To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 518.2.3
- compare with another revision
- download diff
- download tarball
- view history from revision 518.2.3
- Committer: Teddy Hogeborn
- Date: 2011-11-26 23:08:17 UTC
- mto: (518.1.8 mandos-persistent)
- mto: This revision was merged to the branch mainline in revision 524.
- Revision ID: teddy@recompile.se-20111126230817-tv08v831s2yltbkd
Make "enabled" a client config option.
* DBUS-API: Fix wording on "Expires" option.
* clients.conf (enabled): New.
* mandos (Client): "last_enabled" can now be None.
(Client.__init__): Get "enabled" from config. Only set
"last_enabled" and "expires" if enabled.
(ClientDBus.Created_dbus_property): Removed redundant dbus.String().
(ClientDBus.Interval_dbus_property): If changed, only reschedule
checker if enabled.
(main/special_settings): Added "enabled".
* mandos-clients.conf (OPTIONS): Added "enabled".
* DBUS-API: Fix wording on "Expires" option.
* clients.conf (enabled): New.
* mandos (Client): "last_enabled" can now be None.
(Client.__init__): Get "enabled" from config. Only set
"last_enabled" and "expires" if enabled.
(ClientDBus.Created_dbus_property): Removed redundant dbus.String().
(ClientDBus.Interval_dbus_property): If changed, only reschedule
checker if enabled.
(main/special_settings): Added "enabled".
* mandos-clients.conf (OPTIONS): Added "enabled".
- files added:
- DBUS-API
- debian/source
- files modified:
- .bzrignore
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
# Contact the authors at <mandos@recompile.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
35
36
36
37
import SocketServer as socketserver
37
38
import socket
38
import optparse
39
import argparse
39
40
import datetime
40
41
import errno
41
42
import gnutls.crypto
55
56
import logging
56
57
import logging.handlers
57
58
import pwd
58
from contextlib import closing
59
import contextlib
59
60
import struct
60
61
import fcntl
61
62
import functools
63
import cPickle as pickle
64
import multiprocessing
65
import types
66
import binascii
67
import tempfile
62
68
63
69
import dbus
64
70
import dbus.service
67
73
from dbus.mainloop.glib import DBusGMainLoop
68
74
import ctypes
69
75
import ctypes.util
76
import xml.dom.minidom
77
import inspect
78
import GnuPGInterface
70
79
71
80
try:
72
81
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
77
86
SO_BINDTODEVICE = None
78
87
79
88
80
version = "1.0.13"
89
version = "1.4.1"
90
stored_state_file = "clients.pickle"
81
91
82
logger = logging.Logger(u'mandos')
92
logger = logging.getLogger()
83
93
syslogger = (logging.handlers.SysLogHandler
84
94
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
89
logger.addHandler(syslogger)
90
91
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
95
logger.addHandler(console)
95
address = str("/dev/log")))
96
97
try:
98
if_nametoindex = (ctypes.cdll.LoadLibrary
99
(ctypes.util.find_library("c"))
100
.if_nametoindex)
101
except (OSError, AttributeError):
102
def if_nametoindex(interface):
103
"Get an interface index the hard way, i.e. using fcntl()"
104
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
105
with contextlib.closing(socket.socket()) as s:
106
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
107
struct.pack(str("16s16x"),
108
interface))
109
interface_index = struct.unpack(str("I"),
110
ifreq[16:20])[0]
111
return interface_index
112
113
114
def initlogger(level=logging.WARNING):
115
"""init logger and add loglevel"""
116
117
syslogger.setFormatter(logging.Formatter
118
('Mandos [%(process)d]: %(levelname)s:'
119
' %(message)s'))
120
logger.addHandler(syslogger)
121
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
124
' [%(process)d]:'
125
' %(levelname)s:'
126
' %(message)s'))
127
logger.addHandler(console)
128
logger.setLevel(level)
129
130
131
class CryptoError(Exception):
132
pass
133
134
135
class Crypto(object):
136
"""A simple class for OpenPGP symmetric encryption & decryption"""
137
def __init__(self):
138
self.gnupg = GnuPGInterface.GnuPG()
139
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
140
self.gnupg = GnuPGInterface.GnuPG()
141
self.gnupg.options.meta_interactive = False
142
self.gnupg.options.homedir = self.tempdir
143
self.gnupg.options.extra_args.extend(['--force-mdc',
144
'--quiet'])
145
146
def __enter__(self):
147
return self
148
149
def __exit__ (self, exc_type, exc_value, traceback):
150
self._cleanup()
151
return False
152
153
def __del__(self):
154
self._cleanup()
155
156
def _cleanup(self):
157
if self.tempdir is not None:
158
# Delete contents of tempdir
159
for root, dirs, files in os.walk(self.tempdir,
160
topdown = False):
161
for filename in files:
162
os.remove(os.path.join(root, filename))
163
for dirname in dirs:
164
os.rmdir(os.path.join(root, dirname))
165
# Remove tempdir
166
os.rmdir(self.tempdir)
167
self.tempdir = None
168
169
def password_encode(self, password):
170
# Passphrase can not be empty and can not contain newlines or
171
# NUL bytes. So we prefix it and hex encode it.
172
return b"mandos" + binascii.hexlify(password)
173
174
def encrypt(self, data, password):
175
self.gnupg.passphrase = self.password_encode(password)
176
with open(os.devnull) as devnull:
177
try:
178
proc = self.gnupg.run(['--symmetric'],
179
create_fhs=['stdin', 'stdout'],
180
attach_fhs={'stderr': devnull})
181
with contextlib.closing(proc.handles['stdin']) as f:
182
f.write(data)
183
with contextlib.closing(proc.handles['stdout']) as f:
184
ciphertext = f.read()
185
proc.wait()
186
except IOError as e:
187
raise CryptoError(e)
188
self.gnupg.passphrase = None
189
return ciphertext
190
191
def decrypt(self, data, password):
192
self.gnupg.passphrase = self.password_encode(password)
193
with open(os.devnull) as devnull:
194
try:
195
proc = self.gnupg.run(['--decrypt'],
196
create_fhs=['stdin', 'stdout'],
197
attach_fhs={'stderr': devnull})
198
with contextlib.closing(proc.handles['stdin'] ) as f:
199
f.write(data)
200
with contextlib.closing(proc.handles['stdout']) as f:
201
decrypted_plaintext = f.read()
202
proc.wait()
203
except IOError as e:
204
raise CryptoError(e)
205
self.gnupg.passphrase = None
206
return decrypted_plaintext
207
208
96
209
97
210
class AvahiError(Exception):
98
211
def __init__(self, value, *args, **kwargs):
114
227
Attributes:
115
228
interface: integer; avahi.IF_UNSPEC or an interface index.
116
229
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
230
name: string; Example: 'Mandos'
231
type: string; Example: '_mandos._tcp'.
119
232
See <http://www.dns-sd.org/ServiceTypes.html>
120
233
port: integer; what port to announce
121
234
TXT: list of strings; TXT record for the service
130
243
"""
131
244
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
132
245
servicetype = None, port = None, TXT = None,
133
domain = u"", host = u"", max_renames = 32768,
246
domain = "", host = "", max_renames = 32768,
134
247
protocol = avahi.PROTO_UNSPEC, bus = None):
135
248
self.interface = interface
136
249
self.name = name
145
258
self.group = None # our entry group
146
259
self.server = None
147
260
self.bus = bus
261
self.entry_group_state_changed_match = None
148
262
def rename(self):
149
263
"""Derived from the Avahi example code"""
150
264
if self.rename_count >= self.max_renames:
151
logger.critical(u"No suitable Zeroconf service name found"
152
u" after %i retries, exiting.",
265
logger.critical("No suitable Zeroconf service name found"
266
" after %i retries, exiting.",
153
267
self.rename_count)
154
raise AvahiServiceError(u"Too many renames")
155
self.name = self.server.GetAlternativeServiceName(self.name)
156
logger.info(u"Changing Zeroconf service name to %r ...",
157
unicode(self.name))
158
syslogger.setFormatter(logging.Formatter
159
(u'Mandos (%s) [%%(process)d]:'
160
u' %%(levelname)s: %%(message)s'
161
% self.name))
268
raise AvahiServiceError("Too many renames")
269
self.name = unicode(self.server
270
.GetAlternativeServiceName(self.name))
271
logger.info("Changing Zeroconf service name to %r ...",
272
self.name)
162
273
self.remove()
163
self.add()
274
try:
275
self.add()
276
except dbus.exceptions.DBusException as error:
277
logger.critical("DBusException: %s", error)
278
self.cleanup()
279
os._exit(1)
164
280
self.rename_count += 1
165
281
def remove(self):
166
282
"""Derived from the Avahi example code"""
283
if self.entry_group_state_changed_match is not None:
284
self.entry_group_state_changed_match.remove()
285
self.entry_group_state_changed_match = None
167
286
if self.group is not None:
168
287
self.group.Reset()
169
288
def add(self):
170
289
"""Derived from the Avahi example code"""
290
self.remove()
171
291
if self.group is None:
172
292
self.group = dbus.Interface(
173
293
self.bus.get_object(avahi.DBUS_NAME,
174
294
self.server.EntryGroupNew()),
175
295
avahi.DBUS_INTERFACE_ENTRY_GROUP)
176
self.group.connect_to_signal('StateChanged',
177
self.entry_group_state_changed)
178
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
296
self.entry_group_state_changed_match = (
297
self.group.connect_to_signal(
298
'StateChanged', self.entry_group_state_changed))
299
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
179
300
self.name, self.type)
180
301
self.group.AddService(
181
302
self.interface,
188
309
self.group.Commit()
189
310
def entry_group_state_changed(self, state, error):
190
311
"""Derived from the Avahi example code"""
191
logger.debug(u"Avahi state change: %i", state)
312
logger.debug("Avahi entry group state change: %i", state)
192
313
193
314
if state == avahi.ENTRY_GROUP_ESTABLISHED:
194
logger.debug(u"Zeroconf service established.")
315
logger.debug("Zeroconf service established.")
195
316
elif state == avahi.ENTRY_GROUP_COLLISION:
196
logger.warning(u"Zeroconf service name collision.")
317
logger.info("Zeroconf service name collision.")
197
318
self.rename()
198
319
elif state == avahi.ENTRY_GROUP_FAILURE:
199
logger.critical(u"Avahi: Error in group state changed %s",
320
logger.critical("Avahi: Error in group state changed %s",
200
321
unicode(error))
201
raise AvahiGroupError(u"State changed: %s"
322
raise AvahiGroupError("State changed: %s"
202
323
% unicode(error))
203
324
def cleanup(self):
204
325
"""Derived from the Avahi example code"""
205
326
if self.group is not None:
206
self.group.Free()
327
try:
328
self.group.Free()
329
except (dbus.exceptions.UnknownMethodException,
330
dbus.exceptions.DBusException):
331
pass
207
332
self.group = None
208
def server_state_changed(self, state):
333
self.remove()
334
def server_state_changed(self, state, error=None):
209
335
"""Derived from the Avahi example code"""
210
if state == avahi.SERVER_COLLISION:
211
logger.error(u"Zeroconf server name collision")
212
self.remove()
336
logger.debug("Avahi server state change: %i", state)
337
bad_states = { avahi.SERVER_INVALID:
338
"Zeroconf server invalid",
339
avahi.SERVER_REGISTERING: None,
340
avahi.SERVER_COLLISION:
341
"Zeroconf server name collision",
342
avahi.SERVER_FAILURE:
343
"Zeroconf server failure" }
344
if state in bad_states:
345
if bad_states[state] is not None:
346
if error is None:
347
logger.error(bad_states[state])
348
else:
349
logger.error(bad_states[state] + ": %r", error)
350
self.cleanup()
213
351
elif state == avahi.SERVER_RUNNING:
214
352
self.add()
353
else:
354
if error is None:
355
logger.debug("Unknown state: %r", state)
356
else:
357
logger.debug("Unknown state: %r: %r", state, error)
215
358
def activate(self):
216
359
"""Derived from the Avahi example code"""
217
360
if self.server is None:
218
361
self.server = dbus.Interface(
219
362
self.bus.get_object(avahi.DBUS_NAME,
220
avahi.DBUS_PATH_SERVER),
363
avahi.DBUS_PATH_SERVER,
364
follow_name_owner_changes=True),
221
365
avahi.DBUS_INTERFACE_SERVER)
222
self.server.connect_to_signal(u"StateChanged",
366
self.server.connect_to_signal("StateChanged",
223
367
self.server_state_changed)
224
368
self.server_state_changed(self.server.GetState())
225
369
370
class AvahiServiceToSyslog(AvahiService):
371
def rename(self):
372
"""Add the new name to the syslog messages"""
373
ret = AvahiService.rename(self)
374
syslogger.setFormatter(logging.Formatter
375
('Mandos (%s) [%%(process)d]:'
376
' %%(levelname)s: %%(message)s'
377
% self.name))
378
return ret
226
379
380
def _timedelta_to_milliseconds(td):
381
"Convert a datetime.timedelta() to milliseconds"
382
return ((td.days * 24 * 60 * 60 * 1000)
383
+ (td.seconds * 1000)
384
+ (td.microseconds // 1000))
385
227
386
class Client(object):
228
387
"""A representation of a client host served by this server.
229
388
230
389
Attributes:
231
name: string; from the config file, used in log messages and
232
D-Bus identifiers
233
fingerprint: string (40 or 32 hexadecimal digits); used to
234
uniquely identify the client
235
secret: bytestring; sent verbatim (over TLS) to client
236
host: string; available for use by the checker command
237
created: datetime.datetime(); (UTC) object creation
238
last_enabled: datetime.datetime(); (UTC)
239
enabled: bool()
240
last_checked_ok: datetime.datetime(); (UTC) or None
241
timeout: datetime.timedelta(); How long from last_checked_ok
242
until this client is invalid
243
interval: datetime.timedelta(); How often to start a new checker
244
disable_hook: If set, called by disable() as disable_hook(self)
390
_approved: bool(); 'None' if not yet approved/disapproved
391
approval_delay: datetime.timedelta(); Time to wait for approval
392
approval_duration: datetime.timedelta(); Duration of one approval
245
393
checker: subprocess.Popen(); a running checker process used
246
394
to see if the client lives.
247
395
'None' if no process is running.
248
checker_initiator_tag: a gobject event source tag, or None
249
disable_initiator_tag: - '' -
250
checker_callback_tag: - '' -
251
checker_command: string; External command which is run to check if
252
client lives. %() expansions are done at
396
checker_callback_tag: a gobject event source tag, or None
397
checker_command: string; External command which is run to check
398
if client lives. %() expansions are done at
253
399
runtime with vars(self) as dict, so that for
254
400
instance %(name)s can be used in the command.
401
checker_initiator_tag: a gobject event source tag, or None
402
created: datetime.datetime(); (UTC) object creation
403
client_structure: Object describing what attributes a client has
404
and is used for storing the client at exit
255
405
current_checker_command: string; current running checker_command
406
disable_initiator_tag: a gobject event source tag, or None
407
enabled: bool()
408
fingerprint: string (40 or 32 hexadecimal digits); used to
409
uniquely identify the client
410
host: string; available for use by the checker command
411
interval: datetime.timedelta(); How often to start a new checker
412
last_approval_request: datetime.datetime(); (UTC) or None
413
last_checked_ok: datetime.datetime(); (UTC) or None
414
415
last_checker_status: integer between 0 and 255 reflecting exit
416
status of last checker. -1 reflects crashed
417
checker, or None.
418
last_enabled: datetime.datetime(); (UTC) or None
419
name: string; from the config file, used in log messages and
420
D-Bus identifiers
421
secret: bytestring; sent verbatim (over TLS) to client
422
timeout: datetime.timedelta(); How long from last_checked_ok
423
until this client is disabled
424
extended_timeout: extra long timeout when password has been sent
425
runtime_expansions: Allowed attributes for runtime expansion.
426
expires: datetime.datetime(); time (UTC) when a client will be
427
disabled, or None
256
428
"""
257
429
258
@staticmethod
259
def _datetime_to_milliseconds(dt):
260
"Convert a datetime.datetime() to milliseconds"
261
return ((dt.days * 24 * 60 * 60 * 1000)
262
+ (dt.seconds * 1000)
263
+ (dt.microseconds // 1000))
430
runtime_expansions = ("approval_delay", "approval_duration",
431
"created", "enabled", "fingerprint",
432
"host", "interval", "last_checked_ok",
433
"last_enabled", "name", "timeout")
264
434
265
435
def timeout_milliseconds(self):
266
436
"Return the 'timeout' attribute in milliseconds"
267
return self._datetime_to_milliseconds(self.timeout)
437
return _timedelta_to_milliseconds(self.timeout)
438
439
def extended_timeout_milliseconds(self):
440
"Return the 'extended_timeout' attribute in milliseconds"
441
return _timedelta_to_milliseconds(self.extended_timeout)
268
442
269
443
def interval_milliseconds(self):
270
444
"Return the 'interval' attribute in milliseconds"
271
return self._datetime_to_milliseconds(self.interval)
272
273
def __init__(self, name = None, disable_hook=None, config=None):
445
return _timedelta_to_milliseconds(self.interval)
446
447
def approval_delay_milliseconds(self):
448
return _timedelta_to_milliseconds(self.approval_delay)
449
450
def __init__(self, name = None, config=None):
274
451
"""Note: the 'checker' key in 'config' sets the
275
452
'checker_command' attribute and *not* the 'checker'
276
453
attribute."""
277
454
self.name = name
278
455
if config is None:
279
456
config = {}
280
logger.debug(u"Creating client %r", self.name)
457
logger.debug("Creating client %r", self.name)
281
458
# Uppercase and remove spaces from fingerprint for later
282
459
# comparison purposes with return value from the fingerprint()
283
460
# function
284
self.fingerprint = (config[u"fingerprint"].upper()
285
.replace(u" ", u""))
286
logger.debug(u" Fingerprint: %s", self.fingerprint)
287
if u"secret" in config:
288
self.secret = config[u"secret"].decode(u"base64")
289
elif u"secfile" in config:
290
with closing(open(os.path.expanduser
291
(os.path.expandvars
292
(config[u"secfile"])))) as secfile:
461
self.fingerprint = (config["fingerprint"].upper()
462
.replace(" ", ""))
463
logger.debug(" Fingerprint: %s", self.fingerprint)
464
if "secret" in config:
465
self.secret = config["secret"].decode("base64")
466
elif "secfile" in config:
467
with open(os.path.expanduser(os.path.expandvars
468
(config["secfile"])),
469
"rb") as secfile:
293
470
self.secret = secfile.read()
294
471
else:
295
raise TypeError(u"No secret or secfile for client %s"
472
raise TypeError("No secret or secfile for client %s"
296
473
% self.name)
297
self.host = config.get(u"host", u"")
474
self.host = config.get("host", "")
298
475
self.created = datetime.datetime.utcnow()
299
self.enabled = False
300
self.last_enabled = None
476
self.enabled = config.get("enabled", True)
477
self.last_approval_request = None
478
if self.enabled:
479
self.last_enabled = datetime.datetime.utcnow()
480
else:
481
self.last_enabled = None
301
482
self.last_checked_ok = None
302
self.timeout = string_to_delta(config[u"timeout"])
303
self.interval = string_to_delta(config[u"interval"])
304
self.disable_hook = disable_hook
483
self.last_checker_status = None
484
self.timeout = string_to_delta(config["timeout"])
485
self.extended_timeout = string_to_delta(config
486
["extended_timeout"])
487
self.interval = string_to_delta(config["interval"])
305
488
self.checker = None
306
489
self.checker_initiator_tag = None
307
490
self.disable_initiator_tag = None
491
if self.enabled:
492
self.expires = datetime.datetime.utcnow() + self.timeout
493
else:
494
self.expires = None
308
495
self.checker_callback_tag = None
309
self.checker_command = config[u"checker"]
496
self.checker_command = config["checker"]
310
497
self.current_checker_command = None
311
self.last_connect = None
498
self._approved = None
499
self.approved_by_default = config.get("approved_by_default",
500
True)
501
self.approvals_pending = 0
502
self.approval_delay = string_to_delta(
503
config["approval_delay"])
504
self.approval_duration = string_to_delta(
505
config["approval_duration"])
506
self.changedstate = (multiprocessing_manager
507
.Condition(multiprocessing_manager
508
.Lock()))
509
self.client_structure = [attr for attr in
510
self.__dict__.iterkeys()
511
if not attr.startswith("_")]
512
self.client_structure.append("client_structure")
513
514
for name, t in inspect.getmembers(type(self),
515
lambda obj:
516
isinstance(obj,
517
property)):
518
if not name.startswith("_"):
519
self.client_structure.append(name)
520
521
# Send notice to process children that client state has changed
522
def send_changedstate(self):
523
with self.changedstate:
524
self.changedstate.notify_all()
312
525
313
526
def enable(self):
314
527
"""Start this client's checker and timeout hooks"""
315
if getattr(self, u"enabled", False):
528
if getattr(self, "enabled", False):
316
529
# Already enabled
317
530
return
531
self.send_changedstate()
532
self.expires = datetime.datetime.utcnow() + self.timeout
533
self.enabled = True
318
534
self.last_enabled = datetime.datetime.utcnow()
535
self.init_checker()
536
537
def disable(self, quiet=True):
538
"""Disable this client."""
539
if not getattr(self, "enabled", False):
540
return False
541
if not quiet:
542
self.send_changedstate()
543
if not quiet:
544
logger.info("Disabling client %s", self.name)
545
if getattr(self, "disable_initiator_tag", False):
546
gobject.source_remove(self.disable_initiator_tag)
547
self.disable_initiator_tag = None
548
self.expires = None
549
if getattr(self, "checker_initiator_tag", False):
550
gobject.source_remove(self.checker_initiator_tag)
551
self.checker_initiator_tag = None
552
self.stop_checker()
553
self.enabled = False
554
# Do not run this again if called by a gobject.timeout_add
555
return False
556
557
def __del__(self):
558
self.disable()
559
560
def init_checker(self):
319
561
# Schedule a new checker to be started an 'interval' from now,
320
562
# and every interval from then on.
321
563
self.checker_initiator_tag = (gobject.timeout_add
322
564
(self.interval_milliseconds(),
323
565
self.start_checker))
324
# Also start a new checker *right now*.
325
self.start_checker()
326
566
# Schedule a disable() when 'timeout' has passed
327
567
self.disable_initiator_tag = (gobject.timeout_add
328
568
(self.timeout_milliseconds(),
329
569
self.disable))
330
self.enabled = True
331
332
def disable(self):
333
"""Disable this client."""
334
if not getattr(self, "enabled", False):
335
return False
336
logger.info(u"Disabling client %s", self.name)
337
if getattr(self, u"disable_initiator_tag", False):
338
gobject.source_remove(self.disable_initiator_tag)
339
self.disable_initiator_tag = None
340
if getattr(self, u"checker_initiator_tag", False):
341
gobject.source_remove(self.checker_initiator_tag)
342
self.checker_initiator_tag = None
343
self.stop_checker()
344
if self.disable_hook:
345
self.disable_hook(self)
346
self.enabled = False
347
# Do not run this again if called by a gobject.timeout_add
348
return False
349
350
def __del__(self):
351
self.disable_hook = None
352
self.disable()
570
# Also start a new checker *right now*.
571
self.start_checker()
353
572
354
573
def checker_callback(self, pid, condition, command):
355
574
"""The checker has completed, so take appropriate actions."""
356
575
self.checker_callback_tag = None
357
576
self.checker = None
358
577
if os.WIFEXITED(condition):
359
exitstatus = os.WEXITSTATUS(condition)
360
if exitstatus == 0:
361
logger.info(u"Checker for %(name)s succeeded",
578
self.last_checker_status = os.WEXITSTATUS(condition)
579
if self.last_checker_status == 0:
580
logger.info("Checker for %(name)s succeeded",
362
581
vars(self))
363
582
self.checked_ok()
364
583
else:
365
logger.info(u"Checker for %(name)s failed",
584
logger.info("Checker for %(name)s failed",
366
585
vars(self))
367
586
else:
368
logger.warning(u"Checker for %(name)s crashed?",
587
self.last_checker_status = -1
588
logger.warning("Checker for %(name)s crashed?",
369
589
vars(self))
370
590
371
def checked_ok(self):
591
def checked_ok(self, timeout=None):
372
592
"""Bump up the timeout for this client.
373
593
374
594
This should only be called when the client has been seen,
375
595
alive and well.
376
596
"""
597
if timeout is None:
598
timeout = self.timeout
377
599
self.last_checked_ok = datetime.datetime.utcnow()
378
gobject.source_remove(self.disable_initiator_tag)
379
self.disable_initiator_tag = (gobject.timeout_add
380
(self.timeout_milliseconds(),
381
self.disable))
600
if self.disable_initiator_tag is not None:
601
gobject.source_remove(self.disable_initiator_tag)
602
if getattr(self, "enabled", False):
603
self.disable_initiator_tag = (gobject.timeout_add
604
(_timedelta_to_milliseconds
605
(timeout), self.disable))
606
self.expires = datetime.datetime.utcnow() + timeout
607
608
def need_approval(self):
609
self.last_approval_request = datetime.datetime.utcnow()
382
610
383
611
def start_checker(self):
384
612
"""Start a new checker subprocess if one is not running.
391
619
# client would inevitably timeout, since no checker would get
392
620
# a chance to run to completion. If we instead leave running
393
621
# checkers alone, the checker would have to take more time
394
# than 'timeout' for the client to be declared invalid, which
395
# is as it should be.
622
# than 'timeout' for the client to be disabled, which is as it
623
# should be.
396
624
397
625
# If a checker exists, make sure it is not a zombie
398
if self.checker is not None:
626
try:
399
627
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
628
except (AttributeError, OSError) as error:
629
if (isinstance(error, OSError)
630
and error.errno != errno.ECHILD):
631
raise error
632
else:
400
633
if pid:
401
logger.warning(u"Checker was a zombie")
634
logger.warning("Checker was a zombie")
402
635
gobject.source_remove(self.checker_callback_tag)
403
636
self.checker_callback(pid, status,
404
637
self.current_checker_command)
409
642
command = self.checker_command % self.host
410
643
except TypeError:
411
644
# Escape attributes for the shell
412
escaped_attrs = dict((key,
413
re.escape(unicode(str(val),
414
errors=
415
u'replace')))
416
for key, val in
417
vars(self).iteritems())
645
escaped_attrs = dict(
646
(attr,
647
re.escape(unicode(str(getattr(self, attr, "")),
648
errors=
649
'replace')))
650
for attr in
651
self.runtime_expansions)
652
418
653
try:
419
654
command = self.checker_command % escaped_attrs
420
except TypeError, error:
421
logger.error(u'Could not format string "%s":'
422
u' %s', self.checker_command, error)
655
except TypeError as error:
656
logger.error('Could not format string "%s":'
657
' %s', self.checker_command, error)
423
658
return True # Try again later
424
659
self.current_checker_command = command
425
660
try:
426
logger.info(u"Starting checker %r for %s",
661
logger.info("Starting checker %r for %s",
427
662
command, self.name)
428
663
# We don't need to redirect stdout and stderr, since
429
664
# in normal mode, that is already done by daemon(),
431
666
# always replaced by /dev/null.)
432
667
self.checker = subprocess.Popen(command,
433
668
close_fds=True,
434
shell=True, cwd=u"/")
669
shell=True, cwd="/")
435
670
self.checker_callback_tag = (gobject.child_watch_add
436
671
(self.checker.pid,
437
672
self.checker_callback,
442
677
if pid:
443
678
gobject.source_remove(self.checker_callback_tag)
444
679
self.checker_callback(pid, status, command)
445
except OSError, error:
446
logger.error(u"Failed to start subprocess: %s",
680
except OSError as error:
681
logger.error("Failed to start subprocess: %s",
447
682
error)
448
683
# Re-run this periodically if run by gobject.timeout_add
449
684
return True
453
688
if self.checker_callback_tag:
454
689
gobject.source_remove(self.checker_callback_tag)
455
690
self.checker_callback_tag = None
456
if getattr(self, u"checker", None) is None:
691
if getattr(self, "checker", None) is None:
457
692
return
458
logger.debug(u"Stopping checker for %(name)s", vars(self))
693
logger.debug("Stopping checker for %(name)s", vars(self))
459
694
try:
460
695
os.kill(self.checker.pid, signal.SIGTERM)
461
#os.sleep(0.5)
696
#time.sleep(0.5)
462
697
#if self.checker.poll() is None:
463
698
# os.kill(self.checker.pid, signal.SIGKILL)
464
except OSError, error:
699
except OSError as error:
465
700
if error.errno != errno.ESRCH: # No such process
466
701
raise
467
702
self.checker = None
468
469
def still_valid(self):
470
"""Has the timeout not yet passed for this client?"""
471
if not getattr(self, u"enabled", False):
472
return False
473
now = datetime.datetime.utcnow()
474
if self.last_checked_ok is None:
475
return now < (self.created + self.timeout)
476
else:
477
return now < (self.last_checked_ok + self.timeout)
478
479
480
class ClientDBus(Client, dbus.service.Object):
703
704
705
def dbus_service_property(dbus_interface, signature="v",
706
access="readwrite", byte_arrays=False):
707
"""Decorators for marking methods of a DBusObjectWithProperties to
708
become properties on the D-Bus.
709
710
The decorated method will be called with no arguments by "Get"
711
and with one argument by "Set".
712
713
The parameters, where they are supported, are the same as
714
dbus.service.method, except there is only "signature", since the
715
type from Get() and the type sent to Set() is the same.
716
"""
717
# Encoding deeply encoded byte arrays is not supported yet by the
718
# "Set" method, so we fail early here:
719
if byte_arrays and signature != "ay":
720
raise ValueError("Byte arrays not supported for non-'ay'"
721
" signature %r" % signature)
722
def decorator(func):
723
func._dbus_is_property = True
724
func._dbus_interface = dbus_interface
725
func._dbus_signature = signature
726
func._dbus_access = access
727
func._dbus_name = func.__name__
728
if func._dbus_name.endswith("_dbus_property"):
729
func._dbus_name = func._dbus_name[:-14]
730
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
731
return func
732
return decorator
733
734
735
class DBusPropertyException(dbus.exceptions.DBusException):
736
"""A base class for D-Bus property-related exceptions
737
"""
738
def __unicode__(self):
739
return unicode(str(self))
740
741
742
class DBusPropertyAccessException(DBusPropertyException):
743
"""A property's access permissions disallows an operation.
744
"""
745
pass
746
747
748
class DBusPropertyNotFound(DBusPropertyException):
749
"""An attempt was made to access a non-existing property.
750
"""
751
pass
752
753
754
class DBusObjectWithProperties(dbus.service.Object):
755
"""A D-Bus object with properties.
756
757
Classes inheriting from this can use the dbus_service_property
758
decorator to expose methods as D-Bus properties. It exposes the
759
standard Get(), Set(), and GetAll() methods on the D-Bus.
760
"""
761
762
@staticmethod
763
def _is_dbus_property(obj):
764
return getattr(obj, "_dbus_is_property", False)
765
766
def _get_all_dbus_properties(self):
767
"""Returns a generator of (name, attribute) pairs
768
"""
769
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
770
for cls in self.__class__.__mro__
771
for name, prop in
772
inspect.getmembers(cls, self._is_dbus_property))
773
774
def _get_dbus_property(self, interface_name, property_name):
775
"""Returns a bound method if one exists which is a D-Bus
776
property with the specified name and interface.
777
"""
778
for cls in self.__class__.__mro__:
779
for name, value in (inspect.getmembers
780
(cls, self._is_dbus_property)):
781
if (value._dbus_name == property_name
782
and value._dbus_interface == interface_name):
783
return value.__get__(self)
784
785
# No such property
786
raise DBusPropertyNotFound(self.dbus_object_path + ":"
787
+ interface_name + "."
788
+ property_name)
789
790
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
791
out_signature="v")
792
def Get(self, interface_name, property_name):
793
"""Standard D-Bus property Get() method, see D-Bus standard.
794
"""
795
prop = self._get_dbus_property(interface_name, property_name)
796
if prop._dbus_access == "write":
797
raise DBusPropertyAccessException(property_name)
798
value = prop()
799
if not hasattr(value, "variant_level"):
800
return value
801
return type(value)(value, variant_level=value.variant_level+1)
802
803
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
804
def Set(self, interface_name, property_name, value):
805
"""Standard D-Bus property Set() method, see D-Bus standard.
806
"""
807
prop = self._get_dbus_property(interface_name, property_name)
808
if prop._dbus_access == "read":
809
raise DBusPropertyAccessException(property_name)
810
if prop._dbus_get_args_options["byte_arrays"]:
811
# The byte_arrays option is not supported yet on
812
# signatures other than "ay".
813
if prop._dbus_signature != "ay":
814
raise ValueError
815
value = dbus.ByteArray(''.join(unichr(byte)
816
for byte in value))
817
prop(value)
818
819
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
820
out_signature="a{sv}")
821
def GetAll(self, interface_name):
822
"""Standard D-Bus property GetAll() method, see D-Bus
823
standard.
824
825
Note: Will not include properties with access="write".
826
"""
827
properties = {}
828
for name, prop in self._get_all_dbus_properties():
829
if (interface_name
830
and interface_name != prop._dbus_interface):
831
# Interface non-empty but did not match
832
continue
833
# Ignore write-only properties
834
if prop._dbus_access == "write":
835
continue
836
value = prop()
837
if not hasattr(value, "variant_level"):
838
properties[name] = value
839
continue
840
properties[name] = type(value)(value, variant_level=
841
value.variant_level+1)
842
return dbus.Dictionary(properties, signature="sv")
843
844
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
845
out_signature="s",
846
path_keyword='object_path',
847
connection_keyword='connection')
848
def Introspect(self, object_path, connection):
849
"""Standard D-Bus method, overloaded to insert property tags.
850
"""
851
xmlstring = dbus.service.Object.Introspect(self, object_path,
852
connection)
853
try:
854
document = xml.dom.minidom.parseString(xmlstring)
855
def make_tag(document, name, prop):
856
e = document.createElement("property")
857
e.setAttribute("name", name)
858
e.setAttribute("type", prop._dbus_signature)
859
e.setAttribute("access", prop._dbus_access)
860
return e
861
for if_tag in document.getElementsByTagName("interface"):
862
for tag in (make_tag(document, name, prop)
863
for name, prop
864
in self._get_all_dbus_properties()
865
if prop._dbus_interface
866
== if_tag.getAttribute("name")):
867
if_tag.appendChild(tag)
868
# Add the names to the return values for the
869
# "org.freedesktop.DBus.Properties" methods
870
if (if_tag.getAttribute("name")
871
== "org.freedesktop.DBus.Properties"):
872
for cn in if_tag.getElementsByTagName("method"):
873
if cn.getAttribute("name") == "Get":
874
for arg in cn.getElementsByTagName("arg"):
875
if (arg.getAttribute("direction")
876
== "out"):
877
arg.setAttribute("name", "value")
878
elif cn.getAttribute("name") == "GetAll":
879
for arg in cn.getElementsByTagName("arg"):
880
if (arg.getAttribute("direction")
881
== "out"):
882
arg.setAttribute("name", "props")
883
xmlstring = document.toxml("utf-8")
884
document.unlink()
885
except (AttributeError, xml.dom.DOMException,
886
xml.parsers.expat.ExpatError) as error:
887
logger.error("Failed to override Introspection method",
888
error)
889
return xmlstring
890
891
892
def datetime_to_dbus (dt, variant_level=0):
893
"""Convert a UTC datetime.datetime() to a D-Bus type."""
894
if dt is None:
895
return dbus.String("", variant_level = variant_level)
896
return dbus.String(dt.isoformat(),
897
variant_level=variant_level)
898
899
900
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
901
.__metaclass__):
902
"""Applied to an empty subclass of a D-Bus object, this metaclass
903
will add additional D-Bus attributes matching a certain pattern.
904
"""
905
def __new__(mcs, name, bases, attr):
906
# Go through all the base classes which could have D-Bus
907
# methods, signals, or properties in them
908
for base in (b for b in bases
909
if issubclass(b, dbus.service.Object)):
910
# Go though all attributes of the base class
911
for attrname, attribute in inspect.getmembers(base):
912
# Ignore non-D-Bus attributes, and D-Bus attributes
913
# with the wrong interface name
914
if (not hasattr(attribute, "_dbus_interface")
915
or not attribute._dbus_interface
916
.startswith("se.recompile.Mandos")):
917
continue
918
# Create an alternate D-Bus interface name based on
919
# the current name
920
alt_interface = (attribute._dbus_interface
921
.replace("se.recompile.Mandos",
922
"se.bsnet.fukt.Mandos"))
923
# Is this a D-Bus signal?
924
if getattr(attribute, "_dbus_is_signal", False):
925
# Extract the original non-method function by
926
# black magic
927
nonmethod_func = (dict(
928
zip(attribute.func_code.co_freevars,
929
attribute.__closure__))["func"]
930
.cell_contents)
931
# Create a new, but exactly alike, function
932
# object, and decorate it to be a new D-Bus signal
933
# with the alternate D-Bus interface name
934
new_function = (dbus.service.signal
935
(alt_interface,
936
attribute._dbus_signature)
937
(types.FunctionType(
938
nonmethod_func.func_code,
939
nonmethod_func.func_globals,
940
nonmethod_func.func_name,
941
nonmethod_func.func_defaults,
942
nonmethod_func.func_closure)))
943
# Define a creator of a function to call both the
944
# old and new functions, so both the old and new
945
# signals gets sent when the function is called
946
def fixscope(func1, func2):
947
"""This function is a scope container to pass
948
func1 and func2 to the "call_both" function
949
outside of its arguments"""
950
def call_both(*args, **kwargs):
951
"""This function will emit two D-Bus
952
signals by calling func1 and func2"""
953
func1(*args, **kwargs)
954
func2(*args, **kwargs)
955
return call_both
956
# Create the "call_both" function and add it to
957
# the class
958
attr[attrname] = fixscope(attribute,
959
new_function)
960
# Is this a D-Bus method?
961
elif getattr(attribute, "_dbus_is_method", False):
962
# Create a new, but exactly alike, function
963
# object. Decorate it to be a new D-Bus method
964
# with the alternate D-Bus interface name. Add it
965
# to the class.
966
attr[attrname] = (dbus.service.method
967
(alt_interface,
968
attribute._dbus_in_signature,
969
attribute._dbus_out_signature)
970
(types.FunctionType
971
(attribute.func_code,
972
attribute.func_globals,
973
attribute.func_name,
974
attribute.func_defaults,
975
attribute.func_closure)))
976
# Is this a D-Bus property?
977
elif getattr(attribute, "_dbus_is_property", False):
978
# Create a new, but exactly alike, function
979
# object, and decorate it to be a new D-Bus
980
# property with the alternate D-Bus interface
981
# name. Add it to the class.
982
attr[attrname] = (dbus_service_property
983
(alt_interface,
984
attribute._dbus_signature,
985
attribute._dbus_access,
986
attribute
987
._dbus_get_args_options
988
["byte_arrays"])
989
(types.FunctionType
990
(attribute.func_code,
991
attribute.func_globals,
992
attribute.func_name,
993
attribute.func_defaults,
994
attribute.func_closure)))
995
return type.__new__(mcs, name, bases, attr)
996
997
998
class ClientDBus(Client, DBusObjectWithProperties):
481
999
"""A Client class using D-Bus
482
1000
483
1001
Attributes:
484
1002
dbus_object_path: dbus.ObjectPath
485
1003
bus: dbus.SystemBus()
486
1004
"""
1005
1006
runtime_expansions = (Client.runtime_expansions
1007
+ ("dbus_object_path",))
1008
487
1009
# dbus.service.Object doesn't use super(), so we can't either.
488
1010
489
1011
def __init__(self, bus = None, *args, **kwargs):
490
1012
self.bus = bus
491
1013
Client.__init__(self, *args, **kwargs)
1014
1015
self._approvals_pending = 0
492
1016
# Only now, when this client is initialized, can it show up on
493
1017
# the D-Bus
1018
client_object_name = unicode(self.name).translate(
1019
{ord("."): ord("_"),
1020
ord("-"): ord("_")})
494
1021
self.dbus_object_path = (dbus.ObjectPath
495
(u"/clients/"
496
+ self.name.replace(u".", u"_")))
497
dbus.service.Object.__init__(self, self.bus,
498
self.dbus_object_path)
499
500
@staticmethod
501
def _datetime_to_dbus(dt, variant_level=0):
502
"""Convert a UTC datetime.datetime() to a D-Bus type."""
503
return dbus.String(dt.isoformat(),
504
variant_level=variant_level)
505
506
def enable(self):
507
oldstate = getattr(self, u"enabled", False)
508
r = Client.enable(self)
509
if oldstate != self.enabled:
510
# Emit D-Bus signals
511
self.PropertyChanged(dbus.String(u"enabled"),
512
dbus.Boolean(True, variant_level=1))
513
self.PropertyChanged(
514
dbus.String(u"last_enabled"),
515
self._datetime_to_dbus(self.last_enabled,
516
variant_level=1))
517
return r
518
519
def disable(self, signal = True):
520
oldstate = getattr(self, u"enabled", False)
521
r = Client.disable(self)
522
if signal and oldstate != self.enabled:
523
# Emit D-Bus signal
524
self.PropertyChanged(dbus.String(u"enabled"),
525
dbus.Boolean(False, variant_level=1))
526
return r
1022
("/clients/" + client_object_name))
1023
DBusObjectWithProperties.__init__(self, self.bus,
1024
self.dbus_object_path)
1025
1026
def notifychangeproperty(transform_func,
1027
dbus_name, type_func=lambda x: x,
1028
variant_level=1):
1029
""" Modify a variable so that it's a property which announces
1030
its changes to DBus.
1031
1032
transform_fun: Function that takes a value and a variant_level
1033
and transforms it to a D-Bus type.
1034
dbus_name: D-Bus name of the variable
1035
type_func: Function that transform the value before sending it
1036
to the D-Bus. Default: no transform
1037
variant_level: D-Bus variant level. Default: 1
1038
"""
1039
attrname = "_{0}".format(dbus_name)
1040
def setter(self, value):
1041
if hasattr(self, "dbus_object_path"):
1042
if (not hasattr(self, attrname) or
1043
type_func(getattr(self, attrname, None))
1044
!= type_func(value)):
1045
dbus_value = transform_func(type_func(value),
1046
variant_level
1047
=variant_level)
1048
self.PropertyChanged(dbus.String(dbus_name),
1049
dbus_value)
1050
setattr(self, attrname, value)
1051
1052
return property(lambda self: getattr(self, attrname), setter)
1053
1054
1055
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1056
approvals_pending = notifychangeproperty(dbus.Boolean,
1057
"ApprovalPending",
1058
type_func = bool)
1059
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1060
last_enabled = notifychangeproperty(datetime_to_dbus,
1061
"LastEnabled")
1062
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1063
type_func = lambda checker:
1064
checker is not None)
1065
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1066
"LastCheckedOK")
1067
last_approval_request = notifychangeproperty(
1068
datetime_to_dbus, "LastApprovalRequest")
1069
approved_by_default = notifychangeproperty(dbus.Boolean,
1070
"ApprovedByDefault")
1071
approval_delay = notifychangeproperty(dbus.UInt16,
1072
"ApprovalDelay",
1073
type_func =
1074
_timedelta_to_milliseconds)
1075
approval_duration = notifychangeproperty(
1076
dbus.UInt16, "ApprovalDuration",
1077
type_func = _timedelta_to_milliseconds)
1078
host = notifychangeproperty(dbus.String, "Host")
1079
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1080
type_func =
1081
_timedelta_to_milliseconds)
1082
extended_timeout = notifychangeproperty(
1083
dbus.UInt16, "ExtendedTimeout",
1084
type_func = _timedelta_to_milliseconds)
1085
interval = notifychangeproperty(dbus.UInt16,
1086
"Interval",
1087
type_func =
1088
_timedelta_to_milliseconds)
1089
checker_command = notifychangeproperty(dbus.String, "Checker")
1090
1091
del notifychangeproperty
527
1092
528
1093
def __del__(self, *args, **kwargs):
529
1094
try:
530
1095
self.remove_from_connection()
531
1096
except LookupError:
532
1097
pass
533
if hasattr(dbus.service.Object, u"__del__"):
534
dbus.service.Object.__del__(self, *args, **kwargs)
1098
if hasattr(DBusObjectWithProperties, "__del__"):
1099
DBusObjectWithProperties.__del__(self, *args, **kwargs)
535
1100
Client.__del__(self, *args, **kwargs)
536
1101
537
1102
def checker_callback(self, pid, condition, command,
538
1103
*args, **kwargs):
539
1104
self.checker_callback_tag = None
540
1105
self.checker = None
541
# Emit D-Bus signal
542
self.PropertyChanged(dbus.String(u"checker_running"),
543
dbus.Boolean(False, variant_level=1))
544
1106
if os.WIFEXITED(condition):
545
1107
exitstatus = os.WEXITSTATUS(condition)
546
1108
# Emit D-Bus signal
556
1118
return Client.checker_callback(self, pid, condition, command,
557
1119
*args, **kwargs)
558
1120
559
def checked_ok(self, *args, **kwargs):
560
r = Client.checked_ok(self, *args, **kwargs)
561
# Emit D-Bus signal
562
self.PropertyChanged(
563
dbus.String(u"last_checked_ok"),
564
(self._datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)))
566
return r
567
568
1121
def start_checker(self, *args, **kwargs):
569
1122
old_checker = self.checker
570
1123
if self.checker is not None:
577
1130
and old_checker_pid != self.checker.pid):
578
1131
# Emit D-Bus signal
579
1132
self.CheckerStarted(self.current_checker_command)
580
self.PropertyChanged(
581
dbus.String(u"checker_running"),
582
dbus.Boolean(True, variant_level=1))
583
return r
584
585
def stop_checker(self, *args, **kwargs):
586
old_checker = getattr(self, u"checker", None)
587
r = Client.stop_checker(self, *args, **kwargs)
588
if (old_checker is not None
589
and getattr(self, u"checker", None) is None):
590
self.PropertyChanged(dbus.String(u"checker_running"),
591
dbus.Boolean(False, variant_level=1))
592
return r
593
594
## D-Bus methods & signals
595
_interface = u"se.bsnet.fukt.Mandos.Client"
596
597
# CheckedOK - method
598
@dbus.service.method(_interface)
599
def CheckedOK(self):
600
return self.checked_ok()
1133
return r
1134
1135
def _reset_approved(self):
1136
self._approved = None
1137
return False
1138
1139
def approve(self, value=True):
1140
self.send_changedstate()
1141
self._approved = value
1142
gobject.timeout_add(_timedelta_to_milliseconds
1143
(self.approval_duration),
1144
self._reset_approved)
1145
1146
1147
## D-Bus methods, signals & properties
1148
_interface = "se.recompile.Mandos.Client"
1149
1150
## Signals
601
1151
602
1152
# CheckerCompleted - signal
603
@dbus.service.signal(_interface, signature=u"nxs")
1153
@dbus.service.signal(_interface, signature="nxs")
604
1154
def CheckerCompleted(self, exitcode, waitstatus, command):
605
1155
"D-Bus signal"
606
1156
pass
607
1157
608
1158
# CheckerStarted - signal
609
@dbus.service.signal(_interface, signature=u"s")
1159
@dbus.service.signal(_interface, signature="s")
610
1160
def CheckerStarted(self, command):
611
1161
"D-Bus signal"
612
1162
pass
613
1163
614
# GetAllProperties - method
615
@dbus.service.method(_interface, out_signature=u"a{sv}")
616
def GetAllProperties(self):
617
"D-Bus method"
618
return dbus.Dictionary({
619
dbus.String(u"name"):
620
dbus.String(self.name, variant_level=1),
621
dbus.String(u"fingerprint"):
622
dbus.String(self.fingerprint, variant_level=1),
623
dbus.String(u"host"):
624
dbus.String(self.host, variant_level=1),
625
dbus.String(u"created"):
626
self._datetime_to_dbus(self.created,
627
variant_level=1),
628
dbus.String(u"last_enabled"):
629
(self._datetime_to_dbus(self.last_enabled,
630
variant_level=1)
631
if self.last_enabled is not None
632
else dbus.Boolean(False, variant_level=1)),
633
dbus.String(u"enabled"):
634
dbus.Boolean(self.enabled, variant_level=1),
635
dbus.String(u"last_checked_ok"):
636
(self._datetime_to_dbus(self.last_checked_ok,
637
variant_level=1)
638
if self.last_checked_ok is not None
639
else dbus.Boolean (False, variant_level=1)),
640
dbus.String(u"timeout"):
641
dbus.UInt64(self.timeout_milliseconds(),
642
variant_level=1),
643
dbus.String(u"interval"):
644
dbus.UInt64(self.interval_milliseconds(),
645
variant_level=1),
646
dbus.String(u"checker"):
647
dbus.String(self.checker_command,
648
variant_level=1),
649
dbus.String(u"checker_running"):
650
dbus.Boolean(self.checker is not None,
651
variant_level=1),
652
dbus.String(u"object_path"):
653
dbus.ObjectPath(self.dbus_object_path,
654
variant_level=1)
655
}, signature=u"sv")
656
657
# IsStillValid - method
658
@dbus.service.method(_interface, out_signature=u"b")
659
def IsStillValid(self):
660
return self.still_valid()
661
662
1164
# PropertyChanged - signal
663
@dbus.service.signal(_interface, signature=u"sv")
1165
@dbus.service.signal(_interface, signature="sv")
664
1166
def PropertyChanged(self, property, value):
665
1167
"D-Bus signal"
666
1168
pass
667
1169
668
# ReceivedSecret - signal
1170
# GotSecret - signal
669
1171
@dbus.service.signal(_interface)
670
def ReceivedSecret(self):
671
"D-Bus signal"
1172
def GotSecret(self):
1173
"""D-Bus signal
1174
Is sent after a successful transfer of secret from the Mandos
1175
server to mandos-client
1176
"""
672
1177
pass
673
1178
674
1179
# Rejected - signal
675
@dbus.service.signal(_interface)
676
def Rejected(self):
677
"D-Bus signal"
678
pass
679
680
# SetChecker - method
681
@dbus.service.method(_interface, in_signature=u"s")
682
def SetChecker(self, checker):
683
"D-Bus setter method"
684
self.checker_command = checker
685
# Emit D-Bus signal
686
self.PropertyChanged(dbus.String(u"checker"),
687
dbus.String(self.checker_command,
688
variant_level=1))
689
690
# SetHost - method
691
@dbus.service.method(_interface, in_signature=u"s")
692
def SetHost(self, host):
693
"D-Bus setter method"
694
self.host = host
695
# Emit D-Bus signal
696
self.PropertyChanged(dbus.String(u"host"),
697
dbus.String(self.host, variant_level=1))
698
699
# SetInterval - method
700
@dbus.service.method(_interface, in_signature=u"t")
701
def SetInterval(self, milliseconds):
702
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
703
# Emit D-Bus signal
704
self.PropertyChanged(dbus.String(u"interval"),
705
(dbus.UInt64(self.interval_milliseconds(),
706
variant_level=1)))
707
708
# SetSecret - method
709
@dbus.service.method(_interface, in_signature=u"ay",
710
byte_arrays=True)
711
def SetSecret(self, secret):
712
"D-Bus setter method"
713
self.secret = str(secret)
714
715
# SetTimeout - method
716
@dbus.service.method(_interface, in_signature=u"t")
717
def SetTimeout(self, milliseconds):
718
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
719
# Emit D-Bus signal
720
self.PropertyChanged(dbus.String(u"timeout"),
721
(dbus.UInt64(self.timeout_milliseconds(),
722
variant_level=1)))
1180
@dbus.service.signal(_interface, signature="s")
1181
def Rejected(self, reason):
1182
"D-Bus signal"
1183
pass
1184
1185
# NeedApproval - signal
1186
@dbus.service.signal(_interface, signature="tb")
1187
def NeedApproval(self, timeout, default):
1188
"D-Bus signal"
1189
return self.need_approval()
1190
1191
# NeRwequest - signal
1192
@dbus.service.signal(_interface, signature="s")
1193
def NewRequest(self, ip):
1194
"""D-Bus signal
1195
Is sent after a client request a password.
1196
"""
1197
pass
1198
1199
## Methods
1200
1201
# Approve - method
1202
@dbus.service.method(_interface, in_signature="b")
1203
def Approve(self, value):
1204
self.approve(value)
1205
1206
# CheckedOK - method
1207
@dbus.service.method(_interface)
1208
def CheckedOK(self):
1209
self.checked_ok()
723
1210
724
1211
# Enable - method
725
1212
@dbus.service.method(_interface)
744
1231
def StopChecker(self):
745
1232
self.stop_checker()
746
1233
1234
## Properties
1235
1236
# ApprovalPending - property
1237
@dbus_service_property(_interface, signature="b", access="read")
1238
def ApprovalPending_dbus_property(self):
1239
return dbus.Boolean(bool(self.approvals_pending))
1240
1241
# ApprovedByDefault - property
1242
@dbus_service_property(_interface, signature="b",
1243
access="readwrite")
1244
def ApprovedByDefault_dbus_property(self, value=None):
1245
if value is None: # get
1246
return dbus.Boolean(self.approved_by_default)
1247
self.approved_by_default = bool(value)
1248
1249
# ApprovalDelay - property
1250
@dbus_service_property(_interface, signature="t",
1251
access="readwrite")
1252
def ApprovalDelay_dbus_property(self, value=None):
1253
if value is None: # get
1254
return dbus.UInt64(self.approval_delay_milliseconds())
1255
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1256
1257
# ApprovalDuration - property
1258
@dbus_service_property(_interface, signature="t",
1259
access="readwrite")
1260
def ApprovalDuration_dbus_property(self, value=None):
1261
if value is None: # get
1262
return dbus.UInt64(_timedelta_to_milliseconds(
1263
self.approval_duration))
1264
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1265
1266
# Name - property
1267
@dbus_service_property(_interface, signature="s", access="read")
1268
def Name_dbus_property(self):
1269
return dbus.String(self.name)
1270
1271
# Fingerprint - property
1272
@dbus_service_property(_interface, signature="s", access="read")
1273
def Fingerprint_dbus_property(self):
1274
return dbus.String(self.fingerprint)
1275
1276
# Host - property
1277
@dbus_service_property(_interface, signature="s",
1278
access="readwrite")
1279
def Host_dbus_property(self, value=None):
1280
if value is None: # get
1281
return dbus.String(self.host)
1282
self.host = value
1283
1284
# Created - property
1285
@dbus_service_property(_interface, signature="s", access="read")
1286
def Created_dbus_property(self):
1287
return datetime_to_dbus(self.created)
1288
1289
# LastEnabled - property
1290
@dbus_service_property(_interface, signature="s", access="read")
1291
def LastEnabled_dbus_property(self):
1292
return datetime_to_dbus(self.last_enabled)
1293
1294
# Enabled - property
1295
@dbus_service_property(_interface, signature="b",
1296
access="readwrite")
1297
def Enabled_dbus_property(self, value=None):
1298
if value is None: # get
1299
return dbus.Boolean(self.enabled)
1300
if value:
1301
self.enable()
1302
else:
1303
self.disable()
1304
1305
# LastCheckedOK - property
1306
@dbus_service_property(_interface, signature="s",
1307
access="readwrite")
1308
def LastCheckedOK_dbus_property(self, value=None):
1309
if value is not None:
1310
self.checked_ok()
1311
return
1312
return datetime_to_dbus(self.last_checked_ok)
1313
1314
# Expires - property
1315
@dbus_service_property(_interface, signature="s", access="read")
1316
def Expires_dbus_property(self):
1317
return datetime_to_dbus(self.expires)
1318
1319
# LastApprovalRequest - property
1320
@dbus_service_property(_interface, signature="s", access="read")
1321
def LastApprovalRequest_dbus_property(self):
1322
return datetime_to_dbus(self.last_approval_request)
1323
1324
# Timeout - property
1325
@dbus_service_property(_interface, signature="t",
1326
access="readwrite")
1327
def Timeout_dbus_property(self, value=None):
1328
if value is None: # get
1329
return dbus.UInt64(self.timeout_milliseconds())
1330
self.timeout = datetime.timedelta(0, 0, 0, value)
1331
if getattr(self, "disable_initiator_tag", None) is None:
1332
return
1333
# Reschedule timeout
1334
gobject.source_remove(self.disable_initiator_tag)
1335
self.disable_initiator_tag = None
1336
self.expires = None
1337
time_to_die = _timedelta_to_milliseconds((self
1338
.last_checked_ok
1339
+ self.timeout)
1340
- datetime.datetime
1341
.utcnow())
1342
if time_to_die <= 0:
1343
# The timeout has passed
1344
self.disable()
1345
else:
1346
self.expires = (datetime.datetime.utcnow()
1347
+ datetime.timedelta(milliseconds =
1348
time_to_die))
1349
self.disable_initiator_tag = (gobject.timeout_add
1350
(time_to_die, self.disable))
1351
1352
# ExtendedTimeout - property
1353
@dbus_service_property(_interface, signature="t",
1354
access="readwrite")
1355
def ExtendedTimeout_dbus_property(self, value=None):
1356
if value is None: # get
1357
return dbus.UInt64(self.extended_timeout_milliseconds())
1358
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1359
1360
# Interval - property
1361
@dbus_service_property(_interface, signature="t",
1362
access="readwrite")
1363
def Interval_dbus_property(self, value=None):
1364
if value is None: # get
1365
return dbus.UInt64(self.interval_milliseconds())
1366
self.interval = datetime.timedelta(0, 0, 0, value)
1367
if getattr(self, "checker_initiator_tag", None) is None:
1368
return
1369
if self.enabled:
1370
# Reschedule checker run
1371
gobject.source_remove(self.checker_initiator_tag)
1372
self.checker_initiator_tag = (gobject.timeout_add
1373
(value, self.start_checker))
1374
self.start_checker() # Start one now, too
1375
1376
# Checker - property
1377
@dbus_service_property(_interface, signature="s",
1378
access="readwrite")
1379
def Checker_dbus_property(self, value=None):
1380
if value is None: # get
1381
return dbus.String(self.checker_command)
1382
self.checker_command = value
1383
1384
# CheckerRunning - property
1385
@dbus_service_property(_interface, signature="b",
1386
access="readwrite")
1387
def CheckerRunning_dbus_property(self, value=None):
1388
if value is None: # get
1389
return dbus.Boolean(self.checker is not None)
1390
if value:
1391
self.start_checker()
1392
else:
1393
self.stop_checker()
1394
1395
# ObjectPath - property
1396
@dbus_service_property(_interface, signature="o", access="read")
1397
def ObjectPath_dbus_property(self):
1398
return self.dbus_object_path # is already a dbus.ObjectPath
1399
1400
# Secret = property
1401
@dbus_service_property(_interface, signature="ay",
1402
access="write", byte_arrays=True)
1403
def Secret_dbus_property(self, value):
1404
self.secret = str(value)
1405
747
1406
del _interface
748
1407
749
1408
1409
class ProxyClient(object):
1410
def __init__(self, child_pipe, fpr, address):
1411
self._pipe = child_pipe
1412
self._pipe.send(('init', fpr, address))
1413
if not self._pipe.recv():
1414
raise KeyError()
1415
1416
def __getattribute__(self, name):
1417
if(name == '_pipe'):
1418
return super(ProxyClient, self).__getattribute__(name)
1419
self._pipe.send(('getattr', name))
1420
data = self._pipe.recv()
1421
if data[0] == 'data':
1422
return data[1]
1423
if data[0] == 'function':
1424
def func(*args, **kwargs):
1425
self._pipe.send(('funcall', name, args, kwargs))
1426
return self._pipe.recv()[1]
1427
return func
1428
1429
def __setattr__(self, name, value):
1430
if(name == '_pipe'):
1431
return super(ProxyClient, self).__setattr__(name, value)
1432
self._pipe.send(('setattr', name, value))
1433
1434
1435
class ClientDBusTransitional(ClientDBus):
1436
__metaclass__ = AlternateDBusNamesMetaclass
1437
1438
750
1439
class ClientHandler(socketserver.BaseRequestHandler, object):
751
1440
"""A class to handle client connections.
752
1441
754
1443
Note: This will run in its own forked process."""
755
1444
756
1445
def handle(self):
757
logger.info(u"TCP connection from: %s",
758
unicode(self.client_address))
759
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
760
# Open IPC pipe to parent process
761
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1446
with contextlib.closing(self.server.child_pipe) as child_pipe:
1447
logger.info("TCP connection from: %s",
1448
unicode(self.client_address))
1449
logger.debug("Pipe FD: %d",
1450
self.server.child_pipe.fileno())
1451
762
1452
session = (gnutls.connection
763
1453
.ClientSession(self.request,
764
1454
gnutls.connection
765
1455
.X509Credentials()))
766
1456
767
line = self.request.makefile().readline()
768
logger.debug(u"Protocol version: %r", line)
769
try:
770
if int(line.strip().split()[0]) > 1:
771
raise RuntimeError
772
except (ValueError, IndexError, RuntimeError), error:
773
logger.error(u"Unknown protocol version: %s", error)
774
return
775
776
1457
# Note: gnutls.connection.X509Credentials is really a
777
1458
# generic GnuTLS certificate credentials object so long as
778
1459
# no X.509 keys are added to it. Therefore, we can use it
779
1460
# here despite using OpenPGP certificates.
780
1461
781
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
782
# u"+AES-256-CBC", u"+SHA1",
783
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
784
# u"+DHE-DSS"))
1462
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1463
# "+AES-256-CBC", "+SHA1",
1464
# "+COMP-NULL", "+CTYPE-OPENPGP",
1465
# "+DHE-DSS"))
785
1466
# Use a fallback default, since this MUST be set.
786
1467
priority = self.server.gnutls_priority
787
1468
if priority is None:
788
priority = u"NORMAL"
1469
priority = "NORMAL"
789
1470
(gnutls.library.functions
790
1471
.gnutls_priority_set_direct(session._c_object,
791
1472
priority, None))
792
1473
1474
# Start communication using the Mandos protocol
1475
# Get protocol number
1476
line = self.request.makefile().readline()
1477
logger.debug("Protocol version: %r", line)
1478
try:
1479
if int(line.strip().split()[0]) > 1:
1480
raise RuntimeError
1481
except (ValueError, IndexError, RuntimeError) as error:
1482
logger.error("Unknown protocol version: %s", error)
1483
return
1484
1485
# Start GnuTLS connection
793
1486
try:
794
1487
session.handshake()
795
except gnutls.errors.GNUTLSError, error:
796
logger.warning(u"Handshake failed: %s", error)
1488
except gnutls.errors.GNUTLSError as error:
1489
logger.warning("Handshake failed: %s", error)
797
1490
# Do not run session.bye() here: the session is not
798
1491
# established. Just abandon the request.
799
1492
return
800
logger.debug(u"Handshake succeeded")
1493
logger.debug("Handshake succeeded")
1494
1495
approval_required = False
801
1496
try:
802
fpr = self.fingerprint(self.peer_certificate(session))
803
except (TypeError, gnutls.errors.GNUTLSError), error:
804
logger.warning(u"Bad certificate: %s", error)
805
session.bye()
806
return
807
logger.debug(u"Fingerprint: %s", fpr)
1497
try:
1498
fpr = self.fingerprint(self.peer_certificate
1499
(session))
1500
except (TypeError,
1501
gnutls.errors.GNUTLSError) as error:
1502
logger.warning("Bad certificate: %s", error)
1503
return
1504
logger.debug("Fingerprint: %s", fpr)
1505
if self.server.use_dbus:
1506
# Emit D-Bus signal
1507
client.NewRequest(str(self.client_address))
1508
1509
try:
1510
client = ProxyClient(child_pipe, fpr,
1511
self.client_address)
1512
except KeyError:
1513
return
1514
1515
if client.approval_delay:
1516
delay = client.approval_delay
1517
client.approvals_pending += 1
1518
approval_required = True
1519
1520
while True:
1521
if not client.enabled:
1522
logger.info("Client %s is disabled",
1523
client.name)
1524
if self.server.use_dbus:
1525
# Emit D-Bus signal
1526
client.Rejected("Disabled")
1527
return
1528
1529
if client._approved or not client.approval_delay:
1530
#We are approved or approval is disabled
1531
break
1532
elif client._approved is None:
1533
logger.info("Client %s needs approval",
1534
client.name)
1535
if self.server.use_dbus:
1536
# Emit D-Bus signal
1537
client.NeedApproval(
1538
client.approval_delay_milliseconds(),
1539
client.approved_by_default)
1540
else:
1541
logger.warning("Client %s was not approved",
1542
client.name)
1543
if self.server.use_dbus:
1544
# Emit D-Bus signal
1545
client.Rejected("Denied")
1546
return
1547
1548
#wait until timeout or approved
1549
time = datetime.datetime.now()
1550
client.changedstate.acquire()
1551
(client.changedstate.wait
1552
(float(client._timedelta_to_milliseconds(delay)
1553
/ 1000)))
1554
client.changedstate.release()
1555
time2 = datetime.datetime.now()
1556
if (time2 - time) >= delay:
1557
if not client.approved_by_default:
1558
logger.warning("Client %s timed out while"
1559
" waiting for approval",
1560
client.name)
1561
if self.server.use_dbus:
1562
# Emit D-Bus signal
1563
client.Rejected("Approval timed out")
1564
return
1565
else:
1566
break
1567
else:
1568
delay -= time2 - time
1569
1570
sent_size = 0
1571
while sent_size < len(client.secret):
1572
try:
1573
sent = session.send(client.secret[sent_size:])
1574
except gnutls.errors.GNUTLSError as error:
1575
logger.warning("gnutls send failed")
1576
return
1577
logger.debug("Sent: %d, remaining: %d",
1578
sent, len(client.secret)
1579
- (sent_size + sent))
1580
sent_size += sent
1581
1582
logger.info("Sending secret to %s", client.name)
1583
# bump the timeout using extended_timeout
1584
client.checked_ok(client.extended_timeout)
1585
if self.server.use_dbus:
1586
# Emit D-Bus signal
1587
client.GotSecret()
808
1588
809
for c in self.server.clients:
810
if c.fingerprint == fpr:
811
client = c
812
break
813
else:
814
ipc.write(u"NOTFOUND %s %s\n"
815
% (fpr, unicode(self.client_address)))
816
session.bye()
817
return
818
# Have to check if client.still_valid(), since it is
819
# possible that the client timed out while establishing
820
# the GnuTLS session.
821
if not client.still_valid():
822
ipc.write(u"INVALID %s\n" % client.name)
823
session.bye()
824
return
825
ipc.write(u"SENDING %s\n" % client.name)
826
sent_size = 0
827
while sent_size < len(client.secret):
828
sent = session.send(client.secret[sent_size:])
829
logger.debug(u"Sent: %d, remaining: %d",
830
sent, len(client.secret)
831
- (sent_size + sent))
832
sent_size += sent
833
session.bye()
1589
finally:
1590
if approval_required:
1591
client.approvals_pending -= 1
1592
try:
1593
session.bye()
1594
except gnutls.errors.GNUTLSError as error:
1595
logger.warning("GnuTLS bye failed")
834
1596
835
1597
@staticmethod
836
1598
def peer_certificate(session):
846
1608
.gnutls_certificate_get_peers
847
1609
(session._c_object, ctypes.byref(list_size)))
848
1610
if not bool(cert_list) and list_size.value != 0:
849
raise gnutls.errors.GNUTLSError(u"error getting peer"
850
u" certificate")
1611
raise gnutls.errors.GNUTLSError("error getting peer"
1612
" certificate")
851
1613
if list_size.value == 0:
852
1614
return None
853
1615
cert = cert_list[0]
879
1641
if crtverify.value != 0:
880
1642
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
881
1643
raise (gnutls.errors.CertificateSecurityError
882
(u"Verify failed"))
1644
("Verify failed"))
883
1645
# New buffer for the fingerprint
884
1646
buf = ctypes.create_string_buffer(20)
885
1647
buf_len = ctypes.c_size_t()
892
1654
# Convert the buffer to a Python bytestring
893
1655
fpr = ctypes.string_at(buf, buf_len.value)
894
1656
# Convert the bytestring to hexadecimal notation
895
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1657
hex_fpr = binascii.hexlify(fpr).upper()
896
1658
return hex_fpr
897
1659
898
1660
899
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
900
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1661
class MultiprocessingMixIn(object):
1662
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1663
def sub_process_main(self, request, address):
1664
try:
1665
self.finish_request(request, address)
1666
except:
1667
self.handle_error(request, address)
1668
self.close_request(request)
1669
1670
def process_request(self, request, address):
1671
"""Start a new process to process the request."""
