To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 423
- compare with another revision
- download diff
- download tarball
- view history from revision 423
- Committer: Teddy Hogeborn
- Date: 2010-09-12 03:00:40 UTC
- Revision ID: teddy@fukt.bsnet.se-20100912030040-b0uopyennste9fdh
Documentation changes:
* DBUS-API: New file documenting the server D-Bus interface.
* clients.conf: Add examples of new approval settings.
* debian/mandos.docs: Added "DBUS-API".
* mandos-clients.conf.xml (OPTIONS): Added "approved_by_default",
"approval_delay", and
"approval_duration".
* mandos.xml (D-BUS INTERFACE): Refer to the "DBUS-API" file.
(BUGS): Remove mention of lack of a remote query interface.
* DBUS-API: New file documenting the server D-Bus interface.
* clients.conf: Add examples of new approval settings.
* debian/mandos.docs: Added "DBUS-API".
* mandos-clients.conf.xml (OPTIONS): Added "approved_by_default",
"approval_delay", and
"approval_duration".
* mandos.xml (D-BUS INTERFACE): Refer to the "DBUS-API" file.
(BUGS): Remove mention of lack of a remote query interface.
- files removed:
- debian/mandos-client.examples
- debian/source
- debian/upstream
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2014 Teddy Hogeborn
15
# Copyright © 2008-2014 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@recompile.se>.
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
36
37
from future_builtins import *
34
from __future__ import division, with_statement, absolute_import
38
35
39
36
import SocketServer as socketserver
40
37
import socket
41
import argparse
38
import optparse
42
39
import datetime
43
40
import errno
44
41
import gnutls.crypto
64
61
import functools
65
62
import cPickle as pickle
66
63
import multiprocessing
67
import types
68
import binascii
69
import tempfile
70
import itertools
71
import collections
72
64
73
65
import dbus
74
66
import dbus.service
88
80
except ImportError:
89
81
SO_BINDTODEVICE = None
90
82
91
if sys.version_info.major == 2:
92
str = unicode
93
94
version = "1.6.8"
95
stored_state_file = "clients.pickle"
96
97
logger = logging.getLogger()
98
syslogger = None
99
100
try:
101
if_nametoindex = (ctypes.cdll.LoadLibrary
102
(ctypes.util.find_library("c"))
103
.if_nametoindex)
104
except (OSError, AttributeError):
105
def if_nametoindex(interface):
106
"Get an interface index the hard way, i.e. using fcntl()"
107
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
108
with contextlib.closing(socket.socket()) as s:
109
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
110
struct.pack(b"16s16x", interface))
111
interface_index = struct.unpack("I", ifreq[16:20])[0]
112
return interface_index
113
114
115
def initlogger(debug, level=logging.WARNING):
116
"""init logger and add loglevel"""
117
118
global syslogger
119
syslogger = (logging.handlers.SysLogHandler
120
(facility =
121
logging.handlers.SysLogHandler.LOG_DAEMON,
122
address = "/dev/log"))
123
syslogger.setFormatter(logging.Formatter
124
('Mandos [%(process)d]: %(levelname)s:'
125
' %(message)s'))
126
logger.addHandler(syslogger)
127
128
if debug:
129
console = logging.StreamHandler()
130
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
131
' [%(process)d]:'
132
' %(levelname)s:'
133
' %(message)s'))
134
logger.addHandler(console)
135
logger.setLevel(level)
136
137
138
class PGPError(Exception):
139
"""Exception if encryption/decryption fails"""
140
pass
141
142
143
class PGPEngine(object):
144
"""A simple class for OpenPGP symmetric encryption & decryption"""
145
def __init__(self):
146
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
147
self.gnupgargs = ['--batch',
148
'--home', self.tempdir,
149
'--force-mdc',
150
'--quiet',
151
'--no-use-agent']
152
153
def __enter__(self):
154
return self
155
156
def __exit__(self, exc_type, exc_value, traceback):
157
self._cleanup()
158
return False
159
160
def __del__(self):
161
self._cleanup()
162
163
def _cleanup(self):
164
if self.tempdir is not None:
165
# Delete contents of tempdir
166
for root, dirs, files in os.walk(self.tempdir,
167
topdown = False):
168
for filename in files:
169
os.remove(os.path.join(root, filename))
170
for dirname in dirs:
171
os.rmdir(os.path.join(root, dirname))
172
# Remove tempdir
173
os.rmdir(self.tempdir)
174
self.tempdir = None
175
176
def password_encode(self, password):
177
# Passphrase can not be empty and can not contain newlines or
178
# NUL bytes. So we prefix it and hex encode it.
179
encoded = b"mandos" + binascii.hexlify(password)
180
if len(encoded) > 2048:
181
# GnuPG can't handle long passwords, so encode differently
182
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
183
.replace(b"\n", b"\\n")
184
.replace(b"\0", b"\\x00"))
185
return encoded
186
187
def encrypt(self, data, password):
188
passphrase = self.password_encode(password)
189
with tempfile.NamedTemporaryFile(dir=self.tempdir
190
) as passfile:
191
passfile.write(passphrase)
192
passfile.flush()
193
proc = subprocess.Popen(['gpg', '--symmetric',
194
'--passphrase-file',
195
passfile.name]
196
+ self.gnupgargs,
197
stdin = subprocess.PIPE,
198
stdout = subprocess.PIPE,
199
stderr = subprocess.PIPE)
200
ciphertext, err = proc.communicate(input = data)
201
if proc.returncode != 0:
202
raise PGPError(err)
203
return ciphertext
204
205
def decrypt(self, data, password):
206
passphrase = self.password_encode(password)
207
with tempfile.NamedTemporaryFile(dir = self.tempdir
208
) as passfile:
209
passfile.write(passphrase)
210
passfile.flush()
211
proc = subprocess.Popen(['gpg', '--decrypt',
212
'--passphrase-file',
213
passfile.name]
214
+ self.gnupgargs,
215
stdin = subprocess.PIPE,
216
stdout = subprocess.PIPE,
217
stderr = subprocess.PIPE)
218
decrypted_plaintext, err = proc.communicate(input
219
= data)
220
if proc.returncode != 0:
221
raise PGPError(err)
222
return decrypted_plaintext
223
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
88
syslogger = (logging.handlers.SysLogHandler
89
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
address = "/dev/log"))
91
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
94
logger.addHandler(syslogger)
95
96
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
100
logger.addHandler(console)
224
101
225
102
class AvahiError(Exception):
226
103
def __init__(self, value, *args, **kwargs):
227
104
self.value = value
228
return super(AvahiError, self).__init__(value, *args,
229
**kwargs)
105
super(AvahiError, self).__init__(value, *args, **kwargs)
106
def __unicode__(self):
107
return unicode(repr(self.value))
230
108
231
109
class AvahiServiceError(AvahiError):
232
110
pass
241
119
Attributes:
242
120
interface: integer; avahi.IF_UNSPEC or an interface index.
243
121
Used to optionally bind to the specified interface.
244
name: string; Example: 'Mandos'
245
type: string; Example: '_mandos._tcp'.
246
See <https://www.iana.org/assignments/service-names-port-numbers>
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
124
See <http://www.dns-sd.org/ServiceTypes.html>
247
125
port: integer; what port to announce
248
126
TXT: list of strings; TXT record for the service
249
127
domain: string; Domain to publish on, default to .local if empty.
255
133
server: D-Bus Server
256
134
bus: dbus.SystemBus()
257
135
"""
258
259
136
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
260
137
servicetype = None, port = None, TXT = None,
261
domain = "", host = "", max_renames = 32768,
138
domain = u"", host = u"", max_renames = 32768,
262
139
protocol = avahi.PROTO_UNSPEC, bus = None):
263
140
self.interface = interface
264
141
self.name = name
273
150
self.group = None # our entry group
274
151
self.server = None
275
152
self.bus = bus
276
self.entry_group_state_changed_match = None
277
278
153
def rename(self):
279
154
"""Derived from the Avahi example code"""
280
155
if self.rename_count >= self.max_renames:
281
logger.critical("No suitable Zeroconf service name found"
282
" after %i retries, exiting.",
156
logger.critical(u"No suitable Zeroconf service name found"
157
u" after %i retries, exiting.",
283
158
self.rename_count)
284
raise AvahiServiceError("Too many renames")
285
self.name = str(self.server
286
.GetAlternativeServiceName(self.name))
287
logger.info("Changing Zeroconf service name to %r ...",
159
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
161
logger.info(u"Changing Zeroconf service name to %r ...",
288
162
self.name)
163
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
289
167
self.remove()
290
168
try:
291
169
self.add()
292
except dbus.exceptions.DBusException as error:
293
logger.critical("D-Bus Exception", exc_info=error)
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
294
172
self.cleanup()
295
173
os._exit(1)
296
174
self.rename_count += 1
297
298
175
def remove(self):
299
176
"""Derived from the Avahi example code"""
300
if self.entry_group_state_changed_match is not None:
301
self.entry_group_state_changed_match.remove()
302
self.entry_group_state_changed_match = None
303
177
if self.group is not None:
304
178
self.group.Reset()
305
306
179
def add(self):
307
180
"""Derived from the Avahi example code"""
308
self.remove()
309
181
if self.group is None:
310
182
self.group = dbus.Interface(
311
183
self.bus.get_object(avahi.DBUS_NAME,
312
184
self.server.EntryGroupNew()),
313
185
avahi.DBUS_INTERFACE_ENTRY_GROUP)
314
self.entry_group_state_changed_match = (
315
self.group.connect_to_signal(
316
'StateChanged', self.entry_group_state_changed))
317
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
186
self.group.connect_to_signal('StateChanged',
187
self
188
.entry_group_state_changed)
189
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
318
190
self.name, self.type)
319
191
self.group.AddService(
320
192
self.interface,
325
197
dbus.UInt16(self.port),
326
198
avahi.string_array_to_txt_array(self.TXT))
327
199
self.group.Commit()
328
329
200
def entry_group_state_changed(self, state, error):
330
201
"""Derived from the Avahi example code"""
331
logger.debug("Avahi entry group state change: %i", state)
202
logger.debug(u"Avahi entry group state change: %i", state)
332
203
333
204
if state == avahi.ENTRY_GROUP_ESTABLISHED:
334
logger.debug("Zeroconf service established.")
205
logger.debug(u"Zeroconf service established.")
335
206
elif state == avahi.ENTRY_GROUP_COLLISION:
336
logger.info("Zeroconf service name collision.")
207
logger.warning(u"Zeroconf service name collision.")
337
208
self.rename()
338
209
elif state == avahi.ENTRY_GROUP_FAILURE:
339
logger.critical("Avahi: Error in group state changed %s",
340
str(error))
341
raise AvahiGroupError("State changed: {!s}"
342
.format(error))
343
210
logger.critical(u"Avahi: Error in group state changed %s",
211
unicode(error))
212
raise AvahiGroupError(u"State changed: %s"
213
% unicode(error))
344
214
def cleanup(self):
345
215
"""Derived from the Avahi example code"""
346
216
if self.group is not None:
347
try:
348
self.group.Free()
349
except (dbus.exceptions.UnknownMethodException,
350
dbus.exceptions.DBusException):
351
pass
217
self.group.Free()
352
218
self.group = None
353
self.remove()
354
355
def server_state_changed(self, state, error=None):
219
def server_state_changed(self, state):
356
220
"""Derived from the Avahi example code"""
357
logger.debug("Avahi server state change: %i", state)
358
bad_states = { avahi.SERVER_INVALID:
359
"Zeroconf server invalid",
360
avahi.SERVER_REGISTERING: None,
361
avahi.SERVER_COLLISION:
362
"Zeroconf server name collision",
363
avahi.SERVER_FAILURE:
364
"Zeroconf server failure" }
365
if state in bad_states:
366
if bad_states[state] is not None:
367
if error is None:
368
logger.error(bad_states[state])
369
else:
370
logger.error(bad_states[state] + ": %r", error)
371
self.cleanup()
221
logger.debug(u"Avahi server state change: %i", state)
222
if state == avahi.SERVER_COLLISION:
223
logger.error(u"Zeroconf server name collision")
224
self.remove()
372
225
elif state == avahi.SERVER_RUNNING:
373
226
self.add()
374
else:
375
if error is None:
376
logger.debug("Unknown state: %r", state)
377
else:
378
logger.debug("Unknown state: %r: %r", state, error)
379
380
227
def activate(self):
381
228
"""Derived from the Avahi example code"""
382
229
if self.server is None:
383
230
self.server = dbus.Interface(
384
231
self.bus.get_object(avahi.DBUS_NAME,
385
avahi.DBUS_PATH_SERVER,
386
follow_name_owner_changes=True),
232
avahi.DBUS_PATH_SERVER),
387
233
avahi.DBUS_INTERFACE_SERVER)
388
self.server.connect_to_signal("StateChanged",
234
self.server.connect_to_signal(u"StateChanged",
389
235
self.server_state_changed)
390
236
self.server_state_changed(self.server.GetState())
391
237
392
238
393
class AvahiServiceToSyslog(AvahiService):
394
def rename(self):
395
"""Add the new name to the syslog messages"""
396
ret = AvahiService.rename(self)
397
syslogger.setFormatter(logging.Formatter
398
('Mandos ({}) [%(process)d]:'
399
' %(levelname)s: %(message)s'
400
.format(self.name)))
401
return ret
402
403
404
239
class Client(object):
405
240
"""A representation of a client host served by this server.
406
241
407
242
Attributes:
408
approved: bool(); 'None' if not yet approved/disapproved
409
approval_delay: datetime.timedelta(); Time to wait for approval
410
approval_duration: datetime.timedelta(); Duration of one approval
243
name: string; from the config file, used in log messages and
244
D-Bus identifiers
245
fingerprint: string (40 or 32 hexadecimal digits); used to
246
uniquely identify the client
247
secret: bytestring; sent verbatim (over TLS) to client
248
host: string; available for use by the checker command
249
created: datetime.datetime(); (UTC) object creation
250
last_enabled: datetime.datetime(); (UTC)
251
enabled: bool()
252
last_checked_ok: datetime.datetime(); (UTC) or None
253
timeout: datetime.timedelta(); How long from last_checked_ok
254
until this client is disabled
255
interval: datetime.timedelta(); How often to start a new checker
256
disable_hook: If set, called by disable() as disable_hook(self)
411
257
checker: subprocess.Popen(); a running checker process used
412
258
to see if the client lives.
413
259
'None' if no process is running.
414
checker_callback_tag: a gobject event source tag, or None
415
checker_command: string; External command which is run to check
416
if client lives. %() expansions are done at
260
checker_initiator_tag: a gobject event source tag, or None
261
disable_initiator_tag: - '' -
262
checker_callback_tag: - '' -
263
checker_command: string; External command which is run to check if
264
client lives. %() expansions are done at
417
265
runtime with vars(self) as dict, so that for
418
266
instance %(name)s can be used in the command.
419
checker_initiator_tag: a gobject event source tag, or None
420
created: datetime.datetime(); (UTC) object creation
421
client_structure: Object describing what attributes a client has
422
and is used for storing the client at exit
423
267
current_checker_command: string; current running checker_command
424
disable_initiator_tag: a gobject event source tag, or None
425
enabled: bool()
426
fingerprint: string (40 or 32 hexadecimal digits); used to
427
uniquely identify the client
428
host: string; available for use by the checker command
429
interval: datetime.timedelta(); How often to start a new checker
430
last_approval_request: datetime.datetime(); (UTC) or None
431
last_checked_ok: datetime.datetime(); (UTC) or None
432
last_checker_status: integer between 0 and 255 reflecting exit
433
status of last checker. -1 reflects crashed
434
checker, -2 means no checker completed yet.
435
last_enabled: datetime.datetime(); (UTC) or None
436
name: string; from the config file, used in log messages and
437
D-Bus identifiers
438
secret: bytestring; sent verbatim (over TLS) to client
439
timeout: datetime.timedelta(); How long from last_checked_ok
440
until this client is disabled
441
extended_timeout: extra long timeout when secret has been sent
442
runtime_expansions: Allowed attributes for runtime expansion.
443
expires: datetime.datetime(); time (UTC) when a client will be
444
disabled, or None
445
server_settings: The server_settings dict from main()
268
approval_delay: datetime.timedelta(); Time to wait for approval
269
_approved: bool(); 'None' if not yet approved/disapproved
270
approval_duration: datetime.timedelta(); Duration of one approval
446
271
"""
447
272
448
runtime_expansions = ("approval_delay", "approval_duration",
449
"created", "enabled", "expires",
450
"fingerprint", "host", "interval",
451
"last_approval_request", "last_checked_ok",
452
"last_enabled", "name", "timeout")
453
client_defaults = { "timeout": "PT5M",
454
"extended_timeout": "PT15M",
455
"interval": "PT2M",
456
"checker": "fping -q -- %%(host)s",
457
"host": "",
458
"approval_delay": "PT0S",
459
"approval_duration": "PT1S",
460
"approved_by_default": "True",
461
"enabled": "True",
462
}
463
464
273
@staticmethod
465
def config_parser(config):
466
"""Construct a new dict of client settings of this form:
467
{ client_name: {setting_name: value, ...}, ...}
468
with exceptions for any special settings as defined above.
469
NOTE: Must be a pure function. Must return the same result
470
value given the same arguments.
471
"""
472
settings = {}
473
for client_name in config.sections():
474
section = dict(config.items(client_name))
475
client = settings[client_name] = {}
476
477
client["host"] = section["host"]
478
# Reformat values from string types to Python types
479
client["approved_by_default"] = config.getboolean(
480
client_name, "approved_by_default")
481
client["enabled"] = config.getboolean(client_name,
482
"enabled")
483
484
client["fingerprint"] = (section["fingerprint"].upper()
485
.replace(" ", ""))
486
if "secret" in section:
487
client["secret"] = section["secret"].decode("base64")
488
elif "secfile" in section:
489
with open(os.path.expanduser(os.path.expandvars
490
(section["secfile"])),
491
"rb") as secfile:
492
client["secret"] = secfile.read()
493
else:
494
raise TypeError("No secret or secfile for section {}"
495
.format(section))
496
client["timeout"] = string_to_delta(section["timeout"])
497
client["extended_timeout"] = string_to_delta(
498
section["extended_timeout"])
499
client["interval"] = string_to_delta(section["interval"])
500
client["approval_delay"] = string_to_delta(
501
section["approval_delay"])
502
client["approval_duration"] = string_to_delta(
503
section["approval_duration"])
504
client["checker_command"] = section["checker"]
505
client["last_approval_request"] = None
506
client["last_checked_ok"] = None
507
client["last_checker_status"] = -2
508
509
return settings
510
511
def __init__(self, settings, name = None, server_settings=None):
274
def _timedelta_to_milliseconds(td):
275
"Convert a datetime.timedelta() to milliseconds"
276
return ((td.days * 24 * 60 * 60 * 1000)
277
+ (td.seconds * 1000)
278
+ (td.microseconds // 1000))
279
280
def timeout_milliseconds(self):
281
"Return the 'timeout' attribute in milliseconds"
282
return self._timedelta_to_milliseconds(self.timeout)
283
284
def interval_milliseconds(self):
285
"Return the 'interval' attribute in milliseconds"
286
return self._timedelta_to_milliseconds(self.interval)
287
288
def approval_delay_milliseconds(self):
289
return self._timedelta_to_milliseconds(self.approval_delay)
290
291
def __init__(self, name = None, disable_hook=None, config=None):
292
"""Note: the 'checker' key in 'config' sets the
293
'checker_command' attribute and *not* the 'checker'
294
attribute."""
512
295
self.name = name
513
if server_settings is None:
514
server_settings = {}
515
self.server_settings = server_settings
516
# adding all client settings
517
for setting, value in settings.items():
518
setattr(self, setting, value)
519
520
if self.enabled:
521
if not hasattr(self, "last_enabled"):
522
self.last_enabled = datetime.datetime.utcnow()
523
if not hasattr(self, "expires"):
524
self.expires = (datetime.datetime.utcnow()
525
+ self.timeout)
526
else:
527
self.last_enabled = None
528
self.expires = None
529
530
logger.debug("Creating client %r", self.name)
296
if config is None:
297
config = {}
298
logger.debug(u"Creating client %r", self.name)
531
299
# Uppercase and remove spaces from fingerprint for later
532
300
# comparison purposes with return value from the fingerprint()
533
301
# function
534
logger.debug(" Fingerprint: %s", self.fingerprint)
535
self.created = settings.get("created",
536
datetime.datetime.utcnow())
537
538
# attributes specific for this server instance
302
self.fingerprint = (config[u"fingerprint"].upper()
303
.replace(u" ", u""))
304
logger.debug(u" Fingerprint: %s", self.fingerprint)
305
if u"secret" in config:
306
self.secret = config[u"secret"].decode(u"base64")
307
elif u"secfile" in config:
308
with open(os.path.expanduser(os.path.expandvars
309
(config[u"secfile"])),
310
"rb") as secfile:
311
self.secret = secfile.read()
312
else:
313
raise TypeError(u"No secret or secfile for client %s"
314
% self.name)
315
self.host = config.get(u"host", u"")
316
self.created = datetime.datetime.utcnow()
317
self.enabled = False
318
self.last_enabled = None
319
self.last_checked_ok = None
320
self.timeout = string_to_delta(config[u"timeout"])
321
self.interval = string_to_delta(config[u"interval"])
322
self.disable_hook = disable_hook
539
323
self.checker = None
540
324
self.checker_initiator_tag = None
541
325
self.disable_initiator_tag = None
542
326
self.checker_callback_tag = None
327
self.checker_command = config[u"checker"]
543
328
self.current_checker_command = None
544
self.approved = None
329
self.last_connect = None
330
self._approved = None
331
self.approved_by_default = config.get(u"approved_by_default",
332
True)
545
333
self.approvals_pending = 0
546
self.changedstate = (multiprocessing_manager
547
.Condition(multiprocessing_manager
548
.Lock()))
549
self.client_structure = [attr for attr in
550
self.__dict__.iterkeys()
551
if not attr.startswith("_")]
552
self.client_structure.append("client_structure")
553
554
for name, t in inspect.getmembers(type(self),
555
lambda obj:
556
isinstance(obj,
557
property)):
558
if not name.startswith("_"):
559
self.client_structure.append(name)
334
self.approval_delay = string_to_delta(
335
config[u"approval_delay"])
336
self.approval_duration = string_to_delta(
337
config[u"approval_duration"])
338
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
560
339
561
# Send notice to process children that client state has changed
562
340
def send_changedstate(self):
563
with self.changedstate:
564
self.changedstate.notify_all()
565
341
self.changedstate.acquire()
342
self.changedstate.notify_all()
343
self.changedstate.release()
344
566
345
def enable(self):
567
346
"""Start this client's checker and timeout hooks"""
568
if getattr(self, "enabled", False):
347
if getattr(self, u"enabled", False):
569
348
# Already enabled
570
349
return
571
self.expires = datetime.datetime.utcnow() + self.timeout
572
self.enabled = True
350
self.send_changedstate()
573
351
self.last_enabled = datetime.datetime.utcnow()
574
self.init_checker()
575
self.send_changedstate()
352
# Schedule a new checker to be started an 'interval' from now,
353
# and every interval from then on.
354
self.checker_initiator_tag = (gobject.timeout_add
355
(self.interval_milliseconds(),
356
self.start_checker))
357
# Schedule a disable() when 'timeout' has passed
358
self.disable_initiator_tag = (gobject.timeout_add
359
(self.timeout_milliseconds(),
360
self.disable))
361
self.enabled = True
362
# Also start a new checker *right now*.
363
self.start_checker()
576
364
577
365
def disable(self, quiet=True):
578
366
"""Disable this client."""
579
367
if not getattr(self, "enabled", False):
580
368
return False
581
369
if not quiet:
582
logger.info("Disabling client %s", self.name)
583
if getattr(self, "disable_initiator_tag", None) is not None:
370
self.send_changedstate()
371
if not quiet:
372
logger.info(u"Disabling client %s", self.name)
373
if getattr(self, u"disable_initiator_tag", False):
584
374
gobject.source_remove(self.disable_initiator_tag)
585
375
self.disable_initiator_tag = None
586
self.expires = None
587
if getattr(self, "checker_initiator_tag", None) is not None:
376
if getattr(self, u"checker_initiator_tag", False):
588
377
gobject.source_remove(self.checker_initiator_tag)
589
378
self.checker_initiator_tag = None
590
379
self.stop_checker()
380
if self.disable_hook:
381
self.disable_hook(self)
591
382
self.enabled = False
592
if not quiet:
593
self.send_changedstate()
594
383
# Do not run this again if called by a gobject.timeout_add
595
384
return False
596
385
597
386
def __del__(self):
387
self.disable_hook = None
598
388
self.disable()
599
389
600
def init_checker(self):
601
# Schedule a new checker to be started an 'interval' from now,
602
# and every interval from then on.
603
if self.checker_initiator_tag is not None:
604
gobject.source_remove(self.checker_initiator_tag)
605
self.checker_initiator_tag = (gobject.timeout_add
606
(int(self.interval
607
.total_seconds() * 1000),
608
self.start_checker))
609
# Schedule a disable() when 'timeout' has passed
610
if self.disable_initiator_tag is not None:
611
gobject.source_remove(self.disable_initiator_tag)
612
self.disable_initiator_tag = (gobject.timeout_add
613
(int(self.timeout
614
.total_seconds() * 1000),
615
self.disable))
616
# Also start a new checker *right now*.
617
self.start_checker()
618
619
390
def checker_callback(self, pid, condition, command):
620
391
"""The checker has completed, so take appropriate actions."""
621
392
self.checker_callback_tag = None
622
393
self.checker = None
623
394
if os.WIFEXITED(condition):
624
self.last_checker_status = os.WEXITSTATUS(condition)
625
if self.last_checker_status == 0:
626
logger.info("Checker for %(name)s succeeded",
395
exitstatus = os.WEXITSTATUS(condition)
396
if exitstatus == 0:
397
logger.info(u"Checker for %(name)s succeeded",
627
398
vars(self))
628
399
self.checked_ok()
629
400
else:
630
logger.info("Checker for %(name)s failed",
401
logger.info(u"Checker for %(name)s failed",
631
402
vars(self))
632
403
else:
633
self.last_checker_status = -1
634
logger.warning("Checker for %(name)s crashed?",
404
logger.warning(u"Checker for %(name)s crashed?",
635
405
vars(self))
636
406
637
407
def checked_ok(self):
638
"""Assert that the client has been seen, alive and well."""
408
"""Bump up the timeout for this client.
409
410
This should only be called when the client has been seen,
411
alive and well.
412
"""
639
413
self.last_checked_ok = datetime.datetime.utcnow()
640
self.last_checker_status = 0
641
self.bump_timeout()
642
643
def bump_timeout(self, timeout=None):
644
"""Bump up the timeout for this client."""
645
if timeout is None:
646
timeout = self.timeout
647
if self.disable_initiator_tag is not None:
648
gobject.source_remove(self.disable_initiator_tag)
649
self.disable_initiator_tag = None
650
if getattr(self, "enabled", False):
651
self.disable_initiator_tag = (gobject.timeout_add
652
(int(timeout.total_seconds()
653
* 1000), self.disable))
654
self.expires = datetime.datetime.utcnow() + timeout
655
656
def need_approval(self):
657
self.last_approval_request = datetime.datetime.utcnow()
414
gobject.source_remove(self.disable_initiator_tag)
415
self.disable_initiator_tag = (gobject.timeout_add
416
(self.timeout_milliseconds(),
417
self.disable))
658
418
659
419
def start_checker(self):
660
420
"""Start a new checker subprocess if one is not running.
662
422
If a checker already exists, leave it running and do
663
423
nothing."""
664
424
# The reason for not killing a running checker is that if we
665
# did that, and if a checker (for some reason) started running
666
# slowly and taking more than 'interval' time, then the client
667
# would inevitably timeout, since no checker would get a
668
# chance to run to completion. If we instead leave running
425
# did that, then if a checker (for some reason) started
426
# running slowly and taking more than 'interval' time, the
427
# client would inevitably timeout, since no checker would get
428
# a chance to run to completion. If we instead leave running
669
429
# checkers alone, the checker would have to take more time
670
430
# than 'timeout' for the client to be disabled, which is as it
671
431
# should be.
673
433
# If a checker exists, make sure it is not a zombie
674
434
try:
675
435
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
676
except AttributeError:
677
pass
678
except OSError as error:
679
if error.errno != errno.ECHILD:
680
raise
436
except (AttributeError, OSError), error:
437
if (isinstance(error, OSError)
438
and error.errno != errno.ECHILD):
439
raise error
681
440
else:
682
441
if pid:
683
logger.warning("Checker was a zombie")
442
logger.warning(u"Checker was a zombie")
684
443
gobject.source_remove(self.checker_callback_tag)
685
444
self.checker_callback(pid, status,
686
445
self.current_checker_command)
687
446
# Start a new checker if needed
688
447
if self.checker is None:
689
# Escape attributes for the shell
690
escaped_attrs = { attr:
691
re.escape(str(getattr(self, attr)))
692
for attr in self.runtime_expansions }
693
448
try:
694
command = self.checker_command % escaped_attrs
695
except TypeError as error:
696
logger.error('Could not format string "%s"',
697
self.checker_command, exc_info=error)
698
return True # Try again later
449
# In case checker_command has exactly one % operator
450
command = self.checker_command % self.host
451
except TypeError:
452
# Escape attributes for the shell
453
escaped_attrs = dict((key,
454
re.escape(unicode(str(val),
455
errors=
456
u'replace')))
457
for key, val in
458
vars(self).iteritems())
459
try:
460
command = self.checker_command % escaped_attrs
461
except TypeError, error:
462
logger.error(u'Could not format string "%s":'
463
u' %s', self.checker_command, error)
464
return True # Try again later
699
465
self.current_checker_command = command
700
466
try:
701
logger.info("Starting checker %r for %s",
467
logger.info(u"Starting checker %r for %s",
702
468
command, self.name)
703
469
# We don't need to redirect stdout and stderr, since
704
470
# in normal mode, that is already done by daemon(),
705
471
# and in debug mode we don't want to. (Stdin is
706
472
# always replaced by /dev/null.)
707
# The exception is when not debugging but nevertheless
708
# running in the foreground; use the previously
709
# created wnull.
710
popen_args = {}
711
if (not self.server_settings["debug"]
712
and self.server_settings["foreground"]):
713
popen_args.update({"stdout": wnull,
714
"stderr": wnull })
715
473
self.checker = subprocess.Popen(command,
716
474
close_fds=True,
717
shell=True, cwd="/",
718
**popen_args)
719
except OSError as error:
720
logger.error("Failed to start subprocess",
721
exc_info=error)
722
return True
723
self.checker_callback_tag = (gobject.child_watch_add
724
(self.checker.pid,
725
self.checker_callback,
726
data=command))
727
# The checker may have completed before the gobject
728
# watch was added. Check for this.
729
try:
475
shell=True, cwd=u"/")
476
self.checker_callback_tag = (gobject.child_watch_add
477
(self.checker.pid,
478
self.checker_callback,
479
data=command))
480
# The checker may have completed before the gobject
481
# watch was added. Check for this.
730
482
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
731
except OSError as error:
732
if error.errno == errno.ECHILD:
733
# This should never happen
734
logger.error("Child process vanished",
735
exc_info=error)
736
return True
737
raise
738
if pid:
739
gobject.source_remove(self.checker_callback_tag)
740
self.checker_callback(pid, status, command)
483
if pid:
484
gobject.source_remove(self.checker_callback_tag)
485
self.checker_callback(pid, status, command)
486
except OSError, error:
487
logger.error(u"Failed to start subprocess: %s",
488
error)
741
489
# Re-run this periodically if run by gobject.timeout_add
742
490
return True
743
491
746
494
if self.checker_callback_tag:
747
495
gobject.source_remove(self.checker_callback_tag)
748
496
self.checker_callback_tag = None
749
if getattr(self, "checker", None) is None:
497
if getattr(self, u"checker", None) is None:
750
498
return
751
logger.debug("Stopping checker for %(name)s", vars(self))
499
logger.debug(u"Stopping checker for %(name)s", vars(self))
752
500
try:
753
self.checker.terminate()
501
os.kill(self.checker.pid, signal.SIGTERM)
754
502
#time.sleep(0.5)
755
503
#if self.checker.poll() is None:
756
# self.checker.kill()
757
except OSError as error:
504
# os.kill(self.checker.pid, signal.SIGKILL)
505
except OSError, error:
758
506
if error.errno != errno.ESRCH: # No such process
759
507
raise
760
508
self.checker = None
761
509
762
763
def dbus_service_property(dbus_interface, signature="v",
764
access="readwrite", byte_arrays=False):
510
def dbus_service_property(dbus_interface, signature=u"v",
511
access=u"readwrite", byte_arrays=False):
765
512
"""Decorators for marking methods of a DBusObjectWithProperties to
766
513
become properties on the D-Bus.
767
514
774
521
"""
775
522
# Encoding deeply encoded byte arrays is not supported yet by the
776
523
# "Set" method, so we fail early here:
777
if byte_arrays and signature != "ay":
778
raise ValueError("Byte arrays not supported for non-'ay'"
779
" signature {!r}".format(signature))
524
if byte_arrays and signature != u"ay":
525
raise ValueError(u"Byte arrays not supported for non-'ay'"
526
u" signature %r" % signature)
780
527
def decorator(func):
781
528
func._dbus_is_property = True
782
529
func._dbus_interface = dbus_interface
783
530
func._dbus_signature = signature
784
531
func._dbus_access = access
785
532
func._dbus_name = func.__name__
786
if func._dbus_name.endswith("_dbus_property"):
533
if func._dbus_name.endswith(u"_dbus_property"):
787
534
func._dbus_name = func._dbus_name[:-14]
788
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
789
return func
790
return decorator
791
792
793
def dbus_interface_annotations(dbus_interface):
794
"""Decorator for marking functions returning interface annotations
795
796
Usage:
797
798
@dbus_interface_annotations("org.example.Interface")
799
def _foo(self): # Function name does not matter
800
return {"org.freedesktop.DBus.Deprecated": "true",
801
"org.freedesktop.DBus.Property.EmitsChangedSignal":
802
"false"}
803
"""
804
def decorator(func):
805
func._dbus_is_interface = True
806
func._dbus_interface = dbus_interface
807
func._dbus_name = dbus_interface
808
return func
809
return decorator
810
811
812
def dbus_annotations(annotations):
813
"""Decorator to annotate D-Bus methods, signals or properties
814
Usage:
815
816
@dbus_service_property("org.example.Interface", signature="b",
817
access="r")
818
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
819
"org.freedesktop.DBus.Property."
820
"EmitsChangedSignal": "false"})
821
def Property_dbus_property(self):
822
return dbus.Boolean(False)
823
"""
824
def decorator(func):
825
func._dbus_annotations = annotations
535
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
826
536
return func
827
537
return decorator
828
538
830
540
class DBusPropertyException(dbus.exceptions.DBusException):
831
541
"""A base class for D-Bus property-related exceptions
832
542
"""
833
pass
543
def __unicode__(self):
544
return unicode(str(self))
545
834
546
835
547
class DBusPropertyAccessException(DBusPropertyException):
836
548
"""A property's access permissions disallows an operation.
846
558
847
559
class DBusObjectWithProperties(dbus.service.Object):
848
560
"""A D-Bus object with properties.
849
561
850
562
Classes inheriting from this can use the dbus_service_property
851
563
decorator to expose methods as D-Bus properties. It exposes the
852
564
standard Get(), Set(), and GetAll() methods on the D-Bus.
853
565
"""
854
566
855
567
@staticmethod
856
def _is_dbus_thing(thing):
857
"""Returns a function testing if an attribute is a D-Bus thing
858
859
If called like _is_dbus_thing("method") it returns a function
860
suitable for use as predicate to inspect.getmembers().
861
"""
862
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
863
False)
568
def _is_dbus_property(obj):
569
return getattr(obj, u"_dbus_is_property", False)
864
570
865
def _get_all_dbus_things(self, thing):
571
def _get_all_dbus_properties(self):
866
572
"""Returns a generator of (name, attribute) pairs
867
573
"""
868
return ((getattr(athing.__get__(self), "_dbus_name",
869
name),
870
athing.__get__(self))
871
for cls in self.__class__.__mro__
872
for name, athing in
873
inspect.getmembers(cls,
874
self._is_dbus_thing(thing)))
574
return ((prop._dbus_name, prop)
575
for name, prop in
576
inspect.getmembers(self, self._is_dbus_property))
875
577
876
578
def _get_dbus_property(self, interface_name, property_name):
877
579
"""Returns a bound method if one exists which is a D-Bus
878
580
property with the specified name and interface.
879
581
"""
880
for cls in self.__class__.__mro__:
881
for name, value in (inspect.getmembers
882
(cls,
883
self._is_dbus_thing("property"))):
884
if (value._dbus_name == property_name
885
and value._dbus_interface == interface_name):
886
return value.__get__(self)
887
582
for name in (property_name,
583
property_name + u"_dbus_property"):
584
prop = getattr(self, name, None)
585
if (prop is None
586
or not self._is_dbus_property(prop)
587
or prop._dbus_name != property_name
588
or (interface_name and prop._dbus_interface
589
and interface_name != prop._dbus_interface)):
590
continue
591
return prop
888
592
# No such property
889
raise DBusPropertyNotFound(self.dbus_object_path + ":"
890
+ interface_name + "."
593
raise DBusPropertyNotFound(self.dbus_object_path + u":"
594
+ interface_name + u"."
891
595
+ property_name)
892
596
893
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
894
out_signature="v")
597
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
598
out_signature=u"v")
895
599
def Get(self, interface_name, property_name):
896
600
"""Standard D-Bus property Get() method, see D-Bus standard.
897
601
"""
898
602
prop = self._get_dbus_property(interface_name, property_name)
899
if prop._dbus_access == "write":
603
if prop._dbus_access == u"write":
900
604
raise DBusPropertyAccessException(property_name)
901
605
value = prop()
902
if not hasattr(value, "variant_level"):
606
if not hasattr(value, u"variant_level"):
903
607
return value
904
608
return type(value)(value, variant_level=value.variant_level+1)
905
609
906
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
610
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
907
611
def Set(self, interface_name, property_name, value):
908
612
"""Standard D-Bus property Set() method, see D-Bus standard.
909
613
"""
910
614
prop = self._get_dbus_property(interface_name, property_name)
911
if prop._dbus_access == "read":
615
if prop._dbus_access == u"read":
912
616
raise DBusPropertyAccessException(property_name)
913
if prop._dbus_get_args_options["byte_arrays"]:
617
if prop._dbus_get_args_options[u"byte_arrays"]:
914
618
# The byte_arrays option is not supported yet on
915
619
# signatures other than "ay".
916
if prop._dbus_signature != "ay":
917
raise ValueError("Byte arrays not supported for non-"
918
"'ay' signature {!r}"
919
.format(prop._dbus_signature))
920
value = dbus.ByteArray(b''.join(chr(byte)
921
for byte in value))
620
if prop._dbus_signature != u"ay":
621
raise ValueError
622
value = dbus.ByteArray(''.join(unichr(byte)
623
for byte in value))
922
624
prop(value)
923
625
924
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
925
out_signature="a{sv}")
626
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
627
out_signature=u"a{sv}")
926
628
def GetAll(self, interface_name):
927
629
"""Standard D-Bus property GetAll() method, see D-Bus
928
630
standard.
929
631
930
632
Note: Will not include properties with access="write".
931
633
"""
932
properties = {}
933
for name, prop in self._get_all_dbus_things("property"):
634
all = {}
635
for name, prop in self._get_all_dbus_properties():
934
636
if (interface_name
935
637
and interface_name != prop._dbus_interface):
936
638
# Interface non-empty but did not match
937
639
continue
938
640
# Ignore write-only properties
939
if prop._dbus_access == "write":
641
if prop._dbus_access == u"write":
940
642
continue
941
643
value = prop()
942
if not hasattr(value, "variant_level"):
943
properties[name] = value
644
if not hasattr(value, u"variant_level"):
645
all[name] = value
944
646
continue
945
properties[name] = type(value)(value, variant_level=
946
value.variant_level+1)
947
return dbus.Dictionary(properties, signature="sv")
647
all[name] = type(value)(value, variant_level=
648
value.variant_level+1)
649
return dbus.Dictionary(all, signature=u"sv")
948
650
949
651
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
950
out_signature="s",
652
out_signature=u"s",
951
653
path_keyword='object_path',
952
654
connection_keyword='connection')
953
655
def Introspect(self, object_path, connection):
954
"""Overloading of standard D-Bus method.
955
956
Inserts property tags and interface annotation tags.
656
"""Standard D-Bus method, overloaded to insert property tags.
957
657
"""
958
658
xmlstring = dbus.service.Object.Introspect(self, object_path,
959
659
connection)
960
660
try:
961
661
document = xml.dom.minidom.parseString(xmlstring)
962
662
def make_tag(document, name, prop):
963
e = document.createElement("property")
964
e.setAttribute("name", name)
965
e.setAttribute("type", prop._dbus_signature)
966
e.setAttribute("access", prop._dbus_access)
663
e = document.createElement(u"property")
664
e.setAttribute(u"name", name)
665
e.setAttribute(u"type", prop._dbus_signature)
666
e.setAttribute(u"access", prop._dbus_access)
967
667
return e
968
for if_tag in document.getElementsByTagName("interface"):
969
# Add property tags
668
for if_tag in document.getElementsByTagName(u"interface"):
970
669
for tag in (make_tag(document, name, prop)
971
670
for name, prop
972
in self._get_all_dbus_things("property")
671
in self._get_all_dbus_properties()
973
672
if prop._dbus_interface
974
== if_tag.getAttribute("name")):
673
== if_tag.getAttribute(u"name")):
975
674
if_tag.appendChild(tag)
976
# Add annotation tags
977
for typ in ("method", "signal", "property"):
978
for tag in if_tag.getElementsByTagName(typ):
979
annots = dict()
980
for name, prop in (self.
981
_get_all_dbus_things(typ)):
982
if (name == tag.getAttribute("name")
983
and prop._dbus_interface
984
== if_tag.getAttribute("name")):
985
annots.update(getattr
986
(prop,
987
"_dbus_annotations",
988
{}))
989
for name, value in annots.items():
990
ann_tag = document.createElement(
991
"annotation")
992
ann_tag.setAttribute("name", name)
993
ann_tag.setAttribute("value", value)
994
tag.appendChild(ann_tag)
995
# Add interface annotation tags
996
for annotation, value in dict(
997
itertools.chain.from_iterable(
998
annotations().items()
999
for name, annotations in
1000
self._get_all_dbus_things("interface")
1001
if name == if_tag.getAttribute("name")
1002
)).items():
1003
ann_tag = document.createElement("annotation")
1004
ann_tag.setAttribute("name", annotation)
1005
ann_tag.setAttribute("value", value)
1006
if_tag.appendChild(ann_tag)
1007
675
# Add the names to the return values for the
1008
676
# "org.freedesktop.DBus.Properties" methods
1009
if (if_tag.getAttribute("name")
1010
== "org.freedesktop.DBus.Properties"):
1011
for cn in if_tag.getElementsByTagName("method"):
1012
if cn.getAttribute("name") == "Get":
1013
for arg in cn.getElementsByTagName("arg"):
1014
if (arg.getAttribute("direction")
1015
== "out"):
1016
arg.setAttribute("name", "value")
1017
elif cn.getAttribute("name") == "GetAll":
1018
for arg in cn.getElementsByTagName("arg"):
1019
if (arg.getAttribute("direction")
1020
== "out"):
1021
arg.setAttribute("name", "props")
1022
xmlstring = document.toxml("utf-8")
677
if (if_tag.getAttribute(u"name")
678
== u"org.freedesktop.DBus.Properties"):
679
for cn in if_tag.getElementsByTagName(u"method"):
680
if cn.getAttribute(u"name") == u"Get":
681
for arg in cn.getElementsByTagName(u"arg"):
682
if (arg.getAttribute(u"direction")
683
== u"out"):
684
arg.setAttribute(u"name", u"value")
685
elif cn.getAttribute(u"name") == u"GetAll":
686
for arg in cn.getElementsByTagName(u"arg"):
687
if (arg.getAttribute(u"direction")
688
== u"out"):
689
arg.setAttribute(u"name", u"props")
690
xmlstring = document.toxml(u"utf-8")
1023
691
document.unlink()
1024
692
except (AttributeError, xml.dom.DOMException,
1025
xml.parsers.expat.ExpatError) as error:
1026
logger.error("Failed to override Introspection method",
1027
exc_info=error)
693
xml.parsers.expat.ExpatError), error:
694
logger.error(u"Failed to override Introspection method",
695
error)
1028
696
return xmlstring
1029
697
1030
698
1031
def datetime_to_dbus(dt, variant_level=0):
1032
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1033
if dt is None:
1034
return dbus.String("", variant_level = variant_level)
1035
return dbus.String(dt.isoformat(),
1036
variant_level=variant_level)
1037
1038
1039
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1040
"""A class decorator; applied to a subclass of
1041
dbus.service.Object, it will add alternate D-Bus attributes with
1042
interface names according to the "alt_interface_names" mapping.
1043
Usage:
1044
1045
@alternate_dbus_interfaces({"org.example.Interface":
1046
"net.example.AlternateInterface"})
1047
class SampleDBusObject(dbus.service.Object):
1048
@dbus.service.method("org.example.Interface")
1049
def SampleDBusMethod():
1050
pass
1051
1052
The above "SampleDBusMethod" on "SampleDBusObject" will be
1053
reachable via two interfaces: "org.example.Interface" and
1054
"net.example.AlternateInterface", the latter of which will have
1055
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1056
"true", unless "deprecate" is passed with a False value.
1057
1058
This works for methods and signals, and also for D-Bus properties
1059
(from DBusObjectWithProperties) and interfaces (from the
1060
dbus_interface_annotations decorator).
1061
"""
1062
def wrapper(cls):
1063
for orig_interface_name, alt_interface_name in (
1064
alt_interface_names.items()):
1065
attr = {}
1066
interface_names = set()
1067
# Go though all attributes of the class
1068
for attrname, attribute in inspect.getmembers(cls):
1069
# Ignore non-D-Bus attributes, and D-Bus attributes
1070
# with the wrong interface name
1071
if (not hasattr(attribute, "_dbus_interface")
1072
or not attribute._dbus_interface
1073
.startswith(orig_interface_name)):
1074
continue
1075
# Create an alternate D-Bus interface name based on
1076
# the current name
1077
alt_interface = (attribute._dbus_interface
1078
.replace(orig_interface_name,
1079
alt_interface_name))
1080
interface_names.add(alt_interface)
1081
# Is this a D-Bus signal?
1082
if getattr(attribute, "_dbus_is_signal", False):
1083
# Extract the original non-method undecorated
1084
# function by black magic
1085
nonmethod_func = (dict(
1086
zip(attribute.func_code.co_freevars,
1087
attribute.__closure__))["func"]
1088
.cell_contents)
1089
# Create a new, but exactly alike, function
1090
# object, and decorate it to be a new D-Bus signal
1091
# with the alternate D-Bus interface name
1092
new_function = (dbus.service.signal
1093
(alt_interface,
1094
attribute._dbus_signature)
1095
(types.FunctionType(
1096
nonmethod_func.func_code,
1097
nonmethod_func.func_globals,
1098
nonmethod_func.func_name,
1099
nonmethod_func.func_defaults,
1100
nonmethod_func.func_closure)))
1101
# Copy annotations, if any
1102
try:
1103
new_function._dbus_annotations = (
1104
dict(attribute._dbus_annotations))
1105
except AttributeError:
1106
pass
1107
# Define a creator of a function to call both the
1108
# original and alternate functions, so both the
1109
# original and alternate signals gets sent when
1110
# the function is called
1111
def fixscope(func1, func2):
1112
"""This function is a scope container to pass
1113
func1 and func2 to the "call_both" function
1114
outside of its arguments"""
1115
def call_both(*args, **kwargs):
1116
"""This function will emit two D-Bus
1117
signals by calling func1 and func2"""
1118
func1(*args, **kwargs)
1119
func2(*args, **kwargs)
1120
return call_both
1121
# Create the "call_both" function and add it to
1122
# the class
1123
attr[attrname] = fixscope(attribute, new_function)
1124
# Is this a D-Bus method?
1125
elif getattr(attribute, "_dbus_is_method", False):
1126
# Create a new, but exactly alike, function
1127
# object. Decorate it to be a new D-Bus method
1128
# with the alternate D-Bus interface name. Add it
1129
# to the class.
1130
attr[attrname] = (dbus.service.method
1131
(alt_interface,
1132
attribute._dbus_in_signature,
1133
attribute._dbus_out_signature)
1134
(types.FunctionType
1135
(attribute.func_code,
1136
attribute.func_globals,
1137
attribute.func_name,
1138
attribute.func_defaults,
1139
attribute.func_closure)))
1140
# Copy annotations, if any
1141
try:
1142
attr[attrname]._dbus_annotations = (
1143
dict(attribute._dbus_annotations))
1144
except AttributeError:
1145
pass
1146
# Is this a D-Bus property?
1147
elif getattr(attribute, "_dbus_is_property", False):
1148
# Create a new, but exactly alike, function
1149
# object, and decorate it to be a new D-Bus
1150
# property with the alternate D-Bus interface
1151
# name. Add it to the class.
1152
attr[attrname] = (dbus_service_property
1153
(alt_interface,
1154
attribute._dbus_signature,
1155
attribute._dbus_access,
1156
attribute
1157
._dbus_get_args_options
1158
["byte_arrays"])
1159
(types.FunctionType
1160
(attribute.func_code,
1161
attribute.func_globals,
1162
attribute.func_name,
1163
attribute.func_defaults,
1164
attribute.func_closure)))
1165
# Copy annotations, if any
1166
try:
1167
attr[attrname]._dbus_annotations = (
1168
dict(attribute._dbus_annotations))
1169
except AttributeError:
1170
pass
1171
# Is this a D-Bus interface?
1172
elif getattr(attribute, "_dbus_is_interface", False):
1173
# Create a new, but exactly alike, function
1174
# object. Decorate it to be a new D-Bus interface
1175
# with the alternate D-Bus interface name. Add it
1176
# to the class.
1177
attr[attrname] = (dbus_interface_annotations
1178
(alt_interface)
1179
(types.FunctionType
1180
(attribute.func_code,
1181
attribute.func_globals,
1182
attribute.func_name,
1183
attribute.func_defaults,
1184
attribute.func_closure)))
1185
if deprecate:
1186
# Deprecate all alternate interfaces
1187
iname="_AlternateDBusNames_interface_annotation{}"
1188
for interface_name in interface_names:
1189
@dbus_interface_annotations(interface_name)
1190
def func(self):
1191
return { "org.freedesktop.DBus.Deprecated":
1192
"true" }
1193
# Find an unused name
1194
for aname in (iname.format(i)
1195
for i in itertools.count()):
1196
if aname not in attr:
1197
attr[aname] = func
1198
break
1199
if interface_names:
1200
# Replace the class with a new subclass of it with
1201
# methods, signals, etc. as created above.
1202
cls = type(b"{}Alternate".format(cls.__name__),
1203
(cls,), attr)
1204
return cls
1205
return wrapper
1206
1207
1208
@alternate_dbus_interfaces({"se.recompile.Mandos":
1209
"se.bsnet.fukt.Mandos"})
1210
699
class ClientDBus(Client, DBusObjectWithProperties):
1211
700
"""A Client class using D-Bus
1212
701
1214
703
dbus_object_path: dbus.ObjectPath
1215
704
bus: dbus.SystemBus()
1216
705
"""
1217
1218
runtime_expansions = (Client.runtime_expansions
1219
+ ("dbus_object_path",))
1220
1221
706
# dbus.service.Object doesn't use super(), so we can't either.
1222
707
1223
708
def __init__(self, bus = None, *args, **kwargs):
709
self._approvals_pending = 0
1224
710
self.bus = bus
1225
711
Client.__init__(self, *args, **kwargs)
1226
712
# Only now, when this client is initialized, can it show up on
1227
713
# the D-Bus
1228
client_object_name = str(self.name).translate(
1229
{ord("."): ord("_"),
1230
ord("-"): ord("_")})
1231
714
self.dbus_object_path = (dbus.ObjectPath
1232
("/clients/" + client_object_name))
715
(u"/clients/"
716
+ self.name.replace(u".", u"_")))
1233
717
DBusObjectWithProperties.__init__(self, self.bus,
1234
718
self.dbus_object_path)
1235
1236
def notifychangeproperty(transform_func,
1237
dbus_name, type_func=lambda x: x,
1238
variant_level=1):
1239
""" Modify a variable so that it's a property which announces
1240
its changes to DBus.
1241
1242
transform_fun: Function that takes a value and a variant_level
1243
and transforms it to a D-Bus type.
1244
dbus_name: D-Bus name of the variable
1245
type_func: Function that transform the value before sending it
1246
to the D-Bus. Default: no transform
1247
variant_level: D-Bus variant level. Default: 1
1248
"""
1249
attrname = "_{}".format(dbus_name)
1250
def setter(self, value):
1251
if hasattr(self, "dbus_object_path"):
1252
if (not hasattr(self, attrname) or
1253
type_func(getattr(self, attrname, None))
1254
!= type_func(value)):
1255
dbus_value = transform_func(type_func(value),
1256
variant_level
1257
=variant_level)
1258
self.PropertyChanged(dbus.String(dbus_name),
1259
dbus_value)
1260
setattr(self, attrname, value)
1261
1262
return property(lambda self: getattr(self, attrname), setter)
1263
1264
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1265
approvals_pending = notifychangeproperty(dbus.Boolean,
1266
"ApprovalPending",
1267
type_func = bool)
1268
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1269
last_enabled = notifychangeproperty(datetime_to_dbus,
1270
"LastEnabled")
1271
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1272
type_func = lambda checker:
1273
checker is not None)
1274
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1275
"LastCheckedOK")
1276
last_checker_status = notifychangeproperty(dbus.Int16,
1277
"LastCheckerStatus")
1278
last_approval_request = notifychangeproperty(
1279
datetime_to_dbus, "LastApprovalRequest")
1280
approved_by_default = notifychangeproperty(dbus.Boolean,
1281
"ApprovedByDefault")
1282
approval_delay = notifychangeproperty(dbus.UInt64,
1283
"ApprovalDelay",
1284
type_func =
1285
lambda td: td.total_seconds()
1286
* 1000)
1287
approval_duration = notifychangeproperty(
1288
dbus.UInt64, "ApprovalDuration",
1289
type_func = lambda td: td.total_seconds() * 1000)
1290
host = notifychangeproperty(dbus.String, "Host")
1291
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1292
type_func = lambda td:
1293
td.total_seconds() * 1000)
1294
extended_timeout = notifychangeproperty(
1295
dbus.UInt64, "ExtendedTimeout",
1296
type_func = lambda td: td.total_seconds() * 1000)
1297
interval = notifychangeproperty(dbus.UInt64,
1298
"Interval",
1299
type_func =
1300
lambda td: td.total_seconds()
1301
* 1000)
1302
checker_command = notifychangeproperty(dbus.String, "Checker")
1303
1304
del notifychangeproperty
719
720
def _get_approvals_pending(self):
721
return self._approvals_pending
722
def _set_approvals_pending(self, value):
723
old_value = self._approvals_pending
724
self._approvals_pending = value
725
bval = bool(value)
726
if (hasattr(self, "dbus_object_path")
727
and bval is not bool(old_value)):
728
dbus_bool = dbus.Boolean(bval, variant_level=1)
729
self.PropertyChanged(dbus.String(u"ApprovalPending"),
730
dbus_bool)
731
732
approvals_pending = property(_get_approvals_pending,
733
_set_approvals_pending)
734
del _get_approvals_pending, _set_approvals_pending
735
736
@staticmethod
737
def _datetime_to_dbus(dt, variant_level=0):
738
"""Convert a UTC datetime.datetime() to a D-Bus type."""
739
return dbus.String(dt.isoformat(),
740
variant_level=variant_level)
741
742
def enable(self):
743
oldstate = getattr(self, u"enabled", False)
744
r = Client.enable(self)
745
if oldstate != self.enabled:
746
# Emit D-Bus signals
747
self.PropertyChanged(dbus.String(u"Enabled"),
748
dbus.Boolean(True, variant_level=1))
749
self.PropertyChanged(
750
dbus.String(u"LastEnabled"),
751
self._datetime_to_dbus(self.last_enabled,
752
variant_level=1))
753
return r
754
755
def disable(self, quiet = False):
756
oldstate = getattr(self, u"enabled", False)
757
r = Client.disable(self, quiet=quiet)
758
if not quiet and oldstate != self.enabled:
759
# Emit D-Bus signal
760
self.PropertyChanged(dbus.String(u"Enabled"),
761
dbus.Boolean(False, variant_level=1))
762
return r
1305
763
1306
764
def __del__(self, *args, **kwargs):
1307
765
try:
1308
766
self.remove_from_connection()
1309
767
except LookupError:
1310
768
pass
1311
if hasattr(DBusObjectWithProperties, "__del__"):
769
if hasattr(DBusObjectWithProperties, u"__del__"):
1312
770
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1313
771
Client.__del__(self, *args, **kwargs)
1314
772
1316
774
*args, **kwargs):
1317
775
self.checker_callback_tag = None
1318
776
self.checker = None
777
# Emit D-Bus signal
778
self.PropertyChanged(dbus.String(u"CheckerRunning"),
779
dbus.Boolean(False, variant_level=1))
1319
780
if os.WIFEXITED(condition):
1320
781
exitstatus = os.WEXITSTATUS(condition)
1321
782
# Emit D-Bus signal
1331
792
return Client.checker_callback(self, pid, condition, command,
1332
793
*args, **kwargs)
1333
794
795
def checked_ok(self, *args, **kwargs):
796
r = Client.checked_ok(self, *args, **kwargs)
797
# Emit D-Bus signal
798
self.PropertyChanged(
799
dbus.String(u"LastCheckedOK"),
800
(self._datetime_to_dbus(self.last_checked_ok,
801
variant_level=1)))
802
return r
803
1334
804
def start_checker(self, *args, **kwargs):
1335
old_checker_pid = getattr(self.checker, "pid", None)
805
old_checker = self.checker
806
if self.checker is not None:
807
old_checker_pid = self.checker.pid
808
else:
809
old_checker_pid = None
1336
810
r = Client.start_checker(self, *args, **kwargs)
1337
811
# Only if new checker process was started
1338
812
if (self.checker is not None
1339
813
and old_checker_pid != self.checker.pid):
1340
814
# Emit D-Bus signal
1341
815
self.CheckerStarted(self.current_checker_command)
816
self.PropertyChanged(
817
dbus.String(u"CheckerRunning"),
818
dbus.Boolean(True, variant_level=1))
1342
819
return r
1343
820
821
def stop_checker(self, *args, **kwargs):
822
old_checker = getattr(self, u"checker", None)
823
r = Client.stop_checker(self, *args, **kwargs)
824
if (old_checker is not None
825
and getattr(self, u"checker", None) is None):
826
self.PropertyChanged(dbus.String(u"CheckerRunning"),
827
dbus.Boolean(False, variant_level=1))
828
return r
829
1344
830
def _reset_approved(self):
1345
self.approved = None
831
self._approved = None
1346
832
return False
1347
833
1348
834
def approve(self, value=True):
1349
self.approved = value
1350
gobject.timeout_add(int(self.approval_duration.total_seconds()
1351
* 1000), self._reset_approved)
1352
835
self.send_changedstate()
836
self._approved = value
837
gobject.timeout_add(self._timedelta_to_milliseconds
838
(self.approval_duration),
839
self._reset_approved)
840
1353
841
1354
842
## D-Bus methods, signals & properties
1355
_interface = "se.recompile.Mandos.Client"
1356
1357
## Interfaces
1358
1359
@dbus_interface_annotations(_interface)
1360
def _foo(self):
1361
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1362
"false"}
843
_interface = u"se.bsnet.fukt.Mandos.Client"
1363
844
1364
845
## Signals
1365
846
1366
847
# CheckerCompleted - signal
1367
@dbus.service.signal(_interface, signature="nxs")
848
@dbus.service.signal(_interface, signature=u"nxs")
1368
849
def CheckerCompleted(self, exitcode, waitstatus, command):
1369
850
"D-Bus signal"
1370
851
pass
1371
852
1372
853
# CheckerStarted - signal
1373
@dbus.service.signal(_interface, signature="s")
854
@dbus.service.signal(_interface, signature=u"s")
1374
855
def CheckerStarted(self, command):
1375
856
"D-Bus signal"
1376
857
pass
1377
858
1378
859
# PropertyChanged - signal
1379
@dbus.service.signal(_interface, signature="sv")
860
@dbus.service.signal(_interface, signature=u"sv")
1380
861
def PropertyChanged(self, property, value):
1381
862
"D-Bus signal"
1382
863
pass
1391
872
pass
1392
873
1393
874
# Rejected - signal
1394
@dbus.service.signal(_interface, signature="s")
875
@dbus.service.signal(_interface, signature=u"s")
1395
876
def Rejected(self, reason):
1396
877
"D-Bus signal"
1397
878
pass
1398
879
1399
880
# NeedApproval - signal
1400
@dbus.service.signal(_interface, signature="tb")
881
@dbus.service.signal(_interface, signature=u"tb")
1401
882
def NeedApproval(self, timeout, default):
1402
883
"D-Bus signal"
1403
return self.need_approval()
884
pass
1404
885
1405
886
## Methods
1406
887
1407
888
# Approve - method
1408
@dbus.service.method(_interface, in_signature="b")
889
@dbus.service.method(_interface, in_signature=u"b")
1409
890
def Approve(self, value):
1410
891
self.approve(value)
1411
892
1412
893
# CheckedOK - method
1413
894
@dbus.service.method(_interface)
1414
895
def CheckedOK(self):
1415
self.checked_ok()
896
return self.checked_ok()
1416
897
1417
898
# Enable - method
1418
899
@dbus.service.method(_interface)
1440
921
## Properties
1441
922
1442
923
# ApprovalPending - property
1443
@dbus_service_property(_interface, signature="b", access="read")
924
@dbus_service_property(_interface, signature=u"b", access=u"read")
1444
925
def ApprovalPending_dbus_property(self):
1445
926
return dbus.Boolean(bool(self.approvals_pending))
1446
927
1447
928
# ApprovedByDefault - property
1448
@dbus_service_property(_interface, signature="b",
1449
access="readwrite")
929
@dbus_service_property(_interface, signature=u"b",
930
access=u"readwrite")
1450
931
def ApprovedByDefault_dbus_property(self, value=None):
1451
932
if value is None: # get
1452
933
return dbus.Boolean(self.approved_by_default)
1453
934
self.approved_by_default = bool(value)
935
# Emit D-Bus signal
936
self.PropertyChanged(dbus.String(u"ApprovedByDefault"),
937
dbus.Boolean(value, variant_level=1))
1454
938
1455
939
# ApprovalDelay - property
1456
@dbus_service_property(_interface, signature="t",
1457
access="readwrite")
940
@dbus_service_property(_interface, signature=u"t",
941
access=u"readwrite")
1458
942
def ApprovalDelay_dbus_property(self, value=None):
1459
943
if value is None: # get
1460
return dbus.UInt64(self.approval_delay.total_seconds()
1461
* 1000)
944
return dbus.UInt64(self.approval_delay_milliseconds())
1462
945
self.approval_delay = datetime.timedelta(0, 0, 0, value)
946
# Emit D-Bus signal
947
self.PropertyChanged(dbus.String(u"ApprovalDelay"),
948
dbus.UInt64(value, variant_level=1))
1463
949
1464
950
# ApprovalDuration - property
1465
@dbus_service_property(_interface, signature="t",
1466
access="readwrite")
951
@dbus_service_property(_interface, signature=u"t",
952
access=u"readwrite")
1467
953
def ApprovalDuration_dbus_property(self, value=None):
1468
954
if value is None: # get
1469
return dbus.UInt64(self.approval_duration.total_seconds()
1470
* 1000)
955
return dbus.UInt64(self._timedelta_to_milliseconds(
956
self.approval_duration))
1471
957
self.approval_duration = datetime.timedelta(0, 0, 0, value)
958
# Emit D-Bus signal
959
self.PropertyChanged(dbus.String(u"ApprovalDuration"),
960
dbus.UInt64(value, variant_level=1))
1472
961
1473
962
# Name - property
1474
@dbus_service_property(_interface, signature="s", access="read")
963
@dbus_service_property(_interface, signature=u"s", access=u"read")
1475
964
def Name_dbus_property(self):
1476
965
return dbus.String(self.name)
1477
966
1478
967
# Fingerprint - property
1479
@dbus_service_property(_interface, signature="s", access="read")
968
@dbus_service_property(_interface, signature=u"s", access=u"read")
1480
969
def Fingerprint_dbus_property(self):
1481
970
return dbus.String(self.fingerprint)
1482
971
1483
972
# Host - property
1484
@dbus_service_property(_interface, signature="s",
1485
access="readwrite")
973
@dbus_service_property(_interface, signature=u"s",
974
access=u"readwrite")
1486
975
def Host_dbus_property(self, value=None):
1487
976
if value is None: # get
1488
977
return dbus.String(self.host)
1489
self.host = str(value)
978
self.host = value
979
# Emit D-Bus signal
980
self.PropertyChanged(dbus.String(u"Host"),
981
dbus.String(value, variant_level=1))
1490
982
1491
983
# Created - property
1492
@dbus_service_property(_interface, signature="s", access="read")
984
@dbus_service_property(_interface, signature=u"s", access=u"read")
1493
985
def Created_dbus_property(self):
1494
return datetime_to_dbus(self.created)
986
return dbus.String(self._datetime_to_dbus(self.created))
1495
987
1496
988
# LastEnabled - property
1497
@dbus_service_property(_interface, signature="s", access="read")
989
@dbus_service_property(_interface, signature=u"s", access=u"read")
1498
990
def LastEnabled_dbus_property(self):
1499
return datetime_to_dbus(self.last_enabled)
991
if self.last_enabled is None:
992
return dbus.String(u"")
993
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1500
994
1501
995
# Enabled - property
1502
@dbus_service_property(_interface, signature="b",
1503
access="readwrite")
996
@dbus_service_property(_interface, signature=u"b",
997
access=u"readwrite")
1504
998
def Enabled_dbus_property(self, value=None):
1505
999
if value is None: # get
1506
1000
return dbus.Boolean(self.enabled)
1510
1004
self.disable()
1511
1005
1512
1006
# LastCheckedOK - property
1513
@dbus_service_property(_interface, signature="s",
1514
access="readwrite")
1007
@dbus_service_property(_interface, signature=u"s",
1008
access=u"readwrite")
1515
1009
def LastCheckedOK_dbus_property(self, value=None):
1516
1010
if value is not None:
1517
1011
self.checked_ok()
1518
1012
return
1519
return datetime_to_dbus(self.last_checked_ok)
1520
1521
# LastCheckerStatus - property
1522
@dbus_service_property(_interface, signature="n",
1523
access="read")
1524
def LastCheckerStatus_dbus_property(self):
1525
return dbus.Int16(self.last_checker_status)
1526
1527
# Expires - property
1528
@dbus_service_property(_interface, signature="s", access="read")
1529
def Expires_dbus_property(self):
1530
return datetime_to_dbus(self.expires)
1531
1532
# LastApprovalRequest - property
1533
@dbus_service_property(_interface, signature="s", access="read")
1534
def LastApprovalRequest_dbus_property(self):
1535
return datetime_to_dbus(self.last_approval_request)
1013
if self.last_checked_ok is None:
1014
return dbus.String(u"")
1015
return dbus.String(self._datetime_to_dbus(self
1016
.last_checked_ok))
1536
1017
1537
1018
# Timeout - property
1538
@dbus_service_property(_interface, signature="t",
1539
access="readwrite")
1019
@dbus_service_property(_interface, signature=u"t",
1020
access=u"readwrite")
1540
1021
def Timeout_dbus_property(self, value=None):
1541
1022
if value is None: # get
1542
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1543
old_timeout = self.timeout
1023
return dbus.UInt64(self.timeout_milliseconds())
1544
1024
self.timeout = datetime.timedelta(0, 0, 0, value)
1545
# Reschedule disabling
1546
if self.enabled:
1547
now = datetime.datetime.utcnow()
1548
self.expires += self.timeout - old_timeout
1549
if self.expires <= now:
1550
# The timeout has passed
1551
self.disable()
1552
else:
1553
if (getattr(self, "disable_initiator_tag", None)
1554
is None):
1555
return
1556
gobject.source_remove(self.disable_initiator_tag)
1557
self.disable_initiator_tag = (
1558
gobject.timeout_add(
1559
int((self.expires - now).total_seconds()
1560
* 1000), self.disable))
1561
1562
# ExtendedTimeout - property
1563
@dbus_service_property(_interface, signature="t",
1564
access="readwrite")
1565
def ExtendedTimeout_dbus_property(self, value=None):
1566
if value is None: # get
1567
return dbus.UInt64(self.extended_timeout.total_seconds()
1568
* 1000)
1569
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1025
# Emit D-Bus signal
1026
self.PropertyChanged(dbus.String(u"Timeout"),
1027
dbus.UInt64(value, variant_level=1))
1028
if getattr(self, u"disable_initiator_tag", None) is None:
1029
return
1030
# Reschedule timeout
1031
gobject.source_remove(self.disable_initiator_tag)
1032
self.disable_initiator_tag = None
1033
time_to_die = (self.
1034
_timedelta_to_milliseconds((self
1035
.last_checked_ok
1036
+ self.timeout)
1037
- datetime.datetime
1038
.utcnow()))
1039
if time_to_die <= 0:
1040
# The timeout has passed
1041
self.disable()
1042
else:
1043
self.disable_initiator_tag = (gobject.timeout_add
1044
(time_to_die, self.disable))
1570
1045
1571
1046
# Interval - property
1572
@dbus_service_property(_interface, signature="t",
1573
access="readwrite")
1047
@dbus_service_property(_interface, signature=u"t",
1048
access=u"readwrite")
1574
1049
def Interval_dbus_property(self, value=None):
1575
1050
if value is None: # get
1576
return dbus.UInt64(self.interval.total_seconds() * 1000)
1051
return dbus.UInt64(self.interval_milliseconds())
1577
1052
self.interval = datetime.timedelta(0, 0, 0, value)
1578
if getattr(self, "checker_initiator_tag", None) is None:
1053
# Emit D-Bus signal
1054
self.PropertyChanged(dbus.String(u"Interval"),
1055
dbus.UInt64(value, variant_level=1))
1056
if getattr(self, u"checker_initiator_tag", None) is None:
1579
1057
return
1580
if self.enabled:
1581
# Reschedule checker run
1582
gobject.source_remove(self.checker_initiator_tag)
1583
self.checker_initiator_tag = (gobject.timeout_add
1584
(value, self.start_checker))
1585
self.start_checker() # Start one now, too
1586
1058
# Reschedule checker run
1059
gobject.source_remove(self.checker_initiator_tag)
1060
self.checker_initiator_tag = (gobject.timeout_add
1061
(value, self.start_checker))
1062
self.start_checker() # Start one now, too
1063
1587
1064
# Checker - property
1588
@dbus_service_property(_interface, signature="s",
1589
access="readwrite")
1065
@dbus_service_property(_interface, signature=u"s",
1066
access=u"readwrite")
1590
1067
def Checker_dbus_property(self, value=None):
1591
1068
if value is None: # get
1592
1069
return dbus.String(self.checker_command)
1593
self.checker_command = str(value)
1070
self.checker_command = value
1071
# Emit D-Bus signal
1072
self.PropertyChanged(dbus.String(u"Checker"),
1073
dbus.String(self.checker_command,
1074
variant_level=1))
1594
1075
1595
1076
# CheckerRunning - property
1596
@dbus_service_property(_interface, signature="b",
1597
access="readwrite")
1077
@dbus_service_property(_interface, signature=u"b",
1078
access=u"readwrite")
1598
1079
def CheckerRunning_dbus_property(self, value=None):
1599
1080
if value is None: # get
1600
1081
return dbus.Boolean(self.checker is not None)
1604
1085
self.stop_checker()
1605
1086
1606
1087
# ObjectPath - property
1607
@dbus_service_property(_interface, signature="o", access="read")
1088
@dbus_service_property(_interface, signature=u"o", access=u"read")
1608
1089
def ObjectPath_dbus_property(self):
1609
1090
return self.dbus_object_path # is already a dbus.ObjectPath
1610
1091
1611
1092
# Secret = property
1612
@dbus_service_property(_interface, signature="ay",
1613
access="write", byte_arrays=True)
1093
@dbus_service_property(_interface, signature=u"ay",
1094
access=u"write", byte_arrays=True)
1614
1095
def Secret_dbus_property(self, value):
1615
self.secret = bytes(value)
1096
self.secret = str(value)
1616
1097
1617
1098
del _interface
1618
1099
1623
1104
self._pipe.send(('init', fpr, address))
1624
1105
if not self._pipe.recv():
1625
1106
raise KeyError()
1626
1107
1627
1108
def __getattribute__(self, name):
1628
if name == '_pipe':
1109
if(name == '_pipe'):
1629
1110
return super(ProxyClient, self).__getattribute__(name)
1630
1111
self._pipe.send(('getattr', name))
1631
1112
data = self._pipe.recv()
1636
1117
self._pipe.send(('funcall', name, args, kwargs))
1637
1118
return self._pipe.recv()[1]
1638
1119
return func
1639
1120
1640
1121
def __setattr__(self, name, value):
1641
if name == '_pipe':
1122
if(name == '_pipe'):
1642
1123
return super(ProxyClient, self).__setattr__(name, value)
1643
1124
self._pipe.send(('setattr', name, value))
1644
1125
1651
1132
1652
1133
def handle(self):
1653
1134
with contextlib.closing(self.server.child_pipe) as child_pipe:
1654
logger.info("TCP connection from: %s",
1655
str(self.client_address))
1656
logger.debug("Pipe FD: %d",
1135
logger.info(u"TCP connection from: %s",
1136
unicode(self.client_address))
1137
logger.debug(u"Pipe FD: %d",
1657
1138
self.server.child_pipe.fileno())
1658
1139
1659
1140
session = (gnutls.connection
1660
1141
.ClientSession(self.request,
1661
1142
gnutls.connection
1662
1143
.X509Credentials()))
1663
1144
1664
1145
# Note: gnutls.connection.X509Credentials is really a
1665
1146
# generic GnuTLS certificate credentials object so long as
1666
1147
# no X.509 keys are added to it. Therefore, we can use it
1667
1148
# here despite using OpenPGP certificates.
1668
1669
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1670
# "+AES-256-CBC", "+SHA1",
1671
# "+COMP-NULL", "+CTYPE-OPENPGP",
1672
# "+DHE-DSS"))
1149
1150
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1151
# u"+AES-256-CBC", u"+SHA1",
1152
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1153
# u"+DHE-DSS"))
1673
1154
# Use a fallback default, since this MUST be set.
1674
1155
priority = self.server.gnutls_priority
1675
1156
if priority is None:
1676
priority = "NORMAL"
1157
priority = u"NORMAL"
1677
1158
(gnutls.library.functions
1678
1159
.gnutls_priority_set_direct(session._c_object,
1679
1160
priority, None))
1680
1161
1681
1162
# Start communication using the Mandos protocol
1682
1163
# Get protocol number
1683
1164
line = self.request.makefile().readline()
1684
logger.debug("Protocol version: %r", line)
1165
logger.debug(u"Protocol version: %r", line)
1685
1166
try:
1686
1167
if int(line.strip().split()[0]) > 1:
1687
raise RuntimeError(line)
1688
except (ValueError, IndexError, RuntimeError) as error:
1689
logger.error("Unknown protocol version: %s", error)
1168
raise RuntimeError
1169
except (ValueError, IndexError, RuntimeError), error:
1170
logger.error(u"Unknown protocol version: %s", error)
1690
1171
return
1691
1172
1692
1173
# Start GnuTLS connection
1693
1174
try:
1694
1175
session.handshake()
1695
except gnutls.errors.GNUTLSError as error:
1696
logger.warning("Handshake failed: %s", error)
1176
except gnutls.errors.GNUTLSError, error:
1177
logger.warning(u"Handshake failed: %s", error)
1697
1178
# Do not run session.bye() here: the session is not
1698
1179
# established. Just abandon the request.
1699
1180
return
1700
logger.debug("Handshake succeeded")
1701
1181
logger.debug(u"Handshake succeeded")
1182
1702
1183
approval_required = False
1703
1184
try:
1704
1185
try:
1705
1186
fpr = self.fingerprint(self.peer_certificate
1706
1187
(session))
1707
except (TypeError,
1708
gnutls.errors.GNUTLSError) as error:
1709
logger.warning("Bad certificate: %s", error)
1188
except (TypeError, gnutls.errors.GNUTLSError), error:
1189
logger.warning(u"Bad certificate: %s", error)
1710
1190
return
1711
logger.debug("Fingerprint: %s", fpr)
1712
1191
logger.debug(u"Fingerprint: %s", fpr)
1192
1713
1193
try:
1714
1194
client = ProxyClient(child_pipe, fpr,
1715
1195
self.client_address)
1723
1203
1724
1204
while True:
1725
1205
if not client.enabled:
1726
logger.info("Client %s is disabled",
1206
logger.warning(u"Client %s is disabled",
1727
1207
client.name)
1728
1208
if self.server.use_dbus:
1729
1209
# Emit D-Bus signal
1730
client.Rejected("Disabled")
1210
client.Rejected("Disabled")
1731
1211
return
1732
1212
1733
if client.approved or not client.approval_delay:
1213
if client._approved or not client.approval_delay:
1734
1214
#We are approved or approval is disabled
1735
1215
break
1736
elif client.approved is None:
1737
logger.info("Client %s needs approval",
1216
elif client._approved is None:
1217
logger.info(u"Client %s needs approval",
1738
1218
client.name)
1739
1219
if self.server.use_dbus:
1740
1220
# Emit D-Bus signal
1741
1221
client.NeedApproval(
1742
client.approval_delay.total_seconds()
1743
* 1000, client.approved_by_default)
1222
client.approval_delay_milliseconds(),
1223
client.approved_by_default)
1744
1224
else:
1745
logger.warning("Client %s was not approved",
1225
logger.warning(u"Client %s was not approved",
1746
1226
client.name)
1747
1227
if self.server.use_dbus:
1748
1228
# Emit D-Bus signal
1750
1230
return
1751
1231
1752
1232
#wait until timeout or approved
1233
#x = float(client._timedelta_to_milliseconds(delay))
1753
1234
time = datetime.datetime.now()
1754
1235
client.changedstate.acquire()
1755
client.changedstate.wait(delay.total_seconds())
1236
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1756
1237
client.changedstate.release()
1757
1238
time2 = datetime.datetime.now()
1758
1239
if (time2 - time) >= delay:
1762
1243
client.name)
1763
1244
if self.server.use_dbus:
1764
1245
# Emit D-Bus signal
1765
client.Rejected("Approval timed out")
1246
client.Rejected("Timed out")
1766
1247
return
1767
1248
else:
1768
1249
break
1773
1254
while sent_size < len(client.secret):
1774
1255
try:
1775
1256
sent = session.send(client.secret[sent_size:])
1776
except gnutls.errors.GNUTLSError as error:
1777
logger.warning("gnutls send failed",
1778
exc_info=error)
1257
except (gnutls.errors.GNUTLSError), error:
1258
logger.warning("gnutls send failed")
1779
1259
return
1780
logger.debug("Sent: %d, remaining: %d",
1260
logger.debug(u"Sent: %d, remaining: %d",
1781
1261
sent, len(client.secret)
1782
1262
- (sent_size + sent))
1783
1263
sent_size += sent
1784
1785
logger.info("Sending secret to %s", client.name)
1786
# bump the timeout using extended_timeout
1787
client.bump_timeout(client.extended_timeout)
1264
1265
logger.info(u"Sending secret to %s", client.name)
1266
# bump the timeout as if seen
1267
client.checked_ok()
1788
1268
if self.server.use_dbus:
1789
1269
# Emit D-Bus signal
1790
1270
client.GotSecret()
1794
1274
client.approvals_pending -= 1
1795
1275
try:
1796
1276
session.bye()
1797
except gnutls.errors.GNUTLSError as error:
1798
logger.warning("GnuTLS bye failed",
1799
exc_info=error)
1277
except (gnutls.errors.GNUTLSError), error:
1278
logger.warning("GnuTLS bye failed")
1800
1279
1801
1280
@staticmethod
1802
1281
def peer_certificate(session):
1812
1291
.gnutls_certificate_get_peers
1813
1292
(session._c_object, ctypes.byref(list_size)))
1814
1293
if not bool(cert_list) and list_size.value != 0:
1815
raise gnutls.errors.GNUTLSError("error getting peer"
1816
" certificate")
1294
raise gnutls.errors.GNUTLSError(u"error getting peer"
1295
u" certificate")
1817
1296
if list_size.value == 0:
1818
1297
return None
1819
1298
cert = cert_list[0]
1845
1324
if crtverify.value != 0:
1846
1325
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1847
1326
raise (gnutls.errors.CertificateSecurityError
1848
("Verify failed"))
1327
(u"Verify failed"))
1849
1328
# New buffer for the fingerprint
1850
1329
buf = ctypes.create_string_buffer(20)
1851
1330
buf_len = ctypes.c_size_t()
1858
1337
# Convert the buffer to a Python bytestring
1859
1338
fpr = ctypes.string_at(buf, buf_len.value)
1860
1339
# Convert the bytestring to hexadecimal notation
1861
hex_fpr = binascii.hexlify(fpr).upper()
1340
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1862
1341
return hex_fpr
1863
1342
1864
1343
1867
1346
def sub_process_main(self, request, address):
1868
1347
try:
1869
1348
self.finish_request(request, address)
1870
except Exception:
1349
except:
1871
1350
self.handle_error(request, address)
1872
1351
self.close_request(request)
1873
1352
1874
1353
def process_request(self, request, address):
1875
1354
"""Start a new process to process the request."""
1876
proc = multiprocessing.Process(target = self.sub_process_main,
1877
args = (request, address))
1878
proc.start()
1879
return proc
1880
1355
multiprocessing.Process(target = self.sub_process_main,
1356
args = (request, address)).start()
1881
1357
1882
1358
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1883
1359
""" adds a pipe to the MixIn """
1887
1363
This function creates a new pipe in self.pipe
1888
1364
"""
1889
1365
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1890
1891
proc = MultiprocessingMixIn.process_request(self, request,
1892
client_address)
1366
1367
super(MultiprocessingMixInWithPipe,
1368
self).process_request(request, client_address)
1893
1369
self.child_pipe.close()
1894
self.add_pipe(parent_pipe, proc)
1895
1896
def add_pipe(self, parent_pipe, proc):
1370
self.add_pipe(parent_pipe)
1371
1372
def add_pipe(self, parent_pipe):
1897
1373
"""Dummy function; override as necessary"""
1898
raise NotImplementedError()
1899
1374
pass
1900
1375
1901
1376
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1902
1377
socketserver.TCPServer, object):
1908
1383
use_ipv6: Boolean; to use IPv6 or not
1909
1384
"""
1910
1385
def __init__(self, server_address, RequestHandlerClass,
1911
interface=None, use_ipv6=True, socketfd=None):
1912
"""If socketfd is set, use that file descriptor instead of
1913
creating a new one with socket.socket().
1914
"""
1386
interface=None, use_ipv6=True):
1915
1387
self.interface = interface
1916
1388
if use_ipv6:
1917
1389
self.address_family = socket.AF_INET6
1918
if socketfd is not None:
1919
# Save the file descriptor
1920
self.socketfd = socketfd
1921
# Save the original socket.socket() function
1922
self.socket_socket = socket.socket
1923
# To implement --socket, we monkey patch socket.socket.
1924
#
1925
# (When socketserver.TCPServer is a new-style class, we
1926
# could make self.socket into a property instead of monkey
1927
# patching socket.socket.)
1928
#
1929
# Create a one-time-only replacement for socket.socket()
1930
@functools.wraps(socket.socket)
1931
def socket_wrapper(*args, **kwargs):
1932
# Restore original function so subsequent calls are
1933
# not affected.
1934
socket.socket = self.socket_socket
1935
del self.socket_socket
1936
# This time only, return a new socket object from the
1937
# saved file descriptor.
1938
return socket.fromfd(self.socketfd, *args, **kwargs)
1939
# Replace socket.socket() function with wrapper
1940
socket.socket = socket_wrapper
1941
# The socketserver.TCPServer.__init__ will call
1942
# socket.socket(), which might be our replacement,
1943
# socket_wrapper(), if socketfd was set.
1944
1390
socketserver.TCPServer.__init__(self, server_address,
1945
1391
RequestHandlerClass)
1946
1947
1392
def server_bind(self):
1948
1393
"""This overrides the normal server_bind() function
1949
1394
to bind to an interface if one was specified, and also NOT to
1950
1395
bind to an address or port if they were not specified."""
1951
1396
if self.interface is not None:
1952
1397
if SO_BINDTODEVICE is None:
1953
logger.error("SO_BINDTODEVICE does not exist;"
1954
" cannot bind to interface %s",
1398
logger.error(u"SO_BINDTODEVICE does not exist;"
1399
u" cannot bind to interface %s",
1955
1400
self.interface)
1956
1401
else:
1957
1402
try:
1958
1403
self.socket.setsockopt(socket.SOL_SOCKET,
1959
1404
SO_BINDTODEVICE,
1960
(self.interface + "\0")
1961
.encode("utf-8"))
1962
except socket.error as error:
1963
if error.errno == errno.EPERM:
1964
logger.error("No permission to bind to"
1965
" interface %s", self.interface)
1966
elif error.errno == errno.ENOPROTOOPT:
1967
logger.error("SO_BINDTODEVICE not available;"
1968
" cannot bind to interface %s",
1969
self.interface)
1970
elif error.errno == errno.ENODEV:
1971
logger.error("Interface %s does not exist,"
1972
" cannot bind", self.interface)
1405
str(self.interface
1406
+ u'\0'))
1407
except socket.error, error:
1408
if error[0] == errno.EPERM:
1409
logger.error(u"No permission to"
1410
u" bind to interface %s",
1411
self.interface)
1412
elif error[0] == errno.ENOPROTOOPT:
1413
logger.error(u"SO_BINDTODEVICE not available;"
1414
u" cannot bind to interface %s",
1415
self.interface)
1973
1416
else:
1974
1417
raise
1975
1418
# Only bind(2) the socket if we really need to.
1976
1419
if self.server_address[0] or self.server_address[1]:
1977
1420
if not self.server_address[0]:
1978
1421
if self.address_family == socket.AF_INET6:
1979
any_address = "::" # in6addr_any
1422
any_address = u"::" # in6addr_any
1980
1423
else:
1981
any_address = "0.0.0.0" # INADDR_ANY
1424
any_address = socket.INADDR_ANY
1982
1425
self.server_address = (any_address,
1983
1426
self.server_address[1])
1984
1427
elif not self.server_address[1]:
2005
1448
"""
2006
1449
def __init__(self, server_address, RequestHandlerClass,
2007
1450
interface=None, use_ipv6=True, clients=None,
2008
gnutls_priority=None, use_dbus=True, socketfd=None):
1451
gnutls_priority=None, use_dbus=True):
2009
1452
self.enabled = False
2010
1453
self.clients = clients
2011
1454
if self.clients is None:
2012
self.clients = {}
1455
self.clients = set()
2013
1456
self.use_dbus = use_dbus
2014
1457
self.gnutls_priority = gnutls_priority
2015
1458
IPv6_TCPServer.__init__(self, server_address,
2016
1459
RequestHandlerClass,
2017
1460
interface = interface,
2018
use_ipv6 = use_ipv6,
2019
socketfd = socketfd)
1461
use_ipv6 = use_ipv6)
2020
1462
def server_activate(self):
2021
1463
if self.enabled:
2022
1464
return socketserver.TCPServer.server_activate(self)
2023
2024
1465
def enable(self):
2025
1466
self.enabled = True
2026
2027
def add_pipe(self, parent_pipe, proc):
1467
def add_pipe(self, parent_pipe):
2028
1468
# Call "handle_ipc" for both data and EOF events
2029
1469
gobject.io_add_watch(parent_pipe.fileno(),
2030
1470
gobject.IO_IN | gobject.IO_HUP,
2031
1471
functools.partial(self.handle_ipc,
2032
parent_pipe =
2033
parent_pipe,
2034
proc = proc))
2035
1472
parent_pipe = parent_pipe))
1473
2036
1474
def handle_ipc(self, source, condition, parent_pipe=None,
2037
proc = None, client_object=None):
2038
# error, or the other end of multiprocessing.Pipe has closed
2039
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2040
# Wait for other process to exit
2041
proc.join()
1475
client_object=None):
1476
condition_names = {
1477
gobject.IO_IN: u"IN", # There is data to read.
1478
gobject.IO_OUT: u"OUT", # Data can be written (without
1479
# blocking).
1480
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1481
gobject.IO_ERR: u"ERR", # Error condition.
1482
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1483
# broken, usually for pipes and
1484
# sockets).
1485
}
1486
conditions_string = ' | '.join(name
1487
for cond, name in
1488
condition_names.iteritems()
1489
if cond & condition)
1490
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1491
conditions_string)
1492
1493
# error or the other end of multiprocessing.Pipe has closed
1494
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
2042
1495
return False
2043
1496
2044
1497
# Read a request from the child
2045
1498
request = parent_pipe.recv()
1499
logger.debug(u"IPC request: %s", repr(request))
2046
1500
command = request[0]
2047
1501
2048
1502
if command == 'init':
2049
1503
fpr = request[1]
2050
1504
address = request[2]
2051
1505
2052
for c in self.clients.itervalues():
1506
for c in self.clients:
2053
1507
if c.fingerprint == fpr:
2054
1508
client = c
2055
1509
break
2056
1510
else:
2057
logger.info("Client not found for fingerprint: %s, ad"
2058
"dress: %s", fpr, address)
1511
logger.warning(u"Client not found for fingerprint: %s, ad"
1512
u"dress: %s", fpr, address)
2059
1513
if self.use_dbus:
2060
1514
# Emit D-Bus signal
2061
mandos_dbus_service.ClientNotFound(fpr,
2062
address[0])
1515
mandos_dbus_service.ClientNotFound(fpr, address)
2063
1516
parent_pipe.send(False)
2064
1517
return False
2065
1518
2066
1519
gobject.io_add_watch(parent_pipe.fileno(),
2067
1520
gobject.IO_IN | gobject.IO_HUP,
2068
1521
functools.partial(self.handle_ipc,
2069
parent_pipe =
2070
parent_pipe,
2071
proc = proc,
2072
client_object =
2073
client))
1522
parent_pipe = parent_pipe,
1523
client_object = client))
2074
1524
parent_pipe.send(True)
2075
# remove the old hook in favor of the new above hook on
2076
# same fileno
1525
# remove the old hook in favor of the new above hook on same fileno
2077
1526
return False
2078
1527
if command == 'funcall':
2079
1528
funcname = request[1]
2080
1529
args = request[2]
2081
1530
kwargs = request[3]
2082
1531
2083
parent_pipe.send(('data', getattr(client_object,
2084
funcname)(*args,
2085
**kwargs)))
2086
1532
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1533
2087
1534
if command == 'getattr':
2088
1535
attrname = request[1]
2089
1536
if callable(client_object.__getattribute__(attrname)):
2090
1537
parent_pipe.send(('function',))
2091
1538
else:
2092
parent_pipe.send(('data', client_object
2093
.__getattribute__(attrname)))
1539
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
2094
1540
2095
1541
if command == 'setattr':
2096
1542
attrname = request[1]
2097
1543
value = request[2]
2098
1544
setattr(client_object, attrname, value)
2099
1545
2100
1546
return True
2101
1547
2102
1548
2103
def rfc3339_duration_to_delta(duration):
2104
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2105
2106
>>> rfc3339_duration_to_delta("P7D")
2107
datetime.timedelta(7)
2108
>>> rfc3339_duration_to_delta("PT60S")
2109
datetime.timedelta(0, 60)
2110
>>> rfc3339_duration_to_delta("PT60M")
2111
datetime.timedelta(0, 3600)
2112
>>> rfc3339_duration_to_delta("PT24H")
2113
datetime.timedelta(1)
2114
>>> rfc3339_duration_to_delta("P1W")
2115
datetime.timedelta(7)
2116
>>> rfc3339_duration_to_delta("PT5M30S")
2117
datetime.timedelta(0, 330)
2118
>>> rfc3339_duration_to_delta("P1DT3M20S")
2119
datetime.timedelta(1, 200)
2120
"""
2121
2122
# Parsing an RFC 3339 duration with regular expressions is not
2123
# possible - there would have to be multiple places for the same
2124
# values, like seconds. The current code, while more esoteric, is
2125
# cleaner without depending on a parsing library. If Python had a
2126
# built-in library for parsing we would use it, but we'd like to
2127
# avoid excessive use of external libraries.
2128
2129
# New type for defining tokens, syntax, and semantics all-in-one
2130
Token = collections.namedtuple("Token",
2131
("regexp", # To match token; if
2132
# "value" is not None,
2133
# must have a "group"
2134
# containing digits
2135
"value", # datetime.timedelta or
2136
# None
2137
"followers")) # Tokens valid after
2138
# this token
2139
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2140
# the "duration" ABNF definition in RFC 3339, Appendix A.
2141
token_end = Token(re.compile(r"$"), None, frozenset())
2142
token_second = Token(re.compile(r"(\d+)S"),
2143
datetime.timedelta(seconds=1),
2144
frozenset((token_end,)))
2145
token_minute = Token(re.compile(r"(\d+)M"),
2146
datetime.timedelta(minutes=1),
2147
frozenset((token_second, token_end)))
2148
token_hour = Token(re.compile(r"(\d+)H"),
2149
datetime.timedelta(hours=1),
2150
frozenset((token_minute, token_end)))
2151
token_time = Token(re.compile(r"T"),
2152
None,
2153
frozenset((token_hour, token_minute,
2154
token_second)))
2155
token_day = Token(re.compile(r"(\d+)D"),
2156
datetime.timedelta(days=1),
2157
frozenset((token_time, token_end)))
2158
token_month = Token(re.compile(r"(\d+)M"),
2159
datetime.timedelta(weeks=4),
2160
frozenset((token_day, token_end)))
2161
token_year = Token(re.compile(r"(\d+)Y"),
2162
datetime.timedelta(weeks=52),
2163
frozenset((token_month, token_end)))
2164
token_week = Token(re.compile(r"(\d+)W"),
2165
datetime.timedelta(weeks=1),
2166
frozenset((token_end,)))
2167
token_duration = Token(re.compile(r"P"), None,
2168
frozenset((token_year, token_month,
2169
token_day, token_time,
2170
token_week)))
2171
# Define starting values
2172
value = datetime.timedelta() # Value so far
2173
found_token = None
2174
followers = frozenset((token_duration,)) # Following valid tokens
2175
s = duration # String left to parse
2176
# Loop until end token is found
2177
while found_token is not token_end:
2178
# Search for any currently valid tokens
2179
for token in followers:
2180
match = token.regexp.match(s)
2181
if match is not None:
2182
# Token found
2183
if token.value is not None:
2184
# Value found, parse digits
2185
factor = int(match.group(1), 10)
2186
# Add to value so far
2187
value += factor * token.value
2188
# Strip token from string
2189
s = token.regexp.sub("", s, 1)
2190
# Go to found token
2191
found_token = token
2192
# Set valid next tokens
2193
followers = found_token.followers
2194
break
2195
else:
2196
# No currently valid tokens were found
2197
raise ValueError("Invalid RFC 3339 duration")
2198
# End token found
2199
return value
2200
2201
2202
1549
def string_to_delta(interval):
2203
1550
"""Parse a string and return a datetime.timedelta
2204
1551
2205
>>> string_to_delta('7d')
1552
>>> string_to_delta(u'7d')
2206
1553
datetime.timedelta(7)
2207
>>> string_to_delta('60s')
1554
>>> string_to_delta(u'60s')
2208
1555
datetime.timedelta(0, 60)
2209
>>> string_to_delta('60m')
1556
>>> string_to_delta(u'60m')
2210
1557
datetime.timedelta(0, 3600)
2211
>>> string_to_delta('24h')
1558
>>> string_to_delta(u'24h')
2212
1559
datetime.timedelta(1)
2213
>>> string_to_delta('1w')
1560
>>> string_to_delta(u'1w')
2214
1561
datetime.timedelta(7)
2215
>>> string_to_delta('5m 30s')
1562
>>> string_to_delta(u'5m 30s')
2216
1563
datetime.timedelta(0, 330)
2217
1564
"""
2218
2219
try:
2220
return rfc3339_duration_to_delta(interval)
2221
except ValueError:
2222
pass
2223
2224
1565
timevalue = datetime.timedelta(0)
2225
1566
for s in interval.split():
2226
1567
try:
2227
suffix = s[-1]
1568
suffix = unicode(s[-1])
2228
1569
value = int(s[:-1])
2229
if suffix == "d":
1570
if suffix == u"d":
2230
1571
delta = datetime.timedelta(value)
2231
elif suffix == "s":
1572
elif suffix == u"s":
2232
1573
delta = datetime.timedelta(0, value)
2233
elif suffix == "m":
1574
elif suffix == u"m":
2234
1575
delta = datetime.timedelta(0, 0, 0, 0, value)
2235
elif suffix == "h":
1576
elif suffix == u"h":
2236
1577
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
2237
elif suffix == "w":
1578
elif suffix == u"w":
2238
1579
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2239
1580
else:
2240
raise ValueError("Unknown suffix {!r}"
2241
.format(suffix))
2242
except IndexError as e:
2243
raise ValueError(*(e.args))
1581
raise ValueError(u"Unknown suffix %r" % suffix)
1582
except (ValueError, IndexError), e:
1583
raise ValueError(e.message)
2244
1584
timevalue += delta
2245
1585
return timevalue
2246
1586
2247
1587
1588
def if_nametoindex(interface):
1589
"""Call the C function if_nametoindex(), or equivalent
1590
1591
Note: This function cannot accept a unicode string."""
1592
global if_nametoindex
1593
try:
1594
if_nametoindex = (ctypes.cdll.LoadLibrary
1595
(ctypes.util.find_library(u"c"))
1596
.if_nametoindex)
1597
except (OSError, AttributeError):
1598
logger.warning(u"Doing if_nametoindex the hard way")
1599
def if_nametoindex(interface):
1600
"Get an interface index the hard way, i.e. using fcntl()"
1601
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1602
with contextlib.closing(socket.socket()) as s:
1603
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1604
struct.pack(str(u"16s16x"),
1605
interface))
1606
interface_index = struct.unpack(str(u"I"),
1607
ifreq[16:20])[0]
1608
return interface_index
1609
return if_nametoindex(interface)
1610
1611
2248
1612
def daemon(nochdir = False, noclose = False):
2249
1613
"""See daemon(3). Standard BSD Unix function.
2250
1614
2253
1617
sys.exit()
2254
1618
os.setsid()
2255
1619
if not nochdir:
2256
os.chdir("/")
1620
os.chdir(u"/")
2257
1621
if os.fork():
2258
1622
sys.exit()
2259
1623
if not noclose:
2260
1624
# Close all standard open file descriptors
2261
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1625
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2262
1626
if not stat.S_ISCHR(os.fstat(null).st_mode):
2263
raise OSError(errno.ENODEV, "{} not a character device"
2264
.format(os.devnull))
1627
raise OSError(errno.ENODEV,
1628
u"%s not a character device"
1629
% os.path.devnull)
2265
1630
os.dup2(null, sys.stdin.fileno())
2266
1631
os.dup2(null, sys.stdout.fileno())
2267
1632
os.dup2(null, sys.stderr.fileno())
2274
1639
##################################################################
2275
1640
# Parsing of options, both command line and config file
2276
1641
2277
parser = argparse.ArgumentParser()
2278
parser.add_argument("-v", "--version", action="version",
2279
version = "%(prog)s {}".format(version),
2280
help="show version number and exit")
2281
parser.add_argument("-i", "--interface", metavar="IF",
2282
help="Bind to interface IF")
2283
parser.add_argument("-a", "--address",
2284
help="Address to listen for requests on")
2285
parser.add_argument("-p", "--port", type=int,
2286
help="Port number to receive requests on")
2287
parser.add_argument("--check", action="store_true",
2288
help="Run self-test")
2289
parser.add_argument("--debug", action="store_true",
2290
help="Debug mode; run in foreground and log"
2291
" to terminal", default=None)
2292
parser.add_argument("--debuglevel", metavar="LEVEL",
2293
help="Debug level for stdout output")
2294
parser.add_argument("--priority", help="GnuTLS"
2295
" priority string (see GnuTLS documentation)")
2296
parser.add_argument("--servicename",
2297
metavar="NAME", help="Zeroconf service name")
2298
parser.add_argument("--configdir",
2299
default="/etc/mandos", metavar="DIR",
2300
help="Directory to search for configuration"
2301
" files")
2302
parser.add_argument("--no-dbus", action="store_false",
2303
dest="use_dbus", help="Do not provide D-Bus"
2304
" system bus interface", default=None)
2305
parser.add_argument("--no-ipv6", action="store_false",
2306
dest="use_ipv6", help="Do not use IPv6",
2307
default=None)
2308
parser.add_argument("--no-restore", action="store_false",
2309
dest="restore", help="Do not restore stored"
2310
" state", default=None)
2311
parser.add_argument("--socket", type=int,
2312
help="Specify a file descriptor to a network"
2313
" socket to use instead of creating one")
2314
parser.add_argument("--statedir", metavar="DIR",
2315
help="Directory to save/restore state in")
2316
parser.add_argument("--foreground", action="store_true",
2317
help="Run in foreground", default=None)
2318
parser.add_argument("--no-zeroconf", action="store_false",
2319
dest="zeroconf", help="Do not use Zeroconf",
2320
default=None)
2321
2322
options = parser.parse_args()
1642
parser = optparse.OptionParser(version = "%%prog %s" % version)
1643
parser.add_option("-i", u"--interface", type=u"string",
1644
metavar="IF", help=u"Bind to interface IF")
1645
parser.add_option("-a", u"--address", type=u"string",
1646
help=u"Address to listen for requests on")
1647
parser.add_option("-p", u"--port", type=u"int",
1648
help=u"Port number to receive requests on")
1649
parser.add_option("--check", action=u"store_true",
1650
help=u"Run self-test")
1651
parser.add_option("--debug", action=u"store_true",
1652
help=u"Debug mode; run in foreground and log to"
1653
u" terminal")
1654
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1655
help=u"Debug level for stdout output")
1656
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1657
u" priority string (see GnuTLS documentation)")
1658
parser.add_option("--servicename", type=u"string",
1659
metavar=u"NAME", help=u"Zeroconf service name")
1660
parser.add_option("--configdir", type=u"string",
1661
default=u"/etc/mandos", metavar=u"DIR",
1662
help=u"Directory to search for configuration"
1663
u" files")
1664
parser.add_option("--no-dbus", action=u"store_false",
1665
dest=u"use_dbus", help=u"Do not provide D-Bus"
1666
u" system bus interface")
1667
parser.add_option("--no-ipv6", action=u"store_false",
1668
dest=u"use_ipv6", help=u"Do not use IPv6")
1669
options = parser.parse_args()[0]
2323
1670
2324
1671
if options.check:
2325
1672
import doctest
2326
fail_count, test_count = doctest.testmod()
2327
sys.exit(os.EX_OK if fail_count == 0 else 1)
1673
doctest.testmod()
1674
sys.exit()
2328
1675
2329
1676
# Default values for config file for server-global settings
2330
server_defaults = { "interface": "",
2331
"address": "",
2332
"port": "",
2333
"debug": "False",
2334
"priority":
2335
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2336
"servicename": "Mandos",
2337
"use_dbus": "True",
2338
"use_ipv6": "True",
2339
"debuglevel": "",
2340
"restore": "True",
2341
"socket": "",
2342
"statedir": "/var/lib/mandos",
2343
"foreground": "False",
2344
"zeroconf": "True",
1677
server_defaults = { u"interface": u"",
1678
u"address": u"",
1679
u"port": u"",
1680
u"debug": u"False",
1681
u"priority":
1682
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1683
u"servicename": u"Mandos",
1684
u"use_dbus": u"True",
1685
u"use_ipv6": u"True",
1686
u"debuglevel": u"",
2345
1687
}
2346
1688
2347
1689
# Parse config file for server-global settings
2348
1690
server_config = configparser.SafeConfigParser(server_defaults)
2349
1691
del server_defaults
2350
1692
server_config.read(os.path.join(options.configdir,
2351
"mandos.conf"))
1693
u"mandos.conf"))
2352
1694
# Convert the SafeConfigParser object to a dict
2353
1695
server_settings = server_config.defaults()
2354
1696
# Use the appropriate methods on the non-string config options
2355
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2356
server_settings[option] = server_config.getboolean("DEFAULT",
1697
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1698
server_settings[option] = server_config.getboolean(u"DEFAULT",
2357
1699
option)
2358
1700
if server_settings["port"]:
2359
server_settings["port"] = server_config.getint("DEFAULT",
2360
"port")
2361
if server_settings["socket"]:
2362
server_settings["socket"] = server_config.getint("DEFAULT",
2363
"socket")
2364
# Later, stdin will, and stdout and stderr might, be dup'ed
2365
# over with an opened os.devnull. But we don't want this to
2366
# happen with a supplied network socket.
2367
if 0 <= server_settings["socket"] <= 2:
2368
server_settings["socket"] = os.dup(server_settings
2369
["socket"])
1701
server_settings["port"] = server_config.getint(u"DEFAULT",
1702
u"port")
2370
1703
del server_config
2371
1704
2372
1705
# Override the settings from the config file with command line
2373
1706
# options, if set.
2374
for option in ("interface", "address", "port", "debug",
2375
"priority", "servicename", "configdir",
2376
"use_dbus", "use_ipv6", "debuglevel", "restore",
2377
"statedir", "socket", "foreground", "zeroconf"):
1707
for option in (u"interface", u"address", u"port", u"debug",
1708
u"priority", u"servicename", u"configdir",
1709
u"use_dbus", u"use_ipv6", u"debuglevel"):
2378
1710
value = getattr(options, option)
2379
1711
if value is not None:
2380
1712
server_settings[option] = value
2381
1713
del options
2382
1714
# Force all strings to be unicode
2383
1715
for option in server_settings.keys():
2384
if isinstance(server_settings[option], bytes):
2385
server_settings[option] = (server_settings[option]
2386
.decode("utf-8"))
2387
# Force all boolean options to be boolean
2388
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2389
"foreground", "zeroconf"):
2390
server_settings[option] = bool(server_settings[option])
2391
# Debug implies foreground
2392
if server_settings["debug"]:
2393
server_settings["foreground"] = True
1716
if type(server_settings[option]) is str:
1717
server_settings[option] = unicode(server_settings[option])
2394
1718
# Now we have our good server settings in "server_settings"
2395
1719
2396
1720
##################################################################
2397
1721
2398
if (not server_settings["zeroconf"] and
2399
not (server_settings["port"]
2400
or server_settings["socket"] != "")):
2401
parser.error("Needs port or socket to work without"
2402
" Zeroconf")
2403
2404
1722
# For convenience
2405
debug = server_settings["debug"]
2406
debuglevel = server_settings["debuglevel"]
2407
use_dbus = server_settings["use_dbus"]
2408
use_ipv6 = server_settings["use_ipv6"]
2409
stored_state_path = os.path.join(server_settings["statedir"],
2410
stored_state_file)
2411
foreground = server_settings["foreground"]
2412
zeroconf = server_settings["zeroconf"]
2413
2414
if debug:
2415
initlogger(debug, logging.DEBUG)
2416
else:
2417
if not debuglevel:
2418
initlogger(debug)
2419
else:
2420
level = getattr(logging, debuglevel.upper())
2421
initlogger(debug, level)
2422
2423
if server_settings["servicename"] != "Mandos":
1723
debug = server_settings[u"debug"]
1724
debuglevel = server_settings[u"debuglevel"]
1725
use_dbus = server_settings[u"use_dbus"]
1726
use_ipv6 = server_settings[u"use_ipv6"]
1727
1728
if server_settings[u"servicename"] != u"Mandos":
2424
1729
syslogger.setFormatter(logging.Formatter
2425
('Mandos ({}) [%(process)d]:'
2426
' %(levelname)s: %(message)s'
2427
.format(server_settings
2428
["servicename"])))
1730
(u'Mandos (%s) [%%(process)d]:'
1731
u' %%(levelname)s: %%(message)s'
1732
% server_settings[u"servicename"]))
2429
1733
2430
1734
# Parse config file with clients
2431
client_config = configparser.SafeConfigParser(Client
2432
.client_defaults)
2433
client_config.read(os.path.join(server_settings["configdir"],
2434
"clients.conf"))
1735
client_defaults = { u"timeout": u"1h",
1736
u"interval": u"5m",
1737
u"checker": u"fping -q -- %%(host)s",
1738
u"host": u"",
1739
u"approval_delay": u"0s",
1740
u"approval_duration": u"1s",
1741
}
1742
client_config = configparser.SafeConfigParser(client_defaults)
1743
client_config.read(os.path.join(server_settings[u"configdir"],
1744
u"clients.conf"))
2435
1745
2436
1746
global mandos_dbus_service
2437
1747
mandos_dbus_service = None
2438
1748
2439
socketfd = None
2440
if server_settings["socket"] != "":
2441
socketfd = server_settings["socket"]
2442
tcp_server = MandosServer((server_settings["address"],
2443
server_settings["port"]),
1749
tcp_server = MandosServer((server_settings[u"address"],
1750
server_settings[u"port"]),
2444
1751
ClientHandler,
2445
interface=(server_settings["interface"]
1752
interface=(server_settings[u"interface"]
2446
1753
or None),
2447
1754
use_ipv6=use_ipv6,
2448
1755
gnutls_priority=
2449
server_settings["priority"],
2450
use_dbus=use_dbus,
2451
socketfd=socketfd)
2452
if not foreground:
2453
pidfilename = "/run/mandos.pid"
2454
if not os.path.isdir("/run/."):
2455
pidfilename = "/var/run/mandos.pid"
2456
pidfile = None
2457
try:
2458
pidfile = open(pidfilename, "w")
2459
except IOError as e:
2460
logger.error("Could not open file %r", pidfilename,
2461
exc_info=e)
1756
server_settings[u"priority"],
1757
use_dbus=use_dbus)
1758
pidfilename = u"/var/run/mandos.pid"
1759
try:
1760
pidfile = open(pidfilename, u"w")
1761
except IOError:
1762
logger.error(u"Could not open file %r", pidfilename)
2462
1763
2463
for name in ("_mandos", "mandos", "nobody"):
1764
try:
1765
uid = pwd.getpwnam(u"_mandos").pw_uid
1766
gid = pwd.getpwnam(u"_mandos").pw_gid
1767
except KeyError:
2464
1768
try:
2465
uid = pwd.getpwnam(name).pw_uid
2466
gid = pwd.getpwnam(name).pw_gid
2467
break
1769
uid = pwd.getpwnam(u"mandos").pw_uid
1770
gid = pwd.getpwnam(u"mandos").pw_gid
2468
1771
except KeyError:
2469
continue
2470
else:
2471
uid = 65534
2472
gid = 65534
1772
try:
1773
uid = pwd.getpwnam(u"nobody").pw_uid
1774
gid = pwd.getpwnam(u"nobody").pw_gid
1775
except KeyError:
1776
uid = 65534
1777
gid = 65534
2473
1778
try:
2474
1779
os.setgid(gid)
2475
1780
os.setuid(uid)
2476
except OSError as error:
2477
if error.errno != errno.EPERM:
2478
raise
1781
except OSError, error:
1782
if error[0] != errno.EPERM:
1783
raise error
2479
1784
1785
if not debug and not debuglevel:
1786
syslogger.setLevel(logging.WARNING)
1787
console.setLevel(logging.WARNING)
1788
if debuglevel:
1789
level = getattr(logging, debuglevel.upper())
1790
syslogger.setLevel(level)
1791
console.setLevel(level)
1792
2480
1793
if debug:
2481
1794
# Enable all possible GnuTLS debugging
2482
1795
2486
1799
2487
1800
@gnutls.library.types.gnutls_log_func
2488
1801
def debug_gnutls(level, string):
2489
logger.debug("GnuTLS: %s", string[:-1])
1802
logger.debug(u"GnuTLS: %s", string[:-1])
2490
1803
2491
1804
(gnutls.library.functions
2492
1805
.gnutls_global_set_log_function(debug_gnutls))
2493
1806
2494
1807
# Redirect stdin so all checkers get /dev/null
2495
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1808
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2496
1809
os.dup2(null, sys.stdin.fileno())
2497
1810
if null > 2:
2498
1811
os.close(null)
2499
2500
# Need to fork before connecting to D-Bus
2501
if not foreground:
2502
# Close all input and output, do double fork, etc.
2503
daemon()
2504
2505
# multiprocessing will use threads, so before we use gobject we
2506
# need to inform gobject that threads will be used.
2507
gobject.threads_init()
1812
else:
1813
# No console logging
1814
logger.removeHandler(console)
1815
2508
1816
2509
1817
global main_loop
2510
1818
# From the Avahi example code
2511
DBusGMainLoop(set_as_default=True)
1819
DBusGMainLoop(set_as_default=True )
2512
1820
main_loop = gobject.MainLoop()
2513
1821
bus = dbus.SystemBus()
2514
1822
# End of Avahi example code
2515
1823
if use_dbus:
2516
1824
try:
2517
bus_name = dbus.service.BusName("se.recompile.Mandos",
1825
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
2518
1826
bus, do_not_queue=True)
2519
old_bus_name = (dbus.service.BusName
2520
("se.bsnet.fukt.Mandos", bus,
2521
do_not_queue=True))
2522
except dbus.exceptions.NameExistsException as e:
2523
logger.error("Disabling D-Bus:", exc_info=e)
1827
except dbus.exceptions.NameExistsException, e:
1828
logger.error(unicode(e) + u", disabling D-Bus")
2524
1829
use_dbus = False
2525
server_settings["use_dbus"] = False
1830
server_settings[u"use_dbus"] = False
2526
1831
tcp_server.use_dbus = False
2527
if zeroconf:
2528
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2529
service = AvahiServiceToSyslog(name =
2530
server_settings["servicename"],
2531
servicetype = "_mandos._tcp",
2532
protocol = protocol, bus = bus)
2533
if server_settings["interface"]:
2534
service.interface = (if_nametoindex
2535
(server_settings["interface"]
2536
.encode("utf-8")))
2537
1832
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1833
service = AvahiService(name = server_settings[u"servicename"],
1834
servicetype = u"_mandos._tcp",
1835
protocol = protocol, bus = bus)
1836
if server_settings["interface"]:
1837
service.interface = (if_nametoindex
1838
(str(server_settings[u"interface"])))
1839
1840
if not debug:
1841
# Close all input and output, do double fork, etc.
1842
daemon()
1843
2538
1844
global multiprocessing_manager
2539
1845
multiprocessing_manager = multiprocessing.Manager()
2540
1846
2541
1847
client_class = Client
2542
1848
if use_dbus:
2543
1849
client_class = functools.partial(ClientDBus, bus = bus)
2544
2545
client_settings = Client.config_parser(client_config)
2546
old_client_settings = {}
2547
clients_data = {}
2548
2549
# This is used to redirect stdout and stderr for checker processes
2550
global wnull
2551
wnull = open(os.devnull, "w") # A writable /dev/null
2552
# Only used if server is running in foreground but not in debug
2553
# mode
2554
if debug or not foreground:
2555
wnull.close()
2556
2557
# Get client data and settings from last running state.
2558
if server_settings["restore"]:
2559
try:
2560
with open(stored_state_path, "rb") as stored_state:
2561
clients_data, old_client_settings = (pickle.load
2562
(stored_state))
2563
os.remove(stored_state_path)
2564
except IOError as e:
2565
if e.errno == errno.ENOENT:
2566
logger.warning("Could not load persistent state: {}"
2567
.format(os.strerror(e.errno)))
2568
else:
2569
logger.critical("Could not load persistent state:",
2570
exc_info=e)
2571
raise
2572
except EOFError as e:
2573
logger.warning("Could not load persistent state: "
2574
"EOFError:", exc_info=e)
2575
2576
with PGPEngine() as pgp:
2577
for client_name, client in clients_data.items():
2578
# Skip removed clients
2579
if client_name not in client_settings:
2580
continue
2581
2582
# Decide which value to use after restoring saved state.
2583
# We have three different values: Old config file,
2584
# new config file, and saved state.
2585
# New config value takes precedence if it differs from old
2586
# config value, otherwise use saved state.
2587
for name, value in client_settings[client_name].items():
2588
try:
2589
# For each value in new config, check if it
2590
# differs from the old config value (Except for
2591
# the "secret" attribute)
2592
if (name != "secret" and
2593
value != old_client_settings[client_name]
2594
[name]):
2595
client[name] = value
2596
except KeyError:
2597
pass
2598
2599
# Clients who has passed its expire date can still be
2600
# enabled if its last checker was successful. Clients
2601
# whose checker succeeded before we stored its state is
2602
# assumed to have successfully run all checkers during
2603
# downtime.
2604
if client["enabled"]:
2605
if datetime.datetime.utcnow() >= client["expires"]:
2606
if not client["last_checked_ok"]:
2607
logger.warning(
2608
"disabling client {} - Client never "
2609
"performed a successful checker"
2610
.format(client_name))
2611
client["enabled"] = False
2612
elif client["last_checker_status"] != 0:
2613
logger.warning(
2614
"disabling client {} - Client last"
2615
" checker failed with error code {}"
2616
.format(client_name,
2617
client["last_checker_status"]))
2618
client["enabled"] = False
2619
else:
2620
client["expires"] = (datetime.datetime
2621
.utcnow()
2622
+ client["timeout"])
2623
logger.debug("Last checker succeeded,"
2624
" keeping {} enabled"
2625
.format(client_name))
1850
def client_config_items(config, section):
1851
special_settings = {
1852
"approved_by_default":
1853
lambda: config.getboolean(section,
1854
"approved_by_default"),
1855
}
1856
for name, value in config.items(section):
2626
1857
try:
2627
client["secret"] = (
2628
pgp.decrypt(client["encrypted_secret"],
2629
client_settings[client_name]
2630
["secret"]))
2631
except PGPError:
2632
# If decryption fails, we use secret from new settings
2633
logger.debug("Failed to decrypt {} old secret"
2634
.format(client_name))
2635
client["secret"] = (
2636
client_settings[client_name]["secret"])
2637
2638
# Add/remove clients based on new changes made to config
2639
for client_name in (set(old_client_settings)
2640
- set(client_settings)):
2641
del clients_data[client_name]
2642
for client_name in (set(client_settings)
2643
- set(old_client_settings)):
2644
clients_data[client_name] = client_settings[client_name]
2645
2646
# Create all client objects
2647
for client_name, client in clients_data.items():
2648
tcp_server.clients[client_name] = client_class(
2649
name = client_name, settings = client,
2650
server_settings = server_settings)
2651
1858
yield (name, special_settings[name]())
1859
except KeyError:
1860
yield (name, value)
1861
1862
tcp_server.clients.update(set(
1863
client_class(name = section,
1864
config= dict(client_config_items(
1865
client_config, section)))
1866
for section in client_config.sections()))
2652
1867
if not tcp_server.clients:
2653
logger.warning("No clients defined")
2654
2655
if not foreground:
2656
if pidfile is not None:
2657
try:
2658
with pidfile:
2659
pid = os.getpid()
2660
pidfile.write("{}\n".format(pid).encode("utf-8"))
2661
except IOError:
2662
logger.error("Could not write to file %r with PID %d",
2663
pidfilename, pid)
1868
logger.warning(u"No clients defined")
1869
1870
try:
1871
with pidfile:
1872
pid = os.getpid()
1873
pidfile.write(str(pid) + "\n")
2664
1874
del pidfile
2665
del pidfilename
1875
except IOError:
1876
logger.error(u"Could not write to file %r with PID %d",
1877
pidfilename, pid)
1878
except NameError:
1879
# "pidfile" was never created
1880
pass
1881
del pidfilename
2666
1882
1883
if not debug:
1884
signal.signal(signal.SIGINT, signal.SIG_IGN)
2667
1885
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2668
1886
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2669
1887
2670
1888
if use_dbus:
2671
@alternate_dbus_interfaces({"se.recompile.Mandos":
2672
"se.bsnet.fukt.Mandos"})
2673
class MandosDBusService(DBusObjectWithProperties):
1889
class MandosDBusService(dbus.service.Object):
2674
1890
"""A D-Bus proxy object"""
2675
1891
def __init__(self):
2676
dbus.service.Object.__init__(self, bus, "/")
2677
_interface = "se.recompile.Mandos"
2678
2679
@dbus_interface_annotations(_interface)
2680
def _foo(self):
2681
return { "org.freedesktop.DBus.Property"
2682
".EmitsChangedSignal":
2683
"false"}
2684
2685
@dbus.service.signal(_interface, signature="o")
1892
dbus.service.Object.__init__(self, bus, u"/")
1893
_interface = u"se.bsnet.fukt.Mandos"
1894
1895
@dbus.service.signal(_interface, signature=u"o")
2686
1896
def ClientAdded(self, objpath):
2687
1897
"D-Bus signal"
2688
1898
pass
2689
1899
2690
@dbus.service.signal(_interface, signature="ss")
1900
@dbus.service.signal(_interface, signature=u"ss")
2691
1901
def ClientNotFound(self, fingerprint, address):
2692
1902
"D-Bus signal"
2693
1903
pass
2694
1904
2695
@dbus.service.signal(_interface, signature="os")
1905
@dbus.service.signal(_interface, signature=u"os")
2696
1906
def ClientRemoved(self, objpath, name):
2697
1907
"D-Bus signal"
2698
1908
pass
2699
1909
2700
@dbus.service.method(_interface, out_signature="ao")
1910
@dbus.service.method(_interface, out_signature=u"ao")
2701
1911
def GetAllClients(self):
2702
1912
"D-Bus method"
2703
1913
return dbus.Array(c.dbus_object_path
2704
for c in
2705
tcp_server.clients.itervalues())
1914
for c in tcp_server.clients)
2706
1915
2707
1916
@dbus.service.method(_interface,
2708
out_signature="a{oa{sv}}")
1917
out_signature=u"a{oa{sv}}")
2709
1918
def GetAllClientsWithProperties(self):
2710
1919
"D-Bus method"
2711
1920
return dbus.Dictionary(
2712
((c.dbus_object_path, c.GetAll(""))
2713
for c in tcp_server.clients.itervalues()),
2714
signature="oa{sv}")
1921
((c.dbus_object_path, c.GetAll(u""))
1922
for c in tcp_server.clients),
1923
signature=u"oa{sv}")
2715
1924
2716
@dbus.service.method(_interface, in_signature="o")
1925
@dbus.service.method(_interface, in_signature=u"o")
2717
1926
def RemoveClient(self, object_path):
2718
1927
"D-Bus method"
2719
for c in tcp_server.clients.itervalues():
1928
for c in tcp_server.clients:
2720
1929
if c.dbus_object_path == object_path:
2721
del tcp_server.clients[c.name]
1930
tcp_server.clients.remove(c)
2722
1931
c.remove_from_connection()
2723
1932
# Don't signal anything except ClientRemoved
2724
1933
c.disable(quiet=True)
2733
1942
2734
1943
def cleanup():
2735
1944
"Cleanup function; run on exit"
2736
if zeroconf:
2737
service.cleanup()
2738
2739
multiprocessing.active_children()
2740
wnull.close()
2741
if not (tcp_server.clients or client_settings):
2742
return
2743
2744
# Store client before exiting. Secrets are encrypted with key
2745
# based on what config file has. If config file is
2746
# removed/edited, old secret will thus be unrecovable.
2747
clients = {}
2748
with PGPEngine() as pgp:
2749
for client in tcp_server.clients.itervalues():
2750
key = client_settings[client.name]["secret"]
2751
client.encrypted_secret = pgp.encrypt(client.secret,
2752
key)
2753
client_dict = {}
2754
2755
# A list of attributes that can not be pickled
2756
# + secret.
2757
exclude = { "bus", "changedstate", "secret",
2758
"checker", "server_settings" }
2759
for name, typ in (inspect.getmembers
2760
(dbus.service.Object)):
2761
exclude.add(name)
2762
2763
client_dict["encrypted_secret"] = (client
2764
.encrypted_secret)
2765
for attr in client.client_structure:
2766
if attr not in exclude:
2767
client_dict[attr] = getattr(client, attr)
2768
2769
clients[client.name] = client_dict
2770
del client_settings[client.name]["secret"]
2771
2772
try:
2773
with (tempfile.NamedTemporaryFile
2774
(mode='wb', suffix=".pickle", prefix='clients-',
2775
dir=os.path.dirname(stored_state_path),
2776
delete=False)) as stored_state:
2777
pickle.dump((clients, client_settings), stored_state)
2778
tempname=stored_state.name
2779
os.rename(tempname, stored_state_path)
2780
except (IOError, OSError) as e:
2781
if not debug:
2782
try:
2783
os.remove(tempname)
2784
except NameError:
2785
pass
2786
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2787
logger.warning("Could not save persistent state: {}"
2788
.format(os.strerror(e.errno)))
2789
else:
2790
logger.warning("Could not save persistent state:",
2791
exc_info=e)
2792
raise
2793
2794
# Delete all clients, and settings from config
1945
service.cleanup()
1946
2795
1947
while tcp_server.clients:
2796
name, client = tcp_server.clients.popitem()
1948
client = tcp_server.clients.pop()
2797
1949
if use_dbus:
2798
1950
client.remove_from_connection()
1951
client.disable_hook = None
2799
1952
# Don't signal anything except ClientRemoved
2800
1953
client.disable(quiet=True)
2801
1954
if use_dbus:
2802
1955
# Emit D-Bus signal
2803
mandos_dbus_service.ClientRemoved(client
2804
.dbus_object_path,
1956
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2805
1957
client.name)
2806
client_settings.clear()
2807
1958
2808
1959
atexit.register(cleanup)
2809
1960
2810
for client in tcp_server.clients.itervalues():
1961
for client in tcp_server.clients:
2811
1962
if use_dbus:
2812
1963
# Emit D-Bus signal
2813
1964
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2814
# Need to initiate checking of clients
2815
if client.enabled:
2816
client.init_checker()
1965
client.enable()
2817
1966
2818
1967
tcp_server.enable()
2819
1968
tcp_server.server_activate()
2820
1969
2821
1970
# Find out what port we got
2822
if zeroconf:
2823
service.port = tcp_server.socket.getsockname()[1]
1971
service.port = tcp_server.socket.getsockname()[1]
2824
1972
if use_ipv6:
2825
logger.info("Now listening on address %r, port %d,"
2826
" flowinfo %d, scope_id %d",
2827
*tcp_server.socket.getsockname())
1973
logger.info(u"Now listening on address %r, port %d,"
1974
" flowinfo %d, scope_id %d"
1975
% tcp_server.socket.getsockname())
2828
1976
else: # IPv4
2829
logger.info("Now listening on address %r, port %d",
2830
*tcp_server.socket.getsockname())
1977
logger.info(u"Now listening on address %r, port %d"
1978
% tcp_server.socket.getsockname())
2831
1979
2832
1980
#service.interface = tcp_server.socket.getsockname()[3]
2833
1981
2834
1982
try:
2835
if zeroconf:
2836
# From the Avahi example code
2837
try:
2838
service.activate()
2839
except dbus.exceptions.DBusException as error:
2840
logger.critical("D-Bus Exception", exc_info=error)
2841
cleanup()
2842
sys.exit(1)
2843
# End of Avahi example code
1983
# From the Avahi example code
1984
try:
1985
service.activate()
1986
except dbus.exceptions.DBusException, error:
1987
logger.critical(u"DBusException: %s", error)
1988
cleanup()
1989
sys.exit(1)
1990
# End of Avahi example code
2844
1991
2845
1992
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2846
1993
lambda *args, **kwargs:
2847
1994
(tcp_server.handle_request
2848
1995
(*args[2:], **kwargs) or True))
2849
1996
2850
logger.debug("Starting main loop")
1997
logger.debug(u"Starting main loop")
2851
1998
main_loop.run()
2852
except AvahiError as error:
2853
logger.critical("Avahi Error", exc_info=error)
1999
except AvahiError, error:
2000
logger.critical(u"AvahiError: %s", error)
2854
2001
cleanup()
2855
2002
sys.exit(1)
2856
2003
except KeyboardInterrupt:
2857
2004
if debug:
2858
print("", file=sys.stderr)
2859
logger.debug("Server received KeyboardInterrupt")
2860
logger.debug("Server exiting")
2005
print >> sys.stderr
2006
logger.debug(u"Server received KeyboardInterrupt")
2007
logger.debug(u"Server exiting")
2861
2008
# Must run before the D-Bus bus name gets deregistered
2862
2009
cleanup()
2863
2010
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0