89
78
except ImportError:
90
79
SO_BINDTODEVICE = None
93
stored_state_file = "clients.pickle"
95
logger = logging.getLogger()
84
logger = logging.Logger(u'mandos')
96
85
syslogger = (logging.handlers.SysLogHandler
97
86
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
98
address = str("/dev/log")))
101
if_nametoindex = (ctypes.cdll.LoadLibrary
102
(ctypes.util.find_library("c"))
104
except (OSError, AttributeError):
105
def if_nametoindex(interface):
106
"Get an interface index the hard way, i.e. using fcntl()"
107
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
108
with contextlib.closing(socket.socket()) as s:
109
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
110
struct.pack(str("16s16x"),
112
interface_index = struct.unpack(str("I"),
114
return interface_index
117
def initlogger(debug, level=logging.WARNING):
118
"""init logger and add loglevel"""
120
syslogger.setFormatter(logging.Formatter
121
('Mandos [%(process)d]: %(levelname)s:'
123
logger.addHandler(syslogger)
126
console = logging.StreamHandler()
127
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
131
logger.addHandler(console)
132
logger.setLevel(level)
135
class PGPError(Exception):
136
"""Exception if encryption/decryption fails"""
140
class PGPEngine(object):
141
"""A simple class for OpenPGP symmetric encryption & decryption"""
143
self.gnupg = GnuPGInterface.GnuPG()
144
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
145
self.gnupg = GnuPGInterface.GnuPG()
146
self.gnupg.options.meta_interactive = False
147
self.gnupg.options.homedir = self.tempdir
148
self.gnupg.options.extra_args.extend(['--force-mdc',
155
def __exit__(self, exc_type, exc_value, traceback):
163
if self.tempdir is not None:
164
# Delete contents of tempdir
165
for root, dirs, files in os.walk(self.tempdir,
167
for filename in files:
168
os.remove(os.path.join(root, filename))
170
os.rmdir(os.path.join(root, dirname))
172
os.rmdir(self.tempdir)
175
def password_encode(self, password):
176
# Passphrase can not be empty and can not contain newlines or
177
# NUL bytes. So we prefix it and hex encode it.
178
return b"mandos" + binascii.hexlify(password)
180
def encrypt(self, data, password):
181
self.gnupg.passphrase = self.password_encode(password)
182
with open(os.devnull, "w") as devnull:
184
proc = self.gnupg.run(['--symmetric'],
185
create_fhs=['stdin', 'stdout'],
186
attach_fhs={'stderr': devnull})
187
with contextlib.closing(proc.handles['stdin']) as f:
189
with contextlib.closing(proc.handles['stdout']) as f:
190
ciphertext = f.read()
194
self.gnupg.passphrase = None
197
def decrypt(self, data, password):
198
self.gnupg.passphrase = self.password_encode(password)
199
with open(os.devnull, "w") as devnull:
201
proc = self.gnupg.run(['--decrypt'],
202
create_fhs=['stdin', 'stdout'],
203
attach_fhs={'stderr': devnull})
204
with contextlib.closing(proc.handles['stdin']) as f:
206
with contextlib.closing(proc.handles['stdout']) as f:
207
decrypted_plaintext = f.read()
211
self.gnupg.passphrase = None
212
return decrypted_plaintext
87
address = "/dev/log"))
88
syslogger.setFormatter(logging.Formatter
89
(u'Mandos [%(process)d]: %(levelname)s:'
91
logger.addHandler(syslogger)
93
console = logging.StreamHandler()
94
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
97
logger.addHandler(console)
215
99
class AvahiError(Exception):
216
100
def __init__(self, value, *args, **kwargs):
316
189
dbus.UInt16(self.port),
317
190
avahi.string_array_to_txt_array(self.TXT))
318
191
self.group.Commit()
320
192
def entry_group_state_changed(self, state, error):
321
193
"""Derived from the Avahi example code"""
322
logger.debug("Avahi entry group state change: %i", state)
194
logger.debug(u"Avahi state change: %i", state)
324
196
if state == avahi.ENTRY_GROUP_ESTABLISHED:
325
logger.debug("Zeroconf service established.")
197
logger.debug(u"Zeroconf service established.")
326
198
elif state == avahi.ENTRY_GROUP_COLLISION:
327
logger.info("Zeroconf service name collision.")
199
logger.warning(u"Zeroconf service name collision.")
329
201
elif state == avahi.ENTRY_GROUP_FAILURE:
330
logger.critical("Avahi: Error in group state changed %s",
202
logger.critical(u"Avahi: Error in group state changed %s",
332
raise AvahiGroupError("State changed: {0!s}"
204
raise AvahiGroupError(u"State changed: %s"
335
206
def cleanup(self):
336
207
"""Derived from the Avahi example code"""
337
208
if self.group is not None:
340
except (dbus.exceptions.UnknownMethodException,
341
dbus.exceptions.DBusException):
343
210
self.group = None
346
def server_state_changed(self, state, error=None):
211
def server_state_changed(self, state):
347
212
"""Derived from the Avahi example code"""
348
logger.debug("Avahi server state change: %i", state)
349
bad_states = { avahi.SERVER_INVALID:
350
"Zeroconf server invalid",
351
avahi.SERVER_REGISTERING: None,
352
avahi.SERVER_COLLISION:
353
"Zeroconf server name collision",
354
avahi.SERVER_FAILURE:
355
"Zeroconf server failure" }
356
if state in bad_states:
357
if bad_states[state] is not None:
359
logger.error(bad_states[state])
361
logger.error(bad_states[state] + ": %r", error)
213
if state == avahi.SERVER_COLLISION:
214
logger.error(u"Zeroconf server name collision")
363
216
elif state == avahi.SERVER_RUNNING:
367
logger.debug("Unknown state: %r", state)
369
logger.debug("Unknown state: %r: %r", state, error)
371
218
def activate(self):
372
219
"""Derived from the Avahi example code"""
373
220
if self.server is None:
374
221
self.server = dbus.Interface(
375
222
self.bus.get_object(avahi.DBUS_NAME,
376
avahi.DBUS_PATH_SERVER,
377
follow_name_owner_changes=True),
223
avahi.DBUS_PATH_SERVER),
378
224
avahi.DBUS_INTERFACE_SERVER)
379
self.server.connect_to_signal("StateChanged",
225
self.server.connect_to_signal(u"StateChanged",
380
226
self.server_state_changed)
381
227
self.server_state_changed(self.server.GetState())
384
class AvahiServiceToSyslog(AvahiService):
386
"""Add the new name to the syslog messages"""
387
ret = AvahiService.rename(self)
388
syslogger.setFormatter(logging.Formatter
389
('Mandos ({0}) [%(process)d]:'
390
' %(levelname)s: %(message)s'
395
def timedelta_to_milliseconds(td):
396
"Convert a datetime.timedelta() to milliseconds"
397
return ((td.days * 24 * 60 * 60 * 1000)
398
+ (td.seconds * 1000)
399
+ (td.microseconds // 1000))
402
230
class Client(object):
403
231
"""A representation of a client host served by this server.
406
approved: bool(); 'None' if not yet approved/disapproved
407
approval_delay: datetime.timedelta(); Time to wait for approval
408
approval_duration: datetime.timedelta(); Duration of one approval
234
name: string; from the config file, used in log messages and
236
fingerprint: string (40 or 32 hexadecimal digits); used to
237
uniquely identify the client
238
secret: bytestring; sent verbatim (over TLS) to client
239
host: string; available for use by the checker command
240
created: datetime.datetime(); (UTC) object creation
241
last_enabled: datetime.datetime(); (UTC)
243
last_checked_ok: datetime.datetime(); (UTC) or None
244
timeout: datetime.timedelta(); How long from last_checked_ok
245
until this client is invalid
246
interval: datetime.timedelta(); How often to start a new checker
247
disable_hook: If set, called by disable() as disable_hook(self)
409
248
checker: subprocess.Popen(); a running checker process used
410
249
to see if the client lives.
411
250
'None' if no process is running.
412
checker_callback_tag: a gobject event source tag, or None
413
checker_command: string; External command which is run to check
414
if client lives. %() expansions are done at
251
checker_initiator_tag: a gobject event source tag, or None
252
disable_initiator_tag: - '' -
253
checker_callback_tag: - '' -
254
checker_command: string; External command which is run to check if
255
client lives. %() expansions are done at
415
256
runtime with vars(self) as dict, so that for
416
257
instance %(name)s can be used in the command.
417
checker_initiator_tag: a gobject event source tag, or None
418
created: datetime.datetime(); (UTC) object creation
419
client_structure: Object describing what attributes a client has
420
and is used for storing the client at exit
421
258
current_checker_command: string; current running checker_command
422
disable_initiator_tag: a gobject event source tag, or None
424
fingerprint: string (40 or 32 hexadecimal digits); used to
425
uniquely identify the client
426
host: string; available for use by the checker command
427
interval: datetime.timedelta(); How often to start a new checker
428
last_approval_request: datetime.datetime(); (UTC) or None
429
last_checked_ok: datetime.datetime(); (UTC) or None
430
last_checker_status: integer between 0 and 255 reflecting exit
431
status of last checker. -1 reflects crashed
432
checker, -2 means no checker completed yet.
433
last_enabled: datetime.datetime(); (UTC) or None
434
name: string; from the config file, used in log messages and
436
secret: bytestring; sent verbatim (over TLS) to client
437
timeout: datetime.timedelta(); How long from last_checked_ok
438
until this client is disabled
439
extended_timeout: extra long timeout when secret has been sent
440
runtime_expansions: Allowed attributes for runtime expansion.
441
expires: datetime.datetime(); time (UTC) when a client will be
445
runtime_expansions = ("approval_delay", "approval_duration",
446
"created", "enabled", "expires",
447
"fingerprint", "host", "interval",
448
"last_approval_request", "last_checked_ok",
449
"last_enabled", "name", "timeout")
450
client_defaults = { "timeout": "PT5M",
451
"extended_timeout": "PT15M",
453
"checker": "fping -q -- %%(host)s",
455
"approval_delay": "PT0S",
456
"approval_duration": "PT1S",
457
"approved_by_default": "True",
262
def _timedelta_to_milliseconds(td):
263
"Convert a datetime.timedelta() to milliseconds"
264
return ((td.days * 24 * 60 * 60 * 1000)
265
+ (td.seconds * 1000)
266
+ (td.microseconds // 1000))
461
268
def timeout_milliseconds(self):
462
269
"Return the 'timeout' attribute in milliseconds"
463
return timedelta_to_milliseconds(self.timeout)
465
def extended_timeout_milliseconds(self):
466
"Return the 'extended_timeout' attribute in milliseconds"
467
return timedelta_to_milliseconds(self.extended_timeout)
270
return self._timedelta_to_milliseconds(self.timeout)
469
272
def interval_milliseconds(self):
470
273
"Return the 'interval' attribute in milliseconds"
471
return timedelta_to_milliseconds(self.interval)
473
def approval_delay_milliseconds(self):
474
return timedelta_to_milliseconds(self.approval_delay)
477
def config_parser(config):
478
"""Construct a new dict of client settings of this form:
479
{ client_name: {setting_name: value, ...}, ...}
480
with exceptions for any special settings as defined above.
481
NOTE: Must be a pure function. Must return the same result
482
value given the same arguments.
485
for client_name in config.sections():
486
section = dict(config.items(client_name))
487
client = settings[client_name] = {}
489
client["host"] = section["host"]
490
# Reformat values from string types to Python types
491
client["approved_by_default"] = config.getboolean(
492
client_name, "approved_by_default")
493
client["enabled"] = config.getboolean(client_name,
496
client["fingerprint"] = (section["fingerprint"].upper()
498
if "secret" in section:
499
client["secret"] = section["secret"].decode("base64")
500
elif "secfile" in section:
501
with open(os.path.expanduser(os.path.expandvars
502
(section["secfile"])),
504
client["secret"] = secfile.read()
506
raise TypeError("No secret or secfile for section {0}"
508
client["timeout"] = string_to_delta(section["timeout"])
509
client["extended_timeout"] = string_to_delta(
510
section["extended_timeout"])
511
client["interval"] = string_to_delta(section["interval"])
512
client["approval_delay"] = string_to_delta(
513
section["approval_delay"])
514
client["approval_duration"] = string_to_delta(
515
section["approval_duration"])
516
client["checker_command"] = section["checker"]
517
client["last_approval_request"] = None
518
client["last_checked_ok"] = None
519
client["last_checker_status"] = -2
523
def __init__(self, settings, name = None):
274
return self._timedelta_to_milliseconds(self.interval)
276
def __init__(self, name = None, disable_hook=None, config=None):
277
"""Note: the 'checker' key in 'config' sets the
278
'checker_command' attribute and *not* the 'checker'
525
# adding all client settings
526
for setting, value in settings.iteritems():
527
setattr(self, setting, value)
530
if not hasattr(self, "last_enabled"):
531
self.last_enabled = datetime.datetime.utcnow()
532
if not hasattr(self, "expires"):
533
self.expires = (datetime.datetime.utcnow()
536
self.last_enabled = None
539
logger.debug("Creating client %r", self.name)
283
logger.debug(u"Creating client %r", self.name)
540
284
# Uppercase and remove spaces from fingerprint for later
541
285
# comparison purposes with return value from the fingerprint()
543
logger.debug(" Fingerprint: %s", self.fingerprint)
544
self.created = settings.get("created",
545
datetime.datetime.utcnow())
547
# attributes specific for this server instance
287
self.fingerprint = (config[u"fingerprint"].upper()
289
logger.debug(u" Fingerprint: %s", self.fingerprint)
290
if u"secret" in config:
291
self.secret = config[u"secret"].decode(u"base64")
292
elif u"secfile" in config:
293
with closing(open(os.path.expanduser
295
(config[u"secfile"])),
297
self.secret = secfile.read()
299
raise TypeError(u"No secret or secfile for client %s"
301
self.host = config.get(u"host", u"")
302
self.created = datetime.datetime.utcnow()
304
self.last_enabled = None
305
self.last_checked_ok = None
306
self.timeout = string_to_delta(config[u"timeout"])
307
self.interval = string_to_delta(config[u"interval"])
308
self.disable_hook = disable_hook
548
309
self.checker = None
549
310
self.checker_initiator_tag = None
550
311
self.disable_initiator_tag = None
551
312
self.checker_callback_tag = None
313
self.checker_command = config[u"checker"]
552
314
self.current_checker_command = None
554
self.approvals_pending = 0
555
self.changedstate = (multiprocessing_manager
556
.Condition(multiprocessing_manager
558
self.client_structure = [attr for attr in
559
self.__dict__.iterkeys()
560
if not attr.startswith("_")]
561
self.client_structure.append("client_structure")
563
for name, t in inspect.getmembers(type(self),
567
if not name.startswith("_"):
568
self.client_structure.append(name)
570
# Send notice to process children that client state has changed
571
def send_changedstate(self):
572
with self.changedstate:
573
self.changedstate.notify_all()
315
self.last_connect = None
575
317
def enable(self):
576
318
"""Start this client's checker and timeout hooks"""
577
if getattr(self, "enabled", False):
319
if getattr(self, u"enabled", False):
578
320
# Already enabled
580
self.expires = datetime.datetime.utcnow() + self.timeout
582
322
self.last_enabled = datetime.datetime.utcnow()
584
self.send_changedstate()
586
def disable(self, quiet=True):
587
"""Disable this client."""
588
if not getattr(self, "enabled", False):
591
logger.info("Disabling client %s", self.name)
592
if getattr(self, "disable_initiator_tag", None) is not None:
593
gobject.source_remove(self.disable_initiator_tag)
594
self.disable_initiator_tag = None
596
if getattr(self, "checker_initiator_tag", None) is not None:
597
gobject.source_remove(self.checker_initiator_tag)
598
self.checker_initiator_tag = None
602
self.send_changedstate()
603
# Do not run this again if called by a gobject.timeout_add
609
def init_checker(self):
610
323
# Schedule a new checker to be started an 'interval' from now,
611
324
# and every interval from then on.
612
if self.checker_initiator_tag is not None:
613
gobject.source_remove(self.checker_initiator_tag)
614
325
self.checker_initiator_tag = (gobject.timeout_add
615
326
(self.interval_milliseconds(),
616
327
self.start_checker))
617
328
# Schedule a disable() when 'timeout' has passed
618
if self.disable_initiator_tag is not None:
619
gobject.source_remove(self.disable_initiator_tag)
620
329
self.disable_initiator_tag = (gobject.timeout_add
621
330
(self.timeout_milliseconds(),
623
333
# Also start a new checker *right now*.
624
334
self.start_checker()
336
def disable(self, quiet=True):
337
"""Disable this client."""
338
if not getattr(self, "enabled", False):
341
logger.info(u"Disabling client %s", self.name)
342
if getattr(self, u"disable_initiator_tag", False):
343
gobject.source_remove(self.disable_initiator_tag)
344
self.disable_initiator_tag = None
345
if getattr(self, u"checker_initiator_tag", False):
346
gobject.source_remove(self.checker_initiator_tag)
347
self.checker_initiator_tag = None
349
if self.disable_hook:
350
self.disable_hook(self)
352
# Do not run this again if called by a gobject.timeout_add
356
self.disable_hook = None
626
359
def checker_callback(self, pid, condition, command):
627
360
"""The checker has completed, so take appropriate actions."""
628
361
self.checker_callback_tag = None
629
362
self.checker = None
630
363
if os.WIFEXITED(condition):
631
self.last_checker_status = os.WEXITSTATUS(condition)
632
if self.last_checker_status == 0:
633
logger.info("Checker for %(name)s succeeded",
364
exitstatus = os.WEXITSTATUS(condition)
366
logger.info(u"Checker for %(name)s succeeded",
635
368
self.checked_ok()
637
logger.info("Checker for %(name)s failed",
370
logger.info(u"Checker for %(name)s failed",
640
self.last_checker_status = -1
641
logger.warning("Checker for %(name)s crashed?",
373
logger.warning(u"Checker for %(name)s crashed?",
644
376
def checked_ok(self):
645
"""Assert that the client has been seen, alive and well."""
377
"""Bump up the timeout for this client.
379
This should only be called when the client has been seen,
646
382
self.last_checked_ok = datetime.datetime.utcnow()
647
self.last_checker_status = 0
650
def bump_timeout(self, timeout=None):
651
"""Bump up the timeout for this client."""
653
timeout = self.timeout
654
if self.disable_initiator_tag is not None:
655
gobject.source_remove(self.disable_initiator_tag)
656
self.disable_initiator_tag = None
657
if getattr(self, "enabled", False):
658
self.disable_initiator_tag = (gobject.timeout_add
659
(timedelta_to_milliseconds
660
(timeout), self.disable))
661
self.expires = datetime.datetime.utcnow() + timeout
663
def need_approval(self):
664
self.last_approval_request = datetime.datetime.utcnow()
383
gobject.source_remove(self.disable_initiator_tag)
384
self.disable_initiator_tag = (gobject.timeout_add
385
(self.timeout_milliseconds(),
666
388
def start_checker(self):
667
389
"""Start a new checker subprocess if one is not running.
845
534
class DBusObjectWithProperties(dbus.service.Object):
846
535
"""A D-Bus object with properties.
848
537
Classes inheriting from this can use the dbus_service_property
849
538
decorator to expose methods as D-Bus properties. It exposes the
850
539
standard Get(), Set(), and GetAll() methods on the D-Bus.
854
def _is_dbus_thing(thing):
855
"""Returns a function testing if an attribute is a D-Bus thing
857
If called like _is_dbus_thing("method") it returns a function
858
suitable for use as predicate to inspect.getmembers().
860
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
543
def _is_dbus_property(obj):
544
return getattr(obj, u"_dbus_is_property", False)
863
def _get_all_dbus_things(self, thing):
546
def _get_all_dbus_properties(self):
864
547
"""Returns a generator of (name, attribute) pairs
866
return ((getattr(athing.__get__(self), "_dbus_name",
868
athing.__get__(self))
869
for cls in self.__class__.__mro__
871
inspect.getmembers(cls,
872
self._is_dbus_thing(thing)))
549
return ((prop._dbus_name, prop)
551
inspect.getmembers(self, self._is_dbus_property))
874
553
def _get_dbus_property(self, interface_name, property_name):
875
554
"""Returns a bound method if one exists which is a D-Bus
876
555
property with the specified name and interface.
878
for cls in self.__class__.__mro__:
879
for name, value in (inspect.getmembers
881
self._is_dbus_thing("property"))):
882
if (value._dbus_name == property_name
883
and value._dbus_interface == interface_name):
884
return value.__get__(self)
557
for name in (property_name,
558
property_name + u"_dbus_property"):
559
prop = getattr(self, name, None)
561
or not self._is_dbus_property(prop)
562
or prop._dbus_name != property_name
563
or (interface_name and prop._dbus_interface
564
and interface_name != prop._dbus_interface)):
886
567
# No such property
887
raise DBusPropertyNotFound(self.dbus_object_path + ":"
888
+ interface_name + "."
568
raise DBusPropertyNotFound(self.dbus_object_path + u":"
569
+ interface_name + u"."
891
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
572
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
893
574
def Get(self, interface_name, property_name):
894
575
"""Standard D-Bus property Get() method, see D-Bus standard.
896
577
prop = self._get_dbus_property(interface_name, property_name)
897
if prop._dbus_access == "write":
578
if prop._dbus_access == u"write":
898
579
raise DBusPropertyAccessException(property_name)
900
if not hasattr(value, "variant_level"):
581
if not hasattr(value, u"variant_level"):
902
583
return type(value)(value, variant_level=value.variant_level+1)
904
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
585
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
905
586
def Set(self, interface_name, property_name, value):
906
587
"""Standard D-Bus property Set() method, see D-Bus standard.
908
589
prop = self._get_dbus_property(interface_name, property_name)
909
if prop._dbus_access == "read":
590
if prop._dbus_access == u"read":
910
591
raise DBusPropertyAccessException(property_name)
911
if prop._dbus_get_args_options["byte_arrays"]:
912
# The byte_arrays option is not supported yet on
913
# signatures other than "ay".
914
if prop._dbus_signature != "ay":
916
value = dbus.ByteArray(b''.join(chr(byte)
592
if prop._dbus_get_args_options[u"byte_arrays"]:
593
value = dbus.ByteArray(''.join(unichr(byte)
920
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
921
out_signature="a{sv}")
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
598
out_signature=u"a{sv}")
922
599
def GetAll(self, interface_name):
923
600
"""Standard D-Bus property GetAll() method, see D-Bus
926
603
Note: Will not include properties with access="write".
929
for name, prop in self._get_all_dbus_things("property"):
606
for name, prop in self._get_all_dbus_properties():
930
607
if (interface_name
931
608
and interface_name != prop._dbus_interface):
932
609
# Interface non-empty but did not match
934
611
# Ignore write-only properties
935
if prop._dbus_access == "write":
612
if prop._dbus_access == u"write":
938
if not hasattr(value, "variant_level"):
939
properties[name] = value
615
if not hasattr(value, u"variant_level"):
941
properties[name] = type(value)(value, variant_level=
942
value.variant_level+1)
943
return dbus.Dictionary(properties, signature="sv")
618
all[name] = type(value)(value, variant_level=
619
value.variant_level+1)
620
return dbus.Dictionary(all, signature=u"sv")
945
622
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
947
624
path_keyword='object_path',
948
625
connection_keyword='connection')
949
626
def Introspect(self, object_path, connection):
950
"""Overloading of standard D-Bus method.
952
Inserts property tags and interface annotation tags.
627
"""Standard D-Bus method, overloaded to insert property tags.
954
629
xmlstring = dbus.service.Object.Introspect(self, object_path,
957
632
document = xml.dom.minidom.parseString(xmlstring)
958
633
def make_tag(document, name, prop):
959
e = document.createElement("property")
960
e.setAttribute("name", name)
961
e.setAttribute("type", prop._dbus_signature)
962
e.setAttribute("access", prop._dbus_access)
634
e = document.createElement(u"property")
635
e.setAttribute(u"name", name)
636
e.setAttribute(u"type", prop._dbus_signature)
637
e.setAttribute(u"access", prop._dbus_access)
964
for if_tag in document.getElementsByTagName("interface"):
639
for if_tag in document.getElementsByTagName(u"interface"):
966
640
for tag in (make_tag(document, name, prop)
968
in self._get_all_dbus_things("property")
642
in self._get_all_dbus_properties()
969
643
if prop._dbus_interface
970
== if_tag.getAttribute("name")):
644
== if_tag.getAttribute(u"name")):
971
645
if_tag.appendChild(tag)
972
# Add annotation tags
973
for typ in ("method", "signal", "property"):
974
for tag in if_tag.getElementsByTagName(typ):
976
for name, prop in (self.
977
_get_all_dbus_things(typ)):
978
if (name == tag.getAttribute("name")
979
and prop._dbus_interface
980
== if_tag.getAttribute("name")):
981
annots.update(getattr
985
for name, value in annots.iteritems():
986
ann_tag = document.createElement(
988
ann_tag.setAttribute("name", name)
989
ann_tag.setAttribute("value", value)
990
tag.appendChild(ann_tag)
991
# Add interface annotation tags
992
for annotation, value in dict(
993
itertools.chain.from_iterable(
994
annotations().iteritems()
995
for name, annotations in
996
self._get_all_dbus_things("interface")
997
if name == if_tag.getAttribute("name")
999
ann_tag = document.createElement("annotation")
1000
ann_tag.setAttribute("name", annotation)
1001
ann_tag.setAttribute("value", value)
1002
if_tag.appendChild(ann_tag)
1003
646
# Add the names to the return values for the
1004
647
# "org.freedesktop.DBus.Properties" methods
1005
if (if_tag.getAttribute("name")
1006
== "org.freedesktop.DBus.Properties"):
1007
for cn in if_tag.getElementsByTagName("method"):
1008
if cn.getAttribute("name") == "Get":
1009
for arg in cn.getElementsByTagName("arg"):
1010
if (arg.getAttribute("direction")
1012
arg.setAttribute("name", "value")
1013
elif cn.getAttribute("name") == "GetAll":
1014
for arg in cn.getElementsByTagName("arg"):
1015
if (arg.getAttribute("direction")
1017
arg.setAttribute("name", "props")
1018
xmlstring = document.toxml("utf-8")
648
if (if_tag.getAttribute(u"name")
649
== u"org.freedesktop.DBus.Properties"):
650
for cn in if_tag.getElementsByTagName(u"method"):
651
if cn.getAttribute(u"name") == u"Get":
652
for arg in cn.getElementsByTagName(u"arg"):
653
if (arg.getAttribute(u"direction")
655
arg.setAttribute(u"name", u"value")
656
elif cn.getAttribute(u"name") == u"GetAll":
657
for arg in cn.getElementsByTagName(u"arg"):
658
if (arg.getAttribute(u"direction")
660
arg.setAttribute(u"name", u"props")
661
xmlstring = document.toxml(u"utf-8")
1019
662
document.unlink()
1020
663
except (AttributeError, xml.dom.DOMException,
1021
xml.parsers.expat.ExpatError) as error:
1022
logger.error("Failed to override Introspection method",
664
xml.parsers.expat.ExpatError), error:
665
logger.error(u"Failed to override Introspection method",
1024
667
return xmlstring
1027
def datetime_to_dbus(dt, variant_level=0):
1028
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1030
return dbus.String("", variant_level = variant_level)
1031
return dbus.String(dt.isoformat(),
1032
variant_level=variant_level)
1035
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1036
"""A class decorator; applied to a subclass of
1037
dbus.service.Object, it will add alternate D-Bus attributes with
1038
interface names according to the "alt_interface_names" mapping.
1041
@alternate_dbus_interfaces({"org.example.Interface":
1042
"net.example.AlternateInterface"})
1043
class SampleDBusObject(dbus.service.Object):
1044
@dbus.service.method("org.example.Interface")
1045
def SampleDBusMethod():
1048
The above "SampleDBusMethod" on "SampleDBusObject" will be
1049
reachable via two interfaces: "org.example.Interface" and
1050
"net.example.AlternateInterface", the latter of which will have
1051
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1052
"true", unless "deprecate" is passed with a False value.
1054
This works for methods and signals, and also for D-Bus properties
1055
(from DBusObjectWithProperties) and interfaces (from the
1056
dbus_interface_annotations decorator).
1059
for orig_interface_name, alt_interface_name in (
1060
alt_interface_names.iteritems()):
1062
interface_names = set()
1063
# Go though all attributes of the class
1064
for attrname, attribute in inspect.getmembers(cls):
1065
# Ignore non-D-Bus attributes, and D-Bus attributes
1066
# with the wrong interface name
1067
if (not hasattr(attribute, "_dbus_interface")
1068
or not attribute._dbus_interface
1069
.startswith(orig_interface_name)):
1071
# Create an alternate D-Bus interface name based on
1073
alt_interface = (attribute._dbus_interface
1074
.replace(orig_interface_name,
1075
alt_interface_name))
1076
interface_names.add(alt_interface)
1077
# Is this a D-Bus signal?
1078
if getattr(attribute, "_dbus_is_signal", False):
1079
# Extract the original non-method function by
1081
nonmethod_func = (dict(
1082
zip(attribute.func_code.co_freevars,
1083
attribute.__closure__))["func"]
1085
# Create a new, but exactly alike, function
1086
# object, and decorate it to be a new D-Bus signal
1087
# with the alternate D-Bus interface name
1088
new_function = (dbus.service.signal
1090
attribute._dbus_signature)
1091
(types.FunctionType(
1092
nonmethod_func.func_code,
1093
nonmethod_func.func_globals,
1094
nonmethod_func.func_name,
1095
nonmethod_func.func_defaults,
1096
nonmethod_func.func_closure)))
1097
# Copy annotations, if any
1099
new_function._dbus_annotations = (
1100
dict(attribute._dbus_annotations))
1101
except AttributeError:
1103
# Define a creator of a function to call both the
1104
# original and alternate functions, so both the
1105
# original and alternate signals gets sent when
1106
# the function is called
1107
def fixscope(func1, func2):
1108
"""This function is a scope container to pass
1109
func1 and func2 to the "call_both" function
1110
outside of its arguments"""
1111
def call_both(*args, **kwargs):
1112
"""This function will emit two D-Bus
1113
signals by calling func1 and func2"""
1114
func1(*args, **kwargs)
1115
func2(*args, **kwargs)
1117
# Create the "call_both" function and add it to
1119
attr[attrname] = fixscope(attribute, new_function)
1120
# Is this a D-Bus method?
1121
elif getattr(attribute, "_dbus_is_method", False):
1122
# Create a new, but exactly alike, function
1123
# object. Decorate it to be a new D-Bus method
1124
# with the alternate D-Bus interface name. Add it
1126
attr[attrname] = (dbus.service.method
1128
attribute._dbus_in_signature,
1129
attribute._dbus_out_signature)
1131
(attribute.func_code,
1132
attribute.func_globals,
1133
attribute.func_name,
1134
attribute.func_defaults,
1135
attribute.func_closure)))
1136
# Copy annotations, if any
1138
attr[attrname]._dbus_annotations = (
1139
dict(attribute._dbus_annotations))
1140
except AttributeError:
1142
# Is this a D-Bus property?
1143
elif getattr(attribute, "_dbus_is_property", False):
1144
# Create a new, but exactly alike, function
1145
# object, and decorate it to be a new D-Bus
1146
# property with the alternate D-Bus interface
1147
# name. Add it to the class.
1148
attr[attrname] = (dbus_service_property
1150
attribute._dbus_signature,
1151
attribute._dbus_access,
1153
._dbus_get_args_options
1156
(attribute.func_code,
1157
attribute.func_globals,
1158
attribute.func_name,
1159
attribute.func_defaults,
1160
attribute.func_closure)))
1161
# Copy annotations, if any
1163
attr[attrname]._dbus_annotations = (
1164
dict(attribute._dbus_annotations))
1165
except AttributeError:
1167
# Is this a D-Bus interface?
1168
elif getattr(attribute, "_dbus_is_interface", False):
1169
# Create a new, but exactly alike, function
1170
# object. Decorate it to be a new D-Bus interface
1171
# with the alternate D-Bus interface name. Add it
1173
attr[attrname] = (dbus_interface_annotations
1176
(attribute.func_code,
1177
attribute.func_globals,
1178
attribute.func_name,
1179
attribute.func_defaults,
1180
attribute.func_closure)))
1182
# Deprecate all alternate interfaces
1183
iname="_AlternateDBusNames_interface_annotation{0}"
1184
for interface_name in interface_names:
1185
@dbus_interface_annotations(interface_name)
1187
return { "org.freedesktop.DBus.Deprecated":
1189
# Find an unused name
1190
for aname in (iname.format(i)
1191
for i in itertools.count()):
1192
if aname not in attr:
1196
# Replace the class with a new subclass of it with
1197
# methods, signals, etc. as created above.
1198
cls = type(b"{0}Alternate".format(cls.__name__),
1204
@alternate_dbus_interfaces({"se.recompile.Mandos":
1205
"se.bsnet.fukt.Mandos"})
1206
670
class ClientDBus(Client, DBusObjectWithProperties):
1207
671
"""A Client class using D-Bus
1221
681
Client.__init__(self, *args, **kwargs)
1222
682
# Only now, when this client is initialized, can it show up on
1224
client_object_name = unicode(self.name).translate(
1225
{ord("."): ord("_"),
1226
ord("-"): ord("_")})
1227
684
self.dbus_object_path = (dbus.ObjectPath
1228
("/clients/" + client_object_name))
686
+ self.name.replace(u".", u"_")))
1229
687
DBusObjectWithProperties.__init__(self, self.bus,
1230
688
self.dbus_object_path)
1232
def notifychangeproperty(transform_func,
1233
dbus_name, type_func=lambda x: x,
1235
""" Modify a variable so that it's a property which announces
1236
its changes to DBus.
1238
transform_fun: Function that takes a value and a variant_level
1239
and transforms it to a D-Bus type.
1240
dbus_name: D-Bus name of the variable
1241
type_func: Function that transform the value before sending it
1242
to the D-Bus. Default: no transform
1243
variant_level: D-Bus variant level. Default: 1
1245
attrname = "_{0}".format(dbus_name)
1246
def setter(self, value):
1247
if hasattr(self, "dbus_object_path"):
1248
if (not hasattr(self, attrname) or
1249
type_func(getattr(self, attrname, None))
1250
!= type_func(value)):
1251
dbus_value = transform_func(type_func(value),
1254
self.PropertyChanged(dbus.String(dbus_name),
1256
setattr(self, attrname, value)
1258
return property(lambda self: getattr(self, attrname), setter)
1260
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1261
approvals_pending = notifychangeproperty(dbus.Boolean,
1264
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1265
last_enabled = notifychangeproperty(datetime_to_dbus,
1267
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1268
type_func = lambda checker:
1269
checker is not None)
1270
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1272
last_checker_status = notifychangeproperty(dbus.Int16,
1273
"LastCheckerStatus")
1274
last_approval_request = notifychangeproperty(
1275
datetime_to_dbus, "LastApprovalRequest")
1276
approved_by_default = notifychangeproperty(dbus.Boolean,
1277
"ApprovedByDefault")
1278
approval_delay = notifychangeproperty(dbus.UInt64,
1281
timedelta_to_milliseconds)
1282
approval_duration = notifychangeproperty(
1283
dbus.UInt64, "ApprovalDuration",
1284
type_func = timedelta_to_milliseconds)
1285
host = notifychangeproperty(dbus.String, "Host")
1286
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1288
timedelta_to_milliseconds)
1289
extended_timeout = notifychangeproperty(
1290
dbus.UInt64, "ExtendedTimeout",
1291
type_func = timedelta_to_milliseconds)
1292
interval = notifychangeproperty(dbus.UInt64,
1295
timedelta_to_milliseconds)
1296
checker_command = notifychangeproperty(dbus.String, "Checker")
1298
del notifychangeproperty
691
def _datetime_to_dbus(dt, variant_level=0):
692
"""Convert a UTC datetime.datetime() to a D-Bus type."""
693
return dbus.String(dt.isoformat(),
694
variant_level=variant_level)
697
oldstate = getattr(self, u"enabled", False)
698
r = Client.enable(self)
699
if oldstate != self.enabled:
701
self.PropertyChanged(dbus.String(u"enabled"),
702
dbus.Boolean(True, variant_level=1))
703
self.PropertyChanged(
704
dbus.String(u"last_enabled"),
705
self._datetime_to_dbus(self.last_enabled,
709
def disable(self, quiet = False):
710
oldstate = getattr(self, u"enabled", False)
711
r = Client.disable(self, quiet=quiet)
712
if not quiet and oldstate != self.enabled:
714
self.PropertyChanged(dbus.String(u"enabled"),
715
dbus.Boolean(False, variant_level=1))
1300
718
def __del__(self, *args, **kwargs):
1302
720
self.remove_from_connection()
1303
721
except LookupError:
1305
if hasattr(DBusObjectWithProperties, "__del__"):
723
if hasattr(DBusObjectWithProperties, u"__del__"):
1306
724
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1307
725
Client.__del__(self, *args, **kwargs)
1436
842
def StopChecker(self):
1437
843
self.stop_checker()
1441
# ApprovalPending - property
1442
@dbus_service_property(_interface, signature="b", access="read")
1443
def ApprovalPending_dbus_property(self):
1444
return dbus.Boolean(bool(self.approvals_pending))
1446
# ApprovedByDefault - property
1447
@dbus_service_property(_interface, signature="b",
1449
def ApprovedByDefault_dbus_property(self, value=None):
1450
if value is None: # get
1451
return dbus.Boolean(self.approved_by_default)
1452
self.approved_by_default = bool(value)
1454
# ApprovalDelay - property
1455
@dbus_service_property(_interface, signature="t",
1457
def ApprovalDelay_dbus_property(self, value=None):
1458
if value is None: # get
1459
return dbus.UInt64(self.approval_delay_milliseconds())
1460
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1462
# ApprovalDuration - property
1463
@dbus_service_property(_interface, signature="t",
1465
def ApprovalDuration_dbus_property(self, value=None):
1466
if value is None: # get
1467
return dbus.UInt64(timedelta_to_milliseconds(
1468
self.approval_duration))
1469
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1472
@dbus_service_property(_interface, signature="s", access="read")
1473
def Name_dbus_property(self):
846
@dbus_service_property(_interface, signature=u"s", access=u"read")
847
def name_dbus_property(self):
1474
848
return dbus.String(self.name)
1476
# Fingerprint - property
1477
@dbus_service_property(_interface, signature="s", access="read")
1478
def Fingerprint_dbus_property(self):
850
# fingerprint - property
851
@dbus_service_property(_interface, signature=u"s", access=u"read")
852
def fingerprint_dbus_property(self):
1479
853
return dbus.String(self.fingerprint)
1482
@dbus_service_property(_interface, signature="s",
1484
def Host_dbus_property(self, value=None):
856
@dbus_service_property(_interface, signature=u"s",
858
def host_dbus_property(self, value=None):
1485
859
if value is None: # get
1486
860
return dbus.String(self.host)
1487
self.host = unicode(value)
1489
# Created - property
1490
@dbus_service_property(_interface, signature="s", access="read")
1491
def Created_dbus_property(self):
1492
return datetime_to_dbus(self.created)
1494
# LastEnabled - property
1495
@dbus_service_property(_interface, signature="s", access="read")
1496
def LastEnabled_dbus_property(self):
1497
return datetime_to_dbus(self.last_enabled)
1499
# Enabled - property
1500
@dbus_service_property(_interface, signature="b",
1502
def Enabled_dbus_property(self, value=None):
863
self.PropertyChanged(dbus.String(u"host"),
864
dbus.String(value, variant_level=1))
867
@dbus_service_property(_interface, signature=u"s", access=u"read")
868
def created_dbus_property(self):
869
return dbus.String(self._datetime_to_dbus(self.created))
871
# last_enabled - property
872
@dbus_service_property(_interface, signature=u"s", access=u"read")
873
def last_enabled_dbus_property(self):
874
if self.last_enabled is None:
875
return dbus.String(u"")
876
return dbus.String(self._datetime_to_dbus(self.last_enabled))
879
@dbus_service_property(_interface, signature=u"b",
881
def enabled_dbus_property(self, value=None):
1503
882
if value is None: # get
1504
883
return dbus.Boolean(self.enabled)
1510
# LastCheckedOK - property
1511
@dbus_service_property(_interface, signature="s",
1513
def LastCheckedOK_dbus_property(self, value=None):
889
# last_checked_ok - property
890
@dbus_service_property(_interface, signature=u"s",
892
def last_checked_ok_dbus_property(self, value=None):
1514
893
if value is not None:
1515
894
self.checked_ok()
1517
return datetime_to_dbus(self.last_checked_ok)