1672
proc = multiprocessing.Process(target = self.sub_process_main,
1673
args = (request,
1674
address))
1675
proc.start()
1676
return proc
1677
1678
1679
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1680
""" adds a pipe to the MixIn """
901
1681
def process_request(self, request, client_address):
902
1682
"""Overrides and wraps the original process_request().
903
1683
904
1684
This function creates a new pipe in self.pipe
905
1685
"""
906
self.pipe = os.pipe()
907
super(ForkingMixInWithPipe,
908
self).process_request(request, client_address)
909
os.close(self.pipe[1]) # close write end
910
self.add_pipe(self.pipe[0])
911
def add_pipe(self, pipe):
1686
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1687
1688
proc = MultiprocessingMixIn.process_request(self, request,
1689
client_address)
1690
self.child_pipe.close()
1691
self.add_pipe(parent_pipe, proc)
1692
1693
def add_pipe(self, parent_pipe, proc):
912
1694
"""Dummy function; override as necessary"""
913
os.close(pipe)
914
915
916
class IPv6_TCPServer(ForkingMixInWithPipe,
1695
raise NotImplementedError
1696
1697
1698
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
917
1699
socketserver.TCPServer, object):
918
1700
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
919
1701
935
1717
bind to an address or port if they were not specified."""
936
1718
if self.interface is not None:
937
1719
if SO_BINDTODEVICE is None:
938
logger.error(u"SO_BINDTODEVICE does not exist;"
939
u" cannot bind to interface %s",
1720
logger.error("SO_BINDTODEVICE does not exist;"
1721
" cannot bind to interface %s",
940
1722
self.interface)
941
1723
else:
942
1724
try:
943
1725
self.socket.setsockopt(socket.SOL_SOCKET,
944
1726
SO_BINDTODEVICE,
945
1727
str(self.interface
946
+ u'\0'))
947
except socket.error, error:
1728
+ '\0'))
1729
except socket.error as error:
948
1730
if error[0] == errno.EPERM:
949
logger.error(u"No permission to"
950
u" bind to interface %s",
1731
logger.error("No permission to"
1732
" bind to interface %s",
951
1733
self.interface)
952
1734
elif error[0] == errno.ENOPROTOOPT:
953
logger.error(u"SO_BINDTODEVICE not available;"
954
u" cannot bind to interface %s",
1735
logger.error("SO_BINDTODEVICE not available;"
1736
" cannot bind to interface %s",
955
1737
self.interface)
956
1738
else:
957
1739
raise
959
1741
if self.server_address[0] or self.server_address[1]:
960
1742
if not self.server_address[0]:
961
1743
if self.address_family == socket.AF_INET6:
962
any_address = u"::" # in6addr_any
1744
any_address = "::" # in6addr_any
963
1745
else:
964
1746
any_address = socket.INADDR_ANY
965
1747
self.server_address = (any_address,
983
1765
clients: set of Client objects
984
1766
gnutls_priority GnuTLS priority string
985
1767
use_dbus: Boolean; to emit D-Bus signals or not
986
clients: set of Client objects
987
gnutls_priority GnuTLS priority string
988
use_dbus: Boolean; to emit D-Bus signals or not
989
1768
990
1769
Assumes a gobject.MainLoop event loop.
991
1770
"""
995
1774
self.enabled = False
996
1775
self.clients = clients
997
1776
if self.clients is None:
998
self.clients = set()
1777
self.clients = {}
999
1778
self.use_dbus = use_dbus
1000
1779
self.gnutls_priority = gnutls_priority
1001
1780
IPv6_TCPServer.__init__(self, server_address,
1005
1784
def server_activate(self):
1006
1785
if self.enabled:
1007
1786
return socketserver.TCPServer.server_activate(self)
1787
1008
1788
def enable(self):
1009
1789
self.enabled = True
1010
def add_pipe(self, pipe):
1790
1791
def add_pipe(self, parent_pipe, proc):
1011
1792
# Call "handle_ipc" for both data and EOF events
1012
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1013
self.handle_ipc)
1014
def handle_ipc(self, source, condition, file_objects={}):
1793
gobject.io_add_watch(parent_pipe.fileno(),
1794
gobject.IO_IN | gobject.IO_HUP,
1795
functools.partial(self.handle_ipc,
1796
parent_pipe =
1797
parent_pipe,
1798
proc = proc))
1799
1800
def handle_ipc(self, source, condition, parent_pipe=None,
1801
proc = None, client_object=None):
1015
1802
condition_names = {
1016
gobject.IO_IN: u"IN", # There is data to read.
1017
gobject.IO_OUT: u"OUT", # Data can be written (without
1803
gobject.IO_IN: "IN", # There is data to read.
1804
gobject.IO_OUT: "OUT", # Data can be written (without
1018
1805
# blocking).
1019
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1020
gobject.IO_ERR: u"ERR", # Error condition.
1021
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1806
gobject.IO_PRI: "PRI", # There is urgent data to read.
1807
gobject.IO_ERR: "ERR", # Error condition.
1808
gobject.IO_HUP: "HUP" # Hung up (the connection has been
1022
1809
# broken, usually for pipes and
1023
1810
# sockets).
1024
1811
}
1026
1813
for cond, name in
1027
1814
condition_names.iteritems()
1028
1815
if cond & condition)
1029
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1030
conditions_string)
1031
1032
# Turn the pipe file descriptor into a Python file object
1033
if source not in file_objects:
1034
file_objects[source] = os.fdopen(source, u"r", 1)
1035
1036
# Read a line from the file object
1037
cmdline = file_objects[source].readline()
1038
if not cmdline: # Empty line means end of file
1039
# close the IPC pipe
1040
file_objects[source].close()
1041
del file_objects[source]
1042
1043
# Stop calling this function
1044
return False
1045
1046
logger.debug(u"IPC command: %r", cmdline)
1047
1048
# Parse and act on command
1049
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1050
1051
if cmd == u"NOTFOUND":
1052
logger.warning(u"Client not found for fingerprint: %s",
1053
args)
1054
if self.use_dbus:
1055
# Emit D-Bus signal
1056
mandos_dbus_service.ClientNotFound(args)
1057
elif cmd == u"INVALID":
1058
for client in self.clients:
1059
if client.name == args:
1060
logger.warning(u"Client %s is invalid", args)
1061
if self.use_dbus:
1062
# Emit D-Bus signal
1063
client.Rejected()
1064
break
1065
else:
1066
logger.error(u"Unknown client %s is invalid", args)
1067
elif cmd == u"SENDING":
1068
for client in self.clients:
1069
if client.name == args:
1070
logger.info(u"Sending secret to %s", client.name)
1071
client.checked_ok()
1072
if self.use_dbus:
1073
# Emit D-Bus signal
1074
client.ReceivedSecret()
1075
break
1076
else:
1077
logger.error(u"Sending secret to unknown client %s",
1078
args)
1079
else:
1080
logger.error(u"Unknown IPC command: %r", cmdline)
1081
1082
# Keep calling this function
1816
# error, or the other end of multiprocessing.Pipe has closed
1817
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1818
# Wait for other process to exit
1819
proc.join()
1820
return False
1821
1822
# Read a request from the child
1823
request = parent_pipe.recv()
1824
command = request[0]
1825
1826
if command == 'init':
1827
fpr = request[1]
1828
address = request[2]
1829
1830
for c in self.clients.itervalues():
1831
if c.fingerprint == fpr:
1832
client = c
1833
break
1834
else:
1835
logger.info("Client not found for fingerprint: %s, ad"
1836
"dress: %s", fpr, address)
1837
if self.use_dbus:
1838
# Emit D-Bus signal
1839
mandos_dbus_service.ClientNotFound(fpr,
1840
address[0])
1841
parent_pipe.send(False)
1842
return False
1843
1844
gobject.io_add_watch(parent_pipe.fileno(),
1845
gobject.IO_IN | gobject.IO_HUP,
1846
functools.partial(self.handle_ipc,
1847
parent_pipe =
1848
parent_pipe,
1849
proc = proc,
1850
client_object =
1851
client))
1852
parent_pipe.send(True)
1853
# remove the old hook in favor of the new above hook on
1854
# same fileno
1855
return False
1856
if command == 'funcall':
1857
funcname = request[1]
1858
args = request[2]
1859
kwargs = request[3]
1860
1861
parent_pipe.send(('data', getattr(client_object,
1862
funcname)(*args,
1863
**kwargs)))
1864
1865
if command == 'getattr':
1866
attrname = request[1]
1867
if callable(client_object.__getattribute__(attrname)):
1868
parent_pipe.send(('function',))
1869
else:
1870
parent_pipe.send(('data', client_object
1871
.__getattribute__(attrname)))
1872
1873
if command == 'setattr':
1874
attrname = request[1]
1875
value = request[2]
1876
setattr(client_object, attrname, value)
1877
1083
1878
return True
1084
1879
1085
1880
1086
1881
def string_to_delta(interval):
1087
1882
"""Parse a string and return a datetime.timedelta
1088
1883
1089
>>> string_to_delta(u'7d')
1884
>>> string_to_delta('7d')
1090
1885
datetime.timedelta(7)
1091
>>> string_to_delta(u'60s')
1886
>>> string_to_delta('60s')
1092
1887
datetime.timedelta(0, 60)
1093
>>> string_to_delta(u'60m')
1888
>>> string_to_delta('60m')
1094
1889
datetime.timedelta(0, 3600)
1095
>>> string_to_delta(u'24h')
1890
>>> string_to_delta('24h')
1096
1891
datetime.timedelta(1)
1097
>>> string_to_delta(u'1w')
1892
>>> string_to_delta('1w')
1098
1893
datetime.timedelta(7)
1099
>>> string_to_delta(u'5m 30s')
1894
>>> string_to_delta('5m 30s')
1100
1895
datetime.timedelta(0, 330)
1101
1896
"""
1102
1897
timevalue = datetime.timedelta(0)
1104
1899
try:
1105
1900
suffix = unicode(s[-1])
1106
1901
value = int(s[:-1])
1107
if suffix == u"d":
1902
if suffix == "d":
1108
1903
delta = datetime.timedelta(value)
1109
elif suffix == u"s":
1904
elif suffix == "s":
1110
1905
delta = datetime.timedelta(0, value)
1111
elif suffix == u"m":
1906
elif suffix == "m":
1112
1907
delta = datetime.timedelta(0, 0, 0, 0, value)
1113
elif suffix == u"h":
1908
elif suffix == "h":
1114
1909
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1115
elif suffix == u"w":
1910
elif suffix == "w":
1116
1911
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1117
1912
else:
1118
raise ValueError
1119
except (ValueError, IndexError):
1120
raise ValueError
1913
raise ValueError("Unknown suffix %r" % suffix)
1914
except (ValueError, IndexError) as e:
1915
raise ValueError(*(e.args))
1121
1916
timevalue += delta
1122
1917
return timevalue
1123
1918
1124
1919
1125
def if_nametoindex(interface):
1126
"""Call the C function if_nametoindex(), or equivalent
1127
1128
Note: This function cannot accept a unicode string."""
1129
global if_nametoindex
1130
try:
1131
if_nametoindex = (ctypes.cdll.LoadLibrary
1132
(ctypes.util.find_library(u"c"))
1133
.if_nametoindex)
1134
except (OSError, AttributeError):
1135
logger.warning(u"Doing if_nametoindex the hard way")
1136
def if_nametoindex(interface):
1137
"Get an interface index the hard way, i.e. using fcntl()"
1138
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1139
with closing(socket.socket()) as s:
1140
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1141
struct.pack(str(u"16s16x"),
1142
interface))
1143
interface_index = struct.unpack(str(u"I"),
1144
ifreq[16:20])[0]
1145
return interface_index
1146
return if_nametoindex(interface)
1147
1148
1149
1920
def daemon(nochdir = False, noclose = False):
1150
1921
"""See daemon(3). Standard BSD Unix function.
1151
1922
1154
1925
sys.exit()
1155
1926
os.setsid()
1156
1927
if not nochdir:
1157
os.chdir(u"/")
1928
os.chdir("/")
1158
1929
if os.fork():
1159
1930
sys.exit()
1160
1931
if not noclose:
1162
1933
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1163
1934
if not stat.S_ISCHR(os.fstat(null).st_mode):
1164
1935
raise OSError(errno.ENODEV,
1165
u"/dev/null not a character device")
1936
"%s not a character device"
1937
% os.path.devnull)
1166
1938
os.dup2(null, sys.stdin.fileno())
1167
1939
os.dup2(null, sys.stdout.fileno())
1168
1940
os.dup2(null, sys.stderr.fileno())
1172
1944
1173
1945
def main():
1174
1946
1175
######################################################################
1947
##################################################################
1176
1948
# Parsing of options, both command line and config file
1177
1949
1178
parser = optparse.OptionParser(version = "%%prog %s" % version)
1179
parser.add_option("-i", u"--interface", type=u"string",
1180
metavar="IF", help=u"Bind to interface IF")
1181
parser.add_option("-a", u"--address", type=u"string",
1182
help=u"Address to listen for requests on")
1183
parser.add_option("-p", u"--port", type=u"int",
1184
help=u"Port number to receive requests on")
1185
parser.add_option("--check", action=u"store_true",
1186
help=u"Run self-test")
1187
parser.add_option("--debug", action=u"store_true",
1188
help=u"Debug mode; run in foreground and log to"
1189
u" terminal")
1190
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1191
u" priority string (see GnuTLS documentation)")
1192
parser.add_option("--servicename", type=u"string",
1193
metavar=u"NAME", help=u"Zeroconf service name")
1194
parser.add_option("--configdir", type=u"string",
1195
default=u"/etc/mandos", metavar=u"DIR",
1196
help=u"Directory to search for configuration"
1197
u" files")
1198
parser.add_option("--no-dbus", action=u"store_false",
1199
dest=u"use_dbus",
1200
help=optparse.SUPPRESS_HELP) # XXX: Not done yet
1201
parser.add_option("--no-ipv6", action=u"store_false",
1202
dest=u"use_ipv6", help=u"Do not use IPv6")
1203
options = parser.parse_args()[0]
1950
parser = argparse.ArgumentParser()
1951
parser.add_argument("-v", "--version", action="version",
1952
version = "%%(prog)s %s" % version,
1953
help="show version number and exit")
1954
parser.add_argument("-i", "--interface", metavar="IF",
1955
help="Bind to interface IF")
1956
parser.add_argument("-a", "--address",
1957
help="Address to listen for requests on")
1958
parser.add_argument("-p", "--port", type=int,
1959
help="Port number to receive requests on")
1960
parser.add_argument("--check", action="store_true",
1961
help="Run self-test")
1962
parser.add_argument("--debug", action="store_true",
1963
help="Debug mode; run in foreground and log"
1964
" to terminal")
1965
parser.add_argument("--debuglevel", metavar="LEVEL",
1966
help="Debug level for stdout output")
1967
parser.add_argument("--priority", help="GnuTLS"
1968
" priority string (see GnuTLS documentation)")
1969
parser.add_argument("--servicename",
1970
metavar="NAME", help="Zeroconf service name")
1971
parser.add_argument("--configdir",
1972
default="/etc/mandos", metavar="DIR",
1973
help="Directory to search for configuration"
1974
" files")
1975
parser.add_argument("--no-dbus", action="store_false",
1976
dest="use_dbus", help="Do not provide D-Bus"
1977
" system bus interface")
1978
parser.add_argument("--no-ipv6", action="store_false",
1979
dest="use_ipv6", help="Do not use IPv6")
1980
parser.add_argument("--no-restore", action="store_false",
1981
dest="restore", help="Do not restore stored"
1982
" state")
1983
parser.add_argument("--statedir", metavar="DIR",
1984
help="Directory to save/restore state in")
1985
1986
options = parser.parse_args()
1204
1987
1205
1988
if options.check:
1206
1989
import doctest
1208
1991
sys.exit()
1209
1992
1210
1993
# Default values for config file for server-global settings
1211
server_defaults = { u"interface": u"",
1212
u"address": u"",
1213
u"port": u"",
1214
u"debug": u"False",
1215
u"priority":
1216
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1217
u"servicename": u"Mandos",
1218
u"use_dbus": u"True",
1219
u"use_ipv6": u"True",
1994
server_defaults = { "interface": "",
1995
"address": "",
1996
"port": "",
1997
"debug": "False",
1998
"priority":
1999
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2000
"servicename": "Mandos",
2001
"use_dbus": "True",
2002
"use_ipv6": "True",
2003
"debuglevel": "",
2004
"restore": "True",
2005
"statedir": "/var/lib/mandos"
1220
2006
}
1221
2007
1222
2008
# Parse config file for server-global settings
1223
2009
server_config = configparser.SafeConfigParser(server_defaults)
1224
2010
del server_defaults
1225
2011
server_config.read(os.path.join(options.configdir,
1226
u"mandos.conf"))
2012
"mandos.conf"))
1227
2013
# Convert the SafeConfigParser object to a dict
1228
2014
server_settings = server_config.defaults()
1229
2015
# Use the appropriate methods on the non-string config options
1230
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1231
server_settings[option] = server_config.getboolean(u"DEFAULT",
2016
for option in ("debug", "use_dbus", "use_ipv6"):
2017
server_settings[option] = server_config.getboolean("DEFAULT",
1232
2018
option)
1233
2019
if server_settings["port"]:
1234
server_settings["port"] = server_config.getint(u"DEFAULT",
1235
u"port")
2020
server_settings["port"] = server_config.getint("DEFAULT",
2021
"port")
1236
2022
del server_config
1237
2023
1238
2024
# Override the settings from the config file with command line
1239
2025
# options, if set.
1240
for option in (u"interface", u"address", u"port", u"debug",
1241
u"priority", u"servicename", u"configdir",
1242
u"use_dbus", u"use_ipv6"):
2026
for option in ("interface", "address", "port", "debug",
2027
"priority", "servicename", "configdir",
2028
"use_dbus", "use_ipv6", "debuglevel", "restore",
2029
"statedir"):
1243
2030
value = getattr(options, option)
1244
2031
if value is not None:
1245
2032
server_settings[option] = value
1253
2040
##################################################################
1254
2041
1255
2042
# For convenience
1256
debug = server_settings[u"debug"]
1257
use_dbus = server_settings[u"use_dbus"]
1258
use_dbus = False # XXX: Not done yet
1259
use_ipv6 = server_settings[u"use_ipv6"]
1260
1261
if not debug:
1262
syslogger.setLevel(logging.WARNING)
1263
console.setLevel(logging.WARNING)
1264
1265
if server_settings[u"servicename"] != u"Mandos":
2043
debug = server_settings["debug"]
2044
debuglevel = server_settings["debuglevel"]
2045
use_dbus = server_settings["use_dbus"]
2046
use_ipv6 = server_settings["use_ipv6"]
2047
stored_state_path = os.path.join(server_settings["statedir"],
2048
stored_state_file)
2049
2050
if debug:
2051
initlogger(logging.DEBUG)
2052
else:
2053
if not debuglevel:
2054
initlogger()
2055
else:
2056
level = getattr(logging, debuglevel.upper())
2057
initlogger(level)
2058
2059
if server_settings["servicename"] != "Mandos":
1266
2060
syslogger.setFormatter(logging.Formatter
1267
(u'Mandos (%s) [%%(process)d]:'
1268
u' %%(levelname)s: %%(message)s'
1269
% server_settings[u"servicename"]))
2061
('Mandos (%s) [%%(process)d]:'
2062
' %%(levelname)s: %%(message)s'
2063
% server_settings["servicename"]))
1270
2064
1271
2065
# Parse config file with clients
1272
client_defaults = { u"timeout": u"1h",
1273
u"interval": u"5m",
1274
u"checker": u"fping -q -- %%(host)s",
1275
u"host": u"",
2066
client_defaults = { "timeout": "5m",
2067
"extended_timeout": "15m",
2068
"interval": "2m",
2069
"checker": "fping -q -- %%(host)s",
2070
"host": "",
2071
"approval_delay": "0s",
2072
"approval_duration": "1s",
1276
2073
}
1277
2074
client_config = configparser.SafeConfigParser(client_defaults)
1278
client_config.read(os.path.join(server_settings[u"configdir"],
1279
u"clients.conf"))
2075
client_config.read(os.path.join(server_settings["configdir"],
2076
"clients.conf"))
1280
2077
1281
2078
global mandos_dbus_service
1282
2079
mandos_dbus_service = None
1283
2080
1284
tcp_server = MandosServer((server_settings[u"address"],
1285
server_settings[u"port"]),
2081
tcp_server = MandosServer((server_settings["address"],
2082
server_settings["port"]),
1286
2083
ClientHandler,
1287
interface=server_settings[u"interface"],
2084
interface=(server_settings["interface"]
2085
or None),
1288
2086
use_ipv6=use_ipv6,
1289
2087
gnutls_priority=
1290
server_settings[u"priority"],
2088
server_settings["priority"],
1291
2089
use_dbus=use_dbus)
1292
pidfilename = u"/var/run/mandos.pid"
1293
try:
1294
pidfile = open(pidfilename, u"w")
1295
except IOError:
1296
logger.error(u"Could not open file %r", pidfilename)
2090
if not debug:
2091
pidfilename = "/var/run/mandos.pid"
2092
try:
2093
pidfile = open(pidfilename, "w")
2094
except IOError:
2095
logger.error("Could not open file %r", pidfilename)
1297
2096
1298
2097
try:
1299
uid = pwd.getpwnam(u"_mandos").pw_uid
1300
gid = pwd.getpwnam(u"_mandos").pw_gid
2098
uid = pwd.getpwnam("_mandos").pw_uid
2099
gid = pwd.getpwnam("_mandos").pw_gid
1301
2100
except KeyError:
1302
2101
try:
1303
uid = pwd.getpwnam(u"mandos").pw_uid
1304
gid = pwd.getpwnam(u"mandos").pw_gid
2102
uid = pwd.getpwnam("mandos").pw_uid
2103
gid = pwd.getpwnam("mandos").pw_gid
1305
2104
except KeyError:
1306
2105
try:
1307
uid = pwd.getpwnam(u"nobody").pw_uid
1308
gid = pwd.getpwnam(u"nobody").pw_gid
2106
uid = pwd.getpwnam("nobody").pw_uid
2107
gid = pwd.getpwnam("nobody").pw_gid
1309
2108
except KeyError:
1310
2109
uid = 65534
1311
2110
gid = 65534
1312
2111
try:
1313
2112
os.setgid(gid)
1314
2113
os.setuid(uid)
1315
except OSError, error:
2114
except OSError as error:
1316
2115
if error[0] != errno.EPERM:
1317
2116
raise error
1318
2117
1319
# Enable all possible GnuTLS debugging
1320
2118
if debug:
2119
# Enable all possible GnuTLS debugging
2120
1321
2121
# "Use a log level over 10 to enable all debugging options."
1322
2122
# - GnuTLS manual
1323
2123
gnutls.library.functions.gnutls_global_set_log_level(11)
1324
2124
1325
2125
@gnutls.library.types.gnutls_log_func
1326
2126
def debug_gnutls(level, string):
1327
logger.debug(u"GnuTLS: %s", string[:-1])
2127
logger.debug("GnuTLS: %s", string[:-1])
1328
2128
1329
2129
(gnutls.library.functions
1330
2130
.gnutls_global_set_log_function(debug_gnutls))
2131
2132
# Redirect stdin so all checkers get /dev/null
2133
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2134
os.dup2(null, sys.stdin.fileno())
2135
if null > 2:
2136
os.close(null)
2137
else:
2138
# No console logging
2139
logger.removeHandler(console)
2140
2141
# Need to fork before connecting to D-Bus
2142
if not debug:
2143
# Close all input and output, do double fork, etc.
2144
daemon()
1331
2145
1332
2146
global main_loop
1333
2147
# From the Avahi example code
1336
2150
bus = dbus.SystemBus()
1337
2151
# End of Avahi example code
1338
2152
if use_dbus:
1339
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
2153
try:
2154
bus_name = dbus.service.BusName("se.recompile.Mandos",
2155
bus, do_not_queue=True)
2156
old_bus_name = (dbus.service.BusName
2157
("se.bsnet.fukt.Mandos", bus,
2158
do_not_queue=True))
2159
except dbus.exceptions.NameExistsException as e:
2160
logger.error(unicode(e) + ", disabling D-Bus")
2161
use_dbus = False
2162
server_settings["use_dbus"] = False
2163
tcp_server.use_dbus = False
1340
2164
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1341
service = AvahiService(name = server_settings[u"servicename"],
1342
servicetype = u"_mandos._tcp",
1343
protocol = protocol, bus = bus)
2165
service = AvahiServiceToSyslog(name =
2166
server_settings["servicename"],
2167
servicetype = "_mandos._tcp",
2168
protocol = protocol, bus = bus)
1344
2169
if server_settings["interface"]:
1345
2170
service.interface = (if_nametoindex
1346
(str(server_settings[u"interface"])))
2171
(str(server_settings["interface"])))
2172
2173
global multiprocessing_manager
2174
multiprocessing_manager = multiprocessing.Manager()
1347
2175
1348
2176
client_class = Client
1349
2177
if use_dbus:
1350
client_class = functools.partial(ClientDBus, bus = bus)
1351
tcp_server.clients.update(set(
1352
client_class(name = section,
1353
config= dict(client_config.items(section)))
1354
for section in client_config.sections()))
2178
client_class = functools.partial(ClientDBusTransitional,
2179
bus = bus)
2180
2181
special_settings = {
2182
# Some settings need to be accessd by special methods;
2183
# booleans need .getboolean(), etc. Here is a list of them:
2184
"approved_by_default":
2185
lambda section:
2186
client_config.getboolean(section, "approved_by_default"),
2187
"enabled":
2188
lambda section:
2189
client_config.getboolean(section, "enabled"),
2190
}
2191
# Construct a new dict of client settings of this form:
2192
# { client_name: {setting_name: value, ...}, ...}
2193
# with exceptions for any special settings as defined above
2194
client_settings = dict((clientname,
2195
dict((setting,
2196
(value
2197
if setting not in special_settings
2198
else special_settings[setting]
2199
(clientname)))
2200
for setting, value in
2201
client_config.items(clientname)))
2202
for clientname in client_config.sections())
2203
2204
old_client_settings = {}
2205
clients_data = []
2206
2207
# Get client data and settings from last running state.
2208
if server_settings["restore"]:
2209
try:
2210
with open(stored_state_path, "rb") as stored_state:
2211
clients_data, old_client_settings = (pickle.load
2212
(stored_state))
2213
os.remove(stored_state_path)
2214
except IOError as e:
2215
logger.warning("Could not load persistent state: {0}"
2216
.format(e))
2217
if e.errno != errno.ENOENT:
2218
raise
2219
2220
with Crypto() as crypt:
2221
for client in clients_data:
2222
client_name = client["name"]
2223
2224
# Decide which value to use after restoring saved state.
2225
# We have three different values: Old config file,
2226
# new config file, and saved state.
2227
# New config value takes precedence if it differs from old
2228
# config value, otherwise use saved state.
2229
for name, value in client_settings[client_name].items():
2230
try:
2231
# For each value in new config, check if it
2232
# differs from the old config value (Except for
2233
# the "secret" attribute)
2234
if (name != "secret" and
2235
value != old_client_settings[client_name]
2236
[name]):
2237
setattr(client, name, value)
2238
except KeyError:
2239
pass
2240
2241
# Clients who has passed its expire date can still be
2242
# enabled if its last checker was sucessful. Clients
2243
# whose checker failed before we stored its state is
2244
# assumed to have failed all checkers during downtime.
2245
if client["enabled"] and client["last_checked_ok"]:
2246
if ((datetime.datetime.utcnow()
2247
- client["last_checked_ok"])
2248
> client["interval"]):
2249
if client["last_checker_status"] != 0:
2250
client["enabled"] = False
2251
else:
2252
client["expires"] = (datetime.datetime
2253
.utcnow()
2254
+ client["timeout"])
2255
2256
client["changedstate"] = (multiprocessing_manager
2257
.Condition
2258
(multiprocessing_manager
2259
.Lock()))
2260
if use_dbus:
2261
new_client = (ClientDBusTransitional.__new__
2262
(ClientDBusTransitional))
2263
tcp_server.clients[client_name] = new_client
2264
new_client.bus = bus
2265
for name, value in client.iteritems():
2266
setattr(new_client, name, value)
2267
client_object_name = unicode(client_name).translate(
2268
{ord("."): ord("_"),
2269
ord("-"): ord("_")})
2270
new_client.dbus_object_path = (dbus.ObjectPath
2271
("/clients/"
2272
+ client_object_name))
2273
DBusObjectWithProperties.__init__(new_client,
2274
new_client.bus,
2275
new_client
2276
.dbus_object_path)
2277
else:
2278
tcp_server.clients[client_name] = (Client.__new__
2279
(Client))
2280
for name, value in client.iteritems():
2281
setattr(tcp_server.clients[client_name],
2282
name, value)
2283
2284
try:
2285
tcp_server.clients[client_name].secret = (
2286
crypt.decrypt(tcp_server.clients[client_name]
2287
.encrypted_secret,
2288
client_settings[client_name]
2289
["secret"]))
2290
except CryptoError:
2291
# If decryption fails, we use secret from new settings
2292
tcp_server.clients[client_name].secret = (
2293
client_settings[client_name]["secret"])
2294
2295
# Create/remove clients based on new changes made to config
2296
for clientname in set(old_client_settings) - set(client_settings):
2297
del tcp_server.clients[clientname]
2298
for clientname in set(client_settings) - set(old_client_settings):
2299
tcp_server.clients[clientname] = (client_class(name
2300
= clientname,
2301
config =
2302
client_settings
2303
[clientname]))
2304
1355
2305
if not tcp_server.clients:
1356
logger.warning(u"No clients defined")
1357
1358
if debug:
1359
# Redirect stdin so all checkers get /dev/null
1360
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1361
os.dup2(null, sys.stdin.fileno())
1362
if null > 2:
1363
os.close(null)
1364
else:
1365
# No console logging
1366
logger.removeHandler(console)
1367
# Close all input and output, do double fork, etc.
1368
daemon()
1369
1370
try:
1371
with closing(pidfile):
1372
pid = os.getpid()
1373
pidfile.write(str(pid) + "\n")
1374
del pidfile
1375
except IOError:
1376
logger.error(u"Could not write to file %r with PID %d",
1377
pidfilename, pid)
1378
except NameError:
1379
# "pidfile" was never created
1380
pass
1381
del pidfilename
1382
1383
def cleanup():
1384
"Cleanup function; run on exit"
1385
service.cleanup()
2306
logger.warning("No clients defined")
1386
2307
1387
while tcp_server.clients:
1388
client = tcp_server.clients.pop()
1389
client.disable_hook = None
1390
client.disable()
1391
1392
atexit.register(cleanup)
1393
1394
2308
if not debug:
2309
try:
2310
with pidfile:
2311
pid = os.getpid()
2312
pidfile.write(str(pid) + "\n".encode("utf-8"))
2313
del pidfile
2314
except IOError:
2315
logger.error("Could not write to file %r with PID %d",
2316
pidfilename, pid)
2317
except NameError:
2318
# "pidfile" was never created
2319
pass
2320
del pidfilename
2321
1395
2322
signal.signal(signal.SIGINT, signal.SIG_IGN)
2323
1396
2324
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1397
2325
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1398
2326
1400
2328
class MandosDBusService(dbus.service.Object):
1401
2329
"""A D-Bus proxy object"""
1402
2330
def __init__(self):
1403
dbus.service.Object.__init__(self, bus, u"/")
1404
_interface = u"se.bsnet.fukt.Mandos"
1405
1406
@dbus.service.signal(_interface, signature=u"oa{sv}")
1407
def ClientAdded(self, objpath, properties):
1408
"D-Bus signal"
1409
pass
1410
1411
@dbus.service.signal(_interface, signature=u"s")
1412
def ClientNotFound(self, fingerprint):
1413
"D-Bus signal"
1414
pass
1415
1416
@dbus.service.signal(_interface, signature=u"os")
2331
dbus.service.Object.__init__(self, bus, "/")
2332
_interface = "se.recompile.Mandos"
2333
2334
@dbus.service.signal(_interface, signature="o")
2335
def ClientAdded(self, objpath):
2336
"D-Bus signal"
2337
pass
2338
2339
@dbus.service.signal(_interface, signature="ss")
2340
def ClientNotFound(self, fingerprint, address):
2341
"D-Bus signal"
2342
pass
2343
2344
@dbus.service.signal(_interface, signature="os")
1417
2345
def ClientRemoved(self, objpath, name):
1418
2346
"D-Bus signal"
1419
2347
pass
1420
2348
1421
@dbus.service.method(_interface, out_signature=u"ao")
2349
@dbus.service.method(_interface, out_signature="ao")
1422
2350
def GetAllClients(self):
1423
2351
"D-Bus method"
1424
2352
return dbus.Array(c.dbus_object_path
1425
for c in tcp_server.clients)
2353
for c in
2354
tcp_server.clients.itervalues())
1426
2355
1427
2356
@dbus.service.method(_interface,
1428
out_signature=u"a{oa{sv}}")
2357
out_signature="a{oa{sv}}")
1429
2358
def GetAllClientsWithProperties(self):
1430
2359
"D-Bus method"
1431
2360
return dbus.Dictionary(
1432
((c.dbus_object_path, c.GetAllProperties())
1433
for c in tcp_server.clients),
1434
signature=u"oa{sv}")
2361
((c.dbus_object_path, c.GetAll(""))
2362
for c in tcp_server.clients.itervalues()),
2363
signature="oa{sv}")
1435
2364
1436
@dbus.service.method(_interface, in_signature=u"o")
2365
@dbus.service.method(_interface, in_signature="o")
1437
2366
def RemoveClient(self, object_path):
1438
2367
"D-Bus method"
1439
for c in tcp_server.clients:
2368
for c in tcp_server.clients.itervalues():
1440
2369
if c.dbus_object_path == object_path:
1441
tcp_server.clients.remove(c)
2370
del tcp_server.clients[c.name]
1442
2371
c.remove_from_connection()
1443
2372
# Don't signal anything except ClientRemoved
1444
c.disable(signal=False)
2373
c.disable(quiet=True)
1445
2374
# Emit D-Bus signal
1446
2375
self.ClientRemoved(object_path, c.name)
1447
2376
return
1448
raise KeyError
2377
raise KeyError(object_path)
1449
2378
1450
2379
del _interface
1451
2380
1452
mandos_dbus_service = MandosDBusService()
1453
1454
for client in tcp_server.clients:
2381
class MandosDBusServiceTransitional(MandosDBusService):
2382
__metaclass__ = AlternateDBusNamesMetaclass
2383
mandos_dbus_service = MandosDBusServiceTransitional()
2384
2385
def cleanup():
2386
"Cleanup function; run on exit"
2387
service.cleanup()
2388
2389
multiprocessing.active_children()
2390
if not (tcp_server.clients or client_settings):
2391
return
2392
2393
# Store client before exiting. Secrets are encrypted with key
2394
# based on what config file has. If config file is
2395
# removed/edited, old secret will thus be unrecovable.
2396
clients = []
2397
with Crypto() as crypt:
2398
for client in tcp_server.clients.itervalues():
2399
key = client_settings[client.name]["secret"]
2400
client.encrypted_secret = crypt.encrypt(client.secret,
2401
key)
2402
client_dict = {}
2403
2404
# A list of attributes that will not be stored when
2405
# shutting down.
2406
exclude = set(("bus", "changedstate", "secret"))
2407
for name, typ in (inspect.getmembers
2408
(dbus.service.Object)):
2409
exclude.add(name)
2410
2411
client_dict["encrypted_secret"] = (client
2412
.encrypted_secret)
2413
for attr in client.client_structure:
2414
if attr not in exclude:
2415
client_dict[attr] = getattr(client, attr)
2416
2417
clients.append(client_dict)
2418
del client_settings[client.name]["secret"]
2419
2420
try:
2421
with os.fdopen(os.open(stored_state_path,
2422
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2423
0600), "wb") as stored_state:
2424
pickle.dump((clients, client_settings), stored_state)
2425
except (IOError, OSError) as e:
2426
logger.warning("Could not save persistent state: {0}"
2427
.format(e))
2428
if e.errno not in (errno.ENOENT, errno.EACCES):
2429
raise
2430
2431
# Delete all clients, and settings from config
2432
while tcp_server.clients:
2433
name, client = tcp_server.clients.popitem()
2434
if use_dbus:
2435
client.remove_from_connection()
2436
# Don't signal anything except ClientRemoved
2437
client.disable(quiet=True)
2438
if use_dbus:
2439
# Emit D-Bus signal
2440
mandos_dbus_service.ClientRemoved(client
2441
.dbus_object_path,
2442
client.name)
2443
client_settings.clear()
2444
2445
atexit.register(cleanup)
2446
2447
for client in tcp_server.clients.itervalues():
1455
2448
if use_dbus:
1456
2449
# Emit D-Bus signal
1457
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1458
client.GetAllProperties())
1459
client.enable()
2450
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2451
# Need to initiate checking of clients
2452
if client.enabled:
2453
client.init_checker()
1460
2454
1461
2455
tcp_server.enable()
1462
2456
tcp_server.server_activate()
1464
2458
# Find out what port we got
1465
2459
service.port = tcp_server.socket.getsockname()[1]
1466
2460
if use_ipv6:
1467
logger.info(u"Now listening on address %r, port %d,"
2461
logger.info("Now listening on address %r, port %d,"
1468
2462
" flowinfo %d, scope_id %d"
1469
2463
% tcp_server.socket.getsockname())
1470
2464
else: # IPv4
1471
logger.info(u"Now listening on address %r, port %d"
2465
logger.info("Now listening on address %r, port %d"
1472
2466
% tcp_server.socket.getsockname())
1473
2467
1474
2468
#service.interface = tcp_server.socket.getsockname()[3]
1477
2471
# From the Avahi example code
1478
2472
try:
1479
2473
service.activate()
1480
except dbus.exceptions.DBusException, error:
1481
logger.critical(u"DBusException: %s", error)
2474
except dbus.exceptions.DBusException as error:
2475
logger.critical("DBusException: %s", error)
2476
cleanup()
1482
2477
sys.exit(1)
1483
2478
# End of Avahi example code
1484
2479
1487
2482
(tcp_server.handle_request
1488
2483
(*args[2:], **kwargs) or True))
1489
2484
1490
logger.debug(u"Starting main loop")
2485
logger.debug("Starting main loop")
1491
2486
main_loop.run()
1492
except AvahiError, error:
1493
logger.critical(u"AvahiError: %s", error)
2487
except AvahiError as error:
2488
logger.critical("AvahiError: %s", error)
2489
cleanup()
1494
2490
sys.exit(1)
1495
2491
except KeyboardInterrupt:
1496
2492
if debug:
1497
print >> sys.stderr
1498
logger.debug(u"Server received KeyboardInterrupt")
1499
logger.debug(u"Server exiting")
2493
print("", file=sys.stderr)
2494
logger.debug("Server received KeyboardInterrupt")
2495
logger.debug("Server exiting")
2496
# Must run before the D-Bus bus name gets deregistered
2497
cleanup()
2498
1500
2499
1501
2500
if __name__ == '__main__':
1502
2501
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0