192
208
self.group.Commit()
193
209
def entry_group_state_changed(self, state, error):
194
210
"""Derived from the Avahi example code"""
195
logger.debug(u"Avahi state change: %i", state)
211
logger.debug("Avahi entry group state change: %i", state)
197
213
if state == avahi.ENTRY_GROUP_ESTABLISHED:
198
logger.debug(u"Zeroconf service established.")
214
logger.debug("Zeroconf service established.")
199
215
elif state == avahi.ENTRY_GROUP_COLLISION:
200
logger.warning(u"Zeroconf service name collision.")
216
logger.info("Zeroconf service name collision.")
202
218
elif state == avahi.ENTRY_GROUP_FAILURE:
203
logger.critical(u"Avahi: Error in group state changed %s",
219
logger.critical("Avahi: Error in group state changed %s",
205
raise AvahiGroupError(u"State changed: %s"
221
raise AvahiGroupError("State changed: %s"
206
222
% unicode(error))
207
223
def cleanup(self):
208
224
"""Derived from the Avahi example code"""
209
225
if self.group is not None:
228
except (dbus.exceptions.UnknownMethodException,
229
dbus.exceptions.DBusException) as e:
211
231
self.group = None
212
def server_state_changed(self, state):
233
def server_state_changed(self, state, error=None):
213
234
"""Derived from the Avahi example code"""
214
if state == avahi.SERVER_COLLISION:
215
logger.error(u"Zeroconf server name collision")
235
logger.debug("Avahi server state change: %i", state)
236
bad_states = { avahi.SERVER_INVALID:
237
"Zeroconf server invalid",
238
avahi.SERVER_REGISTERING: None,
239
avahi.SERVER_COLLISION:
240
"Zeroconf server name collision",
241
avahi.SERVER_FAILURE:
242
"Zeroconf server failure" }
243
if state in bad_states:
244
if bad_states[state] is not None:
246
logger.error(bad_states[state])
248
logger.error(bad_states[state] + ": %r", error)
217
250
elif state == avahi.SERVER_RUNNING:
254
logger.debug("Unknown state: %r", state)
256
logger.debug("Unknown state: %r: %r", state, error)
219
257
def activate(self):
220
258
"""Derived from the Avahi example code"""
221
259
if self.server is None:
222
260
self.server = dbus.Interface(
223
261
self.bus.get_object(avahi.DBUS_NAME,
224
avahi.DBUS_PATH_SERVER),
262
avahi.DBUS_PATH_SERVER,
263
follow_name_owner_changes=True),
225
264
avahi.DBUS_INTERFACE_SERVER)
226
self.server.connect_to_signal(u"StateChanged",
265
self.server.connect_to_signal("StateChanged",
227
266
self.server_state_changed)
228
267
self.server_state_changed(self.server.GetState())
269
class AvahiServiceToSyslog(AvahiService):
271
"""Add the new name to the syslog messages"""
272
ret = AvahiService.rename(self)
273
syslogger.setFormatter(logging.Formatter
274
('Mandos (%s) [%%(process)d]:'
275
' %%(levelname)s: %%(message)s'
279
def _timedelta_to_milliseconds(td):
280
"Convert a datetime.timedelta() to milliseconds"
281
return ((td.days * 24 * 60 * 60 * 1000)
282
+ (td.seconds * 1000)
283
+ (td.microseconds // 1000))
231
285
class Client(object):
232
286
"""A representation of a client host served by this server.
235
name: string; from the config file, used in log messages and
289
_approved: bool(); 'None' if not yet approved/disapproved
290
approval_delay: datetime.timedelta(); Time to wait for approval
291
approval_duration: datetime.timedelta(); Duration of one approval
292
checker: subprocess.Popen(); a running checker process used
293
to see if the client lives.
294
'None' if no process is running.
295
checker_callback_tag: a gobject event source tag, or None
296
checker_command: string; External command which is run to check
297
if client lives. %() expansions are done at
298
runtime with vars(self) as dict, so that for
299
instance %(name)s can be used in the command.
300
checker_initiator_tag: a gobject event source tag, or None
301
created: datetime.datetime(); (UTC) object creation
302
client_structure: Object describing what attributes a client has
303
and is used for storing the client at exit
304
current_checker_command: string; current running checker_command
305
disable_initiator_tag: a gobject event source tag, or None
237
307
fingerprint: string (40 or 32 hexadecimal digits); used to
238
308
uniquely identify the client
239
secret: bytestring; sent verbatim (over TLS) to client
240
309
host: string; available for use by the checker command
241
created: datetime.datetime(); (UTC) object creation
310
interval: datetime.timedelta(); How often to start a new checker
311
last_approval_request: datetime.datetime(); (UTC) or None
312
last_checked_ok: datetime.datetime(); (UTC) or None
313
last_checker_status: integer between 0 and 255 reflecting exit
314
status of last checker. -1 reflect crashed
242
316
last_enabled: datetime.datetime(); (UTC)
244
last_checked_ok: datetime.datetime(); (UTC) or None
317
name: string; from the config file, used in log messages and
319
secret: bytestring; sent verbatim (over TLS) to client
245
320
timeout: datetime.timedelta(); How long from last_checked_ok
246
321
until this client is disabled
247
interval: datetime.timedelta(); How often to start a new checker
248
disable_hook: If set, called by disable() as disable_hook(self)
249
checker: subprocess.Popen(); a running checker process used
250
to see if the client lives.
251
'None' if no process is running.
252
checker_initiator_tag: a gobject event source tag, or None
253
disable_initiator_tag: - '' -
254
checker_callback_tag: - '' -
255
checker_command: string; External command which is run to check if
256
client lives. %() expansions are done at
257
runtime with vars(self) as dict, so that for
258
instance %(name)s can be used in the command.
259
current_checker_command: string; current running checker_command
260
changesignal: File descriptor; written to on object change
261
_reset: File descriptor; for flushing changesignal
262
delay: datetime.timedelta(); how long to wait for approval/secret
263
approved: bool(); None if not yet approved/disapproved
322
extended_timeout: extra long timeout when password has been sent
323
runtime_expansions: Allowed attributes for runtime expansion.
324
expires: datetime.datetime(); time (UTC) when a client will be
267
def _timedelta_to_milliseconds(td):
268
"Convert a datetime.timedelta() to milliseconds"
269
return ((td.days * 24 * 60 * 60 * 1000)
270
+ (td.seconds * 1000)
271
+ (td.microseconds // 1000))
328
runtime_expansions = ("approval_delay", "approval_duration",
329
"created", "enabled", "fingerprint",
330
"host", "interval", "last_checked_ok",
331
"last_enabled", "name", "timeout")
273
333
def timeout_milliseconds(self):
274
334
"Return the 'timeout' attribute in milliseconds"
275
return self._timedelta_to_milliseconds(self.timeout)
335
return _timedelta_to_milliseconds(self.timeout)
337
def extended_timeout_milliseconds(self):
338
"Return the 'extended_timeout' attribute in milliseconds"
339
return _timedelta_to_milliseconds(self.extended_timeout)
277
341
def interval_milliseconds(self):
278
342
"Return the 'interval' attribute in milliseconds"
279
return self._timedelta_to_milliseconds(self.interval)
281
def __init__(self, name = None, disable_hook=None, config=None):
343
return _timedelta_to_milliseconds(self.interval)
345
def approval_delay_milliseconds(self):
346
return _timedelta_to_milliseconds(self.approval_delay)
348
def __init__(self, name = None, config=None):
282
349
"""Note: the 'checker' key in 'config' sets the
283
350
'checker_command' attribute and *not* the 'checker'
286
353
if config is None:
288
logger.debug(u"Creating client %r", self.name)
355
logger.debug("Creating client %r", self.name)
289
356
# Uppercase and remove spaces from fingerprint for later
290
357
# comparison purposes with return value from the fingerprint()
292
self.fingerprint = (config[u"fingerprint"].upper()
294
logger.debug(u" Fingerprint: %s", self.fingerprint)
295
if u"secret" in config:
296
self._secret = config[u"secret"].decode(u"base64")
297
elif u"secfile" in config:
359
self.fingerprint = (config["fingerprint"].upper()
361
logger.debug(" Fingerprint: %s", self.fingerprint)
362
if "secret" in config:
363
self.secret = config["secret"].decode("base64")
364
elif "secfile" in config:
298
365
with open(os.path.expanduser(os.path.expandvars
299
(config[u"secfile"])),
366
(config["secfile"])),
300
367
"rb") as secfile:
301
self._secret = secfile.read()
368
self.secret = secfile.read()
303
#XXX Need to allow secret on demand!
304
raise TypeError(u"No secret or secfile for client %s"
370
raise TypeError("No secret or secfile for client %s"
306
self.host = config.get(u"host", u"")
372
self.host = config.get("host", "")
307
373
self.created = datetime.datetime.utcnow()
309
self.last_enabled = None
375
self.last_approval_request = None
376
self.last_enabled = datetime.datetime.utcnow()
310
377
self.last_checked_ok = None
311
self.timeout = string_to_delta(config[u"timeout"])
312
self.interval = string_to_delta(config[u"interval"])
313
self.disable_hook = disable_hook
378
self.last_checker_status = None
379
self.timeout = string_to_delta(config["timeout"])
380
self.extended_timeout = string_to_delta(config
381
["extended_timeout"])
382
self.interval = string_to_delta(config["interval"])
314
383
self.checker = None
315
384
self.checker_initiator_tag = None
316
385
self.disable_initiator_tag = None
386
self.expires = datetime.datetime.utcnow() + self.timeout
317
387
self.checker_callback_tag = None
318
self.checker_command = config[u"checker"]
388
self.checker_command = config["checker"]
319
389
self.current_checker_command = None
320
self.last_connect = None
321
self.changesignal, self._reset = os.pipe()
322
self._approved = None #XXX should be based on configfile
323
self.delay = 10; #XXX Should be based on configfile
325
def setsecret(self, value):
327
os.write(self.changesignal, "\0")
328
os.read(self._reset, 1)
330
secret = property(lambda self: self._secret, setsecret)
333
def setapproved(self, value):
334
self._approved = value
335
os.write(self.changesignal, "\0")
336
os.read(self._reset, 1)
338
approved = property(lambda self: self._approved, setapproved)
390
self._approved = None
391
self.approved_by_default = config.get("approved_by_default",
393
self.approvals_pending = 0
394
self.approval_delay = string_to_delta(
395
config["approval_delay"])
396
self.approval_duration = string_to_delta(
397
config["approval_duration"])
398
self.changedstate = (multiprocessing_manager
399
.Condition(multiprocessing_manager
401
self.client_structure = [attr for attr
402
in self.__dict__.iterkeys()
403
if not attr.startswith("_")]
404
self.client_structure.append("client_structure")
407
for name, t in inspect.getmembers(type(self),
411
if not name.startswith("_"):
412
self.client_structure.append(name)
414
# Send notice to process children that client state has changed
415
def send_changedstate(self):
416
with self.changedstate:
417
self.changedstate.notify_all()
341
419
def enable(self):
342
420
"""Start this client's checker and timeout hooks"""
343
if getattr(self, u"enabled", False):
421
if getattr(self, "enabled", False):
344
422
# Already enabled
424
self.send_changedstate()
425
self.expires = datetime.datetime.utcnow() + self.timeout
346
427
self.last_enabled = datetime.datetime.utcnow()
430
def disable(self, quiet=True):
431
"""Disable this client."""
432
if not getattr(self, "enabled", False):
435
self.send_changedstate()
437
logger.info("Disabling client %s", self.name)
438
if getattr(self, "disable_initiator_tag", False):
439
gobject.source_remove(self.disable_initiator_tag)
440
self.disable_initiator_tag = None
442
if getattr(self, "checker_initiator_tag", False):
443
gobject.source_remove(self.checker_initiator_tag)
444
self.checker_initiator_tag = None
447
# Do not run this again if called by a gobject.timeout_add
453
def init_checker(self):
347
454
# Schedule a new checker to be started an 'interval' from now,
348
455
# and every interval from then on.
349
456
self.checker_initiator_tag = (gobject.timeout_add
353
460
self.disable_initiator_tag = (gobject.timeout_add
354
461
(self.timeout_milliseconds(),
357
463
# Also start a new checker *right now*.
358
464
self.start_checker()
360
def disable(self, quiet=True):
361
"""Disable this client."""
362
if not getattr(self, "enabled", False):
365
logger.info(u"Disabling client %s", self.name)
366
if getattr(self, u"disable_initiator_tag", False):
367
gobject.source_remove(self.disable_initiator_tag)
368
self.disable_initiator_tag = None
369
if getattr(self, u"checker_initiator_tag", False):
370
gobject.source_remove(self.checker_initiator_tag)
371
self.checker_initiator_tag = None
373
if self.disable_hook:
374
self.disable_hook(self)
376
# Do not run this again if called by a gobject.timeout_add
380
self.disable_hook = None
383
467
def checker_callback(self, pid, condition, command):
384
468
"""The checker has completed, so take appropriate actions."""
385
469
self.checker_callback_tag = None
386
470
self.checker = None
387
471
if os.WIFEXITED(condition):
388
exitstatus = os.WEXITSTATUS(condition)
390
logger.info(u"Checker for %(name)s succeeded",
472
self.last_checker_status = os.WEXITSTATUS(condition)
473
if self.last_checker_status == 0:
474
logger.info("Checker for %(name)s succeeded",
392
476
self.checked_ok()
394
logger.info(u"Checker for %(name)s failed",
478
logger.info("Checker for %(name)s failed",
397
logger.warning(u"Checker for %(name)s crashed?",
481
self.last_checker_status = -1
482
logger.warning("Checker for %(name)s crashed?",
400
def checked_ok(self):
485
def checked_ok(self, timeout=None):
401
486
"""Bump up the timeout for this client.
403
488
This should only be called when the client has been seen,
492
timeout = self.timeout
406
493
self.last_checked_ok = datetime.datetime.utcnow()
407
gobject.source_remove(self.disable_initiator_tag)
408
self.disable_initiator_tag = (gobject.timeout_add
409
(self.timeout_milliseconds(),
494
if self.disable_initiator_tag is not None:
495
gobject.source_remove(self.disable_initiator_tag)
496
if getattr(self, "enabled", False):
497
self.disable_initiator_tag = (gobject.timeout_add
498
(_timedelta_to_milliseconds
499
(timeout), self.disable))
500
self.expires = datetime.datetime.utcnow() + timeout
502
def need_approval(self):
503
self.last_approval_request = datetime.datetime.utcnow()
412
505
def start_checker(self):
413
506
"""Start a new checker subprocess if one is not running.
487
582
if self.checker_callback_tag:
488
583
gobject.source_remove(self.checker_callback_tag)
489
584
self.checker_callback_tag = None
490
if getattr(self, u"checker", None) is None:
585
if getattr(self, "checker", None) is None:
492
logger.debug(u"Stopping checker for %(name)s", vars(self))
587
logger.debug("Stopping checker for %(name)s", vars(self))
494
589
os.kill(self.checker.pid, signal.SIGTERM)
496
591
#if self.checker.poll() is None:
497
592
# os.kill(self.checker.pid, signal.SIGKILL)
498
except OSError, error:
593
except OSError as error:
499
594
if error.errno != errno.ESRCH: # No such process
501
596
self.checker = None
504
def dbus_service_property(dbus_interface, signature=u"v",
505
access=u"readwrite", byte_arrays=False):
598
# Encrypts a client secret and stores it in a varible
600
def encrypt_secret(self, key):
601
# Encryption-key need to be of a specific size, so we hash
603
hasheng = hashlib.sha256()
605
encryptionkey = hasheng.digest()
607
# Create validation hash so we know at decryption if it was
609
hasheng = hashlib.sha256()
610
hasheng.update(self.secret)
611
validationhash = hasheng.digest()
614
iv = os.urandom(Crypto.Cipher.AES.block_size)
615
ciphereng = Crypto.Cipher.AES.new(encryptionkey,
616
Crypto.Cipher.AES.MODE_CFB, iv)
617
ciphertext = ciphereng.encrypt(validationhash+self.secret)
618
self.encrypted_secret = (ciphertext, iv)
620
# Decrypt a encrypted client secret
621
def decrypt_secret(self, key):
622
# Decryption-key need to be of a specific size, so we hash
624
hasheng = hashlib.sha256()
626
encryptionkey = hasheng.digest()
628
# Decrypt encrypted secret
629
ciphertext, iv = self.encrypted_secret
630
ciphereng = Crypto.Cipher.AES.new(encryptionkey,
631
Crypto.Cipher.AES.MODE_CFB, iv)
632
plain = ciphereng.decrypt(ciphertext)
634
# Validate decrypted secret to know if it was succesful
635
hasheng = hashlib.sha256()
636
validationhash = plain[:hasheng.digest_size]
637
secret = plain[hasheng.digest_size:]
638
hasheng.update(secret)
640
# If validation fails, we use key as new secret. Otherwise, we
641
# use the decrypted secret
642
if hasheng.digest() == validationhash:
646
del self.encrypted_secret
649
def dbus_service_property(dbus_interface, signature="v",
650
access="readwrite", byte_arrays=False):
506
651
"""Decorators for marking methods of a DBusObjectWithProperties to
507
652
become properties on the D-Bus.
562
707
def _is_dbus_property(obj):
563
return getattr(obj, u"_dbus_is_property", False)
708
return getattr(obj, "_dbus_is_property", False)
565
710
def _get_all_dbus_properties(self):
566
711
"""Returns a generator of (name, attribute) pairs
568
return ((prop._dbus_name, prop)
713
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
714
for cls in self.__class__.__mro__
569
715
for name, prop in
570
inspect.getmembers(self, self._is_dbus_property))
716
inspect.getmembers(cls, self._is_dbus_property))
572
718
def _get_dbus_property(self, interface_name, property_name):
573
719
"""Returns a bound method if one exists which is a D-Bus
574
720
property with the specified name and interface.
576
for name in (property_name,
577
property_name + u"_dbus_property"):
578
prop = getattr(self, name, None)
580
or not self._is_dbus_property(prop)
581
or prop._dbus_name != property_name
582
or (interface_name and prop._dbus_interface
583
and interface_name != prop._dbus_interface)):
722
for cls in self.__class__.__mro__:
723
for name, value in (inspect.getmembers
724
(cls, self._is_dbus_property)):
725
if (value._dbus_name == property_name
726
and value._dbus_interface == interface_name):
727
return value.__get__(self)
586
729
# No such property
587
raise DBusPropertyNotFound(self.dbus_object_path + u":"
588
+ interface_name + u"."
730
raise DBusPropertyNotFound(self.dbus_object_path + ":"
731
+ interface_name + "."
591
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
734
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
593
736
def Get(self, interface_name, property_name):
594
737
"""Standard D-Bus property Get() method, see D-Bus standard.
596
739
prop = self._get_dbus_property(interface_name, property_name)
597
if prop._dbus_access == u"write":
740
if prop._dbus_access == "write":
598
741
raise DBusPropertyAccessException(property_name)
600
if not hasattr(value, u"variant_level"):
743
if not hasattr(value, "variant_level"):
602
745
return type(value)(value, variant_level=value.variant_level+1)
604
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
747
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
605
748
def Set(self, interface_name, property_name, value):
606
749
"""Standard D-Bus property Set() method, see D-Bus standard.
608
751
prop = self._get_dbus_property(interface_name, property_name)
609
if prop._dbus_access == u"read":
752
if prop._dbus_access == "read":
610
753
raise DBusPropertyAccessException(property_name)
611
if prop._dbus_get_args_options[u"byte_arrays"]:
754
if prop._dbus_get_args_options["byte_arrays"]:
612
755
# The byte_arrays option is not supported yet on
613
756
# signatures other than "ay".
614
if prop._dbus_signature != u"ay":
757
if prop._dbus_signature != "ay":
616
759
value = dbus.ByteArray(''.join(unichr(byte)
617
760
for byte in value))
620
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
621
out_signature=u"a{sv}")
763
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
764
out_signature="a{sv}")
622
765
def GetAll(self, interface_name):
623
766
"""Standard D-Bus property GetAll() method, see D-Bus
626
769
Note: Will not include properties with access="write".
655
798
document = xml.dom.minidom.parseString(xmlstring)
656
799
def make_tag(document, name, prop):
657
e = document.createElement(u"property")
658
e.setAttribute(u"name", name)
659
e.setAttribute(u"type", prop._dbus_signature)
660
e.setAttribute(u"access", prop._dbus_access)
800
e = document.createElement("property")
801
e.setAttribute("name", name)
802
e.setAttribute("type", prop._dbus_signature)
803
e.setAttribute("access", prop._dbus_access)
662
for if_tag in document.getElementsByTagName(u"interface"):
805
for if_tag in document.getElementsByTagName("interface"):
663
806
for tag in (make_tag(document, name, prop)
665
808
in self._get_all_dbus_properties()
666
809
if prop._dbus_interface
667
== if_tag.getAttribute(u"name")):
810
== if_tag.getAttribute("name")):
668
811
if_tag.appendChild(tag)
669
812
# Add the names to the return values for the
670
813
# "org.freedesktop.DBus.Properties" methods
671
if (if_tag.getAttribute(u"name")
672
== u"org.freedesktop.DBus.Properties"):
673
for cn in if_tag.getElementsByTagName(u"method"):
674
if cn.getAttribute(u"name") == u"Get":
675
for arg in cn.getElementsByTagName(u"arg"):
676
if (arg.getAttribute(u"direction")
678
arg.setAttribute(u"name", u"value")
679
elif cn.getAttribute(u"name") == u"GetAll":
680
for arg in cn.getElementsByTagName(u"arg"):
681
if (arg.getAttribute(u"direction")
683
arg.setAttribute(u"name", u"props")
684
xmlstring = document.toxml(u"utf-8")
814
if (if_tag.getAttribute("name")
815
== "org.freedesktop.DBus.Properties"):
816
for cn in if_tag.getElementsByTagName("method"):
817
if cn.getAttribute("name") == "Get":
818
for arg in cn.getElementsByTagName("arg"):
819
if (arg.getAttribute("direction")
821
arg.setAttribute("name", "value")
822
elif cn.getAttribute("name") == "GetAll":
823
for arg in cn.getElementsByTagName("arg"):
824
if (arg.getAttribute("direction")
826
arg.setAttribute("name", "props")
827
xmlstring = document.toxml("utf-8")
685
828
document.unlink()
686
829
except (AttributeError, xml.dom.DOMException,
687
xml.parsers.expat.ExpatError), error:
688
logger.error(u"Failed to override Introspection method",
830
xml.parsers.expat.ExpatError) as error:
831
logger.error("Failed to override Introspection method",
836
def datetime_to_dbus (dt, variant_level=0):
837
"""Convert a UTC datetime.datetime() to a D-Bus type."""
839
return dbus.String("", variant_level = variant_level)
840
return dbus.String(dt.isoformat(),
841
variant_level=variant_level)
843
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
845
"""Applied to an empty subclass of a D-Bus object, this metaclass
846
will add additional D-Bus attributes matching a certain pattern.
848
def __new__(mcs, name, bases, attr):
849
# Go through all the base classes which could have D-Bus
850
# methods, signals, or properties in them
851
for base in (b for b in bases
852
if issubclass(b, dbus.service.Object)):
853
# Go though all attributes of the base class
854
for attrname, attribute in inspect.getmembers(base):
855
# Ignore non-D-Bus attributes, and D-Bus attributes
856
# with the wrong interface name
857
if (not hasattr(attribute, "_dbus_interface")
858
or not attribute._dbus_interface
859
.startswith("se.recompile.Mandos")):
861
# Create an alternate D-Bus interface name based on
863
alt_interface = (attribute._dbus_interface
864
.replace("se.recompile.Mandos",
865
"se.bsnet.fukt.Mandos"))
866
# Is this a D-Bus signal?
867
if getattr(attribute, "_dbus_is_signal", False):
868
# Extract the original non-method function by
870
nonmethod_func = (dict(
871
zip(attribute.func_code.co_freevars,
872
attribute.__closure__))["func"]
874
# Create a new, but exactly alike, function
875
# object, and decorate it to be a new D-Bus signal
876
# with the alternate D-Bus interface name
877
new_function = (dbus.service.signal
879
attribute._dbus_signature)
881
nonmethod_func.func_code,
882
nonmethod_func.func_globals,
883
nonmethod_func.func_name,
884
nonmethod_func.func_defaults,
885
nonmethod_func.func_closure)))
886
# Define a creator of a function to call both the
887
# old and new functions, so both the old and new
888
# signals gets sent when the function is called
889
def fixscope(func1, func2):
890
"""This function is a scope container to pass
891
func1 and func2 to the "call_both" function
892
outside of its arguments"""
893
def call_both(*args, **kwargs):
894
"""This function will emit two D-Bus
895
signals by calling func1 and func2"""
896
func1(*args, **kwargs)
897
func2(*args, **kwargs)
899
# Create the "call_both" function and add it to
901
attr[attrname] = fixscope(attribute,
903
# Is this a D-Bus method?
904
elif getattr(attribute, "_dbus_is_method", False):
905
# Create a new, but exactly alike, function
906
# object. Decorate it to be a new D-Bus method
907
# with the alternate D-Bus interface name. Add it
909
attr[attrname] = (dbus.service.method
911
attribute._dbus_in_signature,
912
attribute._dbus_out_signature)
914
(attribute.func_code,
915
attribute.func_globals,
917
attribute.func_defaults,
918
attribute.func_closure)))
919
# Is this a D-Bus property?
920
elif getattr(attribute, "_dbus_is_property", False):
921
# Create a new, but exactly alike, function
922
# object, and decorate it to be a new D-Bus
923
# property with the alternate D-Bus interface
924
# name. Add it to the class.
925
attr[attrname] = (dbus_service_property
927
attribute._dbus_signature,
928
attribute._dbus_access,
930
._dbus_get_args_options
933
(attribute.func_code,
934
attribute.func_globals,
936
attribute.func_defaults,
937
attribute.func_closure)))
938
return type.__new__(mcs, name, bases, attr)
693
940
class ClientDBus(Client, DBusObjectWithProperties):
694
941
"""A Client class using D-Bus
697
944
dbus_object_path: dbus.ObjectPath
698
945
bus: dbus.SystemBus()
948
runtime_expansions = (Client.runtime_expansions
949
+ ("dbus_object_path",))
700
951
# dbus.service.Object doesn't use super(), so we can't either.
702
953
def __init__(self, bus = None, *args, **kwargs):
955
self._approvals_pending = 0
704
956
Client.__init__(self, *args, **kwargs)
959
def add_to_dbus(self):
705
960
# Only now, when this client is initialized, can it show up on
962
client_object_name = unicode(self.name).translate(
707
965
self.dbus_object_path = (dbus.ObjectPath
709
+ self.name.replace(u".", u"_")))
966
("/clients/" + client_object_name))
710
967
DBusObjectWithProperties.__init__(self, self.bus,
711
968
self.dbus_object_path)
714
def _datetime_to_dbus(dt, variant_level=0):
715
"""Convert a UTC datetime.datetime() to a D-Bus type."""
716
return dbus.String(dt.isoformat(),
717
variant_level=variant_level)
720
oldstate = getattr(self, u"enabled", False)
721
r = Client.enable(self)
722
if oldstate != self.enabled:
724
self.PropertyChanged(dbus.String(u"enabled"),
725
dbus.Boolean(True, variant_level=1))
726
self.PropertyChanged(
727
dbus.String(u"last_enabled"),
728
self._datetime_to_dbus(self.last_enabled,
732
def disable(self, quiet = False):
733
oldstate = getattr(self, u"enabled", False)
734
r = Client.disable(self, quiet=quiet)
735
if not quiet and oldstate != self.enabled:
737
self.PropertyChanged(dbus.String(u"enabled"),
738
dbus.Boolean(False, variant_level=1))
970
def notifychangeproperty(transform_func,
971
dbus_name, type_func=lambda x: x,
973
""" Modify a variable so that it's a property which announces
976
transform_fun: Function that takes a value and a variant_level
977
and transforms it to a D-Bus type.
978
dbus_name: D-Bus name of the variable
979
type_func: Function that transform the value before sending it
980
to the D-Bus. Default: no transform
981
variant_level: D-Bus variant level. Default: 1
983
attrname = "_{0}".format(dbus_name)
984
def setter(self, value):
985
if hasattr(self, "dbus_object_path"):
986
if (not hasattr(self, attrname) or
987
type_func(getattr(self, attrname, None))
988
!= type_func(value)):
989
dbus_value = transform_func(type_func(value),
992
self.PropertyChanged(dbus.String(dbus_name),
994
setattr(self, attrname, value)
996
return property(lambda self: getattr(self, attrname), setter)
999
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1000
approvals_pending = notifychangeproperty(dbus.Boolean,
1003
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1004
last_enabled = notifychangeproperty(datetime_to_dbus,
1006
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1007
type_func = lambda checker:
1008
checker is not None)
1009
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1011
last_approval_request = notifychangeproperty(
1012
datetime_to_dbus, "LastApprovalRequest")
1013
approved_by_default = notifychangeproperty(dbus.Boolean,
1014
"ApprovedByDefault")
1015
approval_delay = notifychangeproperty(dbus.UInt16,
1018
_timedelta_to_milliseconds)
1019
approval_duration = notifychangeproperty(
1020
dbus.UInt16, "ApprovalDuration",
1021
type_func = _timedelta_to_milliseconds)
1022
host = notifychangeproperty(dbus.String, "Host")
1023
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1025
_timedelta_to_milliseconds)
1026
extended_timeout = notifychangeproperty(
1027
dbus.UInt16, "ExtendedTimeout",
1028
type_func = _timedelta_to_milliseconds)
1029
interval = notifychangeproperty(dbus.UInt16,
1032
_timedelta_to_milliseconds)
1033
checker_command = notifychangeproperty(dbus.String, "Checker")
1035
del notifychangeproperty
741
1037
def __del__(self, *args, **kwargs):
743
1039
self.remove_from_connection()
744
1040
except LookupError:
746
if hasattr(DBusObjectWithProperties, u"__del__"):
1042
if hasattr(DBusObjectWithProperties, "__del__"):
747
1043
DBusObjectWithProperties.__del__(self, *args, **kwargs)
748
1044
Client.__del__(self, *args, **kwargs)
875
@dbus_service_property(_interface, signature=u"s", access=u"read")
876
def name_dbus_property(self):
1172
# ApprovalPending - property
1173
@dbus_service_property(_interface, signature="b", access="read")
1174
def ApprovalPending_dbus_property(self):
1175
return dbus.Boolean(bool(self.approvals_pending))
1177
# ApprovedByDefault - property
1178
@dbus_service_property(_interface, signature="b",
1180
def ApprovedByDefault_dbus_property(self, value=None):
1181
if value is None: # get
1182
return dbus.Boolean(self.approved_by_default)
1183
self.approved_by_default = bool(value)
1185
# ApprovalDelay - property
1186
@dbus_service_property(_interface, signature="t",
1188
def ApprovalDelay_dbus_property(self, value=None):
1189
if value is None: # get
1190
return dbus.UInt64(self.approval_delay_milliseconds())
1191
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1193
# ApprovalDuration - property
1194
@dbus_service_property(_interface, signature="t",
1196
def ApprovalDuration_dbus_property(self, value=None):
1197
if value is None: # get
1198
return dbus.UInt64(_timedelta_to_milliseconds(
1199
self.approval_duration))
1200
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1203
@dbus_service_property(_interface, signature="s", access="read")
1204
def Name_dbus_property(self):
877
1205
return dbus.String(self.name)
879
# fingerprint - property
880
@dbus_service_property(_interface, signature=u"s", access=u"read")
881
def fingerprint_dbus_property(self):
1207
# Fingerprint - property
1208
@dbus_service_property(_interface, signature="s", access="read")
1209
def Fingerprint_dbus_property(self):
882
1210
return dbus.String(self.fingerprint)
885
@dbus_service_property(_interface, signature=u"s",
887
def host_dbus_property(self, value=None):
1213
@dbus_service_property(_interface, signature="s",
1215
def Host_dbus_property(self, value=None):
888
1216
if value is None: # get
889
1217
return dbus.String(self.host)
890
1218
self.host = value
892
self.PropertyChanged(dbus.String(u"host"),
893
dbus.String(value, variant_level=1))
896
@dbus_service_property(_interface, signature=u"s", access=u"read")
897
def created_dbus_property(self):
898
return dbus.String(self._datetime_to_dbus(self.created))
900
# last_enabled - property
901
@dbus_service_property(_interface, signature=u"s", access=u"read")
902
def last_enabled_dbus_property(self):
903
if self.last_enabled is None:
904
return dbus.String(u"")
905
return dbus.String(self._datetime_to_dbus(self.last_enabled))
908
@dbus_service_property(_interface, signature=u"b",
910
def enabled_dbus_property(self, value=None):
1220
# Created - property
1221
@dbus_service_property(_interface, signature="s", access="read")
1222
def Created_dbus_property(self):
1223
return dbus.String(datetime_to_dbus(self.created))
1225
# LastEnabled - property
1226
@dbus_service_property(_interface, signature="s", access="read")
1227
def LastEnabled_dbus_property(self):
1228
return datetime_to_dbus(self.last_enabled)
1230
# Enabled - property
1231
@dbus_service_property(_interface, signature="b",
1233
def Enabled_dbus_property(self, value=None):
911
1234
if value is None: # get
912
1235
return dbus.Boolean(self.enabled)
918
# last_checked_ok - property
919
@dbus_service_property(_interface, signature=u"s",
921
def last_checked_ok_dbus_property(self, value=None):
1241
# LastCheckedOK - property
1242
@dbus_service_property(_interface, signature="s",
1244
def LastCheckedOK_dbus_property(self, value=None):
922
1245
if value is not None:
923
1246
self.checked_ok()
925
if self.last_checked_ok is None:
926
return dbus.String(u"")
927
return dbus.String(self._datetime_to_dbus(self
931
@dbus_service_property(_interface, signature=u"t",
933
def timeout_dbus_property(self, value=None):
1248
return datetime_to_dbus(self.last_checked_ok)
1250
# Expires - property
1251
@dbus_service_property(_interface, signature="s", access="read")
1252
def Expires_dbus_property(self):
1253
return datetime_to_dbus(self.expires)
1255
# LastApprovalRequest - property
1256
@dbus_service_property(_interface, signature="s", access="read")
1257
def LastApprovalRequest_dbus_property(self):
1258
return datetime_to_dbus(self.last_approval_request)
1260
# Timeout - property
1261
@dbus_service_property(_interface, signature="t",
1263
def Timeout_dbus_property(self, value=None):
934
1264
if value is None: # get
935
1265
return dbus.UInt64(self.timeout_milliseconds())
936
1266
self.timeout = datetime.timedelta(0, 0, 0, value)
938
self.PropertyChanged(dbus.String(u"timeout"),
939
dbus.UInt64(value, variant_level=1))
940
if getattr(self, u"disable_initiator_tag", None) is None:
1267
if getattr(self, "disable_initiator_tag", None) is None:
942
1269
# Reschedule timeout
943
1270
gobject.source_remove(self.disable_initiator_tag)
944
1271
self.disable_initiator_tag = None
946
_timedelta_to_milliseconds((self
1273
time_to_die = _timedelta_to_milliseconds((self
951
1278
if time_to_die <= 0:
952
1279
# The timeout has passed
1282
self.expires = (datetime.datetime.utcnow()
1283
+ datetime.timedelta(milliseconds =
955
1285
self.disable_initiator_tag = (gobject.timeout_add
956
1286
(time_to_die, self.disable))
958
# interval - property
959
@dbus_service_property(_interface, signature=u"t",
961
def interval_dbus_property(self, value=None):
1288
# ExtendedTimeout - property
1289
@dbus_service_property(_interface, signature="t",
1291
def ExtendedTimeout_dbus_property(self, value=None):
1292
if value is None: # get
1293
return dbus.UInt64(self.extended_timeout_milliseconds())
1294
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1296
# Interval - property
1297
@dbus_service_property(_interface, signature="t",
1299
def Interval_dbus_property(self, value=None):
962
1300
if value is None: # get
963
1301
return dbus.UInt64(self.interval_milliseconds())
964
1302
self.interval = datetime.timedelta(0, 0, 0, value)
966
self.PropertyChanged(dbus.String(u"interval"),
967
dbus.UInt64(value, variant_level=1))
968
if getattr(self, u"checker_initiator_tag", None) is None:
1303
if getattr(self, "checker_initiator_tag", None) is None:
970
1305
# Reschedule checker run
971
1306
gobject.source_remove(self.checker_initiator_tag)
972
1307
self.checker_initiator_tag = (gobject.timeout_add
973
1308
(value, self.start_checker))
974
1309
self.start_checker() # Start one now, too
977
@dbus_service_property(_interface, signature=u"s",
979
def checker_dbus_property(self, value=None):
1311
# Checker - property
1312
@dbus_service_property(_interface, signature="s",
1314
def Checker_dbus_property(self, value=None):
980
1315
if value is None: # get
981
1316
return dbus.String(self.checker_command)
982
1317
self.checker_command = value
984
self.PropertyChanged(dbus.String(u"checker"),
985
dbus.String(self.checker_command,
988
# checker_running - property
989
@dbus_service_property(_interface, signature=u"b",
991
def checker_running_dbus_property(self, value=None):
1319
# CheckerRunning - property
1320
@dbus_service_property(_interface, signature="b",
1322
def CheckerRunning_dbus_property(self, value=None):
992
1323
if value is None: # get
993
1324
return dbus.Boolean(self.checker is not None)
1017
1376
Note: This will run in its own forked process."""
1019
1378
def handle(self):
1020
logger.info(u"TCP connection from: %s",
1021
unicode(self.client_address))
1022
logger.debug(u"IPC Pipe FD: %d",
1023
self.server.child_pipe[1].fileno())
1024
# Open IPC pipe to parent process
1025
with contextlib.nested(self.server.child_pipe[1],
1026
self.server.parent_pipe[0]
1027
) as (ipc, ipc_return):
1379
with contextlib.closing(self.server.child_pipe) as child_pipe:
1380
logger.info("TCP connection from: %s",
1381
unicode(self.client_address))
1382
logger.debug("Pipe FD: %d",
1383
self.server.child_pipe.fileno())
1028
1385
session = (gnutls.connection
1029
1386
.ClientSession(self.request,
1030
1387
gnutls.connection
1031
1388
.X509Credentials()))
1033
line = self.request.makefile().readline()
1034
logger.debug(u"Protocol version: %r", line)
1036
if int(line.strip().split()[0]) > 1:
1038
except (ValueError, IndexError, RuntimeError), error:
1039
logger.error(u"Unknown protocol version: %s", error)
1042
1390
# Note: gnutls.connection.X509Credentials is really a
1043
1391
# generic GnuTLS certificate credentials object so long as
1044
1392
# no X.509 keys are added to it. Therefore, we can use it
1045
1393
# here despite using OpenPGP certificates.
1047
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
1048
# u"+AES-256-CBC", u"+SHA1",
1049
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1395
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1396
# "+AES-256-CBC", "+SHA1",
1397
# "+COMP-NULL", "+CTYPE-OPENPGP",
1051
1399
# Use a fallback default, since this MUST be set.
1052
1400
priority = self.server.gnutls_priority
1053
1401
if priority is None:
1054
priority = u"NORMAL"
1055
1403
(gnutls.library.functions
1056
1404
.gnutls_priority_set_direct(session._c_object,
1057
1405
priority, None))
1407
# Start communication using the Mandos protocol
1408
# Get protocol number
1409
line = self.request.makefile().readline()
1410
logger.debug("Protocol version: %r", line)
1412
if int(line.strip().split()[0]) > 1:
1414
except (ValueError, IndexError, RuntimeError) as error:
1415
logger.error("Unknown protocol version: %s", error)
1418
# Start GnuTLS connection
1060
1420
session.handshake()
1061
except gnutls.errors.GNUTLSError, error:
1062
logger.warning(u"Handshake failed: %s", error)
1421
except gnutls.errors.GNUTLSError as error:
1422
logger.warning("Handshake failed: %s", error)
1063
1423
# Do not run session.bye() here: the session is not
1064
1424
# established. Just abandon the request.
1066
logger.debug(u"Handshake succeeded")
1426
logger.debug("Handshake succeeded")
1428
approval_required = False
1069
1431
fpr = self.fingerprint(self.peer_certificate
1071
except (TypeError, gnutls.errors.GNUTLSError), error:
1072
logger.warning(u"Bad certificate: %s", error)
1074
logger.debug(u"Fingerprint: %s", fpr)
1076
for c in self.server.clients:
1077
if c.fingerprint == fpr:
1081
ipc.write(u"NOTFOUND %s %s\n"
1082
% (fpr, unicode(self.client_address)))
1085
class proxyclient(object):
1086
def __getattribute__(self, name):
1087
ipc.write(u"GETATTR %s %s\n" % name, client.fpr)
1088
return pickle.load(ipc_reply)
1089
p = proxyclient(client)
1434
gnutls.errors.GNUTLSError) as error:
1435
logger.warning("Bad certificate: %s", error)
1437
logger.debug("Fingerprint: %s", fpr)
1440
client = ProxyClient(child_pipe, fpr,
1441
self.client_address)
1445
if client.approval_delay:
1446
delay = client.approval_delay
1447
client.approvals_pending += 1
1448
approval_required = True
1092
if not p.client.enabled:
1093
icp.write("DISABLED %s\n" % client.fpr)
1095
if p.client.approved == False:
1096
icp.write("Disaproved")
1451
if not client.enabled:
1452
logger.info("Client %s is disabled",
1454
if self.server.use_dbus:
1456
client.Rejected("Disabled")
1099
if not p.client.secret:
1100
icp.write("No password")
1101
elif not p.client.approved:
1102
icp.write("Need approval"):
1104
#We have a password and are approved
1459
if client._approved or not client.approval_delay:
1460
#We are approved or approval is disabled
1106
i, o, e = select(p.changesignal, (), (), client.delay)
1108
icp.write("Timeout passed")
1462
elif client._approved is None:
1463
logger.info("Client %s needs approval",
1465
if self.server.use_dbus:
1467
client.NeedApproval(
1468
client.approval_delay_milliseconds(),
1469
client.approved_by_default)
1471
logger.warning("Client %s was not approved",
1473
if self.server.use_dbus:
1475
client.Rejected("Denied")
1111
ipc.write(u"SENDING %s\n" % client.name)
1478
#wait until timeout or approved
1479
time = datetime.datetime.now()
1480
client.changedstate.acquire()
1481
(client.changedstate.wait
1482
(float(client._timedelta_to_milliseconds(delay)
1484
client.changedstate.release()
1485
time2 = datetime.datetime.now()
1486
if (time2 - time) >= delay:
1487
if not client.approved_by_default:
1488
logger.warning("Client %s timed out while"
1489
" waiting for approval",
1491
if self.server.use_dbus:
1493
client.Rejected("Approval timed out")
1498
delay -= time2 - time
1113
1501
while sent_size < len(client.secret):
1114
sent = session.send(client.secret[sent_size:])
1115
logger.debug(u"Sent: %d, remaining: %d",
1503
sent = session.send(client.secret[sent_size:])
1504
except gnutls.errors.GNUTLSError as error:
1505
logger.warning("gnutls send failed")
1507
logger.debug("Sent: %d, remaining: %d",
1116
1508
sent, len(client.secret)
1117
1509
- (sent_size + sent))
1118
1510
sent_size += sent
1512
logger.info("Sending secret to %s", client.name)
1513
# bump the timeout using extended_timeout
1514
client.checked_ok(client.extended_timeout)
1515
if self.server.use_dbus:
1520
if approval_required:
1521
client.approvals_pending -= 1
1524
except gnutls.errors.GNUTLSError as error:
1525
logger.warning("GnuTLS bye failed")
1123
1528
def peer_certificate(session):
1179
1584
# Convert the buffer to a Python bytestring
1180
1585
fpr = ctypes.string_at(buf, buf_len.value)
1181
1586
# Convert the bytestring to hexadecimal notation
1182
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1587
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
1186
class ForkingMixInWithPipes(socketserver.ForkingMixIn, object):
1187
"""Like socketserver.ForkingMixIn, but also pass a pipe pair."""
1591
class MultiprocessingMixIn(object):
1592
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1593
def sub_process_main(self, request, address):
1595
self.finish_request(request, address)
1597
self.handle_error(request, address)
1598
self.close_request(request)
1600
def process_request(self, request, address):
1601
"""Start a new process to process the request."""
1602
proc = multiprocessing.Process(target = self.sub_process_main,
1609
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1610
""" adds a pipe to the MixIn """
1188
1611
def process_request(self, request, client_address):
1189
1612
"""Overrides and wraps the original process_request().
1191
1614
This function creates a new pipe in self.pipe
1193
# Child writes to child_pipe
1194
self.child_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1195
# Parent writes to parent_pipe
1196
self.parent_pipe = map(os.fdopen, os.pipe(), u"rw", (1, 0))
1197
super(ForkingMixInWithPipes,
1198
self).process_request(request, client_address)
1199
# Close unused ends for parent
1200
self.parent_pipe[0].close() # close read end
1201
self.child_pipe[1].close() # close write end
1202
self.add_pipe_fds(self.child_pipe[0], self.parent_pipe[1])
1203
def add_pipe_fds(self, child_pipe_fd, parent_pipe_fd):
1616
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1618
proc = MultiprocessingMixIn.process_request(self, request,
1620
self.child_pipe.close()
1621
self.add_pipe(parent_pipe, proc)
1623
def add_pipe(self, parent_pipe, proc):
1204
1624
"""Dummy function; override as necessary"""
1205
child_pipe_fd.close()
1206
parent_pipe_fd.close()
1209
class IPv6_TCPServer(ForkingMixInWithPipes,
1625
raise NotImplementedError
1628
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1210
1629
socketserver.TCPServer, object):
1211
1630
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1319
1743
for cond, name in
1320
1744
condition_names.iteritems()
1321
1745
if cond & condition)
1322
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1325
# Read a line from the file object
1326
cmdline = sender.readline()
1327
if not cmdline: # Empty line means end of file
1328
# close the IPC pipes
1332
# Stop calling this function
1335
logger.debug(u"IPC command: %r", cmdline)
1337
# Parse and act on command
1338
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1340
if cmd == u"NOTFOUND":
1341
fpr, address = args.split(None, 1)
1342
logger.warning(u"Client not found for fingerprint: %s, ad"
1343
u"dress: %s", fpr, address)
1346
mandos_dbus_service.ClientNotFound(fpr, address)
1347
elif cmd == u"DISABLED":
1348
for client in self.clients:
1349
if client.name == args:
1350
logger.warning(u"Client %s is disabled", args)
1356
logger.error(u"Unknown client %s is disabled", args)
1357
elif cmd == u"SENDING":
1358
for client in self.clients:
1359
if client.name == args:
1360
logger.info(u"Sending secret to %s", client.name)
1367
logger.error(u"Sending secret to unknown client %s",
1369
elif cmd == u"GETATTR":
1370
attr_name, fpr = args.split(None, 1)
1371
for client in self.clients:
1372
if client.fingerprint == fpr:
1373
attr_value = getattr(client, attr_name, None)
1374
logger.debug("IPC reply: %r", attr_value)
1375
pickle.dump(attr_value, reply)
1378
logger.error(u"Client %s on address %s requesting "
1379
u"attribute %s not found", fpr, address,
1381
pickle.dump(None, reply)
1383
logger.error(u"Unknown IPC command: %r", cmdline)
1385
# Keep calling this function
1746
# error, or the other end of multiprocessing.Pipe has closed
1747
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
1748
# Wait for other process to exit
1752
# Read a request from the child
1753
request = parent_pipe.recv()
1754
command = request[0]
1756
if command == 'init':
1758
address = request[2]
1760
for c in self.clients.itervalues():
1761
if c.fingerprint == fpr:
1765
logger.info("Client not found for fingerprint: %s, ad"
1766
"dress: %s", fpr, address)
1769
mandos_dbus_service.ClientNotFound(fpr,
1771
parent_pipe.send(False)
1774
gobject.io_add_watch(parent_pipe.fileno(),
1775
gobject.IO_IN | gobject.IO_HUP,
1776
functools.partial(self.handle_ipc,
1782
parent_pipe.send(True)
1783
# remove the old hook in favor of the new above hook on
1786
if command == 'funcall':
1787
funcname = request[1]
1791
parent_pipe.send(('data', getattr(client_object,
1795
if command == 'getattr':
1796
attrname = request[1]
1797
if callable(client_object.__getattribute__(attrname)):
1798
parent_pipe.send(('function',))
1800
parent_pipe.send(('data', client_object
1801
.__getattribute__(attrname)))
1803
if command == 'setattr':
1804
attrname = request[1]
1806
setattr(client_object, attrname, value)
1389
1811
def string_to_delta(interval):
1390
1812
"""Parse a string and return a datetime.timedelta
1392
>>> string_to_delta(u'7d')
1814
>>> string_to_delta('7d')
1393
1815
datetime.timedelta(7)
1394
>>> string_to_delta(u'60s')
1816
>>> string_to_delta('60s')
1395
1817
datetime.timedelta(0, 60)
1396
>>> string_to_delta(u'60m')
1818
>>> string_to_delta('60m')
1397
1819
datetime.timedelta(0, 3600)
1398
>>> string_to_delta(u'24h')
1820
>>> string_to_delta('24h')
1399
1821
datetime.timedelta(1)
1400
>>> string_to_delta(u'1w')
1822
>>> string_to_delta('1w')
1401
1823
datetime.timedelta(7)
1402
>>> string_to_delta(u'5m 30s')
1824
>>> string_to_delta('5m 30s')
1403
1825
datetime.timedelta(0, 330)
1405
1827
timevalue = datetime.timedelta(0)
1479
1901
##################################################################
1480
1902
# Parsing of options, both command line and config file
1482
parser = optparse.OptionParser(version = "%%prog %s" % version)
1483
parser.add_option("-i", u"--interface", type=u"string",
1484
metavar="IF", help=u"Bind to interface IF")
1485
parser.add_option("-a", u"--address", type=u"string",
1486
help=u"Address to listen for requests on")
1487
parser.add_option("-p", u"--port", type=u"int",
1488
help=u"Port number to receive requests on")
1489
parser.add_option("--check", action=u"store_true",
1490
help=u"Run self-test")
1491
parser.add_option("--debug", action=u"store_true",
1492
help=u"Debug mode; run in foreground and log to"
1494
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1495
u" priority string (see GnuTLS documentation)")
1496
parser.add_option("--servicename", type=u"string",
1497
metavar=u"NAME", help=u"Zeroconf service name")
1498
parser.add_option("--configdir", type=u"string",
1499
default=u"/etc/mandos", metavar=u"DIR",
1500
help=u"Directory to search for configuration"
1502
parser.add_option("--no-dbus", action=u"store_false",
1503
dest=u"use_dbus", help=u"Do not provide D-Bus"
1504
u" system bus interface")
1505
parser.add_option("--no-ipv6", action=u"store_false",
1506
dest=u"use_ipv6", help=u"Do not use IPv6")
1507
options = parser.parse_args()[0]
1904
parser = argparse.ArgumentParser()
1905
parser.add_argument("-v", "--version", action="version",
1906
version = "%%(prog)s %s" % version,
1907
help="show version number and exit")
1908
parser.add_argument("-i", "--interface", metavar="IF",
1909
help="Bind to interface IF")
1910
parser.add_argument("-a", "--address",
1911
help="Address to listen for requests on")
1912
parser.add_argument("-p", "--port", type=int,
1913
help="Port number to receive requests on")
1914
parser.add_argument("--check", action="store_true",
1915
help="Run self-test")
1916
parser.add_argument("--debug", action="store_true",
1917
help="Debug mode; run in foreground and log"
1919
parser.add_argument("--debuglevel", metavar="LEVEL",
1920
help="Debug level for stdout output")
1921
parser.add_argument("--priority", help="GnuTLS"
1922
" priority string (see GnuTLS documentation)")
1923
parser.add_argument("--servicename",
1924
metavar="NAME", help="Zeroconf service name")
1925
parser.add_argument("--configdir",
1926
default="/etc/mandos", metavar="DIR",
1927
help="Directory to search for configuration"
1929
parser.add_argument("--no-dbus", action="store_false",
1930
dest="use_dbus", help="Do not provide D-Bus"
1931
" system bus interface")
1932
parser.add_argument("--no-ipv6", action="store_false",
1933
dest="use_ipv6", help="Do not use IPv6")
1934
parser.add_argument("--no-restore", action="store_false",
1936
help="Do not restore stored state",
1939
options = parser.parse_args()
1509
1941
if options.check:
1557
1990
##################################################################
1559
1992
# For convenience
1560
debug = server_settings[u"debug"]
1561
use_dbus = server_settings[u"use_dbus"]
1562
use_ipv6 = server_settings[u"use_ipv6"]
1565
syslogger.setLevel(logging.WARNING)
1566
console.setLevel(logging.WARNING)
1568
if server_settings[u"servicename"] != u"Mandos":
1993
debug = server_settings["debug"]
1994
debuglevel = server_settings["debuglevel"]
1995
use_dbus = server_settings["use_dbus"]
1996
use_ipv6 = server_settings["use_ipv6"]
1998
if server_settings["servicename"] != "Mandos":
1569
1999
syslogger.setFormatter(logging.Formatter
1570
(u'Mandos (%s) [%%(process)d]:'
1571
u' %%(levelname)s: %%(message)s'
1572
% server_settings[u"servicename"]))
2000
('Mandos (%s) [%%(process)d]:'
2001
' %%(levelname)s: %%(message)s'
2002
% server_settings["servicename"]))
1574
2004
# Parse config file with clients
1575
client_defaults = { u"timeout": u"1h",
1577
u"checker": u"fping -q -- %%(host)s",
2005
client_defaults = { "timeout": "5m",
2006
"extended_timeout": "15m",
2008
"checker": "fping -q -- %%(host)s",
2010
"approval_delay": "0s",
2011
"approval_duration": "1s",
1580
2013
client_config = configparser.SafeConfigParser(client_defaults)
1581
client_config.read(os.path.join(server_settings[u"configdir"],
2014
client_config.read(os.path.join(server_settings["configdir"],
1584
2017
global mandos_dbus_service
1585
2018
mandos_dbus_service = None
1587
tcp_server = MandosServer((server_settings[u"address"],
1588
server_settings[u"port"]),
2020
tcp_server = MandosServer((server_settings["address"],
2021
server_settings["port"]),
1590
interface=server_settings[u"interface"],
2023
interface=(server_settings["interface"]
1591
2025
use_ipv6=use_ipv6,
1592
2026
gnutls_priority=
1593
server_settings[u"priority"],
2027
server_settings["priority"],
1594
2028
use_dbus=use_dbus)
1595
pidfilename = u"/var/run/mandos.pid"
1597
pidfile = open(pidfilename, u"w")
1599
logger.error(u"Could not open file %r", pidfilename)
2030
pidfilename = "/var/run/mandos.pid"
2032
pidfile = open(pidfilename, "w")
2034
logger.error("Could not open file %r", pidfilename)
1602
uid = pwd.getpwnam(u"_mandos").pw_uid
1603
gid = pwd.getpwnam(u"_mandos").pw_gid
2037
uid = pwd.getpwnam("_mandos").pw_uid
2038
gid = pwd.getpwnam("_mandos").pw_gid
1604
2039
except KeyError:
1606
uid = pwd.getpwnam(u"mandos").pw_uid
1607
gid = pwd.getpwnam(u"mandos").pw_gid
2041
uid = pwd.getpwnam("mandos").pw_uid
2042
gid = pwd.getpwnam("mandos").pw_gid
1608
2043
except KeyError:
1610
uid = pwd.getpwnam(u"nobody").pw_uid
1611
gid = pwd.getpwnam(u"nobody").pw_gid
2045
uid = pwd.getpwnam("nobody").pw_uid
2046
gid = pwd.getpwnam("nobody").pw_gid
1612
2047
except KeyError:
1618
except OSError, error:
2053
except OSError as error:
1619
2054
if error[0] != errno.EPERM:
1622
# Enable all possible GnuTLS debugging
2057
if not debug and not debuglevel:
2058
logger.setLevel(logging.WARNING)
2060
level = getattr(logging, debuglevel.upper())
2061
logger.setLevel(level)
2064
logger.setLevel(logging.DEBUG)
