To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 499
- compare with another revision
- download diff
- download tarball
- view history from revision 499
- Committer: Teddy Hogeborn
- Date: 2011-09-19 09:25:06 UTC
- Revision ID: teddy@fukt.bsnet.se-20110919092506-klwkjwizzdnza2il
* clients.conf ([DEFAULT]/timeout): Changed default value to "5m".
([DEFAULT]/interval): Changed default value to "2m".
([DEFAULT]/extenden_timeout): New.
([bar]/interval): Changed to "1m".
([DEFAULT]/interval): Changed default value to "2m".
([DEFAULT]/extenden_timeout): New.
([bar]/interval): Changed to "1m".
- files added:
- DBUS-API
- debian/source
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
31
31
# Contact the authors at <mandos@fukt.bsnet.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
35
36
36
import SocketServer
37
import SocketServer as socketserver
37
38
import socket
38
import optparse
39
import argparse
39
40
import datetime
40
41
import errno
41
42
import gnutls.crypto
44
45
import gnutls.library.functions
45
46
import gnutls.library.constants
46
47
import gnutls.library.types
47
import ConfigParser
48
import ConfigParser as configparser
48
49
import sys
49
50
import re
50
51
import os
51
52
import signal
52
from sets import Set
53
53
import subprocess
54
54
import atexit
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
58
import pwd
59
from contextlib import closing
59
import contextlib
60
import struct
61
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
60
65
61
66
import dbus
62
67
import dbus.service
65
70
from dbus.mainloop.glib import DBusGMainLoop
66
71
import ctypes
67
72
import ctypes.util
68
69
version = "1.0.8"
70
73
import xml.dom.minidom
74
import inspect
75
76
try:
77
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
78
except AttributeError:
79
try:
80
from IN import SO_BINDTODEVICE
81
except ImportError:
82
SO_BINDTODEVICE = None
83
84
85
version = "1.3.1"
86
87
#logger = logging.getLogger('mandos')
71
88
logger = logging.Logger('mandos')
72
89
syslogger = (logging.handlers.SysLogHandler
73
90
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
address = "/dev/log"))
91
address = str("/dev/log")))
75
92
syslogger.setFormatter(logging.Formatter
76
93
('Mandos [%(process)d]: %(levelname)s:'
77
94
' %(message)s'))
79
96
80
97
console = logging.StreamHandler()
81
98
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
99
' %(levelname)s:'
100
' %(message)s'))
83
101
logger.addHandler(console)
84
102
85
103
class AvahiError(Exception):
98
116
99
117
class AvahiService(object):
100
118
"""An Avahi (Zeroconf) service.
119
101
120
Attributes:
102
121
interface: integer; avahi.IF_UNSPEC or an interface index.
103
122
Used to optionally bind to the specified interface.
111
130
max_renames: integer; maximum number of renames
112
131
rename_count: integer; counter so we only rename after collisions
113
132
a sensible number of times
133
group: D-Bus Entry Group
134
server: D-Bus Server
135
bus: dbus.SystemBus()
114
136
"""
115
137
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
138
servicetype = None, port = None, TXT = None,
117
139
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
140
protocol = avahi.PROTO_UNSPEC, bus = None):
119
141
self.interface = interface
120
142
self.name = name
121
143
self.type = servicetype
126
148
self.rename_count = 0
127
149
self.max_renames = max_renames
128
150
self.protocol = protocol
151
self.group = None # our entry group
152
self.server = None
153
self.bus = bus
154
self.entry_group_state_changed_match = None
129
155
def rename(self):
130
156
"""Derived from the Avahi example code"""
131
157
if self.rename_count >= self.max_renames:
132
logger.critical(u"No suitable Zeroconf service name found"
133
u" after %i retries, exiting.",
158
logger.critical("No suitable Zeroconf service name found"
159
" after %i retries, exiting.",
134
160
self.rename_count)
135
raise AvahiServiceError(u"Too many renames")
136
self.name = server.GetAlternativeServiceName(self.name)
137
logger.info(u"Changing Zeroconf service name to %r ...",
138
str(self.name))
161
raise AvahiServiceError("Too many renames")
162
self.name = unicode(self.server.GetAlternativeServiceName(self.name))
163
logger.info("Changing Zeroconf service name to %r ...",
164
self.name)
139
165
syslogger.setFormatter(logging.Formatter
140
166
('Mandos (%s) [%%(process)d]:'
141
167
' %%(levelname)s: %%(message)s'
142
168
% self.name))
143
169
self.remove()
144
self.add()
170
try:
171
self.add()
172
except dbus.exceptions.DBusException as error:
173
logger.critical("DBusException: %s", error)
174
self.cleanup()
175
os._exit(1)
145
176
self.rename_count += 1
146
177
def remove(self):
147
178
"""Derived from the Avahi example code"""
148
if group is not None:
149
group.Reset()
179
if self.entry_group_state_changed_match is not None:
180
self.entry_group_state_changed_match.remove()
181
self.entry_group_state_changed_match = None
182
if self.group is not None:
183
self.group.Reset()
150
184
def add(self):
151
185
"""Derived from the Avahi example code"""
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
175
176
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
180
181
182
class Client(dbus.service.Object):
186
self.remove()
187
if self.group is None:
188
self.group = dbus.Interface(
189
self.bus.get_object(avahi.DBUS_NAME,
190
self.server.EntryGroupNew()),
191
avahi.DBUS_INTERFACE_ENTRY_GROUP)
192
self.entry_group_state_changed_match = (
193
self.group.connect_to_signal(
194
'StateChanged', self .entry_group_state_changed))
195
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
196
self.name, self.type)
197
self.group.AddService(
198
self.interface,
199
self.protocol,
200
dbus.UInt32(0), # flags
201
self.name, self.type,
202
self.domain, self.host,
203
dbus.UInt16(self.port),
204
avahi.string_array_to_txt_array(self.TXT))
205
self.group.Commit()
206
def entry_group_state_changed(self, state, error):
207
"""Derived from the Avahi example code"""
208
logger.debug("Avahi entry group state change: %i", state)
209
210
if state == avahi.ENTRY_GROUP_ESTABLISHED:
211
logger.debug("Zeroconf service established.")
212
elif state == avahi.ENTRY_GROUP_COLLISION:
213
logger.info("Zeroconf service name collision.")
214
self.rename()
215
elif state == avahi.ENTRY_GROUP_FAILURE:
216
logger.critical("Avahi: Error in group state changed %s",
217
unicode(error))
218
raise AvahiGroupError("State changed: %s"
219
% unicode(error))
220
def cleanup(self):
221
"""Derived from the Avahi example code"""
222
if self.group is not None:
223
try:
224
self.group.Free()
225
except (dbus.exceptions.UnknownMethodException,
226
dbus.exceptions.DBusException) as e:
227
pass
228
self.group = None
229
self.remove()
230
def server_state_changed(self, state, error=None):
231
"""Derived from the Avahi example code"""
232
logger.debug("Avahi server state change: %i", state)
233
bad_states = { avahi.SERVER_INVALID:
234
"Zeroconf server invalid",
235
avahi.SERVER_REGISTERING: None,
236
avahi.SERVER_COLLISION:
237
"Zeroconf server name collision",
238
avahi.SERVER_FAILURE:
239
"Zeroconf server failure" }
240
if state in bad_states:
241
if bad_states[state] is not None:
242
if error is None:
243
logger.error(bad_states[state])
244
else:
245
logger.error(bad_states[state] + ": %r", error)
246
self.cleanup()
247
elif state == avahi.SERVER_RUNNING:
248
self.add()
249
else:
250
if error is None:
251
logger.debug("Unknown state: %r", state)
252
else:
253
logger.debug("Unknown state: %r: %r", state, error)
254
def activate(self):
255
"""Derived from the Avahi example code"""
256
if self.server is None:
257
self.server = dbus.Interface(
258
self.bus.get_object(avahi.DBUS_NAME,
259
avahi.DBUS_PATH_SERVER,
260
follow_name_owner_changes=True),
261
avahi.DBUS_INTERFACE_SERVER)
262
self.server.connect_to_signal("StateChanged",
263
self.server_state_changed)
264
self.server_state_changed(self.server.GetState())
265
266
267
class Client(object):
183
268
"""A representation of a client host served by this server.
269
184
270
Attributes:
185
name: string; from the config file, used in log messages and
186
D-Bus identifiers
187
fingerprint: string (40 or 32 hexadecimal digits); used to
188
uniquely identify the client
189
secret: bytestring; sent verbatim (over TLS) to client
190
host: string; available for use by the checker command
191
created: datetime.datetime(); (UTC) object creation
192
last_enabled: datetime.datetime(); (UTC)
193
enabled: bool()
194
last_checked_ok: datetime.datetime(); (UTC) or None
195
timeout: datetime.timedelta(); How long from last_checked_ok
196
until this client is invalid
197
interval: datetime.timedelta(); How often to start a new checker
198
disable_hook: If set, called by disable() as disable_hook(self)
271
_approved: bool(); 'None' if not yet approved/disapproved
272
approval_delay: datetime.timedelta(); Time to wait for approval
273
approval_duration: datetime.timedelta(); Duration of one approval
199
274
checker: subprocess.Popen(); a running checker process used
200
275
to see if the client lives.
201
276
'None' if no process is running.
202
checker_initiator_tag: a gobject event source tag, or None
203
disable_initiator_tag: - '' -
204
checker_callback_tag: - '' -
205
checker_command: string; External command which is run to check if
206
client lives. %() expansions are done at
277
checker_callback_tag: a gobject event source tag, or None
278
checker_command: string; External command which is run to check
279
if client lives. %() expansions are done at
207
280
runtime with vars(self) as dict, so that for
208
281
instance %(name)s can be used in the command.
282
checker_initiator_tag: a gobject event source tag, or None
283
created: datetime.datetime(); (UTC) object creation
209
284
current_checker_command: string; current running checker_command
210
use_dbus: bool(); Whether to provide D-Bus interface and signals
211
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
285
disable_hook: If set, called by disable() as disable_hook(self)
286
disable_initiator_tag: a gobject event source tag, or None
287
enabled: bool()
288
fingerprint: string (40 or 32 hexadecimal digits); used to
289
uniquely identify the client
290
host: string; available for use by the checker command
291
interval: datetime.timedelta(); How often to start a new checker
292
last_approval_request: datetime.datetime(); (UTC) or None
293
last_checked_ok: datetime.datetime(); (UTC) or None
294
last_enabled: datetime.datetime(); (UTC)
295
name: string; from the config file, used in log messages and
296
D-Bus identifiers
297
secret: bytestring; sent verbatim (over TLS) to client
298
timeout: datetime.timedelta(); How long from last_checked_ok
299
until this client is disabled
300
extended_timeout: extra long timeout when password has been sent
301
runtime_expansions: Allowed attributes for runtime expansion.
302
expires: datetime.datetime(); time (UTC) when a client will be
303
disabled, or None
212
304
"""
305
306
runtime_expansions = ("approval_delay", "approval_duration",
307
"created", "enabled", "fingerprint",
308
"host", "interval", "last_checked_ok",
309
"last_enabled", "name", "timeout")
310
311
@staticmethod
312
def _timedelta_to_milliseconds(td):
313
"Convert a datetime.timedelta() to milliseconds"
314
return ((td.days * 24 * 60 * 60 * 1000)
315
+ (td.seconds * 1000)
316
+ (td.microseconds // 1000))
317
213
318
def timeout_milliseconds(self):
214
319
"Return the 'timeout' attribute in milliseconds"
215
return ((self.timeout.days * 24 * 60 * 60 * 1000)
216
+ (self.timeout.seconds * 1000)
217
+ (self.timeout.microseconds // 1000))
320
return self._timedelta_to_milliseconds(self.timeout)
321
322
def extended_timeout_milliseconds(self):
323
"Return the 'extended_timeout' attribute in milliseconds"
324
return self._timedelta_to_milliseconds(self.extended_timeout)
218
325
219
326
def interval_milliseconds(self):
220
327
"Return the 'interval' attribute in milliseconds"
221
return ((self.interval.days * 24 * 60 * 60 * 1000)
222
+ (self.interval.seconds * 1000)
223
+ (self.interval.microseconds // 1000))
328
return self._timedelta_to_milliseconds(self.interval)
329
330
def approval_delay_milliseconds(self):
331
return self._timedelta_to_milliseconds(self.approval_delay)
224
332
225
def __init__(self, name = None, disable_hook=None, config=None,
226
use_dbus=True):
333
def __init__(self, name = None, disable_hook=None, config=None):
227
334
"""Note: the 'checker' key in 'config' sets the
228
335
'checker_command' attribute and *not* the 'checker'
229
336
attribute."""
230
337
self.name = name
231
338
if config is None:
232
339
config = {}
233
logger.debug(u"Creating client %r", self.name)
234
self.use_dbus = False # During __init__
340
logger.debug("Creating client %r", self.name)
235
341
# Uppercase and remove spaces from fingerprint for later
236
342
# comparison purposes with return value from the fingerprint()
237
343
# function
238
344
self.fingerprint = (config["fingerprint"].upper()
239
.replace(u" ", u""))
240
logger.debug(u" Fingerprint: %s", self.fingerprint)
345
.replace(" ", ""))
346
logger.debug(" Fingerprint: %s", self.fingerprint)
241
347
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
348
self.secret = config["secret"].decode("base64")
243
349
elif "secfile" in config:
244
with closing(open(os.path.expanduser
245
(os.path.expandvars
246
(config["secfile"])))) as secfile:
350
with open(os.path.expanduser(os.path.expandvars
351
(config["secfile"])),
352
"rb") as secfile:
247
353
self.secret = secfile.read()
248
354
else:
249
raise TypeError(u"No secret or secfile for client %s"
355
raise TypeError("No secret or secfile for client %s"
250
356
% self.name)
251
357
self.host = config.get("host", "")
252
358
self.created = datetime.datetime.utcnow()
253
359
self.enabled = False
360
self.last_approval_request = None
254
361
self.last_enabled = None
255
362
self.last_checked_ok = None
256
363
self.timeout = string_to_delta(config["timeout"])
364
self.extended_timeout = string_to_delta(config["extended_timeout"])
257
365
self.interval = string_to_delta(config["interval"])
258
366
self.disable_hook = disable_hook
259
367
self.checker = None
260
368
self.checker_initiator_tag = None
261
369
self.disable_initiator_tag = None
370
self.expires = None
262
371
self.checker_callback_tag = None
263
372
self.checker_command = config["checker"]
264
373
self.current_checker_command = None
265
374
self.last_connect = None
266
# Only now, when this client is initialized, can it show up on
267
# the D-Bus
268
self.use_dbus = use_dbus
269
if self.use_dbus:
270
self.dbus_object_path = (dbus.ObjectPath
271
("/clients/"
272
+ self.name.replace(".", "_")))
273
dbus.service.Object.__init__(self, bus,
274
self.dbus_object_path)
375
self._approved = None
376
self.approved_by_default = config.get("approved_by_default",
377
True)
378
self.approvals_pending = 0
379
self.approval_delay = string_to_delta(
380
config["approval_delay"])
381
self.approval_duration = string_to_delta(
382
config["approval_duration"])
383
self.changedstate = multiprocessing_manager.Condition(multiprocessing_manager.Lock())
275
384
385
def send_changedstate(self):
386
self.changedstate.acquire()
387
self.changedstate.notify_all()
388
self.changedstate.release()
389
276
390
def enable(self):
277
391
"""Start this client's checker and timeout hooks"""
392
if getattr(self, "enabled", False):
393
# Already enabled
394
return
395
self.send_changedstate()
278
396
self.last_enabled = datetime.datetime.utcnow()
279
397
# Schedule a new checker to be started an 'interval' from now,
280
398
# and every interval from then on.
281
399
self.checker_initiator_tag = (gobject.timeout_add
282
400
(self.interval_milliseconds(),
283
401
self.start_checker))
284
# Also start a new checker *right now*.
285
self.start_checker()
286
402
# Schedule a disable() when 'timeout' has passed
403
self.expires = datetime.datetime.utcnow() + self.timeout
287
404
self.disable_initiator_tag = (gobject.timeout_add
288
405
(self.timeout_milliseconds(),
289
406
self.disable))
290
407
self.enabled = True
291
if self.use_dbus:
292
# Emit D-Bus signals
293
self.PropertyChanged(dbus.String(u"enabled"),
294
dbus.Boolean(True, variant_level=1))
295
self.PropertyChanged(dbus.String(u"last_enabled"),
296
(_datetime_to_dbus(self.last_enabled,
297
variant_level=1)))
408
# Also start a new checker *right now*.
409
self.start_checker()
298
410
299
def disable(self):
411
def disable(self, quiet=True):
300
412
"""Disable this client."""
301
413
if not getattr(self, "enabled", False):
302
414
return False
303
logger.info(u"Disabling client %s", self.name)
415
if not quiet:
416
self.send_changedstate()
417
if not quiet:
418
logger.info("Disabling client %s", self.name)
304
419
if getattr(self, "disable_initiator_tag", False):
305
420
gobject.source_remove(self.disable_initiator_tag)
306
421
self.disable_initiator_tag = None
422
self.expires = None
307
423
if getattr(self, "checker_initiator_tag", False):
308
424
gobject.source_remove(self.checker_initiator_tag)
309
425
self.checker_initiator_tag = None
311
427
if self.disable_hook:
312
428
self.disable_hook(self)
313
429
self.enabled = False
314
if self.use_dbus:
315
# Emit D-Bus signal
316
self.PropertyChanged(dbus.String(u"enabled"),
317
dbus.Boolean(False, variant_level=1))
318
430
# Do not run this again if called by a gobject.timeout_add
319
431
return False
320
432
326
438
"""The checker has completed, so take appropriate actions."""
327
439
self.checker_callback_tag = None
328
440
self.checker = None
329
if self.use_dbus:
330
# Emit D-Bus signal
331
self.PropertyChanged(dbus.String(u"checker_running"),
332
dbus.Boolean(False, variant_level=1))
333
441
if os.WIFEXITED(condition):
334
442
exitstatus = os.WEXITSTATUS(condition)
335
443
if exitstatus == 0:
336
logger.info(u"Checker for %(name)s succeeded",
444
logger.info("Checker for %(name)s succeeded",
337
445
vars(self))
338
446
self.checked_ok()
339
447
else:
340
logger.info(u"Checker for %(name)s failed",
448
logger.info("Checker for %(name)s failed",
341
449
vars(self))
342
if self.use_dbus:
343
# Emit D-Bus signal
344
self.CheckerCompleted(dbus.Int16(exitstatus),
345
dbus.Int64(condition),
346
dbus.String(command))
347
450
else:
348
logger.warning(u"Checker for %(name)s crashed?",
451
logger.warning("Checker for %(name)s crashed?",
349
452
vars(self))
350
if self.use_dbus:
351
# Emit D-Bus signal
352
self.CheckerCompleted(dbus.Int16(-1),
353
dbus.Int64(condition),
354
dbus.String(command))
355
453
356
def checked_ok(self):
454
def checked_ok(self, timeout=None):
357
455
"""Bump up the timeout for this client.
456
358
457
This should only be called when the client has been seen,
359
458
alive and well.
360
459
"""
460
if timeout is None:
461
timeout = self.timeout
361
462
self.last_checked_ok = datetime.datetime.utcnow()
362
463
gobject.source_remove(self.disable_initiator_tag)
464
self.expires = datetime.datetime.utcnow() + timeout
363
465
self.disable_initiator_tag = (gobject.timeout_add
364
(self.timeout_milliseconds(),
466
(self._timedelta_to_milliseconds(timeout),
365
467
self.disable))
366
if self.use_dbus:
367
# Emit D-Bus signal
368
self.PropertyChanged(
369
dbus.String(u"last_checked_ok"),
370
(_datetime_to_dbus(self.last_checked_ok,
371
variant_level=1)))
468
469
def need_approval(self):
470
self.last_approval_request = datetime.datetime.utcnow()
372
471
373
472
def start_checker(self):
374
473
"""Start a new checker subprocess if one is not running.
474
375
475
If a checker already exists, leave it running and do
376
476
nothing."""
377
477
# The reason for not killing a running checker is that if we
380
480
# client would inevitably timeout, since no checker would get
381
481
# a chance to run to completion. If we instead leave running
382
482
# checkers alone, the checker would have to take more time
383
# than 'timeout' for the client to be declared invalid, which
384
# is as it should be.
483
# than 'timeout' for the client to be disabled, which is as it
484
# should be.
385
485
386
486
# If a checker exists, make sure it is not a zombie
387
if self.checker is not None:
487
try:
388
488
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
489
except (AttributeError, OSError) as error:
490
if (isinstance(error, OSError)
491
and error.errno != errno.ECHILD):
492
raise error
493
else:
389
494
if pid:
390
495
logger.warning("Checker was a zombie")
391
496
gobject.source_remove(self.checker_callback_tag)
398
503
command = self.checker_command % self.host
399
504
except TypeError:
400
505
# Escape attributes for the shell
401
escaped_attrs = dict((key, re.escape(str(val)))
402
for key, val in
403
vars(self).iteritems())
506
escaped_attrs = dict(
507
(attr,
508
re.escape(unicode(str(getattr(self, attr, "")),
509
errors=
510
'replace')))
511
for attr in
512
self.runtime_expansions)
513
404
514
try:
405
515
command = self.checker_command % escaped_attrs
406
except TypeError, error:
407
logger.error(u'Could not format string "%s":'
408
u' %s', self.checker_command, error)
516
except TypeError as error:
517
logger.error('Could not format string "%s":'
518
' %s', self.checker_command, error)
409
519
return True # Try again later
410
self.current_checker_command = command
520
self.current_checker_command = command
411
521
try:
412
logger.info(u"Starting checker %r for %s",
522
logger.info("Starting checker %r for %s",
413
523
command, self.name)
414
524
# We don't need to redirect stdout and stderr, since
415
525
# in normal mode, that is already done by daemon(),
418
528
self.checker = subprocess.Popen(command,
419
529
close_fds=True,
420
530
shell=True, cwd="/")
421
if self.use_dbus:
422
# Emit D-Bus signal
423
self.CheckerStarted(command)
424
self.PropertyChanged(
425
dbus.String("checker_running"),
426
dbus.Boolean(True, variant_level=1))
427
531
self.checker_callback_tag = (gobject.child_watch_add
428
532
(self.checker.pid,
429
533
self.checker_callback,
434
538
if pid:
435
539
gobject.source_remove(self.checker_callback_tag)
436
540
self.checker_callback(pid, status, command)
437
except OSError, error:
438
logger.error(u"Failed to start subprocess: %s",
541
except OSError as error:
542
logger.error("Failed to start subprocess: %s",
439
543
error)
440
544
# Re-run this periodically if run by gobject.timeout_add
441
545
return True
447
551
self.checker_callback_tag = None
448
552
if getattr(self, "checker", None) is None:
449
553
return
450
logger.debug(u"Stopping checker for %(name)s", vars(self))
554
logger.debug("Stopping checker for %(name)s", vars(self))
451
555
try:
452
556
os.kill(self.checker.pid, signal.SIGTERM)
453
#os.sleep(0.5)
557
#time.sleep(0.5)
454
558
#if self.checker.poll() is None:
455
559
# os.kill(self.checker.pid, signal.SIGKILL)
456
except OSError, error:
560
except OSError as error:
457
561
if error.errno != errno.ESRCH: # No such process
458
562
raise
459
563
self.checker = None
460
if self.use_dbus:
461
self.PropertyChanged(dbus.String(u"checker_running"),
462
dbus.Boolean(False, variant_level=1))
463
464
def still_valid(self):
465
"""Has the timeout not yet passed for this client?"""
466
if not getattr(self, "enabled", False):
467
return False
468
now = datetime.datetime.utcnow()
469
if self.last_checked_ok is None:
470
return now < (self.created + self.timeout)
471
else:
472
return now < (self.last_checked_ok + self.timeout)
473
474
## D-Bus methods & signals
475
_interface = u"se.bsnet.fukt.Mandos.Client"
476
477
# CheckedOK - method
478
CheckedOK = dbus.service.method(_interface)(checked_ok)
479
CheckedOK.__name__ = "CheckedOK"
564
565
def dbus_service_property(dbus_interface, signature="v",
566
access="readwrite", byte_arrays=False):
567
"""Decorators for marking methods of a DBusObjectWithProperties to
568
become properties on the D-Bus.
