To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 505.3.10
- compare with another revision
- download diff
- download tarball
- view history from revision 505.3.10
- Committer: Teddy Hogeborn
- Date: 2011-11-24 20:15:24 UTC
- mto: (505.2.8 mandos-client-network-hooks)
- mto: This revision was merged to the branch mainline in revision 525.
- Revision ID: teddy@recompile.se-20111124201524-5w9ovzpuw3drdlgf
* network-hooks.d: New directory.
* network-hooks.d/bridge: New example hook.
* network-hooks.d/bridge.conf: Config file for bridge example hook.
* network-hooks.d/bridge: New example hook.
* network-hooks.d/bridge.conf: Config file for bridge example hook.
- files added:
- DBUS-API
- debian/source
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
# Contact the authors at <mandos@recompile.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
35
36
36
import SocketServer
37
import SocketServer as socketserver
37
38
import socket
38
import optparse
39
import argparse
39
40
import datetime
40
41
import errno
41
42
import gnutls.crypto
44
45
import gnutls.library.functions
45
46
import gnutls.library.constants
46
47
import gnutls.library.types
47
import ConfigParser
48
import ConfigParser as configparser
48
49
import sys
49
50
import re
50
51
import os
51
52
import signal
52
from sets import Set
53
53
import subprocess
54
54
import atexit
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
58
import pwd
59
from contextlib import closing
59
import contextlib
60
import struct
61
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
65
import types
60
66
61
67
import dbus
62
68
import dbus.service
65
71
from dbus.mainloop.glib import DBusGMainLoop
66
72
import ctypes
67
73
import ctypes.util
68
69
version = "1.0.8"
70
74
import xml.dom.minidom
75
import inspect
76
77
try:
78
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
79
except AttributeError:
80
try:
81
from IN import SO_BINDTODEVICE
82
except ImportError:
83
SO_BINDTODEVICE = None
84
85
86
version = "1.4.1"
87
88
#logger = logging.getLogger('mandos')
71
89
logger = logging.Logger('mandos')
72
90
syslogger = (logging.handlers.SysLogHandler
73
91
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
address = "/dev/log"))
92
address = str("/dev/log")))
75
93
syslogger.setFormatter(logging.Formatter
76
94
('Mandos [%(process)d]: %(levelname)s:'
77
95
' %(message)s'))
79
97
80
98
console = logging.StreamHandler()
81
99
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
100
' %(levelname)s:'
101
' %(message)s'))
83
102
logger.addHandler(console)
84
103
85
104
class AvahiError(Exception):
98
117
99
118
class AvahiService(object):
100
119
"""An Avahi (Zeroconf) service.
120
101
121
Attributes:
102
122
interface: integer; avahi.IF_UNSPEC or an interface index.
103
123
Used to optionally bind to the specified interface.
111
131
max_renames: integer; maximum number of renames
112
132
rename_count: integer; counter so we only rename after collisions
113
133
a sensible number of times
134
group: D-Bus Entry Group
135
server: D-Bus Server
136
bus: dbus.SystemBus()
114
137
"""
115
138
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
139
servicetype = None, port = None, TXT = None,
117
140
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
141
protocol = avahi.PROTO_UNSPEC, bus = None):
119
142
self.interface = interface
120
143
self.name = name
121
144
self.type = servicetype
126
149
self.rename_count = 0
127
150
self.max_renames = max_renames
128
151
self.protocol = protocol
152
self.group = None # our entry group
153
self.server = None
154
self.bus = bus
155
self.entry_group_state_changed_match = None
129
156
def rename(self):
130
157
"""Derived from the Avahi example code"""
131
158
if self.rename_count >= self.max_renames:
132
logger.critical(u"No suitable Zeroconf service name found"
133
u" after %i retries, exiting.",
159
logger.critical("No suitable Zeroconf service name found"
160
" after %i retries, exiting.",
134
161
self.rename_count)
135
raise AvahiServiceError(u"Too many renames")
136
self.name = server.GetAlternativeServiceName(self.name)
137
logger.info(u"Changing Zeroconf service name to %r ...",
138
str(self.name))
162
raise AvahiServiceError("Too many renames")
163
self.name = unicode(self.server
164
.GetAlternativeServiceName(self.name))
165
logger.info("Changing Zeroconf service name to %r ...",
166
self.name)
139
167
syslogger.setFormatter(logging.Formatter
140
168
('Mandos (%s) [%%(process)d]:'
141
169
' %%(levelname)s: %%(message)s'
142
170
% self.name))
143
171
self.remove()
144
self.add()
172
try:
173
self.add()
174
except dbus.exceptions.DBusException as error:
175
logger.critical("DBusException: %s", error)
176
self.cleanup()
177
os._exit(1)
145
178
self.rename_count += 1
146
179
def remove(self):
147
180
"""Derived from the Avahi example code"""
148
if group is not None:
149
group.Reset()
181
if self.entry_group_state_changed_match is not None:
182
self.entry_group_state_changed_match.remove()
183
self.entry_group_state_changed_match = None
184
if self.group is not None:
185
self.group.Reset()
150
186
def add(self):
151
187
"""Derived from the Avahi example code"""
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
175
176
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
180
181
182
class Client(dbus.service.Object):
188
self.remove()
189
if self.group is None:
190
self.group = dbus.Interface(
191
self.bus.get_object(avahi.DBUS_NAME,
192
self.server.EntryGroupNew()),
193
avahi.DBUS_INTERFACE_ENTRY_GROUP)
194
self.entry_group_state_changed_match = (
195
self.group.connect_to_signal(
196
'StateChanged', self .entry_group_state_changed))
197
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
198
self.name, self.type)
199
self.group.AddService(
200
self.interface,
201
self.protocol,
202
dbus.UInt32(0), # flags
203
self.name, self.type,
204
self.domain, self.host,
205
dbus.UInt16(self.port),
206
avahi.string_array_to_txt_array(self.TXT))
207
self.group.Commit()
208
def entry_group_state_changed(self, state, error):
209
"""Derived from the Avahi example code"""
210
logger.debug("Avahi entry group state change: %i", state)
211
212
if state == avahi.ENTRY_GROUP_ESTABLISHED:
213
logger.debug("Zeroconf service established.")
214
elif state == avahi.ENTRY_GROUP_COLLISION:
215
logger.info("Zeroconf service name collision.")
216
self.rename()
217
elif state == avahi.ENTRY_GROUP_FAILURE:
218
logger.critical("Avahi: Error in group state changed %s",
219
unicode(error))
220
raise AvahiGroupError("State changed: %s"
221
% unicode(error))
222
def cleanup(self):
223
"""Derived from the Avahi example code"""
224
if self.group is not None:
225
try:
226
self.group.Free()
227
except (dbus.exceptions.UnknownMethodException,
228
dbus.exceptions.DBusException) as e:
229
pass
230
self.group = None
231
self.remove()
232
def server_state_changed(self, state, error=None):
233
"""Derived from the Avahi example code"""
234
logger.debug("Avahi server state change: %i", state)
235
bad_states = { avahi.SERVER_INVALID:
236
"Zeroconf server invalid",
237
avahi.SERVER_REGISTERING: None,
238
avahi.SERVER_COLLISION:
239
"Zeroconf server name collision",
240
avahi.SERVER_FAILURE:
241
"Zeroconf server failure" }
242
if state in bad_states:
243
if bad_states[state] is not None:
244
if error is None:
245
logger.error(bad_states[state])
246
else:
247
logger.error(bad_states[state] + ": %r", error)
248
self.cleanup()
249
elif state == avahi.SERVER_RUNNING:
250
self.add()
251
else:
252
if error is None:
253
logger.debug("Unknown state: %r", state)
254
else:
255
logger.debug("Unknown state: %r: %r", state, error)
256
def activate(self):
257
"""Derived from the Avahi example code"""
258
if self.server is None:
259
self.server = dbus.Interface(
260
self.bus.get_object(avahi.DBUS_NAME,
261
avahi.DBUS_PATH_SERVER,
262
follow_name_owner_changes=True),
263
avahi.DBUS_INTERFACE_SERVER)
264
self.server.connect_to_signal("StateChanged",
265
self.server_state_changed)
266
self.server_state_changed(self.server.GetState())
267
268
269
def _timedelta_to_milliseconds(td):
270
"Convert a datetime.timedelta() to milliseconds"
271
return ((td.days * 24 * 60 * 60 * 1000)
272
+ (td.seconds * 1000)
273
+ (td.microseconds // 1000))
274
275
class Client(object):
183
276
"""A representation of a client host served by this server.
277
184
278
Attributes:
185
name: string; from the config file, used in log messages and
186
D-Bus identifiers
187
fingerprint: string (40 or 32 hexadecimal digits); used to
188
uniquely identify the client
189
secret: bytestring; sent verbatim (over TLS) to client
190
host: string; available for use by the checker command
191
created: datetime.datetime(); (UTC) object creation
192
last_enabled: datetime.datetime(); (UTC)
193
enabled: bool()
194
last_checked_ok: datetime.datetime(); (UTC) or None
195
timeout: datetime.timedelta(); How long from last_checked_ok
196
until this client is invalid
197
interval: datetime.timedelta(); How often to start a new checker
198
disable_hook: If set, called by disable() as disable_hook(self)
279
_approved: bool(); 'None' if not yet approved/disapproved
280
approval_delay: datetime.timedelta(); Time to wait for approval
281
approval_duration: datetime.timedelta(); Duration of one approval
199
282
checker: subprocess.Popen(); a running checker process used
200
283
to see if the client lives.
201
284
'None' if no process is running.
202
checker_initiator_tag: a gobject event source tag, or None
203
disable_initiator_tag: - '' -
204
checker_callback_tag: - '' -
205
checker_command: string; External command which is run to check if
206
client lives. %() expansions are done at
285
checker_callback_tag: a gobject event source tag, or None
286
checker_command: string; External command which is run to check
287
if client lives. %() expansions are done at
207
288
runtime with vars(self) as dict, so that for
208
289
instance %(name)s can be used in the command.
290
checker_initiator_tag: a gobject event source tag, or None
291
created: datetime.datetime(); (UTC) object creation
209
292
current_checker_command: string; current running checker_command
210
use_dbus: bool(); Whether to provide D-Bus interface and signals
211
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
293
disable_hook: If set, called by disable() as disable_hook(self)
294
disable_initiator_tag: a gobject event source tag, or None
295
enabled: bool()
296
fingerprint: string (40 or 32 hexadecimal digits); used to
297
uniquely identify the client
298
host: string; available for use by the checker command
299
interval: datetime.timedelta(); How often to start a new checker
300
last_approval_request: datetime.datetime(); (UTC) or None
301
last_checked_ok: datetime.datetime(); (UTC) or None
302
last_enabled: datetime.datetime(); (UTC)
303
name: string; from the config file, used in log messages and
304
D-Bus identifiers
305
secret: bytestring; sent verbatim (over TLS) to client
306
timeout: datetime.timedelta(); How long from last_checked_ok
307
until this client is disabled
308
extended_timeout: extra long timeout when password has been sent
309
runtime_expansions: Allowed attributes for runtime expansion.
310
expires: datetime.datetime(); time (UTC) when a client will be
311
disabled, or None
212
312
"""
313
314
runtime_expansions = ("approval_delay", "approval_duration",
315
"created", "enabled", "fingerprint",
316
"host", "interval", "last_checked_ok",
317
"last_enabled", "name", "timeout")
318
213
319
def timeout_milliseconds(self):
214
320
"Return the 'timeout' attribute in milliseconds"
215
return ((self.timeout.days * 24 * 60 * 60 * 1000)
216
+ (self.timeout.seconds * 1000)
217
+ (self.timeout.microseconds // 1000))
321
return _timedelta_to_milliseconds(self.timeout)
322
323
def extended_timeout_milliseconds(self):
324
"Return the 'extended_timeout' attribute in milliseconds"
325
return _timedelta_to_milliseconds(self.extended_timeout)
218
326
219
327
def interval_milliseconds(self):
220
328
"Return the 'interval' attribute in milliseconds"
221
return ((self.interval.days * 24 * 60 * 60 * 1000)
222
+ (self.interval.seconds * 1000)
223
+ (self.interval.microseconds // 1000))
224
225
def __init__(self, name = None, disable_hook=None, config=None,
226
use_dbus=True):
329
return _timedelta_to_milliseconds(self.interval)
330
331
def approval_delay_milliseconds(self):
332
return _timedelta_to_milliseconds(self.approval_delay)
333
334
def __init__(self, name = None, disable_hook=None, config=None):
227
335
"""Note: the 'checker' key in 'config' sets the
228
336
'checker_command' attribute and *not* the 'checker'
229
337
attribute."""
230
338
self.name = name
231
339
if config is None:
232
340
config = {}
233
logger.debug(u"Creating client %r", self.name)
234
self.use_dbus = False # During __init__
341
logger.debug("Creating client %r", self.name)
235
342
# Uppercase and remove spaces from fingerprint for later
236
343
# comparison purposes with return value from the fingerprint()
237
344
# function
238
345
self.fingerprint = (config["fingerprint"].upper()
239
.replace(u" ", u""))
240
logger.debug(u" Fingerprint: %s", self.fingerprint)
346
.replace(" ", ""))
347
logger.debug(" Fingerprint: %s", self.fingerprint)
241
348
if "secret" in config:
242
self.secret = config["secret"].decode(u"base64")
349
self.secret = config["secret"].decode("base64")
243
350
elif "secfile" in config:
244
with closing(open(os.path.expanduser
245
(os.path.expandvars
246
(config["secfile"])))) as secfile:
351
with open(os.path.expanduser(os.path.expandvars
352
(config["secfile"])),
353
"rb") as secfile:
247
354
self.secret = secfile.read()
248
355
else:
249
raise TypeError(u"No secret or secfile for client %s"
356
raise TypeError("No secret or secfile for client %s"
250
357
% self.name)
251
358
self.host = config.get("host", "")
252
359
self.created = datetime.datetime.utcnow()
253
360
self.enabled = False
361
self.last_approval_request = None
254
362
self.last_enabled = None
255
363
self.last_checked_ok = None
256
364
self.timeout = string_to_delta(config["timeout"])
365
self.extended_timeout = string_to_delta(config
366
["extended_timeout"])
257
367
self.interval = string_to_delta(config["interval"])
258
368
self.disable_hook = disable_hook
259
369
self.checker = None
260
370
self.checker_initiator_tag = None
261
371
self.disable_initiator_tag = None
372
self.expires = None
262
373
self.checker_callback_tag = None
263
374
self.checker_command = config["checker"]
264
375
self.current_checker_command = None
265
376
self.last_connect = None
266
# Only now, when this client is initialized, can it show up on
267
# the D-Bus
268
self.use_dbus = use_dbus
269
if self.use_dbus:
270
self.dbus_object_path = (dbus.ObjectPath
271
("/clients/"
272
+ self.name.replace(".", "_")))
273
dbus.service.Object.__init__(self, bus,
274
self.dbus_object_path)
377
self._approved = None
378
self.approved_by_default = config.get("approved_by_default",
379
True)
380
self.approvals_pending = 0
381
self.approval_delay = string_to_delta(
382
config["approval_delay"])
383
self.approval_duration = string_to_delta(
384
config["approval_duration"])
385
self.changedstate = (multiprocessing_manager
386
.Condition(multiprocessing_manager
387
.Lock()))
388
389
def send_changedstate(self):
390
self.changedstate.acquire()
391
self.changedstate.notify_all()
392
self.changedstate.release()
275
393
276
394
def enable(self):
277
395
"""Start this client's checker and timeout hooks"""
278
self.last_enabled = datetime.datetime.utcnow()
396
if getattr(self, "enabled", False):
397
# Already enabled
398
return
399
self.send_changedstate()
279
400
# Schedule a new checker to be started an 'interval' from now,
280
401
# and every interval from then on.
281
402
self.checker_initiator_tag = (gobject.timeout_add
282
403
(self.interval_milliseconds(),
283
404
self.start_checker))
284
# Also start a new checker *right now*.
285
self.start_checker()
286
405
# Schedule a disable() when 'timeout' has passed
406
self.expires = datetime.datetime.utcnow() + self.timeout
287
407
self.disable_initiator_tag = (gobject.timeout_add
288
408
(self.timeout_milliseconds(),
289
409
self.disable))
290
410
self.enabled = True
291
if self.use_dbus:
292
# Emit D-Bus signals
293
self.PropertyChanged(dbus.String(u"enabled"),
294
dbus.Boolean(True, variant_level=1))
295
self.PropertyChanged(dbus.String(u"last_enabled"),
296
(_datetime_to_dbus(self.last_enabled,
297
variant_level=1)))
411
self.last_enabled = datetime.datetime.utcnow()
412
# Also start a new checker *right now*.
413
self.start_checker()
298
414
299
def disable(self):
415
def disable(self, quiet=True):
300
416
"""Disable this client."""
301
417
if not getattr(self, "enabled", False):
302
418
return False
303
logger.info(u"Disabling client %s", self.name)
419
if not quiet:
420
self.send_changedstate()
421
if not quiet:
422
logger.info("Disabling client %s", self.name)
304
423
if getattr(self, "disable_initiator_tag", False):
305
424
gobject.source_remove(self.disable_initiator_tag)
306
425
self.disable_initiator_tag = None
426
self.expires = None
307
427
if getattr(self, "checker_initiator_tag", False):
308
428
gobject.source_remove(self.checker_initiator_tag)
309
429
self.checker_initiator_tag = None
311
431
if self.disable_hook:
312
432
self.disable_hook(self)
313
433
self.enabled = False
314
if self.use_dbus:
315
# Emit D-Bus signal
316
self.PropertyChanged(dbus.String(u"enabled"),
317
dbus.Boolean(False, variant_level=1))
318
434
# Do not run this again if called by a gobject.timeout_add
319
435
return False
320
436
326
442
"""The checker has completed, so take appropriate actions."""
327
443
self.checker_callback_tag = None
328
444
self.checker = None
329
if self.use_dbus:
330
# Emit D-Bus signal
331
self.PropertyChanged(dbus.String(u"checker_running"),
332
dbus.Boolean(False, variant_level=1))
333
445
if os.WIFEXITED(condition):
334
446
exitstatus = os.WEXITSTATUS(condition)
335
447
if exitstatus == 0:
336
logger.info(u"Checker for %(name)s succeeded",
448
logger.info("Checker for %(name)s succeeded",
337
449
vars(self))
338
450
self.checked_ok()
339
451
else:
340
logger.info(u"Checker for %(name)s failed",
452
logger.info("Checker for %(name)s failed",
341
453
vars(self))
342
if self.use_dbus:
343
# Emit D-Bus signal
344
self.CheckerCompleted(dbus.Int16(exitstatus),
345
dbus.Int64(condition),
346
dbus.String(command))
347
454
else:
348
logger.warning(u"Checker for %(name)s crashed?",
455
logger.warning("Checker for %(name)s crashed?",
349
456
vars(self))
350
if self.use_dbus:
351
# Emit D-Bus signal
352
self.CheckerCompleted(dbus.Int16(-1),
353
dbus.Int64(condition),
354
dbus.String(command))
355
457
356
def checked_ok(self):
458
def checked_ok(self, timeout=None):
357
459
"""Bump up the timeout for this client.
460
358
461
This should only be called when the client has been seen,
359
462
alive and well.
360
463
"""
464
if timeout is None:
465
timeout = self.timeout
361
466
self.last_checked_ok = datetime.datetime.utcnow()
362
gobject.source_remove(self.disable_initiator_tag)
363
self.disable_initiator_tag = (gobject.timeout_add
364
(self.timeout_milliseconds(),
365
self.disable))
366
if self.use_dbus:
367
# Emit D-Bus signal
368
self.PropertyChanged(
369
dbus.String(u"last_checked_ok"),
370
(_datetime_to_dbus(self.last_checked_ok,
371
variant_level=1)))
467
if self.disable_initiator_tag is not None:
468
gobject.source_remove(self.disable_initiator_tag)
469
if getattr(self, "enabled", False):
470
self.disable_initiator_tag = (gobject.timeout_add
471
(_timedelta_to_milliseconds
472
(timeout), self.disable))
473
self.expires = datetime.datetime.utcnow() + timeout
474
475
def need_approval(self):
476
self.last_approval_request = datetime.datetime.utcnow()
372
477
373
478
def start_checker(self):
374
479
"""Start a new checker subprocess if one is not running.
480
375
481
If a checker already exists, leave it running and do
376
482
nothing."""
377
483
# The reason for not killing a running checker is that if we
380
486
# client would inevitably timeout, since no checker would get
381
487
# a chance to run to completion. If we instead leave running
382
488
# checkers alone, the checker would have to take more time
383
# than 'timeout' for the client to be declared invalid, which
384
# is as it should be.
489
# than 'timeout' for the client to be disabled, which is as it
490
# should be.
385
491
386
492
# If a checker exists, make sure it is not a zombie
387
if self.checker is not None:
493
try:
388
494
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
495
except (AttributeError, OSError) as error:
496
if (isinstance(error, OSError)
497
and error.errno != errno.ECHILD):
498
raise error
499
else:
389
500
if pid:
390
501
logger.warning("Checker was a zombie")
391
502
gobject.source_remove(self.checker_callback_tag)
398
509
command = self.checker_command % self.host
399
510
except TypeError:
400
511
# Escape attributes for the shell
401
escaped_attrs = dict((key, re.escape(str(val)))
402
for key, val in
403
vars(self).iteritems())
512
escaped_attrs = dict(
513
(attr,
514
re.escape(unicode(str(getattr(self, attr, "")),
515
errors=
516
'replace')))
517
for attr in
518
self.runtime_expansions)
519
404
520
try:
405
521
command = self.checker_command % escaped_attrs
406
except TypeError, error:
407
logger.error(u'Could not format string "%s":'
408
u' %s', self.checker_command, error)
522
except TypeError as error:
523
logger.error('Could not format string "%s":'
524
' %s', self.checker_command, error)
409
525
return True # Try again later
410
self.current_checker_command = command
526
self.current_checker_command = command
411
527
try:
412
logger.info(u"Starting checker %r for %s",
528
logger.info("Starting checker %r for %s",
413
529
command, self.name)
414
530
# We don't need to redirect stdout and stderr, since
415
531
# in normal mode, that is already done by daemon(),
418
534
self.checker = subprocess.Popen(command,
419
535
close_fds=True,
420
536
shell=True, cwd="/")
421
if self.use_dbus:
422
# Emit D-Bus signal
423
self.CheckerStarted(command)
424
self.PropertyChanged(
425
dbus.String("checker_running"),
426
dbus.Boolean(True, variant_level=1))
427
537
self.checker_callback_tag = (gobject.child_watch_add
428
538
(self.checker.pid,
429
539
self.checker_callback,
434
544
if pid:
435
545
gobject.source_remove(self.checker_callback_tag)
436
546
self.checker_callback(pid, status, command)
437
except OSError, error:
438
logger.error(u"Failed to start subprocess: %s",
547
except OSError as error:
548
logger.error("Failed to start subprocess: %s",
439
549
error)
440
550
# Re-run this periodically if run by gobject.timeout_add
441
551
return True
447
557
self.checker_callback_tag = None
448
558
if getattr(self, "checker", None) is None:
449
559
return
450
logger.debug(u"Stopping checker for %(name)s", vars(self))
560
logger.debug("Stopping checker for %(name)s", vars(self))
451
561
try:
452
562
os.kill(self.checker.pid, signal.SIGTERM)
453
#os.sleep(0.5)
563
#time.sleep(0.5)
454
564
#if self.checker.poll() is None:
455
565
# os.kill(self.checker.pid, signal.SIGKILL)
456
except OSError, error:
566
except OSError as error:
457
567
if error.errno != errno.ESRCH: # No such process
458
568
raise
459
569
self.checker = None
460
if self.use_dbus:
461
self.PropertyChanged(dbus.String(u"checker_running"),
462
dbus.Boolean(False, variant_level=1))
463
464
def still_valid(self):
465
"""Has the timeout not yet passed for this client?"""
466
if not getattr(self, "enabled", False):
467
return False
468
now = datetime.datetime.utcnow()
469
if self.last_checked_ok is None:
470
return now < (self.created + self.timeout)
471
else:
472
return now < (self.last_checked_ok + self.timeout)
473
474
## D-Bus methods & signals
475
_interface = u"se.bsnet.fukt.Mandos.Client"
476
477
# CheckedOK - method
478
CheckedOK = dbus.service.method(_interface)(checked_ok)
479
CheckedOK.__name__ = "CheckedOK"
570
571
572
def dbus_service_property(dbus_interface, signature="v",
573
access="readwrite", byte_arrays=False):
574
"""Decorators for marking methods of a DBusObjectWithProperties to
575
become properties on the D-Bus.
576
577
The decorated method will be called with no arguments by "Get"
578
and with one argument by "Set".
579
580
The parameters, where they are supported, are the same as
581
dbus.service.method, except there is only "signature", since the
582
type from Get() and the type sent to Set() is the same.
583
"""
584
# Encoding deeply encoded byte arrays is not supported yet by the
585
# "Set" method, so we fail early here:
586
if byte_arrays and signature != "ay":
587
raise ValueError("Byte arrays not supported for non-'ay'"
588
" signature %r" % signature)
589
def decorator(func):
590
func._dbus_is_property = True
591
func._dbus_interface = dbus_interface
592
func._dbus_signature = signature
593
func._dbus_access = access
594
func._dbus_name = func.__name__
595
if func._dbus_name.endswith("_dbus_property"):
596
func._dbus_name = func._dbus_name[:-14]
597
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
598
return func
599
return decorator
600
601
602
class DBusPropertyException(dbus.exceptions.DBusException):
603
"""A base class for D-Bus property-related exceptions
604
"""
605
def __unicode__(self):
606
return unicode(str(self))
607
608
609
class DBusPropertyAccessException(DBusPropertyException):
610
"""A property's access permissions disallows an operation.
611
"""
612
pass
613
614
615
class DBusPropertyNotFound(DBusPropertyException):
616
"""An attempt was made to access a non-existing property.
617
"""
618
pass
619
620
621
class DBusObjectWithProperties(dbus.service.Object):
622
"""A D-Bus object with properties.
623
624
Classes inheriting from this can use the dbus_service_property
625
decorator to expose methods as D-Bus properties. It exposes the
626
standard Get(), Set(), and GetAll() methods on the D-Bus.
627
"""
628
629
@staticmethod
630
def _is_dbus_property(obj):
631
return getattr(obj, "_dbus_is_property", False)
632
633
def _get_all_dbus_properties(self):
634
"""Returns a generator of (name, attribute) pairs
635
"""
636
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
637
for cls in self.__class__.__mro__
638
for name, prop in
639
inspect.getmembers(cls, self._is_dbus_property))
640
641
def _get_dbus_property(self, interface_name, property_name):
642
"""Returns a bound method if one exists which is a D-Bus
643
property with the specified name and interface.
644
"""
645
for cls in self.__class__.__mro__:
646
for name, value in (inspect.getmembers
647
(cls, self._is_dbus_property)):
648
if (value._dbus_name == property_name
649
and value._dbus_interface == interface_name):
650
return value.__get__(self)
651
652
# No such property
653
raise DBusPropertyNotFound(self.dbus_object_path + ":"
654
+ interface_name + "."
655
+ property_name)
656
657
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
658
out_signature="v")
659
def Get(self, interface_name, property_name):
660
"""Standard D-Bus property Get() method, see D-Bus standard.
661
"""
662
prop = self._get_dbus_property(interface_name, property_name)
663
if prop._dbus_access == "write":
664
raise DBusPropertyAccessException(property_name)
665
value = prop()
666
if not hasattr(value, "variant_level"):
667
return value
668
return type(value)(value, variant_level=value.variant_level+1)
669
670
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
671
def Set(self, interface_name, property_name, value):
672
"""Standard D-Bus property Set() method, see D-Bus standard.
673
"""
674
prop = self._get_dbus_property(interface_name, property_name)
675
if prop._dbus_access == "read":
676
raise DBusPropertyAccessException(property_name)
677
if prop._dbus_get_args_options["byte_arrays"]:
678
# The byte_arrays option is not supported yet on
679
# signatures other than "ay".
680
if prop._dbus_signature != "ay":
681
raise ValueError
682
value = dbus.ByteArray(''.join(unichr(byte)
683
for byte in value))
684
prop(value)
685
686
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
687
out_signature="a{sv}")
688
def GetAll(self, interface_name):
689
"""Standard D-Bus property GetAll() method, see D-Bus
690
standard.
691
692
Note: Will not include properties with access="write".
693
"""
694
all = {}
695
for name, prop in self._get_all_dbus_properties():
696
if (interface_name
697
and interface_name != prop._dbus_interface):
698
# Interface non-empty but did not match
699
continue
700
# Ignore write-only properties
701
if prop._dbus_access == "write":
702
continue
703
value = prop()
704
if not hasattr(value, "variant_level"):
705
all[name] = value
706
continue
707
all[name] = type(value)(value, variant_level=
708
value.variant_level+1)
709
return dbus.Dictionary(all, signature="sv")
710
711
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
712
out_signature="s",
713
path_keyword='object_path',
714
connection_keyword='connection')
715
def Introspect(self, object_path, connection):
716
"""Standard D-Bus method, overloaded to insert property tags.
717
"""
718
xmlstring = dbus.service.Object.Introspect(self, object_path,
719
connection)
720
try:
721
document = xml.dom.minidom.parseString(xmlstring)
722
def make_tag(document, name, prop):
723
e = document.createElement("property")
724
e.setAttribute("name", name)
725
e.setAttribute("type", prop._dbus_signature)
726
e.setAttribute("access", prop._dbus_access)
727
return e
728
for if_tag in document.getElementsByTagName("interface"):
729
for tag in (make_tag(document, name, prop)
730
for name, prop
731
in self._get_all_dbus_properties()
732
if prop._dbus_interface
733
== if_tag.getAttribute("name")):
734
if_tag.appendChild(tag)
735
# Add the names to the return values for the
736
# "org.freedesktop.DBus.Properties" methods
737
if (if_tag.getAttribute("name")
738
== "org.freedesktop.DBus.Properties"):
739
for cn in if_tag.getElementsByTagName("method"):
740
if cn.getAttribute("name") == "Get":
741
for arg in cn.getElementsByTagName("arg"):
742
if (arg.getAttribute("direction")
743
== "out"):
744
arg.setAttribute("name", "value")
745
elif cn.getAttribute("name") == "GetAll":
746
for arg in cn.getElementsByTagName("arg"):
747
if (arg.getAttribute("direction")
748
== "out"):
749
arg.setAttribute("name", "props")
750
xmlstring = document.toxml("utf-8")
751
document.unlink()
752
except (AttributeError, xml.dom.DOMException,
753
xml.parsers.expat.ExpatError) as error:
754
logger.error("Failed to override Introspection method",
755
error)
756
return xmlstring
757
758
759
def datetime_to_dbus (dt, variant_level=0):
760
"""Convert a UTC datetime.datetime() to a D-Bus type."""
761
if dt is None:
762
return dbus.String("", variant_level = variant_level)
763
return dbus.String(dt.isoformat(),
764
variant_level=variant_level)
765
766
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
767
.__metaclass__):
768
"""Applied to an empty subclass of a D-Bus object, this metaclass
769
will add additional D-Bus attributes matching a certain pattern.
770
"""
771
def __new__(mcs, name, bases, attr):
772
# Go through all the base classes which could have D-Bus
773
# methods, signals, or properties in them
774
for base in (b for b in bases
775
if issubclass(b, dbus.service.Object)):
776
# Go though all attributes of the base class
777
for attrname, attribute in inspect.getmembers(base):
778
# Ignore non-D-Bus attributes, and D-Bus attributes
779
# with the wrong interface name
780
if (not hasattr(attribute, "_dbus_interface")
781
or not attribute._dbus_interface
782
.startswith("se.recompile.Mandos")):
783
continue
784
# Create an alternate D-Bus interface name based on
785
# the current name
786
alt_interface = (attribute._dbus_interface
787
.replace("se.recompile.Mandos",
788
"se.bsnet.fukt.Mandos"))
789
# Is this a D-Bus signal?
790
if getattr(attribute, "_dbus_is_signal", False):
791
# Extract the original non-method function by
792
# black magic
793
nonmethod_func = (dict(
794
zip(attribute.func_code.co_freevars,
795
attribute.__closure__))["func"]
796
.cell_contents)
797
# Create a new, but exactly alike, function
798
# object, and decorate it to be a new D-Bus signal
799
# with the alternate D-Bus interface name
800
new_function = (dbus.service.signal
801
(alt_interface,
802
attribute._dbus_signature)
803
(types.FunctionType(
804
nonmethod_func.func_code,
805
nonmethod_func.func_globals,
806
nonmethod_func.func_name,
807
nonmethod_func.func_defaults,
808
nonmethod_func.func_closure)))
809
# Define a creator of a function to call both the
810
# old and new functions, so both the old and new
811
# signals gets sent when the function is called
812
def fixscope(func1, func2):
813
"""This function is a scope container to pass
814
func1 and func2 to the "call_both" function
815
outside of its arguments"""
816
def call_both(*args, **kwargs):
817
"""This function will emit two D-Bus
818
signals by calling func1 and func2"""
819
func1(*args, **kwargs)
820
func2(*args, **kwargs)
821
return call_both
822
# Create the "call_both" function and add it to
823
# the class
824
attr[attrname] = fixscope(attribute,
825
new_function)
826
# Is this a D-Bus method?
827
elif getattr(attribute, "_dbus_is_method", False):
828
# Create a new, but exactly alike, function
829
# object. Decorate it to be a new D-Bus method
830
# with the alternate D-Bus interface name. Add it
831
# to the class.
832
attr[attrname] = (dbus.service.method
833
(alt_interface,
834
attribute._dbus_in_signature,
835
attribute._dbus_out_signature)
836
(types.FunctionType
837
(attribute.func_code,
838
attribute.func_globals,
839
attribute.func_name,
840
attribute.func_defaults,
841
attribute.func_closure)))
842
# Is this a D-Bus property?
843
elif getattr(attribute, "_dbus_is_property", False):
844
# Create a new, but exactly alike, function
845
# object, and decorate it to be a new D-Bus
846
# property with the alternate D-Bus interface
847
# name. Add it to the class.
848
attr[attrname] = (dbus_service_property
849
(alt_interface,
850
attribute._dbus_signature,
851
attribute._dbus_access,
852
attribute
853
._dbus_get_args_options
854
["byte_arrays"])
855
(types.FunctionType
856
(attribute.func_code,
857
attribute.func_globals,
858
attribute.func_name,
859
attribute.func_defaults,
860
attribute.func_closure)))
861
return type.__new__(mcs, name, bases, attr)
862
863
class ClientDBus(Client, DBusObjectWithProperties):
864
"""A Client class using D-Bus
865
866
Attributes:
867
dbus_object_path: dbus.ObjectPath
868
bus: dbus.SystemBus()
869
"""
870
871
runtime_expansions = (Client.runtime_expansions
872
+ ("dbus_object_path",))
873
874
# dbus.service.Object doesn't use super(), so we can't either.
875
876
def __init__(self, bus = None, *args, **kwargs):
877
self._approvals_pending = 0
878
self.bus = bus
879
Client.__init__(self, *args, **kwargs)
880
# Only now, when this client is initialized, can it show up on
881
# the D-Bus
882
client_object_name = unicode(self.name).translate(
883
{ord("."): ord("_"),
884
ord("-"): ord("_")})
885
self.dbus_object_path = (dbus.ObjectPath
886
("/clients/" + client_object_name))
887
DBusObjectWithProperties.__init__(self, self.bus,
888
self.dbus_object_path)
889
890
def notifychangeproperty(transform_func,
891
dbus_name, type_func=lambda x: x,
892
variant_level=1):
893
""" Modify a variable so that it's a property which announces
894
its changes to DBus.
895
896
transform_fun: Function that takes a value and a variant_level
897
and transforms it to a D-Bus type.
