To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 403
- compare with another revision
- download diff
- download tarball
- view history from revision 403
- Committer: Teddy Hogeborn
- Date: 2009-11-05 02:12:57 UTC
- Revision ID: teddy@fukt.bsnet.se-20091105021257-l2b5nb1v4pc2tupw
* mandos (ClientDBus.disable): Bug fix: complete rename of "log" and
"signal" to "quiet".
"signal" to "quiet".
- files removed:
- DBUS-API
- debian/source
- debian/upstream
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@recompile.se>.
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
36
37
from future_builtins import *
38
39
try:
40
import SocketServer as socketserver
41
except ImportError:
42
import socketserver
34
from __future__ import division, with_statement, absolute_import
35
36
import SocketServer as socketserver
43
37
import socket
44
import argparse
38
import optparse
45
39
import datetime
46
40
import errno
47
41
import gnutls.crypto
50
44
import gnutls.library.functions
51
45
import gnutls.library.constants
52
46
import gnutls.library.types
53
try:
54
import ConfigParser as configparser
55
except ImportError:
56
import configparser
47
import ConfigParser as configparser
57
48
import sys
58
49
import re
59
50
import os
64
55
import logging
65
56
import logging.handlers
66
57
import pwd
67
import contextlib
58
from contextlib import closing
68
59
import struct
69
60
import fcntl
70
61
import functools
71
try:
72
import cPickle as pickle
73
except ImportError:
74
import pickle
75
import multiprocessing
76
import types
77
import binascii
78
import tempfile
79
import itertools
80
import collections
81
import codecs
82
62
83
63
import dbus
84
64
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
65
import gobject
89
66
import avahi
90
67
from dbus.mainloop.glib import DBusGMainLoop
91
68
import ctypes
101
78
except ImportError:
102
79
SO_BINDTODEVICE = None
103
80
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
108
stored_state_file = "clients.pickle"
109
110
logger = logging.getLogger()
111
syslogger = None
112
113
try:
114
if_nametoindex = ctypes.cdll.LoadLibrary(
115
ctypes.util.find_library("c")).if_nametoindex
116
except (OSError, AttributeError):
117
118
def if_nametoindex(interface):
119
"Get an interface index the hard way, i.e. using fcntl()"
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
121
with contextlib.closing(socket.socket()) as s:
122
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
123
struct.pack(b"16s16x", interface))
124
interface_index = struct.unpack("I", ifreq[16:20])[0]
125
return interface_index
126
127
128
def initlogger(debug, level=logging.WARNING):
129
"""init logger and add loglevel"""
130
131
global syslogger
132
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
135
syslogger.setFormatter(logging.Formatter
136
('Mandos [%(process)d]: %(levelname)s:'
137
' %(message)s'))
138
logger.addHandler(syslogger)
139
140
if debug:
141
console = logging.StreamHandler()
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
143
' [%(process)d]:'
144
' %(levelname)s:'
145
' %(message)s'))
146
logger.addHandler(console)
147
logger.setLevel(level)
148
149
150
class PGPError(Exception):
151
"""Exception if encryption/decryption fails"""
152
pass
153
154
155
class PGPEngine(object):
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
158
def __init__(self):
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
160
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
162
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
166
def __enter__(self):
167
return self
168
169
def __exit__(self, exc_type, exc_value, traceback):
170
self._cleanup()
171
return False
172
173
def __del__(self):
174
self._cleanup()
175
176
def _cleanup(self):
177
if self.tempdir is not None:
178
# Delete contents of tempdir
179
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
181
for filename in files:
182
os.remove(os.path.join(root, filename))
183
for dirname in dirs:
184
os.rmdir(os.path.join(root, dirname))
185
# Remove tempdir
186
os.rmdir(self.tempdir)
187
self.tempdir = None
188
189
def password_encode(self, password):
190
# Passphrase can not be empty and can not contain newlines or
191
# NUL bytes. So we prefix it and hex encode it.
192
encoded = b"mandos" + binascii.hexlify(password)
193
if len(encoded) > 2048:
194
# GnuPG can't handle long passwords, so encode differently
195
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
196
.replace(b"\n", b"\\n")
197
.replace(b"\0", b"\\x00"))
198
return encoded
199
200
def encrypt(self, data, password):
201
passphrase = self.password_encode(password)
202
with tempfile.NamedTemporaryFile(
203
dir=self.tempdir) as passfile:
204
passfile.write(passphrase)
205
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
207
'--passphrase-file',
208
passfile.name]
209
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
214
if proc.returncode != 0:
215
raise PGPError(err)
216
return ciphertext
217
218
def decrypt(self, data, password):
219
passphrase = self.password_encode(password)
220
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
222
passfile.write(passphrase)
223
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
225
'--passphrase-file',
226
passfile.name]
227
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
232
if proc.returncode != 0:
233
raise PGPError(err)
234
return decrypted_plaintext
235
81
82
version = "1.0.14"
83
84
logger = logging.Logger(u'mandos')
85
syslogger = (logging.handlers.SysLogHandler
86
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
87
address = "/dev/log"))
88
syslogger.setFormatter(logging.Formatter
89
(u'Mandos [%(process)d]: %(levelname)s:'
90
u' %(message)s'))
91
logger.addHandler(syslogger)
92
93
console = logging.StreamHandler()
94
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
95
u' %(levelname)s:'
96
u' %(message)s'))
97
logger.addHandler(console)
236
98
237
99
class AvahiError(Exception):
238
100
def __init__(self, value, *args, **kwargs):
239
101
self.value = value
240
return super(AvahiError, self).__init__(value, *args,
241
**kwargs)
242
102
super(AvahiError, self).__init__(value, *args, **kwargs)
103
def __unicode__(self):
104
return unicode(repr(self.value))
243
105
244
106
class AvahiServiceError(AvahiError):
245
107
pass
246
108
247
248
109
class AvahiGroupError(AvahiError):
249
110
pass
250
111
255
116
Attributes:
256
117
interface: integer; avahi.IF_UNSPEC or an interface index.
257
118
Used to optionally bind to the specified interface.
258
name: string; Example: 'Mandos'
259
type: string; Example: '_mandos._tcp'.
260
See <https://www.iana.org/assignments/service-names-port-numbers>
119
name: string; Example: u'Mandos'
120
type: string; Example: u'_mandos._tcp'.
121
See <http://www.dns-sd.org/ServiceTypes.html>
261
122
port: integer; what port to announce
262
123
TXT: list of strings; TXT record for the service
263
124
domain: string; Domain to publish on, default to .local if empty.
269
130
server: D-Bus Server
270
131
bus: dbus.SystemBus()
271
132
"""
272
273
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
133
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
134
servicetype = None, port = None, TXT = None,
135
domain = u"", host = u"", max_renames = 32768,
136
protocol = avahi.PROTO_UNSPEC, bus = None):
284
137
self.interface = interface
285
138
self.name = name
286
139
self.type = servicetype
294
147
self.group = None # our entry group
295
148
self.server = None
296
149
self.bus = bus
297
self.entry_group_state_changed_match = None
298
299
def rename(self, remove=True):
150
def rename(self):
300
151
"""Derived from the Avahi example code"""
301
152
if self.rename_count >= self.max_renames:
302
logger.critical("No suitable Zeroconf service name found"
303
" after %i retries, exiting.",
153
logger.critical(u"No suitable Zeroconf service name found"
154
u" after %i retries, exiting.",
304
155
self.rename_count)
305
raise AvahiServiceError("Too many renames")
306
self.name = str(
307
self.server.GetAlternativeServiceName(self.name))
156
raise AvahiServiceError(u"Too many renames")
157
self.name = self.server.GetAlternativeServiceName(self.name)
158
logger.info(u"Changing Zeroconf service name to %r ...",
159
unicode(self.name))
160
syslogger.setFormatter(logging.Formatter
161
(u'Mandos (%s) [%%(process)d]:'
162
u' %%(levelname)s: %%(message)s'
163
% self.name))
164
self.remove()
165
self.add()
308
166
self.rename_count += 1
309
logger.info("Changing Zeroconf service name to %r ...",
310
self.name)
311
if remove:
312
self.remove()
313
try:
314
self.add()
315
except dbus.exceptions.DBusException as error:
316
if (error.get_dbus_name()
317
== "org.freedesktop.Avahi.CollisionError"):
318
logger.info("Local Zeroconf service name collision.")
319
return self.rename(remove=False)
320
else:
321
logger.critical("D-Bus Exception", exc_info=error)
322
self.cleanup()
323
os._exit(1)
324
325
167
def remove(self):
326
168
"""Derived from the Avahi example code"""
327
if self.entry_group_state_changed_match is not None:
328
self.entry_group_state_changed_match.remove()
329
self.entry_group_state_changed_match = None
330
169
if self.group is not None:
331
170
self.group.Reset()
332
333
171
def add(self):
334
172
"""Derived from the Avahi example code"""
335
self.remove()
336
173
if self.group is None:
337
174
self.group = dbus.Interface(
338
175
self.bus.get_object(avahi.DBUS_NAME,
339
176
self.server.EntryGroupNew()),
340
177
avahi.DBUS_INTERFACE_ENTRY_GROUP)
341
self.entry_group_state_changed_match = (
342
self.group.connect_to_signal(
343
'StateChanged', self.entry_group_state_changed))
344
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
178
self.group.connect_to_signal('StateChanged',
179
self
180
.entry_group_state_changed)
181
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
345
182
self.name, self.type)
346
183
self.group.AddService(
347
184
self.interface,
352
189
dbus.UInt16(self.port),
353
190
avahi.string_array_to_txt_array(self.TXT))
354
191
self.group.Commit()
355
356
192
def entry_group_state_changed(self, state, error):
357
193
"""Derived from the Avahi example code"""
358
logger.debug("Avahi entry group state change: %i", state)
194
logger.debug(u"Avahi state change: %i", state)
359
195
360
196
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
logger.debug("Zeroconf service established.")
197
logger.debug(u"Zeroconf service established.")
362
198
elif state == avahi.ENTRY_GROUP_COLLISION:
363
logger.info("Zeroconf service name collision.")
199
logger.warning(u"Zeroconf service name collision.")
364
200
self.rename()
365
201
elif state == avahi.ENTRY_GROUP_FAILURE:
366
logger.critical("Avahi: Error in group state changed %s",
367
str(error))
368
raise AvahiGroupError("State changed: {!s}".format(error))
369
202
logger.critical(u"Avahi: Error in group state changed %s",
203
unicode(error))
204
raise AvahiGroupError(u"State changed: %s"
205
% unicode(error))
370
206
def cleanup(self):
371
207
"""Derived from the Avahi example code"""
372
208
if self.group is not None:
373
try:
374
self.group.Free()
375
except (dbus.exceptions.UnknownMethodException,
376
dbus.exceptions.DBusException):
377
pass
209
self.group.Free()
378
210
self.group = None
379
self.remove()
380
381
def server_state_changed(self, state, error=None):
211
def server_state_changed(self, state):
382
212
"""Derived from the Avahi example code"""
383
logger.debug("Avahi server state change: %i", state)
384
bad_states = {
385
avahi.SERVER_INVALID: "Zeroconf server invalid",
386
avahi.SERVER_REGISTERING: None,
387
avahi.SERVER_COLLISION: "Zeroconf server name collision",
388
avahi.SERVER_FAILURE: "Zeroconf server failure",
389
}
390
if state in bad_states:
391
if bad_states[state] is not None:
392
if error is None:
393
logger.error(bad_states[state])
394
else:
395
logger.error(bad_states[state] + ": %r", error)
396
self.cleanup()
213
if state == avahi.SERVER_COLLISION:
214
logger.error(u"Zeroconf server name collision")
215
self.remove()
397
216
elif state == avahi.SERVER_RUNNING:
398
217
self.add()
399
else:
400
if error is None:
401
logger.debug("Unknown state: %r", state)
402
else:
403
logger.debug("Unknown state: %r: %r", state, error)
404
405
218
def activate(self):
406
219
"""Derived from the Avahi example code"""
407
220
if self.server is None:
408
221
self.server = dbus.Interface(
409
222
self.bus.get_object(avahi.DBUS_NAME,
410
avahi.DBUS_PATH_SERVER,
411
follow_name_owner_changes=True),
223
avahi.DBUS_PATH_SERVER),
412
224
avahi.DBUS_INTERFACE_SERVER)
413
self.server.connect_to_signal("StateChanged",
414
self.server_state_changed)
225
self.server.connect_to_signal(u"StateChanged",
226
self.server_state_changed)
415
227
self.server_state_changed(self.server.GetState())
416
228
417
229
418
class AvahiServiceToSyslog(AvahiService):
419
def rename(self, *args, **kwargs):
420
"""Add the new name to the syslog messages"""
421
ret = AvahiService.rename(self, *args, **kwargs)
422
syslogger.setFormatter(logging.Formatter(
423
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
424
.format(self.name)))
425
return ret
426
427
428
230
class Client(object):
429
231
"""A representation of a client host served by this server.
430
232
431
233
Attributes:
432
approved: bool(); 'None' if not yet approved/disapproved
433
approval_delay: datetime.timedelta(); Time to wait for approval
434
approval_duration: datetime.timedelta(); Duration of one approval
234
name: string; from the config file, used in log messages and
235
D-Bus identifiers
236
fingerprint: string (40 or 32 hexadecimal digits); used to
237
uniquely identify the client
238
secret: bytestring; sent verbatim (over TLS) to client
239
host: string; available for use by the checker command
240
created: datetime.datetime(); (UTC) object creation
241
last_enabled: datetime.datetime(); (UTC)
242
enabled: bool()
243
last_checked_ok: datetime.datetime(); (UTC) or None
244
timeout: datetime.timedelta(); How long from last_checked_ok
245
until this client is invalid
246
interval: datetime.timedelta(); How often to start a new checker
247
disable_hook: If set, called by disable() as disable_hook(self)
435
248
checker: subprocess.Popen(); a running checker process used
436
249
to see if the client lives.
437
250
'None' if no process is running.
438
checker_callback_tag: a gobject event source tag, or None
439
checker_command: string; External command which is run to check
440
if client lives. %() expansions are done at
251
checker_initiator_tag: a gobject event source tag, or None
252
disable_initiator_tag: - '' -
253
checker_callback_tag: - '' -
254
checker_command: string; External command which is run to check if
255
client lives. %() expansions are done at
441
256
runtime with vars(self) as dict, so that for
442
257
instance %(name)s can be used in the command.
443
checker_initiator_tag: a gobject event source tag, or None
444
created: datetime.datetime(); (UTC) object creation
445
client_structure: Object describing what attributes a client has
446
and is used for storing the client at exit
447
258
current_checker_command: string; current running checker_command
448
disable_initiator_tag: a gobject event source tag, or None
449
enabled: bool()
450
fingerprint: string (40 or 32 hexadecimal digits); used to
451
uniquely identify the client
452
host: string; available for use by the checker command
453
interval: datetime.timedelta(); How often to start a new checker
454
last_approval_request: datetime.datetime(); (UTC) or None
455
last_checked_ok: datetime.datetime(); (UTC) or None
456
last_checker_status: integer between 0 and 255 reflecting exit
457
status of last checker. -1 reflects crashed
458
checker, -2 means no checker completed yet.
459
last_enabled: datetime.datetime(); (UTC) or None
460
name: string; from the config file, used in log messages and
461
D-Bus identifiers
462
secret: bytestring; sent verbatim (over TLS) to client
463
timeout: datetime.timedelta(); How long from last_checked_ok
464
until this client is disabled
465
extended_timeout: extra long timeout when secret has been sent
466
runtime_expansions: Allowed attributes for runtime expansion.
467
expires: datetime.datetime(); time (UTC) when a client will be
468
disabled, or None
469
server_settings: The server_settings dict from main()
470
259
"""
471
260
472
runtime_expansions = ("approval_delay", "approval_duration",
473
"created", "enabled", "expires",
474
"fingerprint", "host", "interval",
475
"last_approval_request", "last_checked_ok",
476
"last_enabled", "name", "timeout")
477
client_defaults = {
478
"timeout": "PT5M",
479
"extended_timeout": "PT15M",
480
"interval": "PT2M",
481
"checker": "fping -q -- %%(host)s",
482
"host": "",
483
"approval_delay": "PT0S",
484
"approval_duration": "PT1S",
485
"approved_by_default": "True",
486
"enabled": "True",
487
}
488
489
261
@staticmethod
490
def config_parser(config):
491
"""Construct a new dict of client settings of this form:
492
{ client_name: {setting_name: value, ...}, ...}
493
with exceptions for any special settings as defined above.
494
NOTE: Must be a pure function. Must return the same result
495
value given the same arguments.
