242
server: D-Bus Server
243
bus: dbus.SystemBus()
244
127
"""
245
128
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
246
129
servicetype = None, port = None, TXT = None,
247
domain = "", host = "", max_renames = 32768,
248
protocol = avahi.PROTO_UNSPEC, bus = None):
130
domain = u"", host = u"", max_renames = 32768,
131
protocol = avahi.PROTO_UNSPEC):
249
132
self.interface = interface
250
133
self.name = name
251
134
self.type = servicetype
256
139
self.rename_count = 0
257
140
self.max_renames = max_renames
258
141
self.protocol = protocol
259
self.group = None # our entry group
260
self.server = None
261
self.bus = bus
262
self.entry_group_state_changed_match = None
263
142
def rename(self):
264
143
"""Derived from the Avahi example code"""
265
144
if self.rename_count >= self.max_renames:
266
logger.critical("No suitable Zeroconf service name found"
267
" after %i retries, exiting.",
145
logger.critical(u"No suitable Zeroconf service name found"
146
u" after %i retries, exiting.",
268
147
self.rename_count)
269
raise AvahiServiceError("Too many renames")
270
self.name = unicode(self.server
271
.GetAlternativeServiceName(self.name))
272
logger.info("Changing Zeroconf service name to %r ...",
148
raise AvahiServiceError(u"Too many renames")
149
self.name = server.GetAlternativeServiceName(self.name)
150
logger.info(u"Changing Zeroconf service name to %r ...",
273
151
self.name)
152
syslogger.setFormatter(logging.Formatter
153
(u'Mandos (%s) [%%(process)d]:'
154
u' %%(levelname)s: %%(message)s'
155
% self.name))
274
156
self.remove()
275
try:
276
self.add()
277
except dbus.exceptions.DBusException as error:
278
logger.critical("DBusException: %s", error)
279
self.cleanup()
280
os._exit(1)
157
self.add()
281
158
self.rename_count += 1
282
159
def remove(self):
283
160
"""Derived from the Avahi example code"""
284
if self.entry_group_state_changed_match is not None:
285
self.entry_group_state_changed_match.remove()
286
self.entry_group_state_changed_match = None
287
if self.group is not None:
288
self.group.Reset()
161
if group is not None:
162
group.Reset()
289
163
def add(self):
290
164
"""Derived from the Avahi example code"""
291
self.remove()
292
if self.group is None:
293
self.group = dbus.Interface(
294
self.bus.get_object(avahi.DBUS_NAME,
295
self.server.EntryGroupNew()),
296
avahi.DBUS_INTERFACE_ENTRY_GROUP)
297
self.entry_group_state_changed_match = (
298
self.group.connect_to_signal(
299
'StateChanged', self.entry_group_state_changed))
300
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
301
self.name, self.type)
302
self.group.AddService(
303
self.interface,
304
self.protocol,
305
dbus.UInt32(0), # flags
306
self.name, self.type,
307
self.domain, self.host,
308
dbus.UInt16(self.port),
309
avahi.string_array_to_txt_array(self.TXT))
310
self.group.Commit()
311
def entry_group_state_changed(self, state, error):
312
"""Derived from the Avahi example code"""
313
logger.debug("Avahi entry group state change: %i", state)
314
315
if state == avahi.ENTRY_GROUP_ESTABLISHED:
316
logger.debug("Zeroconf service established.")
317
elif state == avahi.ENTRY_GROUP_COLLISION:
318
logger.info("Zeroconf service name collision.")
319
self.rename()
320
elif state == avahi.ENTRY_GROUP_FAILURE:
321
logger.critical("Avahi: Error in group state changed %s",
322
unicode(error))
323
raise AvahiGroupError("State changed: %s"
324
% unicode(error))
325
def cleanup(self):
326
"""Derived from the Avahi example code"""
327
if self.group is not None:
328
try:
329
self.group.Free()
330
except (dbus.exceptions.UnknownMethodException,
331
dbus.exceptions.DBusException):
332
pass
333
self.group = None
334
self.remove()
335
def server_state_changed(self, state, error=None):
336
"""Derived from the Avahi example code"""
337
logger.debug("Avahi server state change: %i", state)
338
bad_states = { avahi.SERVER_INVALID:
339
"Zeroconf server invalid",
340
avahi.SERVER_REGISTERING: None,
341
avahi.SERVER_COLLISION:
342
"Zeroconf server name collision",
343
avahi.SERVER_FAILURE:
344
"Zeroconf server failure" }
345
if state in bad_states:
346
if bad_states[state] is not None:
347
if error is None:
348
logger.error(bad_states[state])
349
else:
350
logger.error(bad_states[state] + ": %r", error)
351
self.cleanup()
352
elif state == avahi.SERVER_RUNNING:
353
self.add()
354
else:
355
if error is None:
356
logger.debug("Unknown state: %r", state)
357
else:
358
logger.debug("Unknown state: %r: %r", state, error)
359
def activate(self):
360
"""Derived from the Avahi example code"""
361
if self.server is None:
362
self.server = dbus.Interface(
363
self.bus.get_object(avahi.DBUS_NAME,
364
avahi.DBUS_PATH_SERVER,
365
follow_name_owner_changes=True),
366
avahi.DBUS_INTERFACE_SERVER)
367
self.server.connect_to_signal("StateChanged",
368
self.server_state_changed)
369
self.server_state_changed(self.server.GetState())
370
371
class AvahiServiceToSyslog(AvahiService):
372
def rename(self):
373
"""Add the new name to the syslog messages"""
374
ret = AvahiService.rename(self)
375
syslogger.setFormatter(logging.Formatter
376
('Mandos (%s) [%%(process)d]:'
377
' %%(levelname)s: %%(message)s'
378
% self.name))
379
return ret
380
381
def timedelta_to_milliseconds(td):
382
"Convert a datetime.timedelta() to milliseconds"
383
return ((td.days * 24 * 60 * 60 * 1000)
384
+ (td.seconds * 1000)
385
+ (td.microseconds // 1000))
386
165
global group
166
if group is None:
167
group = dbus.Interface(bus.get_object
168
(avahi.DBUS_NAME,
169
server.EntryGroupNew()),
170
avahi.DBUS_INTERFACE_ENTRY_GROUP)
171
group.connect_to_signal('StateChanged',
172
entry_group_state_changed)
173
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
174
service.name, service.type)
175
group.AddService(
176
self.interface, # interface
177
self.protocol, # protocol
178
dbus.UInt32(0), # flags
179
self.name, self.type,
180
self.domain, self.host,
181
dbus.UInt16(self.port),
182
avahi.string_array_to_txt_array(self.TXT))
183
group.Commit()
184
185
# From the Avahi example code:
186
group = None # our entry group
187
# End of Avahi example code
188
189
190
def _datetime_to_dbus(dt, variant_level=0):
191
"""Convert a UTC datetime.datetime() to a D-Bus type."""
192
return dbus.String(dt.isoformat(), variant_level=variant_level)
193
194
387
195
class Client(object):
388
196
"""A representation of a client host served by this server.
389
197
390
198
Attributes:
391
approved: bool(); 'None' if not yet approved/disapproved
392
approval_delay: datetime.timedelta(); Time to wait for approval
393
approval_duration: datetime.timedelta(); Duration of one approval
199
name: string; from the config file, used in log messages and
200
D-Bus identifiers
201
fingerprint: string (40 or 32 hexadecimal digits); used to
202
uniquely identify the client
203
secret: bytestring; sent verbatim (over TLS) to client
204
host: string; available for use by the checker command
205
created: datetime.datetime(); (UTC) object creation
206
last_enabled: datetime.datetime(); (UTC)
207
enabled: bool()
208
last_checked_ok: datetime.datetime(); (UTC) or None
209
timeout: datetime.timedelta(); How long from last_checked_ok
210
until this client is invalid
211
interval: datetime.timedelta(); How often to start a new checker
212
disable_hook: If set, called by disable() as disable_hook(self)
394
213
checker: subprocess.Popen(); a running checker process used
395
214
to see if the client lives.
396
215
'None' if no process is running.
397
checker_callback_tag: a gobject event source tag, or None
398
checker_command: string; External command which is run to check
399
if client lives. %() expansions are done at
216
checker_initiator_tag: a gobject event source tag, or None
217
disable_initiator_tag: - '' -
218
checker_callback_tag: - '' -
219
checker_command: string; External command which is run to check if
220
client lives. %() expansions are done at
400
221
runtime with vars(self) as dict, so that for
401
222
instance %(name)s can be used in the command.
402
checker_initiator_tag: a gobject event source tag, or None
403
created: datetime.datetime(); (UTC) object creation
404
client_structure: Object describing what attributes a client has
405
and is used for storing the client at exit
406
223
current_checker_command: string; current running checker_command
407
disable_initiator_tag: a gobject event source tag, or None
408
enabled: bool()
409
fingerprint: string (40 or 32 hexadecimal digits); used to
410
uniquely identify the client
411
host: string; available for use by the checker command
412
interval: datetime.timedelta(); How often to start a new checker
413
last_approval_request: datetime.datetime(); (UTC) or None
414
last_checked_ok: datetime.datetime(); (UTC) or None
415
last_checker_status: integer between 0 and 255 reflecting exit
416
status of last checker. -1 reflects crashed
417
checker, or None.
418
last_enabled: datetime.datetime(); (UTC) or None
419
name: string; from the config file, used in log messages and
420
D-Bus identifiers
421
secret: bytestring; sent verbatim (over TLS) to client
422
timeout: datetime.timedelta(); How long from last_checked_ok
423
until this client is disabled
424
extended_timeout: extra long timeout when password has been sent
425
runtime_expansions: Allowed attributes for runtime expansion.
426
expires: datetime.datetime(); time (UTC) when a client will be
427
disabled, or None
428
224
"""
429
225
430
runtime_expansions = ("approval_delay", "approval_duration",
431
"created", "enabled", "fingerprint",
432
"host", "interval", "last_checked_ok",
433
"last_enabled", "name", "timeout")
434
client_defaults = { "timeout": "5m",
435
"extended_timeout": "15m",
436
"interval": "2m",
437
"checker": "fping -q -- %%(host)s",
438
"host": "",
439
"approval_delay": "0s",
440
"approval_duration": "1s",
441
"approved_by_default": "True",
442
"enabled": "True",
443
}
226
@staticmethod
227
def _datetime_to_milliseconds(dt):
228
"Convert a datetime.datetime() to milliseconds"
229
return ((dt.days * 24 * 60 * 60 * 1000)
230
+ (dt.seconds * 1000)
231
+ (dt.microseconds // 1000))
444
232
445
233
def timeout_milliseconds(self):
446
234
"Return the 'timeout' attribute in milliseconds"
447
return timedelta_to_milliseconds(self.timeout)
448
449
def extended_timeout_milliseconds(self):
450
"Return the 'extended_timeout' attribute in milliseconds"
451
return timedelta_to_milliseconds(self.extended_timeout)
235
return self._datetime_to_milliseconds(self.timeout)
452
236
453
237
def interval_milliseconds(self):
454
238
"Return the 'interval' attribute in milliseconds"
455
return timedelta_to_milliseconds(self.interval)
239
return self._datetime_to_milliseconds(self.interval)
456
240
457
def approval_delay_milliseconds(self):
458
return timedelta_to_milliseconds(self.approval_delay)
459
460
@staticmethod
461
def config_parser(config):
462
""" Construct a new dict of client settings of this form:
463
{ client_name: {setting_name: value, ...}, ...}
464
with exceptions for any special settings as defined above"""
465
settings = {}
466
for client_name in config.sections():
467
section = dict(config.items(client_name))
468
client = settings[client_name] = {}
469
470
client["host"] = section["host"]
471
# Reformat values from string types to Python types
472
client["approved_by_default"] = config.getboolean(
473
client_name, "approved_by_default")
474
client["enabled"] = config.getboolean(client_name, "enabled")
475
476
client["fingerprint"] = (section["fingerprint"].upper()
477
.replace(" ", ""))
478
if "secret" in section:
479
client["secret"] = section["secret"].decode("base64")
480
elif "secfile" in section:
481
with open(os.path.expanduser(os.path.expandvars
482
(section["secfile"])),
483
"rb") as secfile:
484
client["secret"] = secfile.read()
485
else:
486
raise TypeError("No secret or secfile for section %s"
487
% section)
488
client["timeout"] = string_to_delta(section["timeout"])
489
client["extended_timeout"] = string_to_delta(
490
section["extended_timeout"])
491
client["interval"] = string_to_delta(section["interval"])
492
client["approval_delay"] = string_to_delta(
493
section["approval_delay"])
494
client["approval_duration"] = string_to_delta(
495
section["approval_duration"])
496
client["checker_command"] = section["checker"]
497
client["last_approval_request"] = None
498
client["last_checked_ok"] = None
499
client["last_checker_status"] = None
500
if client["enabled"]:
501
client["last_enabled"] = datetime.datetime.utcnow()
502
client["expires"] = (datetime.datetime.utcnow()
503
+ client["timeout"])
504
else:
505
client["last_enabled"] = None
506
client["expires"] = None
507
508
return settings
509
510
511
def __init__(self, settings, name = None):
241
def __init__(self, name = None, disable_hook=None, config=None):
512
242
"""Note: the 'checker' key in 'config' sets the
513
243
'checker_command' attribute and *not* the 'checker'
514
244
attribute."""
