To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 609
- compare with another revision
- download diff
- download tarball
- view history from revision 609
- Committer: Teddy Hogeborn
- Date: 2012-06-23 00:58:49 UTC
- Revision ID: teddy@recompile.se-20120623005849-02wj82cng433rt2k
* clients.conf: Convert all time intervals to new RFC 3339 syntax.
* mandos: All client options for time intervals now take an RFC 3339
duration.
(rfc3339_duration_to_delta): New function.
(string_to_delta): Try rfc3339_duration_to_delta first.
* mandos-clients.conf.xml (OPTIONS/timeout): Document new format.
(EXAMPLE): Update to new interval format.
(SEE ALSO): Reference RFC 3339.
* mandos: All client options for time intervals now take an RFC 3339
duration.
(rfc3339_duration_to_delta): New function.
(string_to_delta): Try rfc3339_duration_to_delta first.
* mandos-clients.conf.xml (OPTIONS/timeout): Document new format.
(EXAMPLE): Update to new interval format.
(SEE ALSO): Reference RFC 3339.
- files added:
- DBUS-API
- debian/source
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008-2012 Teddy Hogeborn
15
# Copyright © 2008-2012 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
# Contact the authors at <mandos@recompile.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
36
37
from future_builtins import *
35
38
36
39
import SocketServer as socketserver
37
40
import socket
38
import optparse
41
import argparse
39
42
import datetime
40
43
import errno
41
44
import gnutls.crypto
55
58
import logging
56
59
import logging.handlers
57
60
import pwd
58
from contextlib import closing
61
import contextlib
59
62
import struct
60
63
import fcntl
61
64
import functools
65
import cPickle as pickle
66
import multiprocessing
67
import types
68
import binascii
69
import tempfile
70
import itertools
71
import collections
62
72
63
73
import dbus
64
74
import dbus.service
67
77
from dbus.mainloop.glib import DBusGMainLoop
68
78
import ctypes
69
79
import ctypes.util
80
import xml.dom.minidom
81
import inspect
82
import GnuPGInterface
70
83
71
84
try:
72
85
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
76
89
except ImportError:
77
90
SO_BINDTODEVICE = None
78
91
79
80
version = "1.0.8"
81
82
logger = logging.Logger(u'mandos')
92
version = "1.6.0"
93
stored_state_file = "clients.pickle"
94
95
logger = logging.getLogger()
83
96
syslogger = (logging.handlers.SysLogHandler
84
97
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
85
address = "/dev/log"))
86
syslogger.setFormatter(logging.Formatter
87
(u'Mandos [%(process)d]: %(levelname)s:'
88
u' %(message)s'))
89
logger.addHandler(syslogger)
90
91
console = logging.StreamHandler()
92
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
93
u' %(levelname)s:'
94
u' %(message)s'))
95
logger.addHandler(console)
98
address = str("/dev/log")))
99
100
try:
101
if_nametoindex = (ctypes.cdll.LoadLibrary
102
(ctypes.util.find_library("c"))
103
.if_nametoindex)
104
except (OSError, AttributeError):
105
def if_nametoindex(interface):
106
"Get an interface index the hard way, i.e. using fcntl()"
107
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
108
with contextlib.closing(socket.socket()) as s:
109
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
110
struct.pack(str("16s16x"),
111
interface))
112
interface_index = struct.unpack(str("I"),
113
ifreq[16:20])[0]
114
return interface_index
115
116
117
def initlogger(debug, level=logging.WARNING):
118
"""init logger and add loglevel"""
119
120
syslogger.setFormatter(logging.Formatter
121
('Mandos [%(process)d]: %(levelname)s:'
122
' %(message)s'))
123
logger.addHandler(syslogger)
124
125
if debug:
126
console = logging.StreamHandler()
127
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
128
' [%(process)d]:'
129
' %(levelname)s:'
130
' %(message)s'))
131
logger.addHandler(console)
132
logger.setLevel(level)
133
134
135
class PGPError(Exception):
136
"""Exception if encryption/decryption fails"""
137
pass
138
139
140
class PGPEngine(object):
141
"""A simple class for OpenPGP symmetric encryption & decryption"""
142
def __init__(self):
143
self.gnupg = GnuPGInterface.GnuPG()
144
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
145
self.gnupg = GnuPGInterface.GnuPG()
146
self.gnupg.options.meta_interactive = False
147
self.gnupg.options.homedir = self.tempdir
148
self.gnupg.options.extra_args.extend(['--force-mdc',
149
'--quiet',
150
'--no-use-agent'])
151
152
def __enter__(self):
153
return self
154
155
def __exit__(self, exc_type, exc_value, traceback):
156
self._cleanup()
157
return False
158
159
def __del__(self):
160
self._cleanup()
161
162
def _cleanup(self):
163
if self.tempdir is not None:
164
# Delete contents of tempdir
165
for root, dirs, files in os.walk(self.tempdir,
166
topdown = False):
167
for filename in files:
168
os.remove(os.path.join(root, filename))
169
for dirname in dirs:
170
os.rmdir(os.path.join(root, dirname))
171
# Remove tempdir
172
os.rmdir(self.tempdir)
173
self.tempdir = None
174
175
def password_encode(self, password):
176
# Passphrase can not be empty and can not contain newlines or
177
# NUL bytes. So we prefix it and hex encode it.
178
return b"mandos" + binascii.hexlify(password)
179
180
def encrypt(self, data, password):
181
self.gnupg.passphrase = self.password_encode(password)
182
with open(os.devnull, "w") as devnull:
183
try:
184
proc = self.gnupg.run(['--symmetric'],
185
create_fhs=['stdin', 'stdout'],
186
attach_fhs={'stderr': devnull})
187
with contextlib.closing(proc.handles['stdin']) as f:
188
f.write(data)
189
with contextlib.closing(proc.handles['stdout']) as f:
190
ciphertext = f.read()
191
proc.wait()
192
except IOError as e:
193
raise PGPError(e)
194
self.gnupg.passphrase = None
195
return ciphertext
196
197
def decrypt(self, data, password):
198
self.gnupg.passphrase = self.password_encode(password)
199
with open(os.devnull, "w") as devnull:
200
try:
201
proc = self.gnupg.run(['--decrypt'],
202
create_fhs=['stdin', 'stdout'],
203
attach_fhs={'stderr': devnull})
204
with contextlib.closing(proc.handles['stdin']) as f:
205
f.write(data)
206
with contextlib.closing(proc.handles['stdout']) as f:
207
decrypted_plaintext = f.read()
208
proc.wait()
209
except IOError as e:
210
raise PGPError(e)
211
self.gnupg.passphrase = None
212
return decrypted_plaintext
213
96
214
97
215
class AvahiError(Exception):
98
216
def __init__(self, value, *args, **kwargs):
114
232
Attributes:
115
233
interface: integer; avahi.IF_UNSPEC or an interface index.
116
234
Used to optionally bind to the specified interface.
117
name: string; Example: u'Mandos'
118
type: string; Example: u'_mandos._tcp'.
235
name: string; Example: 'Mandos'
236
type: string; Example: '_mandos._tcp'.
119
237
See <http://www.dns-sd.org/ServiceTypes.html>
120
238
port: integer; what port to announce
121
239
TXT: list of strings; TXT record for the service
128
246
server: D-Bus Server
129
247
bus: dbus.SystemBus()
130
248
"""
249
131
250
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
132
251
servicetype = None, port = None, TXT = None,
133
domain = u"", host = u"", max_renames = 32768,
252
domain = "", host = "", max_renames = 32768,
134
253
protocol = avahi.PROTO_UNSPEC, bus = None):
135
254
self.interface = interface
136
255
self.name = name
145
264
self.group = None # our entry group
146
265
self.server = None
147
266
self.bus = bus
267
self.entry_group_state_changed_match = None
268
148
269
def rename(self):
149
270
"""Derived from the Avahi example code"""
150
271
if self.rename_count >= self.max_renames:
151
logger.critical(u"No suitable Zeroconf service name found"
152
u" after %i retries, exiting.",
272
logger.critical("No suitable Zeroconf service name found"
273
" after %i retries, exiting.",
153
274
self.rename_count)
154
raise AvahiServiceError(u"Too many renames")
155
self.name = self.server.GetAlternativeServiceName(self.name)
156
logger.info(u"Changing Zeroconf service name to %r ...",
157
unicode(self.name))
158
syslogger.setFormatter(logging.Formatter
159
(u'Mandos (%s) [%%(process)d]:'
160
u' %%(levelname)s: %%(message)s'
161
% self.name))
275
raise AvahiServiceError("Too many renames")
276
self.name = unicode(self.server
277
.GetAlternativeServiceName(self.name))
278
logger.info("Changing Zeroconf service name to %r ...",
279
self.name)
162
280
self.remove()
163
self.add()
281
try:
282
self.add()
283
except dbus.exceptions.DBusException as error:
284
logger.critical("D-Bus Exception", exc_info=error)
285
self.cleanup()
286
os._exit(1)
164
287
self.rename_count += 1
288
165
289
def remove(self):
166
290
"""Derived from the Avahi example code"""
291
if self.entry_group_state_changed_match is not None:
292
self.entry_group_state_changed_match.remove()
293
self.entry_group_state_changed_match = None
167
294
if self.group is not None:
168
295
self.group.Reset()
296
169
297
def add(self):
170
298
"""Derived from the Avahi example code"""
299
self.remove()
171
300
if self.group is None:
172
301
self.group = dbus.Interface(
173
302
self.bus.get_object(avahi.DBUS_NAME,
174
303
self.server.EntryGroupNew()),
175
304
avahi.DBUS_INTERFACE_ENTRY_GROUP)
176
self.group.connect_to_signal('StateChanged',
177
self.entry_group_state_changed)
178
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
305
self.entry_group_state_changed_match = (
306
self.group.connect_to_signal(
307
'StateChanged', self.entry_group_state_changed))
308
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
179
309
self.name, self.type)
180
310
self.group.AddService(
181
311
self.interface,
186
316
dbus.UInt16(self.port),
187
317
avahi.string_array_to_txt_array(self.TXT))
188
318
self.group.Commit()
319
189
320
def entry_group_state_changed(self, state, error):
190
321
"""Derived from the Avahi example code"""
191
logger.debug(u"Avahi state change: %i", state)
322
logger.debug("Avahi entry group state change: %i", state)
192
323
193
324
if state == avahi.ENTRY_GROUP_ESTABLISHED:
194
logger.debug(u"Zeroconf service established.")
325
logger.debug("Zeroconf service established.")
195
326
elif state == avahi.ENTRY_GROUP_COLLISION:
196
logger.warning(u"Zeroconf service name collision.")
327
logger.info("Zeroconf service name collision.")
197
328
self.rename()
198
329
elif state == avahi.ENTRY_GROUP_FAILURE:
199
logger.critical(u"Avahi: Error in group state changed %s",
330
logger.critical("Avahi: Error in group state changed %s",
200
331
unicode(error))
201
raise AvahiGroupError(u"State changed: %s"
202
% unicode(error))
332
raise AvahiGroupError("State changed: {0!s}"
333
.format(error))
334
203
335
def cleanup(self):
204
336
"""Derived from the Avahi example code"""
205
337
if self.group is not None:
206
self.group.Free()
338
try:
339
self.group.Free()
340
except (dbus.exceptions.UnknownMethodException,
341
dbus.exceptions.DBusException):
342
pass
207
343
self.group = None
208
def server_state_changed(self, state):
344
self.remove()
345
346
def server_state_changed(self, state, error=None):
209
347
"""Derived from the Avahi example code"""
210
if state == avahi.SERVER_COLLISION:
211
logger.error(u"Zeroconf server name collision")
212
self.remove()
348
logger.debug("Avahi server state change: %i", state)
349
bad_states = { avahi.SERVER_INVALID:
350
"Zeroconf server invalid",
351
avahi.SERVER_REGISTERING: None,
352
avahi.SERVER_COLLISION:
353
"Zeroconf server name collision",
354
avahi.SERVER_FAILURE:
355
"Zeroconf server failure" }
356
if state in bad_states:
357
if bad_states[state] is not None:
358
if error is None:
359
logger.error(bad_states[state])
360
else:
361
logger.error(bad_states[state] + ": %r", error)
362
self.cleanup()
213
363
elif state == avahi.SERVER_RUNNING:
214
364
self.add()
365
else:
366
if error is None:
367
logger.debug("Unknown state: %r", state)
368
else:
369
logger.debug("Unknown state: %r: %r", state, error)
370
215
371
def activate(self):
216
372
"""Derived from the Avahi example code"""
217
373
if self.server is None:
218
374
self.server = dbus.Interface(
219
375
self.bus.get_object(avahi.DBUS_NAME,
220
avahi.DBUS_PATH_SERVER),
376
avahi.DBUS_PATH_SERVER,
377
follow_name_owner_changes=True),
221
378
avahi.DBUS_INTERFACE_SERVER)
222
self.server.connect_to_signal(u"StateChanged",
379
self.server.connect_to_signal("StateChanged",
223
380
self.server_state_changed)
224
381
self.server_state_changed(self.server.GetState())
225
382
226
383
384
class AvahiServiceToSyslog(AvahiService):
385
def rename(self):
386
"""Add the new name to the syslog messages"""
387
ret = AvahiService.rename(self)
388
syslogger.setFormatter(logging.Formatter
389
('Mandos ({0}) [%(process)d]:'
390
' %(levelname)s: %(message)s'
391
.format(self.name)))
392
return ret
393
394
395
def timedelta_to_milliseconds(td):
396
"Convert a datetime.timedelta() to milliseconds"
397
return ((td.days * 24 * 60 * 60 * 1000)
398
+ (td.seconds * 1000)
399
+ (td.microseconds // 1000))
400
401
227
402
class Client(object):
228
403
"""A representation of a client host served by this server.
229
404
230
405
Attributes:
231
name: string; from the config file, used in log messages and
232
D-Bus identifiers
233
fingerprint: string (40 or 32 hexadecimal digits); used to
234
uniquely identify the client
235
secret: bytestring; sent verbatim (over TLS) to client
236
host: string; available for use by the checker command
237
created: datetime.datetime(); (UTC) object creation
238
last_enabled: datetime.datetime(); (UTC)
239
enabled: bool()
240
last_checked_ok: datetime.datetime(); (UTC) or None
241
timeout: datetime.timedelta(); How long from last_checked_ok
242
until this client is invalid
243
interval: datetime.timedelta(); How often to start a new checker
244
disable_hook: If set, called by disable() as disable_hook(self)
406
approved: bool(); 'None' if not yet approved/disapproved
407
approval_delay: datetime.timedelta(); Time to wait for approval
408
approval_duration: datetime.timedelta(); Duration of one approval
245
409
checker: subprocess.Popen(); a running checker process used
246
410
to see if the client lives.
247
411
'None' if no process is running.
248
checker_initiator_tag: a gobject event source tag, or None
249
disable_initiator_tag: - '' -
250
checker_callback_tag: - '' -
251
checker_command: string; External command which is run to check if
252
client lives. %() expansions are done at
412
checker_callback_tag: a gobject event source tag, or None
413
checker_command: string; External command which is run to check
414
if client lives. %() expansions are done at
253
415
runtime with vars(self) as dict, so that for
254
416
instance %(name)s can be used in the command.
417
checker_initiator_tag: a gobject event source tag, or None
418
created: datetime.datetime(); (UTC) object creation
419
client_structure: Object describing what attributes a client has
420
and is used for storing the client at exit
255
421
current_checker_command: string; current running checker_command
422
disable_initiator_tag: a gobject event source tag, or None
423
enabled: bool()
424
fingerprint: string (40 or 32 hexadecimal digits); used to
425
uniquely identify the client
426
host: string; available for use by the checker command
427
interval: datetime.timedelta(); How often to start a new checker
428
last_approval_request: datetime.datetime(); (UTC) or None
429
last_checked_ok: datetime.datetime(); (UTC) or None
430
last_checker_status: integer between 0 and 255 reflecting exit
431
status of last checker. -1 reflects crashed
432
checker, -2 means no checker completed yet.
433
last_enabled: datetime.datetime(); (UTC) or None
434
name: string; from the config file, used in log messages and
435
D-Bus identifiers
436
secret: bytestring; sent verbatim (over TLS) to client
437
timeout: datetime.timedelta(); How long from last_checked_ok
438
until this client is disabled
439
extended_timeout: extra long timeout when secret has been sent
440
runtime_expansions: Allowed attributes for runtime expansion.
441
expires: datetime.datetime(); time (UTC) when a client will be
442
disabled, or None
256
443
"""
257
444
258
@staticmethod
259
def _datetime_to_milliseconds(dt):
260
"Convert a datetime.datetime() to milliseconds"
261
return ((dt.days * 24 * 60 * 60 * 1000)
262
+ (dt.seconds * 1000)
263
+ (dt.microseconds // 1000))
445
runtime_expansions = ("approval_delay", "approval_duration",
446
"created", "enabled", "expires",
447
"fingerprint", "host", "interval",
448
"last_approval_request", "last_checked_ok",
449
"last_enabled", "name", "timeout")
450
client_defaults = { "timeout": "PT5M",
451
"extended_timeout": "PT15M",
452
"interval": "PT2M",
453
"checker": "fping -q -- %%(host)s",
454
"host": "",
455
"approval_delay": "PT0S",
456
"approval_duration": "PT1S",
457
"approved_by_default": "True",
458
"enabled": "True",
459
}
264
460
265
461
def timeout_milliseconds(self):
266
462
"Return the 'timeout' attribute in milliseconds"
267
return self._datetime_to_milliseconds(self.timeout)
463
return timedelta_to_milliseconds(self.timeout)
464
465
def extended_timeout_milliseconds(self):
466
"Return the 'extended_timeout' attribute in milliseconds"
467
return timedelta_to_milliseconds(self.extended_timeout)
268
468
269
469
def interval_milliseconds(self):
270
470
"Return the 'interval' attribute in milliseconds"
271
return self._datetime_to_milliseconds(self.interval)
272
273
def __init__(self, name = None, disable_hook=None, config=None):
274
"""Note: the 'checker' key in 'config' sets the
275
'checker_command' attribute and *not* the 'checker'
276
attribute."""
471
return timedelta_to_milliseconds(self.interval)
472
473
def approval_delay_milliseconds(self):
474
return timedelta_to_milliseconds(self.approval_delay)
475
476
@staticmethod
477
def config_parser(config):
478
"""Construct a new dict of client settings of this form:
479
{ client_name: {setting_name: value, ...}, ...}
480
with exceptions for any special settings as defined above.
481
NOTE: Must be a pure function. Must return the same result
482
value given the same arguments.
483
"""
484
settings = {}
485
for client_name in config.sections():
486
section = dict(config.items(client_name))
487
client = settings[client_name] = {}
488
489
client["host"] = section["host"]
490
# Reformat values from string types to Python types
491
client["approved_by_default"] = config.getboolean(
492
client_name, "approved_by_default")
493
client["enabled"] = config.getboolean(client_name,
494
"enabled")
495
496
client["fingerprint"] = (section["fingerprint"].upper()
497
.replace(" ", ""))
498
if "secret" in section:
499
client["secret"] = section["secret"].decode("base64")
500
elif "secfile" in section:
501
with open(os.path.expanduser(os.path.expandvars
502
(section["secfile"])),
503
"rb") as secfile:
504
client["secret"] = secfile.read()
505
else:
506
raise TypeError("No secret or secfile for section {0}"
507
.format(section))
508
client["timeout"] = string_to_delta(section["timeout"])
509
client["extended_timeout"] = string_to_delta(
510
section["extended_timeout"])
511
client["interval"] = string_to_delta(section["interval"])
512
client["approval_delay"] = string_to_delta(
513
section["approval_delay"])
514
client["approval_duration"] = string_to_delta(
515
section["approval_duration"])
516
client["checker_command"] = section["checker"]
517
client["last_approval_request"] = None
518
client["last_checked_ok"] = None
519
client["last_checker_status"] = -2
520
521
return settings
522
523
def __init__(self, settings, name = None):
277
524
self.name = name
278
if config is None:
279
config = {}
280
logger.debug(u"Creating client %r", self.name)
525
# adding all client settings
526
for setting, value in settings.iteritems():
527
setattr(self, setting, value)
528
529
if self.enabled:
530
if not hasattr(self, "last_enabled"):
531
self.last_enabled = datetime.datetime.utcnow()
532
if not hasattr(self, "expires"):
533
self.expires = (datetime.datetime.utcnow()
534
+ self.timeout)
535
else:
536
self.last_enabled = None
537
self.expires = None
538
539
logger.debug("Creating client %r", self.name)
281
540
# Uppercase and remove spaces from fingerprint for later
282
541
# comparison purposes with return value from the fingerprint()
283
542
# function
284
self.fingerprint = (config[u"fingerprint"].upper()
285
.replace(u" ", u""))
286
logger.debug(u" Fingerprint: %s", self.fingerprint)
287
if u"secret" in config:
288
self.secret = config[u"secret"].decode(u"base64")
289
elif u"secfile" in config:
290
with closing(open(os.path.expanduser
291
(os.path.expandvars
292
(config[u"secfile"])))) as secfile:
293
self.secret = secfile.read()
294
else:
295
raise TypeError(u"No secret or secfile for client %s"
296
% self.name)
297
self.host = config.get(u"host", u"")
298
self.created = datetime.datetime.utcnow()
299
self.enabled = False
300
self.last_enabled = None
301
self.last_checked_ok = None
302
self.timeout = string_to_delta(config[u"timeout"])
303
self.interval = string_to_delta(config[u"interval"])
304
self.disable_hook = disable_hook
543
logger.debug(" Fingerprint: %s", self.fingerprint)
544
self.created = settings.get("created",
545
datetime.datetime.utcnow())
546
547
# attributes specific for this server instance
305
548
self.checker = None
306
549
self.checker_initiator_tag = None
307
550
self.disable_initiator_tag = None
308
551
self.checker_callback_tag = None
309
self.checker_command = config[u"checker"]
310
552
self.current_checker_command = None
311
self.last_connect = None
553
self.approved = None
554
self.approvals_pending = 0
555
self.changedstate = (multiprocessing_manager
556
.Condition(multiprocessing_manager
557
.Lock()))
558
self.client_structure = [attr for attr in
559
self.__dict__.iterkeys()
560
if not attr.startswith("_")]
561
self.client_structure.append("client_structure")
562
563
for name, t in inspect.getmembers(type(self),
564
lambda obj:
565
isinstance(obj,
566
property)):
567
if not name.startswith("_"):
568
self.client_structure.append(name)
569
570
# Send notice to process children that client state has changed
571
def send_changedstate(self):
572
with self.changedstate:
573
self.changedstate.notify_all()
312
574
313
575
def enable(self):
314
576
"""Start this client's checker and timeout hooks"""
315
if getattr(self, u"enabled", False):
577
if getattr(self, "enabled", False):
316
578
# Already enabled
317
579
return
580
self.expires = datetime.datetime.utcnow() + self.timeout
581
self.enabled = True
318
582
self.last_enabled = datetime.datetime.utcnow()
583
self.init_checker()
584
self.send_changedstate()
585
586
def disable(self, quiet=True):
587
"""Disable this client."""
588
if not getattr(self, "enabled", False):
589
return False
590
if not quiet:
591
logger.info("Disabling client %s", self.name)
592
if getattr(self, "disable_initiator_tag", None) is not None:
593
gobject.source_remove(self.disable_initiator_tag)
594
self.disable_initiator_tag = None
595
self.expires = None
596
if getattr(self, "checker_initiator_tag", None) is not None:
597
gobject.source_remove(self.checker_initiator_tag)
598
self.checker_initiator_tag = None
599
self.stop_checker()
600
self.enabled = False
601
if not quiet:
602
self.send_changedstate()
603
# Do not run this again if called by a gobject.timeout_add
604
return False
605
606
def __del__(self):
607
self.disable()
608
609
def init_checker(self):
319
610
# Schedule a new checker to be started an 'interval' from now,
320
611
# and every interval from then on.
612
if self.checker_initiator_tag is not None:
613
gobject.source_remove(self.checker_initiator_tag)
321
614
self.checker_initiator_tag = (gobject.timeout_add
322
615
(self.interval_milliseconds(),
323
616
self.start_checker))
324
# Also start a new checker *right now*.
325
self.start_checker()
326
617
# Schedule a disable() when 'timeout' has passed
618
if self.disable_initiator_tag is not None:
619
gobject.source_remove(self.disable_initiator_tag)
327
620
self.disable_initiator_tag = (gobject.timeout_add
328
621
(self.timeout_milliseconds(),
329
622
self.disable))
330
self.enabled = True
331
332
def disable(self):
333
"""Disable this client."""
334
if not getattr(self, "enabled", False):
335
return False
336
logger.info(u"Disabling client %s", self.name)
337
if getattr(self, u"disable_initiator_tag", False):
338
gobject.source_remove(self.disable_initiator_tag)
339
self.disable_initiator_tag = None
340
if getattr(self, u"checker_initiator_tag", False):
341
gobject.source_remove(self.checker_initiator_tag)
342
self.checker_initiator_tag = None
343
self.stop_checker()
344
if self.disable_hook:
345
self.disable_hook(self)
346
self.enabled = False
347
# Do not run this again if called by a gobject.timeout_add
348
return False
349
350
def __del__(self):
351
self.disable_hook = None
352
self.disable()
623
# Also start a new checker *right now*.
624
self.start_checker()
353
625
354
626
def checker_callback(self, pid, condition, command):
355
627
"""The checker has completed, so take appropriate actions."""
356
628
self.checker_callback_tag = None
357
629
self.checker = None
358
630
if os.WIFEXITED(condition):
359
exitstatus = os.WEXITSTATUS(condition)
360
if exitstatus == 0:
361
logger.info(u"Checker for %(name)s succeeded",
631
self.last_checker_status = os.WEXITSTATUS(condition)
632
if self.last_checker_status == 0:
633
logger.info("Checker for %(name)s succeeded",
362
634
vars(self))
363
635
self.checked_ok()
364
636
else:
365
logger.info(u"Checker for %(name)s failed",
637
logger.info("Checker for %(name)s failed",
366
638
vars(self))
367
639
else:
368
logger.warning(u"Checker for %(name)s crashed?",
640
self.last_checker_status = -1
641
logger.warning("Checker for %(name)s crashed?",
369
642
vars(self))
370
643
371
644
def checked_ok(self):
372
"""Bump up the timeout for this client.
373
374
This should only be called when the client has been seen,
375
alive and well.
376
"""
645
"""Assert that the client has been seen, alive and well."""
377
646
self.last_checked_ok = datetime.datetime.utcnow()
378
gobject.source_remove(self.disable_initiator_tag)
379
self.disable_initiator_tag = (gobject.timeout_add
380
(self.timeout_milliseconds(),
381
self.disable))
647
self.last_checker_status = 0
648
self.bump_timeout()
649
650
def bump_timeout(self, timeout=None):
651
"""Bump up the timeout for this client."""
652
if timeout is None:
653
timeout = self.timeout
654
if self.disable_initiator_tag is not None:
655
gobject.source_remove(self.disable_initiator_tag)
656
self.disable_initiator_tag = None
657
if getattr(self, "enabled", False):
658
self.disable_initiator_tag = (gobject.timeout_add
659
(timedelta_to_milliseconds
660
(timeout), self.disable))
661
self.expires = datetime.datetime.utcnow() + timeout
662
663
def need_approval(self):
664
self.last_approval_request = datetime.datetime.utcnow()
382
665
383
666
def start_checker(self):
384
667
"""Start a new checker subprocess if one is not running.
386
669
If a checker already exists, leave it running and do
387
670
nothing."""
388
671
# The reason for not killing a running checker is that if we
389
# did that, then if a checker (for some reason) started
390
# running slowly and taking more than 'interval' time, the
391
# client would inevitably timeout, since no checker would get
392
# a chance to run to completion. If we instead leave running
672
# did that, and if a checker (for some reason) started running
673
# slowly and taking more than 'interval' time, then the client
674
# would inevitably timeout, since no checker would get a
675
# chance to run to completion. If we instead leave running
393
676
# checkers alone, the checker would have to take more time
394
# than 'timeout' for the client to be declared invalid, which
395
# is as it should be.
677
# than 'timeout' for the client to be disabled, which is as it
678
# should be.
396
679
397
680
# If a checker exists, make sure it is not a zombie
398
if self.checker is not None:
681
try:
399
682
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
683
except (AttributeError, OSError) as error:
684
if (isinstance(error, OSError)
685
and error.errno != errno.ECHILD):
686
raise error
687
else:
400
688
if pid:
401
logger.warning(u"Checker was a zombie")
689
logger.warning("Checker was a zombie")
402
690
gobject.source_remove(self.checker_callback_tag)
403
691
self.checker_callback(pid, status,
404
692
self.current_checker_command)
405
693
# Start a new checker if needed
406
694
if self.checker is None:
695
# Escape attributes for the shell
696
escaped_attrs = dict(
697
(attr, re.escape(unicode(getattr(self, attr))))
698
for attr in
699
self.runtime_expansions)
407
700
try:
408
# In case checker_command has exactly one % operator
409
command = self.checker_command % self.host
410
except TypeError:
411
# Escape attributes for the shell
412
escaped_attrs = dict((key,
413
re.escape(unicode(str(val),
414
errors=
415
u'replace')))
416
for key, val in
417
vars(self).iteritems())
418
try:
419
command = self.checker_command % escaped_attrs
420
except TypeError, error:
421
logger.error(u'Could not format string "%s":'
422
u' %s', self.checker_command, error)
423
return True # Try again later
701
command = self.checker_command % escaped_attrs
702
except TypeError as error:
703
logger.error('Could not format string "%s"',
704
self.checker_command, exc_info=error)
705
return True # Try again later
424
706
self.current_checker_command = command
425
707
try:
426
logger.info(u"Starting checker %r for %s",
708
logger.info("Starting checker %r for %s",
427
709
command, self.name)
428
710
# We don't need to redirect stdout and stderr, since
429
711
# in normal mode, that is already done by daemon(),
431
713
# always replaced by /dev/null.)
432
714
self.checker = subprocess.Popen(command,
433
715
close_fds=True,
434
shell=True, cwd=u"/")
435
self.checker_callback_tag = (gobject.child_watch_add
436
(self.checker.pid,
437
self.checker_callback,
438
data=command))
439
# The checker may have completed before the gobject
440
# watch was added. Check for this.
441
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
442
if pid:
443
gobject.source_remove(self.checker_callback_tag)
444
self.checker_callback(pid, status, command)
445
except OSError, error:
446
logger.error(u"Failed to start subprocess: %s",
447
error)
716
shell=True, cwd="/")
717
except OSError as error:
718
logger.error("Failed to start subprocess",
719
exc_info=error)
720
self.checker_callback_tag = (gobject.child_watch_add
721
(self.checker.pid,
722
self.checker_callback,
723
data=command))
724
# The checker may have completed before the gobject
725
# watch was added. Check for this.
726
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
727
if pid:
728
gobject.source_remove(self.checker_callback_tag)
729
self.checker_callback(pid, status, command)
448
730
# Re-run this periodically if run by gobject.timeout_add
449
731
return True
450
732
453
735
if self.checker_callback_tag:
454
736
gobject.source_remove(self.checker_callback_tag)
455
737
self.checker_callback_tag = None
456
if getattr(self, u"checker", None) is None:
738
if getattr(self, "checker", None) is None:
457
739
return
458
logger.debug(u"Stopping checker for %(name)s", vars(self))
740
logger.debug("Stopping checker for %(name)s", vars(self))
459
741
try:
460
os.kill(self.checker.pid, signal.SIGTERM)
461
#os.sleep(0.5)
742
self.checker.terminate()
743
#time.sleep(0.5)
462
744
#if self.checker.poll() is None:
463
# os.kill(self.checker.pid, signal.SIGKILL)
464
except OSError, error:
745
# self.checker.kill()
746
except OSError as error:
465
747
if error.errno != errno.ESRCH: # No such process
466
748
raise
467
749
self.checker = None
468
469
def still_valid(self):
470
"""Has the timeout not yet passed for this client?"""
471
if not getattr(self, u"enabled", False):
472
return False
473
now = datetime.datetime.utcnow()
474
if self.last_checked_ok is None:
475
return now < (self.created + self.timeout)
476
else:
477
return now < (self.last_checked_ok + self.timeout)
478
479
480
class ClientDBus(Client, dbus.service.Object):
750
751
752
def dbus_service_property(dbus_interface, signature="v",
753
access="readwrite", byte_arrays=False):
754
"""Decorators for marking methods of a DBusObjectWithProperties to
755
become properties on the D-Bus.
756
757
The decorated method will be called with no arguments by "Get"
758
and with one argument by "Set".
759
760
The parameters, where they are supported, are the same as
761
dbus.service.method, except there is only "signature", since the
762
type from Get() and the type sent to Set() is the same.
763
"""
764
# Encoding deeply encoded byte arrays is not supported yet by the
765
# "Set" method, so we fail early here:
766
if byte_arrays and signature != "ay":
767
raise ValueError("Byte arrays not supported for non-'ay'"
768
" signature {0!r}".format(signature))
769
def decorator(func):
770
func._dbus_is_property = True
771
func._dbus_interface = dbus_interface
772
func._dbus_signature = signature
773
func._dbus_access = access
774
func._dbus_name = func.__name__
775
if func._dbus_name.endswith("_dbus_property"):
776
func._dbus_name = func._dbus_name[:-14]
777
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
778
return func
779
return decorator
780
781
782
def dbus_interface_annotations(dbus_interface):
783
"""Decorator for marking functions returning interface annotations
784
785
Usage:
786
787
@dbus_interface_annotations("org.example.Interface")
788
def _foo(self): # Function name does not matter
789
return {"org.freedesktop.DBus.Deprecated": "true",
790
"org.freedesktop.DBus.Property.EmitsChangedSignal":
791
"false"}
792
"""
793
def decorator(func):
794
func._dbus_is_interface = True
795
func._dbus_interface = dbus_interface
796
func._dbus_name = dbus_interface
797
return func
798
return decorator
799
800
801
def dbus_annotations(annotations):
802
"""Decorator to annotate D-Bus methods, signals or properties
803
Usage:
804
805
@dbus_service_property("org.example.Interface", signature="b",
806
access="r")
807
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
808
"org.freedesktop.DBus.Property."
809
"EmitsChangedSignal": "false"})
810
def Property_dbus_property(self):
811
return dbus.Boolean(False)
812
"""
813
def decorator(func):
814
func._dbus_annotations = annotations
815
return func
816
return decorator
817
818
819
class DBusPropertyException(dbus.exceptions.DBusException):
820
"""A base class for D-Bus property-related exceptions
821
"""
822
def __unicode__(self):
823
return unicode(str(self))
824
825
826
class DBusPropertyAccessException(DBusPropertyException):
827
"""A property's access permissions disallows an operation.
828
"""
829
pass
830
831
832
class DBusPropertyNotFound(DBusPropertyException):
833
"""An attempt was made to access a non-existing property.
834
"""
835
pass
836
837
838
class DBusObjectWithProperties(dbus.service.Object):
839
"""A D-Bus object with properties.
840
841
Classes inheriting from this can use the dbus_service_property
842
decorator to expose methods as D-Bus properties. It exposes the
843
standard Get(), Set(), and GetAll() methods on the D-Bus.
844
"""
845
846
@staticmethod
847
def _is_dbus_thing(thing):
848
"""Returns a function testing if an attribute is a D-Bus thing
849
850
If called like _is_dbus_thing("method") it returns a function
851
suitable for use as predicate to inspect.getmembers().
852
"""
853
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
854
False)
855
856
def _get_all_dbus_things(self, thing):
857
"""Returns a generator of (name, attribute) pairs
858
"""
859
return ((getattr(athing.__get__(self), "_dbus_name",
860
name),
861
athing.__get__(self))
862
for cls in self.__class__.__mro__
863
for name, athing in
864
inspect.getmembers(cls,
865
self._is_dbus_thing(thing)))
866
867
def _get_dbus_property(self, interface_name, property_name):
868
"""Returns a bound method if one exists which is a D-Bus
869
property with the specified name and interface.
870
"""
871
for cls in self.__class__.__mro__:
872
for name, value in (inspect.getmembers
873
(cls,
874
self._is_dbus_thing("property"))):
875
if (value._dbus_name == property_name
876
and value._dbus_interface == interface_name):
877
return value.__get__(self)
878
879
# No such property
880
raise DBusPropertyNotFound(self.dbus_object_path + ":"
881
+ interface_name + "."
882
+ property_name)
883
884
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
885
out_signature="v")
886
def Get(self, interface_name, property_name):
887
"""Standard D-Bus property Get() method, see D-Bus standard.
888
"""
889
prop = self._get_dbus_property(interface_name, property_name)
890
if prop._dbus_access == "write":
891
raise DBusPropertyAccessException(property_name)
892
value = prop()
893
if not hasattr(value, "variant_level"):
894
return value
895
return type(value)(value, variant_level=value.variant_level+1)
896
897
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
898
def Set(self, interface_name, property_name, value):
899
"""Standard D-Bus property Set() method, see D-Bus standard.
900
"""
901
prop = self._get_dbus_property(interface_name, property_name)
902
if prop._dbus_access == "read":
903
raise DBusPropertyAccessException(property_name)
904
if prop._dbus_get_args_options["byte_arrays"]:
905
# The byte_arrays option is not supported yet on
906
# signatures other than "ay".
907
if prop._dbus_signature != "ay":
908
raise ValueError
909
value = dbus.ByteArray(b''.join(chr(byte)
910
for byte in value))
911
prop(value)
912
913
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
914
out_signature="a{sv}")
915
def GetAll(self, interface_name):
916
"""Standard D-Bus property GetAll() method, see D-Bus
917
standard.
918
919
Note: Will not include properties with access="write".
920
"""
921
properties = {}
922
for name, prop in self._get_all_dbus_things("property"):
923
if (interface_name
924
and interface_name != prop._dbus_interface):
925
# Interface non-empty but did not match
926
continue
927
# Ignore write-only properties
928
if prop._dbus_access == "write":
929
continue
930
value = prop()
931
if not hasattr(value, "variant_level"):
932
properties[name] = value
933
continue
934
properties[name] = type(value)(value, variant_level=
935
value.variant_level+1)
936
return dbus.Dictionary(properties, signature="sv")
937
938
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
939
out_signature="s",
940
path_keyword='object_path',
941
connection_keyword='connection')
942
def Introspect(self, object_path, connection):
943
"""Overloading of standard D-Bus method.
944
945
Inserts property tags and interface annotation tags.
946
"""
947
xmlstring = dbus.service.Object.Introspect(self, object_path,
948
connection)
949
try:
950
document = xml.dom.minidom.parseString(xmlstring)
951
def make_tag(document, name, prop):
952
e = document.createElement("property")
953
e.setAttribute("name", name)
954
e.setAttribute("type", prop._dbus_signature)
955
e.setAttribute("access", prop._dbus_access)
956
return e
957
for if_tag in document.getElementsByTagName("interface"):
958
# Add property tags
959
for tag in (make_tag(document, name, prop)
960
for name, prop
961
in self._get_all_dbus_things("property")
962
if prop._dbus_interface
963
== if_tag.getAttribute("name")):
964
if_tag.appendChild(tag)
965
# Add annotation tags
966
for typ in ("method", "signal", "property"):
967
for tag in if_tag.getElementsByTagName(typ):
968
annots = dict()
969
for name, prop in (self.
970
_get_all_dbus_things(typ)):
971
if (name == tag.getAttribute("name")
972
and prop._dbus_interface
973
== if_tag.getAttribute("name")):
974
annots.update(getattr
975
(prop,
976
"_dbus_annotations",
977
{}))
978
for name, value in annots.iteritems():
979
ann_tag = document.createElement(
980
"annotation")
981
ann_tag.setAttribute("name", name)
982
ann_tag.setAttribute("value", value)
983
tag.appendChild(ann_tag)
984
# Add interface annotation tags
985
for annotation, value in dict(
986
itertools.chain.from_iterable(
987
annotations().iteritems()
988
for name, annotations in
989
self._get_all_dbus_things("interface")
990
if name == if_tag.getAttribute("name")
991
)).iteritems():
992
ann_tag = document.createElement("annotation")
993
ann_tag.setAttribute("name", annotation)
994
ann_tag.setAttribute("value", value)
995
if_tag.appendChild(ann_tag)
996
# Add the names to the return values for the
997
# "org.freedesktop.DBus.Properties" methods
998
if (if_tag.getAttribute("name")
999
== "org.freedesktop.DBus.Properties"):
1000
for cn in if_tag.getElementsByTagName("method"):
1001
if cn.getAttribute("name") == "Get":
1002
for arg in cn.getElementsByTagName("arg"):
1003
if (arg.getAttribute("direction")
1004
== "out"):
1005
arg.setAttribute("name", "value")
1006
elif cn.getAttribute("name") == "GetAll":
1007
for arg in cn.getElementsByTagName("arg"):
1008
if (arg.getAttribute("direction")
1009
== "out"):
1010
arg.setAttribute("name", "props")
1011
xmlstring = document.toxml("utf-8")
1012
document.unlink()
1013
except (AttributeError, xml.dom.DOMException,
1014
xml.parsers.expat.ExpatError) as error:
1015
logger.error("Failed to override Introspection method",
1016
exc_info=error)
1017
return xmlstring
1018
1019
1020
def datetime_to_dbus(dt, variant_level=0):
1021
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1022
if dt is None:
1023
return dbus.String("", variant_level = variant_level)
1024
return dbus.String(dt.isoformat(),
1025
variant_level=variant_level)
1026
1027
1028
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1029
"""A class decorator; applied to a subclass of
1030
dbus.service.Object, it will add alternate D-Bus attributes with
1031
interface names according to the "alt_interface_names" mapping.
1032
Usage:
1033
1034
@alternate_dbus_interfaces({"org.example.Interface":
1035
"net.example.AlternateInterface"})
1036
class SampleDBusObject(dbus.service.Object):
1037
@dbus.service.method("org.example.Interface")
1038
def SampleDBusMethod():
1039
pass
1040
1041
The above "SampleDBusMethod" on "SampleDBusObject" will be
1042
reachable via two interfaces: "org.example.Interface" and
1043
"net.example.AlternateInterface", the latter of which will have
1044
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1045
"true", unless "deprecate" is passed with a False value.
1046
1047
This works for methods and signals, and also for D-Bus properties
1048
(from DBusObjectWithProperties) and interfaces (from the
1049
dbus_interface_annotations decorator).
1050
"""
1051
def wrapper(cls):
1052
for orig_interface_name, alt_interface_name in (
1053
alt_interface_names.iteritems()):
1054
attr = {}
1055
interface_names = set()
1056
# Go though all attributes of the class
1057
for attrname, attribute in inspect.getmembers(cls):
1058
# Ignore non-D-Bus attributes, and D-Bus attributes
1059
# with the wrong interface name
1060
if (not hasattr(attribute, "_dbus_interface")
1061
or not attribute._dbus_interface
1062
.startswith(orig_interface_name)):
1063
continue
1064
# Create an alternate D-Bus interface name based on
1065
# the current name
1066
alt_interface = (attribute._dbus_interface
1067
.replace(orig_interface_name,
1068
alt_interface_name))
1069
interface_names.add(alt_interface)
1070
# Is this a D-Bus signal?
1071
if getattr(attribute, "_dbus_is_signal", False):
1072
# Extract the original non-method function by
1073
# black magic
1074
nonmethod_func = (dict(
1075
zip(attribute.func_code.co_freevars,
1076
attribute.__closure__))["func"]
1077
.cell_contents)
1078
# Create a new, but exactly alike, function
1079
# object, and decorate it to be a new D-Bus signal
1080
# with the alternate D-Bus interface name
1081
new_function = (dbus.service.signal
1082
(alt_interface,
1083
attribute._dbus_signature)
1084
(types.FunctionType(
1085
nonmethod_func.func_code,
1086
nonmethod_func.func_globals,
1087
nonmethod_func.func_name,
1088
nonmethod_func.func_defaults,
1089
nonmethod_func.func_closure)))
1090
# Copy annotations, if any
1091
try:
1092
new_function._dbus_annotations = (
1093
dict(attribute._dbus_annotations))
1094
except AttributeError:
1095
pass
1096
# Define a creator of a function to call both the
1097
# original and alternate functions, so both the
1098
# original and alternate signals gets sent when
1099
# the function is called
1100
def fixscope(func1, func2):
1101
"""This function is a scope container to pass
1102
func1 and func2 to the "call_both" function
1103
outside of its arguments"""
1104
def call_both(*args, **kwargs):
1105
"""This function will emit two D-Bus
1106
signals by calling func1 and func2"""
1107
func1(*args, **kwargs)
1108
func2(*args, **kwargs)
1109
return call_both
1110
# Create the "call_both" function and add it to
1111
# the class
1112
attr[attrname] = fixscope(attribute, new_function)
1113
# Is this a D-Bus method?
1114
elif getattr(attribute, "_dbus_is_method", False):
1115
# Create a new, but exactly alike, function
1116
# object. Decorate it to be a new D-Bus method
1117
# with the alternate D-Bus interface name. Add it
1118
# to the class.
1119
attr[attrname] = (dbus.service.method
1120
(alt_interface,
1121
attribute._dbus_in_signature,
1122
attribute._dbus_out_signature)
1123
(types.FunctionType
1124
(attribute.func_code,
1125
attribute.func_globals,
1126
attribute.func_name,
1127
attribute.func_defaults,
1128
attribute.func_closure)))
1129
# Copy annotations, if any
1130
try:
1131
attr[attrname]._dbus_annotations = (
1132
dict(attribute._dbus_annotations))
1133
except AttributeError:
1134
pass
1135
# Is this a D-Bus property?
1136
elif getattr(attribute, "_dbus_is_property", False):
1137
# Create a new, but exactly alike, function
1138
# object, and decorate it to be a new D-Bus
1139
# property with the alternate D-Bus interface
1140
# name. Add it to the class.
1141
attr[attrname] = (dbus_service_property
1142
(alt_interface,
1143
attribute._dbus_signature,
1144
attribute._dbus_access,
1145
attribute
1146
._dbus_get_args_options
1147
["byte_arrays"])
1148
(types.FunctionType
1149
(attribute.func_code,
1150
attribute.func_globals,
1151
attribute.func_name,
1152
attribute.func_defaults,
1153
attribute.func_closure)))
1154
# Copy annotations, if any
1155
try:
1156
attr[attrname]._dbus_annotations = (
1157
dict(attribute._dbus_annotations))
1158
except AttributeError:
1159
pass
1160
# Is this a D-Bus interface?
1161
elif getattr(attribute, "_dbus_is_interface", False):
1162
# Create a new, but exactly alike, function
1163
# object. Decorate it to be a new D-Bus interface
1164
# with the alternate D-Bus interface name. Add it
1165
# to the class.
1166
attr[attrname] = (dbus_interface_annotations
1167
(alt_interface)
1168
(types.FunctionType
1169
(attribute.func_code,
1170
attribute.func_globals,
1171
attribute.func_name,
1172
attribute.func_defaults,
1173
attribute.func_closure)))
1174
if deprecate:
1175
# Deprecate all alternate interfaces
1176
iname="_AlternateDBusNames_interface_annotation{0}"
1177
for interface_name in interface_names:
1178
@dbus_interface_annotations(interface_name)
1179
def func(self):
1180
return { "org.freedesktop.DBus.Deprecated":
1181
"true" }
1182
# Find an unused name
1183
for aname in (iname.format(i)
1184
for i in itertools.count()):
1185
if aname not in attr:
1186
attr[aname] = func
1187
break
1188
if interface_names:
1189
# Replace the class with a new subclass of it with
1190
# methods, signals, etc. as created above.
1191
cls = type(b"{0}Alternate".format(cls.__name__),
1192
(cls,), attr)
1193
return cls
1194
return wrapper
1195
1196
1197
@alternate_dbus_interfaces({"se.recompile.Mandos":
1198
"se.bsnet.fukt.Mandos"})
1199
class ClientDBus(Client, DBusObjectWithProperties):
481
1200
"""A Client class using D-Bus
482
1201
483
1202
Attributes:
484
1203
dbus_object_path: dbus.ObjectPath
485
1204
bus: dbus.SystemBus()
486
1205
"""
1206
1207
runtime_expansions = (Client.runtime_expansions
1208
+ ("dbus_object_path",))
1209
487
1210
# dbus.service.Object doesn't use super(), so we can't either.
488
1211
489
1212
def __init__(self, bus = None, *args, **kwargs):
491
1214
Client.__init__(self, *args, **kwargs)
492
1215
# Only now, when this client is initialized, can it show up on
493
1216
# the D-Bus
1217
client_object_name = unicode(self.name).translate(
1218
{ord("."): ord("_"),
1219
ord("-"): ord("_")})
494
1220
self.dbus_object_path = (dbus.ObjectPath
495
(u"/clients/"
496
+ self.name.replace(u".", u"_")))
497
dbus.service.Object.__init__(self, self.bus,
498
self.dbus_object_path)
499
500
@staticmethod
501
def _datetime_to_dbus(dt, variant_level=0):
502
"""Convert a UTC datetime.datetime() to a D-Bus type."""
503
return dbus.String(dt.isoformat(),
504
variant_level=variant_level)
505
506
def enable(self):
507
oldstate = getattr(self, u"enabled", False)
508
r = Client.enable(self)
509
if oldstate != self.enabled:
510
# Emit D-Bus signals
511
self.PropertyChanged(dbus.String(u"enabled"),
512
dbus.Boolean(True, variant_level=1))
513
self.PropertyChanged(
514
dbus.String(u"last_enabled"),
515
self._datetime_to_dbus(self.last_enabled,
516
variant_level=1))
517
return r
518
519
def disable(self, signal = True):
520
oldstate = getattr(self, u"enabled", False)
521
r = Client.disable(self)
522
if signal and oldstate != self.enabled:
523
# Emit D-Bus signal
524
self.PropertyChanged(dbus.String(u"enabled"),
525
dbus.Boolean(False, variant_level=1))
526
return r
1221
("/clients/" + client_object_name))
1222
DBusObjectWithProperties.__init__(self, self.bus,
1223
self.dbus_object_path)
1224
1225
def notifychangeproperty(transform_func,
1226
dbus_name, type_func=lambda x: x,
1227
variant_level=1):
1228
""" Modify a variable so that it's a property which announces
1229
its changes to DBus.
1230
1231
transform_fun: Function that takes a value and a variant_level
1232
and transforms it to a D-Bus type.
1233
dbus_name: D-Bus name of the variable
1234
type_func: Function that transform the value before sending it
1235
to the D-Bus. Default: no transform
1236
variant_level: D-Bus variant level. Default: 1
1237
"""
1238
attrname = "_{0}".format(dbus_name)
1239
def setter(self, value):
1240
if hasattr(self, "dbus_object_path"):
1241
if (not hasattr(self, attrname) or
1242
type_func(getattr(self, attrname, None))
1243
!= type_func(value)):
1244
dbus_value = transform_func(type_func(value),
1245
variant_level
1246
=variant_level)
1247
self.PropertyChanged(dbus.String(dbus_name),
1248
dbus_value)
1249
setattr(self, attrname, value)
1250
1251
return property(lambda self: getattr(self, attrname), setter)
1252
1253
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1254
approvals_pending = notifychangeproperty(dbus.Boolean,
1255
"ApprovalPending",
1256
type_func = bool)
1257
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1258
last_enabled = notifychangeproperty(datetime_to_dbus,
1259
"LastEnabled")
1260
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1261
type_func = lambda checker:
1262
checker is not None)
1263
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1264
"LastCheckedOK")
1265
last_checker_status = notifychangeproperty(dbus.Int16,
1266
"LastCheckerStatus")
1267
last_approval_request = notifychangeproperty(
1268
datetime_to_dbus, "LastApprovalRequest")
1269
approved_by_default = notifychangeproperty(dbus.Boolean,
1270
"ApprovedByDefault")
1271
approval_delay = notifychangeproperty(dbus.UInt64,
1272
"ApprovalDelay",
1273
type_func =
1274
timedelta_to_milliseconds)
1275
approval_duration = notifychangeproperty(
1276
dbus.UInt64, "ApprovalDuration",
1277
type_func = timedelta_to_milliseconds)
1278
host = notifychangeproperty(dbus.String, "Host")
1279
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1280
type_func =
1281
timedelta_to_milliseconds)
1282
extended_timeout = notifychangeproperty(
1283
dbus.UInt64, "ExtendedTimeout",
1284
type_func = timedelta_to_milliseconds)
1285
interval = notifychangeproperty(dbus.UInt64,
1286
"Interval",
1287
type_func =
1288
timedelta_to_milliseconds)
1289
checker_command = notifychangeproperty(dbus.String, "Checker")
1290
1291
del notifychangeproperty
527
1292
528
1293
def __del__(self, *args, **kwargs):
529
1294
try:
530
1295
self.remove_from_connection()
531
1296
except LookupError:
532
1297
pass
533
if hasattr(dbus.service.Object, u"__del__"):
534
dbus.service.Object.__del__(self, *args, **kwargs)
1298
if hasattr(DBusObjectWithProperties, "__del__"):
1299
DBusObjectWithProperties.__del__(self, *args, **kwargs)
535
1300
Client.__del__(self, *args, **kwargs)
536
1301
537
1302
def checker_callback(self, pid, condition, command,
538
1303
*args, **kwargs):
539
1304
self.checker_callback_tag = None
540
1305
self.checker = None
541
# Emit D-Bus signal
542
self.PropertyChanged(dbus.String(u"checker_running"),
543
dbus.Boolean(False, variant_level=1))
544
1306
if os.WIFEXITED(condition):
545
1307
exitstatus = os.WEXITSTATUS(condition)
546
1308
# Emit D-Bus signal
556
1318
return Client.checker_callback(self, pid, condition, command,
557
1319
*args, **kwargs)
558
1320
559
def checked_ok(self, *args, **kwargs):
560
r = Client.checked_ok(self, *args, **kwargs)
561
# Emit D-Bus signal
562
self.PropertyChanged(
563
dbus.String(u"last_checked_ok"),
564
(self._datetime_to_dbus(self.last_checked_ok,
565
variant_level=1)))
566
return r
567
568
1321
def start_checker(self, *args, **kwargs):
569
1322
old_checker = self.checker
570
1323
if self.checker is not None:
577
1330
and old_checker_pid != self.checker.pid):
578
1331
# Emit D-Bus signal
579
1332
self.CheckerStarted(self.current_checker_command)
580
self.PropertyChanged(
581
dbus.String(u"checker_running"),
582
dbus.Boolean(True, variant_level=1))
583
return r
584
585
def stop_checker(self, *args, **kwargs):
586
old_checker = getattr(self, u"checker", None)
587
r = Client.stop_checker(self, *args, **kwargs)
588
if (old_checker is not None
589
and getattr(self, u"checker", None) is None):
590
self.PropertyChanged(dbus.String(u"checker_running"),
591
dbus.Boolean(False, variant_level=1))
592
return r
593
594
## D-Bus methods & signals
595
_interface = u"se.bsnet.fukt.Mandos.Client"
596
597
# CheckedOK - method
598
@dbus.service.method(_interface)
599
def CheckedOK(self):
600
return self.checked_ok()
1333
return r
1334
1335
def _reset_approved(self):
1336
self.approved = None
1337
return False
1338
1339
def approve(self, value=True):
1340
self.approved = value
1341
gobject.timeout_add(timedelta_to_milliseconds
1342
(self.approval_duration),
1343
self._reset_approved)
1344
self.send_changedstate()
1345
1346
## D-Bus methods, signals & properties
1347
_interface = "se.recompile.Mandos.Client"
1348
1349
## Interfaces
1350
1351
@dbus_interface_annotations(_interface)
1352
def _foo(self):
1353
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1354
"false"}
1355
1356
## Signals
601
1357
602
1358
# CheckerCompleted - signal
603
@dbus.service.signal(_interface, signature=u"nxs")
1359
@dbus.service.signal(_interface, signature="nxs")
604
1360
def CheckerCompleted(self, exitcode, waitstatus, command):
605
1361
"D-Bus signal"
606
1362
pass
607
1363
608
1364
# CheckerStarted - signal
609
@dbus.service.signal(_interface, signature=u"s")
1365
@dbus.service.signal(_interface, signature="s")
610
1366
def CheckerStarted(self, command):
611
1367
"D-Bus signal"
612
1368
pass
613
1369
614
# GetAllProperties - method
615
@dbus.service.method(_interface, out_signature=u"a{sv}")
616
def GetAllProperties(self):
617
"D-Bus method"
618
return dbus.Dictionary({
619
dbus.String(u"name"):
620
dbus.String(self.name, variant_level=1),
621
dbus.String(u"fingerprint"):
622
dbus.String(self.fingerprint, variant_level=1),
623
dbus.String(u"host"):
624
dbus.String(self.host, variant_level=1),
625
dbus.String(u"created"):
626
self._datetime_to_dbus(self.created,
627
variant_level=1),
628
dbus.String(u"last_enabled"):
629
(self._datetime_to_dbus(self.last_enabled,
630
variant_level=1)
631
if self.last_enabled is not None
632
else dbus.Boolean(False, variant_level=1)),
633
dbus.String(u"enabled"):
634
dbus.Boolean(self.enabled, variant_level=1),
635
dbus.String(u"last_checked_ok"):
636
(self._datetime_to_dbus(self.last_checked_ok,
637
variant_level=1)
638
if self.last_checked_ok is not None
639
else dbus.Boolean (False, variant_level=1)),
640
dbus.String(u"timeout"):
641
dbus.UInt64(self.timeout_milliseconds(),
642
variant_level=1),
643
dbus.String(u"interval"):
644
dbus.UInt64(self.interval_milliseconds(),
645
variant_level=1),
646
dbus.String(u"checker"):
647
dbus.String(self.checker_command,
648
variant_level=1),
649
dbus.String(u"checker_running"):
650
dbus.Boolean(self.checker is not None,
651
variant_level=1),
652
dbus.String(u"object_path"):
653
dbus.ObjectPath(self.dbus_object_path,
654
variant_level=1)
655
}, signature=u"sv")
656
657
# IsStillValid - method
658
@dbus.service.method(_interface, out_signature=u"b")
659
def IsStillValid(self):
660
return self.still_valid()
661
662
1370
# PropertyChanged - signal
663
@dbus.service.signal(_interface, signature=u"sv")
1371
@dbus.service.signal(_interface, signature="sv")
664
1372
def PropertyChanged(self, property, value):
665
1373
"D-Bus signal"
666
1374
pass
667
1375
668
# ReceivedSecret - signal
1376
# GotSecret - signal
669
1377
@dbus.service.signal(_interface)
670
def ReceivedSecret(self):
671
"D-Bus signal"
1378
def GotSecret(self):
1379
"""D-Bus signal
1380
Is sent after a successful transfer of secret from the Mandos
1381
server to mandos-client
1382
"""
672
1383
pass
673
1384
674
1385
# Rejected - signal
675
@dbus.service.signal(_interface)
676
def Rejected(self):
1386
@dbus.service.signal(_interface, signature="s")
1387
def Rejected(self, reason):
677
1388
"D-Bus signal"
678
1389
pass
679
1390
680
# SetChecker - method
681
@dbus.service.method(_interface, in_signature=u"s")
682
def SetChecker(self, checker):
683
"D-Bus setter method"
684
self.checker_command = checker
685
# Emit D-Bus signal
686
self.PropertyChanged(dbus.String(u"checker"),
687
dbus.String(self.checker_command,
688
variant_level=1))
689
690
# SetHost - method
691
@dbus.service.method(_interface, in_signature=u"s")
692
def SetHost(self, host):
693
"D-Bus setter method"
694
self.host = host
695
# Emit D-Bus signal
696
self.PropertyChanged(dbus.String(u"host"),
697
dbus.String(self.host, variant_level=1))
698
699
# SetInterval - method
700
@dbus.service.method(_interface, in_signature=u"t")
701
def SetInterval(self, milliseconds):
702
self.interval = datetime.timedelta(0, 0, 0, milliseconds)
703
# Emit D-Bus signal
704
self.PropertyChanged(dbus.String(u"interval"),
705
(dbus.UInt64(self.interval_milliseconds(),
706
variant_level=1)))
707
708
# SetSecret - method
709
@dbus.service.method(_interface, in_signature=u"ay",
710
byte_arrays=True)
711
def SetSecret(self, secret):
712
"D-Bus setter method"
713
self.secret = str(secret)
714
715
# SetTimeout - method
716
@dbus.service.method(_interface, in_signature=u"t")
717
def SetTimeout(self, milliseconds):
718
self.timeout = datetime.timedelta(0, 0, 0, milliseconds)
719
# Emit D-Bus signal
720
self.PropertyChanged(dbus.String(u"timeout"),
721
(dbus.UInt64(self.timeout_milliseconds(),
722
variant_level=1)))
1391
# NeedApproval - signal
1392
@dbus.service.signal(_interface, signature="tb")
1393
def NeedApproval(self, timeout, default):
1394
"D-Bus signal"
1395
return self.need_approval()
1396
1397
## Methods
1398
1399
# Approve - method
1400
@dbus.service.method(_interface, in_signature="b")
1401
def Approve(self, value):
1402
self.approve(value)
1403
1404
# CheckedOK - method
1405
@dbus.service.method(_interface)
1406
def CheckedOK(self):
1407
self.checked_ok()
723
1408
724
1409
# Enable - method
725
1410
@dbus.service.method(_interface)
744
1429
def StopChecker(self):
745
1430
self.stop_checker()
746
1431
1432
## Properties
1433
1434
# ApprovalPending - property
1435
@dbus_service_property(_interface, signature="b", access="read")
1436
def ApprovalPending_dbus_property(self):
1437
return dbus.Boolean(bool(self.approvals_pending))
1438
1439
# ApprovedByDefault - property
1440
@dbus_service_property(_interface, signature="b",
1441
access="readwrite")
1442
def ApprovedByDefault_dbus_property(self, value=None):
1443
if value is None: # get
1444
return dbus.Boolean(self.approved_by_default)
1445
self.approved_by_default = bool(value)
1446
1447
# ApprovalDelay - property
1448
@dbus_service_property(_interface, signature="t",
1449
access="readwrite")
1450
def ApprovalDelay_dbus_property(self, value=None):
1451
if value is None: # get
1452
return dbus.UInt64(self.approval_delay_milliseconds())
1453
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1454
1455
# ApprovalDuration - property
1456
@dbus_service_property(_interface, signature="t",
1457
access="readwrite")
1458
def ApprovalDuration_dbus_property(self, value=None):
1459
if value is None: # get
1460
return dbus.UInt64(timedelta_to_milliseconds(
1461
self.approval_duration))
1462
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1463
1464
# Name - property
1465
@dbus_service_property(_interface, signature="s", access="read")
1466
def Name_dbus_property(self):
1467
return dbus.String(self.name)
1468
1469
# Fingerprint - property
1470
@dbus_service_property(_interface, signature="s", access="read")
1471
def Fingerprint_dbus_property(self):
1472
return dbus.String(self.fingerprint)
1473
1474
# Host - property
1475
@dbus_service_property(_interface, signature="s",
1476
access="readwrite")
1477
def Host_dbus_property(self, value=None):
1478
if value is None: # get
1479
return dbus.String(self.host)
1480
self.host = unicode(value)
1481
1482
# Created - property
1483
@dbus_service_property(_interface, signature="s", access="read")
1484
def Created_dbus_property(self):
1485
return datetime_to_dbus(self.created)
1486
1487
# LastEnabled - property
1488
@dbus_service_property(_interface, signature="s", access="read")
1489
def LastEnabled_dbus_property(self):
1490
return datetime_to_dbus(self.last_enabled)
1491
1492
# Enabled - property
1493
@dbus_service_property(_interface, signature="b",
1494
access="readwrite")
1495
def Enabled_dbus_property(self, value=None):
1496
if value is None: # get
1497
return dbus.Boolean(self.enabled)
1498
if value:
1499
self.enable()
1500
else:
1501
self.disable()
1502
1503
# LastCheckedOK - property
1504
@dbus_service_property(_interface, signature="s",
1505
access="readwrite")
1506
def LastCheckedOK_dbus_property(self, value=None):
1507
if value is not None:
1508
self.checked_ok()
1509
return
1510
return datetime_to_dbus(self.last_checked_ok)
1511
1512
# LastCheckerStatus - property
1513
@dbus_service_property(_interface, signature="n",
1514
access="read")
1515
def LastCheckerStatus_dbus_property(self):
1516
return dbus.Int16(self.last_checker_status)
1517
1518
# Expires - property
1519
@dbus_service_property(_interface, signature="s", access="read")
1520
def Expires_dbus_property(self):
1521
return datetime_to_dbus(self.expires)
1522
1523
# LastApprovalRequest - property
1524
@dbus_service_property(_interface, signature="s", access="read")
1525
def LastApprovalRequest_dbus_property(self):
1526
return datetime_to_dbus(self.last_approval_request)
1527
1528
# Timeout - property
1529
@dbus_service_property(_interface, signature="t",
1530
access="readwrite")
1531
def Timeout_dbus_property(self, value=None):
1532
if value is None: # get
1533
return dbus.UInt64(self.timeout_milliseconds())
1534
old_timeout = self.timeout
1535
self.timeout = datetime.timedelta(0, 0, 0, value)
1536
# Reschedule disabling
1537
if self.enabled:
1538
now = datetime.datetime.utcnow()
1539
self.expires += self.timeout - old_timeout
1540
if self.expires <= now:
1541
# The timeout has passed
1542
self.disable()
1543
else:
1544
if (getattr(self, "disable_initiator_tag", None)
1545
is None):
1546
return
1547
gobject.source_remove(self.disable_initiator_tag)
1548
self.disable_initiator_tag = (
1549
gobject.timeout_add(
1550
timedelta_to_milliseconds(self.expires - now),
1551
self.disable))
1552
1553
# ExtendedTimeout - property
1554
@dbus_service_property(_interface, signature="t",
1555
access="readwrite")
1556
def ExtendedTimeout_dbus_property(self, value=None):
1557
if value is None: # get
1558
return dbus.UInt64(self.extended_timeout_milliseconds())
1559
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1560
1561
# Interval - property
1562
@dbus_service_property(_interface, signature="t",
1563
access="readwrite")
1564
def Interval_dbus_property(self, value=None):
1565
if value is None: # get
1566
return dbus.UInt64(self.interval_milliseconds())
1567
self.interval = datetime.timedelta(0, 0, 0, value)
1568
if getattr(self, "checker_initiator_tag", None) is None:
1569
return
1570
if self.enabled:
1571
# Reschedule checker run
1572
gobject.source_remove(self.checker_initiator_tag)
1573
self.checker_initiator_tag = (gobject.timeout_add
1574
(value, self.start_checker))
1575
self.start_checker() # Start one now, too
1576
1577
# Checker - property
1578
@dbus_service_property(_interface, signature="s",
1579
access="readwrite")
1580
def Checker_dbus_property(self, value=None):
1581
if value is None: # get
1582
return dbus.String(self.checker_command)
1583
self.checker_command = unicode(value)
1584
1585
# CheckerRunning - property
1586
@dbus_service_property(_interface, signature="b",
1587
access="readwrite")
1588
def CheckerRunning_dbus_property(self, value=None):
1589
if value is None: # get
1590
return dbus.Boolean(self.checker is not None)
1591
if value:
1592
self.start_checker()
1593
else:
1594
self.stop_checker()
1595
1596
# ObjectPath - property
1597
@dbus_service_property(_interface, signature="o", access="read")
1598
def ObjectPath_dbus_property(self):
1599
return self.dbus_object_path # is already a dbus.ObjectPath
1600
1601
# Secret = property
1602
@dbus_service_property(_interface, signature="ay",
1603
access="write", byte_arrays=True)
1604
def Secret_dbus_property(self, value):
1605
self.secret = str(value)
1606
747
1607
del _interface
748
1608
749
1609
1610
class ProxyClient(object):
1611
def __init__(self, child_pipe, fpr, address):
1612
self._pipe = child_pipe
1613
self._pipe.send(('init', fpr, address))
1614
if not self._pipe.recv():
1615
raise KeyError()
1616
1617
def __getattribute__(self, name):
1618
if name == '_pipe':
1619
return super(ProxyClient, self).__getattribute__(name)
1620
self._pipe.send(('getattr', name))
1621
data = self._pipe.recv()
1622
if data[0] == 'data':
1623
return data[1]
1624
if data[0] == 'function':
1625
def func(*args, **kwargs):
1626
self._pipe.send(('funcall', name, args, kwargs))
1627
return self._pipe.recv()[1]
1628
return func
1629
1630
def __setattr__(self, name, value):
1631
if name == '_pipe':
1632
return super(ProxyClient, self).__setattr__(name, value)
1633
self._pipe.send(('setattr', name, value))
1634
1635
750
1636
class ClientHandler(socketserver.BaseRequestHandler, object):
751
1637
"""A class to handle client connections.
752
1638
754
1640
Note: This will run in its own forked process."""
755
1641
756
1642
def handle(self):
757
logger.info(u"TCP connection from: %s",
758
unicode(self.client_address))
759
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
760
# Open IPC pipe to parent process
761
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
1643
with contextlib.closing(self.server.child_pipe) as child_pipe:
1644
logger.info("TCP connection from: %s",
1645
unicode(self.client_address))
1646
logger.debug("Pipe FD: %d",
1647
self.server.child_pipe.fileno())
1648
762
1649
session = (gnutls.connection
763
1650
.ClientSession(self.request,
764
1651
gnutls.connection
765
1652
.X509Credentials()))
766
1653
767
line = self.request.makefile().readline()
768
logger.debug(u"Protocol version: %r", line)
769
try:
770
if int(line.strip().split()[0]) > 1:
771
raise RuntimeError
772
except (ValueError, IndexError, RuntimeError), error:
773
logger.error(u"Unknown protocol version: %s", error)
774
return
775
776
1654
# Note: gnutls.connection.X509Credentials is really a
777
1655
# generic GnuTLS certificate credentials object so long as
778
1656
# no X.509 keys are added to it. Therefore, we can use it
779
1657
# here despite using OpenPGP certificates.
780
1658
781
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
782
# u"+AES-256-CBC", u"+SHA1",
783
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
784
# u"+DHE-DSS"))
1659
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1660
# "+AES-256-CBC", "+SHA1",
1661
# "+COMP-NULL", "+CTYPE-OPENPGP",
1662
# "+DHE-DSS"))
785
1663
# Use a fallback default, since this MUST be set.
786
1664
priority = self.server.gnutls_priority
787
1665
if priority is None:
788
priority = u"NORMAL"
1666
priority = "NORMAL"
789
1667
(gnutls.library.functions
790
1668
.gnutls_priority_set_direct(session._c_object,
791
1669
priority, None))
792
1670
1671
# Start communication using the Mandos protocol
1672
# Get protocol number
1673
line = self.request.makefile().readline()
1674
logger.debug("Protocol version: %r", line)
1675
try:
1676
if int(line.strip().split()[0]) > 1:
1677
raise RuntimeError
1678
except (ValueError, IndexError, RuntimeError) as error:
1679
logger.error("Unknown protocol version: %s", error)
1680
return
1681
1682
# Start GnuTLS connection
793
1683
try:
794
1684
session.handshake()
795
except gnutls.errors.GNUTLSError, error:
796
logger.warning(u"Handshake failed: %s", error)
1685
except gnutls.errors.GNUTLSError as error:
1686
logger.warning("Handshake failed: %s", error)
797
1687
# Do not run session.bye() here: the session is not
798
1688
# established. Just abandon the request.
799
1689
return
800
logger.debug(u"Handshake succeeded")
1690
logger.debug("Handshake succeeded")
1691
1692
approval_required = False
801
1693
try:
802
fpr = self.fingerprint(self.peer_certificate(session))
803
except (TypeError, gnutls.errors.GNUTLSError), error:
804
logger.warning(u"Bad certificate: %s", error)
805
session.bye()
806
return
807
logger.debug(u"Fingerprint: %s", fpr)
1694
try:
1695
fpr = self.fingerprint(self.peer_certificate
1696
(session))
1697
except (TypeError,
1698
gnutls.errors.GNUTLSError) as error:
1699
logger.warning("Bad certificate: %s", error)
1700
return
1701
logger.debug("Fingerprint: %s", fpr)
1702
1703
try:
1704
client = ProxyClient(child_pipe, fpr,
1705
self.client_address)
1706
except KeyError:
1707
return
1708
1709
if client.approval_delay:
1710
delay = client.approval_delay
1711
client.approvals_pending += 1
1712
approval_required = True
1713
1714
while True:
1715
if not client.enabled:
1716
logger.info("Client %s is disabled",
1717
client.name)
1718
if self.server.use_dbus:
1719
# Emit D-Bus signal
1720
client.Rejected("Disabled")
1721
return
1722
1723
if client.approved or not client.approval_delay:
1724
#We are approved or approval is disabled
1725
break
1726
elif client.approved is None:
1727
logger.info("Client %s needs approval",
1728
client.name)
1729
if self.server.use_dbus:
1730
# Emit D-Bus signal
1731
client.NeedApproval(
1732
client.approval_delay_milliseconds(),
1733
client.approved_by_default)
1734
else:
1735
logger.warning("Client %s was not approved",
1736
client.name)
1737
if self.server.use_dbus:
1738
# Emit D-Bus signal
1739
client.Rejected("Denied")
1740
return
1741
1742
#wait until timeout or approved
1743
time = datetime.datetime.now()
1744
client.changedstate.acquire()
1745
client.changedstate.wait(
1746
float(timedelta_to_milliseconds(delay)
1747
/ 1000))
1748
client.changedstate.release()
1749
time2 = datetime.datetime.now()
1750
if (time2 - time) >= delay:
1751
if not client.approved_by_default:
1752
logger.warning("Client %s timed out while"
1753
" waiting for approval",
1754
client.name)
1755
if self.server.use_dbus:
1756
# Emit D-Bus signal
1757
client.Rejected("Approval timed out")
1758
return
1759
else:
1760
break
1761
else:
1762
delay -= time2 - time
1763
1764
sent_size = 0
1765
while sent_size < len(client.secret):
1766
try:
1767
sent = session.send(client.secret[sent_size:])
1768
except gnutls.errors.GNUTLSError as error:
1769
logger.warning("gnutls send failed",
1770
exc_info=error)
1771
return
1772
logger.debug("Sent: %d, remaining: %d",
1773
sent, len(client.secret)
1774
- (sent_size + sent))
1775
sent_size += sent
1776
1777
logger.info("Sending secret to %s", client.name)
1778
# bump the timeout using extended_timeout
1779
client.bump_timeout(client.extended_timeout)
1780
if self.server.use_dbus:
1781
# Emit D-Bus signal
1782
client.GotSecret()
808
1783
809
for c in self.server.clients:
810
if c.fingerprint == fpr:
811
client = c
812
break
813
else:
814
ipc.write(u"NOTFOUND %s\n" % fpr)
815
session.bye()
816
return
817
# Have to check if client.still_valid(), since it is
818
# possible that the client timed out while establishing
819
# the GnuTLS session.
820
if not client.still_valid():
821
ipc.write(u"INVALID %s\n" % client.name)
822
session.bye()
823
return
824
ipc.write(u"SENDING %s\n" % client.name)
825
sent_size = 0
826
while sent_size < len(client.secret):
827
sent = session.send(client.secret[sent_size:])
828
logger.debug(u"Sent: %d, remaining: %d",
829
sent, len(client.secret)
830
- (sent_size + sent))
831
sent_size += sent
832
session.bye()
1784
finally:
1785
if approval_required:
1786
client.approvals_pending -= 1
1787
try:
1788
session.bye()
1789
except gnutls.errors.GNUTLSError as error:
1790
logger.warning("GnuTLS bye failed",
1791
exc_info=error)
833
1792
834
1793
@staticmethod
835
1794
def peer_certificate(session):
845
1804
.gnutls_certificate_get_peers
846
1805
(session._c_object, ctypes.byref(list_size)))
847
1806
if not bool(cert_list) and list_size.value != 0:
848
raise gnutls.errors.GNUTLSError(u"error getting peer"
849
u" certificate")
1807
raise gnutls.errors.GNUTLSError("error getting peer"
1808
" certificate")
850
1809
if list_size.value == 0:
851
1810
return None
852
1811
cert = cert_list[0]
878
1837
if crtverify.value != 0:
879
1838
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
880
1839
raise (gnutls.errors.CertificateSecurityError
881
(u"Verify failed"))
1840
("Verify failed"))
882
1841
# New buffer for the fingerprint
883
1842
buf = ctypes.create_string_buffer(20)
884
1843
buf_len = ctypes.c_size_t()
891
1850
# Convert the buffer to a Python bytestring
892
1851
fpr = ctypes.string_at(buf, buf_len.value)
893
1852
# Convert the bytestring to hexadecimal notation
894
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1853
hex_fpr = binascii.hexlify(fpr).upper()
895
1854
return hex_fpr
896
1855
897
1856
898
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
899
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1857
class MultiprocessingMixIn(object):
1858
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1859
def sub_process_main(self, request, address):
1860
try:
1861
self.finish_request(request, address)
1862
except Exception:
1863
self.handle_error(request, address)
1864
self.close_request(request)
1865
1866
def process_request(self, request, address):
1867
"""Start a new process to process the request."""
