To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 341
- compare with another revision
- download diff
- download tarball
- view history from revision 341
- Committer: Teddy Hogeborn
- Date: 2009-04-17 01:16:37 UTC
- Revision ID: teddy@fukt.bsnet.se-20090417011637-bcqjpm7fskm4370v
Code cleanup and one bug fix.
* mandos (Client.enable): Bug fix: Do not enable if already enabled.
(MandosServer.__init__): Create empty set of clients if none passed.
(main): Do not create clients set; do not pass a clients set to
MandosServer. Use tcp_server.clients throughout.
* mandos (Client.enable): Bug fix: Do not enable if already enabled.
(MandosServer.__init__): Create empty set of clients if none passed.
(main): Do not create clients set; do not pass a clients set to
MandosServer. Use tcp_server.clients throughout.
- files removed:
- DBUS-API
- debian/source
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2012 Teddy Hogeborn
15
# Copyright © 2008-2012 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@recompile.se>.
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
36
37
from future_builtins import *
34
from __future__ import division, with_statement, absolute_import
38
35
39
36
import SocketServer as socketserver
40
37
import socket
41
import argparse
38
import optparse
42
39
import datetime
43
40
import errno
44
41
import gnutls.crypto
58
55
import logging
59
56
import logging.handlers
60
57
import pwd
61
import contextlib
58
from contextlib import closing
62
59
import struct
63
60
import fcntl
64
61
import functools
65
import cPickle as pickle
66
import multiprocessing
67
import types
68
import binascii
69
import tempfile
70
import itertools
71
import collections
72
62
73
63
import dbus
74
64
import dbus.service
77
67
from dbus.mainloop.glib import DBusGMainLoop
78
68
import ctypes
79
69
import ctypes.util
80
import xml.dom.minidom
81
import inspect
82
import GnuPGInterface
83
70
84
71
try:
85
72
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
89
76
except ImportError:
90
77
SO_BINDTODEVICE = None
91
78
92
version = "1.6.0"
93
stored_state_file = "clients.pickle"
94
95
logger = logging.getLogger()
79
80
version = "1.0.8"
81
82
logger = logging.Logger(u'mandos')
96
83
syslogger = (logging.handlers.SysLogHandler
97
84
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
98
address = str("/dev/log")))
99
100
try:
101
if_nametoindex = (ctypes.cdll.LoadLibrary
102
(ctypes.util.find_library("c"))
103
.if_nametoindex)
104
except (OSError, AttributeError):
105
def if_nametoindex(interface):
106
"Get an interface index the hard way, i.e. using fcntl()"
107
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
108
with contextlib.closing(socket.socket()) as s:
109
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
110
struct.pack(str("16s16x"),
111
interface))
112
interface_index = struct.unpack(str("I"),
113
ifreq[16:20])[0]
114
return interface_index
115
116
117
def initlogger(debug, level=logging.WARNING):
118
"""init logger and add loglevel"""
119
120
syslogger.setFormatter(logging.Formatter
121
('Mandos [%(process)d]: %(levelname)s:'
122
' %(message)s'))
123
logger.addHandler(syslogger)
124
125
if debug:
126
console = logging.StreamHandler()
127
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
128
' [%(process)d]:'
129
' %(levelname)s:'
130
' %(message)s'))
131
logger.addHandler(console)
132
logger.setLevel(level)
133
134
135
class PGPError(Exception):
136
"""Exception if encryption/decryption fails"""
137
pass
138
139
140
class PGPEngine(object):
141
"""A simple class for OpenPGP symmetric encryption & decryption"""
142
def __init__(self):
143
self.gnupg = GnuPGInterface.GnuPG()
144
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
145
self.gnupg = GnuPGInterface.GnuPG()
146
self.gnupg.options.meta_interactive = False
147
self.gnupg.options.homedir = self.tempdir
148
self.gnupg.options.extra_args.extend(['--force-mdc',
149
'--quiet',
150
'--no-use-agent'])
151
152
def __enter__(self):
153
return self
154
155
def __exit__(self, exc_type, exc_value, traceback):
156
self._cleanup()
157
return False
158
159
def __del__(self):
160
self._cleanup()
161
162
def _cleanup(self):
163
if self.tempdir is not None:
164
# Delete contents of tempdir
165
for root, dirs, files in os.walk(self.tempdir,
166
topdown = False):
167
for filename in files:
168
os.remove(os.path.join(root, filename))
169
for dirname in dirs:
170
os.rmdir(os.path.join(root, dirname))
171
# Remove tempdir
172
os.rmdir(self.tempdir)
173
self.tempdir = None
174
175
def password_encode(self, password):
176
# Passphrase can not be empty and can not contain newlines or
177
# NUL bytes. So we prefix it and hex encode it.
178
return b"mandos" + binascii.hexlify(password)
179
180
def encrypt(self, data, password):
181
self.gnupg.passphrase = self.password_encode(password)
182
with open(os.devnull, "w") as devnull:
183
try:
184
proc = self.gnupg.run(['--symmetric'],
185
create_fhs=['stdin', 'stdout'],
186
attach_fhs={'stderr': devnull})
187
with contextlib.closing(proc.handles['stdin']) as f:
188
f.write(data)
189
with contextlib.closing(proc.handles['stdout']) as f:
190
ciphertext = f.read()
191
proc.wait()
192
except IOError as e:
193
raise PGPError(e)
194
self.gnupg.passphrase = None
195
return ciphertext
196
197
def decrypt(self, data, password):
198
self.gnupg.passphrase = self.password_encode(password)
199
with open(os.devnull, "w") as devnull:
200
try:
201
proc = self.gnupg.run(['--decrypt'],
202
create_fhs=['stdin', 'stdout'],
203
attach_fhs={'stderr': devnull})
204
with contextlib.closing(proc.handles['stdin']) as f:
205
f.write(data)
206
with contextlib.closing(proc.handles['stdout']) as f:
207
decrypted_plaintext = f.read()
208
proc.wait()
209
except IOError as e:
210
raise PGPError(e)
211
self.gnupg.passphrase = None
212
return decrypted_plaintext
213
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
89
logger.addHandler(syslogger)
90
91
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
95
logger.addHandler(console)
214
96
215
97
class AvahiError(Exception):
216
98
def __init__(self, value, *args, **kwargs):
232
114
Attributes:
233
115
interface: integer; avahi.IF_UNSPEC or an interface index.
234
116
Used to optionally bind to the specified interface.
235
name: string; Example: 'Mandos'
236
type: string; Example: '_mandos._tcp'.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
237
119
See <http://www.dns-sd.org/ServiceTypes.html>
238
120
port: integer; what port to announce
239
121
TXT: list of strings; TXT record for the service
246
128
server: D-Bus Server
247
129
bus: dbus.SystemBus()
248
130
"""
249
250
131
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
251
132
servicetype = None, port = None, TXT = None,
252
domain = "", host = "", max_renames = 32768,
133
domain = u"", host = u"", max_renames = 32768,
253
134
protocol = avahi.PROTO_UNSPEC, bus = None):
254
135
self.interface = interface
255
136
self.name = name
264
145
self.group = None # our entry group
265
146
self.server = None
266
147
self.bus = bus
267
self.entry_group_state_changed_match = None
268
269
148
def rename(self):
270
149
"""Derived from the Avahi example code"""
271
150
if self.rename_count >= self.max_renames:
272
logger.critical("No suitable Zeroconf service name found"
273
" after %i retries, exiting.",
151
logger.critical(u"No suitable Zeroconf service name found"
152
u" after %i retries, exiting.",
274
153
self.rename_count)
275
raise AvahiServiceError("Too many renames")
276
self.name = unicode(self.server
277
.GetAlternativeServiceName(self.name))
278
logger.info("Changing Zeroconf service name to %r ...",
279
self.name)
154
raise AvahiServiceError(u"Too many renames")
155
self.name = self.server.GetAlternativeServiceName(self.name)
156
logger.info(u"Changing Zeroconf service name to %r ...",
157
unicode(self.name))
158
syslogger.setFormatter(logging.Formatter
159
(u'Mandos (%s) [%%(process)d]:'
160
u' %%(levelname)s: %%(message)s'
161
% self.name))
280
162
self.remove()
281
try:
282
self.add()
283
except dbus.exceptions.DBusException as error:
284
logger.critical("D-Bus Exception", exc_info=error)
285
self.cleanup()
286
os._exit(1)
163
self.add()
287
164
self.rename_count += 1
288
289
165
def remove(self):
290
166
"""Derived from the Avahi example code"""
291
if self.entry_group_state_changed_match is not None:
292
self.entry_group_state_changed_match.remove()
293
self.entry_group_state_changed_match = None
294
167
if self.group is not None:
295
168
self.group.Reset()
296
297
169
def add(self):
298
170
"""Derived from the Avahi example code"""
299
self.remove()
300
171
if self.group is None:
301
172
self.group = dbus.Interface(
302
173
self.bus.get_object(avahi.DBUS_NAME,
303
174
self.server.EntryGroupNew()),
304
175
avahi.DBUS_INTERFACE_ENTRY_GROUP)
305
self.entry_group_state_changed_match = (
306
self.group.connect_to_signal(
307
'StateChanged', self.entry_group_state_changed))
308
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
176
self.group.connect_to_signal('StateChanged',
177
self.entry_group_state_changed)
178
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
309
179
self.name, self.type)
310
180
self.group.AddService(
311
181
self.interface,
316
186
dbus.UInt16(self.port),
317
187
avahi.string_array_to_txt_array(self.TXT))
318
188
self.group.Commit()
319
320
189
def entry_group_state_changed(self, state, error):
321
190
"""Derived from the Avahi example code"""
322
logger.debug("Avahi entry group state change: %i", state)
191
logger.debug(u"Avahi state change: %i", state)
323
192
324
193
if state == avahi.ENTRY_GROUP_ESTABLISHED:
325
logger.debug("Zeroconf service established.")
194
logger.debug(u"Zeroconf service established.")
326
195
elif state == avahi.ENTRY_GROUP_COLLISION:
327
logger.info("Zeroconf service name collision.")
196
logger.warning(u"Zeroconf service name collision.")
328
197
self.rename()
329
198
elif state == avahi.ENTRY_GROUP_FAILURE:
330
logger.critical("Avahi: Error in group state changed %s",
199
logger.critical(u"Avahi: Error in group state changed %s",
331
200
unicode(error))
332
raise AvahiGroupError("State changed: {0!s}"
333
.format(error))
334
201
raise AvahiGroupError(u"State changed: %s"
202
% unicode(error))
335
203
def cleanup(self):
336
204
"""Derived from the Avahi example code"""
337
205
if self.group is not None:
338
try:
339
self.group.Free()
340
except (dbus.exceptions.UnknownMethodException,
341
dbus.exceptions.DBusException):
342
pass
206
self.group.Free()
343
207
self.group = None
344
self.remove()
345
346
def server_state_changed(self, state, error=None):
208
def server_state_changed(self, state):
347
209
"""Derived from the Avahi example code"""
348
logger.debug("Avahi server state change: %i", state)
349
bad_states = { avahi.SERVER_INVALID:
350
"Zeroconf server invalid",
351
avahi.SERVER_REGISTERING: None,
352
avahi.SERVER_COLLISION:
353
"Zeroconf server name collision",
354
avahi.SERVER_FAILURE:
355
"Zeroconf server failure" }
356
if state in bad_states:
357
if bad_states[state] is not None:
358
if error is None:
359
logger.error(bad_states[state])
360
else:
361
logger.error(bad_states[state] + ": %r", error)
362
self.cleanup()
210
if state == avahi.SERVER_COLLISION:
211
logger.error(u"Zeroconf server name collision")
212
self.remove()
363
213
elif state == avahi.SERVER_RUNNING:
364
214
self.add()
365
else:
366
if error is None:
367
logger.debug("Unknown state: %r", state)
368
else:
369
logger.debug("Unknown state: %r: %r", state, error)
370
371
215
def activate(self):
372
216
"""Derived from the Avahi example code"""
373
217
if self.server is None:
374
218
self.server = dbus.Interface(
375
219
self.bus.get_object(avahi.DBUS_NAME,
376
avahi.DBUS_PATH_SERVER,
377
follow_name_owner_changes=True),
220
avahi.DBUS_PATH_SERVER),
378
221
avahi.DBUS_INTERFACE_SERVER)
379
self.server.connect_to_signal("StateChanged",
222
self.server.connect_to_signal(u"StateChanged",
380
223
self.server_state_changed)
381
224
self.server_state_changed(self.server.GetState())
382
225
383
226
384
class AvahiServiceToSyslog(AvahiService):
385
def rename(self):
386
"""Add the new name to the syslog messages"""
387
ret = AvahiService.rename(self)
388
syslogger.setFormatter(logging.Formatter
389
('Mandos ({0}) [%(process)d]:'
390
' %(levelname)s: %(message)s'
391
.format(self.name)))
392
return ret
393
394
395
def timedelta_to_milliseconds(td):
396
"Convert a datetime.timedelta() to milliseconds"
397
return ((td.days * 24 * 60 * 60 * 1000)
398
+ (td.seconds * 1000)
399
+ (td.microseconds // 1000))
400
401
402
227
class Client(object):
403
228
"""A representation of a client host served by this server.
404
229
405
230
Attributes:
406
approved: bool(); 'None' if not yet approved/disapproved
407
approval_delay: datetime.timedelta(); Time to wait for approval
408
approval_duration: datetime.timedelta(); Duration of one approval
231
name: string; from the config file, used in log messages and
232
D-Bus identifiers
233
fingerprint: string (40 or 32 hexadecimal digits); used to
234
uniquely identify the client
235
secret: bytestring; sent verbatim (over TLS) to client
236
host: string; available for use by the checker command
237
created: datetime.datetime(); (UTC) object creation
238
last_enabled: datetime.datetime(); (UTC)
239
enabled: bool()
240
last_checked_ok: datetime.datetime(); (UTC) or None
241
timeout: datetime.timedelta(); How long from last_checked_ok
242
until this client is invalid
243
interval: datetime.timedelta(); How often to start a new checker
244
disable_hook: If set, called by disable() as disable_hook(self)
409
245
checker: subprocess.Popen(); a running checker process used
410
246
to see if the client lives.
411
247
'None' if no process is running.
412
checker_callback_tag: a gobject event source tag, or None
413
checker_command: string; External command which is run to check
414
if client lives. %() expansions are done at
248
checker_initiator_tag: a gobject event source tag, or None
249
disable_initiator_tag: - '' -
250
checker_callback_tag: - '' -
251
checker_command: string; External command which is run to check if
252
client lives. %() expansions are done at
415
253
runtime with vars(self) as dict, so that for
416
254
instance %(name)s can be used in the command.
417
checker_initiator_tag: a gobject event source tag, or None
418
created: datetime.datetime(); (UTC) object creation
419
client_structure: Object describing what attributes a client has
420
and is used for storing the client at exit
421
255
current_checker_command: string; current running checker_command
422
disable_initiator_tag: a gobject event source tag, or None
423
enabled: bool()
424
fingerprint: string (40 or 32 hexadecimal digits); used to
425
uniquely identify the client
426
host: string; available for use by the checker command
427
interval: datetime.timedelta(); How often to start a new checker
428
last_approval_request: datetime.datetime(); (UTC) or None
429
last_checked_ok: datetime.datetime(); (UTC) or None
430
last_checker_status: integer between 0 and 255 reflecting exit
431
status of last checker. -1 reflects crashed
432
checker, -2 means no checker completed yet.
433
last_enabled: datetime.datetime(); (UTC) or None
434
name: string; from the config file, used in log messages and
435
D-Bus identifiers
436
secret: bytestring; sent verbatim (over TLS) to client
437
timeout: datetime.timedelta(); How long from last_checked_ok
438
until this client is disabled
439
extended_timeout: extra long timeout when secret has been sent
440
runtime_expansions: Allowed attributes for runtime expansion.
441
expires: datetime.datetime(); time (UTC) when a client will be
442
disabled, or None
443
256
"""
444
257
445
runtime_expansions = ("approval_delay", "approval_duration",
446
"created", "enabled", "expires",
447
"fingerprint", "host", "interval",
448
"last_approval_request", "last_checked_ok",
449
"last_enabled", "name", "timeout")
450
client_defaults = { "timeout": "PT5M",
451
"extended_timeout": "PT15M",
452
"interval": "PT2M",
453
"checker": "fping -q -- %%(host)s",
454
"host": "",
455
"approval_delay": "PT0S",
456
"approval_duration": "PT1S",
457
"approved_by_default": "True",
458
"enabled": "True",
459
}
258
@staticmethod
259
def _datetime_to_milliseconds(dt):
260
"Convert a datetime.datetime() to milliseconds"
261
return ((dt.days * 24 * 60 * 60 * 1000)
262
+ (dt.seconds * 1000)
263
+ (dt.microseconds // 1000))
460
264
461
265
def timeout_milliseconds(self):
462
266
"Return the 'timeout' attribute in milliseconds"
463
return timedelta_to_milliseconds(self.timeout)
464
465
def extended_timeout_milliseconds(self):
466
"Return the 'extended_timeout' attribute in milliseconds"
467
return timedelta_to_milliseconds(self.extended_timeout)
267
return self._datetime_to_milliseconds(self.timeout)
468
268
469
269
def interval_milliseconds(self):
470
270
"Return the 'interval' attribute in milliseconds"
471
return timedelta_to_milliseconds(self.interval)
472
473
def approval_delay_milliseconds(self):
474
return timedelta_to_milliseconds(self.approval_delay)
475
476
@staticmethod
477
def config_parser(config):
478
"""Construct a new dict of client settings of this form:
479
{ client_name: {setting_name: value, ...}, ...}
480
with exceptions for any special settings as defined above.
481
NOTE: Must be a pure function. Must return the same result
482
value given the same arguments.
483
"""
484
settings = {}
485
for client_name in config.sections():
486
section = dict(config.items(client_name))
487
client = settings[client_name] = {}
488
489
client["host"] = section["host"]
490
# Reformat values from string types to Python types
491
client["approved_by_default"] = config.getboolean(
492
client_name, "approved_by_default")
493
client["enabled"] = config.getboolean(client_name,
494
"enabled")
495
496
client["fingerprint"] = (section["fingerprint"].upper()
497
.replace(" ", ""))
498
if "secret" in section:
499
client["secret"] = section["secret"].decode("base64")
500
elif "secfile" in section:
501
with open(os.path.expanduser(os.path.expandvars
502
(section["secfile"])),
503
"rb") as secfile:
504
client["secret"] = secfile.read()
505
else:
506
raise TypeError("No secret or secfile for section {0}"
507
.format(section))
508
client["timeout"] = string_to_delta(section["timeout"])
509
client["extended_timeout"] = string_to_delta(
510
section["extended_timeout"])
511
client["interval"] = string_to_delta(section["interval"])
512
client["approval_delay"] = string_to_delta(
513
section["approval_delay"])
514
client["approval_duration"] = string_to_delta(
515
section["approval_duration"])
516
client["checker_command"] = section["checker"]
517
client["last_approval_request"] = None
518
client["last_checked_ok"] = None
519
client["last_checker_status"] = -2
520
521
return settings
522
523
def __init__(self, settings, name = None):
271
return self._datetime_to_milliseconds(self.interval)
272
273
def __init__(self, name = None, disable_hook=None, config=None):
274
"""Note: the 'checker' key in 'config' sets the
275
'checker_command' attribute and *not* the 'checker'
276
attribute."""
524
277
self.name = name
525
# adding all client settings
526
for setting, value in settings.iteritems():
527
setattr(self, setting, value)
528
529
if self.enabled:
530
if not hasattr(self, "last_enabled"):
531
self.last_enabled = datetime.datetime.utcnow()
532
if not hasattr(self, "expires"):
533
self.expires = (datetime.datetime.utcnow()
534
+ self.timeout)
535
else:
536
self.last_enabled = None
537
self.expires = None
538
539
logger.debug("Creating client %r", self.name)
278
if config is None:
279
config = {}
280
logger.debug(u"Creating client %r", self.name)
540
281
# Uppercase and remove spaces from fingerprint for later
541
282
# comparison purposes with return value from the fingerprint()
542
283
# function
543
logger.debug(" Fingerprint: %s", self.fingerprint)
544
self.created = settings.get("created",
545
datetime.datetime.utcnow())
546
547
# attributes specific for this server instance
284
self.fingerprint = (config[u"fingerprint"].upper()
285
.replace(u" ", u""))
286
logger.debug(u" Fingerprint: %s", self.fingerprint)
287
if u"secret" in config:
288
self.secret = config[u"secret"].decode(u"base64")
289
elif u"secfile" in config:
290
with closing(open(os.path.expanduser
291
(os.path.expandvars
292
(config[u"secfile"])))) as secfile:
293
self.secret = secfile.read()
294
else:
295
raise TypeError(u"No secret or secfile for client %s"
296
% self.name)
297
self.host = config.get(u"host", u"")
298
self.created = datetime.datetime.utcnow()
299
self.enabled = False
300
self.last_enabled = None
301
self.last_checked_ok = None
302
self.timeout = string_to_delta(config[u"timeout"])
303
self.interval = string_to_delta(config[u"interval"])
304
self.disable_hook = disable_hook
548
305
self.checker = None
549
306
self.checker_initiator_tag = None
550
307
self.disable_initiator_tag = None
551
308
self.checker_callback_tag = None
309
self.checker_command = config[u"checker"]
552
310
self.current_checker_command = None
553
self.approved = None
554
self.approvals_pending = 0
555
self.changedstate = (multiprocessing_manager
556
.Condition(multiprocessing_manager
557
.Lock()))
558
self.client_structure = [attr for attr in
559
self.__dict__.iterkeys()
560
if not attr.startswith("_")]
561
self.client_structure.append("client_structure")
562
563
for name, t in inspect.getmembers(type(self),
564
lambda obj:
565
isinstance(obj,
566
property)):
567
if not name.startswith("_"):
568
self.client_structure.append(name)
569
570
# Send notice to process children that client state has changed
571
def send_changedstate(self):
572
with self.changedstate:
573
self.changedstate.notify_all()
311
self.last_connect = None
574
312
575
313
def enable(self):
576
314
"""Start this client's checker and timeout hooks"""
577
if getattr(self, "enabled", False):
315
if getattr(self, u"enabled", False):
578
316
# Already enabled
579
317
return
580
self.expires = datetime.datetime.utcnow() + self.timeout
581
self.enabled = True
582
318
self.last_enabled = datetime.datetime.utcnow()
583
self.init_checker()
584
self.send_changedstate()
585
586
def disable(self, quiet=True):
587
"""Disable this client."""
588
if not getattr(self, "enabled", False):
589
return False
590
if not quiet:
591
logger.info("Disabling client %s", self.name)
592
if getattr(self, "disable_initiator_tag", None) is not None:
593
gobject.source_remove(self.disable_initiator_tag)
594
self.disable_initiator_tag = None
595
self.expires = None
596
if getattr(self, "checker_initiator_tag", None) is not None:
597
gobject.source_remove(self.checker_initiator_tag)
598
self.checker_initiator_tag = None
599
self.stop_checker()
600
self.enabled = False
601
if not quiet:
602
self.send_changedstate()
603
# Do not run this again if called by a gobject.timeout_add
604
return False
605
606
def __del__(self):
607
self.disable()
608
609
def init_checker(self):
610
319
# Schedule a new checker to be started an 'interval' from now,
611
320
# and every interval from then on.
612
if self.checker_initiator_tag is not None:
613
gobject.source_remove(self.checker_initiator_tag)
614
321
self.checker_initiator_tag = (gobject.timeout_add
615
322
(self.interval_milliseconds(),
616
323
self.start_checker))
324
# Also start a new checker *right now*.
325
self.start_checker()
617
326
# Schedule a disable() when 'timeout' has passed
618
if self.disable_initiator_tag is not None:
619
gobject.source_remove(self.disable_initiator_tag)
620
327
self.disable_initiator_tag = (gobject.timeout_add
621
328
(self.timeout_milliseconds(),
622
329
self.disable))
623
# Also start a new checker *right now*.
624
self.start_checker()
330
self.enabled = True
331
332
def disable(self):
333
"""Disable this client."""
334
if not getattr(self, "enabled", False):
335
return False
336
logger.info(u"Disabling client %s", self.name)
337
if getattr(self, u"disable_initiator_tag", False):
338
gobject.source_remove(self.disable_initiator_tag)
339
self.disable_initiator_tag = None
340
if getattr(self, u"checker_initiator_tag", False):
341
gobject.source_remove(self.checker_initiator_tag)
342
self.checker_initiator_tag = None
343
self.stop_checker()
344
if self.disable_hook:
345
self.disable_hook(self)
346
self.enabled = False
347
# Do not run this again if called by a gobject.timeout_add
348
return False
349
350
def __del__(self):
351
self.disable_hook = None
352
self.disable()
625
353
626
354
def checker_callback(self, pid, condition, command):
627
355
"""The checker has completed, so take appropriate actions."""
628
356
self.checker_callback_tag = None
629
357
self.checker = None
630
358
if os.WIFEXITED(condition):
631
self.last_checker_status = os.WEXITSTATUS(condition)
632
if self.last_checker_status == 0:
633
logger.info("Checker for %(name)s succeeded",
359
exitstatus = os.WEXITSTATUS(condition)
360
if exitstatus == 0:
361
logger.info(u"Checker for %(name)s succeeded",
634
362
vars(self))
635
363
self.checked_ok()
636
364
else:
637
logger.info("Checker for %(name)s failed",
365
logger.info(u"Checker for %(name)s failed",
638
366
vars(self))
639
367
else:
640
self.last_checker_status = -1
641
logger.warning("Checker for %(name)s crashed?",
368
logger.warning(u"Checker for %(name)s crashed?",
642
369
vars(self))
643
370
644
371
def checked_ok(self):
645
"""Assert that the client has been seen, alive and well."""
372
"""Bump up the timeout for this client.
373
374
This should only be called when the client has been seen,
375
alive and well.
376
"""
646
377
self.last_checked_ok = datetime.datetime.utcnow()
647
self.last_checker_status = 0
648
self.bump_timeout()
649
650
def bump_timeout(self, timeout=None):
651
"""Bump up the timeout for this client."""
652
if timeout is None:
653
timeout = self.timeout
654
if self.disable_initiator_tag is not None:
655
gobject.source_remove(self.disable_initiator_tag)
656
self.disable_initiator_tag = None
657
if getattr(self, "enabled", False):
658
self.disable_initiator_tag = (gobject.timeout_add
659
(timedelta_to_milliseconds
660
(timeout), self.disable))
661
self.expires = datetime.datetime.utcnow() + timeout
662
663
def need_approval(self):
664
self.last_approval_request = datetime.datetime.utcnow()
378
gobject.source_remove(self.disable_initiator_tag)
379
self.disable_initiator_tag = (gobject.timeout_add
380
(self.timeout_milliseconds(),
381
self.disable))
665
382
666
383
def start_checker(self):
667
384
"""Start a new checker subprocess if one is not running.
669
386
If a checker already exists, leave it running and do
670
387
nothing."""
671
388
# The reason for not killing a running checker is that if we
672
# did that, and if a checker (for some reason) started running
673
# slowly and taking more than 'interval' time, then the client
674
# would inevitably timeout, since no checker would get a
675
# chance to run to completion. If we instead leave running
389
# did that, then if a checker (for some reason) started
390
# running slowly and taking more than 'interval' time, the
391
# client would inevitably timeout, since no checker would get
392
# a chance to run to completion. If we instead leave running
676
393
# checkers alone, the checker would have to take more time
677
# than 'timeout' for the client to be disabled, which is as it
678
# should be.
394
# than 'timeout' for the client to be declared invalid, which
395
# is as it should be.
679
396
680
397
# If a checker exists, make sure it is not a zombie
681
try:
398
if self.checker is not None:
682
399
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
683
except (AttributeError, OSError) as error:
684
if (isinstance(error, OSError)
685
and error.errno != errno.ECHILD):
686
raise error
687
else:
688
400
if pid:
689
logger.warning("Checker was a zombie")
401
logger.warning(u"Checker was a zombie")
690
402
gobject.source_remove(self.checker_callback_tag)
691
403
self.checker_callback(pid, status,
692
404
self.current_checker_command)
693
405
# Start a new checker if needed
694
406
if self.checker is None:
695
# Escape attributes for the shell
696
escaped_attrs = dict(
697
(attr, re.escape(unicode(getattr(self, attr))))
698
for attr in
699
self.runtime_expansions)
700
407
try:
701
command = self.checker_command % escaped_attrs
702
except TypeError as error:
703
logger.error('Could not format string "%s"',
704
self.checker_command, exc_info=error)
705
return True # Try again later
408
# In case checker_command has exactly one % operator
409
command = self.checker_command % self.host
410
except TypeError:
411
# Escape attributes for the shell
412
escaped_attrs = dict((key,
413
re.escape(unicode(str(val),
414
errors=
415
u'replace')))
416
for key, val in
417
vars(self).iteritems())
418
try:
419
command = self.checker_command % escaped_attrs
420
except TypeError, error:
421
logger.error(u'Could not format string "%s":'
422
u' %s', self.checker_command, error)
423
return True # Try again later
706
424
self.current_checker_command = command
707
425
try:
708
logger.info("Starting checker %r for %s",
426
logger.info(u"Starting checker %r for %s",
709
427
command, self.name)
710
428
# We don't need to redirect stdout and stderr, since
711
429
# in normal mode, that is already done by daemon(),
713
431
# always replaced by /dev/null.)
714
432
self.checker = subprocess.Popen(command,
715
433
close_fds=True,
716
shell=True, cwd="/")
717
except OSError as error:
718
logger.error("Failed to start subprocess",
719
exc_info=error)
720
self.checker_callback_tag = (gobject.child_watch_add
721
(self.checker.pid,
722
self.checker_callback,
723
data=command))
724
# The checker may have completed before the gobject
725
# watch was added. Check for this.
726
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
727
if pid:
728
gobject.source_remove(self.checker_callback_tag)
729
self.checker_callback(pid, status, command)
434
shell=True, cwd=u"/")
435
self.checker_callback_tag = (gobject.child_watch_add
436
(self.checker.pid,
437
self.checker_callback,
438
data=command))
439
# The checker may have completed before the gobject
440
# watch was added. Check for this.
441
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
442
if pid:
443
gobject.source_remove(self.checker_callback_tag)
444
self.checker_callback(pid, status, command)
445
except OSError, error:
446
logger.error(u"Failed to start subprocess: %s",
447
error)
730
448
# Re-run this periodically if run by gobject.timeout_add
731
449
return True
732
450
735
453
if self.checker_callback_tag:
736
454
gobject.source_remove(self.checker_callback_tag)
737
455
self.checker_callback_tag = None
738
if getattr(self, "checker", None) is None:
456
if getattr(self, u"checker", None) is None:
739
457
return
740
logger.debug("Stopping checker for %(name)s", vars(self))
458
logger.debug(u"Stopping checker for %(name)s", vars(self))
741
459
try:
742
self.checker.terminate()
743
#time.sleep(0.5)
460
os.kill(self.checker.pid, signal.SIGTERM)
461
#os.sleep(0.5)
744
462
#if self.checker.poll() is None:
745
# self.checker.kill()
746
except OSError as error:
463
# os.kill(self.checker.pid, signal.SIGKILL)
464
except OSError, error:
747
465
if error.errno != errno.ESRCH: # No such process
748
466
raise
749
467
self.checker = None
750
751
752
def dbus_service_property(dbus_interface, signature="v",
753
access="readwrite", byte_arrays=False):
754
"""Decorators for marking methods of a DBusObjectWithProperties to
755
become properties on the D-Bus.