515
245
self.name = name
516
# adding all client settings
517
for setting, value in settings.iteritems():
518
setattr(self, setting, value)
519
520
logger.debug("Creating client %r", self.name)
246
if config is None:
247
config = {}
248
logger.debug(u"Creating client %r", self.name)
521
249
# Uppercase and remove spaces from fingerprint for later
522
250
# comparison purposes with return value from the fingerprint()
523
251
# function
524
logger.debug(" Fingerprint: %s", self.fingerprint)
525
self.created = settings.get("created", datetime.datetime.utcnow())
526
527
# attributes specific for this server instance
252
self.fingerprint = (config[u"fingerprint"].upper()
253
.replace(u" ", u""))
254
logger.debug(u" Fingerprint: %s", self.fingerprint)
255
if u"secret" in config:
256
self.secret = config[u"secret"].decode(u"base64")
257
elif u"secfile" in config:
258
with closing(open(os.path.expanduser
259
(os.path.expandvars
260
(config[u"secfile"])))) as secfile:
261
self.secret = secfile.read()
262
else:
263
raise TypeError(u"No secret or secfile for client %s"
264
% self.name)
265
self.host = config.get(u"host", u"")
266
self.created = datetime.datetime.utcnow()
267
self.enabled = False
268
self.last_enabled = None
269
self.last_checked_ok = None
270
self.timeout = string_to_delta(config[u"timeout"])
271
self.interval = string_to_delta(config[u"interval"])
272
self.disable_hook = disable_hook
528
273
self.checker = None
529
274
self.checker_initiator_tag = None
530
275
self.disable_initiator_tag = None
531
276
self.checker_callback_tag = None
277
self.checker_command = config[u"checker"]
532
278
self.current_checker_command = None
533
self.approved = None
534
self.approvals_pending = 0
535
self.changedstate = (multiprocessing_manager
536
.Condition(multiprocessing_manager
537
.Lock()))
538
self.client_structure = [attr for attr in
539
self.__dict__.iterkeys()
540
if not attr.startswith("_")]
541
self.client_structure.append("client_structure")
542
543
for name, t in inspect.getmembers(type(self),
544
lambda obj:
545
isinstance(obj,
546
property)):
547
if not name.startswith("_"):
548
self.client_structure.append(name)
549
550
# Send notice to process children that client state has changed
551
def send_changedstate(self):
552
with self.changedstate:
553
self.changedstate.notify_all()
279
self.last_connect = None
554
280
555
281
def enable(self):
556
282
"""Start this client's checker and timeout hooks"""
557
if getattr(self, "enabled", False):
558
# Already enabled
559
return
560
self.send_changedstate()
561
self.expires = datetime.datetime.utcnow() + self.timeout
562
self.enabled = True
563
283
self.last_enabled = datetime.datetime.utcnow()
564
self.init_checker()
565
566
def disable(self, quiet=True):
567
"""Disable this client."""
568
if not getattr(self, "enabled", False):
569
return False
570
if not quiet:
571
self.send_changedstate()
572
if not quiet:
573
logger.info("Disabling client %s", self.name)
574
if getattr(self, "disable_initiator_tag", False):
575
gobject.source_remove(self.disable_initiator_tag)
576
self.disable_initiator_tag = None
577
self.expires = None
578
if getattr(self, "checker_initiator_tag", False):
579
gobject.source_remove(self.checker_initiator_tag)
580
self.checker_initiator_tag = None
581
self.stop_checker()
582
self.enabled = False
583
# Do not run this again if called by a gobject.timeout_add
584
return False
585
586
def __del__(self):
587
self.disable()
588
589
def init_checker(self):
590
284
# Schedule a new checker to be started an 'interval' from now,
591
285
# and every interval from then on.
592
286
self.checker_initiator_tag = (gobject.timeout_add
593
287
(self.interval_milliseconds(),
594
288
self.start_checker))
289
# Also start a new checker *right now*.
290
self.start_checker()
595
291
# Schedule a disable() when 'timeout' has passed
596
292
self.disable_initiator_tag = (gobject.timeout_add
597
293
(self.timeout_milliseconds(),
598
294
self.disable))
599
# Also start a new checker *right now*.
600
self.start_checker()
295
self.enabled = True
296
297
def disable(self):
298
"""Disable this client."""
299
if not getattr(self, "enabled", False):
300
return False
301
logger.info(u"Disabling client %s", self.name)
302
if getattr(self, u"disable_initiator_tag", False):
303
gobject.source_remove(self.disable_initiator_tag)
304
self.disable_initiator_tag = None
305
if getattr(self, u"checker_initiator_tag", False):
306
gobject.source_remove(self.checker_initiator_tag)
307
self.checker_initiator_tag = None
308
self.stop_checker()
309
if self.disable_hook:
310
self.disable_hook(self)
311
self.enabled = False
312
# Do not run this again if called by a gobject.timeout_add
313
return False
314
315
def __del__(self):
316
self.disable_hook = None
317
self.disable()
601
318
602
319
def checker_callback(self, pid, condition, command):
603
320
"""The checker has completed, so take appropriate actions."""
604
321
self.checker_callback_tag = None
605
322
self.checker = None
606
323
if os.WIFEXITED(condition):
607
self.last_checker_status = os.WEXITSTATUS(condition)
608
if self.last_checker_status == 0:
609
logger.info("Checker for %(name)s succeeded",
324
exitstatus = os.WEXITSTATUS(condition)
325
if exitstatus == 0:
326
logger.info(u"Checker for %(name)s succeeded",
610
327
vars(self))
611
328
self.checked_ok()
612
329
else:
613
logger.info("Checker for %(name)s failed",
330
logger.info(u"Checker for %(name)s failed",
614
331
vars(self))
615
332
else:
616
self.last_checker_status = -1
617
logger.warning("Checker for %(name)s crashed?",
333
logger.warning(u"Checker for %(name)s crashed?",
618
334
vars(self))
619
335
620
def checked_ok(self, timeout=None):
336
def checked_ok(self):
621
337
"""Bump up the timeout for this client.
622
338
623
339
This should only be called when the client has been seen,
624
340
alive and well.
625
341
"""
626
if timeout is None:
627
timeout = self.timeout
628
342
self.last_checked_ok = datetime.datetime.utcnow()
629
if self.disable_initiator_tag is not None:
630
gobject.source_remove(self.disable_initiator_tag)
631
if getattr(self, "enabled", False):
632
self.disable_initiator_tag = (gobject.timeout_add
633
(timedelta_to_milliseconds
634
(timeout), self.disable))
635
self.expires = datetime.datetime.utcnow() + timeout
636
637
def need_approval(self):
638
self.last_approval_request = datetime.datetime.utcnow()
343
gobject.source_remove(self.disable_initiator_tag)
344
self.disable_initiator_tag = (gobject.timeout_add
345
(self.timeout_milliseconds(),
346
self.disable))
639
347
640
348
def start_checker(self):
641
349
"""Start a new checker subprocess if one is not running.
648
356
# client would inevitably timeout, since no checker would get
649
357
# a chance to run to completion. If we instead leave running
650
358
# checkers alone, the checker would have to take more time
651
# than 'timeout' for the client to be disabled, which is as it
652
# should be.
359
# than 'timeout' for the client to be declared invalid, which
360
# is as it should be.
653
361
654
362
# If a checker exists, make sure it is not a zombie
655
try:
363
if self.checker is not None:
656
364
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
657
except (AttributeError, OSError) as error:
658
if (isinstance(error, OSError)
659
and error.errno != errno.ECHILD):
660
raise error
661
else:
662
365
if pid:
663
logger.warning("Checker was a zombie")
366
logger.warning(u"Checker was a zombie")
664
367
gobject.source_remove(self.checker_callback_tag)
665
368
self.checker_callback(pid, status,
666
369
self.current_checker_command)
671
374
command = self.checker_command % self.host
672
375
except TypeError:
673
376
# Escape attributes for the shell
674
escaped_attrs = dict(
675
(attr,
676
re.escape(unicode(str(getattr(self, attr, "")),
677
errors=
678
'replace')))
679
for attr in
680
self.runtime_expansions)
681
377
escaped_attrs = dict((key,
378
re.escape(unicode(str(val),
379
errors=
380
u'replace')))
381
for key, val in
382
vars(self).iteritems())
682
383
try:
683
384
command = self.checker_command % escaped_attrs
684
except TypeError as error:
685
logger.error('Could not format string "%s":'
686
' %s', self.checker_command, error)
385
except TypeError, error:
386
logger.error(u'Could not format string "%s":'
387
u' %s', self.checker_command, error)
687
388
return True # Try again later
688
389
self.current_checker_command = command
689
390
try:
690
logger.info("Starting checker %r for %s",
391
logger.info(u"Starting checker %r for %s",
691
392
command, self.name)
692
393
# We don't need to redirect stdout and stderr, since
693
394
# in normal mode, that is already done by daemon(),
695
396
# always replaced by /dev/null.)
696
397
self.checker = subprocess.Popen(command,
697
398
close_fds=True,
698
shell=True, cwd="/")
399
shell=True, cwd=u"/")
699
400
self.checker_callback_tag = (gobject.child_watch_add
700
401
(self.checker.pid,
701
402
self.checker_callback,
706
407
if pid:
707
408
gobject.source_remove(self.checker_callback_tag)
708
409
self.checker_callback(pid, status, command)
709
except OSError as error:
710
logger.error("Failed to start subprocess: %s",
410
except OSError, error:
411
logger.error(u"Failed to start subprocess: %s",
711
412
error)
712
413
# Re-run this periodically if run by gobject.timeout_add
713
414
return True
717
418
if self.checker_callback_tag:
718
419
gobject.source_remove(self.checker_callback_tag)
719
420
self.checker_callback_tag = None
720
if getattr(self, "checker", None) is None:
421
if getattr(self, u"checker", None) is None:
721
422
return
722
logger.debug("Stopping checker for %(name)s", vars(self))
423
logger.debug(u"Stopping checker for %(name)s", vars(self))
723
424
try:
724
425
os.kill(self.checker.pid, signal.SIGTERM)
725
#time.sleep(0.5)
426
#os.sleep(0.5)
726
427
#if self.checker.poll() is None:
727
428
# os.kill(self.checker.pid, signal.SIGKILL)
728
except OSError as error:
429
except OSError, error:
729
430
if error.errno != errno.ESRCH: # No such process
730
431
raise
731
432
self.checker = None
732
733
734
def dbus_service_property(dbus_interface, signature="v",
735
access="readwrite", byte_arrays=False):
736
"""Decorators for marking methods of a DBusObjectWithProperties to
737
become properties on the D-Bus.
738
739
The decorated method will be called with no arguments by "Get"
740
and with one argument by "Set".
741
742
The parameters, where they are supported, are the same as
743
dbus.service.method, except there is only "signature", since the
744
type from Get() and the type sent to Set() is the same.
745
"""
746
# Encoding deeply encoded byte arrays is not supported yet by the
747
# "Set" method, so we fail early here:
748
if byte_arrays and signature != "ay":
749
raise ValueError("Byte arrays not supported for non-'ay'"
750
" signature %r" % signature)
751
def decorator(func):
752
func._dbus_is_property = True
753
func._dbus_interface = dbus_interface
754
func._dbus_signature = signature
755
func._dbus_access = access
756
func._dbus_name = func.__name__
757
if func._dbus_name.endswith("_dbus_property"):
758
func._dbus_name = func._dbus_name[:-14]
759
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
760
return func
761
return decorator
762
763
764
class DBusPropertyException(dbus.exceptions.DBusException):
765
"""A base class for D-Bus property-related exceptions
766
"""
767
def __unicode__(self):
768
return unicode(str(self))
769
770
771
class DBusPropertyAccessException(DBusPropertyException):
772
"""A property's access permissions disallows an operation.
773
"""
774
pass
775
776
777
class DBusPropertyNotFound(DBusPropertyException):
778
"""An attempt was made to access a non-existing property.
779
"""
780
pass
781
782
783
class DBusObjectWithProperties(dbus.service.Object):
784
"""A D-Bus object with properties.
785
786
Classes inheriting from this can use the dbus_service_property
787
decorator to expose methods as D-Bus properties. It exposes the
788
standard Get(), Set(), and GetAll() methods on the D-Bus.
789
"""
790
791
@staticmethod
792
def _is_dbus_property(obj):
793
return getattr(obj, "_dbus_is_property", False)
794
795
def _get_all_dbus_properties(self):
796
"""Returns a generator of (name, attribute) pairs
797
"""
798
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
799
for cls in self.__class__.__mro__
800
for name, prop in
801
inspect.getmembers(cls, self._is_dbus_property))
802
803
def _get_dbus_property(self, interface_name, property_name):
804
"""Returns a bound method if one exists which is a D-Bus
805
property with the specified name and interface.
806
"""
807
for cls in self.__class__.__mro__:
808
for name, value in (inspect.getmembers
809
(cls, self._is_dbus_property)):
810
if (value._dbus_name == property_name
811
and value._dbus_interface == interface_name):
812
return value.__get__(self)
813
814
# No such property
815
raise DBusPropertyNotFound(self.dbus_object_path + ":"
816
+ interface_name + "."
817
+ property_name)
818
819
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
820
out_signature="v")
821
def Get(self, interface_name, property_name):
822
"""Standard D-Bus property Get() method, see D-Bus standard.
823
"""
824
prop = self._get_dbus_property(interface_name, property_name)
825
if prop._dbus_access == "write":
826
raise DBusPropertyAccessException(property_name)
827
value = prop()
828
if not hasattr(value, "variant_level"):
829
return value
830
return type(value)(value, variant_level=value.variant_level+1)
831
832
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
833
def Set(self, interface_name, property_name, value):
834
"""Standard D-Bus property Set() method, see D-Bus standard.
835
"""
836
prop = self._get_dbus_property(interface_name, property_name)
837
if prop._dbus_access == "read":
838
raise DBusPropertyAccessException(property_name)
839
if prop._dbus_get_args_options["byte_arrays"]:
840
# The byte_arrays option is not supported yet on
841
# signatures other than "ay".
842
if prop._dbus_signature != "ay":
843
raise ValueError
844
value = dbus.ByteArray(''.join(unichr(byte)
845
for byte in value))
846
prop(value)
847
848
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
849
out_signature="a{sv}")
850
def GetAll(self, interface_name):
851
"""Standard D-Bus property GetAll() method, see D-Bus
852
standard.
853
854
Note: Will not include properties with access="write".
855
"""
856
properties = {}
857
for name, prop in self._get_all_dbus_properties():
858
if (interface_name
859
and interface_name != prop._dbus_interface):
860
# Interface non-empty but did not match
861
continue
862
# Ignore write-only properties
863
if prop._dbus_access == "write":
864
continue
865
value = prop()
866
if not hasattr(value, "variant_level"):
867
properties[name] = value
868
continue
869
properties[name] = type(value)(value, variant_level=
870
value.variant_level+1)
871
return dbus.Dictionary(properties, signature="sv")
872
873
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
874
out_signature="s",
875
path_keyword='object_path',
876
connection_keyword='connection')
877
def Introspect(self, object_path, connection):
878
"""Standard D-Bus method, overloaded to insert property tags.
879
"""
880
xmlstring = dbus.service.Object.Introspect(self, object_path,
881
connection)
882
try:
883
document = xml.dom.minidom.parseString(xmlstring)
884
def make_tag(document, name, prop):
885
e = document.createElement("property")
886
e.setAttribute("name", name)
887
e.setAttribute("type", prop._dbus_signature)
888
e.setAttribute("access", prop._dbus_access)
889
return e
890
for if_tag in document.getElementsByTagName("interface"):
891
for tag in (make_tag(document, name, prop)
892
for name, prop
893
in self._get_all_dbus_properties()
894
if prop._dbus_interface
895
== if_tag.getAttribute("name")):
896
if_tag.appendChild(tag)
897
# Add the names to the return values for the
898
# "org.freedesktop.DBus.Properties" methods
899
if (if_tag.getAttribute("name")
900
== "org.freedesktop.DBus.Properties"):
901
for cn in if_tag.getElementsByTagName("method"):
902
if cn.getAttribute("name") == "Get":
903
for arg in cn.getElementsByTagName("arg"):
904
if (arg.getAttribute("direction")
905
== "out"):
906
arg.setAttribute("name", "value")
907
elif cn.getAttribute("name") == "GetAll":
908
for arg in cn.getElementsByTagName("arg"):
909
if (arg.getAttribute("direction")
910
== "out"):
911
arg.setAttribute("name", "props")
912
xmlstring = document.toxml("utf-8")
913
document.unlink()
914
except (AttributeError, xml.dom.DOMException,
915
xml.parsers.expat.ExpatError) as error:
916
logger.error("Failed to override Introspection method",
917
error)
918
return xmlstring
919
920
921
def datetime_to_dbus (dt, variant_level=0):
922
"""Convert a UTC datetime.datetime() to a D-Bus type."""
923
if dt is None:
924
return dbus.String("", variant_level = variant_level)
925
return dbus.String(dt.isoformat(),
926
variant_level=variant_level)
927
928
929
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
930
.__metaclass__):
931
"""Applied to an empty subclass of a D-Bus object, this metaclass
932
will add additional D-Bus attributes matching a certain pattern.
933
"""
934
def __new__(mcs, name, bases, attr):
935
# Go through all the base classes which could have D-Bus
936
# methods, signals, or properties in them
937
for base in (b for b in bases
938
if issubclass(b, dbus.service.Object)):
939
# Go though all attributes of the base class
940
for attrname, attribute in inspect.getmembers(base):
941
# Ignore non-D-Bus attributes, and D-Bus attributes
942
# with the wrong interface name
943
if (not hasattr(attribute, "_dbus_interface")
944
or not attribute._dbus_interface
945
.startswith("se.recompile.Mandos")):
946
continue
947
# Create an alternate D-Bus interface name based on
948
# the current name
949
alt_interface = (attribute._dbus_interface
950
.replace("se.recompile.Mandos",
951
"se.bsnet.fukt.Mandos"))
952
# Is this a D-Bus signal?
953
if getattr(attribute, "_dbus_is_signal", False):
954
# Extract the original non-method function by
955
# black magic
956
nonmethod_func = (dict(
957
zip(attribute.func_code.co_freevars,
958
attribute.__closure__))["func"]
959
.cell_contents)
960
# Create a new, but exactly alike, function
961
# object, and decorate it to be a new D-Bus signal
962
# with the alternate D-Bus interface name
963
new_function = (dbus.service.signal
964
(alt_interface,
965
attribute._dbus_signature)
966
(types.FunctionType(
967
nonmethod_func.func_code,
968
nonmethod_func.func_globals,
969
nonmethod_func.func_name,
970
nonmethod_func.func_defaults,
971
nonmethod_func.func_closure)))
972
# Define a creator of a function to call both the
973
# old and new functions, so both the old and new
974
# signals gets sent when the function is called
975
def fixscope(func1, func2):
976
"""This function is a scope container to pass
977
func1 and func2 to the "call_both" function
978
outside of its arguments"""
979
def call_both(*args, **kwargs):
980
"""This function will emit two D-Bus
981
signals by calling func1 and func2"""
982
func1(*args, **kwargs)
983
func2(*args, **kwargs)
984
return call_both
985
# Create the "call_both" function and add it to
986
# the class
987
attr[attrname] = fixscope(attribute,
988
new_function)
989
# Is this a D-Bus method?
990
elif getattr(attribute, "_dbus_is_method", False):
991
# Create a new, but exactly alike, function
992
# object. Decorate it to be a new D-Bus method
993
# with the alternate D-Bus interface name. Add it
994
# to the class.
995
attr[attrname] = (dbus.service.method
996
(alt_interface,
997
attribute._dbus_in_signature,
998
attribute._dbus_out_signature)
999
(types.FunctionType
1000
(attribute.func_code,
1001
attribute.func_globals,
1002
attribute.func_name,
1003
attribute.func_defaults,
1004
attribute.func_closure)))
1005
# Is this a D-Bus property?
1006
elif getattr(attribute, "_dbus_is_property", False):
1007
# Create a new, but exactly alike, function
1008
# object, and decorate it to be a new D-Bus
1009
# property with the alternate D-Bus interface
1010
# name. Add it to the class.
1011
attr[attrname] = (dbus_service_property
1012
(alt_interface,
1013
attribute._dbus_signature,
1014
attribute._dbus_access,
1015
attribute
1016
._dbus_get_args_options
1017
["byte_arrays"])
1018
(types.FunctionType
1019
(attribute.func_code,
1020
attribute.func_globals,
1021
attribute.func_name,
1022
attribute.func_defaults,
1023
attribute.func_closure)))
1024
return type.__new__(mcs, name, bases, attr)
1025
1026
1027
class ClientDBus(Client, DBusObjectWithProperties):
433
434
def still_valid(self):
435
"""Has the timeout not yet passed for this client?"""
436
if not getattr(self, u"enabled", False):
437
return False
438
now = datetime.datetime.utcnow()
439
if self.last_checked_ok is None:
440
return now < (self.created + self.timeout)
441
else:
442
return now < (self.last_checked_ok + self.timeout)
443
444
445
class ClientDBus(Client, dbus.service.Object):
1028
446
"""A Client class using D-Bus
1029
447
1030
448
Attributes:
1031
dbus_object_path: dbus.ObjectPath
1032
bus: dbus.SystemBus()
449
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
1033
450
"""
1034
1035
runtime_expansions = (Client.runtime_expansions
1036
+ ("dbus_object_path",))
1037
1038
451
# dbus.service.Object doesn't use super(), so we can't either.
1039
452
1040
def __init__(self, bus = None, *args, **kwargs):
1041
self.bus = bus
453
def __init__(self, *args, **kwargs):
1042
454
Client.__init__(self, *args, **kwargs)
1043
self._approvals_pending = 0
1044
1045
self._approvals_pending = 0
1046
455
# Only now, when this client is initialized, can it show up on
1047
456
# the D-Bus
1048
client_object_name = unicode(self.name).translate(
1049
{ord("."): ord("_"),
1050
ord("-"): ord("_")})
1051
457
self.dbus_object_path = (dbus.ObjectPath
1052
("/clients/" + client_object_name))
1053
DBusObjectWithProperties.__init__(self, self.bus,
1054
self.dbus_object_path)
1055
1056
def notifychangeproperty(transform_func,
1057
dbus_name, type_func=lambda x: x,
1058
variant_level=1):
1059
""" Modify a variable so that it's a property which announces
1060
its changes to DBus.
1061
1062
transform_fun: Function that takes a value and a variant_level
1063
and transforms it to a D-Bus type.
