86
88
except ImportError:
87
89
SO_BINDTODEVICE = None
91
if sys.version_info.major == 2:
90
95
stored_state_file = "clients.pickle"
92
97
logger = logging.getLogger()
93
syslogger = (logging.handlers.SysLogHandler
94
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
95
address = str("/dev/log")))
98
if_nametoindex = (ctypes.cdll.LoadLibrary
99
(ctypes.util.find_library("c"))
101
if_nametoindex = ctypes.cdll.LoadLibrary(
102
ctypes.util.find_library("c")).if_nametoindex
101
103
except (OSError, AttributeError):
102
105
def if_nametoindex(interface):
103
106
"Get an interface index the hard way, i.e. using fcntl()"
104
107
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
105
108
with contextlib.closing(socket.socket()) as s:
106
109
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
107
struct.pack(str("16s16x"),
109
interface_index = struct.unpack(str("I"),
110
struct.pack(b"16s16x", interface))
111
interface_index = struct.unpack("I", ifreq[16:20])[0]
111
112
return interface_index
114
115
def initlogger(debug, level=logging.WARNING):
115
116
"""init logger and add loglevel"""
119
syslogger = (logging.handlers.SysLogHandler(
120
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
121
address = "/dev/log"))
117
122
syslogger.setFormatter(logging.Formatter
118
123
('Mandos [%(process)d]: %(levelname)s:'
172
176
def password_encode(self, password):
173
177
# Passphrase can not be empty and can not contain newlines or
174
178
# NUL bytes. So we prefix it and hex encode it.
175
return b"mandos" + binascii.hexlify(password)
179
encoded = b"mandos" + binascii.hexlify(password)
180
if len(encoded) > 2048:
181
# GnuPG can't handle long passwords, so encode differently
182
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
183
.replace(b"\n", b"\\n")
184
.replace(b"\0", b"\\x00"))
177
187
def encrypt(self, data, password):
178
self.gnupg.passphrase = self.password_encode(password)
179
with open(os.devnull, "w") as devnull:
181
proc = self.gnupg.run(['--symmetric'],
182
create_fhs=['stdin', 'stdout'],
183
attach_fhs={'stderr': devnull})
184
with contextlib.closing(proc.handles['stdin']) as f:
186
with contextlib.closing(proc.handles['stdout']) as f:
187
ciphertext = f.read()
191
self.gnupg.passphrase = None
188
passphrase = self.password_encode(password)
189
with tempfile.NamedTemporaryFile(
190
dir=self.tempdir) as passfile:
191
passfile.write(passphrase)
193
proc = subprocess.Popen(['gpg', '--symmetric',
197
stdin = subprocess.PIPE,
198
stdout = subprocess.PIPE,
199
stderr = subprocess.PIPE)
200
ciphertext, err = proc.communicate(input = data)
201
if proc.returncode != 0:
192
203
return ciphertext
194
205
def decrypt(self, data, password):
195
self.gnupg.passphrase = self.password_encode(password)
196
with open(os.devnull, "w") as devnull:
198
proc = self.gnupg.run(['--decrypt'],
199
create_fhs=['stdin', 'stdout'],
200
attach_fhs={'stderr': devnull})
201
with contextlib.closing(proc.handles['stdin']) as f:
203
with contextlib.closing(proc.handles['stdout']) as f:
204
decrypted_plaintext = f.read()
208
self.gnupg.passphrase = None
206
passphrase = self.password_encode(password)
207
with tempfile.NamedTemporaryFile(
208
dir = self.tempdir) as passfile:
209
passfile.write(passphrase)
211
proc = subprocess.Popen(['gpg', '--decrypt',
215
stdin = subprocess.PIPE,
216
stdout = subprocess.PIPE,
217
stderr = subprocess.PIPE)
218
decrypted_plaintext, err = proc.communicate(input = data)
219
if proc.returncode != 0:
209
221
return decrypted_plaintext
212
224
class AvahiError(Exception):
213
225
def __init__(self, value, *args, **kwargs):
214
226
self.value = value
215
super(AvahiError, self).__init__(value, *args, **kwargs)
216
def __unicode__(self):
217
return unicode(repr(self.value))
227
return super(AvahiError, self).__init__(value, *args,
219
231
class AvahiServiceError(AvahiError):
222
235
class AvahiGroupError(AvahiError):
264
284
self.entry_group_state_changed_match = None
286
def rename(self, remove=True):
267
287
"""Derived from the Avahi example code"""
268
288
if self.rename_count >= self.max_renames:
269
289
logger.critical("No suitable Zeroconf service name found"
270
290
" after %i retries, exiting.",
271
291
self.rename_count)
272
292
raise AvahiServiceError("Too many renames")
273
self.name = unicode(self.server
274
.GetAlternativeServiceName(self.name))
294
self.server.GetAlternativeServiceName(self.name))
295
self.rename_count += 1
275
296
logger.info("Changing Zeroconf service name to %r ...",
280
302
except dbus.exceptions.DBusException as error:
281
logger.critical("D-Bus Exception", exc_info=error)
284
self.rename_count += 1
303
if (error.get_dbus_name()
304
== "org.freedesktop.Avahi.CollisionError"):
305
logger.info("Local Zeroconf service name collision.")
306
return self.rename(remove=False)
308
logger.critical("D-Bus Exception", exc_info=error)
286
312
def remove(self):
287
313
"""Derived from the Avahi example code"""
343
368
def server_state_changed(self, state, error=None):
344
369
"""Derived from the Avahi example code"""
345
370
logger.debug("Avahi server state change: %i", state)
346
bad_states = { avahi.SERVER_INVALID:
347
"Zeroconf server invalid",
348
avahi.SERVER_REGISTERING: None,
349
avahi.SERVER_COLLISION:
350
"Zeroconf server name collision",
351
avahi.SERVER_FAILURE:
352
"Zeroconf server failure" }
372
avahi.SERVER_INVALID: "Zeroconf server invalid",
373
avahi.SERVER_REGISTERING: None,
374
avahi.SERVER_COLLISION: "Zeroconf server name collision",
375
avahi.SERVER_FAILURE: "Zeroconf server failure",
353
377
if state in bad_states:
354
378
if bad_states[state] is not None:
355
379
if error is None:
374
398
follow_name_owner_changes=True),
375
399
avahi.DBUS_INTERFACE_SERVER)
376
400
self.server.connect_to_signal("StateChanged",
377
self.server_state_changed)
401
self.server_state_changed)
378
402
self.server_state_changed(self.server.GetState())
380
405
class AvahiServiceToSyslog(AvahiService):
406
def rename(self, *args, **kwargs):
382
407
"""Add the new name to the syslog messages"""
383
ret = AvahiService.rename(self)
384
syslogger.setFormatter(logging.Formatter
385
('Mandos ({0}) [%(process)d]:'
386
' %(levelname)s: %(message)s'
408
ret = AvahiService.rename(self, *args, **kwargs)
409
syslogger.setFormatter(logging.Formatter(
410
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
390
def timedelta_to_milliseconds(td):
391
"Convert a datetime.timedelta() to milliseconds"
392
return ((td.days * 24 * 60 * 60 * 1000)
393
+ (td.seconds * 1000)
394
+ (td.microseconds // 1000))
396
415
class Client(object):
397
416
"""A representation of a client host served by this server.
434
453
runtime_expansions: Allowed attributes for runtime expansion.
435
454
expires: datetime.datetime(); time (UTC) when a client will be
436
455
disabled, or None
456
server_settings: The server_settings dict from main()
439
459
runtime_expansions = ("approval_delay", "approval_duration",
440
"created", "enabled", "fingerprint",
441
"host", "interval", "last_checked_ok",
460
"created", "enabled", "expires",
461
"fingerprint", "host", "interval",
462
"last_approval_request", "last_checked_ok",
442
463
"last_enabled", "name", "timeout")
443
client_defaults = { "timeout": "5m",
444
"extended_timeout": "15m",
446
"checker": "fping -q -- %%(host)s",
448
"approval_delay": "0s",
449
"approval_duration": "1s",
450
"approved_by_default": "True",
454
def timeout_milliseconds(self):
455
"Return the 'timeout' attribute in milliseconds"
456
return timedelta_to_milliseconds(self.timeout)
458
def extended_timeout_milliseconds(self):
459
"Return the 'extended_timeout' attribute in milliseconds"
460
return timedelta_to_milliseconds(self.extended_timeout)
462
def interval_milliseconds(self):
463
"Return the 'interval' attribute in milliseconds"
464
return timedelta_to_milliseconds(self.interval)
466
def approval_delay_milliseconds(self):
467
return timedelta_to_milliseconds(self.approval_delay)
466
"extended_timeout": "PT15M",
468
"checker": "fping -q -- %%(host)s",
470
"approval_delay": "PT0S",
471
"approval_duration": "PT1S",
472
"approved_by_default": "True",
470
477
def config_parser(config):
545
555
self.current_checker_command = None
546
556
self.approved = None
547
557
self.approvals_pending = 0
548
self.changedstate = (multiprocessing_manager
549
.Condition(multiprocessing_manager
551
self.client_structure = [attr for attr in
552
self.__dict__.iterkeys()
558
self.changedstate = multiprocessing_manager.Condition(
559
multiprocessing_manager.Lock())
560
self.client_structure = [attr
561
for attr in self.__dict__.iterkeys()
553
562
if not attr.startswith("_")]
554
563
self.client_structure.append("client_structure")
556
for name, t in inspect.getmembers(type(self),
565
for name, t in inspect.getmembers(
566
type(self), lambda obj: isinstance(obj, property)):
560
567
if not name.startswith("_"):
561
568
self.client_structure.append(name)
570
577
if getattr(self, "enabled", False):
571
578
# Already enabled
573
self.send_changedstate()
574
580
self.expires = datetime.datetime.utcnow() + self.timeout
575
581
self.enabled = True
576
582
self.last_enabled = datetime.datetime.utcnow()
577
583
self.init_checker()
584
self.send_changedstate()
579
586
def disable(self, quiet=True):
580
587
"""Disable this client."""
581
588
if not getattr(self, "enabled", False):
584
self.send_changedstate()
586
591
logger.info("Disabling client %s", self.name)
587
if getattr(self, "disable_initiator_tag", False):
592
if getattr(self, "disable_initiator_tag", None) is not None:
588
593
gobject.source_remove(self.disable_initiator_tag)
589
594
self.disable_initiator_tag = None
590
595
self.expires = None
591
if getattr(self, "checker_initiator_tag", False):
596
if getattr(self, "checker_initiator_tag", None) is not None:
592
597
gobject.source_remove(self.checker_initiator_tag)
593
598
self.checker_initiator_tag = None
594
599
self.stop_checker()
595
600
self.enabled = False
602
self.send_changedstate()
596
603
# Do not run this again if called by a gobject.timeout_add
602
609
def init_checker(self):
603
610
# Schedule a new checker to be started an 'interval' from now,
604
611
# and every interval from then on.
605
self.checker_initiator_tag = (gobject.timeout_add
606
(self.interval_milliseconds(),
612
if self.checker_initiator_tag is not None:
613
gobject.source_remove(self.checker_initiator_tag)
614
self.checker_initiator_tag = gobject.timeout_add(
615
int(self.interval.total_seconds() * 1000),
608
617
# Schedule a disable() when 'timeout' has passed
609
self.disable_initiator_tag = (gobject.timeout_add
610
(self.timeout_milliseconds(),
618
if self.disable_initiator_tag is not None:
619
gobject.source_remove(self.disable_initiator_tag)
620
self.disable_initiator_tag = gobject.timeout_add(
621
int(self.timeout.total_seconds() * 1000), self.disable)
612
622
# Also start a new checker *right now*.
613
623
self.start_checker()
680
690
self.current_checker_command)
681
691
# Start a new checker if needed
682
692
if self.checker is None:
693
# Escape attributes for the shell
695
attr: re.escape(str(getattr(self, attr)))
696
for attr in self.runtime_expansions }
684
# In case checker_command has exactly one % operator
685
command = self.checker_command % self.host
687
# Escape attributes for the shell
688
escaped_attrs = dict(
690
re.escape(unicode(str(getattr(self, attr, "")),
694
self.runtime_expansions)
697
command = self.checker_command % escaped_attrs
698
except TypeError as error:
699
logger.error('Could not format string "%s"',
700
self.checker_command, exc_info=error)
701
return True # Try again later
698
command = self.checker_command % escaped_attrs
699
except TypeError as error:
700
logger.error('Could not format string "%s"',
701
self.checker_command,
703
return True # Try again later
702
704
self.current_checker_command = command
704
logger.info("Starting checker %r for %s",
706
logger.info("Starting checker %r for %s", command,
706
708
# We don't need to redirect stdout and stderr, since
707
709
# in normal mode, that is already done by daemon(),
708
710
# and in debug mode we don't want to. (Stdin is
709
711
# always replaced by /dev/null.)
712
# The exception is when not debugging but nevertheless
713
# running in the foreground; use the previously
716
if (not self.server_settings["debug"]
717
and self.server_settings["foreground"]):
718
popen_args.update({"stdout": wnull,
710
720
self.checker = subprocess.Popen(command,
713
self.checker_callback_tag = (gobject.child_watch_add
715
self.checker_callback,
717
# The checker may have completed before the gobject
718
# watch was added. