76
89
except ImportError:
77
90
SO_BINDTODEVICE = None
82
logger = logging.Logger(u'mandos')
93
stored_state_file = "clients.pickle"
95
logger = logging.getLogger()
83
96
syslogger = (logging.handlers.SysLogHandler
84
97
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
89
logger.addHandler(syslogger)
91
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
95
logger.addHandler(console)
98
address = str("/dev/log")))
101
if_nametoindex = (ctypes.cdll.LoadLibrary
102
(ctypes.util.find_library("c"))
104
except (OSError, AttributeError):
105
def if_nametoindex(interface):
106
"Get an interface index the hard way, i.e. using fcntl()"
107
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
108
with contextlib.closing(socket.socket()) as s:
109
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
110
struct.pack(str("16s16x"),
112
interface_index = struct.unpack(str("I"),
114
return interface_index
117
def initlogger(debug, level=logging.WARNING):
118
"""init logger and add loglevel"""
120
syslogger.setFormatter(logging.Formatter
121
('Mandos [%(process)d]: %(levelname)s:'
123
logger.addHandler(syslogger)
126
console = logging.StreamHandler()
127
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
131
logger.addHandler(console)
132
logger.setLevel(level)
135
class PGPError(Exception):
136
"""Exception if encryption/decryption fails"""
140
class PGPEngine(object):
141
"""A simple class for OpenPGP symmetric encryption & decryption"""
143
self.gnupg = GnuPGInterface.GnuPG()
144
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
145
self.gnupg = GnuPGInterface.GnuPG()
146
self.gnupg.options.meta_interactive = False
147
self.gnupg.options.homedir = self.tempdir
148
self.gnupg.options.extra_args.extend(['--force-mdc',
155
def __exit__(self, exc_type, exc_value, traceback):
163
if self.tempdir is not None:
164
# Delete contents of tempdir
165
for root, dirs, files in os.walk(self.tempdir,
167
for filename in files:
168
os.remove(os.path.join(root, filename))
170
os.rmdir(os.path.join(root, dirname))
172
os.rmdir(self.tempdir)
175
def password_encode(self, password):
176
# Passphrase can not be empty and can not contain newlines or
177
# NUL bytes. So we prefix it and hex encode it.
178
return b"mandos" + binascii.hexlify(password)
180
def encrypt(self, data, password):
181
self.gnupg.passphrase = self.password_encode(password)
182
with open(os.devnull, "w") as devnull:
184
proc = self.gnupg.run(['--symmetric'],
185
create_fhs=['stdin', 'stdout'],
186
attach_fhs={'stderr': devnull})
187
with contextlib.closing(proc.handles['stdin']) as f:
189
with contextlib.closing(proc.handles['stdout']) as f:
190
ciphertext = f.read()
194
self.gnupg.passphrase = None
197
def decrypt(self, data, password):
198
self.gnupg.passphrase = self.password_encode(password)
199
with open(os.devnull, "w") as devnull:
201
proc = self.gnupg.run(['--decrypt'],
202
create_fhs=['stdin', 'stdout'],
203
attach_fhs={'stderr': devnull})
204
with contextlib.closing(proc.handles['stdin']) as f:
206
with contextlib.closing(proc.handles['stdout']) as f:
207
decrypted_plaintext = f.read()
211
self.gnupg.passphrase = None
212
return decrypted_plaintext
97
215
class AvahiError(Exception):
98
216
def __init__(self, value, *args, **kwargs):
186
316
dbus.UInt16(self.port),
187
317
avahi.string_array_to_txt_array(self.TXT))
188
318
self.group.Commit()
189
320
def entry_group_state_changed(self, state, error):
190
321
"""Derived from the Avahi example code"""
191
logger.debug(u"Avahi state change: %i", state)
322
logger.debug("Avahi entry group state change: %i", state)
193
324
if state == avahi.ENTRY_GROUP_ESTABLISHED:
194
logger.debug(u"Zeroconf service established.")
325
logger.debug("Zeroconf service established.")
195
326
elif state == avahi.ENTRY_GROUP_COLLISION:
196
logger.warning(u"Zeroconf service name collision.")
327
logger.info("Zeroconf service name collision.")
198
329
elif state == avahi.ENTRY_GROUP_FAILURE:
199
logger.critical(u"Avahi: Error in group state changed %s",
330
logger.critical("Avahi: Error in group state changed %s",
201
raise AvahiGroupError(u"State changed: %s"
332
raise AvahiGroupError("State changed: {0!s}"
203
335
def cleanup(self):
204
336
"""Derived from the Avahi example code"""
205
337
if self.group is not None:
340
except (dbus.exceptions.UnknownMethodException,
341
dbus.exceptions.DBusException):
207
343
self.group = None
208
def server_state_changed(self, state):
346
def server_state_changed(self, state, error=None):
209
347
"""Derived from the Avahi example code"""
210
if state == avahi.SERVER_COLLISION:
211
logger.error(u"Zeroconf server name collision")
348
logger.debug("Avahi server state change: %i", state)
349
bad_states = { avahi.SERVER_INVALID:
350
"Zeroconf server invalid",
351
avahi.SERVER_REGISTERING: None,
352
avahi.SERVER_COLLISION:
353
"Zeroconf server name collision",
354
avahi.SERVER_FAILURE:
355
"Zeroconf server failure" }
356
if state in bad_states:
357
if bad_states[state] is not None:
359
logger.error(bad_states[state])
361
logger.error(bad_states[state] + ": %r", error)
213
363
elif state == avahi.SERVER_RUNNING:
367
logger.debug("Unknown state: %r", state)
369
logger.debug("Unknown state: %r: %r", state, error)
215
371
def activate(self):
216
372
"""Derived from the Avahi example code"""
217
373
if self.server is None:
218
374
self.server = dbus.Interface(
219
375
self.bus.get_object(avahi.DBUS_NAME,
220
avahi.DBUS_PATH_SERVER),
376
avahi.DBUS_PATH_SERVER,
377
follow_name_owner_changes=True),
221
378
avahi.DBUS_INTERFACE_SERVER)
222
self.server.connect_to_signal(u"StateChanged",
379
self.server.connect_to_signal("StateChanged",
223
380
self.server_state_changed)
224
381
self.server_state_changed(self.server.GetState())
384
class AvahiServiceToSyslog(AvahiService):
386
"""Add the new name to the syslog messages"""
387
ret = AvahiService.rename(self)
388
syslogger.setFormatter(logging.Formatter
389
('Mandos ({0}) [%(process)d]:'
390
' %(levelname)s: %(message)s'
395
def timedelta_to_milliseconds(td):
396
"Convert a datetime.timedelta() to milliseconds"
397
return ((td.days * 24 * 60 * 60 * 1000)
398
+ (td.seconds * 1000)
399
+ (td.microseconds // 1000))
227
402
class Client(object):
228
403
"""A representation of a client host served by this server.
231
name: string; from the config file, used in log messages and
233
fingerprint: string (40 or 32 hexadecimal digits); used to
234
uniquely identify the client
235
secret: bytestring; sent verbatim (over TLS) to client
236
host: string; available for use by the checker command
237
created: datetime.datetime(); (UTC) object creation
238
last_enabled: datetime.datetime(); (UTC)
240
last_checked_ok: datetime.datetime(); (UTC) or None
241
timeout: datetime.timedelta(); How long from last_checked_ok
242
until this client is invalid
243
interval: datetime.timedelta(); How often to start a new checker
244
disable_hook: If set, called by disable() as disable_hook(self)
406
approved: bool(); 'None' if not yet approved/disapproved
407
approval_delay: datetime.timedelta(); Time to wait for approval
408
approval_duration: datetime.timedelta(); Duration of one approval
245
409
checker: subprocess.Popen(); a running checker process used
246
410
to see if the client lives.
247
411
'None' if no process is running.
248
checker_initiator_tag: a gobject event source tag, or None
249
disable_initiator_tag: - '' -
250
checker_callback_tag: - '' -
251
checker_command: string; External command which is run to check if
252
client lives. %() expansions are done at
412
checker_callback_tag: a gobject event source tag, or None
413
checker_command: string; External command which is run to check
414
if client lives. %() expansions are done at
253
415
runtime with vars(self) as dict, so that for
254
416
instance %(name)s can be used in the command.
417
checker_initiator_tag: a gobject event source tag, or None
418
created: datetime.datetime(); (UTC) object creation
419
client_structure: Object describing what attributes a client has
420
and is used for storing the client at exit
255
421
current_checker_command: string; current running checker_command
422
disable_initiator_tag: a gobject event source tag, or None
424
fingerprint: string (40 or 32 hexadecimal digits); used to
425
uniquely identify the client
426
host: string; available for use by the checker command
427
interval: datetime.timedelta(); How often to start a new checker
428
last_approval_request: datetime.datetime(); (UTC) or None
429
last_checked_ok: datetime.datetime(); (UTC) or None
430
last_checker_status: integer between 0 and 255 reflecting exit
431
status of last checker. -1 reflects crashed
432
checker, -2 means no checker completed yet.
433
last_enabled: datetime.datetime(); (UTC) or None
434
name: string; from the config file, used in log messages and
436
secret: bytestring; sent verbatim (over TLS) to client
437
timeout: datetime.timedelta(); How long from last_checked_ok
438
until this client is disabled
439
extended_timeout: extra long timeout when secret has been sent
440
runtime_expansions: Allowed attributes for runtime expansion.
441
expires: datetime.datetime(); time (UTC) when a client will be
259
def _datetime_to_milliseconds(dt):
260
"Convert a datetime.datetime() to milliseconds"
261
return ((dt.days * 24 * 60 * 60 * 1000)
262
+ (dt.seconds * 1000)
263
+ (dt.microseconds // 1000))
445
runtime_expansions = ("approval_delay", "approval_duration",
446
"created", "enabled", "expires",
447
"fingerprint", "host", "interval",
448
"last_approval_request", "last_checked_ok",
449
"last_enabled", "name", "timeout")
450
client_defaults = { "timeout": "PT5M",
451
"extended_timeout": "PT15M",
453
"checker": "fping -q -- %%(host)s",
455
"approval_delay": "PT0S",
456
"approval_duration": "PT1S",
457
"approved_by_default": "True",
265
461
def timeout_milliseconds(self):
266
462
"Return the 'timeout' attribute in milliseconds"
267
return self._datetime_to_milliseconds(self.timeout)
463
return timedelta_to_milliseconds(self.timeout)
465
def extended_timeout_milliseconds(self):
466
"Return the 'extended_timeout' attribute in milliseconds"
467
return timedelta_to_milliseconds(self.extended_timeout)
269
469
def interval_milliseconds(self):
270
470
"Return the 'interval' attribute in milliseconds"
271
return self._datetime_to_milliseconds(self.interval)
273
def __init__(self, name = None, disable_hook=None, config=None):
274
"""Note: the 'checker' key in 'config' sets the
275
'checker_command' attribute and *not* the 'checker'
471
return timedelta_to_milliseconds(self.interval)
473
def approval_delay_milliseconds(self):
474
return timedelta_to_milliseconds(self.approval_delay)
477
def config_parser(config):
478
"""Construct a new dict of client settings of this form:
479
{ client_name: {setting_name: value, ...}, ...}
480
with exceptions for any special settings as defined above.
481
NOTE: Must be a pure function. Must return the same result
482
value given the same arguments.
485
for client_name in config.sections():
486
section = dict(config.items(client_name))
487
client = settings[client_name] = {}
489
client["host"] = section["host"]
490
# Reformat values from string types to Python types
491
client["approved_by_default"] = config.getboolean(
492
client_name, "approved_by_default")
493
client["enabled"] = config.getboolean(client_name,
496
client["fingerprint"] = (section["fingerprint"].upper()
498
if "secret" in section:
499
client["secret"] = section["secret"].decode("base64")
500
elif "secfile" in section:
501
with open(os.path.expanduser(os.path.expandvars
502
(section["secfile"])),
504
client["secret"] = secfile.read()
506
raise TypeError("No secret or secfile for section {0}"
508
client["timeout"] = string_to_delta(section["timeout"])
509
client["extended_timeout"] = string_to_delta(
510
section["extended_timeout"])
511
client["interval"] = string_to_delta(section["interval"])
512
client["approval_delay"] = string_to_delta(
513
section["approval_delay"])
514
client["approval_duration"] = string_to_delta(
515
section["approval_duration"])
516
client["checker_command"] = section["checker"]
517
client["last_approval_request"] = None
518
client["last_checked_ok"] = None
519
client["last_checker_status"] = -2
523
def __init__(self, settings, name = None):
280
logger.debug(u"Creating client %r", self.name)
525
# adding all client settings
526
for setting, value in settings.iteritems():
527
setattr(self, setting, value)
530
if not hasattr(self, "last_enabled"):
531
self.last_enabled = datetime.datetime.utcnow()
532
if not hasattr(self, "expires"):
533
self.expires = (datetime.datetime.utcnow()
536
self.last_enabled = None
539
logger.debug("Creating client %r", self.name)
281
540
# Uppercase and remove spaces from fingerprint for later
282
541
# comparison purposes with return value from the fingerprint()
284
self.fingerprint = (config[u"fingerprint"].upper()
286
logger.debug(u" Fingerprint: %s", self.fingerprint)
287
if u"secret" in config:
288
self.secret = config[u"secret"].decode(u"base64")
289
elif u"secfile" in config:
290
with closing(open(os.path.expanduser
292
(config[u"secfile"])))) as secfile:
293
self.secret = secfile.read()
295
raise TypeError(u"No secret or secfile for client %s"
297
self.host = config.get(u"host", u"")
298
self.created = datetime.datetime.utcnow()
300
self.last_enabled = None
301
self.last_checked_ok = None
302
self.timeout = string_to_delta(config[u"timeout"])
303
self.interval = string_to_delta(config[u"interval"])
304
self.disable_hook = disable_hook
543
logger.debug(" Fingerprint: %s", self.fingerprint)
544
self.created = settings.get("created",
545
datetime.datetime.utcnow())
547
# attributes specific for this server instance
305
548
self.checker = None
306
549
self.checker_initiator_tag = None
307
550
self.disable_initiator_tag = None
308
551
self.checker_callback_tag = None
309
self.checker_command = config[u"checker"]
310
552
self.current_checker_command = None
311
self.last_connect = None
554
self.approvals_pending = 0
555
self.changedstate = (multiprocessing_manager
556
.Condition(multiprocessing_manager
558
self.client_structure = [attr for attr in
559
self.__dict__.iterkeys()
560
if not attr.startswith("_")]
561
self.client_structure.append("client_structure")
563
for name, t in inspect.getmembers(type(self),
567
if not name.startswith("_"):
568
self.client_structure.append(name)
570
# Send notice to process children that client state has changed
571
def send_changedstate(self):
572
with self.changedstate:
573
self.changedstate.notify_all()
313
575
def enable(self):
314
576
"""Start this client's checker and timeout hooks"""
315
if getattr(self, u"enabled", False):
577
if getattr(self, "enabled", False):
316
578
# Already enabled
580
self.expires = datetime.datetime.utcnow() + self.timeout
318
582
self.last_enabled = datetime.datetime.utcnow()
584
self.send_changedstate()
586
def disable(self, quiet=True):
587
"""Disable this client."""
588
if not getattr(self, "enabled", False):
591
logger.info("Disabling client %s", self.name)
592
if getattr(self, "disable_initiator_tag", None) is not None:
593
gobject.source_remove(self.disable_initiator_tag)
594
self.disable_initiator_tag = None
596
if getattr(self, "checker_initiator_tag", None) is not None:
597
gobject.source_remove(self.checker_initiator_tag)
598
self.checker_initiator_tag = None
602
self.send_changedstate()
603
# Do not run this again if called by a gobject.timeout_add
609
def init_checker(self):
319
610
# Schedule a new checker to be started an 'interval' from now,
320
611
# and every interval from then on.
612
if self.checker_initiator_tag is not None:
613
gobject.source_remove(self.checker_initiator_tag)
321
614
self.checker_initiator_tag = (gobject.timeout_add
322
615
(self.interval_milliseconds(),
323
616
self.start_checker))
324
# Also start a new checker *right now*.
326
617
# Schedule a disable() when 'timeout' has passed
618
if self.disable_initiator_tag is not None:
619
gobject.source_remove(self.disable_initiator_tag)
327
620
self.disable_initiator_tag = (gobject.timeout_add
328
621
(self.timeout_milliseconds(),
333
"""Disable this client."""
334
if not getattr(self, "enabled", False):
336
logger.info(u"Disabling client %s", self.name)
337
if getattr(self, u"disable_initiator_tag", False):
338
gobject.source_remove(self.disable_initiator_tag)
339
self.disable_initiator_tag = None
340
if getattr(self, u"checker_initiator_tag", False):
341
gobject.source_remove(self.checker_initiator_tag)
342
self.checker_initiator_tag = None
344
if self.disable_hook:
345
self.disable_hook(self)
347
# Do not run this again if called by a gobject.timeout_add
351
self.disable_hook = None
623
# Also start a new checker *right now*.
354
626
def checker_callback(self, pid, condition, command):
355
627
"""The checker has completed, so take appropriate actions."""
356
628
self.checker_callback_tag = None
357
629
self.checker = None
358
630
if os.WIFEXITED(condition):
359
exitstatus = os.WEXITSTATUS(condition)
361
logger.info(u"Checker for %(name)s succeeded",
631
self.last_checker_status = os.WEXITSTATUS(condition)
632
if self.last_checker_status == 0:
633
logger.info("Checker for %(name)s succeeded",
363
635
self.checked_ok()
365
logger.info(u"Checker for %(name)s failed",
637
logger.info("Checker for %(name)s failed",
368
logger.warning(u"Checker for %(name)s crashed?",
640
self.last_checker_status = -1
641
logger.warning("Checker for %(name)s crashed?",
371
644
def checked_ok(self):
372
"""Bump up the timeout for this client.
374
This should only be called when the client has been seen,
645
"""Assert that the client has been seen, alive and well."""
377
646
self.last_checked_ok = datetime.datetime.utcnow()
378
gobject.source_remove(self.disable_initiator_tag)
379
self.disable_initiator_tag = (gobject.timeout_add
380
(self.timeout_milliseconds(),
647
self.last_checker_status = 0
650
def bump_timeout(self, timeout=None):
651
"""Bump up the timeout for this client."""
653
timeout = self.timeout
654
if self.disable_initiator_tag is not None:
655
gobject.source_remove(self.disable_initiator_tag)
656
self.disable_initiator_tag = None
657
if getattr(self, "enabled", False):
658
self.disable_initiator_tag = (gobject.timeout_add
659
(timedelta_to_milliseconds
660
(timeout), self.disable))
661
self.expires = datetime.datetime.utcnow() + timeout
663
def need_approval(self):
664
self.last_approval_request = datetime.datetime.utcnow()
383
666
def start_checker(self):
384
667
"""Start a new checker subprocess if one is not running.
453
735
if self.checker_callback_tag:
454
736
gobject.source_remove(self.checker_callback_tag)
455
737
self.checker_callback_tag = None
456
if getattr(self, u"checker", None) is None:
738
if getattr(self, "checker", None) is None:
458
logger.debug(u"Stopping checker for %(name)s", vars(self))
740
logger.debug("Stopping checker for %(name)s", vars(self))
460
os.kill(self.checker.pid, signal.SIGTERM)
742
self.checker.terminate()
462
744
#if self.checker.poll() is None:
463
# os.kill(self.checker.pid, signal.SIGKILL)
464
except OSError, error:
745
# self.checker.kill()
746
except OSError as error:
465
747
if error.errno != errno.ESRCH: # No such process
467
749
self.checker = None
469
def still_valid(self):
470
"""Has the timeout not yet passed for this client?"""
471
if not getattr(self, u"enabled", False):
473
now = datetime.datetime.utcnow()
474
if self.last_checked_ok is None:
475
return now < (self.created + self.timeout)
477
return now < (self.last_checked_ok + self.timeout)
480
class ClientDBus(Client, dbus.service.Object):
752
def dbus_service_property(dbus_interface, signature="v",
753
access="readwrite", byte_arrays=False):
754
"""Decorators for marking methods of a DBusObjectWithProperties to
755
become properties on the D-Bus.
757
The decorated method will be called with no arguments by "Get"
758
and with one argument by "Set".
760
The parameters, where they are supported, are the same as
761
dbus.service.method, except there is only "signature", since the
762
type from Get() and the type sent to Set() is the same.
764
# Encoding deeply encoded byte arrays is not supported yet by the
765
# "Set" method, so we fail early here:
766
if byte_arrays and signature != "ay":
767
raise ValueError("Byte arrays not supported for non-'ay'"
768
" signature {0!r}".format(signature))
770
func._dbus_is_property = True
771
func._dbus_interface = dbus_interface
772
func._dbus_signature = signature
773
func._dbus_access = access
774
func._dbus_name = func.__name__
775
if func._dbus_name.endswith("_dbus_property"):
776
func._dbus_name = func._dbus_name[:-14]
777
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
782
def dbus_interface_annotations(dbus_interface):
783
"""Decorator for marking functions returning interface annotations
787
@dbus_interface_annotations("org.example.Interface")
788
def _foo(self): # Function name does not matter
789
return {"org.freedesktop.DBus.Deprecated": "true",
790
"org.freedesktop.DBus.Property.EmitsChangedSignal":
794
func._dbus_is_interface = True
795
func._dbus_interface = dbus_interface
796
func._dbus_name = dbus_interface
801
def dbus_annotations(annotations):
802
"""Decorator to annotate D-Bus methods, signals or properties
805
@dbus_service_property("org.example.Interface", signature="b",
807
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
808
"org.freedesktop.DBus.Property."
809
"EmitsChangedSignal": "false"})
810
def Property_dbus_property(self):
811
return dbus.Boolean(False)
814
func._dbus_annotations = annotations
819
class DBusPropertyException(dbus.exceptions.DBusException):
820
"""A base class for D-Bus property-related exceptions
822
def __unicode__(self):
823
return unicode(str(self))
826
class DBusPropertyAccessException(DBusPropertyException):
827
"""A property's access permissions disallows an operation.
832
class DBusPropertyNotFound(DBusPropertyException):
833
"""An attempt was made to access a non-existing property.
838
class DBusObjectWithProperties(dbus.service.Object):
839
"""A D-Bus object with properties.
841
Classes inheriting from this can use the dbus_service_property
842
decorator to expose methods as D-Bus properties. It exposes the
843
standard Get(), Set(), and GetAll() methods on the D-Bus.
847
def _is_dbus_thing(thing):
848
"""Returns a function testing if an attribute is a D-Bus thing
850
If called like _is_dbus_thing("method") it returns a function
851
suitable for use as predicate to inspect.getmembers().
853
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
856
def _get_all_dbus_things(self, thing):
857
"""Returns a generator of (name, attribute) pairs
859
return ((getattr(athing.__get__(self), "_dbus_name",
861
athing.__get__(self))
862
for cls in self.__class__.__mro__
864
inspect.getmembers(cls,
865
self._is_dbus_thing(thing)))
867
def _get_dbus_property(self, interface_name, property_name):
868
"""Returns a bound method if one exists which is a D-Bus
869
property with the specified name and interface.
871
for cls in self.__class__.__mro__:
872
for name, value in (inspect.getmembers
874
self._is_dbus_thing("property"))):
875
if (value._dbus_name == property_name
876
and value._dbus_interface == interface_name):
877
return value.__get__(self)
880
raise DBusPropertyNotFound(self.dbus_object_path + ":"
881
+ interface_name + "."
884
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
886
def Get(self, interface_name, property_name):
887
"""Standard D-Bus property Get() method, see D-Bus standard.
889
prop = self._get_dbus_property(interface_name, property_name)
890
if prop._dbus_access == "write":
891
raise DBusPropertyAccessException(property_name)
893
if not hasattr(value, "variant_level"):
895
return type(value)(value, variant_level=value.variant_level+1)
897
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
898
def Set(self, interface_name, property_name, value):
899
"""Standard D-Bus property Set() method, see D-Bus standard.
901
prop = self._get_dbus_property(interface_name, property_name)
902
if prop._dbus_access == "read":
903
raise DBusPropertyAccessException(property_name)
904
if prop._dbus_get_args_options["byte_arrays"]:
905
# The byte_arrays option is not supported yet on
906
# signatures other than "ay".
907
if prop._dbus_signature != "ay":
909
value = dbus.ByteArray(b''.join(chr(byte)
913
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
914
out_signature="a{sv}")
915
def GetAll(self, interface_name):
916
"""Standard D-Bus property GetAll() method, see D-Bus
919
Note: Will not include properties with access="write".
922
for name, prop in self._get_all_dbus_things("property"):
924
and interface_name != prop._dbus_interface):
925
# Interface non-empty but did not match
927
# Ignore write-only properties
928
if prop._dbus_access == "write":
931
if not hasattr(value, "variant_level"):
932
properties[name] = value
934
properties[name] = type(value)(value, variant_level=
935
value.variant_level+1)
936
return dbus.Dictionary(properties, signature="sv")
938
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
940
path_keyword='object_path',
941
connection_keyword='connection')
942
def Introspect(self, object_path, connection):
943
"""Overloading of standard D-Bus method.
945
Inserts property tags and interface annotation tags.
947
xmlstring = dbus.service.Object.Introspect(self, object_path,
950
document = xml.dom.minidom.parseString(xmlstring)
951
def make_tag(document, name, prop):
952
e = document.createElement("property")
953
e.setAttribute("name", name)
954
e.setAttribute("type", prop._dbus_signature)
955
e.setAttribute("access", prop._dbus_access)
957
for if_tag in document.getElementsByTagName("interface"):
959
for tag in (make_tag(document, name, prop)
961
in self._get_all_dbus_things("property")
962
if prop._dbus_interface
963
== if_tag.getAttribute("name")):
964
if_tag.appendChild(tag)
965
# Add annotation tags
966
for typ in ("method", "signal", "property"):
967
for tag in if_tag.getElementsByTagName(typ):
969
for name, prop in (self.
970
_get_all_dbus_things(typ)):
971
if (name == tag.getAttribute("name")
972
and prop._dbus_interface
973
== if_tag.getAttribute("name")):
974
annots.update(getattr
978
for name, value in annots.iteritems():
979
ann_tag = document.createElement(
981
ann_tag.setAttribute("name", name)
982
ann_tag.setAttribute("value", value)
983
tag.appendChild(ann_tag)
984
# Add interface annotation tags
985
for annotation, value in dict(
986
itertools.chain.from_iterable(
987
annotations().iteritems()
988
for name, annotations in
989
self._get_all_dbus_things("interface")
990
if name == if_tag.getAttribute("name")
992
ann_tag = document.createElement("annotation")
993
ann_tag.setAttribute("name", annotation)
994
ann_tag.setAttribute("value", value)
995
if_tag.appendChild(ann_tag)
996
# Add the names to the return values for the
997
# "org.freedesktop.DBus.Properties" methods
998
if (if_tag.getAttribute("name")
999
== "org.freedesktop.DBus.Properties"):
1000
for cn in if_tag.getElementsByTagName("method"):
1001
if cn.getAttribute("name") == "Get":
1002
for arg in cn.getElementsByTagName("arg"):
1003
if (arg.getAttribute("direction")
1005
arg.setAttribute("name", "value")
1006
elif cn.getAttribute("name") == "GetAll":
1007
for arg in cn.getElementsByTagName("arg"):
1008
if (arg.getAttribute("direction")
1010
arg.setAttribute("name", "props")
1011
xmlstring = document.toxml("utf-8")
1013
except (AttributeError, xml.dom.DOMException,
1014
xml.parsers.expat.ExpatError) as error:
1015
logger.error("Failed to override Introspection method",
1020
def datetime_to_dbus(dt, variant_level=0):
1021
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1023
return dbus.String("", variant_level = variant_level)
1024
return dbus.String(dt.isoformat(),
1025
variant_level=variant_level)
1028
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1029
"""A class decorator; applied to a subclass of
1030
dbus.service.Object, it will add alternate D-Bus attributes with
1031
interface names according to the "alt_interface_names" mapping.
1034
@alternate_dbus_interfaces({"org.example.Interface":
1035
"net.example.AlternateInterface"})
1036
class SampleDBusObject(dbus.service.Object):
1037
@dbus.service.method("org.example.Interface")
1038
def SampleDBusMethod():
1041
The above "SampleDBusMethod" on "SampleDBusObject" will be
1042
reachable via two interfaces: "org.example.Interface" and
1043
"net.example.AlternateInterface", the latter of which will have
1044
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1045
"true", unless "deprecate" is passed with a False value.
1047
This works for methods and signals, and also for D-Bus properties
1048
(from DBusObjectWithProperties) and interfaces (from the
1049
dbus_interface_annotations decorator).
1052
for orig_interface_name, alt_interface_name in (
1053
alt_interface_names.iteritems()):
1055
interface_names = set()
1056
# Go though all attributes of the class
1057
for attrname, attribute in inspect.getmembers(cls):
1058
# Ignore non-D-Bus attributes, and D-Bus attributes
1059
# with the wrong interface name
1060
if (not hasattr(attribute, "_dbus_interface")
1061
or not attribute._dbus_interface
1062
.startswith(orig_interface_name)):
1064
# Create an alternate D-Bus interface name based on
1066
alt_interface = (attribute._dbus_interface
1067
.replace(orig_interface_name,
1068
alt_interface_name))
1069
interface_names.add(alt_interface)
1070
# Is this a D-Bus signal?
1071
if getattr(attribute, "_dbus_is_signal", False):
1072
# Extract the original non-method function by
1074
nonmethod_func = (dict(
1075
zip(attribute.func_code.co_freevars,
1076
attribute.__closure__))["func"]
1078
# Create a new, but exactly alike, function
1079
# object, and decorate it to be a new D-Bus signal
1080
# with the alternate D-Bus interface name
1081
new_function = (dbus.service.signal
1083
attribute._dbus_signature)
1084
(types.FunctionType(
1085
nonmethod_func.func_code,
1086
nonmethod_func.func_globals,
1087
nonmethod_func.func_name,
1088
nonmethod_func.func_defaults,
1089
nonmethod_func.func_closure)))
1090
# Copy annotations, if any
1092
new_function._dbus_annotations = (
1093
dict(attribute._dbus_annotations))
1094
except AttributeError:
1096
# Define a creator of a function to call both the
1097
# original and alternate functions, so both the
1098
# original and alternate signals gets sent when
1099
# the function is called
1100
def fixscope(func1, func2):
1101
"""This function is a scope container to pass
1102
func1 and func2 to the "call_both" function
1103
outside of its arguments"""
1104
def call_both(*args, **kwargs):
1105
"""This function will emit two D-Bus
1106
signals by calling func1 and func2"""
1107
func1(*args, **kwargs)
1108
func2(*args, **kwargs)
1110
# Create the "call_both" function and add it to
1112
attr[attrname] = fixscope(attribute, new_function)
1113
# Is this a D-Bus method?
1114
elif getattr(attribute, "_dbus_is_method", False):
1115
# Create a new, but exactly alike, function
1116
# object. Decorate it to be a new D-Bus method
1117
# with the alternate D-Bus interface name. Add it
1119
attr[attrname] = (dbus.service.method
1121
attribute._dbus_in_signature,
1122
attribute._dbus_out_signature)
1124
(attribute.func_code,
1125
attribute.func_globals,
1126
attribute.func_name,
1127
attribute.func_defaults,
1128
attribute.func_closure)))
1129
# Copy annotations, if any
1131
attr[attrname]._dbus_annotations = (
1132
dict(attribute._dbus_annotations))
1133
except AttributeError:
1135
# Is this a D-Bus property?
1136
elif getattr(attribute, "_dbus_is_property", False):
1137
# Create a new, but exactly alike, function
1138
# object, and decorate it to be a new D-Bus
1139
# property with the alternate D-Bus interface
1140
# name. Add it to the class.
1141
attr[attrname] = (dbus_service_property
1143
attribute._dbus_signature,
1144
attribute._dbus_access,
1146
._dbus_get_args_options
1149
(attribute.func_code,
1150
attribute.func_globals,
1151
attribute.func_name,
1152
attribute.func_defaults,
1153
attribute.func_closure)))
1154
# Copy annotations, if any
1156
attr[attrname]._dbus_annotations = (
1157
dict(attribute._dbus_annotations))
1158
except AttributeError:
1160
# Is this a D-Bus interface?
1161
elif getattr(attribute, "_dbus_is_interface", False):
1162
# Create a new, but exactly alike, function
1163
# object. Decorate it to be a new D-Bus interface
1164
# with the alternate D-Bus interface name. Add it
1166
attr[attrname] = (dbus_interface_annotations
1169
(attribute.func_code,
1170
attribute.func_globals,
1171
attribute.func_name,
1172
attribute.func_defaults,
1173
attribute.func_closure)))
1175
# Deprecate all alternate interfaces
1176
iname="_AlternateDBusNames_interface_annotation{0}"
1177
for interface_name in interface_names:
1178
@dbus_interface_annotations(interface_name)
1180
return { "org.freedesktop.DBus.Deprecated":
1182
# Find an unused name
1183
for aname in (iname.format(i)
1184
for i in itertools.count()):
1185
if aname not in attr:
1189
# Replace the class with a new subclass of it with
1190
# methods, signals, etc. as created above.
1191
cls = type(b"{0}Alternate".format(cls.__name__),
1197
@alternate_dbus_interfaces({"se.recompile.Mandos":
1198
"se.bsnet.fukt.Mandos"})
1199
class ClientDBus(Client, DBusObjectWithProperties):
481
1200
"""A Client class using D-Bus
484
1203
dbus_object_path: dbus.ObjectPath
485
1204
bus: dbus.SystemBus()
1207
runtime_expansions = (Client.runtime_expansions
1208
+ ("dbus_object_path",))
487
1210
# dbus.service.Object doesn't use super(), so we can't either.
489
1212
def __init__(self, bus = None, *args, **kwargs):
491
1214
Client.__init__(self, *args, **kwargs)
492
1215
# Only now, when this client is initialized, can it show up on
1217
client_object_name = unicode(self.name).translate(
1218
{ord("."): ord("_"),
1219
ord("-"): ord("_")})
494
1220
self.dbus_object_path = (dbus.ObjectPath
496
+ self.name.replace(u".", u"_")))
497
dbus.service.Object.__init__(self, self.bus,
498
self.dbus_object_path)
501
def _datetime_to_dbus(dt, variant_level=0):
502
"""Convert a UTC datetime.datetime() to a D-Bus type."""
503
return dbus.String(dt.isoformat(),
504
variant_level=variant_level)
507
oldstate = getattr(self, u"enabled", False)
508
r = Client.enable(self)
509
if oldstate != self.enabled:
511
self.PropertyChanged(dbus.String(u"enabled"),
512
dbus.Boolean(True, variant_level=1))
513
self.PropertyChanged(
514
dbus.String(u"last_enabled"),
515
self._datetime_to_dbus(self.last_enabled,
519
def disable(self, signal = True):
520
oldstate = getattr(self, u"enabled", False)
521
r = Client.disable(self)
522
if signal and oldstate != self.enabled:
524
self.PropertyChanged(dbus.String(u"enabled"),
525
dbus.Boolean(False, variant_level=1))
1221
("/clients/" + client_object_name))
1222
DBusObjectWithProperties.__init__(self, self.bus,
1223
self.dbus_object_path)
1225
def notifychangeproperty(transform_func,
1226
dbus_name, type_func=lambda x: x,
1228
""" Modify a variable so that it's a property which announces
1229
its changes to DBus.
1231
transform_fun: Function that takes a value and a variant_level
1232
and transforms it to a D-Bus type.
1233
dbus_name: D-Bus name of the variable
1234
type_func: Function that transform the value before sending it
1235
to the D-Bus. Default: no transform
1236
variant_level: D-Bus variant level. Default: 1
1238
attrname = "_{0}".format(dbus_name)
1239
def setter(self, value):
1240
if hasattr(self, "dbus_object_path"):
1241
if (not hasattr(self, attrname) or
1242
type_func(getattr(self, attrname, None))
1243
!= type_func(value)):
1244
dbus_value = transform_func(type_func(value),
1247
self.PropertyChanged(dbus.String(dbus_name),
1249
setattr(self, attrname, value)
1251
return property(lambda self: getattr(self, attrname), setter)
1253
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1254
approvals_pending = notifychangeproperty(dbus.Boolean,
1257
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1258
last_enabled = notifychangeproperty(datetime_to_dbus,
1260
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1261
type_func = lambda checker:
1262
checker is not None)
1263
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1265
last_checker_status = notifychangeproperty(dbus.Int16,
1266
"LastCheckerStatus")
1267
last_approval_request = notifychangeproperty(
1268
datetime_to_dbus, "LastApprovalRequest")
1269
approved_by_default = notifychangeproperty(dbus.Boolean,
1270
"ApprovedByDefault")
1271
approval_delay = notifychangeproperty(dbus.UInt64,
1274
timedelta_to_milliseconds)
1275
approval_duration = notifychangeproperty(
1276
dbus.UInt64, "ApprovalDuration",
1277
type_func = timedelta_to_milliseconds)
1278
host = notifychangeproperty(dbus.String, "Host")
1279
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1281
timedelta_to_milliseconds)
1282
extended_timeout = notifychangeproperty(
1283
dbus.UInt64, "ExtendedTimeout",
1284
type_func = timedelta_to_milliseconds)
1285
interval = notifychangeproperty(dbus.UInt64,
1288
timedelta_to_milliseconds)
1289
checker_command = notifychangeproperty(dbus.String, "Checker")
1291
del notifychangeproperty
528
1293
def __del__(self, *args, **kwargs):
530
1295
self.remove_from_connection()
531
1296
except LookupError:
533
if hasattr(dbus.service.Object, u"__del__"):
534
dbus.service.Object.__del__(self, *args, **kwargs)
1298
if hasattr(DBusObjectWithProperties, "__del__"):
1299
DBusObjectWithProperties.__del__(self, *args, **kwargs)
535
1300
Client.__del__(self, *args, **kwargs)
537
1302
def checker_callback(self, pid, condition, command,
538
1303
*args, **kwargs):
539
1304
self.checker_callback_tag = None
540
1305
self.checker = None
542
self.PropertyChanged(dbus.String(u"checker_running"),
543
dbus.Boolean(False, variant_level=1))
544
1306
if os.WIFEXITED(condition):
545
1307
exitstatus = os.WEXITSTATUS(condition)
546
1308
# Emit D-Bus signal
577
1330
and old_checker_pid != self.checker.pid):
578
1331
# Emit D-Bus signal
579
1332
self.CheckerStarted(self.current_checker_command)
580
self.PropertyChanged(
581
dbus.String(u"checker_running"),
582
dbus.Boolean(True, variant_level=1))
585
def stop_checker(self, *args, **kwargs):
586
old_checker = getattr(self, u"checker", None)
587
r = Client.stop_checker(self, *args, **kwargs)
588
if (old_checker is not None
589
and getattr(self, u"checker", None) is None):
590
self.PropertyChanged(dbus.String(u"checker_running"),
591
dbus.Boolean(False, variant_level=1))
594
## D-Bus methods & signals
595
_interface = u"se.bsnet.fukt.Mandos.Client"
598
@dbus.service.method(_interface)
600
return self.checked_ok()
1335
def _reset_approved(self):
1336
self.approved = None
1339
def approve(self, value=True):
1340
self.approved = value
1341
gobject.timeout_add(timedelta_to_milliseconds
1342
(self.approval_duration),
1343
self._reset_approved)
1344
self.send_changedstate()
1346
## D-Bus methods, signals & properties
1347
_interface = "se.recompile.Mandos.Client"
1351
@dbus_interface_annotations(_interface)
1353
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
602
1358
# CheckerCompleted - signal
603
@dbus.service.signal(_interface, signature=u"nxs")
1359
@dbus.service.signal(_interface, signature="nxs")
604
1360
def CheckerCompleted(self, exitcode, waitstatus, command):
608
1364
# CheckerStarted - signal
609
@dbus.service.signal(_interface, signature=u"s")
1365
@dbus.service.signal(_interface, signature="s")
610
1366
def CheckerStarted(self, command):
614
# GetAllProperties - method
615
@dbus.service.method(_interface, out_signature=u"a{sv}")
616
def GetAllProperties(self):
618
return dbus.Dictionary({
619
dbus.String(u"name"):
620
dbus.String(self.name, variant_level=1),
621
dbus.String(u"fingerprint"):
622
dbus.String(self.fingerprint, variant_level=1),
623
dbus.String(u"host"):
624
dbus.String(self.host, variant_level=1),
625
dbus.String(u"created"):
626
self._datetime_to_dbus(self.created,
628
dbus.String(u"last_enabled"):
629
(self._datetime_to_dbus(self.last_enabled,
631
if self.last_enabled is not None
632
else dbus.Boolean(False, variant_level=1)),
633
dbus.String(u"enabled"):
634
dbus.Boolean(self.enabled, variant_level=1),
635
dbus.String(u"last_checked_ok"):
636
(self._datetime_to_dbus(self.last_checked_ok,
638
if self.last_checked_ok is not None
639
else dbus.Boolean (False, variant_level=1)),
640
dbus.String(u"timeout"):
641
dbus.UInt64(self.timeout_milliseconds(),
643
dbus.String(u"interval"):
644
dbus.UInt64(self.interval_milliseconds(),
646
dbus.String(u"checker"):
647
dbus.String(self.checker_command,
649
dbus.String(u"checker_running"):
650
dbus.Boolean(self.checker is not None,
652
dbus.String(u"object_path"):
653
dbus.ObjectPath(self.dbus_object_path,
657
# IsStillValid - method
658
@dbus.service.method(_interface, out_signature=u"b")
659
def IsStillValid(self):
660
return self.still_valid()
662
1370
# PropertyChanged - signal
663
@dbus.service.signal(_interface, signature=u"sv")
1371
@dbus.service.signal(_interface, signature="sv")
664
1372
def PropertyChanged(self, property, value):
668
# ReceivedSecret - signal
1376
# GotSecret - signal
669
1377
@dbus.service.signal(_interface)
670
def ReceivedSecret(self):
1378
def GotSecret(self):
1380
Is sent after a successful transfer of secret from the Mandos
1381
server to mandos-client
674
1385
# Rejected - signal
675
@dbus.service.signal(_interface)
1386
@dbus.service.signal(_interface, signature="s")
1387
def Rejected(self, reason):
680
# SetChecker - method
681
@dbus.service.method(_interface, in_signature=u"s")
682
def SetChecker(self, checker):
683
"D-Bus setter method"
684
self.checker_command = checker
686
self.PropertyChanged(dbus.String(u"checker"),
687
dbus.String(self.checker_command,
691
@dbus.service.method(_interface, in_signature=u"s")
692
def SetHost(self, host):
693
"D-Bus setter method"
696
self.PropertyChanged(dbus.String(u"host"),
697
dbus.String(self.host, variant_level=1))
699
# SetInterval - method
700
@dbus.service.method(_interface, in_signature=u"t")
701
def SetInterval(self, milliseconds):
702
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
704
self.PropertyChanged(dbus.String(u"interval"),
705
(dbus.UInt64(self.interval_milliseconds(),
709
@dbus.service.method(_interface, in_signature=u"ay",
711
def SetSecret(self, secret):
712
"D-Bus setter method"
713
self.secret = str(secret)
715
# SetTimeout - method
716
@dbus.service.method(_interface, in_signature=u"t")
717
def SetTimeout(self, milliseconds):
718
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
720
self.PropertyChanged(dbus.String(u"timeout"),
721
(dbus.UInt64(self.timeout_milliseconds(),
1391
# NeedApproval - signal
1392
@dbus.service.signal(_interface, signature="tb")
1393
def NeedApproval(self, timeout, default):
1395
return self.need_approval()
1400
@dbus.service.method(_interface, in_signature="b")
1401
def Approve(self, value):
1404
# CheckedOK - method
1405
@dbus.service.method(_interface)
1406
def CheckedOK(self):
724
1409
# Enable - method
725
1410
@dbus.service.method(_interface)
744
1429
def StopChecker(self):
745
1430
self.stop_checker()
1434
# ApprovalPending - property
1435
@dbus_service_property(_interface, signature="b", access="read")
1436
def ApprovalPending_dbus_property(self):
1437
return dbus.Boolean(bool(self.approvals_pending))
1439
# ApprovedByDefault - property
1440
@dbus_service_property(_interface, signature="b",
1442
def ApprovedByDefault_dbus_property(self, value=None):
1443
if value is None: # get
1444
return dbus.Boolean(self.approved_by_default)
1445
self.approved_by_default = bool(value)
1447
# ApprovalDelay - property
1448
@dbus_service_property(_interface, signature="t",
1450
def ApprovalDelay_dbus_property(self, value=None):
1451
if value is None: # get
1452
return dbus.UInt64(self.approval_delay_milliseconds())
1453
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1455
# ApprovalDuration - property
1456
@dbus_service_property(_interface, signature="t",
1458
def ApprovalDuration_dbus_property(self, value=None):
1459
if value is None: # get
1460
return dbus.UInt64(timedelta_to_milliseconds(
1461
self.approval_duration))
1462
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1465
@dbus_service_property(_interface, signature="s", access="read")
1466
def Name_dbus_property(self):
1467
return dbus.String(self.name)
1469
# Fingerprint - property
1470
@dbus_service_property(_interface, signature="s", access="read")
1471
def Fingerprint_dbus_property(self):
1472
return dbus.String(self.fingerprint)
1475
@dbus_service_property(_interface, signature="s",
