/mandos/trunk : revision 525

11

# "AvahiService" class, and some lines in "main".

12

#

13

# Everything else is

14

15

14

15

16

#

17

# This program is free software: you can redistribute it and/or modify

18

# it under the terms of the GNU General Public License as published by

34

from __future__ import (division, absolute_import, print_function,

35

unicode_literals)

36

37

from future_builtins import *

38

39

37

import SocketServer as socketserver

40

38

import socket

41

39

import argparse

67

65

import types

68

66

import binascii

69

67

import tempfile

70

import itertools

71

import collections

72

68

73

69

import dbus

74

70

import dbus.service

79

75

import ctypes.util

80

76

import xml.dom.minidom

81

77

import inspect

78

import GnuPGInterface

82

79

83

80

try:

84

81

SO_BINDTODEVICE = socket.SO_BINDTODEVICE

88

85

except ImportError:

89

86

SO_BINDTODEVICE = None

90

87

91

version = "1.6.5"

88

version = "1.4.1"

92

89

stored_state_file = "clients.pickle"

93

90

94

91

logger = logging.getLogger()

95

syslogger = None

92

syslogger = (logging.handlers.SysLogHandler

93

(facility = logging.handlers.SysLogHandler.LOG_DAEMON,

94

address = str("/dev/log")))

96

95

97

96

try:

98

97

if_nametoindex = (ctypes.cdll.LoadLibrary

111

110

return interface_index

112

111

113

112

114

def initlogger(debug, level=logging.WARNING):

113

def initlogger(level=logging.WARNING):

115

114

"""init logger and add loglevel"""

116

115

117

syslogger = (logging.handlers.SysLogHandler

118

(facility =

119

logging.handlers.SysLogHandler.LOG_DAEMON,

120

address = str("/dev/log")))

121

116

syslogger.setFormatter(logging.Formatter

122

117

('Mandos [%(process)d]: %(levelname)s:'

123

118

' %(message)s'))

124

119

logger.addHandler(syslogger)

125

120

126

if debug:

127

console = logging.StreamHandler()

128

console.setFormatter(logging.Formatter('%(asctime)s %(name)s'

129

' [%(process)d]:'

130

' %(levelname)s:'

131

' %(message)s'))

132

logger.addHandler(console)

121

console = logging.StreamHandler()

122

console.setFormatter(logging.Formatter('%(asctime)s %(name)s'

123

' [%(process)d]:'

124

' %(levelname)s:'

125

' %(message)s'))

126

logger.addHandler(console)

133

127

logger.setLevel(level)

134

128

135

129

141

135

class PGPEngine(object):

142

136

"""A simple class for OpenPGP symmetric encryption & decryption"""

143

137

def __init__(self):

138

self.gnupg = GnuPGInterface.GnuPG()

144

139

self.tempdir = tempfile.mkdtemp(prefix="mandos-")

145

self.gnupgargs = ['--batch',

146

'--home', self.tempdir,

147

'--force-mdc',

148

'--quiet',

149

'--no-use-agent']

140

self.gnupg = GnuPGInterface.GnuPG()

141

self.gnupg.options.meta_interactive = False

142

self.gnupg.options.homedir = self.tempdir

143

self.gnupg.options.extra_args.extend(['--force-mdc',

144

'--quiet'])

150

145

151

146

def __enter__(self):

152

147

return self

153

148

154

def __exit__(self, exc_type, exc_value, traceback):

149

def __exit__ (self, exc_type, exc_value, traceback):

155

150

self._cleanup()

156

151

return False

157

152

174

169

def password_encode(self, password):

175

170

# Passphrase can not be empty and can not contain newlines or

176

171

# NUL bytes. So we prefix it and hex encode it.

177

encoded = b"mandos" + binascii.hexlify(password)

178

if len(encoded) > 2048:

179

# GnuPG can't handle long passwords, so encode differently

180

encoded = (b"mandos" + password.replace(b"\\", b"\\\\")

181

.replace(b"\n", b"\\n")

182

.replace(b"\0", b"\\x00"))

183

return encoded

172

return b"mandos" + binascii.hexlify(password)

184

173

185

174

def encrypt(self, data, password):

186

passphrase = self.password_encode(password)

187

with tempfile.NamedTemporaryFile(dir=self.tempdir

188

) as passfile:

189

passfile.write(passphrase)

190

passfile.flush()

191

proc = subprocess.Popen(['gpg', '--symmetric',

192

'--passphrase-file',

193

passfile.name]

194

+ self.gnupgargs,

195

stdin = subprocess.PIPE,

196

stdout = subprocess.PIPE,

197

stderr = subprocess.PIPE)

198

ciphertext, err = proc.communicate(input = data)

199

if proc.returncode != 0:

200

raise PGPError(err)

175

self.gnupg.passphrase = self.password_encode(password)

176

with open(os.devnull) as devnull:

177

try:

178

proc = self.gnupg.run(['--symmetric'],

179

create_fhs=['stdin', 'stdout'],

180

attach_fhs={'stderr': devnull})

181

with contextlib.closing(proc.handles['stdin']) as f:

182

f.write(data)

183

with contextlib.closing(proc.handles['stdout']) as f:

184

ciphertext = f.read()

185

proc.wait()

186

except IOError as e:

187

raise PGPError(e)

188

self.gnupg.passphrase = None

201

189

return ciphertext

202

190

203

191

def decrypt(self, data, password):

204

passphrase = self.password_encode(password)

205

with tempfile.NamedTemporaryFile(dir = self.tempdir

206

) as passfile:

207

passfile.write(passphrase)

208

passfile.flush()

209

proc = subprocess.Popen(['gpg', '--decrypt',

210

'--passphrase-file',

211

passfile.name]

212

+ self.gnupgargs,

213

stdin = subprocess.PIPE,

214

stdout = subprocess.PIPE,

215

stderr = subprocess.PIPE)

216

decrypted_plaintext, err = proc.communicate(input

217

= data)

218

if proc.returncode != 0:

219

raise PGPError(err)

192

self.gnupg.passphrase = self.password_encode(password)

193

with open(os.devnull) as devnull:

194

try:

195

proc = self.gnupg.run(['--decrypt'],

196

create_fhs=['stdin', 'stdout'],

197

attach_fhs={'stderr': devnull})

198

with contextlib.closing(proc.handles['stdin'] ) as f:

199

f.write(data)

200

with contextlib.closing(proc.handles['stdout']) as f:

201

decrypted_plaintext = f.read()

202

proc.wait()

203

except IOError as e:

204

raise PGPError(e)

205

self.gnupg.passphrase = None

220

206

return decrypted_plaintext

221

207

222

208

209

223

210

class AvahiError(Exception):

224

211

def __init__(self, value, *args, **kwargs):

225

212

self.value = value

242

229

Used to optionally bind to the specified interface.

243

230

name: string; Example: 'Mandos'

244

231

type: string; Example: '_mandos._tcp'.

245

See <https://www.iana.org/assignments/service-names-port-numbers>

232

See <http://www.dns-sd.org/ServiceTypes.html>

246

233

port: integer; what port to announce

247

234

TXT: list of strings; TXT record for the service

248

235

domain: string; Domain to publish on, default to .local if empty.

254

241

server: D-Bus Server

255

242

bus: dbus.SystemBus()

256

243

"""

257

258

244

def __init__(self, interface = avahi.IF_UNSPEC, name = None,

259

245

servicetype = None, port = None, TXT = None,

260

246

domain = "", host = "", max_renames = 32768,

273

259

self.server = None

274

260

self.bus = bus

275

261

self.entry_group_state_changed_match = None

276

277

262

def rename(self):

278

263

"""Derived from the Avahi example code"""

279

264

if self.rename_count >= self.max_renames:

289

274

try:

290

275

self.add()

291

276

except dbus.exceptions.DBusException as error:

292

logger.critical("D-Bus Exception", exc_info=error)

277

logger.critical("DBusException: %s", error)

293

278

self.cleanup()

294

279

os._exit(1)

295

280

self.rename_count += 1

296

297

281

def remove(self):

298

282

"""Derived from the Avahi example code"""

299

283

if self.entry_group_state_changed_match is not None:

301

285

self.entry_group_state_changed_match = None

302

286

if self.group is not None:

303

287

self.group.Reset()

304

305

288

def add(self):

306

289

"""Derived from the Avahi example code"""

307

290

self.remove()

324

307

dbus.UInt16(self.port),

325

308

avahi.string_array_to_txt_array(self.TXT))

326

309

self.group.Commit()

327

328

310

def entry_group_state_changed(self, state, error):

329

311

"""Derived from the Avahi example code"""

330

312

logger.debug("Avahi entry group state change: %i", state)

337

319

elif state == avahi.ENTRY_GROUP_FAILURE:

338

320

logger.critical("Avahi: Error in group state changed %s",

339

321

unicode(error))

340

raise AvahiGroupError("State changed: {0!s}"

341

.format(error))

342

322

raise AvahiGroupError("State changed: %s"

323

% unicode(error))

343

324

def cleanup(self):

344

325

"""Derived from the Avahi example code"""

345

326

if self.group is not None:

350

331

pass

351

332

self.group = None

352

333

self.remove()

353

354

334

def server_state_changed(self, state, error=None):

355

335

"""Derived from the Avahi example code"""

356

336

logger.debug("Avahi server state change: %i", state)

375

355

logger.debug("Unknown state: %r", state)

376

356

else:

377

357

logger.debug("Unknown state: %r: %r", state, error)

378

379

358

def activate(self):

380

359

"""Derived from the Avahi example code"""

381

360

if self.server is None:

388

367

self.server_state_changed)

389

368

self.server_state_changed(self.server.GetState())

390

369

391

392

370

class AvahiServiceToSyslog(AvahiService):

393

371

def rename(self):

394

372

"""Add the new name to the syslog messages"""

395

373

ret = AvahiService.rename(self)

396

374

syslogger.setFormatter(logging.Formatter

397

('Mandos ({0}) [%(process)d]:'

398

' %(levelname)s: %(message)s'

399

.format(self.name)))

375

('Mandos (%s) [%%(process)d]:'

376

' %%(levelname)s: %%(message)s'

377

% self.name))

400

378

return ret

401

379

402

403

380

def timedelta_to_milliseconds(td):

404

381

"Convert a datetime.timedelta() to milliseconds"

405

382

return ((td.days * 24 * 60 * 60 * 1000)

406

383

+ (td.seconds * 1000)

407

384

+ (td.microseconds // 1000))

408

409

385

410

386

class Client(object):

411

387

"""A representation of a client host served by this server.

412

388

437

413

last_checked_ok: datetime.datetime(); (UTC) or None

438

414

last_checker_status: integer between 0 and 255 reflecting exit

439

415

status of last checker. -1 reflects crashed

440

checker, -2 means no checker completed yet.

416

checker, or None.

441

417

last_enabled: datetime.datetime(); (UTC) or None

442

418

name: string; from the config file, used in log messages and

443

419

D-Bus identifiers

444

420

secret: bytestring; sent verbatim (over TLS) to client

445

421

timeout: datetime.timedelta(); How long from last_checked_ok

446

422

until this client is disabled

447

extended_timeout: extra long timeout when secret has been sent

423

extended_timeout: extra long timeout when password has been sent

448

424

runtime_expansions: Allowed attributes for runtime expansion.

449

425

expires: datetime.datetime(); time (UTC) when a client will be

450

426

disabled, or None

451

server_settings: The server_settings dict from main()

452

427

"""

453

428

454

429

runtime_expansions = ("approval_delay", "approval_duration",

455

"created", "enabled", "expires",

456

"fingerprint", "host", "interval",

457

"last_approval_request", "last_checked_ok",

430

"created", "enabled", "fingerprint",

431

"host", "interval", "last_checked_ok",

458

432

"last_enabled", "name", "timeout")

459

client_defaults = { "timeout": "PT5M",

460

"extended_timeout": "PT15M",

461

"interval": "PT2M",

433

client_defaults = { "timeout": "5m",

434

"extended_timeout": "15m",

435

"interval": "2m",

462

436

"checker": "fping -q -- %%(host)s",

463

437

"host": "",

464

"approval_delay": "PT0S",

465

"approval_duration": "PT1S",

438

"approval_delay": "0s",

439

"approval_duration": "1s",

466

440

"approved_by_default": "True",

467

441

"enabled": "True",

468

442

}

481

455

482

456

def approval_delay_milliseconds(self):

483

457

return timedelta_to_milliseconds(self.approval_delay)

484

458

485

459

@staticmethod

486

460

def config_parser(config):

487

"""Construct a new dict of client settings of this form:

461

""" Construct a new dict of client settings of this form:

488

462

{ client_name: {setting_name: value, ...}, ...}

489

with exceptions for any special settings as defined above.

490

NOTE: Must be a pure function. Must return the same result

491

value given the same arguments.

492

"""

463

with exceptions for any special settings as defined above"""

493

464

settings = {}

494

465

for client_name in config.sections():

495

466

section = dict(config.items(client_name))

499

470

# Reformat values from string types to Python types

500

471

client["approved_by_default"] = config.getboolean(

501

472

client_name, "approved_by_default")

502

client["enabled"] = config.getboolean(client_name,

503

"enabled")

473

client["enabled"] = config.getboolean(client_name, "enabled")

504

474

505

475

client["fingerprint"] = (section["fingerprint"].upper()

506

476

.replace(" ", ""))

512

482

"rb") as secfile:

513

483

client["secret"] = secfile.read()

514

484

else:

515

raise TypeError("No secret or secfile for section {0}"

516

.format(section))

485

raise TypeError("No secret or secfile for section %s"

486

% section)

517

487

client["timeout"] = string_to_delta(section["timeout"])

518

488

client["extended_timeout"] = string_to_delta(

519

489

section["extended_timeout"])

525

495

client["checker_command"] = section["checker"]

526

496

client["last_approval_request"] = None

527

497

client["last_checked_ok"] = None

528

client["last_checker_status"] = -2

529

498

client["last_checker_status"] = None

499

if client["enabled"]:

500

client["last_enabled"] = datetime.datetime.utcnow()

501

client["expires"] = (datetime.datetime.utcnow()

502

+ client["timeout"])

503

else:

504

client["last_enabled"] = None

505

client["expires"] = None

506

530

507

return settings

531

532

def __init__(self, settings, name = None, server_settings=None):

508

509

510

def __init__(self, settings, name = None):

511

"""Note: the 'checker' key in 'config' sets the

512

'checker_command' attribute and *not* the 'checker'

513

attribute."""

533

514

self.name = name

534

if server_settings is None:

535

server_settings = {}

536

self.server_settings = server_settings

537

515

# adding all client settings

538

516

for setting, value in settings.iteritems():

539

517

setattr(self, setting, value)

540

518

541

if self.enabled:

542

if not hasattr(self, "last_enabled"):

543

self.last_enabled = datetime.datetime.utcnow()

544

if not hasattr(self, "expires"):

545

self.expires = (datetime.datetime.utcnow()

546

+ self.timeout)

547

else:

548

self.last_enabled = None

549

self.expires = None

550

551

519

logger.debug("Creating client %r", self.name)

552

520

# Uppercase and remove spaces from fingerprint for later

553

521

# comparison purposes with return value from the fingerprint()

554

522

# function

555

523

logger.debug(" Fingerprint: %s", self.fingerprint)

556

self.created = settings.get("created",

557

datetime.datetime.utcnow())

558

524

self.created = settings.get("created", datetime.datetime.utcnow())

525

559

526

# attributes specific for this server instance

560

527

self.checker = None

561

528

self.checker_initiator_tag = None

589

556

if getattr(self, "enabled", False):

590

557

# Already enabled

591

558

return

559

self.send_changedstate()

592

560

self.expires = datetime.datetime.utcnow() + self.timeout

593

561

self.enabled = True

594

562

self.last_enabled = datetime.datetime.utcnow()

595

563

self.init_checker()

596

self.send_changedstate()

597

564

598

565

def disable(self, quiet=True):

599

566

"""Disable this client."""

600

567

if not getattr(self, "enabled", False):

601

568

return False

602

569

if not quiet:

570

self.send_changedstate()

571

if not quiet:

603

572

logger.info("Disabling client %s", self.name)

604

if getattr(self, "disable_initiator_tag", None) is not None:

573

if getattr(self, "disable_initiator_tag", False):

605

574

gobject.source_remove(self.disable_initiator_tag)

606

575

self.disable_initiator_tag = None

607

576

self.expires = None

608

if getattr(self, "checker_initiator_tag", None) is not None:

577

if getattr(self, "checker_initiator_tag", False):

609

578

gobject.source_remove(self.checker_initiator_tag)

610

579

self.checker_initiator_tag = None

611

580

self.stop_checker()

612

581

self.enabled = False

613

if not quiet:

614

self.send_changedstate()

615

582

# Do not run this again if called by a gobject.timeout_add

616

583

return False

617

584

621

588

def init_checker(self):

622

589

# Schedule a new checker to be started an 'interval' from now,

623

590

# and every interval from then on.

624

if self.checker_initiator_tag is not None:

625

gobject.source_remove(self.checker_initiator_tag)

626

591

self.checker_initiator_tag = (gobject.timeout_add

627

592

(self.interval_milliseconds(),

628

593

self.start_checker))

629

594

# Schedule a disable() when 'timeout' has passed

630

if self.disable_initiator_tag is not None:

631

gobject.source_remove(self.disable_initiator_tag)

632

595

self.disable_initiator_tag = (gobject.timeout_add

633

596

(self.timeout_milliseconds(),

634

597

self.disable))

653

616

logger.warning("Checker for %(name)s crashed?",

654

617

vars(self))

655

618

656

def checked_ok(self):

657

"""Assert that the client has been seen, alive and well."""

658

self.last_checked_ok = datetime.datetime.utcnow()

659

self.last_checker_status = 0

660

self.bump_timeout()

661

662

def bump_timeout(self, timeout=None):

663

"""Bump up the timeout for this client."""

619

def checked_ok(self, timeout=None):

620

"""Bump up the timeout for this client.

621

622

This should only be called when the client has been seen,

623

alive and well.

624

"""

664

625

if timeout is None:

665

626

timeout = self.timeout

627

self.last_checked_ok = datetime.datetime.utcnow()

666

628

if self.disable_initiator_tag is not None:

667

629

gobject.source_remove(self.disable_initiator_tag)

668

self.disable_initiator_tag = None

669

630

if getattr(self, "enabled", False):

670

631

self.disable_initiator_tag = (gobject.timeout_add

671

632

(timedelta_to_milliseconds

681

642

If a checker already exists, leave it running and do

682

643

nothing."""

