To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 441
- compare with another revision
- download diff
- download tarball
- view history from revision 441
- Committer: Teddy Hogeborn
- Date: 2010-09-25 23:52:17 UTC
- Revision ID: teddy@fukt.bsnet.se-20100925235217-4hhqfryz1ste6uw3
* mandos (ClientDBus.__init__): Bug fix: Translate "-" in client names
to "_" in D-Bus object paths.
(MandosServer.handle_ipc): Bug fix: Send only address string to
D-Bus signal, not whole tuple.
* mandos-ctl: New options "--approve-by-default", "--deny-by-default",
"--approval-delay", and "--approval-duration".
* mandos-ctl.xml (SYNOPSIS, OPTIONS): Document new options.
* mandos-monitor (MandosClientWidget.update): Fix spelling.
to "_" in D-Bus object paths.
(MandosServer.handle_ipc): Bug fix: Send only address string to
D-Bus signal, not whole tuple.
* mandos-ctl: New options "--approve-by-default", "--deny-by-default",
"--approval-delay", and "--approval-duration".
* mandos-ctl.xml (SYNOPSIS, OPTIONS): Document new options.
* mandos-monitor (MandosClientWidget.update): Fix spelling.
- files removed:
- debian/mandos-client.examples
- debian/source
- debian/upstream
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2014 Teddy Hogeborn
15
# Copyright © 2008-2014 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@recompile.se>.
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
36
37
from future_builtins import *
34
from __future__ import division, with_statement, absolute_import
38
35
39
36
import SocketServer as socketserver
40
37
import socket
41
import argparse
38
import optparse
42
39
import datetime
43
40
import errno
44
41
import gnutls.crypto
64
61
import functools
65
62
import cPickle as pickle
66
63
import multiprocessing
67
import types
68
import binascii
69
import tempfile
70
import itertools
71
import collections
72
64
73
65
import dbus
74
66
import dbus.service
88
80
except ImportError:
89
81
SO_BINDTODEVICE = None
90
82
91
version = "1.6.8"
92
stored_state_file = "clients.pickle"
93
94
logger = logging.getLogger()
95
syslogger = None
96
97
try:
98
if_nametoindex = (ctypes.cdll.LoadLibrary
99
(ctypes.util.find_library("c"))
100
.if_nametoindex)
101
except (OSError, AttributeError):
102
def if_nametoindex(interface):
103
"Get an interface index the hard way, i.e. using fcntl()"
104
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
105
with contextlib.closing(socket.socket()) as s:
106
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
107
struct.pack(b"16s16x", interface))
108
interface_index = struct.unpack("I", ifreq[16:20])[0]
109
return interface_index
110
111
112
def initlogger(debug, level=logging.WARNING):
113
"""init logger and add loglevel"""
114
115
global syslogger
116
syslogger = (logging.handlers.SysLogHandler
117
(facility =
118
logging.handlers.SysLogHandler.LOG_DAEMON,
119
address = "/dev/log"))
120
syslogger.setFormatter(logging.Formatter
121
('Mandos [%(process)d]: %(levelname)s:'
122
' %(message)s'))
123
logger.addHandler(syslogger)
124
125
if debug:
126
console = logging.StreamHandler()
127
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
128
' [%(process)d]:'
129
' %(levelname)s:'
130
' %(message)s'))
131
logger.addHandler(console)
132
logger.setLevel(level)
133
134
135
class PGPError(Exception):
136
"""Exception if encryption/decryption fails"""
137
pass
138
139
140
class PGPEngine(object):
141
"""A simple class for OpenPGP symmetric encryption & decryption"""
142
def __init__(self):
143
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
144
self.gnupgargs = ['--batch',
145
'--home', self.tempdir,
146
'--force-mdc',
147
'--quiet',
148
'--no-use-agent']
149
150
def __enter__(self):
151
return self
152
153
def __exit__(self, exc_type, exc_value, traceback):
154
self._cleanup()
155
return False
156
157
def __del__(self):
158
self._cleanup()
159
160
def _cleanup(self):
161
if self.tempdir is not None:
162
# Delete contents of tempdir
163
for root, dirs, files in os.walk(self.tempdir,
164
topdown = False):
165
for filename in files:
166
os.remove(os.path.join(root, filename))
167
for dirname in dirs:
168
os.rmdir(os.path.join(root, dirname))
169
# Remove tempdir
170
os.rmdir(self.tempdir)
171
self.tempdir = None
172
173
def password_encode(self, password):
174
# Passphrase can not be empty and can not contain newlines or
175
# NUL bytes. So we prefix it and hex encode it.
176
encoded = b"mandos" + binascii.hexlify(password)
177
if len(encoded) > 2048:
178
# GnuPG can't handle long passwords, so encode differently
179
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
180
.replace(b"\n", b"\\n")
181
.replace(b"\0", b"\\x00"))
182
return encoded
183
184
def encrypt(self, data, password):
185
passphrase = self.password_encode(password)
186
with tempfile.NamedTemporaryFile(dir=self.tempdir
187
) as passfile:
188
passfile.write(passphrase)
189
passfile.flush()
190
proc = subprocess.Popen(['gpg', '--symmetric',
191
'--passphrase-file',
192
passfile.name]
193
+ self.gnupgargs,
194
stdin = subprocess.PIPE,
195
stdout = subprocess.PIPE,
196
stderr = subprocess.PIPE)
197
ciphertext, err = proc.communicate(input = data)
198
if proc.returncode != 0:
199
raise PGPError(err)
200
return ciphertext
201
202
def decrypt(self, data, password):
203
passphrase = self.password_encode(password)
204
with tempfile.NamedTemporaryFile(dir = self.tempdir
205
) as passfile:
206
passfile.write(passphrase)
207
passfile.flush()
208
proc = subprocess.Popen(['gpg', '--decrypt',
209
'--passphrase-file',
210
passfile.name]
211
+ self.gnupgargs,
212
stdin = subprocess.PIPE,
213
stdout = subprocess.PIPE,
214
stderr = subprocess.PIPE)
215
decrypted_plaintext, err = proc.communicate(input
216
= data)
217
if proc.returncode != 0:
218
raise PGPError(err)
219
return decrypted_plaintext
220
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
88
syslogger = (logging.handlers.SysLogHandler
89
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
address = "/dev/log"))
91
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
94
logger.addHandler(syslogger)
95
96
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
100
logger.addHandler(console)
221
101
222
102
class AvahiError(Exception):
223
103
def __init__(self, value, *args, **kwargs):
224
104
self.value = value
225
return super(AvahiError, self).__init__(value, *args,
226
**kwargs)
105
super(AvahiError, self).__init__(value, *args, **kwargs)
106
def __unicode__(self):
107
return unicode(repr(self.value))
227
108
228
109
class AvahiServiceError(AvahiError):
229
110
pass
238
119
Attributes:
239
120
interface: integer; avahi.IF_UNSPEC or an interface index.
240
121
Used to optionally bind to the specified interface.
241
name: string; Example: 'Mandos'
242
type: string; Example: '_mandos._tcp'.
243
See <https://www.iana.org/assignments/service-names-port-numbers>
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
124
See <http://www.dns-sd.org/ServiceTypes.html>
244
125
port: integer; what port to announce
245
126
TXT: list of strings; TXT record for the service
246
127
domain: string; Domain to publish on, default to .local if empty.
252
133
server: D-Bus Server
253
134
bus: dbus.SystemBus()
254
135
"""
255
256
136
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
257
137
servicetype = None, port = None, TXT = None,
258
domain = "", host = "", max_renames = 32768,
138
domain = u"", host = u"", max_renames = 32768,
259
139
protocol = avahi.PROTO_UNSPEC, bus = None):
260
140
self.interface = interface
261
141
self.name = name
270
150
self.group = None # our entry group
271
151
self.server = None
272
152
self.bus = bus
273
self.entry_group_state_changed_match = None
274
275
153
def rename(self):
276
154
"""Derived from the Avahi example code"""
277
155
if self.rename_count >= self.max_renames:
278
logger.critical("No suitable Zeroconf service name found"
279
" after %i retries, exiting.",
156
logger.critical(u"No suitable Zeroconf service name found"
157
u" after %i retries, exiting.",
280
158
self.rename_count)
281
raise AvahiServiceError("Too many renames")
282
self.name = unicode(self.server
283
.GetAlternativeServiceName(self.name))
284
logger.info("Changing Zeroconf service name to %r ...",
159
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
161
logger.info(u"Changing Zeroconf service name to %r ...",
285
162
self.name)
163
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
286
167
self.remove()
287
168
try:
288
169
self.add()
289
except dbus.exceptions.DBusException as error:
290
logger.critical("D-Bus Exception", exc_info=error)
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
291
172
self.cleanup()
292
173
os._exit(1)
293
174
self.rename_count += 1
294
295
175
def remove(self):
296
176
"""Derived from the Avahi example code"""
297
if self.entry_group_state_changed_match is not None:
298
self.entry_group_state_changed_match.remove()
299
self.entry_group_state_changed_match = None
300
177
if self.group is not None:
301
178
self.group.Reset()
302
303
179
def add(self):
304
180
"""Derived from the Avahi example code"""
305
self.remove()
306
181
if self.group is None:
307
182
self.group = dbus.Interface(
308
183
self.bus.get_object(avahi.DBUS_NAME,
309
184
self.server.EntryGroupNew()),
310
185
avahi.DBUS_INTERFACE_ENTRY_GROUP)
311
self.entry_group_state_changed_match = (
312
self.group.connect_to_signal(
313
'StateChanged', self.entry_group_state_changed))
314
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
186
self.group.connect_to_signal('StateChanged',
187
self
188
.entry_group_state_changed)
189
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
315
190
self.name, self.type)
316
191
self.group.AddService(
317
192
self.interface,
322
197
dbus.UInt16(self.port),
323
198
avahi.string_array_to_txt_array(self.TXT))
324
199
self.group.Commit()
325
326
200
def entry_group_state_changed(self, state, error):
327
201
"""Derived from the Avahi example code"""
328
logger.debug("Avahi entry group state change: %i", state)
202
logger.debug(u"Avahi entry group state change: %i", state)
329
203
330
204
if state == avahi.ENTRY_GROUP_ESTABLISHED:
331
logger.debug("Zeroconf service established.")
205
logger.debug(u"Zeroconf service established.")
332
206
elif state == avahi.ENTRY_GROUP_COLLISION:
333
logger.info("Zeroconf service name collision.")
207
logger.warning(u"Zeroconf service name collision.")
334
208
self.rename()
335
209
elif state == avahi.ENTRY_GROUP_FAILURE:
336
logger.critical("Avahi: Error in group state changed %s",
210
logger.critical(u"Avahi: Error in group state changed %s",
337
211
unicode(error))
338
raise AvahiGroupError("State changed: {!s}"
339
.format(error))
340
212
raise AvahiGroupError(u"State changed: %s"
213
% unicode(error))
341
214
def cleanup(self):
342
215
"""Derived from the Avahi example code"""
343
216
if self.group is not None:
344
try:
345
self.group.Free()
346
except (dbus.exceptions.UnknownMethodException,
347
dbus.exceptions.DBusException):
348
pass
217
self.group.Free()
349
218
self.group = None
350
self.remove()
351
352
def server_state_changed(self, state, error=None):
219
def server_state_changed(self, state):
353
220
"""Derived from the Avahi example code"""
354
logger.debug("Avahi server state change: %i", state)
355
bad_states = { avahi.SERVER_INVALID:
356
"Zeroconf server invalid",
357
avahi.SERVER_REGISTERING: None,
358
avahi.SERVER_COLLISION:
359
"Zeroconf server name collision",
360
avahi.SERVER_FAILURE:
361
"Zeroconf server failure" }
362
if state in bad_states:
363
if bad_states[state] is not None:
364
if error is None:
365
logger.error(bad_states[state])
366
else:
367
logger.error(bad_states[state] + ": %r", error)
368
self.cleanup()
221
logger.debug(u"Avahi server state change: %i", state)
222
if state == avahi.SERVER_COLLISION:
223
logger.error(u"Zeroconf server name collision")
224
self.remove()
369
225
elif state == avahi.SERVER_RUNNING:
370
226
self.add()
371
else:
372
if error is None:
373
logger.debug("Unknown state: %r", state)
374
else:
375
logger.debug("Unknown state: %r: %r", state, error)
376
377
227
def activate(self):
378
228
"""Derived from the Avahi example code"""
379
229
if self.server is None:
380
230
self.server = dbus.Interface(
381
231
self.bus.get_object(avahi.DBUS_NAME,
382
avahi.DBUS_PATH_SERVER,
383
follow_name_owner_changes=True),
232
avahi.DBUS_PATH_SERVER),
384
233
avahi.DBUS_INTERFACE_SERVER)
385
self.server.connect_to_signal("StateChanged",
234
self.server.connect_to_signal(u"StateChanged",
386
235
self.server_state_changed)
387
236
self.server_state_changed(self.server.GetState())
388
237
389
238
390
class AvahiServiceToSyslog(AvahiService):
391
def rename(self):
392
"""Add the new name to the syslog messages"""
393
ret = AvahiService.rename(self)
394
syslogger.setFormatter(logging.Formatter
395
('Mandos ({}) [%(process)d]:'
396
' %(levelname)s: %(message)s'
397
.format(self.name)))
398
return ret
399
400
401
239
class Client(object):
402
240
"""A representation of a client host served by this server.
403
241
404
242
Attributes:
405
approved: bool(); 'None' if not yet approved/disapproved
243
_approved: bool(); 'None' if not yet approved/disapproved
406
244
approval_delay: datetime.timedelta(); Time to wait for approval
407
245
approval_duration: datetime.timedelta(); Duration of one approval
408
246
checker: subprocess.Popen(); a running checker process used
409
247
to see if the client lives.
410
248
'None' if no process is running.
411
checker_callback_tag: a gobject event source tag, or None
249
checker_callback_tag: - '' -
412
250
checker_command: string; External command which is run to check
413
251
if client lives. %() expansions are done at
414
252
runtime with vars(self) as dict, so that for
415
253
instance %(name)s can be used in the command.
416
254
checker_initiator_tag: a gobject event source tag, or None
417
255
created: datetime.datetime(); (UTC) object creation
418
client_structure: Object describing what attributes a client has
419
and is used for storing the client at exit
420
256
current_checker_command: string; current running checker_command
421
disable_initiator_tag: a gobject event source tag, or None
257
disable_hook: If set, called by disable() as disable_hook(self)
258
disable_initiator_tag: - '' -
422
259
enabled: bool()
423
260
fingerprint: string (40 or 32 hexadecimal digits); used to
424
261
uniquely identify the client
425
262
host: string; available for use by the checker command
426
263
interval: datetime.timedelta(); How often to start a new checker
427
last_approval_request: datetime.datetime(); (UTC) or None
428
264
last_checked_ok: datetime.datetime(); (UTC) or None
429
last_checker_status: integer between 0 and 255 reflecting exit
430
status of last checker. -1 reflects crashed
431
checker, -2 means no checker completed yet.
432
last_enabled: datetime.datetime(); (UTC) or None
265
last_enabled: datetime.datetime(); (UTC)
433
266
name: string; from the config file, used in log messages and
434
267
D-Bus identifiers
435
268
secret: bytestring; sent verbatim (over TLS) to client
436
269
timeout: datetime.timedelta(); How long from last_checked_ok
437
270
until this client is disabled
438
extended_timeout: extra long timeout when secret has been sent
439
271
runtime_expansions: Allowed attributes for runtime expansion.
440
expires: datetime.datetime(); time (UTC) when a client will be
441
disabled, or None
442
server_settings: The server_settings dict from main()
443
272
"""
444
273
445
runtime_expansions = ("approval_delay", "approval_duration",
446
"created", "enabled", "expires",
447
"fingerprint", "host", "interval",
448
"last_approval_request", "last_checked_ok",
449
"last_enabled", "name", "timeout")
450
client_defaults = { "timeout": "PT5M",
451
"extended_timeout": "PT15M",
452
"interval": "PT2M",
453
"checker": "fping -q -- %%(host)s",
454
"host": "",
455
"approval_delay": "PT0S",
456
"approval_duration": "PT1S",
457
"approved_by_default": "True",
458
"enabled": "True",
459
}
274
runtime_expansions = (u"approval_delay", u"approval_duration",
275
u"created", u"enabled", u"fingerprint",
276
u"host", u"interval", u"last_checked_ok",
277
u"last_enabled", u"name", u"timeout")
460
278
461
279
@staticmethod
462
def config_parser(config):
463
"""Construct a new dict of client settings of this form:
464
{ client_name: {setting_name: value, ...}, ...}
465
with exceptions for any special settings as defined above.
466
NOTE: Must be a pure function. Must return the same result
467
value given the same arguments.
468
"""
469
settings = {}
470
for client_name in config.sections():
471
section = dict(config.items(client_name))
472
client = settings[client_name] = {}
473
474
client["host"] = section["host"]
475
# Reformat values from string types to Python types
476
client["approved_by_default"] = config.getboolean(
477
client_name, "approved_by_default")
478
client["enabled"] = config.getboolean(client_name,
479
"enabled")
480
481
client["fingerprint"] = (section["fingerprint"].upper()
482
.replace(" ", ""))
483
if "secret" in section:
484
client["secret"] = section["secret"].decode("base64")
485
elif "secfile" in section:
486
with open(os.path.expanduser(os.path.expandvars
487
(section["secfile"])),
488
"rb") as secfile:
489
client["secret"] = secfile.read()
490
else:
491
raise TypeError("No secret or secfile for section {}"
492
.format(section))
493
client["timeout"] = string_to_delta(section["timeout"])
494
client["extended_timeout"] = string_to_delta(
495
section["extended_timeout"])
496
client["interval"] = string_to_delta(section["interval"])
497
client["approval_delay"] = string_to_delta(
498
section["approval_delay"])
499
client["approval_duration"] = string_to_delta(
500
section["approval_duration"])
501
client["checker_command"] = section["checker"]
502
client["last_approval_request"] = None
503
client["last_checked_ok"] = None
504
client["last_checker_status"] = -2
505
506
return settings
507
508
def __init__(self, settings, name = None, server_settings=None):
280
def _timedelta_to_milliseconds(td):
281
"Convert a datetime.timedelta() to milliseconds"
282
return ((td.days * 24 * 60 * 60 * 1000)
283
+ (td.seconds * 1000)
284
+ (td.microseconds // 1000))
285
286
def timeout_milliseconds(self):
287
"Return the 'timeout' attribute in milliseconds"
288
return self._timedelta_to_milliseconds(self.timeout)
289
290
def interval_milliseconds(self):
291
"Return the 'interval' attribute in milliseconds"
292
return self._timedelta_to_milliseconds(self.interval)
293
294
def approval_delay_milliseconds(self):
295
return self._timedelta_to_milliseconds(self.approval_delay)
296
297
def __init__(self, name = None, disable_hook=None, config=None):
298
"""Note: the 'checker' key in 'config' sets the
299
'checker_command' attribute and *not* the 'checker'
300
attribute."""
509
301
self.name = name
510
if server_settings is None:
511
server_settings = {}
512
self.server_settings = server_settings
513
# adding all client settings
514
for setting, value in settings.items():
515
setattr(self, setting, value)
516
517
if self.enabled:
518
if not hasattr(self, "last_enabled"):
519
self.last_enabled = datetime.datetime.utcnow()
520
if not hasattr(self, "expires"):
521
self.expires = (datetime.datetime.utcnow()
522
+ self.timeout)
523
else:
524
self.last_enabled = None
525
self.expires = None
526
527
logger.debug("Creating client %r", self.name)
302
if config is None:
303
config = {}
304
logger.debug(u"Creating client %r", self.name)
528
305
# Uppercase and remove spaces from fingerprint for later
529
306
# comparison purposes with return value from the fingerprint()
530
307
# function
531
logger.debug(" Fingerprint: %s", self.fingerprint)
532
self.created = settings.get("created",
533
datetime.datetime.utcnow())
534
535
# attributes specific for this server instance
308
self.fingerprint = (config[u"fingerprint"].upper()
309
.replace(u" ", u""))
310
logger.debug(u" Fingerprint: %s", self.fingerprint)
311
if u"secret" in config:
312
self.secret = config[u"secret"].decode(u"base64")
313
elif u"secfile" in config:
314
with open(os.path.expanduser(os.path.expandvars
315
(config[u"secfile"])),
316
"rb") as secfile:
317
self.secret = secfile.read()
318
else:
319
raise TypeError(u"No secret or secfile for client %s"
320
% self.name)
321
self.host = config.get(u"host", u"")
322
self.created = datetime.datetime.utcnow()
323
self.enabled = False
324
self.last_enabled = None
325
self.last_checked_ok = None
326
self.timeout = string_to_delta(config[u"timeout"])
327
self.interval = string_to_delta(config[u"interval"])
328
self.disable_hook = disable_hook
536
329
self.checker = None
537
330
self.checker_initiator_tag = None
538
331
self.disable_initiator_tag = None
539
332
self.checker_callback_tag = None
333
self.checker_command = config[u"checker"]
540
334
self.current_checker_command = None
541
self.approved = None
335
self.last_connect = None
336
self._approved = None
337
self.approved_by_default = config.get(u"approved_by_default",
338
True)
542
339
self.approvals_pending = 0
543
self.changedstate = (multiprocessing_manager
544
.Condition(multiprocessing_manager
545
.Lock()))
546
self.client_structure = [attr for attr in
547
self.__dict__.iterkeys()
548
if not attr.startswith("_")]
549
self.client_structure.append("client_structure")
550
551
for name, t in inspect.getmembers(type(self),
552
lambda obj:
553
isinstance(obj,
554
property)):
555
if not name.startswith("_"):
556
self.client_structure.append(name)
340
self.approval_delay = string_to_delta(
341
config[u"approval_delay"])
342
self.approval_duration = string_to_delta(
343
config[u"approval_duration"])
344
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
557
345
558
# Send notice to process children that client state has changed
559
346
def send_changedstate(self):
560
with self.changedstate:
561
self.changedstate.notify_all()
562
347
self.changedstate.acquire()
348
self.changedstate.notify_all()
349
self.changedstate.release()
350
563
351
def enable(self):
564
352
"""Start this client's checker and timeout hooks"""
565
if getattr(self, "enabled", False):
353
if getattr(self, u"enabled", False):
566
354
# Already enabled
567
355
return
568
self.expires = datetime.datetime.utcnow() + self.timeout
569
self.enabled = True
356
self.send_changedstate()
570
357
self.last_enabled = datetime.datetime.utcnow()
571
self.init_checker()
572
self.send_changedstate()
358
# Schedule a new checker to be started an 'interval' from now,
359
# and every interval from then on.
360
self.checker_initiator_tag = (gobject.timeout_add
361
(self.interval_milliseconds(),
362
self.start_checker))
363
# Schedule a disable() when 'timeout' has passed
364
self.disable_initiator_tag = (gobject.timeout_add
365
(self.timeout_milliseconds(),
366
self.disable))
367
self.enabled = True
368
# Also start a new checker *right now*.
369
self.start_checker()
573
370
574
371
def disable(self, quiet=True):
575
372
"""Disable this client."""
576
373
if not getattr(self, "enabled", False):
577
374
return False
578
375
if not quiet:
579
logger.info("Disabling client %s", self.name)
580
if getattr(self, "disable_initiator_tag", None) is not None:
376
self.send_changedstate()
377
if not quiet:
378
logger.info(u"Disabling client %s", self.name)
379
if getattr(self, u"disable_initiator_tag", False):
581
380
gobject.source_remove(self.disable_initiator_tag)
582
381
self.disable_initiator_tag = None
583
self.expires = None
584
if getattr(self, "checker_initiator_tag", None) is not None:
382
if getattr(self, u"checker_initiator_tag", False):
585
383
gobject.source_remove(self.checker_initiator_tag)
586
384
self.checker_initiator_tag = None
587
385
self.stop_checker()
386
if self.disable_hook:
387
self.disable_hook(self)
588
388
self.enabled = False
589
if not quiet:
590
self.send_changedstate()
591
389
# Do not run this again if called by a gobject.timeout_add
592
390
return False
593
391
594
392
def __del__(self):
393
self.disable_hook = None
595
394
self.disable()
596
395
597
def init_checker(self):
598
# Schedule a new checker to be started an 'interval' from now,
599
# and every interval from then on.
600
if self.checker_initiator_tag is not None:
601
gobject.source_remove(self.checker_initiator_tag)
602
self.checker_initiator_tag = (gobject.timeout_add
603
(int(self.interval
604
.total_seconds() * 1000),
605
self.start_checker))
606
# Schedule a disable() when 'timeout' has passed
607
if self.disable_initiator_tag is not None:
608
gobject.source_remove(self.disable_initiator_tag)
609
self.disable_initiator_tag = (gobject.timeout_add
610
(int(self.timeout
611
.total_seconds() * 1000),
612
self.disable))
613
# Also start a new checker *right now*.
614
self.start_checker()
615
616
396
def checker_callback(self, pid, condition, command):
617
397
"""The checker has completed, so take appropriate actions."""
618
398
self.checker_callback_tag = None
619
399
self.checker = None
620
400
if os.WIFEXITED(condition):
621
self.last_checker_status = os.WEXITSTATUS(condition)
622
if self.last_checker_status == 0:
623
logger.info("Checker for %(name)s succeeded",
401
exitstatus = os.WEXITSTATUS(condition)
402
if exitstatus == 0:
403
logger.info(u"Checker for %(name)s succeeded",
624
404
vars(self))
625
405
self.checked_ok()
626
406
else:
627
logger.info("Checker for %(name)s failed",
407
logger.info(u"Checker for %(name)s failed",
628
408
vars(self))
629
409
else:
630
self.last_checker_status = -1
631
logger.warning("Checker for %(name)s crashed?",
410
logger.warning(u"Checker for %(name)s crashed?",
632
411
vars(self))
633
412
634
413
def checked_ok(self):
635
"""Assert that the client has been seen, alive and well."""
414
"""Bump up the timeout for this client.
415
416
This should only be called when the client has been seen,
417
alive and well.
418
"""
636
419
self.last_checked_ok = datetime.datetime.utcnow()
637
self.last_checker_status = 0
638
self.bump_timeout()
639
640
def bump_timeout(self, timeout=None):
641
"""Bump up the timeout for this client."""
642
if timeout is None:
643
timeout = self.timeout
644
if self.disable_initiator_tag is not None:
645
gobject.source_remove(self.disable_initiator_tag)
646
self.disable_initiator_tag = None
647
if getattr(self, "enabled", False):
648
self.disable_initiator_tag = (gobject.timeout_add
649
(int(timeout.total_seconds()
650
* 1000), self.disable))
651
self.expires = datetime.datetime.utcnow() + timeout
652
653
def need_approval(self):
654
self.last_approval_request = datetime.datetime.utcnow()
420
gobject.source_remove(self.disable_initiator_tag)
421
self.disable_initiator_tag = (gobject.timeout_add
422
(self.timeout_milliseconds(),
423
self.disable))
655
424
656
425
def start_checker(self):
657
426
"""Start a new checker subprocess if one is not running.
659
428
If a checker already exists, leave it running and do
660
429
nothing."""
661
430
# The reason for not killing a running checker is that if we
662
# did that, and if a checker (for some reason) started running
663
# slowly and taking more than 'interval' time, then the client
664
# would inevitably timeout, since no checker would get a
665
# chance to run to completion. If we instead leave running
431
# did that, then if a checker (for some reason) started
432
# running slowly and taking more than 'interval' time, the
433
# client would inevitably timeout, since no checker would get
434
# a chance to run to completion. If we instead leave running
666
435
# checkers alone, the checker would have to take more time
667
436
# than 'timeout' for the client to be disabled, which is as it
668
437
# should be.
670
439
# If a checker exists, make sure it is not a zombie
671
440
try:
672
441
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
673
except AttributeError:
674
pass
675
except OSError as error:
676
if error.errno != errno.ECHILD:
677
raise
442
except (AttributeError, OSError), error:
443
if (isinstance(error, OSError)
444
and error.errno != errno.ECHILD):
445
raise error
678
446
else:
679
447
if pid:
680
logger.warning("Checker was a zombie")
448
logger.warning(u"Checker was a zombie")
681
449
gobject.source_remove(self.checker_callback_tag)
682
450
self.checker_callback(pid, status,
683
451
self.current_checker_command)
684
452
# Start a new checker if needed
685
453
if self.checker is None:
686
# Escape attributes for the shell
687
escaped_attrs = { attr:
688
re.escape(unicode(getattr(self,
689
attr)))
690
for attr in self.runtime_expansions }
691
454
try:
692
command = self.checker_command % escaped_attrs
693
except TypeError as error:
694
logger.error('Could not format string "%s"',
695
self.checker_command, exc_info=error)
696
return True # Try again later
455
# In case checker_command has exactly one % operator
456
command = self.checker_command % self.host
457
except TypeError:
458
# Escape attributes for the shell
459
escaped_attrs = dict(
460
(attr,
461
re.escape(unicode(str(getattr(self, attr, u"")),
462
errors=
463
u'replace')))
464
for attr in
465
self.runtime_expansions)
466
467
try:
468
command = self.checker_command % escaped_attrs
469
except TypeError, error:
470
logger.error(u'Could not format string "%s":'
471
u' %s', self.checker_command, error)
472
return True # Try again later
697
473
self.current_checker_command = command
698
474
try:
699
logger.info("Starting checker %r for %s",
475
logger.info(u"Starting checker %r for %s",
700
476
command, self.name)
701
477
# We don't need to redirect stdout and stderr, since
702
478
# in normal mode, that is already done by daemon(),
703
479
# and in debug mode we don't want to. (Stdin is
704
480
# always replaced by /dev/null.)
705
# The exception is when not debugging but nevertheless
706
# running in the foreground; use the previously
707
# created wnull.
708
popen_args = {}
709
if (not self.server_settings["debug"]
710
and self.server_settings["foreground"]):
711
popen_args.update({"stdout": wnull,
712
"stderr": wnull })
713
481
self.checker = subprocess.Popen(command,
714
482
close_fds=True,
715
shell=True, cwd="/",
716
**popen_args)
717
except OSError as error:
718
logger.error("Failed to start subprocess",
719
exc_info=error)
720
return True
721
self.checker_callback_tag = (gobject.child_watch_add
722
(self.checker.pid,
723
self.checker_callback,
724
data=command))
725
# The checker may have completed before the gobject
726
# watch was added. Check for this.
727
try:
483
shell=True, cwd=u"/")
484
self.checker_callback_tag = (gobject.child_watch_add
485
(self.checker.pid,
486
self.checker_callback,
487
data=command))
488
# The checker may have completed before the gobject
489
# watch was added. Check for this.
728
490
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
729
except OSError as error:
730
if error.errno == errno.ECHILD:
731
# This should never happen
732
logger.error("Child process vanished",
733
exc_info=error)
734
return True
735
raise
736
if pid:
737
gobject.source_remove(self.checker_callback_tag)
738
self.checker_callback(pid, status, command)
491
if pid:
492
gobject.source_remove(self.checker_callback_tag)
493
self.checker_callback(pid, status, command)
494
except OSError, error:
495
logger.error(u"Failed to start subprocess: %s",
496
error)
739
497
# Re-run this periodically if run by gobject.timeout_add
740
498
return True
741
499
744
502
if self.checker_callback_tag:
745
503
gobject.source_remove(self.checker_callback_tag)
746
504
self.checker_callback_tag = None
747
if getattr(self, "checker", None) is None:
505
if getattr(self, u"checker", None) is None:
748
506
return
749
logger.debug("Stopping checker for %(name)s", vars(self))
507
logger.debug(u"Stopping checker for %(name)s", vars(self))
750
508
try:
751
self.checker.terminate()
509
os.kill(self.checker.pid, signal.SIGTERM)
752
510
#time.sleep(0.5)
753
511
#if self.checker.poll() is None:
754
# self.checker.kill()
755
except OSError as error:
512
# os.kill(self.checker.pid, signal.SIGKILL)
513
except OSError, error:
756
514
if error.errno != errno.ESRCH: # No such process
757
515
raise
758
516
self.checker = None
759
517
760
761
def dbus_service_property(dbus_interface, signature="v",
762
access="readwrite", byte_arrays=False):
518
def dbus_service_property(dbus_interface, signature=u"v",
519
access=u"readwrite", byte_arrays=False):
763
520
"""Decorators for marking methods of a DBusObjectWithProperties to
764
521
become properties on the D-Bus.
765
522
772
529
"""
773
530
# Encoding deeply encoded byte arrays is not supported yet by the
774
531
# "Set" method, so we fail early here:
775
if byte_arrays and signature != "ay":
776
raise ValueError("Byte arrays not supported for non-'ay'"
777
" signature {!r}".format(signature))
532
if byte_arrays and signature != u"ay":
533
raise ValueError(u"Byte arrays not supported for non-'ay'"
534
u" signature %r" % signature)
778
535
def decorator(func):
779
536
func._dbus_is_property = True
780
537
func._dbus_interface = dbus_interface
781
538
func._dbus_signature = signature
782
539
func._dbus_access = access
783
540
func._dbus_name = func.__name__
784
if func._dbus_name.endswith("_dbus_property"):
541
if func._dbus_name.endswith(u"_dbus_property"):
785
542
func._dbus_name = func._dbus_name[:-14]
786
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
787
return func
788
return decorator
789
790
791
def dbus_interface_annotations(dbus_interface):
792
"""Decorator for marking functions returning interface annotations
793
794
Usage:
795
796
@dbus_interface_annotations("org.example.Interface")
797
def _foo(self): # Function name does not matter
798
return {"org.freedesktop.DBus.Deprecated": "true",
799
"org.freedesktop.DBus.Property.EmitsChangedSignal":
800
"false"}
801
"""
802
def decorator(func):
803
func._dbus_is_interface = True
804
func._dbus_interface = dbus_interface
805
func._dbus_name = dbus_interface
806
return func
807
return decorator
808
809
810
def dbus_annotations(annotations):
811
"""Decorator to annotate D-Bus methods, signals or properties
812
Usage:
813
814
@dbus_service_property("org.example.Interface", signature="b",
815
access="r")
816
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
817
"org.freedesktop.DBus.Property."
818
"EmitsChangedSignal": "false"})
819
def Property_dbus_property(self):
820
return dbus.Boolean(False)
821
"""
822
def decorator(func):
823
func._dbus_annotations = annotations
543
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
824
544
return func
825
545
return decorator
826
546
828
548
class DBusPropertyException(dbus.exceptions.DBusException):
829
549
"""A base class for D-Bus property-related exceptions
830
550
"""
831
pass
551
def __unicode__(self):
552
return unicode(str(self))
553
832
554
833
555
class DBusPropertyAccessException(DBusPropertyException):
834
556
"""A property's access permissions disallows an operation.
844
566
845
567
class DBusObjectWithProperties(dbus.service.Object):
846
568
"""A D-Bus object with properties.
847
569
848
570
Classes inheriting from this can use the dbus_service_property
849
571
decorator to expose methods as D-Bus properties. It exposes the
850
572
standard Get(), Set(), and GetAll() methods on the D-Bus.
851
573
"""
852
574
853
575
@staticmethod
854
def _is_dbus_thing(thing):
855
"""Returns a function testing if an attribute is a D-Bus thing
856
857
If called like _is_dbus_thing("method") it returns a function
858
suitable for use as predicate to inspect.getmembers().
859
"""
860
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
861
False)
576
def _is_dbus_property(obj):
577
return getattr(obj, u"_dbus_is_property", False)
862
578
863
def _get_all_dbus_things(self, thing):
579
def _get_all_dbus_properties(self):
864
580
"""Returns a generator of (name, attribute) pairs
865
581
"""
866
return ((getattr(athing.__get__(self), "_dbus_name",
867
name),
868
athing.__get__(self))
869
for cls in self.__class__.__mro__
870
for name, athing in
871
inspect.getmembers(cls,
872
self._is_dbus_thing(thing)))
582
return ((prop._dbus_name, prop)
583
for name, prop in
584
inspect.getmembers(self, self._is_dbus_property))
873
585
874
586
def _get_dbus_property(self, interface_name, property_name):
875
587
"""Returns a bound method if one exists which is a D-Bus
876
588
property with the specified name and interface.
877
589
"""
878
for cls in self.__class__.__mro__:
879
for name, value in (inspect.getmembers
880
(cls,
881
self._is_dbus_thing("property"))):
882
if (value._dbus_name == property_name
883
and value._dbus_interface == interface_name):
884
return value.__get__(self)
885
590
for name in (property_name,
591
property_name + u"_dbus_property"):
592
prop = getattr(self, name, None)
593
if (prop is None
594
or not self._is_dbus_property(prop)
595
or prop._dbus_name != property_name
596
or (interface_name and prop._dbus_interface
597
and interface_name != prop._dbus_interface)):
598
continue
599
return prop
886
600
# No such property
887
raise DBusPropertyNotFound(self.dbus_object_path + ":"
888
+ interface_name + "."
601
raise DBusPropertyNotFound(self.dbus_object_path + u":"
602
+ interface_name + u"."
889
603
+ property_name)
890
604
891
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
892
out_signature="v")
605
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
606
out_signature=u"v")
893
607
def Get(self, interface_name, property_name):
894
608
"""Standard D-Bus property Get() method, see D-Bus standard.
895
609
"""
896
610
prop = self._get_dbus_property(interface_name, property_name)
897
if prop._dbus_access == "write":
611
if prop._dbus_access == u"write":
898
612
raise DBusPropertyAccessException(property_name)
899
613
value = prop()
900
if not hasattr(value, "variant_level"):
614
if not hasattr(value, u"variant_level"):
901
615
return value
902
616
return type(value)(value, variant_level=value.variant_level+1)
903
617
904
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
618
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
905
619
def Set(self, interface_name, property_name, value):
906
620
"""Standard D-Bus property Set() method, see D-Bus standard.
907
621
"""
908
622
prop = self._get_dbus_property(interface_name, property_name)
909
if prop._dbus_access == "read":
623
if prop._dbus_access == u"read":
910
624
raise DBusPropertyAccessException(property_name)
911
if prop._dbus_get_args_options["byte_arrays"]:
625
if prop._dbus_get_args_options[u"byte_arrays"]:
912
626
# The byte_arrays option is not supported yet on
913
627
# signatures other than "ay".
914
if prop._dbus_signature != "ay":
915
raise ValueError("Byte arrays not supported for non-"
916
"'ay' signature {!r}"
917
.format(prop._dbus_signature))
918
value = dbus.ByteArray(b''.join(chr(byte)
919
for byte in value))
628
if prop._dbus_signature != u"ay":
629
raise ValueError
630
value = dbus.ByteArray(''.join(unichr(byte)
631
for byte in value))
920
632
prop(value)
921
633
922
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
923
out_signature="a{sv}")
634
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
635
out_signature=u"a{sv}")
924
636
def GetAll(self, interface_name):
925
637
"""Standard D-Bus property GetAll() method, see D-Bus
926
638
standard.
927
639
928
640
Note: Will not include properties with access="write".
929
641
"""
930
properties = {}
931
for name, prop in self._get_all_dbus_things("property"):
642
all = {}
643
for name, prop in self._get_all_dbus_properties():
932
644
if (interface_name
933
645
and interface_name != prop._dbus_interface):
934
646
# Interface non-empty but did not match
935
647
continue
936
648
# Ignore write-only properties
937
if prop._dbus_access == "write":
649
if prop._dbus_access == u"write":
938
650
continue
939
651
value = prop()
940
if not hasattr(value, "variant_level"):
941
properties[name] = value
652
if not hasattr(value, u"variant_level"):
653
all[name] = value
942
654
continue
943
properties[name] = type(value)(value, variant_level=
944
value.variant_level+1)
945
return dbus.Dictionary(properties, signature="sv")
655
all[name] = type(value)(value, variant_level=
656
value.variant_level+1)
657
return dbus.Dictionary(all, signature=u"sv")
946
658
947
659
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
948
out_signature="s",
660
out_signature=u"s",
949
661
path_keyword='object_path',
950
662
connection_keyword='connection')
951
663
def Introspect(self, object_path, connection):
952
"""Overloading of standard D-Bus method.
953
954
Inserts property tags and interface annotation tags.
664
"""Standard D-Bus method, overloaded to insert property tags.
955
665
"""
956
666
xmlstring = dbus.service.Object.Introspect(self, object_path,
957
667
connection)
958
668
try:
959
669
document = xml.dom.minidom.parseString(xmlstring)
960
670
def make_tag(document, name, prop):
961
e = document.createElement("property")
962
e.setAttribute("name", name)
963
e.setAttribute("type", prop._dbus_signature)
964
e.setAttribute("access", prop._dbus_access)
671
e = document.createElement(u"property")
672
e.setAttribute(u"name", name)
673
e.setAttribute(u"type", prop._dbus_signature)
674
e.setAttribute(u"access", prop._dbus_access)
965
675
return e
966
for if_tag in document.getElementsByTagName("interface"):
967
# Add property tags
676
for if_tag in document.getElementsByTagName(u"interface"):
968
677
for tag in (make_tag(document, name, prop)
969
678
for name, prop
970
in self._get_all_dbus_things("property")
679
in self._get_all_dbus_properties()
971
680
if prop._dbus_interface
972
== if_tag.getAttribute("name")):
681
== if_tag.getAttribute(u"name")):
973
682
if_tag.appendChild(tag)
974
# Add annotation tags
975
for typ in ("method", "signal", "property"):
976
for tag in if_tag.getElementsByTagName(typ):
977
annots = dict()
978
for name, prop in (self.
979
_get_all_dbus_things(typ)):
980
if (name == tag.getAttribute("name")
981
and prop._dbus_interface
982
== if_tag.getAttribute("name")):
983
annots.update(getattr
984
(prop,
985
"_dbus_annotations",
986
{}))
987
for name, value in annots.items():
988
ann_tag = document.createElement(
989
"annotation")
990
ann_tag.setAttribute("name", name)
991
ann_tag.setAttribute("value", value)
992
tag.appendChild(ann_tag)
993
# Add interface annotation tags
994
for annotation, value in dict(
995
itertools.chain.from_iterable(
996
annotations().items()
997
for name, annotations in
998
self._get_all_dbus_things("interface")
999
if name == if_tag.getAttribute("name")
1000
)).items():
1001
ann_tag = document.createElement("annotation")
1002
ann_tag.setAttribute("name", annotation)
1003
ann_tag.setAttribute("value", value)
1004
if_tag.appendChild(ann_tag)
1005
683
# Add the names to the return values for the
1006
684
# "org.freedesktop.DBus.Properties" methods
1007
if (if_tag.getAttribute("name")
1008
== "org.freedesktop.DBus.Properties"):
1009
for cn in if_tag.getElementsByTagName("method"):
1010
if cn.getAttribute("name") == "Get":
1011
for arg in cn.getElementsByTagName("arg"):
1012
if (arg.getAttribute("direction")
1013
== "out"):
1014
arg.setAttribute("name", "value")
1015
elif cn.getAttribute("name") == "GetAll":
1016
for arg in cn.getElementsByTagName("arg"):
1017
if (arg.getAttribute("direction")
1018
== "out"):
1019
arg.setAttribute("name", "props")
1020
xmlstring = document.toxml("utf-8")
685
if (if_tag.getAttribute(u"name")
686
== u"org.freedesktop.DBus.Properties"):
687
for cn in if_tag.getElementsByTagName(u"method"):
688
if cn.getAttribute(u"name") == u"Get":
689
for arg in cn.getElementsByTagName(u"arg"):
690
if (arg.getAttribute(u"direction")
691
== u"out"):
692
arg.setAttribute(u"name", u"value")
693
elif cn.getAttribute(u"name") == u"GetAll":
694
for arg in cn.getElementsByTagName(u"arg"):
695
if (arg.getAttribute(u"direction")
696
== u"out"):
697
arg.setAttribute(u"name", u"props")
698
xmlstring = document.toxml(u"utf-8")
1021
699
document.unlink()
1022
700
except (AttributeError, xml.dom.DOMException,
1023
xml.parsers.expat.ExpatError) as error:
1024
logger.error("Failed to override Introspection method",
1025
exc_info=error)
701
xml.parsers.expat.ExpatError), error:
702
logger.error(u"Failed to override Introspection method",
703
error)
1026
704
return xmlstring
1027
705
1028
706
1029
def datetime_to_dbus(dt, variant_level=0):
1030
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1031
if dt is None:
1032
return dbus.String("", variant_level = variant_level)
1033
return dbus.String(dt.isoformat(),
1034
variant_level=variant_level)
1035
1036
1037
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1038
"""A class decorator; applied to a subclass of
1039
dbus.service.Object, it will add alternate D-Bus attributes with
1040
interface names according to the "alt_interface_names" mapping.
1041
Usage:
1042
1043
@alternate_dbus_interfaces({"org.example.Interface":
1044
"net.example.AlternateInterface"})
1045
class SampleDBusObject(dbus.service.Object):
1046
@dbus.service.method("org.example.Interface")
1047
def SampleDBusMethod():
1048
pass
1049
1050
The above "SampleDBusMethod" on "SampleDBusObject" will be
1051
reachable via two interfaces: "org.example.Interface" and
1052
"net.example.AlternateInterface", the latter of which will have
1053
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1054
"true", unless "deprecate" is passed with a False value.
1055
1056
This works for methods and signals, and also for D-Bus properties
1057
(from DBusObjectWithProperties) and interfaces (from the
1058
dbus_interface_annotations decorator).
1059
"""
1060
def wrapper(cls):
1061
for orig_interface_name, alt_interface_name in (
1062
alt_interface_names.items()):
1063
attr = {}
1064
interface_names = set()
1065
# Go though all attributes of the class
1066
for attrname, attribute in inspect.getmembers(cls):
1067
# Ignore non-D-Bus attributes, and D-Bus attributes
1068
# with the wrong interface name
1069
if (not hasattr(attribute, "_dbus_interface")
1070
or not attribute._dbus_interface
1071
.startswith(orig_interface_name)):
1072
continue
1073
# Create an alternate D-Bus interface name based on
1074
# the current name
1075
alt_interface = (attribute._dbus_interface
1076
.replace(orig_interface_name,
1077
alt_interface_name))
1078
interface_names.add(alt_interface)
1079
# Is this a D-Bus signal?
1080
if getattr(attribute, "_dbus_is_signal", False):
1081
# Extract the original non-method undecorated
1082
# function by black magic
1083
nonmethod_func = (dict(
1084
zip(attribute.func_code.co_freevars,
1085
attribute.__closure__))["func"]
1086
.cell_contents)
1087
# Create a new, but exactly alike, function
1088
# object, and decorate it to be a new D-Bus signal
1089
# with the alternate D-Bus interface name
1090
new_function = (dbus.service.signal
1091
(alt_interface,
1092
attribute._dbus_signature)
1093
(types.FunctionType(
1094
nonmethod_func.func_code,
1095
nonmethod_func.func_globals,
1096
nonmethod_func.func_name,
1097
nonmethod_func.func_defaults,
1098
nonmethod_func.func_closure)))
1099
# Copy annotations, if any
1100
try:
1101
new_function._dbus_annotations = (
1102
dict(attribute._dbus_annotations))
1103
except AttributeError:
1104
pass
1105
# Define a creator of a function to call both the
1106
# original and alternate functions, so both the
1107
# original and alternate signals gets sent when
1108
# the function is called
1109
def fixscope(func1, func2):
1110
"""This function is a scope container to pass
1111
func1 and func2 to the "call_both" function
1112
outside of its arguments"""
1113
def call_both(*args, **kwargs):
1114
"""This function will emit two D-Bus
1115
signals by calling func1 and func2"""
1116
func1(*args, **kwargs)
1117
func2(*args, **kwargs)
1118
return call_both
1119
# Create the "call_both" function and add it to
1120
# the class
1121
attr[attrname] = fixscope(attribute, new_function)
1122
# Is this a D-Bus method?
1123
elif getattr(attribute, "_dbus_is_method", False):
1124
# Create a new, but exactly alike, function
1125
# object. Decorate it to be a new D-Bus method
1126
# with the alternate D-Bus interface name. Add it
1127
# to the class.
1128
attr[attrname] = (dbus.service.method
1129
(alt_interface,
1130
attribute._dbus_in_signature,
1131
attribute._dbus_out_signature)
1132
(types.FunctionType
1133
(attribute.func_code,
1134
attribute.func_globals,
1135
attribute.func_name,
1136
attribute.func_defaults,
1137
attribute.func_closure)))
1138
# Copy annotations, if any
1139
try:
1140
attr[attrname]._dbus_annotations = (
1141
dict(attribute._dbus_annotations))
1142
except AttributeError:
1143
pass
1144
# Is this a D-Bus property?
1145
elif getattr(attribute, "_dbus_is_property", False):
1146
# Create a new, but exactly alike, function
1147
# object, and decorate it to be a new D-Bus
1148
# property with the alternate D-Bus interface
1149
# name. Add it to the class.
1150
attr[attrname] = (dbus_service_property
1151
(alt_interface,
1152
attribute._dbus_signature,
1153
attribute._dbus_access,
1154
attribute
1155
._dbus_get_args_options
1156
["byte_arrays"])
1157
(types.FunctionType
1158
(attribute.func_code,
1159
attribute.func_globals,
1160
attribute.func_name,
1161
attribute.func_defaults,
1162
attribute.func_closure)))
1163
# Copy annotations, if any
1164
try:
1165
attr[attrname]._dbus_annotations = (
1166
dict(attribute._dbus_annotations))
1167
except AttributeError:
1168
pass
1169
# Is this a D-Bus interface?
1170
elif getattr(attribute, "_dbus_is_interface", False):
1171
# Create a new, but exactly alike, function
1172
# object. Decorate it to be a new D-Bus interface
1173
# with the alternate D-Bus interface name. Add it
1174
# to the class.
1175
attr[attrname] = (dbus_interface_annotations
1176
(alt_interface)
1177
(types.FunctionType
1178
(attribute.func_code,
1179
attribute.func_globals,
1180
attribute.func_name,
1181
attribute.func_defaults,
1182
attribute.func_closure)))
1183
if deprecate:
1184
# Deprecate all alternate interfaces
1185
iname="_AlternateDBusNames_interface_annotation{}"
1186
for interface_name in interface_names:
1187
@dbus_interface_annotations(interface_name)
1188
def func(self):
1189
return { "org.freedesktop.DBus.Deprecated":
1190
"true" }
1191
# Find an unused name
1192
for aname in (iname.format(i)
1193
for i in itertools.count()):
1194
if aname not in attr:
1195
attr[aname] = func
1196
break
1197
if interface_names:
1198
# Replace the class with a new subclass of it with
1199
# methods, signals, etc. as created above.
1200
cls = type(b"{}Alternate".format(cls.__name__),
1201
(cls,), attr)
1202
return cls
1203
return wrapper
1204
1205
1206
@alternate_dbus_interfaces({"se.recompile.Mandos":
1207
"se.bsnet.fukt.Mandos"})
1208
707
class ClientDBus(Client, DBusObjectWithProperties):
1209
708
"""A Client class using D-Bus
1210
709
1214
713
"""
1215
714
1216
715
runtime_expansions = (Client.runtime_expansions
1217
+ ("dbus_object_path",))
716
+ (u"dbus_object_path",))
1218
717
1219
718
# dbus.service.Object doesn't use super(), so we can't either.
1220
719
1221
720
def __init__(self, bus = None, *args, **kwargs):
721
self._approvals_pending = 0
1222
722
self.bus = bus
1223
723
Client.__init__(self, *args, **kwargs)
1224
724
# Only now, when this client is initialized, can it show up on
1225
725
# the D-Bus
1226
726
client_object_name = unicode(self.name).translate(
1227
{ord("."): ord("_"),
1228
ord("-"): ord("_")})
727
{ord(u"."): ord(u"_"),
728
ord(u"-"): ord(u"_")})
1229
729
self.dbus_object_path = (dbus.ObjectPath
1230
("/clients/" + client_object_name))
730
(u"/clients/" + client_object_name))
1231
731
DBusObjectWithProperties.__init__(self, self.bus,
1232
732
self.dbus_object_path)
1233
1234
def notifychangeproperty(transform_func,
1235
dbus_name, type_func=lambda x: x,
1236
variant_level=1):
1237
""" Modify a variable so that it's a property which announces
1238
its changes to DBus.
1239
1240
transform_fun: Function that takes a value and a variant_level
1241
and transforms it to a D-Bus type.
1242
dbus_name: D-Bus name of the variable
1243
type_func: Function that transform the value before sending it
1244
to the D-Bus. Default: no transform
1245
variant_level: D-Bus variant level. Default: 1
1246
"""
1247
attrname = "_{}".format(dbus_name)
1248
def setter(self, value):
1249
if hasattr(self, "dbus_object_path"):
1250
if (not hasattr(self, attrname) or
1251
type_func(getattr(self, attrname, None))
1252
!= type_func(value)):
1253
dbus_value = transform_func(type_func(value),
1254
variant_level
1255
=variant_level)
1256
self.PropertyChanged(dbus.String(dbus_name),
1257
dbus_value)
1258
setattr(self, attrname, value)
1259
1260
return property(lambda self: getattr(self, attrname), setter)
1261
1262
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1263
approvals_pending = notifychangeproperty(dbus.Boolean,
1264
"ApprovalPending",
1265
type_func = bool)
1266
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1267
last_enabled = notifychangeproperty(datetime_to_dbus,
1268
"LastEnabled")
1269
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1270
type_func = lambda checker:
1271
checker is not None)
1272
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1273
"LastCheckedOK")
1274
last_checker_status = notifychangeproperty(dbus.Int16,
1275
"LastCheckerStatus")
1276
last_approval_request = notifychangeproperty(
1277
datetime_to_dbus, "LastApprovalRequest")
1278
approved_by_default = notifychangeproperty(dbus.Boolean,
1279
"ApprovedByDefault")
1280
approval_delay = notifychangeproperty(dbus.UInt64,
1281
"ApprovalDelay",
1282
type_func =
1283
lambda td: td.total_seconds()
1284
* 1000)
1285
approval_duration = notifychangeproperty(
1286
dbus.UInt64, "ApprovalDuration",
1287
type_func = lambda td: td.total_seconds() * 1000)
1288
host = notifychangeproperty(dbus.String, "Host")
1289
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1290
type_func = lambda td:
1291
td.total_seconds() * 1000)
1292
extended_timeout = notifychangeproperty(
1293
dbus.UInt64, "ExtendedTimeout",
1294
type_func = lambda td: td.total_seconds() * 1000)
1295
interval = notifychangeproperty(dbus.UInt64,
1296
"Interval",
1297
type_func =
1298
lambda td: td.total_seconds()
1299
* 1000)
1300
checker_command = notifychangeproperty(dbus.String, "Checker")
1301
1302
del notifychangeproperty
733
734
def _get_approvals_pending(self):
735
return self._approvals_pending
736
def _set_approvals_pending(self, value):
737
old_value = self._approvals_pending
738
self._approvals_pending = value
739
bval = bool(value)
740
if (hasattr(self, "dbus_object_path")
741
and bval is not bool(old_value)):
742
dbus_bool = dbus.Boolean(bval, variant_level=1)
743
self.PropertyChanged(dbus.String(u"ApprovalPending"),
744
dbus_bool)
745
746
approvals_pending = property(_get_approvals_pending,
747
_set_approvals_pending)
748
del _get_approvals_pending, _set_approvals_pending
749
750
@staticmethod
751
def _datetime_to_dbus(dt, variant_level=0):
752
"""Convert a UTC datetime.datetime() to a D-Bus type."""
753
return dbus.String(dt.isoformat(),
754
variant_level=variant_level)
755
756
def enable(self):
757
oldstate = getattr(self, u"enabled", False)
758
r = Client.enable(self)
759
if oldstate != self.enabled:
760
# Emit D-Bus signals
761
self.PropertyChanged(dbus.String(u"Enabled"),
762
dbus.Boolean(True, variant_level=1))
763
self.PropertyChanged(
764
dbus.String(u"LastEnabled"),
765
self._datetime_to_dbus(self.last_enabled,
766
variant_level=1))
767
return r
768
769
def disable(self, quiet = False):
770
oldstate = getattr(self, u"enabled", False)
771
r = Client.disable(self, quiet=quiet)
772
if not quiet and oldstate != self.enabled:
773
# Emit D-Bus signal
774
self.PropertyChanged(dbus.String(u"Enabled"),
775
dbus.Boolean(False, variant_level=1))
776
return r
1303
777
1304
778
def __del__(self, *args, **kwargs):
1305
779
try:
1306
780
self.remove_from_connection()
1307
781
except LookupError:
1308
782
pass
1309
if hasattr(DBusObjectWithProperties, "__del__"):
783
if hasattr(DBusObjectWithProperties, u"__del__"):
1310
784
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1311
785
Client.__del__(self, *args, **kwargs)
1312
786
1314
788
*args, **kwargs):
1315
789
self.checker_callback_tag = None
1316
790
self.checker = None
791
# Emit D-Bus signal
792
self.PropertyChanged(dbus.String(u"CheckerRunning"),
793
dbus.Boolean(False, variant_level=1))
1317
794
if os.WIFEXITED(condition):
1318
795
exitstatus = os.WEXITSTATUS(condition)
1319
796
# Emit D-Bus signal
1329
806
return Client.checker_callback(self, pid, condition, command,
1330
807
*args, **kwargs)
1331
808
809
def checked_ok(self, *args, **kwargs):
810
r = Client.checked_ok(self, *args, **kwargs)
811
# Emit D-Bus signal
812
self.PropertyChanged(
813
dbus.String(u"LastCheckedOK"),
814
(self._datetime_to_dbus(self.last_checked_ok,
815
variant_level=1)))
816
return r
817
1332
818
def start_checker(self, *args, **kwargs):
1333
old_checker_pid = getattr(self.checker, "pid", None)
819
old_checker = self.checker
820
if self.checker is not None:
821
old_checker_pid = self.checker.pid
822
else:
823
old_checker_pid = None
1334
824
r = Client.start_checker(self, *args, **kwargs)
1335
825
# Only if new checker process was started
1336
826
if (self.checker is not None
1337
827
and old_checker_pid != self.checker.pid):
1338
828
# Emit D-Bus signal
1339
829
self.CheckerStarted(self.current_checker_command)
830
self.PropertyChanged(
831
dbus.String(u"CheckerRunning"),
832
dbus.Boolean(True, variant_level=1))
1340
833
return r
1341
834
835
def stop_checker(self, *args, **kwargs):
836
old_checker = getattr(self, u"checker", None)
837
r = Client.stop_checker(self, *args, **kwargs)
838
if (old_checker is not None
839
and getattr(self, u"checker", None) is None):
840
self.PropertyChanged(dbus.String(u"CheckerRunning"),
841
dbus.Boolean(False, variant_level=1))
842
return r
843
1342
844
def _reset_approved(self):
1343
self.approved = None
845
self._approved = None
1344
846
return False
1345
847
1346
848
def approve(self, value=True):
1347
self.approved = value
1348
gobject.timeout_add(int(self.approval_duration.total_seconds()
1349
* 1000), self._reset_approved)
1350
849
self.send_changedstate()
850
self._approved = value
851
gobject.timeout_add(self._timedelta_to_milliseconds
852
(self.approval_duration),
853
self._reset_approved)
854
1351
855
1352
856
## D-Bus methods, signals & properties
1353
_interface = "se.recompile.Mandos.Client"
1354
1355
## Interfaces
1356
1357
@dbus_interface_annotations(_interface)
1358
def _foo(self):
1359
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1360
"false"}
857
_interface = u"se.bsnet.fukt.Mandos.Client"
1361
858
1362
859
## Signals
1363
860
1364
861
# CheckerCompleted - signal
1365
@dbus.service.signal(_interface, signature="nxs")
862
@dbus.service.signal(_interface, signature=u"nxs")
1366
863
def CheckerCompleted(self, exitcode, waitstatus, command):
1367
864
"D-Bus signal"
1368
865
pass
1369
866
1370
867
# CheckerStarted - signal
1371
@dbus.service.signal(_interface, signature="s")
868
@dbus.service.signal(_interface, signature=u"s")
1372
869
def CheckerStarted(self, command):
1373
870
"D-Bus signal"
1374
871
pass
1375
872
1376
873
# PropertyChanged - signal
1377
@dbus.service.signal(_interface, signature="sv")
874
@dbus.service.signal(_interface, signature=u"sv")
1378
875
def PropertyChanged(self, property, value):
1379
876
"D-Bus signal"
1380
877
pass
1389
886
pass
1390
887
1391
888
# Rejected - signal
1392
@dbus.service.signal(_interface, signature="s")
889
@dbus.service.signal(_interface, signature=u"s")
1393
890
def Rejected(self, reason):
1394
891
"D-Bus signal"
1395
892
pass
1396
893
1397
894
# NeedApproval - signal
1398
@dbus.service.signal(_interface, signature="tb")
895
@dbus.service.signal(_interface, signature=u"tb")
1399
896
def NeedApproval(self, timeout, default):
1400
897
"D-Bus signal"
1401
return self.need_approval()
898
pass
1402
899
1403
900
## Methods
1404
901
1405
902
# Approve - method
1406
@dbus.service.method(_interface, in_signature="b")
903
@dbus.service.method(_interface, in_signature=u"b")
1407
904
def Approve(self, value):
1408
905
self.approve(value)
1409
906
1410
907
# CheckedOK - method
1411
908
@dbus.service.method(_interface)
1412
909
def CheckedOK(self):
1413
self.checked_ok()
910
return self.checked_ok()
1414
911
1415
912
# Enable - method
1416
913
@dbus.service.method(_interface)
1438
935
## Properties
1439
936
1440
937
# ApprovalPending - property
1441
@dbus_service_property(_interface, signature="b", access="read")
938
@dbus_service_property(_interface, signature=u"b", access=u"read")
1442
939
def ApprovalPending_dbus_property(self):
1443
940
return dbus.Boolean(bool(self.approvals_pending))
1444
941
1445
942
# ApprovedByDefault - property
1446
@dbus_service_property(_interface, signature="b",
1447
access="readwrite")
943
@dbus_service_property(_interface, signature=u"b",
944
access=u"readwrite")
1448
945
def ApprovedByDefault_dbus_property(self, value=None):
1449
946
if value is None: # get
1450
947
return dbus.Boolean(self.approved_by_default)
1451
948
self.approved_by_default = bool(value)
949
# Emit D-Bus signal
950
self.PropertyChanged(dbus.String(u"ApprovedByDefault"),
951
dbus.Boolean(value, variant_level=1))
1452
952
1453
953
# ApprovalDelay - property
1454
@dbus_service_property(_interface, signature="t",
1455
access="readwrite")
954
@dbus_service_property(_interface, signature=u"t",
955
access=u"readwrite")
1456
956
def ApprovalDelay_dbus_property(self, value=None):
1457
957
if value is None: # get
1458
return dbus.UInt64(self.approval_delay.total_seconds()
1459
* 1000)
958
return dbus.UInt64(self.approval_delay_milliseconds())
1460
959
self.approval_delay = datetime.timedelta(0, 0, 0, value)
960
# Emit D-Bus signal
961
self.PropertyChanged(dbus.String(u"ApprovalDelay"),
962
dbus.UInt64(value, variant_level=1))
1461
963
1462
964
# ApprovalDuration - property
1463
@dbus_service_property(_interface, signature="t",
1464
access="readwrite")
965
@dbus_service_property(_interface, signature=u"t",
966
access=u"readwrite")
1465
967
def ApprovalDuration_dbus_property(self, value=None):
1466
968
if value is None: # get
1467
return dbus.UInt64(self.approval_duration.total_seconds()
1468
* 1000)
969
return dbus.UInt64(self._timedelta_to_milliseconds(
970
self.approval_duration))
1469
971
self.approval_duration = datetime.timedelta(0, 0, 0, value)
972
# Emit D-Bus signal
973
self.PropertyChanged(dbus.String(u"ApprovalDuration"),
974
dbus.UInt64(value, variant_level=1))
1470
975
1471
976
# Name - property
1472
@dbus_service_property(_interface, signature="s", access="read")
977
@dbus_service_property(_interface, signature=u"s", access=u"read")
1473
978
def Name_dbus_property(self):
1474
979
return dbus.String(self.name)
1475
980
1476
981
# Fingerprint - property
1477
@dbus_service_property(_interface, signature="s", access="read")
982
@dbus_service_property(_interface, signature=u"s", access=u"read")
1478
983
def Fingerprint_dbus_property(self):
1479
984
return dbus.String(self.fingerprint)
1480
985
1481
986
# Host - property
1482
@dbus_service_property(_interface, signature="s",
1483
access="readwrite")
987
@dbus_service_property(_interface, signature=u"s",
988
access=u"readwrite")
1484
989
def Host_dbus_property(self, value=None):
1485
990
if value is None: # get
1486
991
return dbus.String(self.host)
1487
self.host = unicode(value)
992
self.host = value
993
# Emit D-Bus signal
994
self.PropertyChanged(dbus.String(u"Host"),
995
dbus.String(value, variant_level=1))
1488
996
1489
997
# Created - property
1490
@dbus_service_property(_interface, signature="s", access="read")
998
@dbus_service_property(_interface, signature=u"s", access=u"read")
1491
999
def Created_dbus_property(self):
1492
return datetime_to_dbus(self.created)
1000
return dbus.String(self._datetime_to_dbus(self.created))
1493
1001
1494
1002
# LastEnabled - property
1495
@dbus_service_property(_interface, signature="s", access="read")
1003
@dbus_service_property(_interface, signature=u"s", access=u"read")
1496
1004
def LastEnabled_dbus_property(self):
1497
return datetime_to_dbus(self.last_enabled)
1005
if self.last_enabled is None:
1006
return dbus.String(u"")
1007
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1498
1008
1499
1009
# Enabled - property
1500
@dbus_service_property(_interface, signature="b",
1501
access="readwrite")
1010
@dbus_service_property(_interface, signature=u"b",
1011
access=u"readwrite")
1502
1012
def Enabled_dbus_property(self, value=None):
1503
1013
if value is None: # get
1504
1014
return dbus.Boolean(self.enabled)
1508
1018
self.disable()
1509
1019
1510
1020
# LastCheckedOK - property
1511
@dbus_service_property(_interface, signature="s",
1512
access="readwrite")
1021
@dbus_service_property(_interface, signature=u"s",
1022
access=u"readwrite")
1513
1023
def LastCheckedOK_dbus_property(self, value=None):
1514
1024
if value is not None:
1515
1025
self.checked_ok()
1516
1026
return
1517
return datetime_to_dbus(self.last_checked_ok)
1518
1519
# LastCheckerStatus - property
1520
@dbus_service_property(_interface, signature="n",
1521
access="read")
1522
def LastCheckerStatus_dbus_property(self):
1523
return dbus.Int16(self.last_checker_status)
1524
1525
# Expires - property
1526
@dbus_service_property(_interface, signature="s", access="read")
1527
def Expires_dbus_property(self):
1528
return datetime_to_dbus(self.expires)
1529
1530
# LastApprovalRequest - property
1531
@dbus_service_property(_interface, signature="s", access="read")
1532
def LastApprovalRequest_dbus_property(self):
1533
return datetime_to_dbus(self.last_approval_request)
1027
if self.last_checked_ok is None:
1028
return dbus.String(u"")
1029
return dbus.String(self._datetime_to_dbus(self
1030
.last_checked_ok))
1534
1031
1535
1032
# Timeout - property
1536
@dbus_service_property(_interface, signature="t",
1537
access="readwrite")
1033
@dbus_service_property(_interface, signature=u"t",
1034
access=u"readwrite")
1538
1035
def Timeout_dbus_property(self, value=None):
1539
1036
if value is None: # get
1540
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1541
old_timeout = self.timeout
1037
return dbus.UInt64(self.timeout_milliseconds())
1542
1038
self.timeout = datetime.timedelta(0, 0, 0, value)
1543
# Reschedule disabling
1544
if self.enabled:
1545
now = datetime.datetime.utcnow()
1546
self.expires += self.timeout - old_timeout
1547
if self.expires <= now:
1548
# The timeout has passed
1549
self.disable()
1550
else:
1551
if (getattr(self, "disable_initiator_tag", None)
1552
is None):
1553
return
1554
gobject.source_remove(self.disable_initiator_tag)
1555
self.disable_initiator_tag = (
1556
gobject.timeout_add(
1557
int((self.expires - now).total_seconds()
1558
* 1000), self.disable))
1559
1560
# ExtendedTimeout - property
1561
@dbus_service_property(_interface, signature="t",
1562
access="readwrite")
1563
def ExtendedTimeout_dbus_property(self, value=None):
1564
if value is None: # get
1565
return dbus.UInt64(self.extended_timeout.total_seconds()
1566
* 1000)
1567
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1039
# Emit D-Bus signal
1040
self.PropertyChanged(dbus.String(u"Timeout"),
1041
dbus.UInt64(value, variant_level=1))
1042
if getattr(self, u"disable_initiator_tag", None) is None:
1043
return
1044
# Reschedule timeout
1045
gobject.source_remove(self.disable_initiator_tag)
1046
self.disable_initiator_tag = None
1047
time_to_die = (self.
1048
_timedelta_to_milliseconds((self
1049
.last_checked_ok
1050
+ self.timeout)
1051
- datetime.datetime
1052
.utcnow()))
1053
if time_to_die <= 0:
1054
# The timeout has passed
1055
self.disable()
1056
else:
1057
self.disable_initiator_tag = (gobject.timeout_add
1058
(time_to_die, self.disable))
1568
1059
1569
1060
# Interval - property
1570
@dbus_service_property(_interface, signature="t",
1571
access="readwrite")
1061
@dbus_service_property(_interface, signature=u"t",
1062
access=u"readwrite")
1572
1063
def Interval_dbus_property(self, value=None):
1573
1064
if value is None: # get
1574
return dbus.UInt64(self.interval.total_seconds() * 1000)
1065
return dbus.UInt64(self.interval_milliseconds())
1575
1066
self.interval = datetime.timedelta(0, 0, 0, value)
1576
if getattr(self, "checker_initiator_tag", None) is None:
1067
# Emit D-Bus signal
1068
self.PropertyChanged(dbus.String(u"Interval"),
1069
dbus.UInt64(value, variant_level=1))
1070
if getattr(self, u"checker_initiator_tag", None) is None:
1577
1071
return
1578
if self.enabled:
1579
# Reschedule checker run
1580
gobject.source_remove(self.checker_initiator_tag)
1581
self.checker_initiator_tag = (gobject.timeout_add
1582
(value, self.start_checker))
1583
self.start_checker() # Start one now, too
1584
1072
# Reschedule checker run
1073
gobject.source_remove(self.checker_initiator_tag)
1074
self.checker_initiator_tag = (gobject.timeout_add
1075
(value, self.start_checker))
1076
self.start_checker() # Start one now, too
1077
1585
1078
# Checker - property
1586
@dbus_service_property(_interface, signature="s",
1587
access="readwrite")
1079
@dbus_service_property(_interface, signature=u"s",
1080
access=u"readwrite")
1588
1081
def Checker_dbus_property(self, value=None):
1589
1082
if value is None: # get
1590
1083
return dbus.String(self.checker_command)
1591
self.checker_command = unicode(value)
1084
self.checker_command = value
1085
# Emit D-Bus signal
1086
self.PropertyChanged(dbus.String(u"Checker"),
1087
dbus.String(self.checker_command,
1088
variant_level=1))
1592
1089
1593
1090
# CheckerRunning - property
1594
@dbus_service_property(_interface, signature="b",
1595
access="readwrite")
1091
@dbus_service_property(_interface, signature=u"b",
1092
access=u"readwrite")
1596
1093
def CheckerRunning_dbus_property(self, value=None):
1597
1094
if value is None: # get
1598
1095
return dbus.Boolean(self.checker is not None)
1602
1099
self.stop_checker()
1603
1100
1604
1101
# ObjectPath - property
1605
@dbus_service_property(_interface, signature="o", access="read")
1102
@dbus_service_property(_interface, signature=u"o", access=u"read")
1606
1103
def ObjectPath_dbus_property(self):
1607
1104
return self.dbus_object_path # is already a dbus.ObjectPath
1608
1105
1609
1106
# Secret = property
1610
@dbus_service_property(_interface, signature="ay",
1611
access="write", byte_arrays=True)
1107
@dbus_service_property(_interface, signature=u"ay",
1108
access=u"write", byte_arrays=True)
1612
1109
def Secret_dbus_property(self, value):
1613
self.secret = bytes(value)
1110
self.secret = str(value)
1614
1111
1615
1112
del _interface
1616
1113
1621
1118
self._pipe.send(('init', fpr, address))
1622
1119
if not self._pipe.recv():
1623
1120
raise KeyError()
1624
1121
1625
1122
def __getattribute__(self, name):
1626
if name == '_pipe':
1123
if(name == '_pipe'):
1627
1124
return super(ProxyClient, self).__getattribute__(name)
1628
1125
self._pipe.send(('getattr', name))
1629
1126
data = self._pipe.recv()
1634
1131
self._pipe.send(('funcall', name, args, kwargs))
1635
1132
return self._pipe.recv()[1]
1636
1133
return func
1637
1134
1638
1135
def __setattr__(self, name, value):
1639
if name == '_pipe':
1136
if(name == '_pipe'):
1640
1137
return super(ProxyClient, self).__setattr__(name, value)
1641
1138
self._pipe.send(('setattr', name, value))
1642
1139
1649
1146
1650
1147
def handle(self):
1651
1148
with contextlib.closing(self.server.child_pipe) as child_pipe:
1652
logger.info("TCP connection from: %s",
1149
logger.info(u"TCP connection from: %s",
1653
1150
unicode(self.client_address))
1654
logger.debug("Pipe FD: %d",
1151
logger.debug(u"Pipe FD: %d",
1655
1152
self.server.child_pipe.fileno())
1656
1153
1657
1154
session = (gnutls.connection
1658
1155
.ClientSession(self.request,
1659
1156
gnutls.connection
1660
1157
.X509Credentials()))
1661
1158
1662
1159
# Note: gnutls.connection.X509Credentials is really a
1663
1160
# generic GnuTLS certificate credentials object so long as
1664
1161
# no X.509 keys are added to it. Therefore, we can use it
1665
1162
# here despite using OpenPGP certificates.
1666
1667
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1668
# "+AES-256-CBC", "+SHA1",
1669
# "+COMP-NULL", "+CTYPE-OPENPGP",
1670
# "+DHE-DSS"))
1163
1164
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1165
# u"+AES-256-CBC", u"+SHA1",
1166
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1167
# u"+DHE-DSS"))
1671
1168
# Use a fallback default, since this MUST be set.
1672
1169
priority = self.server.gnutls_priority
1673
1170
if priority is None:
1674
priority = "NORMAL"
1171
priority = u"NORMAL"
1675
1172
(gnutls.library.functions
1676
1173
.gnutls_priority_set_direct(session._c_object,
1677
1174
priority, None))
1678
1175
1679
1176
# Start communication using the Mandos protocol
1680
1177
# Get protocol number
1681
1178
line = self.request.makefile().readline()
1682
logger.debug("Protocol version: %r", line)
1179
logger.debug(u"Protocol version: %r", line)
1683
1180
try:
1684
1181
if int(line.strip().split()[0]) > 1:
1685
raise RuntimeError(line)
1686
except (ValueError, IndexError, RuntimeError) as error:
1687
logger.error("Unknown protocol version: %s", error)
1182
raise RuntimeError
1183
except (ValueError, IndexError, RuntimeError), error:
1184
logger.error(u"Unknown protocol version: %s", error)
1688
1185
return
1689
1186
1690
1187
# Start GnuTLS connection
1691
1188
try:
1692
1189
session.handshake()
1693
except gnutls.errors.GNUTLSError as error:
1694
logger.warning("Handshake failed: %s", error)
1190
except gnutls.errors.GNUTLSError, error:
1191
logger.warning(u"Handshake failed: %s", error)
1695
1192
# Do not run session.bye() here: the session is not
1696
1193
# established. Just abandon the request.
1697
1194
return
1698
logger.debug("Handshake succeeded")
1699
1195
logger.debug(u"Handshake succeeded")
1196
1700
1197
approval_required = False
1701
1198
try:
1702
1199
try:
1703
1200
fpr = self.fingerprint(self.peer_certificate
1704
1201
(session))
1705
except (TypeError,
1706
gnutls.errors.GNUTLSError) as error:
1707
logger.warning("Bad certificate: %s", error)
1202
except (TypeError, gnutls.errors.GNUTLSError), error:
1203
logger.warning(u"Bad certificate: %s", error)
1708
1204
return
1709
logger.debug("Fingerprint: %s", fpr)
1710
1205
logger.debug(u"Fingerprint: %s", fpr)
1206
1711
1207
try:
1712
1208
client = ProxyClient(child_pipe, fpr,
1713
1209
self.client_address)
1721
1217
1722
1218
while True:
1723
1219
if not client.enabled:
1724
logger.info("Client %s is disabled",
1220
logger.warning(u"Client %s is disabled",
1725
1221
client.name)
1726
1222
if self.server.use_dbus:
1727
1223
# Emit D-Bus signal
1728
client.Rejected("Disabled")
1224
client.Rejected("Disabled")
1729
1225
return
1730
1226
1731
if client.approved or not client.approval_delay:
1227
if client._approved or not client.approval_delay:
1732
1228
#We are approved or approval is disabled
1733
1229
break
1734
elif client.approved is None:
1735
logger.info("Client %s needs approval",
1230
elif client._approved is None:
1231
logger.info(u"Client %s needs approval",
1736
1232
client.name)
1737
1233
if self.server.use_dbus:
1738
1234
# Emit D-Bus signal
1739
1235
client.NeedApproval(
1740
client.approval_delay.total_seconds()
1741
* 1000, client.approved_by_default)
1236
client.approval_delay_milliseconds(),
1237
client.approved_by_default)
1742
1238
else:
1743
logger.warning("Client %s was not approved",
1239
logger.warning(u"Client %s was not approved",
1744
1240
client.name)
1745
1241
if self.server.use_dbus:
1746
1242
# Emit D-Bus signal
1748
1244
return
1749
1245
1750
1246
#wait until timeout or approved
1247
#x = float(client._timedelta_to_milliseconds(delay))
1751
1248
time = datetime.datetime.now()
1752
1249
client.changedstate.acquire()
1753
client.changedstate.wait(delay.total_seconds())
1250
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1754
1251
client.changedstate.release()
1755
1252
time2 = datetime.datetime.now()
1756
1253
if (time2 - time) >= delay:
1771
1268
while sent_size < len(client.secret):
1772
1269
try:
1773
1270
sent = session.send(client.secret[sent_size:])
1774
except gnutls.errors.GNUTLSError as error:
1775
logger.warning("gnutls send failed",
1776
exc_info=error)
1271
except (gnutls.errors.GNUTLSError), error:
1272
logger.warning("gnutls send failed")
1777
1273
return
1778
logger.debug("Sent: %d, remaining: %d",
1274
logger.debug(u"Sent: %d, remaining: %d",
1779
1275
sent, len(client.secret)
1780
1276
- (sent_size + sent))
1781
1277
sent_size += sent
1782
1783
logger.info("Sending secret to %s", client.name)
1784
# bump the timeout using extended_timeout
1785
client.bump_timeout(client.extended_timeout)
1278
1279
logger.info(u"Sending secret to %s", client.name)
1280
# bump the timeout as if seen
1281
client.checked_ok()
1786
1282
if self.server.use_dbus:
1787
1283
# Emit D-Bus signal
1788
1284
client.GotSecret()
1792
1288
client.approvals_pending -= 1
1793
1289
try:
1794
1290
session.bye()
1795
except gnutls.errors.GNUTLSError as error:
1796
logger.warning("GnuTLS bye failed",
1797
exc_info=error)
1291
except (gnutls.errors.GNUTLSError), error:
1292
logger.warning("GnuTLS bye failed")
1798
1293
1799
1294
@staticmethod
1800
1295
def peer_certificate(session):
1810
1305
.gnutls_certificate_get_peers
1811
1306
(session._c_object, ctypes.byref(list_size)))
1812
1307
if not bool(cert_list) and list_size.value != 0:
1813
raise gnutls.errors.GNUTLSError("error getting peer"
1814
" certificate")
1308
raise gnutls.errors.GNUTLSError(u"error getting peer"
1309
u" certificate")
1815
1310
if list_size.value == 0:
1816
1311
return None
1817
1312
cert = cert_list[0]
1843
1338
if crtverify.value != 0:
1844
1339
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1845
1340
raise (gnutls.errors.CertificateSecurityError
1846
("Verify failed"))
1341
(u"Verify failed"))
1847
1342
# New buffer for the fingerprint
1848
1343
buf = ctypes.create_string_buffer(20)
1849
1344
buf_len = ctypes.c_size_t()
1856
1351
# Convert the buffer to a Python bytestring
1857
1352
fpr = ctypes.string_at(buf, buf_len.value)
1858
1353
# Convert the bytestring to hexadecimal notation
1859
hex_fpr = binascii.hexlify(fpr).upper()
1354
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1860
1355
return hex_fpr
1861
1356
1862
1357
1865
1360
def sub_process_main(self, request, address):
1866
1361
try:
1867
1362
self.finish_request(request, address)
1868
except Exception:
1363
except:
1869
1364
self.handle_error(request, address)
1870
1365
self.close_request(request)
1871
1366
1872
1367
def process_request(self, request, address):
1873
1368
"""Start a new process to process the request."""
1874
proc = multiprocessing.Process(target = self.sub_process_main,
1875
args = (request, address))
1876
proc.start()
1877
return proc
1878
1369
multiprocessing.Process(target = self.sub_process_main,
1370
args = (request, address)).start()
1879
1371
1880
1372
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1881
1373
""" adds a pipe to the MixIn """
1885
1377
This function creates a new pipe in self.pipe
1886
1378
"""
1887
1379
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1888
1889
proc = MultiprocessingMixIn.process_request(self, request,
1890
client_address)
1380
1381
super(MultiprocessingMixInWithPipe,
1382
self).process_request(request, client_address)
1891
1383
self.child_pipe.close()
1892
self.add_pipe(parent_pipe, proc)
1893
1894
def add_pipe(self, parent_pipe, proc):
1384
self.add_pipe(parent_pipe)
1385
1386
def add_pipe(self, parent_pipe):
1895
1387
"""Dummy function; override as necessary"""
1896
raise NotImplementedError()
1897
1388
pass
1898
1389
1899
1390
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1900
1391
socketserver.TCPServer, object):
1906
1397
use_ipv6: Boolean; to use IPv6 or not
1907
1398
"""
1908
1399
def __init__(self, server_address, RequestHandlerClass,
1909
interface=None, use_ipv6=True, socketfd=None):
1910
"""If socketfd is set, use that file descriptor instead of
1911
creating a new one with socket.socket().
1912
"""
1400
interface=None, use_ipv6=True):
1913
1401
self.interface = interface
1914
1402
if use_ipv6:
1915
1403
self.address_family = socket.AF_INET6
1916
if socketfd is not None:
1917
# Save the file descriptor
1918
self.socketfd = socketfd
1919
# Save the original socket.socket() function
1920
self.socket_socket = socket.socket
1921
# To implement --socket, we monkey patch socket.socket.
1922
#
1923
# (When socketserver.TCPServer is a new-style class, we
1924
# could make self.socket into a property instead of monkey
1925
# patching socket.socket.)
1926
#
1927
# Create a one-time-only replacement for socket.socket()
1928
@functools.wraps(socket.socket)
1929
def socket_wrapper(*args, **kwargs):
1930
# Restore original function so subsequent calls are
1931
# not affected.
1932
socket.socket = self.socket_socket
1933
del self.socket_socket
1934
# This time only, return a new socket object from the
1935
# saved file descriptor.
1936
return socket.fromfd(self.socketfd, *args, **kwargs)
1937
# Replace socket.socket() function with wrapper
1938
socket.socket = socket_wrapper
1939
# The socketserver.TCPServer.__init__ will call
1940
# socket.socket(), which might be our replacement,
1941
# socket_wrapper(), if socketfd was set.
1942
1404
socketserver.TCPServer.__init__(self, server_address,
1943
1405
RequestHandlerClass)
1944
1945
1406
def server_bind(self):
1946
1407
"""This overrides the normal server_bind() function
1947
1408
to bind to an interface if one was specified, and also NOT to
1948
1409
bind to an address or port if they were not specified."""
1949
1410
if self.interface is not None:
1950
1411
if SO_BINDTODEVICE is None:
1951
logger.error("SO_BINDTODEVICE does not exist;"
1952
" cannot bind to interface %s",
1412
logger.error(u"SO_BINDTODEVICE does not exist;"
1413
u" cannot bind to interface %s",
1953
1414
self.interface)
1954
1415
else:
1955
1416
try:
1956
1417
self.socket.setsockopt(socket.SOL_SOCKET,
1957
1418
SO_BINDTODEVICE,
1958
(self.interface + "\0")
1959
.encode("utf-8"))
1960
except socket.error as error:
1961
if error.errno == errno.EPERM:
1962
logger.error("No permission to bind to"
1963
" interface %s", self.interface)
1964
elif error.errno == errno.ENOPROTOOPT:
1965
logger.error("SO_BINDTODEVICE not available;"
1966
" cannot bind to interface %s",
1967
self.interface)
1968
elif error.errno == errno.ENODEV:
1969
logger.error("Interface %s does not exist,"
1970
" cannot bind", self.interface)
1419
str(self.interface
1420
+ u'\0'))
1421
except socket.error, error:
1422
if error[0] == errno.EPERM:
1423
logger.error(u"No permission to"
1424
u" bind to interface %s",
1425
self.interface)
1426
elif error[0] == errno.ENOPROTOOPT:
1427
logger.error(u"SO_BINDTODEVICE not available;"
1428
u" cannot bind to interface %s",
1429
self.interface)
1971
1430
else:
1972
1431
raise
1973
1432
# Only bind(2) the socket if we really need to.
1974
1433
if self.server_address[0] or self.server_address[1]:
1975
1434
if not self.server_address[0]:
1976
1435
if self.address_family == socket.AF_INET6:
1977
any_address = "::" # in6addr_any
1436
any_address = u"::" # in6addr_any
1978
1437
else:
1979
any_address = "0.0.0.0" # INADDR_ANY
1438
any_address = socket.INADDR_ANY
1980
1439
self.server_address = (any_address,
1981
1440
self.server_address[1])
1982
1441
elif not self.server_address[1]:
2003
1462
"""
2004
1463
def __init__(self, server_address, RequestHandlerClass,
2005
1464
interface=None, use_ipv6=True, clients=None,
2006
gnutls_priority=None, use_dbus=True, socketfd=None):
1465
gnutls_priority=None, use_dbus=True):
2007
1466
self.enabled = False
2008
1467
self.clients = clients
2009
1468
if self.clients is None:
2010
self.clients = {}
1469
self.clients = set()
2011
1470
self.use_dbus = use_dbus
2012
1471
self.gnutls_priority = gnutls_priority
2013
1472
IPv6_TCPServer.__init__(self, server_address,
2014
1473
RequestHandlerClass,
2015
1474
interface = interface,
2016
use_ipv6 = use_ipv6,
2017
socketfd = socketfd)
1475
use_ipv6 = use_ipv6)
2018
1476
def server_activate(self):
2019
1477
if self.enabled:
2020
1478
return socketserver.TCPServer.server_activate(self)
2021
2022
1479
def enable(self):
2023
1480
self.enabled = True
2024
2025
def add_pipe(self, parent_pipe, proc):
1481
def add_pipe(self, parent_pipe):
2026
1482
# Call "handle_ipc" for both data and EOF events
2027
1483
gobject.io_add_watch(parent_pipe.fileno(),
2028
1484
gobject.IO_IN | gobject.IO_HUP,
2029
1485
functools.partial(self.handle_ipc,
2030
parent_pipe =
2031
parent_pipe,
2032
proc = proc))
2033
1486
parent_pipe = parent_pipe))
1487
2034
1488
def handle_ipc(self, source, condition, parent_pipe=None,
2035
proc = None, client_object=None):
2036
# error, or the other end of multiprocessing.Pipe has closed
2037
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2038
# Wait for other process to exit
2039
proc.join()
1489
client_object=None):
1490
condition_names = {
1491
gobject.IO_IN: u"IN", # There is data to read.
1492
gobject.IO_OUT: u"OUT", # Data can be written (without
1493
# blocking).
1494
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1495
gobject.IO_ERR: u"ERR", # Error condition.
1496
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1497
# broken, usually for pipes and
1498
# sockets).
1499
}
1500
conditions_string = ' | '.join(name
1501
for cond, name in
1502
condition_names.iteritems()
1503
if cond & condition)
1504
# error or the other end of multiprocessing.Pipe has closed
1505
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
2040
1506
return False
2041
1507
2042
1508
# Read a request from the child
2047
1513
fpr = request[1]
2048
1514
address = request[2]
2049
1515
2050
for c in self.clients.itervalues():
1516
for c in self.clients:
2051
1517
if c.fingerprint == fpr:
2052
1518
client = c
2053
1519
break
2054
1520
else:
2055
logger.info("Client not found for fingerprint: %s, ad"
2056
"dress: %s", fpr, address)
1521
logger.warning(u"Client not found for fingerprint: %s, ad"
1522
u"dress: %s", fpr, address)
2057
1523
if self.use_dbus:
2058
1524
# Emit D-Bus signal
2059
mandos_dbus_service.ClientNotFound(fpr,
2060
address[0])
1525
mandos_dbus_service.ClientNotFound(fpr, address[0])
2061
1526
parent_pipe.send(False)
2062
1527
return False
2063
1528
2064
1529
gobject.io_add_watch(parent_pipe.fileno(),
2065
1530
gobject.IO_IN | gobject.IO_HUP,
2066
1531
functools.partial(self.handle_ipc,
2067
parent_pipe =
2068
parent_pipe,
2069
proc = proc,
2070
client_object =
2071
client))
1532
parent_pipe = parent_pipe,
1533
client_object = client))
2072
1534
parent_pipe.send(True)
2073
# remove the old hook in favor of the new above hook on
2074
# same fileno
1535
# remove the old hook in favor of the new above hook on same fileno
2075
1536
return False
2076
1537
if command == 'funcall':
2077
1538
funcname = request[1]
2078
1539
args = request[2]
2079
1540
kwargs = request[3]
2080
1541
2081
parent_pipe.send(('data', getattr(client_object,
2082
funcname)(*args,
2083
**kwargs)))
2084
1542
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1543
2085
1544
if command == 'getattr':
2086
1545
attrname = request[1]
2087
1546
if callable(client_object.__getattribute__(attrname)):
2088
1547
parent_pipe.send(('function',))
2089
1548
else:
2090
parent_pipe.send(('data', client_object
2091
.__getattribute__(attrname)))
1549
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
2092
1550
2093
1551
if command == 'setattr':
2094
1552
attrname = request[1]
2095
1553
value = request[2]
2096
1554
setattr(client_object, attrname, value)
2097
1555
2098
1556
return True
2099
1557
2100
1558
2101
def rfc3339_duration_to_delta(duration):
2102
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2103
2104
>>> rfc3339_duration_to_delta("P7D")
2105
datetime.timedelta(7)
2106
>>> rfc3339_duration_to_delta("PT60S")
2107
datetime.timedelta(0, 60)
2108
>>> rfc3339_duration_to_delta("PT60M")
2109
datetime.timedelta(0, 3600)
2110
>>> rfc3339_duration_to_delta("PT24H")
2111
datetime.timedelta(1)
2112
>>> rfc3339_duration_to_delta("P1W")
2113
datetime.timedelta(7)
2114
>>> rfc3339_duration_to_delta("PT5M30S")
2115
datetime.timedelta(0, 330)
2116
>>> rfc3339_duration_to_delta("P1DT3M20S")
2117
datetime.timedelta(1, 200)
2118
"""
2119
2120
# Parsing an RFC 3339 duration with regular expressions is not
2121
# possible - there would have to be multiple places for the same
2122
# values, like seconds. The current code, while more esoteric, is
2123
# cleaner without depending on a parsing library. If Python had a
2124
# built-in library for parsing we would use it, but we'd like to
2125
# avoid excessive use of external libraries.
2126
2127
# New type for defining tokens, syntax, and semantics all-in-one
2128
Token = collections.namedtuple("Token",
2129
("regexp", # To match token; if
2130
# "value" is not None,
2131
# must have a "group"
2132
# containing digits
2133
"value", # datetime.timedelta or
2134
# None
2135
"followers")) # Tokens valid after
2136
# this token
2137
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2138
# the "duration" ABNF definition in RFC 3339, Appendix A.
2139
token_end = Token(re.compile(r"$"), None, frozenset())
2140
token_second = Token(re.compile(r"(\d+)S"),
2141
datetime.timedelta(seconds=1),
2142
frozenset((token_end,)))
2143
token_minute = Token(re.compile(r"(\d+)M"),
2144
datetime.timedelta(minutes=1),
2145
frozenset((token_second, token_end)))
2146
token_hour = Token(re.compile(r"(\d+)H"),
2147
datetime.timedelta(hours=1),
2148
frozenset((token_minute, token_end)))
2149
token_time = Token(re.compile(r"T"),
2150
None,
2151
frozenset((token_hour, token_minute,
2152
token_second)))
2153
token_day = Token(re.compile(r"(\d+)D"),
2154
datetime.timedelta(days=1),
2155
frozenset((token_time, token_end)))
2156
token_month = Token(re.compile(r"(\d+)M"),
2157
datetime.timedelta(weeks=4),
2158
frozenset((token_day, token_end)))
2159
token_year = Token(re.compile(r"(\d+)Y"),
2160
datetime.timedelta(weeks=52),
2161
frozenset((token_month, token_end)))
2162
token_week = Token(re.compile(r"(\d+)W"),
2163
datetime.timedelta(weeks=1),
2164
frozenset((token_end,)))
2165
token_duration = Token(re.compile(r"P"), None,
2166
frozenset((token_year, token_month,
2167
token_day, token_time,
2168
token_week)))
2169
# Define starting values
2170
value = datetime.timedelta() # Value so far
2171
found_token = None
2172
followers = frozenset((token_duration,)) # Following valid tokens
2173
s = duration # String left to parse
2174
# Loop until end token is found
2175
while found_token is not token_end:
2176
# Search for any currently valid tokens
2177
for token in followers:
2178
match = token.regexp.match(s)
2179
if match is not None:
2180
# Token found
2181
if token.value is not None:
2182
# Value found, parse digits
2183
factor = int(match.group(1), 10)
2184
# Add to value so far
2185
value += factor * token.value
2186
# Strip token from string
2187
s = token.regexp.sub("", s, 1)
2188
# Go to found token
2189
found_token = token
2190
# Set valid next tokens
2191
followers = found_token.followers
2192
break
2193
else:
2194
# No currently valid tokens were found
2195
raise ValueError("Invalid RFC 3339 duration")
2196
# End token found
2197
return value
2198
2199
2200
1559
def string_to_delta(interval):
2201
1560
"""Parse a string and return a datetime.timedelta
2202
1561
2203
>>> string_to_delta('7d')
1562
>>> string_to_delta(u'7d')
2204
1563
datetime.timedelta(7)
2205
>>> string_to_delta('60s')
1564
>>> string_to_delta(u'60s')
2206
1565
datetime.timedelta(0, 60)
2207
>>> string_to_delta('60m')
1566
>>> string_to_delta(u'60m')
2208
1567
datetime.timedelta(0, 3600)
2209
>>> string_to_delta('24h')
1568
>>> string_to_delta(u'24h')
2210
1569
datetime.timedelta(1)
2211
>>> string_to_delta('1w')
1570
>>> string_to_delta(u'1w')
2212
1571
datetime.timedelta(7)
2213
>>> string_to_delta('5m 30s')
1572
>>> string_to_delta(u'5m 30s')
2214
1573
datetime.timedelta(0, 330)
2215
1574
"""
2216
2217
try:
2218
return rfc3339_duration_to_delta(interval)
2219
except ValueError:
2220
pass
2221
2222
1575
timevalue = datetime.timedelta(0)
2223
1576
for s in interval.split():
2224
1577
try:
2225
suffix = s[-1]
1578
suffix = unicode(s[-1])
2226
1579
value = int(s[:-1])
2227
if suffix == "d":
1580
if suffix == u"d":
2228
1581
delta = datetime.timedelta(value)
2229
elif suffix == "s":
1582
elif suffix == u"s":
2230
1583
delta = datetime.timedelta(0, value)
2231
elif suffix == "m":
1584
elif suffix == u"m":
2232
1585
delta = datetime.timedelta(0, 0, 0, 0, value)
2233
elif suffix == "h":
1586
elif suffix == u"h":
2234
1587
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
2235
elif suffix == "w":
1588
elif suffix == u"w":
2236
1589
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2237
1590
else:
2238
raise ValueError("Unknown suffix {!r}"
2239
.format(suffix))
2240
except IndexError as e:
2241
raise ValueError(*(e.args))
1591
raise ValueError(u"Unknown suffix %r" % suffix)
1592
except (ValueError, IndexError), e:
1593
raise ValueError(e.message)
2242
1594
timevalue += delta
2243
1595
return timevalue
2244
1596
2245
1597
1598
def if_nametoindex(interface):
1599
"""Call the C function if_nametoindex(), or equivalent
1600
1601
Note: This function cannot accept a unicode string."""
1602
global if_nametoindex
1603
try:
1604
if_nametoindex = (ctypes.cdll.LoadLibrary
1605
(ctypes.util.find_library(u"c"))
1606
.if_nametoindex)
1607
except (OSError, AttributeError):
1608
logger.warning(u"Doing if_nametoindex the hard way")
1609
def if_nametoindex(interface):
1610
"Get an interface index the hard way, i.e. using fcntl()"
1611
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1612
with contextlib.closing(socket.socket()) as s:
1613
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1614
struct.pack(str(u"16s16x"),
1615
interface))
1616
interface_index = struct.unpack(str(u"I"),
1617
ifreq[16:20])[0]
1618
return interface_index
1619
return if_nametoindex(interface)
1620
1621
2246
1622
def daemon(nochdir = False, noclose = False):
2247
1623
"""See daemon(3). Standard BSD Unix function.
2248
1624
2251
1627
sys.exit()
2252
1628
os.setsid()
2253
1629
if not nochdir:
2254
os.chdir("/")
1630
os.chdir(u"/")
2255
1631
if os.fork():
2256
1632
sys.exit()
2257
1633
if not noclose:
2258
1634
# Close all standard open file descriptors
2259
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1635
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2260
1636
if not stat.S_ISCHR(os.fstat(null).st_mode):
2261
raise OSError(errno.ENODEV, "{} not a character device"
2262
.format(os.devnull))
1637
raise OSError(errno.ENODEV,
1638
u"%s not a character device"
1639
% os.path.devnull)
2263
1640
os.dup2(null, sys.stdin.fileno())
2264
1641
os.dup2(null, sys.stdout.fileno())
2265
1642
os.dup2(null, sys.stderr.fileno())
2272
1649
##################################################################
2273
1650
# Parsing of options, both command line and config file
2274
1651
2275
parser = argparse.ArgumentParser()
2276
parser.add_argument("-v", "--version", action="version",
2277
version = "%(prog)s {}".format(version),
2278
help="show version number and exit")
2279
parser.add_argument("-i", "--interface", metavar="IF",
2280
help="Bind to interface IF")
2281
parser.add_argument("-a", "--address",
2282
help="Address to listen for requests on")
2283
parser.add_argument("-p", "--port", type=int,
2284
help="Port number to receive requests on")
2285
parser.add_argument("--check", action="store_true",
2286
help="Run self-test")
2287
parser.add_argument("--debug", action="store_true",
2288
help="Debug mode; run in foreground and log"
2289
" to terminal", default=None)
2290
parser.add_argument("--debuglevel", metavar="LEVEL",
2291
help="Debug level for stdout output")
2292
parser.add_argument("--priority", help="GnuTLS"
2293
" priority string (see GnuTLS documentation)")
2294
parser.add_argument("--servicename",
2295
metavar="NAME", help="Zeroconf service name")
2296
parser.add_argument("--configdir",
2297
default="/etc/mandos", metavar="DIR",
2298
help="Directory to search for configuration"
2299
" files")
2300
parser.add_argument("--no-dbus", action="store_false",
2301
dest="use_dbus", help="Do not provide D-Bus"
2302
" system bus interface", default=None)
2303
parser.add_argument("--no-ipv6", action="store_false",
2304
dest="use_ipv6", help="Do not use IPv6",
2305
default=None)
2306
parser.add_argument("--no-restore", action="store_false",
2307
dest="restore", help="Do not restore stored"
2308
" state", default=None)
2309
parser.add_argument("--socket", type=int,
2310
help="Specify a file descriptor to a network"
2311
" socket to use instead of creating one")
2312
parser.add_argument("--statedir", metavar="DIR",
2313
help="Directory to save/restore state in")
2314
parser.add_argument("--foreground", action="store_true",
2315
help="Run in foreground", default=None)
2316
parser.add_argument("--no-zeroconf", action="store_false",
2317
dest="zeroconf", help="Do not use Zeroconf",
2318
default=None)
2319
2320
options = parser.parse_args()
1652
parser = optparse.OptionParser(version = "%%prog %s" % version)
1653
parser.add_option("-i", u"--interface", type=u"string",
1654
metavar="IF", help=u"Bind to interface IF")
1655
parser.add_option("-a", u"--address", type=u"string",
1656
help=u"Address to listen for requests on")
1657
parser.add_option("-p", u"--port", type=u"int",
1658
help=u"Port number to receive requests on")
1659
parser.add_option("--check", action=u"store_true",
1660
help=u"Run self-test")
1661
parser.add_option("--debug", action=u"store_true",
1662
help=u"Debug mode; run in foreground and log to"
1663
u" terminal")
1664
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1665
help=u"Debug level for stdout output")
1666
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1667
u" priority string (see GnuTLS documentation)")
1668
parser.add_option("--servicename", type=u"string",
1669
metavar=u"NAME", help=u"Zeroconf service name")
1670
parser.add_option("--configdir", type=u"string",
1671
default=u"/etc/mandos", metavar=u"DIR",
1672
help=u"Directory to search for configuration"
1673
u" files")
1674
parser.add_option("--no-dbus", action=u"store_false",
1675
dest=u"use_dbus", help=u"Do not provide D-Bus"
1676
u" system bus interface")
1677
parser.add_option("--no-ipv6", action=u"store_false",
1678
dest=u"use_ipv6", help=u"Do not use IPv6")
1679
options = parser.parse_args()[0]
2321
1680
2322
1681
if options.check:
2323
1682
import doctest
2324
fail_count, test_count = doctest.testmod()
2325
sys.exit(os.EX_OK if fail_count == 0 else 1)
1683
doctest.testmod()
1684
sys.exit()
2326
1685
2327
1686
# Default values for config file for server-global settings
2328
server_defaults = { "interface": "",
2329
"address": "",
2330
"port": "",
2331
"debug": "False",
2332
"priority":
2333
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2334
"servicename": "Mandos",
2335
"use_dbus": "True",
2336
"use_ipv6": "True",
2337
"debuglevel": "",
2338
"restore": "True",
2339
"socket": "",
2340
"statedir": "/var/lib/mandos",
2341
"foreground": "False",
2342
"zeroconf": "True",
1687
server_defaults = { u"interface": u"",
1688
u"address": u"",
1689
u"port": u"",
1690
u"debug": u"False",
1691
u"priority":
1692
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1693
u"servicename": u"Mandos",
1694
u"use_dbus": u"True",
1695
u"use_ipv6": u"True",
1696
u"debuglevel": u"",
2343
1697
}
2344
1698
2345
1699
# Parse config file for server-global settings
2346
1700
server_config = configparser.SafeConfigParser(server_defaults)
2347
1701
del server_defaults
2348
1702
server_config.read(os.path.join(options.configdir,
2349
"mandos.conf"))
1703
u"mandos.conf"))
2350
1704
# Convert the SafeConfigParser object to a dict
2351
1705
server_settings = server_config.defaults()
2352
1706
# Use the appropriate methods on the non-string config options
2353
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2354
server_settings[option] = server_config.getboolean("DEFAULT",
1707
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1708
server_settings[option] = server_config.getboolean(u"DEFAULT",
2355
1709
option)
2356
1710
if server_settings["port"]:
2357
server_settings["port"] = server_config.getint("DEFAULT",
2358
"port")
2359
if server_settings["socket"]:
2360
server_settings["socket"] = server_config.getint("DEFAULT",
2361
"socket")
2362
# Later, stdin will, and stdout and stderr might, be dup'ed
2363
# over with an opened os.devnull. But we don't want this to
2364
# happen with a supplied network socket.
2365
if 0 <= server_settings["socket"] <= 2:
2366
server_settings["socket"] = os.dup(server_settings
2367
["socket"])
1711
server_settings["port"] = server_config.getint(u"DEFAULT",
1712
u"port")
2368
1713
del server_config
2369
1714
2370
1715
# Override the settings from the config file with command line
2371
1716
# options, if set.
2372
for option in ("interface", "address", "port", "debug",
2373
"priority", "servicename", "configdir",
2374
"use_dbus", "use_ipv6", "debuglevel", "restore",
2375
"statedir", "socket", "foreground", "zeroconf"):
1717
for option in (u"interface", u"address", u"port", u"debug",
1718
u"priority", u"servicename", u"configdir",
1719
u"use_dbus", u"use_ipv6", u"debuglevel"):
2376
1720
value = getattr(options, option)
2377
1721
if value is not None:
2378
1722
server_settings[option] = value
2379
1723
del options
2380
1724
# Force all strings to be unicode
2381
1725
for option in server_settings.keys():
2382
if isinstance(server_settings[option], bytes):
2383
server_settings[option] = (server_settings[option]
2384
.decode("utf-8"))
2385
# Force all boolean options to be boolean
2386
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2387
"foreground", "zeroconf"):
2388
server_settings[option] = bool(server_settings[option])
2389
# Debug implies foreground
2390
if server_settings["debug"]:
2391
server_settings["foreground"] = True
1726
if type(server_settings[option]) is str:
1727
server_settings[option] = unicode(server_settings[option])
2392
1728
# Now we have our good server settings in "server_settings"
2393
1729
2394
1730
##################################################################
2395
1731
2396
if (not server_settings["zeroconf"] and
2397
not (server_settings["port"]
2398
or server_settings["socket"] != "")):
2399
parser.error("Needs port or socket to work without"
2400
" Zeroconf")
2401
2402
1732
# For convenience
2403
debug = server_settings["debug"]
2404
debuglevel = server_settings["debuglevel"]
2405
use_dbus = server_settings["use_dbus"]
2406
use_ipv6 = server_settings["use_ipv6"]
2407
stored_state_path = os.path.join(server_settings["statedir"],
2408
stored_state_file)
2409
foreground = server_settings["foreground"]
2410
zeroconf = server_settings["zeroconf"]
2411
2412
if debug:
2413
initlogger(debug, logging.DEBUG)
2414
else:
2415
if not debuglevel:
2416
initlogger(debug)
2417
else:
2418
level = getattr(logging, debuglevel.upper())
2419
initlogger(debug, level)
2420
2421
if server_settings["servicename"] != "Mandos":
1733
debug = server_settings[u"debug"]
1734
debuglevel = server_settings[u"debuglevel"]
1735
use_dbus = server_settings[u"use_dbus"]
1736
use_ipv6 = server_settings[u"use_ipv6"]
1737
1738
if server_settings[u"servicename"] != u"Mandos":
2422
1739
syslogger.setFormatter(logging.Formatter
2423
('Mandos ({}) [%(process)d]:'
2424
' %(levelname)s: %(message)s'
2425
.format(server_settings
2426
["servicename"])))
1740
(u'Mandos (%s) [%%(process)d]:'
1741
u' %%(levelname)s: %%(message)s'
1742
% server_settings[u"servicename"]))
2427
1743
2428
1744
# Parse config file with clients
2429
client_config = configparser.SafeConfigParser(Client
2430
.client_defaults)
2431
client_config.read(os.path.join(server_settings["configdir"],
2432
"clients.conf"))
1745
client_defaults = { u"timeout": u"1h",
1746
u"interval": u"5m",
1747
u"checker": u"fping -q -- %%(host)s",
1748
u"host": u"",
1749
u"approval_delay": u"0s",
1750
u"approval_duration": u"1s",
1751
}
1752
client_config = configparser.SafeConfigParser(client_defaults)
1753
client_config.read(os.path.join(server_settings[u"configdir"],
1754
u"clients.conf"))
2433
1755
2434
1756
global mandos_dbus_service
2435
1757
mandos_dbus_service = None
2436
1758
2437
socketfd = None
2438
if server_settings["socket"] != "":
2439
socketfd = server_settings["socket"]
2440
tcp_server = MandosServer((server_settings["address"],
2441
server_settings["port"]),
1759
tcp_server = MandosServer((server_settings[u"address"],
1760
server_settings[u"port"]),
2442
1761
ClientHandler,
2443
interface=(server_settings["interface"]
1762
interface=(server_settings[u"interface"]
2444
1763
or None),
2445
1764
use_ipv6=use_ipv6,
2446
1765
gnutls_priority=
2447
server_settings["priority"],
2448
use_dbus=use_dbus,
2449
socketfd=socketfd)
2450
if not foreground:
2451
pidfilename = "/run/mandos.pid"
2452
if not os.path.isdir("/run/."):
2453
pidfilename = "/var/run/mandos.pid"
2454
pidfile = None
1766
server_settings[u"priority"],
1767
use_dbus=use_dbus)
1768
if not debug:
1769
pidfilename = u"/var/run/mandos.pid"
2455
1770
try:
2456
pidfile = open(pidfilename, "w")
2457
except IOError as e:
2458
logger.error("Could not open file %r", pidfilename,
2459
exc_info=e)
1771
pidfile = open(pidfilename, u"w")
1772
except IOError:
1773
logger.error(u"Could not open file %r", pidfilename)
2460
1774
2461
for name in ("_mandos", "mandos", "nobody"):
1775
try:
1776
uid = pwd.getpwnam(u"_mandos").pw_uid
1777
gid = pwd.getpwnam(u"_mandos").pw_gid
1778
except KeyError:
2462
1779
try:
2463
uid = pwd.getpwnam(name).pw_uid
2464
gid = pwd.getpwnam(name).pw_gid
2465
break
1780
uid = pwd.getpwnam(u"mandos").pw_uid
1781
gid = pwd.getpwnam(u"mandos").pw_gid
2466
1782
except KeyError:
2467
continue
2468
else:
2469
uid = 65534
2470
gid = 65534
1783
try:
1784
uid = pwd.getpwnam(u"nobody").pw_uid
1785
gid = pwd.getpwnam(u"nobody").pw_gid
1786
except KeyError:
1787
uid = 65534
1788
gid = 65534
2471
1789
try:
2472
1790
os.setgid(gid)
2473
1791
os.setuid(uid)
2474
except OSError as error:
2475
if error.errno != errno.EPERM:
2476
raise
1792
except OSError, error:
1793
if error[0] != errno.EPERM:
1794
raise error
2477
1795
1796
if not debug and not debuglevel:
1797
syslogger.setLevel(logging.WARNING)
1798
console.setLevel(logging.WARNING)
1799
if debuglevel:
1800
level = getattr(logging, debuglevel.upper())
1801
syslogger.setLevel(level)
1802
console.setLevel(level)
1803
2478
1804
if debug:
2479
1805
# Enable all possible GnuTLS debugging
2480
1806
2484
1810
2485
1811
@gnutls.library.types.gnutls_log_func
2486
1812
def debug_gnutls(level, string):
2487
logger.debug("GnuTLS: %s", string[:-1])
1813
logger.debug(u"GnuTLS: %s", string[:-1])
2488
1814
2489
1815
(gnutls.library.functions
2490
1816
.gnutls_global_set_log_function(debug_gnutls))
2491
1817
2492
1818
# Redirect stdin so all checkers get /dev/null
2493
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1819
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2494
1820
os.dup2(null, sys.stdin.fileno())
2495
1821
if null > 2:
2496
1822
os.close(null)
2497
2498
# Need to fork before connecting to D-Bus
2499
if not foreground:
2500
# Close all input and output, do double fork, etc.
2501
daemon()
2502
2503
# multiprocessing will use threads, so before we use gobject we
2504
# need to inform gobject that threads will be used.
2505
gobject.threads_init()
1823
else:
1824
# No console logging
1825
logger.removeHandler(console)
1826
2506
1827
2507
1828
global main_loop
2508
1829
# From the Avahi example code
2509
DBusGMainLoop(set_as_default=True)
1830
DBusGMainLoop(set_as_default=True )
2510
1831
main_loop = gobject.MainLoop()
2511
1832
bus = dbus.SystemBus()
2512
1833
# End of Avahi example code
2513
1834
if use_dbus:
2514
1835
try:
2515
bus_name = dbus.service.BusName("se.recompile.Mandos",
1836
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
2516
1837
bus, do_not_queue=True)
2517
old_bus_name = (dbus.service.BusName
2518
("se.bsnet.fukt.Mandos", bus,
2519
do_not_queue=True))
2520
except dbus.exceptions.NameExistsException as e:
2521
logger.error("Disabling D-Bus:", exc_info=e)
1838
except dbus.exceptions.NameExistsException, e:
1839
logger.error(unicode(e) + u", disabling D-Bus")
2522
1840
use_dbus = False
2523
server_settings["use_dbus"] = False
1841
server_settings[u"use_dbus"] = False
2524
1842
tcp_server.use_dbus = False
2525
if zeroconf:
2526
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2527
service = AvahiServiceToSyslog(name =
2528
server_settings["servicename"],
2529
servicetype = "_mandos._tcp",
2530
protocol = protocol, bus = bus)
2531
if server_settings["interface"]:
2532
service.interface = (if_nametoindex
2533
(server_settings["interface"]
2534
.encode("utf-8")))
2535
1843
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1844
service = AvahiService(name = server_settings[u"servicename"],
1845
servicetype = u"_mandos._tcp",
1846
protocol = protocol, bus = bus)
1847
if server_settings["interface"]:
1848
service.interface = (if_nametoindex
1849
(str(server_settings[u"interface"])))
1850
1851
if not debug:
1852
# Close all input and output, do double fork, etc.
1853
daemon()
1854
2536
1855
global multiprocessing_manager
2537
1856
multiprocessing_manager = multiprocessing.Manager()
2538
1857
2539
1858
client_class = Client
2540
1859
if use_dbus:
2541
1860
client_class = functools.partial(ClientDBus, bus = bus)
2542
2543
client_settings = Client.config_parser(client_config)
2544
old_client_settings = {}
2545
clients_data = {}
2546
2547
# This is used to redirect stdout and stderr for checker processes
2548
global wnull
2549
wnull = open(os.devnull, "w") # A writable /dev/null
2550
# Only used if server is running in foreground but not in debug
2551
# mode
2552
if debug or not foreground:
2553
wnull.close()
2554
2555
# Get client data and settings from last running state.
2556
if server_settings["restore"]:
2557
try:
2558
with open(stored_state_path, "rb") as stored_state:
2559
clients_data, old_client_settings = (pickle.load
2560
(stored_state))
2561
os.remove(stored_state_path)
2562
except IOError as e:
2563
if e.errno == errno.ENOENT:
2564
logger.warning("Could not load persistent state: {}"
2565
.format(os.strerror(e.errno)))
2566
else:
2567
logger.critical("Could not load persistent state:",
2568
exc_info=e)
2569
raise
2570
except EOFError as e:
2571
logger.warning("Could not load persistent state: "
2572
"EOFError:", exc_info=e)
2573
2574
with PGPEngine() as pgp:
2575
for client_name, client in clients_data.items():
2576
# Skip removed clients
2577
if client_name not in client_settings:
2578
continue
2579
2580
# Decide which value to use after restoring saved state.
2581
# We have three different values: Old config file,
2582
# new config file, and saved state.
2583
# New config value takes precedence if it differs from old
2584
# config value, otherwise use saved state.
2585
for name, value in client_settings[client_name].items():
2586
try:
2587
# For each value in new config, check if it
2588
# differs from the old config value (Except for
2589
# the "secret" attribute)
2590
if (name != "secret" and
2591
value != old_client_settings[client_name]
2592
[name]):
2593
client[name] = value
2594
except KeyError:
2595
pass
2596
2597
# Clients who has passed its expire date can still be
2598
# enabled if its last checker was successful. Clients
2599
# whose checker succeeded before we stored its state is
2600
# assumed to have successfully run all checkers during
2601
# downtime.
2602
if client["enabled"]:
2603
if datetime.datetime.utcnow() >= client["expires"]:
2604
if not client["last_checked_ok"]:
2605
logger.warning(
2606
"disabling client {} - Client never "
2607
"performed a successful checker"
2608
.format(client_name))
2609
client["enabled"] = False
2610
elif client["last_checker_status"] != 0:
2611
logger.warning(
2612
"disabling client {} - Client last"
2613
" checker failed with error code {}"
2614
.format(client_name,
2615
client["last_checker_status"]))
2616
client["enabled"] = False
2617
else:
2618
client["expires"] = (datetime.datetime
2619
.utcnow()
2620
+ client["timeout"])
2621
logger.debug("Last checker succeeded,"
2622
" keeping {} enabled"
2623
.format(client_name))
1861
def client_config_items(config, section):
1862
special_settings = {
1863
"approved_by_default":
1864
lambda: config.getboolean(section,
1865
"approved_by_default"),
1866
}
1867
for name, value in config.items(section):
2624
1868
try:
2625
client["secret"] = (
2626
pgp.decrypt(client["encrypted_secret"],
2627
client_settings[client_name]
2628
["secret"]))
2629
except PGPError:
2630
# If decryption fails, we use secret from new settings
2631
logger.debug("Failed to decrypt {} old secret"
2632
.format(client_name))
2633
client["secret"] = (
2634
client_settings[client_name]["secret"])
2635
2636
# Add/remove clients based on new changes made to config
2637
for client_name in (set(old_client_settings)
2638
- set(client_settings)):
2639
del clients_data[client_name]
2640
for client_name in (set(client_settings)
2641
- set(old_client_settings)):
2642
clients_data[client_name] = client_settings[client_name]
2643
2644
# Create all client objects
2645
for client_name, client in clients_data.items():
2646
tcp_server.clients[client_name] = client_class(
2647
name = client_name, settings = client,
2648
server_settings = server_settings)
2649
1869
yield (name, special_settings[name]())
1870
except KeyError:
1871
yield (name, value)
1872
1873
tcp_server.clients.update(set(
1874
client_class(name = section,
1875
config= dict(client_config_items(
1876
client_config, section)))
1877
for section in client_config.sections()))
2650
1878
if not tcp_server.clients:
2651
logger.warning("No clients defined")
2652
2653
if not foreground:
2654
if pidfile is not None:
2655
try:
2656
with pidfile:
2657
pid = os.getpid()
2658
pidfile.write("{}\n".format(pid).encode("utf-8"))
2659
except IOError:
2660
logger.error("Could not write to file %r with PID %d",
2661
pidfilename, pid)
2662
del pidfile
1879
logger.warning(u"No clients defined")
1880
1881
if not debug:
1882
try:
1883
with pidfile:
1884
pid = os.getpid()
1885
pidfile.write(str(pid) + "\n")
1886
del pidfile
1887
except IOError:
1888
logger.error(u"Could not write to file %r with PID %d",
1889
pidfilename, pid)
1890
except NameError:
1891
# "pidfile" was never created
1892
pass
2663
1893
del pidfilename
2664
1894
1895
signal.signal(signal.SIGINT, signal.SIG_IGN)
1896
2665
1897
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2666
1898
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2667
1899
2668
1900
if use_dbus:
2669
@alternate_dbus_interfaces({"se.recompile.Mandos":
2670
"se.bsnet.fukt.Mandos"})
2671
class MandosDBusService(DBusObjectWithProperties):
1901
class MandosDBusService(dbus.service.Object):
2672
1902
"""A D-Bus proxy object"""
2673
1903
def __init__(self):
2674
dbus.service.Object.__init__(self, bus, "/")
2675
_interface = "se.recompile.Mandos"
2676
2677
@dbus_interface_annotations(_interface)
2678
def _foo(self):
2679
return { "org.freedesktop.DBus.Property"
2680
".EmitsChangedSignal":
2681
"false"}
2682
2683
@dbus.service.signal(_interface, signature="o")
1904
dbus.service.Object.__init__(self, bus, u"/")
1905
_interface = u"se.bsnet.fukt.Mandos"
1906
1907
@dbus.service.signal(_interface, signature=u"o")
2684
1908
def ClientAdded(self, objpath):
2685
1909
"D-Bus signal"
2686
1910
pass
2687
1911
2688
@dbus.service.signal(_interface, signature="ss")
1912
@dbus.service.signal(_interface, signature=u"ss")
2689
1913
def ClientNotFound(self, fingerprint, address):
2690
1914
"D-Bus signal"
2691
1915
pass
2692
1916
2693
@dbus.service.signal(_interface, signature="os")
1917
@dbus.service.signal(_interface, signature=u"os")
2694
1918
def ClientRemoved(self, objpath, name):
2695
1919
"D-Bus signal"
2696
1920
pass
2697
1921
2698
@dbus.service.method(_interface, out_signature="ao")
1922
@dbus.service.method(_interface, out_signature=u"ao")
2699
1923
def GetAllClients(self):
2700
1924
"D-Bus method"
2701
1925
return dbus.Array(c.dbus_object_path
2702
for c in
2703
tcp_server.clients.itervalues())
1926
for c in tcp_server.clients)
2704
1927
2705
1928
@dbus.service.method(_interface,
2706
out_signature="a{oa{sv}}")
1929
out_signature=u"a{oa{sv}}")
2707
1930
def GetAllClientsWithProperties(self):
2708
1931
"D-Bus method"
2709
1932
return dbus.Dictionary(
2710
((c.dbus_object_path, c.GetAll(""))
2711
for c in tcp_server.clients.itervalues()),
2712
signature="oa{sv}")
1933
((c.dbus_object_path, c.GetAll(u""))
1934
for c in tcp_server.clients),
1935
signature=u"oa{sv}")
2713
1936
2714
@dbus.service.method(_interface, in_signature="o")
1937
@dbus.service.method(_interface, in_signature=u"o")
2715
1938
def RemoveClient(self, object_path):
2716
1939
"D-Bus method"
2717
for c in tcp_server.clients.itervalues():
1940
for c in tcp_server.clients:
2718
1941
if c.dbus_object_path == object_path:
2719
del tcp_server.clients[c.name]
1942
tcp_server.clients.remove(c)
2720
1943
c.remove_from_connection()
2721
1944
# Don't signal anything except ClientRemoved
2722
1945
c.disable(quiet=True)
2731
1954
2732
1955
def cleanup():
2733
1956
"Cleanup function; run on exit"
2734
if zeroconf:
2735
service.cleanup()
2736
2737
multiprocessing.active_children()
2738
wnull.close()
2739
if not (tcp_server.clients or client_settings):
2740
return
2741
2742
# Store client before exiting. Secrets are encrypted with key
2743
# based on what config file has. If config file is
2744
# removed/edited, old secret will thus be unrecovable.
2745
clients = {}
2746
with PGPEngine() as pgp:
2747
for client in tcp_server.clients.itervalues():
2748
key = client_settings[client.name]["secret"]
2749
client.encrypted_secret = pgp.encrypt(client.secret,
2750
key)
2751
client_dict = {}
2752
2753
# A list of attributes that can not be pickled
2754
# + secret.
2755
exclude = { "bus", "changedstate", "secret",
2756
"checker", "server_settings" }
2757
for name, typ in (inspect.getmembers
2758
(dbus.service.Object)):
2759
exclude.add(name)
2760
2761
client_dict["encrypted_secret"] = (client
2762
.encrypted_secret)
2763
for attr in client.client_structure:
2764
if attr not in exclude:
2765
client_dict[attr] = getattr(client, attr)
2766
2767
clients[client.name] = client_dict
2768
del client_settings[client.name]["secret"]
2769
2770
try:
2771
with (tempfile.NamedTemporaryFile
2772
(mode='wb', suffix=".pickle", prefix='clients-',
2773
dir=os.path.dirname(stored_state_path),
2774
delete=False)) as stored_state:
2775
pickle.dump((clients, client_settings), stored_state)
2776
tempname=stored_state.name
2777
os.rename(tempname, stored_state_path)
2778
except (IOError, OSError) as e:
2779
if not debug:
2780
try:
2781
os.remove(tempname)
2782
except NameError:
2783
pass
2784
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2785
logger.warning("Could not save persistent state: {}"
2786
.format(os.strerror(e.errno)))
2787
else:
2788
logger.warning("Could not save persistent state:",
2789
exc_info=e)
2790
raise
2791
2792
# Delete all clients, and settings from config
1957
service.cleanup()
1958
2793
1959
while tcp_server.clients:
2794
name, client = tcp_server.clients.popitem()
1960
client = tcp_server.clients.pop()
2795
1961
if use_dbus:
2796
1962
client.remove_from_connection()
1963
client.disable_hook = None
2797
1964
# Don't signal anything except ClientRemoved
2798
1965
client.disable(quiet=True)
2799
1966
if use_dbus:
2800
1967
# Emit D-Bus signal
2801
mandos_dbus_service.ClientRemoved(client
2802
.dbus_object_path,
1968
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2803
1969
client.name)
2804
client_settings.clear()
2805
1970
2806
1971
atexit.register(cleanup)
2807
1972
2808
for client in tcp_server.clients.itervalues():
1973
for client in tcp_server.clients:
2809
1974
if use_dbus:
2810
1975
# Emit D-Bus signal
2811
1976
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2812
# Need to initiate checking of clients
2813
if client.enabled:
2814
client.init_checker()
1977
client.enable()
2815
1978
2816
1979
tcp_server.enable()
2817
1980
tcp_server.server_activate()
2818
1981
2819
1982
# Find out what port we got
2820
if zeroconf:
2821
service.port = tcp_server.socket.getsockname()[1]
1983
service.port = tcp_server.socket.getsockname()[1]
2822
1984
if use_ipv6:
2823
logger.info("Now listening on address %r, port %d,"
2824
" flowinfo %d, scope_id %d",
2825
*tcp_server.socket.getsockname())
1985
logger.info(u"Now listening on address %r, port %d,"
1986
" flowinfo %d, scope_id %d"
1987
% tcp_server.socket.getsockname())
2826
1988
else: # IPv4
2827
logger.info("Now listening on address %r, port %d",
2828
*tcp_server.socket.getsockname())
1989
logger.info(u"Now listening on address %r, port %d"
1990
% tcp_server.socket.getsockname())
2829
1991
2830
1992
#service.interface = tcp_server.socket.getsockname()[3]
2831
1993
2832
1994
try:
2833
if zeroconf:
2834
# From the Avahi example code
2835
try:
2836
service.activate()
2837
except dbus.exceptions.DBusException as error:
2838
logger.critical("D-Bus Exception", exc_info=error)
2839
cleanup()
2840
sys.exit(1)
2841
# End of Avahi example code
1995
# From the Avahi example code
1996
try:
1997
service.activate()
1998
except dbus.exceptions.DBusException, error:
1999
logger.critical(u"DBusException: %s", error)
2000
cleanup()
2001
sys.exit(1)
2002
# End of Avahi example code
2842
2003
2843
2004
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2844
2005
lambda *args, **kwargs:
2845
2006
(tcp_server.handle_request
2846
2007
(*args[2:], **kwargs) or True))
2847
2008
2848
logger.debug("Starting main loop")
2009
logger.debug(u"Starting main loop")
2849
2010
main_loop.run()
2850
except AvahiError as error:
2851
logger.critical("Avahi Error", exc_info=error)
2011
except AvahiError, error:
2012
logger.critical(u"AvahiError: %s", error)
2852
2013
cleanup()
2853
2014
sys.exit(1)
2854
2015
except KeyboardInterrupt:
2855
2016
if debug:
2856
print("", file=sys.stderr)
2857
logger.debug("Server received KeyboardInterrupt")
2858
logger.debug("Server exiting")
2017
print >> sys.stderr
2018
logger.debug(u"Server received KeyboardInterrupt")
2019
logger.debug(u"Server exiting")
2859
2020
# Must run before the D-Bus bus name gets deregistered
2860
2021
cleanup()
2861
2022
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0