1868
proc = multiprocessing.Process(target = self.sub_process_main,
1869
args = (request, address))
1870
proc.start()
1871
return proc
1872
1873
1874
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1875
""" adds a pipe to the MixIn """
900
1876
def process_request(self, request, client_address):
901
1877
"""Overrides and wraps the original process_request().
902
1878
903
This function creates a new pipe in self.pipe
1879
This function creates a new pipe in self.pipe
904
1880
"""
905
self.pipe = os.pipe()
906
super(ForkingMixInWithPipe,
907
self).process_request(request, client_address)
908
os.close(self.pipe[1]) # close write end
909
self.add_pipe(self.pipe[0])
910
def add_pipe(self, pipe):
1881
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1882
1883
proc = MultiprocessingMixIn.process_request(self, request,
1884
client_address)
1885
self.child_pipe.close()
1886
self.add_pipe(parent_pipe, proc)
1887
1888
def add_pipe(self, parent_pipe, proc):
911
1889
"""Dummy function; override as necessary"""
912
os.close(pipe)
913
914
915
class IPv6_TCPServer(ForkingMixInWithPipe,
1890
raise NotImplementedError
1891
1892
1893
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
916
1894
socketserver.TCPServer, object):
917
1895
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
918
1896
922
1900
use_ipv6: Boolean; to use IPv6 or not
923
1901
"""
924
1902
def __init__(self, server_address, RequestHandlerClass,
925
interface=None, use_ipv6=True):
1903
interface=None, use_ipv6=True, socketfd=None):
1904
"""If socketfd is set, use that file descriptor instead of
1905
creating a new one with socket.socket().
1906
"""
926
1907
self.interface = interface
927
1908
if use_ipv6:
928
1909
self.address_family = socket.AF_INET6
1910
if socketfd is not None:
1911
# Save the file descriptor
1912
self.socketfd = socketfd
1913
# Save the original socket.socket() function
1914
self.socket_socket = socket.socket
1915
# To implement --socket, we monkey patch socket.socket.
1916
#
1917
# (When socketserver.TCPServer is a new-style class, we
1918
# could make self.socket into a property instead of monkey
1919
# patching socket.socket.)
1920
#
1921
# Create a one-time-only replacement for socket.socket()
1922
@functools.wraps(socket.socket)
1923
def socket_wrapper(*args, **kwargs):
1924
# Restore original function so subsequent calls are
1925
# not affected.
1926
socket.socket = self.socket_socket
1927
del self.socket_socket
1928
# This time only, return a new socket object from the
1929
# saved file descriptor.
1930
return socket.fromfd(self.socketfd, *args, **kwargs)
1931
# Replace socket.socket() function with wrapper
1932
socket.socket = socket_wrapper
1933
# The socketserver.TCPServer.__init__ will call
1934
# socket.socket(), which might be our replacement,
1935
# socket_wrapper(), if socketfd was set.
929
1936
socketserver.TCPServer.__init__(self, server_address,
930
1937
RequestHandlerClass)
1938
931
1939
def server_bind(self):
932
1940
"""This overrides the normal server_bind() function
933
1941
to bind to an interface if one was specified, and also NOT to
934
1942
bind to an address or port if they were not specified."""
935
1943
if self.interface is not None:
936
1944
if SO_BINDTODEVICE is None:
937
logger.error(u"SO_BINDTODEVICE does not exist;"
938
u" cannot bind to interface %s",
1945
logger.error("SO_BINDTODEVICE does not exist;"
1946
" cannot bind to interface %s",
939
1947
self.interface)
940
1948
else:
941
1949
try:
942
1950
self.socket.setsockopt(socket.SOL_SOCKET,
943
1951
SO_BINDTODEVICE,
944
str(self.interface
945
+ u'\0'))
946
except socket.error, error:
947
if error[0] == errno.EPERM:
948
logger.error(u"No permission to"
949
u" bind to interface %s",
950
self.interface)
951
elif error[0] == errno.ENOPROTOOPT:
952
logger.error(u"SO_BINDTODEVICE not available;"
953
u" cannot bind to interface %s",
954
self.interface)
1952
str(self.interface + '\0'))
1953
except socket.error as error:
1954
if error.errno == errno.EPERM:
1955
logger.error("No permission to bind to"
1956
" interface %s", self.interface)
1957
elif error.errno == errno.ENOPROTOOPT:
1958
logger.error("SO_BINDTODEVICE not available;"
1959
" cannot bind to interface %s",
1960
self.interface)
1961
elif error.errno == errno.ENODEV:
1962
logger.error("Interface %s does not exist,"
1963
" cannot bind", self.interface)
955
1964
else:
956
1965
raise
957
1966
# Only bind(2) the socket if we really need to.
958
1967
if self.server_address[0] or self.server_address[1]:
959
1968
if not self.server_address[0]:
960
1969
if self.address_family == socket.AF_INET6:
961
any_address = u"::" # in6addr_any
1970
any_address = "::" # in6addr_any
962
1971
else:
963
1972
any_address = socket.INADDR_ANY
964
1973
self.server_address = (any_address,
982
1991
clients: set of Client objects
983
1992
gnutls_priority GnuTLS priority string
984
1993
use_dbus: Boolean; to emit D-Bus signals or not
985
clients: set of Client objects
986
gnutls_priority GnuTLS priority string
987
use_dbus: Boolean; to emit D-Bus signals or not
988
1994
989
1995
Assumes a gobject.MainLoop event loop.
990
1996
"""
991
1997
def __init__(self, server_address, RequestHandlerClass,
992
1998
interface=None, use_ipv6=True, clients=None,
993
gnutls_priority=None, use_dbus=True):
1999
gnutls_priority=None, use_dbus=True, socketfd=None):
994
2000
self.enabled = False
995
2001
self.clients = clients
996
2002
if self.clients is None:
997
self.clients = set()
2003
self.clients = {}
998
2004
self.use_dbus = use_dbus
999
2005
self.gnutls_priority = gnutls_priority
1000
2006
IPv6_TCPServer.__init__(self, server_address,
1001
2007
RequestHandlerClass,
1002
2008
interface = interface,
1003
use_ipv6 = use_ipv6)
2009
use_ipv6 = use_ipv6,
2010
socketfd = socketfd)
1004
2011
def server_activate(self):
1005
2012
if self.enabled:
1006
2013
return socketserver.TCPServer.server_activate(self)
2014
1007
2015
def enable(self):
1008
2016
self.enabled = True
1009
def add_pipe(self, pipe):
2017
2018
def add_pipe(self, parent_pipe, proc):
1010
2019
# Call "handle_ipc" for both data and EOF events
1011
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1012
self.handle_ipc)
1013
def handle_ipc(self, source, condition, file_objects={}):
1014
condition_names = {
1015
gobject.IO_IN: u"IN", # There is data to read.
1016
gobject.IO_OUT: u"OUT", # Data can be written (without
1017
# blocking).
1018
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1019
gobject.IO_ERR: u"ERR", # Error condition.
1020
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1021
# broken, usually for pipes and
1022
# sockets).
1023
}
1024
conditions_string = ' | '.join(name
1025
for cond, name in
1026
condition_names.iteritems()
1027
if cond & condition)
1028
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1029
conditions_string)
1030
1031
# Turn the pipe file descriptor into a Python file object
1032
if source not in file_objects:
1033
file_objects[source] = os.fdopen(source, u"r", 1)
1034
1035
# Read a line from the file object
1036
cmdline = file_objects[source].readline()
1037
if not cmdline: # Empty line means end of file
1038
# close the IPC pipe
1039
file_objects[source].close()
1040
del file_objects[source]
1041
1042
# Stop calling this function
1043
return False
1044
1045
logger.debug(u"IPC command: %r", cmdline)
1046
1047
# Parse and act on command
1048
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1049
1050
if cmd == u"NOTFOUND":
1051
logger.warning(u"Client not found for fingerprint: %s",
1052
args)
1053
if self.use_dbus:
1054
# Emit D-Bus signal
1055
mandos_dbus_service.ClientNotFound(args)
1056
elif cmd == u"INVALID":
1057
for client in self.clients:
1058
if client.name == args:
1059
logger.warning(u"Client %s is invalid", args)
1060
if self.use_dbus:
1061
# Emit D-Bus signal
1062
client.Rejected()
1063
break
1064
else:
1065
logger.error(u"Unknown client %s is invalid", args)
1066
elif cmd == u"SENDING":
1067
for client in self.clients:
1068
if client.name == args:
1069
logger.info(u"Sending secret to %s", client.name)
1070
client.checked_ok()
1071
if self.use_dbus:
1072
# Emit D-Bus signal
1073
client.ReceivedSecret()
1074
break
1075
else:
1076
logger.error(u"Sending secret to unknown client %s",
1077
args)
2020
gobject.io_add_watch(parent_pipe.fileno(),
2021
gobject.IO_IN | gobject.IO_HUP,
2022
functools.partial(self.handle_ipc,
2023
parent_pipe =
2024
parent_pipe,
2025
proc = proc))
2026
2027
def handle_ipc(self, source, condition, parent_pipe=None,
2028
proc = None, client_object=None):
2029
# error, or the other end of multiprocessing.Pipe has closed
2030
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2031
# Wait for other process to exit
2032
proc.join()
2033
return False
2034
2035
# Read a request from the child
2036
request = parent_pipe.recv()
2037
command = request[0]
2038
2039
if command == 'init':
2040
fpr = request[1]
2041
address = request[2]
2042
2043
for c in self.clients.itervalues():
2044
if c.fingerprint == fpr:
2045
client = c
2046
break
2047
else:
2048
logger.info("Client not found for fingerprint: %s, ad"
2049
"dress: %s", fpr, address)
2050
if self.use_dbus:
2051
# Emit D-Bus signal
2052
mandos_dbus_service.ClientNotFound(fpr,
2053
address[0])
2054
parent_pipe.send(False)
2055
return False
2056
2057
gobject.io_add_watch(parent_pipe.fileno(),
2058
gobject.IO_IN | gobject.IO_HUP,
2059
functools.partial(self.handle_ipc,
2060
parent_pipe =
2061
parent_pipe,
2062
proc = proc,
2063
client_object =
2064
client))
2065
parent_pipe.send(True)
2066
# remove the old hook in favor of the new above hook on
2067
# same fileno
2068
return False
2069
if command == 'funcall':
2070
funcname = request[1]
2071
args = request[2]
2072
kwargs = request[3]
2073
2074
parent_pipe.send(('data', getattr(client_object,
2075
funcname)(*args,
2076
**kwargs)))
2077
2078
if command == 'getattr':
2079
attrname = request[1]
2080
if callable(client_object.__getattribute__(attrname)):
2081
parent_pipe.send(('function',))
2082
else:
2083
parent_pipe.send(('data', client_object
2084
.__getattribute__(attrname)))
2085
2086
if command == 'setattr':
2087
attrname = request[1]
2088
value = request[2]
2089
setattr(client_object, attrname, value)
2090
2091
return True
2092
2093
2094
def rfc3339_duration_to_delta(duration):
2095
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2096
2097
>>> rfc3339_duration_to_delta("P7D")
2098
datetime.timedelta(7)
2099
>>> rfc3339_duration_to_delta("PT60S")
2100
datetime.timedelta(0, 60)
2101
>>> rfc3339_duration_to_delta("PT60M")
2102
datetime.timedelta(0, 3600)
2103
>>> rfc3339_duration_to_delta("PT24H")
2104
datetime.timedelta(1)
2105
>>> rfc3339_duration_to_delta("P1W")
2106
datetime.timedelta(7)
2107
>>> rfc3339_duration_to_delta("PT5M30S")
2108
datetime.timedelta(0, 330)
2109
>>> rfc3339_duration_to_delta("P1DT3M20S")
2110
datetime.timedelta(1, 200)
2111
"""
2112
2113
# Parsing an RFC 3339 duration with regular expressions is not
2114
# possible - there would have to be multiple places for the same
2115
# values, like seconds. The current code, while more esoteric, is
2116
# cleaner without depending on a parsing library. If Python had a
2117
# built-in library for parsing we would use it, but we'd like to
2118
# avoid excessive use of external libraries.
2119
2120
# New type for defining tokens, syntax, and semantics all-in-one
2121
Token = collections.namedtuple("Token",
2122
("regexp", # To match token; if
2123
# "value" is not None,
2124
# must have a "group"
2125
# containing digits
2126
"value", # datetime.timedelta or
2127
# None
2128
"followers")) # Tokens valid after
2129
# this token
2130
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2131
# the "duration" ABNF definition in RFC 3339, Appendix A.
2132
token_end = Token(re.compile(r"$"), None, frozenset())
2133
token_second = Token(re.compile(r"(\d+)S"),
2134
datetime.timedelta(seconds=1),
2135
frozenset((token_end,)))
2136
token_minute = Token(re.compile(r"(\d+)M"),
2137
datetime.timedelta(minutes=1),
2138
frozenset((token_second, token_end)))
2139
token_hour = Token(re.compile(r"(\d+)H"),
2140
datetime.timedelta(hours=1),
2141
frozenset((token_minute, token_end)))
2142
token_time = Token(re.compile(r"T"),
2143
None,
2144
frozenset((token_hour, token_minute,
2145
token_second)))
2146
token_day = Token(re.compile(r"(\d+)D"),
2147
datetime.timedelta(days=1),
2148
frozenset((token_time, token_end)))
2149
token_month = Token(re.compile(r"(\d+)M"),
2150
datetime.timedelta(weeks=4),
2151
frozenset((token_day, token_end)))
2152
token_year = Token(re.compile(r"(\d+)Y"),
2153
datetime.timedelta(weeks=52),
2154
frozenset((token_month, token_end)))
2155
token_week = Token(re.compile(r"(\d+)W"),
2156
datetime.timedelta(weeks=1),
2157
frozenset((token_end,)))
2158
token_duration = Token(re.compile(r"P"), None,
2159
frozenset((token_year, token_month,
2160
token_day, token_time,
2161
token_week))),
2162
# Define starting values
2163
value = datetime.timedelta() # Value so far
2164
found_token = None
2165
followers = frozenset(token_duration,) # Following valid tokens
2166
s = duration # String left to parse
2167
# Loop until end token is found
2168
while found_token is not token_end:
2169
# Search for any currently valid tokens
2170
for token in followers:
2171
match = token.regexp.match(s)
2172
if match is not None:
2173
# Token found
2174
if token.value is not None:
2175
# Value found, parse digits
2176
factor = int(match.group(1), 10)
2177
# Add to value so far
2178
value += factor * token.value
2179
# Strip token from string
2180
s = token.regexp.sub("", s, 1)
2181
# Go to found token
2182
found_token = token
2183
# Set valid next tokens
2184
followers = found_token.followers
2185
break
1078
2186
else:
1079
logger.error(u"Unknown IPC command: %r", cmdline)
1080
1081
# Keep calling this function
1082
return True
2187
# No currently valid tokens were found
2188
raise ValueError("Invalid RFC 3339 duration")
2189
# End token found
2190
return value
1083
2191
1084
2192
1085
2193
def string_to_delta(interval):
1086
2194
"""Parse a string and return a datetime.timedelta
1087
2195
1088
>>> string_to_delta(u'7d')
2196
>>> string_to_delta('7d')
1089
2197
datetime.timedelta(7)
1090
>>> string_to_delta(u'60s')
2198
>>> string_to_delta('60s')
1091
2199
datetime.timedelta(0, 60)
1092
>>> string_to_delta(u'60m')
2200
>>> string_to_delta('60m')
1093
2201
datetime.timedelta(0, 3600)
1094
>>> string_to_delta(u'24h')
2202
>>> string_to_delta('24h')
1095
2203
datetime.timedelta(1)
1096
>>> string_to_delta(u'1w')
2204
>>> string_to_delta('1w')
1097
2205
datetime.timedelta(7)
1098
>>> string_to_delta(u'5m 30s')
2206
>>> string_to_delta('5m 30s')
1099
2207
datetime.timedelta(0, 330)
1100
2208
"""
2209
2210
try:
2211
return rfc3339_duration_to_delta(interval)
2212
except ValueError:
2213
pass
2214
1101
2215
timevalue = datetime.timedelta(0)
1102
2216
for s in interval.split():
1103
2217
try:
1104
2218
suffix = unicode(s[-1])
1105
2219
value = int(s[:-1])
1106
if suffix == u"d":
2220
if suffix == "d":
1107
2221
delta = datetime.timedelta(value)
1108
elif suffix == u"s":
2222
elif suffix == "s":
1109
2223
delta = datetime.timedelta(0, value)
1110
elif suffix == u"m":
2224
elif suffix == "m":
1111
2225
delta = datetime.timedelta(0, 0, 0, 0, value)
1112
elif suffix == u"h":
2226
elif suffix == "h":
1113
2227
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1114
elif suffix == u"w":
2228
elif suffix == "w":
1115
2229
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1116
2230
else:
1117
raise ValueError
1118
except (ValueError, IndexError):
1119
raise ValueError
2231
raise ValueError("Unknown suffix {0!r}"
2232
.format(suffix))
2233
except (ValueError, IndexError) as e:
2234
raise ValueError(*(e.args))
1120
2235
timevalue += delta
1121
2236
return timevalue
1122
2237
1123
2238
1124
def if_nametoindex(interface):
1125
"""Call the C function if_nametoindex(), or equivalent
1126
1127
Note: This function cannot accept a unicode string."""
1128
global if_nametoindex
1129
try:
1130
if_nametoindex = (ctypes.cdll.LoadLibrary
1131
(ctypes.util.find_library(u"c"))
1132
.if_nametoindex)
1133
except (OSError, AttributeError):
1134
logger.warning(u"Doing if_nametoindex the hard way")
1135
def if_nametoindex(interface):
1136
"Get an interface index the hard way, i.e. using fcntl()"
1137
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1138
with closing(socket.socket()) as s:
1139
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1140
struct.pack(str(u"16s16x"),
1141
interface))
1142
interface_index = struct.unpack(str(u"I"),
1143
ifreq[16:20])[0]
1144
return interface_index
1145
return if_nametoindex(interface)
1146
1147
1148
2239
def daemon(nochdir = False, noclose = False):
1149
2240
"""See daemon(3). Standard BSD Unix function.
1150
2241
1153
2244
sys.exit()
1154
2245
os.setsid()
1155
2246
if not nochdir:
1156
os.chdir(u"/")
2247
os.chdir("/")
1157
2248
if os.fork():
1158
2249
sys.exit()
1159
2250
if not noclose:
1160
2251
# Close all standard open file descriptors
1161
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2252
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1162
2253
if not stat.S_ISCHR(os.fstat(null).st_mode):
1163
2254
raise OSError(errno.ENODEV,
1164
u"/dev/null not a character device")
2255
"{0} not a character device"
2256
.format(os.devnull))
1165
2257
os.dup2(null, sys.stdin.fileno())
1166
2258
os.dup2(null, sys.stdout.fileno())
1167
2259
os.dup2(null, sys.stderr.fileno())
1171
2263
1172
2264
def main():
1173
2265
1174
######################################################################
2266
##################################################################
1175
2267
# Parsing of options, both command line and config file
1176
2268
1177
parser = optparse.OptionParser(version = "%%prog %s" % version)
1178
parser.add_option("-i", u"--interface", type=u"string",
1179
metavar="IF", help=u"Bind to interface IF")
1180
parser.add_option("-a", u"--address", type=u"string",
1181
help=u"Address to listen for requests on")
1182
parser.add_option("-p", u"--port", type=u"int",
1183
help=u"Port number to receive requests on")
1184
parser.add_option("--check", action=u"store_true",
1185
help=u"Run self-test")
1186
parser.add_option("--debug", action=u"store_true",
1187
help=u"Debug mode; run in foreground and log to"
1188
u" terminal")
1189
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1190
u" priority string (see GnuTLS documentation)")
1191
parser.add_option("--servicename", type=u"string",
1192
metavar=u"NAME", help=u"Zeroconf service name")
1193
parser.add_option("--configdir", type=u"string",
1194
default=u"/etc/mandos", metavar=u"DIR",
1195
help=u"Directory to search for configuration"
1196
u" files")
1197
parser.add_option("--no-dbus", action=u"store_false",
1198
dest=u"use_dbus", help=u"Do not provide D-Bus"
1199
u" system bus interface")
1200
parser.add_option("--no-ipv6", action=u"store_false",
1201
dest=u"use_ipv6", help=u"Do not use IPv6")
1202
options = parser.parse_args()[0]
2269
parser = argparse.ArgumentParser()
2270
parser.add_argument("-v", "--version", action="version",
2271
version = "%(prog)s {0}".format(version),
2272
help="show version number and exit")
2273
parser.add_argument("-i", "--interface", metavar="IF",
2274
help="Bind to interface IF")
2275
parser.add_argument("-a", "--address",
2276
help="Address to listen for requests on")
2277
parser.add_argument("-p", "--port", type=int,
2278
help="Port number to receive requests on")
2279
parser.add_argument("--check", action="store_true",
2280
help="Run self-test")
2281
parser.add_argument("--debug", action="store_true",
2282
help="Debug mode; run in foreground and log"
2283
" to terminal")
2284
parser.add_argument("--debuglevel", metavar="LEVEL",
2285
help="Debug level for stdout output")
2286
parser.add_argument("--priority", help="GnuTLS"
2287
" priority string (see GnuTLS documentation)")
2288
parser.add_argument("--servicename",
2289
metavar="NAME", help="Zeroconf service name")
2290
parser.add_argument("--configdir",
2291
default="/etc/mandos", metavar="DIR",
2292
help="Directory to search for configuration"
2293
" files")
2294
parser.add_argument("--no-dbus", action="store_false",
2295
dest="use_dbus", help="Do not provide D-Bus"
2296
" system bus interface")
2297
parser.add_argument("--no-ipv6", action="store_false",
2298
dest="use_ipv6", help="Do not use IPv6")
2299
parser.add_argument("--no-restore", action="store_false",
2300
dest="restore", help="Do not restore stored"
2301
" state")
2302
parser.add_argument("--socket", type=int,
2303
help="Specify a file descriptor to a network"
2304
" socket to use instead of creating one")
2305
parser.add_argument("--statedir", metavar="DIR",
2306
help="Directory to save/restore state in")
2307
parser.add_argument("--foreground", action="store_true",
2308
help="Run in foreground")
2309
2310
options = parser.parse_args()
1203
2311
1204
2312
if options.check:
1205
2313
import doctest
1207
2315
sys.exit()
1208
2316
1209
2317
# Default values for config file for server-global settings
1210
server_defaults = { u"interface": u"",
1211
u"address": u"",
1212
u"port": u"",
1213
u"debug": u"False",
1214
u"priority":
1215
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1216
u"servicename": u"Mandos",
1217
u"use_dbus": u"True",
1218
u"use_ipv6": u"True",
2318
server_defaults = { "interface": "",
2319
"address": "",
2320
"port": "",
2321
"debug": "False",
2322
"priority":
2323
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2324
"servicename": "Mandos",
2325
"use_dbus": "True",
2326
"use_ipv6": "True",
2327
"debuglevel": "",
2328
"restore": "True",
2329
"socket": "",
2330
"statedir": "/var/lib/mandos",
2331
"foreground": "False",
1219
2332
}
1220
2333
1221
2334
# Parse config file for server-global settings
1222
2335
server_config = configparser.SafeConfigParser(server_defaults)
1223
2336
del server_defaults
1224
2337
server_config.read(os.path.join(options.configdir,
1225
u"mandos.conf"))
2338
"mandos.conf"))
1226
2339
# Convert the SafeConfigParser object to a dict
1227
2340
server_settings = server_config.defaults()
1228
2341
# Use the appropriate methods on the non-string config options
1229
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1230
server_settings[option] = server_config.getboolean(u"DEFAULT",
2342
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2343
server_settings[option] = server_config.getboolean("DEFAULT",
1231
2344
option)
1232
2345
if server_settings["port"]:
1233
server_settings["port"] = server_config.getint(u"DEFAULT",
1234
u"port")
2346
server_settings["port"] = server_config.getint("DEFAULT",
2347
"port")
2348
if server_settings["socket"]:
2349
server_settings["socket"] = server_config.getint("DEFAULT",
2350
"socket")
2351
# Later, stdin will, and stdout and stderr might, be dup'ed
2352
# over with an opened os.devnull. But we don't want this to
2353
# happen with a supplied network socket.
2354
if 0 <= server_settings["socket"] <= 2:
2355
server_settings["socket"] = os.dup(server_settings
2356
["socket"])
1235
2357
del server_config
1236
2358
1237
2359
# Override the settings from the config file with command line
1238
2360
# options, if set.
1239
for option in (u"interface", u"address", u"port", u"debug",
1240
u"priority", u"servicename", u"configdir",
1241
u"use_dbus", u"use_ipv6"):
2361
for option in ("interface", "address", "port", "debug",
2362
"priority", "servicename", "configdir",
2363
"use_dbus", "use_ipv6", "debuglevel", "restore",
2364
"statedir", "socket", "foreground"):
1242
2365
value = getattr(options, option)
1243
2366
if value is not None:
1244
2367
server_settings[option] = value
1247
2370
for option in server_settings.keys():
1248
2371
if type(server_settings[option]) is str:
1249
2372
server_settings[option] = unicode(server_settings[option])
2373
# Debug implies foreground
2374
if server_settings["debug"]:
2375
server_settings["foreground"] = True
1250
2376
# Now we have our good server settings in "server_settings"
1251
2377
1252
2378
##################################################################
1253
2379
1254
2380
# For convenience
1255
debug = server_settings[u"debug"]
1256
use_dbus = server_settings[u"use_dbus"]
1257
use_ipv6 = server_settings[u"use_ipv6"]
1258
1259
if not debug:
1260
syslogger.setLevel(logging.WARNING)
1261
console.setLevel(logging.WARNING)
1262
1263
if server_settings[u"servicename"] != u"Mandos":
2381
debug = server_settings["debug"]
2382
debuglevel = server_settings["debuglevel"]
2383
use_dbus = server_settings["use_dbus"]
2384
use_ipv6 = server_settings["use_ipv6"]
2385
stored_state_path = os.path.join(server_settings["statedir"],
2386
stored_state_file)
2387
foreground = server_settings["foreground"]
2388
2389
if debug:
2390
initlogger(debug, logging.DEBUG)
2391
else:
2392
if not debuglevel:
2393
initlogger(debug)
2394
else:
2395
level = getattr(logging, debuglevel.upper())
2396
initlogger(debug, level)
2397
2398
if server_settings["servicename"] != "Mandos":
1264
2399
syslogger.setFormatter(logging.Formatter
1265
(u'Mandos (%s) [%%(process)d]:'
1266
u' %%(levelname)s: %%(message)s'
1267
% server_settings[u"servicename"]))
2400
('Mandos ({0}) [%(process)d]:'
2401
' %(levelname)s: %(message)s'
2402
.format(server_settings
2403
["servicename"])))
1268
2404
1269
2405
# Parse config file with clients
1270
client_defaults = { u"timeout": u"1h",
1271
u"interval": u"5m",
1272
u"checker": u"fping -q -- %%(host)s",
1273
u"host": u"",
1274
}
1275
client_config = configparser.SafeConfigParser(client_defaults)
1276
client_config.read(os.path.join(server_settings[u"configdir"],
1277
u"clients.conf"))
2406
client_config = configparser.SafeConfigParser(Client
2407
.client_defaults)
2408
client_config.read(os.path.join(server_settings["configdir"],
2409
"clients.conf"))
1278
2410
1279
2411
global mandos_dbus_service
1280
2412
mandos_dbus_service = None
1281
2413
1282
tcp_server = MandosServer((server_settings[u"address"],
1283
server_settings[u"port"]),
2414
tcp_server = MandosServer((server_settings["address"],
2415
server_settings["port"]),
1284
2416
ClientHandler,
1285
interface=server_settings[u"interface"],
2417
interface=(server_settings["interface"]
2418
or None),
1286
2419
use_ipv6=use_ipv6,
1287
2420
gnutls_priority=
1288
server_settings[u"priority"],
1289
use_dbus=use_dbus)
1290
pidfilename = u"/var/run/mandos.pid"
1291
try:
1292
pidfile = open(pidfilename, u"w")
1293
except IOError:
1294
logger.error(u"Could not open file %r", pidfilename)
2421
server_settings["priority"],
2422
use_dbus=use_dbus,
2423
socketfd=(server_settings["socket"]
2424
or None))
2425
if not foreground:
2426
pidfilename = "/var/run/mandos.pid"
2427
pidfile = None
2428
try:
2429
pidfile = open(pidfilename, "w")
2430
except IOError as e:
2431
logger.error("Could not open file %r", pidfilename,
2432
exc_info=e)
1295
2433
1296
try:
1297
uid = pwd.getpwnam(u"_mandos").pw_uid
1298
gid = pwd.getpwnam(u"_mandos").pw_gid
1299
except KeyError:
2434
for name in ("_mandos", "mandos", "nobody"):
1300
2435
try:
1301
uid = pwd.getpwnam(u"mandos").pw_uid
1302
gid = pwd.getpwnam(u"mandos").pw_gid
2436
uid = pwd.getpwnam(name).pw_uid
2437
gid = pwd.getpwnam(name).pw_gid
2438
break
1303
2439
except KeyError:
1304
try:
1305
uid = pwd.getpwnam(u"nobody").pw_uid
1306
gid = pwd.getpwnam(u"nobody").pw_gid
1307
except KeyError:
1308
uid = 65534
1309
gid = 65534
2440
continue
2441
else:
2442
uid = 65534
2443
gid = 65534
1310
2444
try:
1311
2445
os.setgid(gid)
1312
2446
os.setuid(uid)
1313
except OSError, error:
1314
if error[0] != errno.EPERM:
2447
except OSError as error:
2448
if error.errno != errno.EPERM:
1315
2449
raise error
1316
2450
1317
# Enable all possible GnuTLS debugging
1318
2451
if debug:
2452
# Enable all possible GnuTLS debugging
2453
1319
2454
# "Use a log level over 10 to enable all debugging options."
1320
2455
# - GnuTLS manual
1321
2456
gnutls.library.functions.gnutls_global_set_log_level(11)
1322
2457
1323
2458
@gnutls.library.types.gnutls_log_func
1324
2459
def debug_gnutls(level, string):
1325
logger.debug(u"GnuTLS: %s", string[:-1])
2460
logger.debug("GnuTLS: %s", string[:-1])
1326
2461
1327
2462
(gnutls.library.functions
1328
2463
.gnutls_global_set_log_function(debug_gnutls))
2464
2465
# Redirect stdin so all checkers get /dev/null
2466
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2467
os.dup2(null, sys.stdin.fileno())
2468
if null > 2:
2469
os.close(null)
2470
2471
# Need to fork before connecting to D-Bus
2472
if not foreground:
2473
# Close all input and output, do double fork, etc.
2474
daemon()