683

644

# The reason for not killing a running checker is that if we

684

# did that, and if a checker (for some reason) started running

685

# slowly and taking more than 'interval' time, then the client

686

# would inevitably timeout, since no checker would get a

687

# chance to run to completion. If we instead leave running

645

# did that, then if a checker (for some reason) started

646

# running slowly and taking more than 'interval' time, the

647

# client would inevitably timeout, since no checker would get

648

# a chance to run to completion. If we instead leave running

688

649

# checkers alone, the checker would have to take more time

689

650

# than 'timeout' for the client to be disabled, which is as it

690

651

# should be.

692

653

# If a checker exists, make sure it is not a zombie

693

654

try:

694

655

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

695

except AttributeError:

696

pass

697

except OSError as error:

698

if error.errno != errno.ECHILD:

699

raise

656

except (AttributeError, OSError) as error:

657

if (isinstance(error, OSError)

658

and error.errno != errno.ECHILD):

659

raise error

700

660

else:

701

661

if pid:

702

662

logger.warning("Checker was a zombie")

705

665

self.current_checker_command)

706

666

# Start a new checker if needed

707

667

if self.checker is None:

708

# Escape attributes for the shell

709

escaped_attrs = dict(

710

(attr, re.escape(unicode(getattr(self, attr))))

711

for attr in

712

self.runtime_expansions)

713

668

try:

714

command = self.checker_command % escaped_attrs

715

except TypeError as error:

716

logger.error('Could not format string "%s"',

717

self.checker_command, exc_info=error)

718

return True # Try again later

669

# In case checker_command has exactly one % operator

670

command = self.checker_command % self.host

671

except TypeError:

672

# Escape attributes for the shell

673

escaped_attrs = dict(

674

(attr,

675

re.escape(unicode(str(getattr(self, attr, "")),

676

errors=

677

'replace')))

678

for attr in

679

self.runtime_expansions)

680

681

try:

682

command = self.checker_command % escaped_attrs

683

except TypeError as error:

684

logger.error('Could not format string "%s":'

685

' %s', self.checker_command, error)

686

return True # Try again later

719

687

self.current_checker_command = command

720

688

try:

721

689

logger.info("Starting checker %r for %s",

724

692

# in normal mode, that is already done by daemon(),

725

693

# and in debug mode we don't want to. (Stdin is

726

694

# always replaced by /dev/null.)

727

# The exception is when not debugging but nevertheless

728

# running in the foreground; use the previously

729

# created wnull.

730

popen_args = {}

731

if (not self.server_settings["debug"]

732

and self.server_settings["foreground"]):

733

popen_args.update({"stdout": wnull,

734

"stderr": wnull })

735

695

self.checker = subprocess.Popen(command,

736

696

close_fds=True,

737

shell=True, cwd="/",

738

**popen_args)

739

except OSError as error:

740

logger.error("Failed to start subprocess",

741

exc_info=error)

742

return True

743

self.checker_callback_tag = (gobject.child_watch_add

744

(self.checker.pid,

745

self.checker_callback,

746

data=command))

747

# The checker may have completed before the gobject

748

# watch was added. Check for this.

749

try:

697

shell=True, cwd="/")

698

self.checker_callback_tag = (gobject.child_watch_add

699

(self.checker.pid,

700

self.checker_callback,

701

data=command))

702

# The checker may have completed before the gobject

703

# watch was added. Check for this.

750

704

pid, status = os.waitpid(self.checker.pid, os.WNOHANG)

705

if pid:

706

gobject.source_remove(self.checker_callback_tag)

707

self.checker_callback(pid, status, command)

751

708

except OSError as error:

752

if error.errno == errno.ECHILD:

753

# This should never happen

754

logger.error("Child process vanished",

755

exc_info=error)

756

return True

757

raise

758

if pid:

759

gobject.source_remove(self.checker_callback_tag)

760

self.checker_callback(pid, status, command)

709

logger.error("Failed to start subprocess: %s",

710

error)

761

711

# Re-run this periodically if run by gobject.timeout_add

762

712

return True

763

713

770

720

return

771

721

logger.debug("Stopping checker for %(name)s", vars(self))

772

722

try:

773

self.checker.terminate()

723

os.kill(self.checker.pid, signal.SIGTERM)

774

724

#time.sleep(0.5)

775

725

#if self.checker.poll() is None:

776

# self.checker.kill()

726

# os.kill(self.checker.pid, signal.SIGKILL)

777

727

except OSError as error:

778

728

if error.errno != errno.ESRCH: # No such process

779

729

raise

796

746

# "Set" method, so we fail early here:

797

747

if byte_arrays and signature != "ay":

798

748

raise ValueError("Byte arrays not supported for non-'ay'"

799

" signature {0!r}".format(signature))

749

" signature %r" % signature)

800

750

def decorator(func):

801

751

func._dbus_is_property = True

802

752

func._dbus_interface = dbus_interface

810

760

return decorator

811

761

812

762

813

def dbus_interface_annotations(dbus_interface):

814

"""Decorator for marking functions returning interface annotations

815

816

Usage:

817

818

@dbus_interface_annotations("org.example.Interface")

819

def _foo(self): # Function name does not matter

820

return {"org.freedesktop.DBus.Deprecated": "true",

821

"org.freedesktop.DBus.Property.EmitsChangedSignal":

822

"false"}

823

"""

824

def decorator(func):

825

func._dbus_is_interface = True

826

func._dbus_interface = dbus_interface

827

func._dbus_name = dbus_interface

828

return func

829

return decorator

830

831

832

def dbus_annotations(annotations):

833

"""Decorator to annotate D-Bus methods, signals or properties

834

Usage:

835

836

@dbus_service_property("org.example.Interface", signature="b",

837

access="r")

838

@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",

839

"org.freedesktop.DBus.Property."

840

"EmitsChangedSignal": "false"})

841

def Property_dbus_property(self):

842

return dbus.Boolean(False)

843

"""

844

def decorator(func):

845

func._dbus_annotations = annotations

846

return func

847

return decorator

848

849

850

763

class DBusPropertyException(dbus.exceptions.DBusException):

851

764

"""A base class for D-Bus property-related exceptions

852

765

"""

875

788

"""

876

789

877

790

@staticmethod

878

def _is_dbus_thing(thing):

879

"""Returns a function testing if an attribute is a D-Bus thing

880

881

If called like _is_dbus_thing("method") it returns a function

882

suitable for use as predicate to inspect.getmembers().

883

"""

884

return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),

885

False)

791

def _is_dbus_property(obj):

792

return getattr(obj, "_dbus_is_property", False)

886

793

887

def _get_all_dbus_things(self, thing):

794

def _get_all_dbus_properties(self):

888

795

"""Returns a generator of (name, attribute) pairs

889

796

"""

890

return ((getattr(athing.__get__(self), "_dbus_name",

891

name),

892

athing.__get__(self))

797

return ((prop.__get__(self)._dbus_name, prop.__get__(self))

893

798

for cls in self.__class__.__mro__

894

for name, athing in

895

inspect.getmembers(cls,

896

self._is_dbus_thing(thing)))

799

for name, prop in

800

inspect.getmembers(cls, self._is_dbus_property))

897

801

898

802

def _get_dbus_property(self, interface_name, property_name):

899

803

"""Returns a bound method if one exists which is a D-Bus

901

805

"""

902

806

for cls in self.__class__.__mro__:

903

807

for name, value in (inspect.getmembers

904

(cls,

905

self._is_dbus_thing("property"))):

808

(cls, self._is_dbus_property)):

906

809

if (value._dbus_name == property_name

907

810

and value._dbus_interface == interface_name):

908

811

return value.__get__(self)

936

839

# The byte_arrays option is not supported yet on

937

840

# signatures other than "ay".

938

841

if prop._dbus_signature != "ay":

939

raise ValueError("Byte arrays not supported for non-"

940

"'ay' signature {0!r}"

941

.format(prop._dbus_signature))

942

value = dbus.ByteArray(b''.join(chr(byte)

943

for byte in value))

842

raise ValueError

843

value = dbus.ByteArray(''.join(unichr(byte)

844

for byte in value))

944

845

prop(value)

945

846

946

847

@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",

952

853

Note: Will not include properties with access="write".

953

854

"""

954

855

properties = {}

955

for name, prop in self._get_all_dbus_things("property"):

856

for name, prop in self._get_all_dbus_properties():

956

857

if (interface_name

957

858

and interface_name != prop._dbus_interface):

958

859

# Interface non-empty but did not match

973

874

path_keyword='object_path',

974

875

connection_keyword='connection')

975

876

def Introspect(self, object_path, connection):

976

"""Overloading of standard D-Bus method.

977

978

Inserts property tags and interface annotation tags.

877

"""Standard D-Bus method, overloaded to insert property tags.

979

878

"""

980

879

xmlstring = dbus.service.Object.Introspect(self, object_path,

981

880

connection)

988

887

e.setAttribute("access", prop._dbus_access)

989

888

return e

990

889

for if_tag in document.getElementsByTagName("interface"):

991

# Add property tags

992

890

for tag in (make_tag(document, name, prop)

993

891

for name, prop

994

in self._get_all_dbus_things("property")

892

in self._get_all_dbus_properties()

995

893

if prop._dbus_interface

996

894

== if_tag.getAttribute("name")):

997

895

if_tag.appendChild(tag)

998

# Add annotation tags

999

for typ in ("method", "signal", "property"):

1000

for tag in if_tag.getElementsByTagName(typ):

1001

annots = dict()

1002

for name, prop in (self.

1003

_get_all_dbus_things(typ)):

1004

if (name == tag.getAttribute("name")

1005

and prop._dbus_interface

1006

== if_tag.getAttribute("name")):

1007

annots.update(getattr

1008

(prop,

1009

"_dbus_annotations",

1010

{}))

1011

for name, value in annots.iteritems():

1012

ann_tag = document.createElement(

1013

"annotation")

1014

ann_tag.setAttribute("name", name)

1015

ann_tag.setAttribute("value", value)

1016

tag.appendChild(ann_tag)

1017

# Add interface annotation tags

1018

for annotation, value in dict(

1019

itertools.chain.from_iterable(

1020

annotations().iteritems()

1021

for name, annotations in

1022

self._get_all_dbus_things("interface")

1023

if name == if_tag.getAttribute("name")

1024

)).iteritems():

1025

ann_tag = document.createElement("annotation")

1026

ann_tag.setAttribute("name", annotation)

1027

ann_tag.setAttribute("value", value)

1028

if_tag.appendChild(ann_tag)

1029

896

# Add the names to the return values for the

1030

897

# "org.freedesktop.DBus.Properties" methods

1031

898

if (if_tag.getAttribute("name")

1046

913

except (AttributeError, xml.dom.DOMException,

1047

914

xml.parsers.expat.ExpatError) as error:

1048

915

logger.error("Failed to override Introspection method",

1049

exc_info=error)

916

error)

1050

917

return xmlstring

1051

918

1052

919

1053

def datetime_to_dbus(dt, variant_level=0):

920

def datetime_to_dbus (dt, variant_level=0):

1054

921

"""Convert a UTC datetime.datetime() to a D-Bus type."""

1055

922

if dt is None:

1056

923

return dbus.String("", variant_level = variant_level)

1058

925

variant_level=variant_level)

1059

926

1060

927

1061

def alternate_dbus_interfaces(alt_interface_names, deprecate=True):

1062

"""A class decorator; applied to a subclass of

1063

dbus.service.Object, it will add alternate D-Bus attributes with

1064

interface names according to the "alt_interface_names" mapping.

1065

Usage:

1066

1067

@alternate_dbus_interfaces({"org.example.Interface":

1068

"net.example.AlternateInterface"})

1069

class SampleDBusObject(dbus.service.Object):

1070

@dbus.service.method("org.example.Interface")

1071

def SampleDBusMethod():

1072

pass

1073

1074

The above "SampleDBusMethod" on "SampleDBusObject" will be

1075

reachable via two interfaces: "org.example.Interface" and

1076

"net.example.AlternateInterface", the latter of which will have

1077

its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to

1078

"true", unless "deprecate" is passed with a False value.

1079

1080

This works for methods and signals, and also for D-Bus properties

1081

(from DBusObjectWithProperties) and interfaces (from the

1082

dbus_interface_annotations decorator).

928

class AlternateDBusNamesMetaclass(DBusObjectWithProperties

929

.__metaclass__):

930

"""Applied to an empty subclass of a D-Bus object, this metaclass

931

will add additional D-Bus attributes matching a certain pattern.

1083

932

"""

1084

def wrapper(cls):

1085

for orig_interface_name, alt_interface_name in (

1086

alt_interface_names.iteritems()):

1087

attr = {}

1088

interface_names = set()

1089

# Go though all attributes of the class

1090

for attrname, attribute in inspect.getmembers(cls):

933

def __new__(mcs, name, bases, attr):

934

# Go through all the base classes which could have D-Bus

935

# methods, signals, or properties in them

936

for base in (b for b in bases

937

if issubclass(b, dbus.service.Object)):

938

# Go though all attributes of the base class

939

for attrname, attribute in inspect.getmembers(base):

1091

940

# Ignore non-D-Bus attributes, and D-Bus attributes

1092

941

# with the wrong interface name

1093

942

if (not hasattr(attribute, "_dbus_interface")

1094

943

or not attribute._dbus_interface

1095

.startswith(orig_interface_name)):

944

.startswith("se.recompile.Mandos")):

1096

945

continue

1097

946

# Create an alternate D-Bus interface name based on

1098

947

# the current name

1099

948

alt_interface = (attribute._dbus_interface

1100

.replace(orig_interface_name,

1101

alt_interface_name))

1102

interface_names.add(alt_interface)

949

.replace("se.recompile.Mandos",

950

"se.bsnet.fukt.Mandos"))

1103

951

# Is this a D-Bus signal?

1104

952

if getattr(attribute, "_dbus_is_signal", False):

1105

# Extract the original non-method undecorated

1106

# function by black magic

953

# Extract the original non-method function by

954

# black magic

1107

955

nonmethod_func = (dict(

1108

956

zip(attribute.func_code.co_freevars,

1109

957

attribute.__closure__))["func"]

1120

968

nonmethod_func.func_name,

1121

969

nonmethod_func.func_defaults,

1122

970

nonmethod_func.func_closure)))

1123

# Copy annotations, if any

1124

try:

1125

new_function._dbus_annotations = (

1126

dict(attribute._dbus_annotations))

1127

except AttributeError:

1128

pass

1129

971

# Define a creator of a function to call both the

1130

# original and alternate functions, so both the

1131

# original and alternate signals gets sent when

1132

# the function is called

972

# old and new functions, so both the old and new

973

# signals gets sent when the function is called

1133

974

def fixscope(func1, func2):

1134

975

"""This function is a scope container to pass

1135

976

func1 and func2 to the "call_both" function

1142

983

return call_both

1143

984

# Create the "call_both" function and add it to

1144

985

# the class

1145

attr[attrname] = fixscope(attribute, new_function)

986

attr[attrname] = fixscope(attribute,

987

new_function)

1146

988

# Is this a D-Bus method?

1147

989

elif getattr(attribute, "_dbus_is_method", False):

1148

990

# Create a new, but exactly alike, function

1159

1001

attribute.func_name,

1160

1002

attribute.func_defaults,

1161

1003

attribute.func_closure)))

1162

# Copy annotations, if any

1163

try:

1164

attr[attrname]._dbus_annotations = (

1165

dict(attribute._dbus_annotations))

1166

except AttributeError:

1167

pass

1168

1004

# Is this a D-Bus property?

1169

1005

elif getattr(attribute, "_dbus_is_property", False):

1170

1006

# Create a new, but exactly alike, function

1184

1020

attribute.func_name,

1185

1021

attribute.func_defaults,

1186

1022

attribute.func_closure)))

1187

# Copy annotations, if any

1188

try:

1189

attr[attrname]._dbus_annotations = (

1190

dict(attribute._dbus_annotations))

1191

except AttributeError:

1192

pass

1193

# Is this a D-Bus interface?

1194

elif getattr(attribute, "_dbus_is_interface", False):

1195

# Create a new, but exactly alike, function

1196

# object. Decorate it to be a new D-Bus interface

1197

# with the alternate D-Bus interface name. Add it

1198

# to the class.

1199

attr[attrname] = (dbus_interface_annotations

1200

(alt_interface)

1201

(types.FunctionType

1202

(attribute.func_code,

1203

attribute.func_globals,

1204

attribute.func_name,

1205

attribute.func_defaults,

1206

attribute.func_closure)))

1207

if deprecate:

1208

# Deprecate all alternate interfaces

1209

iname="_AlternateDBusNames_interface_annotation{0}"

1210

for interface_name in interface_names:

1211

@dbus_interface_annotations(interface_name)

1212

def func(self):

1213

return { "org.freedesktop.DBus.Deprecated":

1214

"true" }

1215

# Find an unused name

1216

for aname in (iname.format(i)

1217

for i in itertools.count()):

1218

if aname not in attr:

1219

attr[aname] = func

1220

break

1221

if interface_names:

1222

# Replace the class with a new subclass of it with

1223

# methods, signals, etc. as created above.

1224

cls = type(b"{0}Alternate".format(cls.__name__),

1225

(cls,), attr)

1226

return cls

1227

return wrapper

1228

1229

1230

@alternate_dbus_interfaces({"se.recompile.Mandos":

1231

"se.bsnet.fukt.Mandos"})

1023

return type.__new__(mcs, name, bases, attr)

1024

1025

1232

1026

class ClientDBus(Client, DBusObjectWithProperties):

1233

1027

"""A Client class using D-Bus

1234

1028

1245

1039

def __init__(self, bus = None, *args, **kwargs):

1246

1040

self.bus = bus

1247

1041

Client.__init__(self, *args, **kwargs)

1042

self._approvals_pending = 0

1043

1044

self._approvals_pending = 0

1248

1045

# Only now, when this client is initialized, can it show up on

1249

1046

# the D-Bus

1250

1047

client_object_name = unicode(self.name).translate(

1254

1051

("/clients/" + client_object_name))

1255

1052

DBusObjectWithProperties.__init__(self, self.bus,

1256

1053

self.dbus_object_path)

1257

1054

1258

1055

def notifychangeproperty(transform_func,

1259

1056

dbus_name, type_func=lambda x: x,

1260

1057

variant_level=1):

1283

1080

1284

1081

return property(lambda self: getattr(self, attrname), setter)

1285

1082

1083

1286

1084

expires = notifychangeproperty(datetime_to_dbus, "Expires")

1287

1085

approvals_pending = notifychangeproperty(dbus.Boolean,

1288

1086

"ApprovalPending",

1295

1093

checker is not None)

1296

1094

last_checked_ok = notifychangeproperty(datetime_to_dbus,

1297

1095

"LastCheckedOK")

1298

last_checker_status = notifychangeproperty(dbus.Int16,

1299

"LastCheckerStatus")

1300

1096

last_approval_request = notifychangeproperty(

1301

1097

datetime_to_dbus, "LastApprovalRequest")

1302

1098

approved_by_default = notifychangeproperty(dbus.Boolean,

1352

1148

*args, **kwargs)

1353

1149

1354

1150

def start_checker(self, *args, **kwargs):

1355

old_checker_pid = getattr(self.checker, "pid", None)

1151

old_checker = self.checker

1152

if self.checker is not None:

1153

old_checker_pid = self.checker.pid

1154

else:

1155

old_checker_pid = None

1356

1156

r = Client.start_checker(self, *args, **kwargs)

1357

1157

# Only if new checker process was started

1358

1158

if (self.checker is not None

1366

1166

return False

1367

1167

1368

1168

def approve(self, value=True):

1169

self.send_changedstate()

1369

1170

self.approved = value

1370

1171

gobject.timeout_add(timedelta_to_milliseconds

1371

1172

(self.approval_duration),

1372

1173

self._reset_approved)

1373

self.send_changedstate()

1174

1374

1175

1375

1176

## D-Bus methods, signals & properties

1376

1177

_interface = "se.recompile.Mandos.Client"

1377

1178

1378

## Interfaces

1379

1380

@dbus_interface_annotations(_interface)

1381

def _foo(self):

1382

return { "org.freedesktop.DBus.Property.EmitsChangedSignal":

1383

"false"}

1384

1385

1179

## Signals

1386

1180

1387

1181

# CheckerCompleted - signal

1423

1217

"D-Bus signal"

1424

1218

return self.need_approval()

1425

1219

1220

# NeRwequest - signal

1221

@dbus.service.signal(_interface, signature="s")

1222

def NewRequest(self, ip):

1223

"""D-Bus signal

1224

Is sent after a client request a password.

1225

"""

1226

pass

1227

1426

1228

## Methods

1427

1229

1428

1230

# Approve - method

1538

1340

return

1539

1341

return datetime_to_dbus(self.last_checked_ok)

1540

1342

1541

# LastCheckerStatus - property

1542

@dbus_service_property(_interface, signature="n",

1543

access="read")

1544

def LastCheckerStatus_dbus_property(self):

1545

return dbus.Int16(self.last_checker_status)

1546

1547

1343

# Expires - property

1548

1344

@dbus_service_property(_interface, signature="s", access="read")

1549

1345

def Expires_dbus_property(self):

1560

1356

def Timeout_dbus_property(self, value=None):

1561

1357

if value is None: # get

1562

1358

return dbus.UInt64(self.timeout_milliseconds())

1563

old_timeout = self.timeout

1564

1359

self.timeout = datetime.timedelta(0, 0, 0, value)

1565

# Reschedule disabling

1566

if self.enabled:

1567

now = datetime.datetime.utcnow()

1568

self.expires += self.timeout - old_timeout

1569

if self.expires <= now:

1570

# The timeout has passed

1571

self.disable()

1572

else:

1573

if (getattr(self, "disable_initiator_tag", None)

1574

is None):

1575

return

1576

gobject.source_remove(self.disable_initiator_tag)

1577

self.disable_initiator_tag = (

1578

gobject.timeout_add(

1579

timedelta_to_milliseconds(self.expires - now),

1580

self.disable))

1360

if getattr(self, "disable_initiator_tag", None) is None:

1361

return

1362

# Reschedule timeout

1363

gobject.source_remove(self.disable_initiator_tag)

1364

self.disable_initiator_tag = None

1365

self.expires = None

1366

time_to_die = timedelta_to_milliseconds((self

1367

.last_checked_ok

1368

+ self.timeout)

1369

- datetime.datetime

1370

.utcnow())

1371

if time_to_die <= 0:

1372

# The timeout has passed

1373

self.disable()

1374

else:

1375

self.expires = (datetime.datetime.utcnow()

1376

+ datetime.timedelta(milliseconds =

1377

time_to_die))

1378

self.disable_initiator_tag = (gobject.timeout_add

1379

(time_to_die, self.disable))

1581

1380

1582

1381

# ExtendedTimeout - property

1583

1382

@dbus_service_property(_interface, signature="t",

1662

1461

self._pipe.send(('setattr', name, value))

1663

1462

1664

1463

1464

class ClientDBusTransitional(ClientDBus):

1465

__metaclass__ = AlternateDBusNamesMetaclass

1466

1467

1665

1468

class ClientHandler(socketserver.BaseRequestHandler, object):

1666

1469

"""A class to handle client connections.

1667

1470

1703

1506

logger.debug("Protocol version: %r", line)

1704

1507

try:

1705

1508

if int(line.strip().split()[0]) > 1:

1706

raise RuntimeError(line)

1509

raise RuntimeError

1707

1510

except (ValueError, IndexError, RuntimeError) as error:

1708

1511

logger.error("Unknown protocol version: %s", error)

1709

1512

return

1735

1538

except KeyError:

1736

1539

return

1737

1540

1541

if self.server.use_dbus:

1542

# Emit D-Bus signal

1543

client.NewRequest(str(self.client_address))

1544

1738

1545

if client.approval_delay:

1739

1546

delay = client.approval_delay

1740

1547

client.approvals_pending += 1

1771

1578

#wait until timeout or approved

1772

1579

time = datetime.datetime.now()

1773

1580

client.changedstate.acquire()

1774

client.changedstate.wait(

1775

float(timedelta_to_milliseconds(delay)

1776

/ 1000))

1581

(client.changedstate.wait

1582

(float(client.timedelta_to_milliseconds(delay)

1583

/ 1000)))

1777

1584

client.changedstate.release()

1778

1585

time2 = datetime.datetime.now()

1779

1586

if (time2 - time) >= delay:

1795

1602

try:

1796

1603

sent = session.send(client.secret[sent_size:])

1797

1604

except gnutls.errors.GNUTLSError as error:

1798

logger.warning("gnutls send failed",

1799

exc_info=error)

1605

logger.warning("gnutls send failed")

1800

1606

return

1801

1607

logger.debug("Sent: %d, remaining: %d",

1802

1608

sent, len(client.secret)

1805

1611

1806

1612

logger.info("Sending secret to %s", client.name)

1807

1613

# bump the timeout using extended_timeout

1808

client.bump_timeout(client.extended_timeout)

1614

client.checked_ok(client.extended_timeout)

1809

1615

if self.server.use_dbus:

1810

1616

# Emit D-Bus signal

1811

1617

client.GotSecret()

1816

1622

try:

1817

1623

session.bye()

1818

1624

except gnutls.errors.GNUTLSError as error:

1819

logger.warning("GnuTLS bye failed",

1820

exc_info=error)

1625

logger.warning("GnuTLS bye failed")

1821

1626

1822

1627

@staticmethod

1823

1628

def peer_certificate(session):

1895

1700

def process_request(self, request, address):

1896

1701

"""Start a new process to process the request."""

1897

1702

proc = multiprocessing.Process(target = self.sub_process_main,

1898

args = (request, address))

1703

args = (request,

1704

address))

1899

1705

proc.start()

1900

1706

return proc

1901

1707

1916

1722

1917

1723

def add_pipe(self, parent_pipe, proc):

1918

1724

"""Dummy function; override as necessary"""

1919

raise NotImplementedError()

1725

raise NotImplementedError

1920

1726

1921

1727

1922

1728

class IPv6_TCPServer(MultiprocessingMixInWithPipe,

1929

1735

use_ipv6: Boolean; to use IPv6 or not

1930

1736

"""

1931

1737

def __init__(self, server_address, RequestHandlerClass,

1932

interface=None, use_ipv6=True, socketfd=None):

1933

"""If socketfd is set, use that file descriptor instead of

1934

creating a new one with socket.socket().

1935

"""

1738

interface=None, use_ipv6=True):

1936

1739

self.interface = interface

1937

1740

if use_ipv6:

1938

1741

self.address_family = socket.AF_INET6

1939

if socketfd is not None:

1940

# Save the file descriptor

1941

self.socketfd = socketfd

1942

# Save the original socket.socket() function

1943

self.socket_socket = socket.socket

1944

# To implement --socket, we monkey patch socket.socket.

1945

#

1946

# (When socketserver.TCPServer is a new-style class, we

1947

# could make self.socket into a property instead of monkey

1948

# patching socket.socket.)

1949

#

1950

# Create a one-time-only replacement for socket.socket()

1951

@functools.wraps(socket.socket)

1952

def socket_wrapper(*args, **kwargs):

1953

# Restore original function so subsequent calls are

1954

# not affected.

1955

socket.socket = self.socket_socket

1956

del self.socket_socket

1957

# This time only, return a new socket object from the

1958

# saved file descriptor.

1959

return socket.fromfd(self.socketfd, *args, **kwargs)

1960

# Replace socket.socket() function with wrapper

1961

socket.socket = socket_wrapper

1962

# The socketserver.TCPServer.__init__ will call

1963

# socket.socket(), which might be our replacement,

1964

# socket_wrapper(), if socketfd was set.

1965

1742

socketserver.TCPServer.__init__(self, server_address,

1966

1743

RequestHandlerClass)

1967

1968

1744

def server_bind(self):

1969

1745

"""This overrides the normal server_bind() function

1970

1746

to bind to an interface if one was specified, and also NOT to

1978

1754

try:

1979

1755

self.socket.setsockopt(socket.SOL_SOCKET,

1980

1756

SO_BINDTODEVICE,

1981

str(self.interface + '\0'))

1757

str(self.interface

1758

+ '\0'))

1982

1759

except socket.error as error:

1983

if error.errno == errno.EPERM:

1984

logger.error("No permission to bind to"

1985

" interface %s", self.interface)

1986

elif error.errno == errno.ENOPROTOOPT:

1760

if error[0] == errno.EPERM:

1761

logger.error("No permission to"

1762

" bind to interface %s",

1763

self.interface)

1764

elif error[0] == errno.ENOPROTOOPT:

1987

1765

logger.error("SO_BINDTODEVICE not available;"

1988

1766

" cannot bind to interface %s",

1989

1767

self.interface)

1990

elif error.errno == errno.ENODEV:

1991

logger.error("Interface %s does not exist,"

1992

" cannot bind", self.interface)

1993

1768

else:

1994

1769

raise

1995

1770

# Only bind(2) the socket if we really need to.

1998

1773

if self.address_family == socket.AF_INET6:

1999

1774

any_address = "::" # in6addr_any

2000

1775

else:

2001

any_address = "0.0.0.0" # INADDR_ANY

1776

any_address = socket.INADDR_ANY

2002

1777

self.server_address = (any_address,

2003

1778

self.server_address[1])

2004

1779

elif not self.server_address[1]:

2025

1800

"""

2026

1801

def __init__(self, server_address, RequestHandlerClass,

2027

1802

interface=None, use_ipv6=True, clients=None,

2028

gnutls_priority=None, use_dbus=True, socketfd=None):

1803

gnutls_priority=None, use_dbus=True):

2029

1804

self.enabled = False

2030

1805

self.clients = clients

2031

1806

if self.clients is None:

2035

1810

IPv6_TCPServer.__init__(self, server_address,

2036

1811

RequestHandlerClass,

2037

1812

interface = interface,

2038

use_ipv6 = use_ipv6,

2039

socketfd = socketfd)

1813

use_ipv6 = use_ipv6)

2040

1814

def server_activate(self):

2041

1815

if self.enabled:

2042

1816

return socketserver.TCPServer.server_activate(self)

2055

1829

2056

1830

def handle_ipc(self, source, condition, parent_pipe=None,

2057

1831

proc = None, client_object=None):

1832

condition_names = {

1833

gobject.IO_IN: "IN", # There is data to read.

1834

gobject.IO_OUT: "OUT", # Data can be written (without

1835

# blocking).

1836

gobject.IO_PRI: "PRI", # There is urgent data to read.

1837

gobject.IO_ERR: "ERR", # Error condition.

1838

gobject.IO_HUP: "HUP" # Hung up (the connection has been

1839

# broken, usually for pipes and

1840

# sockets).

1841

}

1842

conditions_string = ' | '.join(name

1843

for cond, name in

1844

condition_names.iteritems()

1845

if cond & condition)

2058

1846

# error, or the other end of multiprocessing.Pipe has closed

2059

if condition & (gobject.IO_ERR | gobject.IO_HUP):

1847

if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):

2060

1848

# Wait for other process to exit

2061

1849

proc.join()

2062

1850

return False

2120

1908

return True

2121

1909

2122

1910

2123

def rfc3339_duration_to_delta(duration):

2124

"""Parse an RFC 3339 "duration" and return a datetime.timedelta

2125

2126

>>> rfc3339_duration_to_delta("P7D")

2127

datetime.timedelta(7)

2128

>>> rfc3339_duration_to_delta("PT60S")

2129

datetime.timedelta(0, 60)

2130

>>> rfc3339_duration_to_delta("PT60M")

2131

datetime.timedelta(0, 3600)

2132

>>> rfc3339_duration_to_delta("PT24H")

2133

datetime.timedelta(1)

2134

>>> rfc3339_duration_to_delta("P1W")

2135

datetime.timedelta(7)

2136

>>> rfc3339_duration_to_delta("PT5M30S")

2137

datetime.timedelta(0, 330)

2138

>>> rfc3339_duration_to_delta("P1DT3M20S")

2139

datetime.timedelta(1, 200)

2140

"""

2141

2142

# Parsing an RFC 3339 duration with regular expressions is not

2143

# possible - there would have to be multiple places for the same

2144

# values, like seconds. The current code, while more esoteric, is

2145

# cleaner without depending on a parsing library. If Python had a

2146

# built-in library for parsing we would use it, but we'd like to

2147

# avoid excessive use of external libraries.

2148

2149

# New type for defining tokens, syntax, and semantics all-in-one

2150

Token = collections.namedtuple("Token",

2151

("regexp", # To match token; if

2152

# "value" is not None,

2153

# must have a "group"

2154

# containing digits

2155

"value", # datetime.timedelta or

2156

# None

2157

"followers")) # Tokens valid after

2158

# this token

2159

# RFC 3339 "duration" tokens, syntax, and semantics; taken from

2160

# the "duration" ABNF definition in RFC 3339, Appendix A.

2161

token_end = Token(re.compile(r"$"), None, frozenset())

2162

token_second = Token(re.compile(r"(\d+)S"),

2163

datetime.timedelta(seconds=1),

2164

frozenset((token_end,)))

2165

token_minute = Token(re.compile(r"(\d+)M"),

2166

datetime.timedelta(minutes=1),

2167

frozenset((token_second, token_end)))

2168

token_hour = Token(re.compile(r"(\d+)H"),

2169

datetime.timedelta(hours=1),

2170

frozenset((token_minute, token_end)))

2171

token_time = Token(re.compile(r"T"),

2172

None,

2173

frozenset((token_hour, token_minute,

2174

token_second)))

2175

token_day = Token(re.compile(r"(\d+)D"),

2176

datetime.timedelta(days=1),

2177

frozenset((token_time, token_end)))

2178

token_month = Token(re.compile(r"(\d+)M"),

2179

datetime.timedelta(weeks=4),

2180

frozenset((token_day, token_end)))

2181

token_year = Token(re.compile(r"(\d+)Y"),

2182

datetime.timedelta(weeks=52),

2183

frozenset((token_month, token_end)))

2184

token_week = Token(re.compile(r"(\d+)W"),

2185

datetime.timedelta(weeks=1),

2186

frozenset((token_end,)))

2187

token_duration = Token(re.compile(r"P"), None,

2188

frozenset((token_year, token_month,

2189

token_day, token_time,

2190

token_week))),

2191

# Define starting values

2192

value = datetime.timedelta() # Value so far

2193

found_token = None

2194

followers = frozenset(token_duration,) # Following valid tokens

2195

s = duration # String left to parse

2196

# Loop until end token is found

2197

while found_token is not token_end:

2198

# Search for any currently valid tokens

2199

for token in followers:

2200

match = token.regexp.match(s)

2201

if match is not None:

2202

# Token found

2203

if token.value is not None:

2204

# Value found, parse digits

2205

factor = int(match.group(1), 10)

2206

# Add to value so far

2207

value += factor * token.value

2208

# Strip token from string

2209

s = token.regexp.sub("", s, 1)

2210

# Go to found token

2211

found_token = token

2212

# Set valid next tokens

2213

followers = found_token.followers

2214

break

2215

else:

2216

# No currently valid tokens were found

2217

raise ValueError("Invalid RFC 3339 duration")

2218

# End token found

2219

return value

2220

2221

2222

1911

def string_to_delta(interval):

2223

1912

"""Parse a string and return a datetime.timedelta

2224

1913

2235

1924

>>> string_to_delta('5m 30s')

2236

1925

datetime.timedelta(0, 330)

2237

1926

"""

2238

2239

try:

2240

return rfc3339_duration_to_delta(interval)

2241

except ValueError:

2242

pass

2243

2244

1927

timevalue = datetime.timedelta(0)

2245

1928

for s in interval.split():

2246

1929

try:

2257

1940

elif suffix == "w":

2258

1941

delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)

2259

1942

else:

2260

raise ValueError("Unknown suffix {0!r}"

2261

.format(suffix))

2262

except IndexError as e:

1943

raise ValueError("Unknown suffix %r" % suffix)

1944

except (ValueError, IndexError) as e:

2263

1945

raise ValueError(*(e.args))

2264

1946

timevalue += delta

2265

1947

return timevalue

2278

1960

sys.exit()

2279

1961

if not noclose:

2280

1962

# Close all standard open file descriptors

2281

null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)

1963

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

2282

1964

if not stat.S_ISCHR(os.fstat(null).st_mode):

2283

1965

raise OSError(errno.ENODEV,

2284

"{0} not a character device"

2285

.format(os.devnull))

1966

"%s not a character device"

1967

% os.path.devnull)

2286

1968

os.dup2(null, sys.stdin.fileno())

2287

1969

os.dup2(null, sys.stdout.fileno())

2288

1970

os.dup2(null, sys.stderr.fileno())

2297

1979

2298

1980

parser = argparse.ArgumentParser()

2299

1981

parser.add_argument("-v", "--version", action="version",

2300

version = "%(prog)s {0}".format(version),

1982

version = "%%(prog)s %s" % version,

2301

1983

help="show version number and exit")

2302

1984

parser.add_argument("-i", "--interface", metavar="IF",

2303

1985

help="Bind to interface IF")

2309

1991

help="Run self-test")

2310

1992

parser.add_argument("--debug", action="store_true",

2311

1993

help="Debug mode; run in foreground and log"

2312

" to terminal", default=None)

1994

" to terminal")

2313

1995

parser.add_argument("--debuglevel", metavar="LEVEL",

2314

1996

help="Debug level for stdout output")

2315

1997

parser.add_argument("--priority", help="GnuTLS"

2322

2004

" files")

2323

2005

parser.add_argument("--no-dbus", action="store_false",

2324

2006

dest="use_dbus", help="Do not provide D-Bus"

2325

" system bus interface", default=None)

2007

" system bus interface")

2326

2008

parser.add_argument("--no-ipv6", action="store_false",

2327

dest="use_ipv6", help="Do not use IPv6",

2328

default=None)

2009

dest="use_ipv6", help="Do not use IPv6")

2329

2010

parser.add_argument("--no-restore", action="store_false",

2330

2011

dest="restore", help="Do not restore stored"

2331

" state", default=None)

2332

parser.add_argument("--socket", type=int,

2333

help="Specify a file descriptor to a network"

2334

" socket to use instead of creating one")

2012

" state")

2335

2013

parser.add_argument("--statedir", metavar="DIR",

2336

2014

help="Directory to save/restore state in")

2337

parser.add_argument("--foreground", action="store_true",

2338

help="Run in foreground", default=None)

2339

2015

2340

2016

options = parser.parse_args()

2341

2017

2342

2018

if options.check:

2343

2019

import doctest

2344

fail_count, test_count = doctest.testmod()

2345

sys.exit(os.EX_OK if fail_count == 0 else 1)

2020

doctest.testmod()

2021

sys.exit()

2346

2022

2347

2023

# Default values for config file for server-global settings

2348

2024

server_defaults = { "interface": "",

2350

2026

"port": "",

2351

2027

"debug": "False",

2352

2028

"priority":

2353

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",

2029

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",

2354

2030

"servicename": "Mandos",

2355

2031

"use_dbus": "True",

2356

2032

"use_ipv6": "True",

2357

2033

"debuglevel": "",

2358

2034

"restore": "True",

2359

"socket": "",

2360

"statedir": "/var/lib/mandos",

2361

"foreground": "False",

2035

"statedir": "/var/lib/mandos"

2362

2036

}

2363

2037

2364

2038

# Parse config file for server-global settings

2369

2043

# Convert the SafeConfigParser object to a dict

2370

2044

server_settings = server_config.defaults()

2371

2045

# Use the appropriate methods on the non-string config options

2372

for option in ("debug", "use_dbus", "use_ipv6", "foreground"):

2046

for option in ("debug", "use_dbus", "use_ipv6"):

2373

2047

server_settings[option] = server_config.getboolean("DEFAULT",

2374

2048

option)

2375

2049

if server_settings["port"]:

2376

2050

server_settings["port"] = server_config.getint("DEFAULT",

2377

2051

"port")

2378

if server_settings["socket"]:

2379

server_settings["socket"] = server_config.getint("DEFAULT",

2380

"socket")

2381

# Later, stdin will, and stdout and stderr might, be dup'ed

2382

# over with an opened os.devnull. But we don't want this to

2383

# happen with a supplied network socket.

2384

if 0 <= server_settings["socket"] <= 2:

2385

server_settings["socket"] = os.dup(server_settings

2386

["socket"])

2387

2052

del server_config

2388

2053

2389

2054

# Override the settings from the config file with command line

2391

2056

for option in ("interface", "address", "port", "debug",

2392

2057

"priority", "servicename", "configdir",

2393

2058

"use_dbus", "use_ipv6", "debuglevel", "restore",

2394

"statedir", "socket", "foreground"):

2059

"statedir"):

2395

2060

value = getattr(options, option)

2396

2061

if value is not None:

2397

2062

server_settings[option] = value

2400

2065

for option in server_settings.keys():

2401

2066

if type(server_settings[option]) is str:

2402

2067

server_settings[option] = unicode(server_settings[option])

2403

# Force all boolean options to be boolean

2404

for option in ("debug", "use_dbus", "use_ipv6", "restore",

2405

"foreground"):

2406

server_settings[option] = bool(server_settings[option])

2407

# Debug implies foreground

2408

if server_settings["debug"]:

2409

server_settings["foreground"] = True

2410

2068

# Now we have our good server settings in "server_settings"

2411

2069

2412

2070

##################################################################

2418

2076

use_ipv6 = server_settings["use_ipv6"]

2419

2077

stored_state_path = os.path.join(server_settings["statedir"],

2420

2078

stored_state_file)

2421

foreground = server_settings["foreground"]

2422

2079

2423

2080

if debug:

2424

initlogger(debug, logging.DEBUG)

2081

initlogger(logging.DEBUG)

2425

2082

else:

2426

2083

if not debuglevel:

2427

initlogger(debug)

2084

initlogger()

2428

2085

else:

2429

2086

level = getattr(logging, debuglevel.upper())

2430

initlogger(debug, level)

2087

initlogger(level)

2431

2088

2432

2089

if server_settings["servicename"] != "Mandos":

2433

2090

syslogger.setFormatter(logging.Formatter

2434

('Mandos ({0}) [%(process)d]:'

2435

' %(levelname)s: %(message)s'

2436

.format(server_settings

2437

["servicename"])))

2091

('Mandos (%s) [%%(process)d]:'

2092

' %%(levelname)s: %%(message)s'

2093

% server_settings["servicename"]))

2438

2094

2439

2095

# Parse config file with clients

2440

client_config = configparser.SafeConfigParser(Client

2441

.client_defaults)

2096

client_config = configparser.SafeConfigParser(Client.client_defaults)

2442

2097

client_config.read(os.path.join(server_settings["configdir"],

2443

2098

"clients.conf"))

2444

2099

2453

2108

use_ipv6=use_ipv6,

2454

2109

gnutls_priority=

2455

2110

server_settings["priority"],

2456

use_dbus=use_dbus,

2457

socketfd=(server_settings["socket"]

2458

or None))

2459

if not foreground:

2460

pidfilename = "/run/mandos.pid"

2461

if not os.path.isdir("/run/."):

2462

pidfilename = "/var/run/mandos.pid"

2463

pidfile = None

2111

use_dbus=use_dbus)

2112

if not debug:

2113

pidfilename = "/var/run/mandos.pid"

2464

2114

try:

2465

2115

pidfile = open(pidfilename, "w")

2466

except IOError as e:

2467

logger.error("Could not open file %r", pidfilename,

2468

exc_info=e)

2116

except IOError:

2117

logger.error("Could not open file %r", pidfilename)

2469

2118

2470

for name in ("_mandos", "mandos", "nobody"):

2119

try:

2120

uid = pwd.getpwnam("_mandos").pw_uid

2121

gid = pwd.getpwnam("_mandos").pw_gid

2122

except KeyError:

2471

2123

try:

2472

uid = pwd.getpwnam(name).pw_uid

2473

gid = pwd.getpwnam(name).pw_gid

2474

break

2124

uid = pwd.getpwnam("mandos").pw_uid

2125

gid = pwd.getpwnam("mandos").pw_gid

2475

2126

except KeyError:

2476

continue

2477

else:

2478

uid = 65534

2479

gid = 65534

2127

try:

2128

uid = pwd.getpwnam("nobody").pw_uid

2129

gid = pwd.getpwnam("nobody").pw_gid

2130

except KeyError:

2131

uid = 65534

2132

gid = 65534

2480

2133

try:

2481

2134

os.setgid(gid)

2482

2135

os.setuid(uid)

2483

2136

except OSError as error:

2484

if error.errno != errno.EPERM:

2485

raise

2137

if error[0] != errno.EPERM:

2138

raise error

2486

2139

2487

2140

if debug:

2488

2141

# Enable all possible GnuTLS debugging

2499

2152

.gnutls_global_set_log_function(debug_gnutls))

2500

2153

2501

2154

# Redirect stdin so all checkers get /dev/null

2502

null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)

2155

null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)

2503

2156

os.dup2(null, sys.stdin.fileno())

2504

2157

if null > 2:

2505

2158

os.close(null)

2159

else:

2160

# No console logging

2161

logger.removeHandler(console)

2506

2162

2507

2163

# Need to fork before connecting to D-Bus

2508

if not foreground:

2164

if not debug:

2509

2165

# Close all input and output, do double fork, etc.

2510

2166

daemon()

2511

2167

2512

# multiprocessing will use threads, so before we use gobject we

2513

# need to inform gobject that threads will be used.

2514

gobject.threads_init()

2515

2516

2168

global main_loop

2517

2169

# From the Avahi example code

2518

DBusGMainLoop(set_as_default=True)

2170

DBusGMainLoop(set_as_default=True )

2519

2171

main_loop = gobject.MainLoop()

2520

2172

bus = dbus.SystemBus()

2521

2173

# End of Avahi example code

2527

2179

("se.bsnet.fukt.Mandos", bus,

2528

2180

do_not_queue=True))

2529

2181

except dbus.exceptions.NameExistsException as e:

2530

logger.error("Disabling D-Bus:", exc_info=e)

2182

logger.error(unicode(e) + ", disabling D-Bus")

2531

2183

use_dbus = False

2532

2184

server_settings["use_dbus"] = False

2533

2185

tcp_server.use_dbus = False

2545

2197

2546

2198

client_class = Client

2547

2199

if use_dbus:

2548

client_class = functools.partial(ClientDBus, bus = bus)

2200

client_class = functools.partial(ClientDBusTransitional,

2201

bus = bus)

2549

2202

2550

2203

client_settings = Client.config_parser(client_config)

2551

2204

old_client_settings = {}

2552

2205

clients_data = {}

2553

2206

2554

# This is used to redirect stdout and stderr for checker processes

2555

global wnull

2556

wnull = open(os.devnull, "w") # A writable /dev/null

2557

# Only used if server is running in foreground but not in debug

2558

# mode

2559

if debug or not foreground:

2560

wnull.close()

2561

2562

2207

# Get client data and settings from last running state.

2563

2208

if server_settings["restore"]:

2564

2209

try:

2567

2212

(stored_state))

2568

2213

os.remove(stored_state_path)

2569

2214

except IOError as e:

2570

if e.errno == errno.ENOENT:

2571

logger.warning("Could not load persistent state: {0}"

2572

.format(os.strerror(e.errno)))

2573

else:

2574

logger.critical("Could not load persistent state:",

2575

exc_info=e)

2215

logger.warning("Could not load persistent state: {0}"

2216

.format(e))

2217

if e.errno != errno.ENOENT:

2576

2218

raise

2577

except EOFError as e:

2578

logger.warning("Could not load persistent state: "

2579

"EOFError:", exc_info=e)

2580

2219

2581

2220

with PGPEngine() as pgp:

2582

2221

for client_name, client in clients_data.iteritems():

2583

# Skip removed clients

2584

if client_name not in client_settings:

2585

continue

2586

2587

2222

# Decide which value to use after restoring saved state.

2588

2223

# We have three different values: Old config file,

2589

2224

# new config file, and saved state.

2603

2238

2604

2239

# Clients who has passed its expire date can still be

2605

2240

# enabled if its last checker was successful. Clients

2606

# whose checker succeeded before we stored its state is

2607

# assumed to have successfully run all checkers during

2608

# downtime.

2241

# whose checker failed before we stored its state is

2242

# assumed to have failed all checkers during downtime.

2609

2243

if client["enabled"]:

2610

2244

if datetime.datetime.utcnow() >= client["expires"]:

2611

2245

if not client["last_checked_ok"]:

2612

2246

logger.warning(

2613

2247

"disabling client {0} - Client never "

2614

"performed a successful checker"

2615

.format(client_name))

2248

"performed a successfull checker"

2249

.format(client["name"]))

2616

2250

client["enabled"] = False

2617

2251

elif client["last_checker_status"] != 0:

2618

2252

logger.warning(

2619

2253

"disabling client {0} - Client "

2620

2254

"last checker failed with error code {1}"

2621

.format(client_name,

2255

.format(client["name"],

2622

2256

client["last_checker_status"]))

2623

2257

client["enabled"] = False

2624

2258

else:

2625

2259

client["expires"] = (datetime.datetime

2626

2260

.utcnow()

2627

2261

+ client["timeout"])

2628

logger.debug("Last checker succeeded,"

2629

" keeping {0} enabled"

2630

.format(client_name))

2262

2631

2263

try:

2632

2264

client["secret"] = (

2633

2265

pgp.decrypt(client["encrypted_secret"],

2639

2271

.format(client_name))

2640

2272

client["secret"] = (

2641

2273

client_settings[client_name]["secret"])

2274

2642

2275

2643

2276

# Add/remove clients based on new changes made to config

2644

for client_name in (set(old_client_settings)

2645

- set(client_settings)):

2277

for client_name in set(old_client_settings) - set(client_settings):

2646

2278

del clients_data[client_name]

2647

for client_name in (set(client_settings)

2648

- set(old_client_settings)):

2279

for client_name in set(client_settings) - set(old_client_settings):

2649

2280

clients_data[client_name] = client_settings[client_name]

2650

2651

# Create all client objects

2281

2282

# Create clients all clients

2652

2283

for client_name, client in clients_data.iteritems():

2653

2284

tcp_server.clients[client_name] = client_class(

2654

name = client_name, settings = client,

2655

server_settings = server_settings)

2285

name = client_name, settings = client)

2656

2286

2657

2287

if not tcp_server.clients:

2658

2288

logger.warning("No clients defined")

2659

2660

if not foreground:

2661

if pidfile is not None:

2662

try:

2663

with pidfile:

2664

pid = os.getpid()

2665

pidfile.write(str(pid) + "\n".encode("utf-8"))

2666

except IOError:

2667

logger.error("Could not write to file %r with PID %d",

2668

pidfilename, pid)

2669

del pidfile

2289

2290

if not debug:

2291

try:

2292

with pidfile:

2293

pid = os.getpid()

2294

pidfile.write(str(pid) + "\n".encode("utf-8"))

2295

del pidfile

2296

except IOError:

2297

logger.error("Could not write to file %r with PID %d",

2298

pidfilename, pid)

2299

except NameError:

2300

# "pidfile" was never created

2301

pass

2670

2302

del pidfilename

2303

signal.signal(signal.SIGINT, signal.SIG_IGN)

2671

2304

2672

2305

signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())

2673

2306

signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())

2674

2307

2675

2308

if use_dbus:

2676

@alternate_dbus_interfaces({"se.recompile.Mandos":

2677

"se.bsnet.fukt.Mandos"})

2678

class MandosDBusService(DBusObjectWithProperties):

2309

class MandosDBusService(dbus.service.Object):

2679

2310

"""A D-Bus proxy object"""

2680

2311

def __init__(self):

2681

2312

dbus.service.Object.__init__(self, bus, "/")

2682

2313

_interface = "se.recompile.Mandos"

2683

2314

2684

@dbus_interface_annotations(_interface)

2685

def _foo(self):

2686

return { "org.freedesktop.DBus.Property"

2687

".EmitsChangedSignal":

2688

"false"}

2689

2690

2315

@dbus.service.signal(_interface, signature="o")

2691

2316

def ClientAdded(self, objpath):

2692

2317

"D-Bus signal"

2734

2359

2735

2360

del _interface

2736

2361

2737

mandos_dbus_service = MandosDBusService()

2362

class MandosDBusServiceTransitional(MandosDBusService):

2363

__metaclass__ = AlternateDBusNamesMetaclass

2364

mandos_dbus_service = MandosDBusServiceTransitional()

2738

2365

2739

2366

def cleanup():

2740

2367

"Cleanup function; run on exit"

2741

2368

service.cleanup()

2742

2369

2743

2370

multiprocessing.active_children()

2744

wnull.close()

2745

2371

if not (tcp_server.clients or client_settings):

2746

2372

return

2747

2373

2759

2385

# A list of attributes that can not be pickled

2760

2386

# + secret.

2761

2387

exclude = set(("bus", "changedstate", "secret",

2762

"checker", "server_settings"))

2388

"checker"))

2763

2389

for name, typ in (inspect.getmembers

2764

2390

(dbus.service.Object)):

2765

2391

exclude.add(name)

2774

2400

del client_settings[client.name]["secret"]

2775

2401

2776

2402

try:

2777

with (tempfile.NamedTemporaryFile

2778

(mode='wb', suffix=".pickle", prefix='clients-',

2779

dir=os.path.dirname(stored_state_path),

2780

delete=False)) as stored_state:

2403

with os.fdopen(os.open(stored_state_path,

2404

os.O_CREAT|os.O_WRONLY|os.O_TRUNC,

2405

0600), "wb") as stored_state:

2781

2406

pickle.dump((clients, client_settings), stored_state)

2782

tempname=stored_state.name

2783

os.rename(tempname, stored_state_path)

2784

2407

except (IOError, OSError) as e:

2785

if not debug:

2786

try:

2787

os.remove(tempname)

2788

except NameError:

2789

pass

2790

if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):

2791

logger.warning("Could not save persistent state: {0}"

2792

.format(os.strerror(e.errno)))

2793

else:

2794

logger.warning("Could not save persistent state:",

2795

exc_info=e)

2408

logger.warning("Could not save persistent state: {0}"

2409

.format(e))

2410

if e.errno not in (errno.ENOENT, errno.EACCES):

2796

2411

raise

2797

2412

2798

2413

# Delete all clients, and settings from config

2826

2441

service.port = tcp_server.socket.getsockname()[1]

2827

2442

if use_ipv6:

2828

2443

logger.info("Now listening on address %r, port %d,"

2829

" flowinfo %d, scope_id %d",

2830

*tcp_server.socket.getsockname())

2444

" flowinfo %d, scope_id %d"

2445

% tcp_server.socket.getsockname())

2831

2446

else: # IPv4

2832

logger.info("Now listening on address %r, port %d",

2833

*tcp_server.socket.getsockname())

2447

logger.info("Now listening on address %r, port %d"

2448

% tcp_server.socket.getsockname())

2834

2449

2835

2450

#service.interface = tcp_server.socket.getsockname()[3]

2836

2451

2839

2454

try:

2840

2455

service.activate()

2841

2456

except dbus.exceptions.DBusException as error:

2842

logger.critical("D-Bus Exception", exc_info=error)

2457

logger.critical("DBusException: %s", error)

2843

2458

cleanup()

2844

2459

sys.exit(1)

2845

2460

# End of Avahi example code

2852

2467

logger.debug("Starting main loop")

2853

2468

main_loop.run()

2854

2469

except AvahiError as error:

2855

logger.critical("Avahi Error", exc_info=error)

2470

logger.critical("AvahiError: %s", error)

2856

2471

cleanup()

2857

2472

sys.exit(1)

2858

2473

except KeyboardInterrupt: