/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2009-11-05 02:12:57 UTC
  • Revision ID: teddy@fukt.bsnet.se-20091105021257-l2b5nb1v4pc2tupw
* mandos (ClientDBus.disable): Bug fix: complete rename of "log" and
                               "signal" to "quiet".

Show diffs side-by-side

added added

removed removed

Lines of Context:
11
11
# "AvahiService" class, and some lines in "main".
12
12
13
13
# Everything else is
14
 
# Copyright © 2008-2012 Teddy Hogeborn
15
 
# Copyright © 2008-2012 Björn Påhlsson
 
14
# Copyright © 2008,2009 Teddy Hogeborn
 
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program.  If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
31
 
# Contact the authors at <mandos@recompile.se>.
 
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
33
33
 
34
 
from __future__ import (division, absolute_import, print_function,
35
 
                        unicode_literals)
36
 
 
37
 
from future_builtins import *
 
34
from __future__ import division, with_statement, absolute_import
38
35
 
39
36
import SocketServer as socketserver
40
37
import socket
41
 
import argparse
 
38
import optparse
42
39
import datetime
43
40
import errno
44
41
import gnutls.crypto
58
55
import logging
59
56
import logging.handlers
60
57
import pwd
61
 
import contextlib
 
58
from contextlib import closing
62
59
import struct
63
60
import fcntl
64
61
import functools
65
 
import cPickle as pickle
66
 
import multiprocessing
67
 
import types
68
 
import binascii
69
 
import tempfile
70
 
import itertools
71
 
import collections
72
62
 
73
63
import dbus
74
64
import dbus.service
79
69
import ctypes.util
80
70
import xml.dom.minidom
81
71
import inspect
82
 
import GnuPGInterface
83
72
 
84
73
try:
85
74
    SO_BINDTODEVICE = socket.SO_BINDTODEVICE
89
78
    except ImportError:
90
79
        SO_BINDTODEVICE = None
91
80
 
92
 
version = "1.6.0"
93
 
stored_state_file = "clients.pickle"
94
 
 
95
 
logger = logging.getLogger()
 
81
 
 
82
version = "1.0.14"
 
83
 
 
84
logger = logging.Logger(u'mandos')
96
85
syslogger = (logging.handlers.SysLogHandler
97
86
             (facility = logging.handlers.SysLogHandler.LOG_DAEMON,
98
 
              address = str("/dev/log")))
99
 
 
100
 
try:
101
 
    if_nametoindex = (ctypes.cdll.LoadLibrary
102
 
                      (ctypes.util.find_library("c"))
103
 
                      .if_nametoindex)
104
 
except (OSError, AttributeError):
105
 
    def if_nametoindex(interface):
106
 
        "Get an interface index the hard way, i.e. using fcntl()"
107
 
        SIOCGIFINDEX = 0x8933  # From /usr/include/linux/sockios.h
108
 
        with contextlib.closing(socket.socket()) as s:
109
 
            ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
110
 
                                struct.pack(str("16s16x"),
111
 
                                            interface))
112
 
        interface_index = struct.unpack(str("I"),
113
 
                                        ifreq[16:20])[0]
114
 
        return interface_index
115
 
 
116
 
 
117
 
def initlogger(debug, level=logging.WARNING):
118
 
    """init logger and add loglevel"""
119
 
    
120
 
    syslogger.setFormatter(logging.Formatter
121
 
                           ('Mandos [%(process)d]: %(levelname)s:'
122
 
                            ' %(message)s'))
123
 
    logger.addHandler(syslogger)
124
 
    
125
 
    if debug:
126
 
        console = logging.StreamHandler()
127
 
        console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
128
 
                                               ' [%(process)d]:'
129
 
                                               ' %(levelname)s:'
130
 
                                               ' %(message)s'))
131
 
        logger.addHandler(console)
132
 
    logger.setLevel(level)
133
 
 
134
 
 
135
 
class PGPError(Exception):
136
 
    """Exception if encryption/decryption fails"""
137
 
    pass
138
 
 
139
 
 
140
 
class PGPEngine(object):
141
 
    """A simple class for OpenPGP symmetric encryption & decryption"""
142
 
    def __init__(self):
143
 
        self.gnupg = GnuPGInterface.GnuPG()
144
 
        self.tempdir = tempfile.mkdtemp(prefix="mandos-")
145
 
        self.gnupg = GnuPGInterface.GnuPG()
146
 
        self.gnupg.options.meta_interactive = False
147
 
        self.gnupg.options.homedir = self.tempdir
148
 
        self.gnupg.options.extra_args.extend(['--force-mdc',
149
 
                                              '--quiet',
150
 
                                              '--no-use-agent'])
151
 
    
152
 
    def __enter__(self):
153
 
        return self
154
 
    
155
 
    def __exit__(self, exc_type, exc_value, traceback):
156
 
        self._cleanup()
157
 
        return False
158
 
    
159
 
    def __del__(self):
160
 
        self._cleanup()
161
 
    
162
 
    def _cleanup(self):
163
 
        if self.tempdir is not None:
164
 
            # Delete contents of tempdir
165
 
            for root, dirs, files in os.walk(self.tempdir,
166
 
                                             topdown = False):
167
 
                for filename in files:
168
 
                    os.remove(os.path.join(root, filename))
169
 
                for dirname in dirs:
170
 
                    os.rmdir(os.path.join(root, dirname))
171
 
            # Remove tempdir
172
 
            os.rmdir(self.tempdir)
173
 
            self.tempdir = None
174
 
    
175
 
    def password_encode(self, password):
176
 
        # Passphrase can not be empty and can not contain newlines or
177
 
        # NUL bytes.  So we prefix it and hex encode it.
178
 
        return b"mandos" + binascii.hexlify(password)
179
 
    
180
 
    def encrypt(self, data, password):
181
 
        self.gnupg.passphrase = self.password_encode(password)
182
 
        with open(os.devnull, "w") as devnull:
183
 
            try:
184
 
                proc = self.gnupg.run(['--symmetric'],
185
 
                                      create_fhs=['stdin', 'stdout'],
186
 
                                      attach_fhs={'stderr': devnull})
187
 
                with contextlib.closing(proc.handles['stdin']) as f:
188
 
                    f.write(data)
189
 
                with contextlib.closing(proc.handles['stdout']) as f:
190
 
                    ciphertext = f.read()
191
 
                proc.wait()
192
 
            except IOError as e:
193
 
                raise PGPError(e)
194
 
        self.gnupg.passphrase = None
195
 
        return ciphertext
196
 
    
197
 
    def decrypt(self, data, password):
198
 
        self.gnupg.passphrase = self.password_encode(password)
199
 
        with open(os.devnull, "w") as devnull:
200
 
            try:
201
 
                proc = self.gnupg.run(['--decrypt'],
202
 
                                      create_fhs=['stdin', 'stdout'],
203
 
                                      attach_fhs={'stderr': devnull})
204
 
                with contextlib.closing(proc.handles['stdin']) as f:
205
 
                    f.write(data)
206
 
                with contextlib.closing(proc.handles['stdout']) as f:
207
 
                    decrypted_plaintext = f.read()
208
 
                proc.wait()
209
 
            except IOError as e:
210
 
                raise PGPError(e)
211
 
        self.gnupg.passphrase = None
212
 
        return decrypted_plaintext
213
 
 
 
87
              address = "/dev/log"))
 
88
syslogger.setFormatter(logging.Formatter
 
89
                       (u'Mandos [%(process)d]: %(levelname)s:'
 
90
                        u' %(message)s'))
 
91
logger.addHandler(syslogger)
 
92
 
 
93
console = logging.StreamHandler()
 
94
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
 
95
                                       u' %(levelname)s:'
 
96
                                       u' %(message)s'))
 
97
logger.addHandler(console)
214
98
 
215
99
class AvahiError(Exception):
216
100
    def __init__(self, value, *args, **kwargs):
232
116
    Attributes:
233
117
    interface: integer; avahi.IF_UNSPEC or an interface index.
234
118
               Used to optionally bind to the specified interface.
235
 
    name: string; Example: 'Mandos'
236
 
    type: string; Example: '_mandos._tcp'.
 
119
    name: string; Example: u'Mandos'
 
120
    type: string; Example: u'_mandos._tcp'.
237
121
                  See <http://www.dns-sd.org/ServiceTypes.html>
238
122
    port: integer; what port to announce
239
123
    TXT: list of strings; TXT record for the service
246
130
    server: D-Bus Server
247
131
    bus: dbus.SystemBus()
248
132
    """
249
 
    
250
133
    def __init__(self, interface = avahi.IF_UNSPEC, name = None,
251
134
                 servicetype = None, port = None, TXT = None,
252
 
                 domain = "", host = "", max_renames = 32768,
 
135
                 domain = u"", host = u"", max_renames = 32768,
253
136
                 protocol = avahi.PROTO_UNSPEC, bus = None):
254
137
        self.interface = interface
255
138
        self.name = name
264
147
        self.group = None       # our entry group
265
148
        self.server = None
266
149
        self.bus = bus
267
 
        self.entry_group_state_changed_match = None
268
 
    
269
150
    def rename(self):
270
151
        """Derived from the Avahi example code"""
271
152
        if self.rename_count >= self.max_renames:
272
 
            logger.critical("No suitable Zeroconf service name found"
273
 
                            " after %i retries, exiting.",
 
153
            logger.critical(u"No suitable Zeroconf service name found"
 
154
                            u" after %i retries, exiting.",
274
155
                            self.rename_count)
275
 
            raise AvahiServiceError("Too many renames")
276
 
        self.name = unicode(self.server
277
 
                            .GetAlternativeServiceName(self.name))
278
 
        logger.info("Changing Zeroconf service name to %r ...",
279
 
                    self.name)
 
156
            raise AvahiServiceError(u"Too many renames")
 
157
        self.name = self.server.GetAlternativeServiceName(self.name)
 
158
        logger.info(u"Changing Zeroconf service name to %r ...",
 
159
                    unicode(self.name))
 
160
        syslogger.setFormatter(logging.Formatter
 
161
                               (u'Mandos (%s) [%%(process)d]:'
 
162
                                u' %%(levelname)s: %%(message)s'
 
163
                                % self.name))
280
164
        self.remove()
281
 
        try:
282
 
            self.add()
283
 
        except dbus.exceptions.DBusException as error:
284
 
            logger.critical("D-Bus Exception", exc_info=error)
285
 
            self.cleanup()
286
 
            os._exit(1)
 
165
        self.add()
287
166
        self.rename_count += 1
288
 
    
289
167
    def remove(self):
290
168
        """Derived from the Avahi example code"""
291
 
        if self.entry_group_state_changed_match is not None:
292
 
            self.entry_group_state_changed_match.remove()
293
 
            self.entry_group_state_changed_match = None
294
169
        if self.group is not None:
295
170
            self.group.Reset()
296
 
    
297
171
    def add(self):
298
172
        """Derived from the Avahi example code"""
299
 
        self.remove()
300
173
        if self.group is None:
301
174
            self.group = dbus.Interface(
302
175
                self.bus.get_object(avahi.DBUS_NAME,
303
176
                                    self.server.EntryGroupNew()),
304
177
                avahi.DBUS_INTERFACE_ENTRY_GROUP)
305
 
        self.entry_group_state_changed_match = (
306
 
            self.group.connect_to_signal(
307
 
                'StateChanged', self.entry_group_state_changed))
308
 
        logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
 
178
            self.group.connect_to_signal('StateChanged',
 
179
                                         self
 
180
                                         .entry_group_state_changed)
 
181
        logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
309
182
                     self.name, self.type)
310
183
        self.group.AddService(
311
184
            self.interface,
316
189
            dbus.UInt16(self.port),
317
190
            avahi.string_array_to_txt_array(self.TXT))
318
191
        self.group.Commit()
319
 
    
320
192
    def entry_group_state_changed(self, state, error):
321
193
        """Derived from the Avahi example code"""
322
 
        logger.debug("Avahi entry group state change: %i", state)
 
194
        logger.debug(u"Avahi state change: %i", state)
323
195
        
324
196
        if state == avahi.ENTRY_GROUP_ESTABLISHED:
325
 
            logger.debug("Zeroconf service established.")
 
197
            logger.debug(u"Zeroconf service established.")
326
198
        elif state == avahi.ENTRY_GROUP_COLLISION:
327
 
            logger.info("Zeroconf service name collision.")
 
199
            logger.warning(u"Zeroconf service name collision.")
328
200
            self.rename()
329
201
        elif state == avahi.ENTRY_GROUP_FAILURE:
330
 
            logger.critical("Avahi: Error in group state changed %s",
 
202
            logger.critical(u"Avahi: Error in group state changed %s",
331
203
                            unicode(error))
332
 
            raise AvahiGroupError("State changed: {0!s}"
333
 
                                  .format(error))
334
 
    
 
204
            raise AvahiGroupError(u"State changed: %s"
 
205
                                  % unicode(error))
335
206
    def cleanup(self):
336
207
        """Derived from the Avahi example code"""
337
208
        if self.group is not None:
338
 
            try:
339
 
                self.group.Free()
340
 
            except (dbus.exceptions.UnknownMethodException,
341
 
                    dbus.exceptions.DBusException):
342
 
                pass
 
209
            self.group.Free()
343
210
            self.group = None
344
 
        self.remove()
345
 
    
346
 
    def server_state_changed(self, state, error=None):
 
211
    def server_state_changed(self, state):
347
212
        """Derived from the Avahi example code"""
348
 
        logger.debug("Avahi server state change: %i", state)
349
 
        bad_states = { avahi.SERVER_INVALID:
350
 
                           "Zeroconf server invalid",
351
 
                       avahi.SERVER_REGISTERING: None,
352
 
                       avahi.SERVER_COLLISION:
353
 
                           "Zeroconf server name collision",
354
 
                       avahi.SERVER_FAILURE:
355
 
                           "Zeroconf server failure" }
356
 
        if state in bad_states:
357
 
            if bad_states[state] is not None:
358
 
                if error is None:
359
 
                    logger.error(bad_states[state])
360
 
                else:
361
 
                    logger.error(bad_states[state] + ": %r", error)
362
 
            self.cleanup()
 
213
        if state == avahi.SERVER_COLLISION:
 
214
            logger.error(u"Zeroconf server name collision")
 
215
            self.remove()
363
216
        elif state == avahi.SERVER_RUNNING:
364
217
            self.add()
365
 
        else:
366
 
            if error is None:
367
 
                logger.debug("Unknown state: %r", state)
368
 
            else:
369
 
                logger.debug("Unknown state: %r: %r", state, error)
370
 
    
371
218
    def activate(self):
372
219
        """Derived from the Avahi example code"""
373
220
        if self.server is None:
374
221
            self.server = dbus.Interface(
375
222
                self.bus.get_object(avahi.DBUS_NAME,
376
 
                                    avahi.DBUS_PATH_SERVER,
377
 
                                    follow_name_owner_changes=True),
 
223
                                    avahi.DBUS_PATH_SERVER),
378
224
                avahi.DBUS_INTERFACE_SERVER)
379
 
        self.server.connect_to_signal("StateChanged",
 
225
        self.server.connect_to_signal(u"StateChanged",
380
226
                                 self.server_state_changed)
381
227
        self.server_state_changed(self.server.GetState())
382
228
 
383
229
 
384
 
class AvahiServiceToSyslog(AvahiService):
385
 
    def rename(self):
386
 
        """Add the new name to the syslog messages"""
387
 
        ret = AvahiService.rename(self)
388
 
        syslogger.setFormatter(logging.Formatter
389
 
                               ('Mandos ({0}) [%(process)d]:'
390
 
                                ' %(levelname)s: %(message)s'
391
 
                                .format(self.name)))
392
 
        return ret
393
 
 
394
 
 
395
 
def timedelta_to_milliseconds(td):
396
 
    "Convert a datetime.timedelta() to milliseconds"
397
 
    return ((td.days * 24 * 60 * 60 * 1000)
398
 
            + (td.seconds * 1000)
399
 
            + (td.microseconds // 1000))
400
 
 
401
 
 
402
230
class Client(object):
403
231
    """A representation of a client host served by this server.
404
232
    
405
233
    Attributes:
406
 
    approved:   bool(); 'None' if not yet approved/disapproved
407
 
    approval_delay: datetime.timedelta(); Time to wait for approval
408
 
    approval_duration: datetime.timedelta(); Duration of one approval
 
234
    name:       string; from the config file, used in log messages and
 
235
                        D-Bus identifiers
 
236
    fingerprint: string (40 or 32 hexadecimal digits); used to
 
237
                 uniquely identify the client
 
238
    secret:     bytestring; sent verbatim (over TLS) to client
 
239
    host:       string; available for use by the checker command
 
240
    created:    datetime.datetime(); (UTC) object creation
 
241
    last_enabled: datetime.datetime(); (UTC)
 
242
    enabled:    bool()
 
243
    last_checked_ok: datetime.datetime(); (UTC) or None
 
244
    timeout:    datetime.timedelta(); How long from last_checked_ok
 
245
                                      until this client is invalid
 
246
    interval:   datetime.timedelta(); How often to start a new checker
 
247
    disable_hook:  If set, called by disable() as disable_hook(self)
409
248
    checker:    subprocess.Popen(); a running checker process used
410
249
                                    to see if the client lives.
411
250
                                    'None' if no process is running.
412
 
    checker_callback_tag: a gobject event source tag, or None
413
 
    checker_command: string; External command which is run to check
414
 
                     if client lives.  %() expansions are done at
 
251
    checker_initiator_tag: a gobject event source tag, or None
 
252
    disable_initiator_tag: - '' -
 
253
    checker_callback_tag:  - '' -
 
254
    checker_command: string; External command which is run to check if
 
255
                     client lives.  %() expansions are done at
415
256
                     runtime with vars(self) as dict, so that for
416
257
                     instance %(name)s can be used in the command.
417
 
    checker_initiator_tag: a gobject event source tag, or None
418
 
    created:    datetime.datetime(); (UTC) object creation
419
 
    client_structure: Object describing what attributes a client has
420
 
                      and is used for storing the client at exit
421
258
    current_checker_command: string; current running checker_command
422
 
    disable_initiator_tag: a gobject event source tag, or None
423
 
    enabled:    bool()
424
 
    fingerprint: string (40 or 32 hexadecimal digits); used to
425
 
                 uniquely identify the client
426
 
    host:       string; available for use by the checker command
427
 
    interval:   datetime.timedelta(); How often to start a new checker
428
 
    last_approval_request: datetime.datetime(); (UTC) or None
429
 
    last_checked_ok: datetime.datetime(); (UTC) or None
430
 
    last_checker_status: integer between 0 and 255 reflecting exit
431
 
                         status of last checker. -1 reflects crashed
432
 
                         checker, -2 means no checker completed yet.
433
 
    last_enabled: datetime.datetime(); (UTC) or None
434
 
    name:       string; from the config file, used in log messages and
435
 
                        D-Bus identifiers
436
 
    secret:     bytestring; sent verbatim (over TLS) to client
437
 
    timeout:    datetime.timedelta(); How long from last_checked_ok
438
 
                                      until this client is disabled
439
 
    extended_timeout:   extra long timeout when secret has been sent
440
 
    runtime_expansions: Allowed attributes for runtime expansion.
441
 
    expires:    datetime.datetime(); time (UTC) when a client will be
442
 
                disabled, or None
443
259
    """
444
260
    
445
 
    runtime_expansions = ("approval_delay", "approval_duration",
446
 
                          "created", "enabled", "expires",
447
 
                          "fingerprint", "host", "interval",
448
 
                          "last_approval_request", "last_checked_ok",
449
 
                          "last_enabled", "name", "timeout")
450
 
    client_defaults = { "timeout": "PT5M",
451
 
                        "extended_timeout": "PT15M",
452
 
                        "interval": "PT2M",
453
 
                        "checker": "fping -q -- %%(host)s",
454
 
                        "host": "",
455
 
                        "approval_delay": "PT0S",
456
 
                        "approval_duration": "PT1S",
457
 
                        "approved_by_default": "True",
458
 
                        "enabled": "True",
459
 
                        }
 
261
    @staticmethod
 
262
    def _timedelta_to_milliseconds(td):
 