1477
def Host_dbus_property(self, value=None):
1478
if value is None: # get
1479
return dbus.String(self.host)
1480
self.host = unicode(value)
1482
# Created - property
1483
@dbus_service_property(_interface, signature="s", access="read")
1484
def Created_dbus_property(self):
1485
return datetime_to_dbus(self.created)
1487
# LastEnabled - property
1488
@dbus_service_property(_interface, signature="s", access="read")
1489
def LastEnabled_dbus_property(self):
1490
return datetime_to_dbus(self.last_enabled)
1492
# Enabled - property
1493
@dbus_service_property(_interface, signature="b",
1495
def Enabled_dbus_property(self, value=None):
1496
if value is None: # get
1497
return dbus.Boolean(self.enabled)
1503
# LastCheckedOK - property
1504
@dbus_service_property(_interface, signature="s",
1506
def LastCheckedOK_dbus_property(self, value=None):
1507
if value is not None:
1510
return datetime_to_dbus(self.last_checked_ok)
1512
# LastCheckerStatus - property
1513
@dbus_service_property(_interface, signature="n",
1515
def LastCheckerStatus_dbus_property(self):
1516
return dbus.Int16(self.last_checker_status)
1518
# Expires - property
1519
@dbus_service_property(_interface, signature="s", access="read")
1520
def Expires_dbus_property(self):
1521
return datetime_to_dbus(self.expires)
1523
# LastApprovalRequest - property
1524
@dbus_service_property(_interface, signature="s", access="read")
1525
def LastApprovalRequest_dbus_property(self):
1526
return datetime_to_dbus(self.last_approval_request)
1528
# Timeout - property
1529
@dbus_service_property(_interface, signature="t",
1531
def Timeout_dbus_property(self, value=None):
1532
if value is None: # get
1533
return dbus.UInt64(self.timeout_milliseconds())
1534
old_timeout = self.timeout
1535
self.timeout = datetime.timedelta(0, 0, 0, value)
1536
# Reschedule disabling
1538
now = datetime.datetime.utcnow()
1539
self.expires += self.timeout - old_timeout
1540
if self.expires <= now:
1541
# The timeout has passed
1544
if (getattr(self, "disable_initiator_tag", None)
1547
gobject.source_remove(self.disable_initiator_tag)
1548
self.disable_initiator_tag = (
1549
gobject.timeout_add(
1550
timedelta_to_milliseconds(self.expires - now),
1553
# ExtendedTimeout - property
1554
@dbus_service_property(_interface, signature="t",
1556
def ExtendedTimeout_dbus_property(self, value=None):
1557
if value is None: # get
1558
return dbus.UInt64(self.extended_timeout_milliseconds())
1559
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1561
# Interval - property
1562
@dbus_service_property(_interface, signature="t",
1564
def Interval_dbus_property(self, value=None):
1565
if value is None: # get
1566
return dbus.UInt64(self.interval_milliseconds())
1567
self.interval = datetime.timedelta(0, 0, 0, value)
1568
if getattr(self, "checker_initiator_tag", None) is None:
1571
# Reschedule checker run
1572
gobject.source_remove(self.checker_initiator_tag)
1573
self.checker_initiator_tag = (gobject.timeout_add
1574
(value, self.start_checker))
1575
self.start_checker() # Start one now, too
1577
# Checker - property
1578
@dbus_service_property(_interface, signature="s",
1580
def Checker_dbus_property(self, value=None):
1581
if value is None: # get
1582
return dbus.String(self.checker_command)
1583
self.checker_command = unicode(value)
1585
# CheckerRunning - property
1586
@dbus_service_property(_interface, signature="b",
1588
def CheckerRunning_dbus_property(self, value=None):
1589
if value is None: # get
1590
return dbus.Boolean(self.checker is not None)
1592
self.start_checker()
1596
# ObjectPath - property
1597
@dbus_service_property(_interface, signature="o", access="read")
1598
def ObjectPath_dbus_property(self):
1599
return self.dbus_object_path # is already a dbus.ObjectPath
1602
@dbus_service_property(_interface, signature="ay",
1603
access="write", byte_arrays=True)
1604
def Secret_dbus_property(self, value):
1605
self.secret = str(value)
1610
class ProxyClient(object):
1611
def __init__(self, child_pipe, fpr, address):
1612
self._pipe = child_pipe
1613
self._pipe.send(('init', fpr, address))
1614
if not self._pipe.recv():
1617
def __getattribute__(self, name):
1619
return super(ProxyClient, self).__getattribute__(name)
1620
self._pipe.send(('getattr', name))
1621
data = self._pipe.recv()
1622
if data[0] == 'data':
1624
if data[0] == 'function':
1625
def func(*args, **kwargs):
1626
self._pipe.send(('funcall', name, args, kwargs))
1627
return self._pipe.recv()[1]
1630
def __setattr__(self, name, value):
1632
return super(ProxyClient, self).__setattr__(name, value)
1633
self._pipe.send(('setattr', name, value))
750
1636
class ClientHandler(socketserver.BaseRequestHandler, object):
751
1637
"""A class to handle client connections.
754
1640
Note: This will run in its own forked process."""
756
1642
def handle(self):
757
logger.info(u"TCP connection from: %s",
758
unicode(self.client_address))
759
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
760
# Open IPC pipe to parent process
761
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1643
with contextlib.closing(self.server.child_pipe) as child_pipe:
1644
logger.info("TCP connection from: %s",
1645
unicode(self.client_address))
1646
logger.debug("Pipe FD: %d",
1647
self.server.child_pipe.fileno())
762
1649
session = (gnutls.connection
763
1650
.ClientSession(self.request,
764
1651
gnutls.connection
765
1652
.X509Credentials()))
767
line = self.request.makefile().readline()
768
logger.debug(u"Protocol version: %r", line)
770
if int(line.strip().split()[0]) > 1:
772
except (ValueError, IndexError, RuntimeError), error:
773
logger.error(u"Unknown protocol version: %s", error)
776
1654
# Note: gnutls.connection.X509Credentials is really a
777
1655
# generic GnuTLS certificate credentials object so long as
778
1656
# no X.509 keys are added to it. Therefore, we can use it
779
1657
# here despite using OpenPGP certificates.
781
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
782
# u"+AES-256-CBC", u"+SHA1",
783
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
1659
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1660
# "+AES-256-CBC", "+SHA1",
1661
# "+COMP-NULL", "+CTYPE-OPENPGP",
785
1663
# Use a fallback default, since this MUST be set.
786
1664
priority = self.server.gnutls_priority
787
1665
if priority is None:
789
1667
(gnutls.library.functions
790
1668
.gnutls_priority_set_direct(session._c_object,
791
1669
priority, None))
1671
# Start communication using the Mandos protocol
1672
# Get protocol number
1673
line = self.request.makefile().readline()
1674
logger.debug("Protocol version: %r", line)
1676
if int(line.strip().split()[0]) > 1:
1678
except (ValueError, IndexError, RuntimeError) as error:
1679
logger.error("Unknown protocol version: %s", error)
1682
# Start GnuTLS connection
794
1684
session.handshake()
795
except gnutls.errors.GNUTLSError, error:
796
logger.warning(u"Handshake failed: %s", error)
1685
except gnutls.errors.GNUTLSError as error:
1686
logger.warning("Handshake failed: %s", error)
797
1687
# Do not run session.bye() here: the session is not
798
1688
# established. Just abandon the request.
800
logger.debug(u"Handshake succeeded")
1690
logger.debug("Handshake succeeded")
1692
approval_required = False
802
fpr = self.fingerprint(self.peer_certificate(session))
803
except (TypeError, gnutls.errors.GNUTLSError), error:
804
logger.warning(u"Bad certificate: %s", error)
807
logger.debug(u"Fingerprint: %s", fpr)
1695
fpr = self.fingerprint(self.peer_certificate
1698
gnutls.errors.GNUTLSError) as error:
1699
logger.warning("Bad certificate: %s", error)
1701
logger.debug("Fingerprint: %s", fpr)
1704
client = ProxyClient(child_pipe, fpr,
1705
self.client_address)
1709
if client.approval_delay:
1710
delay = client.approval_delay
1711
client.approvals_pending += 1
1712
approval_required = True
1715
if not client.enabled:
1716
logger.info("Client %s is disabled",
1718
if self.server.use_dbus:
1720
client.Rejected("Disabled")
1723
if client.approved or not client.approval_delay:
1724
#We are approved or approval is disabled
1726
elif client.approved is None:
1727
logger.info("Client %s needs approval",
1729
if self.server.use_dbus:
1731
client.NeedApproval(
1732
client.approval_delay_milliseconds(),
1733
client.approved_by_default)
1735
logger.warning("Client %s was not approved",
1737
if self.server.use_dbus:
1739
client.Rejected("Denied")
1742
#wait until timeout or approved
1743
time = datetime.datetime.now()
1744
client.changedstate.acquire()
1745
client.changedstate.wait(
1746
float(timedelta_to_milliseconds(delay)
1748
client.changedstate.release()
1749
time2 = datetime.datetime.now()
1750
if (time2 - time) >= delay:
1751
if not client.approved_by_default:
1752
logger.warning("Client %s timed out while"
1753
" waiting for approval",
1755
if self.server.use_dbus:
1757
client.Rejected("Approval timed out")
1762
delay -= time2 - time
1765
while sent_size < len(client.secret):
1767
sent = session.send(client.secret[sent_size:])
1768
except gnutls.errors.GNUTLSError as error:
1769
logger.warning("gnutls send failed",
1772
logger.debug("Sent: %d, remaining: %d",
1773
sent, len(client.secret)
1774
- (sent_size + sent))
1777
logger.info("Sending secret to %s", client.name)
1778
# bump the timeout using extended_timeout
1779
client.bump_timeout(client.extended_timeout)
1780
if self.server.use_dbus:
809
for c in self.server.clients:
810
if c.fingerprint == fpr:
814
ipc.write(u"NOTFOUND %s\n" % fpr)
817
# Have to check if client.still_valid(), since it is
818
# possible that the client timed out while establishing
819
# the GnuTLS session.
820
if not client.still_valid():
821
ipc.write(u"INVALID %s\n" % client.name)
824
ipc.write(u"SENDING %s\n" % client.name)
826
while sent_size < len(client.secret):
827
sent = session.send(client.secret[sent_size:])
828
logger.debug(u"Sent: %d, remaining: %d",
829
sent, len(client.secret)
830
- (sent_size + sent))
1785
if approval_required:
1786
client.approvals_pending -= 1
1789
except gnutls.errors.GNUTLSError as error:
1790
logger.warning("GnuTLS bye failed",
835
1794
def peer_certificate(session):
922
1900
use_ipv6: Boolean; to use IPv6 or not
924
1902
def __init__(self, server_address, RequestHandlerClass,
925
interface=None, use_ipv6=True):
1903
interface=None, use_ipv6=True, socketfd=None):
1904
"""If socketfd is set, use that file descriptor instead of
1905
creating a new one with socket.socket().