496
"""
497
settings = {}
498
for client_name in config.sections():
499
section = dict(config.items(client_name))
500
client = settings[client_name] = {}
501
502
client["host"] = section["host"]
503
# Reformat values from string types to Python types
504
client["approved_by_default"] = config.getboolean(
505
client_name, "approved_by_default")
506
client["enabled"] = config.getboolean(client_name,
507
"enabled")
508
509
# Uppercase and remove spaces from fingerprint for later
510
# comparison purposes with return value from the
511
# fingerprint() function
512
client["fingerprint"] = (section["fingerprint"].upper()
513
.replace(" ", ""))
514
if "secret" in section:
515
client["secret"] = section["secret"].decode("base64")
516
elif "secfile" in section:
517
with open(os.path.expanduser(os.path.expandvars
518
(section["secfile"])),
519
"rb") as secfile:
520
client["secret"] = secfile.read()
521
else:
522
raise TypeError("No secret or secfile for section {}"
523
.format(section))
524
client["timeout"] = string_to_delta(section["timeout"])
525
client["extended_timeout"] = string_to_delta(
526
section["extended_timeout"])
527
client["interval"] = string_to_delta(section["interval"])
528
client["approval_delay"] = string_to_delta(
529
section["approval_delay"])
530
client["approval_duration"] = string_to_delta(
531
section["approval_duration"])
532
client["checker_command"] = section["checker"]
533
client["last_approval_request"] = None
534
client["last_checked_ok"] = None
535
client["last_checker_status"] = -2
536
537
return settings
538
539
def __init__(self, settings, name = None, server_settings=None):
262
def _timedelta_to_milliseconds(td):
263
"Convert a datetime.timedelta() to milliseconds"
264
return ((td.days * 24 * 60 * 60 * 1000)
265
+ (td.seconds * 1000)
266
+ (td.microseconds // 1000))
267
268
def timeout_milliseconds(self):
269
"Return the 'timeout' attribute in milliseconds"
270
return self._timedelta_to_milliseconds(self.timeout)
271
272
def interval_milliseconds(self):
273
"Return the 'interval' attribute in milliseconds"
274
return self._timedelta_to_milliseconds(self.interval)
275
276
def __init__(self, name = None, disable_hook=None, config=None):
277
"""Note: the 'checker' key in 'config' sets the
278
'checker_command' attribute and *not* the 'checker'
279
attribute."""
540
280
self.name = name
541
if server_settings is None:
542
server_settings = {}
543
self.server_settings = server_settings
544
# adding all client settings
545
for setting, value in settings.items():
546
setattr(self, setting, value)
547
548
if self.enabled:
549
if not hasattr(self, "last_enabled"):
550
self.last_enabled = datetime.datetime.utcnow()
551
if not hasattr(self, "expires"):
552
self.expires = (datetime.datetime.utcnow()
553
+ self.timeout)
281
if config is None:
282
config = {}
283
logger.debug(u"Creating client %r", self.name)
284
# Uppercase and remove spaces from fingerprint for later
285
# comparison purposes with return value from the fingerprint()
286
# function
287
self.fingerprint = (config[u"fingerprint"].upper()
288
.replace(u" ", u""))
289
logger.debug(u" Fingerprint: %s", self.fingerprint)
290
if u"secret" in config:
291
self.secret = config[u"secret"].decode(u"base64")
292
elif u"secfile" in config:
293
with closing(open(os.path.expanduser
294
(os.path.expandvars
295
(config[u"secfile"])),
296
"rb")) as secfile:
297
self.secret = secfile.read()
554
298
else:
555
self.last_enabled = None
556
self.expires = None
557
558
logger.debug("Creating client %r", self.name)
559
logger.debug(" Fingerprint: %s", self.fingerprint)
560
self.created = settings.get("created",
561
datetime.datetime.utcnow())
562
563
# attributes specific for this server instance
299
raise TypeError(u"No secret or secfile for client %s"
300
% self.name)
301
self.host = config.get(u"host", u"")
302
self.created = datetime.datetime.utcnow()
303
self.enabled = False
304
self.last_enabled = None
305
self.last_checked_ok = None
306
self.timeout = string_to_delta(config[u"timeout"])
307
self.interval = string_to_delta(config[u"interval"])
308
self.disable_hook = disable_hook
564
309
self.checker = None
565
310
self.checker_initiator_tag = None
566
311
self.disable_initiator_tag = None
567
312
self.checker_callback_tag = None
313
self.checker_command = config[u"checker"]
568
314
self.current_checker_command = None
569
self.approved = None
570
self.approvals_pending = 0
571
self.changedstate = multiprocessing_manager.Condition(
572
multiprocessing_manager.Lock())
573
self.client_structure = [attr
574
for attr in self.__dict__.iterkeys()
575
if not attr.startswith("_")]
576
self.client_structure.append("client_structure")
577
578
for name, t in inspect.getmembers(
579
type(self), lambda obj: isinstance(obj, property)):
580
if not name.startswith("_"):
581
self.client_structure.append(name)
582
583
# Send notice to process children that client state has changed
584
def send_changedstate(self):
585
with self.changedstate:
586
self.changedstate.notify_all()
315
self.last_connect = None
587
316
588
317
def enable(self):
589
318
"""Start this client's checker and timeout hooks"""
590
if getattr(self, "enabled", False):
319
if getattr(self, u"enabled", False):
591
320
# Already enabled
592
321
return
593
self.expires = datetime.datetime.utcnow() + self.timeout
594
self.enabled = True
595
322
self.last_enabled = datetime.datetime.utcnow()
596
self.init_checker()
597
self.send_changedstate()
323
# Schedule a new checker to be started an 'interval' from now,
324
# and every interval from then on.
325
self.checker_initiator_tag = (gobject.timeout_add
326
(self.interval_milliseconds(),
327
self.start_checker))
328
# Schedule a disable() when 'timeout' has passed
329
self.disable_initiator_tag = (gobject.timeout_add
330
(self.timeout_milliseconds(),
331
self.disable))
332
self.enabled = True
333
# Also start a new checker *right now*.
334
self.start_checker()
598
335
599
336
def disable(self, quiet=True):
600
337
"""Disable this client."""
601
338
if not getattr(self, "enabled", False):
602
339
return False
603
340
if not quiet:
604
logger.info("Disabling client %s", self.name)
605
if getattr(self, "disable_initiator_tag", None) is not None:
341
logger.info(u"Disabling client %s", self.name)
342
if getattr(self, u"disable_initiator_tag", False):
606
343
gobject.source_remove(self.disable_initiator_tag)
607
344
self.disable_initiator_tag = None
608
self.expires = None
609
if getattr(self, "checker_initiator_tag", None) is not None:
345
if getattr(self, u"checker_initiator_tag", False):
610
346
gobject.source_remove(self.checker_initiator_tag)
611
347
self.checker_initiator_tag = None
612
348
self.stop_checker()
349
if self.disable_hook:
350
self.disable_hook(self)
613
351
self.enabled = False
614
if not quiet:
615
self.send_changedstate()
616
352
# Do not run this again if called by a gobject.timeout_add
617
353
return False
618
354
619
355
def __del__(self):
356
self.disable_hook = None
620
357
self.disable()
621
358
622
def init_checker(self):
623
# Schedule a new checker to be started an 'interval' from now,
624
# and every interval from then on.
625
if self.checker_initiator_tag is not None:
626
gobject.source_remove(self.checker_initiator_tag)
627
self.checker_initiator_tag = gobject.timeout_add(
628
int(self.interval.total_seconds() * 1000),
629
self.start_checker)
630
# Schedule a disable() when 'timeout' has passed
631
if self.disable_initiator_tag is not None:
632
gobject.source_remove(self.disable_initiator_tag)
633
self.disable_initiator_tag = gobject.timeout_add(
634
int(self.timeout.total_seconds() * 1000), self.disable)
635
# Also start a new checker *right now*.
636
self.start_checker()
637
638
359
def checker_callback(self, pid, condition, command):
639
360
"""The checker has completed, so take appropriate actions."""
640
361
self.checker_callback_tag = None
641
362
self.checker = None
642
363
if os.WIFEXITED(condition):
643
self.last_checker_status = os.WEXITSTATUS(condition)
644
if self.last_checker_status == 0:
645
logger.info("Checker for %(name)s succeeded",
364
exitstatus = os.WEXITSTATUS(condition)
365
if exitstatus == 0:
366
logger.info(u"Checker for %(name)s succeeded",
646
367
vars(self))
647
368
self.checked_ok()
648
369
else:
649
logger.info("Checker for %(name)s failed", vars(self))
370
logger.info(u"Checker for %(name)s failed",
371
vars(self))
650
372
else:
651
self.last_checker_status = -1
652
logger.warning("Checker for %(name)s crashed?",
373
logger.warning(u"Checker for %(name)s crashed?",
653
374
vars(self))
654
375
655
376
def checked_ok(self):
656
"""Assert that the client has been seen, alive and well."""
377
"""Bump up the timeout for this client.
378
379
This should only be called when the client has been seen,
380
alive and well.
381
"""
657
382
self.last_checked_ok = datetime.datetime.utcnow()
658
self.last_checker_status = 0
659
self.bump_timeout()
660
661
def bump_timeout(self, timeout=None):
662
"""Bump up the timeout for this client."""
663
if timeout is None:
664
timeout = self.timeout
665
if self.disable_initiator_tag is not None:
666
gobject.source_remove(self.disable_initiator_tag)
667
self.disable_initiator_tag = None
668
if getattr(self, "enabled", False):
669
self.disable_initiator_tag = gobject.timeout_add(
670
int(timeout.total_seconds() * 1000), self.disable)
671
self.expires = datetime.datetime.utcnow() + timeout
672
673
def need_approval(self):
674
self.last_approval_request = datetime.datetime.utcnow()
383
gobject.source_remove(self.disable_initiator_tag)
384
self.disable_initiator_tag = (gobject.timeout_add
385
(self.timeout_milliseconds(),
386
self.disable))
675
387
676
388
def start_checker(self):
677
389
"""Start a new checker subprocess if one is not running.
679
391
If a checker already exists, leave it running and do
680
392
nothing."""
681
393
# The reason for not killing a running checker is that if we
682
# did that, and if a checker (for some reason) started running
683
# slowly and taking more than 'interval' time, then the client
684
# would inevitably timeout, since no checker would get a
685
# chance to run to completion. If we instead leave running
394
# did that, then if a checker (for some reason) started
395
# running slowly and taking more than 'interval' time, the
396
# client would inevitably timeout, since no checker would get
397
# a chance to run to completion. If we instead leave running
686
398
# checkers alone, the checker would have to take more time
687
# than 'timeout' for the client to be disabled, which is as it
688
# should be.
399
# than 'timeout' for the client to be declared invalid, which
400
# is as it should be.
689
401
690
402
# If a checker exists, make sure it is not a zombie
691
403
try:
692
404
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
693
except AttributeError:
694
pass
695
except OSError as error:
696
if error.errno != errno.ECHILD:
697
raise
405
except (AttributeError, OSError), error:
406
if (isinstance(error, OSError)
407
and error.errno != errno.ECHILD):
408
raise error
698
409
else:
699
410
if pid:
700
logger.warning("Checker was a zombie")
411
logger.warning(u"Checker was a zombie")
701
412
gobject.source_remove(self.checker_callback_tag)
702
413
self.checker_callback(pid, status,
703
414
self.current_checker_command)
704
415
# Start a new checker if needed
705
416
if self.checker is None:
706
# Escape attributes for the shell
707
escaped_attrs = {
708
attr: re.escape(str(getattr(self, attr)))
709
for attr in self.runtime_expansions }
710
417
try:
711
command = self.checker_command % escaped_attrs
712
except TypeError as error:
713
logger.error('Could not format string "%s"',
714
self.checker_command,
715
exc_info=error)
716
return True # Try again later
418
# In case checker_command has exactly one % operator
419
command = self.checker_command % self.host
420
except TypeError:
421
# Escape attributes for the shell
422
escaped_attrs = dict((key,
423
re.escape(unicode(str(val),
424
errors=
425
u'replace')))
426
for key, val in
427
vars(self).iteritems())
428
try:
429
command = self.checker_command % escaped_attrs
430
except TypeError, error:
431
logger.error(u'Could not format string "%s":'
432
u' %s', self.checker_command, error)
433
return True # Try again later
717
434
self.current_checker_command = command
718
435
try:
719
logger.info("Starting checker %r for %s", command,
720
self.name)
436
logger.info(u"Starting checker %r for %s",
437
command, self.name)
721
438
# We don't need to redirect stdout and stderr, since
722
439
# in normal mode, that is already done by daemon(),
723
440
# and in debug mode we don't want to. (Stdin is
724
441
# always replaced by /dev/null.)
725
# The exception is when not debugging but nevertheless
726
# running in the foreground; use the previously
727
# created wnull.
728
popen_args = {}
729
if (not self.server_settings["debug"]
730
and self.server_settings["foreground"]):
731
popen_args.update({"stdout": wnull,
732
"stderr": wnull })
733
442
self.checker = subprocess.Popen(command,
734
443
close_fds=True,
735
shell=True,
736
cwd="/",
737
**popen_args)
738
except OSError as error:
739
logger.error("Failed to start subprocess",
740
exc_info=error)
741
return True
742
self.checker_callback_tag = gobject.child_watch_add(
743
self.checker.pid, self.checker_callback, data=command)
744
# The checker may have completed before the gobject
745
# watch was added. Check for this.
746
try:
444
shell=True, cwd=u"/")
445
self.checker_callback_tag = (gobject.child_watch_add
446
(self.checker.pid,
447
self.checker_callback,
448
data=command))
449
# The checker may have completed before the gobject
450
# watch was added. Check for this.
747
451
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
748
except OSError as error:
749
if error.errno == errno.ECHILD:
750
# This should never happen
751
logger.error("Child process vanished",
752
exc_info=error)
753
return True
754
raise
755
if pid:
756
gobject.source_remove(self.checker_callback_tag)
757
self.checker_callback(pid, status, command)
452
if pid:
453
gobject.source_remove(self.checker_callback_tag)
454
self.checker_callback(pid, status, command)
455
except OSError, error:
456
logger.error(u"Failed to start subprocess: %s",
457
error)
758
458
# Re-run this periodically if run by gobject.timeout_add
759
459
return True
760
460
763
463
if self.checker_callback_tag:
764
464
gobject.source_remove(self.checker_callback_tag)
765
465
self.checker_callback_tag = None
766
if getattr(self, "checker", None) is None:
466
if getattr(self, u"checker", None) is None:
767
467
return
768
logger.debug("Stopping checker for %(name)s", vars(self))
468
logger.debug(u"Stopping checker for %(name)s", vars(self))
769
469
try:
770
self.checker.terminate()
470
os.kill(self.checker.pid, signal.SIGTERM)
771
471
#time.sleep(0.5)
772
472
#if self.checker.poll() is None:
773
# self.checker.kill()
774
except OSError as error:
473
# os.kill(self.checker.pid, signal.SIGKILL)
474
except OSError, error:
775
475
if error.errno != errno.ESRCH: # No such process
776
476
raise
777
477
self.checker = None
778
779
780
def dbus_service_property(dbus_interface,
781
signature="v",
782
access="readwrite",
783
byte_arrays=False):
478
479
def still_valid(self):
480
"""Has the timeout not yet passed for this client?"""
481
if not getattr(self, u"enabled", False):
482
return False
483
now = datetime.datetime.utcnow()
484
if self.last_checked_ok is None:
485
return now < (self.created + self.timeout)
486
else:
487
return now < (self.last_checked_ok + self.timeout)
488
489
490
def dbus_service_property(dbus_interface, signature=u"v",
491
access=u"readwrite", byte_arrays=False):
784
492
"""Decorators for marking methods of a DBusObjectWithProperties to
785
493
become properties on the D-Bus.
786
494
791
499
dbus.service.method, except there is only "signature", since the
792
500
type from Get() and the type sent to Set() is the same.
793
501
"""
794
# Encoding deeply encoded byte arrays is not supported yet by the
795
# "Set" method, so we fail early here:
796
if byte_arrays and signature != "ay":
797
raise ValueError("Byte arrays not supported for non-'ay'"
798
" signature {!r}".format(signature))
799
800
502
def decorator(func):
801
503
func._dbus_is_property = True
802
504
func._dbus_interface = dbus_interface
803
505
func._dbus_signature = signature
804
506
func._dbus_access = access
805
507
func._dbus_name = func.__name__
806
if func._dbus_name.endswith("_dbus_property"):
508
if func._dbus_name.endswith(u"_dbus_property"):
807
509
func._dbus_name = func._dbus_name[:-14]
808
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
809
return func
810
811
return decorator
812
813
814
def dbus_interface_annotations(dbus_interface):
815
"""Decorator for marking functions returning interface annotations
816
817
Usage:
818
819
@dbus_interface_annotations("org.example.Interface")
820
def _foo(self): # Function name does not matter
821
return {"org.freedesktop.DBus.Deprecated": "true",
822
"org.freedesktop.DBus.Property.EmitsChangedSignal":
823
"false"}
824
"""
825
826
def decorator(func):
827
func._dbus_is_interface = True
828
func._dbus_interface = dbus_interface
829
func._dbus_name = dbus_interface
830
return func
831
832
return decorator
833
834
835
def dbus_annotations(annotations):
836
"""Decorator to annotate D-Bus methods, signals or properties
837
Usage:
838
839
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
840
"org.freedesktop.DBus.Property."
841
"EmitsChangedSignal": "false"})
842
@dbus_service_property("org.example.Interface", signature="b",
843
access="r")
844
def Property_dbus_property(self):
845
return dbus.Boolean(False)
846
"""
847
848
def decorator(func):
849
func._dbus_annotations = annotations
850
return func
851
510
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
511
return func
852
512
return decorator
853
513
854
514
855
515
class DBusPropertyException(dbus.exceptions.DBusException):
856
516
"""A base class for D-Bus property-related exceptions
857
517
"""
858
pass
518
def __unicode__(self):
519
return unicode(str(self))
859
520
860
521
861
522
class DBusPropertyAccessException(DBusPropertyException):
872
533
873
534
class DBusObjectWithProperties(dbus.service.Object):
874
535
"""A D-Bus object with properties.
875
536
876
537
Classes inheriting from this can use the dbus_service_property
877
538
decorator to expose methods as D-Bus properties. It exposes the
878
539
standard Get(), Set(), and GetAll() methods on the D-Bus.
879
540
"""
880
541
881
542
@staticmethod
882
def _is_dbus_thing(thing):
883
"""Returns a function testing if an attribute is a D-Bus thing
884
885
If called like _is_dbus_thing("method") it returns a function
886
suitable for use as predicate to inspect.getmembers().
887
"""
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
False)
543
def _is_dbus_property(obj):
544
return getattr(obj, u"_dbus_is_property", False)
890
545
891
def _get_all_dbus_things(self, thing):
546
def _get_all_dbus_properties(self):
892
547
"""Returns a generator of (name, attribute) pairs
893
548
"""
894
return ((getattr(athing.__get__(self), "_dbus_name", name),
895
athing.__get__(self))
896
for cls in self.__class__.__mro__
897
for name, athing in
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
549
return ((prop._dbus_name, prop)
550
for name, prop in
551
inspect.getmembers(self, self._is_dbus_property))
899
552
900
553
def _get_dbus_property(self, interface_name, property_name):
901
554
"""Returns a bound method if one exists which is a D-Bus
902
555
property with the specified name and interface.
903
556
"""
904
for cls in self.__class__.__mro__:
905
for name, value in inspect.getmembers(
906
cls, self._is_dbus_thing("property")):
907
if (value._dbus_name == property_name
908
and value._dbus_interface == interface_name):
909
return value.__get__(self)
910
557
for name in (property_name,
558
property_name + u"_dbus_property"):
559
prop = getattr(self, name, None)
560
if (prop is None
561
or not self._is_dbus_property(prop)
562
or prop._dbus_name != property_name
563
or (interface_name and prop._dbus_interface
564
and interface_name != prop._dbus_interface)):
565
continue
566
return prop
911
567
# No such property
912
raise DBusPropertyNotFound("{}:{}.{}".format(
913
self.dbus_object_path, interface_name, property_name))
568
raise DBusPropertyNotFound(self.dbus_object_path + u":"
569
+ interface_name + u"."
570
+ property_name)
914
571
915
@dbus.service.method(dbus.PROPERTIES_IFACE,
916
in_signature="ss",
917
out_signature="v")
572
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
573
out_signature=u"v")
918
574
def Get(self, interface_name, property_name):
919
575
"""Standard D-Bus property Get() method, see D-Bus standard.
920
576
"""
921
577
prop = self._get_dbus_property(interface_name, property_name)
922
if prop._dbus_access == "write":
578
if prop._dbus_access == u"write":
923
579
raise DBusPropertyAccessException(property_name)
924
580
value = prop()
925
if not hasattr(value, "variant_level"):
581
if not hasattr(value, u"variant_level"):
926
582
return value
927
583
return type(value)(value, variant_level=value.variant_level+1)
928
584
929
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
585
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
930
586
def Set(self, interface_name, property_name, value):
931
587
"""Standard D-Bus property Set() method, see D-Bus standard.
932
588
"""
933
589
prop = self._get_dbus_property(interface_name, property_name)
934
if prop._dbus_access == "read":
590
if prop._dbus_access == u"read":
935
591
raise DBusPropertyAccessException(property_name)
936
if prop._dbus_get_args_options["byte_arrays"]:
937
# The byte_arrays option is not supported yet on
938
# signatures other than "ay".
939
if prop._dbus_signature != "ay":
940
raise ValueError("Byte arrays not supported for non-"
941
"'ay' signature {!r}"
942
.format(prop._dbus_signature))
943
value = dbus.ByteArray(b''.join(chr(byte)
944
for byte in value))
592
if prop._dbus_get_args_options[u"byte_arrays"]:
593
value = dbus.ByteArray(''.join(unichr(byte)
594
for byte in value))
945
595
prop(value)
946
596
947
@dbus.service.method(dbus.PROPERTIES_IFACE,
948
in_signature="s",
949
out_signature="a{sv}")
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
598
out_signature=u"a{sv}")
950
599
def GetAll(self, interface_name):
951
600
"""Standard D-Bus property GetAll() method, see D-Bus
952
601
standard.
953
602
954
603
Note: Will not include properties with access="write".
955
604
"""
956
properties = {}
957
for name, prop in self._get_all_dbus_things("property"):
605
all = {}
606
for name, prop in self._get_all_dbus_properties():
958
607
if (interface_name
959
608
and interface_name != prop._dbus_interface):
960
609
# Interface non-empty but did not match
961
610
continue
962
611
# Ignore write-only properties
963
if prop._dbus_access == "write":
612
if prop._dbus_access == u"write":
964
613
continue
965
614
value = prop()
966
if not hasattr(value, "variant_level"):
967
properties[name] = value
615
if not hasattr(value, u"variant_level"):
616
all[name] = value
968
617
continue
969
properties[name] = type(value)(
970
value, variant_level = value.variant_level + 1)
971
return dbus.Dictionary(properties, signature="sv")
972
973
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
974
def PropertiesChanged(self, interface_name, changed_properties,
975
invalidated_properties):
976
"""Standard D-Bus PropertiesChanged() signal, see D-Bus
977
standard.
978
"""
979
pass
618
all[name] = type(value)(value, variant_level=
619
value.variant_level+1)
620
return dbus.Dictionary(all, signature=u"sv")
980
621
981
622
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
982
out_signature="s",
623
out_signature=u"s",
983
624
path_keyword='object_path',
984
625
connection_keyword='connection')
985
626
def Introspect(self, object_path, connection):
986
"""Overloading of standard D-Bus method.
987
988
Inserts property tags and interface annotation tags.
627
"""Standard D-Bus method, overloaded to insert property tags.
989
628
"""
990
629
xmlstring = dbus.service.Object.Introspect(self, object_path,
991
630
connection)
992
631
try:
993
632
document = xml.dom.minidom.parseString(xmlstring)
994
995
633
def make_tag(document, name, prop):
996
e = document.createElement("property")
997
e.setAttribute("name", name)
998
e.setAttribute("type", prop._dbus_signature)
999
e.setAttribute("access", prop._dbus_access)
634
e = document.createElement(u"property")
635
e.setAttribute(u"name", name)
636
e.setAttribute(u"type", prop._dbus_signature)
637
e.setAttribute(u"access", prop._dbus_access)
1000
638
return e
1001
1002
for if_tag in document.getElementsByTagName("interface"):
1003
# Add property tags
639
for if_tag in document.getElementsByTagName(u"interface"):
1004
640
for tag in (make_tag(document, name, prop)
1005
641
for name, prop
1006
in self._get_all_dbus_things("property")
642
in self._get_all_dbus_properties()
1007
643
if prop._dbus_interface
1008
== if_tag.getAttribute("name")):
644
== if_tag.getAttribute(u"name")):
1009
645
if_tag.appendChild(tag)
1010
# Add annotation tags
1011
for typ in ("method", "signal", "property"):
1012
for tag in if_tag.getElementsByTagName(typ):
1013
annots = dict()
1014
for name, prop in (self.
1015
_get_all_dbus_things(typ)):
1016
if (name == tag.getAttribute("name")
1017
and prop._dbus_interface
1018
== if_tag.getAttribute("name")):
1019
annots.update(getattr(
1020
prop, "_dbus_annotations", {}))
1021
for name, value in annots.items():
1022
ann_tag = document.createElement(
1023
"annotation")
1024
ann_tag.setAttribute("name", name)
1025
ann_tag.setAttribute("value", value)
1026
tag.appendChild(ann_tag)
1027
# Add interface annotation tags
1028
for annotation, value in dict(
1029
itertools.chain.from_iterable(
1030
annotations().items()
1031
for name, annotations
1032
in self._get_all_dbus_things("interface")
1033
if name == if_tag.getAttribute("name")
1034
)).items():
1035
ann_tag = document.createElement("annotation")
1036
ann_tag.setAttribute("name", annotation)
1037
ann_tag.setAttribute("value", value)
1038
if_tag.appendChild(ann_tag)
1039
646
# Add the names to the return values for the
1040
647
# "org.freedesktop.DBus.Properties" methods
1041
if (if_tag.getAttribute("name")
1042
== "org.freedesktop.DBus.Properties"):
1043
for cn in if_tag.getElementsByTagName("method"):
1044
if cn.getAttribute("name") == "Get":
1045
for arg in cn.getElementsByTagName("arg"):
1046
if (arg.getAttribute("direction")
1047
== "out"):
1048
arg.setAttribute("name", "value")
1049
elif cn.getAttribute("name") == "GetAll":
1050
for arg in cn.getElementsByTagName("arg"):
1051
if (arg.getAttribute("direction")
1052
== "out"):
1053
arg.setAttribute("name", "props")
1054
xmlstring = document.toxml("utf-8")
648
if (if_tag.getAttribute(u"name")
649
== u"org.freedesktop.DBus.Properties"):
650
for cn in if_tag.getElementsByTagName(u"method"):
651
if cn.getAttribute(u"name") == u"Get":
652
for arg in cn.getElementsByTagName(u"arg"):
653
if (arg.getAttribute(u"direction")
654
== u"out"):
655
arg.setAttribute(u"name", u"value")
656
elif cn.getAttribute(u"name") == u"GetAll":
657
for arg in cn.getElementsByTagName(u"arg"):
658
if (arg.getAttribute(u"direction")
659
== u"out"):
660
arg.setAttribute(u"name", u"props")
661
xmlstring = document.toxml(u"utf-8")
1055
662
document.unlink()
1056
663
except (AttributeError, xml.dom.DOMException,
1057
xml.parsers.expat.ExpatError) as error:
1058
logger.error("Failed to override Introspection method",
1059
exc_info=error)
664
xml.parsers.expat.ExpatError), error:
665
logger.error(u"Failed to override Introspection method",
666
error)
1060
667
return xmlstring
1061
668
1062
669
1063
def datetime_to_dbus(dt, variant_level=0):
1064
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1065
if dt is None:
1066
return dbus.String("", variant_level = variant_level)
1067
return dbus.String(dt.isoformat(), variant_level=variant_level)
1068
1069
1070
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1071
"""A class decorator; applied to a subclass of
1072
dbus.service.Object, it will add alternate D-Bus attributes with
1073
interface names according to the "alt_interface_names" mapping.
1074
Usage:
1075
1076
@alternate_dbus_interfaces({"org.example.Interface":
1077
"net.example.AlternateInterface"})
1078
class SampleDBusObject(dbus.service.Object):
1079
@dbus.service.method("org.example.Interface")
1080
def SampleDBusMethod():
1081
pass
1082
1083
The above "SampleDBusMethod" on "SampleDBusObject" will be
1084
reachable via two interfaces: "org.example.Interface" and
1085
"net.example.AlternateInterface", the latter of which will have
1086
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1087
"true", unless "deprecate" is passed with a False value.
1088
1089
This works for methods and signals, and also for D-Bus properties
1090
(from DBusObjectWithProperties) and interfaces (from the
1091
dbus_interface_annotations decorator).
1092
"""
1093
1094
def wrapper(cls):
1095
for orig_interface_name, alt_interface_name in (
1096
alt_interface_names.items()):
1097
attr = {}
1098
interface_names = set()
1099
# Go though all attributes of the class
1100
for attrname, attribute in inspect.getmembers(cls):
1101
# Ignore non-D-Bus attributes, and D-Bus attributes
1102
# with the wrong interface name
1103
if (not hasattr(attribute, "_dbus_interface")
1104
or not attribute._dbus_interface.startswith(
1105
orig_interface_name)):
1106
continue
1107
# Create an alternate D-Bus interface name based on
1108
# the current name
1109
alt_interface = attribute._dbus_interface.replace(
1110
orig_interface_name, alt_interface_name)
1111
interface_names.add(alt_interface)
1112
# Is this a D-Bus signal?
1113
if getattr(attribute, "_dbus_is_signal", False):
1114
# Extract the original non-method undecorated
1115
# function by black magic
1116
nonmethod_func = (dict(
1117
zip(attribute.func_code.co_freevars,
1118
attribute.__closure__))
1119
["func"].cell_contents)
1120
# Create a new, but exactly alike, function
1121
# object, and decorate it to be a new D-Bus signal
1122
# with the alternate D-Bus interface name
1123
new_function = (dbus.service.signal(
1124
alt_interface, attribute._dbus_signature)
1125
(types.FunctionType(
1126
nonmethod_func.func_code,
1127
nonmethod_func.func_globals,
1128
nonmethod_func.func_name,
1129
nonmethod_func.func_defaults,
1130
nonmethod_func.func_closure)))
1131
# Copy annotations, if any
1132
try:
1133
new_function._dbus_annotations = dict(
1134
attribute._dbus_annotations)
1135
except AttributeError:
1136
pass
1137
# Define a creator of a function to call both the
1138
# original and alternate functions, so both the
1139
# original and alternate signals gets sent when
1140
# the function is called
1141
def fixscope(func1, func2):
1142
"""This function is a scope container to pass
1143
func1 and func2 to the "call_both" function
1144
outside of its arguments"""
1145
1146
def call_both(*args, **kwargs):
1147
"""This function will emit two D-Bus
1148
signals by calling func1 and func2"""
1149
func1(*args, **kwargs)
1150
func2(*args, **kwargs)
1151
1152
return call_both
1153
# Create the "call_both" function and add it to
1154
# the class
1155
attr[attrname] = fixscope(attribute, new_function)
1156
# Is this a D-Bus method?
1157
elif getattr(attribute, "_dbus_is_method", False):
1158
# Create a new, but exactly alike, function
1159
# object. Decorate it to be a new D-Bus method
1160
# with the alternate D-Bus interface name. Add it
1161
# to the class.
1162
attr[attrname] = (
1163
dbus.service.method(
1164
alt_interface,
1165
attribute._dbus_in_signature,
1166
attribute._dbus_out_signature)
1167
(types.FunctionType(attribute.func_code,
1168
attribute.func_globals,
1169
attribute.func_name,
1170
attribute.func_defaults,
1171
attribute.func_closure)))
1172
# Copy annotations, if any
1173
try:
1174
attr[attrname]._dbus_annotations = dict(
1175
attribute._dbus_annotations)
1176
except AttributeError:
1177
pass
1178
# Is this a D-Bus property?
1179
elif getattr(attribute, "_dbus_is_property", False):
1180
# Create a new, but exactly alike, function
1181
# object, and decorate it to be a new D-Bus
1182
# property with the alternate D-Bus interface
1183
# name. Add it to the class.
1184
attr[attrname] = (dbus_service_property(
1185
alt_interface, attribute._dbus_signature,
1186
attribute._dbus_access,
1187
attribute._dbus_get_args_options
1188
["byte_arrays"])
1189
(types.FunctionType(
1190
attribute.func_code,
1191
attribute.func_globals,
1192
attribute.func_name,
1193
attribute.func_defaults,
1194
attribute.func_closure)))
1195
# Copy annotations, if any
1196
try:
1197
attr[attrname]._dbus_annotations = dict(
1198
attribute._dbus_annotations)
1199
except AttributeError:
1200
pass
1201
# Is this a D-Bus interface?
1202
elif getattr(attribute, "_dbus_is_interface", False):
1203
# Create a new, but exactly alike, function
1204
# object. Decorate it to be a new D-Bus interface
1205
# with the alternate D-Bus interface name. Add it
1206
# to the class.
1207
attr[attrname] = (
1208
dbus_interface_annotations(alt_interface)
1209
(types.FunctionType(attribute.func_code,
1210
attribute.func_globals,
1211
attribute.func_name,
1212
attribute.func_defaults,
1213
attribute.func_closure)))
1214
if deprecate:
1215
# Deprecate all alternate interfaces
1216
iname="_AlternateDBusNames_interface_annotation{}"
1217
for interface_name in interface_names:
1218
1219
@dbus_interface_annotations(interface_name)
1220
def func(self):
1221
return { "org.freedesktop.DBus.Deprecated":
1222
"true" }
1223
# Find an unused name
1224
for aname in (iname.format(i)
1225
for i in itertools.count()):
1226
if aname not in attr:
1227
attr[aname] = func
1228
break
1229
if interface_names:
1230
# Replace the class with a new subclass of it with
1231
# methods, signals, etc. as created above.
1232
cls = type(b"{}Alternate".format(cls.__name__),
1233
(cls, ), attr)
1234
return cls
1235
1236
return wrapper
1237
1238
1239
@alternate_dbus_interfaces({"se.recompile.Mandos":
1240
"se.bsnet.fukt.Mandos"})
1241
670
class ClientDBus(Client, DBusObjectWithProperties):
1242
671
"""A Client class using D-Bus
1243
672
1245
674
dbus_object_path: dbus.ObjectPath
1246
675
bus: dbus.SystemBus()
1247
676
"""
1248
1249
runtime_expansions = (Client.runtime_expansions
1250
+ ("dbus_object_path", ))
1251
1252
_interface = "se.recompile.Mandos.Client"
1253
1254
677
# dbus.service.Object doesn't use super(), so we can't either.
1255
678
1256
679
def __init__(self, bus = None, *args, **kwargs):
1258
681
Client.__init__(self, *args, **kwargs)
1259
682
# Only now, when this client is initialized, can it show up on
1260
683
# the D-Bus
1261
client_object_name = str(self.name).translate(
1262
{ord("."): ord("_"),
1263
ord("-"): ord("_")})
1264
self.dbus_object_path = dbus.ObjectPath(
1265
"/clients/" + client_object_name)
684
self.dbus_object_path = (dbus.ObjectPath
685
(u"/clients/"
686
+ self.name.replace(u".", u"_")))
1266
687
DBusObjectWithProperties.__init__(self, self.bus,
1267
688
self.dbus_object_path)
1268
689
1269
def notifychangeproperty(transform_func, dbus_name,
1270
type_func=lambda x: x,
1271
variant_level=1,
1272
invalidate_only=False,
1273
_interface=_interface):
1274
""" Modify a variable so that it's a property which announces
1275
its changes to DBus.
1276
1277
transform_fun: Function that takes a value and a variant_level
1278
and transforms it to a D-Bus type.
1279
dbus_name: D-Bus name of the variable
1280
type_func: Function that transform the value before sending it
1281
to the D-Bus. Default: no transform
1282
variant_level: D-Bus variant level. Default: 1
1283
"""
1284
attrname = "_{}".format(dbus_name)
1285
1286
def setter(self, value):
1287
if hasattr(self, "dbus_object_path"):
1288
if (not hasattr(self, attrname) or
1289
type_func(getattr(self, attrname, None))
1290
!= type_func(value)):
1291
if invalidate_only:
1292
self.PropertiesChanged(
1293
_interface, dbus.Dictionary(),
1294
dbus.Array((dbus_name, )))
1295
else:
1296
dbus_value = transform_func(
1297
type_func(value),
1298
variant_level = variant_level)
1299
self.PropertyChanged(dbus.String(dbus_name),
1300
dbus_value)
1301
self.PropertiesChanged(
1302
_interface,
1303
dbus.Dictionary({ dbus.String(dbus_name):
1304
dbus_value }),
1305
dbus.Array())
1306
setattr(self, attrname, value)
1307
1308
return property(lambda self: getattr(self, attrname), setter)
1309
1310
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1311
approvals_pending = notifychangeproperty(dbus.Boolean,
1312
"ApprovalPending",
1313
type_func = bool)
1314
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1315
last_enabled = notifychangeproperty(datetime_to_dbus,
1316
"LastEnabled")
1317
checker = notifychangeproperty(
1318
dbus.Boolean, "CheckerRunning",
1319
type_func = lambda checker: checker is not None)
1320
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1321
"LastCheckedOK")
1322
last_checker_status = notifychangeproperty(dbus.Int16,
1323
"LastCheckerStatus")
1324
last_approval_request = notifychangeproperty(
1325
datetime_to_dbus, "LastApprovalRequest")
1326
approved_by_default = notifychangeproperty(dbus.Boolean,
1327
"ApprovedByDefault")
1328
approval_delay = notifychangeproperty(
1329
dbus.UInt64, "ApprovalDelay",
1330
type_func = lambda td: td.total_seconds() * 1000)
1331
approval_duration = notifychangeproperty(
1332
dbus.UInt64, "ApprovalDuration",
1333
type_func = lambda td: td.total_seconds() * 1000)
1334
host = notifychangeproperty(dbus.String, "Host")
1335
timeout = notifychangeproperty(
1336
dbus.UInt64, "Timeout",
1337
type_func = lambda td: td.total_seconds() * 1000)
1338
extended_timeout = notifychangeproperty(
1339
dbus.UInt64, "ExtendedTimeout",
1340
type_func = lambda td: td.total_seconds() * 1000)
1341
interval = notifychangeproperty(
1342
dbus.UInt64, "Interval",
1343
type_func = lambda td: td.total_seconds() * 1000)
1344
checker_command = notifychangeproperty(dbus.String, "Checker")
1345
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1346
invalidate_only=True)
1347
1348
del notifychangeproperty
690
@staticmethod
691
def _datetime_to_dbus(dt, variant_level=0):
692
"""Convert a UTC datetime.datetime() to a D-Bus type."""
693
return dbus.String(dt.isoformat(),
694
variant_level=variant_level)
695
696
def enable(self):
697
oldstate = getattr(self, u"enabled", False)
698
r = Client.enable(self)
699
if oldstate != self.enabled:
700
# Emit D-Bus signals
701
self.PropertyChanged(dbus.String(u"enabled"),
702
dbus.Boolean(True, variant_level=1))
703
self.PropertyChanged(
704
dbus.String(u"last_enabled"),
705
self._datetime_to_dbus(self.last_enabled,
706
variant_level=1))
707
return r
708
709
def disable(self, quiet = False):
710
oldstate = getattr(self, u"enabled", False)
711
r = Client.disable(self, quiet=quiet)
712
if not quiet and oldstate != self.enabled:
713
# Emit D-Bus signal
714
self.PropertyChanged(dbus.String(u"enabled"),
715
dbus.Boolean(False, variant_level=1))
716
return r
1349
717
1350
718
def __del__(self, *args, **kwargs):
1351
719
try:
1352
720
self.remove_from_connection()
1353
721
except LookupError:
1354
722
pass
1355
if hasattr(DBusObjectWithProperties, "__del__"):
723
if hasattr(DBusObjectWithProperties, u"__del__"):
1356
724
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1357
725
Client.__del__(self, *args, **kwargs)
1358
726
1360
728
*args, **kwargs):
1361
729
self.checker_callback_tag = None
1362
730
self.checker = None
731
# Emit D-Bus signal
732
self.PropertyChanged(dbus.String(u"checker_running"),
733
dbus.Boolean(False, variant_level=1))
1363
734
if os.WIFEXITED(condition):
1364
735
exitstatus = os.WEXITSTATUS(condition)
1365
736
# Emit D-Bus signal
1375
746
return Client.checker_callback(self, pid, condition, command,
1376
747
*args, **kwargs)
1377
748
749
def checked_ok(self, *args, **kwargs):
750
r = Client.checked_ok(self, *args, **kwargs)
751
# Emit D-Bus signal
752
self.PropertyChanged(
753
dbus.String(u"last_checked_ok"),
754
(self._datetime_to_dbus(self.last_checked_ok,
755
variant_level=1)))
756
return r
757
1378
758
def start_checker(self, *args, **kwargs):
1379
old_checker_pid = getattr(self.checker, "pid", None)
759
old_checker = self.checker
760
if self.checker is not None:
761
old_checker_pid = self.checker.pid
762
else:
763
old_checker_pid = None
1380
764
r = Client.start_checker(self, *args, **kwargs)
1381
765
# Only if new checker process was started
1382
766
if (self.checker is not None
1383
767
and old_checker_pid != self.checker.pid):
1384
768
# Emit D-Bus signal
1385
769
self.CheckerStarted(self.current_checker_command)
1386
return r
1387
1388
def _reset_approved(self):
1389
self.approved = None
1390
return False
1391
1392
def approve(self, value=True):
1393
self.approved = value
1394
gobject.timeout_add(int(self.approval_duration.total_seconds()
1395
* 1000), self._reset_approved)
1396
self.send_changedstate()
1397
1398
## D-Bus methods, signals & properties
1399
1400
## Interfaces
1401
1402
## Signals
770
self.PropertyChanged(
771
dbus.String(u"checker_running"),
772
dbus.Boolean(True, variant_level=1))
773
return r
774
775
def stop_checker(self, *args, **kwargs):
776
old_checker = getattr(self, u"checker", None)
777
r = Client.stop_checker(self, *args, **kwargs)
778
if (old_checker is not None
779
and getattr(self, u"checker", None) is None):
780
self.PropertyChanged(dbus.String(u"checker_running"),
781
dbus.Boolean(False, variant_level=1))
782
return r
783
784
## D-Bus methods & signals
785
_interface = u"se.bsnet.fukt.Mandos.Client"
786
787
# CheckedOK - method
788
@dbus.service.method(_interface)
789
def CheckedOK(self):
790
return self.checked_ok()
1403
791
1404
792
# CheckerCompleted - signal
1405
@dbus.service.signal(_interface, signature="nxs")
793
@dbus.service.signal(_interface, signature=u"nxs")
1406
794
def CheckerCompleted(self, exitcode, waitstatus, command):
1407
795
"D-Bus signal"
1408
796
pass
1409
797
1410
798
# CheckerStarted - signal
1411
@dbus.service.signal(_interface, signature="s")
799
@dbus.service.signal(_interface, signature=u"s")
1412
800
def CheckerStarted(self, command):
1413
801
"D-Bus signal"
1414
802
pass
1415
803
1416
804
# PropertyChanged - signal
1417
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1418
@dbus.service.signal(_interface, signature="sv")
805
@dbus.service.signal(_interface, signature=u"sv")
1419
806
def PropertyChanged(self, property, value):
1420
807
"D-Bus signal"
1421
808
pass
1423
810
# GotSecret - signal
1424
811
@dbus.service.signal(_interface)
1425
812
def GotSecret(self):
1426
"""D-Bus signal
1427
Is sent after a successful transfer of secret from the Mandos
1428
server to mandos-client
1429
"""
813
"D-Bus signal"
1430
814
pass
1431
815
1432
816
# Rejected - signal
1433
@dbus.service.signal(_interface, signature="s")
1434
def Rejected(self, reason):
817
@dbus.service.signal(_interface)
818
def Rejected(self):
1435
819
"D-Bus signal"
1436
820
pass
1437
821
1438
# NeedApproval - signal
1439
@dbus.service.signal(_interface, signature="tb")
1440
def NeedApproval(self, timeout, default):
1441
"D-Bus signal"
1442
return self.need_approval()
1443
1444
## Methods
1445
1446
# Approve - method
1447
@dbus.service.method(_interface, in_signature="b")
1448
def Approve(self, value):
1449
self.approve(value)
1450
1451
# CheckedOK - method
1452
@dbus.service.method(_interface)
1453
def CheckedOK(self):
1454
self.checked_ok()
1455
1456
822
# Enable - method
1457
823
@dbus.service.method(_interface)
1458
824
def Enable(self):
1476
842
def StopChecker(self):
1477
843
self.stop_checker()
1478
844
1479
## Properties
1480
1481
# ApprovalPending - property
1482
@dbus_service_property(_interface, signature="b", access="read")
1483
def ApprovalPending_dbus_property(self):
1484
return dbus.Boolean(bool(self.approvals_pending))
1485
1486
# ApprovedByDefault - property
1487
@dbus_service_property(_interface,
1488
signature="b",
1489
access="readwrite")
1490
def ApprovedByDefault_dbus_property(self, value=None):
1491
if value is None: # get
1492
return dbus.Boolean(self.approved_by_default)
1493
self.approved_by_default = bool(value)
1494
1495
# ApprovalDelay - property
1496
@dbus_service_property(_interface,
1497
signature="t",
1498
access="readwrite")
1499
def ApprovalDelay_dbus_property(self, value=None):
1500
if value is None: # get
1501
return dbus.UInt64(self.approval_delay.total_seconds()
1502
* 1000)
1503
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1504
1505
# ApprovalDuration - property
1506
@dbus_service_property(_interface,
1507
signature="t",
1508
access="readwrite")
1509
def ApprovalDuration_dbus_property(self, value=None):
1510
if value is None: # get
1511
return dbus.UInt64(self.approval_duration.total_seconds()
1512
* 1000)
1513
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1514
1515
# Name - property
1516
@dbus_service_property(_interface, signature="s", access="read")
1517
def Name_dbus_property(self):
845
# name - property
846
@dbus_service_property(_interface, signature=u"s", access=u"read")
847
def name_dbus_property(self):
1518
848
return dbus.String(self.name)
1519
849
1520
# Fingerprint - property
1521
@dbus_service_property(_interface, signature="s", access="read")
1522
def Fingerprint_dbus_property(self):
850
# fingerprint - property
851
@dbus_service_property(_interface, signature=u"s", access=u"read")
852
def fingerprint_dbus_property(self):
1523
853
return dbus.String(self.fingerprint)
1524
854
1525
# Host - property
1526
@dbus_service_property(_interface,
1527
signature="s",
1528
access="readwrite")
1529
def Host_dbus_property(self, value=None):
855
# host - property
856
@dbus_service_property(_interface, signature=u"s",
857
access=u"readwrite")
858
def host_dbus_property(self, value=None):
1530
859
if value is None: # get
1531
860
return dbus.String(self.host)
1532
self.host = str(value)
1533
1534
# Created - property
1535
@dbus_service_property(_interface, signature="s", access="read")
1536
def Created_dbus_property(self):
1537
return datetime_to_dbus(self.created)
1538
1539
# LastEnabled - property
1540
@dbus_service_property(_interface, signature="s", access="read")
1541
def LastEnabled_dbus_property(self):
1542
return datetime_to_dbus(self.last_enabled)
1543
1544
# Enabled - property
1545
@dbus_service_property(_interface,
1546
signature="b",
1547
access="readwrite")
1548
def Enabled_dbus_property(self, value=None):
861
self.host = value
862
# Emit D-Bus signal
863
self.PropertyChanged(dbus.String(u"host"),
864
dbus.String(value, variant_level=1))
865
866
# created - property
867
@dbus_service_property(_interface, signature=u"s", access=u"read")
868
def created_dbus_property(self):
869
return dbus.String(self._datetime_to_dbus(self.created))
870
871
# last_enabled - property
872
@dbus_service_property(_interface, signature=u"s", access=u"read")
873
def last_enabled_dbus_property(self):
874
if self.last_enabled is None:
875
return dbus.String(u"")
876
return dbus.String(self._datetime_to_dbus(self.last_enabled))
877
878
# enabled - property
879
@dbus_service_property(_interface, signature=u"b",
880
access=u"readwrite")
881
def enabled_dbus_property(self, value=None):
1549
882
if value is None: # get
1550
883
return dbus.Boolean(self.enabled)
1551
884
if value:
1553
886
else:
1554
887
self.disable()
1555
888
1556
# LastCheckedOK - property
1557
@dbus_service_property(_interface,
1558
signature="s",
1559
access="readwrite")
1560
def LastCheckedOK_dbus_property(self, value=None):
889
# last_checked_ok - property
890
@dbus_service_property(_interface, signature=u"s",
891
access=u"readwrite")
892
def last_checked_ok_dbus_property(self, value=None):
1561
893
if value is not None:
1562
894
self.checked_ok()
1563
895
return
1564
return datetime_to_dbus(self.last_checked_ok)
1565
1566
# LastCheckerStatus - property
1567
@dbus_service_property(_interface, signature="n", access="read")
1568
def LastCheckerStatus_dbus_property(self):
1569
return dbus.Int16(self.last_checker_status)
1570
1571
# Expires - property
1572
@dbus_service_property(_interface, signature="s", access="read")
1573
def Expires_dbus_property(self):
1574
return datetime_to_dbus(self.expires)
1575
1576
# LastApprovalRequest - property
1577
@dbus_service_property(_interface, signature="s", access="read")
1578
def LastApprovalRequest_dbus_property(self):
1579
return datetime_to_dbus(self.last_approval_request)
1580
1581
# Timeout - property
1582
@dbus_service_property(_interface,
1583
signature="t",
1584
access="readwrite")
1585
def Timeout_dbus_property(self, value=None):
896
if self.last_checked_ok is None:
897
return dbus.String(u"")
898
return dbus.String(self._datetime_to_dbus(self
899
.last_checked_ok))
900
901
# timeout - property
902
@dbus_service_property(_interface, signature=u"t",
903
access=u"readwrite")
904
def timeout_dbus_property(self, value=None):
1586
905
if value is None: # get
1587
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1588
old_timeout = self.timeout
906
return dbus.UInt64(self.timeout_milliseconds())
1589
907
self.timeout = datetime.timedelta(0, 0, 0, value)
1590
# Reschedule disabling
1591
if self.enabled:
1592
now = datetime.datetime.utcnow()
1593
self.expires += self.timeout - old_timeout
1594
if self.expires <= now:
1595
# The timeout has passed
1596
self.disable()
1597
else:
1598
if (getattr(self, "disable_initiator_tag", None)
1599
is None):
1600
return
1601
gobject.source_remove(self.disable_initiator_tag)
1602
self.disable_initiator_tag = gobject.timeout_add(
1603
int((self.expires - now).total_seconds() * 1000),
1604
self.disable)
1605
1606
# ExtendedTimeout - property
1607
@dbus_service_property(_interface,
1608
signature="t",
1609
access="readwrite")
1610
def ExtendedTimeout_dbus_property(self, value=None):
1611
if value is None: # get
1612
return dbus.UInt64(self.extended_timeout.total_seconds()
1613
* 1000)
1614
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1615
1616
# Interval - property
1617
@dbus_service_property(_interface,
1618
signature="t",
1619
access="readwrite")
1620
def Interval_dbus_property(self, value=None):
1621
if value is None: # get
1622
return dbus.UInt64(self.interval.total_seconds() * 1000)
908
# Emit D-Bus signal
909
self.PropertyChanged(dbus.String(u"timeout"),
910
dbus.UInt64(value, variant_level=1))
911
if getattr(self, u"disable_initiator_tag", None) is None:
912
return
913
# Reschedule timeout
914
gobject.source_remove(self.disable_initiator_tag)
915
self.disable_initiator_tag = None
916
time_to_die = (self.
