To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 441
- compare with another revision
- download diff
- download tarball
- view history from revision 441
- Committer: Teddy Hogeborn
- Date: 2010-09-25 23:52:17 UTC
- Revision ID: teddy@fukt.bsnet.se-20100925235217-4hhqfryz1ste6uw3
* mandos (ClientDBus.__init__): Bug fix: Translate "-" in client names
to "_" in D-Bus object paths.
(MandosServer.handle_ipc): Bug fix: Send only address string to
D-Bus signal, not whole tuple.
* mandos-ctl: New options "--approve-by-default", "--deny-by-default",
"--approval-delay", and "--approval-duration".
* mandos-ctl.xml (SYNOPSIS, OPTIONS): Document new options.
* mandos-monitor (MandosClientWidget.update): Fix spelling.
to "_" in D-Bus object paths.
(MandosServer.handle_ipc): Bug fix: Send only address string to
D-Bus signal, not whole tuple.
* mandos-ctl: New options "--approve-by-default", "--deny-by-default",
"--approval-delay", and "--approval-duration".
* mandos-ctl.xml (SYNOPSIS, OPTIONS): Document new options.
* mandos-monitor (MandosClientWidget.update): Fix spelling.
- files added:
- DBUS-API
- files removed:
- debian/mandos-client.config
- files modified:
- INSTALL
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008 Teddy Hogeborn
15
# Copyright © 2008 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
33
33
34
34
from __future__ import division, with_statement, absolute_import
35
35
36
import SocketServer
36
import SocketServer as socketserver
37
37
import socket
38
from optparse import OptionParser
38
import optparse
39
39
import datetime
40
40
import errno
41
41
import gnutls.crypto
44
44
import gnutls.library.functions
45
45
import gnutls.library.constants
46
46
import gnutls.library.types
47
import ConfigParser
47
import ConfigParser as configparser
48
48
import sys
49
49
import re
50
50
import os
51
51
import signal
52
from sets import Set
53
52
import subprocess
54
53
import atexit
55
54
import stat
56
55
import logging
57
56
import logging.handlers
58
57
import pwd
59
from contextlib import closing
58
import contextlib
59
import struct
60
import fcntl
61
import functools
62
import cPickle as pickle
63
import multiprocessing
60
64
61
65
import dbus
62
66
import dbus.service
65
69
from dbus.mainloop.glib import DBusGMainLoop
66
70
import ctypes
67
71
import ctypes.util
68
69
version = "1.0.2"
70
71
logger = logging.Logger('mandos')
72
import xml.dom.minidom
73
import inspect
74
75
try:
76
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
except AttributeError:
78
try:
79
from IN import SO_BINDTODEVICE
80
except ImportError:
81
SO_BINDTODEVICE = None
82
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
72
88
syslogger = (logging.handlers.SysLogHandler
73
89
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
90
address = "/dev/log"))
75
91
syslogger.setFormatter(logging.Formatter
76
('Mandos: %(levelname)s: %(message)s'))
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
77
94
logger.addHandler(syslogger)
78
95
79
96
console = logging.StreamHandler()
80
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
81
' %(message)s'))
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
82
100
logger.addHandler(console)
83
101
84
102
class AvahiError(Exception):
85
def __init__(self, value):
103
def __init__(self, value, *args, **kwargs):
86
104
self.value = value
87
super(AvahiError, self).__init__()
88
def __str__(self):
89
return repr(self.value)
105
super(AvahiError, self).__init__(value, *args, **kwargs)
106
def __unicode__(self):
107
return unicode(repr(self.value))
90
108
91
109
class AvahiServiceError(AvahiError):
92
110
pass
97
115
98
116
class AvahiService(object):
99
117
"""An Avahi (Zeroconf) service.
118
100
119
Attributes:
101
120
interface: integer; avahi.IF_UNSPEC or an interface index.
102
121
Used to optionally bind to the specified interface.
103
name: string; Example: 'Mandos'
104
type: string; Example: '_mandos._tcp'.
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
105
124
See <http://www.dns-sd.org/ServiceTypes.html>
106
125
port: integer; what port to announce
107
126
TXT: list of strings; TXT record for the service
110
129
max_renames: integer; maximum number of renames
111
130
rename_count: integer; counter so we only rename after collisions
112
131
a sensible number of times
132
group: D-Bus Entry Group
133
server: D-Bus Server
134
bus: dbus.SystemBus()
113
135
"""
114
136
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
115
137
servicetype = None, port = None, TXT = None,
116
domain = "", host = "", max_renames = 32768):
138
domain = u"", host = u"", max_renames = 32768,
139
protocol = avahi.PROTO_UNSPEC, bus = None):
117
140
self.interface = interface
118
141
self.name = name
119
142
self.type = servicetype
123
146
self.host = host
124
147
self.rename_count = 0
125
148
self.max_renames = max_renames
149
self.protocol = protocol
150
self.group = None # our entry group
151
self.server = None
152
self.bus = bus
126
153
def rename(self):
127
154
"""Derived from the Avahi example code"""
128
155
if self.rename_count >= self.max_renames:
129
156
logger.critical(u"No suitable Zeroconf service name found"
130
157
u" after %i retries, exiting.",
131
158
self.rename_count)
132
raise AvahiServiceError("Too many renames")
133
self.name = server.GetAlternativeServiceName(self.name)
159
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
134
161
logger.info(u"Changing Zeroconf service name to %r ...",
135
str(self.name))
162
self.name)
136
163
syslogger.setFormatter(logging.Formatter
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
139
167
self.remove()
140
self.add()
168
try:
169
self.add()
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
172
self.cleanup()
173
os._exit(1)
141
174
self.rename_count += 1
142
175
def remove(self):
143
176
"""Derived from the Avahi example code"""
144
if group is not None:
145
group.Reset()
177
if self.group is not None:
178
self.group.Reset()
146
179
def add(self):
147
180
"""Derived from the Avahi example code"""
148
global group
149
if group is None:
150
group = dbus.Interface(bus.get_object
151
(avahi.DBUS_NAME,
152
server.EntryGroupNew()),
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
154
group.connect_to_signal('StateChanged',
155
entry_group_state_changed)
181
if self.group is None:
182
self.group = dbus.Interface(
183
self.bus.get_object(avahi.DBUS_NAME,
184
self.server.EntryGroupNew()),
185
avahi.DBUS_INTERFACE_ENTRY_GROUP)
186
self.group.connect_to_signal('StateChanged',
187
self
188
.entry_group_state_changed)
156
189
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
157
service.name, service.type)
158
group.AddService(
159
self.interface, # interface
160
avahi.PROTO_INET6, # protocol
161
dbus.UInt32(0), # flags
162
self.name, self.type,
163
self.domain, self.host,
164
dbus.UInt16(self.port),
165
avahi.string_array_to_txt_array(self.TXT))
166
group.Commit()
167
168
# From the Avahi example code:
169
group = None # our entry group
170
# End of Avahi example code
171
172
173
def _datetime_to_dbus_struct(dt, variant_level=0):
174
"""Convert a UTC datetime.datetime() to a D-Bus struct.
175
The format is special to this application, since we could not find
176
any other standard way."""
177
return dbus.Struct((dbus.Int16(dt.year),
178
dbus.Byte(dt.month),
179
dbus.Byte(dt.day),
180
dbus.Byte(dt.hour),
181
dbus.Byte(dt.minute),
182
dbus.Byte(dt.second),
183
dbus.UInt32(dt.microsecond)),
184
signature="nyyyyyu",
185
variant_level=variant_level)
186
187
188
class Client(dbus.service.Object):
190
self.name, self.type)
191
self.group.AddService(
192
self.interface,
193
self.protocol,
194
dbus.UInt32(0), # flags
195
self.name, self.type,
196
self.domain, self.host,
197
dbus.UInt16(self.port),
198
avahi.string_array_to_txt_array(self.TXT))
199
self.group.Commit()
200
def entry_group_state_changed(self, state, error):
201
"""Derived from the Avahi example code"""
202
logger.debug(u"Avahi entry group state change: %i", state)
203
204
if state == avahi.ENTRY_GROUP_ESTABLISHED:
205
logger.debug(u"Zeroconf service established.")
206
elif state == avahi.ENTRY_GROUP_COLLISION:
207
logger.warning(u"Zeroconf service name collision.")
208
self.rename()
209
elif state == avahi.ENTRY_GROUP_FAILURE:
210
logger.critical(u"Avahi: Error in group state changed %s",
211
unicode(error))
212
raise AvahiGroupError(u"State changed: %s"
213
% unicode(error))
214
def cleanup(self):
215
"""Derived from the Avahi example code"""
216
if self.group is not None:
217
self.group.Free()
218
self.group = None
219
def server_state_changed(self, state):
220
"""Derived from the Avahi example code"""
221
logger.debug(u"Avahi server state change: %i", state)
222
if state == avahi.SERVER_COLLISION:
223
logger.error(u"Zeroconf server name collision")
224
self.remove()
225
elif state == avahi.SERVER_RUNNING:
226
self.add()
227
def activate(self):
228
"""Derived from the Avahi example code"""
229
if self.server is None:
230
self.server = dbus.Interface(
231
self.bus.get_object(avahi.DBUS_NAME,
232
avahi.DBUS_PATH_SERVER),
233
avahi.DBUS_INTERFACE_SERVER)
234
self.server.connect_to_signal(u"StateChanged",
235
self.server_state_changed)
236
self.server_state_changed(self.server.GetState())
237
238
239
class Client(object):
189
240
"""A representation of a client host served by this server.
241
190
242
Attributes:
191
name: string; from the config file, used in log messages
192
fingerprint: string (40 or 32 hexadecimal digits); used to
193
uniquely identify the client
194
secret: bytestring; sent verbatim (over TLS) to client
195
host: string; available for use by the checker command
196
created: datetime.datetime(); (UTC) object creation
197
last_started: datetime.datetime(); (UTC)
198
started: bool()
199
last_checked_ok: datetime.datetime(); (UTC) or None
200
timeout: datetime.timedelta(); How long from last_checked_ok
201
until this client is invalid
202
interval: datetime.timedelta(); How often to start a new checker
203
stop_hook: If set, called by stop() as stop_hook(self)
243
_approved: bool(); 'None' if not yet approved/disapproved
244
approval_delay: datetime.timedelta(); Time to wait for approval
245
approval_duration: datetime.timedelta(); Duration of one approval
204
246
checker: subprocess.Popen(); a running checker process used
205
247
to see if the client lives.
206
248
'None' if no process is running.
207
checker_initiator_tag: a gobject event source tag, or None
208
stop_initiator_tag: - '' -
209
249
checker_callback_tag: - '' -
210
checker_command: string; External command which is run to check if
211
client lives. %() expansions are done at
250
checker_command: string; External command which is run to check
251
if client lives. %() expansions are done at
212
252
runtime with vars(self) as dict, so that for
213
253
instance %(name)s can be used in the command.
214
dbus_object_path: dbus.ObjectPath
215
Private attibutes:
216
_timeout: Real variable for 'timeout'
217
_interval: Real variable for 'interval'
218
_timeout_milliseconds: Used when calling gobject.timeout_add()
219
_interval_milliseconds: - '' -
254
checker_initiator_tag: a gobject event source tag, or None
255
created: datetime.datetime(); (UTC) object creation
256
current_checker_command: string; current running checker_command
257
disable_hook: If set, called by disable() as disable_hook(self)
258
disable_initiator_tag: - '' -
259
enabled: bool()
260
fingerprint: string (40 or 32 hexadecimal digits); used to
261
uniquely identify the client
262
host: string; available for use by the checker command
263
interval: datetime.timedelta(); How often to start a new checker
264
last_checked_ok: datetime.datetime(); (UTC) or None
265
last_enabled: datetime.datetime(); (UTC)
266
name: string; from the config file, used in log messages and
267
D-Bus identifiers
268
secret: bytestring; sent verbatim (over TLS) to client
269
timeout: datetime.timedelta(); How long from last_checked_ok
270
until this client is disabled
271
runtime_expansions: Allowed attributes for runtime expansion.
220
272
"""
221
def _set_timeout(self, timeout):
222
"Setter function for the 'timeout' attribute"
223
self._timeout = timeout
224
self._timeout_milliseconds = ((self.timeout.days
225
* 24 * 60 * 60 * 1000)
226
+ (self.timeout.seconds * 1000)
227
+ (self.timeout.microseconds
228
// 1000))
229
# Emit D-Bus signal
230
self.PropertyChanged(dbus.String(u"timeout"),
231
(dbus.UInt64(self._timeout_milliseconds,
232
variant_level=1)))
233
timeout = property(lambda self: self._timeout, _set_timeout)
234
del _set_timeout
235
236
def _set_interval(self, interval):
237
"Setter function for the 'interval' attribute"
238
self._interval = interval
239
self._interval_milliseconds = ((self.interval.days
240
* 24 * 60 * 60 * 1000)
241
+ (self.interval.seconds
242
* 1000)
243
+ (self.interval.microseconds
244
// 1000))
245
# Emit D-Bus signal
246
self.PropertyChanged(dbus.String(u"interval"),
247
(dbus.UInt64(self._interval_milliseconds,
248
variant_level=1)))
249
interval = property(lambda self: self._interval, _set_interval)
250
del _set_interval
251
252
def __init__(self, name = None, stop_hook=None, config=None):
273
274
runtime_expansions = (u"approval_delay", u"approval_duration",
275
u"created", u"enabled", u"fingerprint",
276
u"host", u"interval", u"last_checked_ok",
277
u"last_enabled", u"name", u"timeout")
278
279
@staticmethod
280
def _timedelta_to_milliseconds(td):
281
"Convert a datetime.timedelta() to milliseconds"
282
return ((td.days * 24 * 60 * 60 * 1000)
283
+ (td.seconds * 1000)
284
+ (td.microseconds // 1000))
285
286
def timeout_milliseconds(self):
287
"Return the 'timeout' attribute in milliseconds"
288
return self._timedelta_to_milliseconds(self.timeout)
289
290
def interval_milliseconds(self):
291
"Return the 'interval' attribute in milliseconds"
292
return self._timedelta_to_milliseconds(self.interval)
293
294
def approval_delay_milliseconds(self):
295
return self._timedelta_to_milliseconds(self.approval_delay)
296
297
def __init__(self, name = None, disable_hook=None, config=None):
253
298
"""Note: the 'checker' key in 'config' sets the
254
299
'checker_command' attribute and *not* the 'checker'
255
300
attribute."""
256
self.dbus_object_path = (dbus.ObjectPath
257
("/Mandos/clients/"
258
+ name.replace(".", "_")))
259
dbus.service.Object.__init__(self, bus,
260
self.dbus_object_path)
301
self.name = name
261
302
if config is None:
262
303
config = {}
263
self.name = name
264
304
logger.debug(u"Creating client %r", self.name)
265
305
# Uppercase and remove spaces from fingerprint for later
266
306
# comparison purposes with return value from the fingerprint()
267
307
# function
268
self.fingerprint = (config["fingerprint"].upper()
308
self.fingerprint = (config[u"fingerprint"].upper()
269
309
.replace(u" ", u""))
270
310
logger.debug(u" Fingerprint: %s", self.fingerprint)
271
if "secret" in config:
272
self.secret = config["secret"].decode(u"base64")
273
elif "secfile" in config:
274
with closing(open(os.path.expanduser
275
(os.path.expandvars
276
(config["secfile"])))) as secfile:
311
if u"secret" in config:
312
self.secret = config[u"secret"].decode(u"base64")
313
elif u"secfile" in config:
314
with open(os.path.expanduser(os.path.expandvars
315
(config[u"secfile"])),
316
"rb") as secfile:
277
317
self.secret = secfile.read()
278
318
else:
279
319
raise TypeError(u"No secret or secfile for client %s"
280
320
% self.name)
281
self.host = config.get("host", "")
321
self.host = config.get(u"host", u"")
282
322
self.created = datetime.datetime.utcnow()
283
self.started = False
284
self.last_started = None
323
self.enabled = False
324
self.last_enabled = None
285
325
self.last_checked_ok = None
286
self.timeout = string_to_delta(config["timeout"])
287
self.interval = string_to_delta(config["interval"])
288
self.stop_hook = stop_hook
326
self.timeout = string_to_delta(config[u"timeout"])
327
self.interval = string_to_delta(config[u"interval"])
328
self.disable_hook = disable_hook
289
329
self.checker = None
290
330
self.checker_initiator_tag = None
291
self.stop_initiator_tag = None
331
self.disable_initiator_tag = None
292
332
self.checker_callback_tag = None
293
self.checker_command = config["checker"]
333
self.checker_command = config[u"checker"]
334
self.current_checker_command = None
335
self.last_connect = None
336
self._approved = None
337
self.approved_by_default = config.get(u"approved_by_default",
338
True)
339
self.approvals_pending = 0
340
self.approval_delay = string_to_delta(
341
config[u"approval_delay"])
342
self.approval_duration = string_to_delta(
343
config[u"approval_duration"])
344
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
294
345
295
def start(self):
346
def send_changedstate(self):
347
self.changedstate.acquire()
348
self.changedstate.notify_all()
349
self.changedstate.release()
350
351
def enable(self):
296
352
"""Start this client's checker and timeout hooks"""
297
self.last_started = datetime.datetime.utcnow()
353
if getattr(self, u"enabled", False):
354
# Already enabled
355
return
356
self.send_changedstate()
357
self.last_enabled = datetime.datetime.utcnow()
298
358
# Schedule a new checker to be started an 'interval' from now,
299
359
# and every interval from then on.
300
360
self.checker_initiator_tag = (gobject.timeout_add
301
(self._interval_milliseconds,
361
(self.interval_milliseconds(),
302
362
self.start_checker))
363
# Schedule a disable() when 'timeout' has passed
364
self.disable_initiator_tag = (gobject.timeout_add
365
(self.timeout_milliseconds(),
366
self.disable))
367
self.enabled = True
303
368
# Also start a new checker *right now*.
304
369
self.start_checker()
305
# Schedule a stop() when 'timeout' has passed
306
self.stop_initiator_tag = (gobject.timeout_add
307
(self._timeout_milliseconds,
308
self.stop))
309
self.started = True
310
# Emit D-Bus signal
311
self.PropertyChanged(dbus.String(u"started"),
312
dbus.Boolean(True, variant_level=1))
313
self.PropertyChanged(dbus.String(u"last_started"),
314
(_datetime_to_dbus_struct
315
(self.last_started, variant_level=1)))
316
370
317
def stop(self):
318
"""Stop this client."""
319
if not getattr(self, "started", False):
371
def disable(self, quiet=True):
372
"""Disable this client."""
373
if not getattr(self, "enabled", False):
320
374
return False
321
logger.info(u"Stopping client %s", self.name)
322
if getattr(self, "stop_initiator_tag", False):
323
gobject.source_remove(self.stop_initiator_tag)
324
self.stop_initiator_tag = None
325
if getattr(self, "checker_initiator_tag", False):
375
if not quiet:
376
self.send_changedstate()
377
if not quiet:
378
logger.info(u"Disabling client %s", self.name)
379
if getattr(self, u"disable_initiator_tag", False):
380
gobject.source_remove(self.disable_initiator_tag)
381
self.disable_initiator_tag = None
382
if getattr(self, u"checker_initiator_tag", False):
326
383
gobject.source_remove(self.checker_initiator_tag)
327
384
self.checker_initiator_tag = None
328
385
self.stop_checker()
329
if self.stop_hook:
330
self.stop_hook(self)
331
self.started = False
332
# Emit D-Bus signal
333
self.PropertyChanged(dbus.String(u"started"),
334
dbus.Boolean(False, variant_level=1))
386
if self.disable_hook:
387
self.disable_hook(self)
388
self.enabled = False
335
389
# Do not run this again if called by a gobject.timeout_add
336
390
return False
337
391
338
392
def __del__(self):
339
self.stop_hook = None
340
self.stop()
393
self.disable_hook = None
394
self.disable()
341
395
342
396
def checker_callback(self, pid, condition, command):
343
397
"""The checker has completed, so take appropriate actions."""
344
398
self.checker_callback_tag = None
345
399
self.checker = None
346
# Emit D-Bus signal
347
self.PropertyChanged(dbus.String(u"checker_running"),
348
dbus.Boolean(False, variant_level=1))
349
if (os.WIFEXITED(condition)
350
and (os.WEXITSTATUS(condition) == 0)):
351
logger.info(u"Checker for %(name)s succeeded",
352
vars(self))
353
# Emit D-Bus signal
354
self.CheckerCompleted(dbus.Boolean(True),
355
dbus.UInt16(condition),
356
dbus.String(command))
357
self.bump_timeout()
358
elif not os.WIFEXITED(condition):
400
if os.WIFEXITED(condition):
401
exitstatus = os.WEXITSTATUS(condition)
402
if exitstatus == 0:
403
logger.info(u"Checker for %(name)s succeeded",
404
vars(self))
405
self.checked_ok()
406
else:
407
logger.info(u"Checker for %(name)s failed",
408
vars(self))
409
else:
359
410
logger.warning(u"Checker for %(name)s crashed?",
360
411
vars(self))
361
# Emit D-Bus signal
362
self.CheckerCompleted(dbus.Boolean(False),
363
dbus.UInt16(condition),
364
dbus.String(command))
365
else:
366
logger.info(u"Checker for %(name)s failed",
367
vars(self))
368
# Emit D-Bus signal
369
self.CheckerCompleted(dbus.Boolean(False),
370
dbus.UInt16(condition),
371
dbus.String(command))
372
412
373
def bump_timeout(self):
413
def checked_ok(self):
374
414
"""Bump up the timeout for this client.
415
375
416
This should only be called when the client has been seen,
376
417
alive and well.
377
418
"""
378
419
self.last_checked_ok = datetime.datetime.utcnow()
379
gobject.source_remove(self.stop_initiator_tag)
380
self.stop_initiator_tag = (gobject.timeout_add
381
(self._timeout_milliseconds,
382
self.stop))
383
self.PropertyChanged(dbus.String(u"last_checked_ok"),
384
(_datetime_to_dbus_struct
385
(self.last_checked_ok,
386
variant_level=1)))
420
gobject.source_remove(self.disable_initiator_tag)
421
self.disable_initiator_tag = (gobject.timeout_add
422
(self.timeout_milliseconds(),
423
self.disable))
387
424
388
425
def start_checker(self):
389
426
"""Start a new checker subprocess if one is not running.
427
390
428
If a checker already exists, leave it running and do
391
429
nothing."""
392
430
# The reason for not killing a running checker is that if we
395
433
# client would inevitably timeout, since no checker would get
396
434
# a chance to run to completion. If we instead leave running
397
435
# checkers alone, the checker would have to take more time
398
# than 'timeout' for the client to be declared invalid, which
399
# is as it should be.
436
# than 'timeout' for the client to be disabled, which is as it
437
# should be.
438
439
# If a checker exists, make sure it is not a zombie
440
try:
441
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
442
except (AttributeError, OSError), error:
443
if (isinstance(error, OSError)
444
and error.errno != errno.ECHILD):
445
raise error
446
else:
447
if pid:
448
logger.warning(u"Checker was a zombie")
449
gobject.source_remove(self.checker_callback_tag)
450
self.checker_callback(pid, status,
451
self.current_checker_command)
452
# Start a new checker if needed
400
453
if self.checker is None:
401
454
try:
402
455
# In case checker_command has exactly one % operator
403
456
command = self.checker_command % self.host
404
457
except TypeError:
405
458
# Escape attributes for the shell
406
escaped_attrs = dict((key, re.escape(str(val)))
407
for key, val in
408
vars(self).iteritems())
459
escaped_attrs = dict(
460
(attr,
461
re.escape(unicode(str(getattr(self, attr, u"")),
462
errors=
463
u'replace')))
464
for attr in
465
self.runtime_expansions)
466
409
467
try:
410
468
command = self.checker_command % escaped_attrs
411
469
except TypeError, error:
412
470
logger.error(u'Could not format string "%s":'
413
471
u' %s', self.checker_command, error)
414
472
return True # Try again later
473
self.current_checker_command = command
415
474
try:
416
475
logger.info(u"Starting checker %r for %s",
417
476
command, self.name)
421
480
# always replaced by /dev/null.)
422
481
self.checker = subprocess.Popen(command,
423
482
close_fds=True,
424
shell=True, cwd="/")
425
# Emit D-Bus signal
426
self.CheckerStarted(command)
427
self.PropertyChanged(dbus.String("checker_running"),
428
dbus.Boolean(True, variant_level=1))
483
shell=True, cwd=u"/")
429
484
self.checker_callback_tag = (gobject.child_watch_add
430
485
(self.checker.pid,
431
486
self.checker_callback,
432
487
data=command))
488
# The checker may have completed before the gobject
489
# watch was added. Check for this.
490
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
491
if pid:
492
gobject.source_remove(self.checker_callback_tag)
493
self.checker_callback(pid, status, command)
433
494
except OSError, error:
434
495
logger.error(u"Failed to start subprocess: %s",
435
496
error)
441
502
if self.checker_callback_tag:
442
503
gobject.source_remove(self.checker_callback_tag)
443
504
self.checker_callback_tag = None
444
if getattr(self, "checker", None) is None:
505
if getattr(self, u"checker", None) is None:
445
506
return
446
507
logger.debug(u"Stopping checker for %(name)s", vars(self))
447
508
try:
448
509
os.kill(self.checker.pid, signal.SIGTERM)
449
#os.sleep(0.5)
510
#time.sleep(0.5)
450
511
#if self.checker.poll() is None:
451
512
# os.kill(self.checker.pid, signal.SIGKILL)
452
513
except OSError, error:
453
514
if error.errno != errno.ESRCH: # No such process
454
515
raise
455
516
self.checker = None
456
self.PropertyChanged(dbus.String(u"checker_running"),
517
518
def dbus_service_property(dbus_interface, signature=u"v",
519
access=u"readwrite", byte_arrays=False):
520
"""Decorators for marking methods of a DBusObjectWithProperties to
521
become properties on the D-Bus.
522
523
The decorated method will be called with no arguments by "Get"
524
and with one argument by "Set".
525
526
The parameters, where they are supported, are the same as
527
dbus.service.method, except there is only "signature", since the
528
type from Get() and the type sent to Set() is the same.
529
"""
530
# Encoding deeply encoded byte arrays is not supported yet by the
531
# "Set" method, so we fail early here:
532
if byte_arrays and signature != u"ay":
533
raise ValueError(u"Byte arrays not supported for non-'ay'"
534
u" signature %r" % signature)
535
def decorator(func):
536
func._dbus_is_property = True
537
func._dbus_interface = dbus_interface
538
func._dbus_signature = signature
539
func._dbus_access = access
540
func._dbus_name = func.__name__
541
if func._dbus_name.endswith(u"_dbus_property"):
542
func._dbus_name = func._dbus_name[:-14]
543
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
544
return func
545
return decorator
546
547
548
class DBusPropertyException(dbus.exceptions.DBusException):
549
"""A base class for D-Bus property-related exceptions
550
"""
551
def __unicode__(self):
552
return unicode(str(self))
553
554
555
class DBusPropertyAccessException(DBusPropertyException):
556
"""A property's access permissions disallows an operation.
557
"""
558
pass
559
560
561
class DBusPropertyNotFound(DBusPropertyException):
562
"""An attempt was made to access a non-existing property.
563
"""
564
pass
565
566
567
class DBusObjectWithProperties(dbus.service.Object):
568
"""A D-Bus object with properties.
569
570
Classes inheriting from this can use the dbus_service_property
571
decorator to expose methods as D-Bus properties. It exposes the
572
standard Get(), Set(), and GetAll() methods on the D-Bus.
573
"""
574
575
@staticmethod
576
def _is_dbus_property(obj):
577
return getattr(obj, u"_dbus_is_property", False)
578
579
def _get_all_dbus_properties(self):
580
"""Returns a generator of (name, attribute) pairs
581
"""
582
return ((prop._dbus_name, prop)
583
for name, prop in
584
inspect.getmembers(self, self._is_dbus_property))
585
586
def _get_dbus_property(self, interface_name, property_name):
587
"""Returns a bound method if one exists which is a D-Bus
588
property with the specified name and interface.
589
"""
590
for name in (property_name,
591
property_name + u"_dbus_property"):
592
prop = getattr(self, name, None)
593
if (prop is None
594
or not self._is_dbus_property(prop)
595
or prop._dbus_name != property_name
596
or (interface_name and prop._dbus_interface
597
and interface_name != prop._dbus_interface)):
598
continue
599
return prop
600
# No such property
601
raise DBusPropertyNotFound(self.dbus_object_path + u":"
602
+ interface_name + u"."
603
+ property_name)
604
605
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
606
out_signature=u"v")
607
def Get(self, interface_name, property_name):
608
"""Standard D-Bus property Get() method, see D-Bus standard.
609
"""
610
prop = self._get_dbus_property(interface_name, property_name)
611
if prop._dbus_access == u"write":
612
raise DBusPropertyAccessException(property_name)
613
value = prop()
614
if not hasattr(value, u"variant_level"):
615
return value
616
return type(value)(value, variant_level=value.variant_level+1)
617
618
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
619
def Set(self, interface_name, property_name, value):
620
"""Standard D-Bus property Set() method, see D-Bus standard.
621
"""
622
prop = self._get_dbus_property(interface_name, property_name)
623
if prop._dbus_access == u"read":
624
raise DBusPropertyAccessException(property_name)
625
if prop._dbus_get_args_options[u"byte_arrays"]:
626
# The byte_arrays option is not supported yet on
627
# signatures other than "ay".
628
if prop._dbus_signature != u"ay":
629
raise ValueError
630
value = dbus.ByteArray(''.join(unichr(byte)
631
for byte in value))
632
prop(value)
633
634
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
635
out_signature=u"a{sv}")
636
def GetAll(self, interface_name):
637
"""Standard D-Bus property GetAll() method, see D-Bus
638
standard.
639
640
Note: Will not include properties with access="write".
641
"""
642
all = {}
643
for name, prop in self._get_all_dbus_properties():
644
if (interface_name
645
and interface_name != prop._dbus_interface):
646
# Interface non-empty but did not match
647
continue
648
# Ignore write-only properties
649
if prop._dbus_access == u"write":
650
continue
651
value = prop()
652
if not hasattr(value, u"variant_level"):
653
all[name] = value
654
continue
655
all[name] = type(value)(value, variant_level=
656
value.variant_level+1)
657
return dbus.Dictionary(all, signature=u"sv")
658
659
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
660
out_signature=u"s",
661
path_keyword='object_path',
662
connection_keyword='connection')
663
def Introspect(self, object_path, connection):
664
"""Standard D-Bus method, overloaded to insert property tags.
665
"""
666
xmlstring = dbus.service.Object.Introspect(self, object_path,
667
connection)
668
try:
669
document = xml.dom.minidom.parseString(xmlstring)
670
def make_tag(document, name, prop):
671
e = document.createElement(u"property")
672
e.setAttribute(u"name", name)
673
e.setAttribute(u"type", prop._dbus_signature)
674
e.setAttribute(u"access", prop._dbus_access)
675
return e
676
for if_tag in document.getElementsByTagName(u"interface"):
677
for tag in (make_tag(document, name, prop)
678
for name, prop
679
in self._get_all_dbus_properties()
680
if prop._dbus_interface
681
== if_tag.getAttribute(u"name")):
682
if_tag.appendChild(tag)
683
# Add the names to the return values for the
684
# "org.freedesktop.DBus.Properties" methods
685
if (if_tag.getAttribute(u"name")
686
== u"org.freedesktop.DBus.Properties"):
687
for cn in if_tag.getElementsByTagName(u"method"):
688
if cn.getAttribute(u"name") == u"Get":
689
for arg in cn.getElementsByTagName(u"arg"):
690
if (arg.getAttribute(u"direction")
691
== u"out"):
692
arg.setAttribute(u"name", u"value")
693
elif cn.getAttribute(u"name") == u"GetAll":
694
for arg in cn.getElementsByTagName(u"arg"):
695
if (arg.getAttribute(u"direction")
696
== u"out"):
697
arg.setAttribute(u"name", u"props")
698
xmlstring = document.toxml(u"utf-8")
699
document.unlink()
700
except (AttributeError, xml.dom.DOMException,
701
xml.parsers.expat.ExpatError), error:
702
logger.error(u"Failed to override Introspection method",
703
error)
704
return xmlstring
705
706
707
class ClientDBus(Client, DBusObjectWithProperties):
708
"""A Client class using D-Bus
709
710
Attributes:
711
dbus_object_path: dbus.ObjectPath
712
bus: dbus.SystemBus()
713
"""
714
715
runtime_expansions = (Client.runtime_expansions
716
+ (u"dbus_object_path",))
717
718
# dbus.service.Object doesn't use super(), so we can't either.
719
720
def __init__(self, bus = None, *args, **kwargs):
721
self._approvals_pending = 0
722
self.bus = bus
723
Client.__init__(self, *args, **kwargs)
724
# Only now, when this client is initialized, can it show up on
725
# the D-Bus
726
client_object_name = unicode(self.name).translate(
727
{ord(u"."): ord(u"_"),
728
ord(u"-"): ord(u"_")})
729
self.dbus_object_path = (dbus.ObjectPath
730
(u"/clients/" + client_object_name))
731
DBusObjectWithProperties.__init__(self, self.bus,
732
self.dbus_object_path)
733
734
def _get_approvals_pending(self):
735
return self._approvals_pending
736
def _set_approvals_pending(self, value):
737
old_value = self._approvals_pending
738
self._approvals_pending = value
739
bval = bool(value)
740
if (hasattr(self, "dbus_object_path")
741
and bval is not bool(old_value)):
742
dbus_bool = dbus.Boolean(bval, variant_level=1)
743
self.PropertyChanged(dbus.String(u"ApprovalPending"),
744
dbus_bool)
745
746
approvals_pending = property(_get_approvals_pending,
747
_set_approvals_pending)
748
del _get_approvals_pending, _set_approvals_pending
749
750
@staticmethod
751
def _datetime_to_dbus(dt, variant_level=0):
752
"""Convert a UTC datetime.datetime() to a D-Bus type."""
753
return dbus.String(dt.isoformat(),
754
variant_level=variant_level)
755
756
def enable(self):
757
oldstate = getattr(self, u"enabled", False)
758
r = Client.enable(self)
759
if oldstate != self.enabled:
760
# Emit D-Bus signals
761
self.PropertyChanged(dbus.String(u"Enabled"),
762
dbus.Boolean(True, variant_level=1))
763
self.PropertyChanged(
764
dbus.String(u"LastEnabled"),
765
self._datetime_to_dbus(self.last_enabled,
766
variant_level=1))
767
return r
768
769
def disable(self, quiet = False):
770
oldstate = getattr(self, u"enabled", False)
771
r = Client.disable(self, quiet=quiet)
772
if not quiet and oldstate != self.enabled:
773
# Emit D-Bus signal
774
self.PropertyChanged(dbus.String(u"Enabled"),
775
dbus.Boolean(False, variant_level=1))
776
return r
777
778
def __del__(self, *args, **kwargs):
779
try:
780
self.remove_from_connection()
781
except LookupError:
782
pass
783
if hasattr(DBusObjectWithProperties, u"__del__"):
784
DBusObjectWithProperties.__del__(self, *args, **kwargs)
785
Client.__del__(self, *args, **kwargs)
786
787
def checker_callback(self, pid, condition, command,
788
*args, **kwargs):
789
self.checker_callback_tag = None
790
self.checker = None
791
# Emit D-Bus signal
792
self.PropertyChanged(dbus.String(u"CheckerRunning"),
457
793
dbus.Boolean(False, variant_level=1))
458
459
def still_valid(self):
460
"""Has the timeout not yet passed for this client?"""
461
if not getattr(self, "started", False):
462
return False
463
now = datetime.datetime.utcnow()
464
if self.last_checked_ok is None:
465
return now < (self.created + self.timeout)
466
else:
467
return now < (self.last_checked_ok + self.timeout)
468
469
## D-Bus methods & signals
470
_interface = u"org.mandos_system.Mandos.Client"
471
472
# BumpTimeout - method
473
BumpTimeout = dbus.service.method(_interface)(bump_timeout)
474
BumpTimeout.__name__ = "BumpTimeout"
794
if os.WIFEXITED(condition):
795
exitstatus = os.WEXITSTATUS(condition)
796
# Emit D-Bus signal
797
self.CheckerCompleted(dbus.Int16(exitstatus),
798
dbus.Int64(condition),
799
dbus.String(command))
800
else:
801
# Emit D-Bus signal
802
self.CheckerCompleted(dbus.Int16(-1),
803
dbus.Int64(condition),
804
dbus.String(command))
805
806
return Client.checker_callback(self, pid, condition, command,
807
*args, **kwargs)
808
809
def checked_ok(self, *args, **kwargs):
810
r = Client.checked_ok(self, *args, **kwargs)
811
# Emit D-Bus signal
812
self.PropertyChanged(
813
dbus.String(u"LastCheckedOK"),
814
(self._datetime_to_dbus(self.last_checked_ok,
815
variant_level=1)))
816
return r
817
818
def start_checker(self, *args, **kwargs):
819
old_checker = self.checker
820
if self.checker is not None:
821
old_checker_pid = self.checker.pid
822
else:
823
old_checker_pid = None
824
r = Client.start_checker(self, *args, **kwargs)
825
# Only if new checker process was started
826
if (self.checker is not None
827
and old_checker_pid != self.checker.pid):
828
# Emit D-Bus signal
829
self.CheckerStarted(self.current_checker_command)
830
self.PropertyChanged(
831
dbus.String(u"CheckerRunning"),
832
dbus.Boolean(True, variant_level=1))
833
return r
834
835
def stop_checker(self, *args, **kwargs):
836
old_checker = getattr(self, u"checker", None)
837
r = Client.stop_checker(self, *args, **kwargs)
838
if (old_checker is not None
839
and getattr(self, u"checker", None) is None):
840
self.PropertyChanged(dbus.String(u"CheckerRunning"),
841
dbus.Boolean(False, variant_level=1))
842
return r
843
844
def _reset_approved(self):
845
self._approved = None
846
return False
847
848
def approve(self, value=True):
849
self.send_changedstate()
850
self._approved = value
851
gobject.timeout_add(self._timedelta_to_milliseconds
852
(self.approval_duration),
853
self._reset_approved)
854
855
856
## D-Bus methods, signals & properties
857
_interface = u"se.bsnet.fukt.Mandos.Client"
858
859
## Signals
475
860
476
861
# CheckerCompleted - signal
477
@dbus.service.signal(_interface, signature="bqs")
478
def CheckerCompleted(self, success, condition, command):
862
@dbus.service.signal(_interface, signature=u"nxs")
863
def CheckerCompleted(self, exitcode, waitstatus, command):
479
864
"D-Bus signal"
480
865
pass
481
866
482
867
# CheckerStarted - signal
483
@dbus.service.signal(_interface, signature="s")
868
@dbus.service.signal(_interface, signature=u"s")
484
869
def CheckerStarted(self, command):
485
870
"D-Bus signal"
486
871
pass
487
872
488
# GetAllProperties - method
489
@dbus.service.method(_interface, out_signature="a{sv}")
490
def GetAllProperties(self):
491
"D-Bus method"
492
return dbus.Dictionary({
493
dbus.String("name"):
494
dbus.String(self.name, variant_level=1),
495
dbus.String("fingerprint"):
496
dbus.String(self.fingerprint, variant_level=1),
497
dbus.String("host"):
498
dbus.String(self.host, variant_level=1),
499
dbus.String("created"):
500
_datetime_to_dbus_struct(self.created,
501
variant_level=1),
502
dbus.String("last_started"):
503
(_datetime_to_dbus_struct(self.last_started,
504
variant_level=1)
505
if self.last_started is not None
506
else dbus.Boolean(False, variant_level=1)),
507
dbus.String("started"):
508
dbus.Boolean(self.started, variant_level=1),
509
dbus.String("last_checked_ok"):
510
(_datetime_to_dbus_struct(self.last_checked_ok,
511
variant_level=1)
512
if self.last_checked_ok is not None
513
else dbus.Boolean (False, variant_level=1)),
514
dbus.String("timeout"):
515
dbus.UInt64(self._timeout_milliseconds,
516
variant_level=1),
517
dbus.String("interval"):
518
dbus.UInt64(self._interval_milliseconds,
519
variant_level=1),
520
dbus.String("checker"):
521
dbus.String(self.checker_command,
522
variant_level=1),
523
dbus.String("checker_running"):
524
dbus.Boolean(self.checker is not None,
525
variant_level=1),
526
}, signature="sv")
527
528
# IsStillValid - method
529
IsStillValid = (dbus.service.method(_interface, out_signature="b")
530
(still_valid))
531
IsStillValid.__name__ = "IsStillValid"
532
533
873
# PropertyChanged - signal
534
@dbus.service.signal(_interface, signature="sv")
874
@dbus.service.signal(_interface, signature=u"sv")
535
875
def PropertyChanged(self, property, value):
536
876
"D-Bus signal"
537
877
pass
538
878
539
# SetChecker - method
540
@dbus.service.method(_interface, in_signature="s")
541
def SetChecker(self, checker):
542
"D-Bus setter method"
543
self.checker_command = checker
544
545
# SetHost - method
546
@dbus.service.method(_interface, in_signature="s")
547
def SetHost(self, host):
548
"D-Bus setter method"
549
self.host = host
550
551
# SetInterval - method
552
@dbus.service.method(_interface, in_signature="t")
553
def SetInterval(self, milliseconds):
554
self.interval = datetime.timdeelta(0, 0, 0, milliseconds)
555
556
# SetSecret - method
557
@dbus.service.method(_interface, in_signature="ay",
558
byte_arrays=True)
559
def SetSecret(self, secret):
560
"D-Bus setter method"
561
self.secret = str(secret)
562
563
# SetTimeout - method
564
@dbus.service.method(_interface, in_signature="t")
565
def SetTimeout(self, milliseconds):
566
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
567
568
# Start - method
569
Start = dbus.service.method(_interface)(start)
570
Start.__name__ = "Start"
879
# GotSecret - signal
880
@dbus.service.signal(_interface)
881
def GotSecret(self):
882
"""D-Bus signal
883
Is sent after a successful transfer of secret from the Mandos
884
server to mandos-client
885
"""
886
pass
887
888
# Rejected - signal
889
@dbus.service.signal(_interface, signature=u"s")
890
def Rejected(self, reason):
891
"D-Bus signal"
892
pass
893
894
# NeedApproval - signal
895
@dbus.service.signal(_interface, signature=u"tb")
896
def NeedApproval(self, timeout, default):
897
"D-Bus signal"
898
pass
899
900
## Methods
901
902
# Approve - method
903
@dbus.service.method(_interface, in_signature=u"b")
904
def Approve(self, value):
905
self.approve(value)
906
907
# CheckedOK - method
908
@dbus.service.method(_interface)
909
def CheckedOK(self):
910
return self.checked_ok()
911
912
# Enable - method
913
@dbus.service.method(_interface)
914
def Enable(self):
915
"D-Bus method"
916
self.enable()
571
917
572
918
# StartChecker - method
573
919
@dbus.service.method(_interface)
575
921
"D-Bus method"
576
922
self.start_checker()
577
923
578
# Stop - method
924
# Disable - method
579
925
@dbus.service.method(_interface)
580
def Stop(self):
926
def Disable(self):
581
927
"D-Bus method"
582
self.stop()
928
self.disable()
583
929
584
930
# StopChecker - method
585
StopChecker = dbus.service.method(_interface)(stop_checker)
586
StopChecker.__name__ = "StopChecker"
931
@dbus.service.method(_interface)
932
def StopChecker(self):
933
self.stop_checker()
934
935
## Properties
936
937
# ApprovalPending - property
938
@dbus_service_property(_interface, signature=u"b", access=u"read")
939
def ApprovalPending_dbus_property(self):
940
return dbus.Boolean(bool(self.approvals_pending))
941
942
# ApprovedByDefault - property
943
@dbus_service_property(_interface, signature=u"b",
944
access=u"readwrite")
945
def ApprovedByDefault_dbus_property(self, value=None):
946
if value is None: # get
947
return dbus.Boolean(self.approved_by_default)
948
self.approved_by_default = bool(value)
949
# Emit D-Bus signal
950
self.PropertyChanged(dbus.String(u"ApprovedByDefault"),
951
dbus.Boolean(value, variant_level=1))
952
953
# ApprovalDelay - property
954
@dbus_service_property(_interface, signature=u"t",
955
access=u"readwrite")
956
def ApprovalDelay_dbus_property(self, value=None):
957
if value is None: # get
958
return dbus.UInt64(self.approval_delay_milliseconds())
959
self.approval_delay = datetime.timedelta(0, 0, 0, value)
960
# Emit D-Bus signal
961
self.PropertyChanged(dbus.String(u"ApprovalDelay"),
962
dbus.UInt64(value, variant_level=1))
963
964
# ApprovalDuration - property
965
@dbus_service_property(_interface, signature=u"t",
966
access=u"readwrite")
967
def ApprovalDuration_dbus_property(self, value=None):
968
if value is None: # get
969
return dbus.UInt64(self._timedelta_to_milliseconds(
970
self.approval_duration))
971
self.approval_duration = datetime.timedelta(0, 0, 0, value)
972
# Emit D-Bus signal
973
self.PropertyChanged(dbus.String(u"ApprovalDuration"),
974
dbus.UInt64(value, variant_level=1))
975
976
# Name - property
977
@dbus_service_property(_interface, signature=u"s", access=u"read")
978
def Name_dbus_property(self):
979
return dbus.String(self.name)
980
981
# Fingerprint - property
982
@dbus_service_property(_interface, signature=u"s", access=u"read")
983
def Fingerprint_dbus_property(self):
984
return dbus.String(self.fingerprint)
985
986
# Host - property
987
@dbus_service_property(_interface, signature=u"s",
988
access=u"readwrite")
989
def Host_dbus_property(self, value=None):
990
if value is None: # get
991
return dbus.String(self.host)
992
self.host = value
993
# Emit D-Bus signal
994
self.PropertyChanged(dbus.String(u"Host"),
995
dbus.String(value, variant_level=1))
996
997
# Created - property
998
@dbus_service_property(_interface, signature=u"s", access=u"read")
999
def Created_dbus_property(self):
1000
return dbus.String(self._datetime_to_dbus(self.created))
1001
1002
# LastEnabled - property
1003
@dbus_service_property(_interface, signature=u"s", access=u"read")
1004
def LastEnabled_dbus_property(self):
1005
if self.last_enabled is None:
1006
return dbus.String(u"")
1007
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1008
1009
# Enabled - property
1010
@dbus_service_property(_interface, signature=u"b",
1011
access=u"readwrite")
1012
def Enabled_dbus_property(self, value=None):
1013
if value is None: # get
1014
return dbus.Boolean(self.enabled)
1015
if value:
1016
self.enable()
1017
else:
1018
self.disable()
1019
1020
# LastCheckedOK - property
1021
@dbus_service_property(_interface, signature=u"s",
1022
access=u"readwrite")
1023
def LastCheckedOK_dbus_property(self, value=None):
1024
if value is not None:
1025
self.checked_ok()
1026
return
1027
if self.last_checked_ok is None:
1028
return dbus.String(u"")
1029
return dbus.String(self._datetime_to_dbus(self
1030
.last_checked_ok))
1031
1032
# Timeout - property
1033
@dbus_service_property(_interface, signature=u"t",
1034
access=u"readwrite")
1035
def Timeout_dbus_property(self, value=None):
1036
if value is None: # get
1037
return dbus.UInt64(self.timeout_milliseconds())
1038
self.timeout = datetime.timedelta(0, 0, 0, value)
1039
# Emit D-Bus signal
1040
self.PropertyChanged(dbus.String(u"Timeout"),
1041
dbus.UInt64(value, variant_level=1))
1042
if getattr(self, u"disable_initiator_tag", None) is None:
1043
return
1044
# Reschedule timeout
1045
gobject.source_remove(self.disable_initiator_tag)
1046
self.disable_initiator_tag = None
1047
time_to_die = (self.
1048
_timedelta_to_milliseconds((self
1049
.last_checked_ok
1050
+ self.timeout)
1051
- datetime.datetime
1052
.utcnow()))
1053
if time_to_die <= 0:
1054
# The timeout has passed
1055
self.disable()
1056
else:
1057
self.disable_initiator_tag = (gobject.timeout_add
1058
(time_to_die, self.disable))
1059
1060
# Interval - property
1061
@dbus_service_property(_interface, signature=u"t",
1062
access=u"readwrite")
1063
def Interval_dbus_property(self, value=None):
1064
if value is None: # get
1065
return dbus.UInt64(self.interval_milliseconds())
1066
self.interval = datetime.timedelta(0, 0, 0, value)
1067
# Emit D-Bus signal
1068
self.PropertyChanged(dbus.String(u"Interval"),
1069
dbus.UInt64(value, variant_level=1))
1070
if getattr(self, u"checker_initiator_tag", None) is None:
1071
return
1072
# Reschedule checker run
1073
gobject.source_remove(self.checker_initiator_tag)
1074
self.checker_initiator_tag = (gobject.timeout_add
1075
(value, self.start_checker))
1076
self.start_checker() # Start one now, too
1077
1078
# Checker - property
1079
@dbus_service_property(_interface, signature=u"s",
1080
access=u"readwrite")
1081
def Checker_dbus_property(self, value=None):
1082
if value is None: # get
1083
return dbus.String(self.checker_command)
1084
self.checker_command = value
1085
# Emit D-Bus signal
1086
self.PropertyChanged(dbus.String(u"Checker"),
1087
dbus.String(self.checker_command,
1088
variant_level=1))
1089
1090
# CheckerRunning - property
1091
@dbus_service_property(_interface, signature=u"b",
1092
access=u"readwrite")
1093
def CheckerRunning_dbus_property(self, value=None):
1094
if value is None: # get
1095
return dbus.Boolean(self.checker is not None)
1096
if value:
1097
self.start_checker()
1098
else:
1099
self.stop_checker()
1100
1101
# ObjectPath - property
1102
@dbus_service_property(_interface, signature=u"o", access=u"read")
1103
def ObjectPath_dbus_property(self):
1104
return self.dbus_object_path # is already a dbus.ObjectPath
1105
1106
# Secret = property
1107
@dbus_service_property(_interface, signature=u"ay",
1108
access=u"write", byte_arrays=True)
1109
def Secret_dbus_property(self, value):
1110
self.secret = str(value)
587
1111
588
1112
del _interface
589
1113
590
1114
591
def peer_certificate(session):
592
"Return the peer's OpenPGP certificate as a bytestring"
593
# If not an OpenPGP certificate...
594
if (gnutls.library.functions
595
.gnutls_certificate_type_get(session._c_object)
596
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
597
# ...do the normal thing
598
return session.peer_certificate
599
list_size = ctypes.c_uint()
600
cert_list = (gnutls.library.functions
601
.gnutls_certificate_get_peers
602
(session._c_object, ctypes.byref(list_size)))
603
if list_size.value == 0:
604
return None
605
cert = cert_list[0]
606
return ctypes.string_at(cert.data, cert.size)
607
608
609
def fingerprint(openpgp):
610
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
611
# New GnuTLS "datum" with the OpenPGP public key
612
datum = (gnutls.library.types
613
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
614
ctypes.POINTER
615
(ctypes.c_ubyte)),
616
ctypes.c_uint(len(openpgp))))
617
# New empty GnuTLS certificate
618
crt = gnutls.library.types.gnutls_openpgp_crt_t()
619
(gnutls.library.functions
620
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
621
# Import the OpenPGP public key into the certificate
622
(gnutls.library.functions
623
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
624
gnutls.library.constants
625
.GNUTLS_OPENPGP_FMT_RAW))
626
# Verify the self signature in the key
627
crtverify = ctypes.c_uint()
628
(gnutls.library.functions
629
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
630
if crtverify.value != 0:
631
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
632
raise gnutls.errors.CertificateSecurityError("Verify failed")
633
# New buffer for the fingerprint
634
buf = ctypes.create_string_buffer(20)
635
buf_len = ctypes.c_size_t()
636
# Get the fingerprint from the certificate into the buffer
637
(gnutls.library.functions
638
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
639
ctypes.byref(buf_len)))
640
# Deinit the certificate
641
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
642
# Convert the buffer to a Python bytestring
643
fpr = ctypes.string_at(buf, buf_len.value)
644
# Convert the bytestring to hexadecimal notation
645
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
646
return hex_fpr
647
648
649
class TCP_handler(SocketServer.BaseRequestHandler, object):
650
"""A TCP request handler class.
651
Instantiated by IPv6_TCPServer for each request to handle it.
1115
class ProxyClient(object):
1116
def __init__(self, child_pipe, fpr, address):
1117
self._pipe = child_pipe
1118
self._pipe.send(('init', fpr, address))
1119
if not self._pipe.recv():
1120
raise KeyError()
1121
1122
def __getattribute__(self, name):
1123
if(name == '_pipe'):
1124
return super(ProxyClient, self).__getattribute__(name)
1125
self._pipe.send(('getattr', name))
1126
data = self._pipe.recv()
1127
if data[0] == 'data':
1128
return data[1]
1129
if data[0] == 'function':
1130
def func(*args, **kwargs):
1131
self._pipe.send(('funcall', name, args, kwargs))
1132
return self._pipe.recv()[1]
1133
return func
1134
1135
def __setattr__(self, name, value):
1136
if(name == '_pipe'):
1137
return super(ProxyClient, self).__setattr__(name, value)
1138
self._pipe.send(('setattr', name, value))
1139
1140
1141
class ClientHandler(socketserver.BaseRequestHandler, object):
1142
"""A class to handle client connections.
1143
1144
Instantiated once for each connection to handle it.
652
1145
Note: This will run in its own forked process."""
653
1146
654
1147
def handle(self):
655
logger.info(u"TCP connection from: %s",
656
unicode(self.client_address))
657
session = (gnutls.connection
658
.ClientSession(self.request,
659
gnutls.connection
660
.X509Credentials()))
661
662
line = self.request.makefile().readline()
663
logger.debug(u"Protocol version: %r", line)
664
try:
665
if int(line.strip().split()[0]) > 1:
666
raise RuntimeError
667
except (ValueError, IndexError, RuntimeError), error:
668
logger.error(u"Unknown protocol version: %s", error)
669
return
670
671
# Note: gnutls.connection.X509Credentials is really a generic
672
# GnuTLS certificate credentials object so long as no X.509
673
# keys are added to it. Therefore, we can use it here despite
674
# using OpenPGP certificates.
675
676
#priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
677
# "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
678
# "+DHE-DSS"))
679
# Use a fallback default, since this MUST be set.
680
priority = self.server.settings.get("priority", "NORMAL")
681
(gnutls.library.functions
682
.gnutls_priority_set_direct(session._c_object,
683
priority, None))
684
685
try:
686
session.handshake()
687
except gnutls.errors.GNUTLSError, error:
688
logger.warning(u"Handshake failed: %s", error)
689
# Do not run session.bye() here: the session is not
690
# established. Just abandon the request.
691
return
692
try:
693
fpr = fingerprint(peer_certificate(session))
694
except (TypeError, gnutls.errors.GNUTLSError), error:
695
logger.warning(u"Bad certificate: %s", error)
696
session.bye()
697
return
698
logger.debug(u"Fingerprint: %s", fpr)
699
for c in self.server.clients:
700
if c.fingerprint == fpr:
701
client = c
702
break
703
else:
704
logger.warning(u"Client not found for fingerprint: %s",
705
fpr)
706
session.bye()
707
return
708
# Have to check if client.still_valid(), since it is possible
709
# that the client timed out while establishing the GnuTLS
710
# session.
711
if not client.still_valid():
712
logger.warning(u"Client %(name)s is invalid",
713
vars(client))
714
session.bye()
715
return
716
## This won't work here, since we're in a fork.
717
# client.bump_timeout()
718
sent_size = 0
719
while sent_size < len(client.secret):
720
sent = session.send(client.secret[sent_size:])
721
logger.debug(u"Sent: %d, remaining: %d",
722
sent, len(client.secret)
723
- (sent_size + sent))
724
sent_size += sent
725
session.bye()
726
727
728
class IPv6_TCPServer(SocketServer.ForkingMixIn,
729
SocketServer.TCPServer, object):
730
"""IPv6 TCP server. Accepts 'None' as address and/or port.
1148
with contextlib.closing(self.server.child_pipe) as child_pipe:
1149
logger.info(u"TCP connection from: %s",
1150
unicode(self.client_address))
1151
logger.debug(u"Pipe FD: %d",
1152
self.server.child_pipe.fileno())
1153
1154
session = (gnutls.connection
1155
.ClientSession(self.request,
1156
gnutls.connection
1157
.X509Credentials()))
1158
1159
# Note: gnutls.connection.X509Credentials is really a
1160
# generic GnuTLS certificate credentials object so long as
1161
# no X.509 keys are added to it. Therefore, we can use it
1162
# here despite using OpenPGP certificates.
1163
1164
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1165
# u"+AES-256-CBC", u"+SHA1",
1166
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1167
# u"+DHE-DSS"))
1168
# Use a fallback default, since this MUST be set.
1169
priority = self.server.gnutls_priority
1170
if priority is None:
1171
priority = u"NORMAL"
1172
(gnutls.library.functions
1173
.gnutls_priority_set_direct(session._c_object,
1174
priority, None))
1175
1176
# Start communication using the Mandos protocol
1177
# Get protocol number
1178
line = self.request.makefile().readline()
1179
logger.debug(u"Protocol version: %r", line)
1180
try:
1181
if int(line.strip().split()[0]) > 1:
1182
raise RuntimeError
1183
except (ValueError, IndexError, RuntimeError), error:
1184
logger.error(u"Unknown protocol version: %s", error)
1185
return
1186
1187
# Start GnuTLS connection
1188
try:
1189
session.handshake()
1190
except gnutls.errors.GNUTLSError, error:
1191
logger.warning(u"Handshake failed: %s", error)
1192
# Do not run session.bye() here: the session is not
1193
# established. Just abandon the request.
1194
return
1195
logger.debug(u"Handshake succeeded")
1196
1197
approval_required = False
1198
try:
1199
try:
1200
fpr = self.fingerprint(self.peer_certificate
1201
(session))
1202
except (TypeError, gnutls.errors.GNUTLSError), error:
1203
logger.warning(u"Bad certificate: %s", error)
1204
return
1205
logger.debug(u"Fingerprint: %s", fpr)
1206
1207
try:
1208
client = ProxyClient(child_pipe, fpr,
1209
self.client_address)
1210
except KeyError:
1211
return
1212
1213
if client.approval_delay:
1214
delay = client.approval_delay
1215
client.approvals_pending += 1
1216
approval_required = True
1217
1218
while True:
1219
if not client.enabled:
1220
logger.warning(u"Client %s is disabled",
1221
client.name)
1222
if self.server.use_dbus:
1223
# Emit D-Bus signal
1224
client.Rejected("Disabled")
1225
return
1226
1227
if client._approved or not client.approval_delay:
1228
#We are approved or approval is disabled
1229
break
1230
elif client._approved is None:
1231
logger.info(u"Client %s needs approval",
1232
client.name)
1233
if self.server.use_dbus:
1234
# Emit D-Bus signal
1235
client.NeedApproval(
1236
client.approval_delay_milliseconds(),
1237
client.approved_by_default)
1238
else:
1239
logger.warning(u"Client %s was not approved",
1240
client.name)
1241
if self.server.use_dbus:
1242
# Emit D-Bus signal
1243
client.Rejected("Denied")
1244
return
1245
1246
#wait until timeout or approved
1247
#x = float(client._timedelta_to_milliseconds(delay))
1248
time = datetime.datetime.now()
1249
client.changedstate.acquire()
1250
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1251
client.changedstate.release()
1252
time2 = datetime.datetime.now()
1253
if (time2 - time) >= delay:
1254
if not client.approved_by_default:
1255
logger.warning("Client %s timed out while"
1256
" waiting for approval",
1257
client.name)
1258
if self.server.use_dbus:
1259
# Emit D-Bus signal
1260
client.Rejected("Approval timed out")
1261
return
1262
else:
1263
break
1264
else:
1265
delay -= time2 - time
1266
1267
sent_size = 0
1268
while sent_size < len(client.secret):
1269
try:
1270
sent = session.send(client.secret[sent_size:])
1271
except (gnutls.errors.GNUTLSError), error:
1272
logger.warning("gnutls send failed")
1273
return
1274
logger.debug(u"Sent: %d, remaining: %d",
1275
sent, len(client.secret)
1276
- (sent_size + sent))
1277
sent_size += sent
1278
1279
logger.info(u"Sending secret to %s", client.name)
1280
# bump the timeout as if seen
1281
client.checked_ok()
1282
if self.server.use_dbus:
1283
# Emit D-Bus signal
1284
client.GotSecret()
1285
1286
finally:
1287
if approval_required:
1288
client.approvals_pending -= 1
1289
try:
1290
session.bye()
1291
except (gnutls.errors.GNUTLSError), error:
1292
logger.warning("GnuTLS bye failed")
1293
1294
@staticmethod
1295
def peer_certificate(session):
1296
"Return the peer's OpenPGP certificate as a bytestring"
1297
# If not an OpenPGP certificate...
1298
if (gnutls.library.functions
1299
.gnutls_certificate_type_get(session._c_object)
1300
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1301
# ...do the normal thing
1302
return session.peer_certificate
1303
list_size = ctypes.c_uint(1)
1304
cert_list = (gnutls.library.functions
1305
.gnutls_certificate_get_peers
1306
(session._c_object, ctypes.byref(list_size)))
1307
if not bool(cert_list) and list_size.value != 0:
1308
raise gnutls.errors.GNUTLSError(u"error getting peer"
1309
u" certificate")
1310
if list_size.value == 0:
1311
return None
1312
cert = cert_list[0]
1313
return ctypes.string_at(cert.data, cert.size)
1314
1315
@staticmethod
1316
def fingerprint(openpgp):
1317
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1318
# New GnuTLS "datum" with the OpenPGP public key
1319
datum = (gnutls.library.types
1320
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1321
ctypes.POINTER
1322
(ctypes.c_ubyte)),
1323
ctypes.c_uint(len(openpgp))))
1324
# New empty GnuTLS certificate
1325
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1326
(gnutls.library.functions
1327
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1328
# Import the OpenPGP public key into the certificate
1329
(gnutls.library.functions
1330
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1331
gnutls.library.constants
1332
.GNUTLS_OPENPGP_FMT_RAW))
1333
# Verify the self signature in the key
1334
crtverify = ctypes.c_uint()
1335
(gnutls.library.functions
1336
.gnutls_openpgp_crt_verify_self(crt, 0,
1337
ctypes.byref(crtverify)))
1338
if crtverify.value != 0:
1339
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1340
raise (gnutls.errors.CertificateSecurityError
1341
(u"Verify failed"))
1342
# New buffer for the fingerprint
1343
buf = ctypes.create_string_buffer(20)
1344
buf_len = ctypes.c_size_t()
1345
# Get the fingerprint from the certificate into the buffer
1346
(gnutls.library.functions
1347
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1348
ctypes.byref(buf_len)))
1349
# Deinit the certificate
1350
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1351
# Convert the buffer to a Python bytestring
1352
fpr = ctypes.string_at(buf, buf_len.value)
1353
# Convert the bytestring to hexadecimal notation
1354
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1355
return hex_fpr
1356
1357
1358
class MultiprocessingMixIn(object):
1359
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1360
def sub_process_main(self, request, address):
1361
try:
1362
self.finish_request(request, address)
1363
except:
1364
self.handle_error(request, address)
1365
self.close_request(request)
1366
1367
def process_request(self, request, address):
1368
"""Start a new process to process the request."""
1369
multiprocessing.Process(target = self.sub_process_main,
1370
args = (request, address)).start()
1371
1372
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1373
""" adds a pipe to the MixIn """
1374
def process_request(self, request, client_address):
1375
"""Overrides and wraps the original process_request().
1376
1377
This function creates a new pipe in self.pipe
1378
"""
1379
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1380
1381
super(MultiprocessingMixInWithPipe,
1382
self).process_request(request, client_address)
1383
self.child_pipe.close()
1384
self.add_pipe(parent_pipe)
1385
1386
def add_pipe(self, parent_pipe):
1387
"""Dummy function; override as necessary"""
1388
pass
1389
1390
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1391
socketserver.TCPServer, object):
1392
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1393
731
1394
Attributes:
732
settings: Server settings
733
clients: Set() of Client objects
734
1395
enabled: Boolean; whether this server is activated yet
1396
interface: None or a network interface name (string)
1397
use_ipv6: Boolean; to use IPv6 or not
735
1398
"""
736
address_family = socket.AF_INET6
737
def __init__(self, *args, **kwargs):
738
if "settings" in kwargs:
739
self.settings = kwargs["settings"]
740
del kwargs["settings"]
741
if "clients" in kwargs:
742
self.clients = kwargs["clients"]
743
del kwargs["clients"]
744
self.enabled = False
745
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1399
def __init__(self, server_address, RequestHandlerClass,
1400
interface=None, use_ipv6=True):
1401
self.interface = interface
1402
if use_ipv6:
1403
self.address_family = socket.AF_INET6
1404
socketserver.TCPServer.__init__(self, server_address,
1405
RequestHandlerClass)
746
1406
def server_bind(self):
747
1407
"""This overrides the normal server_bind() function
748
1408
to bind to an interface if one was specified, and also NOT to
749
1409
bind to an address or port if they were not specified."""
750
if self.settings["interface"]:
751
# 25 is from /usr/include/asm-i486/socket.h
752
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
753
try:
754
self.socket.setsockopt(socket.SOL_SOCKET,
755
SO_BINDTODEVICE,
756
self.settings["interface"])
757
except socket.error, error:
758
if error[0] == errno.EPERM:
759
logger.error(u"No permission to"
760
u" bind to interface %s",
761
self.settings["interface"])
762
else:
763
raise error
1410
if self.interface is not None:
1411
if SO_BINDTODEVICE is None:
1412
logger.error(u"SO_BINDTODEVICE does not exist;"
1413
u" cannot bind to interface %s",
1414
self.interface)
1415
else:
1416
try:
1417
self.socket.setsockopt(socket.SOL_SOCKET,
1418
SO_BINDTODEVICE,
1419
str(self.interface
1420
+ u'\0'))
1421
except socket.error, error:
1422
if error[0] == errno.EPERM:
1423
logger.error(u"No permission to"
1424
u" bind to interface %s",
1425
self.interface)
1426
elif error[0] == errno.ENOPROTOOPT:
1427
logger.error(u"SO_BINDTODEVICE not available;"
1428
u" cannot bind to interface %s",
1429
self.interface)
1430
else:
1431
raise
764
1432
# Only bind(2) the socket if we really need to.
765
1433
if self.server_address[0] or self.server_address[1]:
766
1434
if not self.server_address[0]:
767
in6addr_any = "::"
768
self.server_address = (in6addr_any,
1435
if self.address_family == socket.AF_INET6:
1436
any_address = u"::" # in6addr_any
1437
else:
1438
any_address = socket.INADDR_ANY
1439
self.server_address = (any_address,
769
1440
self.server_address[1])
770
1441
elif not self.server_address[1]:
771
1442
self.server_address = (self.server_address[0],
772
1443
0)
773
# if self.settings["interface"]:
1444
# if self.interface:
774
1445
# self.server_address = (self.server_address[0],
775
1446
# 0, # port
776
1447
# 0, # flowinfo
777
1448
# if_nametoindex
778
# (self.settings
779
# ["interface"]))
780
return super(IPv6_TCPServer, self).server_bind()
1449
# (self.interface))
1450
return socketserver.TCPServer.server_bind(self)
1451
1452
1453
class MandosServer(IPv6_TCPServer):
1454
"""Mandos server.
1455
1456
Attributes:
1457
clients: set of Client objects
1458
gnutls_priority GnuTLS priority string
1459
use_dbus: Boolean; to emit D-Bus signals or not
1460
1461
Assumes a gobject.MainLoop event loop.
1462
"""
1463
def __init__(self, server_address, RequestHandlerClass,
1464
interface=None, use_ipv6=True, clients=None,
1465
gnutls_priority=None, use_dbus=True):
1466
self.enabled = False
1467
self.clients = clients
1468
if self.clients is None:
1469
self.clients = set()
1470
self.use_dbus = use_dbus
1471
self.gnutls_priority = gnutls_priority
1472
IPv6_TCPServer.__init__(self, server_address,
1473
RequestHandlerClass,
1474
interface = interface,
1475
use_ipv6 = use_ipv6)
781
1476
def server_activate(self):
782
1477
if self.enabled:
783
return super(IPv6_TCPServer, self).server_activate()
1478
return socketserver.TCPServer.server_activate(self)
784
1479
def enable(self):
785
1480
self.enabled = True
1481
def add_pipe(self, parent_pipe):
1482
# Call "handle_ipc" for both data and EOF events
1483
gobject.io_add_watch(parent_pipe.fileno(),
1484
gobject.IO_IN | gobject.IO_HUP,
1485
functools.partial(self.handle_ipc,
1486
parent_pipe = parent_pipe))
1487
1488
def handle_ipc(self, source, condition, parent_pipe=None,
1489
client_object=None):
1490
condition_names = {
1491
gobject.IO_IN: u"IN", # There is data to read.
1492
gobject.IO_OUT: u"OUT", # Data can be written (without
1493
# blocking).
1494
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1495
gobject.IO_ERR: u"ERR", # Error condition.
1496
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1497
# broken, usually for pipes and
1498
# sockets).
1499
}
1500
conditions_string = ' | '.join(name
1501
for cond, name in
1502
condition_names.iteritems()
1503
if cond & condition)
1504
# error or the other end of multiprocessing.Pipe has closed
1505
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1506
return False
1507
1508
# Read a request from the child
1509
request = parent_pipe.recv()
1510
command = request[0]
1511
1512
if command == 'init':
1513
fpr = request[1]
1514
address = request[2]
1515
1516
for c in self.clients:
1517
if c.fingerprint == fpr:
1518
client = c
1519
break
1520
else:
1521
logger.warning(u"Client not found for fingerprint: %s, ad"
1522
u"dress: %s", fpr, address)
1523
if self.use_dbus:
1524
# Emit D-Bus signal
1525
mandos_dbus_service.ClientNotFound(fpr, address[0])
1526
parent_pipe.send(False)
1527
return False
1528
1529
gobject.io_add_watch(parent_pipe.fileno(),
1530
gobject.IO_IN | gobject.IO_HUP,
1531
functools.partial(self.handle_ipc,
1532
parent_pipe = parent_pipe,
1533
client_object = client))
1534
parent_pipe.send(True)
1535
# remove the old hook in favor of the new above hook on same fileno
1536
return False
1537
if command == 'funcall':
1538
funcname = request[1]
1539
args = request[2]
1540
kwargs = request[3]
1541
1542
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1543
1544
if command == 'getattr':
1545
attrname = request[1]
1546
if callable(client_object.__getattribute__(attrname)):
1547
parent_pipe.send(('function',))
1548
else:
1549
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
1550
1551
if command == 'setattr':
1552
attrname = request[1]
1553
value = request[2]
1554
setattr(client_object, attrname, value)
1555
1556
return True
786
1557
787
1558
788
1559
def string_to_delta(interval):
789
1560
"""Parse a string and return a datetime.timedelta
790
791
>>> string_to_delta('7d')
1561
1562
>>> string_to_delta(u'7d')
792
1563
datetime.timedelta(7)
793
>>> string_to_delta('60s')
1564
>>> string_to_delta(u'60s')
794
1565
datetime.timedelta(0, 60)
795
>>> string_to_delta('60m')
1566
>>> string_to_delta(u'60m')
796
1567
datetime.timedelta(0, 3600)
797
>>> string_to_delta('24h')
1568
>>> string_to_delta(u'24h')
798
1569
datetime.timedelta(1)
799
1570
>>> string_to_delta(u'1w')
800
1571
datetime.timedelta(7)
801
>>> string_to_delta('5m 30s')
1572
>>> string_to_delta(u'5m 30s')
802
1573
datetime.timedelta(0, 330)
803
1574
"""
804
1575
timevalue = datetime.timedelta(0)
817
1588
elif suffix == u"w":
818
1589
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
819
1590
else:
820
raise ValueError
821
except (ValueError, IndexError):
822
raise ValueError
1591
raise ValueError(u"Unknown suffix %r" % suffix)
1592
except (ValueError, IndexError), e:
1593
raise ValueError(e.message)
823
1594
timevalue += delta
824
1595
return timevalue
825
1596
826
1597
827
def server_state_changed(state):
828
"""Derived from the Avahi example code"""
829
if state == avahi.SERVER_COLLISION:
830
logger.error(u"Zeroconf server name collision")
831
service.remove()
832
elif state == avahi.SERVER_RUNNING:
833
service.add()
834
835
836
def entry_group_state_changed(state, error):
837
"""Derived from the Avahi example code"""
838
logger.debug(u"Avahi state change: %i", state)
839
840
if state == avahi.ENTRY_GROUP_ESTABLISHED:
841
logger.debug(u"Zeroconf service established.")
842
elif state == avahi.ENTRY_GROUP_COLLISION:
843
logger.warning(u"Zeroconf service name collision.")
844
service.rename()
845
elif state == avahi.ENTRY_GROUP_FAILURE:
846
logger.critical(u"Avahi: Error in group state changed %s",
847
unicode(error))
848
raise AvahiGroupError("State changed: %s", str(error))
849
850
1598
def if_nametoindex(interface):
851
"""Call the C function if_nametoindex(), or equivalent"""
1599
"""Call the C function if_nametoindex(), or equivalent
1600
1601
Note: This function cannot accept a unicode string."""
852
1602
global if_nametoindex
853
1603
try:
854
1604
if_nametoindex = (ctypes.cdll.LoadLibrary
855
(ctypes.util.find_library("c"))
1605
(ctypes.util.find_library(u"c"))
856
1606
.if_nametoindex)
857
1607
except (OSError, AttributeError):
858
if "struct" not in sys.modules:
859
import struct
860
if "fcntl" not in sys.modules:
861
import fcntl
1608
logger.warning(u"Doing if_nametoindex the hard way")
862
1609
def if_nametoindex(interface):
863
1610
"Get an interface index the hard way, i.e. using fcntl()"
864
1611
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
865
with closing(socket.socket()) as s:
1612
with contextlib.closing(socket.socket()) as s:
866
1613
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
867
struct.pack("16s16x", interface))
868
interface_index = struct.unpack("I", ifreq[16:20])[0]
1614
struct.pack(str(u"16s16x"),
1615
interface))
1616
interface_index = struct.unpack(str(u"I"),
1617
ifreq[16:20])[0]
869
1618
return interface_index
870
1619
return if_nametoindex(interface)
871
1620
872
1621
873
1622
def daemon(nochdir = False, noclose = False):
874
1623
"""See daemon(3). Standard BSD Unix function.
1624
875
1625
This should really exist as os.daemon, but it doesn't (yet)."""
876
1626
if os.fork():
877
1627
sys.exit()
878
1628
os.setsid()
879
1629
if not nochdir:
880
os.chdir("/")
1630
os.chdir(u"/")
881
1631
if os.fork():
882
1632
sys.exit()
883
1633
if not noclose:
885
1635
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
886
1636
if not stat.S_ISCHR(os.fstat(null).st_mode):
887
1637
raise OSError(errno.ENODEV,
888
"/dev/null not a character device")
1638
u"%s not a character device"
1639
% os.path.devnull)
889
1640
os.dup2(null, sys.stdin.fileno())
890
1641
os.dup2(null, sys.stdout.fileno())
891
1642
os.dup2(null, sys.stderr.fileno())
894
1645
895
1646
896
1647
def main():
897
parser = OptionParser(version = "%%prog %s" % version)
898
parser.add_option("-i", "--interface", type="string",
899
metavar="IF", help="Bind to interface IF")
900
parser.add_option("-a", "--address", type="string",
901
help="Address to listen for requests on")
902
parser.add_option("-p", "--port", type="int",
903
help="Port number to receive requests on")
904
parser.add_option("--check", action="store_true", default=False,
905
help="Run self-test")
906
parser.add_option("--debug", action="store_true",
907
help="Debug mode; run in foreground and log to"
908
" terminal")
909
parser.add_option("--priority", type="string", help="GnuTLS"
910
" priority string (see GnuTLS documentation)")
911
parser.add_option("--servicename", type="string", metavar="NAME",
912
help="Zeroconf service name")
913
parser.add_option("--configdir", type="string",
914
default="/etc/mandos", metavar="DIR",
915
help="Directory to search for configuration"
916
" files")
1648
1649
##################################################################
1650
# Parsing of options, both command line and config file
1651
1652
parser = optparse.OptionParser(version = "%%prog %s" % version)
1653
parser.add_option("-i", u"--interface", type=u"string",
1654
metavar="IF", help=u"Bind to interface IF")
1655
parser.add_option("-a", u"--address", type=u"string",
1656
help=u"Address to listen for requests on")
1657
parser.add_option("-p", u"--port", type=u"int",
1658
help=u"Port number to receive requests on")
1659
parser.add_option("--check", action=u"store_true",
1660
help=u"Run self-test")
1661
parser.add_option("--debug", action=u"store_true",
1662
help=u"Debug mode; run in foreground and log to"
1663
u" terminal")
1664
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1665
help=u"Debug level for stdout output")
1666
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1667
u" priority string (see GnuTLS documentation)")
1668
parser.add_option("--servicename", type=u"string",
1669
metavar=u"NAME", help=u"Zeroconf service name")
1670
parser.add_option("--configdir", type=u"string",
1671
default=u"/etc/mandos", metavar=u"DIR",
1672
help=u"Directory to search for configuration"
1673
u" files")
1674
parser.add_option("--no-dbus", action=u"store_false",
1675
dest=u"use_dbus", help=u"Do not provide D-Bus"
1676
u" system bus interface")
1677
parser.add_option("--no-ipv6", action=u"store_false",
1678
dest=u"use_ipv6", help=u"Do not use IPv6")
917
1679
options = parser.parse_args()[0]
918
1680
919
1681
if options.check:
922
1684
sys.exit()
923
1685
924
1686
# Default values for config file for server-global settings
925
server_defaults = { "interface": "",
926
"address": "",
927
"port": "",
928
"debug": "False",
929
"priority":
930
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
931
"servicename": "Mandos",
1687
server_defaults = { u"interface": u"",
1688
u"address": u"",
1689
u"port": u"",
1690
u"debug": u"False",
1691
u"priority":
1692
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1693
u"servicename": u"Mandos",
1694
u"use_dbus": u"True",
1695
u"use_ipv6": u"True",
1696
u"debuglevel": u"",
932
1697
}
933
1698
934
1699
# Parse config file for server-global settings
935
server_config = ConfigParser.SafeConfigParser(server_defaults)
1700
server_config = configparser.SafeConfigParser(server_defaults)
936
1701
del server_defaults
937
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1702
server_config.read(os.path.join(options.configdir,
1703
u"mandos.conf"))
938
1704
# Convert the SafeConfigParser object to a dict
939
1705
server_settings = server_config.defaults()
940
# Use getboolean on the boolean config option
941
server_settings["debug"] = (server_config.getboolean
942
("DEFAULT", "debug"))
1706
# Use the appropriate methods on the non-string config options
1707
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1708
server_settings[option] = server_config.getboolean(u"DEFAULT",
1709
option)
1710
if server_settings["port"]:
1711
server_settings["port"] = server_config.getint(u"DEFAULT",
1712
u"port")
943
1713
del server_config
944
1714
945
1715
# Override the settings from the config file with command line
946
1716
# options, if set.
947
for option in ("interface", "address", "port", "debug",
948
"priority", "servicename", "configdir"):
1717
for option in (u"interface", u"address", u"port", u"debug",
1718
u"priority", u"servicename", u"configdir",
1719
u"use_dbus", u"use_ipv6", u"debuglevel"):
949
1720
value = getattr(options, option)
950
1721
if value is not None:
951
1722
server_settings[option] = value
952
1723
del options
1724
# Force all strings to be unicode
1725
for option in server_settings.keys():
1726
if type(server_settings[option]) is str:
1727
server_settings[option] = unicode(server_settings[option])
953
1728
# Now we have our good server settings in "server_settings"
954
1729
955
debug = server_settings["debug"]
956
957
if not debug:
958
syslogger.setLevel(logging.WARNING)
959
console.setLevel(logging.WARNING)
960
961
if server_settings["servicename"] != "Mandos":
1730
##################################################################
1731
1732
# For convenience
1733
debug = server_settings[u"debug"]
1734
debuglevel = server_settings[u"debuglevel"]
1735
use_dbus = server_settings[u"use_dbus"]
1736
use_ipv6 = server_settings[u"use_ipv6"]
1737
1738
if server_settings[u"servicename"] != u"Mandos":
962
1739
syslogger.setFormatter(logging.Formatter
963
('Mandos (%s): %%(levelname)s:'
964
' %%(message)s'
965
% server_settings["servicename"]))
1740
(u'Mandos (%s) [%%(process)d]:'
1741
u' %%(levelname)s: %%(message)s'
1742
% server_settings[u"servicename"]))
966
1743
967
1744
# Parse config file with clients
968
client_defaults = { "timeout": "1h",
969
"interval": "5m",
970
"checker": "fping -q -- %(host)s",
971
"host": "",
1745
client_defaults = { u"timeout": u"1h",
1746
u"interval": u"5m",
1747
u"checker": u"fping -q -- %%(host)s",
1748
u"host": u"",
1749
u"approval_delay": u"0s",
1750
u"approval_duration": u"1s",
972
1751
}
973
client_config = ConfigParser.SafeConfigParser(client_defaults)
974
client_config.read(os.path.join(server_settings["configdir"],
975
"clients.conf"))
976
977
clients = Set()
978
tcp_server = IPv6_TCPServer((server_settings["address"],
979
server_settings["port"]),
980
TCP_handler,
981
settings=server_settings,
982
clients=clients)
983
pidfilename = "/var/run/mandos.pid"
984
try:
985
pidfile = open(pidfilename, "w")
986
except IOError, error:
987
logger.error("Could not open file %r", pidfilename)
988
989
try:
990
uid = pwd.getpwnam("_mandos").pw_uid
1752
client_config = configparser.SafeConfigParser(client_defaults)
1753
client_config.read(os.path.join(server_settings[u"configdir"],
1754
u"clients.conf"))
1755
1756
global mandos_dbus_service
1757
mandos_dbus_service = None
1758
1759
tcp_server = MandosServer((server_settings[u"address"],
1760
server_settings[u"port"]),
1761
ClientHandler,
1762
interface=(server_settings[u"interface"]
1763
or None),
1764
use_ipv6=use_ipv6,
1765
gnutls_priority=
1766
server_settings[u"priority"],
1767
use_dbus=use_dbus)
1768
if not debug:
1769
pidfilename = u"/var/run/mandos.pid"
1770
try:
1771
pidfile = open(pidfilename, u"w")
1772
except IOError:
1773
logger.error(u"Could not open file %r", pidfilename)
1774
1775
try:
1776
uid = pwd.getpwnam(u"_mandos").pw_uid
1777
gid = pwd.getpwnam(u"_mandos").pw_gid
991
1778
except KeyError:
992
1779
try:
993
uid = pwd.getpwnam("mandos").pw_uid
1780
uid = pwd.getpwnam(u"mandos").pw_uid
1781
gid = pwd.getpwnam(u"mandos").pw_gid
994
1782
except KeyError:
995
1783
try:
996
uid = pwd.getpwnam("nobody").pw_uid
1784
uid = pwd.getpwnam(u"nobody").pw_uid
1785
gid = pwd.getpwnam(u"nobody").pw_gid
997
1786
except KeyError:
998
1787
uid = 65534
999
try:
1000
gid = pwd.getpwnam("_mandos").pw_gid
1001
except KeyError:
1002
try:
1003
gid = pwd.getpwnam("mandos").pw_gid
1004
except KeyError:
1005
try:
1006
gid = pwd.getpwnam("nogroup").pw_gid
1007
except KeyError:
1008
1788
gid = 65534
1009
1789
try:
1790
os.setgid(gid)
1010
1791
os.setuid(uid)
1011
os.setgid(gid)
1012
1792
except OSError, error:
1013
1793
if error[0] != errno.EPERM:
1014
1794
raise error
1015
1795
1016
global service
1017
service = AvahiService(name = server_settings["servicename"],
1018
servicetype = "_mandos._tcp", )
1019
if server_settings["interface"]:
1020
service.interface = (if_nametoindex
1021
(server_settings["interface"]))
1796
if not debug and not debuglevel:
1797
syslogger.setLevel(logging.WARNING)
1798
console.setLevel(logging.WARNING)
1799
if debuglevel:
1800
level = getattr(logging, debuglevel.upper())
1801
syslogger.setLevel(level)
1802
console.setLevel(level)
1803
1804
if debug:
1805
# Enable all possible GnuTLS debugging
1806
1807
# "Use a log level over 10 to enable all debugging options."
1808
# - GnuTLS manual
1809
gnutls.library.functions.gnutls_global_set_log_level(11)
1810
1811
@gnutls.library.types.gnutls_log_func
1812
def debug_gnutls(level, string):
1813
logger.debug(u"GnuTLS: %s", string[:-1])
1814
1815
(gnutls.library.functions
1816
.gnutls_global_set_log_function(debug_gnutls))
1817
1818
# Redirect stdin so all checkers get /dev/null
1819
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1820
os.dup2(null, sys.stdin.fileno())
1821
if null > 2:
1822
os.close(null)
1823
else:
1824
# No console logging
1825
logger.removeHandler(console)
1826
1022
1827
1023
1828
global main_loop
1024
global bus
1025
global server
1026
1829
# From the Avahi example code
1027
1830
DBusGMainLoop(set_as_default=True )
1028
1831
main_loop = gobject.MainLoop()
1029
1832
bus = dbus.SystemBus()
1030
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1031
avahi.DBUS_PATH_SERVER),
1032
avahi.DBUS_INTERFACE_SERVER)
1033
1833
# End of Avahi example code
1034
bus_name = dbus.service.BusName(u"org.mandos-system.Mandos", bus)
1035
1036
clients.update(Set(Client(name = section,
1037
config
1038
= dict(client_config.items(section)))
1039
for section in client_config.sections()))
1040
if not clients:
1041
logger.critical(u"No clients defined")
1042
sys.exit(1)
1043
1044
if debug:
1045
# Redirect stdin so all checkers get /dev/null
1046
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1047
os.dup2(null, sys.stdin.fileno())
1048
if null > 2:
1049
os.close(null)
1050
else:
1051
# No console logging
1052
logger.removeHandler(console)
1834
if use_dbus:
1835
try:
1836
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
1837
bus, do_not_queue=True)
1838
except dbus.exceptions.NameExistsException, e:
1839
logger.error(unicode(e) + u", disabling D-Bus")
1840
use_dbus = False
1841
server_settings[u"use_dbus"] = False
1842
tcp_server.use_dbus = False
1843
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1844
service = AvahiService(name = server_settings[u"servicename"],
1845
servicetype = u"_mandos._tcp",
1846
protocol = protocol, bus = bus)
1847
if server_settings["interface"]:
1848
service.interface = (if_nametoindex
1849
(str(server_settings[u"interface"])))
1850
1851
if not debug:
1053
1852
# Close all input and output, do double fork, etc.
1054
1853
daemon()
1055
1056
try:
1057
pid = os.getpid()
1058
pidfile.write(str(pid) + "\n")
1059
pidfile.close()
1060
del pidfile
1061
except IOError:
1062
logger.error(u"Could not write to file %r with PID %d",
1063
pidfilename, pid)
1064
except NameError:
1065
# "pidfile" was never created
1066
pass
1067
del pidfilename
1854
1855
global multiprocessing_manager
1856
multiprocessing_manager = multiprocessing.Manager()
1857
1858
client_class = Client
1859
if use_dbus:
1860
client_class = functools.partial(ClientDBus, bus = bus)
1861
def client_config_items(config, section):
1862
special_settings = {
1863
"approved_by_default":
1864
lambda: config.getboolean(section,
1865
"approved_by_default"),
1866
}
1867
for name, value in config.items(section):
1868
try:
1869
yield (name, special_settings[name]())
1870
except KeyError:
1871
yield (name, value)
1872
1873
tcp_server.clients.update(set(
1874
client_class(name = section,
1875
config= dict(client_config_items(
1876
client_config, section)))
1877
for section in client_config.sections()))
1878
if not tcp_server.clients:
1879
logger.warning(u"No clients defined")
1880
1881
if not debug:
1882
try:
1883
with pidfile:
1884
pid = os.getpid()
1885
pidfile.write(str(pid) + "\n")
1886
del pidfile
1887
except IOError:
1888
logger.error(u"Could not write to file %r with PID %d",
1889
pidfilename, pid)
1890
except NameError:
1891
# "pidfile" was never created
1892
pass
1893
del pidfilename
1894
1895
signal.signal(signal.SIGINT, signal.SIG_IGN)
1896
1897
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1898
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1899
1900
if use_dbus:
1901
class MandosDBusService(dbus.service.Object):
1902
"""A D-Bus proxy object"""
1903
def __init__(self):
1904
dbus.service.Object.__init__(self, bus, u"/")
1905
_interface = u"se.bsnet.fukt.Mandos"
1906
1907
@dbus.service.signal(_interface, signature=u"o")
1908
def ClientAdded(self, objpath):
1909
"D-Bus signal"
1910
pass
1911
1912
@dbus.service.signal(_interface, signature=u"ss")
1913
def ClientNotFound(self, fingerprint, address):
1914
"D-Bus signal"
1915
pass
1916
1917
@dbus.service.signal(_interface, signature=u"os")
1918
def ClientRemoved(self, objpath, name):
1919
"D-Bus signal"
1920
pass
1921
1922
@dbus.service.method(_interface, out_signature=u"ao")
1923
def GetAllClients(self):
1924
"D-Bus method"
1925
return dbus.Array(c.dbus_object_path
1926
for c in tcp_server.clients)
1927
1928
@dbus.service.method(_interface,
1929
out_signature=u"a{oa{sv}}")
1930
def GetAllClientsWithProperties(self):
1931
"D-Bus method"
1932
return dbus.Dictionary(
1933
((c.dbus_object_path, c.GetAll(u""))
1934
for c in tcp_server.clients),
1935
signature=u"oa{sv}")
1936
1937
@dbus.service.method(_interface, in_signature=u"o")
1938
def RemoveClient(self, object_path):
1939
"D-Bus method"
1940
for c in tcp_server.clients:
1941
if c.dbus_object_path == object_path:
1942
tcp_server.clients.remove(c)
1943
c.remove_from_connection()
1944
# Don't signal anything except ClientRemoved
1945
c.disable(quiet=True)
1946
# Emit D-Bus signal
1947
self.ClientRemoved(object_path, c.name)
1948
return
1949
raise KeyError(object_path)
1950
1951
del _interface
1952
1953
mandos_dbus_service = MandosDBusService()
1068
1954
1069
1955
def cleanup():
1070
1956
"Cleanup function; run on exit"
1071
global group
1072
# From the Avahi example code
1073
if not group is None:
1074
group.Free()
1075
group = None
1076
# End of Avahi example code
1957
service.cleanup()
1077
1958
1078
while clients:
1079
client = clients.pop()
1080
client.stop_hook = None
1081
client.stop()
1959
while tcp_server.clients:
1960
client = tcp_server.clients.pop()
1961
if use_dbus:
1962
client.remove_from_connection()
1963
client.disable_hook = None
1964
# Don't signal anything except ClientRemoved
1965
client.disable(quiet=True)
1966
if use_dbus:
1967
# Emit D-Bus signal
1968
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
1969
client.name)
1082
1970
1083
1971
atexit.register(cleanup)
1084
1972
1085
if not debug:
1086
signal.signal(signal.SIGINT, signal.SIG_IGN)
1087
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1088
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1089
1090
class MandosServer(dbus.service.Object):
1091
"""A D-Bus proxy object"""
1092
def __init__(self):
1093
dbus.service.Object.__init__(self, bus,
1094
"/Mandos")
1095
_interface = u"org.mandos_system.Mandos"
1096
1097
@dbus.service.signal(_interface, signature="oa{sv}")
1098
def ClientAdded(self, objpath, properties):
1099
"D-Bus signal"
1100
pass
1101
1102
@dbus.service.signal(_interface, signature="o")
1103
def ClientRemoved(self, objpath):
1104
"D-Bus signal"
1105
pass
1106
1107
@dbus.service.method(_interface, out_signature="ao")
1108
def GetAllClients(self):
1109
return dbus.Array(c.dbus_object_path for c in clients)
1110
1111
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
1112
def GetAllClientsWithProperties(self):
1113
return dbus.Dictionary(
1114
((c.dbus_object_path, c.GetAllProperties())
1115
for c in clients),
1116
signature="oa{sv}")
1117
1118
@dbus.service.method(_interface, in_signature="o")
1119
def RemoveClient(self, object_path):
1120
for c in clients:
1121
if c.dbus_object_path == object_path:
1122
c.stop()
1123
clients.remove(c)
1124
return
1125
raise KeyError
1126
1127
del _interface
1128
1129
mandos_server = MandosServer()
1130
1131
for client in clients:
1132
# Emit D-Bus signal
1133
mandos_server.ClientAdded(client.dbus_object_path,
1134
client.GetAllProperties())
1135
client.start()
1973
for client in tcp_server.clients:
1974
if use_dbus:
1975
# Emit D-Bus signal
1976
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1977
client.enable()
1136
1978
1137
1979
tcp_server.enable()
1138
1980
tcp_server.server_activate()
1139
1981
1140
1982
# Find out what port we got
1141
1983
service.port = tcp_server.socket.getsockname()[1]
1142
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
1143
u" scope_id %d" % tcp_server.socket.getsockname())
1984
if use_ipv6:
1985
logger.info(u"Now listening on address %r, port %d,"
1986
" flowinfo %d, scope_id %d"
1987
% tcp_server.socket.getsockname())
1988
else: # IPv4
1989
logger.info(u"Now listening on address %r, port %d"
1990
% tcp_server.socket.getsockname())
1144
1991
1145
1992
#service.interface = tcp_server.socket.getsockname()[3]
1146
1993
1147
1994
try:
1148
1995
# From the Avahi example code
1149
server.connect_to_signal("StateChanged", server_state_changed)
1150
1996
try:
1151
server_state_changed(server.GetState())
1997
service.activate()
1152
1998
except dbus.exceptions.DBusException, error:
1153
1999
logger.critical(u"DBusException: %s", error)
2000
cleanup()
1154
2001
sys.exit(1)
1155
2002
# End of Avahi example code
1156
2003
1162
2009
logger.debug(u"Starting main loop")
1163
2010
main_loop.run()
1164
2011
except AvahiError, error:
1165
logger.critical(u"AvahiError: %s" + unicode(error))
2012
logger.critical(u"AvahiError: %s", error)
2013
cleanup()
1166
2014
sys.exit(1)
1167
2015
except KeyboardInterrupt:
1168
2016
if debug:
1169
print
2017
print >> sys.stderr
2018
logger.debug(u"Server received KeyboardInterrupt")
2019
logger.debug(u"Server exiting")
2020
# Must run before the D-Bus bus name gets deregistered
2021
cleanup()
1170
2022
1171
2023
if __name__ == '__main__':
1172
2024
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0