756
757
The decorated method will be called with no arguments by "Get"
758
and with one argument by "Set".
759
760
The parameters, where they are supported, are the same as
761
dbus.service.method, except there is only "signature", since the
762
type from Get() and the type sent to Set() is the same.
763
"""
764
# Encoding deeply encoded byte arrays is not supported yet by the
765
# "Set" method, so we fail early here:
766
if byte_arrays and signature != "ay":
767
raise ValueError("Byte arrays not supported for non-'ay'"
768
" signature {0!r}".format(signature))
769
def decorator(func):
770
func._dbus_is_property = True
771
func._dbus_interface = dbus_interface
772
func._dbus_signature = signature
773
func._dbus_access = access
774
func._dbus_name = func.__name__
775
if func._dbus_name.endswith("_dbus_property"):
776
func._dbus_name = func._dbus_name[:-14]
777
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
778
return func
779
return decorator
780
781
782
def dbus_interface_annotations(dbus_interface):
783
"""Decorator for marking functions returning interface annotations
784
785
Usage:
786
787
@dbus_interface_annotations("org.example.Interface")
788
def _foo(self): # Function name does not matter
789
return {"org.freedesktop.DBus.Deprecated": "true",
790
"org.freedesktop.DBus.Property.EmitsChangedSignal":
791
"false"}
792
"""
793
def decorator(func):
794
func._dbus_is_interface = True
795
func._dbus_interface = dbus_interface
796
func._dbus_name = dbus_interface
797
return func
798
return decorator
799
800
801
def dbus_annotations(annotations):
802
"""Decorator to annotate D-Bus methods, signals or properties
803
Usage:
804
805
@dbus_service_property("org.example.Interface", signature="b",
806
access="r")
807
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
808
"org.freedesktop.DBus.Property."
809
"EmitsChangedSignal": "false"})
810
def Property_dbus_property(self):
811
return dbus.Boolean(False)
812
"""
813
def decorator(func):
814
func._dbus_annotations = annotations
815
return func
816
return decorator
817
818
819
class DBusPropertyException(dbus.exceptions.DBusException):
820
"""A base class for D-Bus property-related exceptions
821
"""
822
def __unicode__(self):
823
return unicode(str(self))
824
825
826
class DBusPropertyAccessException(DBusPropertyException):
827
"""A property's access permissions disallows an operation.
828
"""
829
pass
830
831
832
class DBusPropertyNotFound(DBusPropertyException):
833
"""An attempt was made to access a non-existing property.
834
"""
835
pass
836
837
838
class DBusObjectWithProperties(dbus.service.Object):
839
"""A D-Bus object with properties.
840
841
Classes inheriting from this can use the dbus_service_property
842
decorator to expose methods as D-Bus properties. It exposes the
843
standard Get(), Set(), and GetAll() methods on the D-Bus.
844
"""
845
846
@staticmethod
847
def _is_dbus_thing(thing):
848
"""Returns a function testing if an attribute is a D-Bus thing
849
850
If called like _is_dbus_thing("method") it returns a function
851
suitable for use as predicate to inspect.getmembers().
852
"""
853
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
854
False)
855
856
def _get_all_dbus_things(self, thing):
857
"""Returns a generator of (name, attribute) pairs
858
"""
859
return ((getattr(athing.__get__(self), "_dbus_name",
860
name),
861
athing.__get__(self))
862
for cls in self.__class__.__mro__
863
for name, athing in
864
inspect.getmembers(cls,
865
self._is_dbus_thing(thing)))
866
867
def _get_dbus_property(self, interface_name, property_name):
868
"""Returns a bound method if one exists which is a D-Bus
869
property with the specified name and interface.
870
"""
871
for cls in self.__class__.__mro__:
872
for name, value in (inspect.getmembers
873
(cls,
874
self._is_dbus_thing("property"))):
875
if (value._dbus_name == property_name
876
and value._dbus_interface == interface_name):
877
return value.__get__(self)
878
879
# No such property
880
raise DBusPropertyNotFound(self.dbus_object_path + ":"
881
+ interface_name + "."
882
+ property_name)
883
884
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
885
out_signature="v")
886
def Get(self, interface_name, property_name):
887
"""Standard D-Bus property Get() method, see D-Bus standard.
888
"""
889
prop = self._get_dbus_property(interface_name, property_name)
890
if prop._dbus_access == "write":
891
raise DBusPropertyAccessException(property_name)
892
value = prop()
893
if not hasattr(value, "variant_level"):
894
return value
895
return type(value)(value, variant_level=value.variant_level+1)
896
897
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
898
def Set(self, interface_name, property_name, value):
899
"""Standard D-Bus property Set() method, see D-Bus standard.
900
"""
901
prop = self._get_dbus_property(interface_name, property_name)
902
if prop._dbus_access == "read":
903
raise DBusPropertyAccessException(property_name)
904
if prop._dbus_get_args_options["byte_arrays"]:
905
# The byte_arrays option is not supported yet on
906
# signatures other than "ay".
907
if prop._dbus_signature != "ay":
908
raise ValueError
909
value = dbus.ByteArray(b''.join(chr(byte)
910
for byte in value))
911
prop(value)
912
913
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
914
out_signature="a{sv}")
915
def GetAll(self, interface_name):
916
"""Standard D-Bus property GetAll() method, see D-Bus
917
standard.
918
919
Note: Will not include properties with access="write".
920
"""
921
properties = {}
922
for name, prop in self._get_all_dbus_things("property"):
923
if (interface_name
924
and interface_name != prop._dbus_interface):
925
# Interface non-empty but did not match
926
continue
927
# Ignore write-only properties
928
if prop._dbus_access == "write":
929
continue
930
value = prop()
931
if not hasattr(value, "variant_level"):
932
properties[name] = value
933
continue
934
properties[name] = type(value)(value, variant_level=
935
value.variant_level+1)
936
return dbus.Dictionary(properties, signature="sv")
937
938
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
939
out_signature="s",
940
path_keyword='object_path',
941
connection_keyword='connection')
942
def Introspect(self, object_path, connection):
943
"""Overloading of standard D-Bus method.
944
945
Inserts property tags and interface annotation tags.
946
"""
947
xmlstring = dbus.service.Object.Introspect(self, object_path,
948
connection)
949
try:
950
document = xml.dom.minidom.parseString(xmlstring)
951
def make_tag(document, name, prop):
952
e = document.createElement("property")
953
e.setAttribute("name", name)
954
e.setAttribute("type", prop._dbus_signature)
955
e.setAttribute("access", prop._dbus_access)
956
return e
957
for if_tag in document.getElementsByTagName("interface"):
958
# Add property tags
959
for tag in (make_tag(document, name, prop)
960
for name, prop
961
in self._get_all_dbus_things("property")
962
if prop._dbus_interface
963
== if_tag.getAttribute("name")):
964
if_tag.appendChild(tag)
965
# Add annotation tags
966
for typ in ("method", "signal", "property"):
967
for tag in if_tag.getElementsByTagName(typ):
968
annots = dict()
969
for name, prop in (self.
970
_get_all_dbus_things(typ)):
971
if (name == tag.getAttribute("name")
972
and prop._dbus_interface
973
== if_tag.getAttribute("name")):
974
annots.update(getattr
975
(prop,
976
"_dbus_annotations",
977
{}))
978
for name, value in annots.iteritems():
979
ann_tag = document.createElement(
980
"annotation")
981
ann_tag.setAttribute("name", name)
982
ann_tag.setAttribute("value", value)
983
tag.appendChild(ann_tag)
984
# Add interface annotation tags
985
for annotation, value in dict(
986
itertools.chain.from_iterable(
987
annotations().iteritems()
988
for name, annotations in
989
self._get_all_dbus_things("interface")
990
if name == if_tag.getAttribute("name")
991
)).iteritems():
992
ann_tag = document.createElement("annotation")
993
ann_tag.setAttribute("name", annotation)
994
ann_tag.setAttribute("value", value)
995
if_tag.appendChild(ann_tag)
996
# Add the names to the return values for the
997
# "org.freedesktop.DBus.Properties" methods
998
if (if_tag.getAttribute("name")
999
== "org.freedesktop.DBus.Properties"):
1000
for cn in if_tag.getElementsByTagName("method"):
1001
if cn.getAttribute("name") == "Get":
1002
for arg in cn.getElementsByTagName("arg"):
1003
if (arg.getAttribute("direction")
1004
== "out"):
1005
arg.setAttribute("name", "value")
1006
elif cn.getAttribute("name") == "GetAll":
1007
for arg in cn.getElementsByTagName("arg"):
1008
if (arg.getAttribute("direction")
1009
== "out"):
1010
arg.setAttribute("name", "props")
1011
xmlstring = document.toxml("utf-8")
1012
document.unlink()
1013
except (AttributeError, xml.dom.DOMException,
1014
xml.parsers.expat.ExpatError) as error:
1015
logger.error("Failed to override Introspection method",
1016
exc_info=error)
1017
return xmlstring
1018
1019
1020
def datetime_to_dbus(dt, variant_level=0):
1021
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1022
if dt is None:
1023
return dbus.String("", variant_level = variant_level)
1024
return dbus.String(dt.isoformat(),
1025
variant_level=variant_level)
1026
1027
1028
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1029
"""A class decorator; applied to a subclass of
1030
dbus.service.Object, it will add alternate D-Bus attributes with
1031
interface names according to the "alt_interface_names" mapping.
1032
Usage:
1033
1034
@alternate_dbus_interfaces({"org.example.Interface":
1035
"net.example.AlternateInterface"})
1036
class SampleDBusObject(dbus.service.Object):
1037
@dbus.service.method("org.example.Interface")
1038
def SampleDBusMethod():
1039
pass
1040
1041
The above "SampleDBusMethod" on "SampleDBusObject" will be
1042
reachable via two interfaces: "org.example.Interface" and
1043
"net.example.AlternateInterface", the latter of which will have
1044
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1045
"true", unless "deprecate" is passed with a False value.
1046
1047
This works for methods and signals, and also for D-Bus properties
1048
(from DBusObjectWithProperties) and interfaces (from the
1049
dbus_interface_annotations decorator).
1050
"""
1051
def wrapper(cls):
1052
for orig_interface_name, alt_interface_name in (
1053
alt_interface_names.iteritems()):
1054
attr = {}
1055
interface_names = set()
1056
# Go though all attributes of the class
1057
for attrname, attribute in inspect.getmembers(cls):
1058
# Ignore non-D-Bus attributes, and D-Bus attributes
1059
# with the wrong interface name
1060
if (not hasattr(attribute, "_dbus_interface")
1061
or not attribute._dbus_interface
1062
.startswith(orig_interface_name)):
1063
continue
1064
# Create an alternate D-Bus interface name based on
1065
# the current name
1066
alt_interface = (attribute._dbus_interface
1067
.replace(orig_interface_name,
1068
alt_interface_name))
1069
interface_names.add(alt_interface)
1070
# Is this a D-Bus signal?
1071
if getattr(attribute, "_dbus_is_signal", False):
1072
# Extract the original non-method function by
1073
# black magic
1074
nonmethod_func = (dict(
1075
zip(attribute.func_code.co_freevars,
1076
attribute.__closure__))["func"]
1077
.cell_contents)
1078
# Create a new, but exactly alike, function
1079
# object, and decorate it to be a new D-Bus signal
1080
# with the alternate D-Bus interface name
1081
new_function = (dbus.service.signal
1082
(alt_interface,
1083
attribute._dbus_signature)
1084
(types.FunctionType(
1085
nonmethod_func.func_code,
1086
nonmethod_func.func_globals,
1087
nonmethod_func.func_name,
1088
nonmethod_func.func_defaults,
1089
nonmethod_func.func_closure)))
1090
# Copy annotations, if any
1091
try:
1092
new_function._dbus_annotations = (
1093
dict(attribute._dbus_annotations))
1094
except AttributeError:
1095
pass
1096
# Define a creator of a function to call both the
1097
# original and alternate functions, so both the
1098
# original and alternate signals gets sent when
1099
# the function is called
1100
def fixscope(func1, func2):
1101
"""This function is a scope container to pass
1102
func1 and func2 to the "call_both" function
1103
outside of its arguments"""
1104
def call_both(*args, **kwargs):
1105
"""This function will emit two D-Bus
1106
signals by calling func1 and func2"""
1107
func1(*args, **kwargs)
1108
func2(*args, **kwargs)
1109
return call_both
1110
# Create the "call_both" function and add it to
1111
# the class
1112
attr[attrname] = fixscope(attribute, new_function)
1113
# Is this a D-Bus method?
1114
elif getattr(attribute, "_dbus_is_method", False):
1115
# Create a new, but exactly alike, function
1116
# object. Decorate it to be a new D-Bus method
1117
# with the alternate D-Bus interface name. Add it
1118
# to the class.
1119
attr[attrname] = (dbus.service.method
1120
(alt_interface,
1121
attribute._dbus_in_signature,
1122
attribute._dbus_out_signature)
1123
(types.FunctionType
1124
(attribute.func_code,
1125
attribute.func_globals,
1126
attribute.func_name,
1127
attribute.func_defaults,
1128
attribute.func_closure)))
1129
# Copy annotations, if any
1130
try:
1131
attr[attrname]._dbus_annotations = (
1132
dict(attribute._dbus_annotations))
1133
except AttributeError:
1134
pass
1135
# Is this a D-Bus property?
1136
elif getattr(attribute, "_dbus_is_property", False):
1137
# Create a new, but exactly alike, function
1138
# object, and decorate it to be a new D-Bus
1139
# property with the alternate D-Bus interface
1140
# name. Add it to the class.
1141
attr[attrname] = (dbus_service_property
1142
(alt_interface,
1143
attribute._dbus_signature,
1144
attribute._dbus_access,
1145
attribute
1146
._dbus_get_args_options
1147
["byte_arrays"])
1148
(types.FunctionType
1149
(attribute.func_code,
1150
attribute.func_globals,
1151
attribute.func_name,
1152
attribute.func_defaults,
1153
attribute.func_closure)))
1154
# Copy annotations, if any
1155
try:
1156
attr[attrname]._dbus_annotations = (
1157
dict(attribute._dbus_annotations))
1158
except AttributeError:
1159
pass
1160
# Is this a D-Bus interface?
1161
elif getattr(attribute, "_dbus_is_interface", False):
1162
# Create a new, but exactly alike, function
1163
# object. Decorate it to be a new D-Bus interface
1164
# with the alternate D-Bus interface name. Add it
1165
# to the class.
1166
attr[attrname] = (dbus_interface_annotations
1167
(alt_interface)
1168
(types.FunctionType
1169
(attribute.func_code,
1170
attribute.func_globals,
1171
attribute.func_name,
1172
attribute.func_defaults,
1173
attribute.func_closure)))
1174
if deprecate:
1175
# Deprecate all alternate interfaces
1176
iname="_AlternateDBusNames_interface_annotation{0}"
1177
for interface_name in interface_names:
1178
@dbus_interface_annotations(interface_name)
1179
def func(self):
1180
return { "org.freedesktop.DBus.Deprecated":
1181
"true" }
1182
# Find an unused name
1183
for aname in (iname.format(i)
1184
for i in itertools.count()):
1185
if aname not in attr:
1186
attr[aname] = func
1187
break
1188
if interface_names:
1189
# Replace the class with a new subclass of it with
1190
# methods, signals, etc. as created above.
1191
cls = type(b"{0}Alternate".format(cls.__name__),
1192
(cls,), attr)
1193
return cls
1194
return wrapper
1195
1196
1197
@alternate_dbus_interfaces({"se.recompile.Mandos":
1198
"se.bsnet.fukt.Mandos"})
1199
class ClientDBus(Client, DBusObjectWithProperties):
468
469
def still_valid(self):
470
"""Has the timeout not yet passed for this client?"""
471
if not getattr(self, u"enabled", False):
472
return False
473
now = datetime.datetime.utcnow()
474
if self.last_checked_ok is None:
475
return now < (self.created + self.timeout)
476
else:
477
return now < (self.last_checked_ok + self.timeout)
478
479
480
class ClientDBus(Client, dbus.service.Object):
1200
481
"""A Client class using D-Bus
1201
482
1202
483
Attributes:
1203
484
dbus_object_path: dbus.ObjectPath
1204
485
bus: dbus.SystemBus()
1205
486
"""
1206
1207
runtime_expansions = (Client.runtime_expansions
1208
+ ("dbus_object_path",))
1209
1210
487
# dbus.service.Object doesn't use super(), so we can't either.
1211
488
1212
489
def __init__(self, bus = None, *args, **kwargs):
1214
491
Client.__init__(self, *args, **kwargs)
1215
492
# Only now, when this client is initialized, can it show up on
1216
493
# the D-Bus
1217
client_object_name = unicode(self.name).translate(
1218
{ord("."): ord("_"),
1219
ord("-"): ord("_")})
1220
494
self.dbus_object_path = (dbus.ObjectPath
1221
("/clients/" + client_object_name))
1222
DBusObjectWithProperties.__init__(self, self.bus,
1223
self.dbus_object_path)
1224
1225
def notifychangeproperty(transform_func,
1226
dbus_name, type_func=lambda x: x,
1227
variant_level=1):
1228
""" Modify a variable so that it's a property which announces
1229
its changes to DBus.
1230
1231
transform_fun: Function that takes a value and a variant_level
1232
and transforms it to a D-Bus type.
1233
dbus_name: D-Bus name of the variable
1234
type_func: Function that transform the value before sending it
1235
to the D-Bus. Default: no transform
1236
variant_level: D-Bus variant level. Default: 1
1237
"""
1238
attrname = "_{0}".format(dbus_name)
1239
def setter(self, value):
1240
if hasattr(self, "dbus_object_path"):
1241
if (not hasattr(self, attrname) or
1242
type_func(getattr(self, attrname, None))
1243
!= type_func(value)):
1244
dbus_value = transform_func(type_func(value),
1245
variant_level
1246
=variant_level)
1247
self.PropertyChanged(dbus.String(dbus_name),
1248
dbus_value)
1249
setattr(self, attrname, value)
1250
1251
return property(lambda self: getattr(self, attrname), setter)
1252
1253
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1254
approvals_pending = notifychangeproperty(dbus.Boolean,
1255
"ApprovalPending",
1256
type_func = bool)
1257
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1258
last_enabled = notifychangeproperty(datetime_to_dbus,
1259
"LastEnabled")
1260
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1261
type_func = lambda checker:
1262
checker is not None)
1263
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1264
"LastCheckedOK")
1265
last_checker_status = notifychangeproperty(dbus.Int16,
1266
"LastCheckerStatus")
1267
last_approval_request = notifychangeproperty(
1268
datetime_to_dbus, "LastApprovalRequest")
1269
approved_by_default = notifychangeproperty(dbus.Boolean,
1270
"ApprovedByDefault")
1271
approval_delay = notifychangeproperty(dbus.UInt64,
1272
"ApprovalDelay",
1273
type_func =
1274
timedelta_to_milliseconds)
1275
approval_duration = notifychangeproperty(
1276
dbus.UInt64, "ApprovalDuration",
1277
type_func = timedelta_to_milliseconds)
1278
host = notifychangeproperty(dbus.String, "Host")
1279
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1280
type_func =
1281
timedelta_to_milliseconds)
1282
extended_timeout = notifychangeproperty(
1283
dbus.UInt64, "ExtendedTimeout",
1284
type_func = timedelta_to_milliseconds)
1285
interval = notifychangeproperty(dbus.UInt64,
1286
"Interval",
1287
type_func =
1288
timedelta_to_milliseconds)
1289
checker_command = notifychangeproperty(dbus.String, "Checker")
1290
1291
del notifychangeproperty
495
(u"/clients/"
496
+ self.name.replace(u".", u"_")))
497
dbus.service.Object.__init__(self, self.bus,
498
self.dbus_object_path)
499
500
@staticmethod
501
def _datetime_to_dbus(dt, variant_level=0):
502
"""Convert a UTC datetime.datetime() to a D-Bus type."""
503
return dbus.String(dt.isoformat(),
504
variant_level=variant_level)
505
506
def enable(self):
507
oldstate = getattr(self, u"enabled", False)
508
r = Client.enable(self)
509
if oldstate != self.enabled:
510
# Emit D-Bus signals
511
self.PropertyChanged(dbus.String(u"enabled"),
512
dbus.Boolean(True, variant_level=1))
513
self.PropertyChanged(
514
dbus.String(u"last_enabled"),
515
self._datetime_to_dbus(self.last_enabled,
516
variant_level=1))
517
return r
518
519
def disable(self, signal = True):
520
oldstate = getattr(self, u"enabled", False)
521
r = Client.disable(self)
522
if signal and oldstate != self.enabled:
523
# Emit D-Bus signal
524
self.PropertyChanged(dbus.String(u"enabled"),
525
dbus.Boolean(False, variant_level=1))
526
return r
1292
527
1293
528
def __del__(self, *args, **kwargs):
1294
529
try:
1295
530
self.remove_from_connection()
1296
531
except LookupError:
1297
532
pass
1298
if hasattr(DBusObjectWithProperties, "__del__"):
1299
DBusObjectWithProperties.__del__(self, *args, **kwargs)
533
if hasattr(dbus.service.Object, u"__del__"):
534
dbus.service.Object.__del__(self, *args, **kwargs)
1300
535
Client.__del__(self, *args, **kwargs)
1301
536
1302
537
def checker_callback(self, pid, condition, command,
1303
538
*args, **kwargs):
1304
539
self.checker_callback_tag = None
1305
540
self.checker = None
541
# Emit D-Bus signal
542
self.PropertyChanged(dbus.String(u"checker_running"),
543
dbus.Boolean(False, variant_level=1))
1306
544
if os.WIFEXITED(condition):
1307
545
exitstatus = os.WEXITSTATUS(condition)
1308
546
# Emit D-Bus signal
1318
556
return Client.checker_callback(self, pid, condition, command,
1319
557
*args, **kwargs)
1320
558
559
def checked_ok(self, *args, **kwargs):
560
r = Client.checked_ok(self, *args, **kwargs)
561
# Emit D-Bus signal
562
self.PropertyChanged(
563
dbus.String(u"last_checked_ok"),
564
(self._datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)))
566
return r
567
1321
568
def start_checker(self, *args, **kwargs):
1322
569
old_checker = self.checker
1323
570
if self.checker is not None:
1330
577
and old_checker_pid != self.checker.pid):
1331
578
# Emit D-Bus signal
1332
579
self.CheckerStarted(self.current_checker_command)
1333
return r
1334
1335
def _reset_approved(self):
1336
self.approved = None
1337
return False
1338
1339
def approve(self, value=True):
1340
self.approved = value
1341
gobject.timeout_add(timedelta_to_milliseconds
1342
(self.approval_duration),
1343
self._reset_approved)
1344
self.send_changedstate()
1345
1346
## D-Bus methods, signals & properties
1347
_interface = "se.recompile.Mandos.Client"
1348
1349
## Interfaces
1350
1351
@dbus_interface_annotations(_interface)
1352
def _foo(self):
1353
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1354
"false"}
1355
1356
## Signals
580
self.PropertyChanged(
581
dbus.String(u"checker_running"),
582
dbus.Boolean(True, variant_level=1))
583
return r
584
585
def stop_checker(self, *args, **kwargs):
586
old_checker = getattr(self, u"checker", None)
587
r = Client.stop_checker(self, *args, **kwargs)
588
if (old_checker is not None
589
and getattr(self, u"checker", None) is None):
590
self.PropertyChanged(dbus.String(u"checker_running"),
591
dbus.Boolean(False, variant_level=1))
592
return r
593
594
## D-Bus methods & signals
595
_interface = u"se.bsnet.fukt.Mandos.Client"
596
597
# CheckedOK - method
598
@dbus.service.method(_interface)
599
def CheckedOK(self):
600
return self.checked_ok()
1357
601
1358
602
# CheckerCompleted - signal
1359
@dbus.service.signal(_interface, signature="nxs")
603
@dbus.service.signal(_interface, signature=u"nxs")
1360
604
def CheckerCompleted(self, exitcode, waitstatus, command):
1361
605
"D-Bus signal"
1362
606
pass
1363
607
1364
608
# CheckerStarted - signal
1365
@dbus.service.signal(_interface, signature="s")
609
@dbus.service.signal(_interface, signature=u"s")
1366
610
def CheckerStarted(self, command):
1367
611
"D-Bus signal"
1368
612
pass
1369
613
614
# GetAllProperties - method
615
@dbus.service.method(_interface, out_signature=u"a{sv}")
616
def GetAllProperties(self):
617
"D-Bus method"
618
return dbus.Dictionary({
619
dbus.String(u"name"):
620
dbus.String(self.name, variant_level=1),
621
dbus.String(u"fingerprint"):
622
dbus.String(self.fingerprint, variant_level=1),
623
dbus.String(u"host"):
624
dbus.String(self.host, variant_level=1),
625
dbus.String(u"created"):
626
self._datetime_to_dbus(self.created,
627
variant_level=1),
628
dbus.String(u"last_enabled"):
629
(self._datetime_to_dbus(self.last_enabled,
630
variant_level=1)
631
if self.last_enabled is not None
632
else dbus.Boolean(False, variant_level=1)),
633
dbus.String(u"enabled"):
634
dbus.Boolean(self.enabled, variant_level=1),
635
dbus.String(u"last_checked_ok"):
636
(self._datetime_to_dbus(self.last_checked_ok,
637
variant_level=1)
638
if self.last_checked_ok is not None
639
else dbus.Boolean (False, variant_level=1)),
640
dbus.String(u"timeout"):
641
dbus.UInt64(self.timeout_milliseconds(),
642
variant_level=1),
643
dbus.String(u"interval"):
644
dbus.UInt64(self.interval_milliseconds(),
645
variant_level=1),
646
dbus.String(u"checker"):
647
dbus.String(self.checker_command,
648
variant_level=1),
649
dbus.String(u"checker_running"):
650
dbus.Boolean(self.checker is not None,
651
variant_level=1),
652
dbus.String(u"object_path"):
653
dbus.ObjectPath(self.dbus_object_path,
654
variant_level=1)
655
}, signature=u"sv")
656
657
# IsStillValid - method
658
@dbus.service.method(_interface, out_signature=u"b")
659
def IsStillValid(self):
660
return self.still_valid()
661
1370
662
# PropertyChanged - signal
1371
@dbus.service.signal(_interface, signature="sv")
663
@dbus.service.signal(_interface, signature=u"sv")
1372
664
def PropertyChanged(self, property, value):
1373
665
"D-Bus signal"
1374
666
pass
1375
667
1376
# GotSecret - signal
668
# ReceivedSecret - signal
1377
669
@dbus.service.signal(_interface)
1378
def GotSecret(self):
1379
"""D-Bus signal
1380
Is sent after a successful transfer of secret from the Mandos
1381
server to mandos-client
1382
"""
670
def ReceivedSecret(self):
671
"D-Bus signal"
1383
672
pass
1384
673
1385
674
# Rejected - signal
1386
@dbus.service.signal(_interface, signature="s")
1387
def Rejected(self, reason):
675
@dbus.service.signal(_interface)
676
def Rejected(self):
1388
677
"D-Bus signal"
1389
678
pass
1390
679
1391
# NeedApproval - signal
1392
@dbus.service.signal(_interface, signature="tb")
1393
def NeedApproval(self, timeout, default):
1394
"D-Bus signal"
1395
return self.need_approval()
1396
1397
## Methods
1398
1399
# Approve - method
1400
@dbus.service.method(_interface, in_signature="b")
1401
def Approve(self, value):
1402
self.approve(value)
1403
1404
# CheckedOK - method
1405
@dbus.service.method(_interface)
1406
def CheckedOK(self):
1407
self.checked_ok()
680
# SetChecker - method
681
@dbus.service.method(_interface, in_signature=u"s")
682
def SetChecker(self, checker):
683
"D-Bus setter method"
684
self.checker_command = checker
685
# Emit D-Bus signal
686
self.PropertyChanged(dbus.String(u"checker"),
687
dbus.String(self.checker_command,
688
variant_level=1))
689
690
# SetHost - method
691
@dbus.service.method(_interface, in_signature=u"s")
692
def SetHost(self, host):
693
"D-Bus setter method"
694
self.host = host
695
# Emit D-Bus signal
696
self.PropertyChanged(dbus.String(u"host"),
697
dbus.String(self.host, variant_level=1))
698
699
# SetInterval - method
700
@dbus.service.method(_interface, in_signature=u"t")
701
def SetInterval(self, milliseconds):
702
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
703
# Emit D-Bus signal
704
self.PropertyChanged(dbus.String(u"interval"),
705
(dbus.UInt64(self.interval_milliseconds(),
706
variant_level=1)))
707
708
# SetSecret - method
709
@dbus.service.method(_interface, in_signature=u"ay",
710
byte_arrays=True)
711
def SetSecret(self, secret):
712
"D-Bus setter method"
713
self.secret = str(secret)
714
715
# SetTimeout - method
716
@dbus.service.method(_interface, in_signature=u"t")
717
def SetTimeout(self, milliseconds):
718
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
719
# Emit D-Bus signal
720
self.PropertyChanged(dbus.String(u"timeout"),
721
(dbus.UInt64(self.timeout_milliseconds(),
722
variant_level=1)))
1408
723
1409
724
# Enable - method
1410
725
@dbus.service.method(_interface)
1429
744
def StopChecker(self):
1430
745
self.stop_checker()
1431
746
1432
## Properties
1433
1434
# ApprovalPending - property
1435
@dbus_service_property(_interface, signature="b", access="read")
1436
def ApprovalPending_dbus_property(self):
1437
return dbus.Boolean(bool(self.approvals_pending))
1438
1439
# ApprovedByDefault - property
1440
@dbus_service_property(_interface, signature="b",
1441
access="readwrite")
1442
def ApprovedByDefault_dbus_property(self, value=None):
1443
if value is None: # get
1444
return dbus.Boolean(self.approved_by_default)
1445
self.approved_by_default = bool(value)
1446
1447
# ApprovalDelay - property
1448
@dbus_service_property(_interface, signature="t",
1449
access="readwrite")
1450
def ApprovalDelay_dbus_property(self, value=None):
1451
if value is None: # get
1452
return dbus.UInt64(self.approval_delay_milliseconds())
1453
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1454
1455
# ApprovalDuration - property
1456
@dbus_service_property(_interface, signature="t",
1457
access="readwrite")
1458
def ApprovalDuration_dbus_property(self, value=None):
1459
if value is None: # get
1460
return dbus.UInt64(timedelta_to_milliseconds(
1461
self.approval_duration))
1462
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1463
1464
# Name - property
1465
@dbus_service_property(_interface, signature="s", access="read")
1466
def Name_dbus_property(self):
1467
return dbus.String(self.name)
1468
1469
# Fingerprint - property
1470
@dbus_service_property(_interface, signature="s", access="read")
1471
def Fingerprint_dbus_property(self):
1472
return dbus.String(self.fingerprint)
1473
1474
# Host - property
1475
@dbus_service_property(_interface, signature="s",
1476
access="readwrite")
1477
def Host_dbus_property(self, value=None):
1478
if value is None: # get
1479
return dbus.String(self.host)
1480
self.host = unicode(value)
1481
1482
# Created - property
1483
@dbus_service_property(_interface, signature="s", access="read")
1484
def Created_dbus_property(self):
1485
return datetime_to_dbus(self.created)
1486
1487
# LastEnabled - property
1488
@dbus_service_property(_interface, signature="s", access="read")
1489
def LastEnabled_dbus_property(self):
1490
return datetime_to_dbus(self.last_enabled)
1491
1492
# Enabled - property
1493
@dbus_service_property(_interface, signature="b",
1494
access="readwrite")
1495
def Enabled_dbus_property(self, value=None):
1496
if value is None: # get
1497
return dbus.Boolean(self.enabled)
1498
if value:
1499
self.enable()
1500
else:
1501
self.disable()
1502
1503
# LastCheckedOK - property
1504
@dbus_service_property(_interface, signature="s",
1505
access="readwrite")
1506
def LastCheckedOK_dbus_property(self, value=None):
1507
if value is not None:
1508
self.checked_ok()
1509
return
1510
return datetime_to_dbus(self.last_checked_ok)
1511
1512
# LastCheckerStatus - property
1513
@dbus_service_property(_interface, signature="n",
1514
access="read")
1515
def LastCheckerStatus_dbus_property(self):
1516
return dbus.Int16(self.last_checker_status)
1517
1518
# Expires - property
1519
@dbus_service_property(_interface, signature="s", access="read")
1520
def Expires_dbus_property(self):
1521
return datetime_to_dbus(self.expires)
1522
1523
# LastApprovalRequest - property
1524
@dbus_service_property(_interface, signature="s", access="read")
1525
def LastApprovalRequest_dbus_property(self):
1526
return datetime_to_dbus(self.last_approval_request)
1527
1528
# Timeout - property
1529
@dbus_service_property(_interface, signature="t",
1530
access="readwrite")
1531
def Timeout_dbus_property(self, value=None):
1532
if value is None: # get
1533
return dbus.UInt64(self.timeout_milliseconds())
1534
old_timeout = self.timeout
1535
self.timeout = datetime.timedelta(0, 0, 0, value)
1536
# Reschedule disabling
1537
if self.enabled:
1538
now = datetime.datetime.utcnow()
1539
self.expires += self.timeout - old_timeout
1540
if self.expires <= now:
1541
# The timeout has passed
1542
self.disable()
1543
else:
1544
if (getattr(self, "disable_initiator_tag", None)
1545
is None):
1546
return
1547
gobject.source_remove(self.disable_initiator_tag)
1548
self.disable_initiator_tag = (
1549
gobject.timeout_add(
1550
timedelta_to_milliseconds(self.expires - now),
1551
self.disable))
1552
1553
# ExtendedTimeout - property
1554
@dbus_service_property(_interface, signature="t",
1555
access="readwrite")
1556
def ExtendedTimeout_dbus_property(self, value=None):
1557
if value is None: # get
1558
return dbus.UInt64(self.extended_timeout_milliseconds())
1559
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1560
1561
# Interval - property
1562
@dbus_service_property(_interface, signature="t",
1563
access="readwrite")
1564
def Interval_dbus_property(self, value=None):
1565
if value is None: # get
1566
return dbus.UInt64(self.interval_milliseconds())
1567
self.interval = datetime.timedelta(0, 0, 0, value)
1568
if getattr(self, "checker_initiator_tag", None) is None:
1569
return
1570
if self.enabled:
1571
# Reschedule checker run
1572
gobject.source_remove(self.checker_initiator_tag)
1573
self.checker_initiator_tag = (gobject.timeout_add
1574
(value, self.start_checker))
1575
self.start_checker() # Start one now, too
1576
1577
# Checker - property
1578
@dbus_service_property(_interface, signature="s",
1579
access="readwrite")
1580
def Checker_dbus_property(self, value=None):
1581
if value is None: # get
1582
return dbus.String(self.checker_command)
1583
self.checker_command = unicode(value)
1584
1585
# CheckerRunning - property
1586
@dbus_service_property(_interface, signature="b",
1587
access="readwrite")
1588
def CheckerRunning_dbus_property(self, value=None):
1589
if value is None: # get
1590
return dbus.Boolean(self.checker is not None)
1591
if value:
1592
self.start_checker()
1593
else:
1594
self.stop_checker()
1595
1596
# ObjectPath - property
1597
@dbus_service_property(_interface, signature="o", access="read")
1598
def ObjectPath_dbus_property(self):
1599
return self.dbus_object_path # is already a dbus.ObjectPath
1600
1601
# Secret = property
1602
@dbus_service_property(_interface, signature="ay",
1603
access="write", byte_arrays=True)
1604
def Secret_dbus_property(self, value):
1605
self.secret = str(value)
1606
1607
747
del _interface
1608
748
1609
749
1610
class ProxyClient(object):
1611
def __init__(self, child_pipe, fpr, address):
1612
self._pipe = child_pipe
1613
self._pipe.send(('init', fpr, address))
1614
if not self._pipe.recv():
1615
raise KeyError()
1616
1617
def __getattribute__(self, name):
1618
if name == '_pipe':
1619
return super(ProxyClient, self).__getattribute__(name)
1620
self._pipe.send(('getattr', name))
1621
data = self._pipe.recv()
1622
if data[0] == 'data':
1623
return data[1]
1624
if data[0] == 'function':
1625
def func(*args, **kwargs):
1626
self._pipe.send(('funcall', name, args, kwargs))
1627
return self._pipe.recv()[1]
1628
return func
1629
1630
def __setattr__(self, name, value):
1631
if name == '_pipe':
1632
return super(ProxyClient, self).__setattr__(name, value)
1633
self._pipe.send(('setattr', name, value))
1634
1635
1636
750
class ClientHandler(socketserver.BaseRequestHandler, object):
1637
751
"""A class to handle client connections.
1638
752
1640
754
Note: This will run in its own forked process."""
1641
755
1642
756
def handle(self):
1643
with contextlib.closing(self.server.child_pipe) as child_pipe:
1644
logger.info("TCP connection from: %s",
1645
unicode(self.client_address))
1646
logger.debug("Pipe FD: %d",
1647
self.server.child_pipe.fileno())
1648
757
logger.info(u"TCP connection from: %s",
758
unicode(self.client_address))
759
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
760
# Open IPC pipe to parent process
761
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1649
762
session = (gnutls.connection
1650
763
.ClientSession(self.request,
1651
764
gnutls.connection
1652
765
.X509Credentials()))
1653
766
767
line = self.request.makefile().readline()
768
logger.debug(u"Protocol version: %r", line)
769
try:
770
if int(line.strip().split()[0]) > 1:
771
raise RuntimeError
772
except (ValueError, IndexError, RuntimeError), error:
773
logger.error(u"Unknown protocol version: %s", error)
774
return
775
1654
776
# Note: gnutls.connection.X509Credentials is really a
1655
777
# generic GnuTLS certificate credentials object so long as
1656
778
# no X.509 keys are added to it. Therefore, we can use it
1657
779
# here despite using OpenPGP certificates.
1658
780
1659
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1660
# "+AES-256-CBC", "+SHA1",
1661
# "+COMP-NULL", "+CTYPE-OPENPGP",
1662
# "+DHE-DSS"))
781
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
782
# u"+AES-256-CBC", u"+SHA1",
783
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
784
# u"+DHE-DSS"))
1663
785
# Use a fallback default, since this MUST be set.
1664
786
priority = self.server.gnutls_priority
1665
787
if priority is None:
1666
priority = "NORMAL"
788
priority = u"NORMAL"
1667
789
(gnutls.library.functions
1668
790
.gnutls_priority_set_direct(session._c_object,
1669
791
priority, None))
1670
792
1671
# Start communication using the Mandos protocol
1672
# Get protocol number
1673
line = self.request.makefile().readline()
1674
logger.debug("Protocol version: %r", line)
1675
try:
1676
if int(line.strip().split()[0]) > 1:
1677
raise RuntimeError
1678
except (ValueError, IndexError, RuntimeError) as error:
1679
logger.error("Unknown protocol version: %s", error)
1680
return
1681
1682
# Start GnuTLS connection
1683
793
try:
1684
794
session.handshake()
1685
except gnutls.errors.GNUTLSError as error:
1686
logger.warning("Handshake failed: %s", error)
795
except gnutls.errors.GNUTLSError, error:
796
logger.warning(u"Handshake failed: %s", error)
1687
797
# Do not run session.bye() here: the session is not
1688
798
# established. Just abandon the request.
1689
799
return
1690
logger.debug("Handshake succeeded")
1691
1692
approval_required = False
800
logger.debug(u"Handshake succeeded")
1693
801
try:
1694
try:
1695
fpr = self.fingerprint(self.peer_certificate
1696
(session))
1697
except (TypeError,
1698
gnutls.errors.GNUTLSError) as error:
1699
logger.warning("Bad certificate: %s", error)
1700
return
1701
logger.debug("Fingerprint: %s", fpr)
1702
1703
try:
1704
client = ProxyClient(child_pipe, fpr,
1705
self.client_address)
1706
except KeyError:
1707
return
1708
1709
if client.approval_delay:
1710
delay = client.approval_delay
1711
client.approvals_pending += 1
1712
approval_required = True
1713
1714
while True:
1715
if not client.enabled:
1716
logger.info("Client %s is disabled",
1717
client.name)
1718
if self.server.use_dbus:
1719
# Emit D-Bus signal
1720
client.Rejected("Disabled")
1721
return
1722
1723
if client.approved or not client.approval_delay:
1724
#We are approved or approval is disabled
1725
break
1726
elif client.approved is None:
1727
logger.info("Client %s needs approval",
1728
client.name)
1729
if self.server.use_dbus:
1730
# Emit D-Bus signal
1731
client.NeedApproval(
1732
client.approval_delay_milliseconds(),
1733
client.approved_by_default)
1734
else:
1735
logger.warning("Client %s was not approved",
1736
client.name)
1737
if self.server.use_dbus:
1738
# Emit D-Bus signal
1739
client.Rejected("Denied")
1740
return
1741
1742
#wait until timeout or approved
1743
time = datetime.datetime.now()
1744
client.changedstate.acquire()
1745
client.changedstate.wait(
1746
float(timedelta_to_milliseconds(delay)
1747
/ 1000))
1748
client.changedstate.release()
1749
time2 = datetime.datetime.now()
1750
if (time2 - time) >= delay:
1751
if not client.approved_by_default:
1752
logger.warning("Client %s timed out while"
1753
" waiting for approval",
1754
client.name)
1755
if self.server.use_dbus:
1756
# Emit D-Bus signal
1757
client.Rejected("Approval timed out")
1758
return
1759
else:
1760
break
1761
else:
1762
delay -= time2 - time
1763
1764
sent_size = 0
1765
while sent_size < len(client.secret):
1766
try:
1767
sent = session.send(client.secret[sent_size:])
1768
except gnutls.errors.GNUTLSError as error:
1769
logger.warning("gnutls send failed",
1770
exc_info=error)
1771
return
1772
logger.debug("Sent: %d, remaining: %d",
1773
sent, len(client.secret)
1774
- (sent_size + sent))
1775
sent_size += sent
1776
1777
logger.info("Sending secret to %s", client.name)
1778
# bump the timeout using extended_timeout
1779
client.bump_timeout(client.extended_timeout)
1780
if self.server.use_dbus:
1781
# Emit D-Bus signal
1782
client.GotSecret()
802
fpr = self.fingerprint(self.peer_certificate(session))
803
except (TypeError, gnutls.errors.GNUTLSError), error:
804
logger.warning(u"Bad certificate: %s", error)
805
session.bye()
806
return
807
logger.debug(u"Fingerprint: %s", fpr)
1783
808
1784
finally:
1785
if approval_required:
1786
client.approvals_pending -= 1
1787
try:
1788
session.bye()
1789
except gnutls.errors.GNUTLSError as error:
1790
logger.warning("GnuTLS bye failed",
1791
exc_info=error)
809
for c in self.server.clients:
810
if c.fingerprint == fpr:
811
client = c
812
break
813
else:
814
ipc.write(u"NOTFOUND %s\n" % fpr)
815
session.bye()
816
return
817
# Have to check if client.still_valid(), since it is
818
# possible that the client timed out while establishing
819
# the GnuTLS session.
820
if not client.still_valid():
821
ipc.write(u"INVALID %s\n" % client.name)
822
session.bye()
823
return
824
ipc.write(u"SENDING %s\n" % client.name)
825
sent_size = 0
826
while sent_size < len(client.secret):
827
sent = session.send(client.secret[sent_size:])
828
logger.debug(u"Sent: %d, remaining: %d",
829
sent, len(client.secret)
830
- (sent_size + sent))
831
sent_size += sent
832
session.bye()
1792
833
1793
834
@staticmethod
1794
835
def peer_certificate(session):
1804
845
.gnutls_certificate_get_peers
1805
846
(session._c_object, ctypes.byref(list_size)))
1806
847
if not bool(cert_list) and list_size.value != 0:
1807
raise gnutls.errors.GNUTLSError("error getting peer"
1808
" certificate")
848
raise gnutls.errors.GNUTLSError(u"error getting peer"
849
u" certificate")
1809
850
if list_size.value == 0:
1810
851
return None
1811
852
cert = cert_list[0]
1837
878
if crtverify.value != 0:
1838
879
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1839
880
raise (gnutls.errors.CertificateSecurityError
1840
("Verify failed"))
881
(u"Verify failed"))
1841
882
# New buffer for the fingerprint
1842
883
buf = ctypes.create_string_buffer(20)
1843
884
buf_len = ctypes.c_size_t()
1850
891
# Convert the buffer to a Python bytestring
1851
892
fpr = ctypes.string_at(buf, buf_len.value)
1852
893
# Convert the bytestring to hexadecimal notation
1853
hex_fpr = binascii.hexlify(fpr).upper()
894
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1854
895
return hex_fpr
1855
896
1856
897
1857
class MultiprocessingMixIn(object):
1858
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1859
def sub_process_main(self, request, address):
1860
try:
1861
self.finish_request(request, address)
1862
except Exception:
1863
self.handle_error(request, address)
1864
self.close_request(request)
1865
1866
def process_request(self, request, address):
1867
"""Start a new process to process the request."""
1868
proc = multiprocessing.Process(target = self.sub_process_main,
1869
args = (request, address))
1870
proc.start()
1871
return proc
1872
1873
1874
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1875
""" adds a pipe to the MixIn """
898
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
899
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1876
900
def process_request(self, request, client_address):
1877
901
"""Overrides and wraps the original process_request().
1878
902
1879
This function creates a new pipe in self.pipe
903
This function creates a new pipe in self.pipe
1880
904
"""
1881
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1882
1883
proc = MultiprocessingMixIn.process_request(self, request,
1884
client_address)
1885
self.child_pipe.close()
1886
self.add_pipe(parent_pipe, proc)
1887
1888
def add_pipe(self, parent_pipe, proc):
905
self.pipe = os.pipe()
906
super(ForkingMixInWithPipe,
907
self).process_request(request, client_address)
908
os.close(self.pipe[1]) # close write end
909
self.add_pipe(self.pipe[0])
910
def add_pipe(self, pipe):
1889
911
"""Dummy function; override as necessary"""
1890
raise NotImplementedError
1891
1892
1893
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
912
os.close(pipe)
913
914
915
class IPv6_TCPServer(ForkingMixInWithPipe,
1894
916
socketserver.TCPServer, object):
1895
917
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1896
918
1900
922
use_ipv6: Boolean; to use IPv6 or not
1901
923
"""
1902
924
def __init__(self, server_address, RequestHandlerClass,
1903
interface=None, use_ipv6=True, socketfd=None):
1904
"""If socketfd is set, use that file descriptor instead of
1905
creating a new one with socket.socket().
1906
"""
925
interface=None, use_ipv6=True):
1907
926
self.interface = interface
1908
927
if use_ipv6:
1909
928
self.address_family = socket.AF_INET6
1910
if socketfd is not None:
1911
# Save the file descriptor
1912
self.socketfd = socketfd
1913
# Save the original socket.socket() function
1914
self.socket_socket = socket.socket
1915
# To implement --socket, we monkey patch socket.socket.
1916
#
1917
# (When socketserver.TCPServer is a new-style class, we
1918
# could make self.socket into a property instead of monkey
1919
# patching socket.socket.)
1920
#
1921
# Create a one-time-only replacement for socket.socket()
1922
@functools.wraps(socket.socket)
1923
def socket_wrapper(*args, **kwargs):
1924
# Restore original function so subsequent calls are
1925
# not affected.
1926
socket.socket = self.socket_socket
1927
del self.socket_socket
1928
# This time only, return a new socket object from the
1929
# saved file descriptor.
1930
return socket.fromfd(self.socketfd, *args, **kwargs)
1931
# Replace socket.socket() function with wrapper
1932
socket.socket = socket_wrapper
1933
# The socketserver.TCPServer.__init__ will call
1934
# socket.socket(), which might be our replacement,
1935
# socket_wrapper(), if socketfd was set.
1936
929
socketserver.TCPServer.__init__(self, server_address,
1937
930
RequestHandlerClass)
1938
1939
931
def server_bind(self):
1940
932
"""This overrides the normal server_bind() function
1941
933
to bind to an interface if one was specified, and also NOT to
1942
934
bind to an address or port if they were not specified."""
1943
935
if self.interface is not None:
1944
936
if SO_BINDTODEVICE is None:
1945
logger.error("SO_BINDTODEVICE does not exist;"
1946
" cannot bind to interface %s",
937
logger.error(u"SO_BINDTODEVICE does not exist;"
938
u" cannot bind to interface %s",
1947
939
self.interface)
1948
940
else:
1949
941
try:
1950
942
self.socket.setsockopt(socket.SOL_SOCKET,
1951
943
SO_BINDTODEVICE,
1952
str(self.interface + '\0'))
1953
except socket.error as error:
1954
if error.errno == errno.EPERM:
1955
logger.error("No permission to bind to"
1956
" interface %s", self.interface)
1957
elif error.errno == errno.ENOPROTOOPT:
1958
logger.error("SO_BINDTODEVICE not available;"
1959
" cannot bind to interface %s",
1960
self.interface)
1961
elif error.errno == errno.ENODEV:
1962
logger.error("Interface %s does not exist,"
1963
" cannot bind", self.interface)
944
str(self.interface
945
+ u'\0'))
946
except socket.error, error:
947
if error[0] == errno.EPERM:
948
logger.error(u"No permission to"
949
u" bind to interface %s",
950
self.interface)
951
elif error[0] == errno.ENOPROTOOPT:
952
logger.error(u"SO_BINDTODEVICE not available;"
953
u" cannot bind to interface %s",
954
self.interface)
1964
955
else:
1965
956
raise
1966
957
# Only bind(2) the socket if we really need to.
1967
958
if self.server_address[0] or self.server_address[1]:
1968
959
if not self.server_address[0]:
1969
960
if self.address_family == socket.AF_INET6:
1970
any_address = "::" # in6addr_any
961
any_address = u"::" # in6addr_any
1971
962
else:
1972
963
any_address = socket.INADDR_ANY
1973
964
self.server_address = (any_address,
1991
982
clients: set of Client objects
1992
983
gnutls_priority GnuTLS priority string
1993
984
use_dbus: Boolean; to emit D-Bus signals or not
985
clients: set of Client objects
986
gnutls_priority GnuTLS priority string
987
use_dbus: Boolean; to emit D-Bus signals or not
1994
988
1995
989
Assumes a gobject.MainLoop event loop.
1996
990
"""
1997
991
def __init__(self, server_address, RequestHandlerClass,
1998
992
interface=None, use_ipv6=True, clients=None,
1999
gnutls_priority=None, use_dbus=True, socketfd=None):
993
gnutls_priority=None, use_dbus=True):
2000
994
self.enabled = False
2001
995
self.clients = clients
2002
996
if self.clients is None:
2003
self.clients = {}
997
self.clients = set()
2004
998
self.use_dbus = use_dbus
2005
999
self.gnutls_priority = gnutls_priority
2006
1000
IPv6_TCPServer.__init__(self, server_address,
2007
1001
RequestHandlerClass,
2008
1002
interface = interface,
2009
use_ipv6 = use_ipv6,
2010
socketfd = socketfd)
1003
use_ipv6 = use_ipv6)
2011
1004
def server_activate(self):
2012
1005
if self.enabled:
2013
1006
return socketserver.TCPServer.server_activate(self)
2014
2015
1007
def enable(self):
2016
1008
self.enabled = True
2017
2018
def add_pipe(self, parent_pipe, proc):
1009
def add_pipe(self, pipe):
2019
1010
# Call "handle_ipc" for both data and EOF events
2020
gobject.io_add_watch(parent_pipe.fileno(),
2021
gobject.IO_IN | gobject.IO_HUP,
2022
functools.partial(self.handle_ipc,
2023
parent_pipe =
2024
parent_pipe,
2025
proc = proc))
2026
2027
def handle_ipc(self, source, condition, parent_pipe=None,
2028
proc = None, client_object=None):
2029
# error, or the other end of multiprocessing.Pipe has closed
2030
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2031
# Wait for other process to exit
2032
proc.join()
2033
return False
2034
2035
# Read a request from the child
2036
request = parent_pipe.recv()
2037
command = request[0]
2038
2039
if command == 'init':
2040
fpr = request[1]
2041
address = request[2]
2042
2043
for c in self.clients.itervalues():
2044
if c.fingerprint == fpr:
2045
client = c
2046
break
2047
else:
2048
logger.info("Client not found for fingerprint: %s, ad"
2049
"dress: %s", fpr, address)
2050
if self.use_dbus:
2051
# Emit D-Bus signal
2052
mandos_dbus_service.ClientNotFound(fpr,
2053
address[0])
2054
parent_pipe.send(False)
2055
return False
2056
2057
gobject.io_add_watch(parent_pipe.fileno(),
2058
gobject.IO_IN | gobject.IO_HUP,
2059
functools.partial(self.handle_ipc,
2060
parent_pipe =
2061
parent_pipe,
2062
proc = proc,
2063
client_object =
2064
client))
2065
parent_pipe.send(True)
2066
# remove the old hook in favor of the new above hook on
2067
# same fileno
2068
return False
2069
if command == 'funcall':
2070
funcname = request[1]
2071
args = request[2]
2072
kwargs = request[3]
2073
2074
parent_pipe.send(('data', getattr(client_object,
2075
funcname)(*args,
2076
**kwargs)))
2077
2078
if command == 'getattr':
2079
attrname = request[1]
2080
if callable(client_object.__getattribute__(attrname)):
2081
parent_pipe.send(('function',))
2082
else:
2083
parent_pipe.send(('data', client_object
2084
.__getattribute__(attrname)))
2085
2086
if command == 'setattr':
2087
attrname = request[1]
2088
value = request[2]
2089
setattr(client_object, attrname, value)
2090
1011
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1012
self.handle_ipc)
1013
def handle_ipc(self, source, condition, file_objects={}):
1014
condition_names = {
1015
gobject.IO_IN: u"IN", # There is data to read.
1016
gobject.IO_OUT: u"OUT", # Data can be written (without
1017
# blocking).
1018
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1019
gobject.IO_ERR: u"ERR", # Error condition.
1020
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1021
# broken, usually for pipes and
1022
# sockets).
1023
}
1024
conditions_string = ' | '.join(name
1025
for cond, name in
1026
condition_names.iteritems()
1027
if cond & condition)
1028
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1029
conditions_string)
1030
1031
# Turn the pipe file descriptor into a Python file object
1032
if source not in file_objects:
1033
file_objects[source] = os.fdopen(source, u"r", 1)
1034
1035
# Read a line from the file object
1036
cmdline = file_objects[source].readline()
1037
if not cmdline: # Empty line means end of file
1038
# close the IPC pipe
1039
file_objects[source].close()
1040
del file_objects[source]
1041
1042
# Stop calling this function
1043
return False
1044
1045
logger.debug(u"IPC command: %r", cmdline)
1046
1047
# Parse and act on command
1048
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1049
1050
if cmd == u"NOTFOUND":
1051
logger.warning(u"Client not found for fingerprint: %s",
1052
args)
1053
if self.use_dbus:
1054
# Emit D-Bus signal
1055
mandos_dbus_service.ClientNotFound(args)
1056
elif cmd == u"INVALID":
1057
for client in self.clients:
1058
if client.name == args:
1059
logger.warning(u"Client %s is invalid", args)
1060
if self.use_dbus:
1061
# Emit D-Bus signal
1062
client.Rejected()
1063
break
1064
else:
1065
logger.error(u"Unknown client %s is invalid", args)
1066
elif cmd == u"SENDING":
1067
for client in self.clients:
1068
if client.name == args:
1069
logger.info(u"Sending secret to %s", client.name)
1070
client.checked_ok()
1071
if self.use_dbus:
1072
# Emit D-Bus signal
1073
client.ReceivedSecret()
1074
break
1075
else:
1076
logger.error(u"Sending secret to unknown client %s",
1077
args)
1078
else:
1079
logger.error(u"Unknown IPC command: %r", cmdline)
1080
1081
# Keep calling this function
2091
1082
return True
2092
1083
2093
1084
2094
def rfc3339_duration_to_delta(duration):
2095
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2096
2097
>>> rfc3339_duration_to_delta("P7D")
2098
datetime.timedelta(7)
2099
>>> rfc3339_duration_to_delta("PT60S")
2100
datetime.timedelta(0, 60)
2101
>>> rfc3339_duration_to_delta("PT60M")
2102
datetime.timedelta(0, 3600)
2103
>>> rfc3339_duration_to_delta("PT24H")
2104
datetime.timedelta(1)
2105
>>> rfc3339_duration_to_delta("P1W")
2106
datetime.timedelta(7)
2107
>>> rfc3339_duration_to_delta("PT5M30S")
2108
datetime.timedelta(0, 330)
2109
>>> rfc3339_duration_to_delta("P1DT3M20S")
2110
datetime.timedelta(1, 200)
2111
"""
2112
2113
# Parsing an RFC 3339 duration with regular expressions is not
2114
# possible - there would have to be multiple places for the same
2115
# values, like seconds. The current code, while more esoteric, is
2116
# cleaner without depending on a parsing library. If Python had a
2117
# built-in library for parsing we would use it, but we'd like to
2118
# avoid excessive use of external libraries.
2119
2120
# New type for defining tokens, syntax, and semantics all-in-one
2121
Token = collections.namedtuple("Token",
2122
("regexp", # To match token; if
2123
# "value" is not None,
2124
# must have a "group"
2125
# containing digits
2126
"value", # datetime.timedelta or
2127
# None
2128
"followers")) # Tokens valid after
2129
# this token
2130
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2131
# the "duration" ABNF definition in RFC 3339, Appendix A.
2132
token_end = Token(re.compile(r"$"), None, frozenset())
2133
token_second = Token(re.compile(r"(\d+)S"),
2134
datetime.timedelta(seconds=1),
2135
frozenset((token_end,)))
2136
token_minute = Token(re.compile(r"(\d+)M"),
2137
datetime.timedelta(minutes=1),
2138
frozenset((token_second, token_end)))
2139
token_hour = Token(re.compile(r"(\d+)H"),
2140
datetime.timedelta(hours=1),
2141
frozenset((token_minute, token_end)))
2142
token_time = Token(re.compile(r"T"),
2143
None,
2144
frozenset((token_hour, token_minute,
2145
token_second)))
2146
token_day = Token(re.compile(r"(\d+)D"),
2147
datetime.timedelta(days=1),
2148
frozenset((token_time, token_end)))
2149
token_month = Token(re.compile(r"(\d+)M"),
2150
datetime.timedelta(weeks=4),
2151
frozenset((token_day, token_end)))
2152
token_year = Token(re.compile(r"(\d+)Y"),
2153
datetime.timedelta(weeks=52),
2154
frozenset((token_month, token_end)))
2155
token_week = Token(re.compile(r"(\d+)W"),
2156
datetime.timedelta(weeks=1),
2157
frozenset((token_end,)))
2158
token_duration = Token(re.compile(r"P"), None,
2159
frozenset((token_year, token_month,
2160
token_day, token_time,
2161
token_week))),
2162
# Define starting values
2163
value = datetime.timedelta() # Value so far
2164
found_token = None
2165
followers = frozenset(token_duration,) # Following valid tokens
2166
s = duration # String left to parse
2167
# Loop until end token is found
2168
while found_token is not token_end:
2169
# Search for any currently valid tokens
2170
for token in followers:
2171
match = token.regexp.match(s)
2172
if match is not None:
2173
# Token found
2174
if token.value is not None:
2175
# Value found, parse digits
2176
factor = int(match.group(1), 10)
2177
# Add to value so far
2178
value += factor * token.value
2179
# Strip token from string
2180
s = token.regexp.sub("", s, 1)
2181
# Go to found token
2182
found_token = token
2183
# Set valid next tokens
2184
followers = found_token.followers
2185
break
2186
else:
2187
# No currently valid tokens were found
2188
raise ValueError("Invalid RFC 3339 duration")
2189
# End token found
2190
return value
2191
2192
2193
1085
def string_to_delta(interval):
2194
1086
"""Parse a string and return a datetime.timedelta
2195
1087
2196
>>> string_to_delta('7d')
1088
>>> string_to_delta(u'7d')
2197
1089
datetime.timedelta(7)
2198
>>> string_to_delta('60s')
1090
>>> string_to_delta(u'60s')
2199
1091
datetime.timedelta(0, 60)
2200
>>> string_to_delta('60m')
1092
>>> string_to_delta(u'60m')
2201
1093
datetime.timedelta(0, 3600)
2202
>>> string_to_delta('24h')
1094
>>> string_to_delta(u'24h')
2203
1095
datetime.timedelta(1)
2204
>>> string_to_delta('1w')
1096
>>> string_to_delta(u'1w')
2205
1097
datetime.timedelta(7)
2206
>>> string_to_delta('5m 30s')
1098
>>> string_to_delta(u'5m 30s')
2207
1099
datetime.timedelta(0, 330)
2208
1100
"""
2209
2210
try:
2211
return rfc3339_duration_to_delta(interval)
2212
except ValueError:
2213
pass
2214
2215
1101
timevalue = datetime.timedelta(0)
2216
1102
for s in interval.split():
2217
1103
try:
2218
1104
suffix = unicode(s[-1])
2219
1105
value = int(s[:-1])
2220
if suffix == "d":
1106
if suffix == u"d":
2221
1107
delta = datetime.timedelta(value)
2222
elif suffix == "s":
1108
elif suffix == u"s":
2223
1109
delta = datetime.timedelta(0, value)
2224
elif suffix == "m":
1110
elif suffix == u"m":
2225
1111
delta = datetime.timedelta(0, 0, 0, 0, value)
2226
elif suffix == "h":
1112
elif suffix == u"h":
2227
1113
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
2228
elif suffix == "w":
1114
elif suffix == u"w":
2229
1115
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2230
1116
else:
2231
raise ValueError("Unknown suffix {0!r}"
2232
.format(suffix))
2233
except (ValueError, IndexError) as e:
2234
raise ValueError(*(e.args))
1117
raise ValueError
1118
except (ValueError, IndexError):
1119
raise ValueError
2235
1120
timevalue += delta
2236
1121
return timevalue
2237
1122
2238
1123
1124
def if_nametoindex(interface):
1125
"""Call the C function if_nametoindex(), or equivalent
1126
1127
Note: This function cannot accept a unicode string."""
