To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 442
- compare with another revision
- download diff
- download tarball
- view history from revision 442
- Committer: Teddy Hogeborn
- Date: 2010-09-26 17:36:30 UTC
- Revision ID: teddy@fukt.bsnet.se-20100926173630-zk7pe17fp2bv6zr7
* DBUS-API: Document new "LastApprovalRequest" client property.
* mandos (Client.last_approval_request): New attribute.
(Client.need_approval): New method.
(ClientDBus.need_approval): - '' -
(ClientDBus.NeedApproval): Call self.need_approval().
(ClientDBus.LastApprovalRequest_dbus_property): New D-Bus property.
* mandos-monitor: Show timeout counter during approval delay.
(MandosClientWidget._update_timer_callback_lock): New.
(MandosClientWidget.property_changed): Override to also call
using_timer if
ApprovalPending property is
changed.
(MandosClientWidget.using_timer): New method.
(MandosClientWidget.checker_completed): Use "using_timer".
(MandosClientWidget.need_approval): - '' -
(MandosClientWidget.update): Show approval delay timer.
* mandos (Client.last_approval_request): New attribute.
(Client.need_approval): New method.
(ClientDBus.need_approval): - '' -
(ClientDBus.NeedApproval): Call self.need_approval().
(ClientDBus.LastApprovalRequest_dbus_property): New D-Bus property.
* mandos-monitor: Show timeout counter during approval delay.
(MandosClientWidget._update_timer_callback_lock): New.
(MandosClientWidget.property_changed): Override to also call
using_timer if
ApprovalPending property is
changed.
(MandosClientWidget.using_timer): New method.
(MandosClientWidget.checker_completed): Use "using_timer".
(MandosClientWidget.need_approval): - '' -
(MandosClientWidget.update): Show approval delay timer.
- files removed:
- debian/mandos-client.examples
- debian/source
- debian/upstream
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2014 Teddy Hogeborn
15
# Copyright © 2008-2014 Björn Påhlsson
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@recompile.se>.
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
36
37
from future_builtins import *
34
from __future__ import division, with_statement, absolute_import
38
35
39
36
import SocketServer as socketserver
40
37
import socket
41
import argparse
38
import optparse
42
39
import datetime
43
40
import errno
44
41
import gnutls.crypto
64
61
import functools
65
62
import cPickle as pickle
66
63
import multiprocessing
67
import types
68
import binascii
69
import tempfile
70
import itertools
71
import collections
72
64
73
65
import dbus
74
66
import dbus.service
88
80
except ImportError:
89
81
SO_BINDTODEVICE = None
90
82
91
if sys.version_info.major == 2:
92
str = unicode
93
94
version = "1.6.8"
95
stored_state_file = "clients.pickle"
96
97
logger = logging.getLogger()
98
syslogger = None
99
100
try:
101
if_nametoindex = (ctypes.cdll.LoadLibrary
102
(ctypes.util.find_library("c"))
103
.if_nametoindex)
104
except (OSError, AttributeError):
105
def if_nametoindex(interface):
106
"Get an interface index the hard way, i.e. using fcntl()"
107
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
108
with contextlib.closing(socket.socket()) as s:
109
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
110
struct.pack(b"16s16x", interface))
111
interface_index = struct.unpack("I", ifreq[16:20])[0]
112
return interface_index
113
114
115
def initlogger(debug, level=logging.WARNING):
116
"""init logger and add loglevel"""
117
118
global syslogger
119
syslogger = (logging.handlers.SysLogHandler
120
(facility =
121
logging.handlers.SysLogHandler.LOG_DAEMON,
122
address = "/dev/log"))
123
syslogger.setFormatter(logging.Formatter
124
('Mandos [%(process)d]: %(levelname)s:'
125
' %(message)s'))
126
logger.addHandler(syslogger)
127
128
if debug:
129
console = logging.StreamHandler()
130
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
131
' [%(process)d]:'
132
' %(levelname)s:'
133
' %(message)s'))
134
logger.addHandler(console)
135
logger.setLevel(level)
136
137
138
class PGPError(Exception):
139
"""Exception if encryption/decryption fails"""
140
pass
141
142
143
class PGPEngine(object):
144
"""A simple class for OpenPGP symmetric encryption & decryption"""
145
def __init__(self):
146
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
147
self.gnupgargs = ['--batch',
148
'--home', self.tempdir,
149
'--force-mdc',
150
'--quiet',
151
'--no-use-agent']
152
153
def __enter__(self):
154
return self
155
156
def __exit__(self, exc_type, exc_value, traceback):
157
self._cleanup()
158
return False
159
160
def __del__(self):
161
self._cleanup()
162
163
def _cleanup(self):
164
if self.tempdir is not None:
165
# Delete contents of tempdir
166
for root, dirs, files in os.walk(self.tempdir,
167
topdown = False):
168
for filename in files:
169
os.remove(os.path.join(root, filename))
170
for dirname in dirs:
171
os.rmdir(os.path.join(root, dirname))
172
# Remove tempdir
173
os.rmdir(self.tempdir)
174
self.tempdir = None
175
176
def password_encode(self, password):
177
# Passphrase can not be empty and can not contain newlines or
178
# NUL bytes. So we prefix it and hex encode it.
179
encoded = b"mandos" + binascii.hexlify(password)
180
if len(encoded) > 2048:
181
# GnuPG can't handle long passwords, so encode differently
182
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
183
.replace(b"\n", b"\\n")
184
.replace(b"\0", b"\\x00"))
185
return encoded
186
187
def encrypt(self, data, password):
188
passphrase = self.password_encode(password)
189
with tempfile.NamedTemporaryFile(dir=self.tempdir
190
) as passfile:
191
passfile.write(passphrase)
192
passfile.flush()
193
proc = subprocess.Popen(['gpg', '--symmetric',
194
'--passphrase-file',
195
passfile.name]
196
+ self.gnupgargs,
197
stdin = subprocess.PIPE,
198
stdout = subprocess.PIPE,
199
stderr = subprocess.PIPE)
200
ciphertext, err = proc.communicate(input = data)
201
if proc.returncode != 0:
202
raise PGPError(err)
203
return ciphertext
204
205
def decrypt(self, data, password):
206
passphrase = self.password_encode(password)
207
with tempfile.NamedTemporaryFile(dir = self.tempdir
208
) as passfile:
209
passfile.write(passphrase)
210
passfile.flush()
211
proc = subprocess.Popen(['gpg', '--decrypt',
212
'--passphrase-file',
213
passfile.name]
214
+ self.gnupgargs,
215
stdin = subprocess.PIPE,
216
stdout = subprocess.PIPE,
217
stderr = subprocess.PIPE)
218
decrypted_plaintext, err = proc.communicate(input
219
= data)
220
if proc.returncode != 0:
221
raise PGPError(err)
222
return decrypted_plaintext
223
83
84
version = "1.0.14"
85
86
#logger = logging.getLogger(u'mandos')
87
logger = logging.Logger(u'mandos')
88
syslogger = (logging.handlers.SysLogHandler
89
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
90
address = "/dev/log"))
91
syslogger.setFormatter(logging.Formatter
92
(u'Mandos [%(process)d]: %(levelname)s:'
93
u' %(message)s'))
94
logger.addHandler(syslogger)
95
96
console = logging.StreamHandler()
97
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
98
u' %(levelname)s:'
99
u' %(message)s'))
100
logger.addHandler(console)
224
101
225
102
class AvahiError(Exception):
226
103
def __init__(self, value, *args, **kwargs):
227
104
self.value = value
228
return super(AvahiError, self).__init__(value, *args,
229
**kwargs)
105
super(AvahiError, self).__init__(value, *args, **kwargs)
106
def __unicode__(self):
107
return unicode(repr(self.value))
230
108
231
109
class AvahiServiceError(AvahiError):
232
110
pass
241
119
Attributes:
242
120
interface: integer; avahi.IF_UNSPEC or an interface index.
243
121
Used to optionally bind to the specified interface.
244
name: string; Example: 'Mandos'
245
type: string; Example: '_mandos._tcp'.
246
See <https://www.iana.org/assignments/service-names-port-numbers>
122
name: string; Example: u'Mandos'
123
type: string; Example: u'_mandos._tcp'.
124
See <http://www.dns-sd.org/ServiceTypes.html>
247
125
port: integer; what port to announce
248
126
TXT: list of strings; TXT record for the service
249
127
domain: string; Domain to publish on, default to .local if empty.
255
133
server: D-Bus Server
256
134
bus: dbus.SystemBus()
257
135
"""
258
259
136
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
260
137
servicetype = None, port = None, TXT = None,
261
domain = "", host = "", max_renames = 32768,
138
domain = u"", host = u"", max_renames = 32768,
262
139
protocol = avahi.PROTO_UNSPEC, bus = None):
263
140
self.interface = interface
264
141
self.name = name
273
150
self.group = None # our entry group
274
151
self.server = None
275
152
self.bus = bus
276
self.entry_group_state_changed_match = None
277
278
153
def rename(self):
279
154
"""Derived from the Avahi example code"""
280
155
if self.rename_count >= self.max_renames:
281
logger.critical("No suitable Zeroconf service name found"
282
" after %i retries, exiting.",
156
logger.critical(u"No suitable Zeroconf service name found"
157
u" after %i retries, exiting.",
283
158
self.rename_count)
284
raise AvahiServiceError("Too many renames")
285
self.name = str(self.server
286
.GetAlternativeServiceName(self.name))
287
logger.info("Changing Zeroconf service name to %r ...",
159
raise AvahiServiceError(u"Too many renames")
160
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
161
logger.info(u"Changing Zeroconf service name to %r ...",
288
162
self.name)
163
syslogger.setFormatter(logging.Formatter
164
(u'Mandos (%s) [%%(process)d]:'
165
u' %%(levelname)s: %%(message)s'
166
% self.name))
289
167
self.remove()
290
168
try:
291
169
self.add()
292
except dbus.exceptions.DBusException as error:
293
logger.critical("D-Bus Exception", exc_info=error)
170
except dbus.exceptions.DBusException, error:
171
logger.critical(u"DBusException: %s", error)
294
172
self.cleanup()
295
173
os._exit(1)
296
174
self.rename_count += 1
297
298
175
def remove(self):
299
176
"""Derived from the Avahi example code"""
300
if self.entry_group_state_changed_match is not None:
301
self.entry_group_state_changed_match.remove()
302
self.entry_group_state_changed_match = None
303
177
if self.group is not None:
304
178
self.group.Reset()
305
306
179
def add(self):
307
180
"""Derived from the Avahi example code"""
308
self.remove()
309
181
if self.group is None:
310
182
self.group = dbus.Interface(
311
183
self.bus.get_object(avahi.DBUS_NAME,
312
184
self.server.EntryGroupNew()),
313
185
avahi.DBUS_INTERFACE_ENTRY_GROUP)
314
self.entry_group_state_changed_match = (
315
self.group.connect_to_signal(
316
'StateChanged', self.entry_group_state_changed))
317
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
186
self.group.connect_to_signal('StateChanged',
187
self
188
.entry_group_state_changed)
189
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
318
190
self.name, self.type)
319
191
self.group.AddService(
320
192
self.interface,
325
197
dbus.UInt16(self.port),
326
198
avahi.string_array_to_txt_array(self.TXT))
327
199
self.group.Commit()
328
329
200
def entry_group_state_changed(self, state, error):
330
201
"""Derived from the Avahi example code"""
331
logger.debug("Avahi entry group state change: %i", state)
202
logger.debug(u"Avahi entry group state change: %i", state)
332
203
333
204
if state == avahi.ENTRY_GROUP_ESTABLISHED:
334
logger.debug("Zeroconf service established.")
205
logger.debug(u"Zeroconf service established.")
335
206
elif state == avahi.ENTRY_GROUP_COLLISION:
336
logger.info("Zeroconf service name collision.")
207
logger.warning(u"Zeroconf service name collision.")
337
208
self.rename()
338
209
elif state == avahi.ENTRY_GROUP_FAILURE:
339
logger.critical("Avahi: Error in group state changed %s",
340
str(error))
341
raise AvahiGroupError("State changed: {!s}"
342
.format(error))
343
210
logger.critical(u"Avahi: Error in group state changed %s",
211
unicode(error))
212
raise AvahiGroupError(u"State changed: %s"
213
% unicode(error))
344
214
def cleanup(self):
345
215
"""Derived from the Avahi example code"""
346
216
if self.group is not None:
347
try:
348
self.group.Free()
349
except (dbus.exceptions.UnknownMethodException,
350
dbus.exceptions.DBusException):
351
pass
217
self.group.Free()
352
218
self.group = None
353
self.remove()
354
355
def server_state_changed(self, state, error=None):
219
def server_state_changed(self, state):
356
220
"""Derived from the Avahi example code"""
357
logger.debug("Avahi server state change: %i", state)
358
bad_states = { avahi.SERVER_INVALID:
359
"Zeroconf server invalid",
360
avahi.SERVER_REGISTERING: None,
361
avahi.SERVER_COLLISION:
362
"Zeroconf server name collision",
363
avahi.SERVER_FAILURE:
364
"Zeroconf server failure" }
365
if state in bad_states:
366
if bad_states[state] is not None:
367
if error is None:
368
logger.error(bad_states[state])
369
else:
370
logger.error(bad_states[state] + ": %r", error)
371
self.cleanup()
221
logger.debug(u"Avahi server state change: %i", state)
222
if state == avahi.SERVER_COLLISION:
223
logger.error(u"Zeroconf server name collision")
224
self.remove()
372
225
elif state == avahi.SERVER_RUNNING:
373
226
self.add()
374
else:
375
if error is None:
376
logger.debug("Unknown state: %r", state)
377
else:
378
logger.debug("Unknown state: %r: %r", state, error)
379
380
227
def activate(self):
381
228
"""Derived from the Avahi example code"""
382
229
if self.server is None:
383
230
self.server = dbus.Interface(
384
231
self.bus.get_object(avahi.DBUS_NAME,
385
avahi.DBUS_PATH_SERVER,
386
follow_name_owner_changes=True),
232
avahi.DBUS_PATH_SERVER),
387
233
avahi.DBUS_INTERFACE_SERVER)
388
self.server.connect_to_signal("StateChanged",
234
self.server.connect_to_signal(u"StateChanged",
389
235
self.server_state_changed)
390
236
self.server_state_changed(self.server.GetState())
391
237
392
238
393
class AvahiServiceToSyslog(AvahiService):
394
def rename(self):
395
"""Add the new name to the syslog messages"""
396
ret = AvahiService.rename(self)
397
syslogger.setFormatter(logging.Formatter
398
('Mandos ({}) [%(process)d]:'
399
' %(levelname)s: %(message)s'
400
.format(self.name)))
401
return ret
402
403
404
239
class Client(object):
405
240
"""A representation of a client host served by this server.
406
241
407
242
Attributes:
408
approved: bool(); 'None' if not yet approved/disapproved
243
_approved: bool(); 'None' if not yet approved/disapproved
409
244
approval_delay: datetime.timedelta(); Time to wait for approval
410
245
approval_duration: datetime.timedelta(); Duration of one approval
411
246
checker: subprocess.Popen(); a running checker process used
418
253
instance %(name)s can be used in the command.
419
254
checker_initiator_tag: a gobject event source tag, or None
420
255
created: datetime.datetime(); (UTC) object creation
421
client_structure: Object describing what attributes a client has
422
and is used for storing the client at exit
423
256
current_checker_command: string; current running checker_command
257
disable_hook: If set, called by disable() as disable_hook(self)
424
258
disable_initiator_tag: a gobject event source tag, or None
425
259
enabled: bool()
426
260
fingerprint: string (40 or 32 hexadecimal digits); used to
429
263
interval: datetime.timedelta(); How often to start a new checker
430
264
last_approval_request: datetime.datetime(); (UTC) or None
431
265
last_checked_ok: datetime.datetime(); (UTC) or None
432
last_checker_status: integer between 0 and 255 reflecting exit
433
status of last checker. -1 reflects crashed
434
checker, -2 means no checker completed yet.
435
last_enabled: datetime.datetime(); (UTC) or None
266
last_enabled: datetime.datetime(); (UTC)
436
267
name: string; from the config file, used in log messages and
437
268
D-Bus identifiers
438
269
secret: bytestring; sent verbatim (over TLS) to client
439
270
timeout: datetime.timedelta(); How long from last_checked_ok
440
271
until this client is disabled
441
extended_timeout: extra long timeout when secret has been sent
442
272
runtime_expansions: Allowed attributes for runtime expansion.
443
expires: datetime.datetime(); time (UTC) when a client will be
444
disabled, or None
445
server_settings: The server_settings dict from main()
446
273
"""
447
274
448
runtime_expansions = ("approval_delay", "approval_duration",
449
"created", "enabled", "expires",
450
"fingerprint", "host", "interval",
451
"last_approval_request", "last_checked_ok",
452
"last_enabled", "name", "timeout")
453
client_defaults = { "timeout": "PT5M",
454
"extended_timeout": "PT15M",
455
"interval": "PT2M",
456
"checker": "fping -q -- %%(host)s",
457
"host": "",
458
"approval_delay": "PT0S",
459
"approval_duration": "PT1S",
460
"approved_by_default": "True",
461
"enabled": "True",
462
}
275
runtime_expansions = (u"approval_delay", u"approval_duration",
276
u"created", u"enabled", u"fingerprint",
277
u"host", u"interval", u"last_checked_ok",
278
u"last_enabled", u"name", u"timeout")
463
279
464
280
@staticmethod
465
def config_parser(config):
466
"""Construct a new dict of client settings of this form:
467
{ client_name: {setting_name: value, ...}, ...}
468
with exceptions for any special settings as defined above.
469
NOTE: Must be a pure function. Must return the same result
470
value given the same arguments.
471
"""
472
settings = {}
473
for client_name in config.sections():
474
section = dict(config.items(client_name))
475
client = settings[client_name] = {}
476
477
client["host"] = section["host"]
478
# Reformat values from string types to Python types
479
client["approved_by_default"] = config.getboolean(
480
client_name, "approved_by_default")
481
client["enabled"] = config.getboolean(client_name,
482
"enabled")
483
484
client["fingerprint"] = (section["fingerprint"].upper()
485
.replace(" ", ""))
486
if "secret" in section:
487
client["secret"] = section["secret"].decode("base64")
488
elif "secfile" in section:
489
with open(os.path.expanduser(os.path.expandvars
490
(section["secfile"])),
491
"rb") as secfile:
492
client["secret"] = secfile.read()
493
else:
494
raise TypeError("No secret or secfile for section {}"
495
.format(section))
496
client["timeout"] = string_to_delta(section["timeout"])
497
client["extended_timeout"] = string_to_delta(
498
section["extended_timeout"])
499
client["interval"] = string_to_delta(section["interval"])
500
client["approval_delay"] = string_to_delta(
501
section["approval_delay"])
502
client["approval_duration"] = string_to_delta(
503
section["approval_duration"])
504
client["checker_command"] = section["checker"]
505
client["last_approval_request"] = None
506
client["last_checked_ok"] = None
507
client["last_checker_status"] = -2
508
509
return settings
510
511
def __init__(self, settings, name = None, server_settings=None):
281
def _timedelta_to_milliseconds(td):
282
"Convert a datetime.timedelta() to milliseconds"
283
return ((td.days * 24 * 60 * 60 * 1000)
284
+ (td.seconds * 1000)
285
+ (td.microseconds // 1000))
286
287
def timeout_milliseconds(self):
288
"Return the 'timeout' attribute in milliseconds"
289
return self._timedelta_to_milliseconds(self.timeout)
290
291
def interval_milliseconds(self):
292
"Return the 'interval' attribute in milliseconds"
293
return self._timedelta_to_milliseconds(self.interval)
294
295
def approval_delay_milliseconds(self):
296
return self._timedelta_to_milliseconds(self.approval_delay)
297
298
def __init__(self, name = None, disable_hook=None, config=None):
299
"""Note: the 'checker' key in 'config' sets the
300
'checker_command' attribute and *not* the 'checker'
301
attribute."""
512
302
self.name = name
513
if server_settings is None:
514
server_settings = {}
515
self.server_settings = server_settings
516
# adding all client settings
517
for setting, value in settings.items():
518
setattr(self, setting, value)
519
520
if self.enabled:
521
if not hasattr(self, "last_enabled"):
522
self.last_enabled = datetime.datetime.utcnow()
523
if not hasattr(self, "expires"):
524
self.expires = (datetime.datetime.utcnow()
525
+ self.timeout)
526
else:
527
self.last_enabled = None
528
self.expires = None
529
530
logger.debug("Creating client %r", self.name)
303
if config is None:
304
config = {}
305
logger.debug(u"Creating client %r", self.name)
531
306
# Uppercase and remove spaces from fingerprint for later
532
307
# comparison purposes with return value from the fingerprint()
533
308
# function
534
logger.debug(" Fingerprint: %s", self.fingerprint)
535
self.created = settings.get("created",
536
datetime.datetime.utcnow())
537
538
# attributes specific for this server instance
309
self.fingerprint = (config[u"fingerprint"].upper()
310
.replace(u" ", u""))
311
logger.debug(u" Fingerprint: %s", self.fingerprint)
312
if u"secret" in config:
313
self.secret = config[u"secret"].decode(u"base64")
314
elif u"secfile" in config:
315
with open(os.path.expanduser(os.path.expandvars
316
(config[u"secfile"])),
317
"rb") as secfile:
318
self.secret = secfile.read()
319
else:
320
raise TypeError(u"No secret or secfile for client %s"
321
% self.name)
322
self.host = config.get(u"host", u"")
323
self.created = datetime.datetime.utcnow()
324
self.enabled = False
325
self.last_approval_request = None
326
self.last_enabled = None
327
self.last_checked_ok = None
328
self.timeout = string_to_delta(config[u"timeout"])
329
self.interval = string_to_delta(config[u"interval"])
330
self.disable_hook = disable_hook
539
331
self.checker = None
540
332
self.checker_initiator_tag = None
541
333
self.disable_initiator_tag = None
542
334
self.checker_callback_tag = None
335
self.checker_command = config[u"checker"]
543
336
self.current_checker_command = None
544
self.approved = None
337
self.last_connect = None
338
self._approved = None
339
self.approved_by_default = config.get(u"approved_by_default",
340
True)
545
341
self.approvals_pending = 0
546
self.changedstate = (multiprocessing_manager
547
.Condition(multiprocessing_manager
548
.Lock()))
549
self.client_structure = [attr for attr in
550
self.__dict__.iterkeys()
551
if not attr.startswith("_")]
552
self.client_structure.append("client_structure")
553
554
for name, t in inspect.getmembers(type(self),
555
lambda obj:
556
isinstance(obj,
557
property)):
558
if not name.startswith("_"):
559
self.client_structure.append(name)
342
self.approval_delay = string_to_delta(
343
config[u"approval_delay"])
344
self.approval_duration = string_to_delta(
345
config[u"approval_duration"])
346
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
560
347
561
# Send notice to process children that client state has changed
562
348
def send_changedstate(self):
563
with self.changedstate:
564
self.changedstate.notify_all()
565
349
self.changedstate.acquire()
350
self.changedstate.notify_all()
351
self.changedstate.release()
352
566
353
def enable(self):
567
354
"""Start this client's checker and timeout hooks"""
568
if getattr(self, "enabled", False):
355
if getattr(self, u"enabled", False):
569
356
# Already enabled
570
357
return
571
self.expires = datetime.datetime.utcnow() + self.timeout
572
self.enabled = True
358
self.send_changedstate()
573
359
self.last_enabled = datetime.datetime.utcnow()
574
self.init_checker()
575
self.send_changedstate()
360
# Schedule a new checker to be started an 'interval' from now,
361
# and every interval from then on.
362
self.checker_initiator_tag = (gobject.timeout_add
363
(self.interval_milliseconds(),
364
self.start_checker))
365
# Schedule a disable() when 'timeout' has passed
366
self.disable_initiator_tag = (gobject.timeout_add
367
(self.timeout_milliseconds(),
368
self.disable))
369
self.enabled = True
370
# Also start a new checker *right now*.
371
self.start_checker()
576
372
577
373
def disable(self, quiet=True):
578
374
"""Disable this client."""
579
375
if not getattr(self, "enabled", False):
580
376
return False
581
377
if not quiet:
582
logger.info("Disabling client %s", self.name)
583
if getattr(self, "disable_initiator_tag", None) is not None:
378
self.send_changedstate()
379
if not quiet:
380
logger.info(u"Disabling client %s", self.name)
381
if getattr(self, u"disable_initiator_tag", False):
584
382
gobject.source_remove(self.disable_initiator_tag)
585
383
self.disable_initiator_tag = None
586
self.expires = None
587
if getattr(self, "checker_initiator_tag", None) is not None:
384
if getattr(self, u"checker_initiator_tag", False):
588
385
gobject.source_remove(self.checker_initiator_tag)
589
386
self.checker_initiator_tag = None
590
387
self.stop_checker()
388
if self.disable_hook:
389
self.disable_hook(self)
591
390
self.enabled = False
592
if not quiet:
593
self.send_changedstate()
594
391
# Do not run this again if called by a gobject.timeout_add
595
392
return False
596
393
597
394
def __del__(self):
395
self.disable_hook = None
598
396
self.disable()
599
397
600
def init_checker(self):
601
# Schedule a new checker to be started an 'interval' from now,
602
# and every interval from then on.
603
if self.checker_initiator_tag is not None:
604
gobject.source_remove(self.checker_initiator_tag)
605
self.checker_initiator_tag = (gobject.timeout_add
606
(int(self.interval
607
.total_seconds() * 1000),
608
self.start_checker))
609
# Schedule a disable() when 'timeout' has passed
610
if self.disable_initiator_tag is not None:
611
gobject.source_remove(self.disable_initiator_tag)
612
self.disable_initiator_tag = (gobject.timeout_add
613
(int(self.timeout
614
.total_seconds() * 1000),
615
self.disable))
616
# Also start a new checker *right now*.
617
self.start_checker()
618
619
398
def checker_callback(self, pid, condition, command):
620
399
"""The checker has completed, so take appropriate actions."""
621
400
self.checker_callback_tag = None
622
401
self.checker = None
623
402
if os.WIFEXITED(condition):
624
self.last_checker_status = os.WEXITSTATUS(condition)
625
if self.last_checker_status == 0:
626
logger.info("Checker for %(name)s succeeded",
403
exitstatus = os.WEXITSTATUS(condition)
404
if exitstatus == 0:
405
logger.info(u"Checker for %(name)s succeeded",
627
406
vars(self))
628
407
self.checked_ok()
629
408
else:
630
logger.info("Checker for %(name)s failed",
409
logger.info(u"Checker for %(name)s failed",
631
410
vars(self))
632
411
else:
633
self.last_checker_status = -1
634
logger.warning("Checker for %(name)s crashed?",
412
logger.warning(u"Checker for %(name)s crashed?",
635
413
vars(self))
636
414
637
415
def checked_ok(self):
638
"""Assert that the client has been seen, alive and well."""
416
"""Bump up the timeout for this client.
417
418
This should only be called when the client has been seen,
419
alive and well.
420
"""
639
421
self.last_checked_ok = datetime.datetime.utcnow()
640
self.last_checker_status = 0
641
self.bump_timeout()
642
643
def bump_timeout(self, timeout=None):
644
"""Bump up the timeout for this client."""
645
if timeout is None:
646
timeout = self.timeout
647
if self.disable_initiator_tag is not None:
648
gobject.source_remove(self.disable_initiator_tag)
649
self.disable_initiator_tag = None
650
if getattr(self, "enabled", False):
651
self.disable_initiator_tag = (gobject.timeout_add
652
(int(timeout.total_seconds()
653
* 1000), self.disable))
654
self.expires = datetime.datetime.utcnow() + timeout
422
gobject.source_remove(self.disable_initiator_tag)
423
self.disable_initiator_tag = (gobject.timeout_add
424
(self.timeout_milliseconds(),
425
self.disable))
655
426
656
427
def need_approval(self):
657
428
self.last_approval_request = datetime.datetime.utcnow()
662
433
If a checker already exists, leave it running and do
663
434
nothing."""
664
435
# The reason for not killing a running checker is that if we
665
# did that, and if a checker (for some reason) started running
666
# slowly and taking more than 'interval' time, then the client
667
# would inevitably timeout, since no checker would get a
668
# chance to run to completion. If we instead leave running
436
# did that, then if a checker (for some reason) started
437
# running slowly and taking more than 'interval' time, the
438
# client would inevitably timeout, since no checker would get
439
# a chance to run to completion. If we instead leave running
669
440
# checkers alone, the checker would have to take more time
670
441
# than 'timeout' for the client to be disabled, which is as it
671
442
# should be.
673
444
# If a checker exists, make sure it is not a zombie
674
445
try:
675
446
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
676
except AttributeError:
677
pass
678
except OSError as error:
679
if error.errno != errno.ECHILD:
680
raise
447
except (AttributeError, OSError), error:
448
if (isinstance(error, OSError)
449
and error.errno != errno.ECHILD):
450
raise error
681
451
else:
682
452
if pid:
683
logger.warning("Checker was a zombie")
453
logger.warning(u"Checker was a zombie")
684
454
gobject.source_remove(self.checker_callback_tag)
685
455
self.checker_callback(pid, status,
686
456
self.current_checker_command)
687
457
# Start a new checker if needed
688
458
if self.checker is None:
689
# Escape attributes for the shell
690
escaped_attrs = { attr:
691
re.escape(str(getattr(self, attr)))
692
for attr in self.runtime_expansions }
693
459
try:
694
command = self.checker_command % escaped_attrs
695
except TypeError as error:
696
logger.error('Could not format string "%s"',
697
self.checker_command, exc_info=error)
698
return True # Try again later
460
# In case checker_command has exactly one % operator
461
command = self.checker_command % self.host
462
except TypeError:
463
# Escape attributes for the shell
464
escaped_attrs = dict(
465
(attr,
466
re.escape(unicode(str(getattr(self, attr, u"")),
467
errors=
468
u'replace')))
469
for attr in
470
self.runtime_expansions)
471
472
try:
473
command = self.checker_command % escaped_attrs
474
except TypeError, error:
475
logger.error(u'Could not format string "%s":'
476
u' %s', self.checker_command, error)
477
return True # Try again later
699
478
self.current_checker_command = command
700
479
try:
701
logger.info("Starting checker %r for %s",
480
logger.info(u"Starting checker %r for %s",
702
481
command, self.name)
703
482
# We don't need to redirect stdout and stderr, since
704
483
# in normal mode, that is already done by daemon(),
705
484
# and in debug mode we don't want to. (Stdin is
706
485
# always replaced by /dev/null.)
707
# The exception is when not debugging but nevertheless
708
# running in the foreground; use the previously
709
# created wnull.
710
popen_args = {}
711
if (not self.server_settings["debug"]
712
and self.server_settings["foreground"]):
713
popen_args.update({"stdout": wnull,
714
"stderr": wnull })
715
486
self.checker = subprocess.Popen(command,
716
487
close_fds=True,
717
shell=True, cwd="/",
718
**popen_args)
719
except OSError as error:
720
logger.error("Failed to start subprocess",
721
exc_info=error)
722
return True
723
self.checker_callback_tag = (gobject.child_watch_add
724
(self.checker.pid,
725
self.checker_callback,
726
data=command))
727
# The checker may have completed before the gobject
728
# watch was added. Check for this.
729
try:
488
shell=True, cwd=u"/")
489
self.checker_callback_tag = (gobject.child_watch_add
490
(self.checker.pid,
491
self.checker_callback,
492
data=command))
493
# The checker may have completed before the gobject
494
# watch was added. Check for this.
730
495
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
731
except OSError as error:
732
if error.errno == errno.ECHILD:
733
# This should never happen
734
logger.error("Child process vanished",
735
exc_info=error)
736
return True
737
raise
738
if pid:
739
gobject.source_remove(self.checker_callback_tag)
740
self.checker_callback(pid, status, command)
496
if pid:
497
gobject.source_remove(self.checker_callback_tag)
498
self.checker_callback(pid, status, command)
499
except OSError, error:
500
logger.error(u"Failed to start subprocess: %s",
501
error)
741
502
# Re-run this periodically if run by gobject.timeout_add
742
503
return True
743
504
746
507
if self.checker_callback_tag:
747
508
gobject.source_remove(self.checker_callback_tag)
748
509
self.checker_callback_tag = None
749
if getattr(self, "checker", None) is None:
510
if getattr(self, u"checker", None) is None:
750
511
return
751
logger.debug("Stopping checker for %(name)s", vars(self))
512
logger.debug(u"Stopping checker for %(name)s", vars(self))
752
513
try:
753
self.checker.terminate()
514
os.kill(self.checker.pid, signal.SIGTERM)
754
515
#time.sleep(0.5)
755
516
#if self.checker.poll() is None:
756
# self.checker.kill()
757
except OSError as error:
517
# os.kill(self.checker.pid, signal.SIGKILL)
518
except OSError, error:
758
519
if error.errno != errno.ESRCH: # No such process
759
520
raise
760
521
self.checker = None
761
522
762
763
def dbus_service_property(dbus_interface, signature="v",
764
access="readwrite", byte_arrays=False):
523
def dbus_service_property(dbus_interface, signature=u"v",
524
access=u"readwrite", byte_arrays=False):
765
525
"""Decorators for marking methods of a DBusObjectWithProperties to
766
526
become properties on the D-Bus.
767
527
774
534
"""
775
535
# Encoding deeply encoded byte arrays is not supported yet by the
776
536
# "Set" method, so we fail early here:
777
if byte_arrays and signature != "ay":
778
raise ValueError("Byte arrays not supported for non-'ay'"
779
" signature {!r}".format(signature))
537
if byte_arrays and signature != u"ay":
538
raise ValueError(u"Byte arrays not supported for non-'ay'"
539
u" signature %r" % signature)
780
540
def decorator(func):
781
541
func._dbus_is_property = True
782
542
func._dbus_interface = dbus_interface
783
543
func._dbus_signature = signature
784
544
func._dbus_access = access
785
545
func._dbus_name = func.__name__
786
if func._dbus_name.endswith("_dbus_property"):
546
if func._dbus_name.endswith(u"_dbus_property"):
787
547
func._dbus_name = func._dbus_name[:-14]
788
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
789
return func
790
return decorator
791
792
793
def dbus_interface_annotations(dbus_interface):
794
"""Decorator for marking functions returning interface annotations
795
796
Usage:
797
798
@dbus_interface_annotations("org.example.Interface")
799
def _foo(self): # Function name does not matter
800
return {"org.freedesktop.DBus.Deprecated": "true",
801
"org.freedesktop.DBus.Property.EmitsChangedSignal":
802
"false"}
803
"""
804
def decorator(func):
805
func._dbus_is_interface = True
806
func._dbus_interface = dbus_interface
807
func._dbus_name = dbus_interface
808
return func
809
return decorator
810
811
812
def dbus_annotations(annotations):
813
"""Decorator to annotate D-Bus methods, signals or properties
814
Usage:
815
816
@dbus_service_property("org.example.Interface", signature="b",
817
access="r")
818
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
819
"org.freedesktop.DBus.Property."
820
"EmitsChangedSignal": "false"})
821
def Property_dbus_property(self):
822
return dbus.Boolean(False)
823
"""
824
def decorator(func):
825
func._dbus_annotations = annotations
548
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
826
549
return func
827
550
return decorator
828
551
830
553
class DBusPropertyException(dbus.exceptions.DBusException):
831
554
"""A base class for D-Bus property-related exceptions
832
555
"""
833
pass
556
def __unicode__(self):
557
return unicode(str(self))
558
834
559
835
560
class DBusPropertyAccessException(DBusPropertyException):
836
561
"""A property's access permissions disallows an operation.
846
571
847
572
class DBusObjectWithProperties(dbus.service.Object):
848
573
"""A D-Bus object with properties.
849
574
850
575
Classes inheriting from this can use the dbus_service_property
851
576
decorator to expose methods as D-Bus properties. It exposes the
852
577
standard Get(), Set(), and GetAll() methods on the D-Bus.
853
578
"""
854
579
855
580
@staticmethod
856
def _is_dbus_thing(thing):
857
"""Returns a function testing if an attribute is a D-Bus thing
858
859
If called like _is_dbus_thing("method") it returns a function
860
suitable for use as predicate to inspect.getmembers().
861
"""
862
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
863
False)
581
def _is_dbus_property(obj):
582
return getattr(obj, u"_dbus_is_property", False)
864
583
865
def _get_all_dbus_things(self, thing):
584
def _get_all_dbus_properties(self):
866
585
"""Returns a generator of (name, attribute) pairs
867
586
"""
868
return ((getattr(athing.__get__(self), "_dbus_name",
869
name),
870
athing.__get__(self))
871
for cls in self.__class__.__mro__
872
for name, athing in
873
inspect.getmembers(cls,
874
self._is_dbus_thing(thing)))
587
return ((prop._dbus_name, prop)
588
for name, prop in
589
inspect.getmembers(self, self._is_dbus_property))
875
590
876
591
def _get_dbus_property(self, interface_name, property_name):
877
592
"""Returns a bound method if one exists which is a D-Bus
878
593
property with the specified name and interface.
879
594
"""
880
for cls in self.__class__.__mro__:
881
for name, value in (inspect.getmembers
882
(cls,
883
self._is_dbus_thing("property"))):
884
if (value._dbus_name == property_name
885
and value._dbus_interface == interface_name):
886
return value.__get__(self)
887
595
for name in (property_name,
596
property_name + u"_dbus_property"):
597
prop = getattr(self, name, None)
598
if (prop is None
599
or not self._is_dbus_property(prop)
600
or prop._dbus_name != property_name
601
or (interface_name and prop._dbus_interface
602
and interface_name != prop._dbus_interface)):
603
continue
604
return prop
888
605
# No such property
889
raise DBusPropertyNotFound(self.dbus_object_path + ":"
890
+ interface_name + "."
606
raise DBusPropertyNotFound(self.dbus_object_path + u":"
607
+ interface_name + u"."
891
608
+ property_name)
892
609
893
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
894
out_signature="v")
610
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
611
out_signature=u"v")
895
612
def Get(self, interface_name, property_name):
896
613
"""Standard D-Bus property Get() method, see D-Bus standard.
897
614
"""
898
615
prop = self._get_dbus_property(interface_name, property_name)
899
if prop._dbus_access == "write":
616
if prop._dbus_access == u"write":
900
617
raise DBusPropertyAccessException(property_name)
901
618
value = prop()
902
if not hasattr(value, "variant_level"):
619
if not hasattr(value, u"variant_level"):
903
620
return value
904
621
return type(value)(value, variant_level=value.variant_level+1)
905
622
906
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
623
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
907
624
def Set(self, interface_name, property_name, value):
908
625
"""Standard D-Bus property Set() method, see D-Bus standard.
909
626
"""
910
627
prop = self._get_dbus_property(interface_name, property_name)
911
if prop._dbus_access == "read":
628
if prop._dbus_access == u"read":
912
629
raise DBusPropertyAccessException(property_name)
913
if prop._dbus_get_args_options["byte_arrays"]:
630
if prop._dbus_get_args_options[u"byte_arrays"]:
914
631
# The byte_arrays option is not supported yet on
915
632
# signatures other than "ay".
916
if prop._dbus_signature != "ay":
917
raise ValueError("Byte arrays not supported for non-"
918
"'ay' signature {!r}"
919
.format(prop._dbus_signature))
920
value = dbus.ByteArray(b''.join(chr(byte)
921
for byte in value))
633
if prop._dbus_signature != u"ay":
634
raise ValueError
635
value = dbus.ByteArray(''.join(unichr(byte)
636
for byte in value))
922
637
prop(value)
923
638
924
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
925
out_signature="a{sv}")
639
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
640
out_signature=u"a{sv}")
926
641
def GetAll(self, interface_name):
927
642
"""Standard D-Bus property GetAll() method, see D-Bus
928
643
standard.
929
644
930
645
Note: Will not include properties with access="write".
931
646
"""
932
properties = {}
933
for name, prop in self._get_all_dbus_things("property"):
647
all = {}
648
for name, prop in self._get_all_dbus_properties():
934
649
if (interface_name
935
650
and interface_name != prop._dbus_interface):
936
651
# Interface non-empty but did not match
937
652
continue
938
653
# Ignore write-only properties
939
if prop._dbus_access == "write":
654
if prop._dbus_access == u"write":
940
655
continue
941
656
value = prop()
942
if not hasattr(value, "variant_level"):
943
properties[name] = value
657
if not hasattr(value, u"variant_level"):
658
all[name] = value
944
659
continue
945
properties[name] = type(value)(value, variant_level=
946
value.variant_level+1)
947
return dbus.Dictionary(properties, signature="sv")
660
all[name] = type(value)(value, variant_level=
661
value.variant_level+1)
662
return dbus.Dictionary(all, signature=u"sv")
948
663
949
664
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
950
out_signature="s",
665
out_signature=u"s",
951
666
path_keyword='object_path',
952
667
connection_keyword='connection')
953
668
def Introspect(self, object_path, connection):
954
"""Overloading of standard D-Bus method.
955
956
Inserts property tags and interface annotation tags.
669
"""Standard D-Bus method, overloaded to insert property tags.
957
670
"""
958
671
xmlstring = dbus.service.Object.Introspect(self, object_path,
959
672
connection)
960
673
try:
961
674
document = xml.dom.minidom.parseString(xmlstring)
962
675
def make_tag(document, name, prop):
963
e = document.createElement("property")
964
e.setAttribute("name", name)
965
e.setAttribute("type", prop._dbus_signature)
966
e.setAttribute("access", prop._dbus_access)
676
e = document.createElement(u"property")
677
e.setAttribute(u"name", name)
678
e.setAttribute(u"type", prop._dbus_signature)
679
e.setAttribute(u"access", prop._dbus_access)
967
680
return e
968
for if_tag in document.getElementsByTagName("interface"):
969
# Add property tags
681
for if_tag in document.getElementsByTagName(u"interface"):
970
682
for tag in (make_tag(document, name, prop)
971
683
for name, prop
972
in self._get_all_dbus_things("property")
684
in self._get_all_dbus_properties()
973
685
if prop._dbus_interface
974
== if_tag.getAttribute("name")):
686
== if_tag.getAttribute(u"name")):
975
687
if_tag.appendChild(tag)
976
# Add annotation tags
977
for typ in ("method", "signal", "property"):
978
for tag in if_tag.getElementsByTagName(typ):
979
annots = dict()
980
for name, prop in (self.
981
_get_all_dbus_things(typ)):
982
if (name == tag.getAttribute("name")
983
and prop._dbus_interface
984
== if_tag.getAttribute("name")):
985
annots.update(getattr
986
(prop,
987
"_dbus_annotations",
988
{}))
989
for name, value in annots.items():
990
ann_tag = document.createElement(
991
"annotation")
992
ann_tag.setAttribute("name", name)
993
ann_tag.setAttribute("value", value)
994
tag.appendChild(ann_tag)
995
# Add interface annotation tags
996
for annotation, value in dict(
997
itertools.chain.from_iterable(
998
annotations().items()
999
for name, annotations in
1000
self._get_all_dbus_things("interface")
1001
if name == if_tag.getAttribute("name")
1002
)).items():
1003
ann_tag = document.createElement("annotation")
1004
ann_tag.setAttribute("name", annotation)
1005
ann_tag.setAttribute("value", value)
1006
if_tag.appendChild(ann_tag)
1007
688
# Add the names to the return values for the
1008
689
# "org.freedesktop.DBus.Properties" methods
1009
if (if_tag.getAttribute("name")
1010
== "org.freedesktop.DBus.Properties"):
1011
for cn in if_tag.getElementsByTagName("method"):
1012
if cn.getAttribute("name") == "Get":
1013
for arg in cn.getElementsByTagName("arg"):
1014
if (arg.getAttribute("direction")
1015
== "out"):
1016
arg.setAttribute("name", "value")
1017
elif cn.getAttribute("name") == "GetAll":
1018
for arg in cn.getElementsByTagName("arg"):
1019
if (arg.getAttribute("direction")
1020
== "out"):
1021
arg.setAttribute("name", "props")
1022
xmlstring = document.toxml("utf-8")
690
if (if_tag.getAttribute(u"name")
691
== u"org.freedesktop.DBus.Properties"):
692
for cn in if_tag.getElementsByTagName(u"method"):
693
if cn.getAttribute(u"name") == u"Get":
694
for arg in cn.getElementsByTagName(u"arg"):
695
if (arg.getAttribute(u"direction")
696
== u"out"):
697
arg.setAttribute(u"name", u"value")
698
elif cn.getAttribute(u"name") == u"GetAll":
699
for arg in cn.getElementsByTagName(u"arg"):
700
if (arg.getAttribute(u"direction")
701
== u"out"):
702
arg.setAttribute(u"name", u"props")
703
xmlstring = document.toxml(u"utf-8")
1023
704
document.unlink()
1024
705
except (AttributeError, xml.dom.DOMException,
1025
xml.parsers.expat.ExpatError) as error:
1026
logger.error("Failed to override Introspection method",
1027
exc_info=error)
706
xml.parsers.expat.ExpatError), error:
707
logger.error(u"Failed to override Introspection method",
708
error)
1028
709
return xmlstring
1029
710
1030
711
1031
def datetime_to_dbus(dt, variant_level=0):
1032
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1033
if dt is None:
1034
return dbus.String("", variant_level = variant_level)
1035
return dbus.String(dt.isoformat(),
1036
variant_level=variant_level)
1037
1038
1039
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1040
"""A class decorator; applied to a subclass of
1041
dbus.service.Object, it will add alternate D-Bus attributes with
1042
interface names according to the "alt_interface_names" mapping.
1043
Usage:
1044
1045
@alternate_dbus_interfaces({"org.example.Interface":
1046
"net.example.AlternateInterface"})
1047
class SampleDBusObject(dbus.service.Object):
1048
@dbus.service.method("org.example.Interface")
1049
def SampleDBusMethod():
1050
pass
1051
1052
The above "SampleDBusMethod" on "SampleDBusObject" will be
1053
reachable via two interfaces: "org.example.Interface" and
1054
"net.example.AlternateInterface", the latter of which will have
1055
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1056
"true", unless "deprecate" is passed with a False value.
1057
1058
This works for methods and signals, and also for D-Bus properties
1059
(from DBusObjectWithProperties) and interfaces (from the
1060
dbus_interface_annotations decorator).
1061
"""
1062
def wrapper(cls):
1063
for orig_interface_name, alt_interface_name in (
1064
alt_interface_names.items()):
1065
attr = {}
1066
interface_names = set()
1067
# Go though all attributes of the class
1068
for attrname, attribute in inspect.getmembers(cls):
1069
# Ignore non-D-Bus attributes, and D-Bus attributes
1070
# with the wrong interface name
1071
if (not hasattr(attribute, "_dbus_interface")
1072
or not attribute._dbus_interface
1073
.startswith(orig_interface_name)):
1074
continue
1075
# Create an alternate D-Bus interface name based on
1076
# the current name
1077
alt_interface = (attribute._dbus_interface
1078
.replace(orig_interface_name,
1079
alt_interface_name))
1080
interface_names.add(alt_interface)
1081
# Is this a D-Bus signal?
1082
if getattr(attribute, "_dbus_is_signal", False):
1083
# Extract the original non-method undecorated
1084
# function by black magic
1085
nonmethod_func = (dict(
1086
zip(attribute.func_code.co_freevars,
1087
attribute.__closure__))["func"]
1088
.cell_contents)
1089
# Create a new, but exactly alike, function
1090
# object, and decorate it to be a new D-Bus signal
1091
# with the alternate D-Bus interface name
1092
new_function = (dbus.service.signal
1093
(alt_interface,
1094
attribute._dbus_signature)
1095
(types.FunctionType(
1096
nonmethod_func.func_code,
1097
nonmethod_func.func_globals,
1098
nonmethod_func.func_name,
1099
nonmethod_func.func_defaults,
1100
nonmethod_func.func_closure)))
1101
# Copy annotations, if any
1102
try:
1103
new_function._dbus_annotations = (
1104
dict(attribute._dbus_annotations))
1105
except AttributeError:
1106
pass
1107
# Define a creator of a function to call both the
1108
# original and alternate functions, so both the
1109
# original and alternate signals gets sent when
1110
# the function is called
1111
def fixscope(func1, func2):
1112
"""This function is a scope container to pass
1113
func1 and func2 to the "call_both" function
1114
outside of its arguments"""
1115
def call_both(*args, **kwargs):
1116
"""This function will emit two D-Bus
1117
signals by calling func1 and func2"""
1118
func1(*args, **kwargs)
1119
func2(*args, **kwargs)
1120
return call_both
1121
# Create the "call_both" function and add it to
1122
# the class
1123
attr[attrname] = fixscope(attribute, new_function)
1124
# Is this a D-Bus method?
1125
elif getattr(attribute, "_dbus_is_method", False):
1126
# Create a new, but exactly alike, function
1127
# object. Decorate it to be a new D-Bus method
1128
# with the alternate D-Bus interface name. Add it
1129
# to the class.
1130
attr[attrname] = (dbus.service.method
1131
(alt_interface,
1132
attribute._dbus_in_signature,
1133
attribute._dbus_out_signature)
1134
(types.FunctionType
1135
(attribute.func_code,
1136
attribute.func_globals,
1137
attribute.func_name,
1138
attribute.func_defaults,
1139
attribute.func_closure)))
1140
# Copy annotations, if any
1141
try:
1142
attr[attrname]._dbus_annotations = (
1143
dict(attribute._dbus_annotations))
1144
except AttributeError:
1145
pass
1146
# Is this a D-Bus property?
1147
elif getattr(attribute, "_dbus_is_property", False):
1148
# Create a new, but exactly alike, function
1149
# object, and decorate it to be a new D-Bus
1150
# property with the alternate D-Bus interface
1151
# name. Add it to the class.
1152
attr[attrname] = (dbus_service_property
1153
(alt_interface,
1154
attribute._dbus_signature,
1155
attribute._dbus_access,
1156
attribute
1157
._dbus_get_args_options
1158
["byte_arrays"])
1159
(types.FunctionType
1160
(attribute.func_code,
1161
attribute.func_globals,
1162
attribute.func_name,
1163
attribute.func_defaults,
1164
attribute.func_closure)))
1165
# Copy annotations, if any
1166
try:
1167
attr[attrname]._dbus_annotations = (
1168
dict(attribute._dbus_annotations))
1169
except AttributeError:
1170
pass
1171
# Is this a D-Bus interface?
1172
elif getattr(attribute, "_dbus_is_interface", False):
1173
# Create a new, but exactly alike, function
1174
# object. Decorate it to be a new D-Bus interface
1175
# with the alternate D-Bus interface name. Add it
1176
# to the class.
1177
attr[attrname] = (dbus_interface_annotations
1178
(alt_interface)
1179
(types.FunctionType
1180
(attribute.func_code,
1181
attribute.func_globals,
1182
attribute.func_name,
1183
attribute.func_defaults,
1184
attribute.func_closure)))
1185
if deprecate:
1186
# Deprecate all alternate interfaces
1187
iname="_AlternateDBusNames_interface_annotation{}"
1188
for interface_name in interface_names:
1189
@dbus_interface_annotations(interface_name)
1190
def func(self):
1191
return { "org.freedesktop.DBus.Deprecated":
1192
"true" }
1193
# Find an unused name
1194
for aname in (iname.format(i)
1195
for i in itertools.count()):
1196
if aname not in attr:
1197
attr[aname] = func
1198
break
1199
if interface_names:
1200
# Replace the class with a new subclass of it with
1201
# methods, signals, etc. as created above.
1202
cls = type(b"{}Alternate".format(cls.__name__),
1203
(cls,), attr)
1204
return cls
1205
return wrapper
1206
1207
1208
@alternate_dbus_interfaces({"se.recompile.Mandos":
1209
"se.bsnet.fukt.Mandos"})
1210
712
class ClientDBus(Client, DBusObjectWithProperties):
1211
713
"""A Client class using D-Bus
1212
714
1216
718
"""
1217
719
1218
720
runtime_expansions = (Client.runtime_expansions
1219
+ ("dbus_object_path",))
721
+ (u"dbus_object_path",))
1220
722
1221
723
# dbus.service.Object doesn't use super(), so we can't either.
1222
724
1223
725
def __init__(self, bus = None, *args, **kwargs):
726
self._approvals_pending = 0
1224
727
self.bus = bus
1225
728
Client.__init__(self, *args, **kwargs)
1226
729
# Only now, when this client is initialized, can it show up on
1227
730
# the D-Bus
1228
client_object_name = str(self.name).translate(
1229
{ord("."): ord("_"),
1230
ord("-"): ord("_")})
731
client_object_name = unicode(self.name).translate(
732
{ord(u"."): ord(u"_"),
733
ord(u"-"): ord(u"_")})
1231
734
self.dbus_object_path = (dbus.ObjectPath
1232
("/clients/" + client_object_name))
735
(u"/clients/" + client_object_name))
1233
736
DBusObjectWithProperties.__init__(self, self.bus,
1234
737
self.dbus_object_path)
1235
1236
def notifychangeproperty(transform_func,
1237
dbus_name, type_func=lambda x: x,
1238
variant_level=1):
1239
""" Modify a variable so that it's a property which announces
1240
its changes to DBus.
1241
1242
transform_fun: Function that takes a value and a variant_level
1243
and transforms it to a D-Bus type.
1244
dbus_name: D-Bus name of the variable
1245
type_func: Function that transform the value before sending it
1246
to the D-Bus. Default: no transform
1247
variant_level: D-Bus variant level. Default: 1
1248
"""
1249
attrname = "_{}".format(dbus_name)
1250
def setter(self, value):
1251
if hasattr(self, "dbus_object_path"):
1252
if (not hasattr(self, attrname) or
1253
type_func(getattr(self, attrname, None))
1254
!= type_func(value)):
1255
dbus_value = transform_func(type_func(value),
1256
variant_level
1257
=variant_level)
1258
self.PropertyChanged(dbus.String(dbus_name),
1259
dbus_value)
1260
setattr(self, attrname, value)
1261
1262
return property(lambda self: getattr(self, attrname), setter)
1263
1264
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1265
approvals_pending = notifychangeproperty(dbus.Boolean,
1266
"ApprovalPending",
1267
type_func = bool)
1268
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1269
last_enabled = notifychangeproperty(datetime_to_dbus,
1270
"LastEnabled")
1271
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1272
type_func = lambda checker:
1273
checker is not None)
1274
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1275
"LastCheckedOK")
1276
last_checker_status = notifychangeproperty(dbus.Int16,
1277
"LastCheckerStatus")
1278
last_approval_request = notifychangeproperty(
1279
datetime_to_dbus, "LastApprovalRequest")
1280
approved_by_default = notifychangeproperty(dbus.Boolean,
1281
"ApprovedByDefault")
1282
approval_delay = notifychangeproperty(dbus.UInt64,
1283
"ApprovalDelay",
1284
type_func =
1285
lambda td: td.total_seconds()
1286
* 1000)
1287
approval_duration = notifychangeproperty(
1288
dbus.UInt64, "ApprovalDuration",
1289
type_func = lambda td: td.total_seconds() * 1000)
1290
host = notifychangeproperty(dbus.String, "Host")
1291
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1292
type_func = lambda td:
1293
td.total_seconds() * 1000)
1294
extended_timeout = notifychangeproperty(
1295
dbus.UInt64, "ExtendedTimeout",
1296
type_func = lambda td: td.total_seconds() * 1000)
1297
interval = notifychangeproperty(dbus.UInt64,
1298
"Interval",
1299
type_func =
1300
lambda td: td.total_seconds()
1301
* 1000)
1302
checker_command = notifychangeproperty(dbus.String, "Checker")
1303
1304
del notifychangeproperty
738
739
def _get_approvals_pending(self):
740
return self._approvals_pending
741
def _set_approvals_pending(self, value):
742
old_value = self._approvals_pending
743
self._approvals_pending = value
744
bval = bool(value)
745
if (hasattr(self, "dbus_object_path")
746
and bval is not bool(old_value)):
747
dbus_bool = dbus.Boolean(bval, variant_level=1)
748
self.PropertyChanged(dbus.String(u"ApprovalPending"),
749
dbus_bool)
750
751
approvals_pending = property(_get_approvals_pending,
752
_set_approvals_pending)
753
del _get_approvals_pending, _set_approvals_pending
754
755
@staticmethod
756
def _datetime_to_dbus(dt, variant_level=0):
757
"""Convert a UTC datetime.datetime() to a D-Bus type."""
758
return dbus.String(dt.isoformat(),
759
variant_level=variant_level)
760
761
def enable(self):
762
oldstate = getattr(self, u"enabled", False)
763
r = Client.enable(self)
764
if oldstate != self.enabled:
765
# Emit D-Bus signals
766
self.PropertyChanged(dbus.String(u"Enabled"),
767
dbus.Boolean(True, variant_level=1))
768
self.PropertyChanged(
769
dbus.String(u"LastEnabled"),
770
self._datetime_to_dbus(self.last_enabled,
771
variant_level=1))
772
return r
773
774
def disable(self, quiet = False):
775
oldstate = getattr(self, u"enabled", False)
776
r = Client.disable(self, quiet=quiet)
777
if not quiet and oldstate != self.enabled:
778
# Emit D-Bus signal
779
self.PropertyChanged(dbus.String(u"Enabled"),
780
dbus.Boolean(False, variant_level=1))
781
return r
1305
782
1306
783
def __del__(self, *args, **kwargs):
1307
784
try:
1308
785
self.remove_from_connection()
1309
786
except LookupError:
1310
787
pass
1311
if hasattr(DBusObjectWithProperties, "__del__"):
788
if hasattr(DBusObjectWithProperties, u"__del__"):
1312
789
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1313
790
Client.__del__(self, *args, **kwargs)
1314
791
1316
793
*args, **kwargs):
1317
794
self.checker_callback_tag = None
1318
795
self.checker = None
796
# Emit D-Bus signal
797
self.PropertyChanged(dbus.String(u"CheckerRunning"),
798
dbus.Boolean(False, variant_level=1))
1319
799
if os.WIFEXITED(condition):
1320
800
exitstatus = os.WEXITSTATUS(condition)
1321
801
# Emit D-Bus signal
1331
811
return Client.checker_callback(self, pid, condition, command,
1332
812
*args, **kwargs)
1333
813
814
def checked_ok(self, *args, **kwargs):
815
r = Client.checked_ok(self, *args, **kwargs)
816
# Emit D-Bus signal
817
self.PropertyChanged(
818
dbus.String(u"LastCheckedOK"),
819
(self._datetime_to_dbus(self.last_checked_ok,
820
variant_level=1)))
821
return r
822
823
def need_approval(self, *args, **kwargs):
824
r = Client.need_approval(self, *args, **kwargs)
825
# Emit D-Bus signal
826
self.PropertyChanged(
827
dbus.String(u"LastApprovalRequest"),
828
(self._datetime_to_dbus(self.last_approval_request,
829
variant_level=1)))
830
return r
831
1334
832
def start_checker(self, *args, **kwargs):
1335
old_checker_pid = getattr(self.checker, "pid", None)
833
old_checker = self.checker
834
if self.checker is not None:
835
old_checker_pid = self.checker.pid
836
else:
837
old_checker_pid = None
1336
838
r = Client.start_checker(self, *args, **kwargs)
1337
839
# Only if new checker process was started
1338
840
if (self.checker is not None
1339
841
and old_checker_pid != self.checker.pid):
1340
842
# Emit D-Bus signal
1341
843
self.CheckerStarted(self.current_checker_command)
844
self.PropertyChanged(
845
dbus.String(u"CheckerRunning"),
846
dbus.Boolean(True, variant_level=1))
1342
847
return r
1343
848
849
def stop_checker(self, *args, **kwargs):
850
old_checker = getattr(self, u"checker", None)
851
r = Client.stop_checker(self, *args, **kwargs)
852
if (old_checker is not None
853
and getattr(self, u"checker", None) is None):
854
self.PropertyChanged(dbus.String(u"CheckerRunning"),
855
dbus.Boolean(False, variant_level=1))
856
return r
857
1344
858
def _reset_approved(self):
1345
self.approved = None
859
self._approved = None
1346
860
return False
1347
861
1348
862
def approve(self, value=True):
1349
self.approved = value
1350
gobject.timeout_add(int(self.approval_duration.total_seconds()
1351
* 1000), self._reset_approved)
1352
863
self.send_changedstate()
864
self._approved = value
865
gobject.timeout_add(self._timedelta_to_milliseconds
866
(self.approval_duration),
867
self._reset_approved)
868
1353
869
1354
870
## D-Bus methods, signals & properties
1355
_interface = "se.recompile.Mandos.Client"
1356
1357
## Interfaces
1358
1359
@dbus_interface_annotations(_interface)
1360
def _foo(self):
1361
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1362
"false"}
871
_interface = u"se.bsnet.fukt.Mandos.Client"
1363
872
1364
873
## Signals
1365
874
1366
875
# CheckerCompleted - signal
1367
@dbus.service.signal(_interface, signature="nxs")
876
@dbus.service.signal(_interface, signature=u"nxs")
1368
877
def CheckerCompleted(self, exitcode, waitstatus, command):
1369
878
"D-Bus signal"
1370
879
pass
1371
880
1372
881
# CheckerStarted - signal
1373
@dbus.service.signal(_interface, signature="s")
882
@dbus.service.signal(_interface, signature=u"s")
1374
883
def CheckerStarted(self, command):
1375
884
"D-Bus signal"
1376
885
pass
1377
886
1378
887
# PropertyChanged - signal
1379
@dbus.service.signal(_interface, signature="sv")
888
@dbus.service.signal(_interface, signature=u"sv")
1380
889
def PropertyChanged(self, property, value):
1381
890
"D-Bus signal"
1382
891
pass
1391
900
pass
1392
901
1393
902
# Rejected - signal
1394
@dbus.service.signal(_interface, signature="s")
903
@dbus.service.signal(_interface, signature=u"s")
1395
904
def Rejected(self, reason):
1396
905
"D-Bus signal"
1397
906
pass
1398
907
1399
908
# NeedApproval - signal
1400
@dbus.service.signal(_interface, signature="tb")
909
@dbus.service.signal(_interface, signature=u"tb")
1401
910
def NeedApproval(self, timeout, default):
1402
911
"D-Bus signal"
1403
912
return self.need_approval()
1405
914
## Methods
1406
915
1407
916
# Approve - method
1408
@dbus.service.method(_interface, in_signature="b")
917
@dbus.service.method(_interface, in_signature=u"b")
1409
918
def Approve(self, value):
1410
919
self.approve(value)
1411
920
1412
921
# CheckedOK - method
1413
922
@dbus.service.method(_interface)
1414
923
def CheckedOK(self):
1415
self.checked_ok()
924
return self.checked_ok()
1416
925
1417
926
# Enable - method
1418
927
@dbus.service.method(_interface)
1440
949
## Properties
1441
950
1442
951
# ApprovalPending - property
1443
@dbus_service_property(_interface, signature="b", access="read")
952
@dbus_service_property(_interface, signature=u"b", access=u"read")
1444
953
def ApprovalPending_dbus_property(self):
1445
954
return dbus.Boolean(bool(self.approvals_pending))
1446
955
1447
956
# ApprovedByDefault - property
1448
@dbus_service_property(_interface, signature="b",
1449
access="readwrite")
957
@dbus_service_property(_interface, signature=u"b",
958
access=u"readwrite")
1450
959
def ApprovedByDefault_dbus_property(self, value=None):
1451
960
if value is None: # get
1452
961
return dbus.Boolean(self.approved_by_default)
1453
962
self.approved_by_default = bool(value)
963
# Emit D-Bus signal
964
self.PropertyChanged(dbus.String(u"ApprovedByDefault"),
965
dbus.Boolean(value, variant_level=1))
1454
966
1455
967
# ApprovalDelay - property
1456
@dbus_service_property(_interface, signature="t",
1457
access="readwrite")
968
@dbus_service_property(_interface, signature=u"t",
969
access=u"readwrite")
1458
970
def ApprovalDelay_dbus_property(self, value=None):
1459
971
if value is None: # get
1460
return dbus.UInt64(self.approval_delay.total_seconds()
1461
* 1000)
972
return dbus.UInt64(self.approval_delay_milliseconds())
1462
973
self.approval_delay = datetime.timedelta(0, 0, 0, value)
974
# Emit D-Bus signal
975
self.PropertyChanged(dbus.String(u"ApprovalDelay"),
976
dbus.UInt64(value, variant_level=1))
1463
977
1464
978
# ApprovalDuration - property
1465
@dbus_service_property(_interface, signature="t",
1466
access="readwrite")
979
@dbus_service_property(_interface, signature=u"t",
980
access=u"readwrite")
1467
981
def ApprovalDuration_dbus_property(self, value=None):
1468
982
if value is None: # get
1469
return dbus.UInt64(self.approval_duration.total_seconds()
1470
* 1000)
983
return dbus.UInt64(self._timedelta_to_milliseconds(
984
self.approval_duration))
1471
985
self.approval_duration = datetime.timedelta(0, 0, 0, value)
986
# Emit D-Bus signal
987
self.PropertyChanged(dbus.String(u"ApprovalDuration"),
988
dbus.UInt64(value, variant_level=1))
1472
989
1473
990
# Name - property
1474
@dbus_service_property(_interface, signature="s", access="read")
991
@dbus_service_property(_interface, signature=u"s", access=u"read")
1475
992
def Name_dbus_property(self):
1476
993
return dbus.String(self.name)
1477
994
1478
995
# Fingerprint - property
1479
@dbus_service_property(_interface, signature="s", access="read")
996
@dbus_service_property(_interface, signature=u"s", access=u"read")
1480
997
def Fingerprint_dbus_property(self):
1481
998
return dbus.String(self.fingerprint)
1482
999
1483
1000
# Host - property
1484
@dbus_service_property(_interface, signature="s",
1485
access="readwrite")
1001
@dbus_service_property(_interface, signature=u"s",
1002
access=u"readwrite")
1486
1003
def Host_dbus_property(self, value=None):
1487
1004
if value is None: # get
1488
1005
return dbus.String(self.host)
1489
self.host = str(value)
1006
self.host = value
1007
# Emit D-Bus signal
1008
self.PropertyChanged(dbus.String(u"Host"),
1009
dbus.String(value, variant_level=1))
1490
1010
1491
1011
# Created - property
1492
@dbus_service_property(_interface, signature="s", access="read")
1012
@dbus_service_property(_interface, signature=u"s", access=u"read")
1493
1013
def Created_dbus_property(self):
1494
return datetime_to_dbus(self.created)
1014
return dbus.String(self._datetime_to_dbus(self.created))
1495
1015
1496
1016
# LastEnabled - property
1497
@dbus_service_property(_interface, signature="s", access="read")
1017
@dbus_service_property(_interface, signature=u"s", access=u"read")
1498
1018
def LastEnabled_dbus_property(self):
1499
return datetime_to_dbus(self.last_enabled)
1019
if self.last_enabled is None:
1020
return dbus.String(u"")
1021
return dbus.String(self._datetime_to_dbus(self.last_enabled))
1500
1022
1501
1023
# Enabled - property
1502
@dbus_service_property(_interface, signature="b",
1503
access="readwrite")
1024
@dbus_service_property(_interface, signature=u"b",
1025
access=u"readwrite")
1504
1026
def Enabled_dbus_property(self, value=None):
1505
1027
if value is None: # get
1506
1028
return dbus.Boolean(self.enabled)
1510
1032
self.disable()
1511
1033
1512
1034
# LastCheckedOK - property
1513
@dbus_service_property(_interface, signature="s",
1514
access="readwrite")
1035
@dbus_service_property(_interface, signature=u"s",
1036
access=u"readwrite")
1515
1037
def LastCheckedOK_dbus_property(self, value=None):
1516
1038
if value is not None:
1517
1039
self.checked_ok()
1518
1040
return
1519
return datetime_to_dbus(self.last_checked_ok)
1520
1521
# LastCheckerStatus - property
1522
@dbus_service_property(_interface, signature="n",
1523
access="read")
1524
def LastCheckerStatus_dbus_property(self):
1525
return dbus.Int16(self.last_checker_status)
1526
1527
# Expires - property
1528
@dbus_service_property(_interface, signature="s", access="read")
1529
def Expires_dbus_property(self):
1530
return datetime_to_dbus(self.expires)
1041
if self.last_checked_ok is None:
1042
return dbus.String(u"")
1043
return dbus.String(self._datetime_to_dbus(self
1044
.last_checked_ok))
1531
1045
1532
1046
# LastApprovalRequest - property
1533
@dbus_service_property(_interface, signature="s", access="read")
1047
@dbus_service_property(_interface, signature=u"s", access=u"read")
1534
1048
def LastApprovalRequest_dbus_property(self):
1535
return datetime_to_dbus(self.last_approval_request)
1049
if self.last_approval_request is None:
1050
return dbus.String(u"")
1051
return dbus.String(self.
1052
_datetime_to_dbus(self
1053
.last_approval_request))
1536
1054
1537
1055
# Timeout - property
1538
@dbus_service_property(_interface, signature="t",
1539
access="readwrite")
1056
@dbus_service_property(_interface, signature=u"t",
1057
access=u"readwrite")
1540
1058
def Timeout_dbus_property(self, value=None):
1541
1059
if value is None: # get
1542
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1543
old_timeout = self.timeout
1060
return dbus.UInt64(self.timeout_milliseconds())
1544
1061
self.timeout = datetime.timedelta(0, 0, 0, value)
1545
# Reschedule disabling
1546
if self.enabled:
1547
now = datetime.datetime.utcnow()
1548
self.expires += self.timeout - old_timeout
1549
if self.expires <= now:
1550
# The timeout has passed
1551
self.disable()
1552
else:
1553
if (getattr(self, "disable_initiator_tag", None)
1554
is None):
1555
return
1556
gobject.source_remove(self.disable_initiator_tag)
1557
self.disable_initiator_tag = (
1558
gobject.timeout_add(
1559
int((self.expires - now).total_seconds()
1560
* 1000), self.disable))
1561
1562
# ExtendedTimeout - property
1563
@dbus_service_property(_interface, signature="t",
1564
access="readwrite")
1565
def ExtendedTimeout_dbus_property(self, value=None):
1566
if value is None: # get
1567
return dbus.UInt64(self.extended_timeout.total_seconds()
1568
* 1000)
1569
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1062
# Emit D-Bus signal
1063
self.PropertyChanged(dbus.String(u"Timeout"),
1064
dbus.UInt64(value, variant_level=1))
1065
if getattr(self, u"disable_initiator_tag", None) is None:
1066
return
1067
# Reschedule timeout
1068
gobject.source_remove(self.disable_initiator_tag)
1069
self.disable_initiator_tag = None
1070
time_to_die = (self.
1071
_timedelta_to_milliseconds((self
1072
.last_checked_ok
1073
+ self.timeout)
1074
- datetime.datetime
1075
.utcnow()))
1076
if time_to_die <= 0:
1077
# The timeout has passed
1078
self.disable()
1079
else:
1080
self.disable_initiator_tag = (gobject.timeout_add
1081
(time_to_die, self.disable))
1570
1082
1571
1083
# Interval - property
1572
@dbus_service_property(_interface, signature="t",
1573
access="readwrite")
1084
@dbus_service_property(_interface, signature=u"t",
1085
access=u"readwrite")
1574
1086
def Interval_dbus_property(self, value=None):
1575
1087
if value is None: # get
1576
return dbus.UInt64(self.interval.total_seconds() * 1000)
1088
return dbus.UInt64(self.interval_milliseconds())
1577
1089
self.interval = datetime.timedelta(0, 0, 0, value)
1578
if getattr(self, "checker_initiator_tag", None) is None:
1090
# Emit D-Bus signal
1091
self.PropertyChanged(dbus.String(u"Interval"),
1092
dbus.UInt64(value, variant_level=1))
1093
if getattr(self, u"checker_initiator_tag", None) is None:
1579
1094
return
1580
if self.enabled:
1581
# Reschedule checker run
1582
gobject.source_remove(self.checker_initiator_tag)
1583
self.checker_initiator_tag = (gobject.timeout_add
1584
(value, self.start_checker))
1585
self.start_checker() # Start one now, too
1586
1095
# Reschedule checker run
1096
gobject.source_remove(self.checker_initiator_tag)
1097
self.checker_initiator_tag = (gobject.timeout_add
1098
(value, self.start_checker))
1099
self.start_checker() # Start one now, too
1100
1587
1101
# Checker - property
1588
@dbus_service_property(_interface, signature="s",
1589
access="readwrite")
1102
@dbus_service_property(_interface, signature=u"s",
1103
access=u"readwrite")
1590
1104
def Checker_dbus_property(self, value=None):
1591
1105
if value is None: # get
1592
1106
return dbus.String(self.checker_command)
1593
self.checker_command = str(value)
1107
self.checker_command = value
1108
# Emit D-Bus signal
1109
self.PropertyChanged(dbus.String(u"Checker"),
1110
dbus.String(self.checker_command,
1111
variant_level=1))
1594
1112
1595
1113
# CheckerRunning - property
1596
@dbus_service_property(_interface, signature="b",
1597
access="readwrite")
1114
@dbus_service_property(_interface, signature=u"b",
1115
access=u"readwrite")
1598
1116
def CheckerRunning_dbus_property(self, value=None):
1599
1117
if value is None: # get
1600
1118
return dbus.Boolean(self.checker is not None)
1604
1122
self.stop_checker()
1605
1123
1606
1124
# ObjectPath - property
1607
@dbus_service_property(_interface, signature="o", access="read")
1125
@dbus_service_property(_interface, signature=u"o", access=u"read")
1608
1126
def ObjectPath_dbus_property(self):
1609
1127
return self.dbus_object_path # is already a dbus.ObjectPath
1610
1128
1611
1129
# Secret = property
1612
@dbus_service_property(_interface, signature="ay",
1613
access="write", byte_arrays=True)
1130
@dbus_service_property(_interface, signature=u"ay",
1131
access=u"write", byte_arrays=True)
1614
1132
def Secret_dbus_property(self, value):
1615
self.secret = bytes(value)
1133
self.secret = str(value)
1616
1134
1617
1135
del _interface
1618
1136
1623
1141
self._pipe.send(('init', fpr, address))
1624
1142
if not self._pipe.recv():
1625
1143
raise KeyError()
1626
1144
1627
1145
def __getattribute__(self, name):
1628
if name == '_pipe':
1146
if(name == '_pipe'):
1629
1147
return super(ProxyClient, self).__getattribute__(name)
1630
1148
self._pipe.send(('getattr', name))
1631
1149
data = self._pipe.recv()
1636
1154
self._pipe.send(('funcall', name, args, kwargs))
1637
1155
return self._pipe.recv()[1]
1638
1156
return func
1639
1157
1640
1158
def __setattr__(self, name, value):
1641
if name == '_pipe':
1159
if(name == '_pipe'):
1642
1160
return super(ProxyClient, self).__setattr__(name, value)
1643
1161
self._pipe.send(('setattr', name, value))
1644
1162
1651
1169
1652
1170
def handle(self):
1653
1171
with contextlib.closing(self.server.child_pipe) as child_pipe:
1654
logger.info("TCP connection from: %s",
1655
str(self.client_address))
1656
logger.debug("Pipe FD: %d",
1172
logger.info(u"TCP connection from: %s",
1173
unicode(self.client_address))
1174
logger.debug(u"Pipe FD: %d",
1657
1175
self.server.child_pipe.fileno())
1658
1176
1659
1177
session = (gnutls.connection
1660
1178
.ClientSession(self.request,
1661
1179
gnutls.connection
1662
1180
.X509Credentials()))
1663
1181
1664
1182
# Note: gnutls.connection.X509Credentials is really a
1665
1183
# generic GnuTLS certificate credentials object so long as
1666
1184
# no X.509 keys are added to it. Therefore, we can use it
1667
1185
# here despite using OpenPGP certificates.
1668
1669
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1670
# "+AES-256-CBC", "+SHA1",
1671
# "+COMP-NULL", "+CTYPE-OPENPGP",
1672
# "+DHE-DSS"))
1186
1187
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1188
# u"+AES-256-CBC", u"+SHA1",
1189
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1190
# u"+DHE-DSS"))
1673
1191
# Use a fallback default, since this MUST be set.
1674
1192
priority = self.server.gnutls_priority
1675
1193
if priority is None:
1676
priority = "NORMAL"
1194
priority = u"NORMAL"
1677
1195
(gnutls.library.functions
1678
1196
.gnutls_priority_set_direct(session._c_object,
1679
1197
priority, None))
1680
1198
1681
1199
# Start communication using the Mandos protocol
1682
1200
# Get protocol number
1683
1201
line = self.request.makefile().readline()
1684
logger.debug("Protocol version: %r", line)
1202
logger.debug(u"Protocol version: %r", line)
1685
1203
try:
1686
1204
if int(line.strip().split()[0]) > 1:
1687
raise RuntimeError(line)
1688
except (ValueError, IndexError, RuntimeError) as error:
1689
logger.error("Unknown protocol version: %s", error)
1205
raise RuntimeError
1206
except (ValueError, IndexError, RuntimeError), error:
1207
logger.error(u"Unknown protocol version: %s", error)
1690
1208
return
1691
1209
1692
1210
# Start GnuTLS connection
1693
1211
try:
1694
1212
session.handshake()
1695
except gnutls.errors.GNUTLSError as error:
1696
logger.warning("Handshake failed: %s", error)
1213
except gnutls.errors.GNUTLSError, error:
1214
logger.warning(u"Handshake failed: %s", error)
1697
1215
# Do not run session.bye() here: the session is not
1698
1216
# established. Just abandon the request.
1699
1217
return
1700
logger.debug("Handshake succeeded")
1701
1218
logger.debug(u"Handshake succeeded")
1219
1702
1220
approval_required = False
1703
1221
try:
1704
1222
try:
1705
1223
fpr = self.fingerprint(self.peer_certificate
1706
1224
(session))
1707
except (TypeError,
1708
gnutls.errors.GNUTLSError) as error:
1709
logger.warning("Bad certificate: %s", error)
1225
except (TypeError, gnutls.errors.GNUTLSError), error:
1226
logger.warning(u"Bad certificate: %s", error)
1710
1227
return
1711
logger.debug("Fingerprint: %s", fpr)
1712
1228
logger.debug(u"Fingerprint: %s", fpr)
1229
1713
1230
try:
1714
1231
client = ProxyClient(child_pipe, fpr,
1715
1232
self.client_address)
1723
1240
1724
1241
while True:
1725
1242
if not client.enabled:
1726
logger.info("Client %s is disabled",
1243
logger.warning(u"Client %s is disabled",
1727
1244
client.name)
1728
1245
if self.server.use_dbus:
1729
1246
# Emit D-Bus signal
1730
client.Rejected("Disabled")
1247
client.Rejected("Disabled")
1731
1248
return
1732
1249
1733
if client.approved or not client.approval_delay:
1250
if client._approved or not client.approval_delay:
1734
1251
#We are approved or approval is disabled
1735
1252
break
1736
elif client.approved is None:
1737
logger.info("Client %s needs approval",
1253
elif client._approved is None:
1254
logger.info(u"Client %s needs approval",
1738
1255
client.name)
1739
1256
if self.server.use_dbus:
1740
1257
# Emit D-Bus signal
1741
1258
client.NeedApproval(
1742
client.approval_delay.total_seconds()
1743
* 1000, client.approved_by_default)
1259
client.approval_delay_milliseconds(),
1260
client.approved_by_default)
1744
1261
else:
1745
logger.warning("Client %s was not approved",
1262
logger.warning(u"Client %s was not approved",
1746
1263
client.name)
1747
1264
if self.server.use_dbus:
1748
1265
# Emit D-Bus signal
1750
1267
return
1751
1268
1752
1269
#wait until timeout or approved
1270
#x = float(client._timedelta_to_milliseconds(delay))
1753
1271
time = datetime.datetime.now()
1754
1272
client.changedstate.acquire()
1755
client.changedstate.wait(delay.total_seconds())
1273
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1756
1274
client.changedstate.release()
1757
1275
time2 = datetime.datetime.now()
1758
1276
if (time2 - time) >= delay:
1773
1291
while sent_size < len(client.secret):
1774
1292
try:
1775
1293
sent = session.send(client.secret[sent_size:])
1776
except gnutls.errors.GNUTLSError as error:
1777
logger.warning("gnutls send failed",
1778
exc_info=error)
1294
except (gnutls.errors.GNUTLSError), error:
1295
logger.warning("gnutls send failed")
1779
1296
return
1780
logger.debug("Sent: %d, remaining: %d",
1297
logger.debug(u"Sent: %d, remaining: %d",
1781
1298
sent, len(client.secret)
1782
1299
- (sent_size + sent))
1783
1300
sent_size += sent
1784
1785
logger.info("Sending secret to %s", client.name)
1786
# bump the timeout using extended_timeout
1787
client.bump_timeout(client.extended_timeout)
1301
1302
logger.info(u"Sending secret to %s", client.name)
1303
# bump the timeout as if seen
1304
client.checked_ok()
1788
1305
if self.server.use_dbus:
1789
1306
# Emit D-Bus signal
1790
1307
client.GotSecret()
1794
1311
client.approvals_pending -= 1
1795
1312
try:
1796
1313
session.bye()
1797
except gnutls.errors.GNUTLSError as error:
1798
logger.warning("GnuTLS bye failed",
1799
exc_info=error)
1314
except (gnutls.errors.GNUTLSError), error:
1315
logger.warning("GnuTLS bye failed")
1800
1316
1801
1317
@staticmethod
1802
1318
def peer_certificate(session):
1812
1328
.gnutls_certificate_get_peers
1813
1329
(session._c_object, ctypes.byref(list_size)))
1814
1330
if not bool(cert_list) and list_size.value != 0:
1815
raise gnutls.errors.GNUTLSError("error getting peer"
1816
" certificate")
1331
raise gnutls.errors.GNUTLSError(u"error getting peer"
1332
u" certificate")
1817
1333
if list_size.value == 0:
1818
1334
return None
1819
1335
cert = cert_list[0]
1845
1361
if crtverify.value != 0:
1846
1362
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1847
1363
raise (gnutls.errors.CertificateSecurityError
1848
("Verify failed"))
1364
(u"Verify failed"))
1849
1365
# New buffer for the fingerprint
1850
1366
buf = ctypes.create_string_buffer(20)
1851
1367
buf_len = ctypes.c_size_t()
1858
1374
# Convert the buffer to a Python bytestring
1859
1375
fpr = ctypes.string_at(buf, buf_len.value)
1860
1376
# Convert the bytestring to hexadecimal notation
1861
hex_fpr = binascii.hexlify(fpr).upper()
1377
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1862
1378
return hex_fpr
1863
1379
1864
1380
1867
1383
def sub_process_main(self, request, address):
1868
1384
try:
1869
1385
self.finish_request(request, address)
1870
except Exception:
1386
except:
1871
1387
self.handle_error(request, address)
1872
1388
self.close_request(request)
1873
1389
1874
1390
def process_request(self, request, address):
1875
1391
"""Start a new process to process the request."""
1876
proc = multiprocessing.Process(target = self.sub_process_main,
1877
args = (request, address))
1878
proc.start()
1879
return proc
1880
1392
multiprocessing.Process(target = self.sub_process_main,
1393
args = (request, address)).start()
1881
1394
1882
1395
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1883
1396
""" adds a pipe to the MixIn """
1887
1400
This function creates a new pipe in self.pipe
1888
1401
"""
1889
1402
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1890
1891
proc = MultiprocessingMixIn.process_request(self, request,
1892
client_address)
1403
1404
super(MultiprocessingMixInWithPipe,
1405
self).process_request(request, client_address)
1893
1406
self.child_pipe.close()
1894
self.add_pipe(parent_pipe, proc)
1895
1896
def add_pipe(self, parent_pipe, proc):
1407
self.add_pipe(parent_pipe)
1408
1409
def add_pipe(self, parent_pipe):
1897
1410
"""Dummy function; override as necessary"""
1898
raise NotImplementedError()
1899
1411
pass
1900
1412
1901
1413
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1902
1414
socketserver.TCPServer, object):
1908
1420
use_ipv6: Boolean; to use IPv6 or not
1909
1421
"""
1910
1422
def __init__(self, server_address, RequestHandlerClass,
1911
interface=None, use_ipv6=True, socketfd=None):
1912
"""If socketfd is set, use that file descriptor instead of
1913
creating a new one with socket.socket().
1914
"""
1423
interface=None, use_ipv6=True):
1915
1424
self.interface = interface
1916
1425
if use_ipv6:
1917
1426
self.address_family = socket.AF_INET6
1918
if socketfd is not None:
1919
# Save the file descriptor
1920
self.socketfd = socketfd
1921
# Save the original socket.socket() function
1922
self.socket_socket = socket.socket
1923
# To implement --socket, we monkey patch socket.socket.
1924
#
1925
# (When socketserver.TCPServer is a new-style class, we
1926
# could make self.socket into a property instead of monkey
1927
# patching socket.socket.)
1928
#
1929
# Create a one-time-only replacement for socket.socket()
1930
@functools.wraps(socket.socket)
1931
def socket_wrapper(*args, **kwargs):
1932
# Restore original function so subsequent calls are
1933
# not affected.
1934
socket.socket = self.socket_socket
1935
del self.socket_socket
1936
# This time only, return a new socket object from the
1937
# saved file descriptor.
1938
return socket.fromfd(self.socketfd, *args, **kwargs)
1939
# Replace socket.socket() function with wrapper
1940
socket.socket = socket_wrapper
1941
# The socketserver.TCPServer.__init__ will call
1942
# socket.socket(), which might be our replacement,
1943
# socket_wrapper(), if socketfd was set.
1944
1427
socketserver.TCPServer.__init__(self, server_address,
1945
1428
RequestHandlerClass)
1946
1947
1429
def server_bind(self):
1948
1430
"""This overrides the normal server_bind() function
1949
1431
to bind to an interface if one was specified, and also NOT to
1950
1432
bind to an address or port if they were not specified."""
1951
1433
if self.interface is not None:
1952
1434
if SO_BINDTODEVICE is None:
1953
logger.error("SO_BINDTODEVICE does not exist;"
1954
" cannot bind to interface %s",
1435
logger.error(u"SO_BINDTODEVICE does not exist;"
1436
u" cannot bind to interface %s",
1955
1437
self.interface)
1956
1438
else:
1957
1439
try:
1958
1440
self.socket.setsockopt(socket.SOL_SOCKET,
1959
1441
SO_BINDTODEVICE,
1960
(self.interface + "\0")
1961
.encode("utf-8"))
1962
except socket.error as error:
1963
if error.errno == errno.EPERM:
1964
logger.error("No permission to bind to"
1965
" interface %s", self.interface)
1966
elif error.errno == errno.ENOPROTOOPT:
1967
logger.error("SO_BINDTODEVICE not available;"
1968
" cannot bind to interface %s",
1969
self.interface)
1970
elif error.errno == errno.ENODEV:
1971
logger.error("Interface %s does not exist,"
1972
" cannot bind", self.interface)
1442
str(self.interface
1443
+ u'\0'))
1444
except socket.error, error:
1445
if error[0] == errno.EPERM:
1446
logger.error(u"No permission to"
1447
u" bind to interface %s",
1448
self.interface)
1449
elif error[0] == errno.ENOPROTOOPT:
1450
logger.error(u"SO_BINDTODEVICE not available;"
1451
u" cannot bind to interface %s",
1452
self.interface)
1973
1453
else:
1974
1454
raise
1975
1455
# Only bind(2) the socket if we really need to.
1976
1456
if self.server_address[0] or self.server_address[1]:
1977
1457
if not self.server_address[0]:
1978
1458
if self.address_family == socket.AF_INET6:
1979
any_address = "::" # in6addr_any
1459
any_address = u"::" # in6addr_any
1980
1460
else:
1981
any_address = "0.0.0.0" # INADDR_ANY
1461
any_address = socket.INADDR_ANY
1982
1462
self.server_address = (any_address,
1983
1463
self.server_address[1])
1984
1464
elif not self.server_address[1]:
2005
1485
"""
2006
1486
def __init__(self, server_address, RequestHandlerClass,
2007
1487
interface=None, use_ipv6=True, clients=None,
2008
gnutls_priority=None, use_dbus=True, socketfd=None):
1488
gnutls_priority=None, use_dbus=True):
2009
1489
self.enabled = False
2010
1490
self.clients = clients
2011
1491
if self.clients is None:
2012
self.clients = {}
1492
self.clients = set()
2013
1493
self.use_dbus = use_dbus
2014
1494
self.gnutls_priority = gnutls_priority
2015
1495
IPv6_TCPServer.__init__(self, server_address,
2016
1496
RequestHandlerClass,
2017
1497
interface = interface,
2018
use_ipv6 = use_ipv6,
2019
socketfd = socketfd)
1498
use_ipv6 = use_ipv6)
2020
1499
def server_activate(self):
2021
1500
if self.enabled:
2022
1501
return socketserver.TCPServer.server_activate(self)
2023
2024
1502
def enable(self):
2025
1503
self.enabled = True
2026
2027
def add_pipe(self, parent_pipe, proc):
1504
def add_pipe(self, parent_pipe):
2028
1505
# Call "handle_ipc" for both data and EOF events
2029
1506
gobject.io_add_watch(parent_pipe.fileno(),
2030
1507
gobject.IO_IN | gobject.IO_HUP,
2031
1508
functools.partial(self.handle_ipc,
2032
parent_pipe =
2033
parent_pipe,
2034
proc = proc))
2035
1509
parent_pipe = parent_pipe))
1510
2036
1511
def handle_ipc(self, source, condition, parent_pipe=None,
2037
proc = None, client_object=None):
2038
# error, or the other end of multiprocessing.Pipe has closed
2039
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2040
# Wait for other process to exit
2041
proc.join()
1512
client_object=None):
1513
condition_names = {
1514
gobject.IO_IN: u"IN", # There is data to read.
1515
gobject.IO_OUT: u"OUT", # Data can be written (without
1516
# blocking).
1517
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1518
gobject.IO_ERR: u"ERR", # Error condition.
1519
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1520
# broken, usually for pipes and
1521
# sockets).
1522
}
1523
conditions_string = ' | '.join(name
1524
for cond, name in
1525
condition_names.iteritems()
1526
if cond & condition)
1527
# error or the other end of multiprocessing.Pipe has closed
1528
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
2042
1529
return False
2043
1530
2044
1531
# Read a request from the child
2049
1536
fpr = request[1]
2050
1537
address = request[2]
2051
1538
2052
for c in self.clients.itervalues():
1539
for c in self.clients:
2053
1540
if c.fingerprint == fpr:
2054
1541
client = c
2055
1542
break
2056
1543
else:
2057
logger.info("Client not found for fingerprint: %s, ad"
2058
"dress: %s", fpr, address)
1544
logger.warning(u"Client not found for fingerprint: %s, ad"
1545
u"dress: %s", fpr, address)
2059
1546
if self.use_dbus:
2060
1547
# Emit D-Bus signal
2061
mandos_dbus_service.ClientNotFound(fpr,
2062
address[0])
1548
mandos_dbus_service.ClientNotFound(fpr, address[0])
2063
1549
parent_pipe.send(False)
2064
1550
return False
2065
1551
2066
1552
gobject.io_add_watch(parent_pipe.fileno(),
2067
1553
gobject.IO_IN | gobject.IO_HUP,
2068
1554
functools.partial(self.handle_ipc,
2069
parent_pipe =
2070
parent_pipe,
2071
proc = proc,
2072
client_object =
2073
client))
1555
parent_pipe = parent_pipe,
1556
client_object = client))
2074
1557
parent_pipe.send(True)
2075
# remove the old hook in favor of the new above hook on
2076
# same fileno
1558
# remove the old hook in favor of the new above hook on same fileno
2077
1559
return False
2078
1560
if command == 'funcall':
2079
1561
funcname = request[1]
2080
1562
args = request[2]
2081
1563
kwargs = request[3]
2082
1564
2083
parent_pipe.send(('data', getattr(client_object,
2084
funcname)(*args,
2085
**kwargs)))
2086
1565
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1566
2087
1567
if command == 'getattr':
2088
1568
attrname = request[1]
2089
1569
if callable(client_object.__getattribute__(attrname)):
2090
1570
parent_pipe.send(('function',))
2091
1571
else:
2092
parent_pipe.send(('data', client_object
2093
.__getattribute__(attrname)))
1572
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
2094
1573
2095
1574
if command == 'setattr':
2096
1575
attrname = request[1]
2097
1576
value = request[2]
2098
1577
setattr(client_object, attrname, value)
2099
1578
2100
1579
return True
2101
1580
2102
1581
2103
def rfc3339_duration_to_delta(duration):
2104
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2105
2106
>>> rfc3339_duration_to_delta("P7D")
2107
datetime.timedelta(7)
2108
>>> rfc3339_duration_to_delta("PT60S")
2109
datetime.timedelta(0, 60)
2110
>>> rfc3339_duration_to_delta("PT60M")
2111
datetime.timedelta(0, 3600)
2112
>>> rfc3339_duration_to_delta("PT24H")
2113
datetime.timedelta(1)
2114
>>> rfc3339_duration_to_delta("P1W")
2115
datetime.timedelta(7)
2116
>>> rfc3339_duration_to_delta("PT5M30S")
2117
datetime.timedelta(0, 330)
2118
>>> rfc3339_duration_to_delta("P1DT3M20S")
2119
datetime.timedelta(1, 200)
2120
"""
2121
2122
# Parsing an RFC 3339 duration with regular expressions is not
2123
# possible - there would have to be multiple places for the same
2124
# values, like seconds. The current code, while more esoteric, is
2125
# cleaner without depending on a parsing library. If Python had a
2126
# built-in library for parsing we would use it, but we'd like to
2127
# avoid excessive use of external libraries.
2128
2129
# New type for defining tokens, syntax, and semantics all-in-one
2130
Token = collections.namedtuple("Token",
2131
("regexp", # To match token; if
2132
# "value" is not None,
2133
# must have a "group"
2134
# containing digits
2135
"value", # datetime.timedelta or
2136
# None
2137
"followers")) # Tokens valid after
2138
# this token
2139
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2140
# the "duration" ABNF definition in RFC 3339, Appendix A.
2141
token_end = Token(re.compile(r"$"), None, frozenset())
2142
token_second = Token(re.compile(r"(\d+)S"),
2143
datetime.timedelta(seconds=1),
2144
frozenset((token_end,)))
2145
token_minute = Token(re.compile(r"(\d+)M"),
2146
datetime.timedelta(minutes=1),
2147
frozenset((token_second, token_end)))
2148
token_hour = Token(re.compile(r"(\d+)H"),
2149
datetime.timedelta(hours=1),
2150
frozenset((token_minute, token_end)))
2151
token_time = Token(re.compile(r"T"),
2152
None,
2153
frozenset((token_hour, token_minute,
2154
token_second)))
2155
token_day = Token(re.compile(r"(\d+)D"),
2156
datetime.timedelta(days=1),
2157
frozenset((token_time, token_end)))
2158
token_month = Token(re.compile(r"(\d+)M"),
2159
datetime.timedelta(weeks=4),
2160
frozenset((token_day, token_end)))
2161
token_year = Token(re.compile(r"(\d+)Y"),
2162
datetime.timedelta(weeks=52),
2163
frozenset((token_month, token_end)))
2164
token_week = Token(re.compile(r"(\d+)W"),
2165
datetime.timedelta(weeks=1),
2166
frozenset((token_end,)))
2167
token_duration = Token(re.compile(r"P"), None,
2168
frozenset((token_year, token_month,
2169
token_day, token_time,
2170
token_week)))
2171
# Define starting values
2172
value = datetime.timedelta() # Value so far
2173
found_token = None
2174
followers = frozenset((token_duration,)) # Following valid tokens
2175
s = duration # String left to parse
2176
# Loop until end token is found
2177
while found_token is not token_end:
2178
# Search for any currently valid tokens
2179
for token in followers:
2180
match = token.regexp.match(s)
2181
if match is not None:
2182
# Token found
2183
if token.value is not None:
2184
# Value found, parse digits
2185
factor = int(match.group(1), 10)
2186
# Add to value so far
2187
value += factor * token.value
2188
# Strip token from string
2189
s = token.regexp.sub("", s, 1)
2190
# Go to found token
2191
found_token = token
2192
# Set valid next tokens
2193
followers = found_token.followers
2194
break
2195
else:
2196
# No currently valid tokens were found
2197
raise ValueError("Invalid RFC 3339 duration")
2198
# End token found
2199
return value
2200
2201
2202
1582
def string_to_delta(interval):
2203
1583
"""Parse a string and return a datetime.timedelta
2204
1584
2205
>>> string_to_delta('7d')
1585
>>> string_to_delta(u'7d')
2206
1586
datetime.timedelta(7)
2207
>>> string_to_delta('60s')
1587
>>> string_to_delta(u'60s')
2208
1588
datetime.timedelta(0, 60)
2209
>>> string_to_delta('60m')
1589
>>> string_to_delta(u'60m')
2210
1590
datetime.timedelta(0, 3600)
2211
>>> string_to_delta('24h')
1591
>>> string_to_delta(u'24h')
2212
1592
datetime.timedelta(1)
2213
>>> string_to_delta('1w')
1593
>>> string_to_delta(u'1w')
2214
1594
datetime.timedelta(7)
2215
>>> string_to_delta('5m 30s')
1595
>>> string_to_delta(u'5m 30s')
2216
1596
datetime.timedelta(0, 330)
2217
1597
"""
2218
2219
try:
2220
return rfc3339_duration_to_delta(interval)
2221
except ValueError:
2222
pass
2223
2224
1598
timevalue = datetime.timedelta(0)
2225
1599
for s in interval.split():
2226
1600
try:
2227
suffix = s[-1]
1601
suffix = unicode(s[-1])
2228
1602
value = int(s[:-1])
2229
if suffix == "d":
1603
if suffix == u"d":
2230
1604
delta = datetime.timedelta(value)
2231
elif suffix == "s":
1605
elif suffix == u"s":
2232
1606
delta = datetime.timedelta(0, value)
2233
elif suffix == "m":
1607
elif suffix == u"m":
2234
1608
delta = datetime.timedelta(0, 0, 0, 0, value)
2235
elif suffix == "h":
1609
elif suffix == u"h":
2236
1610
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
2237
elif suffix == "w":
1611
elif suffix == u"w":
2238
1612
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2239
1613
else:
2240
raise ValueError("Unknown suffix {!r}"
2241
.format(suffix))
2242
except IndexError as e:
2243
raise ValueError(*(e.args))
1614
raise ValueError(u"Unknown suffix %r" % suffix)
1615
except (ValueError, IndexError), e:
1616
raise ValueError(e.message)
2244
1617
timevalue += delta
2245
1618
return timevalue
2246
1619
2247
1620
1621
def if_nametoindex(interface):
1622
"""Call the C function if_nametoindex(), or equivalent
1623
1624
Note: This function cannot accept a unicode string."""
1625
global if_nametoindex
1626
try:
1627
if_nametoindex = (ctypes.cdll.LoadLibrary
1628
(ctypes.util.find_library(u"c"))
1629
.if_nametoindex)
1630
except (OSError, AttributeError):
1631
logger.warning(u"Doing if_nametoindex the hard way")
1632
def if_nametoindex(interface):
1633
"Get an interface index the hard way, i.e. using fcntl()"
1634
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1635
with contextlib.closing(socket.socket()) as s:
1636
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1637
struct.pack(str(u"16s16x"),
1638
interface))
1639
interface_index = struct.unpack(str(u"I"),
1640
ifreq[16:20])[0]
1641
return interface_index
1642
return if_nametoindex(interface)
1643
1644
2248
1645
def daemon(nochdir = False, noclose = False):
2249
1646
"""See daemon(3). Standard BSD Unix function.
2250
1647
2253
1650
sys.exit()
2254
1651
os.setsid()
2255
1652
if not nochdir:
2256
os.chdir("/")
1653
os.chdir(u"/")
2257
1654
if os.fork():
2258
1655
sys.exit()
2259
1656
if not noclose:
2260
1657
# Close all standard open file descriptors
2261
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1658
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2262
1659
if not stat.S_ISCHR(os.fstat(null).st_mode):
2263
raise OSError(errno.ENODEV, "{} not a character device"
2264
.format(os.devnull))
1660
raise OSError(errno.ENODEV,
1661
u"%s not a character device"
1662
% os.path.devnull)
2265
1663
os.dup2(null, sys.stdin.fileno())
2266
1664
os.dup2(null, sys.stdout.fileno())
2267
1665
os.dup2(null, sys.stderr.fileno())
2274
1672
##################################################################
2275
1673
# Parsing of options, both command line and config file
2276
1674
2277
parser = argparse.ArgumentParser()
2278
parser.add_argument("-v", "--version", action="version",
2279
version = "%(prog)s {}".format(version),
2280
help="show version number and exit")
2281
parser.add_argument("-i", "--interface", metavar="IF",
2282
help="Bind to interface IF")
2283
parser.add_argument("-a", "--address",
2284
help="Address to listen for requests on")
2285
parser.add_argument("-p", "--port", type=int,
2286
help="Port number to receive requests on")
2287
parser.add_argument("--check", action="store_true",
2288
help="Run self-test")
2289
parser.add_argument("--debug", action="store_true",
2290
help="Debug mode; run in foreground and log"
2291
" to terminal", default=None)
2292
parser.add_argument("--debuglevel", metavar="LEVEL",
2293
help="Debug level for stdout output")
2294
parser.add_argument("--priority", help="GnuTLS"
2295
" priority string (see GnuTLS documentation)")
2296
parser.add_argument("--servicename",
2297
metavar="NAME", help="Zeroconf service name")
2298
parser.add_argument("--configdir",
2299
default="/etc/mandos", metavar="DIR",
2300
help="Directory to search for configuration"
2301
" files")
2302
parser.add_argument("--no-dbus", action="store_false",
2303
dest="use_dbus", help="Do not provide D-Bus"
2304
" system bus interface", default=None)
2305
parser.add_argument("--no-ipv6", action="store_false",
2306
dest="use_ipv6", help="Do not use IPv6",
2307
default=None)
2308
parser.add_argument("--no-restore", action="store_false",
2309
dest="restore", help="Do not restore stored"
2310
" state", default=None)
2311
parser.add_argument("--socket", type=int,
2312
help="Specify a file descriptor to a network"
2313
" socket to use instead of creating one")
2314
parser.add_argument("--statedir", metavar="DIR",
2315
help="Directory to save/restore state in")
2316
parser.add_argument("--foreground", action="store_true",
2317
help="Run in foreground", default=None)
2318
parser.add_argument("--no-zeroconf", action="store_false",
2319
dest="zeroconf", help="Do not use Zeroconf",
2320
default=None)
2321
2322
options = parser.parse_args()
1675
parser = optparse.OptionParser(version = "%%prog %s" % version)
1676
parser.add_option("-i", u"--interface", type=u"string",
1677
metavar="IF", help=u"Bind to interface IF")
1678
parser.add_option("-a", u"--address", type=u"string",
1679
help=u"Address to listen for requests on")
1680
parser.add_option("-p", u"--port", type=u"int",
1681
help=u"Port number to receive requests on")
1682
parser.add_option("--check", action=u"store_true",
1683
help=u"Run self-test")
1684
parser.add_option("--debug", action=u"store_true",
1685
help=u"Debug mode; run in foreground and log to"
1686
u" terminal")
1687
parser.add_option("--debuglevel", type=u"string", metavar="Level",
1688
help=u"Debug level for stdout output")
1689
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1690
u" priority string (see GnuTLS documentation)")
1691
parser.add_option("--servicename", type=u"string",
1692
metavar=u"NAME", help=u"Zeroconf service name")
1693
parser.add_option("--configdir", type=u"string",
1694
default=u"/etc/mandos", metavar=u"DIR",
1695
help=u"Directory to search for configuration"
1696
u" files")
1697
parser.add_option("--no-dbus", action=u"store_false",
1698
dest=u"use_dbus", help=u"Do not provide D-Bus"
1699
u" system bus interface")
1700
parser.add_option("--no-ipv6", action=u"store_false",
1701
dest=u"use_ipv6", help=u"Do not use IPv6")
1702
options = parser.parse_args()[0]
2323
1703
2324
1704
if options.check:
2325
1705
import doctest
2326
fail_count, test_count = doctest.testmod()
2327
sys.exit(os.EX_OK if fail_count == 0 else 1)
1706
doctest.testmod()
1707
sys.exit()
2328
1708
2329
1709
# Default values for config file for server-global settings
2330
server_defaults = { "interface": "",
2331
"address": "",
2332
"port": "",
2333
"debug": "False",
2334
"priority":
2335
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2336
"servicename": "Mandos",
2337
"use_dbus": "True",
2338
"use_ipv6": "True",
2339
"debuglevel": "",
2340
"restore": "True",
2341
"socket": "",
2342
"statedir": "/var/lib/mandos",
2343
"foreground": "False",
2344
"zeroconf": "True",
1710
server_defaults = { u"interface": u"",
1711
u"address": u"",
1712
u"port": u"",
1713
u"debug": u"False",
1714
u"priority":
1715
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1716
u"servicename": u"Mandos",
1717
u"use_dbus": u"True",
1718
u"use_ipv6": u"True",
1719
u"debuglevel": u"",
2345
1720
}
2346
1721
2347
1722
# Parse config file for server-global settings
2348
1723
server_config = configparser.SafeConfigParser(server_defaults)
2349
1724
del server_defaults
2350
1725
server_config.read(os.path.join(options.configdir,
2351
"mandos.conf"))
1726
u"mandos.conf"))
2352
1727
# Convert the SafeConfigParser object to a dict
2353
1728
server_settings = server_config.defaults()
2354
1729
# Use the appropriate methods on the non-string config options
2355
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2356
server_settings[option] = server_config.getboolean("DEFAULT",
1730
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1731
server_settings[option] = server_config.getboolean(u"DEFAULT",
2357
1732
option)
2358
1733
if server_settings["port"]:
2359
server_settings["port"] = server_config.getint("DEFAULT",
2360
"port")
2361
if server_settings["socket"]:
2362
server_settings["socket"] = server_config.getint("DEFAULT",
2363
"socket")
2364
# Later, stdin will, and stdout and stderr might, be dup'ed
2365
# over with an opened os.devnull. But we don't want this to
2366
# happen with a supplied network socket.
2367
if 0 <= server_settings["socket"] <= 2:
2368
server_settings["socket"] = os.dup(server_settings
2369
["socket"])
1734
server_settings["port"] = server_config.getint(u"DEFAULT",
1735
u"port")
2370
1736
del server_config
2371
1737
2372
1738
# Override the settings from the config file with command line
2373
1739
# options, if set.
2374
for option in ("interface", "address", "port", "debug",
2375
"priority", "servicename", "configdir",
2376
"use_dbus", "use_ipv6", "debuglevel", "restore",
2377
"statedir", "socket", "foreground", "zeroconf"):
1740
for option in (u"interface", u"address", u"port", u"debug",
1741
u"priority", u"servicename", u"configdir",
1742
u"use_dbus", u"use_ipv6", u"debuglevel"):
2378
1743
value = getattr(options, option)
2379
1744
if value is not None:
2380
1745
server_settings[option] = value
2381
1746
del options
2382
1747
# Force all strings to be unicode
2383
1748
for option in server_settings.keys():
2384
if isinstance(server_settings[option], bytes):
2385
server_settings[option] = (server_settings[option]
2386
.decode("utf-8"))
2387
# Force all boolean options to be boolean
2388
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2389
"foreground", "zeroconf"):
2390
server_settings[option] = bool(server_settings[option])
2391
# Debug implies foreground
2392
if server_settings["debug"]:
2393
server_settings["foreground"] = True
1749
if type(server_settings[option]) is str:
1750
server_settings[option] = unicode(server_settings[option])
2394
1751
# Now we have our good server settings in "server_settings"
2395
1752
2396
1753
##################################################################
2397
1754
2398
if (not server_settings["zeroconf"] and
2399
not (server_settings["port"]
2400
or server_settings["socket"] != "")):
2401
parser.error("Needs port or socket to work without"
2402
" Zeroconf")
2403
2404
1755
# For convenience
2405
debug = server_settings["debug"]
2406
debuglevel = server_settings["debuglevel"]
2407
use_dbus = server_settings["use_dbus"]
2408
use_ipv6 = server_settings["use_ipv6"]
2409
stored_state_path = os.path.join(server_settings["statedir"],
2410
stored_state_file)
2411
foreground = server_settings["foreground"]
2412
zeroconf = server_settings["zeroconf"]
2413
2414
if debug:
2415
initlogger(debug, logging.DEBUG)
2416
else:
2417
if not debuglevel:
2418
initlogger(debug)
2419
else:
2420
level = getattr(logging, debuglevel.upper())
2421
initlogger(debug, level)
2422
2423
if server_settings["servicename"] != "Mandos":
1756
debug = server_settings[u"debug"]
1757
debuglevel = server_settings[u"debuglevel"]
1758
use_dbus = server_settings[u"use_dbus"]
1759
use_ipv6 = server_settings[u"use_ipv6"]
1760
1761
if server_settings[u"servicename"] != u"Mandos":
2424
1762
syslogger.setFormatter(logging.Formatter
2425
('Mandos ({}) [%(process)d]:'
2426
' %(levelname)s: %(message)s'
2427
.format(server_settings
2428
["servicename"])))
1763
(u'Mandos (%s) [%%(process)d]:'
1764
u' %%(levelname)s: %%(message)s'
1765
% server_settings[u"servicename"]))
2429
1766
2430
1767
# Parse config file with clients
2431
client_config = configparser.SafeConfigParser(Client
2432
.client_defaults)
2433
client_config.read(os.path.join(server_settings["configdir"],
2434
"clients.conf"))
1768
client_defaults = { u"timeout": u"1h",
1769
u"interval": u"5m",
1770
u"checker": u"fping -q -- %%(host)s",
1771
u"host": u"",
1772
u"approval_delay": u"0s",
1773
u"approval_duration": u"1s",
1774
}
1775
client_config = configparser.SafeConfigParser(client_defaults)
1776
client_config.read(os.path.join(server_settings[u"configdir"],
1777
u"clients.conf"))
2435
1778
2436
1779
global mandos_dbus_service
2437
1780
mandos_dbus_service = None
2438
1781
2439
socketfd = None
2440
if server_settings["socket"] != "":
2441
socketfd = server_settings["socket"]
2442
tcp_server = MandosServer((server_settings["address"],
2443
server_settings["port"]),
1782
tcp_server = MandosServer((server_settings[u"address"],
1783
server_settings[u"port"]),
2444
1784
ClientHandler,
2445
interface=(server_settings["interface"]
1785
interface=(server_settings[u"interface"]
2446
1786
or None),
2447
1787
use_ipv6=use_ipv6,
2448
1788
gnutls_priority=
2449
server_settings["priority"],
2450
use_dbus=use_dbus,
2451
socketfd=socketfd)
2452
if not foreground:
2453
pidfilename = "/run/mandos.pid"
2454
if not os.path.isdir("/run/."):
2455
pidfilename = "/var/run/mandos.pid"
2456
pidfile = None
1789
server_settings[u"priority"],
1790
use_dbus=use_dbus)
1791
if not debug:
1792
pidfilename = u"/var/run/mandos.pid"
2457
1793
try:
2458
pidfile = open(pidfilename, "w")
2459
except IOError as e:
2460
logger.error("Could not open file %r", pidfilename,
2461
exc_info=e)
1794
pidfile = open(pidfilename, u"w")
1795
except IOError:
1796
logger.error(u"Could not open file %r", pidfilename)
2462
1797
2463
for name in ("_mandos", "mandos", "nobody"):
1798
try:
1799
uid = pwd.getpwnam(u"_mandos").pw_uid
1800
gid = pwd.getpwnam(u"_mandos").pw_gid
1801
except KeyError:
2464
1802
try:
2465
uid = pwd.getpwnam(name).pw_uid
2466
gid = pwd.getpwnam(name).pw_gid
2467
break
1803
uid = pwd.getpwnam(u"mandos").pw_uid
1804
gid = pwd.getpwnam(u"mandos").pw_gid
2468
1805
except KeyError:
2469
continue
2470
else:
2471
uid = 65534
2472
gid = 65534
1806
try:
1807
uid = pwd.getpwnam(u"nobody").pw_uid
1808
gid = pwd.getpwnam(u"nobody").pw_gid
1809
except KeyError:
1810
uid = 65534
1811
gid = 65534
2473
1812
try:
2474
1813
os.setgid(gid)
2475
1814
os.setuid(uid)
2476
except OSError as error:
2477
if error.errno != errno.EPERM:
2478
raise
1815
except OSError, error:
1816
if error[0] != errno.EPERM:
1817
raise error
2479
1818
1819
if not debug and not debuglevel:
1820
syslogger.setLevel(logging.WARNING)
1821
console.setLevel(logging.WARNING)
1822
if debuglevel:
1823
level = getattr(logging, debuglevel.upper())
1824
syslogger.setLevel(level)
1825
console.setLevel(level)
1826
2480
1827
if debug:
2481
1828
# Enable all possible GnuTLS debugging
2482
1829
2486
1833
2487
1834
@gnutls.library.types.gnutls_log_func
2488
1835
def debug_gnutls(level, string):
2489
logger.debug("GnuTLS: %s", string[:-1])
1836
logger.debug(u"GnuTLS: %s", string[:-1])
2490
1837
2491
1838
(gnutls.library.functions
2492
1839
.gnutls_global_set_log_function(debug_gnutls))
2493
1840
2494
1841
# Redirect stdin so all checkers get /dev/null
2495
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1842
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2496
1843
os.dup2(null, sys.stdin.fileno())
2497
1844
if null > 2:
2498
1845
os.close(null)
2499
2500
# Need to fork before connecting to D-Bus
2501
if not foreground:
2502
# Close all input and output, do double fork, etc.
2503
daemon()
2504
2505
# multiprocessing will use threads, so before we use gobject we
2506
# need to inform gobject that threads will be used.
2507
gobject.threads_init()
1846
else:
1847
# No console logging
1848
logger.removeHandler(console)
1849
2508
1850
2509
1851
global main_loop
2510
1852
# From the Avahi example code
2511
DBusGMainLoop(set_as_default=True)
1853
DBusGMainLoop(set_as_default=True )
2512
1854
main_loop = gobject.MainLoop()
2513
1855
bus = dbus.SystemBus()
2514
1856
# End of Avahi example code
2515
1857
if use_dbus:
2516
1858
try:
2517
bus_name = dbus.service.BusName("se.recompile.Mandos",
1859
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
2518
1860
bus, do_not_queue=True)
2519
old_bus_name = (dbus.service.BusName
2520
("se.bsnet.fukt.Mandos", bus,
2521
do_not_queue=True))
2522
except dbus.exceptions.NameExistsException as e:
2523
logger.error("Disabling D-Bus:", exc_info=e)
1861
except dbus.exceptions.NameExistsException, e:
1862
logger.error(unicode(e) + u", disabling D-Bus")
2524
1863
use_dbus = False
2525
server_settings["use_dbus"] = False
1864
server_settings[u"use_dbus"] = False
2526
1865
tcp_server.use_dbus = False
2527
if zeroconf:
2528
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2529
service = AvahiServiceToSyslog(name =
2530
server_settings["servicename"],
2531
servicetype = "_mandos._tcp",
2532
protocol = protocol, bus = bus)
2533
if server_settings["interface"]:
2534
service.interface = (if_nametoindex
2535
(server_settings["interface"]
2536
.encode("utf-8")))
2537
1866
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1867
service = AvahiService(name = server_settings[u"servicename"],
1868
servicetype = u"_mandos._tcp",
1869
protocol = protocol, bus = bus)
1870
if server_settings["interface"]:
1871
service.interface = (if_nametoindex
1872
(str(server_settings[u"interface"])))
1873
1874
if not debug:
1875
# Close all input and output, do double fork, etc.
1876
daemon()
1877
2538
1878
global multiprocessing_manager
2539
1879
multiprocessing_manager = multiprocessing.Manager()
2540
1880
2541
1881
client_class = Client
2542
1882
if use_dbus:
2543
1883
client_class = functools.partial(ClientDBus, bus = bus)
2544
2545
client_settings = Client.config_parser(client_config)
2546
old_client_settings = {}
2547
clients_data = {}
2548
2549
# This is used to redirect stdout and stderr for checker processes
2550
global wnull
2551
wnull = open(os.devnull, "w") # A writable /dev/null
2552
# Only used if server is running in foreground but not in debug
2553
# mode
2554
if debug or not foreground:
2555
wnull.close()
2556
2557
# Get client data and settings from last running state.
2558
if server_settings["restore"]:
2559
try:
2560
with open(stored_state_path, "rb") as stored_state:
2561
clients_data, old_client_settings = (pickle.load
2562
(stored_state))
2563
os.remove(stored_state_path)
2564
except IOError as e:
2565
if e.errno == errno.ENOENT:
2566
logger.warning("Could not load persistent state: {}"
2567
.format(os.strerror(e.errno)))
2568
else:
2569
logger.critical("Could not load persistent state:",
2570
exc_info=e)
2571
raise
2572
except EOFError as e:
2573
logger.warning("Could not load persistent state: "
2574
"EOFError:", exc_info=e)
2575
2576
with PGPEngine() as pgp:
2577
for client_name, client in clients_data.items():
2578
# Skip removed clients
2579
if client_name not in client_settings:
2580
continue
2581
2582
# Decide which value to use after restoring saved state.
2583
# We have three different values: Old config file,
2584
# new config file, and saved state.
2585
# New config value takes precedence if it differs from old
2586
# config value, otherwise use saved state.
2587
for name, value in client_settings[client_name].items():
2588
try:
2589
# For each value in new config, check if it
2590
# differs from the old config value (Except for
2591
# the "secret" attribute)
2592
if (name != "secret" and
2593
value != old_client_settings[client_name]
2594
[name]):
2595
client[name] = value
2596
except KeyError:
2597
pass
2598
2599
# Clients who has passed its expire date can still be
2600
# enabled if its last checker was successful. Clients
2601
# whose checker succeeded before we stored its state is
2602
# assumed to have successfully run all checkers during
2603
# downtime.
2604
if client["enabled"]:
2605
if datetime.datetime.utcnow() >= client["expires"]:
2606
if not client["last_checked_ok"]:
2607
logger.warning(
2608
"disabling client {} - Client never "
2609
"performed a successful checker"
2610
.format(client_name))
2611
client["enabled"] = False
2612
elif client["last_checker_status"] != 0:
2613
logger.warning(
2614
"disabling client {} - Client last"
2615
" checker failed with error code {}"
2616
.format(client_name,
2617
client["last_checker_status"]))
2618
client["enabled"] = False
2619
else:
2620
client["expires"] = (datetime.datetime
2621
.utcnow()
2622
+ client["timeout"])
2623
logger.debug("Last checker succeeded,"
2624
" keeping {} enabled"
2625
.format(client_name))
1884
def client_config_items(config, section):
1885
special_settings = {
1886
"approved_by_default":
1887
lambda: config.getboolean(section,
1888
"approved_by_default"),
1889
}
1890
for name, value in config.items(section):
2626
1891
try:
2627
client["secret"] = (
2628
pgp.decrypt(client["encrypted_secret"],
2629
client_settings[client_name]
2630
["secret"]))
2631
except PGPError:
2632
# If decryption fails, we use secret from new settings
2633
logger.debug("Failed to decrypt {} old secret"
2634
.format(client_name))
2635
client["secret"] = (
2636
client_settings[client_name]["secret"])
2637
2638
# Add/remove clients based on new changes made to config
2639
for client_name in (set(old_client_settings)
2640
- set(client_settings)):
2641
del clients_data[client_name]
2642
for client_name in (set(client_settings)
2643
- set(old_client_settings)):
2644
clients_data[client_name] = client_settings[client_name]
2645
2646
# Create all client objects
2647
for client_name, client in clients_data.items():
2648
tcp_server.clients[client_name] = client_class(
2649
name = client_name, settings = client,
2650
server_settings = server_settings)
2651
1892
yield (name, special_settings[name]())
1893
except KeyError:
1894
yield (name, value)
1895
1896
tcp_server.clients.update(set(
1897
client_class(name = section,
1898
config= dict(client_config_items(
1899
client_config, section)))
1900
for section in client_config.sections()))
2652
1901
if not tcp_server.clients:
2653
logger.warning("No clients defined")
2654
2655
if not foreground:
2656
if pidfile is not None:
2657
try:
2658
with pidfile:
2659
pid = os.getpid()
2660
pidfile.write("{}\n".format(pid).encode("utf-8"))
2661
except IOError:
2662
logger.error("Could not write to file %r with PID %d",
2663
pidfilename, pid)
2664
del pidfile
1902
logger.warning(u"No clients defined")
1903
1904
if not debug:
1905
try:
1906
with pidfile:
1907
pid = os.getpid()
1908
pidfile.write(str(pid) + "\n")
1909
del pidfile
1910
except IOError:
1911
logger.error(u"Could not write to file %r with PID %d",
1912
pidfilename, pid)
1913
except NameError:
1914
# "pidfile" was never created
1915
pass
2665
1916
del pidfilename
2666
1917
1918
signal.signal(signal.SIGINT, signal.SIG_IGN)
1919
2667
1920
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2668
1921
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2669
1922
2670
1923
if use_dbus:
2671
@alternate_dbus_interfaces({"se.recompile.Mandos":
2672
"se.bsnet.fukt.Mandos"})
2673
class MandosDBusService(DBusObjectWithProperties):
1924
class MandosDBusService(dbus.service.Object):
2674
1925
"""A D-Bus proxy object"""
2675
1926
def __init__(self):
2676
dbus.service.Object.__init__(self, bus, "/")
2677
_interface = "se.recompile.Mandos"
2678
2679
@dbus_interface_annotations(_interface)
2680
def _foo(self):
2681
return { "org.freedesktop.DBus.Property"
2682
".EmitsChangedSignal":
2683
"false"}
2684
2685
@dbus.service.signal(_interface, signature="o")
1927
dbus.service.Object.__init__(self, bus, u"/")
1928
_interface = u"se.bsnet.fukt.Mandos"
1929
1930
@dbus.service.signal(_interface, signature=u"o")
2686
1931
def ClientAdded(self, objpath):
2687
1932
"D-Bus signal"
2688
1933
pass
2689
1934
2690
@dbus.service.signal(_interface, signature="ss")
1935
@dbus.service.signal(_interface, signature=u"ss")
2691
1936
def ClientNotFound(self, fingerprint, address):
2692
1937
"D-Bus signal"
2693
1938
pass
2694
1939
2695
@dbus.service.signal(_interface, signature="os")
1940
@dbus.service.signal(_interface, signature=u"os")
2696
1941
def ClientRemoved(self, objpath, name):
2697
1942
"D-Bus signal"
2698
1943
pass
2699
1944
2700
@dbus.service.method(_interface, out_signature="ao")
1945
@dbus.service.method(_interface, out_signature=u"ao")
2701
1946
def GetAllClients(self):
2702
1947
"D-Bus method"
2703
1948
return dbus.Array(c.dbus_object_path
2704
for c in
2705
tcp_server.clients.itervalues())
1949
for c in tcp_server.clients)
2706
1950
2707
1951
@dbus.service.method(_interface,
2708
out_signature="a{oa{sv}}")
1952
out_signature=u"a{oa{sv}}")
2709
1953
def GetAllClientsWithProperties(self):
2710
1954
"D-Bus method"
2711
1955
return dbus.Dictionary(
2712
((c.dbus_object_path, c.GetAll(""))
2713
for c in tcp_server.clients.itervalues()),
2714
signature="oa{sv}")
1956
((c.dbus_object_path, c.GetAll(u""))
1957
for c in tcp_server.clients),
1958
signature=u"oa{sv}")
2715
1959
2716
@dbus.service.method(_interface, in_signature="o")
1960
@dbus.service.method(_interface, in_signature=u"o")
2717
1961
def RemoveClient(self, object_path):
2718
1962
"D-Bus method"
2719
for c in tcp_server.clients.itervalues():
1963
for c in tcp_server.clients:
2720
1964
if c.dbus_object_path == object_path:
2721
del tcp_server.clients[c.name]
1965
tcp_server.clients.remove(c)
2722
1966
c.remove_from_connection()
2723
1967
# Don't signal anything except ClientRemoved
2724
1968
c.disable(quiet=True)
2733
1977
2734
1978
def cleanup():
2735
1979
"Cleanup function; run on exit"
2736
if zeroconf:
2737
service.cleanup()
2738
2739
multiprocessing.active_children()
2740
wnull.close()
2741
if not (tcp_server.clients or client_settings):
2742
return
2743
2744
# Store client before exiting. Secrets are encrypted with key
2745
# based on what config file has. If config file is
2746
# removed/edited, old secret will thus be unrecovable.
2747
clients = {}
2748
with PGPEngine() as pgp:
2749
for client in tcp_server.clients.itervalues():
2750
key = client_settings[client.name]["secret"]
2751
client.encrypted_secret = pgp.encrypt(client.secret,
2752
key)
2753
client_dict = {}
2754
2755
# A list of attributes that can not be pickled
2756
# + secret.
2757
exclude = { "bus", "changedstate", "secret",
2758
"checker", "server_settings" }
2759
for name, typ in (inspect.getmembers
2760
(dbus.service.Object)):
2761
exclude.add(name)
2762
2763
client_dict["encrypted_secret"] = (client
2764
.encrypted_secret)
2765
for attr in client.client_structure:
2766
if attr not in exclude:
2767
client_dict[attr] = getattr(client, attr)
2768
2769
clients[client.name] = client_dict
2770
del client_settings[client.name]["secret"]
2771
2772
try:
2773
with (tempfile.NamedTemporaryFile
2774
(mode='wb', suffix=".pickle", prefix='clients-',
2775
dir=os.path.dirname(stored_state_path),
2776
delete=False)) as stored_state:
2777
pickle.dump((clients, client_settings), stored_state)
2778
tempname=stored_state.name
2779
os.rename(tempname, stored_state_path)
2780
except (IOError, OSError) as e:
2781
if not debug:
2782
try:
2783
os.remove(tempname)
2784
except NameError:
2785
pass
2786
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2787
logger.warning("Could not save persistent state: {}"
2788
.format(os.strerror(e.errno)))
2789
else:
2790
logger.warning("Could not save persistent state:",
2791
exc_info=e)
2792
raise
2793
2794
# Delete all clients, and settings from config
1980
service.cleanup()
1981
2795
1982
while tcp_server.clients:
2796
name, client = tcp_server.clients.popitem()
1983
client = tcp_server.clients.pop()
2797
1984
if use_dbus:
2798
1985
client.remove_from_connection()
1986
client.disable_hook = None
2799
1987
# Don't signal anything except ClientRemoved
2800
1988
client.disable(quiet=True)
2801
1989
if use_dbus:
2802
1990
# Emit D-Bus signal
2803
mandos_dbus_service.ClientRemoved(client
2804
.dbus_object_path,
1991
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2805
1992
client.name)
2806
client_settings.clear()
2807
1993
2808
1994
atexit.register(cleanup)
2809
1995
2810
for client in tcp_server.clients.itervalues():
1996
for client in tcp_server.clients:
2811
1997
if use_dbus:
2812
1998
# Emit D-Bus signal
2813
1999
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2814
# Need to initiate checking of clients
2815
if client.enabled:
2816
client.init_checker()
2000
client.enable()
2817
2001
2818
2002
tcp_server.enable()
2819
2003
tcp_server.server_activate()
2820
2004
2821
2005
# Find out what port we got
2822
if zeroconf:
2823
service.port = tcp_server.socket.getsockname()[1]
2006
service.port = tcp_server.socket.getsockname()[1]
2824
2007
if use_ipv6:
2825
logger.info("Now listening on address %r, port %d,"
2826
" flowinfo %d, scope_id %d",
2827
*tcp_server.socket.getsockname())
2008
logger.info(u"Now listening on address %r, port %d,"
2009
" flowinfo %d, scope_id %d"
2010
% tcp_server.socket.getsockname())
2828
2011
else: # IPv4
2829
logger.info("Now listening on address %r, port %d",
2830
*tcp_server.socket.getsockname())
2012
logger.info(u"Now listening on address %r, port %d"
2013
% tcp_server.socket.getsockname())
2831
2014
2832
2015
#service.interface = tcp_server.socket.getsockname()[3]
2833
2016
2834
2017
try:
2835
if zeroconf:
2836
# From the Avahi example code
2837
try:
2838
service.activate()
2839
except dbus.exceptions.DBusException as error:
2840
logger.critical("D-Bus Exception", exc_info=error)
2841
cleanup()
2842
sys.exit(1)
2843
# End of Avahi example code
2018
# From the Avahi example code
2019
try:
2020
service.activate()
2021
except dbus.exceptions.DBusException, error:
2022
logger.critical(u"DBusException: %s", error)
2023
cleanup()
2024
sys.exit(1)
2025
# End of Avahi example code
2844
2026
2845
2027
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2846
2028
lambda *args, **kwargs:
2847
2029
(tcp_server.handle_request
2848
2030
(*args[2:], **kwargs) or True))
2849
2031
2850
logger.debug("Starting main loop")
2032
logger.debug(u"Starting main loop")
2851
2033
main_loop.run()
2852
except AvahiError as error:
2853
logger.critical("Avahi Error", exc_info=error)
2034
except AvahiError, error:
2035
logger.critical(u"AvahiError: %s", error)
2854
2036
cleanup()
2855
2037
sys.exit(1)
2856
2038
except KeyboardInterrupt:
2857
2039
if debug:
2858
print("", file=sys.stderr)
2859
logger.debug("Server received KeyboardInterrupt")
2860
logger.debug("Server exiting")
2040
print >> sys.stderr
2041
logger.debug(u"Server received KeyboardInterrupt")
2042
logger.debug(u"Server exiting")
2861
2043
# Must run before the D-Bus bus name gets deregistered
2862
2044
cleanup()
2863
2045
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0