2065
# Enable all possible GnuTLS debugging
1624
2067
# "Use a log level over 10 to enable all debugging options."
1625
2068
# - GnuTLS manual
1626
2069
gnutls.library.functions.gnutls_global_set_log_level(11)
1628
2071
@gnutls.library.types.gnutls_log_func
1629
2072
def debug_gnutls(level, string):
1630
logger.debug(u"GnuTLS: %s", string[:-1])
2073
logger.debug("GnuTLS: %s", string[:-1])
1632
2075
(gnutls.library.functions
1633
2076
.gnutls_global_set_log_function(debug_gnutls))
2078
# Redirect stdin so all checkers get /dev/null
2079
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2080
os.dup2(null, sys.stdin.fileno())
2084
# No console logging
2085
logger.removeHandler(console)
2087
# Need to fork before connecting to D-Bus
2089
# Close all input and output, do double fork, etc.
1635
2092
global main_loop
1636
2093
# From the Avahi example code
1640
2097
# End of Avahi example code
1643
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos",
2100
bus_name = dbus.service.BusName("se.recompile.Mandos",
1644
2101
bus, do_not_queue=True)
1645
except dbus.exceptions.NameExistsException, e:
1646
logger.error(unicode(e) + u", disabling D-Bus")
2102
old_bus_name = (dbus.service.BusName
2103
("se.bsnet.fukt.Mandos", bus,
2105
except dbus.exceptions.NameExistsException as e:
2106
logger.error(unicode(e) + ", disabling D-Bus")
1647
2107
use_dbus = False
1648
server_settings[u"use_dbus"] = False
2108
server_settings["use_dbus"] = False
1649
2109
tcp_server.use_dbus = False
1650
2110
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1651
service = AvahiService(name = server_settings[u"servicename"],
1652
servicetype = u"_mandos._tcp",
1653
protocol = protocol, bus = bus)
2111
service = AvahiServiceToSyslog(name =
2112
server_settings["servicename"],
2113
servicetype = "_mandos._tcp",
2114
protocol = protocol, bus = bus)
1654
2115
if server_settings["interface"]:
1655
2116
service.interface = (if_nametoindex
1656
(str(server_settings[u"interface"])))
2117
(str(server_settings["interface"])))
2119
global multiprocessing_manager
2120
multiprocessing_manager = multiprocessing.Manager()
1658
2122
client_class = Client
1660
client_class = functools.partial(ClientDBus, bus = bus)
1661
tcp_server.clients.update(set(
1662
client_class(name = section,
1663
config= dict(client_config.items(section)))
1664
for section in client_config.sections()))
2124
client_class = functools.partial(ClientDBusTransitional,
2127
special_settings = {
2128
# Some settings need to be accessd by special methods;
2129
# booleans need .getboolean(), etc. Here is a list of them:
2130
"approved_by_default":
2132
client_config.getboolean(section, "approved_by_default"),
2134
# Construct a new dict of client settings of this form:
2135
# { client_name: {setting_name: value, ...}, ...}
2136
# with exceptions for any special settings as defined above
2137
client_settings = dict((clientname,
2140
setting not in special_settings
2141
else special_settings[setting]
2144
in client_config.items(clientname)))
2145
for clientname in client_config.sections())
2147
old_client_settings = {}
2150
# Get client data and settings from last running state.
2151
if server_settings["restore"]:
2153
with open(stored_state_path, "rb") as stored_state:
2154
clients_data, old_client_settings = (
2155
pickle.load(stored_state))
2156
os.remove(stored_state_path)
2157
except IOError as e:
2158
logger.warning("Could not load persistant state: {0}"
2160
if e.errno != errno.ENOENT:
2163
for client in clients_data:
2164
client_name = client["name"]
2166
# Decide which value to use after restoring saved state.
2167
# We have three different values: Old config file,
2168
# new config file, and saved state.
2169
# New config value takes precedence if it differs from old
2170
# config value, otherwise use saved state.
2171
for name, value in client_settings[client_name].items():
2173
# For each value in new config, check if it differs
2174
# from the old config value (Except for the "secret"
2176
if (name != "secret" and
2177
value != old_client_settings[client_name][name]):
2178
setattr(client, name, value)
2182
# Clients who has passed its expire date, can still be enabled
2183
# if its last checker was sucessful. Clients who checkers
2184
# failed before we stored it state is asumed to had failed
2185
# checker during downtime.
2186
if client["enabled"] and client["last_checked_ok"]:
2187
if ((datetime.datetime.utcnow()
2188
- client["last_checked_ok"]) > client["interval"]):
2189
if client["last_checker_status"] != 0:
2190
client["enabled"] = False
2192
client["expires"] = (datetime.datetime.utcnow()
2193
+ client["timeout"])
2195
client["changedstate"] = (multiprocessing_manager
2196
.Condition(multiprocessing_manager
2199
new_client = ClientDBusTransitional.__new__(
2200
ClientDBusTransitional)
2201
tcp_server.clients[client_name] = new_client
2202
new_client.bus = bus
2203
for name, value in client.iteritems():
2204
setattr(new_client, name, value)
2205
new_client._approvals_pending = 0
2206
new_client.add_to_dbus()
2208
tcp_server.clients[client_name] = Client.__new__(Client)
2209
for name, value in client.iteritems():
2210
setattr(tcp_server.clients[client_name], name, value)
2212
tcp_server.clients[client_name].decrypt_secret(
2213
client_settings[client_name]["secret"])
2215
# Create/remove clients based on new changes made to config
2216
for clientname in set(old_client_settings) - set(client_settings):
2217
del tcp_server.clients[clientname]
2218
for clientname in set(client_settings) - set(old_client_settings):
2219
tcp_server.clients[clientname] = client_class(name
1665
2225
if not tcp_server.clients:
1666
logger.warning(u"No clients defined")
1669
# Redirect stdin so all checkers get /dev/null
1670
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1671
os.dup2(null, sys.stdin.fileno())
1675
# No console logging
1676
logger.removeHandler(console)
1677
# Close all input and output, do double fork, etc.
1683
pidfile.write(str(pid) + "\n")
1686
logger.error(u"Could not write to file %r with PID %d",
1689
# "pidfile" was never created
2226
logger.warning("No clients defined")
2232
pidfile.write(str(pid) + "\n".encode("utf-8"))
2235
logger.error("Could not write to file %r with PID %d",
2238
# "pidfile" was never created
1694
2242
signal.signal(signal.SIGINT, signal.SIG_IGN)
1695
2244
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1696
2245
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1699
2248
class MandosDBusService(dbus.service.Object):
1700
2249
"""A D-Bus proxy object"""
1701
2250
def __init__(self):
1702
dbus.service.Object.__init__(self, bus, u"/")
1703
_interface = u"se.bsnet.fukt.Mandos"
2251
dbus.service.Object.__init__(self, bus, "/")
2252
_interface = "se.recompile.Mandos"
1705
@dbus.service.signal(_interface, signature=u"o")
2254
@dbus.service.signal(_interface, signature="o")
1706
2255
def ClientAdded(self, objpath):
1710
@dbus.service.signal(_interface, signature=u"ss")
2259
@dbus.service.signal(_interface, signature="ss")
1711
2260
def ClientNotFound(self, fingerprint, address):
1715
@dbus.service.signal(_interface, signature=u"os")
2264
@dbus.service.signal(_interface, signature="os")
1716
2265
def ClientRemoved(self, objpath, name):
1720
@dbus.service.method(_interface, out_signature=u"ao")
2269
@dbus.service.method(_interface, out_signature="ao")
1721
2270
def GetAllClients(self):
1723
2272
return dbus.Array(c.dbus_object_path
1724
for c in tcp_server.clients)
2274
tcp_server.clients.itervalues())
1726
2276
@dbus.service.method(_interface,
1727
out_signature=u"a{oa{sv}}")
2277
out_signature="a{oa{sv}}")
1728
2278
def GetAllClientsWithProperties(self):
1730
2280
return dbus.Dictionary(
1731
((c.dbus_object_path, c.GetAll(u""))
1732
for c in tcp_server.clients),
1733
signature=u"oa{sv}")
2281
((c.dbus_object_path, c.GetAll(""))
2282
for c in tcp_server.clients.itervalues()),
1735
@dbus.service.method(_interface, in_signature=u"o")
2285
@dbus.service.method(_interface, in_signature="o")
1736
2286
def RemoveClient(self, object_path):
1738
for c in tcp_server.clients:
2288
for c in tcp_server.clients.itervalues():
1739
2289
if c.dbus_object_path == object_path:
1740
tcp_server.clients.remove(c)
2290
del tcp_server.clients[c.name]
1741
2291
c.remove_from_connection()
1742
2292
# Don't signal anything except ClientRemoved
1743
2293
c.disable(quiet=True)