To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 505.3.26
- compare with another revision
- download diff
- download tarball
- view history from revision 505.3.26
- Committer: teddy at bsnet
- Date: 2011-12-02 16:52:50 UTC
- mto: (505.2.13 mandos-client-network-hooks)
- mto: This revision was merged to the branch mainline in revision 525.
- Revision ID: teddy@fukt.bsnet.se-20111202165250-gs83pj705gsofb0e
* network-hooks.d/openvpn: Tolerate relative MANDOSNETHOOKDIR path.
(stop): Bug fix: Fix quote escapes.
* network-hooks.d/openvpn.conf: Remove compression.
(stop): Bug fix: Fix quote escapes.
* network-hooks.d/openvpn.conf: Remove compression.
- files added:
- DBUS-API
- debian/source
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
9
# methods "add", "remove", "server_state_changed",
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
# Contact the authors at <mandos@recompile.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
35
36
36
import SocketServer
37
import SocketServer as socketserver
37
38
import socket
38
import optparse
39
import argparse
39
40
import datetime
40
41
import errno
41
42
import gnutls.crypto
44
45
import gnutls.library.functions
45
46
import gnutls.library.constants
46
47
import gnutls.library.types
47
import ConfigParser
48
import ConfigParser as configparser
48
49
import sys
49
50
import re
50
51
import os
51
52
import signal
52
from sets import Set
53
53
import subprocess
54
54
import atexit
55
55
import stat
56
56
import logging
57
57
import logging.handlers
58
58
import pwd
59
from contextlib import closing
59
import contextlib
60
import struct
61
import fcntl
62
import functools
63
import cPickle as pickle
64
import multiprocessing
65
import types
60
66
61
67
import dbus
62
68
import dbus.service
65
71
from dbus.mainloop.glib import DBusGMainLoop
66
72
import ctypes
67
73
import ctypes.util
68
69
version = "1.0.8"
70
74
import xml.dom.minidom
75
import inspect
76
77
try:
78
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
79
except AttributeError:
80
try:
81
from IN import SO_BINDTODEVICE
82
except ImportError:
83
SO_BINDTODEVICE = None
84
85
86
version = "1.4.1"
87
88
#logger = logging.getLogger('mandos')
71
89
logger = logging.Logger('mandos')
72
90
syslogger = (logging.handlers.SysLogHandler
73
91
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
74
address = "/dev/log"))
92
address = str("/dev/log")))
75
93
syslogger.setFormatter(logging.Formatter
76
94
('Mandos [%(process)d]: %(levelname)s:'
77
95
' %(message)s'))
79
97
80
98
console = logging.StreamHandler()
81
99
console.setFormatter(logging.Formatter('%(name)s [%(process)d]:'
82
' %(levelname)s: %(message)s'))
100
' %(levelname)s:'
101
' %(message)s'))
83
102
logger.addHandler(console)
84
103
85
104
class AvahiError(Exception):
98
117
99
118
class AvahiService(object):
100
119
"""An Avahi (Zeroconf) service.
120
101
121
Attributes:
102
122
interface: integer; avahi.IF_UNSPEC or an interface index.
103
123
Used to optionally bind to the specified interface.
111
131
max_renames: integer; maximum number of renames
112
132
rename_count: integer; counter so we only rename after collisions
113
133
a sensible number of times
134
group: D-Bus Entry Group
135
server: D-Bus Server
136
bus: dbus.SystemBus()
114
137
"""
115
138
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
116
139
servicetype = None, port = None, TXT = None,
117
140
domain = "", host = "", max_renames = 32768,
118
protocol = avahi.PROTO_UNSPEC):
141
protocol = avahi.PROTO_UNSPEC, bus = None):
119
142
self.interface = interface
120
143
self.name = name
121
144
self.type = servicetype
126
149
self.rename_count = 0
127
150
self.max_renames = max_renames
128
151
self.protocol = protocol
152
self.group = None # our entry group
153
self.server = None
154
self.bus = bus
155
self.entry_group_state_changed_match = None
129
156
def rename(self):
130
157
"""Derived from the Avahi example code"""
131
158
if self.rename_count >= self.max_renames:
132
logger.critical(u"No suitable Zeroconf service name found"
133
u" after %i retries, exiting.",
159
logger.critical("No suitable Zeroconf service name found"
160
" after %i retries, exiting.",
134
161
self.rename_count)
135
raise AvahiServiceError(u"Too many renames")
136
self.name = server.GetAlternativeServiceName(self.name)
137
logger.info(u"Changing Zeroconf service name to %r ...",
138
str(self.name))
162
raise AvahiServiceError("Too many renames")
163
self.name = unicode(self.server
164
.GetAlternativeServiceName(self.name))
165
logger.info("Changing Zeroconf service name to %r ...",
166
self.name)
139
167
syslogger.setFormatter(logging.Formatter
140
168
('Mandos (%s) [%%(process)d]:'
141
169
' %%(levelname)s: %%(message)s'
142
170
% self.name))
143
171
self.remove()
144
self.add()
172
try:
173
self.add()
174
except dbus.exceptions.DBusException as error:
175
logger.critical("DBusException: %s", error)
176
self.cleanup()
177
os._exit(1)
145
178
self.rename_count += 1
146
179
def remove(self):
147
180
"""Derived from the Avahi example code"""
148
if group is not None:
149
group.Reset()
181
if self.entry_group_state_changed_match is not None:
182
self.entry_group_state_changed_match.remove()
183
self.entry_group_state_changed_match = None
184
if self.group is not None:
185
self.group.Reset()
150
186
def add(self):
151
187
"""Derived from the Avahi example code"""
152
global group
153
if group is None:
154
group = dbus.Interface(bus.get_object
155
(avahi.DBUS_NAME,
156
server.EntryGroupNew()),
157
avahi.DBUS_INTERFACE_ENTRY_GROUP)
158
group.connect_to_signal('StateChanged',
159
entry_group_state_changed)
160
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
161
service.name, service.type)
162
group.AddService(
163
self.interface, # interface
164
self.protocol, # protocol
165
dbus.UInt32(0), # flags
166
self.name, self.type,
167
self.domain, self.host,
168
dbus.UInt16(self.port),
169
avahi.string_array_to_txt_array(self.TXT))
170
group.Commit()
171
172
# From the Avahi example code:
173
group = None # our entry group
174
# End of Avahi example code
175
176
177
def _datetime_to_dbus(dt, variant_level=0):
178
"""Convert a UTC datetime.datetime() to a D-Bus type."""
179
return dbus.String(dt.isoformat(), variant_level=variant_level)
180
181
188
self.remove()
189
if self.group is None:
190
self.group = dbus.Interface(
191
self.bus.get_object(avahi.DBUS_NAME,
192
self.server.EntryGroupNew()),
193
avahi.DBUS_INTERFACE_ENTRY_GROUP)
194
self.entry_group_state_changed_match = (
195
self.group.connect_to_signal(
196
'StateChanged', self .entry_group_state_changed))
197
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
198
self.name, self.type)
199
self.group.AddService(
200
self.interface,
201
self.protocol,
202
dbus.UInt32(0), # flags
203
self.name, self.type,
204
self.domain, self.host,
205
dbus.UInt16(self.port),
206
avahi.string_array_to_txt_array(self.TXT))
207
self.group.Commit()
208
def entry_group_state_changed(self, state, error):
209
"""Derived from the Avahi example code"""
210
logger.debug("Avahi entry group state change: %i", state)
211
212
if state == avahi.ENTRY_GROUP_ESTABLISHED:
213
logger.debug("Zeroconf service established.")
214
elif state == avahi.ENTRY_GROUP_COLLISION:
215
logger.info("Zeroconf service name collision.")
216
self.rename()
217
elif state == avahi.ENTRY_GROUP_FAILURE:
218
logger.critical("Avahi: Error in group state changed %s",
219
unicode(error))
220
raise AvahiGroupError("State changed: %s"
221
% unicode(error))
222
def cleanup(self):
223
"""Derived from the Avahi example code"""
224
if self.group is not None:
225
try:
226
self.group.Free()
227
except (dbus.exceptions.UnknownMethodException,
228
dbus.exceptions.DBusException) as e:
229
pass
230
self.group = None
231
self.remove()
232
def server_state_changed(self, state, error=None):
233
"""Derived from the Avahi example code"""
234
logger.debug("Avahi server state change: %i", state)
235
bad_states = { avahi.SERVER_INVALID:
236
"Zeroconf server invalid",
237
avahi.SERVER_REGISTERING: None,
238
avahi.SERVER_COLLISION:
239
"Zeroconf server name collision",
240
avahi.SERVER_FAILURE:
241
"Zeroconf server failure" }
242
if state in bad_states:
243
if bad_states[state] is not None:
244
if error is None:
245
logger.error(bad_states[state])
246
else:
247
logger.error(bad_states[state] + ": %r", error)
248
self.cleanup()
249
elif state == avahi.SERVER_RUNNING:
250
self.add()
251
else:
252
if error is None:
253
logger.debug("Unknown state: %r", state)
254
else:
255
logger.debug("Unknown state: %r: %r", state, error)
256
def activate(self):
257
"""Derived from the Avahi example code"""
258
if self.server is None:
259
self.server = dbus.Interface(
260
self.bus.get_object(avahi.DBUS_NAME,
261
avahi.DBUS_PATH_SERVER,
262
follow_name_owner_changes=True),
263
avahi.DBUS_INTERFACE_SERVER)
264
self.server.connect_to_signal("StateChanged",
265
self.server_state_changed)
266
self.server_state_changed(self.server.GetState())
267
268
269
def _timedelta_to_milliseconds(td):
270
"Convert a datetime.timedelta() to milliseconds"
271
return ((td.days * 24 * 60 * 60 * 1000)
272
+ (td.seconds * 1000)
273
+ (td.microseconds // 1000))
274
182
275
class Client(object):
183
276
"""A representation of a client host served by this server.
277
184
278
Attributes:
185
name: string; from the config file, used in log messages and
186
D-Bus identifiers
187
fingerprint: string (40 or 32 hexadecimal digits); used to
188
uniquely identify the client
189
secret: bytestring; sent verbatim (over TLS) to client
190
host: string; available for use by the checker command
191
created: datetime.datetime(); (UTC) object creation
192
last_enabled: datetime.datetime(); (UTC)
193
enabled: bool()
194
last_checked_ok: datetime.datetime(); (UTC) or None
195
timeout: datetime.timedelta(); How long from last_checked_ok
196
until this client is invalid
197
interval: datetime.timedelta(); How often to start a new checker
198
disable_hook: If set, called by disable() as disable_hook(self)
279
_approved: bool(); 'None' if not yet approved/disapproved
280
approval_delay: datetime.timedelta(); Time to wait for approval
281
approval_duration: datetime.timedelta(); Duration of one approval
199
282
checker: subprocess.Popen(); a running checker process used
200
283
to see if the client lives.
201
284
'None' if no process is running.
202
checker_initiator_tag: a gobject event source tag, or None
203
disable_initiator_tag: - '' -
204
checker_callback_tag: - '' -
205
checker_command: string; External command which is run to check if
206
client lives. %() expansions are done at
285
checker_callback_tag: a gobject event source tag, or None
286
checker_command: string; External command which is run to check
287
if client lives. %() expansions are done at
207
288
runtime with vars(self) as dict, so that for
208
289
instance %(name)s can be used in the command.
290
checker_initiator_tag: a gobject event source tag, or None
291
created: datetime.datetime(); (UTC) object creation
209
292
current_checker_command: string; current running checker_command
293
disable_hook: If set, called by disable() as disable_hook(self)
294
disable_initiator_tag: a gobject event source tag, or None
295
enabled: bool()
296
fingerprint: string (40 or 32 hexadecimal digits); used to
297
uniquely identify the client
298
host: string; available for use by the checker command
299
interval: datetime.timedelta(); How often to start a new checker
300
last_approval_request: datetime.datetime(); (UTC) or None
301
last_checked_ok: datetime.datetime(); (UTC) or None
302
last_enabled: datetime.datetime(); (UTC)
303
name: string; from the config file, used in log messages and
304
D-Bus identifiers
305
secret: bytestring; sent verbatim (over TLS) to client
306
timeout: datetime.timedelta(); How long from last_checked_ok
307
until this client is disabled
308
extended_timeout: extra long timeout when password has been sent
309
runtime_expansions: Allowed attributes for runtime expansion.
310
expires: datetime.datetime(); time (UTC) when a client will be
311
disabled, or None
210
312
"""
313
314
runtime_expansions = ("approval_delay", "approval_duration",
315
"created", "enabled", "fingerprint",
316
"host", "interval", "last_checked_ok",
317
"last_enabled", "name", "timeout")
318
211
319
def timeout_milliseconds(self):
212
320
"Return the 'timeout' attribute in milliseconds"
213
return ((self.timeout.days * 24 * 60 * 60 * 1000)
214
+ (self.timeout.seconds * 1000)
215
+ (self.timeout.microseconds // 1000))
321
return _timedelta_to_milliseconds(self.timeout)
322
323
def extended_timeout_milliseconds(self):
324
"Return the 'extended_timeout' attribute in milliseconds"
325
return _timedelta_to_milliseconds(self.extended_timeout)
216
326
217
327
def interval_milliseconds(self):
218
328
"Return the 'interval' attribute in milliseconds"
219
return ((self.interval.days * 24 * 60 * 60 * 1000)
220
+ (self.interval.seconds * 1000)
221
+ (self.interval.microseconds // 1000))
329
return _timedelta_to_milliseconds(self.interval)
330
331
def approval_delay_milliseconds(self):
332
return _timedelta_to_milliseconds(self.approval_delay)
222
333
223
334
def __init__(self, name = None, disable_hook=None, config=None):
224
335
"""Note: the 'checker' key in 'config' sets the
227
338
self.name = name
228
339
if config is None:
229
340
config = {}
230
logger.debug(u"Creating client %r", self.name)
341
logger.debug("Creating client %r", self.name)
231
342
# Uppercase and remove spaces from fingerprint for later
232
343
# comparison purposes with return value from the fingerprint()
233
344
# function
234
345
self.fingerprint = (config["fingerprint"].upper()
235
.replace(u" ", u""))
236
logger.debug(u" Fingerprint: %s", self.fingerprint)
346
.replace(" ", ""))
347
logger.debug(" Fingerprint: %s", self.fingerprint)
237
348
if "secret" in config:
238
self.secret = config["secret"].decode(u"base64")
349
self.secret = config["secret"].decode("base64")
239
350
elif "secfile" in config:
240
with closing(open(os.path.expanduser
241
(os.path.expandvars
242
(config["secfile"])))) as secfile:
351
with open(os.path.expanduser(os.path.expandvars
352
(config["secfile"])),
353
"rb") as secfile:
243
354
self.secret = secfile.read()
244
355
else:
245
raise TypeError(u"No secret or secfile for client %s"
356
raise TypeError("No secret or secfile for client %s"
246
357
% self.name)
247
358
self.host = config.get("host", "")
248
359
self.created = datetime.datetime.utcnow()
249
360
self.enabled = False
361
self.last_approval_request = None
250
362
self.last_enabled = None
251
363
self.last_checked_ok = None
252
364
self.timeout = string_to_delta(config["timeout"])
365
self.extended_timeout = string_to_delta(config
366
["extended_timeout"])
253
367
self.interval = string_to_delta(config["interval"])
254
368
self.disable_hook = disable_hook
255
369
self.checker = None
256
370
self.checker_initiator_tag = None
257
371
self.disable_initiator_tag = None
372
self.expires = None
258
373
self.checker_callback_tag = None
259
374
self.checker_command = config["checker"]
260
375
self.current_checker_command = None
261
376
self.last_connect = None
377
self._approved = None
378
self.approved_by_default = config.get("approved_by_default",
379
True)
380
self.approvals_pending = 0
381
self.approval_delay = string_to_delta(
382
config["approval_delay"])
383
self.approval_duration = string_to_delta(
384
config["approval_duration"])
385
self.changedstate = (multiprocessing_manager
386
.Condition(multiprocessing_manager
387
.Lock()))
388
389
def send_changedstate(self):
390
self.changedstate.acquire()
391
self.changedstate.notify_all()
392
self.changedstate.release()
262
393
263
394
def enable(self):
264
395
"""Start this client's checker and timeout hooks"""
265
self.last_enabled = datetime.datetime.utcnow()
396
if getattr(self, "enabled", False):
397
# Already enabled
398
return
399
self.send_changedstate()
266
400
# Schedule a new checker to be started an 'interval' from now,
267
401
# and every interval from then on.
268
402
self.checker_initiator_tag = (gobject.timeout_add
269
403
(self.interval_milliseconds(),
270
404
self.start_checker))
271
# Also start a new checker *right now*.
272
self.start_checker()
273
405
# Schedule a disable() when 'timeout' has passed
406
self.expires = datetime.datetime.utcnow() + self.timeout
274
407
self.disable_initiator_tag = (gobject.timeout_add
275
408
(self.timeout_milliseconds(),
276
409
self.disable))
277
410
self.enabled = True
411
self.last_enabled = datetime.datetime.utcnow()
412
# Also start a new checker *right now*.
413
self.start_checker()
278
414
279
def disable(self):
415
def disable(self, quiet=True):
280
416
"""Disable this client."""
281
417
if not getattr(self, "enabled", False):
282
418
return False
283
logger.info(u"Disabling client %s", self.name)
419
if not quiet:
420
self.send_changedstate()
421
if not quiet:
422
logger.info("Disabling client %s", self.name)
284
423
if getattr(self, "disable_initiator_tag", False):
285
424
gobject.source_remove(self.disable_initiator_tag)
286
425
self.disable_initiator_tag = None
426
self.expires = None
287
427
if getattr(self, "checker_initiator_tag", False):
288
428
gobject.source_remove(self.checker_initiator_tag)
289
429
self.checker_initiator_tag = None
305
445
if os.WIFEXITED(condition):
306
446
exitstatus = os.WEXITSTATUS(condition)
307
447
if exitstatus == 0:
308
logger.info(u"Checker for %(name)s succeeded",
448
logger.info("Checker for %(name)s succeeded",
309
449
vars(self))
310
450
self.checked_ok()
311
451
else:
312
logger.info(u"Checker for %(name)s failed",
452
logger.info("Checker for %(name)s failed",
313
453
vars(self))
314
454
else:
315
logger.warning(u"Checker for %(name)s crashed?",
455
logger.warning("Checker for %(name)s crashed?",
316
456
vars(self))
317
457
318
def checked_ok(self):
458
def checked_ok(self, timeout=None):
319
459
"""Bump up the timeout for this client.
460
320
461
This should only be called when the client has been seen,
321
462
alive and well.
322
463
"""
464
if timeout is None:
465
timeout = self.timeout
323
466
self.last_checked_ok = datetime.datetime.utcnow()
324
gobject.source_remove(self.disable_initiator_tag)
325
self.disable_initiator_tag = (gobject.timeout_add
326
(self.timeout_milliseconds(),
327
self.disable))
467
if self.disable_initiator_tag is not None:
468
gobject.source_remove(self.disable_initiator_tag)
469
if getattr(self, "enabled", False):
470
self.disable_initiator_tag = (gobject.timeout_add
471
(_timedelta_to_milliseconds
472
(timeout), self.disable))
473
self.expires = datetime.datetime.utcnow() + timeout
474
475
def need_approval(self):
476
self.last_approval_request = datetime.datetime.utcnow()
328
477
329
478
def start_checker(self):
330
479
"""Start a new checker subprocess if one is not running.
480
331
481
If a checker already exists, leave it running and do
332
482
nothing."""
333
483
# The reason for not killing a running checker is that if we
336
486
# client would inevitably timeout, since no checker would get
337
487
# a chance to run to completion. If we instead leave running
338
488
# checkers alone, the checker would have to take more time
339
# than 'timeout' for the client to be declared invalid, which
340
# is as it should be.
489
# than 'timeout' for the client to be disabled, which is as it
490
# should be.
341
491
342
492
# If a checker exists, make sure it is not a zombie
343
if self.checker is not None:
493
try:
344
494
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
495
except (AttributeError, OSError) as error:
496
if (isinstance(error, OSError)
497
and error.errno != errno.ECHILD):
498
raise error
499
else:
345
500
if pid:
346
501
logger.warning("Checker was a zombie")
347
502
gobject.source_remove(self.checker_callback_tag)
354
509
command = self.checker_command % self.host
355
510
except TypeError:
356
511
# Escape attributes for the shell
357
escaped_attrs = dict((key, re.escape(str(val)))
358
for key, val in
359
vars(self).iteritems())
512
escaped_attrs = dict(
513
(attr,
514
re.escape(unicode(str(getattr(self, attr, "")),
515
errors=
516
'replace')))
517
for attr in
518
self.runtime_expansions)
519
360
520
try:
361
521
command = self.checker_command % escaped_attrs
362
except TypeError, error:
363
logger.error(u'Could not format string "%s":'
364
u' %s', self.checker_command, error)
522
except TypeError as error:
523
logger.error('Could not format string "%s":'
524
' %s', self.checker_command, error)
365
525
return True # Try again later
366
526
self.current_checker_command = command
367
527
try:
368
logger.info(u"Starting checker %r for %s",
528
logger.info("Starting checker %r for %s",
369
529
command, self.name)
370
530
# We don't need to redirect stdout and stderr, since
371
531
# in normal mode, that is already done by daemon(),
384
544
if pid:
385
545
gobject.source_remove(self.checker_callback_tag)
386
546
self.checker_callback(pid, status, command)
387
except OSError, error:
388
logger.error(u"Failed to start subprocess: %s",
547
except OSError as error:
548
logger.error("Failed to start subprocess: %s",
389
549
error)
390
550
# Re-run this periodically if run by gobject.timeout_add
391
551
return True
397
557
self.checker_callback_tag = None
398
558
if getattr(self, "checker", None) is None:
399
559
return
400
logger.debug(u"Stopping checker for %(name)s", vars(self))
560
logger.debug("Stopping checker for %(name)s", vars(self))
401
561
try:
402
562
os.kill(self.checker.pid, signal.SIGTERM)
403
#os.sleep(0.5)
563
#time.sleep(0.5)
404
564
#if self.checker.poll() is None:
405
565
# os.kill(self.checker.pid, signal.SIGKILL)
406
except OSError, error:
566
except OSError as error:
407
567
if error.errno != errno.ESRCH: # No such process
408
568
raise
409
569
self.checker = None
410
411
def still_valid(self):
412
"""Has the timeout not yet passed for this client?"""
413
if not getattr(self, "enabled", False):
414
return False
415
now = datetime.datetime.utcnow()
416
if self.last_checked_ok is None:
417
return now < (self.created + self.timeout)
418
else:
419
return now < (self.last_checked_ok + self.timeout)
420
421
422
class ClientDBus(Client, dbus.service.Object):
570
571
572
def dbus_service_property(dbus_interface, signature="v",
573
access="readwrite", byte_arrays=False):
574
"""Decorators for marking methods of a DBusObjectWithProperties to
575
become properties on the D-Bus.
576
577
The decorated method will be called with no arguments by "Get"
578
and with one argument by "Set".
579
580
The parameters, where they are supported, are the same as
581
dbus.service.method, except there is only "signature", since the
582
type from Get() and the type sent to Set() is the same.
583
"""
584
# Encoding deeply encoded byte arrays is not supported yet by the
585
# "Set" method, so we fail early here:
586
if byte_arrays and signature != "ay":
587
raise ValueError("Byte arrays not supported for non-'ay'"
588
" signature %r" % signature)
589
def decorator(func):
590
func._dbus_is_property = True
591
func._dbus_interface = dbus_interface
592
func._dbus_signature = signature
593
func._dbus_access = access
594
func._dbus_name = func.__name__
595
if func._dbus_name.endswith("_dbus_property"):
596
func._dbus_name = func._dbus_name[:-14]
597
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
598
return func
599
return decorator
600
601
602
class DBusPropertyException(dbus.exceptions.DBusException):
603
"""A base class for D-Bus property-related exceptions
604
"""
605
def __unicode__(self):
606
return unicode(str(self))
607
608
609
class DBusPropertyAccessException(DBusPropertyException):
610
"""A property's access permissions disallows an operation.
611
"""
612
pass
613
614
615
class DBusPropertyNotFound(DBusPropertyException):
616
"""An attempt was made to access a non-existing property.
617
"""
618
pass
619
620
621
class DBusObjectWithProperties(dbus.service.Object):
622
"""A D-Bus object with properties.
623
624
Classes inheriting from this can use the dbus_service_property
625
decorator to expose methods as D-Bus properties. It exposes the
626
standard Get(), Set(), and GetAll() methods on the D-Bus.
627
"""
628
629
@staticmethod
630
def _is_dbus_property(obj):
631
return getattr(obj, "_dbus_is_property", False)
632
633
def _get_all_dbus_properties(self):
634
"""Returns a generator of (name, attribute) pairs
635
"""
636
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
637
for cls in self.__class__.__mro__
638
for name, prop in
639
inspect.getmembers(cls, self._is_dbus_property))
640
641
def _get_dbus_property(self, interface_name, property_name):
642
"""Returns a bound method if one exists which is a D-Bus
643
property with the specified name and interface.
644
"""
645
for cls in self.__class__.__mro__:
646
for name, value in (inspect.getmembers
647
(cls, self._is_dbus_property)):
648
if (value._dbus_name == property_name
649
and value._dbus_interface == interface_name):
650
return value.__get__(self)
651
652
# No such property
653
raise DBusPropertyNotFound(self.dbus_object_path + ":"
654
+ interface_name + "."
655
+ property_name)
656
657
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
658
out_signature="v")
659
def Get(self, interface_name, property_name):
660
"""Standard D-Bus property Get() method, see D-Bus standard.
661
"""
662
prop = self._get_dbus_property(interface_name, property_name)
663
if prop._dbus_access == "write":
664
raise DBusPropertyAccessException(property_name)
665
value = prop()
666
if not hasattr(value, "variant_level"):
667
return value
668
return type(value)(value, variant_level=value.variant_level+1)
669
670
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
671
def Set(self, interface_name, property_name, value):
672
"""Standard D-Bus property Set() method, see D-Bus standard.
673
"""
674
prop = self._get_dbus_property(interface_name, property_name)
675
if prop._dbus_access == "read":
676
raise DBusPropertyAccessException(property_name)
677
if prop._dbus_get_args_options["byte_arrays"]:
678
# The byte_arrays option is not supported yet on
679
# signatures other than "ay".
680
if prop._dbus_signature != "ay":
681
raise ValueError
682
value = dbus.ByteArray(''.join(unichr(byte)
683
for byte in value))
684
prop(value)
685
686
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
687
out_signature="a{sv}")
688
def GetAll(self, interface_name):
689
"""Standard D-Bus property GetAll() method, see D-Bus
690
standard.
691
692
Note: Will not include properties with access="write".
693
"""
694
all = {}
695
for name, prop in self._get_all_dbus_properties():
696
if (interface_name
697
and interface_name != prop._dbus_interface):
698
# Interface non-empty but did not match
699
continue
700
# Ignore write-only properties
701
if prop._dbus_access == "write":
702
continue
703
value = prop()
704
if not hasattr(value, "variant_level"):
705
all[name] = value
706
continue
707
all[name] = type(value)(value, variant_level=
708
value.variant_level+1)
709
return dbus.Dictionary(all, signature="sv")
710
711
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
712
out_signature="s",
713
path_keyword='object_path',
714
connection_keyword='connection')
715
def Introspect(self, object_path, connection):
716
"""Standard D-Bus method, overloaded to insert property tags.
717
"""
718
xmlstring = dbus.service.Object.Introspect(self, object_path,
719
connection)
720
try:
721
document = xml.dom.minidom.parseString(xmlstring)
722
def make_tag(document, name, prop):
723
e = document.createElement("property")
724
e.setAttribute("name", name)
725
e.setAttribute("type", prop._dbus_signature)
726
e.setAttribute("access", prop._dbus_access)
727
return e
728
for if_tag in document.getElementsByTagName("interface"):
729
for tag in (make_tag(document, name, prop)
730
for name, prop
731
in self._get_all_dbus_properties()
732
if prop._dbus_interface
733
== if_tag.getAttribute("name")):
734
if_tag.appendChild(tag)
735
# Add the names to the return values for the
736
# "org.freedesktop.DBus.Properties" methods
737
if (if_tag.getAttribute("name")
738
== "org.freedesktop.DBus.Properties"):
739
for cn in if_tag.getElementsByTagName("method"):
740
if cn.getAttribute("name") == "Get":
741
for arg in cn.getElementsByTagName("arg"):
742
if (arg.getAttribute("direction")
743
== "out"):
744
arg.setAttribute("name", "value")
745
elif cn.getAttribute("name") == "GetAll":
746
for arg in cn.getElementsByTagName("arg"):
747
if (arg.getAttribute("direction")
748
== "out"):
749
arg.setAttribute("name", "props")
750
xmlstring = document.toxml("utf-8")
751
document.unlink()
752
except (AttributeError, xml.dom.DOMException,
753
xml.parsers.expat.ExpatError) as error:
754
logger.error("Failed to override Introspection method",
755
error)
756
return xmlstring
757
758
759
def datetime_to_dbus (dt, variant_level=0):
760
"""Convert a UTC datetime.datetime() to a D-Bus type."""
761
if dt is None:
762
return dbus.String("", variant_level = variant_level)
763
return dbus.String(dt.isoformat(),
764
variant_level=variant_level)
765
766
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
767
.__metaclass__):
768
"""Applied to an empty subclass of a D-Bus object, this metaclass
769
will add additional D-Bus attributes matching a certain pattern.
770
"""
771
def __new__(mcs, name, bases, attr):
772
# Go through all the base classes which could have D-Bus
773
# methods, signals, or properties in them
774
for base in (b for b in bases
775
if issubclass(b, dbus.service.Object)):
776
# Go though all attributes of the base class
777
for attrname, attribute in inspect.getmembers(base):
778
# Ignore non-D-Bus attributes, and D-Bus attributes
779
# with the wrong interface name
780
if (not hasattr(attribute, "_dbus_interface")
781
or not attribute._dbus_interface
782
.startswith("se.recompile.Mandos")):
783
continue
784
# Create an alternate D-Bus interface name based on
785
# the current name
786
alt_interface = (attribute._dbus_interface
787
.replace("se.recompile.Mandos",
788
"se.bsnet.fukt.Mandos"))
789
# Is this a D-Bus signal?
790
if getattr(attribute, "_dbus_is_signal", False):
791
# Extract the original non-method function by
792
# black magic
793
nonmethod_func = (dict(
794
zip(attribute.func_code.co_freevars,
795
attribute.__closure__))["func"]
796
.cell_contents)
797
# Create a new, but exactly alike, function
798
# object, and decorate it to be a new D-Bus signal
799
# with the alternate D-Bus interface name
800
new_function = (dbus.service.signal
801
(alt_interface,
802
attribute._dbus_signature)
803
(types.FunctionType(
804
nonmethod_func.func_code,
805
nonmethod_func.func_globals,
806
nonmethod_func.func_name,
807
nonmethod_func.func_defaults,
808
nonmethod_func.func_closure)))
809
# Define a creator of a function to call both the
810
# old and new functions, so both the old and new
811
# signals gets sent when the function is called
812
def fixscope(func1, func2):
813
"""This function is a scope container to pass
814
func1 and func2 to the "call_both" function
815
outside of its arguments"""
816
def call_both(*args, **kwargs):
817
"""This function will emit two D-Bus
818
signals by calling func1 and func2"""
819
func1(*args, **kwargs)
820
func2(*args, **kwargs)
821
return call_both
822
# Create the "call_both" function and add it to
823
# the class
824
attr[attrname] = fixscope(attribute,
825
new_function)
826
# Is this a D-Bus method?
827
elif getattr(attribute, "_dbus_is_method", False):
828
# Create a new, but exactly alike, function
829
# object. Decorate it to be a new D-Bus method
830
# with the alternate D-Bus interface name. Add it
831
# to the class.
832
attr[attrname] = (dbus.service.method
833
(alt_interface,
834
attribute._dbus_in_signature,
835
attribute._dbus_out_signature)
836
(types.FunctionType
837
(attribute.func_code,
838
attribute.func_globals,
839
attribute.func_name,
840
attribute.func_defaults,
841
attribute.func_closure)))
842
# Is this a D-Bus property?
843
elif getattr(attribute, "_dbus_is_property", False):
844
# Create a new, but exactly alike, function
845
# object, and decorate it to be a new D-Bus
846
# property with the alternate D-Bus interface
847
# name. Add it to the class.
848
attr[attrname] = (dbus_service_property
849
(alt_interface,
850
attribute._dbus_signature,
851
attribute._dbus_access,
852
attribute
853
._dbus_get_args_options
854
["byte_arrays"])
855
(types.FunctionType
856
(attribute.func_code,
857
attribute.func_globals,
858
attribute.func_name,
859
attribute.func_defaults,
860
attribute.func_closure)))
861
return type.__new__(mcs, name, bases, attr)
862
863
class ClientDBus(Client, DBusObjectWithProperties):
423
864
"""A Client class using D-Bus
865
424
866
Attributes:
425
dbus_object_path: dbus.ObjectPath ; only set if self.use_dbus
867
dbus_object_path: dbus.ObjectPath
868
bus: dbus.SystemBus()
426
869
"""
870
871
runtime_expansions = (Client.runtime_expansions
872
+ ("dbus_object_path",))
873
427
874
# dbus.service.Object doesn't use super(), so we can't either.
428
875
429
def __init__(self, *args, **kwargs):
876
def __init__(self, bus = None, *args, **kwargs):
877
self._approvals_pending = 0
878
self.bus = bus
430
879
Client.__init__(self, *args, **kwargs)
431
880
# Only now, when this client is initialized, can it show up on
432
881
# the D-Bus
882
client_object_name = unicode(self.name).translate(
883
{ord("."): ord("_"),
884
ord("-"): ord("_")})
433
885
self.dbus_object_path = (dbus.ObjectPath
434
("/clients/"
435
+ self.name.replace(".", "_")))
436
dbus.service.Object.__init__(self, bus,
437
self.dbus_object_path)
438
def enable(self):
439
oldstate = getattr(self, "enabled", False)
440
r = Client.enable(self)
441
if oldstate != self.enabled:
442
# Emit D-Bus signals
443
self.PropertyChanged(dbus.String(u"enabled"),
444
dbus.Boolean(True, variant_level=1))
445
self.PropertyChanged(dbus.String(u"last_enabled"),
446
(_datetime_to_dbus(self.last_enabled,
447
variant_level=1)))
448
return r
449
450
def disable(self, signal = True):
451
oldstate = getattr(self, "enabled", False)
452
r = Client.disable(self)
453
if signal and oldstate != self.enabled:
454
# Emit D-Bus signal
455
self.PropertyChanged(dbus.String(u"enabled"),
456
dbus.Boolean(False, variant_level=1))
457
return r
886
("/clients/" + client_object_name))
887
DBusObjectWithProperties.__init__(self, self.bus,
888
self.dbus_object_path)
889
890
def notifychangeproperty(transform_func,
891
dbus_name, type_func=lambda x: x,
892
variant_level=1):
893
""" Modify a variable so that it's a property which announces
894
its changes to DBus.
895
896
transform_fun: Function that takes a value and a variant_level
897
and transforms it to a D-Bus type.
898
dbus_name: D-Bus name of the variable
899
type_func: Function that transform the value before sending it
900
to the D-Bus. Default: no transform
901
variant_level: D-Bus variant level. Default: 1
902
"""
903
attrname = "_{0}".format(dbus_name)
904
def setter(self, value):
905
if hasattr(self, "dbus_object_path"):
906
if (not hasattr(self, attrname) or
907
type_func(getattr(self, attrname, None))
908
!= type_func(value)):
909
dbus_value = transform_func(type_func(value),
910
variant_level
911
=variant_level)
912
self.PropertyChanged(dbus.String(dbus_name),
913
dbus_value)
914
setattr(self, attrname, value)
915
916
return property(lambda self: getattr(self, attrname), setter)
917
918
919
expires = notifychangeproperty(datetime_to_dbus, "Expires")
920
approvals_pending = notifychangeproperty(dbus.Boolean,
921
"ApprovalPending",
922
type_func = bool)
923
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
924
last_enabled = notifychangeproperty(datetime_to_dbus,
925
"LastEnabled")
926
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
927
type_func = lambda checker:
928
checker is not None)
929
last_checked_ok = notifychangeproperty(datetime_to_dbus,
930
"LastCheckedOK")
931
last_approval_request = notifychangeproperty(
932
datetime_to_dbus, "LastApprovalRequest")
933
approved_by_default = notifychangeproperty(dbus.Boolean,
934
"ApprovedByDefault")
935
approval_delay = notifychangeproperty(dbus.UInt16,
936
"ApprovalDelay",
937
type_func =
938
_timedelta_to_milliseconds)
939
approval_duration = notifychangeproperty(
940
dbus.UInt16, "ApprovalDuration",
941
type_func = _timedelta_to_milliseconds)
942
host = notifychangeproperty(dbus.String, "Host")
943
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
944
type_func =
945
_timedelta_to_milliseconds)
946
extended_timeout = notifychangeproperty(
947
dbus.UInt16, "ExtendedTimeout",
948
type_func = _timedelta_to_milliseconds)
949
interval = notifychangeproperty(dbus.UInt16,
950
"Interval",
951
type_func =
952
_timedelta_to_milliseconds)
953
checker_command = notifychangeproperty(dbus.String, "Checker")
954
955
del notifychangeproperty
458
956
459
957
def __del__(self, *args, **kwargs):
460
958
try:
461
959
self.remove_from_connection()
462
except org.freedesktop.DBus.Python.LookupError:
960
except LookupError:
463
961
pass
464
dbus.service.Object.__del__(self, *args, **kwargs)
962
if hasattr(DBusObjectWithProperties, "__del__"):
963
DBusObjectWithProperties.__del__(self, *args, **kwargs)
465
964
Client.__del__(self, *args, **kwargs)
466
965
467
966
def checker_callback(self, pid, condition, command,
468
967
*args, **kwargs):
469
968
self.checker_callback_tag = None
470
969
self.checker = None
471
# Emit D-Bus signal
472
self.PropertyChanged(dbus.String(u"checker_running"),
473
dbus.Boolean(False, variant_level=1))
474
970
if os.WIFEXITED(condition):
475
971
exitstatus = os.WEXITSTATUS(condition)
476
972
# Emit D-Bus signal
486
982
return Client.checker_callback(self, pid, condition, command,
487
983
*args, **kwargs)
488
984
489
def checked_ok(self, *args, **kwargs):
490
r = Client.checked_ok(self, *args, **kwargs)
491
# Emit D-Bus signal
492
self.PropertyChanged(
493
dbus.String(u"last_checked_ok"),
494
(_datetime_to_dbus(self.last_checked_ok,
495
variant_level=1)))
496
return r
497
498
985
def start_checker(self, *args, **kwargs):
499
986
old_checker = self.checker
500
987
if self.checker is not None:
502
989
else:
503
990
old_checker_pid = None
504
991
r = Client.start_checker(self, *args, **kwargs)
505
# Only emit D-Bus signal if new checker process was started
506
if ((self.checker is not None)
507
and not (old_checker is not None
508
and old_checker_pid == self.checker.pid)):
992
# Only if new checker process was started
993
if (self.checker is not None
994
and old_checker_pid != self.checker.pid):
995
# Emit D-Bus signal
509
996
self.CheckerStarted(self.current_checker_command)
510
self.PropertyChanged(
511
dbus.String("checker_running"),
512
dbus.Boolean(True, variant_level=1))
513
return r
514
515
def stop_checker(self, *args, **kwargs):
516
old_checker = getattr(self, "checker", None)
517
r = Client.stop_checker(self, *args, **kwargs)
518
if (old_checker is not None
519
and getattr(self, "checker", None) is None):
520
self.PropertyChanged(dbus.String(u"checker_running"),
521
dbus.Boolean(False, variant_level=1))
522
return r
523
524
## D-Bus methods & signals
525
_interface = u"se.bsnet.fukt.Mandos.Client"
526
527
# CheckedOK - method
528
CheckedOK = dbus.service.method(_interface)(checked_ok)
529
CheckedOK.__name__ = "CheckedOK"
997
return r
998
999
def _reset_approved(self):
1000
self._approved = None
1001
return False
1002
1003
def approve(self, value=True):
1004
self.send_changedstate()
1005
self._approved = value
1006
gobject.timeout_add(_timedelta_to_milliseconds
1007
(self.approval_duration),
1008
self._reset_approved)
1009
1010
1011
## D-Bus methods, signals & properties
1012
_interface = "se.recompile.Mandos.Client"
1013
1014
## Signals
530
1015
531
1016
# CheckerCompleted - signal
532
1017
@dbus.service.signal(_interface, signature="nxs")
540
1025
"D-Bus signal"
541
1026
pass
542
1027
543
# GetAllProperties - method
544
@dbus.service.method(_interface, out_signature="a{sv}")
545
def GetAllProperties(self):
546
"D-Bus method"
547
return dbus.Dictionary({
548
dbus.String("name"):
549
dbus.String(self.name, variant_level=1),
550
dbus.String("fingerprint"):
551
dbus.String(self.fingerprint, variant_level=1),
552
dbus.String("host"):
553
dbus.String(self.host, variant_level=1),
554
dbus.String("created"):
555
_datetime_to_dbus(self.created, variant_level=1),
556
dbus.String("last_enabled"):
557
(_datetime_to_dbus(self.last_enabled,
558
variant_level=1)
559
if self.last_enabled is not None
560
else dbus.Boolean(False, variant_level=1)),
561
dbus.String("enabled"):
562
dbus.Boolean(self.enabled, variant_level=1),
563
dbus.String("last_checked_ok"):
564
(_datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)
566
if self.last_checked_ok is not None
567
else dbus.Boolean (False, variant_level=1)),
568
dbus.String("timeout"):
569
dbus.UInt64(self.timeout_milliseconds(),
570
variant_level=1),
571
dbus.String("interval"):
572
dbus.UInt64(self.interval_milliseconds(),
573
variant_level=1),
574
dbus.String("checker"):
575
dbus.String(self.checker_command,
576
variant_level=1),
577
dbus.String("checker_running"):
578
dbus.Boolean(self.checker is not None,
579
variant_level=1),
580
dbus.String("object_path"):
581
dbus.ObjectPath(self.dbus_object_path,
582
variant_level=1)
583
}, signature="sv")
584
585
# IsStillValid - method
586
@dbus.service.method(_interface, out_signature="b")
587
def IsStillValid(self):
588
return self.still_valid()
589
590
1028
# PropertyChanged - signal
591
1029
@dbus.service.signal(_interface, signature="sv")
592
1030
def PropertyChanged(self, property, value):
593
1031
"D-Bus signal"
594
1032
pass
595
1033
596
# ReceivedSecret - signal
1034
# GotSecret - signal
597
1035
@dbus.service.signal(_interface)
598
def ReceivedSecret(self):
599
"D-Bus signal"
1036
def GotSecret(self):
1037
"""D-Bus signal
1038
Is sent after a successful transfer of secret from the Mandos
1039
server to mandos-client
1040
"""
600
1041
pass
601
1042
602
1043
# Rejected - signal
603
@dbus.service.signal(_interface)
604
def Rejected(self):
1044
@dbus.service.signal(_interface, signature="s")
1045
def Rejected(self, reason):
605
1046
"D-Bus signal"
606
1047
pass
607
1048
608
# SetChecker - method
609
@dbus.service.method(_interface, in_signature="s")
610
def SetChecker(self, checker):
611
"D-Bus setter method"
612
self.checker_command = checker
613
# Emit D-Bus signal
614
self.PropertyChanged(dbus.String(u"checker"),
615
dbus.String(self.checker_command,
616
variant_level=1))
617
618
# SetHost - method
619
@dbus.service.method(_interface, in_signature="s")
620
def SetHost(self, host):
621
"D-Bus setter method"
622
self.host = host
623
# Emit D-Bus signal
624
self.PropertyChanged(dbus.String(u"host"),
625
dbus.String(self.host, variant_level=1))
626
627
# SetInterval - method
628
@dbus.service.method(_interface, in_signature="t")
629
def SetInterval(self, milliseconds):
630
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
631
# Emit D-Bus signal
632
self.PropertyChanged(dbus.String(u"interval"),
633
(dbus.UInt64(self.interval_milliseconds(),
634
variant_level=1)))
635
636
# SetSecret - method
637
@dbus.service.method(_interface, in_signature="ay",
638
byte_arrays=True)
639
def SetSecret(self, secret):
640
"D-Bus setter method"
641
self.secret = str(secret)
642
643
# SetTimeout - method
644
@dbus.service.method(_interface, in_signature="t")
645
def SetTimeout(self, milliseconds):
646
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
647
# Emit D-Bus signal
648
self.PropertyChanged(dbus.String(u"timeout"),
649
(dbus.UInt64(self.timeout_milliseconds(),
650
variant_level=1)))
1049
# NeedApproval - signal
1050
@dbus.service.signal(_interface, signature="tb")
1051
def NeedApproval(self, timeout, default):
1052
"D-Bus signal"
1053
return self.need_approval()
1054
1055
## Methods
1056
1057
# Approve - method
1058
@dbus.service.method(_interface, in_signature="b")
1059
def Approve(self, value):
1060
self.approve(value)
1061
1062
# CheckedOK - method
1063
@dbus.service.method(_interface)
1064
def CheckedOK(self):
1065
self.checked_ok()
651
1066
652
1067
# Enable - method
653
Enable = dbus.service.method(_interface)(enable)
654
Enable.__name__ = "Enable"
1068
@dbus.service.method(_interface)
1069
def Enable(self):
1070
"D-Bus method"
1071
self.enable()
655
1072
656
1073
# StartChecker - method
657
1074
@dbus.service.method(_interface)
666
1083
self.disable()
667
1084
668
1085
# StopChecker - method
669
StopChecker = dbus.service.method(_interface)(stop_checker)
670
StopChecker.__name__ = "StopChecker"
1086
@dbus.service.method(_interface)
1087
def StopChecker(self):
1088
self.stop_checker()
1089
1090
## Properties
1091
1092
# ApprovalPending - property
1093
@dbus_service_property(_interface, signature="b", access="read")
1094
def ApprovalPending_dbus_property(self):
1095
return dbus.Boolean(bool(self.approvals_pending))
1096
1097
# ApprovedByDefault - property
1098
@dbus_service_property(_interface, signature="b",
1099
access="readwrite")
1100
def ApprovedByDefault_dbus_property(self, value=None):
1101
if value is None: # get
1102
return dbus.Boolean(self.approved_by_default)
1103
self.approved_by_default = bool(value)
1104
1105
# ApprovalDelay - property
1106
@dbus_service_property(_interface, signature="t",
1107
access="readwrite")
1108
def ApprovalDelay_dbus_property(self, value=None):
1109
if value is None: # get
1110
return dbus.UInt64(self.approval_delay_milliseconds())
1111
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1112
1113
# ApprovalDuration - property
1114
@dbus_service_property(_interface, signature="t",
1115
access="readwrite")
1116
def ApprovalDuration_dbus_property(self, value=None):
1117
if value is None: # get
1118
return dbus.UInt64(_timedelta_to_milliseconds(
1119
self.approval_duration))
1120
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1121
1122
# Name - property
1123
@dbus_service_property(_interface, signature="s", access="read")
1124
def Name_dbus_property(self):
1125
return dbus.String(self.name)
1126
1127
# Fingerprint - property
1128
@dbus_service_property(_interface, signature="s", access="read")
1129
def Fingerprint_dbus_property(self):
1130
return dbus.String(self.fingerprint)
1131
1132
# Host - property
1133
@dbus_service_property(_interface, signature="s",
1134
access="readwrite")
1135
def Host_dbus_property(self, value=None):
1136
if value is None: # get
1137
return dbus.String(self.host)
1138
self.host = value
1139
1140
# Created - property
1141
@dbus_service_property(_interface, signature="s", access="read")
1142
def Created_dbus_property(self):
1143
return dbus.String(datetime_to_dbus(self.created))
1144
1145
# LastEnabled - property
1146
@dbus_service_property(_interface, signature="s", access="read")
1147
def LastEnabled_dbus_property(self):
1148
return datetime_to_dbus(self.last_enabled)
1149
1150
# Enabled - property
1151
@dbus_service_property(_interface, signature="b",
1152
access="readwrite")
1153
def Enabled_dbus_property(self, value=None):
1154
if value is None: # get
1155
return dbus.Boolean(self.enabled)
1156
if value:
1157
self.enable()
1158
else:
1159
self.disable()
1160
1161
# LastCheckedOK - property
1162
@dbus_service_property(_interface, signature="s",
1163
access="readwrite")
1164
def LastCheckedOK_dbus_property(self, value=None):
1165
if value is not None:
1166
self.checked_ok()
1167
return
1168
return datetime_to_dbus(self.last_checked_ok)
1169
1170
# Expires - property
1171
@dbus_service_property(_interface, signature="s", access="read")
1172
def Expires_dbus_property(self):
1173
return datetime_to_dbus(self.expires)
1174
1175
# LastApprovalRequest - property
1176
@dbus_service_property(_interface, signature="s", access="read")
1177
def LastApprovalRequest_dbus_property(self):
1178
return datetime_to_dbus(self.last_approval_request)
1179
1180
# Timeout - property
1181
@dbus_service_property(_interface, signature="t",
1182
access="readwrite")
1183
def Timeout_dbus_property(self, value=None):
1184
if value is None: # get
1185
return dbus.UInt64(self.timeout_milliseconds())
1186
self.timeout = datetime.timedelta(0, 0, 0, value)
1187
if getattr(self, "disable_initiator_tag", None) is None:
1188
return
1189
# Reschedule timeout
1190
gobject.source_remove(self.disable_initiator_tag)
1191
self.disable_initiator_tag = None
1192
self.expires = None
1193
time_to_die = _timedelta_to_milliseconds((self
1194
.last_checked_ok
1195
+ self.timeout)
1196
- datetime.datetime
1197
.utcnow())
1198
if time_to_die <= 0:
1199
# The timeout has passed
1200
self.disable()
1201
else:
1202
self.expires = (datetime.datetime.utcnow()
1203
+ datetime.timedelta(milliseconds =
1204
time_to_die))
1205
self.disable_initiator_tag = (gobject.timeout_add
1206
(time_to_die, self.disable))
1207
1208
# ExtendedTimeout - property
1209
@dbus_service_property(_interface, signature="t",
1210
access="readwrite")
1211
def ExtendedTimeout_dbus_property(self, value=None):
1212
if value is None: # get
1213
return dbus.UInt64(self.extended_timeout_milliseconds())
1214
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1215
1216
# Interval - property
1217
@dbus_service_property(_interface, signature="t",
1218
access="readwrite")
1219
def Interval_dbus_property(self, value=None):
1220
if value is None: # get
1221
return dbus.UInt64(self.interval_milliseconds())
1222
self.interval = datetime.timedelta(0, 0, 0, value)
1223
if getattr(self, "checker_initiator_tag", None) is None:
1224
return
1225
# Reschedule checker run
1226
gobject.source_remove(self.checker_initiator_tag)
1227
self.checker_initiator_tag = (gobject.timeout_add
1228
(value, self.start_checker))
1229
self.start_checker() # Start one now, too
1230
1231
# Checker - property
1232
@dbus_service_property(_interface, signature="s",
1233
access="readwrite")
1234
def Checker_dbus_property(self, value=None):
1235
if value is None: # get
1236
return dbus.String(self.checker_command)
1237
self.checker_command = value
1238
1239
# CheckerRunning - property
1240
@dbus_service_property(_interface, signature="b",
1241
access="readwrite")
1242
def CheckerRunning_dbus_property(self, value=None):
1243
if value is None: # get
1244
return dbus.Boolean(self.checker is not None)
1245
if value:
1246
self.start_checker()
1247
else:
1248
self.stop_checker()
1249
1250
# ObjectPath - property
1251
@dbus_service_property(_interface, signature="o", access="read")
1252
def ObjectPath_dbus_property(self):
1253
return self.dbus_object_path # is already a dbus.ObjectPath
1254
1255
# Secret = property
1256
@dbus_service_property(_interface, signature="ay",
1257
access="write", byte_arrays=True)
1258
def Secret_dbus_property(self, value):
1259
self.secret = str(value)
671
1260
672
1261
del _interface
673
1262
674
1263
675
def peer_certificate(session):
676
"Return the peer's OpenPGP certificate as a bytestring"
677
# If not an OpenPGP certificate...
678
if (gnutls.library.functions
679
.gnutls_certificate_type_get(session._c_object)
680
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
681
# ...do the normal thing
682
return session.peer_certificate
683
list_size = ctypes.c_uint(1)
684
cert_list = (gnutls.library.functions
685
.gnutls_certificate_get_peers
686
(session._c_object, ctypes.byref(list_size)))
687
if not bool(cert_list) and list_size.value != 0:
688
raise gnutls.errors.GNUTLSError("error getting peer"
689
" certificate")
690
if list_size.value == 0:
691
return None
692
cert = cert_list[0]
693
return ctypes.string_at(cert.data, cert.size)
694
695
696
def fingerprint(openpgp):
697
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
698
# New GnuTLS "datum" with the OpenPGP public key
699
datum = (gnutls.library.types
700
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
701
ctypes.POINTER
702
(ctypes.c_ubyte)),
703
ctypes.c_uint(len(openpgp))))
704
# New empty GnuTLS certificate
705
crt = gnutls.library.types.gnutls_openpgp_crt_t()
706
(gnutls.library.functions
707
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
708
# Import the OpenPGP public key into the certificate
709
(gnutls.library.functions
710
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
711
gnutls.library.constants
712
.GNUTLS_OPENPGP_FMT_RAW))
713
# Verify the self signature in the key
714
crtverify = ctypes.c_uint()
715
(gnutls.library.functions
716
.gnutls_openpgp_crt_verify_self(crt, 0, ctypes.byref(crtverify)))
717
if crtverify.value != 0:
718
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
719
raise gnutls.errors.CertificateSecurityError("Verify failed")
720
# New buffer for the fingerprint
721
buf = ctypes.create_string_buffer(20)
722
buf_len = ctypes.c_size_t()
723
# Get the fingerprint from the certificate into the buffer
724
(gnutls.library.functions
725
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
726
ctypes.byref(buf_len)))
727
# Deinit the certificate
728
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
729
# Convert the buffer to a Python bytestring
730
fpr = ctypes.string_at(buf, buf_len.value)
731
# Convert the bytestring to hexadecimal notation
732
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
733
return hex_fpr
734
735
736
class TCP_handler(SocketServer.BaseRequestHandler, object):
737
"""A TCP request handler class.
738
Instantiated by IPv6_TCPServer for each request to handle it.
1264
class ProxyClient(object):
1265
def __init__(self, child_pipe, fpr, address):
1266
self._pipe = child_pipe
1267
self._pipe.send(('init', fpr, address))
1268
if not self._pipe.recv():
1269
raise KeyError()
1270
1271
def __getattribute__(self, name):
1272
if(name == '_pipe'):
1273
return super(ProxyClient, self).__getattribute__(name)
1274
self._pipe.send(('getattr', name))
1275
data = self._pipe.recv()
1276
if data[0] == 'data':
1277
return data[1]
1278
if data[0] == 'function':
1279
def func(*args, **kwargs):
1280
self._pipe.send(('funcall', name, args, kwargs))
1281
return self._pipe.recv()[1]
1282
return func
1283
1284
def __setattr__(self, name, value):
1285
if(name == '_pipe'):
1286
return super(ProxyClient, self).__setattr__(name, value)
1287
self._pipe.send(('setattr', name, value))
1288
1289
class ClientDBusTransitional(ClientDBus):
1290
__metaclass__ = AlternateDBusNamesMetaclass
1291
1292
class ClientHandler(socketserver.BaseRequestHandler, object):
1293
"""A class to handle client connections.
1294
1295
Instantiated once for each connection to handle it.
739
1296
Note: This will run in its own forked process."""
740
1297
741
1298
def handle(self):
742
logger.info(u"TCP connection from: %s",
743
unicode(self.client_address))
744
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
745
# Open IPC pipe to parent process
746
with closing(os.fdopen(self.server.pipe[1], "w", 1)) as ipc:
1299
with contextlib.closing(self.server.child_pipe) as child_pipe:
1300
logger.info("TCP connection from: %s",
1301
unicode(self.client_address))
1302
logger.debug("Pipe FD: %d",
1303
self.server.child_pipe.fileno())
1304
747
1305
session = (gnutls.connection
748
1306
.ClientSession(self.request,
749
1307
gnutls.connection
750
1308
.X509Credentials()))
751
1309
752
line = self.request.makefile().readline()
753
logger.debug(u"Protocol version: %r", line)
754
try:
755
if int(line.strip().split()[0]) > 1:
756
raise RuntimeError
757
except (ValueError, IndexError, RuntimeError), error:
758
logger.error(u"Unknown protocol version: %s", error)
759
return
760
761
1310
# Note: gnutls.connection.X509Credentials is really a
762
1311
# generic GnuTLS certificate credentials object so long as
763
1312
# no X.509 keys are added to it. Therefore, we can use it
764
1313
# here despite using OpenPGP certificates.
765
1314
766
1315
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
767
# "+AES-256-CBC", "+SHA1",
768
# "+COMP-NULL", "+CTYPE-OPENPGP",
769
# "+DHE-DSS"))
1316
# "+AES-256-CBC", "+SHA1",
1317
# "+COMP-NULL", "+CTYPE-OPENPGP",
1318
# "+DHE-DSS"))
770
1319
# Use a fallback default, since this MUST be set.
771
priority = self.server.settings.get("priority", "NORMAL")
1320
priority = self.server.gnutls_priority
1321
if priority is None:
1322
priority = "NORMAL"
772
1323
(gnutls.library.functions
773
1324
.gnutls_priority_set_direct(session._c_object,
774
1325
priority, None))
775
1326
1327
# Start communication using the Mandos protocol
1328
# Get protocol number
1329
line = self.request.makefile().readline()
1330
logger.debug("Protocol version: %r", line)
1331
try:
1332
if int(line.strip().split()[0]) > 1:
1333
raise RuntimeError
1334
except (ValueError, IndexError, RuntimeError) as error:
1335
logger.error("Unknown protocol version: %s", error)
1336
return
1337
1338
# Start GnuTLS connection
776
1339
try:
777
1340
session.handshake()
778
except gnutls.errors.GNUTLSError, error:
779
logger.warning(u"Handshake failed: %s", error)
1341
except gnutls.errors.GNUTLSError as error:
1342
logger.warning("Handshake failed: %s", error)
780
1343
# Do not run session.bye() here: the session is not
781
1344
# established. Just abandon the request.
782
1345
return
783
logger.debug(u"Handshake succeeded")
1346
logger.debug("Handshake succeeded")
1347
1348
approval_required = False
784
1349
try:
785
fpr = fingerprint(peer_certificate(session))
786
except (TypeError, gnutls.errors.GNUTLSError), error:
787
logger.warning(u"Bad certificate: %s", error)
788
session.bye()
789
return
790
logger.debug(u"Fingerprint: %s", fpr)
1350
try:
1351
fpr = self.fingerprint(self.peer_certificate
1352
(session))
1353
except (TypeError,
1354
gnutls.errors.GNUTLSError) as error:
1355
logger.warning("Bad certificate: %s", error)
1356
return
1357
logger.debug("Fingerprint: %s", fpr)
1358
1359
try:
1360
client = ProxyClient(child_pipe, fpr,
1361
self.client_address)
1362
except KeyError:
1363
return
1364
1365
if client.approval_delay:
1366
delay = client.approval_delay
1367
client.approvals_pending += 1
1368
approval_required = True
1369
1370
while True:
1371
if not client.enabled:
1372
logger.info("Client %s is disabled",
1373
client.name)
1374
if self.server.use_dbus:
1375
# Emit D-Bus signal
1376
client.Rejected("Disabled")
1377
return
1378
1379
if client._approved or not client.approval_delay:
1380
#We are approved or approval is disabled
1381
break
1382
elif client._approved is None:
1383
logger.info("Client %s needs approval",
1384
client.name)
1385
if self.server.use_dbus:
1386
# Emit D-Bus signal
1387
client.NeedApproval(
1388
client.approval_delay_milliseconds(),
1389
client.approved_by_default)
1390
else:
1391
logger.warning("Client %s was not approved",
1392
client.name)
1393
if self.server.use_dbus:
1394
# Emit D-Bus signal
1395
client.Rejected("Denied")
1396
return
1397
1398
#wait until timeout or approved
1399
time = datetime.datetime.now()
1400
client.changedstate.acquire()
1401
(client.changedstate.wait
1402
(float(client._timedelta_to_milliseconds(delay)
1403
/ 1000)))
1404
client.changedstate.release()
1405
time2 = datetime.datetime.now()
1406
if (time2 - time) >= delay:
1407
if not client.approved_by_default:
1408
logger.warning("Client %s timed out while"
1409
" waiting for approval",
1410
client.name)
1411
if self.server.use_dbus:
1412
# Emit D-Bus signal
1413
client.Rejected("Approval timed out")
1414
return
1415
else:
1416
break
1417
else:
1418
delay -= time2 - time
1419
1420
sent_size = 0
1421
while sent_size < len(client.secret):
1422
try:
1423
sent = session.send(client.secret[sent_size:])
1424
except gnutls.errors.GNUTLSError as error:
1425
logger.warning("gnutls send failed")
1426
return
1427
logger.debug("Sent: %d, remaining: %d",
1428
sent, len(client.secret)
1429
- (sent_size + sent))
1430
sent_size += sent
1431
1432
logger.info("Sending secret to %s", client.name)
1433
# bump the timeout using extended_timeout
1434
client.checked_ok(client.extended_timeout)
1435
if self.server.use_dbus:
1436
# Emit D-Bus signal
1437
client.GotSecret()
791
1438
792
for c in self.server.clients:
793
if c.fingerprint == fpr:
794
client = c
795
break
796
else:
797
logger.warning(u"Client not found for fingerprint: %s",
798
fpr)
799
ipc.write("NOTFOUND %s\n" % fpr)
800
session.bye()
801
return
802
# Have to check if client.still_valid(), since it is
803
# possible that the client timed out while establishing
804
# the GnuTLS session.
805
if not client.still_valid():
806
logger.warning(u"Client %(name)s is invalid",
807
vars(client))
808
ipc.write("INVALID %s\n" % client.name)
809
session.bye()
810
return
811
ipc.write("SENDING %s\n" % client.name)
812
sent_size = 0
813
while sent_size < len(client.secret):
814
sent = session.send(client.secret[sent_size:])
815
logger.debug(u"Sent: %d, remaining: %d",
816
sent, len(client.secret)
817
- (sent_size + sent))
818
sent_size += sent
819
session.bye()
820
821
822
class ForkingMixInWithPipe(SocketServer.ForkingMixIn, object):
823
"""Like SocketServer.ForkingMixIn, but also pass a pipe.
824
Assumes a gobject.MainLoop event loop.
825
"""
1439
finally:
1440
if approval_required:
1441
client.approvals_pending -= 1
1442
try:
1443
session.bye()
1444
except gnutls.errors.GNUTLSError as error:
1445
logger.warning("GnuTLS bye failed")
1446
1447
@staticmethod
1448
def peer_certificate(session):
1449
"Return the peer's OpenPGP certificate as a bytestring"
1450
# If not an OpenPGP certificate...
1451
if (gnutls.library.functions
1452
.gnutls_certificate_type_get(session._c_object)
1453
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1454
# ...do the normal thing
1455
return session.peer_certificate
1456
list_size = ctypes.c_uint(1)
1457
cert_list = (gnutls.library.functions
1458
.gnutls_certificate_get_peers
1459
(session._c_object, ctypes.byref(list_size)))
1460
if not bool(cert_list) and list_size.value != 0:
1461
raise gnutls.errors.GNUTLSError("error getting peer"
1462
" certificate")
1463
if list_size.value == 0:
1464
return None
1465
cert = cert_list[0]
1466
return ctypes.string_at(cert.data, cert.size)
1467
1468
@staticmethod
1469
def fingerprint(openpgp):
1470
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1471
# New GnuTLS "datum" with the OpenPGP public key
1472
datum = (gnutls.library.types
1473
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1474
ctypes.POINTER
1475
(ctypes.c_ubyte)),
1476
ctypes.c_uint(len(openpgp))))
1477
# New empty GnuTLS certificate
1478
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1479
(gnutls.library.functions
1480
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1481
# Import the OpenPGP public key into the certificate
1482
(gnutls.library.functions
1483
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1484
gnutls.library.constants
1485
.GNUTLS_OPENPGP_FMT_RAW))
1486
# Verify the self signature in the key
1487
crtverify = ctypes.c_uint()
1488
(gnutls.library.functions
1489
.gnutls_openpgp_crt_verify_self(crt, 0,
1490
ctypes.byref(crtverify)))
1491
if crtverify.value != 0:
1492
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1493
raise (gnutls.errors.CertificateSecurityError
1494
("Verify failed"))
1495
# New buffer for the fingerprint
1496
buf = ctypes.create_string_buffer(20)
1497
buf_len = ctypes.c_size_t()
1498
# Get the fingerprint from the certificate into the buffer
1499
(gnutls.library.functions
1500
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1501
ctypes.byref(buf_len)))
1502
# Deinit the certificate
1503
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1504
# Convert the buffer to a Python bytestring
1505
fpr = ctypes.string_at(buf, buf_len.value)
1506
# Convert the bytestring to hexadecimal notation
1507
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1508
return hex_fpr
1509
1510
1511
class MultiprocessingMixIn(object):
1512
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1513
def sub_process_main(self, request, address):
1514
try:
1515
self.finish_request(request, address)
1516
except:
1517
self.handle_error(request, address)
1518
self.close_request(request)
1519
1520
def process_request(self, request, address):
1521
"""Start a new process to process the request."""
1522
proc = multiprocessing.Process(target = self.sub_process_main,
1523
args = (request,
1524
address))
1525
proc.start()
1526
return proc
1527
1528
1529
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1530
""" adds a pipe to the MixIn """
826
1531
def process_request(self, request, client_address):
827
"""This overrides and wraps the original process_request().
828
This function creates a new pipe in self.pipe
1532
"""Overrides and wraps the original process_request().
1533
1534
This function creates a new pipe in self.pipe
829
1535
"""
830
self.pipe = os.pipe()
831
super(ForkingMixInWithPipe,
832
self).process_request(request, client_address)
833
os.close(self.pipe[1]) # close write end
834
# Call "handle_ipc" for both data and EOF events
835
gobject.io_add_watch(self.pipe[0],
836
gobject.IO_IN | gobject.IO_HUP,
837
self.handle_ipc)
838
def handle_ipc(source, condition):
1536
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1537
1538
proc = MultiprocessingMixIn.process_request(self, request,
1539
client_address)
1540
self.child_pipe.close()
1541
self.add_pipe(parent_pipe, proc)
1542
1543
def add_pipe(self, parent_pipe, proc):
839
1544
"""Dummy function; override as necessary"""
840
os.close(source)
841
return False
842
843
844
class IPv6_TCPServer(ForkingMixInWithPipe,
845
SocketServer.TCPServer, object):
1545
raise NotImplementedError
1546
1547
1548
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1549
socketserver.TCPServer, object):
846
1550
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1551
847
1552
Attributes:
848
settings: Server settings
849
clients: Set() of Client objects
850
1553
enabled: Boolean; whether this server is activated yet
1554
interface: None or a network interface name (string)
1555
use_ipv6: Boolean; to use IPv6 or not
851
1556
"""
852
address_family = socket.AF_INET6
853
def __init__(self, *args, **kwargs):
854
if "settings" in kwargs:
855
self.settings = kwargs["settings"]
856
del kwargs["settings"]
857
if "clients" in kwargs:
858
self.clients = kwargs["clients"]
859
del kwargs["clients"]
860
if "use_ipv6" in kwargs:
861
if not kwargs["use_ipv6"]:
862
self.address_family = socket.AF_INET
863
del kwargs["use_ipv6"]
864
self.enabled = False
865
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
1557
def __init__(self, server_address, RequestHandlerClass,
1558
interface=None, use_ipv6=True):
1559
self.interface = interface
1560
if use_ipv6:
1561
self.address_family = socket.AF_INET6
1562
socketserver.TCPServer.__init__(self, server_address,
1563
RequestHandlerClass)
866
1564
def server_bind(self):
867
1565
"""This overrides the normal server_bind() function
868
1566
to bind to an interface if one was specified, and also NOT to
869
1567
bind to an address or port if they were not specified."""
870
if self.settings["interface"]:
871
# 25 is from /usr/include/asm-i486/socket.h
872
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
873
try:
874
self.socket.setsockopt(socket.SOL_SOCKET,
875
SO_BINDTODEVICE,
876
self.settings["interface"])
877
except socket.error, error:
878
if error[0] == errno.EPERM:
879
logger.error(u"No permission to"
880
u" bind to interface %s",
881
self.settings["interface"])
882
else:
883
raise
1568
if self.interface is not None:
1569
if SO_BINDTODEVICE is None:
1570
logger.error("SO_BINDTODEVICE does not exist;"
1571
" cannot bind to interface %s",
1572
self.interface)
1573
else:
1574
try:
1575
self.socket.setsockopt(socket.SOL_SOCKET,
1576
SO_BINDTODEVICE,
1577
str(self.interface
1578
+ '\0'))
1579
except socket.error as error:
1580
if error[0] == errno.EPERM:
1581
logger.error("No permission to"
1582
" bind to interface %s",
1583
self.interface)
1584
elif error[0] == errno.ENOPROTOOPT:
1585
logger.error("SO_BINDTODEVICE not available;"
1586
" cannot bind to interface %s",
1587
self.interface)
1588
else:
1589
raise
884
1590
# Only bind(2) the socket if we really need to.
885
1591
if self.server_address[0] or self.server_address[1]:
886
1592
if not self.server_address[0]:
893
1599
elif not self.server_address[1]:
894
1600
self.server_address = (self.server_address[0],
895
1601
0)
896
# if self.settings["interface"]:
1602
# if self.interface:
897
1603
# self.server_address = (self.server_address[0],
898
1604
# 0, # port
899
1605
# 0, # flowinfo
900
1606
# if_nametoindex
901
# (self.settings
902
# ["interface"]))
903
return super(IPv6_TCPServer, self).server_bind()
1607
# (self.interface))
1608
return socketserver.TCPServer.server_bind(self)
1609
1610
1611
class MandosServer(IPv6_TCPServer):
1612
"""Mandos server.
1613
1614
Attributes:
1615
clients: set of Client objects
1616
gnutls_priority GnuTLS priority string
1617
use_dbus: Boolean; to emit D-Bus signals or not
1618
1619
Assumes a gobject.MainLoop event loop.
1620
"""
1621
def __init__(self, server_address, RequestHandlerClass,
1622
interface=None, use_ipv6=True, clients=None,
1623
gnutls_priority=None, use_dbus=True):
1624
self.enabled = False
1625
self.clients = clients
1626
if self.clients is None:
1627
self.clients = set()
1628
self.use_dbus = use_dbus
1629
self.gnutls_priority = gnutls_priority
1630
IPv6_TCPServer.__init__(self, server_address,
1631
RequestHandlerClass,
1632
interface = interface,
1633
use_ipv6 = use_ipv6)
904
1634
def server_activate(self):
905
1635
if self.enabled:
906
return super(IPv6_TCPServer, self).server_activate()
1636
return socketserver.TCPServer.server_activate(self)
1637
907
1638
def enable(self):
908
1639
self.enabled = True
909
def handle_ipc(self, source, condition, file_objects={}):
1640
1641
def add_pipe(self, parent_pipe, proc):
1642
# Call "handle_ipc" for both data and EOF events
1643
gobject.io_add_watch(parent_pipe.fileno(),
1644
gobject.IO_IN | gobject.IO_HUP,
1645
functools.partial(self.handle_ipc,
1646
parent_pipe =
1647
parent_pipe,
1648
proc = proc))
1649
1650
def handle_ipc(self, source, condition, parent_pipe=None,
1651
proc = None, client_object=None):
910
1652
condition_names = {
911
gobject.IO_IN: "IN", # There is data to read.
1653
gobject.IO_IN: "IN", # There is data to read.
912
1654
gobject.IO_OUT: "OUT", # Data can be written (without
913
# blocking).
1655
# blocking).
914
1656
gobject.IO_PRI: "PRI", # There is urgent data to read.
915
1657
gobject.IO_ERR: "ERR", # Error condition.
916
1658
gobject.IO_HUP: "HUP" # Hung up (the connection has been
917
# broken, usually for pipes and
918
# sockets).
1659
# broken, usually for pipes and
1660
# sockets).
919
1661
}
920
1662
conditions_string = ' | '.join(name
921
1663
for cond, name in
922
1664
condition_names.iteritems()
923
1665
if cond & condition)
924
logger.debug("Handling IPC: FD = %d, condition = %s", source,
925
conditions_string)
926
927
# Turn the pipe file descriptor into a Python file object
928
if source not in file_objects:
929
file_objects[source] = os.fdopen(source, "r", 1)
930
931
# Read a line from the file object
932
cmdline = file_objects[source].readline()
933
if not cmdline: # Empty line means end of file
934
# close the IPC pipe
935
file_objects[source].close()
936
del file_objects[source]
1666
# error, or the other end of multiprocessing.Pipe has closed
1667
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1668
# Wait for other process to exit
1669
proc.join()
1670
return False
1671
1672
# Read a request from the child
1673
request = parent_pipe.recv()
1674
command = request[0]
1675
1676
if command == 'init':
1677
fpr = request[1]
1678
address = request[2]
937
1679
938
# Stop calling this function
939
return False
940
941
logger.debug("IPC command: %r\n" % cmdline)
942
943
# Parse and act on command
944
cmd, args = cmdline.split(None, 1)
945
if cmd == "NOTFOUND":
946
if self.settings["use_dbus"]:
947
# Emit D-Bus signal
948
mandos_dbus_service.ClientNotFound(args)
949
elif cmd == "INVALID":
950
if self.settings["use_dbus"]:
951
for client in self.clients:
952
if client.name == args:
953
# Emit D-Bus signal
954
client.Rejected()
955
break
956
elif cmd == "SENDING":
957
for client in self.clients:
958
if client.name == args:
959
client.checked_ok()
960
if self.settings["use_dbus"]:
961
# Emit D-Bus signal
962
client.ReceivedSecret()
1680
for c in self.clients:
1681
if c.fingerprint == fpr:
1682
client = c
963
1683
break
964
else:
965
logger.error("Unknown IPC command: %r", cmdline)
966
967
# Keep calling this function
1684
else:
1685
logger.info("Client not found for fingerprint: %s, ad"
1686
"dress: %s", fpr, address)
1687
if self.use_dbus:
1688
# Emit D-Bus signal
1689
mandos_dbus_service.ClientNotFound(fpr,
1690
address[0])
1691
parent_pipe.send(False)
1692
return False
1693
1694
gobject.io_add_watch(parent_pipe.fileno(),
1695
gobject.IO_IN | gobject.IO_HUP,
1696
functools.partial(self.handle_ipc,
1697
parent_pipe =
1698
parent_pipe,
1699
proc = proc,
1700
client_object =
1701
client))
1702
parent_pipe.send(True)
1703
# remove the old hook in favor of the new above hook on
1704
# same fileno
1705
return False
1706
if command == 'funcall':
1707
funcname = request[1]
1708
args = request[2]
1709
kwargs = request[3]
1710
1711
parent_pipe.send(('data', getattr(client_object,
1712
funcname)(*args,
1713
**kwargs)))
1714
1715
if command == 'getattr':
1716
attrname = request[1]
1717
if callable(client_object.__getattribute__(attrname)):
1718
parent_pipe.send(('function',))
1719
else:
1720
parent_pipe.send(('data', client_object
1721
.__getattribute__(attrname)))
1722
1723
if command == 'setattr':
1724
attrname = request[1]
1725
value = request[2]
1726
setattr(client_object, attrname, value)
1727
968
1728
return True
969
1729
970
1730
979
1739
datetime.timedelta(0, 3600)
980
1740
>>> string_to_delta('24h')
981
1741
datetime.timedelta(1)
982
>>> string_to_delta(u'1w')
1742
>>> string_to_delta('1w')
983
1743
datetime.timedelta(7)
984
1744
>>> string_to_delta('5m 30s')
985
1745
datetime.timedelta(0, 330)
989
1749
try:
990
1750
suffix = unicode(s[-1])
991
1751
value = int(s[:-1])
992
if suffix == u"d":
1752
if suffix == "d":
993
1753
delta = datetime.timedelta(value)
994
elif suffix == u"s":
1754
elif suffix == "s":
995
1755
delta = datetime.timedelta(0, value)
996
elif suffix == u"m":
1756
elif suffix == "m":
997
1757
delta = datetime.timedelta(0, 0, 0, 0, value)
998
elif suffix == u"h":
1758
elif suffix == "h":
999
1759
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1000
elif suffix == u"w":
1760
elif suffix == "w":
1001
1761
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1002
1762
else:
1003
raise ValueError
1004
except (ValueError, IndexError):
1005
raise ValueError
1763
raise ValueError("Unknown suffix %r" % suffix)
1764
except (ValueError, IndexError) as e:
1765
raise ValueError(*(e.args))
1006
1766
timevalue += delta
1007
1767
return timevalue
1008
1768
1009
1769
1010
def server_state_changed(state):
1011
"""Derived from the Avahi example code"""
1012
if state == avahi.SERVER_COLLISION:
1013
logger.error(u"Zeroconf server name collision")
1014
service.remove()
1015
elif state == avahi.SERVER_RUNNING:
1016
service.add()
1017
1018
1019
def entry_group_state_changed(state, error):
1020
"""Derived from the Avahi example code"""
1021
logger.debug(u"Avahi state change: %i", state)
1022
1023
if state == avahi.ENTRY_GROUP_ESTABLISHED:
1024
logger.debug(u"Zeroconf service established.")
1025
elif state == avahi.ENTRY_GROUP_COLLISION:
1026
logger.warning(u"Zeroconf service name collision.")
1027
service.rename()
1028
elif state == avahi.ENTRY_GROUP_FAILURE:
1029
logger.critical(u"Avahi: Error in group state changed %s",
1030
unicode(error))
1031
raise AvahiGroupError(u"State changed: %s" % unicode(error))
1032
1033
1770
def if_nametoindex(interface):
1034
"""Call the C function if_nametoindex(), or equivalent"""
1771
"""Call the C function if_nametoindex(), or equivalent
1772
1773
Note: This function cannot accept a unicode string."""
1035
1774
global if_nametoindex
1036
1775
try:
1037
1776
if_nametoindex = (ctypes.cdll.LoadLibrary
1038
1777
(ctypes.util.find_library("c"))
1039
1778
.if_nametoindex)
1040
1779
except (OSError, AttributeError):
1041
if "struct" not in sys.modules:
1042
import struct
1043
if "fcntl" not in sys.modules:
1044
import fcntl
1780
logger.warning("Doing if_nametoindex the hard way")
1045
1781
def if_nametoindex(interface):
1046
1782
"Get an interface index the hard way, i.e. using fcntl()"
1047
1783
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1048
with closing(socket.socket()) as s:
1784
with contextlib.closing(socket.socket()) as s:
1049
1785
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1050
struct.pack("16s16x", interface))
1051
interface_index = struct.unpack("I", ifreq[16:20])[0]
1786
struct.pack(str("16s16x"),
1787
interface))
1788
interface_index = struct.unpack(str("I"),
1789
ifreq[16:20])[0]
1052
1790
return interface_index
1053
1791
return if_nametoindex(interface)
1054
1792
1055
1793
1056
1794
def daemon(nochdir = False, noclose = False):
1057
1795
"""See daemon(3). Standard BSD Unix function.
1796
1058
1797
This should really exist as os.daemon, but it doesn't (yet)."""
1059
1798
if os.fork():
1060
1799
sys.exit()
1068
1807
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1069
1808
if not stat.S_ISCHR(os.fstat(null).st_mode):
1070
1809
raise OSError(errno.ENODEV,
1071
"/dev/null not a character device")
1810
"%s not a character device"
1811
% os.path.devnull)
1072
1812
os.dup2(null, sys.stdin.fileno())
1073
1813
os.dup2(null, sys.stdout.fileno())
1074
1814
os.dup2(null, sys.stderr.fileno())
1078
1818
1079
1819
def main():
1080
1820
1081
######################################################################
1821
##################################################################
1082
1822
# Parsing of options, both command line and config file
1083
1823
1084
parser = optparse.OptionParser(version = "%%prog %s" % version)
1085
parser.add_option("-i", "--interface", type="string",
1086
metavar="IF", help="Bind to interface IF")
1087
parser.add_option("-a", "--address", type="string",
1088
help="Address to listen for requests on")
1089
parser.add_option("-p", "--port", type="int",
1090
help="Port number to receive requests on")
1091
parser.add_option("--check", action="store_true",
1092
help="Run self-test")
1093
parser.add_option("--debug", action="store_true",
1094
help="Debug mode; run in foreground and log to"
1095
" terminal")
1096
parser.add_option("--priority", type="string", help="GnuTLS"
1097
" priority string (see GnuTLS documentation)")
1098
parser.add_option("--servicename", type="string", metavar="NAME",
1099
help="Zeroconf service name")
1100
parser.add_option("--configdir", type="string",
1101
default="/etc/mandos", metavar="DIR",
1102
help="Directory to search for configuration"
1103
" files")
1104
parser.add_option("--no-dbus", action="store_false",
1105
dest="use_dbus",
1106
help="Do not provide D-Bus system bus"
1107
" interface")
1108
parser.add_option("--no-ipv6", action="store_false",
1109
dest="use_ipv6", help="Do not use IPv6")
1110
options = parser.parse_args()[0]
1824
parser = argparse.ArgumentParser()
1825
parser.add_argument("-v", "--version", action="version",
1826
version = "%%(prog)s %s" % version,
1827
help="show version number and exit")
1828
parser.add_argument("-i", "--interface", metavar="IF",
1829
help="Bind to interface IF")
1830
parser.add_argument("-a", "--address",
1831
help="Address to listen for requests on")
1832
parser.add_argument("-p", "--port", type=int,
1833
help="Port number to receive requests on")
1834
parser.add_argument("--check", action="store_true",
1835
help="Run self-test")
1836
parser.add_argument("--debug", action="store_true",
1837
help="Debug mode; run in foreground and log"
1838
" to terminal")
1839
parser.add_argument("--debuglevel", metavar="LEVEL",
1840
help="Debug level for stdout output")
1841
parser.add_argument("--priority", help="GnuTLS"
1842
" priority string (see GnuTLS documentation)")
1843
parser.add_argument("--servicename",
1844
metavar="NAME", help="Zeroconf service name")
1845
parser.add_argument("--configdir",
1846
default="/etc/mandos", metavar="DIR",
1847
help="Directory to search for configuration"
1848
" files")
1849
parser.add_argument("--no-dbus", action="store_false",
1850
dest="use_dbus", help="Do not provide D-Bus"
1851
" system bus interface")
1852
parser.add_argument("--no-ipv6", action="store_false",
1853
dest="use_ipv6", help="Do not use IPv6")
1854
options = parser.parse_args()
1111
1855
1112
1856
if options.check:
1113
1857
import doctest
1124
1868
"servicename": "Mandos",
1125
1869
"use_dbus": "True",
1126
1870
"use_ipv6": "True",
1871
"debuglevel": "",
1127
1872
}
1128
1873
1129
1874
# Parse config file for server-global settings
1130
server_config = ConfigParser.SafeConfigParser(server_defaults)
1875
server_config = configparser.SafeConfigParser(server_defaults)
1131
1876
del server_defaults
1132
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1877
server_config.read(os.path.join(options.configdir,
1878
"mandos.conf"))
1133
1879
# Convert the SafeConfigParser object to a dict
1134
1880
server_settings = server_config.defaults()
1135
1881
# Use the appropriate methods on the non-string config options
1136
server_settings["debug"] = server_config.getboolean("DEFAULT",
1137
"debug")
1138
server_settings["use_dbus"] = server_config.getboolean("DEFAULT",
1139
"use_dbus")
1140
server_settings["use_ipv6"] = server_config.getboolean("DEFAULT",
1141
"use_ipv6")
1882
for option in ("debug", "use_dbus", "use_ipv6"):
1883
server_settings[option] = server_config.getboolean("DEFAULT",
1884
option)
1142
1885
if server_settings["port"]:
1143
1886
server_settings["port"] = server_config.getint("DEFAULT",
1144
1887
"port")
1148
1891
# options, if set.
1149
1892
for option in ("interface", "address", "port", "debug",
1150
1893
"priority", "servicename", "configdir",
1151
"use_dbus", "use_ipv6"):
1894
"use_dbus", "use_ipv6", "debuglevel"):
1152
1895
value = getattr(options, option)
1153
1896
if value is not None:
1154
1897
server_settings[option] = value
1155
1898
del options
1899
# Force all strings to be unicode
1900
for option in server_settings.keys():
1901
if type(server_settings[option]) is str:
1902
server_settings[option] = unicode(server_settings[option])
1156
1903
# Now we have our good server settings in "server_settings"
1157
1904
1158
1905
##################################################################
1159
1906
1160
1907
# For convenience
1161
1908
debug = server_settings["debug"]
1909
debuglevel = server_settings["debuglevel"]
1162
1910
use_dbus = server_settings["use_dbus"]
1163
1911
use_ipv6 = server_settings["use_ipv6"]
1164
1912
1165
if not debug:
1166
syslogger.setLevel(logging.WARNING)
1167
console.setLevel(logging.WARNING)
1168
1169
1913
if server_settings["servicename"] != "Mandos":
1170
1914
syslogger.setFormatter(logging.Formatter
1171
1915
('Mandos (%s) [%%(process)d]:'
1173
1917
% server_settings["servicename"]))
1174
1918
1175
1919
# Parse config file with clients
1176
client_defaults = { "timeout": "1h",
1177
"interval": "5m",
1920
client_defaults = { "timeout": "5m",
1921
"extended_timeout": "15m",
1922
"interval": "2m",
1178
1923
"checker": "fping -q -- %%(host)s",
1179
1924
"host": "",
1925
"approval_delay": "0s",
1926
"approval_duration": "1s",
1180
1927
}
1181
client_config = ConfigParser.SafeConfigParser(client_defaults)
1928
client_config = configparser.SafeConfigParser(client_defaults)
1182
1929
client_config.read(os.path.join(server_settings["configdir"],
1183
1930
"clients.conf"))
1184
1931
1185
1932
global mandos_dbus_service
1186
1933
mandos_dbus_service = None
1187
1934
1188
clients = Set()
1189
tcp_server = IPv6_TCPServer((server_settings["address"],
1190
server_settings["port"]),
1191
TCP_handler,
1192
settings=server_settings,
1193
clients=clients, use_ipv6=use_ipv6)
1194
pidfilename = "/var/run/mandos.pid"
1195
try:
1196
pidfile = open(pidfilename, "w")
1197
except IOError:
1198
logger.error("Could not open file %r", pidfilename)
1935
tcp_server = MandosServer((server_settings["address"],
1936
server_settings["port"]),
1937
ClientHandler,
1938
interface=(server_settings["interface"]
1939
or None),
1940
use_ipv6=use_ipv6,
1941
gnutls_priority=
1942
server_settings["priority"],
1943
use_dbus=use_dbus)
1944
if not debug:
1945
pidfilename = "/var/run/mandos.pid"
1946
try:
1947
pidfile = open(pidfilename, "w")
1948
except IOError:
1949
logger.error("Could not open file %r", pidfilename)
1199
1950
1200
1951
try:
1201
1952
uid = pwd.getpwnam("_mandos").pw_uid
1207
1958
except KeyError:
1208
1959
try:
1209
1960
uid = pwd.getpwnam("nobody").pw_uid
1210
gid = pwd.getpwnam("nogroup").pw_gid
1961
gid = pwd.getpwnam("nobody").pw_gid
1211
1962
except KeyError:
1212
1963
uid = 65534
1213
1964
gid = 65534
1214
1965
try:
1215
1966
os.setgid(gid)
1216
1967
os.setuid(uid)
1217
except OSError, error:
1968
except OSError as error:
1218
1969
if error[0] != errno.EPERM:
1219
1970
raise error
1220
1971
1221
# Enable all possible GnuTLS debugging
1972
if not debug and not debuglevel:
1973
syslogger.setLevel(logging.WARNING)
1974
console.setLevel(logging.WARNING)
1975
if debuglevel:
1976
level = getattr(logging, debuglevel.upper())
1977
syslogger.setLevel(level)
1978
console.setLevel(level)
1979
1222
1980
if debug:
1981
# Enable all possible GnuTLS debugging
1982
1223
1983
# "Use a log level over 10 to enable all debugging options."
1224
1984
# - GnuTLS manual
1225
1985
gnutls.library.functions.gnutls_global_set_log_level(11)
1230
1990
1231
1991
(gnutls.library.functions
1232
1992
.gnutls_global_set_log_function(debug_gnutls))
1993
1994
# Redirect stdin so all checkers get /dev/null
1995
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1996
os.dup2(null, sys.stdin.fileno())
1997
if null > 2:
1998
os.close(null)
1999
else:
2000
# No console logging
2001
logger.removeHandler(console)
1233
2002
1234
global service
1235
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1236
service = AvahiService(name = server_settings["servicename"],
1237
servicetype = "_mandos._tcp",
1238
protocol = protocol)
1239
if server_settings["interface"]:
1240
service.interface = (if_nametoindex
1241
(server_settings["interface"]))
2003
# Need to fork before connecting to D-Bus
2004
if not debug:
2005
# Close all input and output, do double fork, etc.
2006
daemon()
1242
2007
1243
2008
global main_loop
1244
global bus
1245
global server
1246
2009
# From the Avahi example code
1247
2010
DBusGMainLoop(set_as_default=True )
1248
2011
main_loop = gobject.MainLoop()
1249
2012
bus = dbus.SystemBus()
1250
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
1251
avahi.DBUS_PATH_SERVER),
1252
avahi.DBUS_INTERFACE_SERVER)
1253
2013
# End of Avahi example code
1254
2014
if use_dbus:
1255
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
2015
try:
2016
bus_name = dbus.service.BusName("se.recompile.Mandos",
2017
bus, do_not_queue=True)
2018
old_bus_name = (dbus.service.BusName
2019
("se.bsnet.fukt.Mandos", bus,
2020
do_not_queue=True))
2021
except dbus.exceptions.NameExistsException as e:
2022
logger.error(unicode(e) + ", disabling D-Bus")
2023
use_dbus = False
2024
server_settings["use_dbus"] = False
2025
tcp_server.use_dbus = False
2026
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2027
service = AvahiService(name = server_settings["servicename"],
2028
servicetype = "_mandos._tcp",
2029
protocol = protocol, bus = bus)
2030
if server_settings["interface"]:
2031
service.interface = (if_nametoindex
2032
(str(server_settings["interface"])))
2033
2034
global multiprocessing_manager
2035
multiprocessing_manager = multiprocessing.Manager()
1256
2036
1257
2037
client_class = Client
1258
2038
if use_dbus:
1259
client_class = ClientDBus
1260
clients.update(Set(
2039
client_class = functools.partial(ClientDBusTransitional,
2040
bus = bus)
2041
def client_config_items(config, section):
2042
special_settings = {
2043
"approved_by_default":
2044
lambda: config.getboolean(section,
2045
"approved_by_default"),
2046
}
2047
for name, value in config.items(section):
2048
try:
2049
yield (name, special_settings[name]())
2050
except KeyError:
2051
yield (name, value)
2052
2053
tcp_server.clients.update(set(
1261
2054
client_class(name = section,
1262
config= dict(client_config.items(section)))
2055
config= dict(client_config_items(
2056
client_config, section)))
1263
2057
for section in client_config.sections()))
1264
if not clients:
1265
logger.warning(u"No clients defined")
1266
1267
if debug:
1268
# Redirect stdin so all checkers get /dev/null
1269
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1270
os.dup2(null, sys.stdin.fileno())
1271
if null > 2:
1272
os.close(null)
1273
else:
1274
# No console logging
1275
logger.removeHandler(console)
1276
# Close all input and output, do double fork, etc.
1277
daemon()
1278
1279
try:
1280
with closing(pidfile):
1281
pid = os.getpid()
1282
pidfile.write(str(pid) + "\n")
1283
del pidfile
1284
except IOError:
1285
logger.error(u"Could not write to file %r with PID %d",
1286
pidfilename, pid)
1287
except NameError:
1288
# "pidfile" was never created
1289
pass
1290
del pidfilename
1291
1292
def cleanup():
1293
"Cleanup function; run on exit"
1294
global group
1295
# From the Avahi example code
1296
if not group is None:
1297
group.Free()
1298
group = None
1299
# End of Avahi example code
2058
if not tcp_server.clients:
2059
logger.warning("No clients defined")
1300
2060
1301
while clients:
1302
client = clients.pop()
1303
client.disable_hook = None
1304
client.disable()
1305
1306
atexit.register(cleanup)
1307
1308
2061
if not debug:
2062
try:
2063
with pidfile:
2064
pid = os.getpid()
2065
pidfile.write(str(pid) + "\n".encode("utf-8"))
2066
del pidfile
2067
except IOError:
2068
logger.error("Could not write to file %r with PID %d",
2069
pidfilename, pid)
2070
except NameError:
2071
# "pidfile" was never created
2072
pass
2073
del pidfilename
2074
1309
2075
signal.signal(signal.SIGINT, signal.SIG_IGN)
2076
1310
2077
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1311
2078
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1312
2079
1315
2082
"""A D-Bus proxy object"""
1316
2083
def __init__(self):
1317
2084
dbus.service.Object.__init__(self, bus, "/")
1318
_interface = u"se.bsnet.fukt.Mandos"
2085
_interface = "se.recompile.Mandos"
1319
2086
1320
@dbus.service.signal(_interface, signature="oa{sv}")
1321
def ClientAdded(self, objpath, properties):
2087
@dbus.service.signal(_interface, signature="o")
2088
def ClientAdded(self, objpath):
1322
2089
"D-Bus signal"
1323
2090
pass
1324
2091
1325
@dbus.service.signal(_interface, signature="s")
1326
def ClientNotFound(self, fingerprint):
2092
@dbus.service.signal(_interface, signature="ss")
2093
def ClientNotFound(self, fingerprint, address):
1327
2094
"D-Bus signal"
1328
2095
pass
1329
2096
1335
2102
@dbus.service.method(_interface, out_signature="ao")
1336
2103
def GetAllClients(self):
1337
2104
"D-Bus method"
1338
return dbus.Array(c.dbus_object_path for c in clients)
2105
return dbus.Array(c.dbus_object_path
2106
for c in tcp_server.clients)
1339
2107
1340
@dbus.service.method(_interface, out_signature="a{oa{sv}}")
2108
@dbus.service.method(_interface,
2109
out_signature="a{oa{sv}}")
1341
2110
def GetAllClientsWithProperties(self):
1342
2111
"D-Bus method"
1343
2112
return dbus.Dictionary(
1344
((c.dbus_object_path, c.GetAllProperties())
1345
for c in clients),
2113
((c.dbus_object_path, c.GetAll(""))
2114
for c in tcp_server.clients),
1346
2115
signature="oa{sv}")
1347
2116
1348
2117
@dbus.service.method(_interface, in_signature="o")
1349
2118
def RemoveClient(self, object_path):
1350
2119
"D-Bus method"
1351
for c in clients:
2120
for c in tcp_server.clients:
1352
2121
if c.dbus_object_path == object_path:
1353
clients.remove(c)
2122
tcp_server.clients.remove(c)
1354
2123
c.remove_from_connection()
1355
2124
# Don't signal anything except ClientRemoved
1356
c.disable(signal=False)
2125
c.disable(quiet=True)
1357
2126
# Emit D-Bus signal
1358
2127
self.ClientRemoved(object_path, c.name)
1359
2128
return
1360
raise KeyError
2129
raise KeyError(object_path)
1361
2130
1362
2131
del _interface
1363
2132
1364
mandos_dbus_service = MandosDBusService()
1365
1366
for client in clients:
2133
class MandosDBusServiceTransitional(MandosDBusService):
2134
__metaclass__ = AlternateDBusNamesMetaclass
2135
mandos_dbus_service = MandosDBusServiceTransitional()
2136
2137
def cleanup():
2138
"Cleanup function; run on exit"
2139
service.cleanup()
2140
2141
multiprocessing.active_children()
2142
while tcp_server.clients:
2143
client = tcp_server.clients.pop()
2144
if use_dbus:
2145
client.remove_from_connection()
2146
client.disable_hook = None
2147
# Don't signal anything except ClientRemoved
2148
client.disable(quiet=True)
2149
if use_dbus:
2150
# Emit D-Bus signal
2151
mandos_dbus_service.ClientRemoved(client
2152
.dbus_object_path,
2153
client.name)
2154
2155
atexit.register(cleanup)
2156
2157
for client in tcp_server.clients:
1367
2158
if use_dbus:
1368
2159
# Emit D-Bus signal
1369
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1370
client.GetAllProperties())
2160
mandos_dbus_service.ClientAdded(client.dbus_object_path)
1371
2161
client.enable()
1372
2162
1373
2163
tcp_server.enable()
1376
2166
# Find out what port we got
1377
2167
service.port = tcp_server.socket.getsockname()[1]
1378
2168
if use_ipv6:
1379
logger.info(u"Now listening on address %r, port %d,"
2169
logger.info("Now listening on address %r, port %d,"
1380
2170
" flowinfo %d, scope_id %d"
1381
2171
% tcp_server.socket.getsockname())
1382
2172
else: # IPv4
1383
logger.info(u"Now listening on address %r, port %d"
2173
logger.info("Now listening on address %r, port %d"
1384
2174
% tcp_server.socket.getsockname())
1385
2175
1386
2176
#service.interface = tcp_server.socket.getsockname()[3]
1387
2177
1388
2178
try:
1389
2179
# From the Avahi example code
1390
server.connect_to_signal("StateChanged", server_state_changed)
1391
2180
try:
1392
server_state_changed(server.GetState())
1393
except dbus.exceptions.DBusException, error:
1394
logger.critical(u"DBusException: %s", error)
2181
service.activate()
2182
except dbus.exceptions.DBusException as error:
2183
logger.critical("DBusException: %s", error)
2184
cleanup()
1395
2185
sys.exit(1)
1396
2186
# End of Avahi example code
1397
2187
1400
2190
(tcp_server.handle_request
1401
2191
(*args[2:], **kwargs) or True))
1402
2192
1403
logger.debug(u"Starting main loop")
2193
logger.debug("Starting main loop")
1404
2194
main_loop.run()
1405
except AvahiError, error:
1406
logger.critical(u"AvahiError: %s", error)
2195
except AvahiError as error:
2196
logger.critical("AvahiError: %s", error)
2197
cleanup()
1407
2198
sys.exit(1)
1408
2199
except KeyboardInterrupt:
1409
2200
if debug:
1410
print >> sys.stderr
2201
print("", file=sys.stderr)
1411
2202
logger.debug("Server received KeyboardInterrupt")
1412
2203
logger.debug("Server exiting")
2204
# Must run before the D-Bus bus name gets deregistered
2205
cleanup()
2206
1413
2207
1414
2208
if __name__ == '__main__':
1415
2209
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0