569
570
The decorated method will be called with no arguments by "Get"
571
and with one argument by "Set".
572
573
The parameters, where they are supported, are the same as
574
dbus.service.method, except there is only "signature", since the
575
type from Get() and the type sent to Set() is the same.
576
"""
577
# Encoding deeply encoded byte arrays is not supported yet by the
578
# "Set" method, so we fail early here:
579
if byte_arrays and signature != "ay":
580
raise ValueError("Byte arrays not supported for non-'ay'"
581
" signature %r" % signature)
582
def decorator(func):
583
func._dbus_is_property = True
584
func._dbus_interface = dbus_interface
585
func._dbus_signature = signature
586
func._dbus_access = access
587
func._dbus_name = func.__name__
588
if func._dbus_name.endswith("_dbus_property"):
589
func._dbus_name = func._dbus_name[:-14]
590
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
591
return func
592
return decorator
593
594
595
class DBusPropertyException(dbus.exceptions.DBusException):
596
"""A base class for D-Bus property-related exceptions
597
"""
598
def __unicode__(self):
599
return unicode(str(self))
600
601
602
class DBusPropertyAccessException(DBusPropertyException):
603
"""A property's access permissions disallows an operation.
604
"""
605
pass
606
607
608
class DBusPropertyNotFound(DBusPropertyException):
609
"""An attempt was made to access a non-existing property.
610
"""
611
pass
612
613
614
class DBusObjectWithProperties(dbus.service.Object):
615
"""A D-Bus object with properties.
616
617
Classes inheriting from this can use the dbus_service_property
618
decorator to expose methods as D-Bus properties. It exposes the
619
standard Get(), Set(), and GetAll() methods on the D-Bus.
620
"""
621
622
@staticmethod
623
def _is_dbus_property(obj):
624
return getattr(obj, "_dbus_is_property", False)
625
626
def _get_all_dbus_properties(self):
627
"""Returns a generator of (name, attribute) pairs
628
"""
629
return ((prop._dbus_name, prop)
630
for name, prop in
631
inspect.getmembers(self, self._is_dbus_property))
632
633
def _get_dbus_property(self, interface_name, property_name):
634
"""Returns a bound method if one exists which is a D-Bus
635
property with the specified name and interface.
636
"""
637
for name in (property_name,
638
property_name + "_dbus_property"):
639
prop = getattr(self, name, None)
640
if (prop is None
641
or not self._is_dbus_property(prop)
642
or prop._dbus_name != property_name
643
or (interface_name and prop._dbus_interface
644
and interface_name != prop._dbus_interface)):
645
continue
646
return prop
647
# No such property
648
raise DBusPropertyNotFound(self.dbus_object_path + ":"
649
+ interface_name + "."
650
+ property_name)
651
652
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
653
out_signature="v")
654
def Get(self, interface_name, property_name):
655
"""Standard D-Bus property Get() method, see D-Bus standard.
656
"""
657
prop = self._get_dbus_property(interface_name, property_name)
658
if prop._dbus_access == "write":
659
raise DBusPropertyAccessException(property_name)
660
value = prop()
661
if not hasattr(value, "variant_level"):
662
return value
663
return type(value)(value, variant_level=value.variant_level+1)
664
665
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
666
def Set(self, interface_name, property_name, value):
667
"""Standard D-Bus property Set() method, see D-Bus standard.
668
"""
669
prop = self._get_dbus_property(interface_name, property_name)
670
if prop._dbus_access == "read":
671
raise DBusPropertyAccessException(property_name)
672
if prop._dbus_get_args_options["byte_arrays"]:
673
# The byte_arrays option is not supported yet on
674
# signatures other than "ay".
675
if prop._dbus_signature != "ay":
676
raise ValueError
677
value = dbus.ByteArray(''.join(unichr(byte)
678
for byte in value))
679
prop(value)
680
681
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
682
out_signature="a{sv}")
683
def GetAll(self, interface_name):
684
"""Standard D-Bus property GetAll() method, see D-Bus
685
standard.
686
687
Note: Will not include properties with access="write".
688
"""
689
all = {}
690
for name, prop in self._get_all_dbus_properties():
691
if (interface_name
692
and interface_name != prop._dbus_interface):
693
# Interface non-empty but did not match
694
continue
695
# Ignore write-only properties
696
if prop._dbus_access == "write":
697
continue
698
value = prop()
699
if not hasattr(value, "variant_level"):
700
all[name] = value
701
continue
702
all[name] = type(value)(value, variant_level=
703
value.variant_level+1)
704
return dbus.Dictionary(all, signature="sv")
705
706
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
707
out_signature="s",
708
path_keyword='object_path',
709
connection_keyword='connection')
710
def Introspect(self, object_path, connection):
711
"""Standard D-Bus method, overloaded to insert property tags.
712
"""
713
xmlstring = dbus.service.Object.Introspect(self, object_path,
714
connection)
715
try:
716
document = xml.dom.minidom.parseString(xmlstring)
717
def make_tag(document, name, prop):
718
e = document.createElement("property")
719
e.setAttribute("name", name)
720
e.setAttribute("type", prop._dbus_signature)
721
e.setAttribute("access", prop._dbus_access)
722
return e
723
for if_tag in document.getElementsByTagName("interface"):
724
for tag in (make_tag(document, name, prop)
725
for name, prop
726
in self._get_all_dbus_properties()
727
if prop._dbus_interface
728
== if_tag.getAttribute("name")):
729
if_tag.appendChild(tag)
730
# Add the names to the return values for the
731
# "org.freedesktop.DBus.Properties" methods
732
if (if_tag.getAttribute("name")
733
== "org.freedesktop.DBus.Properties"):
734
for cn in if_tag.getElementsByTagName("method"):
735
if cn.getAttribute("name") == "Get":
736
for arg in cn.getElementsByTagName("arg"):
737
if (arg.getAttribute("direction")
738
== "out"):
739
arg.setAttribute("name", "value")
740
elif cn.getAttribute("name") == "GetAll":
741
for arg in cn.getElementsByTagName("arg"):
742
if (arg.getAttribute("direction")
743
== "out"):
744
arg.setAttribute("name", "props")
745
xmlstring = document.toxml("utf-8")
746
document.unlink()
747
except (AttributeError, xml.dom.DOMException,
748
xml.parsers.expat.ExpatError) as error:
749
logger.error("Failed to override Introspection method",
750
error)
751
return xmlstring
752
753
754
class ClientDBus(Client, DBusObjectWithProperties):
755
"""A Client class using D-Bus
756
757
Attributes:
758
dbus_object_path: dbus.ObjectPath
759
bus: dbus.SystemBus()
760
"""
761
762
runtime_expansions = (Client.runtime_expansions
763
+ ("dbus_object_path",))
764
765
# dbus.service.Object doesn't use super(), so we can't either.
766
767
def __init__(self, bus = None, *args, **kwargs):
768
self._approvals_pending = 0
769
self.bus = bus
770
Client.__init__(self, *args, **kwargs)
771
# Only now, when this client is initialized, can it show up on
772
# the D-Bus
773
client_object_name = unicode(self.name).translate(
774
{ord("."): ord("_"),
775
ord("-"): ord("_")})
776
self.dbus_object_path = (dbus.ObjectPath
777
("/clients/" + client_object_name))
778
DBusObjectWithProperties.__init__(self, self.bus,
779
self.dbus_object_path)
780
def _set_expires(self, value):
781
old_value = getattr(self, "_expires", None)
782
self._expires = value
783
if hasattr(self, "dbus_object_path") and old_value != value:
784
dbus_time = (self._datetime_to_dbus(self._expires,
785
variant_level=1))
786
self.PropertyChanged(dbus.String("Expires"),
787
dbus_time)
788
expires = property(lambda self: self._expires, _set_expires)
789
del _set_expires
790
791
def _get_approvals_pending(self):
792
return self._approvals_pending
793
def _set_approvals_pending(self, value):
794
old_value = self._approvals_pending
795
self._approvals_pending = value
796
bval = bool(value)
797
if (hasattr(self, "dbus_object_path")
798
and bval is not bool(old_value)):
799
dbus_bool = dbus.Boolean(bval, variant_level=1)
800
self.PropertyChanged(dbus.String("ApprovalPending"),
801
dbus_bool)
802
803
approvals_pending = property(_get_approvals_pending,
804
_set_approvals_pending)
805
del _get_approvals_pending, _set_approvals_pending
806
807
@staticmethod
808
def _datetime_to_dbus(dt, variant_level=0):
809
"""Convert a UTC datetime.datetime() to a D-Bus type."""