926
1907
self.interface = interface
928
1909
self.address_family = socket.AF_INET6
1910
if socketfd is not None:
1911
# Save the file descriptor
1912
self.socketfd = socketfd
1913
# Save the original socket.socket() function
1914
self.socket_socket = socket.socket
1915
# To implement --socket, we monkey patch socket.socket.
1917
# (When socketserver.TCPServer is a new-style class, we
1918
# could make self.socket into a property instead of monkey
1919
# patching socket.socket.)
1921
# Create a one-time-only replacement for socket.socket()
1922
@functools.wraps(socket.socket)
1923
def socket_wrapper(*args, **kwargs):
1924
# Restore original function so subsequent calls are
1926
socket.socket = self.socket_socket
1927
del self.socket_socket
1928
# This time only, return a new socket object from the
1929
# saved file descriptor.
1930
return socket.fromfd(self.socketfd, *args, **kwargs)
1931
# Replace socket.socket() function with wrapper
1932
socket.socket = socket_wrapper
1933
# The socketserver.TCPServer.__init__ will call
1934
# socket.socket(), which might be our replacement,
1935
# socket_wrapper(), if socketfd was set.
929
1936
socketserver.TCPServer.__init__(self, server_address,
930
1937
RequestHandlerClass)
931
1939
def server_bind(self):
932
1940
"""This overrides the normal server_bind() function
933
1941
to bind to an interface if one was specified, and also NOT to
934
1942
bind to an address or port if they were not specified."""
935
1943
if self.interface is not None:
936
1944
if SO_BINDTODEVICE is None:
937
logger.error(u"SO_BINDTODEVICE does not exist;"
938
u" cannot bind to interface %s",
1945
logger.error("SO_BINDTODEVICE does not exist;"
1946
" cannot bind to interface %s",
942
1950
self.socket.setsockopt(socket.SOL_SOCKET,
943
1951
SO_BINDTODEVICE,
946
except socket.error, error:
947
if error[0] == errno.EPERM:
948
logger.error(u"No permission to"
949
u" bind to interface %s",
951
elif error[0] == errno.ENOPROTOOPT:
952
logger.error(u"SO_BINDTODEVICE not available;"
953
u" cannot bind to interface %s",
1952
str(self.interface + '\0'))
1953
except socket.error as error:
1954
if error.errno == errno.EPERM:
1955
logger.error("No permission to bind to"
1956
" interface %s", self.interface)
1957
elif error.errno == errno.ENOPROTOOPT:
1958
logger.error("SO_BINDTODEVICE not available;"
1959
" cannot bind to interface %s",
1961
elif error.errno == errno.ENODEV:
1962
logger.error("Interface %s does not exist,"
1963
" cannot bind", self.interface)
957
1966
# Only bind(2) the socket if we really need to.
958
1967
if self.server_address[0] or self.server_address[1]:
959
1968
if not self.server_address[0]:
960
1969
if self.address_family == socket.AF_INET6:
961
any_address = u"::" # in6addr_any
1970
any_address = "::" # in6addr_any
963
1972
any_address = socket.INADDR_ANY
964
1973
self.server_address = (any_address,
982
1991
clients: set of Client objects
983
1992
gnutls_priority GnuTLS priority string
984
1993
use_dbus: Boolean; to emit D-Bus signals or not
985
clients: set of Client objects
986
gnutls_priority GnuTLS priority string
987
use_dbus: Boolean; to emit D-Bus signals or not
989
1995
Assumes a gobject.MainLoop event loop.
991
1997
def __init__(self, server_address, RequestHandlerClass,
992
1998
interface=None, use_ipv6=True, clients=None,
993
gnutls_priority=None, use_dbus=True):
1999
gnutls_priority=None, use_dbus=True, socketfd=None):
994
2000
self.enabled = False
995
2001
self.clients = clients
996
2002
if self.clients is None:
998
2004
self.use_dbus = use_dbus
999
2005
self.gnutls_priority = gnutls_priority
1000
2006
IPv6_TCPServer.__init__(self, server_address,
1001
2007
RequestHandlerClass,
1002
2008
interface = interface,
1003
use_ipv6 = use_ipv6)
2009
use_ipv6 = use_ipv6,
2010
socketfd = socketfd)
1004
2011
def server_activate(self):
1005
2012
if self.enabled:
1006
2013
return socketserver.TCPServer.server_activate(self)
1007
2015
def enable(self):
1008
2016
self.enabled = True
1009
def add_pipe(self, pipe):
2018
def add_pipe(self, parent_pipe, proc):
1010
2019
# Call "handle_ipc" for both data and EOF events
1011
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1013
def handle_ipc(self, source, condition, file_objects={}):
1015
gobject.IO_IN: u"IN", # There is data to read.
1016
gobject.IO_OUT: u"OUT", # Data can be written (without
1018
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1019
gobject.IO_ERR: u"ERR", # Error condition.
1020
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1021
# broken, usually for pipes and
1024
conditions_string = ' | '.join(name
1026
condition_names.iteritems()
1027
if cond & condition)
1028
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1031
# Turn the pipe file descriptor into a Python file object
1032
if source not in file_objects:
1033
file_objects[source] = os.fdopen(source, u"r", 1)
1035
# Read a line from the file object
1036
cmdline = file_objects[source].readline()
1037
if not cmdline: # Empty line means end of file
1038
# close the IPC pipe
1039
file_objects[source].close()
1040
del file_objects[source]
1042
# Stop calling this function
1045
logger.debug(u"IPC command: %r", cmdline)
1047
# Parse and act on command
1048
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1050
if cmd == u"NOTFOUND":
1051
logger.warning(u"Client not found for fingerprint: %s",
1055
mandos_dbus_service.ClientNotFound(args)
1056
elif cmd == u"INVALID":
1057
for client in self.clients:
1058
if client.name == args:
1059
logger.warning(u"Client %s is invalid", args)
1065
logger.error(u"Unknown client %s is invalid", args)
1066
elif cmd == u"SENDING":
1067
for client in self.clients:
1068
if client.name == args:
1069
logger.info(u"Sending secret to %s", client.name)
1073
client.ReceivedSecret()
1076
logger.error(u"Sending secret to unknown client %s",
2020
gobject.io_add_watch(parent_pipe.fileno(),
2021
gobject.IO_IN | gobject.IO_HUP,
2022
functools.partial(self.handle_ipc,
2027
def handle_ipc(self, source, condition, parent_pipe=None,
2028
proc = None, client_object=None):
2029
# error, or the other end of multiprocessing.Pipe has closed
2030
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2031
# Wait for other process to exit
2035
# Read a request from the child
2036
request = parent_pipe.recv()
2037
command = request[0]
2039
if command == 'init':
2041
address = request[2]
2043
for c in self.clients.itervalues():
2044
if c.fingerprint == fpr:
2048
logger.info("Client not found for fingerprint: %s, ad"
2049
"dress: %s", fpr, address)
2052
mandos_dbus_service.ClientNotFound(fpr,
2054
parent_pipe.send(False)
2057
gobject.io_add_watch(parent_pipe.fileno(),
2058
gobject.IO_IN | gobject.IO_HUP,
2059
functools.partial(self.handle_ipc,
2065
parent_pipe.send(True)
2066
# remove the old hook in favor of the new above hook on
2069
if command == 'funcall':
2070
funcname = request[1]
2074
parent_pipe.send(('data', getattr(client_object,
2078
if command == 'getattr':
2079
attrname = request[1]
2080
if callable(client_object.__getattribute__(attrname)):
2081
parent_pipe.send(('function',))
2083
parent_pipe.send(('data', client_object
2084
.__getattribute__(attrname)))
2086
if command == 'setattr':
2087
attrname = request[1]
2089
setattr(client_object, attrname, value)
2094
def rfc3339_duration_to_delta(duration):
2095
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2097
>>> rfc3339_duration_to_delta("P7D")
2098
datetime.timedelta(7)
2099
>>> rfc3339_duration_to_delta("PT60S")
2100
datetime.timedelta(0, 60)
2101
>>> rfc3339_duration_to_delta("PT60M")
2102
datetime.timedelta(0, 3600)
2103
>>> rfc3339_duration_to_delta("PT24H")
2104
datetime.timedelta(1)
2105
>>> rfc3339_duration_to_delta("P1W")
2106
datetime.timedelta(7)
2107
>>> rfc3339_duration_to_delta("PT5M30S")
2108
datetime.timedelta(0, 330)
2109
>>> rfc3339_duration_to_delta("P1DT3M20S")
2110
datetime.timedelta(1, 200)
2113
# Parsing an RFC 3339 duration with regular expressions is not
2114
# possible - there would have to be multiple places for the same
2115
# values, like seconds. The current code, while more esoteric, is
2116
# cleaner without depending on a parsing library. If Python had a
2117
# built-in library for parsing we would use it, but we'd like to
2118
# avoid excessive use of external libraries.
2120
# New type for defining tokens, syntax, and semantics all-in-one
2121
Token = collections.namedtuple("Token",
2122
("regexp", # To match token; if
2123
# "value" is not None,
2124
# must have a "group"
2126
"value", # datetime.timedelta or
2128
"followers")) # Tokens valid after
2130
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2131
# the "duration" ABNF definition in RFC 3339, Appendix A.
2132
token_end = Token(re.compile(r"$"), None, frozenset())
2133
token_second = Token(re.compile(r"(\d+)S"),
2134
datetime.timedelta(seconds=1),
2135
frozenset((token_end,)))
2136
token_minute = Token(re.compile(r"(\d+)M"),
2137
datetime.timedelta(minutes=1),
2138
frozenset((token_second, token_end)))
2139
token_hour = Token(re.compile(r"(\d+)H"),
2140
datetime.timedelta(hours=1),
2141
frozenset((token_minute, token_end)))
2142
token_time = Token(re.compile(r"T"),
2144
frozenset((token_hour, token_minute,
2146
token_day = Token(re.compile(r"(\d+)D"),
2147
datetime.timedelta(days=1),
2148
frozenset((token_time, token_end)))
2149
token_month = Token(re.compile(r"(\d+)M"),
2150
datetime.timedelta(weeks=4),
2151
frozenset((token_day, token_end)))
2152
token_year = Token(re.compile(r"(\d+)Y"),
2153
datetime.timedelta(weeks=52),
2154
frozenset((token_month, token_end)))
2155
token_week = Token(re.compile(r"(\d+)W"),
2156
datetime.timedelta(weeks=1),
2157
frozenset((token_end,)))
2158
token_duration = Token(re.compile(r"P"), None,
2159
frozenset((token_year, token_month,
2160
token_day, token_time,
2162
# Define starting values
2163
value = datetime.timedelta() # Value so far
2165
followers = frozenset(token_duration,) # Following valid tokens
2166
s = duration # String left to parse
2167
# Loop until end token is found
2168
while found_token is not token_end:
2169
# Search for any currently valid tokens
2170
for token in followers:
2171
match = token.regexp.match(s)
2172
if match is not None:
2174
if token.value is not None:
2175
# Value found, parse digits
2176
factor = int(match.group(1), 10)
2177
# Add to value so far
2178
value += factor * token.value
2179
# Strip token from string
2180
s = token.regexp.sub("", s, 1)
2183
# Set valid next tokens
2184
followers = found_token.followers
1079
logger.error(u"Unknown IPC command: %r", cmdline)
1081
# Keep calling this function
2187
# No currently valid tokens were found
2188
raise ValueError("Invalid RFC 3339 duration")
1085
2193
def string_to_delta(interval):
1086
2194
"""Parse a string and return a datetime.timedelta
1088
>>> string_to_delta(u'7d')
2196
>>> string_to_delta('7d')
1089
2197
datetime.timedelta(7)
1090
>>> string_to_delta(u'60s')
2198
>>> string_to_delta('60s')
1091
2199
datetime.timedelta(0, 60)
1092
>>> string_to_delta(u'60m')
2200
>>> string_to_delta('60m')
1093
2201
datetime.timedelta(0, 3600)
1094
>>> string_to_delta(u'24h')
2202
>>> string_to_delta('24h')
1095
2203
datetime.timedelta(1)
1096
>>> string_to_delta(u'1w')
2204
>>> string_to_delta('1w')
1097
2205
datetime.timedelta(7)
1098
>>> string_to_delta(u'5m 30s')
2206
>>> string_to_delta('5m 30s')
1099
2207
datetime.timedelta(0, 330)
2211
return rfc3339_duration_to_delta(interval)
1101
2215
timevalue = datetime.timedelta(0)
1102
2216
for s in interval.split():
1104
2218
suffix = unicode(s[-1])
1105
2219
value = int(s[:-1])
1107
2221
delta = datetime.timedelta(value)
1108
elif suffix == u"s":
1109
2223
delta = datetime.timedelta(0, value)
1110
elif suffix == u"m":
1111
2225
delta = datetime.timedelta(0, 0, 0, 0, value)
1112
elif suffix == u"h":
1113
2227
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1114
elif suffix == u"w":
1115
2229
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1118
except (ValueError, IndexError):
2231
raise ValueError("Unknown suffix {0!r}"
2233
except (ValueError, IndexError) as e:
2234
raise ValueError(*(e.args))
1120
2235
timevalue += delta
1121
2236
return timevalue
1124
def if_nametoindex(interface):
1125
"""Call the C function if_nametoindex(), or equivalent
1127
Note: This function cannot accept a unicode string."""
1128
global if_nametoindex
1130
if_nametoindex = (ctypes.cdll.LoadLibrary
1131
(ctypes.util.find_library(u"c"))
1133
except (OSError, AttributeError):
1134
logger.warning(u"Doing if_nametoindex the hard way")
1135
def if_nametoindex(interface):
1136
"Get an interface index the hard way, i.e. using fcntl()"
1137
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1138
with closing(socket.socket()) as s:
1139
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1140
struct.pack(str(u"16s16x"),
1142
interface_index = struct.unpack(str(u"I"),
1144
return interface_index
1145
return if_nametoindex(interface)
1148
2239
def daemon(nochdir = False, noclose = False):
1149
2240
"""See daemon(3). Standard BSD Unix function.
1174
######################################################################
2266
##################################################################
1175
2267
# Parsing of options, both command line and config file
1177
parser = optparse.OptionParser(version = "%%prog %s" % version)
1178
parser.add_option("-i", u"--interface", type=u"string",
1179
metavar="IF", help=u"Bind to interface IF")
1180
parser.add_option("-a", u"--address", type=u"string",
1181
help=u"Address to listen for requests on")
1182
parser.add_option("-p", u"--port", type=u"int",
1183
help=u"Port number to receive requests on")
1184
parser.add_option("--check", action=u"store_true",
1185
help=u"Run self-test")
1186
parser.add_option("--debug", action=u"store_true",
1187
help=u"Debug mode; run in foreground and log to"
1189
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1190
u" priority string (see GnuTLS documentation)")
1191
parser.add_option("--servicename", type=u"string",
1192
metavar=u"NAME", help=u"Zeroconf service name")
1193
parser.add_option("--configdir", type=u"string",
1194
default=u"/etc/mandos", metavar=u"DIR",
1195
help=u"Directory to search for configuration"
1197
parser.add_option("--no-dbus", action=u"store_false",
1198
dest=u"use_dbus", help=u"Do not provide D-Bus"
1199
u" system bus interface")
1200
parser.add_option("--no-ipv6", action=u"store_false",
1201
dest=u"use_ipv6", help=u"Do not use IPv6")
1202
options = parser.parse_args()[0]
2269
parser = argparse.ArgumentParser()
2270
parser.add_argument("-v", "--version", action="version",
2271
version = "%(prog)s {0}".format(version),
2272
help="show version number and exit")
2273
parser.add_argument("-i", "--interface", metavar="IF",
2274
help="Bind to interface IF")
2275
parser.add_argument("-a", "--address",
2276
help="Address to listen for requests on")
2277
parser.add_argument("-p", "--port", type=int,
2278
help="Port number to receive requests on")
2279
parser.add_argument("--check", action="store_true",
2280
help="Run self-test")
2281
parser.add_argument("--debug", action="store_true",
2282
help="Debug mode; run in foreground and log"
2284
parser.add_argument("--debuglevel", metavar="LEVEL",
2285
help="Debug level for stdout output")
2286
parser.add_argument("--priority", help="GnuTLS"
2287
" priority string (see GnuTLS documentation)")
2288
parser.add_argument("--servicename",
2289
metavar="NAME", help="Zeroconf service name")
2290
parser.add_argument("--configdir",
2291
default="/etc/mandos", metavar="DIR",
2292
help="Directory to search for configuration"
2294
parser.add_argument("--no-dbus", action="store_false",
2295
dest="use_dbus", help="Do not provide D-Bus"
2296
" system bus interface")
2297
parser.add_argument("--no-ipv6", action="store_false",
2298
dest="use_ipv6", help="Do not use IPv6")
2299
parser.add_argument("--no-restore", action="store_false",
2300
dest="restore", help="Do not restore stored"
2302
parser.add_argument("--socket", type=int,
2303
help="Specify a file descriptor to a network"
2304
" socket to use instead of creating one")
2305
parser.add_argument("--statedir", metavar="DIR",
2306
help="Directory to save/restore state in")
2307
parser.add_argument("--foreground", action="store_true",
2308
help="Run in foreground")
2310
options = parser.parse_args()
1204
2312
if options.check:
1247
2370
for option in server_settings.keys():
1248
2371
if type(server_settings[option]) is str:
1249
2372
server_settings[option] = unicode(server_settings[option])
2373
# Debug implies foreground
2374
if server_settings["debug"]:
2375
server_settings["foreground"] = True
1250
2376
# Now we have our good server settings in "server_settings"
1252
2378
##################################################################
1254
2380
# For convenience
1255
debug = server_settings[u"debug"]
1256
use_dbus = server_settings[u"use_dbus"]
1257
use_ipv6 = server_settings[u"use_ipv6"]
1260
syslogger.setLevel(logging.WARNING)
1261
console.setLevel(logging.WARNING)
1263
if server_settings[u"servicename"] != u"Mandos":
2381
debug = server_settings["debug"]
2382
debuglevel = server_settings["debuglevel"]
2383
use_dbus = server_settings["use_dbus"]
2384
use_ipv6 = server_settings["use_ipv6"]
2385
stored_state_path = os.path.join(server_settings["statedir"],
2387
foreground = server_settings["foreground"]
2390
initlogger(debug, logging.DEBUG)
2395
level = getattr(logging, debuglevel.upper())
2396
initlogger(debug, level)
2398
if server_settings["servicename"] != "Mandos":
1264
2399
syslogger.setFormatter(logging.Formatter
1265
(u'Mandos (%s) [%%(process)d]:'
1266
u' %%(levelname)s: %%(message)s'
1267
% server_settings[u"servicename"]))
2400
('Mandos ({0}) [%(process)d]:'
2401
' %(levelname)s: %(message)s'
2402
.format(server_settings
1269
2405
# Parse config file with clients
1270
client_defaults = { u"timeout": u"1h",
1272
u"checker": u"fping -q -- %%(host)s",
1275
client_config = configparser.SafeConfigParser(client_defaults)
1276
client_config.read(os.path.join(server_settings[u"configdir"],
2406
client_config = configparser.SafeConfigParser(Client
2408
client_config.read(os.path.join(server_settings["configdir"],
1279
2411
global mandos_dbus_service
1280
2412
mandos_dbus_service = None
1282
tcp_server = MandosServer((server_settings[u"address"],
1283
server_settings[u"port"]),
2414
tcp_server = MandosServer((server_settings["address"],
2415
server_settings["port"]),
1285
interface=server_settings[u"interface"],
2417
interface=(server_settings["interface"]
1286
2419
use_ipv6=use_ipv6,
1287
2420
gnutls_priority=
1288
server_settings[u"priority"],
1290
pidfilename = u"/var/run/mandos.pid"
1292
pidfile = open(pidfilename, u"w")
1294
logger.error(u"Could not open file %r", pidfilename)
2421
server_settings["priority"],
2423
socketfd=(server_settings["socket"]
2426
pidfilename = "/var/run/mandos.pid"
2429
pidfile = open(pidfilename, "w")
2430
except IOError as e:
2431
logger.error("Could not open file %r", pidfilename,
1297
uid = pwd.getpwnam(u"_mandos").pw_uid
1298
gid = pwd.getpwnam(u"_mandos").pw_gid
2434
for name in ("_mandos", "mandos", "nobody"):
1301
uid = pwd.getpwnam(u"mandos").pw_uid
1302
gid = pwd.getpwnam(u"mandos").pw_gid
2436
uid = pwd.getpwnam(name).pw_uid
2437
gid = pwd.getpwnam(name).pw_gid
1303
2439
except KeyError:
1305
uid = pwd.getpwnam(u"nobody").pw_uid
1306
gid = pwd.getpwnam(u"nobody").pw_gid
1313
except OSError, error:
1314
if error[0] != errno.EPERM:
2447
except OSError as error:
2448
if error.errno != errno.EPERM:
1317
# Enable all possible GnuTLS debugging
2452
# Enable all possible GnuTLS debugging
1319
2454
# "Use a log level over 10 to enable all debugging options."
1320
2455
# - GnuTLS manual
1321
2456
gnutls.library.functions.gnutls_global_set_log_level(11)
1323
2458
@gnutls.library.types.gnutls_log_func
1324
2459
def debug_gnutls(level, string):
1325
logger.debug(u"GnuTLS: %s", string[:-1])
2460
logger.debug("GnuTLS: %s", string[:-1])
1327
2462
(gnutls.library.functions
1328
2463
.gnutls_global_set_log_function(debug_gnutls))
2465
# Redirect stdin so all checkers get /dev/null
2466
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2467
os.dup2(null, sys.stdin.fileno())
2471
# Need to fork before connecting to D-Bus
2473
# Close all input and output, do double fork, etc.
2476
# multiprocessing will use threads, so before we use gobject we
2477
# need to inform gobject that threads will be used.
2478
gobject.threads_init()
1330
2480
global main_loop
1331
2481
# From the Avahi example code
1332
DBusGMainLoop(set_as_default=True )
2482
DBusGMainLoop(set_as_default=True)
1333
2483
main_loop = gobject.MainLoop()
1334
2484
bus = dbus.SystemBus()
1335
2485
# End of Avahi example code
1337
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
2488
bus_name = dbus.service.BusName("se.recompile.Mandos",
2489
bus, do_not_queue=True)
2490
old_bus_name = (dbus.service.BusName
2491
("se.bsnet.fukt.Mandos", bus,
2493
except dbus.exceptions.NameExistsException as e:
2494
logger.error("Disabling D-Bus:", exc_info=e)
2496
server_settings["use_dbus"] = False
2497
tcp_server.use_dbus = False
1338
2498
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1339
service = AvahiService(name = server_settings[u"servicename"],
1340
servicetype = u"_mandos._tcp",
1341
protocol = protocol, bus = bus)
2499
service = AvahiServiceToSyslog(name =
2500
server_settings["servicename"],
2501
servicetype = "_mandos._tcp",
2502
protocol = protocol, bus = bus)
1342
2503
if server_settings["interface"]:
1343
2504
service.interface = (if_nametoindex
1344
(str(server_settings[u"interface"])))
2505
(str(server_settings["interface"])))
2507
global multiprocessing_manager
2508
multiprocessing_manager = multiprocessing.Manager()
1346
2510
client_class = Client
1348
2512
client_class = functools.partial(ClientDBus, bus = bus)
1349
tcp_server.clients.update(set(
1350
client_class(name = section,
1351
config= dict(client_config.items(section)))
1352
for section in client_config.sections()))
2514
client_settings = Client.config_parser(client_config)
2515
old_client_settings = {}
2518
# Get client data and settings from last running state.
2519
if server_settings["restore"]:
2521
with open(stored_state_path, "rb") as stored_state:
2522
clients_data, old_client_settings = (pickle.load
2524
os.remove(stored_state_path)
2525
except IOError as e:
2526
if e.errno == errno.ENOENT:
2527
logger.warning("Could not load persistent state: {0}"
2528
.format(os.strerror(e.errno)))
2530
logger.critical("Could not load persistent state:",
2533
except EOFError as e:
2534
logger.warning("Could not load persistent state: "
2535
"EOFError:", exc_info=e)
2537
with PGPEngine() as pgp:
2538
for client_name, client in clients_data.iteritems():
2539
# Decide which value to use after restoring saved state.
2540
# We have three different values: Old config file,
2541
# new config file, and saved state.
2542
# New config value takes precedence if it differs from old
2543
# config value, otherwise use saved state.
2544
for name, value in client_settings[client_name].items():
2546
# For each value in new config, check if it
2547
# differs from the old config value (Except for
2548
# the "secret" attribute)
2549
if (name != "secret" and
2550
value != old_client_settings[client_name]
2552
client[name] = value
2556
# Clients who has passed its expire date can still be
2557
# enabled if its last checker was successful. Clients
2558
# whose checker succeeded before we stored its state is
2559
# assumed to have successfully run all checkers during
2561
if client["enabled"]:
2562
if datetime.datetime.utcnow() >= client["expires"]:
2563
if not client["last_checked_ok"]:
2565
"disabling client {0} - Client never "
2566
"performed a successful checker"
2567
.format(client_name))
2568
client["enabled"] = False
2569
elif client["last_checker_status"] != 0:
2571
"disabling client {0} - Client "
2572
"last checker failed with error code {1}"
2573
.format(client_name,
2574
client["last_checker_status"]))
2575
client["enabled"] = False
2577
client["expires"] = (datetime.datetime
2579
+ client["timeout"])
2580
logger.debug("Last checker succeeded,"
2581
" keeping {0} enabled"
2582
.format(client_name))
2584
client["secret"] = (
2585
pgp.decrypt(client["encrypted_secret"],
2586
client_settings[client_name]
2589
# If decryption fails, we use secret from new settings
2590
logger.debug("Failed to decrypt {0} old secret"
2591
.format(client_name))
2592
client["secret"] = (
2593
client_settings[client_name]["secret"])
2595
# Add/remove clients based on new changes made to config
2596
for client_name in (set(old_client_settings)
2597
- set(client_settings)):
2598
del clients_data[client_name]
2599
for client_name in (set(client_settings)
2600
- set(old_client_settings)):
2601
clients_data[client_name] = client_settings[client_name]
2603
# Create all client objects
2604
for client_name, client in clients_data.iteritems():
2605
tcp_server.clients[client_name] = client_class(
2606
name = client_name, settings = client)
1353
2608
if not tcp_server.clients:
1354
logger.warning(u"No clients defined")
1357
# Redirect stdin so all checkers get /dev/null
1358
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1359
os.dup2(null, sys.stdin.fileno())
1363
# No console logging
1364
logger.removeHandler(console)
1365
# Close all input and output, do double fork, etc.
1369
with closing(pidfile):
1371
pidfile.write(str(pid) + "\n")
2609
logger.warning("No clients defined")
2612
if pidfile is not None:
2616
pidfile.write(str(pid) + "\n".encode("utf-8"))
2618
logger.error("Could not write to file %r with PID %d",
1374
logger.error(u"Could not write to file %r with PID %d",
1377
# "pidfile" was never created
1382
"Cleanup function; run on exit"
1385
while tcp_server.clients:
1386
client = tcp_server.clients.pop()
1387
client.disable_hook = None
1390
atexit.register(cleanup)
1393
signal.signal(signal.SIGINT, signal.SIG_IGN)
1394
2623
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1395
2624
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1398
class MandosDBusService(dbus.service.Object):
2627
@alternate_dbus_interfaces({"se.recompile.Mandos":
2628
"se.bsnet.fukt.Mandos"})
2629
class MandosDBusService(DBusObjectWithProperties):
1399
2630
"""A D-Bus proxy object"""
1400
2631
def __init__(self):
1401
dbus.service.Object.__init__(self, bus, u"/")
1402
_interface = u"se.bsnet.fukt.Mandos"
1404
@dbus.service.signal(_interface, signature=u"oa{sv}")
1405
def ClientAdded(self, objpath, properties):
1409
@dbus.service.signal(_interface, signature=u"s")
1410
def ClientNotFound(self, fingerprint):
1414
@dbus.service.signal(_interface, signature=u"os")
2632
dbus.service.Object.__init__(self, bus, "/")
2633
_interface = "se.recompile.Mandos"
2635
@dbus_interface_annotations(_interface)
2637
return { "org.freedesktop.DBus.Property"
2638
".EmitsChangedSignal":
2641
@dbus.service.signal(_interface, signature="o")
2642
def ClientAdded(self, objpath):
2646
@dbus.service.signal(_interface, signature="ss")
2647
def ClientNotFound(self, fingerprint, address):
2651
@dbus.service.signal(_interface, signature="os")
1415
2652
def ClientRemoved(self, objpath, name):
1419
@dbus.service.method(_interface, out_signature=u"ao")
2656
@dbus.service.method(_interface, out_signature="ao")
1420
2657
def GetAllClients(self):
1422
2659
return dbus.Array(c.dbus_object_path
1423
for c in tcp_server.clients)
2661
tcp_server.clients.itervalues())
1425
2663
@dbus.service.method(_interface,
1426
out_signature=u"a{oa{sv}}")
2664
out_signature="a{oa{sv}}")
1427
2665
def GetAllClientsWithProperties(self):
1429
2667
return dbus.Dictionary(
1430
((c.dbus_object_path, c.GetAllProperties())
1431
for c in tcp_server.clients),
1432
signature=u"oa{sv}")
2668
((c.dbus_object_path, c.GetAll(""))
2669
for c in tcp_server.clients.itervalues()),
1434
@dbus.service.method(_interface, in_signature=u"o")
2672
@dbus.service.method(_interface, in_signature="o")
1435
2673
def RemoveClient(self, object_path):
1437
for c in tcp_server.clients:
2675
for c in tcp_server.clients.itervalues():
1438
2676
if c.dbus_object_path == object_path:
1439
tcp_server.clients.remove(c)
2677
del tcp_server.clients[c.name]
1440
2678
c.remove_from_connection()
1441
2679
# Don't signal anything except ClientRemoved
1442
c.disable(signal=False)
2680
c.disable(quiet=True)
1443
2681
# Emit D-Bus signal
1444
2682
self.ClientRemoved(object_path, c.name)
2684
raise KeyError(object_path)
1450
2688
mandos_dbus_service = MandosDBusService()
1452
for client in tcp_server.clients:
2691
"Cleanup function; run on exit"
2694
multiprocessing.active_children()
2695
if not (tcp_server.clients or client_settings):
2698
# Store client before exiting. Secrets are encrypted with key
2699
# based on what config file has. If config file is
2700
# removed/edited, old secret will thus be unrecovable.
2702
with PGPEngine() as pgp:
2703
for client in tcp_server.clients.itervalues():
2704
key = client_settings[client.name]["secret"]
2705
client.encrypted_secret = pgp.encrypt(client.secret,
2709
# A list of attributes that can not be pickled
2711
exclude = set(("bus", "changedstate", "secret",
2713
for name, typ in (inspect.getmembers
2714
(dbus.service.Object)):
2717
client_dict["encrypted_secret"] = (client
2719
for attr in client.client_structure:
2720
if attr not in exclude:
2721
client_dict[attr] = getattr(client, attr)
2723
clients[client.name] = client_dict
2724
del client_settings[client.name]["secret"]
2727
with (tempfile.NamedTemporaryFile
2728
(mode='wb', suffix=".pickle", prefix='clients-',
2729
dir=os.path.dirname(stored_state_path),
2730
delete=False)) as stored_state:
2731
pickle.dump((clients, client_settings), stored_state)
2732
tempname=stored_state.name
2733
os.rename(tempname, stored_state_path)
2734
except (IOError, OSError) as e:
2740
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2741
logger.warning("Could not save persistent state: {0}"
2742
.format(os.strerror(e.errno)))
2744
logger.warning("Could not save persistent state:",
2748
# Delete all clients, and settings from config
2749
while tcp_server.clients:
2750
name, client = tcp_server.clients.popitem()
2752
client.remove_from_connection()
2753
# Don't signal anything except ClientRemoved
2754
client.disable(quiet=True)
2757
mandos_dbus_service.ClientRemoved(client
2760
client_settings.clear()
2762
atexit.register(cleanup)
2764
for client in tcp_server.clients.itervalues():
1454
2766
# Emit D-Bus signal
1455
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1456
client.GetAllProperties())
2767
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2768
# Need to initiate checking of clients
2770
client.init_checker()
1459
2772
tcp_server.enable()
1460
2773
tcp_server.server_activate()