
Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2012-05-24 18:10:10 UTC
  • Revision ID: teddy@recompile.se-20120524181010-cg4zcc6e5igbanbc
* Makefile (DOCBOOKTOMAN): Only run man --warnings if both "man" and
                           the en_US.utf8 locale exist.
* debian/control (Build-Depends): Removed "man, locales-all".
  (Standards-Version): Updated to "3.9.3".
* debian/copyright (Format): Updated to
  "http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/".
* mandos (PGPEngine.__exit__, datetime_to_dbus): White space fixes.
  (alternate_dbus_interfaces): Doc string fix.

1
 
#!/usr/bin/python2.7
 
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
13
13
# Everything else is
14
 
# Copyright © 2008-2015 Teddy Hogeborn
15
 
# Copyright © 2008-2015 Björn Påhlsson
 
14
# Copyright © 2008-2012 Teddy Hogeborn
 
15
# Copyright © 2008-2012 Björn Påhlsson
16
16
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
36
36
 
37
37
from future_builtins import *
38
38
 
39
 
try:
40
 
    import SocketServer as socketserver
41
 
except ImportError:
42
 
    import socketserver
 
39
import SocketServer as socketserver
43
40
import socket
44
41
import argparse
45
42
import datetime
50
47
import gnutls.library.functions
51
48
import gnutls.library.constants
52
49
import gnutls.library.types
53
 
try:
54
 
    import ConfigParser as configparser
55
 
except ImportError:
56
 
    import configparser
 
50
import ConfigParser as configparser
57
51
import sys
58
52
import re
59
53
import os
68
62
import struct
69
63
import fcntl
70
64
import functools
71
 
try:
72
 
    import cPickle as pickle
73
 
except ImportError:
74
 
    import pickle
 
65
import cPickle as pickle
75
66
import multiprocessing
76
67
import types
77
68
import binascii
78
69
import tempfile
79
70
import itertools
80
 
import collections
81
71
 
82
72
import dbus
83
73
import dbus.service
84
 
try:
85
 
    import gobject
86
 
except ImportError:
87
 
    from gi.repository import GObject as gobject
 
74
import gobject
88
75
import avahi
89
76
from dbus.mainloop.glib import DBusGMainLoop
90
77
import ctypes
91
78
import ctypes.util
92
79
import xml.dom.minidom
93
80
import inspect
 
81
import GnuPGInterface
94
82
 
95
83
try:
96
84
    SO_BINDTODEVICE = socket.SO_BINDTODEVICE
100
88
    except ImportError:
101
89
        SO_BINDTODEVICE = None
102
90
 
103
 
if sys.version_info.major == 2:
104
 
    str = unicode
105
 
 
106
 
version = "1.6.9"
 
91
version = "1.5.4"
107
92
stored_state_file = "clients.pickle"
108
93
 
109
94
logger = logging.getLogger()
110
 
syslogger = None
 
95
syslogger = (logging.handlers.SysLogHandler
 
96
             (facility = logging.handlers.SysLogHandler.LOG_DAEMON,
 
97
              address = str("/dev/log")))
111
98
 
112
99
try:
113
 
    if_nametoindex = ctypes.cdll.LoadLibrary(
114
 
        ctypes.util.find_library("c")).if_nametoindex
 
100
    if_nametoindex = (ctypes.cdll.LoadLibrary
 
101
                      (ctypes.util.find_library("c"))
 
102
                      .if_nametoindex)
115
103
except (OSError, AttributeError):
116
 
    
117
104
    def if_nametoindex(interface):
118
105
        "Get an interface index the hard way, i.e. using fcntl()"
119
106
        SIOCGIFINDEX = 0x8933  # From /usr/include/linux/sockios.h
120
107
        with contextlib.closing(socket.socket()) as s:
121
108
            ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
122
 
                                struct.pack(b"16s16x", interface))
123
 
        interface_index = struct.unpack("I", ifreq[16:20])[0]
 
109
                                struct.pack(str("16s16x"),
 
110
                                            interface))
 
111
        interface_index = struct.unpack(str("I"),
 
112
                                        ifreq[16:20])[0]
124
113
        return interface_index
125
114
 
126
115
 
127
116
def initlogger(debug, level=logging.WARNING):
128
117
    """init logger and add loglevel"""
129
118
    
130
 
    global syslogger
131
 
    syslogger = (logging.handlers.SysLogHandler(
132
 
        facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
 
        address = "/dev/log"))
134
119
    syslogger.setFormatter(logging.Formatter
135
120
                           ('Mandos [%(process)d]: %(levelname)s:'
136
121
                            ' %(message)s'))
153
138
 
154
139
class PGPEngine(object):
155
140
    """A simple class for OpenPGP symmetric encryption & decryption"""
156
 
    
157
141
    def __init__(self):
 
142
        self.gnupg = GnuPGInterface.GnuPG()
158
143
        self.tempdir = tempfile.mkdtemp(prefix="mandos-")
159
 
        self.gnupgargs = ['--batch',
160
 
                          '--home', self.tempdir,
161
 
                          '--force-mdc',
162
 
                          '--quiet',
163
 
                          '--no-use-agent']
 
144
        self.gnupg = GnuPGInterface.GnuPG()
 
145
        self.gnupg.options.meta_interactive = False
 
146
        self.gnupg.options.homedir = self.tempdir
 
147
        self.gnupg.options.extra_args.extend(['--force-mdc',
 
148
                                              '--quiet',
 
149
                                              '--no-use-agent'])
164
150
    
165
151
    def __enter__(self):
166
152
        return self
188
174
    def password_encode(self, password):
189
175
        # Passphrase can not be empty and can not contain newlines or
190
176
        # NUL bytes.  So we prefix it and hex encode it.
191
 
        encoded = b"mandos" + binascii.hexlify(password)
192
 
        if len(encoded) > 2048:
193
 
            # GnuPG can't handle long passwords, so encode differently
194
 
            encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
195
 
                       .replace(b"\n", b"\\n")
196
 
                       .replace(b"\0", b"\\x00"))
197
 
        return encoded
 
177
        return b"mandos" + binascii.hexlify(password)
198
178
    
199
179
    def encrypt(self, data, password):
200
 
        passphrase = self.password_encode(password)
201
 
        with tempfile.NamedTemporaryFile(
202
 
                dir=self.tempdir) as passfile:
203
 
            passfile.write(passphrase)
204
 
            passfile.flush()
205
 
            proc = subprocess.Popen(['gpg', '--symmetric',
206
 
                                     '--passphrase-file',
207
 
                                     passfile.name]
208
 
                                    + self.gnupgargs,
209
 
                                    stdin = subprocess.PIPE,
210
 
                                    stdout = subprocess.PIPE,
211
 
                                    stderr = subprocess.PIPE)
212
 
            ciphertext, err = proc.communicate(input = data)
213
 
        if proc.returncode != 0:
214
 
            raise PGPError(err)
 
180
        self.gnupg.passphrase = self.password_encode(password)
 
181
        with open(os.devnull, "w") as devnull:
 
182
            try:
 
183
                proc = self.gnupg.run(['--symmetric'],
 
184
                                      create_fhs=['stdin', 'stdout'],
 
185
                                      attach_fhs={'stderr': devnull})
 
186
                with contextlib.closing(proc.handles['stdin']) as f:
 
187
                    f.write(data)
 
188
                with contextlib.closing(proc.handles['stdout']) as f:
 
189
                    ciphertext = f.read()
 
190
                proc.wait()
 
191
            except IOError as e:
 
192
                raise PGPError(e)
 
193
        self.gnupg.passphrase = None
215
194
        return ciphertext
216
195
    
217
196
    def decrypt(self, data, password):
218
 
        passphrase = self.password_encode(password)
219
 
        with tempfile.NamedTemporaryFile(
220
 
                dir = self.tempdir) as passfile:
221
 
            passfile.write(passphrase)
222
 
            passfile.flush()
223
 
            proc = subprocess.Popen(['gpg', '--decrypt',
224
 
                                     '--passphrase-file',
225
 
                                     passfile.name]
226
 
                                    + self.gnupgargs,
227
 
                                    stdin = subprocess.PIPE,
228
 
                                    stdout = subprocess.PIPE,
229
 
                                    stderr = subprocess.PIPE)
230
 
            decrypted_plaintext, err = proc.communicate(input = data)
231
 
        if proc.returncode != 0:
232
 
            raise PGPError(err)
 
197
        self.gnupg.passphrase = self.password_encode(password)
 
198
        with open(os.devnull, "w") as devnull:
 
199
            try:
 
200
                proc = self.gnupg.run(['--decrypt'],
 
201
                                      create_fhs=['stdin', 'stdout'],
 
202
                                      attach_fhs={'stderr': devnull})
 
203
                with contextlib.closing(proc.handles['stdin']) as f:
 
204
                    f.write(data)
 
205
                with contextlib.closing(proc.handles['stdout']) as f:
 
206
                    decrypted_plaintext = f.read()
 
207
                proc.wait()
 
208
            except IOError as e:
 
209
                raise PGPError(e)
 
210
        self.gnupg.passphrase = None
233
211
        return decrypted_plaintext
234
212
 
235
213
 
236
214
class AvahiError(Exception):
237
215
    def __init__(self, value, *args, **kwargs):
238
216
        self.value = value
239
 
        return super(AvahiError, self).__init__(value, *args,
240
 
                                                **kwargs)
241
 
 
 
217
        super(AvahiError, self).__init__(value, *args, **kwargs)
 
218
    def __unicode__(self):
 
219
        return unicode(repr(self.value))
242
220
 
243
221
class AvahiServiceError(AvahiError):
244
222
    pass
245
223
 
246
 
 
247
224
class AvahiGroupError(AvahiError):
248
225
    pass
249
226
 
256
233
               Used to optionally bind to the specified interface.
257
234
    name: string; Example: 'Mandos'
258
235
    type: string; Example: '_mandos._tcp'.
259
 
     See <https://www.iana.org/assignments/service-names-port-numbers>
 
236
                  See <http://www.dns-sd.org/ServiceTypes.html>
260
237
    port: integer; what port to announce
261
238
    TXT: list of strings; TXT record for the service
262
239
    domain: string; Domain to publish on, default to .local if empty.
269
246
    bus: dbus.SystemBus()
270
247
    """
271
248
    
272
 
    def __init__(self,
273
 
                 interface = avahi.IF_UNSPEC,
274
 
                 name = None,
275
 
                 servicetype = None,
276
 
                 port = None,
277
 
                 TXT = None,
278
 
                 domain = "",
279
 
                 host = "",
280
 
                 max_renames = 32768,
281
 
                 protocol = avahi.PROTO_UNSPEC,
282
 
                 bus = None):
 
249
    def __init__(self, interface = avahi.IF_UNSPEC, name = None,
 
250
                 servicetype = None, port = None, TXT = None,
 
251
                 domain = "", host = "", max_renames = 32768,
 
252
                 protocol = avahi.PROTO_UNSPEC, bus = None):
283
253
        self.interface = interface
284
254
        self.name = name
285
255
        self.type = servicetype
295
265
        self.bus = bus
296
266
        self.entry_group_state_changed_match = None
297
267
    
298
 
    def rename(self, remove=True):
 
268
    def rename(self):
299
269
        """Derived from the Avahi example code"""
300
270
        if self.rename_count >= self.max_renames:
301
271
            logger.critical("No suitable Zeroconf service name found"
302
272
                            " after %i retries, exiting.",
303
273
                            self.rename_count)
304
274
            raise AvahiServiceError("Too many renames")
305
 
        self.name = str(
306
 
            self.server.GetAlternativeServiceName(self.name))
307
 
        self.rename_count += 1
 
275
        self.name = unicode(self.server
 
276
                            .GetAlternativeServiceName(self.name))
308
277
        logger.info("Changing Zeroconf service name to %r ...",
309
278
                    self.name)
310
 
        if remove:
311
 
            self.remove()
 
279
        self.remove()
312
280
        try:
313
281
            self.add()
314
282
        except dbus.exceptions.DBusException as error:
315
 
            if (error.get_dbus_name()
316
 
                == "org.freedesktop.Avahi.CollisionError"):
317
 
                logger.info("Local Zeroconf service name collision.")
318
 
                return self.rename(remove=False)
319
 
            else:
320
 
                logger.critical("D-Bus Exception", exc_info=error)
321
 
                self.cleanup()
322
 
                os._exit(1)
 
283
            logger.critical("D-Bus Exception", exc_info=error)
 
284
            self.cleanup()
 
285
            os._exit(1)
 
286
        self.rename_count += 1
323
287
    
324
288
    def remove(self):
325
289
        """Derived from the Avahi example code"""
363
327
            self.rename()
364
328
        elif state == avahi.ENTRY_GROUP_FAILURE:
365
329
            logger.critical("Avahi: Error in group state changed %s",
366
 
                            str(error))
367
 
            raise AvahiGroupError("State changed: {!s}".format(error))
 
330
                            unicode(error))
 
331
            raise AvahiGroupError("State changed: {0!s}"
 
332
                                  .format(error))
368
333
    
369
334
    def cleanup(self):
370
335
        """Derived from the Avahi example code"""
380
345
    def server_state_changed(self, state, error=None):
381
346
        """Derived from the Avahi example code"""
382
347
        logger.debug("Avahi server state change: %i", state)
383
 
        bad_states = {
384
 
            avahi.SERVER_INVALID: "Zeroconf server invalid",
385
 
            avahi.SERVER_REGISTERING: None,
386
 
            avahi.SERVER_COLLISION: "Zeroconf server name collision",
387
 
            avahi.SERVER_FAILURE: "Zeroconf server failure",
388
 
        }
 
348
        bad_states = { avahi.SERVER_INVALID:
 
349
                           "Zeroconf server invalid",
 
350
                       avahi.SERVER_REGISTERING: None,
 
351
                       avahi.SERVER_COLLISION:
 
352
                           "Zeroconf server name collision",
 
353
                       avahi.SERVER_FAILURE:
 
354
                           "Zeroconf server failure" }
389
355
        if state in bad_states:
390
356
            if bad_states[state] is not None:
391
357
                if error is None:
410
376
                                    follow_name_owner_changes=True),
411
377
                avahi.DBUS_INTERFACE_SERVER)
412
378
        self.server.connect_to_signal("StateChanged",
413
 
                                      self.server_state_changed)
 
379
                                 self.server_state_changed)
414
380
        self.server_state_changed(self.server.GetState())
415
381
 
416
382
 
417
383
class AvahiServiceToSyslog(AvahiService):
418
 
    def rename(self, *args, **kwargs):
 
384
    def rename(self):
419
385
        """Add the new name to the syslog messages"""
420
 
        ret = AvahiService.rename(self, *args, **kwargs)
421
 
        syslogger.setFormatter(logging.Formatter(
422
 
            'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
423
 
            .format(self.name)))
 
386
        ret = AvahiService.rename(self)
 
387
        syslogger.setFormatter(logging.Formatter
 
388
                               ('Mandos ({0}) [%(process)d]:'
 
389
                                ' %(levelname)s: %(message)s'
 
390
                                .format(self.name)))
424
391
        return ret
425
392
 
426
393
 
 
394
def timedelta_to_milliseconds(td):
 
395
    "Convert a datetime.timedelta() to milliseconds"
 
396
    return ((td.days * 24 * 60 * 60 * 1000)
 
397
            + (td.seconds * 1000)
 
398
            + (td.microseconds // 1000))
 
399
 
 
400
 
427
401
class Client(object):
428
402
    """A representation of a client host served by this server.
429
403
    
465
439
    runtime_expansions: Allowed attributes for runtime expansion.
466
440
    expires:    datetime.datetime(); time (UTC) when a client will be
467
441
                disabled, or None
468
 
    server_settings: The server_settings dict from main()
469
442
    """
470
443
    
471
444
    runtime_expansions = ("approval_delay", "approval_duration",
473
446
                          "fingerprint", "host", "interval",
474
447
                          "last_approval_request", "last_checked_ok",
475
448
                          "last_enabled", "name", "timeout")
476
 
    client_defaults = {
477
 
        "timeout": "PT5M",
478
 
        "extended_timeout": "PT15M",
479
 
        "interval": "PT2M",
480
 
        "checker": "fping -q -- %%(host)s",
481
 
        "host": "",
482
 
        "approval_delay": "PT0S",
483
 
        "approval_duration": "PT1S",
484
 
        "approved_by_default": "True",
485
 
        "enabled": "True",
486
 
    }
 
449
    client_defaults = { "timeout": "5m",
 
450
                        "extended_timeout": "15m",
 
451
                        "interval": "2m",
 
452
                        "checker": "fping -q -- %%(host)s",
 
453
                        "host": "",
 
454
                        "approval_delay": "0s",
 
455
                        "approval_duration": "1s",
 
456
                        "approved_by_default": "True",
 
457
                        "enabled": "True",
 
458
                        }
 
459
    
 
460
    def timeout_milliseconds(self):
 
461
        "Return the 'timeout' attribute in milliseconds"
 
462
        return timedelta_to_milliseconds(self.timeout)
 
463
    
 
464
    def extended_timeout_milliseconds(self):
 
465
        "Return the 'extended_timeout' attribute in milliseconds"
 
466
        return timedelta_to_milliseconds(self.extended_timeout)
 
467
    
 
468
    def interval_milliseconds(self):
 
469
        "Return the 'interval' attribute in milliseconds"
 
470
        return timedelta_to_milliseconds(self.interval)
 
471
    
 
472
    def approval_delay_milliseconds(self):
 
473
        return timedelta_to_milliseconds(self.approval_delay)
487
474
    
488
475
    @staticmethod
489
476
    def config_parser(config):
505
492
            client["enabled"] = config.getboolean(client_name,
506
493
                                                  "enabled")
507
494
            
508
 
            # Uppercase and remove spaces from fingerprint for later
509
 
            # comparison purposes with return value from the
510
 
            # fingerprint() function
511
495
            client["fingerprint"] = (section["fingerprint"].upper()
512
496
                                     .replace(" ", ""))
513
497
            if "secret" in section:
518
502
                          "rb") as secfile:
519
503
                    client["secret"] = secfile.read()
520
504
            else:
521
 
                raise TypeError("No secret or secfile for section {}"
 
505
                raise TypeError("No secret or secfile for section {0}"
522
506
                                .format(section))
523
507
            client["timeout"] = string_to_delta(section["timeout"])
524
508
            client["extended_timeout"] = string_to_delta(
535
519
        
536
520
        return settings
537
521
    
538
 
    def __init__(self, settings, name = None, server_settings=None):
 
522
    def __init__(self, settings, name = None):
539
523
        self.name = name
540
 
        if server_settings is None:
541
 
            server_settings = {}
542
 
        self.server_settings = server_settings
543
524
        # adding all client settings
544
 
        for setting, value in settings.items():
 
525
        for setting, value in settings.iteritems():
545
526
            setattr(self, setting, value)
546
527
        
547
528
        if self.enabled:
555
536
            self.expires = None
556
537
        
557
538
        logger.debug("Creating client %r", self.name)
 
539
        # Uppercase and remove spaces from fingerprint for later
 
540
        # comparison purposes with return value from the fingerprint()
 
541
        # function
558
542
        logger.debug("  Fingerprint: %s", self.fingerprint)
559
543
        self.created = settings.get("created",
560
544
                                    datetime.datetime.utcnow())
567
551
        self.current_checker_command = None
568
552
        self.approved = None
569
553
        self.approvals_pending = 0
570
 
        self.changedstate = multiprocessing_manager.Condition(
571
 
            multiprocessing_manager.Lock())
572
 
        self.client_structure = [attr
573
 
                                 for attr in self.__dict__.iterkeys()
 
554
        self.changedstate = (multiprocessing_manager
 
555
                             .Condition(multiprocessing_manager
 
556
                                        .Lock()))
 
557
        self.client_structure = [attr for attr in
 
558
                                 self.__dict__.iterkeys()
574
559
                                 if not attr.startswith("_")]
575
560
        self.client_structure.append("client_structure")
576
561
        
577
 
        for name, t in inspect.getmembers(
578
 
                type(self), lambda obj: isinstance(obj, property)):
 
562
        for name, t in inspect.getmembers(type(self),
 
563
                                          lambda obj:
 
564
                                              isinstance(obj,
 
565
                                                         property)):
579
566
            if not name.startswith("_"):
580
567
                self.client_structure.append(name)
581
568
    
623
610
        # and every interval from then on.
624
611
        if self.checker_initiator_tag is not None:
625
612
            gobject.source_remove(self.checker_initiator_tag)
626
 
        self.checker_initiator_tag = gobject.timeout_add(
627
 
            int(self.interval.total_seconds() * 1000),
628
 
            self.start_checker)
 
613
        self.checker_initiator_tag = (gobject.timeout_add
 
614
                                      (self.interval_milliseconds(),
 
615
                                       self.start_checker))
629
616
        # Schedule a disable() when 'timeout' has passed
630
617
        if self.disable_initiator_tag is not None:
631
618
            gobject.source_remove(self.disable_initiator_tag)
632
 
        self.disable_initiator_tag = gobject.timeout_add(
633
 
            int(self.timeout.total_seconds() * 1000), self.disable)
 
619
        self.disable_initiator_tag = (gobject.timeout_add
 
620
                                   (self.timeout_milliseconds(),
 
621
                                    self.disable))
634
622
        # Also start a new checker *right now*.
635
623
        self.start_checker()
636
624
    
645
633
                            vars(self))
646
634
                self.checked_ok()
647
635
            else:
648
 
                logger.info("Checker for %(name)s failed", vars(self))
 
636
                logger.info("Checker for %(name)s failed",
 
637
                            vars(self))
649
638
        else:
650
639
            self.last_checker_status = -1
651
640
            logger.warning("Checker for %(name)s crashed?",
665
654
            gobject.source_remove(self.disable_initiator_tag)
666
655
            self.disable_initiator_tag = None
667
656
        if getattr(self, "enabled", False):
668
 
            self.disable_initiator_tag = gobject.timeout_add(
669
 
                int(timeout.total_seconds() * 1000), self.disable)
 
657
            self.disable_initiator_tag = (gobject.timeout_add
 
658
                                          (timedelta_to_milliseconds
 
659
                                           (timeout), self.disable))
670
660
            self.expires = datetime.datetime.utcnow() + timeout
671
661
    
672
662
    def need_approval(self):
689
679
        # If a checker exists, make sure it is not a zombie
690
680
        try:
691
681
            pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
692
 
        except AttributeError:
693
 
            pass
694
 
        except OSError as error:
695
 
            if error.errno != errno.ECHILD:
696
 
                raise
 
682
        except (AttributeError, OSError) as error:
 
683
            if (isinstance(error, OSError)
 
684
                and error.errno != errno.ECHILD):
 
685
                raise error
697
686
        else:
698
687
            if pid:
699
688
                logger.warning("Checker was a zombie")
703
692
        # Start a new checker if needed
704
693
        if self.checker is None:
705
694
            # Escape attributes for the shell
706
 
            escaped_attrs = {
707
 
                attr: re.escape(str(getattr(self, attr)))
708
 
                for attr in self.runtime_expansions }
 
695
            escaped_attrs = dict(
 
696
                (attr, re.escape(unicode(getattr(self, attr))))
 
697
                for attr in
 
698
                self.runtime_expansions)
709
699
            try:
710
700
                command = self.checker_command % escaped_attrs
711
701
            except TypeError as error:
712
702
                logger.error('Could not format string "%s"',
713
 
                             self.checker_command,
714
 
                             exc_info=error)
715
 
                return True     # Try again later
 
703
                             self.checker_command, exc_info=error)
 
704
                return True # Try again later
716
705
            self.current_checker_command = command
717
706
            try:
718
 
                logger.info("Starting checker %r for %s", command,
719
 
                            self.name)
 
707
                logger.info("Starting checker %r for %s",
 
708
                            command, self.name)
720
709
                # We don't need to redirect stdout and stderr, since
721
710
                # in normal mode, that is already done by daemon(),
722
711
                # and in debug mode we don't want to.  (Stdin is
723
712
                # always replaced by /dev/null.)
724
 
                # The exception is when not debugging but nevertheless
725
 
                # running in the foreground; use the previously
726
 
                # created wnull.
727
 
                popen_args = {}
728
 
                if (not self.server_settings["debug"]
729
 
                    and self.server_settings["foreground"]):
730
 
                    popen_args.update({"stdout": wnull,
731
 
                                       "stderr": wnull })
732
713
                self.checker = subprocess.Popen(command,
733
714
                                                close_fds=True,
734
 
                                                shell=True,
735
 
                                                cwd="/",
736
 
                                                **popen_args)
 
715
                                                shell=True, cwd="/")
737
716
            except OSError as error:
738
717
                logger.error("Failed to start subprocess",
739
718
                             exc_info=error)
740
 
                return True
741
 
            self.checker_callback_tag = gobject.child_watch_add(
742
 
                self.checker.pid, self.checker_callback, data=command)
 
719
            self.checker_callback_tag = (gobject.child_watch_add
 
720
                                         (self.checker.pid,
 
721
                                          self.checker_callback,
 
722
                                          data=command))
743
723
            # The checker may have completed before the gobject
744
724
            # watch was added.  Check for this.
745
 
            try:
746
 
                pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
747
 
            except OSError as error:
748
 
                if error.errno == errno.ECHILD:
749
 
                    # This should never happen
750
 
                    logger.error("Child process vanished",
751
 
                                 exc_info=error)
752
 
                    return True
753
 
                raise
 
725
            pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
754
726
            if pid:
755
727
                gobject.source_remove(self.checker_callback_tag)
756
728
                self.checker_callback(pid, status, command)
776
748
        self.checker = None
777
749
 
778
750
 
779
 
def dbus_service_property(dbus_interface,
780
 
                          signature="v",
781
 
                          access="readwrite",
782
 
                          byte_arrays=False):
 
751
def dbus_service_property(dbus_interface, signature="v",
 
752
                          access="readwrite", byte_arrays=False):
783
753
    """Decorators for marking methods of a DBusObjectWithProperties to
784
754
    become properties on the D-Bus.
785
755
    
794
764
    # "Set" method, so we fail early here:
795
765
    if byte_arrays and signature != "ay":
796
766
        raise ValueError("Byte arrays not supported for non-'ay'"
797
 
                         " signature {!r}".format(signature))
798
 
    
 
767
                         " signature {0!r}".format(signature))
799
768
    def decorator(func):
800
769
        func._dbus_is_property = True
801
770
        func._dbus_interface = dbus_interface
806
775
            func._dbus_name = func._dbus_name[:-14]
807
776
        func._dbus_get_args_options = {'byte_arrays': byte_arrays }
808
777
        return func
809
 
    
810
778
    return decorator
811
779
 
812
780
 
821
789
                "org.freedesktop.DBus.Property.EmitsChangedSignal":
822
790
                    "false"}
823
791
    """
824
 
    
825
792
    def decorator(func):
826
793
        func._dbus_is_interface = True
827
794
        func._dbus_interface = dbus_interface
828
795
        func._dbus_name = dbus_interface
829
796
        return func
830
 
    
831
797
    return decorator
832
798
 
833
799
 
835
801
    """Decorator to annotate D-Bus methods, signals or properties
836
802
    Usage:
837
803
    
838
 
    @dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
 
                       "org.freedesktop.DBus.Property."
840
 
                       "EmitsChangedSignal": "false"})
841
804
    @dbus_service_property("org.example.Interface", signature="b",
842
805
                           access="r")
 
806
    @dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
 
807
                        "org.freedesktop.DBus.Property."
 
808
                        "EmitsChangedSignal": "false"})
843
809
    def Property_dbus_property(self):
844
810
        return dbus.Boolean(False)
845
811
    """
846
 
    
847
812
    def decorator(func):
848
813
        func._dbus_annotations = annotations
849
814
        return func
850
 
    
851
815
    return decorator
852
816
 
853
817
 
854
818
class DBusPropertyException(dbus.exceptions.DBusException):
855
819
    """A base class for D-Bus property-related exceptions
856
820
    """
857
 
    pass
 
821
    def __unicode__(self):
 
822
        return unicode(str(self))
858
823
 
859
824
 
860
825
class DBusPropertyAccessException(DBusPropertyException):
884
849
        If called like _is_dbus_thing("method") it returns a function
885
850
        suitable for use as predicate to inspect.getmembers().
886
851
        """
887
 
        return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
 
852
        return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
888
853
                                   False)
889
854
    
890
855
    def _get_all_dbus_things(self, thing):
891
856
        """Returns a generator of (name, attribute) pairs
892
857
        """
893
 
        return ((getattr(athing.__get__(self), "_dbus_name", name),
 
858
        return ((getattr(athing.__get__(self), "_dbus_name",
 
859
                         name),
894
860
                 athing.__get__(self))
895
861
                for cls in self.__class__.__mro__
896
862
                for name, athing in
897
 
                inspect.getmembers(cls, self._is_dbus_thing(thing)))
 
863
                inspect.getmembers(cls,
 
864
                                   self._is_dbus_thing(thing)))
898
865
    
899
866
    def _get_dbus_property(self, interface_name, property_name):
900
867
        """Returns a bound method if one exists which is a D-Bus
901
868
        property with the specified name and interface.
902
869
        """
903
 
        for cls in self.__class__.__mro__:
904
 
            for name, value in inspect.getmembers(
905
 
                    cls, self._is_dbus_thing("property")):
 
870
        for cls in  self.__class__.__mro__:
 
871
            for name, value in (inspect.getmembers
 
872
                                (cls,
 
873
                                 self._is_dbus_thing("property"))):
906
874
                if (value._dbus_name == property_name
907
875
                    and value._dbus_interface == interface_name):
908
876
                    return value.__get__(self)
909
877
        
910
878
        # No such property
911
 
        raise DBusPropertyNotFound("{}:{}.{}".format(
912
 
            self.dbus_object_path, interface_name, property_name))
 
879
        raise DBusPropertyNotFound(self.dbus_object_path + ":"
 
880
                                   + interface_name + "."
 
881
                                   + property_name)
913
882
    
914
 
    @dbus.service.method(dbus.PROPERTIES_IFACE,
915
 
                         in_signature="ss",
 
883
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
916
884
                         out_signature="v")
917
885
    def Get(self, interface_name, property_name):
918
886
        """Standard D-Bus property Get() method, see D-Bus standard.
936
904
            # The byte_arrays option is not supported yet on
937
905
            # signatures other than "ay".
938
906
            if prop._dbus_signature != "ay":
939
 
                raise ValueError("Byte arrays not supported for non-"
940
 
                                 "'ay' signature {!r}"
941
 
                                 .format(prop._dbus_signature))
 
907
                raise ValueError
942
908
            value = dbus.ByteArray(b''.join(chr(byte)
943
909
                                            for byte in value))
944
910
        prop(value)
945
911
    
946
 
    @dbus.service.method(dbus.PROPERTIES_IFACE,
947
 
                         in_signature="s",
 
912
    @dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
948
913
                         out_signature="a{sv}")
949
914
    def GetAll(self, interface_name):
950
915
        """Standard D-Bus property GetAll() method, see D-Bus
965
930
            if not hasattr(value, "variant_level"):
966
931
                properties[name] = value
967
932
                continue
968
 
            properties[name] = type(value)(
969
 
                value, variant_level = value.variant_level + 1)
 
933
            properties[name] = type(value)(value, variant_level=
 
934
                                           value.variant_level+1)
970
935
        return dbus.Dictionary(properties, signature="sv")
971
936
    
972
 
    @dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
973
 
    def PropertiesChanged(self, interface_name, changed_properties,
974
 
                          invalidated_properties):
975
 
        """Standard D-Bus PropertiesChanged() signal, see D-Bus
976
 
        standard.
977
 
        """
978
 
        pass
979
 
    
980
937
    @dbus.service.method(dbus.INTROSPECTABLE_IFACE,
981
938
                         out_signature="s",
982
939
                         path_keyword='object_path',
990
947
                                                   connection)
991
948
        try:
992
949
            document = xml.dom.minidom.parseString(xmlstring)
993
 
            
994
950
            def make_tag(document, name, prop):
995
951
                e = document.createElement("property")
996
952
                e.setAttribute("name", name)
997
953
                e.setAttribute("type", prop._dbus_signature)
998
954
                e.setAttribute("access", prop._dbus_access)
999
955
                return e
1000
 
            
1001
956
            for if_tag in document.getElementsByTagName("interface"):
1002
957
                # Add property tags
1003
958
                for tag in (make_tag(document, name, prop)
1015
970
                            if (name == tag.getAttribute("name")
1016
971
                                and prop._dbus_interface
1017
972
                                == if_tag.getAttribute("name")):
1018
 
                                annots.update(getattr(
1019
 
                                    prop, "_dbus_annotations", {}))
1020
 
                        for name, value in annots.items():
 
973
                                annots.update(getattr
 
974
                                              (prop,
 
975
                                               "_dbus_annotations",
 
976
                                               {}))
 
977
                        for name, value in annots.iteritems():
1021
978
                            ann_tag = document.createElement(
1022
979
                                "annotation")
1023
980
                            ann_tag.setAttribute("name", name)
1026
983
                # Add interface annotation tags
1027
984
                for annotation, value in dict(
1028
985
                    itertools.chain.from_iterable(
1029
 
                        annotations().items()
1030
 
                        for name, annotations
1031
 
                        in self._get_all_dbus_things("interface")
 
986
                        annotations().iteritems()
 
987
                        for name, annotations in
 
988
                        self._get_all_dbus_things("interface")
1032
989
                        if name == if_tag.getAttribute("name")
1033
 
                        )).items():
 
990
                        )).iteritems():
1034
991
                    ann_tag = document.createElement("annotation")
1035
992
                    ann_tag.setAttribute("name", annotation)
1036
993
                    ann_tag.setAttribute("value", value)
1063
1020
    """Convert a UTC datetime.datetime() to a D-Bus type."""
1064
1021
    if dt is None:
1065
1022
        return dbus.String("", variant_level = variant_level)
1066
 
    return dbus.String(dt.isoformat(), variant_level=variant_level)
 
1023
    return dbus.String(dt.isoformat(),
 
1024
                       variant_level=variant_level)
1067
1025
 
1068
1026
 
1069
1027
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1089
1047
    (from DBusObjectWithProperties) and interfaces (from the
1090
1048
    dbus_interface_annotations decorator).
1091
1049
    """
1092
 
    
1093
1050
    def wrapper(cls):
1094
1051
        for orig_interface_name, alt_interface_name in (
1095
 
                alt_interface_names.items()):
 
1052
            alt_interface_names.iteritems()):
1096
1053
            attr = {}
1097
1054
            interface_names = set()
1098
1055
            # Go though all attributes of the class
1100
1057
                # Ignore non-D-Bus attributes, and D-Bus attributes
1101
1058
                # with the wrong interface name
1102
1059
                if (not hasattr(attribute, "_dbus_interface")
1103
 
                    or not attribute._dbus_interface.startswith(
1104
 
                        orig_interface_name)):
 
1060
                    or not attribute._dbus_interface
 
1061
                    .startswith(orig_interface_name)):
1105
1062
                    continue
1106
1063
                # Create an alternate D-Bus interface name based on
1107
1064
                # the current name
1108
 
                alt_interface = attribute._dbus_interface.replace(
1109
 
                    orig_interface_name, alt_interface_name)
 
1065
                alt_interface = (attribute._dbus_interface
 
1066
                                 .replace(orig_interface_name,
 
1067
                                          alt_interface_name))
1110
1068
                interface_names.add(alt_interface)
1111
1069
                # Is this a D-Bus signal?
1112
1070
                if getattr(attribute, "_dbus_is_signal", False):
1113
 
                    # Extract the original non-method undecorated
1114
 
                    # function by black magic
 
1071
                    # Extract the original non-method function by
 
1072
                    # black magic
1115
1073
                    nonmethod_func = (dict(
1116
 
                        zip(attribute.func_code.co_freevars,
1117
 
                            attribute.__closure__))
1118
 
                                      ["func"].cell_contents)
 
1074
                            zip(attribute.func_code.co_freevars,
 
1075
                                attribute.__closure__))["func"]
 
1076
                                      .cell_contents)
1119
1077
                    # Create a new, but exactly alike, function
1120
1078
                    # object, and decorate it to be a new D-Bus signal
1121
1079
                    # with the alternate D-Bus interface name
1122
 
                    new_function = (dbus.service.signal(
1123
 
                        alt_interface, attribute._dbus_signature)
 
1080
                    new_function = (dbus.service.signal
 
1081
                                    (alt_interface,
 
1082
                                     attribute._dbus_signature)
1124
1083
                                    (types.FunctionType(
1125
 
                                        nonmethod_func.func_code,
1126
 
                                        nonmethod_func.func_globals,
1127
 
                                        nonmethod_func.func_name,
1128
 
                                        nonmethod_func.func_defaults,
1129
 
                                        nonmethod_func.func_closure)))
 
1084
                                nonmethod_func.func_code,
 
1085
                                nonmethod_func.func_globals,
 
1086
                                nonmethod_func.func_name,
 
1087
                                nonmethod_func.func_defaults,
 
1088
                                nonmethod_func.func_closure)))
1130
1089
                    # Copy annotations, if any
1131
1090
                    try:
1132
 
                        new_function._dbus_annotations = dict(
1133
 
                            attribute._dbus_annotations)
 
1091
                        new_function._dbus_annotations = (
 
1092
                            dict(attribute._dbus_annotations))
1134
1093
                    except AttributeError:
1135
1094
                        pass
1136
1095
                    # Define a creator of a function to call both the
1141
1100
                        """This function is a scope container to pass
1142
1101
                        func1 and func2 to the "call_both" function
1143
1102
                        outside of its arguments"""
1144
 
                        
1145
1103
                        def call_both(*args, **kwargs):
1146
1104
                            """This function will emit two D-Bus
1147
1105
                            signals by calling func1 and func2"""
1148
1106
                            func1(*args, **kwargs)
1149
1107
                            func2(*args, **kwargs)
1150
 
                        
1151
1108
                        return call_both
1152
1109
                    # Create the "call_both" function and add it to
1153
1110
                    # the class
1158
1115
                    # object.  Decorate it to be a new D-Bus method
1159
1116
                    # with the alternate D-Bus interface name.  Add it
1160
1117
                    # to the class.
1161
 
                    attr[attrname] = (
1162
 
                        dbus.service.method(
1163
 
                            alt_interface,
1164
 
                            attribute._dbus_in_signature,
1165
 
                            attribute._dbus_out_signature)
1166
 
                        (types.FunctionType(attribute.func_code,
1167
 
                                            attribute.func_globals,
1168
 
                                            attribute.func_name,
1169
 
                                            attribute.func_defaults,
1170
 
                                            attribute.func_closure)))
 
1118
                    attr[attrname] = (dbus.service.method
 
1119
                                      (alt_interface,
 
1120
                                       attribute._dbus_in_signature,
 
1121
                                       attribute._dbus_out_signature)
 
1122
                                      (types.FunctionType
 
1123
                                       (attribute.func_code,
 
1124
                                        attribute.func_globals,
 
1125
                                        attribute.func_name,
 
1126
                                        attribute.func_defaults,
 
1127
                                        attribute.func_closure)))
1171
1128
                    # Copy annotations, if any
1172
1129
                    try:
1173
 
                        attr[attrname]._dbus_annotations = dict(
1174
 
                            attribute._dbus_annotations)
 
1130
                        attr[attrname]._dbus_annotations = (
 
1131
                            dict(attribute._dbus_annotations))
1175
1132
                    except AttributeError:
1176
1133
                        pass
1177
1134
                # Is this a D-Bus property?
1180
1137
                    # object, and decorate it to be a new D-Bus
1181
1138
                    # property with the alternate D-Bus interface
1182
1139
                    # name.  Add it to the class.
1183
 
                    attr[attrname] = (dbus_service_property(
1184
 
                        alt_interface, attribute._dbus_signature,
1185
 
                        attribute._dbus_access,
1186
 
                        attribute._dbus_get_args_options
1187
 
                        ["byte_arrays"])
1188
 
                                      (types.FunctionType(
1189
 
                                          attribute.func_code,
1190
 
                                          attribute.func_globals,
1191
 
                                          attribute.func_name,
1192
 
                                          attribute.func_defaults,
1193
 
                                          attribute.func_closure)))
 
1140
                    attr[attrname] = (dbus_service_property
 
1141
                                      (alt_interface,
 
1142
                                       attribute._dbus_signature,
 
1143
                                       attribute._dbus_access,
 
1144
                                       attribute
 
1145
                                       ._dbus_get_args_options
 
1146
                                       ["byte_arrays"])
 
1147
                                      (types.FunctionType
 
1148
                                       (attribute.func_code,
 
1149
                                        attribute.func_globals,
 
1150
                                        attribute.func_name,
 
1151
                                        attribute.func_defaults,
 
1152
                                        attribute.func_closure)))
1194
1153
                    # Copy annotations, if any
1195
1154
                    try:
1196
 
                        attr[attrname]._dbus_annotations = dict(
1197
 
                            attribute._dbus_annotations)
 
1155
                        attr[attrname]._dbus_annotations = (
 
1156
                            dict(attribute._dbus_annotations))
1198
1157
                    except AttributeError:
1199
1158
                        pass
1200
1159
                # Is this a D-Bus interface?
1203
1162
                    # object.  Decorate it to be a new D-Bus interface
1204
1163
                    # with the alternate D-Bus interface name.  Add it
1205
1164
                    # to the class.
1206
 
                    attr[attrname] = (
1207
 
                        dbus_interface_annotations(alt_interface)
1208
 
                        (types.FunctionType(attribute.func_code,
1209
 
                                            attribute.func_globals,
1210
 
                                            attribute.func_name,
1211
 
                                            attribute.func_defaults,
1212
 
                                            attribute.func_closure)))
 
1165
                    attr[attrname] = (dbus_interface_annotations
 
1166
                                      (alt_interface)
 
1167
                                      (types.FunctionType
 
1168
                                       (attribute.func_code,
 
1169
                                        attribute.func_globals,
 
1170
                                        attribute.func_name,
 
1171
                                        attribute.func_defaults,
 
1172
                                        attribute.func_closure)))
1213
1173
            if deprecate:
1214
1174
                # Deprecate all alternate interfaces
1215
 
                iname="_AlternateDBusNames_interface_annotation{}"
 
1175
                iname="_AlternateDBusNames_interface_annotation{0}"
1216
1176
                for interface_name in interface_names:
1217
 
                    
1218
1177
                    @dbus_interface_annotations(interface_name)
1219
1178
                    def func(self):
1220
1179
                        return { "org.freedesktop.DBus.Deprecated":
1221
 
                                 "true" }
 
1180
                                     "true" }
1222
1181
                    # Find an unused name
1223
1182
                    for aname in (iname.format(i)
1224
1183
                                  for i in itertools.count()):
1228
1187
            if interface_names:
1229
1188
                # Replace the class with a new subclass of it with
1230
1189
                # methods, signals, etc. as created above.
1231
 
                cls = type(b"{}Alternate".format(cls.__name__),
1232
 
                           (cls, ), attr)
 
1190
                cls = type(b"{0}Alternate".format(cls.__name__),
 
1191
                           (cls,), attr)
1233
1192
        return cls
1234
 
    
1235
1193
    return wrapper
1236
1194
 
1237
1195
 
1238
1196
@alternate_dbus_interfaces({"se.recompile.Mandos":
1239
 
                            "se.bsnet.fukt.Mandos"})
 
1197
                                "se.bsnet.fukt.Mandos"})
1240
1198
class ClientDBus(Client, DBusObjectWithProperties):
1241
1199
    """A Client class using D-Bus
1242
1200
    
1246
1204
    """
1247
1205
    
1248
1206
    runtime_expansions = (Client.runtime_expansions
1249
 
                          + ("dbus_object_path", ))
1250
 
    
1251
 
    _interface = "se.recompile.Mandos.Client"
 
1207
                          + ("dbus_object_path",))
1252
1208
    
1253
1209
    # dbus.service.Object doesn't use super(), so we can't either.
1254
1210
    
1257
1213
        Client.__init__(self, *args, **kwargs)
1258
1214
        # Only now, when this client is initialized, can it show up on
1259
1215
        # the D-Bus
1260
 
        client_object_name = str(self.name).translate(
 
1216
        client_object_name = unicode(self.name).translate(
1261
1217
            {ord("."): ord("_"),
1262
1218
             ord("-"): ord("_")})
1263
 
        self.dbus_object_path = dbus.ObjectPath(
1264
 
            "/clients/" + client_object_name)
 
1219
        self.dbus_object_path = (dbus.ObjectPath
 
1220
                                 ("/clients/" + client_object_name))
1265
1221
        DBusObjectWithProperties.__init__(self, self.bus,
1266
1222
                                          self.dbus_object_path)
1267
1223
    
1268
 
    def notifychangeproperty(transform_func, dbus_name,
1269
 
                             type_func=lambda x: x,
1270
 
                             variant_level=1,
1271
 
                             invalidate_only=False,
1272
 
                             _interface=_interface):
 
1224
    def notifychangeproperty(transform_func,
 
1225
                             dbus_name, type_func=lambda x: x,
 
1226
                             variant_level=1):
1273
1227
        """ Modify a variable so that it's a property which announces
1274
1228
        its changes to DBus.
1275
1229
        
1280
1234
                   to the D-Bus.  Default: no transform
1281
1235
        variant_level: D-Bus variant level.  Default: 1
1282
1236
        """
1283
 
        attrname = "_{}".format(dbus_name)
1284
 
        
 
1237
        attrname = "_{0}".format(dbus_name)
1285
1238
        def setter(self, value):
1286
1239
            if hasattr(self, "dbus_object_path"):
1287
1240
                if (not hasattr(self, attrname) or
1288
1241
                    type_func(getattr(self, attrname, None))
1289
1242
                    != type_func(value)):
1290
 
                    if invalidate_only:
1291
 
                        self.PropertiesChanged(
1292
 
                            _interface, dbus.Dictionary(),
1293
 
                            dbus.Array((dbus_name, )))
1294
 
                    else:
1295
 
                        dbus_value = transform_func(
1296
 
                            type_func(value),
1297
 
                            variant_level = variant_level)
1298
 
                        self.PropertyChanged(dbus.String(dbus_name),
1299
 
                                             dbus_value)
1300
 
                        self.PropertiesChanged(
1301
 
                            _interface,
1302
 
                            dbus.Dictionary({ dbus.String(dbus_name):
1303
 
                                              dbus_value }),
1304
 
                            dbus.Array())
 
1243
                    dbus_value = transform_func(type_func(value),
 
1244
                                                variant_level
 
1245
                                                =variant_level)
 
1246
                    self.PropertyChanged(dbus.String(dbus_name),
 
1247
                                         dbus_value)
1305
1248
            setattr(self, attrname, value)
1306
1249
        
1307
1250
        return property(lambda self: getattr(self, attrname), setter)
1313
1256
    enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1314
1257
    last_enabled = notifychangeproperty(datetime_to_dbus,
1315
1258
                                        "LastEnabled")
1316
 
    checker = notifychangeproperty(
1317
 
        dbus.Boolean, "CheckerRunning",
1318
 
        type_func = lambda checker: checker is not None)
 
1259
    checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
 
1260
                                   type_func = lambda checker:
 
1261
                                       checker is not None)
1319
1262
    last_checked_ok = notifychangeproperty(datetime_to_dbus,
1320
1263
                                           "LastCheckedOK")
1321
1264
    last_checker_status = notifychangeproperty(dbus.Int16,
1324
1267
        datetime_to_dbus, "LastApprovalRequest")
1325
1268
    approved_by_default = notifychangeproperty(dbus.Boolean,
1326
1269
                                               "ApprovedByDefault")
1327
 
    approval_delay = notifychangeproperty(
1328
 
        dbus.UInt64, "ApprovalDelay",
1329
 
        type_func = lambda td: td.total_seconds() * 1000)
 
1270
    approval_delay = notifychangeproperty(dbus.UInt64,
 
1271
                                          "ApprovalDelay",
 
1272
                                          type_func =
 
1273
                                          timedelta_to_milliseconds)
1330
1274
    approval_duration = notifychangeproperty(
1331
1275
        dbus.UInt64, "ApprovalDuration",
1332
 
        type_func = lambda td: td.total_seconds() * 1000)
 
1276
        type_func = timedelta_to_milliseconds)
1333
1277
    host = notifychangeproperty(dbus.String, "Host")
1334
 
    timeout = notifychangeproperty(
1335
 
        dbus.UInt64, "Timeout",
1336
 
        type_func = lambda td: td.total_seconds() * 1000)
 
1278
    timeout = notifychangeproperty(dbus.UInt64, "Timeout",
 
1279
                                   type_func =
 
1280
                                   timedelta_to_milliseconds)
1337
1281
    extended_timeout = notifychangeproperty(
1338
1282
        dbus.UInt64, "ExtendedTimeout",
1339
 
        type_func = lambda td: td.total_seconds() * 1000)
1340
 
    interval = notifychangeproperty(
1341
 
        dbus.UInt64, "Interval",
1342
 
        type_func = lambda td: td.total_seconds() * 1000)
 
1283
        type_func = timedelta_to_milliseconds)
 
1284
    interval = notifychangeproperty(dbus.UInt64,
 
1285
                                    "Interval",
 
1286
                                    type_func =
 
1287
                                    timedelta_to_milliseconds)
1343
1288
    checker_command = notifychangeproperty(dbus.String, "Checker")
1344
 
    secret = notifychangeproperty(dbus.ByteArray, "Secret",
1345
 
                                  invalidate_only=True)
1346
1289
    
1347
1290
    del notifychangeproperty
1348
1291
    
1375
1318
                                       *args, **kwargs)
1376
1319
    
1377
1320
    def start_checker(self, *args, **kwargs):
1378
 
        old_checker_pid = getattr(self.checker, "pid", None)
 
1321
        old_checker = self.checker
 
1322
        if self.checker is not None:
 
1323
            old_checker_pid = self.checker.pid
 
1324
        else:
 
1325
            old_checker_pid = None
1379
1326
        r = Client.start_checker(self, *args, **kwargs)
1380
1327
        # Only if new checker process was started
1381
1328
        if (self.checker is not None
1390
1337
    
1391
1338
    def approve(self, value=True):
1392
1339
        self.approved = value
1393
 
        gobject.timeout_add(int(self.approval_duration.total_seconds()
1394
 
                                * 1000), self._reset_approved)
 
1340
        gobject.timeout_add(timedelta_to_milliseconds
 
1341
                            (self.approval_duration),
 
1342
                            self._reset_approved)
1395
1343
        self.send_changedstate()
1396
1344
    
1397
1345
    ## D-Bus methods, signals & properties
 
1346
    _interface = "se.recompile.Mandos.Client"
1398
1347
    
1399
1348
    ## Interfaces
1400
1349
    
 
1350
    @dbus_interface_annotations(_interface)
 
1351
    def _foo(self):
 
1352
        return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
 
1353
                     "false"}
 
1354
    
1401
1355
    ## Signals
1402
1356
    
1403
1357
    # CheckerCompleted - signal
1413
1367
        pass
1414
1368
    
1415
1369
    # PropertyChanged - signal
1416
 
    @dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1417
1370
    @dbus.service.signal(_interface, signature="sv")
1418
1371
    def PropertyChanged(self, property, value):
1419
1372
        "D-Bus signal"
1483
1436
        return dbus.Boolean(bool(self.approvals_pending))
1484
1437
    
1485
1438
    # ApprovedByDefault - property
1486
 
    @dbus_service_property(_interface,
1487
 
                           signature="b",
 
1439
    @dbus_service_property(_interface, signature="b",
1488
1440
                           access="readwrite")
1489
1441
    def ApprovedByDefault_dbus_property(self, value=None):
1490
1442
        if value is None:       # get
1492
1444
        self.approved_by_default = bool(value)
1493
1445
    
1494
1446
    # ApprovalDelay - property
1495
 
    @dbus_service_property(_interface,
1496
 
                           signature="t",
 
1447
    @dbus_service_property(_interface, signature="t",
1497
1448
                           access="readwrite")
1498
1449
    def ApprovalDelay_dbus_property(self, value=None):
1499
1450
        if value is None:       # get
1500
 
            return dbus.UInt64(self.approval_delay.total_seconds()
1501
 
                               * 1000)
 
1451
            return dbus.UInt64(self.approval_delay_milliseconds())
1502
1452
        self.approval_delay = datetime.timedelta(0, 0, 0, value)
1503
1453
    
1504
1454
    # ApprovalDuration - property
1505
 
    @dbus_service_property(_interface,
1506
 
                           signature="t",
 
1455
    @dbus_service_property(_interface, signature="t",
1507
1456
                           access="readwrite")
1508
1457
    def ApprovalDuration_dbus_property(self, value=None):
1509
1458
        if value is None:       # get
1510
 
            return dbus.UInt64(self.approval_duration.total_seconds()
1511
 
                               * 1000)
 
1459
            return dbus.UInt64(timedelta_to_milliseconds(
 
1460
                    self.approval_duration))
1512
1461
        self.approval_duration = datetime.timedelta(0, 0, 0, value)
1513
1462
    
1514
1463
    # Name - property
1522
1471
        return dbus.String(self.fingerprint)
1523
1472
    
1524
1473
    # Host - property
1525
 
    @dbus_service_property(_interface,
1526
 
                           signature="s",
 
1474
    @dbus_service_property(_interface, signature="s",
1527
1475
                           access="readwrite")
1528
1476
    def Host_dbus_property(self, value=None):
1529
1477
        if value is None:       # get
1530
1478
            return dbus.String(self.host)
1531
 
        self.host = str(value)
 
1479
        self.host = unicode(value)
1532
1480
    
1533
1481
    # Created - property
1534
1482
    @dbus_service_property(_interface, signature="s", access="read")
1541
1489
        return datetime_to_dbus(self.last_enabled)
1542
1490
    
1543
1491
    # Enabled - property
1544
 
    @dbus_service_property(_interface,
1545
 
                           signature="b",
 
1492
    @dbus_service_property(_interface, signature="b",
1546
1493
                           access="readwrite")
1547
1494
    def Enabled_dbus_property(self, value=None):
1548
1495
        if value is None:       # get
1553
1500
            self.disable()
1554
1501
    
1555
1502
    # LastCheckedOK - property
1556
 
    @dbus_service_property(_interface,
1557
 
                           signature="s",
 
1503
    @dbus_service_property(_interface, signature="s",
1558
1504
                           access="readwrite")
1559
1505
    def LastCheckedOK_dbus_property(self, value=None):
1560
1506
        if value is not None:
1563
1509
        return datetime_to_dbus(self.last_checked_ok)
1564
1510
    
1565
1511
    # LastCheckerStatus - property
1566
 
    @dbus_service_property(_interface, signature="n", access="read")
 
1512
    @dbus_service_property(_interface, signature="n",
 
1513
                           access="read")
1567
1514
    def LastCheckerStatus_dbus_property(self):
1568
1515
        return dbus.Int16(self.last_checker_status)
1569
1516
    
1578
1525
        return datetime_to_dbus(self.last_approval_request)
1579
1526
    
1580
1527
    # Timeout - property
1581
 
    @dbus_service_property(_interface,
1582
 
                           signature="t",
 
1528
    @dbus_service_property(_interface, signature="t",
1583
1529
                           access="readwrite")
1584
1530
    def Timeout_dbus_property(self, value=None):
1585
1531
        if value is None:       # get
1586
 
            return dbus.UInt64(self.timeout.total_seconds() * 1000)
 
1532
            return dbus.UInt64(self.timeout_milliseconds())
1587
1533
        old_timeout = self.timeout
1588
1534
        self.timeout = datetime.timedelta(0, 0, 0, value)
1589
1535
        # Reschedule disabling
1598
1544
                    is None):
1599
1545
                    return
1600
1546
                gobject.source_remove(self.disable_initiator_tag)
1601
 
                self.disable_initiator_tag = gobject.timeout_add(
1602
 
                    int((self.expires - now).total_seconds() * 1000),
1603
 
                    self.disable)
 
1547
                self.disable_initiator_tag = (
 
1548
                    gobject.timeout_add(
 
1549
                        timedelta_to_milliseconds(self.expires - now),
 
1550
                        self.disable))
1604
1551
    
1605
1552
    # ExtendedTimeout - property
1606
 
    @dbus_service_property(_interface,
1607
 
                           signature="t",
 
1553
    @dbus_service_property(_interface, signature="t",
1608
1554
                           access="readwrite")
1609
1555
    def ExtendedTimeout_dbus_property(self, value=None):
1610
1556
        if value is None:       # get
1611
 
            return dbus.UInt64(self.extended_timeout.total_seconds()
1612
 
                               * 1000)
 
1557
            return dbus.UInt64(self.extended_timeout_milliseconds())
1613
1558
        self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1614
1559
    
1615
1560
    # Interval - property
1616
 
    @dbus_service_property(_interface,
1617
 
                           signature="t",
 
1561
    @dbus_service_property(_interface, signature="t",
1618
1562
                           access="readwrite")
1619
1563
    def Interval_dbus_property(self, value=None):
1620
1564
        if value is None:       # get
1621
 
            return dbus.UInt64(self.interval.total_seconds() * 1000)
 
1565
            return dbus.UInt64(self.interval_milliseconds())
1622
1566
        self.interval = datetime.timedelta(0, 0, 0, value)
1623
1567
        if getattr(self, "checker_initiator_tag", None) is None:
1624
1568
            return
1625
1569
        if self.enabled:
1626
1570
            # Reschedule checker run
1627
1571
            gobject.source_remove(self.checker_initiator_tag)
1628
 
            self.checker_initiator_tag = gobject.timeout_add(
1629
 
                value, self.start_checker)
1630
 
            self.start_checker() # Start one now, too
 
1572
            self.checker_initiator_tag = (gobject.timeout_add
 
1573
                                          (value, self.start_checker))
 
1574
            self.start_checker()    # Start one now, too
1631
1575
    
1632
1576
    # Checker - property
1633
 
    @dbus_service_property(_interface,
1634
 
                           signature="s",
 
1577
    @dbus_service_property(_interface, signature="s",
1635
1578
                           access="readwrite")
1636
1579
    def Checker_dbus_property(self, value=None):
1637
1580
        if value is None:       # get
1638
1581
            return dbus.String(self.checker_command)
1639
 
        self.checker_command = str(value)
 
1582
        self.checker_command = unicode(value)
1640
1583
    
1641
1584
    # CheckerRunning - property
1642
 
    @dbus_service_property(_interface,
1643
 
                           signature="b",
 
1585
    @dbus_service_property(_interface, signature="b",
1644
1586
                           access="readwrite")
1645
1587
    def CheckerRunning_dbus_property(self, value=None):
1646
1588
        if value is None:       # get
1656
1598
        return self.dbus_object_path # is already a dbus.ObjectPath
1657
1599
    
1658
1600
    # Secret = property
1659
 
    @dbus_service_property(_interface,
1660
 
                           signature="ay",
1661
 
                           access="write",
1662
 
                           byte_arrays=True)
 
1601
    @dbus_service_property(_interface, signature="ay",
 
1602
                           access="write", byte_arrays=True)
1663
1603
    def Secret_dbus_property(self, value):
1664
 
        self.secret = bytes(value)
 
1604
        self.secret = str(value)
1665
1605
    
1666
1606
    del _interface
1667
1607
 
1681
1621
        if data[0] == 'data':
1682
1622
            return data[1]
1683
1623
        if data[0] == 'function':
1684
 
            
1685
1624
            def func(*args, **kwargs):
1686
1625
                self._pipe.send(('funcall', name, args, kwargs))
1687
1626
                return self._pipe.recv()[1]
1688
 
            
1689
1627
            return func
1690
1628
    
1691
1629
    def __setattr__(self, name, value):
1703
1641
    def handle(self):
1704
1642
        with contextlib.closing(self.server.child_pipe) as child_pipe:
1705
1643
            logger.info("TCP connection from: %s",
1706
 
                        str(self.client_address))
 
1644
                        unicode(self.client_address))
1707
1645
            logger.debug("Pipe FD: %d",
1708
1646
                         self.server.child_pipe.fileno())
1709
1647
            
1710
 
            session = gnutls.connection.ClientSession(
1711
 
                self.request, gnutls.connection .X509Credentials())
 
1648
            session = (gnutls.connection
 
1649
                       .ClientSession(self.request,
 
1650
                                      gnutls.connection
 
1651
                                      .X509Credentials()))
1712
1652
            
1713
1653
            # Note: gnutls.connection.X509Credentials is really a
1714
1654
            # generic GnuTLS certificate credentials object so long as
1723
1663
            priority = self.server.gnutls_priority
1724
1664
            if priority is None:
1725
1665
                priority = "NORMAL"
1726
 
            gnutls.library.functions.gnutls_priority_set_direct(
1727
 
                session._c_object, priority, None)
 
1666
            (gnutls.library.functions
 
1667
             .gnutls_priority_set_direct(session._c_object,
 
1668
                                         priority, None))
1728
1669
            
1729
1670
            # Start communication using the Mandos protocol
1730
1671
            # Get protocol number
1732
1673
            logger.debug("Protocol version: %r", line)
1733
1674
            try:
1734
1675
                if int(line.strip().split()[0]) > 1:
1735
 
                    raise RuntimeError(line)
 
1676
                    raise RuntimeError
1736
1677
            except (ValueError, IndexError, RuntimeError) as error:
1737
1678
                logger.error("Unknown protocol version: %s", error)
1738
1679
                return
1750
1691
            approval_required = False
1751
1692
            try:
1752
1693
                try:
1753
 
                    fpr = self.fingerprint(
1754
 
                        self.peer_certificate(session))
 
1694
                    fpr = self.fingerprint(self.peer_certificate
 
1695
                                           (session))
1755
1696
                except (TypeError,
1756
1697
                        gnutls.errors.GNUTLSError) as error:
1757
1698
                    logger.warning("Bad certificate: %s", error)
1772
1713
                while True:
1773
1714
                    if not client.enabled:
1774
1715
                        logger.info("Client %s is disabled",
1775
 
                                    client.name)
 
1716
                                       client.name)
1776
1717
                        if self.server.use_dbus:
1777
1718
                            # Emit D-Bus signal
1778
1719
                            client.Rejected("Disabled")
1787
1728
                        if self.server.use_dbus:
1788
1729
                            # Emit D-Bus signal
1789
1730
                            client.NeedApproval(
1790
 
                                client.approval_delay.total_seconds()
1791
 
                                * 1000, client.approved_by_default)
 
1731
                                client.approval_delay_milliseconds(),
 
1732
                                client.approved_by_default)
1792
1733
                    else:
1793
1734
                        logger.warning("Client %s was not approved",
1794
1735
                                       client.name)
1800
1741
                    #wait until timeout or approved
1801
1742
                    time = datetime.datetime.now()
1802
1743
                    client.changedstate.acquire()
1803
 
                    client.changedstate.wait(delay.total_seconds())
 
1744
                    client.changedstate.wait(
 
1745
                        float(timedelta_to_milliseconds(delay)
 
1746
                              / 1000))
1804
1747
                    client.changedstate.release()
1805
1748
                    time2 = datetime.datetime.now()
1806
1749
                    if (time2 - time) >= delay:
1825
1768
                        logger.warning("gnutls send failed",
1826
1769
                                       exc_info=error)
1827
1770
                        return
1828
 
                    logger.debug("Sent: %d, remaining: %d", sent,
1829
 
                                 len(client.secret) - (sent_size
1830
 
                                                       + sent))
 
1771
                    logger.debug("Sent: %d, remaining: %d",
 
1772
                                 sent, len(client.secret)
 
1773
                                 - (sent_size + sent))
1831
1774
                    sent_size += sent
1832
1775
                
1833
1776
                logger.info("Sending secret to %s", client.name)
1850
1793
    def peer_certificate(session):
1851
1794
        "Return the peer's OpenPGP certificate as a bytestring"
1852
1795
        # If not an OpenPGP certificate...
1853
 
        if (gnutls.library.functions.gnutls_certificate_type_get(
1854
 
                session._c_object)
 
1796
        if (gnutls.library.functions
 
1797
            .gnutls_certificate_type_get(session._c_object)
1855
1798
            != gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1856
1799
            # ...do the normal thing
1857
1800
            return session.peer_certificate
1871
1814
    def fingerprint(openpgp):
1872
1815
        "Convert an OpenPGP bytestring to a hexdigit fingerprint"
1873
1816
        # New GnuTLS "datum" with the OpenPGP public key
1874
 
        datum = gnutls.library.types.gnutls_datum_t(
1875
 
            ctypes.cast(ctypes.c_char_p(openpgp),
1876
 
                        ctypes.POINTER(ctypes.c_ubyte)),
1877
 
            ctypes.c_uint(len(openpgp)))
 
1817
        datum = (gnutls.library.types
 
1818
                 .gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
 
1819
                                             ctypes.POINTER
 
1820
                                             (ctypes.c_ubyte)),
 
1821
                                 ctypes.c_uint(len(openpgp))))
1878
1822
        # New empty GnuTLS certificate
1879
1823
        crt = gnutls.library.types.gnutls_openpgp_crt_t()
1880
 
        gnutls.library.functions.gnutls_openpgp_crt_init(
1881
 
            ctypes.byref(crt))
 
1824
        (gnutls.library.functions
 
1825
         .gnutls_openpgp_crt_init(ctypes.byref(crt)))
1882
1826
        # Import the OpenPGP public key into the certificate
1883
 
        gnutls.library.functions.gnutls_openpgp_crt_import(
1884
 
            crt, ctypes.byref(datum),
1885
 
            gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
 
1827
        (gnutls.library.functions
 
1828
         .gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
 
1829
                                    gnutls.library.constants
 
1830
                                    .GNUTLS_OPENPGP_FMT_RAW))
1886
1831
        # Verify the self signature in the key
1887
1832
        crtverify = ctypes.c_uint()
1888
 
        gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1889
 
            crt, 0, ctypes.byref(crtverify))
 
1833
        (gnutls.library.functions
 
1834
         .gnutls_openpgp_crt_verify_self(crt, 0,
 
1835
                                         ctypes.byref(crtverify)))
1890
1836
        if crtverify.value != 0:
1891
1837
            gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1892
 
            raise gnutls.errors.CertificateSecurityError(
1893
 
                "Verify failed")
 
1838
            raise (gnutls.errors.CertificateSecurityError
 
1839
                   ("Verify failed"))
1894
1840
        # New buffer for the fingerprint
1895
1841
        buf = ctypes.create_string_buffer(20)
1896
1842
        buf_len = ctypes.c_size_t()
1897
1843
        # Get the fingerprint from the certificate into the buffer
1898
 
        gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1899
 
            crt, ctypes.byref(buf), ctypes.byref(buf_len))
 
1844
        (gnutls.library.functions
 
1845
         .gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
 
1846
                                             ctypes.byref(buf_len)))
1900
1847
        # Deinit the certificate
1901
1848
        gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1902
1849
        # Convert the buffer to a Python bytestring
1908
1855
 
1909
1856
class MultiprocessingMixIn(object):
1910
1857
    """Like socketserver.ThreadingMixIn, but with multiprocessing"""
1911
 
    
1912
1858
    def sub_process_main(self, request, address):
1913
1859
        try:
1914
1860
            self.finish_request(request, address)
1926
1872
 
1927
1873
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1928
1874
    """ adds a pipe to the MixIn """
1929
 
    
1930
1875
    def process_request(self, request, client_address):
1931
1876
        """Overrides and wraps the original process_request().
1932
1877
        
1941
1886
    
1942
1887
    def add_pipe(self, parent_pipe, proc):
1943
1888
        """Dummy function; override as necessary"""
1944
 
        raise NotImplementedError()
 
1889
        raise NotImplementedError
1945
1890
 
1946
1891
 
1947
1892
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1953
1898
        interface:      None or a network interface name (string)
1954
1899
        use_ipv6:       Boolean; to use IPv6 or not
1955
1900
    """
1956
 
    
1957
1901
    def __init__(self, server_address, RequestHandlerClass,
1958
 
                 interface=None,
1959
 
                 use_ipv6=True,
1960
 
                 socketfd=None):
1961
 
        """If socketfd is set, use that file descriptor instead of
1962
 
        creating a new one with socket.socket().
1963
 
        """
 
1902
                 interface=None, use_ipv6=True):
1964
1903
        self.interface = interface
1965
1904
        if use_ipv6:
1966
1905
            self.address_family = socket.AF_INET6
1967
 
        if socketfd is not None:
1968
 
            # Save the file descriptor
1969
 
            self.socketfd = socketfd
1970
 
            # Save the original socket.socket() function
1971
 
            self.socket_socket = socket.socket
1972
 
            # To implement --socket, we monkey patch socket.socket.
1973
 
            # 
1974
 
            # (When socketserver.TCPServer is a new-style class, we
1975
 
            # could make self.socket into a property instead of monkey
1976
 
            # patching socket.socket.)
1977
 
            # 
1978
 
            # Create a one-time-only replacement for socket.socket()
1979
 
            @functools.wraps(socket.socket)
1980
 
            def socket_wrapper(*args, **kwargs):
1981
 
                # Restore original function so subsequent calls are
1982
 
                # not affected.
1983
 
                socket.socket = self.socket_socket
1984
 
                del self.socket_socket
1985
 
                # This time only, return a new socket object from the
1986
 
                # saved file descriptor.
1987
 
                return socket.fromfd(self.socketfd, *args, **kwargs)
1988
 
            # Replace socket.socket() function with wrapper
1989
 
            socket.socket = socket_wrapper
1990
 
        # The socketserver.TCPServer.__init__ will call
1991
 
        # socket.socket(), which might be our replacement,
1992
 
        # socket_wrapper(), if socketfd was set.
1993
1906
        socketserver.TCPServer.__init__(self, server_address,
1994
1907
                                        RequestHandlerClass)
1995
 
    
1996
1908
    def server_bind(self):
1997
1909
        """This overrides the normal server_bind() function
1998
1910
        to bind to an interface if one was specified, and also NOT to
2004
1916
                             self.interface)
2005
1917
            else:
2006
1918
                try:
2007
 
                    self.socket.setsockopt(
2008
 
                        socket.SOL_SOCKET, SO_BINDTODEVICE,
2009
 
                        (self.interface + "\0").encode("utf-8"))
 
1919
                    self.socket.setsockopt(socket.SOL_SOCKET,
 
1920
                                           SO_BINDTODEVICE,
 
1921
                                           str(self.interface
 
1922
                                               + '\0'))
2010
1923
                except socket.error as error:
2011
1924
                    if error.errno == errno.EPERM:
2012
 
                        logger.error("No permission to bind to"
2013
 
                                     " interface %s", self.interface)
 
1925
                        logger.error("No permission to"
 
1926
                                     " bind to interface %s",
 
1927
                                     self.interface)
2014
1928
                    elif error.errno == errno.ENOPROTOOPT:
2015
1929
                        logger.error("SO_BINDTODEVICE not available;"
2016
1930
                                     " cannot bind to interface %s",
2017
1931
                                     self.interface)
2018
1932
                    elif error.errno == errno.ENODEV:
2019
 
                        logger.error("Interface %s does not exist,"
2020
 
                                     " cannot bind", self.interface)
 
1933
                        logger.error("Interface %s does not"
 
1934
                                     " exist, cannot bind",
 
1935
                                     self.interface)
2021
1936
                    else:
2022
1937
                        raise
2023
1938
        # Only bind(2) the socket if we really need to.
2026
1941
                if self.address_family == socket.AF_INET6:
2027
1942
                    any_address = "::" # in6addr_any
2028
1943
                else:
2029
 
                    any_address = "0.0.0.0" # INADDR_ANY
 
1944
                    any_address = socket.INADDR_ANY
2030
1945
                self.server_address = (any_address,
2031
1946
                                       self.server_address[1])
2032
1947
            elif not self.server_address[1]:
2033
 
                self.server_address = (self.server_address[0], 0)
 
1948
                self.server_address = (self.server_address[0],
 
1949
                                       0)
2034
1950
#                 if self.interface:
2035
1951
#                     self.server_address = (self.server_address[0],
2036
1952
#                                            0, # port
2050
1966
    
2051
1967
    Assumes a gobject.MainLoop event loop.
2052
1968
    """
2053
 
    
2054
1969
    def __init__(self, server_address, RequestHandlerClass,
2055
 
                 interface=None,
2056
 
                 use_ipv6=True,
2057
 
                 clients=None,
2058
 
                 gnutls_priority=None,
2059
 
                 use_dbus=True,
2060
 
                 socketfd=None):
 
1970
                 interface=None, use_ipv6=True, clients=None,
 
1971
                 gnutls_priority=None, use_dbus=True):
2061
1972
        self.enabled = False
2062
1973
        self.clients = clients
2063
1974
        if self.clients is None:
2067
1978
        IPv6_TCPServer.__init__(self, server_address,
2068
1979
                                RequestHandlerClass,
2069
1980
                                interface = interface,
2070
 
                                use_ipv6 = use_ipv6,
2071
 
                                socketfd = socketfd)
2072
 
    
 
1981
                                use_ipv6 = use_ipv6)
2073
1982
    def server_activate(self):
2074
1983
        if self.enabled:
2075
1984
            return socketserver.TCPServer.server_activate(self)
2079
1988
    
2080
1989
    def add_pipe(self, parent_pipe, proc):
2081
1990
        # Call "handle_ipc" for both data and EOF events
2082
 
        gobject.io_add_watch(
2083
 
            parent_pipe.fileno(),
2084
 
            gobject.IO_IN | gobject.IO_HUP,
2085
 
            functools.partial(self.handle_ipc,
2086
 
                              parent_pipe = parent_pipe,
2087
 
                              proc = proc))
 
1991
        gobject.io_add_watch(parent_pipe.fileno(),
 
1992
                             gobject.IO_IN | gobject.IO_HUP,
 
1993
                             functools.partial(self.handle_ipc,
 
1994
                                               parent_pipe =
 
1995
                                               parent_pipe,
 
1996
                                               proc = proc))
2088
1997
    
2089
 
    def handle_ipc(self, source, condition,
2090
 
                   parent_pipe=None,
2091
 
                   proc = None,
2092
 
                   client_object=None):
 
1998
    def handle_ipc(self, source, condition, parent_pipe=None,
 
1999
                   proc = None, client_object=None):
2093
2000
        # error, or the other end of multiprocessing.Pipe has closed
2094
2001
        if condition & (gobject.IO_ERR | gobject.IO_HUP):
2095
2002
            # Wait for other process to exit
2118
2025
                parent_pipe.send(False)
2119
2026
                return False
2120
2027
            
2121
 
            gobject.io_add_watch(
2122
 
                parent_pipe.fileno(),
2123
 
                gobject.IO_IN | gobject.IO_HUP,
2124
 
                functools.partial(self.handle_ipc,
2125
 
                                  parent_pipe = parent_pipe,
2126
 
                                  proc = proc,
2127
 
                                  client_object = client))
 
2028
            gobject.io_add_watch(parent_pipe.fileno(),
 
2029
                                 gobject.IO_IN | gobject.IO_HUP,
 
2030
                                 functools.partial(self.handle_ipc,
 
2031
                                                   parent_pipe =
 
2032
                                                   parent_pipe,
 
2033
                                                   proc = proc,
 
2034
                                                   client_object =
 
2035
                                                   client))
2128
2036
            parent_pipe.send(True)
2129
2037
            # remove the old hook in favor of the new above hook on
2130
2038
            # same fileno
2136
2044
            
2137
2045
            parent_pipe.send(('data', getattr(client_object,
2138
2046
                                              funcname)(*args,
2139
 
                                                        **kwargs)))
 
2047
                                                         **kwargs)))
2140
2048
        
2141
2049
        if command == 'getattr':
2142
2050
            attrname = request[1]
2143
2051
            if callable(client_object.__getattribute__(attrname)):
2144
 
                parent_pipe.send(('function', ))
 
2052
                parent_pipe.send(('function',))
2145
2053
            else:
2146
 
                parent_pipe.send((
2147
 
                    'data', client_object.__getattribute__(attrname)))
 
2054
                parent_pipe.send(('data', client_object
 
2055
                                  .__getattribute__(attrname)))
2148
2056
        
2149
2057
        if command == 'setattr':
2150
2058
            attrname = request[1]
2154
2062
        return True
2155
2063
 
2156
2064
 
2157
 
def rfc3339_duration_to_delta(duration):
2158
 
    """Parse an RFC 3339 "duration" and return a datetime.timedelta
2159
 
    
2160
 
    >>> rfc3339_duration_to_delta("P7D")
2161
 
    datetime.timedelta(7)
2162
 
    >>> rfc3339_duration_to_delta("PT60S")
2163
 
    datetime.timedelta(0, 60)
2164
 
    >>> rfc3339_duration_to_delta("PT60M")
2165
 
    datetime.timedelta(0, 3600)
2166
 
    >>> rfc3339_duration_to_delta("PT24H")
2167
 
    datetime.timedelta(1)
2168
 
    >>> rfc3339_duration_to_delta("P1W")
2169
 
    datetime.timedelta(7)
2170
 
    >>> rfc3339_duration_to_delta("PT5M30S")
2171
 
    datetime.timedelta(0, 330)
2172
 
    >>> rfc3339_duration_to_delta("P1DT3M20S")
2173
 
    datetime.timedelta(1, 200)
2174
 
    """
2175
 
    
2176
 
    # Parsing an RFC 3339 duration with regular expressions is not
2177
 
    # possible - there would have to be multiple places for the same
2178
 
    # values, like seconds.  The current code, while more esoteric, is
2179
 
    # cleaner without depending on a parsing library.  If Python had a
2180
 
    # built-in library for parsing we would use it, but we'd like to
2181
 
    # avoid excessive use of external libraries.
2182
 
    
2183
 
    # New type for defining tokens, syntax, and semantics all-in-one
2184
 
    Token = collections.namedtuple("Token",
2185
 
                                   ("regexp", # To match token; if
2186
 
                                              # "value" is not None,
2187
 
                                              # must have a "group"
2188
 
                                              # containing digits
2189
 
                                    "value",  # datetime.timedelta or
2190
 
                                              # None
2191
 
                                    "followers")) # Tokens valid after
2192
 
                                                  # this token
2193
 
    Token = collections.namedtuple("Token", (
2194
 
        "regexp",  # To match token; if "value" is not None, must have
2195
 
                   # a "group" containing digits
2196
 
        "value",   # datetime.timedelta or None
2197
 
        "followers"))           # Tokens valid after this token
2198
 
    # RFC 3339 "duration" tokens, syntax, and semantics; taken from
2199
 
    # the "duration" ABNF definition in RFC 3339, Appendix A.
2200
 
    token_end = Token(re.compile(r"$"), None, frozenset())
2201
 
    token_second = Token(re.compile(r"(\d+)S"),
2202
 
                         datetime.timedelta(seconds=1),
2203
 
                         frozenset((token_end, )))
2204
 
    token_minute = Token(re.compile(r"(\d+)M"),
2205
 
                         datetime.timedelta(minutes=1),
2206
 
                         frozenset((token_second, token_end)))
2207
 
    token_hour = Token(re.compile(r"(\d+)H"),
2208
 
                       datetime.timedelta(hours=1),
2209
 
                       frozenset((token_minute, token_end)))
2210
 
    token_time = Token(re.compile(r"T"),
2211
 
                       None,
2212
 
                       frozenset((token_hour, token_minute,
2213
 
                                  token_second)))
2214
 
    token_day = Token(re.compile(r"(\d+)D"),
2215
 
                      datetime.timedelta(days=1),
2216
 
                      frozenset((token_time, token_end)))
2217
 
    token_month = Token(re.compile(r"(\d+)M"),
2218
 
                        datetime.timedelta(weeks=4),
2219
 
                        frozenset((token_day, token_end)))
2220
 
    token_year = Token(re.compile(r"(\d+)Y"),
2221
 
                       datetime.timedelta(weeks=52),
2222
 
                       frozenset((token_month, token_end)))
2223
 
    token_week = Token(re.compile(r"(\d+)W"),
2224
 
                       datetime.timedelta(weeks=1),
2225
 
                       frozenset((token_end, )))
2226
 
    token_duration = Token(re.compile(r"P"), None,
2227
 
                           frozenset((token_year, token_month,
2228
 
                                      token_day, token_time,
2229
 
                                      token_week)))
2230
 
    # Define starting values
2231
 
    value = datetime.timedelta() # Value so far
2232
 
    found_token = None
2233
 
    followers = frozenset((token_duration,)) # Following valid tokens
2234
 
    s = duration                # String left to parse
2235
 
    # Loop until end token is found
2236
 
    while found_token is not token_end:
2237
 
        # Search for any currently valid tokens
2238
 
        for token in followers:
2239
 
            match = token.regexp.match(s)
2240
 
            if match is not None:
2241
 
                # Token found
2242
 
                if token.value is not None:
2243
 
                    # Value found, parse digits
2244
 
                    factor = int(match.group(1), 10)
2245
 
                    # Add to value so far
2246
 
                    value += factor * token.value
2247
 
                # Strip token from string
2248
 
                s = token.regexp.sub("", s, 1)
2249
 
                # Go to found token
2250
 
                found_token = token
2251
 
                # Set valid next tokens
2252
 
                followers = found_token.followers
2253
 
                break
2254
 
        else:
2255
 
            # No currently valid tokens were found
2256
 
            raise ValueError("Invalid RFC 3339 duration")
2257
 
    # End token found
2258
 
    return value
2259
 
 
2260
 
 
2261
2065
def string_to_delta(interval):
2262
2066
    """Parse a string and return a datetime.timedelta
2263
2067
    
2274
2078
    >>> string_to_delta('5m 30s')
2275
2079
    datetime.timedelta(0, 330)
2276
2080
    """
2277
 
    
2278
 
    try:
2279
 
        return rfc3339_duration_to_delta(interval)
2280
 
    except ValueError:
2281
 
        pass
2282
 
    
2283
2081
    timevalue = datetime.timedelta(0)
2284
2082
    for s in interval.split():
2285
2083
        try:
2286
 
            suffix = s[-1]
 
2084
            suffix = unicode(s[-1])
2287
2085
            value = int(s[:-1])
2288
2086
            if suffix == "d":
2289
2087
                delta = datetime.timedelta(value)
2296
2094
            elif suffix == "w":
2297
2095
                delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2298
2096
            else:
2299
 
                raise ValueError("Unknown suffix {!r}".format(suffix))
2300
 
        except IndexError as e:
 
2097
                raise ValueError("Unknown suffix {0!r}"
 
2098
                                 .format(suffix))
 
2099
        except (ValueError, IndexError) as e:
2301
2100
            raise ValueError(*(e.args))
2302
2101
        timevalue += delta
2303
2102
    return timevalue
2319
2118
        null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2320
2119
        if not stat.S_ISCHR(os.fstat(null).st_mode):
2321
2120
            raise OSError(errno.ENODEV,
2322
 
                          "{} not a character device"
 
2121
                          "{0} not a character device"
2323
2122
                          .format(os.devnull))
2324
2123
        os.dup2(null, sys.stdin.fileno())
2325
2124
        os.dup2(null, sys.stdout.fileno())
2335
2134
    
2336
2135
    parser = argparse.ArgumentParser()
2337
2136
    parser.add_argument("-v", "--version", action="version",
2338
 
                        version = "%(prog)s {}".format(version),
 
2137
                        version = "%(prog)s {0}".format(version),
2339
2138
                        help="show version number and exit")
2340
2139
    parser.add_argument("-i", "--interface", metavar="IF",
2341
2140
                        help="Bind to interface IF")
2347
2146
                        help="Run self-test")
2348
2147
    parser.add_argument("--debug", action="store_true",
2349
2148
                        help="Debug mode; run in foreground and log"
2350
 
                        " to terminal", default=None)
 
2149
                        " to terminal")
2351
2150
    parser.add_argument("--debuglevel", metavar="LEVEL",
2352
2151
                        help="Debug level for stdout output")
2353
2152
    parser.add_argument("--priority", help="GnuTLS"
2360
2159
                        " files")
2361
2160
    parser.add_argument("--no-dbus", action="store_false",
2362
2161
                        dest="use_dbus", help="Do not provide D-Bus"
2363
 
                        " system bus interface", default=None)
 
2162
                        " system bus interface")
2364
2163
    parser.add_argument("--no-ipv6", action="store_false",
2365
 
                        dest="use_ipv6", help="Do not use IPv6",
2366
 
                        default=None)
 
2164
                        dest="use_ipv6", help="Do not use IPv6")
2367
2165
    parser.add_argument("--no-restore", action="store_false",
2368
2166
                        dest="restore", help="Do not restore stored"
2369
 
                        " state", default=None)
2370
 
    parser.add_argument("--socket", type=int,
2371
 
                        help="Specify a file descriptor to a network"
2372
 
                        " socket to use instead of creating one")
 
2167
                        " state")
2373
2168
    parser.add_argument("--statedir", metavar="DIR",
2374
2169
                        help="Directory to save/restore state in")
2375
 
    parser.add_argument("--foreground", action="store_true",
2376
 
                        help="Run in foreground", default=None)
2377
 
    parser.add_argument("--no-zeroconf", action="store_false",
2378
 
                        dest="zeroconf", help="Do not use Zeroconf",
2379
 
                        default=None)
2380
2170
    
2381
2171
    options = parser.parse_args()
2382
2172
    
2383
2173
    if options.check:
2384
2174
        import doctest
2385
 
        fail_count, test_count = doctest.testmod()
2386
 
        sys.exit(os.EX_OK if fail_count == 0 else 1)
 
2175
        doctest.testmod()
 
2176
        sys.exit()
2387
2177
    
2388
2178
    # Default values for config file for server-global settings
2389
2179
    server_defaults = { "interface": "",
2391
2181
                        "port": "",
2392
2182
                        "debug": "False",
2393
2183
                        "priority":
2394
 
                        "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2395
 
                        ":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
 
2184
                        "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2396
2185
                        "servicename": "Mandos",
2397
2186
                        "use_dbus": "True",
2398
2187
                        "use_ipv6": "True",
2399
2188
                        "debuglevel": "",
2400
2189
                        "restore": "True",
2401
 
                        "socket": "",
2402
 
                        "statedir": "/var/lib/mandos",
2403
 
                        "foreground": "False",
2404
 
                        "zeroconf": "True",
2405
 
                    }
 
2190
                        "statedir": "/var/lib/mandos"
 
2191
                        }
2406
2192
    
2407
2193
    # Parse config file for server-global settings
2408
2194
    server_config = configparser.SafeConfigParser(server_defaults)
2409
2195
    del server_defaults
2410
 
    server_config.read(os.path.join(options.configdir, "mandos.conf"))
 
2196
    server_config.read(os.path.join(options.configdir,
 
2197
                                    "mandos.conf"))
2411
2198
    # Convert the SafeConfigParser object to a dict
2412
2199
    server_settings = server_config.defaults()
2413
2200
    # Use the appropriate methods on the non-string config options
2414
 
    for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
 
2201
    for option in ("debug", "use_dbus", "use_ipv6"):
2415
2202
        server_settings[option] = server_config.getboolean("DEFAULT",
2416
2203
                                                           option)
2417
2204
    if server_settings["port"]:
2418
2205
        server_settings["port"] = server_config.getint("DEFAULT",
2419
2206
                                                       "port")
2420
 
    if server_settings["socket"]:
2421
 
        server_settings["socket"] = server_config.getint("DEFAULT",
2422
 
                                                         "socket")
2423
 
        # Later, stdin will, and stdout and stderr might, be dup'ed
2424
 
        # over with an opened os.devnull.  But we don't want this to
2425
 
        # happen with a supplied network socket.
2426
 
        if 0 <= server_settings["socket"] <= 2:
2427
 
            server_settings["socket"] = os.dup(server_settings
2428
 
                                               ["socket"])
2429
2207
    del server_config
2430
2208
    
2431
2209
    # Override the settings from the config file with command line
2432
2210
    # options, if set.
2433
2211
    for option in ("interface", "address", "port", "debug",
2434
 
                   "priority", "servicename", "configdir", "use_dbus",
2435
 
                   "use_ipv6", "debuglevel", "restore", "statedir",
2436
 
                   "socket", "foreground", "zeroconf"):
 
2212
                   "priority", "servicename", "configdir",
 
2213
                   "use_dbus", "use_ipv6", "debuglevel", "restore",
 
2214
                   "statedir"):
2437
2215
        value = getattr(options, option)
2438
2216
        if value is not None:
2439
2217
            server_settings[option] = value
2440
2218
    del options
2441
2219
    # Force all strings to be unicode
2442
2220
    for option in server_settings.keys():
2443
 
        if isinstance(server_settings[option], bytes):
2444
 
            server_settings[option] = (server_settings[option]
2445
 
                                       .decode("utf-8"))
2446
 
    # Force all boolean options to be boolean
2447
 
    for option in ("debug", "use_dbus", "use_ipv6", "restore",
2448
 
                   "foreground", "zeroconf"):
2449
 
        server_settings[option] = bool(server_settings[option])
2450
 
    # Debug implies foreground
2451
 
    if server_settings["debug"]:
2452
 
        server_settings["foreground"] = True
 
2221
        if type(server_settings[option]) is str:
 
2222
            server_settings[option] = unicode(server_settings[option])
2453
2223
    # Now we have our good server settings in "server_settings"
2454
2224
    
2455
2225
    ##################################################################
2456
2226
    
2457
 
    if (not server_settings["zeroconf"]
2458
 
        and not (server_settings["port"]
2459
 
                 or server_settings["socket"] != "")):
2460
 
        parser.error("Needs port or socket to work without Zeroconf")
2461
 
    
2462
2227
    # For convenience
2463
2228
    debug = server_settings["debug"]
2464
2229
    debuglevel = server_settings["debuglevel"]
2466
2231
    use_ipv6 = server_settings["use_ipv6"]
2467
2232
    stored_state_path = os.path.join(server_settings["statedir"],
2468
2233
                                     stored_state_file)
2469
 
    foreground = server_settings["foreground"]
2470
 
    zeroconf = server_settings["zeroconf"]
2471
2234
    
2472
2235
    if debug:
2473
2236
        initlogger(debug, logging.DEBUG)
2479
2242
            initlogger(debug, level)
2480
2243
    
2481
2244
    if server_settings["servicename"] != "Mandos":
2482
 
        syslogger.setFormatter(
2483
 
            logging.Formatter('Mandos ({}) [%(process)d]:'
2484
 
                              ' %(levelname)s: %(message)s'.format(
2485
 
                                  server_settings["servicename"])))
 
2245
        syslogger.setFormatter(logging.Formatter
 
2246
                               ('Mandos ({0}) [%(process)d]:'
 
2247
                                ' %(levelname)s: %(message)s'
 
2248
                                .format(server_settings
 
2249
                                        ["servicename"])))
2486
2250
    
2487
2251
    # Parse config file with clients
2488
2252
    client_config = configparser.SafeConfigParser(Client
2493
2257
    global mandos_dbus_service
2494
2258
    mandos_dbus_service = None
2495
2259
    
2496
 
    socketfd = None
2497
 
    if server_settings["socket"] != "":
2498
 
        socketfd = server_settings["socket"]
2499
 
    tcp_server = MandosServer(
2500
 
        (server_settings["address"], server_settings["port"]),
2501
 
        ClientHandler,
2502
 
        interface=(server_settings["interface"] or None),
2503
 
        use_ipv6=use_ipv6,
2504
 
        gnutls_priority=server_settings["priority"],
2505
 
        use_dbus=use_dbus,
2506
 
        socketfd=socketfd)
2507
 
    if not foreground:
2508
 
        pidfilename = "/run/mandos.pid"
2509
 
        if not os.path.isdir("/run/."):
2510
 
            pidfilename = "/var/run/mandos.pid"
2511
 
        pidfile = None
 
2260
    tcp_server = MandosServer((server_settings["address"],
 
2261
                               server_settings["port"]),
 
2262
                              ClientHandler,
 
2263
                              interface=(server_settings["interface"]
 
2264
                                         or None),
 
2265
                              use_ipv6=use_ipv6,
 
2266
                              gnutls_priority=
 
2267
                              server_settings["priority"],
 
2268
                              use_dbus=use_dbus)
 
2269
    if not debug:
 
2270
        pidfilename = "/var/run/mandos.pid"
2512
2271
        try:
2513
2272
            pidfile = open(pidfilename, "w")
2514
2273
        except IOError as e:
2530
2289
        os.setuid(uid)
2531
2290
    except OSError as error:
2532
2291
        if error.errno != errno.EPERM:
2533
 
            raise
 
2292
            raise error
2534
2293
    
2535
2294
    if debug:
2536
2295
        # Enable all possible GnuTLS debugging
2543
2302
        def debug_gnutls(level, string):
2544
2303
            logger.debug("GnuTLS: %s", string[:-1])
2545
2304
        
2546
 
        gnutls.library.functions.gnutls_global_set_log_function(
2547
 
            debug_gnutls)
 
2305
        (gnutls.library.functions
 
2306
         .gnutls_global_set_log_function(debug_gnutls))
2548
2307
        
2549
2308
        # Redirect stdin so all checkers get /dev/null
2550
2309
        null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2553
2312
            os.close(null)
2554
2313
    
2555
2314
    # Need to fork before connecting to D-Bus
2556
 
    if not foreground:
 
2315
    if not debug:
2557
2316
        # Close all input and output, do double fork, etc.
2558
2317
        daemon()
2559
2318
    
2560
 
    # multiprocessing will use threads, so before we use gobject we
2561
 
    # need to inform gobject that threads will be used.
2562
2319
    gobject.threads_init()
2563
2320
    
2564
2321
    global main_loop
2570
2327
    if use_dbus:
2571
2328
        try:
2572
2329
            bus_name = dbus.service.BusName("se.recompile.Mandos",
2573
 
                                            bus,
2574
 
                                            do_not_queue=True)
2575
 
            old_bus_name = dbus.service.BusName(
2576
 
                "se.bsnet.fukt.Mandos", bus,
2577
 
                do_not_queue=True)
 
2330
                                            bus, do_not_queue=True)
 
2331
            old_bus_name = (dbus.service.BusName
 
2332
                            ("se.bsnet.fukt.Mandos", bus,
 
2333
                             do_not_queue=True))
2578
2334
        except dbus.exceptions.NameExistsException as e:
2579
2335
            logger.error("Disabling D-Bus:", exc_info=e)
2580
2336
            use_dbus = False
2581
2337
            server_settings["use_dbus"] = False
2582
2338
            tcp_server.use_dbus = False
2583
 
    if zeroconf:
2584
 
        protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2585
 
        service = AvahiServiceToSyslog(
2586
 
            name = server_settings["servicename"],
2587
 
            servicetype = "_mandos._tcp",
2588
 
            protocol = protocol,
2589
 
            bus = bus)
2590
 
        if server_settings["interface"]:
2591
 
            service.interface = if_nametoindex(
2592
 
                server_settings["interface"].encode("utf-8"))
 
2339
    protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
 
2340
    service = AvahiServiceToSyslog(name =
 
2341
                                   server_settings["servicename"],
 
2342
                                   servicetype = "_mandos._tcp",
 
2343
                                   protocol = protocol, bus = bus)
 
2344
    if server_settings["interface"]:
 
2345
        service.interface = (if_nametoindex
 
2346
                             (str(server_settings["interface"])))
2593
2347
    
2594
2348
    global multiprocessing_manager
2595
2349
    multiprocessing_manager = multiprocessing.Manager()
2602
2356
    old_client_settings = {}
2603
2357
    clients_data = {}
2604
2358
    
2605
 
    # This is used to redirect stdout and stderr for checker processes
2606
 
    global wnull
2607
 
    wnull = open(os.devnull, "w") # A writable /dev/null
2608
 
    # Only used if server is running in foreground but not in debug
2609
 
    # mode
2610
 
    if debug or not foreground:
2611
 
        wnull.close()
2612
 
    
2613
2359
    # Get client data and settings from last running state.
2614
2360
    if server_settings["restore"]:
2615
2361
        try:
2616
2362
            with open(stored_state_path, "rb") as stored_state:
2617
 
                clients_data, old_client_settings = pickle.load(
2618
 
                    stored_state)
 
2363
                clients_data, old_client_settings = (pickle.load
 
2364
                                                     (stored_state))
2619
2365
            os.remove(stored_state_path)
2620
2366
        except IOError as e:
2621
2367
            if e.errno == errno.ENOENT:
2622
 
                logger.warning("Could not load persistent state:"
2623
 
                               " {}".format(os.strerror(e.errno)))
 
2368
                logger.warning("Could not load persistent state: {0}"
 
2369
                                .format(os.strerror(e.errno)))
2624
2370
            else:
2625
2371
                logger.critical("Could not load persistent state:",
2626
2372
                                exc_info=e)
2627
2373
                raise
2628
2374
        except EOFError as e:
2629
2375
            logger.warning("Could not load persistent state: "
2630
 
                           "EOFError:",
2631
 
                           exc_info=e)
 
2376
                           "EOFError:", exc_info=e)
2632
2377
    
2633
2378
    with PGPEngine() as pgp:
2634
 
        for client_name, client in clients_data.items():
2635
 
            # Skip removed clients
2636
 
            if client_name not in client_settings:
2637
 
                continue
2638
 
            
 
2379
        for client_name, client in clients_data.iteritems():
2639
2380
            # Decide which value to use after restoring saved state.
2640
2381
            # We have three different values: Old config file,
2641
2382
            # new config file, and saved state.
2646
2387
                    # For each value in new config, check if it
2647
2388
                    # differs from the old config value (Except for
2648
2389
                    # the "secret" attribute)
2649
 
                    if (name != "secret"
2650
 
                        and (value !=
2651
 
                             old_client_settings[client_name][name])):
 
2390
                    if (name != "secret" and
 
2391
                        value != old_client_settings[client_name]
 
2392
                        [name]):
2652
2393
                        client[name] = value
2653
2394
                except KeyError:
2654
2395
                    pass
2662
2403
                if datetime.datetime.utcnow() >= client["expires"]:
2663
2404
                    if not client["last_checked_ok"]:
2664
2405
                        logger.warning(
2665
 
                            "disabling client {} - Client never "
2666
 
                            "performed a successful checker".format(
2667
 
                                client_name))
 
2406
                            "disabling client {0} - Client never "
 
2407
                            "performed a successful checker"
 
2408
                            .format(client_name))
2668
2409
                        client["enabled"] = False
2669
2410
                    elif client["last_checker_status"] != 0:
2670
2411
                        logger.warning(
2671
 
                            "disabling client {} - Client last"
2672
 
                            " checker failed with error code"
2673
 
                            " {}".format(
2674
 
                                client_name,
2675
 
                                client["last_checker_status"]))
 
2412
                            "disabling client {0} - Client "
 
2413
                            "last checker failed with error code {1}"
 
2414
                            .format(client_name,
 
2415
                                    client["last_checker_status"]))
2676
2416
                        client["enabled"] = False
2677
2417
                    else:
2678
 
                        client["expires"] = (
2679
 
                            datetime.datetime.utcnow()
2680
 
                            + client["timeout"])
 
2418
                        client["expires"] = (datetime.datetime
 
2419
                                             .utcnow()
 
2420
                                             + client["timeout"])
2681
2421
                        logger.debug("Last checker succeeded,"
2682
 
                                     " keeping {} enabled".format(
2683
 
                                         client_name))
 
2422
                                     " keeping {0} enabled"
 
2423
                                     .format(client_name))
2684
2424
            try:
2685
 
                client["secret"] = pgp.decrypt(
2686
 
                    client["encrypted_secret"],
2687
 
                    client_settings[client_name]["secret"])
 
2425
                client["secret"] = (
 
2426
                    pgp.decrypt(client["encrypted_secret"],
 
2427
                                client_settings[client_name]
 
2428
                                ["secret"]))
2688
2429
            except PGPError:
2689
2430
                # If decryption fails, we use secret from new settings
2690
 
                logger.debug("Failed to decrypt {} old secret".format(
2691
 
                    client_name))
2692
 
                client["secret"] = (client_settings[client_name]
2693
 
                                    ["secret"])
 
2431
                logger.debug("Failed to decrypt {0} old secret"
 
2432
                             .format(client_name))
 
2433
                client["secret"] = (
 
2434
                    client_settings[client_name]["secret"])
2694
2435
    
2695
2436
    # Add/remove clients based on new changes made to config
2696
2437
    for client_name in (set(old_client_settings)
2701
2442
        clients_data[client_name] = client_settings[client_name]
2702
2443
    
2703
2444
    # Create all client objects
2704
 
    for client_name, client in clients_data.items():
 
2445
    for client_name, client in clients_data.iteritems():
2705
2446
        tcp_server.clients[client_name] = client_class(
2706
 
            name = client_name,
2707
 
            settings = client,
2708
 
            server_settings = server_settings)
 
2447
            name = client_name, settings = client)
2709
2448
    
2710
2449
    if not tcp_server.clients:
2711
2450
        logger.warning("No clients defined")
2712
2451
    
2713
 
    if not foreground:
2714
 
        if pidfile is not None:
2715
 
            try:
2716
 
                with pidfile:
2717
 
                    pid = os.getpid()
2718
 
                    pidfile.write("{}\n".format(pid).encode("utf-8"))
2719
 
            except IOError:
2720
 
                logger.error("Could not write to file %r with PID %d",
2721
 
                             pidfilename, pid)
2722
 
        del pidfile
 
2452
    if not debug:
 
2453
        try:
 
2454
            with pidfile:
 
2455
                pid = os.getpid()
 
2456
                pidfile.write(str(pid) + "\n".encode("utf-8"))
 
2457
            del pidfile
 
2458
        except IOError:
 
2459
            logger.error("Could not write to file %r with PID %d",
 
2460
                         pidfilename, pid)
 
2461
        except NameError:
 
2462
            # "pidfile" was never created
 
2463
            pass
2723
2464
        del pidfilename
2724
2465
    
2725
2466
    signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2726
2467
    signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2727
2468
    
2728
2469
    if use_dbus:
2729
 
        
2730
 
        @alternate_dbus_interfaces(
2731
 
            { "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
 
2470
        @alternate_dbus_interfaces({"se.recompile.Mandos":
 
2471
                                        "se.bsnet.fukt.Mandos"})
2732
2472
        class MandosDBusService(DBusObjectWithProperties):
2733
2473
            """A D-Bus proxy object"""
2734
 
            
2735
2474
            def __init__(self):
2736
2475
                dbus.service.Object.__init__(self, bus, "/")
2737
 
            
2738
2476
            _interface = "se.recompile.Mandos"
2739
2477
            
2740
2478
            @dbus_interface_annotations(_interface)
2741
2479
            def _foo(self):
2742
 
                return {
2743
 
                    "org.freedesktop.DBus.Property.EmitsChangedSignal":
2744
 
                    "false" }
 
2480
                return { "org.freedesktop.DBus.Property"
 
2481
                         ".EmitsChangedSignal":
 
2482
                             "false"}
2745
2483
            
2746
2484
            @dbus.service.signal(_interface, signature="o")
2747
2485
            def ClientAdded(self, objpath):
2761
2499
            @dbus.service.method(_interface, out_signature="ao")
2762
2500
            def GetAllClients(self):
2763
2501
                "D-Bus method"
2764
 
                return dbus.Array(c.dbus_object_path for c in
 
2502
                return dbus.Array(c.dbus_object_path
 
2503
                                  for c in
2765
2504
                                  tcp_server.clients.itervalues())
2766
2505
            
2767
2506
            @dbus.service.method(_interface,
2769
2508
            def GetAllClientsWithProperties(self):
2770
2509
                "D-Bus method"
2771
2510
                return dbus.Dictionary(
2772
 
                    { c.dbus_object_path: c.GetAll("")
2773
 
                      for c in tcp_server.clients.itervalues() },
 
2511
                    ((c.dbus_object_path, c.GetAll(""))
 
2512
                     for c in tcp_server.clients.itervalues()),
2774
2513
                    signature="oa{sv}")
2775
2514
            
2776
2515
            @dbus.service.method(_interface, in_signature="o")
2793
2532
    
2794
2533
    def cleanup():
2795
2534
        "Cleanup function; run on exit"
2796
 
        if zeroconf:
2797
 
            service.cleanup()
 
2535
        service.cleanup()
2798
2536
        
2799
2537
        multiprocessing.active_children()
2800
 
        wnull.close()
2801
2538
        if not (tcp_server.clients or client_settings):
2802
2539
            return
2803
2540
        
2814
2551
                
2815
2552
                # A list of attributes that can not be pickled
2816
2553
                # + secret.
2817
 
                exclude = { "bus", "changedstate", "secret",
2818
 
                            "checker", "server_settings" }
2819
 
                for name, typ in inspect.getmembers(dbus.service
2820
 
                                                    .Object):
 
2554
                exclude = set(("bus", "changedstate", "secret",
 
2555
                               "checker"))
 
2556
                for name, typ in (inspect.getmembers
 
2557
                                  (dbus.service.Object)):
2821
2558
                    exclude.add(name)
2822
2559
                
2823
2560
                client_dict["encrypted_secret"] = (client
2830
2567
                del client_settings[client.name]["secret"]
2831
2568
        
2832
2569
        try:
2833
 
            with tempfile.NamedTemporaryFile(
2834
 
                    mode='wb',
2835
 
                    suffix=".pickle",
2836
 
                    prefix='clients-',
2837
 
                    dir=os.path.dirname(stored_state_path),
2838
 
                    delete=False) as stored_state:
 
2570
            with (tempfile.NamedTemporaryFile
 
2571
                  (mode='wb', suffix=".pickle", prefix='clients-',
 
2572
                   dir=os.path.dirname(stored_state_path),
 
2573
                   delete=False)) as stored_state:
2839
2574
                pickle.dump((clients, client_settings), stored_state)
2840
 
                tempname = stored_state.name
 
2575
                tempname=stored_state.name
2841
2576
            os.rename(tempname, stored_state_path)
2842
2577
        except (IOError, OSError) as e:
2843
2578
            if not debug:
2846
2581
                except NameError:
2847
2582
                    pass
2848
2583
            if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2849
 
                logger.warning("Could not save persistent state: {}"
 
2584
                logger.warning("Could not save persistent state: {0}"
2850
2585
                               .format(os.strerror(e.errno)))
2851
2586
            else:
2852
2587
                logger.warning("Could not save persistent state:",
2853
2588
                               exc_info=e)
2854
 
                raise
 
2589
                raise e
2855
2590
        
2856
2591
        # Delete all clients, and settings from config
2857
2592
        while tcp_server.clients:
2862
2597
            client.disable(quiet=True)
2863
2598
            if use_dbus:
2864
2599
                # Emit D-Bus signal
2865
 
                mandos_dbus_service.ClientRemoved(
2866
 
                    client.dbus_object_path, client.name)
 
2600
                mandos_dbus_service.ClientRemoved(client
 
2601
                                                  .dbus_object_path,
 
2602
                                                  client.name)
2867
2603
        client_settings.clear()
2868
2604
    
2869
2605
    atexit.register(cleanup)
2880
2616
    tcp_server.server_activate()
2881
2617
    
2882
2618
    # Find out what port we got
2883
 
    if zeroconf:
2884
 
        service.port = tcp_server.socket.getsockname()[1]
 
2619
    service.port = tcp_server.socket.getsockname()[1]
2885
2620
    if use_ipv6:
2886
2621
        logger.info("Now listening on address %r, port %d,"
2887
2622
                    " flowinfo %d, scope_id %d",
2893
2628
    #service.interface = tcp_server.socket.getsockname()[3]
2894
2629
    
2895
2630
    try:
2896
 
        if zeroconf:
2897
 
            # From the Avahi example code
2898
 
            try:
2899
 
                service.activate()
2900
 
            except dbus.exceptions.DBusException as error:
2901
 
                logger.critical("D-Bus Exception", exc_info=error)
2902
 
                cleanup()
2903
 
                sys.exit(1)
2904
 
            # End of Avahi example code
 
2631
        # From the Avahi example code
 
2632
        try:
 
2633
            service.activate()
 
2634
        except dbus.exceptions.DBusException as error:
 
2635
            logger.critical("D-Bus Exception", exc_info=error)
 
2636
            cleanup()
 
2637
            sys.exit(1)
 
2638
        # End of Avahi example code
2905
2639
        
2906
2640
        gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2907
2641
                             lambda *args, **kwargs:
2922
2656
    # Must run before the D-Bus bus name gets deregistered
2923
2657
    cleanup()
2924
2658
 
2925
 
 
2926
2659
if __name__ == '__main__':
2927
2660
    main()