810
if dt is None:
811
return dbus.String("", variant_level = variant_level)
812
return dbus.String(dt.isoformat(),
813
variant_level=variant_level)
814
815
def enable(self):
816
oldstate = getattr(self, "enabled", False)
817
r = Client.enable(self)
818
if oldstate != self.enabled:
819
# Emit D-Bus signals
820
self.PropertyChanged(dbus.String("Enabled"),
821
dbus.Boolean(True, variant_level=1))
822
self.PropertyChanged(
823
dbus.String("LastEnabled"),
824
self._datetime_to_dbus(self.last_enabled,
825
variant_level=1))
826
return r
827
828
def disable(self, quiet = False):
829
oldstate = getattr(self, "enabled", False)
830
r = Client.disable(self, quiet=quiet)
831
if not quiet and oldstate != self.enabled:
832
# Emit D-Bus signal
833
self.PropertyChanged(dbus.String("Enabled"),
834
dbus.Boolean(False, variant_level=1))
835
return r
836
837
def __del__(self, *args, **kwargs):
838
try:
839
self.remove_from_connection()
840
except LookupError:
841
pass
842
if hasattr(DBusObjectWithProperties, "__del__"):
843
DBusObjectWithProperties.__del__(self, *args, **kwargs)
844
Client.__del__(self, *args, **kwargs)
845
846
def checker_callback(self, pid, condition, command,
847
*args, **kwargs):
848
self.checker_callback_tag = None
849
self.checker = None
850
# Emit D-Bus signal
851
self.PropertyChanged(dbus.String("CheckerRunning"),
852
dbus.Boolean(False, variant_level=1))
853
if os.WIFEXITED(condition):
854
exitstatus = os.WEXITSTATUS(condition)
855
# Emit D-Bus signal
856
self.CheckerCompleted(dbus.Int16(exitstatus),
857
dbus.Int64(condition),
858
dbus.String(command))
859
else:
860
# Emit D-Bus signal
861
self.CheckerCompleted(dbus.Int16(-1),
862
dbus.Int64(condition),
863
dbus.String(command))
864
865
return Client.checker_callback(self, pid, condition, command,
866
*args, **kwargs)
867
868
def checked_ok(self, *args, **kwargs):
869
Client.checked_ok(self, *args, **kwargs)
870
# Emit D-Bus signal
871
self.PropertyChanged(
872
dbus.String("LastCheckedOK"),
873
(self._datetime_to_dbus(self.last_checked_ok,
874
variant_level=1)))
875
876
def need_approval(self, *args, **kwargs):
877
r = Client.need_approval(self, *args, **kwargs)
878
# Emit D-Bus signal
879
self.PropertyChanged(
880
dbus.String("LastApprovalRequest"),
881
(self._datetime_to_dbus(self.last_approval_request,
882
variant_level=1)))
883
return r
884
885
def start_checker(self, *args, **kwargs):
886
old_checker = self.checker
887
if self.checker is not None:
888
old_checker_pid = self.checker.pid
889
else:
890
old_checker_pid = None
891
r = Client.start_checker(self, *args, **kwargs)
892
# Only if new checker process was started
893
if (self.checker is not None
894
and old_checker_pid != self.checker.pid):
895
# Emit D-Bus signal
896
self.CheckerStarted(self.current_checker_command)
897
self.PropertyChanged(
898
dbus.String("CheckerRunning"),
899
dbus.Boolean(True, variant_level=1))
900
return r
901
902
def stop_checker(self, *args, **kwargs):
903
old_checker = getattr(self, "checker", None)
904
r = Client.stop_checker(self, *args, **kwargs)
905
if (old_checker is not None
906
and getattr(self, "checker", None) is None):
907
self.PropertyChanged(dbus.String("CheckerRunning"),
908
dbus.Boolean(False, variant_level=1))
909
return r
910
911
def _reset_approved(self):
912
self._approved = None
913
return False
914
915
def approve(self, value=True):
916
self.send_changedstate()
917
self._approved = value
918
gobject.timeout_add(self._timedelta_to_milliseconds
919
(self.approval_duration),
920
self._reset_approved)
921
922
923
## D-Bus methods, signals & properties
924
_interface = "se.bsnet.fukt.Mandos.Client"
925
926
## Signals
480
927
481
928
# CheckerCompleted - signal
482
929
@dbus.service.signal(_interface, signature="nxs")
490
937
"D-Bus signal"
491
938
pass
492
939
493
# GetAllProperties - method
494
@dbus.service.method(_interface, out_signature="a{sv}")
495
def GetAllProperties(self):
496
"D-Bus method"
497
return dbus.Dictionary({
498
dbus.String("name"):
499
dbus.String(self.name, variant_level=1),
500
dbus.String("fingerprint"):
501
dbus.String(self.fingerprint, variant_level=1),
502
dbus.String("host"):
503
dbus.String(self.host, variant_level=1),
504
dbus.String("created"):
505
_datetime_to_dbus(self.created, variant_level=1),
506
dbus.String("last_enabled"):
507
(_datetime_to_dbus(self.last_enabled,
508
variant_level=1)
509
if self.last_enabled is not None
510
else dbus.Boolean(False, variant_level=1)),
511
dbus.String("enabled"):
512
dbus.Boolean(self.enabled, variant_level=1),
513
dbus.String("last_checked_ok"):
514
(_datetime_to_dbus(self.last_checked_ok,
515
variant_level=1)
516
if self.last_checked_ok is not None
517
else dbus.Boolean (False, variant_level=1)),
518
dbus.String("timeout"):
519
dbus.UInt64(self.timeout_milliseconds(),
520
variant_level=1),
521
dbus.String("interval"):
522
dbus.UInt64(self.interval_milliseconds(),
523
variant_level=1),
524
dbus.String("checker"):
525
dbus.String(self.checker_command,
526
variant_level=1),
527
dbus.String("checker_running"):
528
dbus.Boolean(self.checker is not None,
529
variant_level=1),
530
dbus.String("object_path"):
531
dbus.ObjectPath(self.dbus_object_path,
532
variant_level=1)
533
}, signature="sv")
534
535
# IsStillValid - method
536
IsStillValid = (dbus.service.method(_interface, out_signature="b")
537
(still_valid))
538
IsStillValid.__name__ = "IsStillValid"
539
540
940
# PropertyChanged - signal
541
941
@dbus.service.signal(_interface, signature="sv")
542
942
def PropertyChanged(self, property, value):
543
943
"D-Bus signal"
544
944
pass
545
945
546
# ReceivedSecret - signal
946
# GotSecret - signal
547
947
@dbus.service.signal(_interface)
548
def ReceivedSecret(self):
549
"D-Bus signal"
948
def GotSecret(self):
949
"""D-Bus signal
950
Is sent after a successful transfer of secret from the Mandos
951
server to mandos-client
952
"""
550
953
pass
551
954
552
955
# Rejected - signal
553
@dbus.service.signal(_interface)
554
def Rejected(self):
956
@dbus.service.signal(_interface, signature="s")
957
def Rejected(self, reason):
555
958
"D-Bus signal"
556
959
pass
557
960
558
# SetChecker - method
559
@dbus.service.method(_interface, in_signature="s")
560
def SetChecker(self, checker):
561
"D-Bus setter method"
562
self.checker_command = checker
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"checker"),
565
dbus.String(self.checker_command,
566
variant_level=1))
567
568
# SetHost - method
569
@dbus.service.method(_interface, in_signature="s")
570
def SetHost(self, host):
571
"D-Bus setter method"
572
self.host = host
573
# Emit D-Bus signal
574
self.PropertyChanged(dbus.String(u"host"),
575
dbus.String(self.host, variant_level=1))
576
577
# SetInterval - method
578
@dbus.service.method(_interface, in_signature="t")
579
def SetInterval(self, milliseconds):
580
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
581
# Emit D-Bus signal
582
self.PropertyChanged(dbus.String(u"interval"),
583
(dbus.UInt64(self.interval_milliseconds(),
584
variant_level=1)))
585
586
# SetSecret - method
587
@dbus.service.method(_interface, in_signature="ay",
588
byte_arrays=True)
589
def SetSecret(self, secret):
590
"D-Bus setter method"
591
self.secret = str(secret)
592
593
# SetTimeout - method
594
@dbus.service.method(_interface, in_signature="t")
595
def SetTimeout(self, milliseconds):
596
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
597
# Emit D-Bus signal
598
self.PropertyChanged(dbus.String(u"timeout"),
599
(dbus.UInt64(self.timeout_milliseconds(),
600
variant_level=1)))
961
# NeedApproval - signal
962
@dbus.service.signal(_interface, signature="tb")
963
def NeedApproval(self, timeout, default):
964
"D-Bus signal"
965
return self.need_approval()
966
967
## Methods
968
969
# Approve - method
970
@dbus.service.method(_interface, in_signature="b")
971
def Approve(self, value):
972
self.approve(value)
973
974
# CheckedOK - method
975
@dbus.service.method(_interface)
976
def CheckedOK(self):
977
self.checked_ok()
601
978
602
979
# Enable - method
603
Enable = dbus.service.method(_interface)(enable)
604
Enable.__name__ = "Enable"
980
@dbus.service.method(_interface)
981
def Enable(self):
982
"D-Bus method"
983
self.enable()
605
984
606
985
# StartChecker - method
607
986
@dbus.service.method(_interface)
616
995
self.disable()
617
996
618
997
# StopChecker - method
619
StopChecker = dbus.service.method(_interface)(stop_checker)
620
StopChecker.__name__ = "StopChecker"
998
@dbus.service.method(_interface)
999
def StopChecker(self):
1000
self.stop_checker()
1001
1002
## Properties
1003
1004
# ApprovalPending - property
1005
@dbus_service_property(_interface, signature="b", access="read")
1006
def ApprovalPending_dbus_property(self):
1007
return dbus.Boolean(bool(self.approvals_pending))
1008
1009
# ApprovedByDefault - property
1010
@dbus_service_property(_interface, signature="b",
1011
access="readwrite")
1012
def ApprovedByDefault_dbus_property(self, value=None):
1013
if value is None: # get
1014
return dbus.Boolean(self.approved_by_default)
1015
old_value = self.approved_by_default
1016
self.approved_by_default = bool(value)
1017
# Emit D-Bus signal
1018
if old_value != self.approved_by_default:
1019
self.PropertyChanged(dbus.String("ApprovedByDefault"),
1020
dbus.Boolean(value, variant_level=1))
1021
1022
# ApprovalDelay - property
1023
@dbus_service_property(_interface, signature="t",
1024
access="readwrite")
1025
def ApprovalDelay_dbus_property(self, value=None):
1026
if value is None: # get
1027
return dbus.UInt64(self.approval_delay_milliseconds())
1028
old_value = self.approval_delay
1029
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1030
# Emit D-Bus signal
1031
if old_value != self.approval_delay:
1032
self.PropertyChanged(dbus.String("ApprovalDelay"),
1033
dbus.UInt64(value, variant_level=1))
1034
1035
# ApprovalDuration - property
1036
@dbus_service_property(_interface, signature="t",
1037
access="readwrite")
1038
def ApprovalDuration_dbus_property(self, value=None):
1039
if value is None: # get
1040
return dbus.UInt64(self._timedelta_to_milliseconds(
1041
self.approval_duration))
1042
old_value = self.approval_duration
1043
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1044
# Emit D-Bus signal
1045
if old_value != self.approval_duration:
1046
self.PropertyChanged(dbus.String("ApprovalDuration"),
1047
dbus.UInt64(value, variant_level=1))
1048
1049
# Name - property
1050
@dbus_service_property(_interface, signature="s", access="read")
1051
def Name_dbus_property(self):
1052
return dbus.String(self.name)
1053
1054
# Fingerprint - property
1055
@dbus_service_property(_interface, signature="s", access="read")
1056
def Fingerprint_dbus_property(self):
1057
return dbus.String(self.fingerprint)
1058
1059
# Host - property
1060
@dbus_service_property(_interface, signature="s",
1061
access="readwrite")
1062
def Host_dbus_property(self, value=None):
1063
if value is None: # get
1064
return dbus.String(self.host)
1065
old_value = self.host
1066
self.host = value
1067
# Emit D-Bus signal
1068
if old_value != self.host:
1069
self.PropertyChanged(dbus.String("Host"),
1070
dbus.String(value, variant_level=1))
1071
1072
# Created - property
1073
@dbus_service_property(_interface, signature="s", access="read")
1074
def Created_dbus_property(self):
1075
return dbus.String(self._datetime_to_dbus(self.created))
1076
1077
# LastEnabled - property
1078
@dbus_service_property(_interface, signature="s", access="read")
1079
def LastEnabled_dbus_property(self):
1080
return self._datetime_to_dbus(self.last_enabled)
1081
1082
# Enabled - property
1083
@dbus_service_property(_interface, signature="b",
1084
access="readwrite")
1085
def Enabled_dbus_property(self, value=None):
1086
if value is None: # get
1087
return dbus.Boolean(self.enabled)
1088
if value:
1089
self.enable()
1090
else:
1091
self.disable()
1092
1093
# LastCheckedOK - property
1094
@dbus_service_property(_interface, signature="s",
1095
access="readwrite")
1096
def LastCheckedOK_dbus_property(self, value=None):
1097
if value is not None:
1098
self.checked_ok()
1099
return
1100
return self._datetime_to_dbus(self.last_checked_ok)
1101
1102
# Expires - property
1103
@dbus_service_property(_interface, signature="s", access="read")
1104
def Expires_dbus_property(self):
1105
return self._datetime_to_dbus(self.expires)
1106
1107
# LastApprovalRequest - property
1108
@dbus_service_property(_interface, signature="s", access="read")
1109
def LastApprovalRequest_dbus_property(self):
1110
return self._datetime_to_dbus(self.last_approval_request)
1111
1112
# Timeout - property
1113
@dbus_service_property(_interface, signature="t",
1114
access="readwrite")
1115
def Timeout_dbus_property(self, value=None):
1116
if value is None: # get
1117
return dbus.UInt64(self.timeout_milliseconds())
1118
old_value = self.timeout
1119
self.timeout = datetime.timedelta(0, 0, 0, value)
1120
# Emit D-Bus signal
1121
if old_value != self.timeout:
1122
self.PropertyChanged(dbus.String("Timeout"),
1123
dbus.UInt64(value, variant_level=1))
1124
if getattr(self, "disable_initiator_tag", None) is None:
1125
return
1126
# Reschedule timeout
1127
gobject.source_remove(self.disable_initiator_tag)
1128
self.disable_initiator_tag = None
1129
self.expires = None
1130
time_to_die = (self.