1128
global if_nametoindex
1129
try:
1130
if_nametoindex = (ctypes.cdll.LoadLibrary
1131
(ctypes.util.find_library(u"c"))
1132
.if_nametoindex)
1133
except (OSError, AttributeError):
1134
logger.warning(u"Doing if_nametoindex the hard way")
1135
def if_nametoindex(interface):
1136
"Get an interface index the hard way, i.e. using fcntl()"
1137
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1138
with closing(socket.socket()) as s:
1139
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1140
struct.pack(str(u"16s16x"),
1141
interface))
1142
interface_index = struct.unpack(str(u"I"),
1143
ifreq[16:20])[0]
1144
return interface_index
1145
return if_nametoindex(interface)
1146
1147
2239
1148
def daemon(nochdir = False, noclose = False):
2240
1149
"""See daemon(3). Standard BSD Unix function.
2241
1150
2244
1153
sys.exit()
2245
1154
os.setsid()
2246
1155
if not nochdir:
2247
os.chdir("/")
1156
os.chdir(u"/")
2248
1157
if os.fork():
2249
1158
sys.exit()
2250
1159
if not noclose:
2251
1160
# Close all standard open file descriptors
2252
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1161
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2253
1162
if not stat.S_ISCHR(os.fstat(null).st_mode):
2254
1163
raise OSError(errno.ENODEV,
2255
"{0} not a character device"
2256
.format(os.devnull))
1164
u"/dev/null not a character device")
2257
1165
os.dup2(null, sys.stdin.fileno())
2258
1166
os.dup2(null, sys.stdout.fileno())
2259
1167
os.dup2(null, sys.stderr.fileno())
2263
1171
2264
1172
def main():
2265
1173
2266
##################################################################
1174
######################################################################
2267
1175
# Parsing of options, both command line and config file
2268
1176
2269
parser = argparse.ArgumentParser()
2270
parser.add_argument("-v", "--version", action="version",
2271
version = "%(prog)s {0}".format(version),
2272
help="show version number and exit")
2273
parser.add_argument("-i", "--interface", metavar="IF",
2274
help="Bind to interface IF")
2275
parser.add_argument("-a", "--address",
2276
help="Address to listen for requests on")
2277
parser.add_argument("-p", "--port", type=int,
2278
help="Port number to receive requests on")
2279
parser.add_argument("--check", action="store_true",
2280
help="Run self-test")
2281
parser.add_argument("--debug", action="store_true",
2282
help="Debug mode; run in foreground and log"
2283
" to terminal")
2284
parser.add_argument("--debuglevel", metavar="LEVEL",
2285
help="Debug level for stdout output")
2286
parser.add_argument("--priority", help="GnuTLS"
2287
" priority string (see GnuTLS documentation)")
2288
parser.add_argument("--servicename",
2289
metavar="NAME", help="Zeroconf service name")
2290
parser.add_argument("--configdir",
2291
default="/etc/mandos", metavar="DIR",
2292
help="Directory to search for configuration"
2293
" files")
2294
parser.add_argument("--no-dbus", action="store_false",
2295
dest="use_dbus", help="Do not provide D-Bus"
2296
" system bus interface")
2297
parser.add_argument("--no-ipv6", action="store_false",
2298
dest="use_ipv6", help="Do not use IPv6")
2299
parser.add_argument("--no-restore", action="store_false",
2300
dest="restore", help="Do not restore stored"
2301
" state")
2302
parser.add_argument("--socket", type=int,
2303
help="Specify a file descriptor to a network"
2304
" socket to use instead of creating one")
2305
parser.add_argument("--statedir", metavar="DIR",
2306
help="Directory to save/restore state in")
2307
parser.add_argument("--foreground", action="store_true",
2308
help="Run in foreground")
2309
2310
options = parser.parse_args()
1177
parser = optparse.OptionParser(version = "%%prog %s" % version)
1178
parser.add_option("-i", u"--interface", type=u"string",
1179
metavar="IF", help=u"Bind to interface IF")
1180
parser.add_option("-a", u"--address", type=u"string",
1181
help=u"Address to listen for requests on")
1182
parser.add_option("-p", u"--port", type=u"int",
1183
help=u"Port number to receive requests on")
1184
parser.add_option("--check", action=u"store_true",
1185
help=u"Run self-test")
1186
parser.add_option("--debug", action=u"store_true",
1187
help=u"Debug mode; run in foreground and log to"
1188
u" terminal")
1189
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1190
u" priority string (see GnuTLS documentation)")
1191
parser.add_option("--servicename", type=u"string",
1192
metavar=u"NAME", help=u"Zeroconf service name")
1193
parser.add_option("--configdir", type=u"string",
1194
default=u"/etc/mandos", metavar=u"DIR",
1195
help=u"Directory to search for configuration"
1196
u" files")
1197
parser.add_option("--no-dbus", action=u"store_false",
1198
dest=u"use_dbus", help=u"Do not provide D-Bus"
1199
u" system bus interface")
1200
parser.add_option("--no-ipv6", action=u"store_false",
1201
dest=u"use_ipv6", help=u"Do not use IPv6")
1202
options = parser.parse_args()[0]
2311
1203
2312
1204
if options.check:
2313
1205
import doctest
2315
1207
sys.exit()
2316
1208
2317
1209
# Default values for config file for server-global settings
2318
server_defaults = { "interface": "",
2319
"address": "",
2320
"port": "",
2321
"debug": "False",
2322
"priority":
2323
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2324
"servicename": "Mandos",
2325
"use_dbus": "True",
2326
"use_ipv6": "True",
2327
"debuglevel": "",
2328
"restore": "True",
2329
"socket": "",
2330
"statedir": "/var/lib/mandos",
2331
"foreground": "False",
1210
server_defaults = { u"interface": u"",
1211
u"address": u"",
1212
u"port": u"",
1213
u"debug": u"False",
1214
u"priority":
1215
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1216
u"servicename": u"Mandos",
1217
u"use_dbus": u"True",
1218
u"use_ipv6": u"True",
2332
1219
}
2333
1220
2334
1221
# Parse config file for server-global settings
2335
1222
server_config = configparser.SafeConfigParser(server_defaults)
2336
1223
del server_defaults
2337
1224
server_config.read(os.path.join(options.configdir,
2338
"mandos.conf"))
1225
u"mandos.conf"))
2339
1226
# Convert the SafeConfigParser object to a dict
2340
1227
server_settings = server_config.defaults()
2341
1228
# Use the appropriate methods on the non-string config options
2342
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2343
server_settings[option] = server_config.getboolean("DEFAULT",
1229
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1230
server_settings[option] = server_config.getboolean(u"DEFAULT",
2344
1231
option)
2345
1232
if server_settings["port"]:
2346
server_settings["port"] = server_config.getint("DEFAULT",
2347
"port")
2348
if server_settings["socket"]:
2349
server_settings["socket"] = server_config.getint("DEFAULT",
2350
"socket")
2351
# Later, stdin will, and stdout and stderr might, be dup'ed
2352
# over with an opened os.devnull. But we don't want this to
2353
# happen with a supplied network socket.
2354
if 0 <= server_settings["socket"] <= 2:
2355
server_settings["socket"] = os.dup(server_settings
2356
["socket"])
1233
server_settings["port"] = server_config.getint(u"DEFAULT",
1234
u"port")
2357
1235
del server_config
2358
1236
2359
1237
# Override the settings from the config file with command line
2360
1238
# options, if set.
2361
for option in ("interface", "address", "port", "debug",
2362
"priority", "servicename", "configdir",
2363
"use_dbus", "use_ipv6", "debuglevel", "restore",
2364
"statedir", "socket", "foreground"):
1239
for option in (u"interface", u"address", u"port", u"debug",
1240
u"priority", u"servicename", u"configdir",
1241
u"use_dbus", u"use_ipv6"):
2365
1242
value = getattr(options, option)
2366
1243
if value is not None:
2367
1244
server_settings[option] = value
2370
1247
for option in server_settings.keys():
2371
1248
if type(server_settings[option]) is str:
2372
1249
server_settings[option] = unicode(server_settings[option])
2373
# Debug implies foreground
2374
if server_settings["debug"]:
2375
server_settings["foreground"] = True
2376
1250
# Now we have our good server settings in "server_settings"
2377
1251
2378
1252
##################################################################
2379
1253
2380
1254
# For convenience
2381
debug = server_settings["debug"]
2382
debuglevel = server_settings["debuglevel"]
2383
use_dbus = server_settings["use_dbus"]
2384
use_ipv6 = server_settings["use_ipv6"]
2385
stored_state_path = os.path.join(server_settings["statedir"],
2386
stored_state_file)
2387
foreground = server_settings["foreground"]
2388
2389
if debug:
2390
initlogger(debug, logging.DEBUG)
2391
else:
2392
if not debuglevel:
2393
initlogger(debug)
2394
else:
2395
level = getattr(logging, debuglevel.upper())
2396
initlogger(debug, level)
2397
2398
if server_settings["servicename"] != "Mandos":
1255
debug = server_settings[u"debug"]
1256
use_dbus = server_settings[u"use_dbus"]
1257
use_ipv6 = server_settings[u"use_ipv6"]
1258
1259
if not debug:
1260
syslogger.setLevel(logging.WARNING)
1261
console.setLevel(logging.WARNING)
1262
1263
if server_settings[u"servicename"] != u"Mandos":
2399
1264
syslogger.setFormatter(logging.Formatter
2400
('Mandos ({0}) [%(process)d]:'
2401
' %(levelname)s: %(message)s'
2402
.format(server_settings
2403
["servicename"])))
1265
(u'Mandos (%s) [%%(process)d]:'
1266
u' %%(levelname)s: %%(message)s'
1267
% server_settings[u"servicename"]))
2404
1268
2405
1269
# Parse config file with clients
2406
client_config = configparser.SafeConfigParser(Client
2407
.client_defaults)
2408
client_config.read(os.path.join(server_settings["configdir"],
2409
"clients.conf"))
1270
client_defaults = { u"timeout": u"1h",
1271
u"interval": u"5m",
1272
u"checker": u"fping -q -- %%(host)s",
1273
u"host": u"",
1274
}
1275
client_config = configparser.SafeConfigParser(client_defaults)
1276
client_config.read(os.path.join(server_settings[u"configdir"],
1277
u"clients.conf"))
2410
1278
2411
1279
global mandos_dbus_service
2412
1280
mandos_dbus_service = None
2413
1281
2414
tcp_server = MandosServer((server_settings["address"],
2415
server_settings["port"]),
1282
tcp_server = MandosServer((server_settings[u"address"],
1283
server_settings[u"port"]),
2416
1284
ClientHandler,
2417
interface=(server_settings["interface"]
2418
or None),
1285
interface=server_settings[u"interface"],
2419
1286
use_ipv6=use_ipv6,
2420
1287
gnutls_priority=
2421
server_settings["priority"],
2422
use_dbus=use_dbus,
2423
socketfd=(server_settings["socket"]
2424
or None))
2425
if not foreground:
2426
pidfilename = "/var/run/mandos.pid"
2427
pidfile = None
2428
try:
2429
pidfile = open(pidfilename, "w")
2430
except IOError as e:
2431
logger.error("Could not open file %r", pidfilename,
2432
exc_info=e)
1288
server_settings[u"priority"],
1289
use_dbus=use_dbus)
1290
pidfilename = u"/var/run/mandos.pid"
1291
try:
1292
pidfile = open(pidfilename, u"w")
1293
except IOError:
1294
logger.error(u"Could not open file %r", pidfilename)
2433
1295
2434
for name in ("_mandos", "mandos", "nobody"):
1296
try:
1297
uid = pwd.getpwnam(u"_mandos").pw_uid
1298
gid = pwd.getpwnam(u"_mandos").pw_gid
1299
except KeyError:
2435
1300
try:
2436
uid = pwd.getpwnam(name).pw_uid
2437
gid = pwd.getpwnam(name).pw_gid
2438
break
1301
uid = pwd.getpwnam(u"mandos").pw_uid
1302
gid = pwd.getpwnam(u"mandos").pw_gid
2439
1303
except KeyError:
2440
continue
2441
else:
2442
uid = 65534
2443
gid = 65534
1304
try:
1305
uid = pwd.getpwnam(u"nobody").pw_uid
1306
gid = pwd.getpwnam(u"nobody").pw_gid
1307
except KeyError:
1308
uid = 65534
1309
gid = 65534
2444
1310
try:
2445
1311
os.setgid(gid)
2446
1312
os.setuid(uid)
2447
except OSError as error:
2448
if error.errno != errno.EPERM:
1313
except OSError, error:
1314
if error[0] != errno.EPERM:
2449
1315
raise error
2450
1316
1317
# Enable all possible GnuTLS debugging
2451
1318
if debug:
2452
# Enable all possible GnuTLS debugging
2453
2454
1319
# "Use a log level over 10 to enable all debugging options."
2455
1320
# - GnuTLS manual
2456
1321
gnutls.library.functions.gnutls_global_set_log_level(11)
2457
1322
2458
1323
@gnutls.library.types.gnutls_log_func
2459
1324
def debug_gnutls(level, string):
2460
logger.debug("GnuTLS: %s", string[:-1])
1325
logger.debug(u"GnuTLS: %s", string[:-1])
2461
1326
2462
1327
(gnutls.library.functions
2463
1328
.gnutls_global_set_log_function(debug_gnutls))
2464
2465
# Redirect stdin so all checkers get /dev/null
2466
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2467
os.dup2(null, sys.stdin.fileno())
2468
if null > 2:
2469
os.close(null)
2470
2471
# Need to fork before connecting to D-Bus
2472
if not foreground:
2473
# Close all input and output, do double fork, etc.
2474
daemon()