2475
2476
# multiprocessing will use threads, so before we use gobject we
2477
# need to inform gobject that threads will be used.
2478
gobject.threads_init()
1329
2479
1330
2480
global main_loop
1331
2481
# From the Avahi example code
1332
DBusGMainLoop(set_as_default=True )
2482
DBusGMainLoop(set_as_default=True)
1333
2483
main_loop = gobject.MainLoop()
1334
2484
bus = dbus.SystemBus()
1335
2485
# End of Avahi example code
1336
2486
if use_dbus:
1337
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
2487
try:
2488
bus_name = dbus.service.BusName("se.recompile.Mandos",
2489
bus, do_not_queue=True)
2490
old_bus_name = (dbus.service.BusName
2491
("se.bsnet.fukt.Mandos", bus,
2492
do_not_queue=True))
2493
except dbus.exceptions.NameExistsException as e:
2494
logger.error("Disabling D-Bus:", exc_info=e)
2495
use_dbus = False
2496
server_settings["use_dbus"] = False
2497
tcp_server.use_dbus = False
1338
2498
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1339
service = AvahiService(name = server_settings[u"servicename"],
1340
servicetype = u"_mandos._tcp",
1341
protocol = protocol, bus = bus)
2499
service = AvahiServiceToSyslog(name =
2500
server_settings["servicename"],
2501
servicetype = "_mandos._tcp",
2502
protocol = protocol, bus = bus)
1342
2503
if server_settings["interface"]:
1343
2504
service.interface = (if_nametoindex
1344
(str(server_settings[u"interface"])))
2505
(str(server_settings["interface"])))
2506
2507
global multiprocessing_manager
2508
multiprocessing_manager = multiprocessing.Manager()
1345
2509
1346
2510
client_class = Client
1347
2511
if use_dbus:
1348
2512
client_class = functools.partial(ClientDBus, bus = bus)
1349
tcp_server.clients.update(set(
1350
client_class(name = section,
1351
config= dict(client_config.items(section)))
1352
for section in client_config.sections()))
2513
2514
client_settings = Client.config_parser(client_config)
2515
old_client_settings = {}
2516
clients_data = {}
2517
2518
# Get client data and settings from last running state.
2519
if server_settings["restore"]:
2520
try:
2521
with open(stored_state_path, "rb") as stored_state:
2522
clients_data, old_client_settings = (pickle.load
2523
(stored_state))
2524
os.remove(stored_state_path)
2525
except IOError as e:
2526
if e.errno == errno.ENOENT:
2527
logger.warning("Could not load persistent state: {0}"
2528
.format(os.strerror(e.errno)))
2529
else:
2530
logger.critical("Could not load persistent state:",
2531
exc_info=e)
2532
raise
2533
except EOFError as e:
2534
logger.warning("Could not load persistent state: "
2535
"EOFError:", exc_info=e)
2536
2537
with PGPEngine() as pgp:
2538
for client_name, client in clients_data.iteritems():
2539
# Decide which value to use after restoring saved state.
2540
# We have three different values: Old config file,
2541
# new config file, and saved state.
2542
# New config value takes precedence if it differs from old
2543
# config value, otherwise use saved state.
2544
for name, value in client_settings[client_name].items():
2545
try:
2546
# For each value in new config, check if it
2547
# differs from the old config value (Except for
2548
# the "secret" attribute)
2549
if (name != "secret" and
2550
value != old_client_settings[client_name]
2551
[name]):
2552
client[name] = value
2553
except KeyError:
2554
pass
2555
2556
# Clients who has passed its expire date can still be
2557
# enabled if its last checker was successful. Clients
2558
# whose checker succeeded before we stored its state is
2559
# assumed to have successfully run all checkers during
2560
# downtime.
2561
if client["enabled"]:
2562
if datetime.datetime.utcnow() >= client["expires"]:
2563
if not client["last_checked_ok"]:
2564
logger.warning(
2565
"disabling client {0} - Client never "
2566
"performed a successful checker"
2567
.format(client_name))
2568
client["enabled"] = False
2569
elif client["last_checker_status"] != 0:
2570
logger.warning(
2571
"disabling client {0} - Client "
2572
"last checker failed with error code {1}"
2573
.format(client_name,
2574
client["last_checker_status"]))
2575
client["enabled"] = False
2576
else:
2577
client["expires"] = (datetime.datetime
2578
.utcnow()
2579
+ client["timeout"])
2580
logger.debug("Last checker succeeded,"
2581
" keeping {0} enabled"
2582
.format(client_name))
2583
try:
2584
client["secret"] = (
2585
pgp.decrypt(client["encrypted_secret"],
2586
client_settings[client_name]
2587
["secret"]))
2588
except PGPError:
2589
# If decryption fails, we use secret from new settings
2590
logger.debug("Failed to decrypt {0} old secret"
2591
.format(client_name))
2592
client["secret"] = (
2593
client_settings[client_name]["secret"])
2594
2595
# Add/remove clients based on new changes made to config
2596
for client_name in (set(old_client_settings)
2597
- set(client_settings)):
2598
del clients_data[client_name]
2599
for client_name in (set(client_settings)
2600
- set(old_client_settings)):
2601
clients_data[client_name] = client_settings[client_name]
2602
2603
# Create all client objects
2604
for client_name, client in clients_data.iteritems():
2605
tcp_server.clients[client_name] = client_class(
2606
name = client_name, settings = client)
2607
1353
2608
if not tcp_server.clients:
1354
logger.warning(u"No clients defined")
1355
1356
if debug:
1357
# Redirect stdin so all checkers get /dev/null
1358
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1359
os.dup2(null, sys.stdin.fileno())
1360
if null > 2:
1361
os.close(null)
1362
else:
1363
# No console logging
1364
logger.removeHandler(console)
1365
# Close all input and output, do double fork, etc.
1366
daemon()
1367
1368
try:
1369
with closing(pidfile):
1370
pid = os.getpid()
1371
pidfile.write(str(pid) + "\n")
2609
logger.warning("No clients defined")
2610
2611
if not foreground:
2612
if pidfile is not None:
2613
try:
2614
with pidfile:
2615
pid = os.getpid()
2616
pidfile.write(str(pid) + "\n".encode("utf-8"))
2617
except IOError:
2618
logger.error("Could not write to file %r with PID %d",
2619
pidfilename, pid)
1372
2620
del pidfile
1373
except IOError:
1374
logger.error(u"Could not write to file %r with PID %d",
1375
pidfilename, pid)
1376
except NameError:
1377
# "pidfile" was never created
1378
pass
1379
del pidfilename
1380
1381
def cleanup():
1382
"Cleanup function; run on exit"
1383
service.cleanup()
1384
1385
while tcp_server.clients:
1386
client = tcp_server.clients.pop()
1387
client.disable_hook = None
1388
client.disable()
1389
1390
atexit.register(cleanup)
1391
1392
if not debug:
1393
signal.signal(signal.SIGINT, signal.SIG_IGN)
2621
del pidfilename
2622
1394
2623
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1395
2624
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1396
2625
1397
2626
if use_dbus:
1398
class MandosDBusService(dbus.service.Object):
2627
@alternate_dbus_interfaces({"se.recompile.Mandos":
2628
"se.bsnet.fukt.Mandos"})
2629
class MandosDBusService(DBusObjectWithProperties):
1399
2630
"""A D-Bus proxy object"""
1400
2631
def __init__(self):
1401
dbus.service.Object.__init__(self, bus, u"/")
1402
_interface = u"se.bsnet.fukt.Mandos"
1403
1404
@dbus.service.signal(_interface, signature=u"oa{sv}")
1405
def ClientAdded(self, objpath, properties):
1406
"D-Bus signal"
1407
pass
1408
1409
@dbus.service.signal(_interface, signature=u"s")
1410
def ClientNotFound(self, fingerprint):
1411
"D-Bus signal"
1412
pass
1413
1414
@dbus.service.signal(_interface, signature=u"os")
2632
dbus.service.Object.__init__(self, bus, "/")
2633
_interface = "se.recompile.Mandos"
2634
2635
@dbus_interface_annotations(_interface)
2636
def _foo(self):
2637
return { "org.freedesktop.DBus.Property"
2638
".EmitsChangedSignal":
2639
"false"}
2640
2641
@dbus.service.signal(_interface, signature="o")
2642
def ClientAdded(self, objpath):
2643
"D-Bus signal"
2644
pass
2645
2646
@dbus.service.signal(_interface, signature="ss")
2647
def ClientNotFound(self, fingerprint, address):
2648
"D-Bus signal"
2649
pass
2650
2651
@dbus.service.signal(_interface, signature="os")
1415
2652
def ClientRemoved(self, objpath, name):
1416
2653
"D-Bus signal"
1417
2654
pass
1418
2655
1419
@dbus.service.method(_interface, out_signature=u"ao")
2656
@dbus.service.method(_interface, out_signature="ao")
1420
2657
def GetAllClients(self):
1421
2658
"D-Bus method"
1422
2659
return dbus.Array(c.dbus_object_path
1423
for c in tcp_server.clients)
2660
for c in
2661
tcp_server.clients.itervalues())
1424
2662
1425
2663
@dbus.service.method(_interface,
1426
out_signature=u"a{oa{sv}}")
2664
out_signature="a{oa{sv}}")
1427
2665
def GetAllClientsWithProperties(self):
1428
2666
"D-Bus method"
1429
2667
return dbus.Dictionary(
1430
((c.dbus_object_path, c.GetAllProperties())
1431
for c in tcp_server.clients),
1432
signature=u"oa{sv}")
2668
((c.dbus_object_path, c.GetAll(""))
2669
for c in tcp_server.clients.itervalues()),
2670
signature="oa{sv}")
1433
2671
1434
@dbus.service.method(_interface, in_signature=u"o")
2672
@dbus.service.method(_interface, in_signature="o")
1435
2673
def RemoveClient(self, object_path):
1436
2674
"D-Bus method"
1437
for c in tcp_server.clients:
2675
for c in tcp_server.clients.itervalues():
1438
2676
if c.dbus_object_path == object_path:
1439
tcp_server.clients.remove(c)
2677
del tcp_server.clients[c.name]
1440
2678
c.remove_from_connection()
1441
2679
# Don't signal anything except ClientRemoved
1442
c.disable(signal=False)
2680
c.disable(quiet=True)
1443
2681
# Emit D-Bus signal
1444
2682
self.ClientRemoved(object_path, c.name)
1445
2683
return
1446
raise KeyError
2684
raise KeyError(object_path)
1447
2685
1448
2686
del _interface
1449
2687
1450
2688
mandos_dbus_service = MandosDBusService()
1451
2689
1452
for client in tcp_server.clients:
2690
def cleanup():
2691
"Cleanup function; run on exit"
2692
service.cleanup()
2693
2694
multiprocessing.active_children()
2695
if not (tcp_server.clients or client_settings):
2696
return
2697
2698
# Store client before exiting. Secrets are encrypted with key
2699
# based on what config file has. If config file is
2700
# removed/edited, old secret will thus be unrecovable.
2701
clients = {}
2702
with PGPEngine() as pgp:
2703
for client in tcp_server.clients.itervalues():
2704
key = client_settings[client.name]["secret"]
2705
client.encrypted_secret = pgp.encrypt(client.secret,
2706
key)
2707
client_dict = {}
2708
2709
# A list of attributes that can not be pickled
2710
# + secret.
2711
exclude = set(("bus", "changedstate", "secret",
2712
"checker"))
2713
for name, typ in (inspect.getmembers
2714
(dbus.service.Object)):
2715
exclude.add(name)
2716
2717
client_dict["encrypted_secret"] = (client
2718
.encrypted_secret)
2719
for attr in client.client_structure:
2720
if attr not in exclude:
2721
client_dict[attr] = getattr(client, attr)
2722
2723
clients[client.name] = client_dict
2724
del client_settings[client.name]["secret"]
2725
2726
try:
2727
with (tempfile.NamedTemporaryFile
2728
(mode='wb', suffix=".pickle", prefix='clients-',
2729
dir=os.path.dirname(stored_state_path),
2730
delete=False)) as stored_state:
2731
pickle.dump((clients, client_settings), stored_state)
2732
tempname=stored_state.name
2733
os.rename(tempname, stored_state_path)
2734
except (IOError, OSError) as e:
2735
if not debug:
2736
try:
2737
os.remove(tempname)
2738
except NameError:
2739
pass
2740
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2741
logger.warning("Could not save persistent state: {0}"
2742
.format(os.strerror(e.errno)))
2743
else:
2744
logger.warning("Could not save persistent state:",
2745
exc_info=e)
2746
raise e
2747
2748
# Delete all clients, and settings from config
2749
while tcp_server.clients:
2750
name, client = tcp_server.clients.popitem()
2751
if use_dbus:
2752
client.remove_from_connection()
2753
# Don't signal anything except ClientRemoved
2754
client.disable(quiet=True)
2755
if use_dbus:
2756
# Emit D-Bus signal
2757
mandos_dbus_service.ClientRemoved(client
2758
.dbus_object_path,
2759
client.name)
2760
client_settings.clear()
2761
2762
atexit.register(cleanup)
2763
2764
for client in tcp_server.clients.itervalues():
1453
2765
if use_dbus:
1454
2766
# Emit D-Bus signal
1455
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1456
client.GetAllProperties())
1457
client.enable()
2767
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2768
# Need to initiate checking of clients
2769
if client.enabled:
2770
client.init_checker()
1458
2771
1459
2772
tcp_server.enable()
1460
2773
tcp_server.server_activate()
1462
2775
# Find out what port we got
1463
2776
service.port = tcp_server.socket.getsockname()[1]
1464
2777
if use_ipv6:
1465
logger.info(u"Now listening on address %r, port %d,"
1466
" flowinfo %d, scope_id %d"
1467
% tcp_server.socket.getsockname())
2778
logger.info("Now listening on address %r, port %d,"
2779
" flowinfo %d, scope_id %d",
2780
*tcp_server.socket.getsockname())
1468
2781
else: # IPv4
1469
logger.info(u"Now listening on address %r, port %d"
1470
% tcp_server.socket.getsockname())
2782
logger.info("Now listening on address %r, port %d",
2783
*tcp_server.socket.getsockname())
1471
2784
1472
2785
#service.interface = tcp_server.socket.getsockname()[3]
1473
2786
1475
2788
# From the Avahi example code
1476
2789
try:
1477
2790
service.activate()
1478
except dbus.exceptions.DBusException, error:
1479
logger.critical(u"DBusException: %s", error)
2791
except dbus.exceptions.DBusException as error:
2792
logger.critical("D-Bus Exception", exc_info=error)
2793
cleanup()
1480
2794
sys.exit(1)
1481
2795
# End of Avahi example code
1482
2796
1485
2799
(tcp_server.handle_request
1486
2800
(*args[2:], **kwargs) or True))
1487
2801
1488
logger.debug(u"Starting main loop")
2802
logger.debug("Starting main loop")
1489
2803
main_loop.run()
1490
except AvahiError, error:
1491
logger.critical(u"AvahiError: %s", error)
2804
except AvahiError as error:
2805
logger.critical("Avahi Error", exc_info=error)
2806
cleanup()
1492
2807
sys.exit(1)
1493
2808
except KeyboardInterrupt:
1494
2809
if debug:
1495
print >> sys.stderr
1496
logger.debug(u"Server received KeyboardInterrupt")
1497
logger.debug(u"Server exiting")
2810
print("", file=sys.stderr)
2811
logger.debug("Server received KeyboardInterrupt")
2812
logger.debug("Server exiting")
2813
# Must run before the D-Bus bus name gets deregistered
2814
cleanup()
1498
2815
1499
2816
if __name__ == '__main__':
1500
2817
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0