126
149
self.rename_count = 0
127
150
self.max_renames = max_renames
128
151
self.protocol = protocol
152
self.group = None # our entry group
155
self.entry_group_state_changed_match = None
129
156
def rename(self):
130
157
"""Derived from the Avahi example code"""
131
158
if self.rename_count >= self.max_renames:
132
logger.critical(u"No suitable Zeroconf service name found"
133
u" after %i retries, exiting.",
159
logger.critical("No suitable Zeroconf service name found"
160
" after %i retries, exiting.",
134
161
self.rename_count)
135
raise AvahiServiceError(u"Too many renames")
136
self.name = server.GetAlternativeServiceName(self.name)
137
logger.info(u"Changing Zeroconf service name to %r ...",
162
raise AvahiServiceError("Too many renames")
163
self.name = unicode(self.server
164
.GetAlternativeServiceName(self.name))
165
logger.info("Changing Zeroconf service name to %r ...",
139
167
syslogger.setFormatter(logging.Formatter
140
168
('Mandos (%s) [%%(process)d]:'
141
169
' %%(levelname)s: %%(message)s'
174
except dbus.exceptions.DBusException as error:
175
logger.critical("DBusException: %s", error)
145
178
self.rename_count += 1
146
179
def remove(self):
147
180
"""Derived from the Avahi example code"""
148
if group is not None:
181
if self.entry_group_state_changed_match is not None:
182
self.entry_group_state_changed_match.remove()
183
self.entry_group_state_changed_match = None
184
if self.group is not None:
151
187
"""Derived from the Avahi example code"""
154
group = dbus.Interface(bus.get_object
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
161
service.name, service.type)
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
182
class Client(dbus.service.Object):
189
if self.group is None:
190
self.group = dbus.Interface(
191
self.bus.get_object(avahi.DBUS_NAME,
192
self.server.EntryGroupNew()),
193
avahi.DBUS_INTERFACE_ENTRY_GROUP)
194
self.entry_group_state_changed_match = (
195
self.group.connect_to_signal(
196
'StateChanged', self .entry_group_state_changed))
197
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
198
self.name, self.type)
199
self.group.AddService(
202
dbus.UInt32(0), # flags
203
self.name, self.type,
204
self.domain, self.host,
205
dbus.UInt16(self.port),
206
avahi.string_array_to_txt_array(self.TXT))
208
def entry_group_state_changed(self, state, error):
209
"""Derived from the Avahi example code"""
210
logger.debug("Avahi entry group state change: %i", state)
212
if state == avahi.ENTRY_GROUP_ESTABLISHED:
213
logger.debug("Zeroconf service established.")
214
elif state == avahi.ENTRY_GROUP_COLLISION:
215
logger.info("Zeroconf service name collision.")
217
elif state == avahi.ENTRY_GROUP_FAILURE:
218
logger.critical("Avahi: Error in group state changed %s",
220
raise AvahiGroupError("State changed: %s"
223
"""Derived from the Avahi example code"""
224
if self.group is not None:
227
except (dbus.exceptions.UnknownMethodException,
228
dbus.exceptions.DBusException) as e:
232
def server_state_changed(self, state, error=None):
233
"""Derived from the Avahi example code"""
234
logger.debug("Avahi server state change: %i", state)
235
bad_states = { avahi.SERVER_INVALID:
236
"Zeroconf server invalid",
237
avahi.SERVER_REGISTERING: None,
238
avahi.SERVER_COLLISION:
239
"Zeroconf server name collision",
240
avahi.SERVER_FAILURE:
241
"Zeroconf server failure" }
242
if state in bad_states:
243
if bad_states[state] is not None:
245
logger.error(bad_states[state])
247
logger.error(bad_states[state] + ": %r", error)
249
elif state == avahi.SERVER_RUNNING:
253
logger.debug("Unknown state: %r", state)
255
logger.debug("Unknown state: %r: %r", state, error)
257
"""Derived from the Avahi example code"""
258
if self.server is None:
259
self.server = dbus.Interface(
260
self.bus.get_object(avahi.DBUS_NAME,
261
avahi.DBUS_PATH_SERVER,
262
follow_name_owner_changes=True),
263
avahi.DBUS_INTERFACE_SERVER)
264
self.server.connect_to_signal("StateChanged",
265
self.server_state_changed)
266
self.server_state_changed(self.server.GetState())
269
def _timedelta_to_milliseconds(td):
270
"Convert a datetime.timedelta() to milliseconds"
271
return ((td.days * 24 * 60 * 60 * 1000)
272
+ (td.seconds * 1000)
273
+ (td.microseconds // 1000))
275
class Client(object):
183
276
"""A representation of a client host served by this server.
185
name: string; from the config file, used in log messages and
187
fingerprint: string (40 or 32 hexadecimal digits); used to
188
uniquely identify the client
189
secret: bytestring; sent verbatim (over TLS) to client
190
host: string; available for use by the checker command
191
created: datetime.datetime(); (UTC) object creation
192
last_enabled: datetime.datetime(); (UTC)
194
last_checked_ok: datetime.datetime(); (UTC) or None
195
timeout: datetime.timedelta(); How long from last_checked_ok
196
until this client is invalid
197
interval: datetime.timedelta(); How often to start a new checker
198
disable_hook: If set, called by disable() as disable_hook(self)
279
_approved: bool(); 'None' if not yet approved/disapproved
280
approval_delay: datetime.timedelta(); Time to wait for approval
281
approval_duration: datetime.timedelta(); Duration of one approval
199
282
checker: subprocess.Popen(); a running checker process used
200
283
to see if the client lives.
201
284
'None' if no process is running.
202
checker_initiator_tag: a gobject event source tag, or None
203
disable_initiator_tag: - '' -
204
checker_callback_tag: - '' -
205
checker_command: string; External command which is run to check if
206
client lives. %() expansions are done at
285
checker_callback_tag: a gobject event source tag, or None
286
checker_command: string; External command which is run to check
287
if client lives. %() expansions are done at
207
288
runtime with vars(self) as dict, so that for
208
289
instance %(name)s can be used in the command.
290
checker_initiator_tag: a gobject event source tag, or None
291
created: datetime.datetime(); (UTC) object creation
209
292
current_checker_command: string; current running checker_command
210
use_dbus: bool(); Whether to provide D-Bus interface and signals
211
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
293
disable_hook: If set, called by disable() as disable_hook(self)
294
disable_initiator_tag: a gobject event source tag, or None
296
fingerprint: string (40 or 32 hexadecimal digits); used to
297
uniquely identify the client
298
host: string; available for use by the checker command
299
interval: datetime.timedelta(); How often to start a new checker
300
last_approval_request: datetime.datetime(); (UTC) or None
301
last_checked_ok: datetime.datetime(); (UTC) or None
302
last_enabled: datetime.datetime(); (UTC)
303
name: string; from the config file, used in log messages and
305
secret: bytestring; sent verbatim (over TLS) to client
306
timeout: datetime.timedelta(); How long from last_checked_ok
307
until this client is disabled
308
extended_timeout: extra long timeout when password has been sent
309
runtime_expansions: Allowed attributes for runtime expansion.