1064
dbus_name: D-Bus name of the variable
1065
type_func: Function that transform the value before sending it
1066
to the D-Bus. Default: no transform
1067
variant_level: D-Bus variant level. Default: 1
1068
"""
1069
attrname = "_{0}".format(dbus_name)
1070
def setter(self, value):
1071
if hasattr(self, "dbus_object_path"):
1072
if (not hasattr(self, attrname) or
1073
type_func(getattr(self, attrname, None))
1074
!= type_func(value)):
1075
dbus_value = transform_func(type_func(value),
1076
variant_level
1077
=variant_level)
1078
self.PropertyChanged(dbus.String(dbus_name),
1079
dbus_value)
1080
setattr(self, attrname, value)
1081
1082
return property(lambda self: getattr(self, attrname), setter)
1083
1084
1085
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1086
approvals_pending = notifychangeproperty(dbus.Boolean,
1087
"ApprovalPending",
1088
type_func = bool)
1089
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1090
last_enabled = notifychangeproperty(datetime_to_dbus,
1091
"LastEnabled")
1092
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1093
type_func = lambda checker:
1094
checker is not None)
1095
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1096
"LastCheckedOK")
1097
last_approval_request = notifychangeproperty(
1098
datetime_to_dbus, "LastApprovalRequest")
1099
approved_by_default = notifychangeproperty(dbus.Boolean,
1100
"ApprovedByDefault")
1101
approval_delay = notifychangeproperty(dbus.UInt64,
1102
"ApprovalDelay",
1103
type_func =
1104
timedelta_to_milliseconds)
1105
approval_duration = notifychangeproperty(
1106
dbus.UInt64, "ApprovalDuration",
1107
type_func = timedelta_to_milliseconds)
1108
host = notifychangeproperty(dbus.String, "Host")
1109
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1110
type_func =
1111
timedelta_to_milliseconds)
1112
extended_timeout = notifychangeproperty(
1113
dbus.UInt64, "ExtendedTimeout",
1114
type_func = timedelta_to_milliseconds)
1115
interval = notifychangeproperty(dbus.UInt64,
1116
"Interval",
1117
type_func =
1118
timedelta_to_milliseconds)
1119
checker_command = notifychangeproperty(dbus.String, "Checker")
1120
1121
del notifychangeproperty
458
(u"/clients/"
459
+ self.name.replace(u".", u"_")))
460
dbus.service.Object.__init__(self, bus,
461
self.dbus_object_path)
462
def enable(self):
463
oldstate = getattr(self, u"enabled", False)
464
r = Client.enable(self)
465
if oldstate != self.enabled:
466
# Emit D-Bus signals
467
self.PropertyChanged(dbus.String(u"enabled"),
468
dbus.Boolean(True, variant_level=1))
469
self.PropertyChanged(dbus.String(u"last_enabled"),
470
(_datetime_to_dbus(self.last_enabled,
471
variant_level=1)))
472
return r
473
474
def disable(self, signal = True):
475
oldstate = getattr(self, u"enabled", False)
476
r = Client.disable(self)
477
if signal and oldstate != self.enabled:
478
# Emit D-Bus signal
479
self.PropertyChanged(dbus.String(u"enabled"),
480
dbus.Boolean(False, variant_level=1))
481
return r
1122
482
1123
483
def __del__(self, *args, **kwargs):
1124
484
try:
1125
485
self.remove_from_connection()
1126
486
except LookupError:
1127
487
pass
1128
if hasattr(DBusObjectWithProperties, "__del__"):
1129
DBusObjectWithProperties.__del__(self, *args, **kwargs)
488
if hasattr(dbus.service.Object, u"__del__"):
489
dbus.service.Object.__del__(self, *args, **kwargs)
1130
490
Client.__del__(self, *args, **kwargs)
1131
491
1132
492
def checker_callback(self, pid, condition, command,
1133
493
*args, **kwargs):
1134
494
self.checker_callback_tag = None
1135
495
self.checker = None
496
# Emit D-Bus signal
497
self.PropertyChanged(dbus.String(u"checker_running"),
498
dbus.Boolean(False, variant_level=1))
1136
499
if os.WIFEXITED(condition):
1137
500
exitstatus = os.WEXITSTATUS(condition)
1138
501
# Emit D-Bus signal
1148
511
return Client.checker_callback(self, pid, condition, command,
1149
512
*args, **kwargs)
1150
513
514
def checked_ok(self, *args, **kwargs):
515
r = Client.checked_ok(self, *args, **kwargs)
516
# Emit D-Bus signal
517
self.PropertyChanged(
518
dbus.String(u"last_checked_ok"),
519
(_datetime_to_dbus(self.last_checked_ok,
520
variant_level=1)))
521
return r
522
1151
523
def start_checker(self, *args, **kwargs):
1152
524
old_checker = self.checker
1153
525
if self.checker is not None:
1160
532
and old_checker_pid != self.checker.pid):
1161
533
# Emit D-Bus signal
1162
534
self.CheckerStarted(self.current_checker_command)
1163
return r
1164
1165
def _reset_approved(self):
1166
self.approved = None
1167
return False
1168
1169
def approve(self, value=True):
1170
self.send_changedstate()
1171
self.approved = value
1172
gobject.timeout_add(timedelta_to_milliseconds
1173
(self.approval_duration),
1174
self._reset_approved)
1175
1176
1177
## D-Bus methods, signals & properties
1178
_interface = "se.recompile.Mandos.Client"
1179
1180
## Signals
535
self.PropertyChanged(
536
dbus.String(u"checker_running"),
537
dbus.Boolean(True, variant_level=1))
538
return r
539
540
def stop_checker(self, *args, **kwargs):
541
old_checker = getattr(self, u"checker", None)
542
r = Client.stop_checker(self, *args, **kwargs)
543
if (old_checker is not None
544
and getattr(self, u"checker", None) is None):
545
self.PropertyChanged(dbus.String(u"checker_running"),
546
dbus.Boolean(False, variant_level=1))
547
return r
548
549
## D-Bus methods & signals
550
_interface = u"se.bsnet.fukt.Mandos.Client"
551
552
# CheckedOK - method
553
@dbus.service.method(_interface)
554
def CheckedOK(self):
555
return self.checked_ok()
1181
556
1182
557
# CheckerCompleted - signal
1183
@dbus.service.signal(_interface, signature="nxs")
558
@dbus.service.signal(_interface, signature=u"nxs")
1184
559
def CheckerCompleted(self, exitcode, waitstatus, command):
1185
560
"D-Bus signal"
1186
561
pass
1187
562
1188
563
# CheckerStarted - signal
1189
@dbus.service.signal(_interface, signature="s")
564
@dbus.service.signal(_interface, signature=u"s")
1190
565
def CheckerStarted(self, command):
1191
566
"D-Bus signal"
1192
567
pass
1193
568
569
# GetAllProperties - method
570
@dbus.service.method(_interface, out_signature=u"a{sv}")
571
def GetAllProperties(self):
572
"D-Bus method"
573
return dbus.Dictionary({
574
dbus.String(u"name"):
575
dbus.String(self.name, variant_level=1),
576
dbus.String(u"fingerprint"):
577
dbus.String(self.fingerprint, variant_level=1),
578
dbus.String(u"host"):
579
dbus.String(self.host, variant_level=1),
580
dbus.String(u"created"):
581
_datetime_to_dbus(self.created, variant_level=1),
582
dbus.String(u"last_enabled"):
583
(_datetime_to_dbus(self.last_enabled,
584
variant_level=1)
585
if self.last_enabled is not None
586
else dbus.Boolean(False, variant_level=1)),
587
dbus.String(u"enabled"):
588
dbus.Boolean(self.enabled, variant_level=1),
589
dbus.String(u"last_checked_ok"):
590
(_datetime_to_dbus(self.last_checked_ok,
591
variant_level=1)
592
if self.last_checked_ok is not None
593
else dbus.Boolean (False, variant_level=1)),
594
dbus.String(u"timeout"):
595
dbus.UInt64(self.timeout_milliseconds(),
596
variant_level=1),
597
dbus.String(u"interval"):
598
dbus.UInt64(self.interval_milliseconds(),
599
variant_level=1),
600
dbus.String(u"checker"):
601
dbus.String(self.checker_command,
602
variant_level=1),
603
dbus.String(u"checker_running"):
604
dbus.Boolean(self.checker is not None,
605
variant_level=1),
606
dbus.String(u"object_path"):
607
dbus.ObjectPath(self.dbus_object_path,
608
variant_level=1)
609
}, signature=u"sv")
610
611
# IsStillValid - method
612
@dbus.service.method(_interface, out_signature=u"b")
613
def IsStillValid(self):
614
return self.still_valid()
615
1194
616
# PropertyChanged - signal
1195
@dbus.service.signal(_interface, signature="sv")
617
@dbus.service.signal(_interface, signature=u"sv")
1196
618
def PropertyChanged(self, property, value):
1197
619
"D-Bus signal"
1198
620
pass
1199
621
1200
# GotSecret - signal
622
# ReceivedSecret - signal
1201
623
@dbus.service.signal(_interface)
1202
def GotSecret(self):
1203
"""D-Bus signal
1204
Is sent after a successful transfer of secret from the Mandos
1205
server to mandos-client
1206
"""
624
def ReceivedSecret(self):
625
"D-Bus signal"
1207
626
pass
1208
627
1209
628
# Rejected - signal
1210
@dbus.service.signal(_interface, signature="s")
1211
def Rejected(self, reason):
1212
"D-Bus signal"
1213
pass
1214
1215
# NeedApproval - signal
1216
@dbus.service.signal(_interface, signature="tb")
1217
def NeedApproval(self, timeout, default):
1218
"D-Bus signal"
1219
return self.need_approval()
1220
1221
# NeRwequest - signal
1222
@dbus.service.signal(_interface, signature="s")
1223
def NewRequest(self, ip):
1224
"""D-Bus signal
1225
Is sent after a client request a password.
1226
"""
1227
pass
1228
1229
## Methods
1230
1231
# Approve - method
1232
@dbus.service.method(_interface, in_signature="b")
1233
def Approve(self, value):
1234
self.approve(value)
1235
1236
# CheckedOK - method
1237
@dbus.service.method(_interface)
1238
def CheckedOK(self):
1239
self.checked_ok()
629
@dbus.service.signal(_interface)
630
def Rejected(self):
631
"D-Bus signal"
632
pass
633
634
# SetChecker - method
635
@dbus.service.method(_interface, in_signature=u"s")
636
def SetChecker(self, checker):
637
"D-Bus setter method"
638
self.checker_command = checker
639
# Emit D-Bus signal
640
self.PropertyChanged(dbus.String(u"checker"),
641
dbus.String(self.checker_command,
642
variant_level=1))
643
644
# SetHost - method
645
@dbus.service.method(_interface, in_signature=u"s")
646
def SetHost(self, host):
647
"D-Bus setter method"
648
self.host = host
649
# Emit D-Bus signal
650
self.PropertyChanged(dbus.String(u"host"),
651
dbus.String(self.host, variant_level=1))
652
653
# SetInterval - method
654
@dbus.service.method(_interface, in_signature=u"t")
655
def SetInterval(self, milliseconds):
656
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
657
# Emit D-Bus signal
658
self.PropertyChanged(dbus.String(u"interval"),
659
(dbus.UInt64(self.interval_milliseconds(),
660
variant_level=1)))
661
662
# SetSecret - method
663
@dbus.service.method(_interface, in_signature=u"ay",
664
byte_arrays=True)
665
def SetSecret(self, secret):
666
"D-Bus setter method"
667
self.secret = str(secret)
668
669
# SetTimeout - method
670
@dbus.service.method(_interface, in_signature=u"t")
671
def SetTimeout(self, milliseconds):
672
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
673
# Emit D-Bus signal
674
self.PropertyChanged(dbus.String(u"timeout"),
675
(dbus.UInt64(self.timeout_milliseconds(),
676
variant_level=1)))
1240
677
1241
678
# Enable - method
1242
679
@dbus.service.method(_interface)
1261
698
def StopChecker(self):
1262
699
self.stop_checker()
1263
700
1264
## Properties
1265
1266
# ApprovalPending - property
1267
@dbus_service_property(_interface, signature="b", access="read")
1268
def ApprovalPending_dbus_property(self):
1269
return dbus.Boolean(bool(self.approvals_pending))
1270
1271
# ApprovedByDefault - property
1272
@dbus_service_property(_interface, signature="b",
1273
access="readwrite")
1274
def ApprovedByDefault_dbus_property(self, value=None):
1275
if value is None: # get
1276
return dbus.Boolean(self.approved_by_default)
1277
self.approved_by_default = bool(value)
1278
1279
# ApprovalDelay - property
1280
@dbus_service_property(_interface, signature="t",
1281
access="readwrite")
1282
def ApprovalDelay_dbus_property(self, value=None):
1283
if value is None: # get
1284
return dbus.UInt64(self.approval_delay_milliseconds())
1285
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1286
1287
# ApprovalDuration - property
1288
@dbus_service_property(_interface, signature="t",
1289
access="readwrite")
1290
def ApprovalDuration_dbus_property(self, value=None):
1291
if value is None: # get
1292
return dbus.UInt64(timedelta_to_milliseconds(
1293
self.approval_duration))
1294
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1295
1296
# Name - property
1297
@dbus_service_property(_interface, signature="s", access="read")
1298
def Name_dbus_property(self):
1299
return dbus.String(self.name)
1300
1301
# Fingerprint - property
1302
@dbus_service_property(_interface, signature="s", access="read")
1303
def Fingerprint_dbus_property(self):
1304
return dbus.String(self.fingerprint)
1305
1306
# Host - property
1307
@dbus_service_property(_interface, signature="s",
1308
access="readwrite")
1309
def Host_dbus_property(self, value=None):
1310
if value is None: # get
1311
return dbus.String(self.host)
1312
self.host = unicode(value)
1313
1314
# Created - property
1315
@dbus_service_property(_interface, signature="s", access="read")
1316
def Created_dbus_property(self):
1317
return datetime_to_dbus(self.created)
1318
1319
# LastEnabled - property
1320
@dbus_service_property(_interface, signature="s", access="read")
1321
def LastEnabled_dbus_property(self):
1322
return datetime_to_dbus(self.last_enabled)
1323
1324
# Enabled - property
1325
@dbus_service_property(_interface, signature="b",
1326
access="readwrite")
1327
def Enabled_dbus_property(self, value=None):
1328
if value is None: # get
1329
return dbus.Boolean(self.enabled)
1330
if value:
1331
self.enable()
1332
else:
1333
self.disable()
1334
1335
# LastCheckedOK - property
1336
@dbus_service_property(_interface, signature="s",
1337
access="readwrite")
1338
def LastCheckedOK_dbus_property(self, value=None):
1339
if value is not None:
1340
self.checked_ok()
1341
return
1342
return datetime_to_dbus(self.last_checked_ok)
1343
1344
# Expires - property
1345
@dbus_service_property(_interface, signature="s", access="read")
1346
def Expires_dbus_property(self):
1347
return datetime_to_dbus(self.expires)
1348
1349
# LastApprovalRequest - property
1350
@dbus_service_property(_interface, signature="s", access="read")
1351
def LastApprovalRequest_dbus_property(self):
1352
return datetime_to_dbus(self.last_approval_request)
1353
1354
# Timeout - property
1355
@dbus_service_property(_interface, signature="t",
1356
access="readwrite")
1357
def Timeout_dbus_property(self, value=None):
1358
if value is None: # get
1359
return dbus.UInt64(self.timeout_milliseconds())
1360
self.timeout = datetime.timedelta(0, 0, 0, value)
1361
if getattr(self, "disable_initiator_tag", None) is None:
1362
return
1363
# Reschedule timeout
1364
gobject.source_remove(self.disable_initiator_tag)
1365
self.disable_initiator_tag = None
1366
self.expires = None
1367
time_to_die = timedelta_to_milliseconds((self
1368
.last_checked_ok
1369
+ self.timeout)
1370
- datetime.datetime
1371
.utcnow())
1372
if time_to_die <= 0:
1373
# The timeout has passed
1374
self.disable()
1375
else:
1376
self.expires = (datetime.datetime.utcnow()
1377
+ datetime.timedelta(milliseconds =
1378
time_to_die))
1379
self.disable_initiator_tag = (gobject.timeout_add
1380
(time_to_die, self.disable))
1381
1382
# ExtendedTimeout - property
1383
@dbus_service_property(_interface, signature="t",
1384
access="readwrite")
1385
def ExtendedTimeout_dbus_property(self, value=None):
1386
if value is None: # get
1387
return dbus.UInt64(self.extended_timeout_milliseconds())
1388
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1389
1390
# Interval - property
1391
@dbus_service_property(_interface, signature="t",
1392
access="readwrite")
1393
def Interval_dbus_property(self, value=None):
1394
if value is None: # get
1395
return dbus.UInt64(self.interval_milliseconds())
1396
self.interval = datetime.timedelta(0, 0, 0, value)
1397
if getattr(self, "checker_initiator_tag", None) is None:
1398
return
1399
if self.enabled:
1400
# Reschedule checker run
1401
gobject.source_remove(self.checker_initiator_tag)
1402
self.checker_initiator_tag = (gobject.timeout_add
1403
(value, self.start_checker))
1404
self.start_checker() # Start one now, too
1405
1406
# Checker - property
1407
@dbus_service_property(_interface, signature="s",
1408
access="readwrite")
1409
def Checker_dbus_property(self, value=None):
1410
if value is None: # get
1411
return dbus.String(self.checker_command)
1412
self.checker_command = unicode(value)
1413
1414
# CheckerRunning - property
1415
@dbus_service_property(_interface, signature="b",
1416
access="readwrite")
1417
def CheckerRunning_dbus_property(self, value=None):
1418
if value is None: # get
1419
return dbus.Boolean(self.checker is not None)
1420
if value:
1421
self.start_checker()
1422
else:
1423
self.stop_checker()
1424
1425
# ObjectPath - property
1426
@dbus_service_property(_interface, signature="o", access="read")
1427
def ObjectPath_dbus_property(self):
1428
return self.dbus_object_path # is already a dbus.ObjectPath
1429
1430
# Secret = property
1431
@dbus_service_property(_interface, signature="ay",
1432
access="write", byte_arrays=True)
1433
def Secret_dbus_property(self, value):
1434
self.secret = str(value)
1435
1436
701
del _interface
1437
702
1438
703
1439
class ProxyClient(object):
1440
def __init__(self, child_pipe, fpr, address):
1441
self._pipe = child_pipe
1442
self._pipe.send(('init', fpr, address))
1443
if not self._pipe.recv():
1444
raise KeyError()
1445
1446
def __getattribute__(self, name):
1447
if name == '_pipe':
1448
return super(ProxyClient, self).__getattribute__(name)
1449
self._pipe.send(('getattr', name))
1450
data = self._pipe.recv()
1451
if data[0] == 'data':
1452
return data[1]
1453
if data[0] == 'function':
1454
def func(*args, **kwargs):
1455
self._pipe.send(('funcall', name, args, kwargs))
1456
return self._pipe.recv()[1]
1457
return func
1458
1459
def __setattr__(self, name, value):
1460
if name == '_pipe':
1461
return super(ProxyClient, self).__setattr__(name, value)
1462
self._pipe.send(('setattr', name, value))
1463
1464
1465
class ClientDBusTransitional(ClientDBus):
1466
__metaclass__ = AlternateDBusNamesMetaclass
1467
1468
1469
704
class ClientHandler(socketserver.BaseRequestHandler, object):
1470
705
"""A class to handle client connections.
1471
706
1473
708
Note: This will run in its own forked process."""
1474
709
1475
710
def handle(self):
1476
with contextlib.closing(self.server.child_pipe) as child_pipe:
1477
logger.info("TCP connection from: %s",
1478
unicode(self.client_address))
1479
logger.debug("Pipe FD: %d",
1480
self.server.child_pipe.fileno())
1481
711
logger.info(u"TCP connection from: %s",
712
unicode(self.client_address))
713
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
714
# Open IPC pipe to parent process
715
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1482
716
session = (gnutls.connection
1483
717
.ClientSession(self.request,
1484
718
gnutls.connection
1485
719
.X509Credentials()))
1486
720
721
line = self.request.makefile().readline()
722
logger.debug(u"Protocol version: %r", line)
723
try:
724
if int(line.strip().split()[0]) > 1:
725
raise RuntimeError
726
except (ValueError, IndexError, RuntimeError), error:
727
logger.error(u"Unknown protocol version: %s", error)
728
return
729
1487
730
# Note: gnutls.connection.X509Credentials is really a
1488
731
# generic GnuTLS certificate credentials object so long as
1489
732
# no X.509 keys are added to it. Therefore, we can use it
1490
733
# here despite using OpenPGP certificates.
1491
734
1492
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1493
# "+AES-256-CBC", "+SHA1",
1494
# "+COMP-NULL", "+CTYPE-OPENPGP",
1495
# "+DHE-DSS"))
735
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
736
# u"+AES-256-CBC", u"+SHA1",
737
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
738
# u"+DHE-DSS"))
1496
739
# Use a fallback default, since this MUST be set.
1497
740
priority = self.server.gnutls_priority
1498
741
if priority is None:
1499
priority = "NORMAL"
742
priority = u"NORMAL"
1500
743
(gnutls.library.functions
1501
744
.gnutls_priority_set_direct(session._c_object,
1502
745
priority, None))
1503
746
1504
# Start communication using the Mandos protocol
1505
# Get protocol number
1506
line = self.request.makefile().readline()
1507
logger.debug("Protocol version: %r", line)
1508
try:
1509
if int(line.strip().split()[0]) > 1:
1510
raise RuntimeError
1511
except (ValueError, IndexError, RuntimeError) as error:
1512
logger.error("Unknown protocol version: %s", error)
1513
return
1514
1515
# Start GnuTLS connection
1516
747
try:
1517
748
session.handshake()
1518
except gnutls.errors.GNUTLSError as error:
1519
logger.warning("Handshake failed: %s", error)
749
except gnutls.errors.GNUTLSError, error:
750
logger.warning(u"Handshake failed: %s", error)
1520
751
# Do not run session.bye() here: the session is not
1521
752
# established. Just abandon the request.
1522
753
return
1523
logger.debug("Handshake succeeded")
1524
1525
approval_required = False
754
logger.debug(u"Handshake succeeded")
1526
755
try:
1527
try:
1528
fpr = self.fingerprint(self.peer_certificate
1529
(session))
1530
except (TypeError,
1531
gnutls.errors.GNUTLSError) as error:
1532
logger.warning("Bad certificate: %s", error)
1533
return
1534
logger.debug("Fingerprint: %s", fpr)
1535
1536
try:
1537
client = ProxyClient(child_pipe, fpr,
1538
self.client_address)
1539
except KeyError:
1540
return
1541
1542
if self.server.use_dbus:
1543
# Emit D-Bus signal
1544
client.NewRequest(str(self.client_address))
1545
1546
if client.approval_delay:
1547
delay = client.approval_delay
1548
client.approvals_pending += 1
1549
approval_required = True
1550
1551
while True:
1552
if not client.enabled:
1553
logger.info("Client %s is disabled",
1554
client.name)
1555
if self.server.use_dbus:
1556
# Emit D-Bus signal
1557
client.Rejected("Disabled")
1558
return
1559
1560
if client.approved or not client.approval_delay:
1561
#We are approved or approval is disabled
1562
break
1563
elif client.approved is None:
1564
logger.info("Client %s needs approval",
1565
client.name)
1566
if self.server.use_dbus:
1567
# Emit D-Bus signal
1568
client.NeedApproval(
1569
client.approval_delay_milliseconds(),
1570
client.approved_by_default)
1571
else:
1572
logger.warning("Client %s was not approved",
1573
client.name)
1574
if self.server.use_dbus:
1575
# Emit D-Bus signal
1576
client.Rejected("Denied")
1577
return
1578
1579
#wait until timeout or approved
1580
time = datetime.datetime.now()
1581
client.changedstate.acquire()
1582
(client.changedstate.wait
1583
(float(client.timedelta_to_milliseconds(delay)
1584
/ 1000)))
1585
client.changedstate.release()
1586
time2 = datetime.datetime.now()
1587
if (time2 - time) >= delay:
1588
if not client.approved_by_default:
1589
logger.warning("Client %s timed out while"
1590
" waiting for approval",
1591
client.name)
1592
if self.server.use_dbus:
1593
# Emit D-Bus signal
1594
client.Rejected("Approval timed out")
1595
return
1596
else:
1597
break
1598
else:
1599
delay -= time2 - time
1600
1601
sent_size = 0
1602
while sent_size < len(client.secret):
1603
try:
1604
sent = session.send(client.secret[sent_size:])
1605
except gnutls.errors.GNUTLSError as error:
1606
logger.warning("gnutls send failed")
1607
return
1608
logger.debug("Sent: %d, remaining: %d",
1609
sent, len(client.secret)
1610
- (sent_size + sent))
1611
sent_size += sent
1612
1613
logger.info("Sending secret to %s", client.name)
1614
# bump the timeout using extended_timeout
1615
client.checked_ok(client.extended_timeout)
1616
if self.server.use_dbus:
1617
# Emit D-Bus signal
1618
client.GotSecret()
756
fpr = self.fingerprint(self.peer_certificate(session))
757
except (TypeError, gnutls.errors.GNUTLSError), error:
758
logger.warning(u"Bad certificate: %s", error)
759
session.bye()
760
return
761
logger.debug(u"Fingerprint: %s", fpr)
1619
762
1620
finally:
1621
if approval_required:
1622
client.approvals_pending -= 1
1623
try:
1624
session.bye()
1625
except gnutls.errors.GNUTLSError as error:
1626
logger.warning("GnuTLS bye failed")
763
for c in self.server.clients:
764
if c.fingerprint == fpr:
765
client = c
766
break
767
else:
768
ipc.write(u"NOTFOUND %s\n" % fpr)
769
session.bye()
770
return
771
# Have to check if client.still_valid(), since it is
772
# possible that the client timed out while establishing
773
# the GnuTLS session.
774
if not client.still_valid():
775
ipc.write(u"INVALID %s\n" % client.name)
776
session.bye()
777
return
778
ipc.write(u"SENDING %s\n" % client.name)
779
sent_size = 0
780
while sent_size < len(client.secret):
781
sent = session.send(client.secret[sent_size:])
782
logger.debug(u"Sent: %d, remaining: %d",
783
sent, len(client.secret)
784
- (sent_size + sent))
785
sent_size += sent
786
session.bye()
1627
787
1628
788
@staticmethod
1629
789
def peer_certificate(session):
1639
799
.gnutls_certificate_get_peers
1640
800
(session._c_object, ctypes.byref(list_size)))
1641
801
if not bool(cert_list) and list_size.value != 0:
1642
raise gnutls.errors.GNUTLSError("error getting peer"
1643
" certificate")
802
raise gnutls.errors.GNUTLSError(u"error getting peer"
803
u" certificate")
1644
804
if list_size.value == 0:
1645
805
return None
1646
806
cert = cert_list[0]
1672
832
if crtverify.value != 0:
1673
833
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1674
834
raise (gnutls.errors.CertificateSecurityError
1675
("Verify failed"))
835
(u"Verify failed"))
1676
836
# New buffer for the fingerprint
1677
837
buf = ctypes.create_string_buffer(20)
1678
838
buf_len = ctypes.c_size_t()
1685
845
# Convert the buffer to a Python bytestring
1686
846
fpr = ctypes.string_at(buf, buf_len.value)
1687
847
# Convert the bytestring to hexadecimal notation
1688
hex_fpr = binascii.hexlify(fpr).upper()
848
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1689
849
return hex_fpr
1690
850
1691
851
1692
class MultiprocessingMixIn(object):
1693
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1694
def sub_process_main(self, request, address):
1695
try:
1696
self.finish_request(request, address)
1697
except Exception:
1698
self.handle_error(request, address)
1699
self.close_request(request)
852
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
853
"""Like socketserver.ForkingMixIn, but also pass a pipe.
1700
854
1701
def process_request(self, request, address):
1702
"""Start a new process to process the request."""
1703
proc = multiprocessing.Process(target = self.sub_process_main,
1704
args = (request,
1705
address))
1706
proc.start()
1707
return proc
1708
1709
1710
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1711
""" adds a pipe to the MixIn """
855
Assumes a gobject.MainLoop event loop.
856
"""
1712
857
def process_request(self, request, client_address):
1713
858
"""Overrides and wraps the original process_request().
1714
859
1715
This function creates a new pipe in self.pipe
860
This function creates a new pipe in self.pipe
1716
861
"""
1717
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1718
1719
proc = MultiprocessingMixIn.process_request(self, request,
1720
client_address)
1721
self.child_pipe.close()
1722
self.add_pipe(parent_pipe, proc)
1723
1724
def add_pipe(self, parent_pipe, proc):
862
self.pipe = os.pipe()
863
super(ForkingMixInWithPipe,
864
self).process_request(request, client_address)
865
os.close(self.pipe[1]) # close write end
866
# Call "handle_ipc" for both data and EOF events
867
gobject.io_add_watch(self.pipe[0],
868
gobject.IO_IN | gobject.IO_HUP,
869
self.handle_ipc)
870
def handle_ipc(source, condition):
1725
871
"""Dummy function; override as necessary"""
1726
raise NotImplementedError
1727
1728
1729
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
872
os.close(source)
873
return False
874
875
876
class IPv6_TCPServer(ForkingMixInWithPipe,
1730
877
socketserver.TCPServer, object):
1731
878
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1732
879
1734
881
enabled: Boolean; whether this server is activated yet
1735
882
interface: None or a network interface name (string)
1736
883
use_ipv6: Boolean; to use IPv6 or not
884
----
885
clients: set of Client objects
886
gnutls_priority GnuTLS priority string
887
use_dbus: Boolean; to emit D-Bus signals or not
1737
888
"""
1738
889
def __init__(self, server_address, RequestHandlerClass,
1739
interface=None, use_ipv6=True):
890
interface=None, use_ipv6=True, clients=None,
891
gnutls_priority=None, use_dbus=True):
892
self.enabled = False
1740
893
self.interface = interface
1741
894
if use_ipv6:
1742
895
self.address_family = socket.AF_INET6
896
self.clients = clients
897
self.use_dbus = use_dbus
898
self.gnutls_priority = gnutls_priority
1743
899
socketserver.TCPServer.__init__(self, server_address,
1744
900
RequestHandlerClass)
1745
901
def server_bind(self):
1747
903
to bind to an interface if one was specified, and also NOT to
1748
904
bind to an address or port if they were not specified."""