1131
_timedelta_to_milliseconds((self
1132
.last_checked_ok
1133
+ self.timeout)
1134
- datetime.datetime
1135
.utcnow()))
1136
if time_to_die <= 0:
1137
# The timeout has passed
1138
self.disable()
1139
else:
1140
self.expires = (datetime.datetime.utcnow()
1141
+ datetime.timedelta(milliseconds = time_to_die))
1142
self.disable_initiator_tag = (gobject.timeout_add
1143
(time_to_die, self.disable))
1144
1145
# ExtendedTimeout - property
1146
@dbus_service_property(_interface, signature="t",
1147
access="readwrite")
1148
def ExtendedTimeout_dbus_property(self, value=None):
1149
if value is None: # get
1150
return dbus.UInt64(self.extended_timeout_milliseconds())
1151
old_value = self.extended_timeout
1152
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1153
# Emit D-Bus signal
1154
if old_value != self.extended_timeout:
1155
self.PropertyChanged(dbus.String("ExtendedTimeout"),
1156
dbus.UInt64(value, variant_level=1))
1157
1158
# Interval - property
1159
@dbus_service_property(_interface, signature="t",
1160
access="readwrite")
1161
def Interval_dbus_property(self, value=None):
1162
if value is None: # get
1163
return dbus.UInt64(self.interval_milliseconds())
1164
old_value = self.interval
1165
self.interval = datetime.timedelta(0, 0, 0, value)
1166
# Emit D-Bus signal
1167
if old_value != self.interval:
1168
self.PropertyChanged(dbus.String("Interval"),
1169
dbus.UInt64(value, variant_level=1))
1170
if getattr(self, "checker_initiator_tag", None) is None:
1171
return
1172
# Reschedule checker run
1173
gobject.source_remove(self.checker_initiator_tag)
1174
self.checker_initiator_tag = (gobject.timeout_add
1175
(value, self.start_checker))
1176
self.start_checker() # Start one now, too
1177
1178
# Checker - property
1179
@dbus_service_property(_interface, signature="s",
1180
access="readwrite")
1181
def Checker_dbus_property(self, value=None):
1182
if value is None: # get
1183
return dbus.String(self.checker_command)
1184
old_value = self.checker_command
1185
self.checker_command = value
1186
# Emit D-Bus signal
1187
if old_value != self.checker_command:
1188
self.PropertyChanged(dbus.String("Checker"),
1189
dbus.String(self.checker_command,
1190
variant_level=1))
1191
1192
# CheckerRunning - property
1193
@dbus_service_property(_interface, signature="b",
1194
access="readwrite")
1195
def CheckerRunning_dbus_property(self, value=None):
1196
if value is None: # get
1197
return dbus.Boolean(self.checker is not None)
1198
if value:
1199
self.start_checker()
1200
else:
1201
self.stop_checker()
1202
1203
# ObjectPath - property
1204
@dbus_service_property(_interface, signature="o", access="read")
1205
def ObjectPath_dbus_property(self):
1206
return self.dbus_object_path # is already a dbus.ObjectPath
1207
1208
# Secret = property
1209
@dbus_service_property(_interface, signature="ay",
1210
access="write", byte_arrays=True)
1211
def Secret_dbus_property(self, value):
1212
self.secret = str(value)
621
1213
622
1214
del _interface
623
1215
624
1216
625
def peer_certificate(session):
626
"Return the peer's OpenPGP certificate as a bytestring"
627
# If not an OpenPGP certificate...
628
if (gnutls.library.functions
629
.gnutls_certificate_type_get(session._c_object)
630
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
631
# ...do the normal thing
632
return session.peer_certificate
633
list_size = ctypes.c_uint(1)
634
cert_list = (gnutls.library.functions
635
.gnutls_certificate_get_peers
636
(session._c_object, ctypes.byref(list_size)))
637
if not bool(cert_list) and list_size.value != 0:
638
raise gnutls.errors.GNUTLSError("error getting peer"
639
" certificate")
640
if list_size.value == 0:
641
return None
642
cert = cert_list[0]
643
return ctypes.string_at(cert.data, cert.size)
644
645
646
def fingerprint(openpgp):
647
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
648
# New GnuTLS "datum" with the OpenPGP public key
649
datum = (gnutls.library.types
650
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
651
ctypes.POINTER
652
(ctypes.c_ubyte)),
653
ctypes.c_uint(len(openpgp))))
654
# New empty GnuTLS certificate
655
crt = gnutls.library.types.gnutls_openpgp_crt_t()
656
(gnutls.library.functions
657
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
658
# Import the OpenPGP public key into the certificate
659
(gnutls.library.functions
660
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
661
gnutls.library.constants
662
.GNUTLS_OPENPGP_FMT_RAW))
663
# Verify the self signature in the key
664
crtverify = ctypes.c_uint()
665
(gnutls.library.functions
666
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
667
if crtverify.value != 0:
668
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
669
raise gnutls.errors.CertificateSecurityError("Verify failed")
670
# New buffer for the fingerprint
671
buf = ctypes.create_string_buffer(20)
672
buf_len = ctypes.c_size_t()
673
# Get the fingerprint from the certificate into the buffer
674
(gnutls.library.functions
675
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
676
ctypes.byref(buf_len)))
677
# Deinit the certificate
678
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
679
# Convert the buffer to a Python bytestring
680
fpr = ctypes.string_at(buf, buf_len.value)
681
# Convert the bytestring to hexadecimal notation
682
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
683
return hex_fpr
684
685
686
class TCP_handler(SocketServer.BaseRequestHandler, object):
687
"""A TCP request handler class.
688
Instantiated by IPv6_TCPServer for each request to handle it.
1217
class ProxyClient(object):
1218
def __init__(self, child_pipe, fpr, address):
1219
self._pipe = child_pipe
1220
self._pipe.send(('init', fpr, address))
1221
if not self._pipe.recv():
1222
raise KeyError()
1223
1224
def __getattribute__(self, name):
1225
if(name == '_pipe'):
1226
return super(ProxyClient, self).__getattribute__(name)
1227
self._pipe.send(('getattr', name))
1228
data = self._pipe.recv()
1229
if data[0] == 'data':
1230
return data[1]
1231
if data[0] == 'function':
1232
def func(*args, **kwargs):
1233
self._pipe.send(('funcall', name, args, kwargs))
1234
return self._pipe.recv()[1]
1235
return func
1236
1237
def __setattr__(self, name, value):
1238
if(name == '_pipe'):
1239
return super(ProxyClient, self).__setattr__(name, value)
1240
self._pipe.send(('setattr', name, value))
1241
1242
1243
class ClientHandler(socketserver.BaseRequestHandler, object):
1244
"""A class to handle client connections.
1245
1246
Instantiated once for each connection to handle it.
689
1247
Note: This will run in its own forked process."""
690
1248
691
1249
def handle(self):
692
logger.info(u"TCP connection from: %s",
693
unicode(self.client_address))
694
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
695
# Open IPC pipe to parent process
696
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
1250
with contextlib.closing(self.server.child_pipe) as child_pipe:
1251
logger.info("TCP connection from: %s",
1252
unicode(self.client_address))
1253
logger.debug("Pipe FD: %d",
1254
self.server.child_pipe.fileno())
1255
697
1256
session = (gnutls.connection
698
1257
.ClientSession(self.request,
699
1258
gnutls.connection
700
1259
.X509Credentials()))
701
702
line = self.request.makefile().readline()
703
logger.debug(u"Protocol version: %r", line)
704
try:
705
if int(line.strip().split()[0]) > 1:
706
raise RuntimeError
707
except (ValueError, IndexError, RuntimeError), error:
708
logger.error(u"Unknown protocol version: %s", error)
709
return
710
1260
711
1261
# Note: gnutls.connection.X509Credentials is really a
712
1262
# generic GnuTLS certificate credentials object so long as
713
1263
# no X.509 keys are added to it. Therefore, we can use it
714
1264
# here despite using OpenPGP certificates.
715
1265
716
1266
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
717
# "+AES-256-CBC", "+SHA1",
718
# "+COMP-NULL", "+CTYPE-OPENPGP",
719
# "+DHE-DSS"))
1267
# "+AES-256-CBC", "+SHA1",
1268
# "+COMP-NULL", "+CTYPE-OPENPGP",
1269
# "+DHE-DSS"))
720
1270
# Use a fallback default, since this MUST be set.
721
priority = self.server.settings.get("priority", "NORMAL")
1271
priority = self.server.gnutls_priority
1272
if priority is None:
1273
priority = "NORMAL"
722
1274
(gnutls.library.functions
723
1275
.gnutls_priority_set_direct(session._c_object,
724
1276
priority, None))
725
1277
1278
# Start communication using the Mandos protocol
1279
# Get protocol number
1280
line = self.request.makefile().readline()
1281
logger.debug("Protocol version: %r", line)
1282
try:
1283
if int(line.strip().split()[0]) > 1:
1284
raise RuntimeError
1285
except (ValueError, IndexError, RuntimeError) as error:
1286
logger.error("Unknown protocol version: %s", error)
1287
return
1288
1289
# Start GnuTLS connection
726
1290
try:
727
1291
session.handshake()
728
except gnutls.errors.GNUTLSError, error:
729
logger.warning(u"Handshake failed: %s", error)
1292
except gnutls.errors.GNUTLSError as error:
1293
logger.warning("Handshake failed: %s", error)
730
1294
# Do not run session.bye() here: the session is not
731
1295
# established. Just abandon the request.
732
1296
return
733
logger.debug(u"Handshake succeeded")
1297
logger.debug("Handshake succeeded")
1298
1299
approval_required = False
734
1300
try:
735
fpr = fingerprint(peer_certificate(session))
736
except (TypeError, gnutls.errors.GNUTLSError), error:
737
logger.warning(u"Bad certificate: %s", error)
738
session.bye()
739
return
740
logger.debug(u"Fingerprint: %s", fpr)
741
742
for c in self.server.clients:
743
if c.fingerprint == fpr:
744
client = c
745
break
746
else:
747
logger.warning(u"Client not found for fingerprint: %s",
748
fpr)
749
ipc.write("NOTFOUND %s\n" % fpr)
750
session.bye()
751
return
752
# Have to check if client.still_valid(), since it is
753
# possible that the client timed out while establishing
754
# the GnuTLS session.
755
if not client.still_valid():
756
logger.warning(u"Client %(name)s is invalid",
757
vars(client))
758
ipc.write("INVALID %s\n" % client.name)
759
session.bye()
760
return
761
ipc.write("SENDING %s\n" % client.name)
762
sent_size = 0
763
while sent_size < len(client.secret):
764
sent = session.send(client.secret[sent_size:])
765
logger.debug(u"Sent: %d, remaining: %d",
766
sent, len(client.secret)
767
- (sent_size + sent))
768
sent_size += sent
769
session.bye()
770
771
772
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
773
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
774
Assumes a gobject.MainLoop event loop.
775
"""
1301
try:
1302
fpr = self.fingerprint(self.peer_certificate
1303
(session))
1304
except (TypeError,
1305
gnutls.errors.GNUTLSError) as error:
1306
logger.warning("Bad certificate: %s", error)
1307
return
1308
logger.debug("Fingerprint: %s", fpr)
1309
1310
try:
1311
client = ProxyClient(child_pipe, fpr,
1312
self.client_address)
1313
except KeyError:
1314
return
1315
1316
if client.approval_delay:
1317
delay = client.approval_delay
1318
client.approvals_pending += 1
1319
approval_required = True
1320
1321
while True:
1322
if not client.enabled:
1323
logger.info("Client %s is disabled",
1324
client.name)
1325
if self.server.use_dbus:
1326
# Emit D-Bus signal
1327
client.Rejected("Disabled")
1328
return
1329
1330
if client._approved or not client.approval_delay:
1331
#We are approved or approval is disabled
1332
break
1333
elif client._approved is None:
1334
logger.info("Client %s needs approval",
1335
client.name)
1336
if self.server.use_dbus:
1337
# Emit D-Bus signal
1338
client.NeedApproval(
1339
client.approval_delay_milliseconds(),
1340
client.approved_by_default)
1341
else:
1342
logger.warning("Client %s was not approved",
1343
client.name)
1344
if self.server.use_dbus:
1345
# Emit D-Bus signal
1346
client.Rejected("Denied")
1347
return
1348
1349
#wait until timeout or approved
1350
#x = float(client._timedelta_to_milliseconds(delay))
1351
time = datetime.datetime.now()
1352
client.changedstate.acquire()
1353
client.changedstate.wait(float(client._timedelta_to_milliseconds(delay) / 1000))
1354
client.changedstate.release()
1355
time2 = datetime.datetime.now()
1356
if (time2 - time) >= delay:
1357
if not client.approved_by_default:
1358
logger.warning("Client %s timed out while"
1359
" waiting for approval",
1360
client.name)
1361
if self.server.use_dbus:
1362
# Emit D-Bus signal
1363
client.Rejected("Approval timed out")
1364
return
1365
else:
1366
break
1367
else:
1368
delay -= time2 - time
1369
1370
sent_size = 0
1371
while sent_size < len(client.secret):
1372
try:
1373
sent = session.send(client.secret[sent_size:])
1374
except gnutls.errors.GNUTLSError as error:
1375
logger.warning("gnutls send failed")
1376
return
1377
logger.debug("Sent: %d, remaining: %d",
1378
sent, len(client.secret)
1379
- (sent_size + sent))
1380
sent_size += sent
1381
1382
logger.info("Sending secret to %s", client.name)
1383
# bump the timeout as if seen
1384
client.checked_ok(client.extended_timeout)
1385
if self.server.use_dbus:
1386
# Emit D-Bus signal
1387
client.GotSecret()
1388
1389
finally:
1390
if approval_required:
1391
client.approvals_pending -= 1
1392
try:
1393
session.bye()
1394
except gnutls.errors.GNUTLSError as error:
1395
logger.warning("GnuTLS bye failed")
1396
1397
@staticmethod
1398
def peer_certificate(session):
1399
"Return the peer's OpenPGP certificate as a bytestring"
