To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 549
- compare with another revision
- download diff
- download tarball
- view history from revision 549
- Committer: teddy at recompile
- Date: 2012-01-01 17:38:33 UTC
- Revision ID: teddy@recompile.se-20120101173833-ai39bif1w0ftuyyh
* Makefile (install-server): Add intro(8mandos) man page.
* network-hooks.d/bridge: Add copyright info and year.
* network-hooks.d/openvpn: - '' -
* network-hooks.d/wireless: - '' -
* network-hooks.d/bridge: Add copyright info and year.
* network-hooks.d/openvpn: - '' -
* network-hooks.d/wireless: - '' -
- files removed:
- debian/mandos-client.examples
- files modified:
- .bzrignore
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2013 Teddy Hogeborn
15
# Copyright © 2008-2013 Björn Påhlsson
14
# Copyright © 2008-2012 Teddy Hogeborn
15
# Copyright © 2008-2012 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
from future_builtins import *
38
39
37
import SocketServer as socketserver
40
38
import socket
41
39
import argparse
67
65
import types
68
66
import binascii
69
67
import tempfile
70
import itertools
71
import collections
72
68
73
69
import dbus
74
70
import dbus.service
79
75
import ctypes.util
80
76
import xml.dom.minidom
81
77
import inspect
78
import GnuPGInterface
82
79
83
80
try:
84
81
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
88
85
except ImportError:
89
86
SO_BINDTODEVICE = None
90
87
91
version = "1.6.2"
88
version = "1.5.0"
92
89
stored_state_file = "clients.pickle"
93
90
94
91
logger = logging.getLogger()
139
136
class PGPEngine(object):
140
137
"""A simple class for OpenPGP symmetric encryption & decryption"""
141
138
def __init__(self):
139
self.gnupg = GnuPGInterface.GnuPG()
142
140
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
143
self.gnupgargs = ['--batch',
144
'--home', self.tempdir,
145
'--force-mdc',
146
'--quiet',
147
'--no-use-agent']
141
self.gnupg = GnuPGInterface.GnuPG()
142
self.gnupg.options.meta_interactive = False
143
self.gnupg.options.homedir = self.tempdir
144
self.gnupg.options.extra_args.extend(['--force-mdc',
145
'--quiet',
146
'--no-use-agent'])
148
147
149
148
def __enter__(self):
150
149
return self
151
150
152
def __exit__(self, exc_type, exc_value, traceback):
151
def __exit__ (self, exc_type, exc_value, traceback):
153
152
self._cleanup()
154
153
return False
155
154
172
171
def password_encode(self, password):
173
172
# Passphrase can not be empty and can not contain newlines or
174
173
# NUL bytes. So we prefix it and hex encode it.
175
encoded = b"mandos" + binascii.hexlify(password)
176
if len(encoded) > 2048:
177
# GnuPG can't handle long passwords, so encode differently
178
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
179
.replace(b"\n", b"\\n")
180
.replace(b"\0", b"\\x00"))
181
return encoded
174
return b"mandos" + binascii.hexlify(password)
182
175
183
176
def encrypt(self, data, password):
184
passphrase = self.password_encode(password)
185
with tempfile.NamedTemporaryFile(dir=self.tempdir
186
) as passfile:
187
passfile.write(passphrase)
188
passfile.flush()
189
proc = subprocess.Popen(['gpg', '--symmetric',
190
'--passphrase-file',
191
passfile.name]
192
+ self.gnupgargs,
193
stdin = subprocess.PIPE,
194
stdout = subprocess.PIPE,
195
stderr = subprocess.PIPE)
196
ciphertext, err = proc.communicate(input = data)
197
if proc.returncode != 0:
198
raise PGPError(err)
177
self.gnupg.passphrase = self.password_encode(password)
178
with open(os.devnull) as devnull:
179
try:
180
proc = self.gnupg.run(['--symmetric'],
181
create_fhs=['stdin', 'stdout'],
182
attach_fhs={'stderr': devnull})
183
with contextlib.closing(proc.handles['stdin']) as f:
184
f.write(data)
185
with contextlib.closing(proc.handles['stdout']) as f:
186
ciphertext = f.read()
187
proc.wait()
188
except IOError as e:
189
raise PGPError(e)
190
self.gnupg.passphrase = None
199
191
return ciphertext
200
192
201
193
def decrypt(self, data, password):
202
passphrase = self.password_encode(password)
203
with tempfile.NamedTemporaryFile(dir = self.tempdir
204
) as passfile:
205
passfile.write(passphrase)
206
passfile.flush()
207
proc = subprocess.Popen(['gpg', '--decrypt',
208
'--passphrase-file',
209
passfile.name]
210
+ self.gnupgargs,
211
stdin = subprocess.PIPE,
212
stdout = subprocess.PIPE,
213
stderr = subprocess.PIPE)
214
decrypted_plaintext, err = proc.communicate(input
215
= data)
216
if proc.returncode != 0:
217
raise PGPError(err)
194
self.gnupg.passphrase = self.password_encode(password)
195
with open(os.devnull) as devnull:
196
try:
197
proc = self.gnupg.run(['--decrypt'],
198
create_fhs=['stdin', 'stdout'],
199
attach_fhs={'stderr': devnull})
200
with contextlib.closing(proc.handles['stdin'] ) as f:
201
f.write(data)
202
with contextlib.closing(proc.handles['stdout']) as f:
203
decrypted_plaintext = f.read()
204
proc.wait()
205
except IOError as e:
206
raise PGPError(e)
207
self.gnupg.passphrase = None
218
208
return decrypted_plaintext
219
209
220
210
211
221
212
class AvahiError(Exception):
222
213
def __init__(self, value, *args, **kwargs):
223
214
self.value = value
240
231
Used to optionally bind to the specified interface.
241
232
name: string; Example: 'Mandos'
242
233
type: string; Example: '_mandos._tcp'.
243
See <https://www.iana.org/assignments/service-names-port-numbers>
234
See <http://www.dns-sd.org/ServiceTypes.html>
244
235
port: integer; what port to announce
245
236
TXT: list of strings; TXT record for the service
246
237
domain: string; Domain to publish on, default to .local if empty.
252
243
server: D-Bus Server
253
244
bus: dbus.SystemBus()
254
245
"""
255
256
246
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
257
247
servicetype = None, port = None, TXT = None,
258
248
domain = "", host = "", max_renames = 32768,
271
261
self.server = None
272
262
self.bus = bus
273
263
self.entry_group_state_changed_match = None
274
275
264
def rename(self):
276
265
"""Derived from the Avahi example code"""
277
266
if self.rename_count >= self.max_renames:
287
276
try:
288
277
self.add()
289
278
except dbus.exceptions.DBusException as error:
290
logger.critical("D-Bus Exception", exc_info=error)
279
logger.critical("DBusException: %s", error)
291
280
self.cleanup()
292
281
os._exit(1)
293
282
self.rename_count += 1
294
295
283
def remove(self):
296
284
"""Derived from the Avahi example code"""
297
285
if self.entry_group_state_changed_match is not None:
299
287
self.entry_group_state_changed_match = None
300
288
if self.group is not None:
301
289
self.group.Reset()
302
303
290
def add(self):
304
291
"""Derived from the Avahi example code"""
305
292
self.remove()
322
309
dbus.UInt16(self.port),
323
310
avahi.string_array_to_txt_array(self.TXT))
324
311
self.group.Commit()
325
326
312
def entry_group_state_changed(self, state, error):
327
313
"""Derived from the Avahi example code"""
328
314
logger.debug("Avahi entry group state change: %i", state)
335
321
elif state == avahi.ENTRY_GROUP_FAILURE:
336
322
logger.critical("Avahi: Error in group state changed %s",
337
323
unicode(error))
338
raise AvahiGroupError("State changed: {0!s}"
339
.format(error))
340
324
raise AvahiGroupError("State changed: %s"
325
% unicode(error))
341
326
def cleanup(self):
342
327
"""Derived from the Avahi example code"""
343
328
if self.group is not None:
348
333
pass
349
334
self.group = None
350
335
self.remove()
351
352
336
def server_state_changed(self, state, error=None):
353
337
"""Derived from the Avahi example code"""
354
338
logger.debug("Avahi server state change: %i", state)
373
357
logger.debug("Unknown state: %r", state)
374
358
else:
375
359
logger.debug("Unknown state: %r: %r", state, error)
376
377
360
def activate(self):
378
361
"""Derived from the Avahi example code"""
379
362
if self.server is None:
386
369
self.server_state_changed)
387
370
self.server_state_changed(self.server.GetState())
388
371
389
390
372
class AvahiServiceToSyslog(AvahiService):
391
373
def rename(self):
392
374
"""Add the new name to the syslog messages"""
393
375
ret = AvahiService.rename(self)
394
376
syslogger.setFormatter(logging.Formatter
395
('Mandos ({0}) [%(process)d]:'
396
' %(levelname)s: %(message)s'
397
.format(self.name)))
377
('Mandos (%s) [%%(process)d]:'
378
' %%(levelname)s: %%(message)s'
379
% self.name))
398
380
return ret
399
381
400
401
382
def timedelta_to_milliseconds(td):
402
383
"Convert a datetime.timedelta() to milliseconds"
403
384
return ((td.days * 24 * 60 * 60 * 1000)
404
385
+ (td.seconds * 1000)
405
386
+ (td.microseconds // 1000))
406
407
387
408
388
class Client(object):
409
389
"""A representation of a client host served by this server.
410
390
435
415
last_checked_ok: datetime.datetime(); (UTC) or None
436
416
last_checker_status: integer between 0 and 255 reflecting exit
437
417
status of last checker. -1 reflects crashed
438
checker, -2 means no checker completed yet.
418
checker, or None.
439
419
last_enabled: datetime.datetime(); (UTC) or None
440
420
name: string; from the config file, used in log messages and
441
421
D-Bus identifiers
442
422
secret: bytestring; sent verbatim (over TLS) to client
443
423
timeout: datetime.timedelta(); How long from last_checked_ok
444
424
until this client is disabled
445
extended_timeout: extra long timeout when secret has been sent
425
extended_timeout: extra long timeout when password has been sent
446
426
runtime_expansions: Allowed attributes for runtime expansion.
447
427
expires: datetime.datetime(); time (UTC) when a client will be
448
428
disabled, or None
449
server_settings: The server_settings dict from main()
450
429
"""
451
430
452
431
runtime_expansions = ("approval_delay", "approval_duration",
453
"created", "enabled", "expires",
454
"fingerprint", "host", "interval",
455
"last_approval_request", "last_checked_ok",
432
"created", "enabled", "fingerprint",
433
"host", "interval", "last_checked_ok",
456
434
"last_enabled", "name", "timeout")
457
client_defaults = { "timeout": "PT5M",
458
"extended_timeout": "PT15M",
459
"interval": "PT2M",
435
client_defaults = { "timeout": "5m",
436
"extended_timeout": "15m",
437
"interval": "2m",
460
438
"checker": "fping -q -- %%(host)s",
461
439
"host": "",
462
"approval_delay": "PT0S",
463
"approval_duration": "PT1S",
440
"approval_delay": "0s",
441
"approval_duration": "1s",
464
442
"approved_by_default": "True",
465
443
"enabled": "True",
466
444
}
479
457
480
458
def approval_delay_milliseconds(self):
481
459
return timedelta_to_milliseconds(self.approval_delay)
482
460
483
461
@staticmethod
484
462
def config_parser(config):
485
463
"""Construct a new dict of client settings of this form:
510
488
"rb") as secfile:
511
489
client["secret"] = secfile.read()
512
490
else:
513
raise TypeError("No secret or secfile for section {0}"
514
.format(section))
491
raise TypeError("No secret or secfile for section %s"
492
% section)
515
493
client["timeout"] = string_to_delta(section["timeout"])
516
494
client["extended_timeout"] = string_to_delta(
517
495
section["extended_timeout"])
523
501
client["checker_command"] = section["checker"]
524
502
client["last_approval_request"] = None
525
503
client["last_checked_ok"] = None
526
client["last_checker_status"] = -2
504
client["last_checker_status"] = None
527
505
528
506
return settings
529
530
def __init__(self, settings, name = None, server_settings=None):
507
508
509
def __init__(self, settings, name = None):
510
"""Note: the 'checker' key in 'config' sets the
511
'checker_command' attribute and *not* the 'checker'
512
attribute."""
531
513
self.name = name
532
if server_settings is None:
533
server_settings = {}
534
self.server_settings = server_settings
535
514
# adding all client settings
536
515
for setting, value in settings.iteritems():
537
516
setattr(self, setting, value)
545
524
else:
546
525
self.last_enabled = None
547
526
self.expires = None
548
527
549
528
logger.debug("Creating client %r", self.name)
550
529
# Uppercase and remove spaces from fingerprint for later
551
530
# comparison purposes with return value from the fingerprint()
553
532
logger.debug(" Fingerprint: %s", self.fingerprint)
554
533
self.created = settings.get("created",
555
534
datetime.datetime.utcnow())
556
535
557
536
# attributes specific for this server instance
558
537
self.checker = None
559
538
self.checker_initiator_tag = None
587
566
if getattr(self, "enabled", False):
588
567
# Already enabled
589
568
return
569
self.send_changedstate()
590
570
self.expires = datetime.datetime.utcnow() + self.timeout
591
571
self.enabled = True
592
572
self.last_enabled = datetime.datetime.utcnow()
593
573
self.init_checker()
594
self.send_changedstate()
595
574
596
575
def disable(self, quiet=True):
597
576
"""Disable this client."""
598
577
if not getattr(self, "enabled", False):
599
578
return False
600
579
if not quiet:
580
self.send_changedstate()
581
if not quiet:
601
582
logger.info("Disabling client %s", self.name)
602
if getattr(self, "disable_initiator_tag", None) is not None:
583
if getattr(self, "disable_initiator_tag", False):
603
584
gobject.source_remove(self.disable_initiator_tag)
604
585
self.disable_initiator_tag = None
605
586
self.expires = None
606
if getattr(self, "checker_initiator_tag", None) is not None:
587
if getattr(self, "checker_initiator_tag", False):
607
588
gobject.source_remove(self.checker_initiator_tag)
608
589
self.checker_initiator_tag = None
609
590
self.stop_checker()
610
591
self.enabled = False
611
if not quiet:
612
self.send_changedstate()
613
592
# Do not run this again if called by a gobject.timeout_add
614
593
return False
615
594
619
598
def init_checker(self):
620
599
# Schedule a new checker to be started an 'interval' from now,
621
600
# and every interval from then on.
622
if self.checker_initiator_tag is not None:
623
gobject.source_remove(self.checker_initiator_tag)
624
601
self.checker_initiator_tag = (gobject.timeout_add
625
602
(self.interval_milliseconds(),
626
603
self.start_checker))
627
604
# Schedule a disable() when 'timeout' has passed
628
if self.disable_initiator_tag is not None:
629
gobject.source_remove(self.disable_initiator_tag)
630
605
self.disable_initiator_tag = (gobject.timeout_add
631
606
(self.timeout_milliseconds(),
632
607
self.disable))
651
626
logger.warning("Checker for %(name)s crashed?",
652
627
vars(self))
653
628
654
def checked_ok(self):
655
"""Assert that the client has been seen, alive and well."""
656
self.last_checked_ok = datetime.datetime.utcnow()
657
self.last_checker_status = 0
658
self.bump_timeout()
659
660
def bump_timeout(self, timeout=None):
661
"""Bump up the timeout for this client."""
629
def checked_ok(self, timeout=None):
630
"""Bump up the timeout for this client.
631
632
This should only be called when the client has been seen,
633
alive and well.
634
"""
662
635
if timeout is None:
663
636
timeout = self.timeout
637
self.last_checked_ok = datetime.datetime.utcnow()
664
638
if self.disable_initiator_tag is not None:
665
639
gobject.source_remove(self.disable_initiator_tag)
666
self.disable_initiator_tag = None
667
640
if getattr(self, "enabled", False):
668
641
self.disable_initiator_tag = (gobject.timeout_add
669
642
(timedelta_to_milliseconds
679
652
If a checker already exists, leave it running and do
680
653
nothing."""
681
654
# The reason for not killing a running checker is that if we
682
# did that, and if a checker (for some reason) started running
683
# slowly and taking more than 'interval' time, then the client
684
# would inevitably timeout, since no checker would get a
685
# chance to run to completion. If we instead leave running
655
# did that, then if a checker (for some reason) started
656
# running slowly and taking more than 'interval' time, the
657
# client would inevitably timeout, since no checker would get
658
# a chance to run to completion. If we instead leave running
686
659
# checkers alone, the checker would have to take more time
687
660
# than 'timeout' for the client to be disabled, which is as it
688
661
# should be.
690
663
# If a checker exists, make sure it is not a zombie
691
664
try:
692
665
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
693
except AttributeError:
694
pass
695
except OSError as error:
696
if error.errno != errno.ECHILD:
697
raise
666
except (AttributeError, OSError) as error:
667
if (isinstance(error, OSError)
668
and error.errno != errno.ECHILD):
669
raise error
698
670
else:
699
671
if pid:
700
672
logger.warning("Checker was a zombie")
703
675
self.current_checker_command)
704
676
# Start a new checker if needed
705
677
if self.checker is None:
706
# Escape attributes for the shell
707
escaped_attrs = dict(
708
(attr, re.escape(unicode(getattr(self, attr))))
709
for attr in
710
self.runtime_expansions)
711
678
try:
712
command = self.checker_command % escaped_attrs
713
except TypeError as error:
714
logger.error('Could not format string "%s"',
715
self.checker_command, exc_info=error)
716
return True # Try again later
679
# In case checker_command has exactly one % operator
680
command = self.checker_command % self.host
681
except TypeError:
682
# Escape attributes for the shell
683
escaped_attrs = dict(
684
(attr,
685
re.escape(unicode(str(getattr(self, attr, "")),
686
errors=
687
'replace')))
688
for attr in
689
self.runtime_expansions)
690
691
try:
692
command = self.checker_command % escaped_attrs
693
except TypeError as error:
694
logger.error('Could not format string "%s":'
695
' %s', self.checker_command, error)
696
return True # Try again later
717
697
self.current_checker_command = command
718
698
try:
719
699
logger.info("Starting checker %r for %s",
722
702
# in normal mode, that is already done by daemon(),
723
703
# and in debug mode we don't want to. (Stdin is
724
704
# always replaced by /dev/null.)
725
# The exception is when not debugging but nevertheless
726
# running in the foreground; use the previously
727
# created wnull.
728
popen_args = {}
729
if (not self.server_settings["debug"]
730
and self.server_settings["foreground"]):
731
popen_args.update({"stdout": wnull,
732
"stderr": wnull })
733
705
self.checker = subprocess.Popen(command,
734
706
close_fds=True,
735
shell=True, cwd="/",
736
**popen_args)
737
except OSError as error:
738
logger.error("Failed to start subprocess",
739
exc_info=error)
740
return True
741
self.checker_callback_tag = (gobject.child_watch_add
742
(self.checker.pid,
743
self.checker_callback,
744
data=command))
745
# The checker may have completed before the gobject
746
# watch was added. Check for this.
747
try:
707
shell=True, cwd="/")
708
self.checker_callback_tag = (gobject.child_watch_add
709
(self.checker.pid,
710
self.checker_callback,
711
data=command))
712
# The checker may have completed before the gobject
713
# watch was added. Check for this.
748
714
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
715
if pid:
716
gobject.source_remove(self.checker_callback_tag)
717
self.checker_callback(pid, status, command)
749
718
except OSError as error:
750
if error.errno == errno.ECHILD:
751
# This should never happen
752
logger.error("Child process vanished",
753
exc_info=error)
754
return True
755
raise
756
if pid:
757
gobject.source_remove(self.checker_callback_tag)
758
self.checker_callback(pid, status, command)
719
logger.error("Failed to start subprocess: %s",
720
error)
759
721
# Re-run this periodically if run by gobject.timeout_add
760
722
return True
761
723
768
730
return
769
731
logger.debug("Stopping checker for %(name)s", vars(self))
770
732
try:
771
self.checker.terminate()
733
os.kill(self.checker.pid, signal.SIGTERM)
772
734
#time.sleep(0.5)
773
735
#if self.checker.poll() is None:
774
# self.checker.kill()
736
# os.kill(self.checker.pid, signal.SIGKILL)
775
737
except OSError as error:
776
738
if error.errno != errno.ESRCH: # No such process
777
739
raise
794
756
# "Set" method, so we fail early here:
795
757
if byte_arrays and signature != "ay":
796
758
raise ValueError("Byte arrays not supported for non-'ay'"
797
" signature {0!r}".format(signature))
759
" signature %r" % signature)
798
760
def decorator(func):
799
761
func._dbus_is_property = True
800
762
func._dbus_interface = dbus_interface
808
770
return decorator
809
771
810
772
811
def dbus_interface_annotations(dbus_interface):
812
"""Decorator for marking functions returning interface annotations
813
814
Usage:
815
816
@dbus_interface_annotations("org.example.Interface")
817
def _foo(self): # Function name does not matter
818
return {"org.freedesktop.DBus.Deprecated": "true",
819
"org.freedesktop.DBus.Property.EmitsChangedSignal":
820
"false"}
821
"""
822
def decorator(func):
823
func._dbus_is_interface = True
824
func._dbus_interface = dbus_interface
825
func._dbus_name = dbus_interface
826
return func
827
return decorator
828
829
830
def dbus_annotations(annotations):
831
"""Decorator to annotate D-Bus methods, signals or properties
832
Usage:
833
834
@dbus_service_property("org.example.Interface", signature="b",
835
access="r")
836
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
837
"org.freedesktop.DBus.Property."
838
"EmitsChangedSignal": "false"})
839
def Property_dbus_property(self):
840
return dbus.Boolean(False)
841
"""
842
def decorator(func):
843
func._dbus_annotations = annotations
844
return func
845
return decorator
846
847
848
773
class DBusPropertyException(dbus.exceptions.DBusException):
849
774
"""A base class for D-Bus property-related exceptions
850
775
"""
873
798
"""
874
799
875
800
@staticmethod
876
def _is_dbus_thing(thing):
877
"""Returns a function testing if an attribute is a D-Bus thing
878
879
If called like _is_dbus_thing("method") it returns a function
880
suitable for use as predicate to inspect.getmembers().
881
"""
882
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
883
False)
801
def _is_dbus_property(obj):
802
return getattr(obj, "_dbus_is_property", False)
884
803
885
def _get_all_dbus_things(self, thing):
804
def _get_all_dbus_properties(self):
886
805
"""Returns a generator of (name, attribute) pairs
887
806
"""
888
return ((getattr(athing.__get__(self), "_dbus_name",
889
name),
890
athing.__get__(self))
807
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
891
808
for cls in self.__class__.__mro__
892
for name, athing in
893
inspect.getmembers(cls,
894
self._is_dbus_thing(thing)))
809
for name, prop in
810
inspect.getmembers(cls, self._is_dbus_property))
895
811
896
812
def _get_dbus_property(self, interface_name, property_name):
897
813
"""Returns a bound method if one exists which is a D-Bus
899
815
"""
900
816
for cls in self.__class__.__mro__:
901
817
for name, value in (inspect.getmembers
902
(cls,
903
self._is_dbus_thing("property"))):
818
(cls, self._is_dbus_property)):
904
819
if (value._dbus_name == property_name
905
820
and value._dbus_interface == interface_name):
906
821
return value.__get__(self)
948
863
Note: Will not include properties with access="write".
949
864
"""
950
865
properties = {}
951
for name, prop in self._get_all_dbus_things("property"):
866
for name, prop in self._get_all_dbus_properties():
952
867
if (interface_name
953
868
and interface_name != prop._dbus_interface):
954
869
# Interface non-empty but did not match
969
884
path_keyword='object_path',
970
885
connection_keyword='connection')
971
886
def Introspect(self, object_path, connection):
972
"""Overloading of standard D-Bus method.
973
974
Inserts property tags and interface annotation tags.
887
"""Standard D-Bus method, overloaded to insert property tags.
975
888
"""
976
889
xmlstring = dbus.service.Object.Introspect(self, object_path,
977
890
connection)
984
897
e.setAttribute("access", prop._dbus_access)
985
898
return e
986
899
for if_tag in document.getElementsByTagName("interface"):
987
# Add property tags
988
900
for tag in (make_tag(document, name, prop)
989
901
for name, prop
990
in self._get_all_dbus_things("property")
902
in self._get_all_dbus_properties()
991
903
if prop._dbus_interface
992
904
== if_tag.getAttribute("name")):
993
905
if_tag.appendChild(tag)
994
# Add annotation tags
995
for typ in ("method", "signal", "property"):
996
for tag in if_tag.getElementsByTagName(typ):
997
annots = dict()
998
for name, prop in (self.
999
_get_all_dbus_things(typ)):
1000
if (name == tag.getAttribute("name")
1001
and prop._dbus_interface
1002
== if_tag.getAttribute("name")):
1003
annots.update(getattr
1004
(prop,
1005
"_dbus_annotations",
1006
{}))
1007
for name, value in annots.iteritems():
1008
ann_tag = document.createElement(
1009
"annotation")
1010
ann_tag.setAttribute("name", name)
1011
ann_tag.setAttribute("value", value)
1012
tag.appendChild(ann_tag)
1013
# Add interface annotation tags
1014
for annotation, value in dict(
1015
itertools.chain.from_iterable(
1016
annotations().iteritems()
1017
for name, annotations in
1018
self._get_all_dbus_things("interface")
1019
if name == if_tag.getAttribute("name")
1020
)).iteritems():
1021
ann_tag = document.createElement("annotation")
1022
ann_tag.setAttribute("name", annotation)
1023
ann_tag.setAttribute("value", value)
1024
if_tag.appendChild(ann_tag)
1025
906
# Add the names to the return values for the
1026
907
# "org.freedesktop.DBus.Properties" methods
1027
908
if (if_tag.getAttribute("name")
1042
923
except (AttributeError, xml.dom.DOMException,
1043
924
xml.parsers.expat.ExpatError) as error:
1044
925
logger.error("Failed to override Introspection method",
1045
exc_info=error)
926
error)
1046
927
return xmlstring
1047
928
1048
929
1049
def datetime_to_dbus(dt, variant_level=0):
930
def datetime_to_dbus (dt, variant_level=0):
1050
931
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1051
932
if dt is None:
1052
933
return dbus.String("", variant_level = variant_level)
1054
935
variant_level=variant_level)
1055
936
1056
937
1057
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1058
"""A class decorator; applied to a subclass of
1059
dbus.service.Object, it will add alternate D-Bus attributes with
1060
interface names according to the "alt_interface_names" mapping.
1061
Usage:
1062
1063
@alternate_dbus_interfaces({"org.example.Interface":
1064
"net.example.AlternateInterface"})
1065
class SampleDBusObject(dbus.service.Object):
1066
@dbus.service.method("org.example.Interface")
1067
def SampleDBusMethod():
1068
pass
1069
1070
The above "SampleDBusMethod" on "SampleDBusObject" will be
1071
reachable via two interfaces: "org.example.Interface" and
1072
"net.example.AlternateInterface", the latter of which will have
1073
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1074
"true", unless "deprecate" is passed with a False value.
1075
1076
This works for methods and signals, and also for D-Bus properties
1077
(from DBusObjectWithProperties) and interfaces (from the
1078
dbus_interface_annotations decorator).
938
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
939
.__metaclass__):
940
"""Applied to an empty subclass of a D-Bus object, this metaclass
941
will add additional D-Bus attributes matching a certain pattern.
1079
942
"""
1080
def wrapper(cls):
1081
for orig_interface_name, alt_interface_name in (
1082
alt_interface_names.iteritems()):
1083
attr = {}
1084
interface_names = set()
1085
# Go though all attributes of the class
1086
for attrname, attribute in inspect.getmembers(cls):
943
def __new__(mcs, name, bases, attr):
944
# Go through all the base classes which could have D-Bus
945
# methods, signals, or properties in them
946
for base in (b for b in bases
947
if issubclass(b, dbus.service.Object)):
948
# Go though all attributes of the base class
949
for attrname, attribute in inspect.getmembers(base):
1087
950
# Ignore non-D-Bus attributes, and D-Bus attributes
1088
951
# with the wrong interface name
1089
952
if (not hasattr(attribute, "_dbus_interface")
1090
953
or not attribute._dbus_interface
1091
.startswith(orig_interface_name)):
954
.startswith("se.recompile.Mandos")):
1092
955
continue
1093
956
# Create an alternate D-Bus interface name based on
1094
957
# the current name
1095
958
alt_interface = (attribute._dbus_interface
1096
.replace(orig_interface_name,
1097
alt_interface_name))
1098
interface_names.add(alt_interface)
959
.replace("se.recompile.Mandos",
960
"se.bsnet.fukt.Mandos"))
1099
961
# Is this a D-Bus signal?
1100
962
if getattr(attribute, "_dbus_is_signal", False):
1101
# Extract the original non-method undecorated
1102
# function by black magic
963
# Extract the original non-method function by
964
# black magic
1103
965
nonmethod_func = (dict(
1104
966
zip(attribute.func_code.co_freevars,
1105
967
attribute.__closure__))["func"]
1116
978
nonmethod_func.func_name,
1117
979
nonmethod_func.func_defaults,
1118
980
nonmethod_func.func_closure)))
1119
# Copy annotations, if any
1120
try:
1121
new_function._dbus_annotations = (
1122
dict(attribute._dbus_annotations))
1123
except AttributeError:
1124
pass
1125
981
# Define a creator of a function to call both the
1126
# original and alternate functions, so both the
1127
# original and alternate signals gets sent when
1128
# the function is called
982
# old and new functions, so both the old and new
983
# signals gets sent when the function is called
1129
984
def fixscope(func1, func2):
1130
985
"""This function is a scope container to pass
1131
986
func1 and func2 to the "call_both" function
1138
993
return call_both
1139
994
# Create the "call_both" function and add it to
1140
995
# the class
1141
attr[attrname] = fixscope(attribute, new_function)
996
attr[attrname] = fixscope(attribute,
997
new_function)
1142
998
# Is this a D-Bus method?
1143
999
elif getattr(attribute, "_dbus_is_method", False):
1144
1000
# Create a new, but exactly alike, function
1155
1011
attribute.func_name,
1156
1012
attribute.func_defaults,
1157
1013
attribute.func_closure)))
1158
# Copy annotations, if any
1159
try:
1160
attr[attrname]._dbus_annotations = (
1161
dict(attribute._dbus_annotations))
1162
except AttributeError:
1163
pass
1164
1014
# Is this a D-Bus property?
1165
1015
elif getattr(attribute, "_dbus_is_property", False):
1166
1016
# Create a new, but exactly alike, function
1180
1030
attribute.func_name,
1181
1031
attribute.func_defaults,
1182
1032
attribute.func_closure)))
1183
# Copy annotations, if any
1184
try:
1185
attr[attrname]._dbus_annotations = (
1186
dict(attribute._dbus_annotations))
1187
except AttributeError:
1188
pass
1189
# Is this a D-Bus interface?
1190
elif getattr(attribute, "_dbus_is_interface", False):
1191
# Create a new, but exactly alike, function
1192
# object. Decorate it to be a new D-Bus interface
1193
# with the alternate D-Bus interface name. Add it
1194
# to the class.
1195
attr[attrname] = (dbus_interface_annotations
1196
(alt_interface)
1197
(types.FunctionType
1198
(attribute.func_code,
1199
attribute.func_globals,
1200
attribute.func_name,
1201
attribute.func_defaults,
1202
attribute.func_closure)))
1203
if deprecate:
1204
# Deprecate all alternate interfaces
1205
iname="_AlternateDBusNames_interface_annotation{0}"
1206
for interface_name in interface_names:
1207
@dbus_interface_annotations(interface_name)
1208
def func(self):
1209
return { "org.freedesktop.DBus.Deprecated":
1210
"true" }
1211
# Find an unused name
1212
for aname in (iname.format(i)
1213
for i in itertools.count()):
1214
if aname not in attr:
1215
attr[aname] = func
1216
break
1217
if interface_names:
1218
# Replace the class with a new subclass of it with
1219
# methods, signals, etc. as created above.
1220
cls = type(b"{0}Alternate".format(cls.__name__),
1221
(cls,), attr)
1222
return cls
1223
return wrapper
1224
1225
1226
@alternate_dbus_interfaces({"se.recompile.Mandos":
1227
"se.bsnet.fukt.Mandos"})
1033
return type.__new__(mcs, name, bases, attr)
1034
1035
1228
1036
class ClientDBus(Client, DBusObjectWithProperties):
1229
1037
"""A Client class using D-Bus
1230
1038
1241
1049
def __init__(self, bus = None, *args, **kwargs):
1242
1050
self.bus = bus
1243
1051
Client.__init__(self, *args, **kwargs)
1052
self._approvals_pending = 0
1053
1054
self._approvals_pending = 0
1244
1055
# Only now, when this client is initialized, can it show up on
1245
1056
# the D-Bus
1246
1057
client_object_name = unicode(self.name).translate(
1250
1061
("/clients/" + client_object_name))
1251
1062
DBusObjectWithProperties.__init__(self, self.bus,
1252
1063
self.dbus_object_path)
1253
1064
1254
1065
def notifychangeproperty(transform_func,
1255
1066
dbus_name, type_func=lambda x: x,
1256
1067
variant_level=1):
1279
1090
1280
1091
return property(lambda self: getattr(self, attrname), setter)
1281
1092
1093
1282
1094
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1283
1095
approvals_pending = notifychangeproperty(dbus.Boolean,
1284
1096
"ApprovalPending",
1291
1103
checker is not None)
1292
1104
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1293
1105
"LastCheckedOK")
1294
last_checker_status = notifychangeproperty(dbus.Int16,
1295
"LastCheckerStatus")
1296
1106
last_approval_request = notifychangeproperty(
1297
1107
datetime_to_dbus, "LastApprovalRequest")
1298
1108
approved_by_default = notifychangeproperty(dbus.Boolean,
1366
1176
return False
1367
1177
1368
1178
def approve(self, value=True):
1179
self.send_changedstate()
1369
1180
self.approved = value
1370
1181
gobject.timeout_add(timedelta_to_milliseconds
1371
1182
(self.approval_duration),
1372
1183
self._reset_approved)
1373
self.send_changedstate()
1184
1374
1185
1375
1186
## D-Bus methods, signals & properties
1376
1187
_interface = "se.recompile.Mandos.Client"
1377
1188
1378
## Interfaces
1379
1380
@dbus_interface_annotations(_interface)
1381
def _foo(self):
1382
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1383
"false"}
1384
1385
1189
## Signals
1386
1190
1387
1191
# CheckerCompleted - signal
1423
1227
"D-Bus signal"
1424
1228
return self.need_approval()
1425
1229
1230
# NeRwequest - signal
1231
@dbus.service.signal(_interface, signature="s")
1232
def NewRequest(self, ip):
1233
"""D-Bus signal
1234
Is sent after a client request a password.
1235
"""
1236
pass
1237
1426
1238
## Methods
1427
1239
1428
1240
# Approve - method
1538
1350
return
1539
1351
return datetime_to_dbus(self.last_checked_ok)
1540
1352
1541
# LastCheckerStatus - property
1542
@dbus_service_property(_interface, signature="n",
1543
access="read")
1544
def LastCheckerStatus_dbus_property(self):
1545
return dbus.Int16(self.last_checker_status)
1546
1547
1353
# Expires - property
1548
1354
@dbus_service_property(_interface, signature="s", access="read")
1549
1355
def Expires_dbus_property(self):
1560
1366
def Timeout_dbus_property(self, value=None):
1561
1367
if value is None: # get
1562
1368
return dbus.UInt64(self.timeout_milliseconds())
1563
old_timeout = self.timeout
1564
1369
self.timeout = datetime.timedelta(0, 0, 0, value)
1565
# Reschedule disabling
1370
# Reschedule timeout
1566
1371
if self.enabled:
1567
1372
now = datetime.datetime.utcnow()
1568
self.expires += self.timeout - old_timeout
1569
if self.expires <= now:
1373
time_to_die = timedelta_to_milliseconds(
1374
(self.last_checked_ok + self.timeout) - now)
1375
if time_to_die <= 0:
1570
1376
# The timeout has passed
1571
1377
self.disable()
1572
1378
else:
1379
self.expires = (now +
1380
datetime.timedelta(milliseconds =
1381
time_to_die))
1573
1382
if (getattr(self, "disable_initiator_tag", None)
1574
1383
is None):
1575
1384
return
1576
1385
gobject.source_remove(self.disable_initiator_tag)
1577
self.disable_initiator_tag = (
1578
gobject.timeout_add(
1579
timedelta_to_milliseconds(self.expires - now),
1580
self.disable))
1386
self.disable_initiator_tag = (gobject.timeout_add
1387
(time_to_die,
1388
self.disable))
1581
1389
1582
1390
# ExtendedTimeout - property
1583
1391
@dbus_service_property(_interface, signature="t",
1662
1470
self._pipe.send(('setattr', name, value))
1663
1471
1664
1472
1473
class ClientDBusTransitional(ClientDBus):
1474
__metaclass__ = AlternateDBusNamesMetaclass
1475
1476
1665
1477
class ClientHandler(socketserver.BaseRequestHandler, object):
1666
1478
"""A class to handle client connections.
1667
1479
1703
1515
logger.debug("Protocol version: %r", line)
1704
1516
try:
1705
1517
if int(line.strip().split()[0]) > 1:
1706
raise RuntimeError(line)
1518
raise RuntimeError
1707
1519
except (ValueError, IndexError, RuntimeError) as error:
1708
1520
logger.error("Unknown protocol version: %s", error)
1709
1521
return
1735
1547
except KeyError:
1736
1548
return
1737
1549
1550
if self.server.use_dbus:
1551
# Emit D-Bus signal
1552
client.NewRequest(str(self.client_address))
1553
1738
1554
if client.approval_delay:
1739
1555
delay = client.approval_delay
1740
1556
client.approvals_pending += 1
1771
1587
#wait until timeout or approved
1772
1588
time = datetime.datetime.now()
1773
1589
client.changedstate.acquire()
1774
client.changedstate.wait(
1775
float(timedelta_to_milliseconds(delay)
1776
/ 1000))
1590
(client.changedstate.wait
1591
(float(client.timedelta_to_milliseconds(delay)
1592
/ 1000)))
1777
1593
client.changedstate.release()
1778
1594
time2 = datetime.datetime.now()
1779
1595
if (time2 - time) >= delay:
1795
1611
try:
1796
1612
sent = session.send(client.secret[sent_size:])
1797
1613
except gnutls.errors.GNUTLSError as error:
1798
logger.warning("gnutls send failed",
1799
exc_info=error)
1614
logger.warning("gnutls send failed")
1800
1615
return
1801
1616
logger.debug("Sent: %d, remaining: %d",
1802
1617
sent, len(client.secret)
1805
1620
1806
1621
logger.info("Sending secret to %s", client.name)
1807
1622
# bump the timeout using extended_timeout
1808
client.bump_timeout(client.extended_timeout)
1623
client.checked_ok(client.extended_timeout)
1809
1624
if self.server.use_dbus:
1810
1625
# Emit D-Bus signal
1811
1626
client.GotSecret()
1816
1631
try:
1817
1632
session.bye()
1818
1633
except gnutls.errors.GNUTLSError as error:
1819
logger.warning("GnuTLS bye failed",
1820
exc_info=error)
1634
logger.warning("GnuTLS bye failed")
1821
1635
1822
1636
@staticmethod
1823
1637
def peer_certificate(session):
1895
1709
def process_request(self, request, address):
1896
1710
"""Start a new process to process the request."""
1897
1711
proc = multiprocessing.Process(target = self.sub_process_main,
1898
args = (request, address))
1712
args = (request,
1713
address))
1899
1714
proc.start()
1900
1715
return proc
1901
1716
1916
1731
1917
1732
def add_pipe(self, parent_pipe, proc):
1918
1733
"""Dummy function; override as necessary"""
1919
raise NotImplementedError()
1734
raise NotImplementedError
1920
1735
1921
1736
1922
1737
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1929
1744
use_ipv6: Boolean; to use IPv6 or not
1930
1745
"""
1931
1746
def __init__(self, server_address, RequestHandlerClass,
1932
interface=None, use_ipv6=True, socketfd=None):
1933
"""If socketfd is set, use that file descriptor instead of
1934
creating a new one with socket.socket().
1935
"""
1747
interface=None, use_ipv6=True):
1936
1748
self.interface = interface
1937
1749
if use_ipv6:
1938
1750
self.address_family = socket.AF_INET6
1939
if socketfd is not None:
1940
# Save the file descriptor
1941
self.socketfd = socketfd
1942
# Save the original socket.socket() function
1943
self.socket_socket = socket.socket
1944
# To implement --socket, we monkey patch socket.socket.
1945
#
1946
# (When socketserver.TCPServer is a new-style class, we
1947
# could make self.socket into a property instead of monkey
1948
# patching socket.socket.)
1949
#
1950
# Create a one-time-only replacement for socket.socket()
1951
@functools.wraps(socket.socket)
1952
def socket_wrapper(*args, **kwargs):
1953
# Restore original function so subsequent calls are
1954
# not affected.
1955
socket.socket = self.socket_socket
1956
del self.socket_socket
1957
# This time only, return a new socket object from the
1958
# saved file descriptor.
1959
return socket.fromfd(self.socketfd, *args, **kwargs)
1960
# Replace socket.socket() function with wrapper
1961
socket.socket = socket_wrapper
1962
# The socketserver.TCPServer.__init__ will call
1963
# socket.socket(), which might be our replacement,
1964
# socket_wrapper(), if socketfd was set.
1965
1751
socketserver.TCPServer.__init__(self, server_address,
1966
1752
RequestHandlerClass)
1967
1968
1753
def server_bind(self):
1969
1754
"""This overrides the normal server_bind() function
1970
1755
to bind to an interface if one was specified, and also NOT to
1978
1763
try:
1979
1764
self.socket.setsockopt(socket.SOL_SOCKET,
1980
1765
SO_BINDTODEVICE,
1981
str(self.interface + '\0'))
1766
str(self.interface
1767
+ '\0'))
1982
1768
except socket.error as error:
1983
if error.errno == errno.EPERM:
1984
logger.error("No permission to bind to"
1985
" interface %s", self.interface)
1986
elif error.errno == errno.ENOPROTOOPT:
1769
if error[0] == errno.EPERM:
1770
logger.error("No permission to"
1771
" bind to interface %s",
1772
self.interface)
1773
elif error[0] == errno.ENOPROTOOPT:
1987
1774
logger.error("SO_BINDTODEVICE not available;"
1988
1775
" cannot bind to interface %s",
1989
1776
self.interface)
1990
elif error.errno == errno.ENODEV:
1991
logger.error("Interface %s does not exist,"
1992
" cannot bind", self.interface)
1993
1777
else:
1994
1778
raise
1995
1779
# Only bind(2) the socket if we really need to.
1998
1782
if self.address_family == socket.AF_INET6:
1999
1783
any_address = "::" # in6addr_any
2000
1784
else:
2001
any_address = "0.0.0.0" # INADDR_ANY
1785
any_address = socket.INADDR_ANY
2002
1786
self.server_address = (any_address,
2003
1787
self.server_address[1])
2004
1788
elif not self.server_address[1]:
2025
1809
"""
2026
1810
def __init__(self, server_address, RequestHandlerClass,
2027
1811
interface=None, use_ipv6=True, clients=None,
2028
gnutls_priority=None, use_dbus=True, socketfd=None):
1812
gnutls_priority=None, use_dbus=True):
2029
1813
self.enabled = False
2030
1814
self.clients = clients
2031
1815
if self.clients is None:
2035
1819
IPv6_TCPServer.__init__(self, server_address,
2036
1820
RequestHandlerClass,
2037
1821
interface = interface,
2038
use_ipv6 = use_ipv6,
2039
socketfd = socketfd)
1822
use_ipv6 = use_ipv6)
2040
1823
def server_activate(self):
2041
1824
if self.enabled:
2042
1825
return socketserver.TCPServer.server_activate(self)
2055
1838
2056
1839
def handle_ipc(self, source, condition, parent_pipe=None,
2057
1840
proc = None, client_object=None):
1841
condition_names = {
1842
gobject.IO_IN: "IN", # There is data to read.
1843
gobject.IO_OUT: "OUT", # Data can be written (without
1844
# blocking).
1845
gobject.IO_PRI: "PRI", # There is urgent data to read.
1846
gobject.IO_ERR: "ERR", # Error condition.
1847
gobject.IO_HUP: "HUP" # Hung up (the connection has been
1848
# broken, usually for pipes and
1849
# sockets).
1850
}
1851
conditions_string = ' | '.join(name
1852
for cond, name in
1853
condition_names.iteritems()
1854
if cond & condition)
2058
1855
# error, or the other end of multiprocessing.Pipe has closed
2059
if condition & (gobject.IO_ERR | gobject.IO_HUP):
1856
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
2060
1857
# Wait for other process to exit
2061
1858
proc.join()
2062
1859
return False
2120
1917
return True
2121
1918
2122
1919
2123
def rfc3339_duration_to_delta(duration):
2124
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2125
2126
>>> rfc3339_duration_to_delta("P7D")
2127
datetime.timedelta(7)
2128
>>> rfc3339_duration_to_delta("PT60S")
2129
datetime.timedelta(0, 60)
2130
>>> rfc3339_duration_to_delta("PT60M")
2131
datetime.timedelta(0, 3600)
2132
>>> rfc3339_duration_to_delta("PT24H")
2133
datetime.timedelta(1)
2134
>>> rfc3339_duration_to_delta("P1W")
2135
datetime.timedelta(7)
2136
>>> rfc3339_duration_to_delta("PT5M30S")
2137
datetime.timedelta(0, 330)
2138
>>> rfc3339_duration_to_delta("P1DT3M20S")
2139
datetime.timedelta(1, 200)
2140
"""
2141
2142
# Parsing an RFC 3339 duration with regular expressions is not
2143
# possible - there would have to be multiple places for the same
2144
# values, like seconds. The current code, while more esoteric, is
2145
# cleaner without depending on a parsing library. If Python had a
2146
# built-in library for parsing we would use it, but we'd like to
2147
# avoid excessive use of external libraries.
2148
2149
# New type for defining tokens, syntax, and semantics all-in-one
2150
Token = collections.namedtuple("Token",
2151
("regexp", # To match token; if
2152
# "value" is not None,
2153
# must have a "group"
2154
# containing digits
2155
"value", # datetime.timedelta or
2156
# None
2157
"followers")) # Tokens valid after
2158
# this token
2159
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2160
# the "duration" ABNF definition in RFC 3339, Appendix A.
2161
token_end = Token(re.compile(r"$"), None, frozenset())
2162
token_second = Token(re.compile(r"(\d+)S"),
2163
datetime.timedelta(seconds=1),
2164
frozenset((token_end,)))
2165
token_minute = Token(re.compile(r"(\d+)M"),
2166
datetime.timedelta(minutes=1),
2167
frozenset((token_second, token_end)))
2168
token_hour = Token(re.compile(r"(\d+)H"),
2169
datetime.timedelta(hours=1),
2170
frozenset((token_minute, token_end)))
2171
token_time = Token(re.compile(r"T"),
2172
None,
2173
frozenset((token_hour, token_minute,
2174
token_second)))
2175
token_day = Token(re.compile(r"(\d+)D"),
2176
datetime.timedelta(days=1),
2177
frozenset((token_time, token_end)))
2178
token_month = Token(re.compile(r"(\d+)M"),
2179
datetime.timedelta(weeks=4),
2180
frozenset((token_day, token_end)))
2181
token_year = Token(re.compile(r"(\d+)Y"),
2182
datetime.timedelta(weeks=52),
2183
frozenset((token_month, token_end)))
2184
token_week = Token(re.compile(r"(\d+)W"),
2185
datetime.timedelta(weeks=1),
2186
frozenset((token_end,)))
2187
token_duration = Token(re.compile(r"P"), None,
2188
frozenset((token_year, token_month,
2189
token_day, token_time,
2190
token_week))),
2191
# Define starting values
2192
value = datetime.timedelta() # Value so far
2193
found_token = None
2194
followers = frozenset(token_duration,) # Following valid tokens
2195
s = duration # String left to parse
2196
# Loop until end token is found
2197
while found_token is not token_end:
2198
# Search for any currently valid tokens
2199
for token in followers:
2200
match = token.regexp.match(s)
2201
if match is not None:
2202
# Token found
2203
if token.value is not None:
2204
# Value found, parse digits
2205
factor = int(match.group(1), 10)
2206
# Add to value so far
2207
value += factor * token.value
2208
# Strip token from string
2209
s = token.regexp.sub("", s, 1)
2210
# Go to found token
2211
found_token = token
2212
# Set valid next tokens
2213
followers = found_token.followers
2214
break
2215
else:
2216
# No currently valid tokens were found
2217
raise ValueError("Invalid RFC 3339 duration")
2218
# End token found
2219
return value
2220
2221
2222
1920
def string_to_delta(interval):
2223
1921
"""Parse a string and return a datetime.timedelta
2224
1922
2235
1933
>>> string_to_delta('5m 30s')
2236
1934
datetime.timedelta(0, 330)
2237
1935
"""
2238
2239
try:
2240
return rfc3339_duration_to_delta(interval)
2241
except ValueError:
2242
pass
2243
2244
1936
timevalue = datetime.timedelta(0)
2245
1937
for s in interval.split():
2246
1938
try:
2257
1949
elif suffix == "w":
2258
1950
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2259
1951
else:
2260
raise ValueError("Unknown suffix {0!r}"
2261
.format(suffix))
2262
except IndexError as e:
1952
raise ValueError("Unknown suffix %r" % suffix)
1953
except (ValueError, IndexError) as e:
2263
1954
raise ValueError(*(e.args))
2264
1955
timevalue += delta
2265
1956
return timevalue
2278
1969
sys.exit()
2279
1970
if not noclose:
2280
1971
# Close all standard open file descriptors
2281
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1972
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2282
1973
if not stat.S_ISCHR(os.fstat(null).st_mode):
2283
1974
raise OSError(errno.ENODEV,
2284
"{0} not a character device"
2285
.format(os.devnull))
1975
"%s not a character device"
1976
% os.path.devnull)
2286
1977
os.dup2(null, sys.stdin.fileno())
2287
1978
os.dup2(null, sys.stdout.fileno())
2288
1979
os.dup2(null, sys.stderr.fileno())
2297
1988
2298
1989
parser = argparse.ArgumentParser()
2299
1990
parser.add_argument("-v", "--version", action="version",
2300
version = "%(prog)s {0}".format(version),
1991
version = "%%(prog)s %s" % version,
2301
1992
help="show version number and exit")
2302
1993
parser.add_argument("-i", "--interface", metavar="IF",
2303
1994
help="Bind to interface IF")
2309
2000
help="Run self-test")
2310
2001
parser.add_argument("--debug", action="store_true",
2311
2002
help="Debug mode; run in foreground and log"
2312
" to terminal", default=None)
2003
" to terminal")
2313
2004
parser.add_argument("--debuglevel", metavar="LEVEL",
2314
2005
help="Debug level for stdout output")
2315
2006
parser.add_argument("--priority", help="GnuTLS"
2322
2013
" files")
2323
2014
parser.add_argument("--no-dbus", action="store_false",
2324
2015
dest="use_dbus", help="Do not provide D-Bus"
2325
" system bus interface", default=None)
2016
" system bus interface")
2326
2017
parser.add_argument("--no-ipv6", action="store_false",
2327
dest="use_ipv6", help="Do not use IPv6",
2328
default=None)
2018
dest="use_ipv6", help="Do not use IPv6")
2329
2019
parser.add_argument("--no-restore", action="store_false",
2330
2020
dest="restore", help="Do not restore stored"
2331
" state", default=None)
2332
parser.add_argument("--socket", type=int,
2333
help="Specify a file descriptor to a network"
2334
" socket to use instead of creating one")
2021
" state")
2335
2022
parser.add_argument("--statedir", metavar="DIR",
2336
2023
help="Directory to save/restore state in")
2337
parser.add_argument("--foreground", action="store_true",
2338
help="Run in foreground", default=None)
2339
2024
2340
2025
options = parser.parse_args()
2341
2026
2350
2035
"port": "",
2351
2036
"debug": "False",
2352
2037
"priority":
2353
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2038
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2354
2039
"servicename": "Mandos",
2355
2040
"use_dbus": "True",
2356
2041
"use_ipv6": "True",
2357
2042
"debuglevel": "",
2358
2043
"restore": "True",
2359
"socket": "",
2360
"statedir": "/var/lib/mandos",
2361
"foreground": "False",
2044
"statedir": "/var/lib/mandos"
2362
2045
}
2363
2046
2364
2047
# Parse config file for server-global settings
2369
2052
# Convert the SafeConfigParser object to a dict
2370
2053
server_settings = server_config.defaults()
2371
2054
# Use the appropriate methods on the non-string config options
2372
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2055
for option in ("debug", "use_dbus", "use_ipv6"):
2373
2056
server_settings[option] = server_config.getboolean("DEFAULT",
2374
2057
option)
2375
2058
if server_settings["port"]:
2376
2059
server_settings["port"] = server_config.getint("DEFAULT",
2377
2060
"port")
2378
if server_settings["socket"]:
2379
server_settings["socket"] = server_config.getint("DEFAULT",
2380
"socket")
2381
# Later, stdin will, and stdout and stderr might, be dup'ed
2382
# over with an opened os.devnull. But we don't want this to
2383
# happen with a supplied network socket.
2384
if 0 <= server_settings["socket"] <= 2:
2385
server_settings["socket"] = os.dup(server_settings
2386
["socket"])
2387
2061
del server_config
2388
2062
2389
2063
# Override the settings from the config file with command line
2391
2065
for option in ("interface", "address", "port", "debug",
2392
2066
"priority", "servicename", "configdir",
2393
2067
"use_dbus", "use_ipv6", "debuglevel", "restore",
2394
"statedir", "socket", "foreground"):
2068
"statedir"):
2395
2069
value = getattr(options, option)
2396
2070
if value is not None:
2397
2071
server_settings[option] = value
2400
2074
for option in server_settings.keys():
2401
2075
if type(server_settings[option]) is str:
2402
2076
server_settings[option] = unicode(server_settings[option])
2403
# Force all boolean options to be boolean
2404
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2405
"foreground"):
2406
server_settings[option] = bool(server_settings[option])
2407
# Debug implies foreground
2408
if server_settings["debug"]:
2409
server_settings["foreground"] = True
2410
2077
# Now we have our good server settings in "server_settings"
2411
2078
2412
2079
##################################################################
2418
2085
use_ipv6 = server_settings["use_ipv6"]
2419
2086
stored_state_path = os.path.join(server_settings["statedir"],
2420
2087
stored_state_file)
2421
foreground = server_settings["foreground"]
2422
2088
2423
2089
if debug:
2424
2090
initlogger(debug, logging.DEBUG)
2431
2097
2432
2098
if server_settings["servicename"] != "Mandos":
2433
2099
syslogger.setFormatter(logging.Formatter
2434
('Mandos ({0}) [%(process)d]:'
2435
' %(levelname)s: %(message)s'
2436
.format(server_settings
2437
["servicename"])))
2100
('Mandos (%s) [%%(process)d]:'
2101
' %%(levelname)s: %%(message)s'
2102
% server_settings["servicename"]))
2438
2103
2439
2104
# Parse config file with clients
2440
2105
client_config = configparser.SafeConfigParser(Client
2453
2118
use_ipv6=use_ipv6,
2454
2119
gnutls_priority=
2455
2120
server_settings["priority"],
2456
use_dbus=use_dbus,
2457
socketfd=(server_settings["socket"]
2458
or None))
2459
if not foreground:
2460
pidfilename = "/run/mandos.pid"
2461
if not os.path.isdir("/run/."):
2462
pidfilename = "/var/run/mandos.pid"
2463
pidfile = None
2121
use_dbus=use_dbus)
2122
if not debug:
2123
pidfilename = "/var/run/mandos.pid"
2464
2124
try:
2465
2125
pidfile = open(pidfilename, "w")
2466
except IOError as e:
2467
logger.error("Could not open file %r", pidfilename,
2468
exc_info=e)
2126
except IOError:
2127
logger.error("Could not open file %r", pidfilename)
2469
2128
2470
for name in ("_mandos", "mandos", "nobody"):
2129
try:
2130
uid = pwd.getpwnam("_mandos").pw_uid
2131
gid = pwd.getpwnam("_mandos").pw_gid
2132
except KeyError:
2471
2133
try:
2472
uid = pwd.getpwnam(name).pw_uid
2473
gid = pwd.getpwnam(name).pw_gid
2474
break
2134
uid = pwd.getpwnam("mandos").pw_uid
2135
gid = pwd.getpwnam("mandos").pw_gid
2475
2136
except KeyError:
2476
continue
2477
else:
2478
uid = 65534
2479
gid = 65534
2137
try:
2138
uid = pwd.getpwnam("nobody").pw_uid
2139
gid = pwd.getpwnam("nobody").pw_gid
2140
except KeyError:
2141
uid = 65534
2142
gid = 65534
2480
2143
try:
2481
2144
os.setgid(gid)
2482
2145
os.setuid(uid)
2483
2146
except OSError as error:
2484
if error.errno != errno.EPERM:
2485
raise
2147
if error[0] != errno.EPERM:
2148
raise error
2486
2149
2487
2150
if debug:
2488
2151
# Enable all possible GnuTLS debugging
2499
2162
.gnutls_global_set_log_function(debug_gnutls))
2500
2163
2501
2164
# Redirect stdin so all checkers get /dev/null
2502
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2165
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2503
2166
os.dup2(null, sys.stdin.fileno())
2504
2167
if null > 2:
2505
2168
os.close(null)
2506
2169
2507
2170
# Need to fork before connecting to D-Bus
2508
if not foreground:
2171
if not debug:
2509
2172
# Close all input and output, do double fork, etc.
2510
2173
daemon()
2511
2174
2512
# multiprocessing will use threads, so before we use gobject we
2513
# need to inform gobject that threads will be used.
2514
2175
gobject.threads_init()
2515
2176
2516
2177
global main_loop
2517
2178
# From the Avahi example code
2518
DBusGMainLoop(set_as_default=True)
2179
DBusGMainLoop(set_as_default=True )
2519
2180
main_loop = gobject.MainLoop()
2520
2181
bus = dbus.SystemBus()
2521
2182
# End of Avahi example code
2527
2188
("se.bsnet.fukt.Mandos", bus,
2528
2189
do_not_queue=True))
2529
2190
except dbus.exceptions.NameExistsException as e:
2530
logger.error("Disabling D-Bus:", exc_info=e)
2191
logger.error(unicode(e) + ", disabling D-Bus")
2531
2192
use_dbus = False
2532
2193
server_settings["use_dbus"] = False
2533
2194
tcp_server.use_dbus = False
2545
2206
2546
2207
client_class = Client
2547
2208
if use_dbus:
2548
client_class = functools.partial(ClientDBus, bus = bus)
2209
client_class = functools.partial(ClientDBusTransitional,
2210
bus = bus)
2549
2211
2550
2212
client_settings = Client.config_parser(client_config)
2551
2213
old_client_settings = {}
2552
2214
clients_data = {}
2553
2215
2554
# This is used to redirect stdout and stderr for checker processes
2555
global wnull
2556
wnull = open(os.devnull, "w") # A writable /dev/null
2557
# Only used if server is running in foreground but not in debug
2558
# mode
2559
if debug or not foreground:
2560
wnull.close()
2561
2562
2216
# Get client data and settings from last running state.
2563
2217
if server_settings["restore"]:
2564
2218
try:
2567
2221
(stored_state))
2568
2222
os.remove(stored_state_path)
2569
2223
except IOError as e:
2570
if e.errno == errno.ENOENT:
2571
logger.warning("Could not load persistent state: {0}"
2572
.format(os.strerror(e.errno)))
2573
else:
2574
logger.critical("Could not load persistent state:",
2575
exc_info=e)
2224
logger.warning("Could not load persistent state: {0}"
2225
.format(e))
2226
if e.errno != errno.ENOENT:
2576
2227
raise
2577
2228
except EOFError as e:
2578
2229
logger.warning("Could not load persistent state: "
2579
"EOFError:", exc_info=e)
2230
"EOFError: {0}".format(e))
2580
2231
2581
2232
with PGPEngine() as pgp:
2582
2233
for client_name, client in clients_data.iteritems():
2583
# Skip removed clients
2584
if client_name not in client_settings:
2585
continue
2586
2587
2234
# Decide which value to use after restoring saved state.
2588
2235
# We have three different values: Old config file,
2589
2236
# new config file, and saved state.
2603
2250
2604
2251
# Clients who has passed its expire date can still be
2605
2252
# enabled if its last checker was successful. Clients
2606
# whose checker succeeded before we stored its state is
2607
# assumed to have successfully run all checkers during
2608
# downtime.
2253
# whose checker failed before we stored its state is
2254
# assumed to have failed all checkers during downtime.
2609
2255
if client["enabled"]:
2610
2256
if datetime.datetime.utcnow() >= client["expires"]:
2611
2257
if not client["last_checked_ok"]:
2612
2258
logger.warning(
2613
2259
"disabling client {0} - Client never "
2614
"performed a successful checker"
2615
.format(client_name))
2260
"performed a successfull checker"
2261
.format(client["name"]))
2616
2262
client["enabled"] = False
2617
2263
elif client["last_checker_status"] != 0:
2618
2264
logger.warning(
2619
2265
"disabling client {0} - Client "
2620
2266
"last checker failed with error code {1}"
2621
.format(client_name,
2267
.format(client["name"],
2622
2268
client["last_checker_status"]))
2623
2269
client["enabled"] = False
2624
2270
else:
2627
2273
+ client["timeout"])
2628
2274
logger.debug("Last checker succeeded,"
2629
2275
" keeping {0} enabled"
2630
.format(client_name))
2276
.format(client["name"]))
2631
2277
try:
2632
2278
client["secret"] = (
2633
2279
pgp.decrypt(client["encrypted_secret"],
2639
2285
.format(client_name))
2640
2286
client["secret"] = (
2641
2287
client_settings[client_name]["secret"])
2288
2642
2289
2643
2290
# Add/remove clients based on new changes made to config
2644
2291
for client_name in (set(old_client_settings)
2647
2294
for client_name in (set(client_settings)
2648
2295
- set(old_client_settings)):
2649
2296
clients_data[client_name] = client_settings[client_name]
2650
2651
# Create all client objects
2297
2298
# Create clients all clients
2652
2299
for client_name, client in clients_data.iteritems():
2653
2300
tcp_server.clients[client_name] = client_class(
2654
name = client_name, settings = client,
2655
server_settings = server_settings)
2301
name = client_name, settings = client)
2656
2302
2657
2303
if not tcp_server.clients:
2658
2304
logger.warning("No clients defined")
2659
2660
if not foreground:
2661
if pidfile is not None:
2662
try:
2663
with pidfile:
2664
pid = os.getpid()
2665
pidfile.write(str(pid) + "\n".encode("utf-8"))
2666
except IOError:
2667
logger.error("Could not write to file %r with PID %d",
2668
pidfilename, pid)
2669
del pidfile
2305
2306
if not debug:
2307
try:
2308
with pidfile:
2309
pid = os.getpid()
2310
pidfile.write(str(pid) + "\n".encode("utf-8"))
2311
del pidfile
2312
except IOError:
2313
logger.error("Could not write to file %r with PID %d",
2314
pidfilename, pid)
2315
except NameError:
2316
# "pidfile" was never created
2317
pass
2670
2318
del pidfilename
2319
signal.signal(signal.SIGINT, signal.SIG_IGN)
2671
2320
2672
2321
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2673
2322
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2674
2323
2675
2324
if use_dbus:
2676
@alternate_dbus_interfaces({"se.recompile.Mandos":
2677
"se.bsnet.fukt.Mandos"})
2678
class MandosDBusService(DBusObjectWithProperties):
2325
class MandosDBusService(dbus.service.Object):
2679
2326
"""A D-Bus proxy object"""
2680
2327
def __init__(self):
2681
2328
dbus.service.Object.__init__(self, bus, "/")
2682
2329
_interface = "se.recompile.Mandos"
2683
2330
2684
@dbus_interface_annotations(_interface)
2685
def _foo(self):
2686
return { "org.freedesktop.DBus.Property"
2687
".EmitsChangedSignal":
2688
"false"}
2689
2690
2331
@dbus.service.signal(_interface, signature="o")
2691
2332
def ClientAdded(self, objpath):
2692
2333
"D-Bus signal"
2734
2375
2735
2376
del _interface
2736
2377
2737
mandos_dbus_service = MandosDBusService()
2378
class MandosDBusServiceTransitional(MandosDBusService):
2379
__metaclass__ = AlternateDBusNamesMetaclass
2380
mandos_dbus_service = MandosDBusServiceTransitional()
2738
2381
2739
2382
def cleanup():
2740
2383
"Cleanup function; run on exit"
2741
2384
service.cleanup()
2742
2385
2743
2386
multiprocessing.active_children()
2744
wnull.close()
2745
2387
if not (tcp_server.clients or client_settings):
2746
2388
return
2747
2389
2759
2401
# A list of attributes that can not be pickled
2760
2402
# + secret.
2761
2403
exclude = set(("bus", "changedstate", "secret",
2762
"checker", "server_settings"))
2404
"checker"))
2763
2405
for name, typ in (inspect.getmembers
2764
2406
(dbus.service.Object)):
2765
2407
exclude.add(name)
2774
2416
del client_settings[client.name]["secret"]
2775
2417
2776
2418
try:
2777
with (tempfile.NamedTemporaryFile
2778
(mode='wb', suffix=".pickle", prefix='clients-',
2779
dir=os.path.dirname(stored_state_path),
2780
delete=False)) as stored_state:
2419
tempfd, tempname = tempfile.mkstemp(suffix=".pickle",
2420
prefix="clients-",
2421
dir=os.path.dirname
2422
(stored_state_path))
2423
with os.fdopen(tempfd, "wb") as stored_state:
2781
2424
pickle.dump((clients, client_settings), stored_state)
2782
tempname=stored_state.name
2783
2425
os.rename(tempname, stored_state_path)
2784
2426
except (IOError, OSError) as e:
2427
logger.warning("Could not save persistent state: {0}"
2428
.format(e))
2785
2429
if not debug:
2786
2430
try:
2787
2431
os.remove(tempname)
2788
2432
except NameError:
2789
2433
pass
2790
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2791
logger.warning("Could not save persistent state: {0}"
2792
.format(os.strerror(e.errno)))
2793
else:
2794
logger.warning("Could not save persistent state:",
2795
exc_info=e)
2796
raise
2434
if e.errno not in set((errno.ENOENT, errno.EACCES,
2435
errno.EEXIST)):
2436
raise e
2797
2437
2798
2438
# Delete all clients, and settings from config
2799
2439
while tcp_server.clients:
2826
2466
service.port = tcp_server.socket.getsockname()[1]
2827
2467
if use_ipv6:
2828
2468
logger.info("Now listening on address %r, port %d,"
2829
" flowinfo %d, scope_id %d",
2830
*tcp_server.socket.getsockname())
2469
" flowinfo %d, scope_id %d"
2470
% tcp_server.socket.getsockname())
2831
2471
else: # IPv4
2832
logger.info("Now listening on address %r, port %d",
2833
*tcp_server.socket.getsockname())
2472
logger.info("Now listening on address %r, port %d"
2473
% tcp_server.socket.getsockname())
2834
2474
2835
2475
#service.interface = tcp_server.socket.getsockname()[3]
2836
2476
2839
2479
try:
2840
2480
service.activate()
2841
2481
except dbus.exceptions.DBusException as error:
2842
logger.critical("D-Bus Exception", exc_info=error)
2482
logger.critical("DBusException: %s", error)
2843
2483
cleanup()
2844
2484
sys.exit(1)
2845
2485
# End of Avahi example code
2852
2492
logger.debug("Starting main loop")
2853
2493
main_loop.run()
2854
2494
except AvahiError as error:
2855
logger.critical("Avahi Error", exc_info=error)
2495
logger.critical("AvahiError: %s", error)
2856
2496
cleanup()
2857
2497
sys.exit(1)
2858
2498
except KeyboardInterrupt:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0