1749
905
if self.interface is not None:
1750
if SO_BINDTODEVICE is None:
1751
logger.error("SO_BINDTODEVICE does not exist;"
1752
" cannot bind to interface %s",
1753
self.interface)
1754
else:
1755
try:
1756
self.socket.setsockopt(socket.SOL_SOCKET,
1757
SO_BINDTODEVICE,
1758
str(self.interface
1759
+ '\0'))
1760
except socket.error as error:
1761
if error[0] == errno.EPERM:
1762
logger.error("No permission to"
1763
" bind to interface %s",
1764
self.interface)
1765
elif error[0] == errno.ENOPROTOOPT:
1766
logger.error("SO_BINDTODEVICE not available;"
1767
" cannot bind to interface %s",
1768
self.interface)
1769
else:
1770
raise
906
try:
907
self.socket.setsockopt(socket.SOL_SOCKET,
908
SO_BINDTODEVICE,
909
str(self.interface + u'\0'))
910
except socket.error, error:
911
if error[0] == errno.EPERM:
912
logger.error(u"No permission to"
913
u" bind to interface %s",
914
self.interface)
915
else:
916
raise
1771
917
# Only bind(2) the socket if we really need to.
1772
918
if self.server_address[0] or self.server_address[1]:
1773
919
if not self.server_address[0]:
1774
920
if self.address_family == socket.AF_INET6:
1775
any_address = "::" # in6addr_any
921
any_address = u"::" # in6addr_any
1776
922
else:
1777
923
any_address = socket.INADDR_ANY
1778
924
self.server_address = (any_address,
1787
933
# if_nametoindex
1788
934
# (self.interface))
1789
935
return socketserver.TCPServer.server_bind(self)
1790
1791
1792
class MandosServer(IPv6_TCPServer):
1793
"""Mandos server.
1794
1795
Attributes:
1796
clients: set of Client objects
1797
gnutls_priority GnuTLS priority string
1798
use_dbus: Boolean; to emit D-Bus signals or not
1799
1800
Assumes a gobject.MainLoop event loop.
1801
"""
1802
def __init__(self, server_address, RequestHandlerClass,
1803
interface=None, use_ipv6=True, clients=None,
1804
gnutls_priority=None, use_dbus=True):
1805
self.enabled = False
1806
self.clients = clients
1807
if self.clients is None:
1808
self.clients = {}
1809
self.use_dbus = use_dbus
1810
self.gnutls_priority = gnutls_priority
1811
IPv6_TCPServer.__init__(self, server_address,
1812
RequestHandlerClass,
1813
interface = interface,
1814
use_ipv6 = use_ipv6)
1815
936
def server_activate(self):
1816
937
if self.enabled:
1817
938
return socketserver.TCPServer.server_activate(self)
1818
1819
939
def enable(self):
1820
940
self.enabled = True
1821
1822
def add_pipe(self, parent_pipe, proc):
1823
# Call "handle_ipc" for both data and EOF events
1824
gobject.io_add_watch(parent_pipe.fileno(),
1825
gobject.IO_IN | gobject.IO_HUP,
1826
functools.partial(self.handle_ipc,
1827
parent_pipe =
1828
parent_pipe,
1829
proc = proc))
1830
1831
def handle_ipc(self, source, condition, parent_pipe=None,
1832
proc = None, client_object=None):
941
def handle_ipc(self, source, condition, file_objects={}):
1833
942
condition_names = {
1834
gobject.IO_IN: "IN", # There is data to read.
1835
gobject.IO_OUT: "OUT", # Data can be written (without
943
gobject.IO_IN: u"IN", # There is data to read.
944
gobject.IO_OUT: u"OUT", # Data can be written (without
1836
945
# blocking).
1837
gobject.IO_PRI: "PRI", # There is urgent data to read.
1838
gobject.IO_ERR: "ERR", # Error condition.
1839
gobject.IO_HUP: "HUP" # Hung up (the connection has been
946
gobject.IO_PRI: u"PRI", # There is urgent data to read.
947
gobject.IO_ERR: u"ERR", # Error condition.
948
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1840
949
# broken, usually for pipes and
1841
950
# sockets).
1842
951
}
1844
953
for cond, name in
1845
954
condition_names.iteritems()
1846
955
if cond & condition)
1847
# error, or the other end of multiprocessing.Pipe has closed
1848
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1849
# Wait for other process to exit
1850
proc.join()
1851
return False
1852
1853
# Read a request from the child
1854
request = parent_pipe.recv()
1855
command = request[0]
1856
1857
if command == 'init':
1858
fpr = request[1]
1859
address = request[2]
1860
1861
for c in self.clients.itervalues():
1862
if c.fingerprint == fpr:
1863
client = c
1864
break
1865
else:
1866
logger.info("Client not found for fingerprint: %s, ad"
1867
"dress: %s", fpr, address)
1868
if self.use_dbus:
1869
# Emit D-Bus signal
1870
mandos_dbus_service.ClientNotFound(fpr,
1871
address[0])
1872
parent_pipe.send(False)
1873
return False
1874
1875
gobject.io_add_watch(parent_pipe.fileno(),
1876
gobject.IO_IN | gobject.IO_HUP,
1877
functools.partial(self.handle_ipc,
1878
parent_pipe =
1879
parent_pipe,
1880
proc = proc,
1881
client_object =
1882
client))
1883
parent_pipe.send(True)
1884
# remove the old hook in favor of the new above hook on
1885
# same fileno
1886
return False
1887
if command == 'funcall':
1888
funcname = request[1]
1889
args = request[2]
1890
kwargs = request[3]
1891
1892
parent_pipe.send(('data', getattr(client_object,
1893
funcname)(*args,
1894
**kwargs)))
1895
1896
if command == 'getattr':
1897
attrname = request[1]
1898
if callable(client_object.__getattribute__(attrname)):
1899
parent_pipe.send(('function',))
1900
else:
1901
parent_pipe.send(('data', client_object
1902
.__getattribute__(attrname)))
1903
1904
if command == 'setattr':
1905
attrname = request[1]
1906
value = request[2]
1907
setattr(client_object, attrname, value)
1908
956
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
957
conditions_string)
958
959
# Turn the pipe file descriptor into a Python file object
960
if source not in file_objects:
961
file_objects[source] = os.fdopen(source, u"r", 1)
962
963
# Read a line from the file object
964
cmdline = file_objects[source].readline()
965
if not cmdline: # Empty line means end of file
966
# close the IPC pipe
967
file_objects[source].close()
968
del file_objects[source]
969
970
# Stop calling this function
971
return False
972
973
logger.debug(u"IPC command: %r", cmdline)
974
975
# Parse and act on command
976
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
977
978
if cmd == u"NOTFOUND":
979
logger.warning(u"Client not found for fingerprint: %s",
980
args)
981
if self.use_dbus:
982
# Emit D-Bus signal
983
mandos_dbus_service.ClientNotFound(args)
984
elif cmd == u"INVALID":
985
for client in self.clients:
986
if client.name == args:
987
logger.warning(u"Client %s is invalid", args)
988
if self.use_dbus:
989
# Emit D-Bus signal
990
client.Rejected()
991
break
992
else:
993
logger.error(u"Unknown client %s is invalid", args)
994
elif cmd == u"SENDING":
995
for client in self.clients:
996
if client.name == args:
997
logger.info(u"Sending secret to %s", client.name)
998
client.checked_ok()
999
if self.use_dbus:
1000
# Emit D-Bus signal
1001
client.ReceivedSecret()
1002
break
1003
else:
1004
logger.error(u"Sending secret to unknown client %s",
1005
args)
1006
else:
1007
logger.error(u"Unknown IPC command: %r", cmdline)
1008
1009
# Keep calling this function
1909
1010
return True
1910
1011
1911
1012
1912
1013
def string_to_delta(interval):
1913
1014
"""Parse a string and return a datetime.timedelta
1914
1015
1915
>>> string_to_delta('7d')
1016
>>> string_to_delta(u'7d')
1916
1017
datetime.timedelta(7)
1917
>>> string_to_delta('60s')
1018
>>> string_to_delta(u'60s')
1918
1019
datetime.timedelta(0, 60)
1919
>>> string_to_delta('60m')
1020
>>> string_to_delta(u'60m')
1920
1021
datetime.timedelta(0, 3600)
1921
>>> string_to_delta('24h')
1022
>>> string_to_delta(u'24h')
1922
1023
datetime.timedelta(1)
1923
>>> string_to_delta('1w')
1024
>>> string_to_delta(u'1w')
1924
1025
datetime.timedelta(7)
1925
>>> string_to_delta('5m 30s')
1026
>>> string_to_delta(u'5m 30s')
1926
1027
datetime.timedelta(0, 330)
1927
1028
"""
1928
1029
timevalue = datetime.timedelta(0)
1930
1031
try:
1931
1032
suffix = unicode(s[-1])
1932
1033
value = int(s[:-1])
1933
if suffix == "d":
1034
if suffix == u"d":
1934
1035
delta = datetime.timedelta(value)
1935
elif suffix == "s":
1036
elif suffix == u"s":
1936
1037
delta = datetime.timedelta(0, value)
1937
elif suffix == "m":
1038
elif suffix == u"m":
1938
1039
delta = datetime.timedelta(0, 0, 0, 0, value)
1939
elif suffix == "h":
1040
elif suffix == u"h":
1940
1041
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1941
elif suffix == "w":
1042
elif suffix == u"w":
1942
1043
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1943
1044
else:
1944
raise ValueError("Unknown suffix %r" % suffix)
1945
except (ValueError, IndexError) as e:
1946
raise ValueError(*(e.args))
1045
raise ValueError
1046
except (ValueError, IndexError):
1047
raise ValueError
1947
1048
timevalue += delta
1948
1049
return timevalue
1949
1050
1950
1051
1052
def server_state_changed(state):
1053
"""Derived from the Avahi example code"""
1054
if state == avahi.SERVER_COLLISION:
1055
logger.error(u"Zeroconf server name collision")
1056
service.remove()
1057
elif state == avahi.SERVER_RUNNING:
1058
service.add()
1059
1060
1061
def entry_group_state_changed(state, error):
1062
"""Derived from the Avahi example code"""
1063
logger.debug(u"Avahi state change: %i", state)
1064
1065
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1066
logger.debug(u"Zeroconf service established.")
1067
elif state == avahi.ENTRY_GROUP_COLLISION:
1068
logger.warning(u"Zeroconf service name collision.")
1069
service.rename()
1070
elif state == avahi.ENTRY_GROUP_FAILURE:
1071
logger.critical(u"Avahi: Error in group state changed %s",
1072
unicode(error))
1073
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1074
1075
def if_nametoindex(interface):
1076
"""Call the C function if_nametoindex(), or equivalent
1077
1078
Note: This function cannot accept a unicode string."""
1079
global if_nametoindex
1080
try:
1081
if_nametoindex = (ctypes.cdll.LoadLibrary
1082
(ctypes.util.find_library(u"c"))
1083
.if_nametoindex)
1084
except (OSError, AttributeError):
1085
logger.warning(u"Doing if_nametoindex the hard way")
1086
def if_nametoindex(interface):
1087
"Get an interface index the hard way, i.e. using fcntl()"
1088
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1089
with closing(socket.socket()) as s:
1090
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1091
struct.pack(str(u"16s16x"),
1092
interface))
1093
interface_index = struct.unpack(str(u"I"),
1094
ifreq[16:20])[0]
1095
return interface_index
1096
return if_nametoindex(interface)
1097
1098
1951
1099
def daemon(nochdir = False, noclose = False):
1952
1100
"""See daemon(3). Standard BSD Unix function.