310
expires: datetime.datetime(); time (UTC) when a client will be
314
runtime_expansions = ("approval_delay", "approval_duration",
315
"created", "enabled", "fingerprint",
316
"host", "interval", "last_checked_ok",
317
"last_enabled", "name", "timeout")
213
319
def timeout_milliseconds(self):
214
320
"Return the 'timeout' attribute in milliseconds"
215
return ((self.timeout.days * 24 * 60 * 60 * 1000)
216
+ (self.timeout.seconds * 1000)
217
+ (self.timeout.microseconds // 1000))
321
return _timedelta_to_milliseconds(self.timeout)
323
def extended_timeout_milliseconds(self):
324
"Return the 'extended_timeout' attribute in milliseconds"
325
return _timedelta_to_milliseconds(self.extended_timeout)
219
327
def interval_milliseconds(self):
220
328
"Return the 'interval' attribute in milliseconds"
221
return ((self.interval.days * 24 * 60 * 60 * 1000)
222
+ (self.interval.seconds * 1000)
223
+ (self.interval.microseconds // 1000))
225
def __init__(self, name = None, disable_hook=None, config=None,
329
return _timedelta_to_milliseconds(self.interval)
331
def approval_delay_milliseconds(self):
332
return _timedelta_to_milliseconds(self.approval_delay)
334
def __init__(self, name = None, disable_hook=None, config=None):
227
335
"""Note: the 'checker' key in 'config' sets the
228
336
'checker_command' attribute and *not* the 'checker'
231
339
if config is None:
233
logger.debug(u"Creating client %r", self.name)
234
self.use_dbus = False # During __init__
341
logger.debug("Creating client %r", self.name)
235
342
# Uppercase and remove spaces from fingerprint for later
236
343
# comparison purposes with return value from the fingerprint()
238
345
self.fingerprint = (config["fingerprint"].upper()
240
logger.debug(u" Fingerprint: %s", self.fingerprint)
347
logger.debug(" Fingerprint: %s", self.fingerprint)
241
348
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
349
self.secret = config["secret"].decode("base64")
243
350
elif "secfile" in config:
244
with closing(open(os.path.expanduser
246
(config["secfile"])))) as secfile:
351
with open(os.path.expanduser(os.path.expandvars
352
(config["secfile"])),
247
354
self.secret = secfile.read()
249
raise TypeError(u"No secret or secfile for client %s"
356
raise TypeError("No secret or secfile for client %s"
251
358
self.host = config.get("host", "")
252
359
self.created = datetime.datetime.utcnow()
253
360
self.enabled = False
361
self.last_approval_request = None
254
362
self.last_enabled = None
255
363
self.last_checked_ok = None
256
364
self.timeout = string_to_delta(config["timeout"])
365
self.extended_timeout = string_to_delta(config
366
["extended_timeout"])
257
367
self.interval = string_to_delta(config["interval"])
258
368
self.disable_hook = disable_hook
259
369
self.checker = None
260
370
self.checker_initiator_tag = None
261
371
self.disable_initiator_tag = None
262
373
self.checker_callback_tag = None
263
374
self.checker_command = config["checker"]
264
375
self.current_checker_command = None
265
376
self.last_connect = None
266
# Only now, when this client is initialized, can it show up on
268
self.use_dbus = use_dbus
270
self.dbus_object_path = (dbus.ObjectPath
272
+ self.name.replace(".", "_")))
273
dbus.service.Object.__init__(self, bus,
274
self.dbus_object_path)
377
self._approved = None
378
self.approved_by_default = config.get("approved_by_default",
380
self.approvals_pending = 0
381
self.approval_delay = string_to_delta(
382
config["approval_delay"])
383
self.approval_duration = string_to_delta(
384
config["approval_duration"])
385
self.changedstate = (multiprocessing_manager
386
.Condition(multiprocessing_manager
389
def send_changedstate(self):
390
self.changedstate.acquire()
391
self.changedstate.notify_all()
392
self.changedstate.release()
276
394
def enable(self):
277
395
"""Start this client's checker and timeout hooks"""
278
self.last_enabled = datetime.datetime.utcnow()
396
if getattr(self, "enabled", False):
399
self.send_changedstate()
279
400
# Schedule a new checker to be started an 'interval' from now,
280
401
# and every interval from then on.
281
402
self.checker_initiator_tag = (gobject.timeout_add
282
403
(self.interval_milliseconds(),
283
404
self.start_checker))
284
# Also start a new checker *right now*.
286
405
# Schedule a disable() when 'timeout' has passed
406
self.expires = datetime.datetime.utcnow() + self.timeout
287
407
self.disable_initiator_tag = (gobject.timeout_add
288
408
(self.timeout_milliseconds(),
290
410
self.enabled = True
293
self.PropertyChanged(dbus.String(u"enabled"),
294
dbus.Boolean(True, variant_level=1))
295
self.PropertyChanged(dbus.String(u"last_enabled"),
296
(_datetime_to_dbus(self.last_enabled,
411
self.last_enabled = datetime.datetime.utcnow()
412
# Also start a new checker *right now*.
415
def disable(self, quiet=True):
300
416
"""Disable this client."""
301
417
if not getattr(self, "enabled", False):
303
logger.info(u"Disabling client %s", self.name)
420
self.send_changedstate()
422
logger.info("Disabling client %s", self.name)
304
423
if getattr(self, "disable_initiator_tag", False):
305
424
gobject.source_remove(self.disable_initiator_tag)
306
425
self.disable_initiator_tag = None
307
427
if getattr(self, "checker_initiator_tag", False):
308
428
gobject.source_remove(self.checker_initiator_tag)
309
429
self.checker_initiator_tag = None
447
557
self.checker_callback_tag = None
448
558
if getattr(self, "checker", None) is None:
450
logger.debug(u"Stopping checker for %(name)s", vars(self))
560
logger.debug("Stopping checker for %(name)s", vars(self))
452
562
os.kill(self.checker.pid, signal.SIGTERM)
454
564
#if self.checker.poll() is None:
455
565
# os.kill(self.checker.pid, signal.SIGKILL)
456
except OSError, error:
566
except OSError as error:
457
567
if error.errno != errno.ESRCH: # No such process
459
569
self.checker = None
461
self.PropertyChanged(dbus.String(u"checker_running"),
462
dbus.Boolean(False, variant_level=1))
464
def still_valid(self):
465
"""Has the timeout not yet passed for this client?"""
466
if not getattr(self, "enabled", False):
468
now = datetime.datetime.utcnow()
469
if self.last_checked_ok is None:
470
return now < (self.created + self.timeout)
472
return now < (self.last_checked_ok + self.timeout)
474
## D-Bus methods & signals
475
_interface = u"se.bsnet.fukt.Mandos.Client"
478
CheckedOK = dbus.service.method(_interface)(checked_ok)
479
CheckedOK.__name__ = "CheckedOK"
572
def dbus_service_property(dbus_interface, signature="v",
573
access="readwrite", byte_arrays=False):
574
"""Decorators for marking methods of a DBusObjectWithProperties to
575
become properties on the D-Bus.
577
The decorated method will be called with no arguments by "Get"
578
and with one argument by "Set".
580
The parameters, where they are supported, are the same as
581
dbus.service.method, except there is only "signature", since the
582
type from Get() and the type sent to Set() is the same.
584
# Encoding deeply encoded byte arrays is not supported yet by the
585
# "Set" method, so we fail early here:
586
if byte_arrays and signature != "ay":
587
raise ValueError("Byte arrays not supported for non-'ay'"
588
" signature %r" % signature)
590
func._dbus_is_property = True
591
func._dbus_interface = dbus_interface
592
func._dbus_signature = signature
593
func._dbus_access = access
594
func._dbus_name = func.__name__
595
if func._dbus_name.endswith("_dbus_property"):
596
func._dbus_name = func._dbus_name[:-14]
597
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
602
class DBusPropertyException(dbus.exceptions.DBusException):
603
"""A base class for D-Bus property-related exceptions
605
def __unicode__(self):
606
return unicode(str(self))
609
class DBusPropertyAccessException(DBusPropertyException):
610
"""A property's access permissions disallows an operation.
615
class DBusPropertyNotFound(DBusPropertyException):
616
"""An attempt was made to access a non-existing property.
621
class DBusObjectWithProperties(dbus.service.Object):
622
"""A D-Bus object with properties.
624
Classes inheriting from this can use the dbus_service_property
625
decorator to expose methods as D-Bus properties. It exposes the
626
standard Get(), Set(), and GetAll() methods on the D-Bus.
630
def _is_dbus_property(obj):
631
return getattr(obj, "_dbus_is_property", False)
633
def _get_all_dbus_properties(self):
634
"""Returns a generator of (name, attribute) pairs
636
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
637
for cls in self.__class__.__mro__
639
inspect.getmembers(cls, self._is_dbus_property))
641
def _get_dbus_property(self, interface_name, property_name):
642
"""Returns a bound method if one exists which is a D-Bus
643
property with the specified name and interface.
645
for cls in self.__class__.__mro__:
646
for name, value in (inspect.getmembers
647
(cls, self._is_dbus_property)):
648
if (value._dbus_name == property_name
649
and value._dbus_interface == interface_name):
650
return value.__get__(self)
653
raise DBusPropertyNotFound(self.dbus_object_path + ":"
654
+ interface_name + "."
657
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
659
def Get(self, interface_name, property_name):
660
"""Standard D-Bus property Get() method, see D-Bus standard.
662
prop = self._get_dbus_property(interface_name, property_name)
663
if prop._dbus_access == "write":
664
raise DBusPropertyAccessException(property_name)
666
if not hasattr(value, "variant_level"):
668
return type(value)(value, variant_level=value.variant_level+1)
670
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
671
def Set(self, interface_name, property_name, value):
672
"""Standard D-Bus property Set() method, see D-Bus standard.
674
prop = self._get_dbus_property(interface_name, property_name)
675
if prop._dbus_access == "read":
676
raise DBusPropertyAccessException(property_name)
677
if prop._dbus_get_args_options["byte_arrays"]:
678
# The byte_arrays option is not supported yet on
679
# signatures other than "ay".
680
if prop._dbus_signature != "ay":
682
value = dbus.ByteArray(''.join(unichr(byte)
686
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
687
out_signature="a{sv}")
688
def GetAll(self, interface_name):
689
"""Standard D-Bus property GetAll() method, see D-Bus
692
Note: Will not include properties with access="write".
695
for name, prop in self._get_all_dbus_properties():
697
and interface_name != prop._dbus_interface):
698
# Interface non-empty but did not match
700
# Ignore write-only properties
701
if prop._dbus_access == "write":
704
if not hasattr(value, "variant_level"):
707
all[name] = type(value)(value, variant_level=
708
value.variant_level+1)
709
return dbus.Dictionary(all, signature="sv")
711
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
713
path_keyword='object_path',
714
connection_keyword='connection')
715
def Introspect(self, object_path, connection):
716
"""Standard D-Bus method, overloaded to insert property tags.
718
xmlstring = dbus.service.Object.Introspect(self, object_path,
721
document = xml.dom.minidom.parseString(xmlstring)
722
def make_tag(document, name, prop):
723
e = document.createElement("property")
724
e.setAttribute("name", name)
725
e.setAttribute("type", prop._dbus_signature)
726
e.setAttribute("access", prop._dbus_access)
728
for if_tag in document.getElementsByTagName("interface"):
729
for tag in (make_tag(document, name, prop)
731
in self._get_all_dbus_properties()
732
if prop._dbus_interface
733
== if_tag.getAttribute("name")):
734
if_tag.appendChild(tag)
735
# Add the names to the return values for the
736
# "org.freedesktop.DBus.Properties" methods
737
if (if_tag.getAttribute("name")
738
== "org.freedesktop.DBus.Properties"):
739
for cn in if_tag.getElementsByTagName("method"):
740
if cn.getAttribute("name") == "Get":
741
for arg in cn.getElementsByTagName("arg"):
742
if (arg.getAttribute("direction")
744
arg.setAttribute("name", "value")
745
elif cn.getAttribute("name") == "GetAll":
746
for arg in cn.getElementsByTagName("arg"):
747
if (arg.getAttribute("direction")
749
arg.setAttribute("name", "props")
750
xmlstring = document.toxml("utf-8")
752
except (AttributeError, xml.dom.DOMException,
753
xml.parsers.expat.ExpatError) as error:
754
logger.error("Failed to override Introspection method",
759
def datetime_to_dbus (dt, variant_level=0):
760
"""Convert a UTC datetime.datetime() to a D-Bus type."""
762
return dbus.String("", variant_level = variant_level)
763
return dbus.String(dt.isoformat(),
764
variant_level=variant_level)
766
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
768
"""Applied to an empty subclass of a D-Bus object, this metaclass
769
will add additional D-Bus attributes matching a certain pattern.
771
def __new__(mcs, name, bases, attr):
772
# Go through all the base classes which could have D-Bus
773
# methods, signals, or properties in them
774
for base in (b for b in bases
775
if issubclass(b, dbus.service.Object)):
776
# Go though all attributes of the base class
777
for attrname, attribute in inspect.getmembers(base):
778
# Ignore non-D-Bus attributes, and D-Bus attributes
779
# with the wrong interface name
780
if (not hasattr(attribute, "_dbus_interface")
781
or not attribute._dbus_interface
782
.startswith("se.recompile.Mandos")):
784
# Create an alternate D-Bus interface name based on
786
alt_interface = (attribute._dbus_interface
787
.replace("se.recompile.Mandos",
788
"se.bsnet.fukt.Mandos"))
789
# Is this a D-Bus signal?
790
if getattr(attribute, "_dbus_is_signal", False):
791
# Extract the original non-method function by
793
nonmethod_func = (dict(
794
zip(attribute.func_code.co_freevars,
795
attribute.__closure__))["func"]
797
# Create a new, but exactly alike, function
798
# object, and decorate it to be a new D-Bus signal
799
# with the alternate D-Bus interface name
800
new_function = (dbus.service.signal
802
attribute._dbus_signature)
804
nonmethod_func.func_code,
805
nonmethod_func.func_globals,
806
nonmethod_func.func_name,
807
nonmethod_func.func_defaults,
808
nonmethod_func.func_closure)))
809
# Define a creator of a function to call both the
810
# old and new functions, so both the old and new
811
# signals gets sent when the function is called
812
def fixscope(func1, func2):
813
"""This function is a scope container to pass
814
func1 and func2 to the "call_both" function
815
outside of its arguments"""
816
def call_both(*args, **kwargs):
817
"""This function will emit two D-Bus
818
signals by calling func1 and func2"""
819
func1(*args, **kwargs)
820
func2(*args, **kwargs)
822
# Create the "call_both" function and add it to
824
attr[attrname] = fixscope(attribute,
826
# Is this a D-Bus method?
827
elif getattr(attribute, "_dbus_is_method", False):
828
# Create a new, but exactly alike, function
829
# object. Decorate it to be a new D-Bus method
830
# with the alternate D-Bus interface name. Add it
832
attr[attrname] = (dbus.service.method
834
attribute._dbus_in_signature,
835
attribute._dbus_out_signature)
837
(attribute.func_code,
838
attribute.func_globals,
840
attribute.func_defaults,
841
attribute.func_closure)))
842
# Is this a D-Bus property?
843
elif getattr(attribute, "_dbus_is_property", False):
844
# Create a new, but exactly alike, function
845
# object, and decorate it to be a new D-Bus
846
# property with the alternate D-Bus interface
847
# name. Add it to the class.
848
attr[attrname] = (dbus_service_property
850
attribute._dbus_signature,
851
attribute._dbus_access,
853
._dbus_get_args_options
856
(attribute.func_code,
857
attribute.func_globals,
859
attribute.func_defaults,
860
attribute.func_closure)))
861
return type.__new__(mcs, name, bases, attr)
863
class ClientDBus(Client, DBusObjectWithProperties):
864
"""A Client class using D-Bus
867
dbus_object_path: dbus.ObjectPath
868
bus: dbus.SystemBus()
871
runtime_expansions = (Client.runtime_expansions
872
+ ("dbus_object_path",))
874
# dbus.service.Object doesn't use super(), so we can't either.
876
def __init__(self, bus = None, *args, **kwargs):
877
self._approvals_pending = 0
879
Client.__init__(self, *args, **kwargs)
880
# Only now, when this client is initialized, can it show up on
882
client_object_name = unicode(self.name).translate(
885
self.dbus_object_path = (dbus.ObjectPath
886
("/clients/" + client_object_name))
887
DBusObjectWithProperties.__init__(self, self.bus,
888
self.dbus_object_path)
890
def notifychangeproperty(transform_func,
891
dbus_name, type_func=lambda x: x,
893
""" Modify a variable so that it's a property which announces
896
transform_fun: Function that takes a value and a variant_level
897
and transforms it to a D-Bus type.
898
dbus_name: D-Bus name of the variable
899
type_func: Function that transform the value before sending it
900
to the D-Bus. Default: no transform
901
variant_level: D-Bus variant level. Default: 1
903
attrname = "_{0}".format(dbus_name)
904
def setter(self, value):
905
if hasattr(self, "dbus_object_path"):
906
if (not hasattr(self, attrname) or
907
type_func(getattr(self, attrname, None))
908
!= type_func(value)):
909
dbus_value = transform_func(type_func(value),
912
self.PropertyChanged(dbus.String(dbus_name),
914
setattr(self, attrname, value)
916
return property(lambda self: getattr(self, attrname), setter)
919
expires = notifychangeproperty(datetime_to_dbus, "Expires")
920
approvals_pending = notifychangeproperty(dbus.Boolean,
923
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
924
last_enabled = notifychangeproperty(datetime_to_dbus,
926
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
927
type_func = lambda checker:
929
last_checked_ok = notifychangeproperty(datetime_to_dbus,
931
last_approval_request = notifychangeproperty(
932
datetime_to_dbus, "LastApprovalRequest")
933
approved_by_default = notifychangeproperty(dbus.Boolean,
935
approval_delay = notifychangeproperty(dbus.UInt16,
938
_timedelta_to_milliseconds)
939
approval_duration = notifychangeproperty(
940
dbus.UInt16, "ApprovalDuration",
941
type_func = _timedelta_to_milliseconds)
942
host = notifychangeproperty(dbus.String, "Host")
943
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
945
_timedelta_to_milliseconds)
946
extended_timeout = notifychangeproperty(
947
dbus.UInt16, "ExtendedTimeout",
948
type_func = _timedelta_to_milliseconds)
949
interval = notifychangeproperty(dbus.UInt16,
952
_timedelta_to_milliseconds)
953
checker_command = notifychangeproperty(dbus.String, "Checker")
955
del notifychangeproperty
957
def __del__(self, *args, **kwargs):
959
self.remove_from_connection()
962
if hasattr(DBusObjectWithProperties, "__del__"):
963
DBusObjectWithProperties.__del__(self, *args, **kwargs)
964
Client.__del__(self, *args, **kwargs)
966
def checker_callback(self, pid, condition, command,
968
self.checker_callback_tag = None
970
if os.WIFEXITED(condition):
971
exitstatus = os.WEXITSTATUS(condition)
973
self.CheckerCompleted(dbus.Int16(exitstatus),
974
dbus.Int64(condition),
975
dbus.String(command))
978
self.CheckerCompleted(dbus.Int16(-1),
979
dbus.Int64(condition),
980
dbus.String(command))
982
return Client.checker_callback(self, pid, condition, command,
985
def start_checker(self, *args, **kwargs):
986
old_checker = self.checker
987
if self.checker is not None:
988
old_checker_pid = self.checker.pid
990
old_checker_pid = None
991
r = Client.start_checker(self, *args, **kwargs)
992
# Only if new checker process was started
993
if (self.checker is not None
994
and old_checker_pid != self.checker.pid):
996
self.CheckerStarted(self.current_checker_command)
999
def _reset_approved(self):
1000
self._approved = None
1003
def approve(self, value=True):
1004
self.send_changedstate()
1005
self._approved = value
1006
gobject.timeout_add(_timedelta_to_milliseconds
1007
(self.approval_duration),
1008
self._reset_approved)
1011
## D-Bus methods, signals & properties
1012
_interface = "se.recompile.Mandos.Client"
481
1016
# CheckerCompleted - signal
482
1017
@dbus.service.signal(_interface, signature="nxs")
618
1085
# StopChecker - method
619
StopChecker = dbus.service.method(_interface)(stop_checker)
620
StopChecker.__name__ = "StopChecker"
1086
@dbus.service.method(_interface)
1087
def StopChecker(self):
1092
# ApprovalPending - property
1093
@dbus_service_property(_interface, signature="b", access="read")
1094
def ApprovalPending_dbus_property(self):
1095
return dbus.Boolean(bool(self.approvals_pending))
1097
# ApprovedByDefault - property
1098
@dbus_service_property(_interface, signature="b",
1100
def ApprovedByDefault_dbus_property(self, value=None):
1101
if value is None: # get
1102
return dbus.Boolean(self.approved_by_default)
1103
self.approved_by_default = bool(value)
1105
# ApprovalDelay - property
1106
@dbus_service_property(_interface, signature="t",
1108
def ApprovalDelay_dbus_property(self, value=None):
1109
if value is None: # get
1110
return dbus.UInt64(self.approval_delay_milliseconds())
1111
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1113
# ApprovalDuration - property
1114
@dbus_service_property(_interface, signature="t",
1116
def ApprovalDuration_dbus_property(self, value=None):
1117
if value is None: # get
1118
return dbus.UInt64(_timedelta_to_milliseconds(
1119
self.approval_duration))
1120
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1123
@dbus_service_property(_interface, signature="s", access="read")
1124
def Name_dbus_property(self):
1125
return dbus.String(self.name)
1127
# Fingerprint - property
1128
@dbus_service_property(_interface, signature="s", access="read")
1129
def Fingerprint_dbus_property(self):
1130
return dbus.String(self.fingerprint)
1133
@dbus_service_property(_interface, signature="s",
1135
def Host_dbus_property(self, value=None):
1136
if value is None: # get
1137
return dbus.String(self.host)
1140
# Created - property
1141
@dbus_service_property(_interface, signature="s", access="read")
1142
def Created_dbus_property(self):
1143
return dbus.String(datetime_to_dbus(self.created))
1145
# LastEnabled - property
1146
@dbus_service_property(_interface, signature="s", access="read")
1147
def LastEnabled_dbus_property(self):
1148
return datetime_to_dbus(self.last_enabled)
1150
# Enabled - property
1151
@dbus_service_property(_interface, signature="b",
1153
def Enabled_dbus_property(self, value=None):
1154
if value is None: # get
1155
return dbus.Boolean(self.enabled)
1161
# LastCheckedOK - property
1162
@dbus_service_property(_interface, signature="s",
1164
def LastCheckedOK_dbus_property(self, value=None):
1165
if value is not None:
1168
return datetime_to_dbus(self.last_checked_ok)
1170
# Expires - property
1171
@dbus_service_property(_interface, signature="s", access="read")
1172
def Expires_dbus_property(self):
1173
return datetime_to_dbus(self.expires)
1175
# LastApprovalRequest - property
1176
@dbus_service_property(_interface, signature="s", access="read")
1177
def LastApprovalRequest_dbus_property(self):
1178
return datetime_to_dbus(self.last_approval_request)
1180
# Timeout - property
1181
@dbus_service_property(_interface, signature="t",
1183
def Timeout_dbus_property(self, value=None):
1184
if value is None: # get
1185
return dbus.UInt64(self.timeout_milliseconds())
1186
self.timeout = datetime.timedelta(0, 0, 0, value)
1187
if getattr(self, "disable_initiator_tag", None) is None:
1189
# Reschedule timeout
1190
gobject.source_remove(self.disable_initiator_tag)
1191
self.disable_initiator_tag = None
1193
time_to_die = _timedelta_to_milliseconds((self
1198
if time_to_die <= 0:
1199
# The timeout has passed
1202
self.expires = (datetime.datetime.utcnow()
1203
+ datetime.timedelta(milliseconds =
1205
self.disable_initiator_tag = (gobject.timeout_add
1206
(time_to_die, self.disable))
1208
# ExtendedTimeout - property
1209
@dbus_service_property(_interface, signature="t",
1211
def ExtendedTimeout_dbus_property(self, value=None):
1212
if value is None: # get
1213
return dbus.UInt64(self.extended_timeout_milliseconds())
1214
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1216
# Interval - property
1217
@dbus_service_property(_interface, signature="t",
1219
def Interval_dbus_property(self, value=None):
1220
if value is None: # get
1221
return dbus.UInt64(self.interval_milliseconds())
1222
self.interval = datetime.timedelta(0, 0, 0, value)
1223
if getattr(self, "checker_initiator_tag", None) is None:
1225
# Reschedule checker run
1226
gobject.source_remove(self.checker_initiator_tag)
1227
self.checker_initiator_tag = (gobject.timeout_add
1228
(value, self.start_checker))
1229
self.start_checker() # Start one now, too
1231
# Checker - property
1232
@dbus_service_property(_interface, signature="s",
1234
def Checker_dbus_property(self, value=None):
1235
if value is None: # get
1236
return dbus.String(self.checker_command)
1237
self.checker_command = value
1239
# CheckerRunning - property
1240
@dbus_service_property(_interface, signature="b",
1242
def CheckerRunning_dbus_property(self, value=None):
1243
if value is None: # get
1244
return dbus.Boolean(self.checker is not None)
1246
self.start_checker()
1250
# ObjectPath - property
1251
@dbus_service_property(_interface, signature="o", access="read")
1252
def ObjectPath_dbus_property(self):
1253
return self.dbus_object_path # is already a dbus.ObjectPath
1256
@dbus_service_property(_interface, signature="ay",
1257
access="write", byte_arrays=True)
1258
def Secret_dbus_property(self, value):
1259
self.secret = str(value)
625
def peer_certificate(session):
626
"Return the peer's OpenPGP certificate as a bytestring"
627
# If not an OpenPGP certificate...
628
if (gnutls.library.functions
629
.gnutls_certificate_type_get(session._c_object)
630
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
631
# ...do the normal thing
632
return session.peer_certificate
633
list_size = ctypes.c_uint(1)
634
cert_list = (gnutls.library.functions
635
.gnutls_certificate_get_peers
636
(session._c_object, ctypes.byref(list_size)))
637
if not bool(cert_list) and list_size.value != 0:
638
raise gnutls.errors.GNUTLSError("error getting peer"
640
if list_size.value == 0:
643
return ctypes.string_at(cert.data, cert.size)
646
def fingerprint(openpgp):
647
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
648
# New GnuTLS "datum" with the OpenPGP public key
649
datum = (gnutls.library.types
650
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
653
ctypes.c_uint(len(openpgp))))
654
# New empty GnuTLS certificate
655
crt = gnutls.library.types.gnutls_openpgp_crt_t()
656
(gnutls.library.functions
657
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
658
# Import the OpenPGP public key into the certificate
659
(gnutls.library.functions
660
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
661
gnutls.library.constants
662
.GNUTLS_OPENPGP_FMT_RAW))
663
# Verify the self signature in the key
664
crtverify = ctypes.c_uint()
665
(gnutls.library.functions
666
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
667
if crtverify.value != 0:
668
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
669
raise gnutls.errors.CertificateSecurityError("Verify failed")
670
# New buffer for the fingerprint
671
buf = ctypes.create_string_buffer(20)
672
buf_len = ctypes.c_size_t()
673
# Get the fingerprint from the certificate into the buffer
674
(gnutls.library.functions
675
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
676
ctypes.byref(buf_len)))
677
# Deinit the certificate
678
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
679
# Convert the buffer to a Python bytestring
680
fpr = ctypes.string_at(buf, buf_len.value)
681
# Convert the bytestring to hexadecimal notation
682
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
686
class TCP_handler(SocketServer.BaseRequestHandler, object):
687
"""A TCP request handler class.
688
Instantiated by IPv6_TCPServer for each request to handle it.
1264
class ProxyClient(object):
1265
def __init__(self, child_pipe, fpr, address):
1266
self._pipe = child_pipe
1267
self._pipe.send(('init', fpr, address))
1268
if not self._pipe.recv():
1271
def __getattribute__(self, name):
1272
if(name == '_pipe'):
1273
return super(ProxyClient, self).__getattribute__(name)
1274
self._pipe.send(('getattr', name))
1275
data = self._pipe.recv()
1276
if data[0] == 'data':
1278
if data[0] == 'function':
1279
def func(*args, **kwargs):
1280
self._pipe.send(('funcall', name, args, kwargs))
1281
return self._pipe.recv()[1]
1284
def __setattr__(self, name, value):
1285
if(name == '_pipe'):
1286
return super(ProxyClient, self).__setattr__(name, value)
1287
self._pipe.send(('setattr', name, value))
1289
class ClientDBusTransitional(ClientDBus):
1290
__metaclass__ = AlternateDBusNamesMetaclass
1292
class ClientHandler(socketserver.BaseRequestHandler, object):
1293
"""A class to handle client connections.
1295
Instantiated once for each connection to handle it.
689
1296
Note: This will run in its own forked process."""
691
1298
def handle(self):
692
logger.info(u"TCP connection from: %s",
693
unicode(self.client_address))
694
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
695
# Open IPC pipe to parent process
696
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
1299
with contextlib.closing(self.server.child_pipe) as child_pipe:
1300
logger.info("TCP connection from: %s",
1301
unicode(self.client_address))
1302
logger.debug("Pipe FD: %d",
1303
self.server.child_pipe.fileno())
697
1305
session = (gnutls.connection
698
1306
.ClientSession(self.request,
699
1307
gnutls.connection
700
1308
.X509Credentials()))
702
line = self.request.makefile().readline()
703
logger.debug(u"Protocol version: %r", line)
705
if int(line.strip().split()[0]) > 1:
707
except (ValueError, IndexError, RuntimeError), error:
708
logger.error(u"Unknown protocol version: %s", error)
711
1310
# Note: gnutls.connection.X509Credentials is really a
712
1311
# generic GnuTLS certificate credentials object so long as
713
1312
# no X.509 keys are added to it. Therefore, we can use it
714
1313
# here despite using OpenPGP certificates.
716
1315
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
717
# "+AES-256-CBC", "+SHA1",
718
# "+COMP-NULL", "+CTYPE-OPENPGP",
1316
# "+AES-256-CBC", "+SHA1",
1317
# "+COMP-NULL", "+CTYPE-OPENPGP",
720
1319
# Use a fallback default, since this MUST be set.
721
priority = self.server.settings.get("priority", "NORMAL")
1320
priority = self.server.gnutls_priority
1321
if priority is None:
722
1323
(gnutls.library.functions
723
1324
.gnutls_priority_set_direct(session._c_object,
724
1325
priority, None))
1327
# Start communication using the Mandos protocol
1328
# Get protocol number
1329
line = self.request.makefile().readline()
1330
logger.debug("Protocol version: %r", line)
1332
if int(line.strip().split()[0]) > 1:
1334
except (ValueError, IndexError, RuntimeError) as error:
1335
logger.error("Unknown protocol version: %s", error)
1338
# Start GnuTLS connection
727
1340
session.handshake()
728
except gnutls.errors.GNUTLSError, error:
729
logger.warning(u"Handshake failed: %s", error)
1341
except gnutls.errors.GNUTLSError as error:
1342
logger.warning("Handshake failed: %s", error)