2475
2476
# multiprocessing will use threads, so before we use gobject we
2477
# need to inform gobject that threads will be used.
2478
gobject.threads_init()
2479
1329
2480
1330
global main_loop
2481
1331
# From the Avahi example code
2482
DBusGMainLoop(set_as_default=True)
1332
DBusGMainLoop(set_as_default=True )
2483
1333
main_loop = gobject.MainLoop()
2484
1334
bus = dbus.SystemBus()
2485
1335
# End of Avahi example code
2486
1336
if use_dbus:
2487
try:
2488
bus_name = dbus.service.BusName("se.recompile.Mandos",
2489
bus, do_not_queue=True)
2490
old_bus_name = (dbus.service.BusName
2491
("se.bsnet.fukt.Mandos", bus,
2492
do_not_queue=True))
2493
except dbus.exceptions.NameExistsException as e:
2494
logger.error("Disabling D-Bus:", exc_info=e)
2495
use_dbus = False
2496
server_settings["use_dbus"] = False
2497
tcp_server.use_dbus = False
1337
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
2498
1338
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2499
service = AvahiServiceToSyslog(name =
2500
server_settings["servicename"],
2501
servicetype = "_mandos._tcp",
2502
protocol = protocol, bus = bus)
1339
service = AvahiService(name = server_settings[u"servicename"],
1340
servicetype = u"_mandos._tcp",
1341
protocol = protocol, bus = bus)
2503
1342
if server_settings["interface"]:
2504
1343
service.interface = (if_nametoindex
2505
(str(server_settings["interface"])))
2506
2507
global multiprocessing_manager
2508
multiprocessing_manager = multiprocessing.Manager()
1344
(str(server_settings[u"interface"])))
2509
1345
2510
1346
client_class = Client
2511
1347
if use_dbus:
2512
1348
client_class = functools.partial(ClientDBus, bus = bus)
2513
2514
client_settings = Client.config_parser(client_config)
2515
old_client_settings = {}
2516
clients_data = {}
2517
2518
# Get client data and settings from last running state.
2519
if server_settings["restore"]:
2520
try:
2521
with open(stored_state_path, "rb") as stored_state:
2522
clients_data, old_client_settings = (pickle.load
2523
(stored_state))
2524
os.remove(stored_state_path)
2525
except IOError as e:
2526
if e.errno == errno.ENOENT:
2527
logger.warning("Could not load persistent state: {0}"
2528
.format(os.strerror(e.errno)))
2529
else:
2530
logger.critical("Could not load persistent state:",
2531
exc_info=e)
2532
raise
2533
except EOFError as e:
2534
logger.warning("Could not load persistent state: "
2535
"EOFError:", exc_info=e)
2536
2537
with PGPEngine() as pgp:
2538
for client_name, client in clients_data.iteritems():
2539
# Decide which value to use after restoring saved state.
2540
# We have three different values: Old config file,
2541
# new config file, and saved state.
2542
# New config value takes precedence if it differs from old
2543
# config value, otherwise use saved state.
2544
for name, value in client_settings[client_name].items():
2545
try:
2546
# For each value in new config, check if it
2547
# differs from the old config value (Except for
2548
# the "secret" attribute)
2549
if (name != "secret" and
2550
value != old_client_settings[client_name]
2551
[name]):
2552
client[name] = value
2553
except KeyError:
2554
pass
2555
2556
# Clients who has passed its expire date can still be
2557
# enabled if its last checker was successful. Clients
2558
# whose checker succeeded before we stored its state is
2559
# assumed to have successfully run all checkers during
2560
# downtime.
2561
if client["enabled"]:
2562
if datetime.datetime.utcnow() >= client["expires"]:
2563
if not client["last_checked_ok"]:
2564
logger.warning(
2565
"disabling client {0} - Client never "
2566
"performed a successful checker"
2567
.format(client_name))
2568
client["enabled"] = False
2569
elif client["last_checker_status"] != 0:
2570
logger.warning(
2571
"disabling client {0} - Client "
2572
"last checker failed with error code {1}"
2573
.format(client_name,
2574
client["last_checker_status"]))
2575
client["enabled"] = False
2576
else:
2577
client["expires"] = (datetime.datetime
2578
.utcnow()
2579
+ client["timeout"])
2580
logger.debug("Last checker succeeded,"
2581
" keeping {0} enabled"
2582
.format(client_name))
2583
try:
2584
client["secret"] = (
2585
pgp.decrypt(client["encrypted_secret"],
2586
client_settings[client_name]
2587
["secret"]))
2588
except PGPError:
2589
# If decryption fails, we use secret from new settings
2590
logger.debug("Failed to decrypt {0} old secret"
2591
.format(client_name))
2592
client["secret"] = (
2593
client_settings[client_name]["secret"])
2594
2595
# Add/remove clients based on new changes made to config
2596
for client_name in (set(old_client_settings)
2597
- set(client_settings)):
2598
del clients_data[client_name]
2599
for client_name in (set(client_settings)
2600
- set(old_client_settings)):
2601
clients_data[client_name] = client_settings[client_name]
2602
2603
# Create all client objects
2604
for client_name, client in clients_data.iteritems():
2605
tcp_server.clients[client_name] = client_class(
2606
name = client_name, settings = client)
2607
1349
tcp_server.clients.update(set(
1350
client_class(name = section,
1351
config= dict(client_config.items(section)))
1352
for section in client_config.sections()))
2608
1353
if not tcp_server.clients:
2609
logger.warning("No clients defined")
2610
2611
if not foreground:
2612
if pidfile is not None:
2613
try:
2614
with pidfile:
2615
pid = os.getpid()
2616
pidfile.write(str(pid) + "\n".encode("utf-8"))
2617
except IOError:
2618
logger.error("Could not write to file %r with PID %d",
2619
pidfilename, pid)
1354
logger.warning(u"No clients defined")
1355
1356
if debug:
1357
# Redirect stdin so all checkers get /dev/null
1358
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1359
os.dup2(null, sys.stdin.fileno())
1360
if null > 2:
1361
os.close(null)
1362
else:
1363
# No console logging
1364
logger.removeHandler(console)
1365
# Close all input and output, do double fork, etc.
1366
daemon()
1367
1368
try:
1369
with closing(pidfile):
1370
pid = os.getpid()
1371
pidfile.write(str(pid) + "\n")
2620
1372
del pidfile
2621
del pidfilename
2622
1373
except IOError:
1374
logger.error(u"Could not write to file %r with PID %d",
1375
pidfilename, pid)
1376
except NameError:
1377
# "pidfile" was never created
1378
pass
1379
del pidfilename
1380
1381
def cleanup():
1382
"Cleanup function; run on exit"
1383
service.cleanup()
1384
1385
while tcp_server.clients:
1386
client = tcp_server.clients.pop()
1387
client.disable_hook = None
1388
client.disable()
1389
1390
atexit.register(cleanup)
1391
1392
if not debug:
1393
signal.signal(signal.SIGINT, signal.SIG_IGN)
2623
1394
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2624
1395
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2625
1396
2626
1397
if use_dbus:
2627
@alternate_dbus_interfaces({"se.recompile.Mandos":
2628
"se.bsnet.fukt.Mandos"})
2629
class MandosDBusService(DBusObjectWithProperties):
1398
class MandosDBusService(dbus.service.Object):
2630
1399
"""A D-Bus proxy object"""
2631
1400
def __init__(self):
2632
dbus.service.Object.__init__(self, bus, "/")
2633
_interface = "se.recompile.Mandos"
2634
2635
@dbus_interface_annotations(_interface)
2636
def _foo(self):
2637
return { "org.freedesktop.DBus.Property"
2638
".EmitsChangedSignal":
2639
"false"}
2640
2641
@dbus.service.signal(_interface, signature="o")
2642
def ClientAdded(self, objpath):
2643
"D-Bus signal"
2644
pass
2645
2646
@dbus.service.signal(_interface, signature="ss")
2647
def ClientNotFound(self, fingerprint, address):
2648
"D-Bus signal"
2649
pass
2650
2651
@dbus.service.signal(_interface, signature="os")
1401
dbus.service.Object.__init__(self, bus, u"/")
1402
_interface = u"se.bsnet.fukt.Mandos"
1403
1404
@dbus.service.signal(_interface, signature=u"oa{sv}")
1405
def ClientAdded(self, objpath, properties):
1406
"D-Bus signal"
1407
pass
1408
1409
@dbus.service.signal(_interface, signature=u"s")
1410
def ClientNotFound(self, fingerprint):
1411
"D-Bus signal"
1412
pass
1413
1414
@dbus.service.signal(_interface, signature=u"os")
2652
1415
def ClientRemoved(self, objpath, name):
2653
1416
"D-Bus signal"
2654
1417
pass
2655
1418
2656
@dbus.service.method(_interface, out_signature="ao")
1419
@dbus.service.method(_interface, out_signature=u"ao")
2657
1420
def GetAllClients(self):
2658
1421
"D-Bus method"
2659
1422
return dbus.Array(c.dbus_object_path
2660
for c in
2661
tcp_server.clients.itervalues())
1423
for c in tcp_server.clients)
2662
1424
2663
1425
@dbus.service.method(_interface,
2664
out_signature="a{oa{sv}}")
1426
out_signature=u"a{oa{sv}}")
2665
1427
def GetAllClientsWithProperties(self):
2666
1428
"D-Bus method"
2667
1429
return dbus.Dictionary(
2668
((c.dbus_object_path, c.GetAll(""))
2669
for c in tcp_server.clients.itervalues()),
2670
signature="oa{sv}")
1430
((c.dbus_object_path, c.GetAllProperties())
1431
for c in tcp_server.clients),
1432
signature=u"oa{sv}")
2671
1433
2672
@dbus.service.method(_interface, in_signature="o")
1434
@dbus.service.method(_interface, in_signature=u"o")
2673
1435
def RemoveClient(self, object_path):
2674
1436
"D-Bus method"
2675
for c in tcp_server.clients.itervalues():
1437
for c in tcp_server.clients:
2676
1438
if c.dbus_object_path == object_path:
2677
del tcp_server.clients[c.name]
1439
tcp_server.clients.remove(c)
2678
1440
c.remove_from_connection()
2679
1441
# Don't signal anything except ClientRemoved
2680
c.disable(quiet=True)
1442
c.disable(signal=False)
2681
1443
# Emit D-Bus signal
2682
1444
self.ClientRemoved(object_path, c.name)
2683
1445
return
2684
raise KeyError(object_path)
1446
raise KeyError
2685
1447
2686
1448
del _interface
2687
1449
2688
1450
mandos_dbus_service = MandosDBusService()
2689
1451
2690
def cleanup():
2691
"Cleanup function; run on exit"
2692
service.cleanup()
2693
2694
multiprocessing.active_children()
2695
if not (tcp_server.clients or client_settings):
2696
return
2697
2698
# Store client before exiting. Secrets are encrypted with key
2699
# based on what config file has. If config file is
2700
# removed/edited, old secret will thus be unrecovable.
2701
clients = {}
2702
with PGPEngine() as pgp:
2703
for client in tcp_server.clients.itervalues():
2704
key = client_settings[client.name]["secret"]
2705
client.encrypted_secret = pgp.encrypt(client.secret,
2706
key)
2707
client_dict = {}
2708
2709
# A list of attributes that can not be pickled
2710
# + secret.
2711
exclude = set(("bus", "changedstate", "secret",
2712
"checker"))
2713
for name, typ in (inspect.getmembers
2714
(dbus.service.Object)):
2715
exclude.add(name)
2716
2717
client_dict["encrypted_secret"] = (client
2718
.encrypted_secret)
2719
for attr in client.client_structure:
2720
if attr not in exclude:
2721
client_dict[attr] = getattr(client, attr)
2722
2723
clients[client.name] = client_dict
2724
del client_settings[client.name]["secret"]
2725
2726
try:
2727
with (tempfile.NamedTemporaryFile
2728
(mode='wb', suffix=".pickle", prefix='clients-',
2729
dir=os.path.dirname(stored_state_path),
2730
delete=False)) as stored_state:
2731
pickle.dump((clients, client_settings), stored_state)
2732
tempname=stored_state.name
2733
os.rename(tempname, stored_state_path)
2734
except (IOError, OSError) as e:
2735
if not debug:
2736
try:
2737
os.remove(tempname)
2738
except NameError:
2739
pass
2740
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2741
logger.warning("Could not save persistent state: {0}"
2742
.format(os.strerror(e.errno)))
2743
else:
2744
logger.warning("Could not save persistent state:",
2745
exc_info=e)
2746
raise e
2747
2748
# Delete all clients, and settings from config
2749
while tcp_server.clients:
2750
name, client = tcp_server.clients.popitem()
2751
if use_dbus:
2752
client.remove_from_connection()
2753
# Don't signal anything except ClientRemoved
2754
client.disable(quiet=True)
2755
if use_dbus:
2756
# Emit D-Bus signal
2757
mandos_dbus_service.ClientRemoved(client
2758
.dbus_object_path,
2759
client.name)
2760
client_settings.clear()
2761
2762
atexit.register(cleanup)
2763
2764
for client in tcp_server.clients.itervalues():
1452
for client in tcp_server.clients:
2765
1453
if use_dbus:
2766
1454
# Emit D-Bus signal
2767
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2768
# Need to initiate checking of clients
2769
if client.enabled:
2770
client.init_checker()
1455
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1456
client.GetAllProperties())
1457
client.enable()
2771
1458
2772
1459
tcp_server.enable()
2773
1460
tcp_server.server_activate()
2775
1462
# Find out what port we got
2776
1463
service.port = tcp_server.socket.getsockname()[1]
2777
1464
if use_ipv6:
2778
logger.info("Now listening on address %r, port %d,"
2779
" flowinfo %d, scope_id %d",
2780
*tcp_server.socket.getsockname())
1465
logger.info(u"Now listening on address %r, port %d,"
1466
" flowinfo %d, scope_id %d"
1467
% tcp_server.socket.getsockname())
2781
1468
else: # IPv4
2782
logger.info("Now listening on address %r, port %d",
2783
*tcp_server.socket.getsockname())
1469
logger.info(u"Now listening on address %r, port %d"
1470
% tcp_server.socket.getsockname())
2784
1471
2785
1472
#service.interface = tcp_server.socket.getsockname()[3]
2786
1473
2788
1475
# From the Avahi example code
2789
1476
try:
2790
1477
service.activate()
2791
except dbus.exceptions.DBusException as error:
2792
logger.critical("D-Bus Exception", exc_info=error)
2793
cleanup()
1478
except dbus.exceptions.DBusException, error:
1479
logger.critical(u"DBusException: %s", error)
2794
1480
sys.exit(1)
2795
1481
# End of Avahi example code
2796
1482
2799
1485
(tcp_server.handle_request
2800
1486
(*args[2:], **kwargs) or True))
2801
1487
2802
logger.debug("Starting main loop")
1488
logger.debug(u"Starting main loop")
2803
1489
main_loop.run()
2804
except AvahiError as error:
2805
logger.critical("Avahi Error", exc_info=error)
2806
cleanup()
1490
except AvahiError, error:
1491
logger.critical(u"AvahiError: %s", error)
2807
1492
sys.exit(1)
2808
1493
except KeyboardInterrupt:
2809
1494
if debug:
2810
print("", file=sys.stderr)
2811
logger.debug("Server received KeyboardInterrupt")
2812
logger.debug("Server exiting")
2813
# Must run before the D-Bus bus name gets deregistered
2814
cleanup()
1495
print >> sys.stderr
1496
logger.debug(u"Server received KeyboardInterrupt")
1497
logger.debug(u"Server exiting")
2815
1498
2816
1499
if __name__ == '__main__':
2817
1500
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0