917
_timedelta_to_milliseconds((self
918
.last_checked_ok
919
+ self.timeout)
920
- datetime.datetime
921
.utcnow()))
922
if time_to_die <= 0:
923
# The timeout has passed
924
self.disable()
925
else:
926
self.disable_initiator_tag = (gobject.timeout_add
927
(time_to_die, self.disable))
928
929
# interval - property
930
@dbus_service_property(_interface, signature=u"t",
931
access=u"readwrite")
932
def interval_dbus_property(self, value=None):
933
if value is None: # get
934
return dbus.UInt64(self.interval_milliseconds())
1623
935
self.interval = datetime.timedelta(0, 0, 0, value)
1624
if getattr(self, "checker_initiator_tag", None) is None:
936
# Emit D-Bus signal
937
self.PropertyChanged(dbus.String(u"interval"),
938
dbus.UInt64(value, variant_level=1))
939
if getattr(self, u"checker_initiator_tag", None) is None:
1625
940
return
1626
if self.enabled:
1627
# Reschedule checker run
1628
gobject.source_remove(self.checker_initiator_tag)
1629
self.checker_initiator_tag = gobject.timeout_add(
1630
value, self.start_checker)
1631
self.start_checker() # Start one now, too
1632
1633
# Checker - property
1634
@dbus_service_property(_interface,
1635
signature="s",
1636
access="readwrite")
1637
def Checker_dbus_property(self, value=None):
941
# Reschedule checker run
942
gobject.source_remove(self.checker_initiator_tag)
943
self.checker_initiator_tag = (gobject.timeout_add
944
(value, self.start_checker))
945
self.start_checker() # Start one now, too
946
947
# checker - property
948
@dbus_service_property(_interface, signature=u"s",
949
access=u"readwrite")
950
def checker_dbus_property(self, value=None):
1638
951
if value is None: # get
1639
952
return dbus.String(self.checker_command)
1640
self.checker_command = str(value)
953
self.checker_command = value
954
# Emit D-Bus signal
955
self.PropertyChanged(dbus.String(u"checker"),
956
dbus.String(self.checker_command,
957
variant_level=1))
1641
958
1642
# CheckerRunning - property
1643
@dbus_service_property(_interface,
1644
signature="b",
1645
access="readwrite")
1646
def CheckerRunning_dbus_property(self, value=None):
959
# checker_running - property
960
@dbus_service_property(_interface, signature=u"b",
961
access=u"readwrite")
962
def checker_running_dbus_property(self, value=None):
1647
963
if value is None: # get
1648
964
return dbus.Boolean(self.checker is not None)
1649
965
if value:
1651
967
else:
1652
968
self.stop_checker()
1653
969
1654
# ObjectPath - property
1655
@dbus_service_property(_interface, signature="o", access="read")
1656
def ObjectPath_dbus_property(self):
970
# object_path - property
971
@dbus_service_property(_interface, signature=u"o", access=u"read")
972
def object_path_dbus_property(self):
1657
973
return self.dbus_object_path # is already a dbus.ObjectPath
1658
974
1659
# Secret = property
1660
@dbus_service_property(_interface,
1661
signature="ay",
1662
access="write",
1663
byte_arrays=True)
1664
def Secret_dbus_property(self, value):
1665
self.secret = bytes(value)
975
# secret = property
976
@dbus_service_property(_interface, signature=u"ay",
977
access=u"write", byte_arrays=True)
978
def secret_dbus_property(self, value):
979
self.secret = str(value)
1666
980
1667
981
del _interface
1668
982
1669
983
1670
class ProxyClient(object):
1671
def __init__(self, child_pipe, fpr, address):
1672
self._pipe = child_pipe
1673
self._pipe.send(('init', fpr, address))
1674
if not self._pipe.recv():
1675
raise KeyError()
1676
1677
def __getattribute__(self, name):
1678
if name == '_pipe':
1679
return super(ProxyClient, self).__getattribute__(name)
1680
self._pipe.send(('getattr', name))
1681
data = self._pipe.recv()
1682
if data[0] == 'data':
1683
return data[1]
1684
if data[0] == 'function':
1685
1686
def func(*args, **kwargs):
1687
self._pipe.send(('funcall', name, args, kwargs))
1688
return self._pipe.recv()[1]
1689
1690
return func
1691
1692
def __setattr__(self, name, value):
1693
if name == '_pipe':
1694
return super(ProxyClient, self).__setattr__(name, value)
1695
self._pipe.send(('setattr', name, value))
1696
1697
1698
984
class ClientHandler(socketserver.BaseRequestHandler, object):
1699
985
"""A class to handle client connections.
1700
986
1702
988
Note: This will run in its own forked process."""
1703
989
1704
990
def handle(self):
1705
with contextlib.closing(self.server.child_pipe) as child_pipe:
1706
logger.info("TCP connection from: %s",
1707
str(self.client_address))
1708
logger.debug("Pipe FD: %d",
1709
self.server.child_pipe.fileno())
991
logger.info(u"TCP connection from: %s",
992
unicode(self.client_address))
993
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
994
# Open IPC pipe to parent process
995
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
996
session = (gnutls.connection
997
.ClientSession(self.request,
998
gnutls.connection
999
.X509Credentials()))
1710
1000
1711
session = gnutls.connection.ClientSession(
1712
self.request, gnutls.connection .X509Credentials())
1001
line = self.request.makefile().readline()
1002
logger.debug(u"Protocol version: %r", line)
1003
try:
1004
if int(line.strip().split()[0]) > 1:
1005
raise RuntimeError
1006
except (ValueError, IndexError, RuntimeError), error:
1007
logger.error(u"Unknown protocol version: %s", error)
1008
return
1713
1009
1714
1010
# Note: gnutls.connection.X509Credentials is really a
1715
1011
# generic GnuTLS certificate credentials object so long as
1716
1012
# no X.509 keys are added to it. Therefore, we can use it
1717
1013
# here despite using OpenPGP certificates.
1718
1014
1719
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1720
# "+AES-256-CBC", "+SHA1",
1721
# "+COMP-NULL", "+CTYPE-OPENPGP",
1722
# "+DHE-DSS"))
1015
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1016
# u"+AES-256-CBC", u"+SHA1",
1017
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1018
# u"+DHE-DSS"))
1723
1019
# Use a fallback default, since this MUST be set.
1724
1020
priority = self.server.gnutls_priority
1725
1021
if priority is None:
1726
priority = "NORMAL"
1727
gnutls.library.functions.gnutls_priority_set_direct(
1728
session._c_object, priority, None)
1729
1730
# Start communication using the Mandos protocol
1731
# Get protocol number
1732
line = self.request.makefile().readline()
1733
logger.debug("Protocol version: %r", line)
1734
try:
1735
if int(line.strip().split()[0]) > 1:
1736
raise RuntimeError(line)
1737
except (ValueError, IndexError, RuntimeError) as error:
1738
logger.error("Unknown protocol version: %s", error)
1739
return
1740
1741
# Start GnuTLS connection
1022
priority = u"NORMAL"
1023
(gnutls.library.functions
1024
.gnutls_priority_set_direct(session._c_object,
1025
priority, None))
1026
1742
1027
try:
1743
1028
session.handshake()
1744
except gnutls.errors.GNUTLSError as error:
1745
logger.warning("Handshake failed: %s", error)
1029
except gnutls.errors.GNUTLSError, error:
1030
logger.warning(u"Handshake failed: %s", error)
1746
1031
# Do not run session.bye() here: the session is not
1747
1032
# established. Just abandon the request.
1748
1033
return
1749
logger.debug("Handshake succeeded")
1750
1751
approval_required = False
1034
logger.debug(u"Handshake succeeded")
1752
1035
try:
1753
try:
1754
fpr = self.fingerprint(
1755
self.peer_certificate(session))
1756
except (TypeError,
1757
gnutls.errors.GNUTLSError) as error:
1758
logger.warning("Bad certificate: %s", error)
1759
return
1760
logger.debug("Fingerprint: %s", fpr)
1761
1762
try:
1763
client = ProxyClient(child_pipe, fpr,
1764
self.client_address)
1765
except KeyError:
1766
return
1767
1768
if client.approval_delay:
1769
delay = client.approval_delay
1770
client.approvals_pending += 1
1771
approval_required = True
1772
1773
while True:
1774
if not client.enabled:
1775
logger.info("Client %s is disabled",
1776
client.name)
1777
if self.server.use_dbus:
1778
# Emit D-Bus signal
1779
client.Rejected("Disabled")
1780
return
1781
1782
if client.approved or not client.approval_delay:
1783
#We are approved or approval is disabled
1784
break
1785
elif client.approved is None:
1786
logger.info("Client %s needs approval",
1787
client.name)
1788
if self.server.use_dbus:
1789
# Emit D-Bus signal
1790
client.NeedApproval(
1791
client.approval_delay.total_seconds()
1792
* 1000, client.approved_by_default)
1793
else:
1794
logger.warning("Client %s was not approved",
1795
client.name)
1796
if self.server.use_dbus:
1797
# Emit D-Bus signal
1798
client.Rejected("Denied")
1799
return
1800
1801
#wait until timeout or approved
1802
time = datetime.datetime.now()
1803
client.changedstate.acquire()
1804
client.changedstate.wait(delay.total_seconds())
1805
client.changedstate.release()
1806
time2 = datetime.datetime.now()
1807
if (time2 - time) >= delay:
1808
if not client.approved_by_default:
1809
logger.warning("Client %s timed out while"
1810
" waiting for approval",
1811
client.name)
1812
if self.server.use_dbus:
1813
# Emit D-Bus signal
1814
client.Rejected("Approval timed out")
1815
return
1816
else:
1817
break
1818
else:
1819
delay -= time2 - time
1820
1821
sent_size = 0
1822
while sent_size < len(client.secret):
1823
try:
1824
sent = session.send(client.secret[sent_size:])
1825
except gnutls.errors.GNUTLSError as error:
1826
logger.warning("gnutls send failed",
1827
exc_info=error)
1828
return
1829
logger.debug("Sent: %d, remaining: %d", sent,
1830
len(client.secret) - (sent_size
1831
+ sent))
1832
sent_size += sent
1833
1834
logger.info("Sending secret to %s", client.name)
1835
# bump the timeout using extended_timeout
1836
client.bump_timeout(client.extended_timeout)
1837
if self.server.use_dbus:
1838
# Emit D-Bus signal
1839
client.GotSecret()
1036
fpr = self.fingerprint(self.peer_certificate(session))
1037
except (TypeError, gnutls.errors.GNUTLSError), error:
1038
logger.warning(u"Bad certificate: %s", error)
1039
session.bye()
1040
return
1041
logger.debug(u"Fingerprint: %s", fpr)
1840
1042
1841
finally:
1842
if approval_required:
1843
client.approvals_pending -= 1
1844
try:
1845
session.bye()
1846
except gnutls.errors.GNUTLSError as error:
1847
logger.warning("GnuTLS bye failed",
1848
exc_info=error)
1043
for c in self.server.clients:
1044
if c.fingerprint == fpr:
1045
client = c
1046
break
1047
else:
1048
ipc.write(u"NOTFOUND %s %s\n"
1049
% (fpr, unicode(self.client_address)))
1050
session.bye()
1051
return
1052
# Have to check if client.still_valid(), since it is
1053
# possible that the client timed out while establishing
1054
# the GnuTLS session.
1055
if not client.still_valid():
1056
ipc.write(u"INVALID %s\n" % client.name)
1057
session.bye()
1058
return
1059
ipc.write(u"SENDING %s\n" % client.name)
1060
sent_size = 0
1061
while sent_size < len(client.secret):
1062
sent = session.send(client.secret[sent_size:])
1063
logger.debug(u"Sent: %d, remaining: %d",
1064
sent, len(client.secret)
1065
- (sent_size + sent))
1066
sent_size += sent
1067
session.bye()
1849
1068
1850
1069
@staticmethod
1851
1070
def peer_certificate(session):
1852
1071
"Return the peer's OpenPGP certificate as a bytestring"
1853
1072
# If not an OpenPGP certificate...
1854
if (gnutls.library.functions.gnutls_certificate_type_get(
1855
session._c_object)
1073
if (gnutls.library.functions
1074
.gnutls_certificate_type_get(session._c_object)
1856
1075
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1857
1076
# ...do the normal thing
1858
1077
return session.peer_certificate
1861
1080
.gnutls_certificate_get_peers
1862
1081
(session._c_object, ctypes.byref(list_size)))
1863
1082
if not bool(cert_list) and list_size.value != 0:
1864
raise gnutls.errors.GNUTLSError("error getting peer"
1865
" certificate")
1083
raise gnutls.errors.GNUTLSError(u"error getting peer"
1084
u" certificate")
1866
1085
if list_size.value == 0:
1867
1086
return None
1868
1087
cert = cert_list[0]
1872
1091
def fingerprint(openpgp):
1873
1092
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1874
1093
# New GnuTLS "datum" with the OpenPGP public key
1875
datum = gnutls.library.types.gnutls_datum_t(
1876
ctypes.cast(ctypes.c_char_p(openpgp),
1877
ctypes.POINTER(ctypes.c_ubyte)),
1878
ctypes.c_uint(len(openpgp)))
1094
datum = (gnutls.library.types
1095
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1096
ctypes.POINTER
1097
(ctypes.c_ubyte)),
1098
ctypes.c_uint(len(openpgp))))
1879
1099
# New empty GnuTLS certificate
1880
1100
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1881
gnutls.library.functions.gnutls_openpgp_crt_init(
1882
ctypes.byref(crt))
1101
(gnutls.library.functions
1102
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1883
1103
# Import the OpenPGP public key into the certificate
1884
gnutls.library.functions.gnutls_openpgp_crt_import(
1885
crt, ctypes.byref(datum),
1886
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
1104
(gnutls.library.functions
1105
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1106
gnutls.library.constants
1107
.GNUTLS_OPENPGP_FMT_RAW))
1887
1108
# Verify the self signature in the key
1888
1109
crtverify = ctypes.c_uint()
1889
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1890
crt, 0, ctypes.byref(crtverify))
1110
(gnutls.library.functions
1111
.gnutls_openpgp_crt_verify_self(crt, 0,
1112
ctypes.byref(crtverify)))
1891
1113
if crtverify.value != 0:
1892
1114
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1893
raise gnutls.errors.CertificateSecurityError(
1894
"Verify failed")
1115
raise (gnutls.errors.CertificateSecurityError
1116
(u"Verify failed"))
1895
1117
# New buffer for the fingerprint
1896
1118
buf = ctypes.create_string_buffer(20)
1897
1119
buf_len = ctypes.c_size_t()
1898
1120
# Get the fingerprint from the certificate into the buffer
1899
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1900
crt, ctypes.byref(buf), ctypes.byref(buf_len))
1121
(gnutls.library.functions
1122
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1123
ctypes.byref(buf_len)))
1901
1124
# Deinit the certificate
1902
1125
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1903
1126
# Convert the buffer to a Python bytestring
1904
1127
fpr = ctypes.string_at(buf, buf_len.value)
1905
1128
# Convert the bytestring to hexadecimal notation
1906
hex_fpr = binascii.hexlify(fpr).upper()
1129
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1907
1130
return hex_fpr
1908
1131
1909
1132
1910
class MultiprocessingMixIn(object):
1911
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1912
1913
def sub_process_main(self, request, address):
1914
try:
1915
self.finish_request(request, address)
1916
except Exception:
1917
self.handle_error(request, address)
1918
self.close_request(request)
1919
1920
def process_request(self, request, address):
1921
"""Start a new process to process the request."""
1922
proc = multiprocessing.Process(target = self.sub_process_main,
1923
args = (request, address))
1924
proc.start()
1925
return proc
1926
1927
1928
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1929
""" adds a pipe to the MixIn """
1930
1133
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
1134
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1931
1135
def process_request(self, request, client_address):
1932
1136
"""Overrides and wraps the original process_request().
1933
1137
1934
1138
This function creates a new pipe in self.pipe
1935
1139
"""
1936
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1937
1938
proc = MultiprocessingMixIn.process_request(self, request,
1939
client_address)
1940
self.child_pipe.close()
1941
self.add_pipe(parent_pipe, proc)
1942
1943
def add_pipe(self, parent_pipe, proc):
1140
self.pipe = os.pipe()
1141
super(ForkingMixInWithPipe,
1142
self).process_request(request, client_address)
1143
os.close(self.pipe[1]) # close write end
1144
self.add_pipe(self.pipe[0])
1145
def add_pipe(self, pipe):
1944
1146
"""Dummy function; override as necessary"""
1945
raise NotImplementedError()
1946
1947
1948
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1147
os.close(pipe)
1148
1149
1150
class IPv6_TCPServer(ForkingMixInWithPipe,
1949
1151
socketserver.TCPServer, object):
1950
1152
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1951
1153
1954
1156
interface: None or a network interface name (string)
1955
1157
use_ipv6: Boolean; to use IPv6 or not
1956
1158
"""
1957
1958
1159
def __init__(self, server_address, RequestHandlerClass,
1959
interface=None,
1960
use_ipv6=True,
1961
socketfd=None):
1962
"""If socketfd is set, use that file descriptor instead of
1963
creating a new one with socket.socket().
1964
"""
1160
interface=None, use_ipv6=True):
1965
1161
self.interface = interface
1966
1162
if use_ipv6:
1967
1163
self.address_family = socket.AF_INET6
1968
if socketfd is not None:
1969
# Save the file descriptor
1970
self.socketfd = socketfd
1971
# Save the original socket.socket() function
1972
self.socket_socket = socket.socket
1973
# To implement --socket, we monkey patch socket.socket.
1974
#
1975
# (When socketserver.TCPServer is a new-style class, we
1976
# could make self.socket into a property instead of monkey
1977
# patching socket.socket.)
1978
#
1979
# Create a one-time-only replacement for socket.socket()
1980
@functools.wraps(socket.socket)
1981
def socket_wrapper(*args, **kwargs):
1982
# Restore original function so subsequent calls are
1983
# not affected.
1984
socket.socket = self.socket_socket
1985
del self.socket_socket
1986
# This time only, return a new socket object from the
1987
# saved file descriptor.
1988
return socket.fromfd(self.socketfd, *args, **kwargs)
1989
# Replace socket.socket() function with wrapper
1990
socket.socket = socket_wrapper
1991
# The socketserver.TCPServer.__init__ will call
1992
# socket.socket(), which might be our replacement,
1993
# socket_wrapper(), if socketfd was set.
1994
1164
socketserver.TCPServer.__init__(self, server_address,
1995
1165
RequestHandlerClass)
1996
1997
1166
def server_bind(self):
1998
1167
"""This overrides the normal server_bind() function
1999
1168
to bind to an interface if one was specified, and also NOT to
2000
1169
bind to an address or port if they were not specified."""
2001
1170
if self.interface is not None:
2002
1171
if SO_BINDTODEVICE is None:
2003
logger.error("SO_BINDTODEVICE does not exist;"
2004
" cannot bind to interface %s",
1172
logger.error(u"SO_BINDTODEVICE does not exist;"
1173
u" cannot bind to interface %s",
2005
1174
self.interface)
2006
1175
else:
2007
1176
try:
2008
self.socket.setsockopt(
2009
socket.SOL_SOCKET, SO_BINDTODEVICE,
2010
(self.interface + "\0").encode("utf-8"))
2011
except socket.error as error:
2012
if error.errno == errno.EPERM:
2013
logger.error("No permission to bind to"
2014
" interface %s", self.interface)
2015
elif error.errno == errno.ENOPROTOOPT:
2016
logger.error("SO_BINDTODEVICE not available;"
2017
" cannot bind to interface %s",
2018
self.interface)
2019
elif error.errno == errno.ENODEV:
2020
logger.error("Interface %s does not exist,"
2021
" cannot bind", self.interface)
1177
self.socket.setsockopt(socket.SOL_SOCKET,
1178
SO_BINDTODEVICE,
1179
str(self.interface
1180
+ u'\0'))
1181
except socket.error, error:
1182
if error[0] == errno.EPERM:
1183
logger.error(u"No permission to"
1184
u" bind to interface %s",
1185
self.interface)
1186
elif error[0] == errno.ENOPROTOOPT:
1187
logger.error(u"SO_BINDTODEVICE not available;"
1188
u" cannot bind to interface %s",
1189
self.interface)
2022
1190
else:
2023
1191
raise
2024
1192
# Only bind(2) the socket if we really need to.
2025
1193
if self.server_address[0] or self.server_address[1]:
2026
1194
if not self.server_address[0]:
2027
1195
if self.address_family == socket.AF_INET6:
2028
any_address = "::" # in6addr_any
1196
any_address = u"::" # in6addr_any
2029
1197
else:
2030
any_address = "0.0.0.0" # INADDR_ANY
1198
any_address = socket.INADDR_ANY
2031
1199
self.server_address = (any_address,
2032
1200
self.server_address[1])
2033
1201
elif not self.server_address[1]:
2034
self.server_address = (self.server_address[0], 0)
1202
self.server_address = (self.server_address[0],
1203
0)
2035
1204
# if self.interface:
2036
1205
# self.server_address = (self.server_address[0],
2037
1206
# 0, # port
2051
1220
2052
1221
Assumes a gobject.MainLoop event loop.
2053
1222
"""
2054
2055
1223
def __init__(self, server_address, RequestHandlerClass,
2056
interface=None,
2057
use_ipv6=True,
2058
clients=None,
2059
gnutls_priority=None,
2060
use_dbus=True,
2061
socketfd=None):
1224
interface=None, use_ipv6=True, clients=None,
1225
gnutls_priority=None, use_dbus=True):
2062
1226
self.enabled = False
2063
1227
self.clients = clients
2064
1228
if self.clients is None:
2065
self.clients = {}
1229
self.clients = set()
2066
1230
self.use_dbus = use_dbus
2067
1231
self.gnutls_priority = gnutls_priority
2068
1232
IPv6_TCPServer.__init__(self, server_address,
2069
1233
RequestHandlerClass,
2070
1234
interface = interface,
2071
use_ipv6 = use_ipv6,
2072
socketfd = socketfd)
2073
1235
use_ipv6 = use_ipv6)
2074
1236
def server_activate(self):
2075
1237
if self.enabled:
2076
1238
return socketserver.TCPServer.server_activate(self)
2077
2078
1239
def enable(self):
2079
1240
self.enabled = True
2080
2081
def add_pipe(self, parent_pipe, proc):
1241
def add_pipe(self, pipe):
2082
1242
# Call "handle_ipc" for both data and EOF events
2083
gobject.io_add_watch(
2084
parent_pipe.fileno(),
2085
gobject.IO_IN | gobject.IO_HUP,
2086
functools.partial(self.handle_ipc,
2087
parent_pipe = parent_pipe,
2088
proc = proc))
2089
2090
def handle_ipc(self, source, condition,
2091
parent_pipe=None,
2092
proc = None,
2093
client_object=None):
2094
# error, or the other end of multiprocessing.Pipe has closed
2095
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2096
# Wait for other process to exit
2097
proc.join()
2098
return False
2099
2100
# Read a request from the child
2101
request = parent_pipe.recv()
2102
command = request[0]
2103
2104
if command == 'init':
2105
fpr = request[1]
2106
address = request[2]
2107
2108
for c in self.clients.itervalues():
2109
if c.fingerprint == fpr:
2110
client = c
2111
break
2112
else:
2113
logger.info("Client not found for fingerprint: %s, ad"
2114
"dress: %s", fpr, address)
2115
if self.use_dbus:
2116
# Emit D-Bus signal
2117
mandos_dbus_service.ClientNotFound(fpr,
2118
address[0])
2119
parent_pipe.send(False)
2120
return False
2121
2122
gobject.io_add_watch(
2123
parent_pipe.fileno(),
2124
gobject.IO_IN | gobject.IO_HUP,
2125
functools.partial(self.handle_ipc,
2126
parent_pipe = parent_pipe,
2127
proc = proc,
2128
client_object = client))
2129
parent_pipe.send(True)
2130
# remove the old hook in favor of the new above hook on
2131
# same fileno
2132
return False
2133
if command == 'funcall':
2134
funcname = request[1]
2135
args = request[2]
2136
kwargs = request[3]
2137
2138
parent_pipe.send(('data', getattr(client_object,
2139
funcname)(*args,
2140
**kwargs)))
2141
2142
if command == 'getattr':
2143
attrname = request[1]
2144
if callable(client_object.__getattribute__(attrname)):
2145
parent_pipe.send(('function', ))
2146
else:
2147
parent_pipe.send((
2148
'data', client_object.__getattribute__(attrname)))
2149
2150
if command == 'setattr':
2151
attrname = request[1]
2152
value = request[2]
2153
setattr(client_object, attrname, value)
2154
1243
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1244
self.handle_ipc)
1245
def handle_ipc(self, source, condition, file_objects={}):
1246
condition_names = {
1247
gobject.IO_IN: u"IN", # There is data to read.
1248
gobject.IO_OUT: u"OUT", # Data can be written (without
1249
# blocking).
1250
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1251
gobject.IO_ERR: u"ERR", # Error condition.
1252
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1253
# broken, usually for pipes and
1254
# sockets).
1255
}
1256
conditions_string = ' | '.join(name
1257
for cond, name in
1258
condition_names.iteritems()
1259
if cond & condition)
1260
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1261
conditions_string)
1262
1263
# Turn the pipe file descriptor into a Python file object
1264
if source not in file_objects:
1265
file_objects[source] = os.fdopen(source, u"r", 1)
1266
1267
# Read a line from the file object
1268
cmdline = file_objects[source].readline()
1269
if not cmdline: # Empty line means end of file
1270
# close the IPC pipe
1271
file_objects[source].close()
1272
del file_objects[source]
1273
1274
# Stop calling this function
1275
return False
1276
1277
logger.debug(u"IPC command: %r", cmdline)
1278
1279
# Parse and act on command
1280
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1281
1282
if cmd == u"NOTFOUND":
1283
logger.warning(u"Client not found for fingerprint: %s",
1284
args)
1285
if self.use_dbus:
1286
# Emit D-Bus signal
1287
mandos_dbus_service.ClientNotFound(args)
1288
elif cmd == u"INVALID":
1289
for client in self.clients:
1290
if client.name == args:
1291
logger.warning(u"Client %s is invalid", args)
1292
if self.use_dbus:
1293
# Emit D-Bus signal
1294
client.Rejected()
1295
break
1296
else:
1297
logger.error(u"Unknown client %s is invalid", args)
1298
elif cmd == u"SENDING":
1299
for client in self.clients:
1300
if client.name == args:
1301
logger.info(u"Sending secret to %s", client.name)
1302
client.checked_ok()
1303
if self.use_dbus:
1304
# Emit D-Bus signal
1305
client.GotSecret()
1306
break
1307
else:
1308
logger.error(u"Sending secret to unknown client %s",
1309
args)
1310
else:
1311
logger.error(u"Unknown IPC command: %r", cmdline)
1312
1313
# Keep calling this function
2155
1314
return True
2156
1315
2157
1316
2158
def rfc3339_duration_to_delta(duration):
2159
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2160
2161
>>> rfc3339_duration_to_delta("P7D")
2162
datetime.timedelta(7)
2163
>>> rfc3339_duration_to_delta("PT60S")
2164
datetime.timedelta(0, 60)
2165
>>> rfc3339_duration_to_delta("PT60M")
2166
datetime.timedelta(0, 3600)
2167
>>> rfc3339_duration_to_delta("PT24H")
2168
datetime.timedelta(1)
2169
>>> rfc3339_duration_to_delta("P1W")
2170
datetime.timedelta(7)
2171
>>> rfc3339_duration_to_delta("PT5M30S")
2172
datetime.timedelta(0, 330)
2173
>>> rfc3339_duration_to_delta("P1DT3M20S")
2174
datetime.timedelta(1, 200)
2175
"""
2176
2177
# Parsing an RFC 3339 duration with regular expressions is not
2178
# possible - there would have to be multiple places for the same
2179
# values, like seconds. The current code, while more esoteric, is
2180
# cleaner without depending on a parsing library. If Python had a
2181
# built-in library for parsing we would use it, but we'd like to
2182
# avoid excessive use of external libraries.
2183
2184
# New type for defining tokens, syntax, and semantics all-in-one
2185
Token = collections.namedtuple("Token",
2186
("regexp", # To match token; if
2187
# "value" is not None,
2188
# must have a "group"
2189
# containing digits
2190
"value", # datetime.timedelta or
2191
# None
2192
"followers")) # Tokens valid after
2193
# this token
2194
Token = collections.namedtuple("Token", (
2195
"regexp", # To match token; if "value" is not None, must have
2196
# a "group" containing digits
2197
"value", # datetime.timedelta or None
2198
"followers")) # Tokens valid after this token
2199
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2200
# the "duration" ABNF definition in RFC 3339, Appendix A.
2201
token_end = Token(re.compile(r"$"), None, frozenset())
2202
token_second = Token(re.compile(r"(\d+)S"),
2203
datetime.timedelta(seconds=1),
2204
frozenset((token_end, )))
2205
token_minute = Token(re.compile(r"(\d+)M"),
2206
datetime.timedelta(minutes=1),
2207
frozenset((token_second, token_end)))
2208
token_hour = Token(re.compile(r"(\d+)H"),
2209
datetime.timedelta(hours=1),
2210
frozenset((token_minute, token_end)))
2211
token_time = Token(re.compile(r"T"),
2212
None,
2213
frozenset((token_hour, token_minute,
2214
token_second)))
2215
token_day = Token(re.compile(r"(\d+)D"),
2216
datetime.timedelta(days=1),
2217
frozenset((token_time, token_end)))
2218
token_month = Token(re.compile(r"(\d+)M"),
2219
datetime.timedelta(weeks=4),
2220
frozenset((token_day, token_end)))
2221
token_year = Token(re.compile(r"(\d+)Y"),
2222
datetime.timedelta(weeks=52),
2223
frozenset((token_month, token_end)))
2224
token_week = Token(re.compile(r"(\d+)W"),
2225
datetime.timedelta(weeks=1),
2226
frozenset((token_end, )))
2227
token_duration = Token(re.compile(r"P"), None,
2228
frozenset((token_year, token_month,
2229
token_day, token_time,
2230
token_week)))
2231
# Define starting values
2232
value = datetime.timedelta() # Value so far
2233
found_token = None
2234
followers = frozenset((token_duration,)) # Following valid tokens
2235
s = duration # String left to parse
2236
# Loop until end token is found
2237
while found_token is not token_end:
2238
# Search for any currently valid tokens
2239
for token in followers:
2240
match = token.regexp.match(s)
2241
if match is not None:
2242
# Token found
2243
if token.value is not None:
2244
# Value found, parse digits
2245
factor = int(match.group(1), 10)
2246
# Add to value so far
2247
value += factor * token.value
2248
# Strip token from string
2249
s = token.regexp.sub("", s, 1)
2250
# Go to found token
2251
found_token = token
2252
# Set valid next tokens
2253
followers = found_token.followers
2254
break
2255
else:
2256
# No currently valid tokens were found
2257
raise ValueError("Invalid RFC 3339 duration")
2258
# End token found
2259
return value
2260
2261
2262
1317
def string_to_delta(interval):
2263
1318
"""Parse a string and return a datetime.timedelta
2264
1319
2265
>>> string_to_delta('7d')
1320
>>> string_to_delta(u'7d')
2266
1321
datetime.timedelta(7)
2267
>>> string_to_delta('60s')
1322
>>> string_to_delta(u'60s')
2268
1323
datetime.timedelta(0, 60)
2269
>>> string_to_delta('60m')
1324
>>> string_to_delta(u'60m')
2270
1325
datetime.timedelta(0, 3600)
2271
>>> string_to_delta('24h')
1326
>>> string_to_delta(u'24h')
2272
1327
datetime.timedelta(1)
2273
>>> string_to_delta('1w')
1328
>>> string_to_delta(u'1w')
2274
1329
datetime.timedelta(7)
2275
>>> string_to_delta('5m 30s')
1330
>>> string_to_delta(u'5m 30s')
2276
1331
datetime.timedelta(0, 330)
2277
1332
"""
2278
2279
try:
2280
return rfc3339_duration_to_delta(interval)
2281
except ValueError:
2282
pass
2283
2284
1333
timevalue = datetime.timedelta(0)
2285
1334
for s in interval.split():
2286
1335
try:
2287
suffix = s[-1]
1336
suffix = unicode(s[-1])
2288
1337
value = int(s[:-1])
2289
if suffix == "d":
1338
if suffix == u"d":
2290
1339
delta = datetime.timedelta(value)
2291
elif suffix == "s":
1340
elif suffix == u"s":
2292
1341
delta = datetime.timedelta(0, value)
2293
elif suffix == "m":
1342
elif suffix == u"m":
2294
1343
delta = datetime.timedelta(0, 0, 0, 0, value)
2295
elif suffix == "h":
1344
elif suffix == u"h":
2296
1345
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
2297
elif suffix == "w":
1346
elif suffix == u"w":
2298
1347
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2299
1348
else:
2300
raise ValueError("Unknown suffix {!r}".format(suffix))
2301
except IndexError as e:
2302
raise ValueError(*(e.args))
1349
raise ValueError(u"Unknown suffix %r" % suffix)
1350
except (ValueError, IndexError), e:
1351
raise ValueError(e.message)
2303
1352
timevalue += delta
2304
1353
return timevalue
2305
1354
2306
1355
1356
def if_nametoindex(interface):
1357
"""Call the C function if_nametoindex(), or equivalent
1358
1359
Note: This function cannot accept a unicode string."""
1360
global if_nametoindex
1361
try:
1362
if_nametoindex = (ctypes.cdll.LoadLibrary
1363
(ctypes.util.find_library(u"c"))
1364
.if_nametoindex)
1365
except (OSError, AttributeError):
1366
logger.warning(u"Doing if_nametoindex the hard way")
1367
def if_nametoindex(interface):
1368
"Get an interface index the hard way, i.e. using fcntl()"
1369
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1370
with closing(socket.socket()) as s:
1371
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1372
struct.pack(str(u"16s16x"),
1373
interface))
1374
interface_index = struct.unpack(str(u"I"),
1375
ifreq[16:20])[0]
1376
return interface_index
1377
return if_nametoindex(interface)
1378
1379
2307
1380
def daemon(nochdir = False, noclose = False):
2308
1381
"""See daemon(3). Standard BSD Unix function.
2309
1382
2312
1385
sys.exit()
2313
1386
os.setsid()
2314
1387
if not nochdir:
2315
os.chdir("/")
1388
os.chdir(u"/")
2316
1389
if os.fork():
2317
1390
sys.exit()
2318
1391
if not noclose:
2319
1392
# Close all standard open file descriptors
2320
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1393
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2321
1394
if not stat.S_ISCHR(os.fstat(null).st_mode):
2322
1395
raise OSError(errno.ENODEV,
2323
"{} not a character device"
2324
.format(os.devnull))
1396
u"%s not a character device"
1397
% os.path.devnull)
2325
1398
os.dup2(null, sys.stdin.fileno())
2326
1399
os.dup2(null, sys.stdout.fileno())
2327
1400
os.dup2(null, sys.stderr.fileno())
2334
1407
##################################################################
2335
1408
# Parsing of options, both command line and config file
2336
1409
2337
parser = argparse.ArgumentParser()
2338
parser.add_argument("-v", "--version", action="version",
2339
version = "%(prog)s {}".format(version),
2340
help="show version number and exit")
2341
parser.add_argument("-i", "--interface", metavar="IF",
2342
help="Bind to interface IF")
2343
parser.add_argument("-a", "--address",
2344
help="Address to listen for requests on")
2345
parser.add_argument("-p", "--port", type=int,
2346
help="Port number to receive requests on")
2347
parser.add_argument("--check", action="store_true",
2348
help="Run self-test")
2349
parser.add_argument("--debug", action="store_true",
2350
help="Debug mode; run in foreground and log"
2351
" to terminal", default=None)
2352
parser.add_argument("--debuglevel", metavar="LEVEL",
2353
help="Debug level for stdout output")
2354
parser.add_argument("--priority", help="GnuTLS"
2355
" priority string (see GnuTLS documentation)")
2356
parser.add_argument("--servicename",
2357
metavar="NAME", help="Zeroconf service name")
2358
parser.add_argument("--configdir",
2359
default="/etc/mandos", metavar="DIR",
2360
help="Directory to search for configuration"
2361
" files")
2362
parser.add_argument("--no-dbus", action="store_false",
2363
dest="use_dbus", help="Do not provide D-Bus"
2364
" system bus interface", default=None)
2365
parser.add_argument("--no-ipv6", action="store_false",
2366
dest="use_ipv6", help="Do not use IPv6",
2367
default=None)
2368
parser.add_argument("--no-restore", action="store_false",
2369
dest="restore", help="Do not restore stored"
2370
" state", default=None)
2371
parser.add_argument("--socket", type=int,
2372
help="Specify a file descriptor to a network"
2373
" socket to use instead of creating one")
2374
parser.add_argument("--statedir", metavar="DIR",
2375
help="Directory to save/restore state in")
2376
parser.add_argument("--foreground", action="store_true",
2377
help="Run in foreground", default=None)
2378
parser.add_argument("--no-zeroconf", action="store_false",
2379
dest="zeroconf", help="Do not use Zeroconf",
2380
default=None)
2381
2382
options = parser.parse_args()
1410
parser = optparse.OptionParser(version = "%%prog %s" % version)
1411
parser.add_option("-i", u"--interface", type=u"string",
1412
metavar="IF", help=u"Bind to interface IF")
1413
parser.add_option("-a", u"--address", type=u"string",
1414
help=u"Address to listen for requests on")
1415
parser.add_option("-p", u"--port", type=u"int",
1416
help=u"Port number to receive requests on")
1417
parser.add_option("--check", action=u"store_true",
1418
help=u"Run self-test")
1419
parser.add_option("--debug", action=u"store_true",
1420
help=u"Debug mode; run in foreground and log to"
1421
u" terminal")
1422
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1423
u" priority string (see GnuTLS documentation)")
1424
parser.add_option("--servicename", type=u"string",
1425
metavar=u"NAME", help=u"Zeroconf service name")
1426
parser.add_option("--configdir", type=u"string",
1427
default=u"/etc/mandos", metavar=u"DIR",
1428
help=u"Directory to search for configuration"
1429
u" files")
1430
parser.add_option("--no-dbus", action=u"store_false",
1431
dest=u"use_dbus", help=u"Do not provide D-Bus"
1432
u" system bus interface")
1433
parser.add_option("--no-ipv6", action=u"store_false",
1434
dest=u"use_ipv6", help=u"Do not use IPv6")
1435
options = parser.parse_args()[0]
2383
1436
2384
1437
if options.check:
2385
1438
import doctest
2386
fail_count, test_count = doctest.testmod()
2387
sys.exit(os.EX_OK if fail_count == 0 else 1)
1439
doctest.testmod()
1440
sys.exit()
2388
1441
2389
1442
# Default values for config file for server-global settings
2390
server_defaults = { "interface": "",
2391
"address": "",
2392
"port": "",
2393
"debug": "False",
2394
"priority":
2395
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2396
":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2397
"servicename": "Mandos",
2398
"use_dbus": "True",
2399
"use_ipv6": "True",
2400
"debuglevel": "",
2401
"restore": "True",
2402
"socket": "",
2403
"statedir": "/var/lib/mandos",
2404
"foreground": "False",
2405
"zeroconf": "True",
2406
}
1443
server_defaults = { u"interface": u"",
1444
u"address": u"",
1445
u"port": u"",
1446
u"debug": u"False",
1447
u"priority":
1448
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1449
u"servicename": u"Mandos",
1450
u"use_dbus": u"True",
1451
u"use_ipv6": u"True",
1452
}
2407
1453
2408
1454
# Parse config file for server-global settings
2409
1455
server_config = configparser.SafeConfigParser(server_defaults)
2410
1456
del server_defaults
2411
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1457
server_config.read(os.path.join(options.configdir,
1458
u"mandos.conf"))
2412
1459
# Convert the SafeConfigParser object to a dict
2413
1460
server_settings = server_config.defaults()
2414
1461
# Use the appropriate methods on the non-string config options
2415
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2416
server_settings[option] = server_config.getboolean("DEFAULT",
1462
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1463
server_settings[option] = server_config.getboolean(u"DEFAULT",
2417
1464
option)
2418
1465
if server_settings["port"]:
2419
server_settings["port"] = server_config.getint("DEFAULT",
2420
"port")
2421
if server_settings["socket"]:
2422
server_settings["socket"] = server_config.getint("DEFAULT",
2423
"socket")
2424
# Later, stdin will, and stdout and stderr might, be dup'ed
2425
# over with an opened os.devnull. But we don't want this to
2426
# happen with a supplied network socket.
2427
if 0 <= server_settings["socket"] <= 2:
2428
server_settings["socket"] = os.dup(server_settings
2429
["socket"])
1466
server_settings["port"] = server_config.getint(u"DEFAULT",
1467
u"port")
2430
1468
del server_config
2431
1469
2432
1470
# Override the settings from the config file with command line
2433
1471
# options, if set.
2434
for option in ("interface", "address", "port", "debug",
2435
"priority", "servicename", "configdir", "use_dbus",
2436
"use_ipv6", "debuglevel", "restore", "statedir",
2437
"socket", "foreground", "zeroconf"):
1472
for option in (u"interface", u"address", u"port", u"debug",
1473
u"priority", u"servicename", u"configdir",
1474
u"use_dbus", u"use_ipv6"):
2438
1475
value = getattr(options, option)
2439
1476
if value is not None:
2440
1477
server_settings[option] = value
2441
1478
del options
2442
1479
# Force all strings to be unicode
2443
1480
for option in server_settings.keys():
2444
if isinstance(server_settings[option], bytes):
2445
server_settings[option] = (server_settings[option]
2446
.decode("utf-8"))
2447
# Force all boolean options to be boolean
2448
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2449
"foreground", "zeroconf"):
2450
server_settings[option] = bool(server_settings[option])
2451
# Debug implies foreground
2452
if server_settings["debug"]:
2453
server_settings["foreground"] = True
1481
if type(server_settings[option]) is str:
1482
server_settings[option] = unicode(server_settings[option])
2454
1483
# Now we have our good server settings in "server_settings"
2455
1484
2456
1485
##################################################################
2457
1486
2458
if (not server_settings["zeroconf"]
2459
and not (server_settings["port"]
2460
or server_settings["socket"] != "")):
2461
parser.error("Needs port or socket to work without Zeroconf")
2462
2463
1487
# For convenience
2464
debug = server_settings["debug"]
2465
debuglevel = server_settings["debuglevel"]
2466
use_dbus = server_settings["use_dbus"]
2467
use_ipv6 = server_settings["use_ipv6"]
2468
stored_state_path = os.path.join(server_settings["statedir"],
2469
stored_state_file)
2470
foreground = server_settings["foreground"]
2471
zeroconf = server_settings["zeroconf"]
2472
2473
if debug:
2474
initlogger(debug, logging.DEBUG)
2475
else:
2476
if not debuglevel:
2477
initlogger(debug)
2478
else:
2479
level = getattr(logging, debuglevel.upper())
2480
initlogger(debug, level)
2481
2482
if server_settings["servicename"] != "Mandos":
2483
syslogger.setFormatter(
2484
logging.Formatter('Mandos ({}) [%(process)d]:'
2485
' %(levelname)s: %(message)s'.format(
2486
server_settings["servicename"])))
1488
debug = server_settings[u"debug"]
1489
use_dbus = server_settings[u"use_dbus"]
1490
use_ipv6 = server_settings[u"use_ipv6"]
1491
1492
if not debug:
1493
syslogger.setLevel(logging.WARNING)
1494
console.setLevel(logging.WARNING)
1495
1496
if server_settings[u"servicename"] != u"Mandos":
1497
syslogger.setFormatter(logging.Formatter
1498
(u'Mandos (%s) [%%(process)d]:'
1499
u' %%(levelname)s: %%(message)s'
1500
% server_settings[u"servicename"]))
2487
1501
2488
1502
# Parse config file with clients
2489
client_config = configparser.SafeConfigParser(Client
2490
.client_defaults)
2491
client_config.read(os.path.join(server_settings["configdir"],
2492
"clients.conf"))
1503
client_defaults = { u"timeout": u"1h",
1504
u"interval": u"5m",
1505
u"checker": u"fping -q -- %%(host)s",
1506
u"host": u"",
1507
}
1508
client_config = configparser.SafeConfigParser(client_defaults)
1509
client_config.read(os.path.join(server_settings[u"configdir"],
1510
u"clients.conf"))
2493
1511
2494
1512
global mandos_dbus_service
2495
1513
mandos_dbus_service = None
2496
1514
2497
socketfd = None
2498
if server_settings["socket"] != "":
2499
socketfd = server_settings["socket"]
2500
tcp_server = MandosServer(
2501
(server_settings["address"], server_settings["port"]),
2502
ClientHandler,
2503
interface=(server_settings["interface"] or None),
2504
use_ipv6=use_ipv6,
2505
gnutls_priority=server_settings["priority"],
2506
use_dbus=use_dbus,
2507
socketfd=socketfd)
2508
if not foreground:
2509
pidfilename = "/run/mandos.pid"
2510
if not os.path.isdir("/run/."):
2511
pidfilename = "/var/run/mandos.pid"
2512
pidfile = None
2513
try:
2514
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2515
except IOError as e:
2516
logger.error("Could not open file %r", pidfilename,
2517
exc_info=e)
1515
tcp_server = MandosServer((server_settings[u"address"],
1516
server_settings[u"port"]),
1517
ClientHandler,
1518
interface=server_settings[u"interface"],
1519
use_ipv6=use_ipv6,
1520
gnutls_priority=
1521
server_settings[u"priority"],
1522
use_dbus=use_dbus)
1523
pidfilename = u"/var/run/mandos.pid"
1524
try:
1525
pidfile = open(pidfilename, u"w")
1526
except IOError:
1527
logger.error(u"Could not open file %r", pidfilename)
2518
1528
2519
for name in ("_mandos", "mandos", "nobody"):
1529
try:
1530
uid = pwd.getpwnam(u"_mandos").pw_uid
1531
gid = pwd.getpwnam(u"_mandos").pw_gid
1532
except KeyError:
2520
1533
try:
2521
uid = pwd.getpwnam(name).pw_uid
2522
gid = pwd.getpwnam(name).pw_gid
2523
break
1534
uid = pwd.getpwnam(u"mandos").pw_uid
1535
gid = pwd.getpwnam(u"mandos").pw_gid
2524
1536
except KeyError:
2525
continue
2526
else:
2527
uid = 65534
2528
gid = 65534
1537
try:
1538
uid = pwd.getpwnam(u"nobody").pw_uid
1539
gid = pwd.getpwnam(u"nobody").pw_gid
1540
except KeyError:
1541
uid = 65534
1542
gid = 65534
2529
1543
try:
2530
1544
os.setgid(gid)
2531
1545
os.setuid(uid)
2532
except OSError as error:
2533
if error.errno != errno.EPERM:
2534
raise
1546
except OSError, error:
1547
if error[0] != errno.EPERM:
1548
raise error
2535
1549
1550
# Enable all possible GnuTLS debugging
2536
1551
if debug:
2537
# Enable all possible GnuTLS debugging
2538
2539
1552
# "Use a log level over 10 to enable all debugging options."
2540
1553
# - GnuTLS manual
2541
1554
gnutls.library.functions.gnutls_global_set_log_level(11)
2542
1555
2543
1556
@gnutls.library.types.gnutls_log_func
2544
1557
def debug_gnutls(level, string):
2545
logger.debug("GnuTLS: %s", string[:-1])
2546
2547
gnutls.library.functions.gnutls_global_set_log_function(
2548
debug_gnutls)
2549
2550
# Redirect stdin so all checkers get /dev/null
2551
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2552
os.dup2(null, sys.stdin.fileno())
2553
if null > 2:
2554
os.close(null)
2555
2556
# Need to fork before connecting to D-Bus
2557
if not foreground:
2558
# Close all input and output, do double fork, etc.
2559
daemon()
2560
2561
# multiprocessing will use threads, so before we use gobject we
2562
# need to inform gobject that threads will be used.
2563
gobject.threads_init()
1558
logger.debug(u"GnuTLS: %s", string[:-1])
1559
1560
(gnutls.library.functions
1561
.gnutls_global_set_log_function(debug_gnutls))
2564
1562
2565
1563
global main_loop
2566
1564
# From the Avahi example code
2567
DBusGMainLoop(set_as_default=True)
1565
DBusGMainLoop(set_as_default=True )
2568
1566
main_loop = gobject.MainLoop()
2569
1567
bus = dbus.SystemBus()
2570
1568
# End of Avahi example code
2571
1569
if use_dbus:
2572
1570
try:
2573
bus_name = dbus.service.BusName("se.recompile.Mandos",
2574
bus,
2575
do_not_queue=True)
2576
old_bus_name = dbus.service.BusName(
2577
"se.bsnet.fukt.Mandos", bus,
2578
do_not_queue=True)
2579
except dbus.exceptions.DBusException as e:
2580
logger.error("Disabling D-Bus:", exc_info=e)
1571
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1572
bus, do_not_queue=True)
1573
except dbus.exceptions.NameExistsException, e:
1574
logger.error(unicode(e) + u", disabling D-Bus")
2581
1575
use_dbus = False
2582
server_settings["use_dbus"] = False
1576
server_settings[u"use_dbus"] = False
2583
1577
tcp_server.use_dbus = False
2584
if zeroconf:
2585
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2586
service = AvahiServiceToSyslog(
2587
name = server_settings["servicename"],
2588
servicetype = "_mandos._tcp",
2589
protocol = protocol,
2590
bus = bus)
2591
if server_settings["interface"]:
2592
service.interface = if_nametoindex(
2593
server_settings["interface"].encode("utf-8"))
2594
2595
global multiprocessing_manager
2596
multiprocessing_manager = multiprocessing.Manager()
1578
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1579
service = AvahiService(name = server_settings[u"servicename"],
1580
servicetype = u"_mandos._tcp",
1581
protocol = protocol, bus = bus)
1582
if server_settings["interface"]:
1583
service.interface = (if_nametoindex
1584
(str(server_settings[u"interface"])))
2597
1585
2598
1586
client_class = Client
2599
1587
if use_dbus:
2600
1588
client_class = functools.partial(ClientDBus, bus = bus)
2601
2602
client_settings = Client.config_parser(client_config)
2603
old_client_settings = {}
2604
clients_data = {}
2605
2606
# This is used to redirect stdout and stderr for checker processes
2607
global wnull
2608
wnull = open(os.devnull, "w") # A writable /dev/null
2609
# Only used if server is running in foreground but not in debug
2610
# mode
2611
if debug or not foreground:
2612
wnull.close()
2613
2614
# Get client data and settings from last running state.
2615
if server_settings["restore"]:
2616
try:
2617
with open(stored_state_path, "rb") as stored_state:
2618
clients_data, old_client_settings = pickle.load(
2619
stored_state)
2620
os.remove(stored_state_path)
2621
except IOError as e:
2622
if e.errno == errno.ENOENT:
2623
logger.warning("Could not load persistent state:"
2624
" {}".format(os.strerror(e.errno)))
2625
else:
2626
logger.critical("Could not load persistent state:",
2627
exc_info=e)
2628
raise
2629
except EOFError as e:
2630
logger.warning("Could not load persistent state: "
2631
"EOFError:",
2632
exc_info=e)
2633
2634
with PGPEngine() as pgp:
2635
for client_name, client in clients_data.items():
2636
# Skip removed clients
2637
if client_name not in client_settings:
2638
continue
2639
2640
# Decide which value to use after restoring saved state.
2641
# We have three different values: Old config file,
2642
# new config file, and saved state.
2643
# New config value takes precedence if it differs from old
2644
# config value, otherwise use saved state.
2645
for name, value in client_settings[client_name].items():
2646
try:
2647
# For each value in new config, check if it
2648
# differs from the old config value (Except for
2649
# the "secret" attribute)
2650
if (name != "secret"
2651
and (value !=
2652
old_client_settings[client_name][name])):
2653
client[name] = value
2654
except KeyError:
2655
pass
2656
2657
# Clients who has passed its expire date can still be
2658
# enabled if its last checker was successful. Clients
2659
# whose checker succeeded before we stored its state is
2660
# assumed to have successfully run all checkers during
2661
# downtime.
2662
if client["enabled"]:
2663
if datetime.datetime.utcnow() >= client["expires"]:
2664
if not client["last_checked_ok"]:
2665
logger.warning(
2666
"disabling client {} - Client never "
2667
"performed a successful checker".format(
2668
client_name))
2669
client["enabled"] = False
2670
elif client["last_checker_status"] != 0:
2671
logger.warning(
2672
"disabling client {} - Client last"
2673
" checker failed with error code"
2674
" {}".format(
2675
client_name,
2676
client["last_checker_status"]))
2677
client["enabled"] = False
2678
else:
2679
client["expires"] = (
2680
datetime.datetime.utcnow()
2681
+ client["timeout"])
2682
logger.debug("Last checker succeeded,"
2683
" keeping {} enabled".format(
2684
client_name))
2685
try:
2686
client["secret"] = pgp.decrypt(
2687
client["encrypted_secret"],
2688
client_settings[client_name]["secret"])
2689
except PGPError:
2690
# If decryption fails, we use secret from new settings
2691
logger.debug("Failed to decrypt {} old secret".format(
2692
client_name))
2693
client["secret"] = (client_settings[client_name]
2694
["secret"])
2695
2696
# Add/remove clients based on new changes made to config
2697
for client_name in (set(old_client_settings)
2698
- set(client_settings)):
2699
del clients_data[client_name]
2700
for client_name in (set(client_settings)
2701
- set(old_client_settings)):
2702
clients_data[client_name] = client_settings[client_name]
2703
2704
# Create all client objects
2705
for client_name, client in clients_data.items():
2706
tcp_server.clients[client_name] = client_class(
2707
name = client_name,
2708
settings = client,
2709
server_settings = server_settings)
2710
1589
tcp_server.clients.update(set(
1590
client_class(name = section,
1591
config= dict(client_config.items(section)))
1592
for section in client_config.sections()))
2711
1593
if not tcp_server.clients:
2712
logger.warning("No clients defined")
2713
2714
if not foreground:
2715
if pidfile is not None:
1594
logger.warning(u"No clients defined")
1595
1596
if debug:
1597
# Redirect stdin so all checkers get /dev/null
1598
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1599
os.dup2(null, sys.stdin.fileno())
1600
if null > 2:
1601
os.close(null)
1602
else:
1603
# No console logging
1604
logger.removeHandler(console)
1605
# Close all input and output, do double fork, etc.
1606
daemon()
1607
1608
try:
1609
with closing(pidfile):
2716
1610
pid = os.getpid()
2717
try:
2718
with pidfile:
2719
print(pid, file=pidfile)
2720
except IOError:
2721
logger.error("Could not write to file %r with PID %d",
2722
pidfilename, pid)
1611
pidfile.write(str(pid) + "\n")
2723
1612
del pidfile
2724
del pidfilename
1613
except IOError:
1614
logger.error(u"Could not write to file %r with PID %d",
1615
pidfilename, pid)
1616
except NameError:
1617
# "pidfile" was never created
1618
pass
1619
del pidfilename
2725
1620
1621
if not debug:
1622
signal.signal(signal.SIGINT, signal.SIG_IGN)
2726
1623
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2727
1624
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2728
1625
2729
1626
if use_dbus:
2730
2731
@alternate_dbus_interfaces(
2732
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
2733
class MandosDBusService(DBusObjectWithProperties):
1627
class MandosDBusService(dbus.service.Object):
2734
1628
"""A D-Bus proxy object"""
2735
2736
1629
def __init__(self):
2737
dbus.service.Object.__init__(self, bus, "/")
2738
2739
_interface = "se.recompile.Mandos"
2740
2741
@dbus_interface_annotations(_interface)
2742
def _foo(self):
2743
return {
2744
"org.freedesktop.DBus.Property.EmitsChangedSignal":
2745
"false" }
2746
2747
@dbus.service.signal(_interface, signature="o")
2748
def ClientAdded(self, objpath):
2749
"D-Bus signal"
2750
pass
2751
2752
@dbus.service.signal(_interface, signature="ss")
2753
def ClientNotFound(self, fingerprint, address):
2754
"D-Bus signal"
2755
pass
2756
2757
@dbus.service.signal(_interface, signature="os")
1630
dbus.service.Object.__init__(self, bus, u"/")
1631
_interface = u"se.bsnet.fukt.Mandos"
1632
1633
@dbus.service.signal(_interface, signature=u"oa{sv}")
1634
def ClientAdded(self, objpath, properties):
1635
"D-Bus signal"
1636
pass
1637
1638
@dbus.service.signal(_interface, signature=u"s")
1639
def ClientNotFound(self, fingerprint):
1640
"D-Bus signal"
1641
pass
1642
1643
@dbus.service.signal(_interface, signature=u"os")
2758
1644
def ClientRemoved(self, objpath, name):
2759
1645
"D-Bus signal"
2760
1646
pass
2761
1647
2762
@dbus.service.method(_interface, out_signature="ao")
1648
@dbus.service.method(_interface, out_signature=u"ao")
2763
1649
def GetAllClients(self):
2764
1650
"D-Bus method"
2765
return dbus.Array(c.dbus_object_path for c in
2766
tcp_server.clients.itervalues())
1651
return dbus.Array(c.dbus_object_path
1652
for c in tcp_server.clients)
2767
1653
2768
1654
@dbus.service.method(_interface,
2769
out_signature="a{oa{sv}}")
1655
out_signature=u"a{oa{sv}}")
2770
1656
def GetAllClientsWithProperties(self):
2771
1657
"D-Bus method"
2772
1658
return dbus.Dictionary(
2773
{ c.dbus_object_path: c.GetAll("")
2774
for c in tcp_server.clients.itervalues() },
2775
signature="oa{sv}")
1659
((c.dbus_object_path, c.GetAll(u""))
1660
for c in tcp_server.clients),
1661
signature=u"oa{sv}")
2776
1662
2777
@dbus.service.method(_interface, in_signature="o")
1663
@dbus.service.method(_interface, in_signature=u"o")
2778
1664
def RemoveClient(self, object_path):
2779
1665
"D-Bus method"
2780
for c in tcp_server.clients.itervalues():
1666
for c in tcp_server.clients:
2781
1667
if c.dbus_object_path == object_path:
2782
del tcp_server.clients[c.name]
1668
tcp_server.clients.remove(c)
2783
1669
c.remove_from_connection()
2784
1670
# Don't signal anything except ClientRemoved
2785
1671
c.disable(quiet=True)
2794
1680
2795
1681
def cleanup():
2796
1682
"Cleanup function; run on exit"
2797
if zeroconf:
2798
service.cleanup()
2799
2800
multiprocessing.active_children()
2801
wnull.close()
2802
if not (tcp_server.clients or client_settings):
2803
return
2804
2805
# Store client before exiting. Secrets are encrypted with key
2806
# based on what config file has. If config file is
2807
# removed/edited, old secret will thus be unrecovable.
2808
clients = {}
2809
with PGPEngine() as pgp:
2810
for client in tcp_server.clients.itervalues():
2811
key = client_settings[client.name]["secret"]
2812
client.encrypted_secret = pgp.encrypt(client.secret,
2813
key)
2814
client_dict = {}
2815
2816
# A list of attributes that can not be pickled
2817
# + secret.
2818
exclude = { "bus", "changedstate", "secret",
2819
"checker", "server_settings" }
2820
for name, typ in inspect.getmembers(dbus.service
2821
.Object):
2822
exclude.add(name)
2823
2824
client_dict["encrypted_secret"] = (client
2825
.encrypted_secret)
2826
for attr in client.client_structure:
2827
if attr not in exclude:
2828
client_dict[attr] = getattr(client, attr)
2829
2830
clients[client.name] = client_dict
2831
del client_settings[client.name]["secret"]
2832
2833
try:
2834
with tempfile.NamedTemporaryFile(
2835
mode='wb',
2836
suffix=".pickle",
2837
prefix='clients-',
2838
dir=os.path.dirname(stored_state_path),
2839
delete=False) as stored_state:
2840
pickle.dump((clients, client_settings), stored_state)
2841
tempname = stored_state.name
2842
os.rename(tempname, stored_state_path)
2843
except (IOError, OSError) as e:
2844
if not debug:
2845
try:
2846
os.remove(tempname)
2847
except NameError:
2848
pass
2849
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2850
logger.warning("Could not save persistent state: {}"
2851
.format(os.strerror(e.errno)))
2852
else:
2853
logger.warning("Could not save persistent state:",
2854
exc_info=e)
2855
raise
2856
2857
# Delete all clients, and settings from config
1683
service.cleanup()
1684
2858
1685
while tcp_server.clients:
2859
name, client = tcp_server.clients.popitem()
1686
client = tcp_server.clients.pop()
2860
1687
if use_dbus:
2861
1688
client.remove_from_connection()
1689
client.disable_hook = None
2862
1690
# Don't signal anything except ClientRemoved
2863
1691
client.disable(quiet=True)
2864
1692
if use_dbus:
2865
1693
# Emit D-Bus signal
2866
mandos_dbus_service.ClientRemoved(
2867
client.dbus_object_path, client.name)
2868
client_settings.clear()
1694
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1695
client.name)
2869
1696
2870
1697
atexit.register(cleanup)
2871
1698
2872
for client in tcp_server.clients.itervalues():
1699
for client in tcp_server.clients:
2873
1700
if use_dbus:
2874
1701
# Emit D-Bus signal
2875
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2876
# Need to initiate checking of clients
2877
if client.enabled:
2878
client.init_checker()
1702
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1703
client.GetAll(u""))
1704
client.enable()
2879
1705
2880
1706
tcp_server.enable()
2881
1707
tcp_server.server_activate()
2882
1708
2883
1709
# Find out what port we got
2884
if zeroconf:
2885
service.port = tcp_server.socket.getsockname()[1]
1710
service.port = tcp_server.socket.getsockname()[1]
2886
1711
if use_ipv6:
2887
logger.info("Now listening on address %r, port %d,"
2888
" flowinfo %d, scope_id %d",
2889
*tcp_server.socket.getsockname())
1712
logger.info(u"Now listening on address %r, port %d,"
1713
" flowinfo %d, scope_id %d"
1714
% tcp_server.socket.getsockname())
2890
1715
else: # IPv4
2891
logger.info("Now listening on address %r, port %d",
2892
*tcp_server.socket.getsockname())
1716
logger.info(u"Now listening on address %r, port %d"
1717
% tcp_server.socket.getsockname())
2893
1718
2894
1719
#service.interface = tcp_server.socket.getsockname()[3]
2895
1720
2896
1721
try:
2897
if zeroconf:
2898
# From the Avahi example code
2899
try:
2900
service.activate()
2901
except dbus.exceptions.DBusException as error:
2902
logger.critical("D-Bus Exception", exc_info=error)
2903
cleanup()
2904
sys.exit(1)
2905
# End of Avahi example code
1722
# From the Avahi example code
1723
try:
1724
service.activate()
1725
except dbus.exceptions.DBusException, error:
1726
logger.critical(u"DBusException: %s", error)
1727
cleanup()
1728
sys.exit(1)
1729
# End of Avahi example code
2906
1730
2907
1731
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2908
1732
lambda *args, **kwargs:
2909
1733
(tcp_server.handle_request
2910
1734
(*args[2:], **kwargs) or True))
2911
1735
2912
logger.debug("Starting main loop")
1736
logger.debug(u"Starting main loop")
2913
1737
main_loop.run()
2914
except AvahiError as error:
2915
logger.critical("Avahi Error", exc_info=error)
1738
except AvahiError, error:
1739
logger.critical(u"AvahiError: %s", error)
2916
1740
cleanup()
2917
1741
sys.exit(1)
2918
1742
except KeyboardInterrupt:
2919
1743
if debug:
2920
print("", file=sys.stderr)
2921
logger.debug("Server received KeyboardInterrupt")
2922
logger.debug("Server exiting")
1744
print >> sys.stderr
1745
logger.debug(u"Server received KeyboardInterrupt")
1746
logger.debug(u"Server exiting")
2923
1747
# Must run before the D-Bus bus name gets deregistered
2924
1748
cleanup()
2925
1749
2926
2927
1750
if __name__ == '__main__':
2928
1751
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0