263
        "Convert a datetime.timedelta() to milliseconds"
 
264
        return ((td.days * 24 * 60 * 60 * 1000)
 
265
                + (td.seconds * 1000)
 
266
                + (td.microseconds // 1000))
460
267
    
461
268
    def timeout_milliseconds(self):
462
269
        "Return the 'timeout' attribute in milliseconds"
463
 
        return timedelta_to_milliseconds(self.timeout)
464
 
    
465
 
    def extended_timeout_milliseconds(self):
466
 
        "Return the 'extended_timeout' attribute in milliseconds"
467
 
        return timedelta_to_milliseconds(self.extended_timeout)
 
270
        return self._timedelta_to_milliseconds(self.timeout)
468
271
    
469
272
    def interval_milliseconds(self):
470
273
        "Return the 'interval' attribute in milliseconds"
471
 
        return timedelta_to_milliseconds(self.interval)
472
 
    
473
 
    def approval_delay_milliseconds(self):
474
 
        return timedelta_to_milliseconds(self.approval_delay)
475
 
    
476
 
    @staticmethod
477
 
    def config_parser(config):
478
 
        """Construct a new dict of client settings of this form:
479
 
        { client_name: {setting_name: value, ...}, ...}
480
 
        with exceptions for any special settings as defined above.
481
 
        NOTE: Must be a pure function. Must return the same result
482
 
        value given the same arguments.
483
 
        """
484
 
        settings = {}
485
 
        for client_name in config.sections():
486
 
            section = dict(config.items(client_name))
487
 
            client = settings[client_name] = {}
488
 
            
489
 
            client["host"] = section["host"]
490
 
            # Reformat values from string types to Python types
491
 
            client["approved_by_default"] = config.getboolean(
492
 
                client_name, "approved_by_default")
493
 
            client["enabled"] = config.getboolean(client_name,
494
 
                                                  "enabled")
495
 
            
496
 
            client["fingerprint"] = (section["fingerprint"].upper()
497
 
                                     .replace(" ", ""))
498
 
            if "secret" in section:
499
 
                client["secret"] = section["secret"].decode("base64")
500
 
            elif "secfile" in section:
501
 
                with open(os.path.expanduser(os.path.expandvars
502
 
                                             (section["secfile"])),
503
 
                          "rb") as secfile:
504
 
                    client["secret"] = secfile.read()
505
 
            else:
506
 
                raise TypeError("No secret or secfile for section {0}"
507
 
                                .format(section))
508
 
            client["timeout"] = string_to_delta(section["timeout"])
509
 
            client["extended_timeout"] = string_to_delta(
510
 
                section["extended_timeout"])
511
 
            client["interval"] = string_to_delta(section["interval"])
512
 
            client["approval_delay"] = string_to_delta(
513
 
                section["approval_delay"])
514
 
            client["approval_duration"] = string_to_delta(
515
 
                section["approval_duration"])
516
 
            client["checker_command"] = section["checker"]
517
 
            client["last_approval_request"] = None
518
 
            client["last_checked_ok"] = None
519
 
            client["last_checker_status"] = -2
520
 
        
521
 
        return settings
522
 
    
523
 
    def __init__(self, settings, name = None):
 
274
        return self._timedelta_to_milliseconds(self.interval)
 
275
    
 
276
    def __init__(self, name = None, disable_hook=None, config=None):
 
277
        """Note: the 'checker' key in 'config' sets the
 
278
        'checker_command' attribute and *not* the 'checker'
 
279
        attribute."""
524
280
        self.name = name
525
 
        # adding all client settings
526
 
        for setting, value in settings.iteritems():
527
 
            setattr(self, setting, value)
528
 
        
529
 
        if self.enabled:
530
 
            if not hasattr(self, "last_enabled"):
531
 
                self.last_enabled = datetime.datetime.utcnow()
532
 
            if not hasattr(self, "expires"):
533
 
                self.expires = (datetime.datetime.utcnow()
534
 
                                + self.timeout)
535
 
        else:
536
 
            self.last_enabled = None
537
 
            self.expires = None
538
 
        
539
 
        logger.debug("Creating client %r", self.name)
 
281
        if config is None:
 
282
            config = {}
 
283
        logger.debug(u"Creating client %r", self.name)
540
284
        # Uppercase and remove spaces from fingerprint for later
541
285
        # comparison purposes with return value from the fingerprint()
542
286
        # function
543
 
        logger.debug("  Fingerprint: %s", self.fingerprint)
544
 
        self.created = settings.get("created",
545
 
                                    datetime.datetime.utcnow())
546
 
        
547
 
        # attributes specific for this server instance
 
287
        self.fingerprint = (config[u"fingerprint"].upper()
 
288
                            .replace(u" ", u""))
 
289
        logger.debug(u"  Fingerprint: %s", self.fingerprint)
 
290
        if u"secret" in config:
 
291
            self.secret = config[u"secret"].decode(u"base64")
 
292
        elif u"secfile" in config:
 
293
            with closing(open(os.path.expanduser
 
294
                              (os.path.expandvars
 
295
                               (config[u"secfile"])),
 
296
                              "rb")) as secfile:
 
297
                self.secret = secfile.read()
 
298
        else:
 
299
            raise TypeError(u"No secret or secfile for client %s"
 
300
                            % self.name)
 
301
        self.host = config.get(u"host", u"")
 
302
        self.created = datetime.datetime.utcnow()
 
303
        self.enabled = False
 
304
        self.last_enabled = None
 
305
        self.last_checked_ok = None
 
306
        self.timeout = string_to_delta(config[u"timeout"])
 
307
        self.interval = string_to_delta(config[u"interval"])
 
308
        self.disable_hook = disable_hook
548
309
        self.checker = None
549
310
        self.checker_initiator_tag = None
550
311
        self.disable_initiator_tag = None
551
312
        self.checker_callback_tag = None
 
313
        self.checker_command = config[u"checker"]
552
314
        self.current_checker_command = None
553
 
        self.approved = None
554
 
        self.approvals_pending = 0
555
 
        self.changedstate = (multiprocessing_manager
556
 
                             .Condition(multiprocessing_manager
557
 
                                        .Lock()))
558
 
        self.client_structure = [attr for attr in
559
 
                                 self.__dict__.iterkeys()
560
 
                                 if not attr.startswith("_")]
561
 
        self.client_structure.append("client_structure")
562
 
        
563
 
        for name, t in inspect.getmembers(type(self),
564
 
                                          lambda obj:
565
 
                                              isinstance(obj,
566
 
                                                         property)):
567
 
            if not name.startswith("_"):
568
 
                self.client_structure.append(name)
569
 
    
570
 
    # Send notice to process children that client state has changed
571
 
    def send_changedstate(self):
572
 
        with self.changedstate:
573
 
            self.changedstate.notify_all()
 
315
        self.last_connect = None
574
316
    
575
317
    def enable(self):
576
318
        """Start this client's checker and timeout hooks"""
577
 
        if getattr(self, "enabled", False):
 
319
        if getattr(self, u"enabled", False):
578
320
            # Already enabled
579
321
            return
580
 
        self.expires = datetime.datetime.utcnow() + self.timeout
581
 
        self.enabled = True
582
322
        self.last_enabled = datetime.datetime.utcnow()
583
 
        self.init_checker()
584
 
        self.send_changedstate()
585
 
    
586
 
    def disable(self, quiet=True):
587
 
        """Disable this client."""
588
 
        if not getattr(self, "enabled", False):
589
 
            return False
590
 
        if not quiet:
591
 
            logger.info("Disabling client %s", self.name)
592
 
        if getattr(self, "disable_initiator_tag", None) is not None:
593
 
            gobject.source_remove(self.disable_initiator_tag)
594
 
            self.disable_initiator_tag = None
595
 
        self.expires = None
596
 
        if getattr(self, "checker_initiator_tag", None) is not None:
597
 
            gobject.source_remove(self.checker_initiator_tag)
598
 
            self.checker_initiator_tag = None
599
 
        self.stop_checker()
600
 
        self.enabled = False
601
 
        if not quiet:
602
 
            self.send_changedstate()
603
 
        # Do not run this again if called by a gobject.timeout_add
604
 
        return False
605
 
    
606
 
    def __del__(self):
607
 
        self.disable()
608
 
    
609
 
    def init_checker(self):
610
323
        # Schedule a new checker to be started an 'interval' from now,
611
324
        # and every interval from then on.
612
 
        if self.checker_initiator_tag is not None:
613
 
            gobject.source_remove(self.checker_initiator_tag)
614
325
        self.checker_initiator_tag = (gobject.timeout_add
615
326
                                      (self.interval_milliseconds(),
616
327
                                       self.start_checker))
617
328
        # Schedule a disable() when 'timeout' has passed
618
 
        if self.disable_initiator_tag is not None:
619
 
            gobject.source_remove(self.disable_initiator_tag)
620
329
        self.disable_initiator_tag = (gobject.timeout_add
621
330
                                   (self.timeout_milliseconds(),
622
331
                                    self.disable))
 
332
        self.enabled = True
623
333
        # Also start a new checker *right now*.
624
334
        self.start_checker()
625
335
    
 
336
    def disable(self, quiet=True):
 
337
        """Disable this client."""
 
338
        if not getattr(self, "enabled", False):
 
339
            return False
 
340
        if not quiet:
 
341
            logger.info(u"Disabling client %s", self.name)
 
342
        if getattr(self, u"disable_initiator_tag", False):
 
343
            gobject.source_remove(self.disable_initiator_tag)
 
344
            self.disable_initiator_tag = None
 
345
        if getattr(self, u"checker_initiator_tag", False):
 
346
            gobject.source_remove(self.checker_initiator_tag)
 
347
            self.checker_initiator_tag = None
 
348
        self.stop_checker()
 
349
        if self.disable_hook:
 
350
            self.disable_hook(self)
 
351
        self.enabled = False
 
352
        # Do not run this again if called by a gobject.timeout_add
 
353
        return False
 
354
    
 
355
    def __del__(self):
 
356
        self.disable_hook = None
 
357
        self.disable()
 
358
    
626
359
    def checker_callback(self, pid, condition, command):
627
360
        """The checker has completed, so take appropriate actions."""
628
361
        self.checker_callback_tag = None
629
362
        self.checker = None
630
363
        if os.WIFEXITED(condition):
631
 
            self.last_checker_status = os.WEXITSTATUS(condition)
632
 
            if self.last_checker_status == 0:
633
 
                logger.info("Checker for %(name)s succeeded",
 
364
            exitstatus = os.WEXITSTATUS(condition)
 
365
            if exitstatus == 0:
 
366
                logger.info(u"Checker for %(name)s succeeded",
634
367
                            vars(self))
635
368
                self.checked_ok()
636
369
            else:
637
 
                logger.info("Checker for %(name)s failed",
 
370
                logger.info(u"Checker for %(name)s failed",
638
371
                            vars(self))
639
372
        else:
640
 
            self.last_checker_status = -1
641
 
            logger.warning("Checker for %(name)s crashed?",
 
373
            logger.warning(u"Checker for %(name)s crashed?",
642
374
                           vars(self))
643
375
    
644
376
    def checked_ok(self):
645
 
        """Assert that the client has been seen, alive and well."""
 
377
        """Bump up the timeout for this client.
 
378
        
 
379
        This should only be called when the client has been seen,
 
380
        alive and well.
 
381
        """
646
382
        self.last_checked_ok = datetime.datetime.utcnow()
647
 
        self.last_checker_status = 0
648
 
        self.bump_timeout()
649
 
    
650
 
    def bump_timeout(self, timeout=None):
651
 
        """Bump up the timeout for this client."""
652
 
        if timeout is None:
653
 
            timeout = self.timeout
654
 
        if self.disable_initiator_tag is not None:
655
 
            gobject.source_remove(self.disable_initiator_tag)
656
 
            self.disable_initiator_tag = None
657
 
        if getattr(self, "enabled", False):
658
 
            self.disable_initiator_tag = (gobject.timeout_add
659
 
                                          (timedelta_to_milliseconds
660
 
                                           (timeout), self.disable))
661
 
            self.expires = datetime.datetime.utcnow() + timeout
662
 
    
663
 
    def need_approval(self):
664
 
        self.last_approval_request = datetime.datetime.utcnow()
 
383
        gobject.source_remove(self.disable_initiator_tag)
 
384
        self.disable_initiator_tag = (gobject.timeout_add
 
385
                                      (self.timeout_milliseconds(),
 
386
                                       self.disable))
665
387
    
666
388
    def start_checker(self):
667
389
        """Start a new checker subprocess if one is not running.
669
391
        If a checker already exists, leave it running and do
670
392
        nothing."""
671
393
        # The reason for not killing a running checker is that if we
672
 
        # did that, and if a checker (for some reason) started running
673
 
        # slowly and taking more than 'interval' time, then the client
674
 
        # would inevitably timeout, since no checker would get a
675
 
        # chance to run to completion.  If we instead leave running
 
394
        # did that, then if a checker (for some reason) started
 
395
        # running slowly and taking more than 'interval' time, the
 
396
        # client would inevitably timeout, since no checker would get
 
397
        # a chance to run to completion.  If we instead leave running
676
398
        # checkers alone, the checker would have to take more time
677
 
        # than 'timeout' for the client to be disabled, which is as it
678
 
        # should be.
 
399
        # than 'timeout' for the client to be declared invalid, which
 
400
        # is as it should be.
679
401
        
680
402
        # If a checker exists, make sure it is not a zombie
681
403
        try:
682
404
            pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
683
 
        except (AttributeError, OSError) as error:
 
405
        except (AttributeError, OSError), error:
684
406
            if (isinstance(error, OSError)
685
407
                and error.errno != errno.ECHILD):
686
408
                raise error
687
409
        else:
688
410
            if pid:
689
 
                logger.warning("Checker was a zombie")
 
411
                logger.warning(u"Checker was a zombie")
690
412
                gobject.source_remove(self.checker_callback_tag)
691
413
                self.checker_callback(pid, status,
692
414
                                      self.current_checker_command)
693
415
        # Start a new checker if needed
694
416
        if self.checker is None:
695
 
            # Escape attributes for the shell
696
 
            escaped_attrs = dict(
697
 
                (attr, re.escape(unicode(getattr(self, attr))))
698
 
                for attr in
699
 
                self.runtime_expansions)
700
417
            try:
701
 
                command = self.checker_command % escaped_attrs
702
 
            except TypeError as error:
703
 
                logger.error('Could not format string "%s"',
704
 
                             self.checker_command, exc_info=error)
705
 
                return True # Try again later
 
418
                # In case checker_command has exactly one % operator
 
419
                command = self.checker_command % self.host
 
420
            except TypeError:
 
421
                # Escape attributes for the shell
 
422
                escaped_attrs = dict((key,
 
423
                                      re.escape(unicode(str(val),
 
424
                                                        errors=
 
425
                                                        u'replace')))
 
426
                                     for key, val in
 
427
                                     vars(self).iteritems())
 
428
                try:
 
429
                    command = self.checker_command % escaped_attrs
 
430
                except TypeError, error:
 
431
                    logger.error(u'Could not format string "%s":'
 
432
                                 u' %s', self.checker_command, error)
 
433
                    return True # Try again later
706
434
            self.current_checker_command = command
707
435
            try:
708
 
                logger.info("Starting checker %r for %s",
 
436
                logger.info(u"Starting checker %r for %s",
709
437
                            command, self.name)
710
438
                # We don't need to redirect stdout and stderr, since
711
439
                # in normal mode, that is already done by daemon(),
713
441
                # always replaced by /dev/null.)
714
442
                self.checker = subprocess.Popen(command,
715
443
                                                close_fds=True,
716
 
                                                shell=True, cwd="/")
717
 
            except OSError as error:
718
 
                logger.error("Failed to start subprocess",
719
 
                             exc_info=error)
720
 
                return True
721
 
            self.checker_callback_tag = (gobject.child_watch_add
722
 
                                         (self.checker.pid,
723
 
                                          self.checker_callback,
724
 
                                          data=command))
725
 
            # The checker may have completed before the gobject
726
 
            # watch was added.  Check for this.
727
 
            try:
 
444
                                                shell=True, cwd=u"/")
 
445
                self.checker_callback_tag = (gobject.child_watch_add
 
446
                                             (self.checker.pid,
 
447
                                              self.checker_callback,
 
448
                                              data=command))
 
449
                # The checker may have completed before the gobject
 
450
                # watch was added.  Check for this.
728
451
                pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
729
 
            except OSError as error:
730
 
                if error.errno == errno.ECHILD:
731
 
                    logger.error("Child process vanished", exc_info=error)
732
 
                    return True
733
 
                raise
734
 
            if pid:
735
 
                gobject.source_remove(self.checker_callback_tag)
736
 
                self.checker_callback(pid, status, command)
 
452
                if pid:
 
453
                    gobject.source_remove(self.checker_callback_tag)
 
454
                    self.checker_callback(pid, status, command)
 
455
            except OSError, error:
 
456
                logger.error(u"Failed to start subprocess: %s",
 
457
                             error)
737
458
        # Re-run this periodically if run by gobject.timeout_add
738
459
        return True
739
460
    
742
463
        if self.checker_callback_tag:
743
464
            gobject.source_remove(self.checker_callback_tag)
744
465
            self.checker_callback_tag = None
745
 
        if getattr(self, "checker", None) is None:
 
466
        if getattr(self, u"checker", None) is None:
746
467
            return
747
 
        logger.debug("Stopping checker for %(name)s", vars(self))
 
468
        logger.debug(u"Stopping checker for %(name)s", vars(self))
748
469
        try:
749
 
            self.checker.terminate()
 
470
            os.kill(self.checker.pid, signal.SIGTERM)
750
471
            #time.sleep(0.5)
751
472
            #if self.checker.poll() is None:
752
 
            #    self.checker.kill()
753
 
        except OSError as error:
 
473
            #    os.kill(self.checker.pid, signal.SIGKILL)
 
474
        except OSError, error:
754
475
            if error.errno != errno.ESRCH: # No such process
755
476
                raise
756
477
        self.checker = None
757
 
 
758
 
 
759
 
def dbus_service_property(dbus_interface, signature="v",
760
 
                          access="readwrite", byte_arrays=False):
 
478
    
 
479
    def still_valid(self):
 
480
        """Has the timeout not yet passed for this client?"""
 