898
dbus_name: D-Bus name of the variable
899
type_func: Function that transform the value before sending it
900
to the D-Bus. Default: no transform
901
variant_level: D-Bus variant level. Default: 1
902
"""
903
attrname = "_{0}".format(dbus_name)
904
def setter(self, value):
905
if hasattr(self, "dbus_object_path"):
906
if (not hasattr(self, attrname) or
907
type_func(getattr(self, attrname, None))
908
!= type_func(value)):
909
dbus_value = transform_func(type_func(value),
910
variant_level
911
=variant_level)
912
self.PropertyChanged(dbus.String(dbus_name),
913
dbus_value)
914
setattr(self, attrname, value)
915
916
return property(lambda self: getattr(self, attrname), setter)
917
918
919
expires = notifychangeproperty(datetime_to_dbus, "Expires")
920
approvals_pending = notifychangeproperty(dbus.Boolean,
921
"ApprovalPending",
922
type_func = bool)
923
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
924
last_enabled = notifychangeproperty(datetime_to_dbus,
925
"LastEnabled")
926
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
927
type_func = lambda checker:
928
checker is not None)
929
last_checked_ok = notifychangeproperty(datetime_to_dbus,
930
"LastCheckedOK")
931
last_approval_request = notifychangeproperty(
932
datetime_to_dbus, "LastApprovalRequest")
933
approved_by_default = notifychangeproperty(dbus.Boolean,
934
"ApprovedByDefault")
935
approval_delay = notifychangeproperty(dbus.UInt16,
936
"ApprovalDelay",
937
type_func =
938
_timedelta_to_milliseconds)
939
approval_duration = notifychangeproperty(
940
dbus.UInt16, "ApprovalDuration",
941
type_func = _timedelta_to_milliseconds)
942
host = notifychangeproperty(dbus.String, "Host")
943
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
944
type_func =
945
_timedelta_to_milliseconds)
946
extended_timeout = notifychangeproperty(
947
dbus.UInt16, "ExtendedTimeout",
948
type_func = _timedelta_to_milliseconds)
949
interval = notifychangeproperty(dbus.UInt16,
950
"Interval",
951
type_func =
952
_timedelta_to_milliseconds)
953
checker_command = notifychangeproperty(dbus.String, "Checker")
954
955
del notifychangeproperty
956
957
def __del__(self, *args, **kwargs):
958
try:
959
self.remove_from_connection()
960
except LookupError:
961
pass
962
if hasattr(DBusObjectWithProperties, "__del__"):
963
DBusObjectWithProperties.__del__(self, *args, **kwargs)
964
Client.__del__(self, *args, **kwargs)
965
966
def checker_callback(self, pid, condition, command,
967
*args, **kwargs):
968
self.checker_callback_tag = None
969
self.checker = None
970
if os.WIFEXITED(condition):
971
exitstatus = os.WEXITSTATUS(condition)
972
# Emit D-Bus signal
973
self.CheckerCompleted(dbus.Int16(exitstatus),
974
dbus.Int64(condition),
975
dbus.String(command))
976
else:
977
# Emit D-Bus signal
978
self.CheckerCompleted(dbus.Int16(-1),
979
dbus.Int64(condition),
980
dbus.String(command))
981
982
return Client.checker_callback(self, pid, condition, command,
983
*args, **kwargs)
984
985
def start_checker(self, *args, **kwargs):
986
old_checker = self.checker
987
if self.checker is not None:
988
old_checker_pid = self.checker.pid
989
else:
990
old_checker_pid = None
991
r = Client.start_checker(self, *args, **kwargs)
992
# Only if new checker process was started
993
if (self.checker is not None
994
and old_checker_pid != self.checker.pid):
995
# Emit D-Bus signal
996
self.CheckerStarted(self.current_checker_command)
997
return r
998
999
def _reset_approved(self):
1000
self._approved = None
1001
return False
1002
1003
def approve(self, value=True):
1004
self.send_changedstate()
1005
self._approved = value
1006
gobject.timeout_add(_timedelta_to_milliseconds
1007
(self.approval_duration),
1008
self._reset_approved)
1009
1010
1011
## D-Bus methods, signals & properties
1012
_interface = "se.recompile.Mandos.Client"
1013
1014
## Signals
480
1015
481
1016
# CheckerCompleted - signal
482
1017
@dbus.service.signal(_interface, signature="nxs")
490
1025
"D-Bus signal"
491
1026
pass
492
1027
493
# GetAllProperties - method
494
@dbus.service.method(_interface, out_signature="a{sv}")
495
def GetAllProperties(self):
496
"D-Bus method"
497
return dbus.Dictionary({
498
dbus.String("name"):
499
dbus.String(self.name, variant_level=1),
500
dbus.String("fingerprint"):
501
dbus.String(self.fingerprint, variant_level=1),
502
dbus.String("host"):
503
dbus.String(self.host, variant_level=1),
504
dbus.String("created"):
505
_datetime_to_dbus(self.created, variant_level=1),
506
dbus.String("last_enabled"):
507
(_datetime_to_dbus(self.last_enabled,
508
variant_level=1)
509
if self.last_enabled is not None
510
else dbus.Boolean(False, variant_level=1)),
511
dbus.String("enabled"):
512
dbus.Boolean(self.enabled, variant_level=1),
513
dbus.String("last_checked_ok"):
514
(_datetime_to_dbus(self.last_checked_ok,
515
variant_level=1)
516
if self.last_checked_ok is not None
517
else dbus.Boolean (False, variant_level=1)),
518
dbus.String("timeout"):
519
dbus.UInt64(self.timeout_milliseconds(),
520
variant_level=1),
521
dbus.String("interval"):
522
dbus.UInt64(self.interval_milliseconds(),
523
variant_level=1),
524
dbus.String("checker"):
525
dbus.String(self.checker_command,
526
variant_level=1),
527
dbus.String("checker_running"):
528
dbus.Boolean(self.checker is not None,
529
variant_level=1),
530
dbus.String("object_path"):
531
dbus.ObjectPath(self.dbus_object_path,
532
variant_level=1)
533
}, signature="sv")
534
535
# IsStillValid - method
536
IsStillValid = (dbus.service.method(_interface, out_signature="b")
537
(still_valid))
538
IsStillValid.__name__ = "IsStillValid"
539
540
1028
# PropertyChanged - signal
541
1029
@dbus.service.signal(_interface, signature="sv")
542
1030
def PropertyChanged(self, property, value):
543
1031
"D-Bus signal"
544
1032
pass
545
1033
546
# ReceivedSecret - signal
1034
# GotSecret - signal
547
1035
@dbus.service.signal(_interface)
548
def ReceivedSecret(self):
549
"D-Bus signal"
1036
def GotSecret(self):
1037
"""D-Bus signal
1038
Is sent after a successful transfer of secret from the Mandos
1039
server to mandos-client
1040
"""
550
1041
pass
551
1042
552
1043
# Rejected - signal
553
@dbus.service.signal(_interface)
554
def Rejected(self):
1044
@dbus.service.signal(_interface, signature="s")
1045
def Rejected(self, reason):
555
1046
"D-Bus signal"
556
1047
pass
557
1048
558
# SetChecker - method
559
@dbus.service.method(_interface, in_signature="s")
560
def SetChecker(self, checker):
561
"D-Bus setter method"
562
self.checker_command = checker
563
# Emit D-Bus signal
564
self.PropertyChanged(dbus.String(u"checker"),
565
dbus.String(self.checker_command,
566
variant_level=1))
567
568
# SetHost - method
569
@dbus.service.method(_interface, in_signature="s")
570
def SetHost(self, host):
571
"D-Bus setter method"
572
self.host = host
573
# Emit D-Bus signal
574
self.PropertyChanged(dbus.String(u"host"),
575
dbus.String(self.host, variant_level=1))
576
577
# SetInterval - method
578
@dbus.service.method(_interface, in_signature="t")
579
def SetInterval(self, milliseconds):
580
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
581
# Emit D-Bus signal
582
self.PropertyChanged(dbus.String(u"interval"),
583
(dbus.UInt64(self.interval_milliseconds(),
584
variant_level=1)))
585
586
# SetSecret - method
587
@dbus.service.method(_interface, in_signature="ay",
588
byte_arrays=True)
589
def SetSecret(self, secret):
590
"D-Bus setter method"
591
self.secret = str(secret)
592
593
# SetTimeout - method
594
@dbus.service.method(_interface, in_signature="t")
595
def SetTimeout(self, milliseconds):
596
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
597
# Emit D-Bus signal
598
self.PropertyChanged(dbus.String(u"timeout"),
599
(dbus.UInt64(self.timeout_milliseconds(),
600
variant_level=1)))
1049
# NeedApproval - signal
1050
@dbus.service.signal(_interface, signature="tb")
1051
def NeedApproval(self, timeout, default):
1052
"D-Bus signal"
1053
return self.need_approval()
1054
1055
## Methods
1056
1057
# Approve - method
1058
@dbus.service.method(_interface, in_signature="b")
1059
def Approve(self, value):
1060
self.approve(value)
1061
1062
# CheckedOK - method
1063
@dbus.service.method(_interface)
1064
def CheckedOK(self):
1065
self.checked_ok()
601
1066
602
1067
# Enable - method
603
Enable = dbus.service.method(_interface)(enable)
604
Enable.__name__ = "Enable"
1068
@dbus.service.method(_interface)
1069
def Enable(self):
1070
"D-Bus method"
1071
self.enable()
605
1072
606
1073
# StartChecker - method
607
1074
@dbus.service.method(_interface)
616
1083
self.disable()
617
1084
618
1085
# StopChecker - method
619
StopChecker = dbus.service.method(_interface)(stop_checker)
620
StopChecker.__name__ = "StopChecker"
1086
@dbus.service.method(_interface)
1087
def StopChecker(self):
1088
self.stop_checker()
1089
1090
## Properties
1091
1092
# ApprovalPending - property
1093
@dbus_service_property(_interface, signature="b", access="read")
1094
def ApprovalPending_dbus_property(self):
1095
return dbus.Boolean(bool(self.approvals_pending))
1096
1097
# ApprovedByDefault - property
1098
@dbus_service_property(_interface, signature="b",
1099
access="readwrite")
1100
def ApprovedByDefault_dbus_property(self, value=None):
1101
if value is None: # get
1102
return dbus.Boolean(self.approved_by_default)
1103
self.approved_by_default = bool(value)
1104
1105
# ApprovalDelay - property
1106
@dbus_service_property(_interface, signature="t",
1107
access="readwrite")
1108
def ApprovalDelay_dbus_property(self, value=None):
1109
if value is None: # get
1110
return dbus.UInt64(self.approval_delay_milliseconds())
1111
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1112
1113
# ApprovalDuration - property
1114
@dbus_service_property(_interface, signature="t",
1115
access="readwrite")
1116
def ApprovalDuration_dbus_property(self, value=None):
1117
if value is None: # get
1118
return dbus.UInt64(_timedelta_to_milliseconds(
1119
self.approval_duration))
1120
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1121
1122
# Name - property
1123
@dbus_service_property(_interface, signature="s", access="read")
1124
def Name_dbus_property(self):
1125
return dbus.String(self.name)
1126
1127
# Fingerprint - property
1128
@dbus_service_property(_interface, signature="s", access="read")
1129
def Fingerprint_dbus_property(self):
1130
return dbus.String(self.fingerprint)
1131
1132
# Host - property
1133
@dbus_service_property(_interface, signature="s",
1134
access="readwrite")
1135
def Host_dbus_property(self, value=None):
1136
if value is None: # get
1137
return dbus.String(self.host)
1138
self.host = value
1139
1140
# Created - property
1141
@dbus_service_property(_interface, signature="s", access="read")
1142
def Created_dbus_property(self):
1143
return dbus.String(datetime_to_dbus(self.created))
1144
1145
# LastEnabled - property
1146
@dbus_service_property(_interface, signature="s", access="read")
1147
def LastEnabled_dbus_property(self):
1148
return datetime_to_dbus(self.last_enabled)
1149
1150
# Enabled - property
1151
@dbus_service_property(_interface, signature="b",
1152
access="readwrite")
1153
def Enabled_dbus_property(self, value=None):
1154
if value is None: # get
1155
return dbus.Boolean(self.enabled)
1156
if value:
1157
self.enable()
1158
else:
1159
self.disable()
1160
1161
# LastCheckedOK - property
1162
@dbus_service_property(_interface, signature="s",
1163
access="readwrite")
1164
def LastCheckedOK_dbus_property(self, value=None):
1165
if value is not None:
1166
self.checked_ok()
1167
return
1168
return datetime_to_dbus(self.last_checked_ok)
1169
1170
# Expires - property
1171
@dbus_service_property(_interface, signature="s", access="read")
1172
def Expires_dbus_property(self):
1173
return datetime_to_dbus(self.expires)
1174
1175
# LastApprovalRequest - property
1176
@dbus_service_property(_interface, signature="s", access="read")
1177
def LastApprovalRequest_dbus_property(self):
1178
return datetime_to_dbus(self.last_approval_request)
1179
1180
# Timeout - property
1181
@dbus_service_property(_interface, signature="t",
1182
access="readwrite")
1183
def Timeout_dbus_property(self, value=None):
1184
if value is None: # get
1185
return dbus.UInt64(self.timeout_milliseconds())
1186
self.timeout = datetime.timedelta(0, 0, 0, value)
1187
if getattr(self, "disable_initiator_tag", None) is None:
1188
return
1189
# Reschedule timeout
1190
gobject.source_remove(self.disable_initiator_tag)
1191
self.disable_initiator_tag = None
1192
self.expires = None
1193
time_to_die = _timedelta_to_milliseconds((self
1194
.last_checked_ok
1195
+ self.timeout)
1196
- datetime.datetime
1197
.utcnow())
1198
if time_to_die <= 0:
1199
# The timeout has passed
1200
self.disable()
1201
else:
1202
self.expires = (datetime.datetime.utcnow()
1203
+ datetime.timedelta(milliseconds =
1204
time_to_die))
1205
self.disable_initiator_tag = (gobject.timeout_add
1206
(time_to_die, self.disable))
1207
1208
# ExtendedTimeout - property
1209
@dbus_service_property(_interface, signature="t",
1210
access="readwrite")
1211
def ExtendedTimeout_dbus_property(self, value=None):
1212
if value is None: # get
1213
return dbus.UInt64(self.extended_timeout_milliseconds())
1214
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1215
1216
# Interval - property
1217
@dbus_service_property(_interface, signature="t",
1218
access="readwrite")
1219
def Interval_dbus_property(self, value=None):
1220
if value is None: # get
1221
return dbus.UInt64(self.interval_milliseconds())
1222
self.interval = datetime.timedelta(0, 0, 0, value)
1223
if getattr(self, "checker_initiator_tag", None) is None:
1224
return
1225
# Reschedule checker run
1226
gobject.source_remove(self.checker_initiator_tag)
1227
self.checker_initiator_tag = (gobject.timeout_add
1228
(value, self.start_checker))
1229
self.start_checker() # Start one now, too
1230
1231
# Checker - property
1232
@dbus_service_property(_interface, signature="s",
1233
access="readwrite")
1234
def Checker_dbus_property(self, value=None):
1235
if value is None: # get
1236
return dbus.String(self.checker_command)
1237
self.checker_command = value
1238
1239
# CheckerRunning - property
1240
@dbus_service_property(_interface, signature="b",
1241
access="readwrite")
1242
def CheckerRunning_dbus_property(self, value=None):
1243
if value is None: # get
1244
return dbus.Boolean(self.checker is not None)
1245
if value:
1246
self.start_checker()
1247
else:
1248
self.stop_checker()
1249
1250
# ObjectPath - property
1251
@dbus_service_property(_interface, signature="o", access="read")
1252
def ObjectPath_dbus_property(self):
1253
return self.dbus_object_path # is already a dbus.ObjectPath
1254
1255
# Secret = property
1256
@dbus_service_property(_interface, signature="ay",
1257
access="write", byte_arrays=True)
1258
def Secret_dbus_property(self, value):
1259
self.secret = str(value)
621
1260
622
1261
del _interface
623
1262
624
1263
625
def peer_certificate(session):
626
"Return the peer's OpenPGP certificate as a bytestring"
627
# If not an OpenPGP certificate...
628
if (gnutls.library.functions
629
.gnutls_certificate_type_get(session._c_object)
630
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
631
# ...do the normal thing
632
return session.peer_certificate
633
list_size = ctypes.c_uint(1)
634
cert_list = (gnutls.library.functions
635
.gnutls_certificate_get_peers
636
(session._c_object, ctypes.byref(list_size)))
637
if not bool(cert_list) and list_size.value != 0:
638
raise gnutls.errors.GNUTLSError("error getting peer"
639
" certificate")
640
if list_size.value == 0:
641
return None
642
cert = cert_list[0]
643
return ctypes.string_at(cert.data, cert.size)
644
645
646
def fingerprint(openpgp):
647
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
648
# New GnuTLS "datum" with the OpenPGP public key
649
datum = (gnutls.library.types
650
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
651
ctypes.POINTER
652
(ctypes.c_ubyte)),
653
ctypes.c_uint(len(openpgp))))
654
# New empty GnuTLS certificate
655
crt = gnutls.library.types.gnutls_openpgp_crt_t()
656
(gnutls.library.functions
657
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
658
# Import the OpenPGP public key into the certificate
659
(gnutls.library.functions
660
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
661
gnutls.library.constants
662
.GNUTLS_OPENPGP_FMT_RAW))
663
# Verify the self signature in the key
664
crtverify = ctypes.c_uint()
665
(gnutls.library.functions
666
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
667
if crtverify.value != 0:
668
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
669
raise gnutls.errors.CertificateSecurityError("Verify failed")
670
# New buffer for the fingerprint
671
buf = ctypes.create_string_buffer(20)
672
buf_len = ctypes.c_size_t()
673
# Get the fingerprint from the certificate into the buffer
674
(gnutls.library.functions
675
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
676
ctypes.byref(buf_len)))
677
# Deinit the certificate
678
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
679
# Convert the buffer to a Python bytestring
680
fpr = ctypes.string_at(buf, buf_len.value)
681
# Convert the bytestring to hexadecimal notation
682
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
683
return hex_fpr
684
685
686
class TCP_handler(SocketServer.BaseRequestHandler, object):
687
"""A TCP request handler class.
688
Instantiated by IPv6_TCPServer for each request to handle it.
1264
class ProxyClient(object):
1265
def __init__(self, child_pipe, fpr, address):
1266
self._pipe = child_pipe
1267
self._pipe.send(('init', fpr, address))
1268
if not self._pipe.recv():
1269
raise KeyError()
1270
1271
def __getattribute__(self, name):
1272
if(name == '_pipe'):
1273
return super(ProxyClient, self).__getattribute__(name)
1274
self._pipe.send(('getattr', name))
1275
data = self._pipe.recv()
1276
if data[0] == 'data':
1277
return data[1]
1278
if data[0] == 'function':
1279
def func(*args, **kwargs):
1280
self._pipe.send(('funcall', name, args, kwargs))
1281
return self._pipe.recv()[1]
1282
return func
1283
1284
def __setattr__(self, name, value):
1285
if(name == '_pipe'):
1286
return super(ProxyClient, self).__setattr__(name, value)
1287
self._pipe.send(('setattr', name, value))
1288
1289
class ClientDBusTransitional(ClientDBus):
1290
__metaclass__ = AlternateDBusNamesMetaclass
1291
1292
class ClientHandler(socketserver.BaseRequestHandler, object):
1293
"""A class to handle client connections.
1294
1295
Instantiated once for each connection to handle it.
689
1296
Note: This will run in its own forked process."""
690
1297
691
1298
def handle(self):
692
logger.info(u"TCP connection from: %s",
693
unicode(self.client_address))
694
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
695
# Open IPC pipe to parent process
696
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
1299
with contextlib.closing(self.server.child_pipe) as child_pipe:
1300
logger.info("TCP connection from: %s",
1301
unicode(self.client_address))
1302
logger.debug("Pipe FD: %d",
1303
self.server.child_pipe.fileno())
1304
697
1305
session = (gnutls.connection
698
1306
.ClientSession(self.request,
699
1307
gnutls.connection
700
1308
.X509Credentials()))
701
1309
702
line = self.request.makefile().readline()
703
logger.debug(u"Protocol version: %r", line)
704
try:
705
if int(line.strip().split()[0]) > 1:
706
raise RuntimeError
707
except (ValueError, IndexError, RuntimeError), error:
708
logger.error(u"Unknown protocol version: %s", error)
709
return
710
711
1310
# Note: gnutls.connection.X509Credentials is really a
712
1311
# generic GnuTLS certificate credentials object so long as
713
1312
# no X.509 keys are added to it. Therefore, we can use it
714
1313
# here despite using OpenPGP certificates.
715
1314
716
1315
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
717
# "+AES-256-CBC", "+SHA1",
718
# "+COMP-NULL", "+CTYPE-OPENPGP",
719
# "+DHE-DSS"))
1316
# "+AES-256-CBC", "+SHA1",
1317
# "+COMP-NULL", "+CTYPE-OPENPGP",
1318
# "+DHE-DSS"))
720
1319
# Use a fallback default, since this MUST be set.
721
priority = self.server.settings.get("priority", "NORMAL")
1320
priority = self.server.gnutls_priority
1321
if priority is None:
1322
priority = "NORMAL"
722
1323
(gnutls.library.functions
723
1324
.gnutls_priority_set_direct(session._c_object,
724
1325
priority, None))
725
1326
1327
# Start communication using the Mandos protocol
1328
# Get protocol number
1329
line = self.request.makefile().readline()
1330
logger.debug("Protocol version: %r", line)
1331
try:
1332
if int(line.strip().split()[0]) > 1:
1333
raise RuntimeError
1334
except (ValueError, IndexError, RuntimeError) as error:
1335
logger.error("Unknown protocol version: %s", error)
1336
return
1337
1338
# Start GnuTLS connection
726
1339
try:
727
1340
session.handshake()
728
except gnutls.errors.GNUTLSError, error:
729
logger.warning(u"Handshake failed: %s", error)
1341
except gnutls.errors.GNUTLSError as error:
1342
logger.warning("Handshake failed: %s", error)
730
1343
# Do not run session.bye() here: the session is not
731
1344
# established. Just abandon the request.
732
1345
return
733
logger.debug(u"Handshake succeeded")
1346
logger.debug("Handshake succeeded")
1347
1348
approval_required = False
734
1349
try:
735
fpr = fingerprint(peer_certificate(session))
736
except (TypeError, gnutls.errors.GNUTLSError), error:
737
logger.warning(u"Bad certificate: %s", error)
738
session.bye()
739
return
740
logger.debug(u"Fingerprint: %s", fpr)
1350
try:
1351
fpr = self.fingerprint(self.peer_certificate
1352
(session))
1353
except (TypeError,
1354
gnutls.errors.GNUTLSError) as error:
1355
logger.warning("Bad certificate: %s", error)
1356
return
1357
logger.debug("Fingerprint: %s", fpr)
1358
1359
try:
1360
client = ProxyClient(child_pipe, fpr,
1361
self.client_address)
1362
except KeyError:
1363
return
1364
1365
if client.approval_delay:
1366
delay = client.approval_delay
1367
client.approvals_pending += 1
1368
approval_required = True
1369
1370
while True:
1371
if not client.enabled:
1372
logger.info("Client %s is disabled",
1373
client.name)
1374
if self.server.use_dbus:
1375
# Emit D-Bus signal
1376
client.Rejected("Disabled")
1377
return
1378
1379
if client._approved or not client.approval_delay:
1380
#We are approved or approval is disabled
1381
break
1382
elif client._approved is None:
1383
logger.info("Client %s needs approval",
1384
client.name)
1385
if self.server.use_dbus:
1386
# Emit D-Bus signal
1387
client.NeedApproval(
1388
client.approval_delay_milliseconds(),
1389
client.approved_by_default)
1390
else:
1391
logger.warning("Client %s was not approved",
1392
client.name)
1393
if self.server.use_dbus:
1394
# Emit D-Bus signal
1395
client.Rejected("Denied")
1396
return
1397
1398
#wait until timeout or approved
1399
time = datetime.datetime.now()
1400
client.changedstate.acquire()
1401
(client.changedstate.wait
1402
(float(client._timedelta_to_milliseconds(delay)
1403
/ 1000)))
1404
client.changedstate.release()
1405
time2 = datetime.datetime.now()
1406
if (time2 - time) >= delay:
1407
if not client.approved_by_default:
1408
logger.warning("Client %s timed out while"
1409
" waiting for approval",
1410
client.name)
1411
if self.server.use_dbus:
1412
# Emit D-Bus signal
1413
client.Rejected("Approval timed out")
1414
return
1415
else:
1416
break
1417
else:
1418
delay -= time2 - time
1419
1420
sent_size = 0
1421
while sent_size < len(client.secret):
1422
try:
1423
sent = session.send(client.secret[sent_size:])
1424
except gnutls.errors.GNUTLSError as error:
1425
logger.warning("gnutls send failed")
1426
return
1427
logger.debug("Sent: %d, remaining: %d",
1428
sent, len(client.secret)
1429
- (sent_size + sent))
1430
sent_size += sent
1431
1432
logger.info("Sending secret to %s", client.name)
1433
# bump the timeout using extended_timeout
1434
client.checked_ok(client.extended_timeout)
1435
if self.server.use_dbus:
1436
# Emit D-Bus signal
1437
client.GotSecret()
741
1438
742
for c in self.server.clients:
743
if c.fingerprint == fpr:
744
client = c
745
break
746
else:
747
logger.warning(u"Client not found for fingerprint: %s",
748
fpr)
749
ipc.write("NOTFOUND %s\n" % fpr)
750
session.bye()
751
return
752
# Have to check if client.still_valid(), since it is
753
# possible that the client timed out while establishing
754
# the GnuTLS session.
755
if not client.still_valid():
756
logger.warning(u"Client %(name)s is invalid",
757
vars(client))
758
ipc.write("INVALID %s\n" % client.name)
759
session.bye()
760
return
761
ipc.write("SENDING %s\n" % client.name)
762
sent_size = 0
763
while sent_size < len(client.secret):
764
sent = session.send(client.secret[sent_size:])
765
logger.debug(u"Sent: %d, remaining: %d",
766
sent, len(client.secret)
767
- (sent_size + sent))
768
sent_size += sent
769
session.bye()
770
771
772
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
773
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
774
Assumes a gobject.MainLoop event loop.
775
"""
1439
finally:
1440
if approval_required:
1441
client.approvals_pending -= 1
1442
try:
1443
session.bye()
1444
except gnutls.errors.GNUTLSError as error:
1445
logger.warning("GnuTLS bye failed")
1446
1447
@staticmethod
1448
def peer_certificate(session):
1449
"Return the peer's OpenPGP certificate as a bytestring"
1450
# If not an OpenPGP certificate...
1451
if (gnutls.library.functions
1452
.gnutls_certificate_type_get(session._c_object)
1453
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1454
# ...do the normal thing
1455
return session.peer_certificate
1456
list_size = ctypes.c_uint(1)
1457
cert_list = (gnutls.library.functions
1458
.gnutls_certificate_get_peers
1459
(session._c_object, ctypes.byref(list_size)))
1460
if not bool(cert_list) and list_size.value != 0:
1461
raise gnutls.errors.GNUTLSError("error getting peer"
1462
" certificate")
1463
if list_size.value == 0:
1464
return None
1465
cert = cert_list[0]
1466
return ctypes.string_at(cert.data, cert.size)
1467
1468
@staticmethod
1469
def fingerprint(openpgp):
1470
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1471
# New GnuTLS "datum" with the OpenPGP public key
1472
datum = (gnutls.library.types
1473
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1474
ctypes.POINTER
1475
(ctypes.c_ubyte)),
1476
ctypes.c_uint(len(openpgp))))
1477
# New empty GnuTLS certificate
1478
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1479
(gnutls.library.functions
1480
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1481
# Import the OpenPGP public key into the certificate
1482
(gnutls.library.functions
1483
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1484
gnutls.library.constants
1485
.GNUTLS_OPENPGP_FMT_RAW))
1486
# Verify the self signature in the key
1487
crtverify = ctypes.c_uint()
1488
(gnutls.library.functions
1489
.gnutls_openpgp_crt_verify_self(crt, 0,
1490
ctypes.byref(crtverify)))
1491
if crtverify.value != 0:
1492
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1493
raise (gnutls.errors.CertificateSecurityError
1494
("Verify failed"))
1495
# New buffer for the fingerprint
1496
buf = ctypes.create_string_buffer(20)
1497
buf_len = ctypes.c_size_t()
1498
# Get the fingerprint from the certificate into the buffer
1499
(gnutls.library.functions
1500
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1501
ctypes.byref(buf_len)))
1502
# Deinit the certificate
1503
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1504
# Convert the buffer to a Python bytestring
1505
fpr = ctypes.string_at(buf, buf_len.value)
1506
# Convert the bytestring to hexadecimal notation
1507
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1508
return hex_fpr
1509
1510
1511
class MultiprocessingMixIn(object):
1512
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1513
def sub_process_main(self, request, address):
1514
try:
1515
self.finish_request(request, address)
1516
except:
1517
self.handle_error(request, address)
1518
self.close_request(request)
1519
1520
def process_request(self, request, address):
1521
"""Start a new process to process the request."""
1522
proc = multiprocessing.Process(target = self.sub_process_main,
1523
args = (request,
1524
address))
1525
proc.start()
1526
return proc
1527
1528
1529
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1530
""" adds a pipe to the MixIn """
776
1531
def process_request(self, request, client_address):
777
"""This overrides and wraps the original process_request().
778
This function creates a new pipe in self.pipe
1532
"""Overrides and wraps the original process_request().
1533
1534
This function creates a new pipe in self.pipe
779
1535
"""
780
self.pipe = os.pipe()
781
super(ForkingMixInWithPipe,
782
self).process_request(request, client_address)
783
os.close(self.pipe[1]) # close write end
784
# Call "handle_ipc" for both data and EOF events
785
gobject.io_add_watch(self.pipe[0],
786
gobject.IO_IN | gobject.IO_HUP,
787
self.handle_ipc)
788
def handle_ipc(source, condition):
1536
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1537
1538
proc = MultiprocessingMixIn.process_request(self, request,
1539
client_address)
1540
self.child_pipe.close()
1541
self.add_pipe(parent_pipe, proc)
1542
1543
def add_pipe(self, parent_pipe, proc):
789
1544
"""Dummy function; override as necessary"""
790
os.close(source)
791
return False
792
793
794
class IPv6_TCPServer(ForkingMixInWithPipe,
795
SocketServer.TCPServer, object):
1545
raise NotImplementedError
1546
1547
1548
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1549
socketserver.TCPServer, object):
796
1550
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1551
797
1552
Attributes:
798
settings: Server settings
799
clients: Set() of Client objects
800
1553
enabled: Boolean; whether this server is activated yet
1554
interface: None or a network interface name (string)
1555
use_ipv6: Boolean; to use IPv6 or not
801
1556
"""
802
address_family = socket.AF_INET6
803
def __init__(self, *args, **kwargs):
804
if "settings" in kwargs:
805
self.settings = kwargs["settings"]
806
del kwargs["settings"]
807
if "clients" in kwargs:
808
self.clients = kwargs["clients"]
809
del kwargs["clients"]
810
if "use_ipv6" in kwargs:
811
if not kwargs["use_ipv6"]:
812
self.address_family = socket.AF_INET
813
del kwargs["use_ipv6"]
814
self.enabled = False
815
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1557
def __init__(self, server_address, RequestHandlerClass,
1558
interface=None, use_ipv6=True):
1559
self.interface = interface
1560
if use_ipv6:
1561
self.address_family = socket.AF_INET6
1562
socketserver.TCPServer.__init__(self, server_address,
1563
RequestHandlerClass)
816
1564
def server_bind(self):
817
1565
"""This overrides the normal server_bind() function
818
1566
to bind to an interface if one was specified, and also NOT to
819
1567
bind to an address or port if they were not specified."""
820
if self.settings["interface"]:
821
# 25 is from /usr/include/asm-i486/socket.h
822
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
823
try:
824
self.socket.setsockopt(socket.SOL_SOCKET,
825
SO_BINDTODEVICE,
826
self.settings["interface"])
827
except socket.error, error:
828
if error[0] == errno.EPERM:
829
logger.error(u"No permission to"
830
u" bind to interface %s",
831
self.settings["interface"])
832
else:
833
raise
1568
if self.interface is not None:
1569
if SO_BINDTODEVICE is None:
1570
logger.error("SO_BINDTODEVICE does not exist;"
1571
" cannot bind to interface %s",
1572
self.interface)
1573
else:
1574
try:
1575
self.socket.setsockopt(socket.SOL_SOCKET,
1576
SO_BINDTODEVICE,
1577
str(self.interface
1578
+ '\0'))
1579
except socket.error as error:
1580
if error[0] == errno.EPERM:
1581
logger.error("No permission to"
1582
" bind to interface %s",
1583
self.interface)
1584
elif error[0] == errno.ENOPROTOOPT:
1585
logger.error("SO_BINDTODEVICE not available;"
1586
" cannot bind to interface %s",
1587
self.interface)
1588
else:
1589
raise
834
1590
# Only bind(2) the socket if we really need to.
835
1591
if self.server_address[0] or self.server_address[1]:
836
1592
if not self.server_address[0]:
843
1599
elif not self.server_address[1]:
844
1600
self.server_address = (self.server_address[0],
845
1601
0)
846
# if self.settings["interface"]:
1602
# if self.interface:
847
1603
# self.server_address = (self.server_address[0],
848
1604
# 0, # port
849
1605
# 0, # flowinfo
850
1606
# if_nametoindex
851
# (self.settings
852
# ["interface"]))
853
return super(IPv6_TCPServer, self).server_bind()
1607
# (self.interface))
1608
return socketserver.TCPServer.server_bind(self)
1609
1610
1611
class MandosServer(IPv6_TCPServer):
1612
"""Mandos server.
1613
1614
Attributes:
1615
clients: set of Client objects
1616
gnutls_priority GnuTLS priority string
1617
use_dbus: Boolean; to emit D-Bus signals or not
1618
1619
Assumes a gobject.MainLoop event loop.
1620
"""
1621
def __init__(self, server_address, RequestHandlerClass,
1622
interface=None, use_ipv6=True, clients=None,
1623
gnutls_priority=None, use_dbus=True):
1624
self.enabled = False
1625
self.clients = clients
1626
if self.clients is None:
1627
self.clients = set()
1628
self.use_dbus = use_dbus
1629
self.gnutls_priority = gnutls_priority
1630
IPv6_TCPServer.__init__(self, server_address,
1631
RequestHandlerClass,
1632
interface = interface,
1633
use_ipv6 = use_ipv6)
854
1634
def server_activate(self):
855
1635
if self.enabled:
856
return super(IPv6_TCPServer, self).server_activate()
1636
return socketserver.TCPServer.server_activate(self)
1637
857
1638
def enable(self):
858
1639
self.enabled = True
859
def handle_ipc(self, source, condition, file_objects={}):
1640
1641
def add_pipe(self, parent_pipe, proc):
1642
# Call "handle_ipc" for both data and EOF events
1643
gobject.io_add_watch(parent_pipe.fileno(),
1644
gobject.IO_IN | gobject.IO_HUP,
1645
functools.partial(self.handle_ipc,
1646
parent_pipe =
1647
parent_pipe,
1648
proc = proc))
1649
1650
def handle_ipc(self, source, condition, parent_pipe=None,
1651
proc = None, client_object=None):
860
1652
condition_names = {
861
gobject.IO_IN: "IN", # There is data to read.
1653
gobject.IO_IN: "IN", # There is data to read.
862
1654
gobject.IO_OUT: "OUT", # Data can be written (without
863
# blocking).
1655
# blocking).
864
1656
gobject.IO_PRI: "PRI", # There is urgent data to read.
865
1657
gobject.IO_ERR: "ERR", # Error condition.
866
1658
gobject.IO_HUP: "HUP" # Hung up (the connection has been
867
# broken, usually for pipes and
868
# sockets).
1659
# broken, usually for pipes and
1660
# sockets).
869
1661
}
870
1662
conditions_string = ' | '.join(name
871
1663
for cond, name in
872
1664
condition_names.iteritems()
873
1665
if cond & condition)
874
logger.debug("Handling IPC: FD = %d, condition = %s", source,
875
conditions_string)
876
877
# Turn the pipe file descriptor into a Python file object
878
if source not in file_objects:
879
file_objects[source] = os.fdopen(source, "r", 1)
880
881
# Read a line from the file object
882
cmdline = file_objects[source].readline()
883
if not cmdline: # Empty line means end of file
884
# close the IPC pipe
885
file_objects[source].close()
886
del file_objects[source]
1666
# error, or the other end of multiprocessing.Pipe has closed
1667
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1668
# Wait for other process to exit
1669
proc.join()
1670
return False
1671
1672
# Read a request from the child
1673
request = parent_pipe.recv()
1674
command = request[0]
1675
1676
if command == 'init':
1677
fpr = request[1]
1678
address = request[2]
887
1679
888
# Stop calling this function
889
return False
890
891
logger.debug("IPC command: %r\n" % cmdline)
892
893
# Parse and act on command
894
cmd, args = cmdline.split(None, 1)
895
if cmd == "NOTFOUND":
896
if self.settings["use_dbus"]:
897
# Emit D-Bus signal
898
mandos_dbus_service.ClientNotFound(args)
899
elif cmd == "INVALID":
900
if self.settings["use_dbus"]:
901
for client in self.clients:
902
if client.name == args:
903
# Emit D-Bus signal
904
client.Rejected()
905
break
906
elif cmd == "SENDING":
907
for client in self.clients:
908
if client.name == args:
909
client.checked_ok()
910
if self.settings["use_dbus"]:
911
# Emit D-Bus signal
912
client.ReceivedSecret()
1680
for c in self.clients:
1681
if c.fingerprint == fpr:
1682
client = c
913
1683
break
914
else:
915
logger.error("Unknown IPC command: %r", cmdline)
916
917
# Keep calling this function
1684
else:
1685
logger.info("Client not found for fingerprint: %s, ad"
1686
"dress: %s", fpr, address)
1687
if self.use_dbus:
1688
# Emit D-Bus signal
1689
mandos_dbus_service.ClientNotFound(fpr,
1690
address[0])
1691
parent_pipe.send(False)
1692
return False
1693
1694
gobject.io_add_watch(parent_pipe.fileno(),
1695
gobject.IO_IN | gobject.IO_HUP,
1696
functools.partial(self.handle_ipc,
1697
parent_pipe =
1698
parent_pipe,
1699
proc = proc,
1700
client_object =
1701
client))
1702
parent_pipe.send(True)
1703
# remove the old hook in favor of the new above hook on
1704
# same fileno
1705
return False
1706
if command == 'funcall':
1707
funcname = request[1]
1708
args = request[2]
1709
kwargs = request[3]
1710
1711
parent_pipe.send(('data', getattr(client_object,
1712
funcname)(*args,
1713
**kwargs)))
1714
1715
if command == 'getattr':
1716
attrname = request[1]
1717
if callable(client_object.__getattribute__(attrname)):
1718
parent_pipe.send(('function',))
1719
else:
1720
parent_pipe.send(('data', client_object
1721
.__getattribute__(attrname)))
1722
1723
if command == 'setattr':
1724
attrname = request[1]
1725
value = request[2]
1726
setattr(client_object, attrname, value)
1727
918
1728
return True
919
1729
920
1730
929
1739
datetime.timedelta(0, 3600)
930
1740
>>> string_to_delta('24h')
931
1741
datetime.timedelta(1)
932
>>> string_to_delta(u'1w')
1742
>>> string_to_delta('1w')
933
1743
datetime.timedelta(7)
934
1744
>>> string_to_delta('5m 30s')
935
1745
datetime.timedelta(0, 330)
939
1749
try:
940
1750
suffix = unicode(s[-1])
941
1751
value = int(s[:-1])
942
if suffix == u"d":
1752
if suffix == "d":
943
1753
delta = datetime.timedelta(value)
944
elif suffix == u"s":
1754
elif suffix == "s":
945
1755
delta = datetime.timedelta(0, value)
946
elif suffix == u"m":
1756
elif suffix == "m":
947
1757
delta = datetime.timedelta(0, 0, 0, 0, value)
948
elif suffix == u"h":
1758
elif suffix == "h":
949
1759
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
950
elif suffix == u"w":
1760
elif suffix == "w":
951
1761
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
952
1762
else:
953
raise ValueError
954
except (ValueError, IndexError):
955
raise ValueError
1763
raise ValueError("Unknown suffix %r" % suffix)
1764
except (ValueError, IndexError) as e:
1765
raise ValueError(*(e.args))
956
1766
timevalue += delta
957
1767
return timevalue
958
1768
959
1769
960
def server_state_changed(state):
961
"""Derived from the Avahi example code"""
962
if state == avahi.SERVER_COLLISION:
963
logger.error(u"Zeroconf server name collision")
964
service.remove()
965
elif state == avahi.SERVER_RUNNING:
966
service.add()
967
968
969
def entry_group_state_changed(state, error):
970
"""Derived from the Avahi example code"""
971
logger.debug(u"Avahi state change: %i", state)
972
973
if state == avahi.ENTRY_GROUP_ESTABLISHED:
974
logger.debug(u"Zeroconf service established.")
975
elif state == avahi.ENTRY_GROUP_COLLISION:
976
logger.warning(u"Zeroconf service name collision.")
977
service.rename()
978
elif state == avahi.ENTRY_GROUP_FAILURE:
979
logger.critical(u"Avahi: Error in group state changed %s",
980
unicode(error))
981
raise AvahiGroupError(u"State changed: %s" % unicode(error))
982
983
1770
def if_nametoindex(interface):
984
"""Call the C function if_nametoindex(), or equivalent"""
1771
"""Call the C function if_nametoindex(), or equivalent
1772
1773
Note: This function cannot accept a unicode string."""
985
1774
global if_nametoindex
986
1775
try:
987
1776
if_nametoindex = (ctypes.cdll.LoadLibrary
988
1777
(ctypes.util.find_library("c"))
989
1778
.if_nametoindex)
990
1779
except (OSError, AttributeError):
991
if "struct" not in sys.modules:
992
import struct
993
if "fcntl" not in sys.modules:
994
import fcntl
1780
logger.warning("Doing if_nametoindex the hard way")
995
1781
def if_nametoindex(interface):
996
1782
"Get an interface index the hard way, i.e. using fcntl()"
997
1783
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
998
with closing(socket.socket()) as s:
1784
with contextlib.closing(socket.socket()) as s:
999
1785
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1000
struct.pack("16s16x", interface))
1001
interface_index = struct.unpack("I", ifreq[16:20])[0]
1786
struct.pack(str("16s16x"),
1787
interface))
1788
interface_index = struct.unpack(str("I"),
1789
ifreq[16:20])[0]
1002
1790
return interface_index
1003
1791
return if_nametoindex(interface)
1004
1792
1005
1793
1006
1794
def daemon(nochdir = False, noclose = False):
1007
1795
"""See daemon(3). Standard BSD Unix function.
1796
1008
1797
This should really exist as os.daemon, but it doesn't (yet)."""
1009
1798
if os.fork():
1010
1799
sys.exit()
1018
1807
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1019
1808
if not stat.S_ISCHR(os.fstat(null).st_mode):
1020
1809
raise OSError(errno.ENODEV,
1021
"/dev/null not a character device")
1810
"%s not a character device"
1811
% os.path.devnull)
1022
1812
os.dup2(null, sys.stdin.fileno())
1023
1813
os.dup2(null, sys.stdout.fileno())
1024
1814
os.dup2(null, sys.stderr.fileno())
1028
1818
1029
1819
def main():
1030
1820
1031
######################################################################
1821
##################################################################
1032
1822
# Parsing of options, both command line and config file
1033
1823
1034
parser = optparse.OptionParser(version = "%%prog %s" % version)
1035
parser.add_option("-i", "--interface", type="string",
1036
metavar="IF", help="Bind to interface IF")
1037
parser.add_option("-a", "--address", type="string",
1038
help="Address to listen for requests on")
1039
parser.add_option("-p", "--port", type="int",
1040
help="Port number to receive requests on")
1041
parser.add_option("--check", action="store_true",
1042
help="Run self-test")
1043
parser.add_option("--debug", action="store_true",
1044
help="Debug mode; run in foreground and log to"
1045
" terminal")
1046
parser.add_option("--priority", type="string", help="GnuTLS"
1047
" priority string (see GnuTLS documentation)")
1048
parser.add_option("--servicename", type="string", metavar="NAME",
1049
help="Zeroconf service name")
1050
parser.add_option("--configdir", type="string",
1051
default="/etc/mandos", metavar="DIR",
1052
help="Directory to search for configuration"
1053
" files")
1054
parser.add_option("--no-dbus", action="store_false",
1055
dest="use_dbus",
1056
help="Do not provide D-Bus system bus"
1057
" interface")
1058
parser.add_option("--no-ipv6", action="store_false",
1059
dest="use_ipv6", help="Do not use IPv6")
1060
options = parser.parse_args()[0]
1824
parser = argparse.ArgumentParser()
1825
parser.add_argument("-v", "--version", action="version",
1826
version = "%%(prog)s %s" % version,
1827
help="show version number and exit")
1828
parser.add_argument("-i", "--interface", metavar="IF",
1829
help="Bind to interface IF")
1830
parser.add_argument("-a", "--address",
1831
help="Address to listen for requests on")
1832
parser.add_argument("-p", "--port", type=int,
1833
help="Port number to receive requests on")
1834
parser.add_argument("--check", action="store_true",
1835
help="Run self-test")
1836
parser.add_argument("--debug", action="store_true",
1837
help="Debug mode; run in foreground and log"
1838
" to terminal")
1839
parser.add_argument("--debuglevel", metavar="LEVEL",
1840
help="Debug level for stdout output")
1841
parser.add_argument("--priority", help="GnuTLS"
1842
" priority string (see GnuTLS documentation)")
1843
parser.add_argument("--servicename",
1844
metavar="NAME", help="Zeroconf service name")
1845
parser.add_argument("--configdir",
1846
default="/etc/mandos", metavar="DIR",
1847
help="Directory to search for configuration"
1848
" files")
1849
parser.add_argument("--no-dbus", action="store_false",
1850
dest="use_dbus", help="Do not provide D-Bus"
1851
" system bus interface")
1852
parser.add_argument("--no-ipv6", action="store_false",
1853
dest="use_ipv6", help="Do not use IPv6")
1854
options = parser.parse_args()
1061
1855
1062
1856
if options.check:
1063
1857
import doctest
1074
1868
"servicename": "Mandos",
1075
1869
"use_dbus": "True",
1076
1870
"use_ipv6": "True",
1871
"debuglevel": "",
1077
1872
}
1078
1873
1079
1874
# Parse config file for server-global settings
1080
server_config = ConfigParser.SafeConfigParser(server_defaults)
1875
server_config = configparser.SafeConfigParser(server_defaults)
1081
1876
del server_defaults
1082
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1877
server_config.read(os.path.join(options.configdir,
1878
"mandos.conf"))
1083
1879
# Convert the SafeConfigParser object to a dict
1084
1880
server_settings = server_config.defaults()
1085
1881
# Use the appropriate methods on the non-string config options
1086
server_settings["debug"] = server_config.getboolean("DEFAULT",
1087
"debug")
1088
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1089
"use_dbus")
1090
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1091
"use_ipv6")
1882
for option in ("debug", "use_dbus", "use_ipv6"):
1883
server_settings[option] = server_config.getboolean("DEFAULT",
1884
option)
1092
1885
if server_settings["port"]:
1093
1886
server_settings["port"] = server_config.getint("DEFAULT",
1094
1887
"port")
1098
1891
# options, if set.
1099
1892
for option in ("interface", "address", "port", "debug",
1100
1893
"priority", "servicename", "configdir",
1101
"use_dbus", "use_ipv6"):
1894
"use_dbus", "use_ipv6", "debuglevel"):
1102
1895
value = getattr(options, option)
1103
1896
if value is not None:
1104
1897
server_settings[option] = value
1105
1898
del options
1899
# Force all strings to be unicode
1900
for option in server_settings.keys():
1901
if type(server_settings[option]) is str:
1902
server_settings[option] = unicode(server_settings[option])
1106
1903
# Now we have our good server settings in "server_settings"
1107
1904
1108
1905
##################################################################
1109
1906
1110
1907
# For convenience
1111
1908
debug = server_settings["debug"]
1909
debuglevel = server_settings["debuglevel"]
1112
1910
use_dbus = server_settings["use_dbus"]
1113
1911
use_ipv6 = server_settings["use_ipv6"]
1114
1912
1115
if not debug:
1116
syslogger.setLevel(logging.WARNING)
1117
console.setLevel(logging.WARNING)
1118
1119
1913
if server_settings["servicename"] != "Mandos":
1120
1914
syslogger.setFormatter(logging.Formatter
1121
1915
('Mandos (%s) [%%(process)d]:'
1123
1917
% server_settings["servicename"]))
1124
1918
1125
1919
# Parse config file with clients
1126
client_defaults = { "timeout": "1h",
1127
"interval": "5m",
1920
client_defaults = { "timeout": "5m",
1921
"extended_timeout": "15m",
1922
"interval": "2m",
1128
1923
"checker": "fping -q -- %%(host)s",
1129
1924
"host": "",
1925
"approval_delay": "0s",
1926
"approval_duration": "1s",
1130
1927
}
1131
client_config = ConfigParser.SafeConfigParser(client_defaults)
1928
client_config = configparser.SafeConfigParser(client_defaults)
1132
1929
client_config.read(os.path.join(server_settings["configdir"],
1133
1930
"clients.conf"))
1134
1931
1135
1932
global mandos_dbus_service
1136
1933
mandos_dbus_service = None
1137
1934
1138
clients = Set()
1139
tcp_server = IPv6_TCPServer((server_settings["address"],
1140
server_settings["port"]),
1141
TCP_handler,
1142
settings=server_settings,
1143
clients=clients, use_ipv6=use_ipv6)
1144
pidfilename = "/var/run/mandos.pid"
1145
try:
1146
pidfile = open(pidfilename, "w")
1147
except IOError:
1148
logger.error("Could not open file %r", pidfilename)
1935
tcp_server = MandosServer((server_settings["address"],
1936
server_settings["port"]),
1937
ClientHandler,
1938
interface=(server_settings["interface"]
1939
or None),
1940
use_ipv6=use_ipv6,
1941
gnutls_priority=
1942
server_settings["priority"],
1943
use_dbus=use_dbus)
1944
if not debug:
1945
pidfilename = "/var/run/mandos.pid"
1946
try:
1947
pidfile = open(pidfilename, "w")
1948
except IOError:
1949
logger.error("Could not open file %r", pidfilename)
1149
1950
1150
1951
try:
1151
1952
uid = pwd.getpwnam("_mandos").pw_uid
1157
1958
except KeyError:
1158
1959
try:
1159
1960
uid = pwd.getpwnam("nobody").pw_uid
1160
gid = pwd.getpwnam("nogroup").pw_gid
1961
gid = pwd.getpwnam("nobody").pw_gid
1161
1962
except KeyError:
1162
1963
uid = 65534
1163
1964
gid = 65534
1164
1965
try:
1165
1966
os.setgid(gid)
1166
1967
os.setuid(uid)
1167
except OSError, error:
1968
except OSError as error:
1168
1969
if error[0] != errno.EPERM:
1169
1970
raise error
1170
1971
1171
# Enable all possible GnuTLS debugging
1972
if not debug and not debuglevel:
1973
syslogger.setLevel(logging.WARNING)
1974
console.setLevel(logging.WARNING)
1975
if debuglevel:
1976
level = getattr(logging, debuglevel.upper())
1977
syslogger.setLevel(level)
1978
console.setLevel(level)
1979
1172
1980
if debug:
1981
# Enable all possible GnuTLS debugging
1982
1173
1983
# "Use a log level over 10 to enable all debugging options."
1174
1984
# - GnuTLS manual
1175
1985
gnutls.library.functions.gnutls_global_set_log_level(11)
1180
1990
1181
1991
(gnutls.library.functions
1182
1992
.gnutls_global_set_log_function(debug_gnutls))
1993
1994
# Redirect stdin so all checkers get /dev/null
1995
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1996
os.dup2(null, sys.stdin.fileno())
1997
if null > 2:
1998
os.close(null)
1999
else:
2000
# No console logging
2001
logger.removeHandler(console)
1183
2002
1184
global service
1185
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1186
service = AvahiService(name = server_settings["servicename"],
1187
servicetype = "_mandos._tcp",
1188
protocol = protocol)
1189
if server_settings["interface"]:
1190
service.interface = (if_nametoindex
1191
(server_settings["interface"]))
2003
# Need to fork before connecting to D-Bus
2004
if not debug:
2005
# Close all input and output, do double fork, etc.
2006
daemon()
1192
2007
1193
2008
global main_loop
1194
global bus
1195
global server
1196
2009
# From the Avahi example code
1197
2010
DBusGMainLoop(set_as_default=True )
1198
2011
main_loop = gobject.MainLoop()
1199
2012
bus = dbus.SystemBus()
1200
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1201
avahi.DBUS_PATH_SERVER),
1202
avahi.DBUS_INTERFACE_SERVER)
1203
2013
# End of Avahi example code
1204
2014
if use_dbus:
1205
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1206
1207
clients.update(Set(Client(name = section,
1208
config
1209
= dict(client_config.items(section)),
1210
use_dbus = use_dbus)
1211
for section in client_config.sections()))
1212
if not clients:
1213
logger.warning(u"No clients defined")
1214
1215
if debug:
1216
# Redirect stdin so all checkers get /dev/null
1217
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1218
os.dup2(null, sys.stdin.fileno())
1219
if null > 2:
1220
os.close(null)
1221
else:
1222
# No console logging
1223
logger.removeHandler(console)
1224
# Close all input and output, do double fork, etc.
1225
daemon()
1226
1227
try:
1228
with closing(pidfile):
1229
pid = os.getpid()
1230
pidfile.write(str(pid) + "\n")
1231
del pidfile
1232
except IOError:
1233
logger.error(u"Could not write to file %r with PID %d",
1234
pidfilename, pid)
1235
except NameError:
1236
# "pidfile" was never created
1237
pass
1238
del pidfilename
1239
1240
def cleanup():
1241
"Cleanup function; run on exit"
1242
global group
1243
# From the Avahi example code
1244
if not group is None:
1245
group.Free()
1246
group = None
1247
# End of Avahi example code
2015
try:
2016
bus_name = dbus.service.BusName("se.recompile.Mandos",
2017
bus, do_not_queue=True)
2018
old_bus_name = (dbus.service.BusName
2019
("se.bsnet.fukt.Mandos", bus,
2020
do_not_queue=True))
2021
except dbus.exceptions.NameExistsException as e:
2022
logger.error(unicode(e) + ", disabling D-Bus")
2023
use_dbus = False
2024
server_settings["use_dbus"] = False
2025
tcp_server.use_dbus = False
2026
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2027
service = AvahiService(name = server_settings["servicename"],
2028
servicetype = "_mandos._tcp",
2029
protocol = protocol, bus = bus)
2030
if server_settings["interface"]:
2031
service.interface = (if_nametoindex
2032
(str(server_settings["interface"])))
2033
2034
global multiprocessing_manager
2035
multiprocessing_manager = multiprocessing.Manager()
2036
2037
client_class = Client
2038
if use_dbus:
2039
client_class = functools.partial(ClientDBusTransitional,
2040
bus = bus)
2041
def client_config_items(config, section):
2042
special_settings = {
2043
"approved_by_default":
2044
lambda: config.getboolean(section,
2045
"approved_by_default"),
2046
}
2047
for name, value in config.items(section):
2048
try:
2049
yield (name, special_settings[name]())
2050
except KeyError:
2051
yield (name, value)
2052
2053
tcp_server.clients.update(set(
2054
client_class(name = section,
2055
config= dict(client_config_items(
2056
client_config, section)))
2057
for section in client_config.sections()))
2058
if not tcp_server.clients:
2059
logger.warning("No clients defined")
1248
2060
1249
while clients:
1250
client = clients.pop()
1251
client.disable_hook = None
1252
client.disable()
1253
1254
atexit.register(cleanup)
1255
1256
2061
if not debug:
2062
try:
2063
with pidfile:
2064
pid = os.getpid()
2065
pidfile.write(str(pid) + "\n".encode("utf-8"))
2066
del pidfile
2067
except IOError:
2068
logger.error("Could not write to file %r with PID %d",
2069
pidfilename, pid)
2070
except NameError:
2071
# "pidfile" was never created
2072
pass
2073
del pidfilename
2074
1257
2075
signal.signal(signal.SIGINT, signal.SIG_IGN)
2076
1258
2077
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1259
2078
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1260
2079
1263
2082
"""A D-Bus proxy object"""
1264
2083
def __init__(self):
1265
2084
dbus.service.Object.__init__(self, bus, "/")
1266
_interface = u"se.bsnet.fukt.Mandos"
2085
_interface = "se.recompile.Mandos"
1267
2086
1268
@dbus.service.signal(_interface, signature="oa{sv}")
1269
def ClientAdded(self, objpath, properties):
2087
@dbus.service.signal(_interface, signature="o")
2088
def ClientAdded(self, objpath):
1270
2089
"D-Bus signal"
1271
2090
pass
1272
2091
1273
@dbus.service.signal(_interface, signature="s")
1274
def ClientNotFound(self, fingerprint):
2092
@dbus.service.signal(_interface, signature="ss")
2093
def ClientNotFound(self, fingerprint, address):
1275
2094
"D-Bus signal"
1276
2095
pass
1277
2096
1283
2102
@dbus.service.method(_interface, out_signature="ao")
1284
2103
def GetAllClients(self):
1285
2104
"D-Bus method"
1286
return dbus.Array(c.dbus_object_path for c in clients)
2105
return dbus.Array(c.dbus_object_path
2106
for c in tcp_server.clients)
1287
2107
1288
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
2108
@dbus.service.method(_interface,
2109
out_signature="a{oa{sv}}")
1289
2110
def GetAllClientsWithProperties(self):
1290
2111
"D-Bus method"
1291
2112
return dbus.Dictionary(
1292
((c.dbus_object_path, c.GetAllProperties())
1293
for c in clients),
2113
((c.dbus_object_path, c.GetAll(""))
2114
for c in tcp_server.clients),
1294
2115
signature="oa{sv}")
1295
2116
1296
2117
@dbus.service.method(_interface, in_signature="o")
1297
2118
def RemoveClient(self, object_path):
1298
2119
"D-Bus method"
1299
for c in clients:
2120
for c in tcp_server.clients:
1300
2121
if c.dbus_object_path == object_path:
1301
clients.remove(c)
2122
tcp_server.clients.remove(c)
2123
c.remove_from_connection()
1302
2124
# Don't signal anything except ClientRemoved
1303
c.use_dbus = False
1304
c.disable()
2125
c.disable(quiet=True)
1305
2126
# Emit D-Bus signal
1306
2127
self.ClientRemoved(object_path, c.name)
1307
2128
return
1308
raise KeyError
2129
raise KeyError(object_path)
1309
2130
1310
2131
del _interface
1311
2132
1312
mandos_dbus_service = MandosDBusService()
1313
1314
for client in clients:
2133
class MandosDBusServiceTransitional(MandosDBusService):
2134
__metaclass__ = AlternateDBusNamesMetaclass
2135
mandos_dbus_service = MandosDBusServiceTransitional()
2136
2137
def cleanup():
2138
"Cleanup function; run on exit"
2139
service.cleanup()
2140
2141
multiprocessing.active_children()
2142
while tcp_server.clients:
2143
client = tcp_server.clients.pop()
2144
if use_dbus:
2145
client.remove_from_connection()
2146
client.disable_hook = None
2147
# Don't signal anything except ClientRemoved
2148
client.disable(quiet=True)
2149
if use_dbus:
2150
# Emit D-Bus signal
2151
mandos_dbus_service.ClientRemoved(client
2152
.dbus_object_path,
2153
client.name)
2154
2155
atexit.register(cleanup)
2156
2157
for client in tcp_server.clients:
1315
2158
if use_dbus:
1316
2159
# Emit D-Bus signal
1317
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1318
client.GetAllProperties())
2160
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1319
2161
client.enable()
1320
2162
1321
2163
tcp_server.enable()
1324
2166
# Find out what port we got
1325
2167
service.port = tcp_server.socket.getsockname()[1]
1326
2168
if use_ipv6:
1327
logger.info(u"Now listening on address %r, port %d,"
2169
logger.info("Now listening on address %r, port %d,"
1328
2170
" flowinfo %d, scope_id %d"
1329
2171
% tcp_server.socket.getsockname())
1330
2172
else: # IPv4
1331
logger.info(u"Now listening on address %r, port %d"
2173
logger.info("Now listening on address %r, port %d"
1332
2174
% tcp_server.socket.getsockname())
1333
2175
1334
2176
#service.interface = tcp_server.socket.getsockname()[3]
1335
2177
1336
2178
try:
1337
2179
# From the Avahi example code
1338
server.connect_to_signal("StateChanged", server_state_changed)
1339
2180
try:
1340
server_state_changed(server.GetState())
1341
except dbus.exceptions.DBusException, error:
1342
logger.critical(u"DBusException: %s", error)
2181
service.activate()
2182
except dbus.exceptions.DBusException as error:
2183
logger.critical("DBusException: %s", error)
2184
cleanup()
1343
2185
sys.exit(1)
1344
2186
# End of Avahi example code
1345
2187
1348
2190
(tcp_server.handle_request
1349
2191
(*args[2:], **kwargs) or True))
1350
2192
1351
logger.debug(u"Starting main loop")
2193
logger.debug("Starting main loop")
1352
2194
main_loop.run()
1353
except AvahiError, error:
1354
logger.critical(u"AvahiError: %s", error)
2195
except AvahiError as error:
2196
logger.critical("AvahiError: %s", error)
2197
cleanup()
1355
2198
sys.exit(1)
1356
2199
except KeyboardInterrupt:
1357
2200
if debug:
1358
print >> sys.stderr
2201
print("", file=sys.stderr)
1359
2202
logger.debug("Server received KeyboardInterrupt")
1360
2203
logger.debug("Server exiting")
2204
# Must run before the D-Bus bus name gets deregistered
2205
cleanup()
2206
1361
2207
1362
2208
if __name__ == '__main__':
1363
2209
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0