1400
# If not an OpenPGP certificate...
1401
if (gnutls.library.functions
1402
.gnutls_certificate_type_get(session._c_object)
1403
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1404
# ...do the normal thing
1405
return session.peer_certificate
1406
list_size = ctypes.c_uint(1)
1407
cert_list = (gnutls.library.functions
1408
.gnutls_certificate_get_peers
1409
(session._c_object, ctypes.byref(list_size)))
1410
if not bool(cert_list) and list_size.value != 0:
1411
raise gnutls.errors.GNUTLSError("error getting peer"
1412
" certificate")
1413
if list_size.value == 0:
1414
return None
1415
cert = cert_list[0]
1416
return ctypes.string_at(cert.data, cert.size)
1417
1418
@staticmethod
1419
def fingerprint(openpgp):
1420
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1421
# New GnuTLS "datum" with the OpenPGP public key
1422
datum = (gnutls.library.types
1423
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1424
ctypes.POINTER
1425
(ctypes.c_ubyte)),
1426
ctypes.c_uint(len(openpgp))))
1427
# New empty GnuTLS certificate
1428
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1429
(gnutls.library.functions
1430
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1431
# Import the OpenPGP public key into the certificate
1432
(gnutls.library.functions
1433
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1434
gnutls.library.constants
1435
.GNUTLS_OPENPGP_FMT_RAW))
1436
# Verify the self signature in the key
1437
crtverify = ctypes.c_uint()
1438
(gnutls.library.functions
1439
.gnutls_openpgp_crt_verify_self(crt, 0,
1440
ctypes.byref(crtverify)))
1441
if crtverify.value != 0:
1442
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1443
raise (gnutls.errors.CertificateSecurityError
1444
("Verify failed"))
1445
# New buffer for the fingerprint
1446
buf = ctypes.create_string_buffer(20)
1447
buf_len = ctypes.c_size_t()
1448
# Get the fingerprint from the certificate into the buffer
1449
(gnutls.library.functions
1450
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1451
ctypes.byref(buf_len)))
1452
# Deinit the certificate
1453
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1454
# Convert the buffer to a Python bytestring
1455
fpr = ctypes.string_at(buf, buf_len.value)
1456
# Convert the bytestring to hexadecimal notation
1457
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1458
return hex_fpr
1459
1460
1461
class MultiprocessingMixIn(object):
1462
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1463
def sub_process_main(self, request, address):
1464
try:
1465
self.finish_request(request, address)
1466
except:
1467
self.handle_error(request, address)
1468
self.close_request(request)
1469
1470
def process_request(self, request, address):
1471
"""Start a new process to process the request."""
1472
multiprocessing.Process(target = self.sub_process_main,
1473
args = (request, address)).start()
1474
1475
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1476
""" adds a pipe to the MixIn """
776
1477
def process_request(self, request, client_address):
777
"""This overrides and wraps the original process_request().
778
This function creates a new pipe in self.pipe
1478
"""Overrides and wraps the original process_request().
1479
1480
This function creates a new pipe in self.pipe
779
1481
"""
780
self.pipe = os.pipe()
781
super(ForkingMixInWithPipe,
1482
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1483
1484
super(MultiprocessingMixInWithPipe,
782
1485
self).process_request(request, client_address)
783
os.close(self.pipe[1]) # close write end
784
# Call "handle_ipc" for both data and EOF events
785
gobject.io_add_watch(self.pipe[0],
786
gobject.IO_IN | gobject.IO_HUP,
787
self.handle_ipc)
788
def handle_ipc(source, condition):
1486
self.child_pipe.close()
1487
self.add_pipe(parent_pipe)
1488
1489
def add_pipe(self, parent_pipe):
789
1490
"""Dummy function; override as necessary"""
790
os.close(source)
791
return False
792
793
794
class IPv6_TCPServer(ForkingMixInWithPipe,
795
SocketServer.TCPServer, object):
1491
raise NotImplementedError
1492
1493
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1494
socketserver.TCPServer, object):
796
1495
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1496
797
1497
Attributes:
798
settings: Server settings
799
clients: Set() of Client objects
800
1498
enabled: Boolean; whether this server is activated yet
1499
interface: None or a network interface name (string)
1500
use_ipv6: Boolean; to use IPv6 or not
801
1501
"""
802
address_family = socket.AF_INET6
803
def __init__(self, *args, **kwargs):
804
if "settings" in kwargs:
805
self.settings = kwargs["settings"]
806
del kwargs["settings"]
807
if "clients" in kwargs:
808
self.clients = kwargs["clients"]
809
del kwargs["clients"]
810
if "use_ipv6" in kwargs:
811
if not kwargs["use_ipv6"]:
812
self.address_family = socket.AF_INET
813
del kwargs["use_ipv6"]
814
self.enabled = False
815
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1502
def __init__(self, server_address, RequestHandlerClass,
1503
interface=None, use_ipv6=True):
1504
self.interface = interface
1505
if use_ipv6:
1506
self.address_family = socket.AF_INET6
1507
socketserver.TCPServer.__init__(self, server_address,
1508
RequestHandlerClass)
816
1509
def server_bind(self):
817
1510
"""This overrides the normal server_bind() function
818
1511
to bind to an interface if one was specified, and also NOT to
819
1512
bind to an address or port if they were not specified."""
820
if self.settings["interface"]:
821
# 25 is from /usr/include/asm-i486/socket.h
822
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
823
try:
824
self.socket.setsockopt(socket.SOL_SOCKET,
825
SO_BINDTODEVICE,
826
self.settings["interface"])
827
except socket.error, error:
828
if error[0] == errno.EPERM:
829
logger.error(u"No permission to"
830
u" bind to interface %s",
831
self.settings["interface"])
832
else:
833
raise
1513
if self.interface is not None:
1514
if SO_BINDTODEVICE is None:
1515
logger.error("SO_BINDTODEVICE does not exist;"
1516
" cannot bind to interface %s",
1517
self.interface)
1518
else:
1519
try:
1520
self.socket.setsockopt(socket.SOL_SOCKET,
1521
SO_BINDTODEVICE,
1522
str(self.interface
1523
+ '\0'))
1524
except socket.error as error:
1525
if error[0] == errno.EPERM:
1526
logger.error("No permission to"
1527
" bind to interface %s",
1528
self.interface)
1529
elif error[0] == errno.ENOPROTOOPT:
1530
logger.error("SO_BINDTODEVICE not available;"
1531
" cannot bind to interface %s",
1532
self.interface)
1533
else:
1534
raise
834
1535
# Only bind(2) the socket if we really need to.
835
1536
if self.server_address[0] or self.server_address[1]:
836
1537
if not self.server_address[0]:
843
1544
elif not self.server_address[1]:
844
1545
self.server_address = (self.server_address[0],
845
1546
0)
846
# if self.settings["interface"]:
1547
# if self.interface:
847
1548
# self.server_address = (self.server_address[0],
848
1549
# 0, # port
849
1550
# 0, # flowinfo
850
1551
# if_nametoindex
851
# (self.settings
852
# ["interface"]))
853
return super(IPv6_TCPServer, self).server_bind()
1552
# (self.interface))
1553
return socketserver.TCPServer.server_bind(self)
1554
1555
1556
class MandosServer(IPv6_TCPServer):
1557
"""Mandos server.
1558
1559
Attributes:
1560
clients: set of Client objects
1561
gnutls_priority GnuTLS priority string
1562
use_dbus: Boolean; to emit D-Bus signals or not
1563
1564
Assumes a gobject.MainLoop event loop.
1565
"""
1566
def __init__(self, server_address, RequestHandlerClass,
1567
interface=None, use_ipv6=True, clients=None,
1568
gnutls_priority=None, use_dbus=True):
1569
self.enabled = False
1570
self.clients = clients
1571
if self.clients is None:
1572
self.clients = set()
1573
self.use_dbus = use_dbus
1574
self.gnutls_priority = gnutls_priority
1575
IPv6_TCPServer.__init__(self, server_address,
1576
RequestHandlerClass,
1577
interface = interface,
1578
use_ipv6 = use_ipv6)
854
1579
def server_activate(self):
855
1580
if self.enabled:
856
return super(IPv6_TCPServer, self).server_activate()
1581
return socketserver.TCPServer.server_activate(self)
857
1582
def enable(self):
858
1583
self.enabled = True
859
def handle_ipc(self, source, condition, file_objects={}):
1584
def add_pipe(self, parent_pipe):
1585
# Call "handle_ipc" for both data and EOF events
1586
gobject.io_add_watch(parent_pipe.fileno(),
1587
gobject.IO_IN | gobject.IO_HUP,
1588
functools.partial(self.handle_ipc,
1589
parent_pipe = parent_pipe))
1590
1591
def handle_ipc(self, source, condition, parent_pipe=None,
1592
client_object=None):
860
1593
condition_names = {
861
gobject.IO_IN: "IN", # There is data to read.
1594
gobject.IO_IN: "IN", # There is data to read.
862
1595
gobject.IO_OUT: "OUT", # Data can be written (without
863
# blocking).
1596
# blocking).
864
1597
gobject.IO_PRI: "PRI", # There is urgent data to read.
865
1598
gobject.IO_ERR: "ERR", # Error condition.
866
1599
gobject.IO_HUP: "HUP" # Hung up (the connection has been
867
# broken, usually for pipes and
868
# sockets).
1600
# broken, usually for pipes and
1601
# sockets).
869
1602
}
870
1603
conditions_string = ' | '.join(name
871
1604
for cond, name in
872
1605
condition_names.iteritems()
873
1606
if cond & condition)
874
logger.debug("Handling IPC: FD = %d, condition = %s", source,
875
conditions_string)
876
877
# Turn the pipe file descriptor into a Python file object
878
if source not in file_objects:
879
file_objects[source] = os.fdopen(source, "r", 1)
880
881
# Read a line from the file object
882
cmdline = file_objects[source].readline()
883
if not cmdline: # Empty line means end of file
884
# close the IPC pipe
885
file_objects[source].close()
886
del file_objects[source]
1607
# error or the other end of multiprocessing.Pipe has closed
1608
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1609
return False
1610
1611
# Read a request from the child
1612
request = parent_pipe.recv()
1613
command = request[0]
1614
1615
if command == 'init':
1616
fpr = request[1]
1617
address = request[2]
887
1618
888
# Stop calling this function
889
return False
890
891
logger.debug("IPC command: %r\n" % cmdline)
892
893
# Parse and act on command
894
cmd, args = cmdline.split(None, 1)
895
if cmd == "NOTFOUND":
896
if self.settings["use_dbus"]:
897
# Emit D-Bus signal
898
mandos_dbus_service.ClientNotFound(args)
899
elif cmd == "INVALID":
900
if self.settings["use_dbus"]:
901
for client in self.clients:
902
if client.name == args:
903
# Emit D-Bus signal
904
client.Rejected()
905
break
906
elif cmd == "SENDING":
907
for client in self.clients:
908
if client.name == args:
909
client.checked_ok()
910
if self.settings["use_dbus"]:
911
# Emit D-Bus signal
912
client.ReceivedSecret()
1619
for c in self.clients:
1620
if c.fingerprint == fpr:
1621
client = c
913
1622
break
914
else:
915
logger.error("Unknown IPC command: %r", cmdline)
1623
else:
1624
logger.info("Client not found for fingerprint: %s, ad"
1625
"dress: %s", fpr, address)
1626
if self.use_dbus:
1627
# Emit D-Bus signal
1628
mandos_dbus_service.ClientNotFound(fpr, address[0])
1629
parent_pipe.send(False)
1630
return False
1631
1632
gobject.io_add_watch(parent_pipe.fileno(),
1633
gobject.IO_IN | gobject.IO_HUP,
1634
functools.partial(self.handle_ipc,
1635
parent_pipe = parent_pipe,
1636
client_object = client))
1637
parent_pipe.send(True)
1638
# remove the old hook in favor of the new above hook on same fileno
1639
return False
1640
if command == 'funcall':
1641
funcname = request[1]
1642
args = request[2]
1643
kwargs = request[3]
1644
1645
parent_pipe.send(('data', getattr(client_object, funcname)(*args, **kwargs)))
1646
1647
if command == 'getattr':
1648
attrname = request[1]
1649
if callable(client_object.__getattribute__(attrname)):
1650
parent_pipe.send(('function',))
1651
else:
1652
parent_pipe.send(('data', client_object.__getattribute__(attrname)))
916
1653
917
# Keep calling this function
1654
if command == 'setattr':
1655
attrname = request[1]
1656
value = request[2]
1657
setattr(client_object, attrname, value)
1658
918
1659
return True
919
1660
920
1661
929
1670
datetime.timedelta(0, 3600)
930
1671
>>> string_to_delta('24h')
931
1672
datetime.timedelta(1)
932
>>> string_to_delta(u'1w')
1673
>>> string_to_delta('1w')
933
1674
datetime.timedelta(7)
934
1675
>>> string_to_delta('5m 30s')
935
1676
datetime.timedelta(0, 330)
939
1680
try:
940
1681
suffix = unicode(s[-1])
941
1682
value = int(s[:-1])
942
if suffix == u"d":
1683
if suffix == "d":
943
1684
delta = datetime.timedelta(value)
944
elif suffix == u"s":
1685
elif suffix == "s":
945
1686
delta = datetime.timedelta(0, value)
946
elif suffix == u"m":
1687
elif suffix == "m":
947
1688
delta = datetime.timedelta(0, 0, 0, 0, value)
948
elif suffix == u"h":
1689
elif suffix == "h":
949
1690
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
950
elif suffix == u"w":
1691
elif suffix == "w":
951
1692
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
952
1693
else:
953
raise ValueError
954
except (ValueError, IndexError):
955
raise ValueError
1694
raise ValueError("Unknown suffix %r" % suffix)
1695
except (ValueError, IndexError) as e:
1696
raise ValueError(*(e.args))
956
1697
timevalue += delta
957
1698
return timevalue
958
1699
959
1700
960
def server_state_changed(state):
961
"""Derived from the Avahi example code"""
962
if state == avahi.SERVER_COLLISION:
963
logger.error(u"Zeroconf server name collision")
964
service.remove()
965
elif state == avahi.SERVER_RUNNING:
966
service.add()
967
968
969
def entry_group_state_changed(state, error):
970
"""Derived from the Avahi example code"""
971
logger.debug(u"Avahi state change: %i", state)
972
973
if state == avahi.ENTRY_GROUP_ESTABLISHED:
974
logger.debug(u"Zeroconf service established.")
975
elif state == avahi.ENTRY_GROUP_COLLISION:
976
logger.warning(u"Zeroconf service name collision.")
977
service.rename()
978
elif state == avahi.ENTRY_GROUP_FAILURE:
979
logger.critical(u"Avahi: Error in group state changed %s",
980
unicode(error))
981
raise AvahiGroupError(u"State changed: %s" % unicode(error))
982
983
1701
def if_nametoindex(interface):
984
"""Call the C function if_nametoindex(), or equivalent"""
1702
"""Call the C function if_nametoindex(), or equivalent
1703
1704
Note: This function cannot accept a unicode string."""
985
1705
global if_nametoindex
986
1706
try:
987
1707
if_nametoindex = (ctypes.cdll.LoadLibrary
988
1708
(ctypes.util.find_library("c"))
989
1709
.if_nametoindex)
990
1710
except (OSError, AttributeError):
991
if "struct" not in sys.modules:
992
import struct
993
if "fcntl" not in sys.modules:
994
import fcntl
1711
logger.warning("Doing if_nametoindex the hard way")
995
1712
def if_nametoindex(interface):
996
1713
"Get an interface index the hard way, i.e. using fcntl()"
997
1714
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
998
with closing(socket.socket()) as s:
1715
with contextlib.closing(socket.socket()) as s:
999
1716
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1000
struct.pack("16s16x", interface))
1001
interface_index = struct.unpack("I", ifreq[16:20])[0]
1717
struct.pack(str("16s16x"),
1718
interface))
1719
interface_index = struct.unpack(str("I"),
1720
ifreq[16:20])[0]
1002
1721
return interface_index
1003
1722
return if_nametoindex(interface)
1004
1723
1005
1724
1006
1725
def daemon(nochdir = False, noclose = False):
1007
1726
"""See daemon(3). Standard BSD Unix function.
1727
1008
1728
This should really exist as os.daemon, but it doesn't (yet)."""
1009
1729
if os.fork():
1010
1730
sys.exit()
1018
1738
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1019
1739
if not stat.S_ISCHR(os.fstat(null).st_mode):
1020
1740
raise OSError(errno.ENODEV,
1021
"/dev/null not a character device")
1741
"%s not a character device"
1742
% os.path.devnull)
1022
1743
os.dup2(null, sys.stdin.fileno())
1023
1744
os.dup2(null, sys.stdout.fileno())
1024
1745
os.dup2(null, sys.stderr.fileno())
1028
1749
1029
1750
def main():
1030
1751
1031
######################################################################
1752
##################################################################
1032
1753
# Parsing of options, both command line and config file
1033
1754
1034
parser = optparse.OptionParser(version = "%%prog %s" % version)
1035
parser.add_option("-i", "--interface", type="string",
1036
metavar="IF", help="Bind to interface IF")
1037
parser.add_option("-a", "--address", type="string",
1038
help="Address to listen for requests on")
1039
parser.add_option("-p", "--port", type="int",
1040
help="Port number to receive requests on")
1041
parser.add_option("--check", action="store_true",
1042
help="Run self-test")
1043
parser.add_option("--debug", action="store_true",
1044
help="Debug mode; run in foreground and log to"
1045
" terminal")
1046
parser.add_option("--priority", type="string", help="GnuTLS"
1047
" priority string (see GnuTLS documentation)")
1048
parser.add_option("--servicename", type="string", metavar="NAME",
1049
help="Zeroconf service name")
1050
parser.add_option("--configdir", type="string",
1051
default="/etc/mandos", metavar="DIR",
1052
help="Directory to search for configuration"
1053
" files")
1054
parser.add_option("--no-dbus", action="store_false",
1055
dest="use_dbus",
1056
help="Do not provide D-Bus system bus"
1057
" interface")
1058
parser.add_option("--no-ipv6", action="store_false",
1059
dest="use_ipv6", help="Do not use IPv6")
1060
options = parser.parse_args()[0]
1755
parser = argparse.ArgumentParser()
1756
parser.add_argument("-v", "--version", action="version",
1757
version = "%%(prog)s %s" % version,
1758
help="show version number and exit")
1759
parser.add_argument("-i", "--interface", metavar="IF",
1760
help="Bind to interface IF")
1761
parser.add_argument("-a", "--address",
1762
help="Address to listen for requests on")
1763
parser.add_argument("-p", "--port", type=int,
1764
help="Port number to receive requests on")
1765
parser.add_argument("--check", action="store_true",
1766
help="Run self-test")
1767
parser.add_argument("--debug", action="store_true",
1768
help="Debug mode; run in foreground and log"
1769
" to terminal")
1770
parser.add_argument("--debuglevel", metavar="LEVEL",
1771
help="Debug level for stdout output")
1772
parser.add_argument("--priority", help="GnuTLS"
1773
" priority string (see GnuTLS documentation)")
1774
parser.add_argument("--servicename",
1775
metavar="NAME", help="Zeroconf service name")
1776
parser.add_argument("--configdir",
1777
default="/etc/mandos", metavar="DIR",
1778
help="Directory to search for configuration"
1779
" files")
1780
parser.add_argument("--no-dbus", action="store_false",
1781
dest="use_dbus", help="Do not provide D-Bus"
1782
" system bus interface")
1783
parser.add_argument("--no-ipv6", action="store_false",
1784
dest="use_ipv6", help="Do not use IPv6")
1785
options = parser.parse_args()
1061
1786
1062
1787
if options.check:
1063
1788
import doctest
1074
1799
"servicename": "Mandos",
1075
1800
"use_dbus": "True",
1076
1801
"use_ipv6": "True",
1802
"debuglevel": "",
1077
1803
}
1078
1804
1079
1805
# Parse config file for server-global settings
1080
server_config = ConfigParser.SafeConfigParser(server_defaults)
1806
server_config = configparser.SafeConfigParser(server_defaults)
1081
1807
del server_defaults
1082
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1808
server_config.read(os.path.join(options.configdir,
1809
"mandos.conf"))
1083
1810
# Convert the SafeConfigParser object to a dict
1084
1811
server_settings = server_config.defaults()
1085
1812
# Use the appropriate methods on the non-string config options
1086
server_settings["debug"] = server_config.getboolean("DEFAULT",
1087
"debug")
1088
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1089
"use_dbus")
1090
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1091
"use_ipv6")
1813
for option in ("debug", "use_dbus", "use_ipv6"):
1814
server_settings[option] = server_config.getboolean("DEFAULT",
1815
option)
1092
1816
if server_settings["port"]:
1093
1817
server_settings["port"] = server_config.getint("DEFAULT",
1094
1818
"port")
1098
1822
# options, if set.
1099
1823
for option in ("interface", "address", "port", "debug",
1100
1824
"priority", "servicename", "configdir",
1101
"use_dbus", "use_ipv6"):
1825
"use_dbus", "use_ipv6", "debuglevel"):
1102
1826
value = getattr(options, option)
1103
1827
if value is not None:
1104
1828
server_settings[option] = value
1105
1829
del options
1830
# Force all strings to be unicode
1831
for option in server_settings.keys():
1832
if type(server_settings[option]) is str:
1833
server_settings[option] = unicode(server_settings[option])
1106
1834
# Now we have our good server settings in "server_settings"
1107
1835
1108
1836
##################################################################
1109
1837
1110
1838
# For convenience
1111
1839
debug = server_settings["debug"]
1840
debuglevel = server_settings["debuglevel"]
1112
1841
use_dbus = server_settings["use_dbus"]
1113
1842
use_ipv6 = server_settings["use_ipv6"]
1114
1115
if not debug:
1116
syslogger.setLevel(logging.WARNING)
1117
console.setLevel(logging.WARNING)
1118
1843
1119
1844
if server_settings["servicename"] != "Mandos":
1120
1845
syslogger.setFormatter(logging.Formatter
1121
1846
('Mandos (%s) [%%(process)d]:'
1123
1848
% server_settings["servicename"]))
1124
1849
1125
1850
# Parse config file with clients
1126
client_defaults = { "timeout": "1h",
1127
"interval": "5m",
1851
client_defaults = { "timeout": "5m",
1852
"extended_timeout": "15m",
1853
"interval": "2m",
1128
1854
"checker": "fping -q -- %%(host)s",
1129
1855
"host": "",
1856
"approval_delay": "0s",
1857
"approval_duration": "1s",
1130
1858
}
1131
client_config = ConfigParser.SafeConfigParser(client_defaults)
1859
client_config = configparser.SafeConfigParser(client_defaults)
1132
1860
client_config.read(os.path.join(server_settings["configdir"],
1133
1861
"clients.conf"))
1134
1862
1135
1863
global mandos_dbus_service
1136
1864
mandos_dbus_service = None
1137
1865
1138
clients = Set()
1139
tcp_server = IPv6_TCPServer((server_settings["address"],
1140
server_settings["port"]),
1141
TCP_handler,
1142
settings=server_settings,
1143
clients=clients, use_ipv6=use_ipv6)
1144
pidfilename = "/var/run/mandos.pid"
1145
try:
1146
pidfile = open(pidfilename, "w")
1147
except IOError:
1148
logger.error("Could not open file %r", pidfilename)
1866
tcp_server = MandosServer((server_settings["address"],
1867
server_settings["port"]),
1868
ClientHandler,
1869
interface=(server_settings["interface"]
1870
or None),
1871
use_ipv6=use_ipv6,
1872
gnutls_priority=
1873
server_settings["priority"],
1874
use_dbus=use_dbus)
1875
if not debug:
1876
pidfilename = "/var/run/mandos.pid"
1877
try:
1878
pidfile = open(pidfilename, "w")
1879
except IOError:
1880
logger.error("Could not open file %r", pidfilename)
1149
1881
1150
1882
try:
1151
1883
uid = pwd.getpwnam("_mandos").pw_uid
1157
1889
except KeyError:
1158
1890
try:
1159
1891
uid = pwd.getpwnam("nobody").pw_uid
1160
gid = pwd.getpwnam("nogroup").pw_gid
1892
gid = pwd.getpwnam("nobody").pw_gid
1161
1893
except KeyError:
1162
1894
uid = 65534
1163
1895
gid = 65534
1164
1896
try:
1165
1897
os.setgid(gid)
1166
1898
os.setuid(uid)
1167
except OSError, error:
1899
except OSError as error:
1168
1900
if error[0] != errno.EPERM:
1169
1901
raise error
1170
1902
1171
# Enable all possible GnuTLS debugging
1903
if not debug and not debuglevel:
1904
syslogger.setLevel(logging.WARNING)
1905
console.setLevel(logging.WARNING)
1906
if debuglevel:
1907
level = getattr(logging, debuglevel.upper())
1908
syslogger.setLevel(level)
1909
console.setLevel(level)
1910
1172
1911
if debug:
1912
# Enable all possible GnuTLS debugging
1913
1173
1914
# "Use a log level over 10 to enable all debugging options."
1174
1915
# - GnuTLS manual
1175
1916
gnutls.library.functions.gnutls_global_set_log_level(11)
1180
1921
1181
1922
(gnutls.library.functions
1182
1923
.gnutls_global_set_log_function(debug_gnutls))
1924
1925
# Redirect stdin so all checkers get /dev/null
1926
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1927
os.dup2(null, sys.stdin.fileno())
1928
if null > 2:
1929
os.close(null)
1930
else:
1931
# No console logging
1932
logger.removeHandler(console)
1183
1933
1184
global service
1185
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1186
service = AvahiService(name = server_settings["servicename"],
1187
servicetype = "_mandos._tcp",
1188
protocol = protocol)
1189
if server_settings["interface"]:
1190
service.interface = (if_nametoindex
1191
(server_settings["interface"]))
1934
# Need to fork before connecting to D-Bus
1935
if not debug:
1936
# Close all input and output, do double fork, etc.
1937
daemon()
1192
1938
1193
1939
global main_loop
1194
global bus
1195
global server
1196
1940
# From the Avahi example code
1197
1941
DBusGMainLoop(set_as_default=True )
1198
1942
main_loop = gobject.MainLoop()
1199
1943
bus = dbus.SystemBus()
1200
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1201
avahi.DBUS_PATH_SERVER),
1202
avahi.DBUS_INTERFACE_SERVER)
1203
1944
# End of Avahi example code
1204
1945
if use_dbus:
1205
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1206
1207
clients.update(Set(Client(name = section,
1208
config
1209
= dict(client_config.items(section)),
1210
use_dbus = use_dbus)
1211
for section in client_config.sections()))
1212
if not clients:
1213
logger.warning(u"No clients defined")
1214
1215
if debug:
1216
# Redirect stdin so all checkers get /dev/null
1217
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1218
os.dup2(null, sys.stdin.fileno())
1219
if null > 2:
1220
os.close(null)
1221
else:
1222
# No console logging
1223
logger.removeHandler(console)
1224
# Close all input and output, do double fork, etc.
1225
daemon()
1226
1227
try:
1228
with closing(pidfile):
1229
pid = os.getpid()
1230
pidfile.write(str(pid) + "\n")
1231
del pidfile
1232
except IOError:
1233
logger.error(u"Could not write to file %r with PID %d",
1234
pidfilename, pid)
1235
except NameError:
1236
# "pidfile" was never created
1237
pass
1238
del pidfilename
1239
1240
def cleanup():
1241
"Cleanup function; run on exit"
1242
global group
1243
# From the Avahi example code
1244
if not group is None:
1245
group.Free()
1246
group = None
1247
# End of Avahi example code
1946
try:
1947
bus_name = dbus.service.BusName("se.bsnet.fukt.Mandos",
1948
bus, do_not_queue=True)
1949
except dbus.exceptions.NameExistsException as e:
1950
logger.error(unicode(e) + ", disabling D-Bus")
1951
use_dbus = False
1952
server_settings["use_dbus"] = False
1953
tcp_server.use_dbus = False
1954
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1955
service = AvahiService(name = server_settings["servicename"],
1956
servicetype = "_mandos._tcp",
1957
protocol = protocol, bus = bus)
1958
if server_settings["interface"]:
1959
service.interface = (if_nametoindex
1960
(str(server_settings["interface"])))
1961
1962
global multiprocessing_manager
1963
multiprocessing_manager = multiprocessing.Manager()
1964
1965
client_class = Client
1966
if use_dbus:
1967
client_class = functools.partial(ClientDBus, bus = bus)
1968
def client_config_items(config, section):
1969
special_settings = {
1970
"approved_by_default":
1971
lambda: config.getboolean(section,
1972
"approved_by_default"),
1973
}
1974
for name, value in config.items(section):
1975
try:
1976
yield (name, special_settings[name]())
1977
except KeyError:
1978
yield (name, value)
1979
1980
tcp_server.clients.update(set(
1981
client_class(name = section,
1982
config= dict(client_config_items(
1983
client_config, section)))
1984
for section in client_config.sections()))
1985
if not tcp_server.clients:
1986
logger.warning("No clients defined")
1248
1987
1249
while clients:
1250
client = clients.pop()
1251
client.disable_hook = None
1252
client.disable()
1253
1254
atexit.register(cleanup)
1255
1256
1988
if not debug:
1989
try:
1990
with pidfile:
1991
pid = os.getpid()
1992
pidfile.write(str(pid) + "\n".encode("utf-8"))
1993
del pidfile
1994
except IOError:
1995
logger.error("Could not write to file %r with PID %d",
1996
pidfilename, pid)
1997
except NameError:
1998
# "pidfile" was never created
1999
pass
2000
del pidfilename
2001
1257
2002
signal.signal(signal.SIGINT, signal.SIG_IGN)
2003
1258
2004
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1259
2005
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1260
2006
1263
2009
"""A D-Bus proxy object"""
1264
2010
def __init__(self):
1265
2011
dbus.service.Object.__init__(self, bus, "/")
1266
_interface = u"se.bsnet.fukt.Mandos"
2012
_interface = "se.bsnet.fukt.Mandos"
1267
2013
1268
@dbus.service.signal(_interface, signature="oa{sv}")
1269
def ClientAdded(self, objpath, properties):
2014
@dbus.service.signal(_interface, signature="o")
2015
def ClientAdded(self, objpath):
1270
2016
"D-Bus signal"
1271
2017
pass
1272
2018
1273
@dbus.service.signal(_interface, signature="s")
1274
def ClientNotFound(self, fingerprint):
2019
@dbus.service.signal(_interface, signature="ss")
2020
def ClientNotFound(self, fingerprint, address):
1275
2021
"D-Bus signal"
1276
2022
pass
1277
2023
1283
2029
@dbus.service.method(_interface, out_signature="ao")
1284
2030
def GetAllClients(self):
1285
2031
"D-Bus method"
1286
return dbus.Array(c.dbus_object_path for c in clients)
2032
return dbus.Array(c.dbus_object_path
2033
for c in tcp_server.clients)
1287
2034
1288
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
2035
@dbus.service.method(_interface,
2036
out_signature="a{oa{sv}}")
1289
2037
def GetAllClientsWithProperties(self):
1290
2038
"D-Bus method"
1291
2039
return dbus.Dictionary(
1292
((c.dbus_object_path, c.GetAllProperties())
1293
for c in clients),
2040
((c.dbus_object_path, c.GetAll(""))
2041
for c in tcp_server.clients),
1294
2042
signature="oa{sv}")
1295
2043
1296
2044
@dbus.service.method(_interface, in_signature="o")
1297
2045
def RemoveClient(self, object_path):
1298
2046
"D-Bus method"
1299
for c in clients:
2047
for c in tcp_server.clients:
1300
2048
if c.dbus_object_path == object_path:
1301
clients.remove(c)
2049
tcp_server.clients.remove(c)
2050
c.remove_from_connection()
1302
2051
# Don't signal anything except ClientRemoved
1303
c.use_dbus = False
1304
c.disable()
2052
c.disable(quiet=True)
1305
2053
# Emit D-Bus signal
1306
2054
self.ClientRemoved(object_path, c.name)
1307
2055
return
1308
raise KeyError
2056
raise KeyError(object_path)
1309
2057
1310
2058
del _interface
1311
2059
1312
2060
mandos_dbus_service = MandosDBusService()
1313
2061
1314
for client in clients:
2062
def cleanup():
2063
"Cleanup function; run on exit"
2064
service.cleanup()
2065
2066
while tcp_server.clients:
2067
client = tcp_server.clients.pop()
2068
if use_dbus:
2069
client.remove_from_connection()
2070
client.disable_hook = None
2071
# Don't signal anything except ClientRemoved
2072
client.disable(quiet=True)
2073
if use_dbus:
2074
# Emit D-Bus signal
2075
mandos_dbus_service.ClientRemoved(client.dbus_object_path,
2076
client.name)
2077
2078
atexit.register(cleanup)
2079
2080
for client in tcp_server.clients:
1315
2081
if use_dbus:
1316
2082
# Emit D-Bus signal
1317
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1318
client.GetAllProperties())
2083
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1319
2084
client.enable()
1320
2085
1321
2086
tcp_server.enable()
1324
2089
# Find out what port we got
1325
2090
service.port = tcp_server.socket.getsockname()[1]
1326
2091
if use_ipv6:
1327
logger.info(u"Now listening on address %r, port %d,"
2092
logger.info("Now listening on address %r, port %d,"
1328
2093
" flowinfo %d, scope_id %d"
1329
2094
% tcp_server.socket.getsockname())
1330
2095
else: # IPv4
1331
logger.info(u"Now listening on address %r, port %d"
2096
logger.info("Now listening on address %r, port %d"
1332
2097
% tcp_server.socket.getsockname())
1333
2098
1334
2099
#service.interface = tcp_server.socket.getsockname()[3]
1335
2100
1336
2101
try:
1337
2102
# From the Avahi example code
1338
server.connect_to_signal("StateChanged", server_state_changed)
1339
2103
try:
1340
server_state_changed(server.GetState())
1341
except dbus.exceptions.DBusException, error:
1342
logger.critical(u"DBusException: %s", error)
2104
service.activate()
2105
except dbus.exceptions.DBusException as error:
2106
logger.critical("DBusException: %s", error)
2107
cleanup()
1343
2108
sys.exit(1)
1344
2109
# End of Avahi example code
1345
2110
1348
2113
(tcp_server.handle_request
1349
2114
(*args[2:], **kwargs) or True))
1350
2115
1351
logger.debug(u"Starting main loop")
2116
logger.debug("Starting main loop")
1352
2117
main_loop.run()
1353
except AvahiError, error:
1354
logger.critical(u"AvahiError: %s", error)
2118
except AvahiError as error:
2119
logger.critical("AvahiError: %s", error)
2120
cleanup()
1355
2121
sys.exit(1)
1356
2122
except KeyboardInterrupt:
1357
2123
if debug:
1358
print >> sys.stderr
2124
print("", file=sys.stderr)
1359
2125
logger.debug("Server received KeyboardInterrupt")
1360
2126
logger.debug("Server exiting")
2127
# Must run before the D-Bus bus name gets deregistered
2128
cleanup()
1361
2129
1362
2130
if __name__ == '__main__':
1363
2131
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0