1953
1101
1956
1104
sys.exit()
1957
1105
os.setsid()
1958
1106
if not nochdir:
1959
os.chdir("/")
1107
os.chdir(u"/")
1960
1108
if os.fork():
1961
1109
sys.exit()
1962
1110
if not noclose:
1964
1112
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1965
1113
if not stat.S_ISCHR(os.fstat(null).st_mode):
1966
1114
raise OSError(errno.ENODEV,
1967
"%s not a character device"
1968
% os.path.devnull)
1115
u"/dev/null not a character device")
1969
1116
os.dup2(null, sys.stdin.fileno())
1970
1117
os.dup2(null, sys.stdout.fileno())
1971
1118
os.dup2(null, sys.stderr.fileno())
1975
1122
1976
1123
def main():
1977
1124
1978
##################################################################
1125
######################################################################
1979
1126
# Parsing of options, both command line and config file
1980
1127
1981
parser = argparse.ArgumentParser()
1982
parser.add_argument("-v", "--version", action="version",
1983
version = "%%(prog)s %s" % version,
1984
help="show version number and exit")
1985
parser.add_argument("-i", "--interface", metavar="IF",
1986
help="Bind to interface IF")
1987
parser.add_argument("-a", "--address",
1988
help="Address to listen for requests on")
1989
parser.add_argument("-p", "--port", type=int,
1990
help="Port number to receive requests on")
1991
parser.add_argument("--check", action="store_true",
1992
help="Run self-test")
1993
parser.add_argument("--debug", action="store_true",
1994
help="Debug mode; run in foreground and log"
1995
" to terminal")
1996
parser.add_argument("--debuglevel", metavar="LEVEL",
1997
help="Debug level for stdout output")
1998
parser.add_argument("--priority", help="GnuTLS"
1999
" priority string (see GnuTLS documentation)")
2000
parser.add_argument("--servicename",
2001
metavar="NAME", help="Zeroconf service name")
2002
parser.add_argument("--configdir",
2003
default="/etc/mandos", metavar="DIR",
2004
help="Directory to search for configuration"
2005
" files")
2006
parser.add_argument("--no-dbus", action="store_false",
2007
dest="use_dbus", help="Do not provide D-Bus"
2008
" system bus interface")
2009
parser.add_argument("--no-ipv6", action="store_false",
2010
dest="use_ipv6", help="Do not use IPv6")
2011
parser.add_argument("--no-restore", action="store_false",
2012
dest="restore", help="Do not restore stored"
2013
" state")
2014
parser.add_argument("--statedir", metavar="DIR",
2015
help="Directory to save/restore state in")
2016
2017
options = parser.parse_args()
1128
parser = optparse.OptionParser(version = "%%prog %s" % version)
1129
parser.add_option("-i", u"--interface", type=u"string",
1130
metavar="IF", help=u"Bind to interface IF")
1131
parser.add_option("-a", u"--address", type=u"string",
1132
help=u"Address to listen for requests on")
1133
parser.add_option("-p", u"--port", type=u"int",
1134
help=u"Port number to receive requests on")
1135
parser.add_option("--check", action=u"store_true",
1136
help=u"Run self-test")
1137
parser.add_option("--debug", action=u"store_true",
1138
help=u"Debug mode; run in foreground and log to"
1139
u" terminal")
1140
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1141
u" priority string (see GnuTLS documentation)")
1142
parser.add_option("--servicename", type=u"string",
1143
metavar=u"NAME", help=u"Zeroconf service name")
1144
parser.add_option("--configdir", type=u"string",
1145
default=u"/etc/mandos", metavar=u"DIR",
1146
help=u"Directory to search for configuration"
1147
u" files")
1148
parser.add_option("--no-dbus", action=u"store_false",
1149
dest=u"use_dbus", help=u"Do not provide D-Bus"
1150
u" system bus interface")
1151
parser.add_option("--no-ipv6", action=u"store_false",
1152
dest=u"use_ipv6", help=u"Do not use IPv6")
1153
options = parser.parse_args()[0]
2018
1154
2019
1155
if options.check:
2020
1156
import doctest
2022
1158
sys.exit()
2023
1159
2024
1160
# Default values for config file for server-global settings
2025
server_defaults = { "interface": "",
2026
"address": "",
2027
"port": "",
2028
"debug": "False",
2029
"priority":
2030
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2031
"servicename": "Mandos",
2032
"use_dbus": "True",
2033
"use_ipv6": "True",
2034
"debuglevel": "",
2035
"restore": "True",
2036
"statedir": "/var/lib/mandos"
1161
server_defaults = { u"interface": u"",
1162
u"address": u"",
1163
u"port": u"",
1164
u"debug": u"False",
1165
u"priority":
1166
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1167
u"servicename": u"Mandos",
1168
u"use_dbus": u"True",
1169
u"use_ipv6": u"True",
2037
1170
}
2038
1171
2039
1172
# Parse config file for server-global settings
2040
1173
server_config = configparser.SafeConfigParser(server_defaults)
2041
1174
del server_defaults
2042
1175
server_config.read(os.path.join(options.configdir,
2043
"mandos.conf"))
1176
u"mandos.conf"))
2044
1177
# Convert the SafeConfigParser object to a dict
2045
1178
server_settings = server_config.defaults()
2046
1179
# Use the appropriate methods on the non-string config options
2047
for option in ("debug", "use_dbus", "use_ipv6"):
2048
server_settings[option] = server_config.getboolean("DEFAULT",
1180
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1181
server_settings[option] = server_config.getboolean(u"DEFAULT",
2049
1182
option)
2050
1183
if server_settings["port"]:
2051
server_settings["port"] = server_config.getint("DEFAULT",
2052
"port")
1184
server_settings["port"] = server_config.getint(u"DEFAULT",
1185
u"port")
2053
1186
del server_config
2054
1187
2055
1188
# Override the settings from the config file with command line
2056
1189
# options, if set.
2057
for option in ("interface", "address", "port", "debug",
2058
"priority", "servicename", "configdir",
2059
"use_dbus", "use_ipv6", "debuglevel", "restore",
2060
"statedir"):
1190
for option in (u"interface", u"address", u"port", u"debug",
1191
u"priority", u"servicename", u"configdir",
1192
u"use_dbus", u"use_ipv6"):
2061
1193
value = getattr(options, option)
2062
1194
if value is not None:
2063
1195
server_settings[option] = value
2071
1203
##################################################################
2072
1204
2073
1205
# For convenience
2074
debug = server_settings["debug"]
2075
debuglevel = server_settings["debuglevel"]
2076
use_dbus = server_settings["use_dbus"]
2077
use_ipv6 = server_settings["use_ipv6"]
2078
stored_state_path = os.path.join(server_settings["statedir"],
2079
stored_state_file)
2080
2081
if debug:
2082
initlogger(debug, logging.DEBUG)
2083
else:
2084
if not debuglevel:
2085
initlogger(debug)
2086
else:
2087
level = getattr(logging, debuglevel.upper())
2088
initlogger(debug, level)
2089
2090
if server_settings["servicename"] != "Mandos":
1206
debug = server_settings[u"debug"]
1207
use_dbus = server_settings[u"use_dbus"]
1208
use_ipv6 = server_settings[u"use_ipv6"]
1209
1210
if not debug:
1211
syslogger.setLevel(logging.WARNING)
1212
console.setLevel(logging.WARNING)
1213
1214
if server_settings[u"servicename"] != u"Mandos":
2091
1215
syslogger.setFormatter(logging.Formatter
2092
('Mandos (%s) [%%(process)d]:'
2093
' %%(levelname)s: %%(message)s'
2094
% server_settings["servicename"]))
1216
(u'Mandos (%s) [%%(process)d]:'
1217
u' %%(levelname)s: %%(message)s'
1218
% server_settings[u"servicename"]))
2095
1219
2096
1220
# Parse config file with clients
2097
client_config = configparser.SafeConfigParser(Client.client_defaults)
2098
client_config.read(os.path.join(server_settings["configdir"],
2099
"clients.conf"))
1221
client_defaults = { u"timeout": u"1h",
1222
u"interval": u"5m",
1223
u"checker": u"fping -q -- %%(host)s",
1224
u"host": u"",
1225
}
1226
client_config = configparser.SafeConfigParser(client_defaults)
1227
client_config.read(os.path.join(server_settings[u"configdir"],
1228
u"clients.conf"))
2100
1229
2101
1230
global mandos_dbus_service
2102
1231
mandos_dbus_service = None
2103
1232
2104
tcp_server = MandosServer((server_settings["address"],
2105
server_settings["port"]),
2106
ClientHandler,
2107
interface=(server_settings["interface"]
2108
or None),
2109
use_ipv6=use_ipv6,
2110
gnutls_priority=
2111
server_settings["priority"],
2112
use_dbus=use_dbus)
2113
if not debug:
2114
pidfilename = "/var/run/mandos.pid"
2115
try:
2116
pidfile = open(pidfilename, "w")
2117
except IOError:
2118
logger.error("Could not open file %r", pidfilename)
1233
clients = set()
1234
tcp_server = IPv6_TCPServer((server_settings[u"address"],
1235
server_settings[u"port"]),
1236
ClientHandler,
1237
interface=
1238
server_settings[u"interface"],
1239
use_ipv6=use_ipv6,
1240
clients=clients,
1241
gnutls_priority=
1242
server_settings[u"priority"],
1243
use_dbus=use_dbus)
1244
pidfilename = u"/var/run/mandos.pid"
1245
try:
1246
pidfile = open(pidfilename, u"w")
1247
except IOError:
1248
logger.error(u"Could not open file %r", pidfilename)
2119
1249
2120
1250
try:
2121
uid = pwd.getpwnam("_mandos").pw_uid
2122
gid = pwd.getpwnam("_mandos").pw_gid
1251
uid = pwd.getpwnam(u"_mandos").pw_uid
1252
gid = pwd.getpwnam(u"_mandos").pw_gid
2123
1253
except KeyError:
2124
1254
try:
2125
uid = pwd.getpwnam("mandos").pw_uid
2126
gid = pwd.getpwnam("mandos").pw_gid
1255
uid = pwd.getpwnam(u"mandos").pw_uid
1256
gid = pwd.getpwnam(u"mandos").pw_gid
2127
1257
except KeyError:
2128
1258
try:
2129
uid = pwd.getpwnam("nobody").pw_uid
2130
gid = pwd.getpwnam("nobody").pw_gid
1259
uid = pwd.getpwnam(u"nobody").pw_uid
1260
gid = pwd.getpwnam(u"nobody").pw_gid
2131
1261
except KeyError:
2132
1262
uid = 65534
2133
1263
gid = 65534
2134
1264
try:
2135
1265
os.setgid(gid)
2136
1266
os.setuid(uid)
2137
except OSError as error:
1267
except OSError, error:
2138
1268
if error[0] != errno.EPERM:
2139
1269
raise error
2140
1270
1271
# Enable all possible GnuTLS debugging
2141
1272
if debug:
2142
# Enable all possible GnuTLS debugging
2143
2144
1273
# "Use a log level over 10 to enable all debugging options."
2145
1274
# - GnuTLS manual
2146
1275
gnutls.library.functions.gnutls_global_set_log_level(11)
2147
1276
2148
1277
@gnutls.library.types.gnutls_log_func
2149
1278
def debug_gnutls(level, string):
2150
logger.debug("GnuTLS: %s", string[:-1])
1279
logger.debug(u"GnuTLS: %s", string[:-1])
2151
1280
2152
1281
(gnutls.library.functions
2153
1282
.gnutls_global_set_log_function(debug_gnutls))
2154
2155
# Redirect stdin so all checkers get /dev/null
2156
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2157
os.dup2(null, sys.stdin.fileno())
2158
if null > 2:
2159
os.close(null)
2160
2161
# Need to fork before connecting to D-Bus
2162
if not debug:
2163
# Close all input and output, do double fork, etc.
2164
daemon()
2165
2166
gobject.threads_init()
1283
1284
global service
1285
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1286
service = AvahiService(name = server_settings[u"servicename"],
1287
servicetype = u"_mandos._tcp",
1288
protocol = protocol)
1289
if server_settings["interface"]:
1290
service.interface = (if_nametoindex
1291
(str(server_settings[u"interface"])))
2167
1292
2168
1293
global main_loop
1294
global bus
1295
global server
2169
1296
# From the Avahi example code
2170
1297
DBusGMainLoop(set_as_default=True )
2171
1298
main_loop = gobject.MainLoop()
2172
1299
bus = dbus.SystemBus()
1300
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1301
avahi.DBUS_PATH_SERVER),
1302
avahi.DBUS_INTERFACE_SERVER)
2173
1303
# End of Avahi example code
2174
1304
if use_dbus:
2175
try:
2176
bus_name = dbus.service.BusName("se.recompile.Mandos",
2177
bus, do_not_queue=True)
2178
old_bus_name = (dbus.service.BusName
2179
("se.bsnet.fukt.Mandos", bus,
2180
do_not_queue=True))
2181
except dbus.exceptions.NameExistsException as e:
2182
logger.error(unicode(e) + ", disabling D-Bus")
2183
use_dbus = False
2184
server_settings["use_dbus"] = False
2185
tcp_server.use_dbus = False
2186
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2187
service = AvahiServiceToSyslog(name =
2188
server_settings["servicename"],
2189
servicetype = "_mandos._tcp",
2190
protocol = protocol, bus = bus)
2191
if server_settings["interface"]:
2192
service.interface = (if_nametoindex
2193
(str(server_settings["interface"])))
2194
2195
global multiprocessing_manager
2196
multiprocessing_manager = multiprocessing.Manager()
1305
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
2197
1306
2198
1307
client_class = Client
2199
1308
if use_dbus:
2200
client_class = functools.partial(ClientDBusTransitional,
2201
bus = bus)
2202
2203
client_settings = Client.config_parser(client_config)