481
        if not getattr(self, u"enabled", False):
 
482
            return False
 
483
        now = datetime.datetime.utcnow()
 
484
        if self.last_checked_ok is None:
 
485
            return now < (self.created + self.timeout)
 
486
        else:
 
487
            return now < (self.last_checked_ok + self.timeout)
 
488
 
 
489
 
 
490
def dbus_service_property(dbus_interface, signature=u"v",
 
491
                          access=u"readwrite", byte_arrays=False):
761
492
    """Decorators for marking methods of a DBusObjectWithProperties to
762
493
    become properties on the D-Bus.
763
494
    
768
499
    dbus.service.method, except there is only "signature", since the
769
500
    type from Get() and the type sent to Set() is the same.
770
501
    """
771
 
    # Encoding deeply encoded byte arrays is not supported yet by the
772
 
    # "Set" method, so we fail early here:
773
 
    if byte_arrays and signature != "ay":
774
 
        raise ValueError("Byte arrays not supported for non-'ay'"
775
 
                         " signature {0!r}".format(signature))
776
502
    def decorator(func):
777
503
        func._dbus_is_property = True
778
504
        func._dbus_interface = dbus_interface
779
505
        func._dbus_signature = signature
780
506
        func._dbus_access = access
781
507
        func._dbus_name = func.__name__
782
 
        if func._dbus_name.endswith("_dbus_property"):
 
508
        if func._dbus_name.endswith(u"_dbus_property"):
783
509
            func._dbus_name = func._dbus_name[:-14]
784
 
        func._dbus_get_args_options = {'byte_arrays': byte_arrays }
785
 
        return func
786
 
    return decorator
787
 
 
788
 
 
789
 
def dbus_interface_annotations(dbus_interface):
790
 
    """Decorator for marking functions returning interface annotations
791
 
    
792
 
    Usage:
793
 
    
794
 
    @dbus_interface_annotations("org.example.Interface")
795
 
    def _foo(self):  # Function name does not matter
796
 
        return {"org.freedesktop.DBus.Deprecated": "true",
797
 
                "org.freedesktop.DBus.Property.EmitsChangedSignal":
798
 
                    "false"}
799
 
    """
800
 
    def decorator(func):
801
 
        func._dbus_is_interface = True
802
 
        func._dbus_interface = dbus_interface
803
 
        func._dbus_name = dbus_interface
804
 
        return func
805
 
    return decorator
806
 
 
807
 
 
808
 
def dbus_annotations(annotations):
809
 
    """Decorator to annotate D-Bus methods, signals or properties
810
 
    Usage:
811
 
    
812
 
    @dbus_service_property("org.example.Interface", signature="b",
813
 
                           access="r")
814
 
    @dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
815
 
                        "org.freedesktop.DBus.Property."
816
 
                        "EmitsChangedSignal": "false"})
817
 
    def Property_dbus_property(self):
818
 
        return dbus.Boolean(False)
819
 
    """
820
 
    def decorator(func):
821
 
        func._dbus_annotations = annotations
 
510
        func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
822
511
        return func
823
512
    return decorator
824
513
 
844
533
 
845
534
class DBusObjectWithProperties(dbus.service.Object):
846
535
    """A D-Bus object with properties.
847
 
    
 
536
 
848
537
    Classes inheriting from this can use the dbus_service_property
849
538
    decorator to expose methods as D-Bus properties.  It exposes the
850
539
    standard Get(), Set(), and GetAll() methods on the D-Bus.
851
540
    """
852
541
    
853
542
    @staticmethod
854
 
    def _is_dbus_thing(thing):
855
 
        """Returns a function testing if an attribute is a D-Bus thing
856
 
        
857
 
        If called like _is_dbus_thing("method") it returns a function
858
 
        suitable for use as predicate to inspect.getmembers().
859
 
        """
860
 
        return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
861
 
                                   False)
 
543
    def _is_dbus_property(obj):
 
544
        return getattr(obj, u"_dbus_is_property", False)
862
545
    
863
 
    def _get_all_dbus_things(self, thing):
 
546
    def _get_all_dbus_properties(self):
864
547
        """Returns a generator of (name, attribute) pairs
865
548
        """
866
 
        return ((getattr(athing.__get__(self), "_dbus_name",
867
 
                         name),
868
 
                 athing.__get__(self))
869
 
                for cls in self.__class__.__mro__
870
 
                for name, athing in
871
 
                inspect.getmembers(cls,
872
 
                                   self._is_dbus_thing(thing)))
 
549
        return ((prop._dbus_name, prop)
 
550
                for name, prop in
 
551
                inspect.getmembers(self, self._is_dbus_property))
873
552
    
874
553
    def _get_dbus_property(self, interface_name, property_name):
875
554
        """Returns a bound method if one exists which is a D-Bus
876
555
        property with the specified name and interface.
877
556
        """
878
 
        for cls in  self.__class__.__mro__:
879
 
            for name, value in (inspect.getmembers
880
 
                                (cls,
881
 
                                 self._is_dbus_thing("property"))):
882
 
                if (value._dbus_name == property_name
883
 
                    and value._dbus_interface == interface_name):
884
 
                    return value.__get__(self)
885
 
        
 
557
        for name in (property_name,
 
558
                     property_name + u"_dbus_property"):
 
559
            prop = getattr(self, name, None)
 
560
            if (prop is None
 
561
                or not self._is_dbus_property(prop)
 
562
                or prop._dbus_name != property_name
 
563
                or (interface_name and prop._dbus_interface
 
564
                    and interface_name != prop._dbus_interface)):
 
565
                continue
 
566
            return prop
886
567
        # No such property
887
 
        raise DBusPropertyNotFound(self.dbus_object_path + ":"
888
 
                                   + interface_name + "."
 
568
        raise DBusPropertyNotFound(self.dbus_object_path + u":"
 
569
                                   + interface_name + u"."
889
570
                                   + property_name)
890
571
    
891
 
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
892
 
                         out_signature="v")
 
572
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
 
573
                         out_signature=u"v")
893
574
    def Get(self, interface_name, property_name):
894
575
        """Standard D-Bus property Get() method, see D-Bus standard.
895
576
        """
896
577
        prop = self._get_dbus_property(interface_name, property_name)
897
 
        if prop._dbus_access == "write":
 
578
        if prop._dbus_access == u"write":
898
579
            raise DBusPropertyAccessException(property_name)
899
580
        value = prop()
900
 
        if not hasattr(value, "variant_level"):
 
581
        if not hasattr(value, u"variant_level"):
901
582
            return value
902
583
        return type(value)(value, variant_level=value.variant_level+1)
903
584
    
904
 
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
 
585
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
905
586
    def Set(self, interface_name, property_name, value):
906
587
        """Standard D-Bus property Set() method, see D-Bus standard.
907
588
        """
908
589
        prop = self._get_dbus_property(interface_name, property_name)
909
 
        if prop._dbus_access == "read":
 
590
        if prop._dbus_access == u"read":
910
591
            raise DBusPropertyAccessException(property_name)
911
 
        if prop._dbus_get_args_options["byte_arrays"]:
912
 
            # The byte_arrays option is not supported yet on
913
 
            # signatures other than "ay".
914
 
            if prop._dbus_signature != "ay":
915
 
                raise ValueError
916
 
            value = dbus.ByteArray(b''.join(chr(byte)
917
 
                                            for byte in value))
 
592
        if prop._dbus_get_args_options[u"byte_arrays"]:
 
593
            value = dbus.ByteArray(''.join(unichr(byte)
 
594
                                           for byte in value))
918
595
        prop(value)
919
596
    
920
 
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
921
 
                         out_signature="a{sv}")
 
597
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
 
598
                         out_signature=u"a{sv}")
922
599
    def GetAll(self, interface_name):
923
600
        """Standard D-Bus property GetAll() method, see D-Bus
924
601
        standard.
925
 
        
 
602
 
926
603
        Note: Will not include properties with access="write".
927
604
        """
928
 
        properties = {}
929
 
        for name, prop in self._get_all_dbus_things("property"):
 
605
        all = {}
 
606
        for name, prop in self._get_all_dbus_properties():
930
607
            if (interface_name
931
608
                and interface_name != prop._dbus_interface):
932
609
                # Interface non-empty but did not match
933
610
                continue
934
611
            # Ignore write-only properties
935
 
            if prop._dbus_access == "write":
 
612
            if prop._dbus_access == u"write":
936
613
                continue
937
614
            value = prop()
938
 
            if not hasattr(value, "variant_level"):
939
 
                properties[name] = value
 
615
            if not hasattr(value, u"variant_level"):
 
616
                all[name] = value
940
617
                continue
941
 
            properties[name] = type(value)(value, variant_level=
942
 
                                           value.variant_level+1)
943
 
        return dbus.Dictionary(properties, signature="sv")
 
618
            all[name] = type(value)(value, variant_level=
 
619
                                    value.variant_level+1)
 
620
        return dbus.Dictionary(all, signature=u"sv")
944
621
    
945
622
    @dbus.service.method(dbus.INTROSPECTABLE_IFACE,
946
 
                         out_signature="s",
 
623
                         out_signature=u"s",
947
624
                         path_keyword='object_path',
948
625
                         connection_keyword='connection')
949
626
    def Introspect(self, object_path, connection):
950
 
        """Overloading of standard D-Bus method.
951
 
        
952
 
        Inserts property tags and interface annotation tags.
 
627
        """Standard D-Bus method, overloaded to insert property tags.
953
628
        """
954
629
        xmlstring = dbus.service.Object.Introspect(self, object_path,
955
630
                                                   connection)
956
631
        try:
957
632
            document = xml.dom.minidom.parseString(xmlstring)
958
633
            def make_tag(document, name, prop):
959
 
                e = document.createElement("property")
960
 
                e.setAttribute("name", name)
961
 
                e.setAttribute("type", prop._dbus_signature)
962
 
                e.setAttribute("access", prop._dbus_access)
 
634
                e = document.createElement(u"property")
 
635
                e.setAttribute(u"name", name)
 
636
                e.setAttribute(u"type", prop._dbus_signature)
 
637
                e.setAttribute(u"access", prop._dbus_access)
963
638
                return e
964
 
            for if_tag in document.getElementsByTagName("interface"):
965
 
                # Add property tags
 
639
            for if_tag in document.getElementsByTagName(u"interface"):
966
640
                for tag in (make_tag(document, name, prop)
967
641
                            for name, prop
968
 
                            in self._get_all_dbus_things("property")
 
642
                            in self._get_all_dbus_properties()
969
643
                            if prop._dbus_interface
970
 
                            == if_tag.getAttribute("name")):
 
644
                            == if_tag.getAttribute(u"name")):
971
645
                    if_tag.appendChild(tag)
972
 
                # Add annotation tags
973
 
                for typ in ("method", "signal", "property"):
974
 
                    for tag in if_tag.getElementsByTagName(typ):
975
 
                        annots = dict()
976
 
                        for name, prop in (self.
977
 
                                           _get_all_dbus_things(typ)):
978
 
                            if (name == tag.getAttribute("name")
979
 
                                and prop._dbus_interface
980
 
                                == if_tag.getAttribute("name")):
981
 
                                annots.update(getattr
982
 
                                              (prop,
983
 
                                               "_dbus_annotations",
984
 
                                               {}))
985
 
                        for name, value in annots.iteritems():
986
 
                            ann_tag = document.createElement(
987
 
                                "annotation")
988
 
                            ann_tag.setAttribute("name", name)
989
 
                            ann_tag.setAttribute("value", value)
990
 
                            tag.appendChild(ann_tag)
991
 
                # Add interface annotation tags
992
 
                for annotation, value in dict(
993
 
                    itertools.chain.from_iterable(
994
 
                        annotations().iteritems()
995
 
                        for name, annotations in
996
 
                        self._get_all_dbus_things("interface")
997
 
                        if name == if_tag.getAttribute("name")
998
 
                        )).iteritems():
999
 
                    ann_tag = document.createElement("annotation")
1000
 
                    ann_tag.setAttribute("name", annotation)
1001
 
                    ann_tag.setAttribute("value", value)
1002
 
                    if_tag.appendChild(ann_tag)
1003
646
                # Add the names to the return values for the
1004
647
                # "org.freedesktop.DBus.Properties" methods
1005
 
                if (if_tag.getAttribute("name")
1006
 
                    == "org.freedesktop.DBus.Properties"):
1007
 
                    for cn in if_tag.getElementsByTagName("method"):
1008
 
                        if cn.getAttribute("name") == "Get":
1009
 
                            for arg in cn.getElementsByTagName("arg"):
1010
 
                                if (arg.getAttribute("direction")
1011
 
                                    == "out"):
1012
 
                                    arg.setAttribute("name", "value")
1013
 
                        elif cn.getAttribute("name") == "GetAll":
1014
 
                            for arg in cn.getElementsByTagName("arg"):
1015
 
                                if (arg.getAttribute("direction")
1016
 
                                    == "out"):
1017
 
                                    arg.setAttribute("name", "props")
1018
 
            xmlstring = document.toxml("utf-8")
 
648
                if (if_tag.getAttribute(u"name")
 
649
                    == u"org.freedesktop.DBus.Properties"):
 
650
                    for cn in if_tag.getElementsByTagName(u"method"):
 
651
                        if cn.getAttribute(u"name") == u"Get":
 
652
                            for arg in cn.getElementsByTagName(u"arg"):
 
653
                                if (arg.getAttribute(u"direction")
 
654
                                    == u"out"):
 
655
                                    arg.setAttribute(u"name", u"value")
 
656
                        elif cn.getAttribute(u"name") == u"GetAll":
 
657
                            for arg in cn.getElementsByTagName(u"arg"):
 
658
                                if (arg.getAttribute(u"direction")
 
659
                                    == u"out"):
 
660
                                    arg.setAttribute(u"name", u"props")
 
661
            xmlstring = document.toxml(u"utf-8")
1019
662
            document.unlink()
1020
663
        except (AttributeError, xml.dom.DOMException,
1021
 
                xml.parsers.expat.ExpatError) as error:
1022
 
            logger.error("Failed to override Introspection method",
1023
 
                         exc_info=error)
 
664
                xml.parsers.expat.ExpatError), error:
 
665
            logger.error(u"Failed to override Introspection method",
 
666
                         error)
1024
667
        return xmlstring
1025
668
 
1026
669
 
1027
 
def datetime_to_dbus(dt, variant_level=0):
1028
 
    """Convert a UTC datetime.datetime() to a D-Bus type."""
1029
 
    if dt is None:
1030
 
        return dbus.String("", variant_level = variant_level)
1031
 
    return dbus.String(dt.isoformat(),
1032
 
                       variant_level=variant_level)
1033
 
 
1034
 
 
1035
 
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1036
 
    """A class decorator; applied to a subclass of
1037
 
    dbus.service.Object, it will add alternate D-Bus attributes with
1038
 
    interface names according to the "alt_interface_names" mapping.
1039
 
    Usage:
1040
 
    
1041
 
    @alternate_dbus_interfaces({"org.example.Interface":
1042
 
                                    "net.example.AlternateInterface"})
1043
 
    class SampleDBusObject(dbus.service.Object):
1044
 
        @dbus.service.method("org.example.Interface")
1045
 
        def SampleDBusMethod():
1046
 
            pass
1047
 
    
1048
 
    The above "SampleDBusMethod" on "SampleDBusObject" will be
1049
 
    reachable via two interfaces: "org.example.Interface" and
1050
 
    "net.example.AlternateInterface", the latter of which will have
1051
 
    its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1052
 
    "true", unless "deprecate" is passed with a False value.
1053
 
    
1054
 
    This works for methods and signals, and also for D-Bus properties
1055
 
    (from DBusObjectWithProperties) and interfaces (from the
1056
 
    dbus_interface_annotations decorator).
1057
 
    """
1058
 
    def wrapper(cls):
1059
 
        for orig_interface_name, alt_interface_name in (
1060
 
            alt_interface_names.iteritems()):
1061
 
            attr = {}
1062
 
            interface_names = set()
1063
 
            # Go though all attributes of the class
1064
 
            for attrname, attribute in inspect.getmembers(cls):
1065
 
                # Ignore non-D-Bus attributes, and D-Bus attributes
1066
 
                # with the wrong interface name
1067
 
                if (not hasattr(attribute, "_dbus_interface")
1068
 
                    or not attribute._dbus_interface
1069
 
                    .startswith(orig_interface_name)):
1070
 
                    continue
1071
 
                # Create an alternate D-Bus interface name based on
1072
 
                # the current name
1073
 
                alt_interface = (attribute._dbus_interface
1074
 
                                 .replace(orig_interface_name,
1075
 
                                          alt_interface_name))
1076
 
                interface_names.add(alt_interface)
1077
 
                # Is this a D-Bus signal?
1078
 
                if getattr(attribute, "_dbus_is_signal", False):
1079
 
                    # Extract the original non-method function by
1080
 
                    # black magic
1081
 
                    nonmethod_func = (dict(
1082
 
                            zip(attribute.func_code.co_freevars,
1083
 
                                attribute.__closure__))["func"]
1084
 
                                      .cell_contents)
1085
 
                    # Create a new, but exactly alike, function
1086
 
                    # object, and decorate it to be a new D-Bus signal
1087
 
                    # with the alternate D-Bus interface name
1088
 
                    new_function = (dbus.service.signal
1089
 
                                    (alt_interface,
1090
 
                                     attribute._dbus_signature)
1091
 
                                    (types.FunctionType(
1092
 
                                nonmethod_func.func_code,
1093
 
                                nonmethod_func.func_globals,
1094
 
                                nonmethod_func.func_name,
1095
 
                                nonmethod_func.func_defaults,
1096
 
                                nonmethod_func.func_closure)))
1097
 
                    # Copy annotations, if any
1098
 
                    try:
1099
 
                        new_function._dbus_annotations = (
1100
 
                            dict(attribute._dbus_annotations))
1101
 
                    except AttributeError:
1102
 
                        pass
1103
 
                    # Define a creator of a function to call both the
1104
 
                    # original and alternate functions, so both the
1105
 
                    # original and alternate signals gets sent when
1106
 
                    # the function is called
1107
 
                    def fixscope(func1, func2):
1108
 
                        """This function is a scope container to pass
1109
 
                        func1 and func2 to the "call_both" function
1110
 
                        outside of its arguments"""
1111
 
                        def call_both(*args, **kwargs):
1112
 
                            """This function will emit two D-Bus
1113
 
                            signals by calling func1 and func2"""
1114
 
                            func1(*args, **kwargs)
1115
 
                            func2(*args, **kwargs)
1116
 
                        return call_both
1117
 
                    # Create the "call_both" function and add it to
1118
 
                    # the class
1119
 
                    attr[attrname] = fixscope(attribute, new_function)
1120
 
                # Is this a D-Bus method?
1121
 
                elif getattr(attribute, "_dbus_is_method", False):
1122
 
                    # Create a new, but exactly alike, function
1123
 
                    # object.  Decorate it to be a new D-Bus method
1124
 
                    # with the alternate D-Bus interface name.  Add it
1125
 
                    # to the class.
1126
 
                    attr[attrname] = (dbus.service.method
1127
 
                                      (alt_interface,
1128
 
                                       attribute._dbus_in_signature,
1129
 
                                       attribute._dbus_out_signature)
1130
 
                                      (types.FunctionType
1131
 
                                       (attribute.func_code,
1132
 
                                        attribute.func_globals,
1133
 
                                        attribute.func_name,
1134
 
                                        attribute.func_defaults,
1135
 
                                        attribute.func_closure)))
1136
 
                    # Copy annotations, if any
1137
 
                    try:
1138
 
                        attr[attrname]._dbus_annotations = (
1139
 
                            dict(attribute._dbus_annotations))
1140
 
                    except AttributeError:
1141
 
                        pass
1142
 
                # Is this a D-Bus property?
1143
 
                elif getattr(attribute, "_dbus_is_property", False):
1144
 
                    # Create a new, but exactly alike, function
1145
 
                    # object, and decorate it to be a new D-Bus
1146
 
                    # property with the alternate D-Bus interface
1147
 
                    # name.  Add it to the class.
1148
 
                    attr[attrname] = (dbus_service_property
1149
 
                                      (alt_interface,
1150
 
                                       attribute._dbus_signature,
1151
 
                                       attribute._dbus_access,
1152
 
                                       attribute
1153
 
                                       ._dbus_get_args_options
1154
 
                                       ["byte_arrays"])
1155
 
                                      (types.FunctionType
1156
 
                                       (attribute.func_code,
1157
 
                                        attribute.func_globals,
1158
 
                                        attribute.func_name,
1159
 
                                        attribute.func_defaults,
1160
 
                                        attribute.func_closure)))
1161
 
                    # Copy annotations, if any
1162
 
                    try:
1163
 
                        attr[attrname]._dbus_annotations = (
1164
 
                            dict(attribute._dbus_annotations))
1165
 
                    except AttributeError:
1166
 
                        pass
1167
 
                # Is this a D-Bus interface?
1168
 
                elif getattr(attribute, "_dbus_is_interface", False):
1169
 
                    # Create a new, but exactly alike, function
1170
 
                    # object.  Decorate it to be a new D-Bus interface
1171
 
                    # with the alternate D-Bus interface name.  Add it
1172
 
                    # to the class.
1173
 
                    attr[attrname] = (dbus_interface_annotations
1174
 
                                      (alt_interface)
1175
 
                                      (types.FunctionType
1176
 
                                       (attribute.func_code,
1177
 
                                        attribute.func_globals,
1178
 
                                        attribute.func_name,
1179
 
                                        attribute.func_defaults,
1180
 
                                        attribute.func_closure)))
1181
 
            if deprecate:
1182
 
                # Deprecate all alternate interfaces
1183
 
                iname="_AlternateDBusNames_interface_annotation{0}"
1184
 
                for interface_name in interface_names:
1185
 
                    @dbus_interface_annotations(interface_name)
1186
 
                    def func(self):
1187
 
                        return { "org.freedesktop.DBus.Deprecated":
1188
 
                                     "true" }
1189
 
                    # Find an unused name
1190
 
                    for aname in (iname.format(i)
1191
 
                                  for i in itertools.count()):
1192
 
                        if aname not in attr:
1193
 
                            attr[aname] = func
1194
 
                            break
1195
 
            if interface_names:
1196
 
                # Replace the class with a new subclass of it with
1197
 
                # methods, signals, etc. as created above.
1198
 
                cls = type(b"{0}Alternate".format(cls.__name__),
1199
 
                           (cls,), attr)
1200
 
        return cls
1201
 
    return wrapper
1202
 
 
1203
 
 
1204
 
@alternate_dbus_interfaces({"se.recompile.Mandos":
1205
 
                                "se.bsnet.fukt.Mandos"})
1206
670
class ClientDBus(Client, DBusObjectWithProperties):
1207
671
    """A Client class using D-Bus
1208
672
    
1210
674
    dbus_object_path: dbus.ObjectPath
1211
675
    bus: dbus.SystemBus()
1212
676
    """
1213
 
    
1214
 
    runtime_expansions = (Client.runtime_expansions
1215
 
                          + ("dbus_object_path",))
1216
 
    
1217
677
    # dbus.service.Object doesn't use super(), so we can't either.
1218
678
    
1219
679
    def __init__(self, bus = None, *args, **kwargs):
1221
681
        Client.__init__(self, *args, **kwargs)
1222
682
        # Only now, when this client is initialized, can it show up on
1223
683
        # the D-Bus
1224
 
        client_object_name = unicode(self.name).translate(
1225
 
            {ord("."): ord("_"),
1226
 
             ord("-"): ord("_")})
1227
684
        self.dbus_object_path = (dbus.ObjectPath
1228
 
                                 ("/clients/" + client_object_name))
 
685
                                 (u"/clients/"
 
686
                                  + self.name.replace(u".", u"_")))
1229
687
        DBusObjectWithProperties.__init__(self, self.bus,
1230
688
                                          self.dbus_object_path)
1231
689
    
1232
 
    def notifychangeproperty(transform_func,
1233
 
                             dbus_name, type_func=lambda x: x,
1234
 
                             variant_level=1):
1235
 
        """ Modify a variable so that it's a property which announces
1236
 
        its changes to DBus.
1237
 
        
1238
 
        transform_fun: Function that takes a value and a variant_level
1239
 
                       and transforms it to a D-Bus type.
1240
 
        dbus_name: D-Bus name of the variable
1241
 
        type_func: Function that transform the value before sending it
1242
 
                   to the D-Bus.  Default: no transform
1243
 
        variant_level: D-Bus variant level.  Default: 1
1244
 
        """
1245
 
        attrname = "_{0}".format(dbus_name)
1246
 
        def setter(self, value):
1247
 
            if hasattr(self, "dbus_object_path"):
1248
 
                if (not hasattr(self, attrname) or
1249
 
                    type_func(getattr(self, attrname, None))
1250
 
                    != type_func(value)):
1251
 
                    dbus_value = transform_func(type_func(value),
1252
 
                                                variant_level
1253
 
                                                =variant_level)
1254
 
                    self.PropertyChanged(dbus.String(dbus_name),
1255
 
                                         dbus_value)
1256
 
            setattr(self, attrname, value)
1257
 
        
1258
 
        return property(lambda self: getattr(self, attrname), setter)
1259
 
    
1260
 
    expires = notifychangeproperty(datetime_to_dbus, "Expires")
1261
 
    approvals_pending = notifychangeproperty(dbus.Boolean,
1262
 
                                             "ApprovalPending",
1263
 
                                             type_func = bool)
1264
 
    enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1265
 
    last_enabled = notifychangeproperty(datetime_to_dbus,
1266
 
                                        "LastEnabled")
1267
 
    checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1268
 
                                   type_func = lambda checker:
1269
 
                                       checker is not None)
1270
 
    last_checked_ok = notifychangeproperty(datetime_to_dbus,
1271
 
                                           "LastCheckedOK")
1272
 
    last_checker_status = notifychangeproperty(dbus.Int16,
1273
 
                                               "LastCheckerStatus")
1274
 
    last_approval_request = notifychangeproperty(
1275
 
        datetime_to_dbus, "LastApprovalRequest")
1276
 
    approved_by_default = notifychangeproperty(dbus.Boolean,
1277
 
                                               "ApprovedByDefault")
1278
 
    approval_delay = notifychangeproperty(dbus.UInt64,
1279
 
                                          "ApprovalDelay",
1280
 
                                          type_func =
1281
 
                                          timedelta_to_milliseconds)
1282
 
    approval_duration = notifychangeproperty(
1283
 
        dbus.UInt64, "ApprovalDuration",
1284
 
        type_func = timedelta_to_milliseconds)
1285
 
    host = notifychangeproperty(dbus.String, "Host")
1286
 
    timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1287
 
                                   type_func =
1288
 
                                   timedelta_to_milliseconds)
1289
 
    extended_timeout = notifychangeproperty(
1290
 
        dbus.UInt64, "ExtendedTimeout",
1291
 
        type_func = timedelta_to_milliseconds)
1292
 
    interval = notifychangeproperty(dbus.UInt64,
1293
 
                                    "Interval",
1294
 
                                    type_func =
1295
 
                                    timedelta_to_milliseconds)
1296
 
    checker_command = notifychangeproperty(dbus.String, "Checker")
1297
 
    
1298
 
    del notifychangeproperty
 
690
    @staticmethod
 
691
    def _datetime_to_dbus(dt, variant_level=0):
 
692
        """Convert a UTC datetime.datetime() to a D-Bus type."""
 
693
        return dbus.String(dt.isoformat(),
 
694
                           variant_level=variant_level)
 
695
    
 
696
    def enable(self):
 
697
        oldstate = getattr(self, u"enabled", False)
 
698
        r = Client.enable(self)
 
699
        if oldstate != self.enabled:
 
700
            # Emit D-Bus signals
 
701
            self.PropertyChanged(dbus.String(u"enabled"),
 
702
                                 dbus.Boolean(True, variant_level=1))
 
703
            self.PropertyChanged(
 
704
                dbus.String(u"last_enabled"),
 
705
                self._datetime_to_dbus(self.last_enabled,
 
706
                                       variant_level=1))
 
707
        return r
 
708
    
 
709
    def disable(self, quiet = False):
 
710
        oldstate = getattr(self, u"enabled", False)
 
711
        r = Client.disable(self, quiet=quiet)
 
712
        if not quiet and oldstate != self.enabled:
 
713
            # Emit D-Bus signal
 
714
            self.PropertyChanged(dbus.String(u"enabled"),
 
715
                                 dbus.Boolean(False, variant_level=1))
 
716
        return r
1299
717
    
1300
718
    def __del__(self, *args, **kwargs):
1301
719
        try:
1302
720
            self.remove_from_connection()
1303
721
        except LookupError:
1304
722
            pass
1305
 
        if hasattr(DBusObjectWithProperties, "__del__"):
 
723
        if hasattr(DBusObjectWithProperties, u"__del__"):
1306
724
            DBusObjectWithProperties.__del__(self, *args, **kwargs)
1307
725
        Client.__del__(self, *args, **kwargs)
1308
726
    
1310
728
                         *args, **kwargs):
1311
729
        self.checker_callback_tag = None
1312
730
        self.checker = None
 
731
        # Emit D-Bus signal
 
732
        self.PropertyChanged(dbus.String(u"checker_running"),
 
733
                             dbus.Boolean(False, variant_level=1))
1313
734
        if os.WIFEXITED(condition):
1314
735
            exitstatus = os.WEXITSTATUS(condition)
1315
736
            # Emit D-Bus signal
1325
746
        return Client.checker_callback(self, pid, condition, command,
1326
747
                                       *args, **kwargs)
1327
748
    
 
749
    def checked_ok(self, *args, **kwargs):
 
750
        r = Client.checked_ok(self, *args, **kwargs)
 
751
        # Emit D-Bus signal
 
752
        self.PropertyChanged(
 
753
            dbus.String(u"last_checked_ok"),
 
754
            (self._datetime_to_dbus(self.last_checked_ok,
 
755
                                    variant_level=1)))
 
756
        return r
 
757
    
1328
758
    def start_checker(self, *args, **kwargs):
1329
759
        old_checker = self.checker
1330
760
        if self.checker is not None:
1337
767
            and old_checker_pid != self.checker.pid):
1338
768
            # Emit D-Bus signal
1339
769
            self.CheckerStarted(self.current_checker_command)
1340
 
        return r
1341
 
    
1342
 
    def _reset_approved(self):
1343
 
        self.approved = None
1344
 
        return False
1345
 
    
1346
 
    def approve(self, value=True):
1347
 
        self.approved = value
1348
 
        gobject.timeout_add(timedelta_to_milliseconds
1349
 
                            (self.approval_duration),
1350
 
                            self._reset_approved)
1351
 
        self.send_changedstate()
1352
 
    
1353
 
    ## D-Bus methods, signals & properties
1354
 
    _interface = "se.recompile.Mandos.Client"
1355
 
    
1356
 
    ## Interfaces
1357
 
    
1358
 
    @dbus_interface_annotations(_interface)
1359
 
    def _foo(self):
1360
 
        return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1361
 
                     "false"}
1362
 
    
1363
 
    ## Signals
 
770
            self.PropertyChanged(
 
771
                dbus.String(u"checker_running"),
 
772
                dbus.Boolean(True, variant_level=1))
 
773
        return r
 
774
    
 
775
    def stop_checker(self, *args, **kwargs):
 
776
        old_checker = getattr(self, u"checker", None)
 
777
        r = Client.stop_checker(self, *args, **kwargs)
 
778
        if (old_checker is not None
 
779
            and getattr(self, u"checker", None) is None):
 
780
            self.PropertyChanged(dbus.String(u"checker_running"),
 
781
                                 dbus.Boolean(False, variant_level=1))
 
782
        return r
 
783
    
 
784
    ## D-Bus methods & signals
 
785
    _interface = u"se.bsnet.fukt.Mandos.Client"
 
786
    
 
787
    # CheckedOK - method
 
788
    @dbus.service.method(_interface)
 
789
    def CheckedOK(self):
 
790
        return self.checked_ok()
1364
791
    
1365
792
    # CheckerCompleted - signal
1366
 
    @dbus.service.signal(_interface, signature="nxs")
 
793
    @dbus.service.signal(_interface, signature=u"nxs")
1367
794
    def CheckerCompleted(self, exitcode, waitstatus, command):
1368
795
        "D-Bus signal"
1369
796
        pass
1370
797
    
1371
798
    # CheckerStarted - signal
1372
 
    @dbus.service.signal(_interface, signature="s")
 
799
    @dbus.service.signal(_interface, signature=u"s")
1373
800
    def CheckerStarted(self, command):
1374
801
        "D-Bus signal"
1375
802
        pass
1376
803
    
1377
804
    # PropertyChanged - signal
1378
 
    @dbus.service.signal(_interface, signature="sv")
 
805
    @dbus.service.signal(_interface, signature=u"sv")
1379
806
    def PropertyChanged(self, property, value):
1380
807
        "D-Bus signal"
1381
808
        pass
1383
810
    # GotSecret - signal
1384
811
    @dbus.service.signal(_interface)
1385
812
    def GotSecret(self):
1386
 
        """D-Bus signal
1387
 
        Is sent after a successful transfer of secret from the Mandos
1388
 
        server to mandos-client
1389
 
        """
 
813
        "D-Bus signal"
1390
814
        pass
1391
815
    
1392
816
    # Rejected - signal
1393
 
    @dbus.service.signal(_interface, signature="s")
1394
 
    def Rejected(self, reason):
 
817
    @dbus.service.signal(_interface)
 
818
    def Rejected(self):
1395
819
        "D-Bus signal"
1396
820
        pass
1397
821
    
1398
 
    # NeedApproval - signal
1399
 
    @dbus.service.signal(_interface, signature="tb")
1400
 
    def NeedApproval(self, timeout, default):
1401
 
        "D-Bus signal"
1402
 
        return self.need_approval()
1403
 
    
1404
 
    ## Methods
1405
 
    
1406
 
    # Approve - method
1407
 
    @dbus.service.method(_interface, in_signature="b")
1408
 
    def Approve(self, value):
1409
 
        self.approve(value)
1410
 
    
1411
 
    # CheckedOK - method
1412
 
    @dbus.service.method(_interface)
1413
 
    def CheckedOK(self):
1414
 
        self.checked_ok()
1415
 
    
1416
822
    # Enable - method
1417
823
    @dbus.service.method(_interface)
1418
824
    def Enable(self):
1436
842
    def StopChecker(self):
1437
843
        self.stop_checker()
1438
844
    
1439
 
    ## Properties
1440
 
    
1441
 
    # ApprovalPending - property
1442
 
    @dbus_service_property(_interface, signature="b", access="read")
1443
 
    def ApprovalPending_dbus_property(self):
1444
 
        return dbus.Boolean(bool(self.approvals_pending))
1445
 
    
1446
 
    # ApprovedByDefault - property
1447
 
    @dbus_service_property(_interface, signature="b",
1448
 
                           access="readwrite")
1449
 
    def ApprovedByDefault_dbus_property(self, value=None):
1450
 
        if value is None:       # get
1451
 
            return dbus.Boolean(self.approved_by_default)
1452
 
        self.approved_by_default = bool(value)
1453
 
    
1454
 
    # ApprovalDelay - property
1455
 
    @dbus_service_property(_interface, signature="t",
1456
 
                           access="readwrite")
1457
 
    def ApprovalDelay_dbus_property(self, value=None):
1458
 
        if value is None:       # get
1459
 
            return dbus.UInt64(self.approval_delay_milliseconds())
1460
 
        self.approval_delay = datetime.timedelta(0, 0, 0, value)
1461
 
    
1462
 
    # ApprovalDuration - property
1463
 
    @dbus_service_property(_interface, signature="t",
1464
 
                           access="readwrite")
1465
 
    def ApprovalDuration_dbus_property(self, value=None):
1466
 
        if value is None:       # get
1467
 
            return dbus.UInt64(timedelta_to_milliseconds(
1468
 
                    self.approval_duration))
1469
 
        self.approval_duration = datetime.timedelta(0, 0, 0, value)
1470
 
    
1471
 
    # Name - property
1472
 
    @dbus_service_property(_interface, signature="s", access="read")
1473
 
    def Name_dbus_property(self):
 
845
    # name - property
 
846
    @dbus_service_property(_interface, signature=u"s", access=u"read")
 
847
    def name_dbus_property(self):
1474
848
        return dbus.String(self.name)
1475
849
    
1476
 
    # Fingerprint - property
1477
 
    @dbus_service_property(_interface, signature="s", access="read")
1478
 
    def Fingerprint_dbus_property(self):
 
850
    # fingerprint - property
 
851
    @dbus_service_property(_interface, signature=u"s", access=u"read")
 
852
    def fingerprint_dbus_property(self):
1479
853
        return dbus.String(self.fingerprint)
1480
854
    
1481
 
    # Host - property
1482
 
    @dbus_service_property(_interface, signature="s",
1483
 
                           access="readwrite")
1484
 
    def Host_dbus_property(self, value=None):
 
855
    # host - property
 
856
    @dbus_service_property(_interface, signature=u"s",
 
857
                           access=u"readwrite")
 
858
    def host_dbus_property(self, value=None):
1485
859
        if value is None:       # get
1486
860
            return dbus.String(self.host)
1487
 
        self.host = unicode(value)
1488
 
    
1489
 
    # Created - property
1490
 
    @dbus_service_property(_interface, signature="s", access="read")
1491
 
    def Created_dbus_property(self):
1492
 
        return datetime_to_dbus(self.created)
1493
 
    
1494
 
    # LastEnabled - property
1495
 
    @dbus_service_property(_interface, signature="s", access="read")
1496
 
    def LastEnabled_dbus_property(self):
1497
 
        return datetime_to_dbus(self.last_enabled)
1498
 
    
1499
 
    # Enabled - property
1500
 
    @dbus_service_property(_interface, signature="b",
1501
 
                           access="readwrite")
1502
 
    def Enabled_dbus_property(self, value=None):
 
861
        self.host = value
 
862
        # Emit D-Bus signal
 
863
        self.PropertyChanged(dbus.String(u"host"),
 
864
                             dbus.String(value, variant_level=1))
 
865
    
 
866
    # created - property
 
867
    @dbus_service_property(_interface, signature=u"s", access=u"read")
 
868
    def created_dbus_property(self):
 
869
        return dbus.String(self._datetime_to_dbus(self.created))
 
870
    
 
871
    # last_enabled - property
 
872
    @dbus_service_property(_interface, signature=u"s", access=u"read")
 
873
    def last_enabled_dbus_property(self):
 
874
        if self.last_enabled is None:
 
875
            return dbus.String(u"")
 
876
        return dbus.String(self._datetime_to_dbus(self.last_enabled))
 
877
    
 
878
    # enabled - property
 
879
    @dbus_service_property(_interface, signature=u"b",
 
880
                           access=u"readwrite")
 
881
    def enabled_dbus_property(self, value=None):
1503
882
        if value is None:       # get
1504
883
            return dbus.Boolean(self.enabled)
1505
884
        if value:
1507
886
        else:
1508
887
            self.disable()
1509
888
    
1510
 
    # LastCheckedOK - property
1511
 
    @dbus_service_property(_interface, signature="s",
1512
 
                           access="readwrite")
1513
 
    def LastCheckedOK_dbus_property(self, value=None):
 
889
    # last_checked_ok - property
 
890
    @dbus_service_property(_interface, signature=u"s",
 
891
                           access=u"readwrite")
 
892
    def last_checked_ok_dbus_property(self, value=None):
1514
893
        if value is not None:
1515
894
            self.checked_ok()
1516
895
            return
1517
 
        return datetime_to_dbus(self.last_checked_ok)
1518
 
    
1519
 
    # LastCheckerStatus - property
1520
 
    @dbus_service_property(_interface, signature="n",
1521
 
                           access="read")
1522
 
    def LastCheckerStatus_dbus_property(self):
1523
 
        return dbus.Int16(self.last_checker_status)
1524
 
    
1525
 
    # Expires - property
1526
 
    @dbus_service_property(_interface, signature="s", access="read")
1527
 
    def Expires_dbus_property(self):
1528
 
        return datetime_to_dbus(self.expires)
1529
 
    
1530
 
    # LastApprovalRequest - property
1531
 
    @dbus_service_property(_interface, signature="s", access="read")
1532
 
    def LastApprovalRequest_dbus_property(self):
1533
 
        return datetime_to_dbus(self.last_approval_request)
1534
 
    
1535
 
    # Timeout - property
1536
 
    @dbus_service_property(_interface, signature="t",
1537
 
                           access="readwrite")
1538
 
    def Timeout_dbus_property(self, value=None):
 
896
        if self.last_checked_ok is None:
 
897
            return dbus.String(u"")
 
898
        return dbus.String(self._datetime_to_dbus(self
 
899
                                                  .last_checked_ok))
 
900
    
 
901
    # timeout - property
 
902
    @dbus_service_property(_interface, signature=u"t",
 
903
                           access=u"readwrite")
 
904
    def timeout_dbus_property(self, value=None):
1539
905
        if value is None:       # get
1540
906
            return dbus.UInt64(self.timeout_milliseconds())
1541
 
        old_timeout = self.timeout
1542
907
        self.timeout = datetime.timedelta(0, 0, 0, value)
1543
 
        # Reschedule disabling
1544
 
        if self.enabled:
1545
 
            now = datetime.datetime.utcnow()
1546
 
            self.expires += self.timeout - old_timeout
1547
 
            if self.expires <= now:
1548
 
                # The timeout has passed
1549
 
                self.disable()
1550
 
            else:
1551
 
                if (getattr(self, "disable_initiator_tag", None)
1552
 
                    is None):
1553
 
                    return
1554
 
                gobject.source_remove(self.disable_initiator_tag)
1555
 
                self.disable_initiator_tag = (
1556
 
                    gobject.timeout_add(
1557
 
                        timedelta_to_milliseconds(self.expires - now),
1558
 
                        self.disable))
1559
 
    
1560
 
    # ExtendedTimeout - property
1561
 
    @dbus_service_property(_interface, signature="t",
1562
 
                           access="readwrite")
1563
 
    def ExtendedTimeout_dbus_property(self, value=None):
1564
 
        if value is None:       # get
1565
 
            return dbus.UInt64(self.extended_timeout_milliseconds())
1566
 
        self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1567
 
    
1568
 
    # Interval - property
1569
 
    @dbus_service_property(_interface, signature="t",
1570
 
                           access="readwrite")
1571
 
    def Interval_dbus_property(self, value=None):
 
908
        # Emit D-Bus signal
 
909
        self.PropertyChanged(dbus.String(u"timeout"),
 
910
                             dbus.UInt64(value, variant_level=1))
 
911
        if getattr(self, u"disable_initiator_tag", None) is None:
 
912
            return
 
913
        # Reschedule timeout
 
914
        gobject.source_remove(self.disable_initiator_tag)
 
915
        self.disable_initiator_tag = None
 
916
        time_to_die = (self.
 
917
                       _timedelta_to_milliseconds((self
 
918
                                                   .last_checked_ok
 
919
                                                   + self.timeout)
 
920
                                                  - datetime.datetime
 
921
                                                  .utcnow()))
 
922
        if time_to_die <= 0:
 
923
            # The timeout has passed
 
924
            self.disable()
 
925
        else:
 
926
            self.disable_initiator_tag = (gobject.timeout_add
 
927
                                          (time_to_die, self.disable))
 
928
    
 
929
    # interval - property
 
930
    @dbus_service_property(_interface, signature=u"t",
 
931
                           access=u"readwrite")
 
932
    def interval_dbus_property(self, value=None):
1572
933
        if value is None:       # get
1573
934
            return dbus.UInt64(self.interval_milliseconds())
1574
935
        self.interval = datetime.timedelta(0, 0, 0, value)
1575
 
        if getattr(self, "checker_initiator_tag", None) is None:
 
936
        # Emit D-Bus signal
 
937
        self.PropertyChanged(dbus.String(u"interval"),
 
938
                             dbus.UInt64(value, variant_level=1))
 
939
        if getattr(self, u"checker_initiator_tag", None) is None:
1576
940
            return
1577
 
        if self.enabled:
1578
 
            # Reschedule checker run
1579
 
            gobject.source_remove(self.checker_initiator_tag)
1580
 
            self.checker_initiator_tag = (gobject.timeout_add
1581
 
                                          (value, self.start_checker))
1582
 
            self.start_checker()    # Start one now, too
1583
 
    
1584
 
    # Checker - property
1585
 
    @dbus_service_property(_interface, signature="s",
1586
 
                           access="readwrite")
1587
 
    def Checker_dbus_property(self, value=None):
 
941
        # Reschedule checker run
 
942
        gobject.source_remove(self.checker_initiator_tag)
 
943
        self.checker_initiator_tag = (gobject.timeout_add
 
944
                                      (value, self.start_checker))
 
945
        self.start_checker()    # Start one now, too
 
946
 
 
947
    # checker - property
 
948
    @dbus_service_property(_interface, signature=u"s",
 
949
                           access=u"readwrite")
 
950
    def checker_dbus_property(self, value=None):
1588
951
        if value is None:       # get
1589
952
            return dbus.String(self.checker_command)
1590
 
        self.checker_command = unicode(value)
 
953
        self.checker_command = value
 
954
        # Emit D-Bus signal
 
955
        self.PropertyChanged(dbus.String(u"checker"),
 
956
                             dbus.String(self.checker_command,
 
957
                                         variant_level=1))
1591
958
    
1592
 
    # CheckerRunning - property
1593
 
    @dbus_service_property(_interface, signature="b",
1594
 
                           access="readwrite")
1595
 
    def CheckerRunning_dbus_property(self, value=None):
 
959
    # checker_running - property
 
960
    @dbus_service_property(_interface, signature=u"b",
 
961
                           access=u"readwrite")
 
962
    def checker_running_dbus_property(self, value=None):
1596
963
        if value is None:       # get
1597
964
            return dbus.Boolean(self.checker is not None)
1598
965
        if value:
1600
967
        else:
1601
968
            self.stop_checker()
1602
969
    
1603
 
    # ObjectPath - property
1604
 
    @dbus_service_property(_interface, signature="o", access="read")
1605
 
    def ObjectPath_dbus_property(self):
 
970
    # object_path - property
 
971
    @dbus_service_property(_interface, signature=u"o", access=u"read")
 
972
    def object_path_dbus_property(self):
1606
973
        return self.dbus_object_path # is already a dbus.ObjectPath
1607
974
    
1608
 
    # Secret = property
1609
 
    @dbus_service_property(_interface, signature="ay",
1610
 
                           access="write", byte_arrays=True)
1611
 
    def Secret_dbus_property(self, value):
 
975
    # secret = property
 
976
    @dbus_service_property(_interface, signature=u"ay",
 
977
                           access=u"write", byte_arrays=True)
 
978
    def secret_dbus_property(self, value):
1612
979
        self.secret = str(value)
1613
980
    
1614
981
    del _interface
1615
982
 
1616
983
 
1617
 
class ProxyClient(object):
1618
 
    def __init__(self, child_pipe, fpr, address):
1619
 
        self._pipe = child_pipe
1620
 
        self._pipe.send(('init', fpr, address))
1621
 
        if not self._pipe.recv():
1622
 
            raise KeyError()
1623
 
    
1624
 
    def __getattribute__(self, name):
1625
 
        if name == '_pipe':
1626
 
            return super(ProxyClient, self).__getattribute__(name)
1627
 
        self._pipe.send(('getattr', name))
1628
 
        data = self._pipe.recv()
1629
 
        if data[0] == 'data':
1630
 
            return data[1]
1631
 
        if data[0] == 'function':
1632
 
            def func(*args, **kwargs):
1633
 
                self._pipe.send(('funcall', name, args, kwargs))
1634
 
                return self._pipe.recv()[1]
1635
 
            return func
1636
 
    
1637
 
    def __setattr__(self, name, value):
1638
 
        if name == '_pipe':
1639
 
            return super(ProxyClient, self).__setattr__(name, value)
1640
 
        self._pipe.send(('setattr', name, value))
1641
 
 
1642
 
 
1643
984
class ClientHandler(socketserver.BaseRequestHandler, object):
1644
985
    """A class to handle client connections.
1645
986
    
1647
988
    Note: This will run in its own forked process."""
1648
989
    
1649
990
    def handle(self):
1650
 
        with contextlib.closing(self.server.child_pipe) as child_pipe:
1651
 
            logger.info("TCP connection from: %s",
1652
 
                        unicode(self.client_address))
1653
 
            logger.debug("Pipe FD: %d",
1654
 
                         self.server.child_pipe.fileno())
1655
 
            
 
991
        logger.info(u"TCP connection from: %s",
 
992
                    unicode(self.client_address))
 
993
        logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
 
994
        # Open IPC pipe to parent process
 
995
        with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1656
996
            session = (gnutls.connection
1657
997
                       .ClientSession(self.request,
1658
998
                                      gnutls.connection
1659
999
                                      .X509Credentials()))
1660
1000
            
 
1001
            line = self.request.makefile().readline()
 
1002
            logger.debug(u"Protocol version: %r", line)
 
1003
            try:
 
1004
                if int(line.strip().split()[0]) > 1:
 
1005
                    raise RuntimeError
 
1006
            except (ValueError, IndexError, RuntimeError), error:
 
1007
                logger.error(u"Unknown protocol version: %s", error)
 
1008
                return
 
1009
            
1661
1010
            # Note: gnutls.connection.X509Credentials is really a
1662
1011
            # generic GnuTLS certificate credentials object so long as
1663
1012
            # no X.509 keys are added to it.  Therefore, we can use it
1664
1013
            # here despite using OpenPGP certificates.
1665
1014
            
1666
 
            #priority = ':'.join(("NONE", "+VERS-TLS1.1",
1667
 
            #                      "+AES-256-CBC", "+SHA1",
1668
 
            #                      "+COMP-NULL", "+CTYPE-OPENPGP",
1669
 
            #                      "+DHE-DSS"))
 
1015
            #priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
 
1016
            #                      u"+AES-256-CBC", u"+SHA1",
 
1017
            #                      u"+COMP-NULL", u"+CTYPE-OPENPGP",
 
1018
            #                      u"+DHE-DSS"))
1670
1019
            # Use a fallback default, since this MUST be set.
1671
1020
            priority = self.server.gnutls_priority
1672
1021
            if priority is None:
1673
 
                priority = "NORMAL"
 
1022
                priority = u"NORMAL"
1674
1023
            (gnutls.library.functions
1675
1024
             .gnutls_priority_set_direct(session._c_object,
1676
1025
                                         priority, None))
1677
1026
            
1678
 
            # Start communication using the Mandos protocol
1679
 
            # Get protocol number
1680
 
            line = self.request.makefile().readline()
1681
 
            logger.debug("Protocol version: %r", line)
1682
 
            try:
1683
 
                if int(line.strip().split()[0]) > 1:
1684
 
                    raise RuntimeError
1685
 
            except (ValueError, IndexError, RuntimeError) as error:
1686
 
                logger.error("Unknown protocol version: %s", error)
1687
 
                return
1688
 
            
1689
 
            # Start GnuTLS connection
1690
1027
            try:
1691
1028
                session.handshake()
1692
 
            except gnutls.errors.GNUTLSError as error:
1693
 
                logger.warning("Handshake failed: %s", error)
 
1029
            except gnutls.errors.GNUTLSError, error:
 
1030
                logger.warning(u"Handshake failed: %s", error)
1694
1031
                # Do not run session.bye() here: the session is not
1695
1032
                # established.  Just abandon the request.
1696
1033
                return
1697
 
            logger.debug("Handshake succeeded")
1698
 
            
1699
 
            approval_required = False
 
1034
            logger.debug(u"Handshake succeeded")
1700
1035
            try:
1701
 
                try:
1702
 
                    fpr = self.fingerprint(self.peer_certificate
1703
 
                                           (session))
1704
 
                except (TypeError,
1705
 
                        gnutls.errors.GNUTLSError) as error:
1706
 
                    logger.warning("Bad certificate: %s", error)
1707
 
                    return
1708
 
                logger.debug("Fingerprint: %s", fpr)
1709
 
                
1710
 
                try:
1711
 
                    client = ProxyClient(child_pipe, fpr,
1712
 
                                         self.client_address)
1713
 
                except KeyError:
1714
 
                    return
1715
 
                
1716
 
                if client.approval_delay:
1717
 
                    delay = client.approval_delay
1718
 
                    client.approvals_pending += 1
1719
 
                    approval_required = True
1720
 
                
1721
 
                while True:
1722
 
                    if not client.enabled:
1723
 
                        logger.info("Client %s is disabled",
1724
 
                                       client.name)
1725
 
                        if self.server.use_dbus:
1726
 
                            # Emit D-Bus signal
1727
 
                            client.Rejected("Disabled")
1728
 
                        return
1729
 
                    
1730
 
                    if client.approved or not client.approval_delay:
1731
 
                        #We are approved or approval is disabled
1732
 
                        break
1733
 
                    elif client.approved is None:
1734
 
                        logger.info("Client %s needs approval",
1735
 
                                    client.name)
1736
 
                        if self.server.use_dbus:
1737
 
                            # Emit D-Bus signal
1738
 
                            client.NeedApproval(
1739
 
                                client.approval_delay_milliseconds(),
1740
 
                                client.approved_by_default)
1741
 
                    else:
1742
 
                        logger.warning("Client %s was not approved",
1743
 
                                       client.name)
1744
 
                        if self.server.use_dbus:
1745
 
                            # Emit D-Bus signal
1746
 
                            client.Rejected("Denied")
1747
 
                        return
1748
 
                    
1749
 
                    #wait until timeout or approved
1750
 
                    time = datetime.datetime.now()
1751
 
                    client.changedstate.acquire()
1752
 
                    client.changedstate.wait(
1753
 
                        float(timedelta_to_milliseconds(delay)
1754
 
                              / 1000))
1755
 
                    client.changedstate.release()
1756
 
                    time2 = datetime.datetime.now()
1757
 
                    if (time2 - time) >= delay:
1758
 
                        if not client.approved_by_default:
1759
 
                            logger.warning("Client %s timed out while"
1760
 
                                           " waiting for approval",
1761
 
                                           client.name)
1762
 
                            if self.server.use_dbus:
1763
 
                                # Emit D-Bus signal
1764
 
                                client.Rejected("Approval timed out")
1765
 
                            return
1766
 
                        else:
1767
 
                            break
1768
 
                    else:
1769
 
                        delay -= time2 - time
1770
 
                
1771
 
                sent_size = 0
1772
 
                while sent_size < len(client.secret):
1773
 
                    try:
1774
 
                        sent = session.send(client.secret[sent_size:])
1775
 
                    except gnutls.errors.GNUTLSError as error:
1776
 
                        logger.warning("gnutls send failed",
1777
 
                                       exc_info=error)
1778
 
                        return
1779
 
                    logger.debug("Sent: %d, remaining: %d",
1780
 
                                 sent, len(client.secret)
1781
 
                                 - (sent_size + sent))
1782
 
                    sent_size += sent
1783
 
                
1784
 
                logger.info("Sending secret to %s", client.name)
1785
 
                # bump the timeout using extended_timeout
1786
 
                client.bump_timeout(client.extended_timeout)
1787
 
                if self.server.use_dbus:
1788
 
                    # Emit D-Bus signal
1789
 
                    client.GotSecret()
 
1036
                fpr = self.fingerprint(self.peer_certificate(session))
 
1037
            except (TypeError, gnutls.errors.GNUTLSError), error:
 
1038
                logger.warning(u"Bad certificate: %s", error)
 
1039
                session.bye()
 
1040
                return
 
1041
            logger.debug(u"Fingerprint: %s", fpr)
1790
1042
            
1791
 
            finally:
1792
 
                if approval_required:
1793
 
                    client.approvals_pending -= 1
1794
 
                try:
1795
 
                    session.bye()
1796
 
                except gnutls.errors.GNUTLSError as error:
1797
 
                    logger.warning("GnuTLS bye failed",
1798
 
                                   exc_info=error)
 
1043
            for c in self.server.clients:
 
1044
                if c.fingerprint == fpr:
 
1045
                    client = c
 
1046
                    break
 
1047
            else:
 
1048
                ipc.write(u"NOTFOUND %s %s\n"
 
1049
                          % (fpr, unicode(self.client_address)))
 
1050
                session.bye()
 
1051
                return
 
1052
            # Have to check if client.still_valid(), since it is
 
1053
            # possible that the client timed out while establishing
 
1054
            # the GnuTLS session.
 
1055
            if not client.still_valid():
 
1056
                ipc.write(u"INVALID %s\n" % client.name)
 
1057
                session.bye()
 
1058
                return
 
1059
            ipc.write(u"SENDING %s\n" % client.name)
 
1060
            sent_size = 0
 
1061
            while sent_size < len(client.secret):
 
1062
                sent = session.send(client.secret[sent_size:])
 
1063
                logger.debug(u"Sent: %d, remaining: %d",
 
1064
                             sent, len(client.secret)
 
1065
                             - (sent_size + sent))
 
1066
                sent_size += sent
 
1067
            session.bye()
1799
1068
    
1800
1069
    @staticmethod
1801
1070
    def peer_certificate(session):
1811
1080
                     .gnutls_certificate_get_peers
1812
1081
                     (session._c_object, ctypes.byref(list_size)))
1813
1082
        if not bool(cert_list) and list_size.value != 0:
1814
 
            raise gnutls.errors.GNUTLSError("error getting peer"
1815
 
                                            " certificate")
 
1083
            raise gnutls.errors.GNUTLSError(u"error getting peer"
 
1084
                                            u" certificate")
1816
1085
        if list_size.value == 0:
1817
1086
            return None
1818
1087
        cert = cert_list[0]
1844
1113
        if crtverify.value != 0:
1845
1114
            gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1846
1115
            raise (gnutls.errors.CertificateSecurityError
1847
 
                   ("Verify failed"))
 
1116
                   (u"Verify failed"))
1848
1117
        # New buffer for the fingerprint
1849
1118
        buf = ctypes.create_string_buffer(20)
1850
1119
        buf_len = ctypes.c_size_t()
1857
1126
        # Convert the buffer to a Python bytestring
1858
1127
        fpr = ctypes.string_at(buf, buf_len.value)
1859
1128
        # Convert the bytestring to hexadecimal notation
1860
 
        hex_fpr = binascii.hexlify(fpr).upper()
 
1129
        hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1861
1130
        return hex_fpr
1862
1131
 
1863
1132
 
1864
 
class MultiprocessingMixIn(object):
1865
 
    """Like socketserver.ThreadingMixIn, but with multiprocessing"""
1866
 
    def sub_process_main(self, request, address):
1867
 
        try:
1868
 
            self.finish_request(request, address)
1869
 
        except Exception:
1870
 
            self.handle_error(request, address)
1871
 
        self.close_request(request)
1872
 
    
1873
 
    def process_request(self, request, address):
1874
 
        """Start a new process to process the request."""
1875
 
        proc = multiprocessing.Process(target = self.sub_process_main,
1876
 
                                       args = (request, address))
1877
 
        proc.start()
1878
 
        return proc
1879
 
 
1880
 
 
1881
 
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1882
 
    """ adds a pipe to the MixIn """
 
1133
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
 
1134
    """Like socketserver.ForkingMixIn, but also pass a pipe."""
1883
1135
    def process_request(self, request, client_address):
1884
1136
        """Overrides and wraps the original process_request().
1885
1137
        
1886
1138
        This function creates a new pipe in self.pipe
1887
1139
        """
1888
 
        parent_pipe, self.child_pipe = multiprocessing.Pipe()
1889
 
        
1890
 
        proc = MultiprocessingMixIn.process_request(self, request,
1891
 
                                                    client_address)
1892
 
        self.child_pipe.close()
1893
 
        self.add_pipe(parent_pipe, proc)
1894
 
    
1895
 
    def add_pipe(self, parent_pipe, proc):
 
1140
        self.pipe = os.pipe()
 
1141
        super(ForkingMixInWithPipe,
 
1142
              self).process_request(request, client_address)
 
1143
        os.close(self.pipe[1])  # close write end
 
1144
        self.add_pipe(self.pipe[0])
 
1145
    def add_pipe(self, pipe):
1896
1146
        """Dummy function; override as necessary"""
1897
 
        raise NotImplementedError
1898
 
 
1899
 
 
1900
 
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
 
1147
        os.close(pipe)
 
1148
 
 
1149
 
 
1150
class IPv6_TCPServer(ForkingMixInWithPipe,
1901
1151
                     socketserver.TCPServer, object):
1902
1152
    """IPv6-capable TCP server.  Accepts 'None' as address and/or port
1903
1153
    
1907
1157
        use_ipv6:       Boolean; to use IPv6 or not
1908
1158
    """
1909
1159
    def __init__(self, server_address, RequestHandlerClass,
1910
 
                 interface=None, use_ipv6=True, socketfd=None):
1911
 
        """If socketfd is set, use that file descriptor instead of
1912
 
        creating a new one with socket.socket().
1913
 
        """
 
1160
                 interface=None, use_ipv6=True):
1914
1161
        self.interface = interface
1915
1162
        if use_ipv6:
1916
1163
            self.address_family = socket.AF_INET6
1917
 
        if socketfd is not None:
1918
 
            # Save the file descriptor
1919
 
            self.socketfd = socketfd
1920
 
            # Save the original socket.socket() function
1921
 
            self.socket_socket = socket.socket
1922
 
            # To implement --socket, we monkey patch socket.socket.
1923
 
            # 
1924
 
            # (When socketserver.TCPServer is a new-style class, we
1925
 
            # could make self.socket into a property instead of monkey
1926
 
            # patching socket.socket.)
1927
 
            # 
1928
 
            # Create a one-time-only replacement for socket.socket()
1929
 
            @functools.wraps(socket.socket)
1930
 
            def socket_wrapper(*args, **kwargs):
1931
 
                # Restore original function so subsequent calls are
1932
 
                # not affected.
1933
 
                socket.socket = self.socket_socket
1934
 
                del self.socket_socket
1935
 
                # This time only, return a new socket object from the
1936
 
                # saved file descriptor.
1937
 
                return socket.fromfd(self.socketfd, *args, **kwargs)
1938
 
            # Replace socket.socket() function with wrapper
1939
 
            socket.socket = socket_wrapper
1940
 
        # The socketserver.TCPServer.__init__ will call
1941
 
        # socket.socket(), which might be our replacement,
1942
 
        # socket_wrapper(), if socketfd was set.
1943
1164
        socketserver.TCPServer.__init__(self, server_address,
1944
1165
                                        RequestHandlerClass)
1945
 
    
1946
1166
    def server_bind(self):
1947
1167
        """This overrides the normal server_bind() function
1948
1168
        to bind to an interface if one was specified, and also NOT to
1949
1169
        bind to an address or port if they were not specified."""
1950
1170
        if self.interface is not None:
1951
1171
            if SO_BINDTODEVICE is None:
1952
 
                logger.error("SO_BINDTODEVICE does not exist;"
1953
 
                             " cannot bind to interface %s",
 
1172
                logger.error(u"SO_BINDTODEVICE does not exist;"
 
1173
                             u" cannot bind to interface %s",
1954
1174
                             self.interface)
1955
1175
            else:
1956
1176
                try:
1957
1177
                    self.socket.setsockopt(socket.SOL_SOCKET,
1958
1178
                                           SO_BINDTODEVICE,
1959
 
                                           str(self.interface + '\0'))
1960
 
                except socket.error as error:
1961
 
                    if error.errno == errno.EPERM:
1962
 
                        logger.error("No permission to bind to"
1963
 
                                     " interface %s", self.interface)
1964
 
                    elif error.errno == errno.ENOPROTOOPT:
1965
 
                        logger.error("SO_BINDTODEVICE not available;"
1966
 
                                     " cannot bind to interface %s",
1967
 
                                     self.interface)
1968
 
                    elif error.errno == errno.ENODEV:
1969
 
                        logger.error("Interface %s does not exist,"
1970
 
                                     " cannot bind", self.interface)
 
1179
                                           str(self.interface
 
1180
                                               + u'\0'))
 
1181
                except socket.error, error:
 
1182
                    if error[0] == errno.EPERM:
 
1183
                        logger.error(u"No permission to"
 
1184
                                     u" bind to interface %s",
 
1185
                                     self.interface)
 
1186
                    elif error[0] == errno.ENOPROTOOPT:
 
1187
                        logger.error(u"SO_BINDTODEVICE not available;"
 
1188
                                     u" cannot bind to interface %s",
 
1189
                                     self.interface)
1971
1190
                    else:
1972
1191
                        raise
1973
1192
        # Only bind(2) the socket if we really need to.
1974
1193
        if self.server_address[0] or self.server_address[1]:
1975
1194
            if not self.server_address[0]:
1976
1195
                if self.address_family == socket.AF_INET6:
1977
 
                    any_address = "::" # in6addr_any
 
1196
                    any_address = u"::" # in6addr_any
1978
1197
                else:
1979
1198
                    any_address = socket.INADDR_ANY
1980
1199
                self.server_address = (any_address,
2003
1222
    """
2004
1223
    def __init__(self, server_address, RequestHandlerClass,
2005
1224
                 interface=None, use_ipv6=True, clients=None,
2006
 
                 gnutls_priority=None, use_dbus=True, socketfd=None):
 
1225
                 gnutls_priority=None, use_dbus=True):
2007
1226
        self.enabled = False
2008
1227
        self.clients = clients
2009
1228
        if self.clients is None:
2010
 
            self.clients = {}
 
1229
            self.clients = set()
2011
1230
        self.use_dbus = use_dbus
2012
1231
        self.gnutls_priority = gnutls_priority
2013
1232
        IPv6_TCPServer.__init__(self, server_address,
2014
1233
                                RequestHandlerClass,
2015
1234
                                interface = interface,
2016
 
                                use_ipv6 = use_ipv6,
2017
 
                                socketfd = socketfd)
 
1235
                                use_ipv6 = use_ipv6)
2018
1236
    def server_activate(self):
2019
1237
        if self.enabled:
2020
1238
            return socketserver.TCPServer.server_activate(self)
2021
 
    
2022
1239
    def enable(self):
2023
1240
        self.enabled = True
2024
 
    
2025
 
    def add_pipe(self, parent_pipe, proc):
 
1241
    def add_pipe(self, pipe):
2026
1242
        # Call "handle_ipc" for both data and EOF events
2027
 
        gobject.io_add_watch(parent_pipe.fileno(),
2028
 
                             gobject.IO_IN | gobject.IO_HUP,
2029
 
                             functools.partial(self.handle_ipc,
2030
 
                                               parent_pipe =
2031
 
                                               parent_pipe,
2032
 
                                               proc = proc))
2033
 
    
2034
 
    def handle_ipc(self, source, condition, parent_pipe=None,
2035
 
                   proc = None, client_object=None):
2036
 
        # error, or the other end of multiprocessing.Pipe has closed
2037
 
        if condition & (gobject.IO_ERR | gobject.IO_HUP):
2038
 
            # Wait for other process to exit
2039
 
            proc.join()
2040
 
            return False
2041
 
        
2042
 
        # Read a request from the child
2043
 
        request = parent_pipe.recv()
2044
 
        command = request[0]
2045
 
        
2046
 
        if command == 'init':
2047
 
            fpr = request[1]
2048
 
            address = request[2]
2049
 
            
2050
 
            for c in self.clients.itervalues():
2051
 
                if c.fingerprint == fpr:
2052
 
                    client = c
2053
 
                    break
2054
 
            else:
2055
 
                logger.info("Client not found for fingerprint: %s, ad"
2056
 
                            "dress: %s", fpr, address)
2057
 
                if self.use_dbus:
2058
 
                    # Emit D-Bus signal
2059
 
                    mandos_dbus_service.ClientNotFound(fpr,
2060
 
                                                       address[0])
2061
 
                parent_pipe.send(False)
2062
 
                return False
2063
 
            
2064
 
            gobject.io_add_watch(parent_pipe.fileno(),
2065
 
                                 gobject.IO_IN | gobject.IO_HUP,
2066
 
                                 functools.partial(self.handle_ipc,
2067
 
                                                   parent_pipe =
2068
 
                                                   parent_pipe,
2069
 
                                                   proc = proc,
2070
 
                                                   client_object =
2071
 
                                                   client))
2072
 
            parent_pipe.send(True)
2073
 
            # remove the old hook in favor of the new above hook on
2074
 
            # same fileno
2075
 
            return False
2076
 
        if command == 'funcall':
2077
 
            funcname = request[1]
2078
 
            args = request[2]
2079
 
            kwargs = request[3]
2080
 
            
2081
 
            parent_pipe.send(('data', getattr(client_object,
2082
 
                                              funcname)(*args,
2083
 
                                                         **kwargs)))
2084
 
        
2085
 
        if command == 'getattr':
2086
 
            attrname = request[1]
2087
 
            if callable(client_object.__getattribute__(attrname)):
2088
 
                parent_pipe.send(('function',))
2089
 
            else:
2090
 
                parent_pipe.send(('data', client_object
2091
 
                                  .__getattribute__(attrname)))
2092
 
        
2093
 
        if command == 'setattr':
2094
 
            attrname = request[1]
2095
 
            value = request[2]
2096
 
            setattr(client_object, attrname, value)
2097
 
        
 
1243
        gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
 
1244
                             self.handle_ipc)
 
1245
    def handle_ipc(self, source, condition, file_objects={}):
 
1246
        condition_names = {
 
1247
            gobject.IO_IN: u"IN",   # There is data to read.
 
1248
            gobject.IO_OUT: u"OUT", # Data can be written (without
 
1249
                                    # blocking).
 
1250
            gobject.IO_PRI: u"PRI", # There is urgent data to read.
 
1251
            gobject.IO_ERR: u"ERR", # Error condition.
 
1252
            gobject.IO_HUP: u"HUP"  # Hung up (the connection has been
 
1253
                                    # broken, usually for pipes and
 
1254
                                    # sockets).
 
1255
            }
 
1256
        conditions_string = ' | '.join(name
 
1257
                                       for cond, name in
 
1258
                                       condition_names.iteritems()
 
1259
                                       if cond & condition)
 
1260
        logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
 
1261
                     conditions_string)
 
1262
        
 
1263
        # Turn the pipe file descriptor into a Python file object
 
1264
        if source not in file_objects:
 
1265
            file_objects[source] = os.fdopen(source, u"r", 1)
 
1266
        
 
1267
        # Read a line from the file object
 
1268
        cmdline = file_objects[source].readline()
 
1269
        if not cmdline:             # Empty line means end of file
 
1270
            # close the IPC pipe
 
1271
            file_objects[source].close()
 
1272
            del file_objects[source]
 
1273
            
 
1274
            # Stop calling this function
 
1275
            return False
 
1276
        
 
1277
        logger.debug(u"IPC command: %r", cmdline)
 
1278
        
 
1279
        # Parse and act on command
 
1280
        cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
 
1281
        
 
1282
        if cmd == u"NOTFOUND":
 
1283
            logger.warning(u"Client not found for fingerprint: %s",
 
1284
                           args)
 
1285
            if self.use_dbus:
 
1286
                # Emit D-Bus signal
 
1287
                mandos_dbus_service.ClientNotFound(args)
 
1288
        elif cmd == u"INVALID":
 
1289
            for client in self.clients:
 
1290
                if client.name == args:
 
1291
                    logger.warning(u"Client %s is invalid", args)
 
1292
                    if self.use_dbus:
 
1293
                        # Emit D-Bus signal
 
1294
                        client.Rejected()
 
1295
                    break
 
1296
            else:
 
1297
                logger.error(u"Unknown client %s is invalid", args)
 
1298
        elif cmd == u"SENDING":
 
1299
            for client in self.clients:
 
1300
                if client.name == args:
 
1301
                    logger.info(u"Sending secret to %s", client.name)
 
1302
                    client.checked_ok()
 
1303
                    if self.use_dbus:
 
1304
                        # Emit D-Bus signal
 
1305
                        client.GotSecret()
 
1306
                    break
 
1307
            else:
 
1308
                logger.error(u"Sending secret to unknown client %s",
 
1309
                             args)
 
1310
        else:
 
1311
            logger.error(u"Unknown IPC command: %r", cmdline)
 
1312
        
 
1313
        # Keep calling this function
2098
1314
        return True
2099
1315
 
2100
1316
 
2101
 
def rfc3339_duration_to_delta(duration):
2102
 
    """Parse an RFC 3339 "duration" and return a datetime.timedelta
2103
 
    
2104
 
    >>> rfc3339_duration_to_delta("P7D")
2105
 
    datetime.timedelta(7)
2106
 
    >>> rfc3339_duration_to_delta("PT60S")
2107
 
    datetime.timedelta(0, 60)
2108
 
    >>> rfc3339_duration_to_delta("PT60M")
2109
 
    datetime.timedelta(0, 3600)
2110
 
    >>> rfc3339_duration_to_delta("PT24H")
2111
 
    datetime.timedelta(1)
2112
 
    >>> rfc3339_duration_to_delta("P1W")
2113
 
    datetime.timedelta(7)
2114
 
    >>> rfc3339_duration_to_delta("PT5M30S")
2115
 
    datetime.timedelta(0, 330)
2116
 
    >>> rfc3339_duration_to_delta("P1DT3M20S")
2117
 
    datetime.timedelta(1, 200)
2118
 
    """
2119
 
    
2120
 
    # Parsing an RFC 3339 duration with regular expressions is not
2121
 
    # possible - there would have to be multiple places for the same
2122
 
    # values, like seconds.  The current code, while more esoteric, is
2123
 
    # cleaner without depending on a parsing library.  If Python had a
2124
 
    # built-in library for parsing we would use it, but we'd like to
2125
 
    # avoid excessive use of external libraries.
2126
 
    
2127
 
    # New type for defining tokens, syntax, and semantics all-in-one
2128
 
    Token = collections.namedtuple("Token",
2129
 
                                   ("regexp", # To match token; if
2130
 
                                              # "value" is not None,
2131
 
                                              # must have a "group"
2132
 
                                              # containing digits
2133
 
                                    "value",  # datetime.timedelta or
2134
 
                                              # None
2135
 
                                    "followers")) # Tokens valid after
2136
 
                                                  # this token
2137
 
    # RFC 3339 "duration" tokens, syntax, and semantics; taken from
2138
 
    # the "duration" ABNF definition in RFC 3339, Appendix A.
2139
 
    token_end = Token(re.compile(r"$"), None, frozenset())
2140
 
    token_second = Token(re.compile(r"(\d+)S"),
2141
 
                         datetime.timedelta(seconds=1),
2142
 
                         frozenset((token_end,)))
2143
 
    token_minute = Token(re.compile(r"(\d+)M"),
2144
 
                         datetime.timedelta(minutes=1),
2145
 
                         frozenset((token_second, token_end)))
2146
 
    token_hour = Token(re.compile(r"(\d+)H"),
2147
 
                       datetime.timedelta(hours=1),
2148
 
                       frozenset((token_minute, token_end)))
2149
 
    token_time = Token(re.compile(r"T"),
2150
 
                       None,
2151
 
                       frozenset((token_hour, token_minute,
2152
 
                                  token_second)))
2153
 
    token_day = Token(re.compile(r"(\d+)D"),
2154
 
                      datetime.timedelta(days=1),
2155
 
                      frozenset((token_time, token_end)))
2156
 
    token_month = Token(re.compile(r"(\d+)M"),
2157
 
                        datetime.timedelta(weeks=4),
2158
 
                        frozenset((token_day, token_end)))
2159
 
    token_year = Token(re.compile(r"(\d+)Y"),
2160
 
                       datetime.timedelta(weeks=52),
2161
 
                       frozenset((token_month, token_end)))
2162
 
    token_week = Token(re.compile(r"(\d+)W"),
2163
 
                       datetime.timedelta(weeks=1),
2164
 
                       frozenset((token_end,)))
2165
 
    token_duration = Token(re.compile(r"P"), None,
2166
 
                           frozenset((token_year, token_month,
2167
 
                                      token_day, token_time,
2168
 
                                      token_week))),
2169
 
    # Define starting values
2170
 
    value = datetime.timedelta() # Value so far
2171
 
    found_token = None
2172
 
    followers = frozenset(token_duration,) # Following valid tokens
2173
 
    s = duration                # String left to parse
2174
 
    # Loop until end token is found
2175
 
    while found_token is not token_end:
2176
 
        # Search for any currently valid tokens
2177
 
        for token in followers:
2178
 
            match = token.regexp.match(s)
2179
 
            if match is not None:
2180
 
                # Token found
2181
 
                if token.value is not None:
2182
 
                    # Value found, parse digits
2183
 
                    factor = int(match.group(1), 10)
2184
 
                    # Add to value so far
2185
 
                    value += factor * token.value
2186
 
                # Strip token from string
2187
 
                s = token.regexp.sub("", s, 1)
2188
 
                # Go to found token
2189
 
                found_token = token
2190
 
                # Set valid next tokens
2191
 
                followers = found_token.followers
2192
 
                break
2193
 
        else:
2194
 
            # No currently valid tokens were found
2195
 
            raise ValueError("Invalid RFC 3339 duration")
2196
 
    # End token found
2197
 
    return value
2198
 
 
2199
 
 
2200
1317
def string_to_delta(interval):
2201
1318
    """Parse a string and return a datetime.timedelta
2202
1319
    