730
1343
# Do not run session.bye() here: the session is not
731
1344
# established. Just abandon the request.
733
logger.debug(u"Handshake succeeded")
1346
logger.debug("Handshake succeeded")
1348
approval_required = False
735
fpr = fingerprint(peer_certificate(session))
736
except (TypeError, gnutls.errors.GNUTLSError), error:
737
logger.warning(u"Bad certificate: %s", error)
740
logger.debug(u"Fingerprint: %s", fpr)
1351
fpr = self.fingerprint(self.peer_certificate
1354
gnutls.errors.GNUTLSError) as error:
1355
logger.warning("Bad certificate: %s", error)
1357
logger.debug("Fingerprint: %s", fpr)
1360
client = ProxyClient(child_pipe, fpr,
1361
self.client_address)
1365
if client.approval_delay:
1366
delay = client.approval_delay
1367
client.approvals_pending += 1
1368
approval_required = True
1371
if not client.enabled:
1372
logger.info("Client %s is disabled",
1374
if self.server.use_dbus:
1376
client.Rejected("Disabled")
1379
if client._approved or not client.approval_delay:
1380
#We are approved or approval is disabled
1382
elif client._approved is None:
1383
logger.info("Client %s needs approval",
1385
if self.server.use_dbus:
1387
client.NeedApproval(
1388
client.approval_delay_milliseconds(),
1389
client.approved_by_default)
1391
logger.warning("Client %s was not approved",
1393
if self.server.use_dbus:
1395
client.Rejected("Denied")
1398
#wait until timeout or approved
1399
time = datetime.datetime.now()
1400
client.changedstate.acquire()
1401
(client.changedstate.wait
1402
(float(client._timedelta_to_milliseconds(delay)
1404
client.changedstate.release()
1405
time2 = datetime.datetime.now()
1406
if (time2 - time) >= delay:
1407
if not client.approved_by_default:
1408
logger.warning("Client %s timed out while"
1409
" waiting for approval",
1411
if self.server.use_dbus:
1413
client.Rejected("Approval timed out")
1418
delay -= time2 - time
1421
while sent_size < len(client.secret):
1423
sent = session.send(client.secret[sent_size:])
1424
except gnutls.errors.GNUTLSError as error:
1425
logger.warning("gnutls send failed")
1427
logger.debug("Sent: %d, remaining: %d",
1428
sent, len(client.secret)
1429
- (sent_size + sent))
1432
logger.info("Sending secret to %s", client.name)
1433
# bump the timeout using extended_timeout
1434
client.checked_ok(client.extended_timeout)
1435
if self.server.use_dbus:
742
for c in self.server.clients:
743
if c.fingerprint == fpr:
747
logger.warning(u"Client not found for fingerprint: %s",
749
ipc.write("NOTFOUND %s\n" % fpr)
752
# Have to check if client.still_valid(), since it is
753
# possible that the client timed out while establishing
754
# the GnuTLS session.
755
if not client.still_valid():
756
logger.warning(u"Client %(name)s is invalid",
758
ipc.write("INVALID %s\n" % client.name)
761
ipc.write("SENDING %s\n" % client.name)
763
while sent_size < len(client.secret):
764
sent = session.send(client.secret[sent_size:])
765
logger.debug(u"Sent: %d, remaining: %d",
766
sent, len(client.secret)
767
- (sent_size + sent))
772
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
773
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
774
Assumes a gobject.MainLoop event loop.
1440
if approval_required:
1441
client.approvals_pending -= 1
1444
except gnutls.errors.GNUTLSError as error:
1445
logger.warning("GnuTLS bye failed")
1448
def peer_certificate(session):
1449
"Return the peer's OpenPGP certificate as a bytestring"
1450
# If not an OpenPGP certificate...
1451
if (gnutls.library.functions
1452
.gnutls_certificate_type_get(session._c_object)
1453
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1454
# ...do the normal thing
1455
return session.peer_certificate
1456
list_size = ctypes.c_uint(1)
1457
cert_list = (gnutls.library.functions
1458
.gnutls_certificate_get_peers
1459
(session._c_object, ctypes.byref(list_size)))
1460
if not bool(cert_list) and list_size.value != 0:
1461
raise gnutls.errors.GNUTLSError("error getting peer"
1463
if list_size.value == 0:
1466
return ctypes.string_at(cert.data, cert.size)
1469
def fingerprint(openpgp):
1470
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1471
# New GnuTLS "datum" with the OpenPGP public key
1472
datum = (gnutls.library.types
1473
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1476
ctypes.c_uint(len(openpgp))))
1477
# New empty GnuTLS certificate
1478
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1479
(gnutls.library.functions
1480
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1481
# Import the OpenPGP public key into the certificate
1482
(gnutls.library.functions
1483
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1484
gnutls.library.constants
1485
.GNUTLS_OPENPGP_FMT_RAW))
1486
# Verify the self signature in the key
1487
crtverify = ctypes.c_uint()
1488
(gnutls.library.functions
1489
.gnutls_openpgp_crt_verify_self(crt, 0,
1490
ctypes.byref(crtverify)))
1491
if crtverify.value != 0:
1492
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1493
raise (gnutls.errors.CertificateSecurityError
1495
# New buffer for the fingerprint
1496
buf = ctypes.create_string_buffer(20)
1497
buf_len = ctypes.c_size_t()
1498
# Get the fingerprint from the certificate into the buffer
1499
(gnutls.library.functions
1500
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1501
ctypes.byref(buf_len)))
1502
# Deinit the certificate
1503
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1504
# Convert the buffer to a Python bytestring
1505
fpr = ctypes.string_at(buf, buf_len.value)
1506
# Convert the bytestring to hexadecimal notation
1507
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1511
class MultiprocessingMixIn(object):
1512
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1513
def sub_process_main(self, request, address):
1515
self.finish_request(request, address)
1517
self.handle_error(request, address)
1518
self.close_request(request)
1520
def process_request(self, request, address):
1521
"""Start a new process to process the request."""
1522
proc = multiprocessing.Process(target = self.sub_process_main,
1529
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1530
""" adds a pipe to the MixIn """
776
1531
def process_request(self, request, client_address):
777
"""This overrides and wraps the original process_request().
778
This function creates a new pipe in self.pipe
1532
"""Overrides and wraps the original process_request().
1534
This function creates a new pipe in self.pipe
780
self.pipe = os.pipe()
781
super(ForkingMixInWithPipe,
782
self).process_request(request, client_address)
783
os.close(self.pipe[1]) # close write end
784
# Call "handle_ipc" for both data and EOF events
785
gobject.io_add_watch(self.pipe[0],
786
gobject.IO_IN | gobject.IO_HUP,
788
def handle_ipc(source, condition):
1536
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1538
proc = MultiprocessingMixIn.process_request(self, request,
1540
self.child_pipe.close()
1541
self.add_pipe(parent_pipe, proc)
1543
def add_pipe(self, parent_pipe, proc):
789
1544
"""Dummy function; override as necessary"""
794
class IPv6_TCPServer(ForkingMixInWithPipe,
795
SocketServer.TCPServer, object):
1545
raise NotImplementedError
1548
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1549
socketserver.TCPServer, object):
796
1550
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
798
settings: Server settings
799
clients: Set() of Client objects
800
1553
enabled: Boolean; whether this server is activated yet
1554
interface: None or a network interface name (string)
1555
use_ipv6: Boolean; to use IPv6 or not
802
address_family = socket.AF_INET6
803
def __init__(self, *args, **kwargs):
804
if "settings" in kwargs:
805
self.settings = kwargs["settings"]
806
del kwargs["settings"]
807
if "clients" in kwargs:
808
self.clients = kwargs["clients"]
809
del kwargs["clients"]
810
if "use_ipv6" in kwargs:
811
if not kwargs["use_ipv6"]:
812
self.address_family = socket.AF_INET
813
del kwargs["use_ipv6"]
815
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1557
def __init__(self, server_address, RequestHandlerClass,
1558
interface=None, use_ipv6=True):
1559
self.interface = interface
1561
self.address_family = socket.AF_INET6
1562
socketserver.TCPServer.__init__(self, server_address,
1563
RequestHandlerClass)
816
1564
def server_bind(self):
817
1565
"""This overrides the normal server_bind() function
818
1566
to bind to an interface if one was specified, and also NOT to
819
1567
bind to an address or port if they were not specified."""
820
if self.settings["interface"]:
821
# 25 is from /usr/include/asm-i486/socket.h
822
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
824
self.socket.setsockopt(socket.SOL_SOCKET,
826
self.settings["interface"])
827
except socket.error, error:
828
if error[0] == errno.EPERM:
829
logger.error(u"No permission to"
830
u" bind to interface %s",
831
self.settings["interface"])
1568
if self.interface is not None:
1569
if SO_BINDTODEVICE is None:
1570
logger.error("SO_BINDTODEVICE does not exist;"
1571
" cannot bind to interface %s",
1575
self.socket.setsockopt(socket.SOL_SOCKET,
1579
except socket.error as error:
1580
if error[0] == errno.EPERM:
1581
logger.error("No permission to"
1582
" bind to interface %s",
1584
elif error[0] == errno.ENOPROTOOPT:
1585
logger.error("SO_BINDTODEVICE not available;"
1586
" cannot bind to interface %s",
834
1590
# Only bind(2) the socket if we really need to.
835
1591
if self.server_address[0] or self.server_address[1]:
836
1592
if not self.server_address[0]:
843
1599
elif not self.server_address[1]:
844
1600
self.server_address = (self.server_address[0],
846
# if self.settings["interface"]:
1602
# if self.interface:
847
1603
# self.server_address = (self.server_address[0],
850
1606
# if_nametoindex
853
return super(IPv6_TCPServer, self).server_bind()
1608
return socketserver.TCPServer.server_bind(self)
1611
class MandosServer(IPv6_TCPServer):
1615
clients: set of Client objects
1616
gnutls_priority GnuTLS priority string
1617
use_dbus: Boolean; to emit D-Bus signals or not
1619
Assumes a gobject.MainLoop event loop.
1621
def __init__(self, server_address, RequestHandlerClass,
1622
interface=None, use_ipv6=True, clients=None,
1623
gnutls_priority=None, use_dbus=True):
1624
self.enabled = False
1625
self.clients = clients
1626
if self.clients is None:
1627
self.clients = set()
1628
self.use_dbus = use_dbus
1629
self.gnutls_priority = gnutls_priority
1630
IPv6_TCPServer.__init__(self, server_address,
1631
RequestHandlerClass,
1632
interface = interface,
1633
use_ipv6 = use_ipv6)
854
1634
def server_activate(self):
855
1635
if self.enabled:
856
return super(IPv6_TCPServer, self).server_activate()
1636
return socketserver.TCPServer.server_activate(self)
857
1638
def enable(self):
858
1639
self.enabled = True
859
def handle_ipc(self, source, condition, file_objects={}):
1641
def add_pipe(self, parent_pipe, proc):
1642
# Call "handle_ipc" for both data and EOF events
1643
gobject.io_add_watch(parent_pipe.fileno(),
1644
gobject.IO_IN | gobject.IO_HUP,
1645
functools.partial(self.handle_ipc,
1650
def handle_ipc(self, source, condition, parent_pipe=None,
1651
proc = None, client_object=None):
860
1652
condition_names = {
861
gobject.IO_IN: "IN", # There is data to read.
1653
gobject.IO_IN: "IN", # There is data to read.
862
1654
gobject.IO_OUT: "OUT", # Data can be written (without
864
1656
gobject.IO_PRI: "PRI", # There is urgent data to read.
865
1657
gobject.IO_ERR: "ERR", # Error condition.
866
1658
gobject.IO_HUP: "HUP" # Hung up (the connection has been
867
# broken, usually for pipes and
1659
# broken, usually for pipes and
870
1662
conditions_string = ' | '.join(name
871
1663
for cond, name in
872
1664
condition_names.iteritems()
873
1665
if cond & condition)
874
logger.debug("Handling IPC: FD = %d, condition = %s", source,
877
# Turn the pipe file descriptor into a Python file object
878
if source not in file_objects:
879
file_objects[source] = os.fdopen(source, "r", 1)
881
# Read a line from the file object
882
cmdline = file_objects[source].readline()
883
if not cmdline: # Empty line means end of file
885
file_objects[source].close()
886
del file_objects[source]
1666
# error, or the other end of multiprocessing.Pipe has closed
1667
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1668
# Wait for other process to exit
1672
# Read a request from the child
1673
request = parent_pipe.recv()
1674
command = request[0]
1676
if command == 'init':
1678
address = request[2]
888
# Stop calling this function
891
logger.debug("IPC command: %r\n" % cmdline)
893
# Parse and act on command
894
cmd, args = cmdline.split(None, 1)
895
if cmd == "NOTFOUND":
896
if self.settings["use_dbus"]:
898
mandos_dbus_service.ClientNotFound(args)
899
elif cmd == "INVALID":
900
if self.settings["use_dbus"]:
901
for client in self.clients:
902
if client.name == args:
906
elif cmd == "SENDING":
907
for client in self.clients:
908
if client.name == args:
910
if self.settings["use_dbus"]:
912
client.ReceivedSecret()
1680
for c in self.clients:
1681
if c.fingerprint == fpr:
915
logger.error("Unknown IPC command: %r", cmdline)
917
# Keep calling this function
1685
logger.info("Client not found for fingerprint: %s, ad"
1686
"dress: %s", fpr, address)
1689
mandos_dbus_service.ClientNotFound(fpr,
1691
parent_pipe.send(False)
1694
gobject.io_add_watch(parent_pipe.fileno(),
1695
gobject.IO_IN | gobject.IO_HUP,
1696
functools.partial(self.handle_ipc,
1702
parent_pipe.send(True)
1703
# remove the old hook in favor of the new above hook on
1706
if command == 'funcall':
1707
funcname = request[1]
1711
parent_pipe.send(('data', getattr(client_object,
1715
if command == 'getattr':
1716
attrname = request[1]
1717
if callable(client_object.__getattribute__(attrname)):
1718
parent_pipe.send(('function',))
1720
parent_pipe.send(('data', client_object
1721
.__getattribute__(attrname)))
1723
if command == 'setattr':
1724
attrname = request[1]
1726
setattr(client_object, attrname, value)