2204
old_client_settings = {}
2205
clients_data = {}
2206
2207
# Get client data and settings from last running state.
2208
if server_settings["restore"]:
2209
try:
2210
with open(stored_state_path, "rb") as stored_state:
2211
clients_data, old_client_settings = (pickle.load
2212
(stored_state))
2213
os.remove(stored_state_path)
2214
except IOError as e:
2215
logger.warning("Could not load persistent state: {0}"
2216
.format(e))
2217
if e.errno != errno.ENOENT:
2218
raise
2219
except EOFError as e:
2220
logger.warning("Could not load persistent state: "
2221
"EOFError: {0}".format(e))
2222
2223
with PGPEngine() as pgp:
2224
for client_name, client in clients_data.iteritems():
2225
# Decide which value to use after restoring saved state.
2226
# We have three different values: Old config file,
2227
# new config file, and saved state.
2228
# New config value takes precedence if it differs from old
2229
# config value, otherwise use saved state.
2230
for name, value in client_settings[client_name].items():
2231
try:
2232
# For each value in new config, check if it
2233
# differs from the old config value (Except for
2234
# the "secret" attribute)
2235
if (name != "secret" and
2236
value != old_client_settings[client_name]
2237
[name]):
2238
client[name] = value
2239
except KeyError:
2240
pass
2241
2242
# Clients who has passed its expire date can still be
2243
# enabled if its last checker was successful. Clients
2244
# whose checker failed before we stored its state is
2245
# assumed to have failed all checkers during downtime.
2246
if client["enabled"]:
2247
if datetime.datetime.utcnow() >= client["expires"]:
2248
if not client["last_checked_ok"]:
2249
logger.warning(
2250
"disabling client {0} - Client never "
2251
"performed a successfull checker"
2252
.format(client["name"]))
2253
client["enabled"] = False
2254
elif client["last_checker_status"] != 0:
2255
logger.warning(
2256
"disabling client {0} - Client "
2257
"last checker failed with error code {1}"
2258
.format(client["name"],
2259
client["last_checker_status"]))
2260
client["enabled"] = False
2261
else:
2262
client["expires"] = (datetime.datetime
2263
.utcnow()
2264
+ client["timeout"])
2265
2266
try:
2267
client["secret"] = (
2268
pgp.decrypt(client["encrypted_secret"],
2269
client_settings[client_name]
2270
["secret"]))
2271
except PGPError:
2272
# If decryption fails, we use secret from new settings
2273
logger.debug("Failed to decrypt {0} old secret"
2274
.format(client_name))
2275
client["secret"] = (
2276
client_settings[client_name]["secret"])
2277
2278
2279
# Add/remove clients based on new changes made to config
2280
for client_name in set(old_client_settings) - set(client_settings):
2281
del clients_data[client_name]
2282
for client_name in set(client_settings) - set(old_client_settings):
2283
clients_data[client_name] = client_settings[client_name]
2284
2285
# Create clients all clients
2286
for client_name, client in clients_data.iteritems():
2287
tcp_server.clients[client_name] = client_class(
2288
name = client_name, settings = client)
2289
2290
if not tcp_server.clients:
2291
logger.warning("No clients defined")
1309
client_class = ClientDBus
1310
clients.update(set(
1311
client_class(name = section,
1312
config= dict(client_config.items(section)))
1313
for section in client_config.sections()))
1314
if not clients:
1315
logger.warning(u"No clients defined")
1316
1317
if debug:
1318
# Redirect stdin so all checkers get /dev/null
1319
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1320
os.dup2(null, sys.stdin.fileno())
1321
if null > 2:
1322
os.close(null)
1323
else:
1324
# No console logging
1325
logger.removeHandler(console)
1326
# Close all input and output, do double fork, etc.
1327
daemon()
1328
1329
try:
1330
with closing(pidfile):
1331
pid = os.getpid()
1332
pidfile.write(str(pid) + "\n")
1333
del pidfile
1334
except IOError:
1335
logger.error(u"Could not write to file %r with PID %d",
1336
pidfilename, pid)
1337
except NameError:
1338
# "pidfile" was never created
1339
pass
1340
del pidfilename
1341
1342
def cleanup():
1343
"Cleanup function; run on exit"
1344
global group
1345
# From the Avahi example code
1346
if not group is None:
1347
group.Free()
1348
group = None
1349
# End of Avahi example code
2292
1350
1351
while clients:
1352
client = clients.pop()
1353
client.disable_hook = None
1354
client.disable()
1355
1356
atexit.register(cleanup)
1357
2293
1358
if not debug:
2294
try:
2295
with pidfile:
2296
pid = os.getpid()
2297
pidfile.write(str(pid) + "\n".encode("utf-8"))
2298
del pidfile
2299
except IOError:
2300
logger.error("Could not write to file %r with PID %d",
2301
pidfilename, pid)
2302
except NameError:
2303
# "pidfile" was never created
2304
pass
2305
del pidfilename
2306
1359
signal.signal(signal.SIGINT, signal.SIG_IGN)
2307
2308
1360
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2309
1361
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2310
1362
2312
1364
class MandosDBusService(dbus.service.Object):
2313
1365
"""A D-Bus proxy object"""
2314
1366
def __init__(self):
2315
dbus.service.Object.__init__(self, bus, "/")
2316
_interface = "se.recompile.Mandos"
2317
2318
@dbus.service.signal(_interface, signature="o")
2319
def ClientAdded(self, objpath):
2320
"D-Bus signal"
2321
pass
2322
2323
@dbus.service.signal(_interface, signature="ss")
2324
def ClientNotFound(self, fingerprint, address):
2325
"D-Bus signal"
2326
pass
2327
2328
@dbus.service.signal(_interface, signature="os")
1367
dbus.service.Object.__init__(self, bus, u"/")
1368
_interface = u"se.bsnet.fukt.Mandos"
1369
1370
@dbus.service.signal(_interface, signature=u"oa{sv}")
1371
def ClientAdded(self, objpath, properties):
1372
"D-Bus signal"
1373
pass
1374
1375
@dbus.service.signal(_interface, signature=u"s")
1376
def ClientNotFound(self, fingerprint):
1377
"D-Bus signal"
1378
pass
1379
1380
@dbus.service.signal(_interface, signature=u"os")
2329
1381
def ClientRemoved(self, objpath, name):
2330
1382
"D-Bus signal"
2331
1383
pass
2332
1384
2333
@dbus.service.method(_interface, out_signature="ao")
1385
@dbus.service.method(_interface, out_signature=u"ao")
2334
1386
def GetAllClients(self):
2335
1387
"D-Bus method"
2336
return dbus.Array(c.dbus_object_path
2337
for c in
2338
tcp_server.clients.itervalues())
1388
return dbus.Array(c.dbus_object_path for c in clients)
2339
1389
2340
1390
@dbus.service.method(_interface,
2341
out_signature="a{oa{sv}}")
1391
out_signature=u"a{oa{sv}}")
2342
1392
def GetAllClientsWithProperties(self):
2343
1393
"D-Bus method"
2344
1394
return dbus.Dictionary(
2345
((c.dbus_object_path, c.GetAll(""))
2346
for c in tcp_server.clients.itervalues()),
2347
signature="oa{sv}")
1395
((c.dbus_object_path, c.GetAllProperties())
1396
for c in clients),
1397
signature=u"oa{sv}")
2348
1398
2349
@dbus.service.method(_interface, in_signature="o")
1399
@dbus.service.method(_interface, in_signature=u"o")
2350
1400
def RemoveClient(self, object_path):
2351
1401
"D-Bus method"
2352
for c in tcp_server.clients.itervalues():
1402
for c in clients:
2353
1403
if c.dbus_object_path == object_path:
2354
del tcp_server.clients[c.name]
1404
clients.remove(c)
2355
1405
c.remove_from_connection()
2356
1406
# Don't signal anything except ClientRemoved
2357
c.disable(quiet=True)
1407
c.disable(signal=False)
2358
1408
# Emit D-Bus signal
2359
1409
self.ClientRemoved(object_path, c.name)
2360
1410
return
2361
raise KeyError(object_path)
1411
raise KeyError
2362
1412
2363
1413
del _interface
2364
1414
2365
class MandosDBusServiceTransitional(MandosDBusService):
2366
__metaclass__ = AlternateDBusNamesMetaclass
2367
mandos_dbus_service = MandosDBusServiceTransitional()
2368
2369
def cleanup():
2370
"Cleanup function; run on exit"
2371
service.cleanup()
2372
2373
multiprocessing.active_children()
2374
if not (tcp_server.clients or client_settings):
2375
return
2376
2377
# Store client before exiting. Secrets are encrypted with key
2378
# based on what config file has. If config file is
2379
# removed/edited, old secret will thus be unrecovable.
2380
clients = {}
2381
with PGPEngine() as pgp:
2382
for client in tcp_server.clients.itervalues():
2383
key = client_settings[client.name]["secret"]
2384
client.encrypted_secret = pgp.encrypt(client.secret,
2385
key)
2386
client_dict = {}
2387
2388
# A list of attributes that can not be pickled
2389
# + secret.
2390
exclude = set(("bus", "changedstate", "secret",
2391
"checker"))
2392
for name, typ in (inspect.getmembers
2393
(dbus.service.Object)):
2394
exclude.add(name)
2395
2396
client_dict["encrypted_secret"] = (client
2397
.encrypted_secret)
2398
for attr in client.client_structure:
2399
if attr not in exclude:
2400
client_dict[attr] = getattr(client, attr)
2401
2402
clients[client.name] = client_dict
2403
del client_settings[client.name]["secret"]
2404
2405
try:
2406
tempfd, tempname = tempfile.mkstemp(suffix=".pickle",
2407
prefix="clients-",
2408
dir=os.path.dirname
2409
(stored_state_path))
2410
with os.fdopen(tempfd, "wb") as stored_state:
2411
pickle.dump((clients, client_settings), stored_state)
2412
os.rename(tempname, stored_state_path)
2413
except (IOError, OSError) as e:
2414
logger.warning("Could not save persistent state: {0}"
2415
.format(e))
2416
if not debug:
2417
try:
2418
os.remove(tempname)
2419
except NameError:
2420
pass
2421
if e.errno not in set((errno.ENOENT, errno.EACCES,
2422
errno.EEXIST)):
2423
raise e
2424
2425
# Delete all clients, and settings from config
2426
while tcp_server.clients:
2427
name, client = tcp_server.clients.popitem()
2428
if use_dbus:
2429
client.remove_from_connection()
2430
# Don't signal anything except ClientRemoved
2431
client.disable(quiet=True)
2432
if use_dbus:
2433
# Emit D-Bus signal
2434
mandos_dbus_service.ClientRemoved(client
2435
.dbus_object_path,
2436
client.name)
2437
client_settings.clear()
2438
2439
atexit.register(cleanup)
2440
2441
for client in tcp_server.clients.itervalues():
1415
mandos_dbus_service = MandosDBusService()
1416
1417
for client in clients:
2442
1418
if use_dbus:
2443
1419
# Emit D-Bus signal
2444
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2445
# Need to initiate checking of clients
2446
if client.enabled:
2447
client.init_checker()
1420
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1421
client.GetAllProperties())
1422
client.enable()
2448
1423
2449
1424
tcp_server.enable()
2450
1425
tcp_server.server_activate()
2452
1427
# Find out what port we got
2453
1428
service.port = tcp_server.socket.getsockname()[1]
2454
1429
if use_ipv6:
2455
logger.info("Now listening on address %r, port %d,"
1430
logger.info(u"Now listening on address %r, port %d,"
2456
1431
" flowinfo %d, scope_id %d"
2457
1432
% tcp_server.socket.getsockname())
2458
1433
else: # IPv4
2459
logger.info("Now listening on address %r, port %d"
1434
logger.info(u"Now listening on address %r, port %d"
2460
1435
% tcp_server.socket.getsockname())
2461
1436
2462
1437
#service.interface = tcp_server.socket.getsockname()[3]
2463
1438
2464
1439
try:
2465
1440
# From the Avahi example code
1441
server.connect_to_signal(u"StateChanged", server_state_changed)
2466
1442
try:
2467
service.activate()
2468
except dbus.exceptions.DBusException as error:
2469
logger.critical("DBusException: %s", error)
2470
cleanup()
1443
server_state_changed(server.GetState())
1444
except dbus.exceptions.DBusException, error:
1445
logger.critical(u"DBusException: %s", error)
2471
1446
sys.exit(1)
2472
1447
# End of Avahi example code
2473
1448
2476
1451
(tcp_server.handle_request
2477
1452
(*args[2:], **kwargs) or True))
2478
1453
2479
logger.debug("Starting main loop")
1454
logger.debug(u"Starting main loop")
2480
1455
main_loop.run()
2481
except AvahiError as error:
2482
logger.critical("AvahiError: %s", error)
2483
cleanup()
1456
except AvahiError, error:
1457
logger.critical(u"AvahiError: %s", error)
2484
1458
sys.exit(1)
2485
1459
except KeyboardInterrupt:
2486
1460
if debug:
2487
print("", file=sys.stderr)
2488
logger.debug("Server received KeyboardInterrupt")
2489
logger.debug("Server exiting")
2490
# Must run before the D-Bus bus name gets deregistered
2491
cleanup()
1461
print >> sys.stderr
1462
logger.debug(u"Server received KeyboardInterrupt")
1463
logger.debug(u"Server exiting")
2492
1464
2493
1465
if __name__ == '__main__':
2494
1466
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0