2203
 
    >>> string_to_delta('7d')
 
1320
    >>> string_to_delta(u'7d')
2204
1321
    datetime.timedelta(7)
2205
 
    >>> string_to_delta('60s')
 
1322
    >>> string_to_delta(u'60s')
2206
1323
    datetime.timedelta(0, 60)
2207
 
    >>> string_to_delta('60m')
 
1324
    >>> string_to_delta(u'60m')
2208
1325
    datetime.timedelta(0, 3600)
2209
 
    >>> string_to_delta('24h')
 
1326
    >>> string_to_delta(u'24h')
2210
1327
    datetime.timedelta(1)
2211
 
    >>> string_to_delta('1w')
 
1328
    >>> string_to_delta(u'1w')
2212
1329
    datetime.timedelta(7)
2213
 
    >>> string_to_delta('5m 30s')
 
1330
    >>> string_to_delta(u'5m 30s')
2214
1331
    datetime.timedelta(0, 330)
2215
1332
    """
2216
 
    
2217
 
    try:
2218
 
        return rfc3339_duration_to_delta(interval)
2219
 
    except ValueError:
2220
 
        pass
2221
 
    
2222
1333
    timevalue = datetime.timedelta(0)
2223
1334
    for s in interval.split():
2224
1335
        try:
2225
1336
            suffix = unicode(s[-1])
2226
1337
            value = int(s[:-1])
2227
 
            if suffix == "d":
 
1338
            if suffix == u"d":
2228
1339
                delta = datetime.timedelta(value)
2229
 
            elif suffix == "s":
 
1340
            elif suffix == u"s":
2230
1341
                delta = datetime.timedelta(0, value)
2231
 
            elif suffix == "m":
 
1342
            elif suffix == u"m":
2232
1343
                delta = datetime.timedelta(0, 0, 0, 0, value)
2233
 
            elif suffix == "h":
 
1344
            elif suffix == u"h":
2234
1345
                delta = datetime.timedelta(0, 0, 0, 0, 0, value)
2235
 
            elif suffix == "w":
 
1346
            elif suffix == u"w":
2236
1347
                delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2237
1348
            else:
2238
 
                raise ValueError("Unknown suffix {0!r}"
2239
 
                                 .format(suffix))
2240
 
        except (ValueError, IndexError) as e:
2241
 
            raise ValueError(*(e.args))
 
1349
                raise ValueError(u"Unknown suffix %r" % suffix)
 
1350
        except (ValueError, IndexError), e:
 
1351
            raise ValueError(e.message)
2242
1352
        timevalue += delta
2243
1353
    return timevalue
2244
1354
 
2245
1355
 
 
1356
def if_nametoindex(interface):
 
1357
    """Call the C function if_nametoindex(), or equivalent
 
1358
    
 
1359
    Note: This function cannot accept a unicode string."""
 
1360
    global if_nametoindex
 
1361
    try:
 
1362
        if_nametoindex = (ctypes.cdll.LoadLibrary
 
1363
                          (ctypes.util.find_library(u"c"))
 
1364
                          .if_nametoindex)
 
1365
    except (OSError, AttributeError):
 
1366
        logger.warning(u"Doing if_nametoindex the hard way")
 
1367
        def if_nametoindex(interface):
 
1368
            "Get an interface index the hard way, i.e. using fcntl()"
 
1369
            SIOCGIFINDEX = 0x8933  # From /usr/include/linux/sockios.h
 
1370
            with closing(socket.socket()) as s:
 
1371
                ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
 
1372
                                    struct.pack(str(u"16s16x"),
 
1373
                                                interface))
 
1374
            interface_index = struct.unpack(str(u"I"),
 
1375
                                            ifreq[16:20])[0]
 
1376
            return interface_index
 
1377
    return if_nametoindex(interface)
 
1378
 
 
1379
 
2246
1380
def daemon(nochdir = False, noclose = False):
2247
1381
    """See daemon(3).  Standard BSD Unix function.
2248
1382
    
2251
1385
        sys.exit()
2252
1386
    os.setsid()
2253
1387
    if not nochdir:
2254
 
        os.chdir("/")
 
1388
        os.chdir(u"/")
2255
1389
    if os.fork():
2256
1390
        sys.exit()
2257
1391
    if not noclose:
2258
1392
        # Close all standard open file descriptors
2259
 
        null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
 
1393
        null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2260
1394
        if not stat.S_ISCHR(os.fstat(null).st_mode):
2261
1395
            raise OSError(errno.ENODEV,
2262
 
                          "{0} not a character device"
2263
 
                          .format(os.devnull))
 
1396
                          u"%s not a character device"
 
1397
                          % os.path.devnull)
2264
1398
        os.dup2(null, sys.stdin.fileno())
2265
1399
        os.dup2(null, sys.stdout.fileno())
2266
1400
        os.dup2(null, sys.stderr.fileno())
2273
1407
    ##################################################################
2274
1408
    # Parsing of options, both command line and config file
2275
1409
    
2276
 
    parser = argparse.ArgumentParser()
2277
 
    parser.add_argument("-v", "--version", action="version",
2278
 
                        version = "%(prog)s {0}".format(version),
2279
 
                        help="show version number and exit")
2280
 
    parser.add_argument("-i", "--interface", metavar="IF",
2281
 
                        help="Bind to interface IF")
2282
 
    parser.add_argument("-a", "--address",
2283
 
                        help="Address to listen for requests on")
2284
 
    parser.add_argument("-p", "--port", type=int,
2285
 
                        help="Port number to receive requests on")
2286
 
    parser.add_argument("--check", action="store_true",
2287
 
                        help="Run self-test")
2288
 
    parser.add_argument("--debug", action="store_true",
2289
 
                        help="Debug mode; run in foreground and log"
2290
 
                        " to terminal")
2291
 
    parser.add_argument("--debuglevel", metavar="LEVEL",
2292
 
                        help="Debug level for stdout output")
2293
 
    parser.add_argument("--priority", help="GnuTLS"
2294
 
                        " priority string (see GnuTLS documentation)")
2295
 
    parser.add_argument("--servicename",
2296
 
                        metavar="NAME", help="Zeroconf service name")
2297
 
    parser.add_argument("--configdir",
2298
 
                        default="/etc/mandos", metavar="DIR",
2299
 
                        help="Directory to search for configuration"
2300
 
                        " files")
2301
 
    parser.add_argument("--no-dbus", action="store_false",
2302
 
                        dest="use_dbus", help="Do not provide D-Bus"
2303
 
                        " system bus interface")
2304
 
    parser.add_argument("--no-ipv6", action="store_false",
2305
 
                        dest="use_ipv6", help="Do not use IPv6")
2306
 
    parser.add_argument("--no-restore", action="store_false",
2307
 
                        dest="restore", help="Do not restore stored"
2308
 
                        " state")
2309
 
    parser.add_argument("--socket", type=int,
2310
 
                        help="Specify a file descriptor to a network"
2311
 
                        " socket to use instead of creating one")
2312
 
    parser.add_argument("--statedir", metavar="DIR",
2313
 
                        help="Directory to save/restore state in")
2314
 
    parser.add_argument("--foreground", action="store_true",
2315
 
                        help="Run in foreground")
2316
 
    
2317
 
    options = parser.parse_args()
 
1410
    parser = optparse.OptionParser(version = "%%prog %s" % version)
 
1411
    parser.add_option("-i", u"--interface", type=u"string",
 
1412
                      metavar="IF", help=u"Bind to interface IF")
 
1413
    parser.add_option("-a", u"--address", type=u"string",
 
1414
                      help=u"Address to listen for requests on")
 
1415
    parser.add_option("-p", u"--port", type=u"int",
 
1416
                      help=u"Port number to receive requests on")
 
1417
    parser.add_option("--check", action=u"store_true",
 
1418
                      help=u"Run self-test")
 
1419
    parser.add_option("--debug", action=u"store_true",
 
1420
                      help=u"Debug mode; run in foreground and log to"
 
1421
                      u" terminal")
 
1422
    parser.add_option("--priority", type=u"string", help=u"GnuTLS"
 
1423
                      u" priority string (see GnuTLS documentation)")
 
1424
    parser.add_option("--servicename", type=u"string",
 
1425
                      metavar=u"NAME", help=u"Zeroconf service name")
 
1426
    parser.add_option("--configdir", type=u"string",
 
1427
                      default=u"/etc/mandos", metavar=u"DIR",
 
1428
                      help=u"Directory to search for configuration"
 
1429
                      u" files")
 
1430
    parser.add_option("--no-dbus", action=u"store_false",
 
1431
                      dest=u"use_dbus", help=u"Do not provide D-Bus"
 
1432
                      u" system bus interface")
 
1433
    parser.add_option("--no-ipv6", action=u"store_false",
 
1434
                      dest=u"use_ipv6", help=u"Do not use IPv6")
 
1435
    options = parser.parse_args()[0]
2318
1436
    
2319
1437
    if options.check:
2320
1438
        import doctest
2322
1440
        sys.exit()
2323
1441
    
2324
1442
    # Default values for config file for server-global settings
2325
 
    server_defaults = { "interface": "",
2326
 
                        "address": "",
2327
 
                        "port": "",
2328
 
                        "debug": "False",
2329
 
                        "priority":
2330
 
                        "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2331
 
                        "servicename": "Mandos",
2332
 
                        "use_dbus": "True",
2333
 
                        "use_ipv6": "True",
2334
 
                        "debuglevel": "",
2335
 
                        "restore": "True",
2336
 
                        "socket": "",
2337
 
                        "statedir": "/var/lib/mandos",
2338
 
                        "foreground": "False",
 
1443
    server_defaults = { u"interface": u"",
 
1444
                        u"address": u"",
 
1445
                        u"port": u"",
 
1446
                        u"debug": u"False",
 
1447
                        u"priority":
 
1448
                        u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
 
1449
                        u"servicename": u"Mandos",
 
1450
                        u"use_dbus": u"True",
 
1451
                        u"use_ipv6": u"True",
2339
1452
                        }
2340
1453
    
2341
1454
    # Parse config file for server-global settings
2342
1455
    server_config = configparser.SafeConfigParser(server_defaults)
2343
1456
    del server_defaults
2344
1457
    server_config.read(os.path.join(options.configdir,
2345
 
                                    "mandos.conf"))
 
1458
                                    u"mandos.conf"))
2346
1459
    # Convert the SafeConfigParser object to a dict
2347
1460
    server_settings = server_config.defaults()
2348
1461
    # Use the appropriate methods on the non-string config options
2349
 
    for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2350
 
        server_settings[option] = server_config.getboolean("DEFAULT",
 
1462
    for option in (u"debug", u"use_dbus", u"use_ipv6"):
 
1463
        server_settings[option] = server_config.getboolean(u"DEFAULT",
2351
1464
                                                           option)
2352
1465
    if server_settings["port"]:
2353
 
        server_settings["port"] = server_config.getint("DEFAULT",
2354
 
                                                       "port")
2355
 
    if server_settings["socket"]:
2356
 
        server_settings["socket"] = server_config.getint("DEFAULT",
2357
 
                                                         "socket")
2358
 
        # Later, stdin will, and stdout and stderr might, be dup'ed
2359
 
        # over with an opened os.devnull.  But we don't want this to
2360
 
        # happen with a supplied network socket.
2361
 
        if 0 <= server_settings["socket"] <= 2:
2362
 
            server_settings["socket"] = os.dup(server_settings
2363
 
                                               ["socket"])
 
1466
        server_settings["port"] = server_config.getint(u"DEFAULT",
 
1467
                                                       u"port")
2364
1468
    del server_config
2365
1469
    
2366
1470
    # Override the settings from the config file with command line
2367
1471
    # options, if set.
2368
 
    for option in ("interface", "address", "port", "debug",
2369
 
                   "priority", "servicename", "configdir",
2370
 
                   "use_dbus", "use_ipv6", "debuglevel", "restore",
2371
 
                   "statedir", "socket", "foreground"):
 
1472
    for option in (u"interface", u"address", u"port", u"debug",
 
1473
                   u"priority", u"servicename", u"configdir",
 
1474
                   u"use_dbus", u"use_ipv6"):
2372
1475
        value = getattr(options, option)
2373
1476
        if value is not None:
2374
1477
            server_settings[option] = value
2377
1480
    for option in server_settings.keys():
2378
1481
        if type(server_settings[option]) is str:
2379
1482
            server_settings[option] = unicode(server_settings[option])
2380
 
    # Debug implies foreground
2381
 
    if server_settings["debug"]:
2382
 
        server_settings["foreground"] = True
2383
1483
    # Now we have our good server settings in "server_settings"
2384
1484
    
2385
1485
    ##################################################################
2386
1486
    
2387
1487
    # For convenience
2388
 
    debug = server_settings["debug"]
2389
 
    debuglevel = server_settings["debuglevel"]
2390
 
    use_dbus = server_settings["use_dbus"]
2391
 
    use_ipv6 = server_settings["use_ipv6"]
2392
 
    stored_state_path = os.path.join(server_settings["statedir"],
2393
 
                                     stored_state_file)
2394
 
    foreground = server_settings["foreground"]
2395
 
    
2396
 
    if debug:
2397
 
        initlogger(debug, logging.DEBUG)
2398
 
    else:
2399
 
        if not debuglevel:
2400
 
            initlogger(debug)
2401
 
        else:
2402
 
            level = getattr(logging, debuglevel.upper())
2403
 
            initlogger(debug, level)
2404
 
    
2405
 
    if server_settings["servicename"] != "Mandos":
 
1488
    debug = server_settings[u"debug"]
 
1489
    use_dbus = server_settings[u"use_dbus"]
 
1490
    use_ipv6 = server_settings[u"use_ipv6"]
 
1491
    
 
1492
    if not debug:
 
1493
        syslogger.setLevel(logging.WARNING)
 
1494
        console.setLevel(logging.WARNING)
 
1495
    
 
1496
    if server_settings[u"servicename"] != u"Mandos":
2406
1497
        syslogger.setFormatter(logging.Formatter
2407
 
                               ('Mandos ({0}) [%(process)d]:'
2408
 
                                ' %(levelname)s: %(message)s'
2409
 
                                .format(server_settings
2410
 
                                        ["servicename"])))
 
1498
                               (u'Mandos (%s) [%%(process)d]:'
 
1499
                                u' %%(levelname)s: %%(message)s'
 
1500
                                % server_settings[u"servicename"]))
2411
1501
    
2412
1502
    # Parse config file with clients
2413
 
    client_config = configparser.SafeConfigParser(Client
2414
 
                                                  .client_defaults)
2415
 
    client_config.read(os.path.join(server_settings["configdir"],
2416
 
                                    "clients.conf"))
 
1503
    client_defaults = { u"timeout": u"1h",
 
1504
                        u"interval": u"5m",
 
1505
                        u"checker": u"fping -q -- %%(host)s",
 
1506
                        u"host": u"",
 
1507
                        }
 
1508
    client_config = configparser.SafeConfigParser(client_defaults)
 
1509
    client_config.read(os.path.join(server_settings[u"configdir"],
 
1510
                                    u"clients.conf"))
2417
1511
    
2418
1512
    global mandos_dbus_service
2419
1513
    mandos_dbus_service = None
2420
1514
    
2421
 
    tcp_server = MandosServer((server_settings["address"],
2422
 
                               server_settings["port"]),
 
1515
    tcp_server = MandosServer((server_settings[u"address"],
 
1516
                               server_settings[u"port"]),
2423
1517
                              ClientHandler,
2424
 
                              interface=(server_settings["interface"]
2425
 
                                         or None),
 
1518
                              interface=server_settings[u"interface"],
2426
1519
                              use_ipv6=use_ipv6,
2427
1520
                              gnutls_priority=
2428
 
                              server_settings["priority"],
2429
 
                              use_dbus=use_dbus,
2430
 
                              socketfd=(server_settings["socket"]
2431
 
                                        or None))
2432
 
    if not foreground:
2433
 
        pidfilename = "/var/run/mandos.pid"
2434
 
        pidfile = None
2435
 
        try:
2436
 
            pidfile = open(pidfilename, "w")
2437
 
        except IOError as e:
2438
 
            logger.error("Could not open file %r", pidfilename,
2439
 
                         exc_info=e)
 
1521
                              server_settings[u"priority"],
 
1522
                              use_dbus=use_dbus)
 
1523
    pidfilename = u"/var/run/mandos.pid"
 
1524
    try:
 
1525
        pidfile = open(pidfilename, u"w")
 
1526
    except IOError:
 
1527
        logger.error(u"Could not open file %r", pidfilename)
2440
1528
    
2441
 
    for name in ("_mandos", "mandos", "nobody"):
 
1529
    try:
 
1530
        uid = pwd.getpwnam(u"_mandos").pw_uid
 
1531
        gid = pwd.getpwnam(u"_mandos").pw_gid
 
1532
    except KeyError:
2442
1533
        try:
2443
 
            uid = pwd.getpwnam(name).pw_uid
2444
 
            gid = pwd.getpwnam(name).pw_gid
2445
 
            break
 
1534
            uid = pwd.getpwnam(u"mandos").pw_uid
 
1535
            gid = pwd.getpwnam(u"mandos").pw_gid
2446
1536
        except KeyError:
2447
 
            continue
2448
 
    else:
2449
 
        uid = 65534
2450
 
        gid = 65534
 
1537
            try:
 
1538
                uid = pwd.getpwnam(u"nobody").pw_uid
 
1539
                gid = pwd.getpwnam(u"nobody").pw_gid
 
1540
            except KeyError:
 
1541
                uid = 65534
 
1542
                gid = 65534
2451
1543
    try:
2452
1544
        os.setgid(gid)
2453
1545
        os.setuid(uid)
2454
 
    except OSError as error:
2455
 
        if error.errno != errno.EPERM:
 
1546
    except OSError, error:
 
1547
        if error[0] != errno.EPERM:
2456
1548
            raise error
2457
1549
    
 
1550
    # Enable all possible GnuTLS debugging
2458
1551
    if debug:
2459
 
        # Enable all possible GnuTLS debugging
2460
 
        
2461
1552
        # "Use a log level over 10 to enable all debugging options."
2462
1553
        # - GnuTLS manual
2463
1554
        gnutls.library.functions.gnutls_global_set_log_level(11)
2464
1555
        
2465
1556
        @gnutls.library.types.gnutls_log_func
2466
1557
        def debug_gnutls(level, string):
2467
 
            logger.debug("GnuTLS: %s", string[:-1])
 
1558
            logger.debug(u"GnuTLS: %s", string[:-1])
2468
1559
        
2469
1560
        (gnutls.library.functions
2470
1561
         .gnutls_global_set_log_function(debug_gnutls))
2471
 
        
2472
 
        # Redirect stdin so all checkers get /dev/null
2473
 
        null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2474
 
        os.dup2(null, sys.stdin.fileno())
2475
 
        if null > 2:
2476
 
            os.close(null)
2477
 
    
2478
 
    # Need to fork before connecting to D-Bus
2479
 
    if not foreground:
2480
 
        # Close all input and output, do double fork, etc.
2481
 
        daemon()
2482
 
    
2483
 
    # multiprocessing will use threads, so before we use gobject we
2484
 
    # need to inform gobject that threads will be used.
2485
 
    gobject.threads_init()
2486
1562
    
2487
1563
    global main_loop
2488
1564
    # From the Avahi example code
2489
 
    DBusGMainLoop(set_as_default=True)
 
1565
    DBusGMainLoop(set_as_default=True )
2490
1566
    main_loop = gobject.MainLoop()
2491
1567
    bus = dbus.SystemBus()
2492
1568
    # End of Avahi example code
2493
1569
    if use_dbus:
2494
1570
        try:
2495
 
            bus_name = dbus.service.BusName("se.recompile.Mandos",
 
1571
            bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
2496
1572
                                            bus, do_not_queue=True)
2497
 
            old_bus_name = (dbus.service.BusName
2498
 
                            ("se.bsnet.fukt.Mandos", bus,
2499
 
                             do_not_queue=True))
2500
 
        except dbus.exceptions.NameExistsException as e:
2501
 
            logger.error("Disabling D-Bus:", exc_info=e)
 
1573
        except dbus.exceptions.NameExistsException, e:
 
1574
            logger.error(unicode(e) + u", disabling D-Bus")
2502
1575
            use_dbus = False
2503
 
            server_settings["use_dbus"] = False
 
1576
            server_settings[u"use_dbus"] = False
2504
1577
            tcp_server.use_dbus = False
2505
1578
    protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2506
 
    service = AvahiServiceToSyslog(name =
2507
 
                                   server_settings["servicename"],
2508
 
                                   servicetype = "_mandos._tcp",
2509
 
                                   protocol = protocol, bus = bus)
 
1579
    service = AvahiService(name = server_settings[u"servicename"],
 
1580
                           servicetype = u"_mandos._tcp",
 
1581
                           protocol = protocol, bus = bus)
2510
1582
    if server_settings["interface"]:
2511
1583
        service.interface = (if_nametoindex
2512
 
                             (str(server_settings["interface"])))
2513
 
    
2514
 
    global multiprocessing_manager
2515
 
    multiprocessing_manager = multiprocessing.Manager()
 
1584
                             (str(server_settings[u"interface"])))
2516
1585
    
2517
1586
    client_class = Client
2518
1587
    if use_dbus:
2519
1588
        client_class = functools.partial(ClientDBus, bus = bus)
2520
 
    
2521
 
    client_settings = Client.config_parser(client_config)
2522
 
    old_client_settings = {}
2523
 
    clients_data = {}
2524
 
    
2525
 
    # Get client data and settings from last running state.
2526
 
    if server_settings["restore"]:
2527
 
        try:
2528
 
            with open(stored_state_path, "rb") as stored_state:
2529
 
                clients_data, old_client_settings = (pickle.load
2530
 
                                                     (stored_state))
2531
 
            os.remove(stored_state_path)
2532
 
        except IOError as e:
2533
 
            if e.errno == errno.ENOENT:
2534
 
                logger.warning("Could not load persistent state: {0}"
2535
 
                                .format(os.strerror(e.errno)))
2536
 
            else:
2537
 
                logger.critical("Could not load persistent state:",
2538
 
                                exc_info=e)
2539
 
                raise
2540
 
        except EOFError as e:
2541
 
            logger.warning("Could not load persistent state: "
2542
 
                           "EOFError:", exc_info=e)
2543
 
    
2544
 
    with PGPEngine() as pgp:
2545
 
        for client_name, client in clients_data.iteritems():
2546
 
            # Decide which value to use after restoring saved state.
2547
 
            # We have three different values: Old config file,
2548
 
            # new config file, and saved state.
2549
 
            # New config value takes precedence if it differs from old
2550
 
            # config value, otherwise use saved state.
2551
 
            for name, value in client_settings[client_name].items():
2552
 
                try:
2553
 
                    # For each value in new config, check if it
2554
 
                    # differs from the old config value (Except for
2555
 
                    # the "secret" attribute)
2556
 
                    if (name != "secret" and
2557
 
                        value != old_client_settings[client_name]
2558
 
                        [name]):
2559
 
                        client[name] = value
2560
 
                except KeyError:
2561
 
                    pass
2562
 
            
2563
 
            # Clients who has passed its expire date can still be
2564
 
            # enabled if its last checker was successful.  Clients
2565
 
            # whose checker succeeded before we stored its state is
2566
 
            # assumed to have successfully run all checkers during
2567
 
            # downtime.
2568
 
            if client["enabled"]:
2569
 
                if datetime.datetime.utcnow() >= client["expires"]:
2570
 
                    if not client["last_checked_ok"]:
2571
 
                        logger.warning(
2572
 
                            "disabling client {0} - Client never "
2573
 
                            "performed a successful checker"
2574
 
                            .format(client_name))
2575
 
                        client["enabled"] = False
2576
 
                    elif client["last_checker_status"] != 0:
2577
 
                        logger.warning(
2578
 
                            "disabling client {0} - Client "
2579
 
                            "last checker failed with error code {1}"
2580
 
                            .format(client_name,
2581
 
                                    client["last_checker_status"]))
2582
 
                        client["enabled"] = False
2583
 
                    else:
2584
 
                        client["expires"] = (datetime.datetime
2585
 
                                             .utcnow()
2586
 
                                             + client["timeout"])
2587
 
                        logger.debug("Last checker succeeded,"
2588
 
                                     " keeping {0} enabled"
2589
 
                                     .format(client_name))
2590
 
            try:
2591
 
                client["secret"] = (
2592
 
                    pgp.decrypt(client["encrypted_secret"],
2593
 
                                client_settings[client_name]
2594
 
                                ["secret"]))
2595
 
            except PGPError:
2596
 
                # If decryption fails, we use secret from new settings
2597
 
                logger.debug("Failed to decrypt {0} old secret"
2598
 
                             .format(client_name))
2599
 
                client["secret"] = (
2600
 
                    client_settings[client_name]["secret"])
2601
 
    
2602
 
    # Add/remove clients based on new changes made to config
2603
 
    for client_name in (set(old_client_settings)
2604
 
                        - set(client_settings)):
2605
 
        del clients_data[client_name]
2606
 
    for client_name in (set(client_settings)
2607
 
                        - set(old_client_settings)):
2608
 
        clients_data[client_name] = client_settings[client_name]
2609
 
    
2610
 
    # Create all client objects
2611
 
    for client_name, client in clients_data.iteritems():
2612
 
        tcp_server.clients[client_name] = client_class(
2613
 
            name = client_name, settings = client)
2614
 
    
 
1589
    tcp_server.clients.update(set(
 
1590
            client_class(name = section,
 
1591
                         config= dict(client_config.items(section)))
 
1592
            for section in client_config.sections()))
2615
1593
    if not tcp_server.clients:
2616
 
        logger.warning("No clients defined")
2617
 
    
2618
 
    if not foreground:
2619
 
        if pidfile is not None:
2620
 
            try:
2621
 
                with pidfile:
2622
 
                    pid = os.getpid()
2623
 
                    pidfile.write(str(pid) + "\n".encode("utf-8"))
2624
 
            except IOError:
2625
 
                logger.error("Could not write to file %r with PID %d",
2626
 
                             pidfilename, pid)
 
1594
        logger.warning(u"No clients defined")
 
1595
    
 
1596
    if debug:
 
1597
        # Redirect stdin so all checkers get /dev/null
 
1598
        null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
 
1599
        os.dup2(null, sys.stdin.fileno())
 
1600
        if null > 2:
 
1601
            os.close(null)
 
1602
    else:
 
1603
        # No console logging
 
1604
        logger.removeHandler(console)
 
1605
        # Close all input and output, do double fork, etc.
 
1606
        daemon()
 
1607
    
 
1608
    try:
 
1609
        with closing(pidfile):
 
1610
            pid = os.getpid()
 
1611
            pidfile.write(str(pid) + "\n")
2627
1612
        del pidfile
2628
 
        del pidfilename
 
1613
    except IOError:
 
1614
        logger.error(u"Could not write to file %r with PID %d",
 
1615
                     pidfilename, pid)
 
1616
    except NameError:
 
1617
        # "pidfile" was never created
 
1618
        pass
 
1619
    del pidfilename
2629
1620
    
 
1621
    if not debug:
 
1622
        signal.signal(signal.SIGINT, signal.SIG_IGN)
2630
1623
    signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2631
1624
    signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2632
1625
    
2633
1626
    if use_dbus:
2634
 
        @alternate_dbus_interfaces({"se.recompile.Mandos":
2635
 
                                        "se.bsnet.fukt.Mandos"})
2636
 
        class MandosDBusService(DBusObjectWithProperties):
 
1627
        class MandosDBusService(dbus.service.Object):
2637
1628
            """A D-Bus proxy object"""
2638
1629
            def __init__(self):
2639
 
                dbus.service.Object.__init__(self, bus, "/")
2640
 
            _interface = "se.recompile.Mandos"
2641
 
            
2642
 
            @dbus_interface_annotations(_interface)
2643
 
            def _foo(self):
2644
 
                return { "org.freedesktop.DBus.Property"
2645
 
                         ".EmitsChangedSignal":
2646
 
                             "false"}
2647
 
            
2648
 
            @dbus.service.signal(_interface, signature="o")
2649
 
            def ClientAdded(self, objpath):
2650
 
                "D-Bus signal"
2651
 
                pass
2652
 
            
2653
 
            @dbus.service.signal(_interface, signature="ss")
2654
 
            def ClientNotFound(self, fingerprint, address):
2655
 
                "D-Bus signal"
2656
 
                pass
2657
 
            
2658
 
            @dbus.service.signal(_interface, signature="os")
 
1630
                dbus.service.Object.__init__(self, bus, u"/")
 
1631
            _interface = u"se.bsnet.fukt.Mandos"
 
1632
            
 
1633
            @dbus.service.signal(_interface, signature=u"oa{sv}")
 
1634
            def ClientAdded(self, objpath, properties):
 
1635
                "D-Bus signal"
 
1636
                pass
 
1637
            
 
1638
            @dbus.service.signal(_interface, signature=u"s")
 
1639
            def ClientNotFound(self, fingerprint):
 
1640
                "D-Bus signal"
 
1641
                pass
 
1642
            
 
1643
            @dbus.service.signal(_interface, signature=u"os")
2659
1644
            def ClientRemoved(self, objpath, name):
2660
1645
                "D-Bus signal"
2661
1646
                pass
2662
1647
            
2663
 
            @dbus.service.method(_interface, out_signature="ao")
 
1648
            @dbus.service.method(_interface, out_signature=u"ao")
2664
1649
            def GetAllClients(self):
2665
1650
                "D-Bus method"
2666
1651
                return dbus.Array(c.dbus_object_path
2667
 
                                  for c in
2668
 
                                  tcp_server.clients.itervalues())
 
1652
                                  for c in tcp_server.clients)
2669
1653
            
2670
1654
            @dbus.service.method(_interface,
2671
 
                                 out_signature="a{oa{sv}}")
 
1655
                                 out_signature=u"a{oa{sv}}")
2672
1656
            def GetAllClientsWithProperties(self):
2673
1657
                "D-Bus method"
2674
1658
                return dbus.Dictionary(
2675
 
                    ((c.dbus_object_path, c.GetAll(""))
2676
 
                     for c in tcp_server.clients.itervalues()),
2677
 
                    signature="oa{sv}")
 
1659
                    ((c.dbus_object_path, c.GetAll(u""))
 
1660
                     for c in tcp_server.clients),
 
1661
                    signature=u"oa{sv}")
2678
1662
            
2679
 
            @dbus.service.method(_interface, in_signature="o")
 
1663
            @dbus.service.method(_interface, in_signature=u"o")
2680
1664
            def RemoveClient(self, object_path):
2681
1665
                "D-Bus method"
2682
 
                for c in tcp_server.clients.itervalues():
 
1666
                for c in tcp_server.clients:
2683
1667
                    if c.dbus_object_path == object_path:
2684
 
                        del tcp_server.clients[c.name]
 
1668
                        tcp_server.clients.remove(c)
2685
1669
                        c.remove_from_connection()
2686
1670
                        # Don't signal anything except ClientRemoved
2687
1671
                        c.disable(quiet=True)
2698
1682
        "Cleanup function; run on exit"
2699
1683
        service.cleanup()
2700
1684
        
2701
 
        multiprocessing.active_children()
2702
 
        if not (tcp_server.clients or client_settings):
2703
 
            return
2704
 
        
2705
 
        # Store client before exiting. Secrets are encrypted with key
2706
 
        # based on what config file has. If config file is
2707
 
        # removed/edited, old secret will thus be unrecovable.
2708
 
        clients = {}
2709
 
        with PGPEngine() as pgp:
2710
 
            for client in tcp_server.clients.itervalues():
2711
 
                key = client_settings[client.name]["secret"]
2712
 
                client.encrypted_secret = pgp.encrypt(client.secret,
2713
 
                                                      key)
2714
 
                client_dict = {}
2715
 
                
2716
 
                # A list of attributes that can not be pickled
2717
 
                # + secret.
2718
 
                exclude = set(("bus", "changedstate", "secret",
2719
 
                               "checker"))
2720
 
                for name, typ in (inspect.getmembers
2721
 
                                  (dbus.service.Object)):
2722
 
                    exclude.add(name)
2723
 
                
2724
 
                client_dict["encrypted_secret"] = (client
2725
 
                                                   .encrypted_secret)
2726
 
                for attr in client.client_structure:
2727
 
                    if attr not in exclude:
2728
 
                        client_dict[attr] = getattr(client, attr)
2729
 
                
2730
 
                clients[client.name] = client_dict
2731
 
                del client_settings[client.name]["secret"]
2732
 
        
2733
 
        try:
2734
 
            with (tempfile.NamedTemporaryFile
2735
 
                  (mode='wb', suffix=".pickle", prefix='clients-',
2736
 
                   dir=os.path.dirname(stored_state_path),
2737
 
                   delete=False)) as stored_state:
2738
 
                pickle.dump((clients, client_settings), stored_state)
2739
 
                tempname=stored_state.name
2740
 
            os.rename(tempname, stored_state_path)
2741
 
        except (IOError, OSError) as e:
2742
 
            if not debug:
2743
 
                try:
2744
 
                    os.remove(tempname)
2745
 
                except NameError:
2746
 
                    pass
2747
 
            if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2748
 
                logger.warning("Could not save persistent state: {0}"
2749
 
                               .format(os.strerror(e.errno)))
2750
 
            else:
2751
 
                logger.warning("Could not save persistent state:",
2752
 
                               exc_info=e)
2753
 
                raise e
2754
 
        
2755
 
        # Delete all clients, and settings from config
2756
1685
        while tcp_server.clients:
2757
 
            name, client = tcp_server.clients.popitem()
 
1686
            client = tcp_server.clients.pop()
2758
1687
            if use_dbus:
2759
1688
                client.remove_from_connection()
 
1689
            client.disable_hook = None
2760
1690
            # Don't signal anything except ClientRemoved
2761
1691
            client.disable(quiet=True)
2762
1692
            if use_dbus:
2763
1693
                # Emit D-Bus signal
2764
 
                mandos_dbus_service.ClientRemoved(client
2765
 
                                                  .dbus_object_path,
 
1694
                mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2766
1695
                                                  client.name)
2767
 
        client_settings.clear()
2768
1696
    
2769
1697
    atexit.register(cleanup)
2770
1698
    
2771
 
    for client in tcp_server.clients.itervalues():
 
1699
    for client in tcp_server.clients:
2772
1700
        if use_dbus:
2773
1701
            # Emit D-Bus signal
2774
 
            mandos_dbus_service.ClientAdded(client.dbus_object_path)
2775
 
        # Need to initiate checking of clients
2776
 
        if client.enabled:
2777
 
            client.init_checker()
 
1702
            mandos_dbus_service.ClientAdded(client.dbus_object_path,
 
1703
                                            client.GetAll(u""))
 
1704
        client.enable()
2778
1705
    
2779
1706
    tcp_server.enable()
2780
1707
    tcp_server.server_activate()
2782
1709
    # Find out what port we got
2783
1710
    service.port = tcp_server.socket.getsockname()[1]
2784
1711
    if use_ipv6:
2785
 
        logger.info("Now listening on address %r, port %d,"
2786
 
                    " flowinfo %d, scope_id %d",
2787
 
                    *tcp_server.socket.getsockname())
 
1712
        logger.info(u"Now listening on address %r, port %d,"
 
1713
                    " flowinfo %d, scope_id %d"
 
1714
                    % tcp_server.socket.getsockname())
2788
1715
    else:                       # IPv4
2789
 
        logger.info("Now listening on address %r, port %d",
2790
 
                    *tcp_server.socket.getsockname())
 
1716
        logger.info(u"Now listening on address %r, port %d"
 
1717
                    % tcp_server.socket.getsockname())
2791
1718
    
2792
1719
    #service.interface = tcp_server.socket.getsockname()[3]
2793
1720
    
2795
1722
        # From the Avahi example code
2796
1723
        try:
2797
1724
            service.activate()
2798
 
        except dbus.exceptions.DBusException as error:
2799
 
            logger.critical("D-Bus Exception", exc_info=error)
 
1725
        except dbus.exceptions.DBusException, error:
 
1726
            logger.critical(u"DBusException: %s", error)
2800
1727
            cleanup()
2801
1728
            sys.exit(1)
2802
1729
        # End of Avahi example code
2806
1733
                             (tcp_server.handle_request
2807
1734
                              (*args[2:], **kwargs) or True))
2808
1735
        
2809
 
        logger.debug("Starting main loop")
 
1736
        logger.debug(u"Starting main loop")
2810
1737
        main_loop.run()
2811
 
    except AvahiError as error:
2812
 
        logger.critical("Avahi Error", exc_info=error)
 
1738
    except AvahiError, error:
 
1739
        logger.critical(u"AvahiError: %s", error)
2813
1740
        cleanup()
2814
1741
        sys.exit(1)
2815
1742
    except KeyboardInterrupt:
2816
1743
        if debug:
2817
 
            print("", file=sys.stderr)
2818
 
        logger.debug("Server received KeyboardInterrupt")
2819
 
    logger.debug("Server exiting")
 
1744
            print >> sys.stderr
 
1745
        logger.debug(u"Server received KeyboardInterrupt")
 
1746
    logger.debug(u"Server exiting")
2820
1747
    # Must run before the D-Bus bus name gets deregistered
2821
1748
    cleanup()
2822
1749