1519
# LastCheckerStatus - property
1520
@dbus_service_property(_interface, signature="n",
1522
def LastCheckerStatus_dbus_property(self):
1523
return dbus.Int16(self.last_checker_status)
1525
# Expires - property
1526
@dbus_service_property(_interface, signature="s", access="read")
1527
def Expires_dbus_property(self):
1528
return datetime_to_dbus(self.expires)
1530
# LastApprovalRequest - property
1531
@dbus_service_property(_interface, signature="s", access="read")
1532
def LastApprovalRequest_dbus_property(self):
1533
return datetime_to_dbus(self.last_approval_request)
1535
# Timeout - property
1536
@dbus_service_property(_interface, signature="t",
1538
def Timeout_dbus_property(self, value=None):
896
if self.last_checked_ok is None:
897
return dbus.String(u"")
898
return dbus.String(self._datetime_to_dbus(self
902
@dbus_service_property(_interface, signature=u"t",
904
def timeout_dbus_property(self, value=None):
1539
905
if value is None: # get
1540
906
return dbus.UInt64(self.timeout_milliseconds())
1541
old_timeout = self.timeout
1542
907
self.timeout = datetime.timedelta(0, 0, 0, value)
1543
# Reschedule disabling
1545
now = datetime.datetime.utcnow()
1546
self.expires += self.timeout - old_timeout
1547
if self.expires <= now:
1548
# The timeout has passed
1551
if (getattr(self, "disable_initiator_tag", None)
1554
gobject.source_remove(self.disable_initiator_tag)
1555
self.disable_initiator_tag = (
1556
gobject.timeout_add(
1557
timedelta_to_milliseconds(self.expires - now),
1560
# ExtendedTimeout - property
1561
@dbus_service_property(_interface, signature="t",
1563
def ExtendedTimeout_dbus_property(self, value=None):
1564
if value is None: # get
1565
return dbus.UInt64(self.extended_timeout_milliseconds())
1566
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1568
# Interval - property
1569
@dbus_service_property(_interface, signature="t",
1571
def Interval_dbus_property(self, value=None):
909
self.PropertyChanged(dbus.String(u"timeout"),
910
dbus.UInt64(value, variant_level=1))
911
if getattr(self, u"disable_initiator_tag", None) is None:
914
gobject.source_remove(self.disable_initiator_tag)
915
self.disable_initiator_tag = None
917
_timedelta_to_milliseconds((self
923
# The timeout has passed
926
self.disable_initiator_tag = (gobject.timeout_add
927
(time_to_die, self.disable))
929
# interval - property
930
@dbus_service_property(_interface, signature=u"t",
932
def interval_dbus_property(self, value=None):
1572
933
if value is None: # get
1573
934
return dbus.UInt64(self.interval_milliseconds())
1574
935
self.interval = datetime.timedelta(0, 0, 0, value)
1575
if getattr(self, "checker_initiator_tag", None) is None:
937
self.PropertyChanged(dbus.String(u"interval"),
938
dbus.UInt64(value, variant_level=1))
939
if getattr(self, u"checker_initiator_tag", None) is None:
1578
# Reschedule checker run
1579
gobject.source_remove(self.checker_initiator_tag)
1580
self.checker_initiator_tag = (gobject.timeout_add
1581
(value, self.start_checker))
1582
self.start_checker() # Start one now, too
1584
# Checker - property
1585
@dbus_service_property(_interface, signature="s",
1587
def Checker_dbus_property(self, value=None):
941
# Reschedule checker run
942
gobject.source_remove(self.checker_initiator_tag)
943
self.checker_initiator_tag = (gobject.timeout_add
944
(value, self.start_checker))
945
self.start_checker() # Start one now, too
948
@dbus_service_property(_interface, signature=u"s",
950
def checker_dbus_property(self, value=None):
1588
951
if value is None: # get
1589
952
return dbus.String(self.checker_command)
1590
self.checker_command = unicode(value)
953
self.checker_command = value
955
self.PropertyChanged(dbus.String(u"checker"),
956
dbus.String(self.checker_command,
1592
# CheckerRunning - property
1593
@dbus_service_property(_interface, signature="b",
1595
def CheckerRunning_dbus_property(self, value=None):
959
# checker_running - property
960
@dbus_service_property(_interface, signature=u"b",
962
def checker_running_dbus_property(self, value=None):
1596
963
if value is None: # get
1597
964
return dbus.Boolean(self.checker is not None)
1647
988
Note: This will run in its own forked process."""
1649
990
def handle(self):
1650
with contextlib.closing(self.server.child_pipe) as child_pipe:
1651
logger.info("TCP connection from: %s",
1652
unicode(self.client_address))
1653
logger.debug("Pipe FD: %d",
1654
self.server.child_pipe.fileno())
991
logger.info(u"TCP connection from: %s",
992
unicode(self.client_address))
993
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
994
# Open IPC pipe to parent process
995
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1656
996
session = (gnutls.connection
1657
997
.ClientSession(self.request,
1658
998
gnutls.connection
1659
999
.X509Credentials()))
1001
line = self.request.makefile().readline()
1002
logger.debug(u"Protocol version: %r", line)
1004
if int(line.strip().split()[0]) > 1:
1006
except (ValueError, IndexError, RuntimeError), error:
1007
logger.error(u"Unknown protocol version: %s", error)
1661
1010
# Note: gnutls.connection.X509Credentials is really a
1662
1011
# generic GnuTLS certificate credentials object so long as
1663
1012
# no X.509 keys are added to it. Therefore, we can use it
1664
1013
# here despite using OpenPGP certificates.
1666
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1667
# "+AES-256-CBC", "+SHA1",
1668
# "+COMP-NULL", "+CTYPE-OPENPGP",
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1016
# u"+AES-256-CBC", u"+SHA1",
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1670
1019
# Use a fallback default, since this MUST be set.
1671
1020
priority = self.server.gnutls_priority
1672
1021
if priority is None:
1022
priority = u"NORMAL"
1674
1023
(gnutls.library.functions
1675
1024
.gnutls_priority_set_direct(session._c_object,
1676
1025
priority, None))
1678
# Start communication using the Mandos protocol
1679
# Get protocol number
1680
line = self.request.makefile().readline()
1681
logger.debug("Protocol version: %r", line)
1683
if int(line.strip().split()[0]) > 1:
1685
except (ValueError, IndexError, RuntimeError) as error:
1686
logger.error("Unknown protocol version: %s", error)
1689
# Start GnuTLS connection
1691
1028
session.handshake()
1692
except gnutls.errors.GNUTLSError as error:
1693
logger.warning("Handshake failed: %s", error)
1029
except gnutls.errors.GNUTLSError, error:
1030
logger.warning(u"Handshake failed: %s", error)
1694
1031
# Do not run session.bye() here: the session is not
1695
1032
# established. Just abandon the request.
1697
logger.debug("Handshake succeeded")
1699
approval_required = False
1034
logger.debug(u"Handshake succeeded")
1702
fpr = self.fingerprint(self.peer_certificate
1705
gnutls.errors.GNUTLSError) as error:
1706
logger.warning("Bad certificate: %s", error)
1708
logger.debug("Fingerprint: %s", fpr)
1711
client = ProxyClient(child_pipe, fpr,
1712
self.client_address)
1716
if client.approval_delay:
1717
delay = client.approval_delay
1718
client.approvals_pending += 1
1719
approval_required = True
1722
if not client.enabled:
1723
logger.info("Client %s is disabled",
1725
if self.server.use_dbus:
1727
client.Rejected("Disabled")
1730
if client.approved or not client.approval_delay:
1731
#We are approved or approval is disabled
1733
elif client.approved is None:
1734
logger.info("Client %s needs approval",
1736
if self.server.use_dbus:
1738
client.NeedApproval(
1739
client.approval_delay_milliseconds(),
1740
client.approved_by_default)
1742
logger.warning("Client %s was not approved",
1744
if self.server.use_dbus:
1746
client.Rejected("Denied")
1749
#wait until timeout or approved
1750
time = datetime.datetime.now()
1751
client.changedstate.acquire()
1752
client.changedstate.wait(
1753
float(timedelta_to_milliseconds(delay)
1755
client.changedstate.release()
1756
time2 = datetime.datetime.now()
1757
if (time2 - time) >= delay:
1758
if not client.approved_by_default:
1759
logger.warning("Client %s timed out while"
1760
" waiting for approval",
1762
if self.server.use_dbus:
1764
client.Rejected("Approval timed out")
1769
delay -= time2 - time
1772
while sent_size < len(client.secret):
1774
sent = session.send(client.secret[sent_size:])
1775
except gnutls.errors.GNUTLSError as error:
1776
logger.warning("gnutls send failed",
1779
logger.debug("Sent: %d, remaining: %d",
1780
sent, len(client.secret)
1781
- (sent_size + sent))
1784
logger.info("Sending secret to %s", client.name)
1785
# bump the timeout using extended_timeout
1786
client.bump_timeout(client.extended_timeout)
1787
if self.server.use_dbus:
1036
fpr = self.fingerprint(self.peer_certificate(session))
1037
except (TypeError, gnutls.errors.GNUTLSError), error:
1038
logger.warning(u"Bad certificate: %s", error)
1041
logger.debug(u"Fingerprint: %s", fpr)
1792
if approval_required:
1793
client.approvals_pending -= 1
1796
except gnutls.errors.GNUTLSError as error:
1797
logger.warning("GnuTLS bye failed",
1043
for c in self.server.clients:
1044
if c.fingerprint == fpr:
1048
ipc.write(u"NOTFOUND %s %s\n"
1049
% (fpr, unicode(self.client_address)))
1052
# Have to check if client.still_valid(), since it is
1053
# possible that the client timed out while establishing
1054
# the GnuTLS session.
1055
if not client.still_valid():
1056
ipc.write(u"INVALID %s\n" % client.name)
1059
ipc.write(u"SENDING %s\n" % client.name)
1061
while sent_size < len(client.secret):
1062
sent = session.send(client.secret[sent_size:])
1063
logger.debug(u"Sent: %d, remaining: %d",
1064
sent, len(client.secret)
1065
- (sent_size + sent))
1801
1070
def peer_certificate(session):
1907
1157
use_ipv6: Boolean; to use IPv6 or not
1909
1159
def __init__(self, server_address, RequestHandlerClass,
1910
interface=None, use_ipv6=True, socketfd=None):
1911
"""If socketfd is set, use that file descriptor instead of
1912
creating a new one with socket.socket().
1160
interface=None, use_ipv6=True):
1914
1161
self.interface = interface
1916
1163
self.address_family = socket.AF_INET6
1917
if socketfd is not None:
1918
# Save the file descriptor
1919
self.socketfd = socketfd
1920
# Save the original socket.socket() function
1921
self.socket_socket = socket.socket
1922
# To implement --socket, we monkey patch socket.socket.
1924
# (When socketserver.TCPServer is a new-style class, we
1925
# could make self.socket into a property instead of monkey
1926
# patching socket.socket.)
1928
# Create a one-time-only replacement for socket.socket()
1929
@functools.wraps(socket.socket)
1930
def socket_wrapper(*args, **kwargs):
1931
# Restore original function so subsequent calls are
1933
socket.socket = self.socket_socket
1934
del self.socket_socket
1935
# This time only, return a new socket object from the
1936
# saved file descriptor.
1937
return socket.fromfd(self.socketfd, *args, **kwargs)
1938
# Replace socket.socket() function with wrapper
1939
socket.socket = socket_wrapper
1940
# The socketserver.TCPServer.__init__ will call
1941
# socket.socket(), which might be our replacement,
1942
# socket_wrapper(), if socketfd was set.
1943
1164
socketserver.TCPServer.__init__(self, server_address,
1944
1165
RequestHandlerClass)
1946
1166
def server_bind(self):
1947
1167
"""This overrides the normal server_bind() function
1948
1168
to bind to an interface if one was specified, and also NOT to
1949
1169
bind to an address or port if they were not specified."""
1950
1170
if self.interface is not None:
1951
1171
if SO_BINDTODEVICE is None:
1952
logger.error("SO_BINDTODEVICE does not exist;"
1953
" cannot bind to interface %s",
1172
logger.error(u"SO_BINDTODEVICE does not exist;"
1173
u" cannot bind to interface %s",
1954
1174
self.interface)
1957
1177
self.socket.setsockopt(socket.SOL_SOCKET,
1958
1178
SO_BINDTODEVICE,
1959
str(self.interface + '\0'))
1960
except socket.error as error:
1961
if error.errno == errno.EPERM:
1962
logger.error("No permission to bind to"
1963
" interface %s", self.interface)
1964
elif error.errno == errno.ENOPROTOOPT:
1965
logger.error("SO_BINDTODEVICE not available;"
1966
" cannot bind to interface %s",
1968
elif error.errno == errno.ENODEV:
1969
logger.error("Interface %s does not exist,"
1970
" cannot bind", self.interface)
1181
except socket.error, error:
1182
if error[0] == errno.EPERM:
1183
logger.error(u"No permission to"
1184
u" bind to interface %s",
1186
elif error[0] == errno.ENOPROTOOPT:
1187
logger.error(u"SO_BINDTODEVICE not available;"
1188
u" cannot bind to interface %s",
1973
1192
# Only bind(2) the socket if we really need to.
1974
1193
if self.server_address[0] or self.server_address[1]:
1975
1194
if not self.server_address[0]:
1976
1195
if self.address_family == socket.AF_INET6:
1977
any_address = "::" # in6addr_any
1196
any_address = u"::" # in6addr_any
1979
1198
any_address = socket.INADDR_ANY
1980
1199
self.server_address = (any_address,
2004
1223
def __init__(self, server_address, RequestHandlerClass,
2005
1224
interface=None, use_ipv6=True, clients=None,
2006
gnutls_priority=None, use_dbus=True, socketfd=None):
1225
gnutls_priority=None, use_dbus=True):
2007
1226
self.enabled = False
2008
1227
self.clients = clients
2009
1228
if self.clients is None:
1229
self.clients = set()
2011
1230
self.use_dbus = use_dbus
2012
1231
self.gnutls_priority = gnutls_priority
2013
1232
IPv6_TCPServer.__init__(self, server_address,
2014
1233
RequestHandlerClass,
2015
1234
interface = interface,
2016
use_ipv6 = use_ipv6,
2017
socketfd = socketfd)
1235
use_ipv6 = use_ipv6)
2018
1236
def server_activate(self):
2019
1237
if self.enabled:
2020
1238
return socketserver.TCPServer.server_activate(self)
2022
1239
def enable(self):
2023
1240
self.enabled = True
2025
def add_pipe(self, parent_pipe, proc):
1241
def add_pipe(self, pipe):
2026
1242
# Call "handle_ipc" for both data and EOF events
2027
gobject.io_add_watch(parent_pipe.fileno(),
2028
gobject.IO_IN | gobject.IO_HUP,
2029
functools.partial(self.handle_ipc,
2034
def handle_ipc(self, source, condition, parent_pipe=None,
2035
proc = None, client_object=None):
2036
# error, or the other end of multiprocessing.Pipe has closed
2037
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2038
# Wait for other process to exit
2042
# Read a request from the child
2043
request = parent_pipe.recv()
2044
command = request[0]
2046
if command == 'init':
2048
address = request[2]
2050
for c in self.clients.itervalues():
2051
if c.fingerprint == fpr:
2055
logger.info("Client not found for fingerprint: %s, ad"
2056
"dress: %s", fpr, address)
2059
mandos_dbus_service.ClientNotFound(fpr,
2061
parent_pipe.send(False)
2064
gobject.io_add_watch(parent_pipe.fileno(),
2065
gobject.IO_IN | gobject.IO_HUP,
2066
functools.partial(self.handle_ipc,
2072
parent_pipe.send(True)
2073
# remove the old hook in favor of the new above hook on
2076
if command == 'funcall':
2077
funcname = request[1]
2081
parent_pipe.send(('data', getattr(client_object,
2085
if command == 'getattr':
2086
attrname = request[1]
2087
if callable(client_object.__getattribute__(attrname)):
2088
parent_pipe.send(('function',))
2090
parent_pipe.send(('data', client_object
2091
.__getattribute__(attrname)))
2093
if command == 'setattr':
2094
attrname = request[1]
2096
setattr(client_object, attrname, value)
1243
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1245
def handle_ipc(self, source, condition, file_objects={}):
1247
gobject.IO_IN: u"IN", # There is data to read.
1248
gobject.IO_OUT: u"OUT", # Data can be written (without
1250
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1251
gobject.IO_ERR: u"ERR", # Error condition.
1252
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1253
# broken, usually for pipes and
1256
conditions_string = ' | '.join(name
1258
condition_names.iteritems()
1259
if cond & condition)
1260
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1263
# Turn the pipe file descriptor into a Python file object
1264
if source not in file_objects:
1265
file_objects[source] = os.fdopen(source, u"r", 1)
1267
# Read a line from the file object
1268
cmdline = file_objects[source].readline()
1269
if not cmdline: # Empty line means end of file
1270
# close the IPC pipe
1271
file_objects[source].close()
1272
del file_objects[source]
1274
# Stop calling this function
1277
logger.debug(u"IPC command: %r", cmdline)
1279
# Parse and act on command
1280
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1282
if cmd == u"NOTFOUND":
1283
logger.warning(u"Client not found for fingerprint: %s",
1287
mandos_dbus_service.ClientNotFound(args)
1288
elif cmd == u"INVALID":
1289
for client in self.clients:
1290
if client.name == args:
1291
logger.warning(u"Client %s is invalid", args)
1297
logger.error(u"Unknown client %s is invalid", args)
1298
elif cmd == u"SENDING":
1299
for client in self.clients:
1300
if client.name == args:
1301
logger.info(u"Sending secret to %s", client.name)
1308
logger.error(u"Sending secret to unknown client %s",
1311
logger.error(u"Unknown IPC command: %r", cmdline)
1313
# Keep calling this function
2101
def rfc3339_duration_to_delta(duration):
2102
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2104
>>> rfc3339_duration_to_delta("P7D")
2105
datetime.timedelta(7)
2106
>>> rfc3339_duration_to_delta("PT60S")
2107
datetime.timedelta(0, 60)
2108
>>> rfc3339_duration_to_delta("PT60M")
2109
datetime.timedelta(0, 3600)
2110
>>> rfc3339_duration_to_delta("PT24H")
2111
datetime.timedelta(1)
2112
>>> rfc3339_duration_to_delta("P1W")
2113
datetime.timedelta(7)
2114
>>> rfc3339_duration_to_delta("PT5M30S")
2115
datetime.timedelta(0, 330)
2116
>>> rfc3339_duration_to_delta("P1DT3M20S")
2117
datetime.timedelta(1, 200)
2120
# Parsing an RFC 3339 duration with regular expressions is not
2121
# possible - there would have to be multiple places for the same
2122
# values, like seconds. The current code, while more esoteric, is
2123
# cleaner without depending on a parsing library. If Python had a
2124
# built-in library for parsing we would use it, but we'd like to
2125
# avoid excessive use of external libraries.
2127
# New type for defining tokens, syntax, and semantics all-in-one
2128
Token = collections.namedtuple("Token",
2129
("regexp", # To match token; if
2130
# "value" is not None,
2131
# must have a "group"
2133
"value", # datetime.timedelta or
2135
"followers")) # Tokens valid after
2137
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2138
# the "duration" ABNF definition in RFC 3339, Appendix A.
2139
token_end = Token(re.compile(r"$"), None, frozenset())
2140
token_second = Token(re.compile(r"(\d+)S"),
2141
datetime.timedelta(seconds=1),
2142
frozenset((token_end,)))
2143
token_minute = Token(re.compile(r"(\d+)M"),
2144
datetime.timedelta(minutes=1),
2145
frozenset((token_second, token_end)))
2146
token_hour = Token(re.compile(r"(\d+)H"),
2147
datetime.timedelta(hours=1),
2148
frozenset((token_minute, token_end)))
2149
token_time = Token(re.compile(r"T"),
2151
frozenset((token_hour, token_minute,
2153
token_day = Token(re.compile(r"(\d+)D"),
2154
datetime.timedelta(days=1),
2155
frozenset((token_time, token_end)))
2156
token_month = Token(re.compile(r"(\d+)M"),
2157
datetime.timedelta(weeks=4),
2158
frozenset((token_day, token_end)))
2159
token_year = Token(re.compile(r"(\d+)Y"),
2160
datetime.timedelta(weeks=52),
2161
frozenset((token_month, token_end)))
2162
token_week = Token(re.compile(r"(\d+)W"),
2163
datetime.timedelta(weeks=1),
2164
frozenset((token_end,)))
2165
token_duration = Token(re.compile(r"P"), None,
2166
frozenset((token_year, token_month,
2167
token_day, token_time,
2169
# Define starting values
2170
value = datetime.timedelta() # Value so far
2172
followers = frozenset(token_duration,) # Following valid tokens
2173
s = duration # String left to parse
2174
# Loop until end token is found
2175
while found_token is not token_end:
2176
# Search for any currently valid tokens
2177
for token in followers:
2178
match = token.regexp.match(s)
2179
if match is not None:
2181
if token.value is not None:
2182
# Value found, parse digits
2183
factor = int(match.group(1), 10)
2184
# Add to value so far
2185
value += factor * token.value
2186
# Strip token from string
2187
s = token.regexp.sub("", s, 1)
2190
# Set valid next tokens
2191
followers = found_token.followers
2194
# No currently valid tokens were found
2195
raise ValueError("Invalid RFC 3339 duration")
2200
1317
def string_to_delta(interval):
2201
1318
"""Parse a string and return a datetime.timedelta
2203
>>> string_to_delta('7d')
1320
>>> string_to_delta(u'7d')
2204
1321
datetime.timedelta(7)
2205
>>> string_to_delta('60s')
1322
>>> string_to_delta(u'60s')
2206
1323
datetime.timedelta(0, 60)
2207
>>> string_to_delta('60m')
1324
>>> string_to_delta(u'60m')
2208
1325
datetime.timedelta(0, 3600)
2209
>>> string_to_delta('24h')
1326
>>> string_to_delta(u'24h')
2210
1327
datetime.timedelta(1)
2211
>>> string_to_delta('1w')
1328
>>> string_to_delta(u'1w')
2212
1329
datetime.timedelta(7)
2213
>>> string_to_delta('5m 30s')
1330
>>> string_to_delta(u'5m 30s')
2214
1331
datetime.timedelta(0, 330)
2218
return rfc3339_duration_to_delta(interval)
2222
1333
timevalue = datetime.timedelta(0)
2223
1334
for s in interval.split():
2225
1336
suffix = unicode(s[-1])
2226
1337
value = int(s[:-1])
2228
1339
delta = datetime.timedelta(value)
1340
elif suffix == u"s":
2230
1341
delta = datetime.timedelta(0, value)
1342
elif suffix == u"m":
2232
1343
delta = datetime.timedelta(0, 0, 0, 0, value)
1344
elif suffix == u"h":
2234
1345
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1346
elif suffix == u"w":
2236
1347
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2238
raise ValueError("Unknown suffix {0!r}"
2240
except (ValueError, IndexError) as e:
2241
raise ValueError(*(e.args))
1349
raise ValueError(u"Unknown suffix %r" % suffix)
1350
except (ValueError, IndexError), e:
1351
raise ValueError(e.message)
2242
1352
timevalue += delta
2243
1353
return timevalue
1356
def if_nametoindex(interface):
1357
"""Call the C function if_nametoindex(), or equivalent
1359
Note: This function cannot accept a unicode string."""
1360
global if_nametoindex
1362
if_nametoindex = (ctypes.cdll.LoadLibrary
1363
(ctypes.util.find_library(u"c"))
1365
except (OSError, AttributeError):
1366
logger.warning(u"Doing if_nametoindex the hard way")
1367
def if_nametoindex(interface):
1368
"Get an interface index the hard way, i.e. using fcntl()"
1369
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1370
with closing(socket.socket()) as s:
1371
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1372
struct.pack(str(u"16s16x"),
1374
interface_index = struct.unpack(str(u"I"),
1376
return interface_index
1377
return if_nametoindex(interface)
2246
1380
def daemon(nochdir = False, noclose = False):
2247
1381
"""See daemon(3). Standard BSD Unix function.
2273
1407
##################################################################
2274
1408
# Parsing of options, both command line and config file
2276
parser = argparse.ArgumentParser()
2277
parser.add_argument("-v", "--version", action="version",
2278
version = "%(prog)s {0}".format(version),
2279
help="show version number and exit")
2280
parser.add_argument("-i", "--interface", metavar="IF",
2281
help="Bind to interface IF")
2282
parser.add_argument("-a", "--address",
2283
help="Address to listen for requests on")
2284
parser.add_argument("-p", "--port", type=int,
2285
help="Port number to receive requests on")
2286
parser.add_argument("--check", action="store_true",
2287
help="Run self-test")
2288
parser.add_argument("--debug", action="store_true",
2289
help="Debug mode; run in foreground and log"
2291
parser.add_argument("--debuglevel", metavar="LEVEL",
2292
help="Debug level for stdout output")
2293
parser.add_argument("--priority", help="GnuTLS"
2294
" priority string (see GnuTLS documentation)")
2295
parser.add_argument("--servicename",
2296
metavar="NAME", help="Zeroconf service name")
2297
parser.add_argument("--configdir",
2298
default="/etc/mandos", metavar="DIR",
2299
help="Directory to search for configuration"
2301
parser.add_argument("--no-dbus", action="store_false",
2302
dest="use_dbus", help="Do not provide D-Bus"
2303
" system bus interface")
2304
parser.add_argument("--no-ipv6", action="store_false",
2305
dest="use_ipv6", help="Do not use IPv6")
2306
parser.add_argument("--no-restore", action="store_false",
2307
dest="restore", help="Do not restore stored"
2309
parser.add_argument("--socket", type=int,
2310
help="Specify a file descriptor to a network"
2311
" socket to use instead of creating one")
2312
parser.add_argument("--statedir", metavar="DIR",
2313
help="Directory to save/restore state in")
2314
parser.add_argument("--foreground", action="store_true",
2315
help="Run in foreground")
2317
options = parser.parse_args()
1410
parser = optparse.OptionParser(version = "%%prog %s" % version)
1411
parser.add_option("-i", u"--interface", type=u"string",
1412
metavar="IF", help=u"Bind to interface IF")
1413
parser.add_option("-a", u"--address", type=u"string",
1414
help=u"Address to listen for requests on")
1415
parser.add_option("-p", u"--port", type=u"int",
1416
help=u"Port number to receive requests on")
1417
parser.add_option("--check", action=u"store_true",
1418
help=u"Run self-test")
1419
parser.add_option("--debug", action=u"store_true",
1420
help=u"Debug mode; run in foreground and log to"
1422
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1423
u" priority string (see GnuTLS documentation)")
1424
parser.add_option("--servicename", type=u"string",
1425
metavar=u"NAME", help=u"Zeroconf service name")
1426
parser.add_option("--configdir", type=u"string",
1427
default=u"/etc/mandos", metavar=u"DIR",
1428
help=u"Directory to search for configuration"
1430
parser.add_option("--no-dbus", action=u"store_false",
1431
dest=u"use_dbus", help=u"Do not provide D-Bus"
1432
u" system bus interface")
1433
parser.add_option("--no-ipv6", action=u"store_false",
1434
dest=u"use_ipv6", help=u"Do not use IPv6")
1435
options = parser.parse_args()[0]
2319
1437
if options.check:
2377
1480
for option in server_settings.keys():
2378
1481
if type(server_settings[option]) is str:
2379
1482
server_settings[option] = unicode(server_settings[option])
2380
# Debug implies foreground
2381
if server_settings["debug"]:
2382
server_settings["foreground"] = True
2383
1483
# Now we have our good server settings in "server_settings"
2385
1485
##################################################################
2387
1487
# For convenience
2388
debug = server_settings["debug"]
2389
debuglevel = server_settings["debuglevel"]
2390
use_dbus = server_settings["use_dbus"]
2391
use_ipv6 = server_settings["use_ipv6"]
2392
stored_state_path = os.path.join(server_settings["statedir"],
2394
foreground = server_settings["foreground"]
2397
initlogger(debug, logging.DEBUG)
2402
level = getattr(logging, debuglevel.upper())
2403
initlogger(debug, level)
2405
if server_settings["servicename"] != "Mandos":
1488
debug = server_settings[u"debug"]
1489
use_dbus = server_settings[u"use_dbus"]
1490
use_ipv6 = server_settings[u"use_ipv6"]
1493
syslogger.setLevel(logging.WARNING)
1494
console.setLevel(logging.WARNING)
1496
if server_settings[u"servicename"] != u"Mandos":
2406
1497
syslogger.setFormatter(logging.Formatter
2407
('Mandos ({0}) [%(process)d]:'
2408
' %(levelname)s: %(message)s'
2409
.format(server_settings
1498
(u'Mandos (%s) [%%(process)d]:'
1499
u' %%(levelname)s: %%(message)s'
1500
% server_settings[u"servicename"]))
2412
1502
# Parse config file with clients
2413
client_config = configparser.SafeConfigParser(Client
2415
client_config.read(os.path.join(server_settings["configdir"],
1503
client_defaults = { u"timeout": u"1h",
1505
u"checker": u"fping -q -- %%(host)s",
1508
client_config = configparser.SafeConfigParser(client_defaults)
1509
client_config.read(os.path.join(server_settings[u"configdir"],
2418
1512
global mandos_dbus_service
2419
1513
mandos_dbus_service = None
2421
tcp_server = MandosServer((server_settings["address"],
2422
server_settings["port"]),
1515
tcp_server = MandosServer((server_settings[u"address"],
1516
server_settings[u"port"]),
2424
interface=(server_settings["interface"]
1518
interface=server_settings[u"interface"],
2426
1519
use_ipv6=use_ipv6,
2427
1520
gnutls_priority=
2428
server_settings["priority"],
2430
socketfd=(server_settings["socket"]
2433
pidfilename = "/var/run/mandos.pid"
2436
pidfile = open(pidfilename, "w")
2437
except IOError as e:
2438
logger.error("Could not open file %r", pidfilename,
1521
server_settings[u"priority"],
1523
pidfilename = u"/var/run/mandos.pid"
1525
pidfile = open(pidfilename, u"w")
1527
logger.error(u"Could not open file %r", pidfilename)
2441
for name in ("_mandos", "mandos", "nobody"):
1530
uid = pwd.getpwnam(u"_mandos").pw_uid
1531
gid = pwd.getpwnam(u"_mandos").pw_gid
2443
uid = pwd.getpwnam(name).pw_uid
2444
gid = pwd.getpwnam(name).pw_gid
1534
uid = pwd.getpwnam(u"mandos").pw_uid
1535
gid = pwd.getpwnam(u"mandos").pw_gid
2446
1536
except KeyError:
1538
uid = pwd.getpwnam(u"nobody").pw_uid
1539
gid = pwd.getpwnam(u"nobody").pw_gid
2454
except OSError as error:
2455
if error.errno != errno.EPERM:
1546
except OSError, error:
1547
if error[0] != errno.EPERM:
1550
# Enable all possible GnuTLS debugging
2459
# Enable all possible GnuTLS debugging
2461
1552
# "Use a log level over 10 to enable all debugging options."
2462
1553
# - GnuTLS manual
2463
1554
gnutls.library.functions.gnutls_global_set_log_level(11)
2465
1556
@gnutls.library.types.gnutls_log_func
2466
1557
def debug_gnutls(level, string):
2467
logger.debug("GnuTLS: %s", string[:-1])
1558
logger.debug(u"GnuTLS: %s", string[:-1])
2469
1560
(gnutls.library.functions
2470
1561
.gnutls_global_set_log_function(debug_gnutls))
2472
# Redirect stdin so all checkers get /dev/null
2473
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2474
os.dup2(null, sys.stdin.fileno())
2478
# Need to fork before connecting to D-Bus
2480
# Close all input and output, do double fork, etc.
2483
# multiprocessing will use threads, so before we use gobject we
2484
# need to inform gobject that threads will be used.
2485
gobject.threads_init()
2487
1563
global main_loop
2488
1564
# From the Avahi example code
2489
DBusGMainLoop(set_as_default=True)
1565
DBusGMainLoop(set_as_default=True )
2490
1566
main_loop = gobject.MainLoop()
2491
1567
bus = dbus.SystemBus()
2492
1568
# End of Avahi example code
2495
bus_name = dbus.service.BusName("se.recompile.Mandos",
1571
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
2496
1572
bus, do_not_queue=True)
2497
old_bus_name = (dbus.service.BusName
2498
("se.bsnet.fukt.Mandos", bus,
2500
except dbus.exceptions.NameExistsException as e:
2501
logger.error("Disabling D-Bus:", exc_info=e)
1573
except dbus.exceptions.NameExistsException, e:
1574
logger.error(unicode(e) + u", disabling D-Bus")
2502
1575
use_dbus = False
2503
server_settings["use_dbus"] = False
1576
server_settings[u"use_dbus"] = False
2504
1577
tcp_server.use_dbus = False
2505
1578
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2506
service = AvahiServiceToSyslog(name =
2507
server_settings["servicename"],
2508
servicetype = "_mandos._tcp",
2509
protocol = protocol, bus = bus)
1579
service = AvahiService(name = server_settings[u"servicename"],
1580
servicetype = u"_mandos._tcp",
1581
protocol = protocol, bus = bus)
2510
1582
if server_settings["interface"]:
2511
1583
service.interface = (if_nametoindex
2512
(str(server_settings["interface"])))
2514
global multiprocessing_manager
2515
multiprocessing_manager = multiprocessing.Manager()
1584
(str(server_settings[u"interface"])))
2517
1586
client_class = Client
2519
1588
client_class = functools.partial(ClientDBus, bus = bus)
2521
client_settings = Client.config_parser(client_config)
2522
old_client_settings = {}
2525
# Get client data and settings from last running state.
2526
if server_settings["restore"]:
2528
with open(stored_state_path, "rb") as stored_state:
2529
clients_data, old_client_settings = (pickle.load
2531
os.remove(stored_state_path)
2532
except IOError as e:
2533
if e.errno == errno.ENOENT:
2534
logger.warning("Could not load persistent state: {0}"
2535
.format(os.strerror(e.errno)))
2537
logger.critical("Could not load persistent state:",
2540
except EOFError as e:
2541
logger.warning("Could not load persistent state: "
2542
"EOFError:", exc_info=e)
2544
with PGPEngine() as pgp:
2545
for client_name, client in clients_data.iteritems():
2546
# Decide which value to use after restoring saved state.
2547
# We have three different values: Old config file,
2548
# new config file, and saved state.
2549
# New config value takes precedence if it differs from old
2550
# config value, otherwise use saved state.
2551
for name, value in client_settings[client_name].items():
2553
# For each value in new config, check if it
2554
# differs from the old config value (Except for
2555
# the "secret" attribute)
2556
if (name != "secret" and
2557
value != old_client_settings[client_name]
2559
client[name] = value
2563
# Clients who has passed its expire date can still be
2564
# enabled if its last checker was successful. Clients
2565
# whose checker succeeded before we stored its state is
2566
# assumed to have successfully run all checkers during
2568
if client["enabled"]:
2569
if datetime.datetime.utcnow() >= client["expires"]:
2570
if not client["last_checked_ok"]:
2572
"disabling client {0} - Client never "
2573
"performed a successful checker"
2574
.format(client_name))
2575
client["enabled"] = False
2576
elif client["last_checker_status"] != 0:
2578
"disabling client {0} - Client "
2579
"last checker failed with error code {1}"
2580
.format(client_name,
2581
client["last_checker_status"]))
2582
client["enabled"] = False
2584
client["expires"] = (datetime.datetime
2586
+ client["timeout"])
2587
logger.debug("Last checker succeeded,"
2588
" keeping {0} enabled"
2589
.format(client_name))
2591
client["secret"] = (
2592
pgp.decrypt(client["encrypted_secret"],
2593
client_settings[client_name]
2596
# If decryption fails, we use secret from new settings
2597
logger.debug("Failed to decrypt {0} old secret"
2598
.format(client_name))
2599
client["secret"] = (
2600
client_settings[client_name]["secret"])
2602
# Add/remove clients based on new changes made to config
2603
for client_name in (set(old_client_settings)
2604
- set(client_settings)):
2605
del clients_data[client_name]
2606
for client_name in (set(client_settings)
2607
- set(old_client_settings)):
2608
clients_data[client_name] = client_settings[client_name]
2610
# Create all client objects
2611
for client_name, client in clients_data.iteritems():
2612
tcp_server.clients[client_name] = client_class(
2613
name = client_name, settings = client)
1589
tcp_server.clients.update(set(
1590
client_class(name = section,
1591
config= dict(client_config.items(section)))
1592
for section in client_config.sections()))
2615
1593
if not tcp_server.clients:
2616
logger.warning("No clients defined")
2619
if pidfile is not None:
2623
pidfile.write(str(pid) + "\n".encode("utf-8"))
2625
logger.error("Could not write to file %r with PID %d",
1594
logger.warning(u"No clients defined")
1597
# Redirect stdin so all checkers get /dev/null
1598
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1599
os.dup2(null, sys.stdin.fileno())
1603
# No console logging
1604
logger.removeHandler(console)
1605
# Close all input and output, do double fork, etc.
1609
with closing(pidfile):
1611
pidfile.write(str(pid) + "\n")
1614
logger.error(u"Could not write to file %r with PID %d",
1617
# "pidfile" was never created
1622
signal.signal(signal.SIGINT, signal.SIG_IGN)
2630
1623
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2631
1624
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2634
@alternate_dbus_interfaces({"se.recompile.Mandos":
2635
"se.bsnet.fukt.Mandos"})
2636
class MandosDBusService(DBusObjectWithProperties):
1627
class MandosDBusService(dbus.service.Object):
2637
1628
"""A D-Bus proxy object"""
2638
1629
def __init__(self):
2639
dbus.service.Object.__init__(self, bus, "/")
2640
_interface = "se.recompile.Mandos"
2642
@dbus_interface_annotations(_interface)
2644
return { "org.freedesktop.DBus.Property"
2645
".EmitsChangedSignal":
2648
@dbus.service.signal(_interface, signature="o")
2649
def ClientAdded(self, objpath):
2653
@dbus.service.signal(_interface, signature="ss")
2654
def ClientNotFound(self, fingerprint, address):
2658
@dbus.service.signal(_interface, signature="os")
1630
dbus.service.Object.__init__(self, bus, u"/")
1631
_interface = u"se.bsnet.fukt.Mandos"
1633
@dbus.service.signal(_interface, signature=u"oa{sv}")
1634
def ClientAdded(self, objpath, properties):
1638
@dbus.service.signal(_interface, signature=u"s")
1639
def ClientNotFound(self, fingerprint):
1643
@dbus.service.signal(_interface, signature=u"os")
2659
1644
def ClientRemoved(self, objpath, name):
2663
@dbus.service.method(_interface, out_signature="ao")
1648
@dbus.service.method(_interface, out_signature=u"ao")
2664
1649
def GetAllClients(self):
2666
1651
return dbus.Array(c.dbus_object_path
2668
tcp_server.clients.itervalues())
1652
for c in tcp_server.clients)
2670
1654
@dbus.service.method(_interface,
2671
out_signature="a{oa{sv}}")
1655
out_signature=u"a{oa{sv}}")
2672
1656
def GetAllClientsWithProperties(self):
2674
1658
return dbus.Dictionary(
2675
((c.dbus_object_path, c.GetAll(""))
2676
for c in tcp_server.clients.itervalues()),
1659
((c.dbus_object_path, c.GetAll(u""))
1660
for c in tcp_server.clients),
1661
signature=u"oa{sv}")
2679
@dbus.service.method(_interface, in_signature="o")
1663
@dbus.service.method(_interface, in_signature=u"o")
2680
1664
def RemoveClient(self, object_path):
2682
for c in tcp_server.clients.itervalues():
1666
for c in tcp_server.clients:
2683
1667
if c.dbus_object_path == object_path:
2684
del tcp_server.clients[c.name]
1668
tcp_server.clients.remove(c)
2685
1669
c.remove_from_connection()
2686
1670
# Don't signal anything except ClientRemoved
2687
1671
c.disable(quiet=True)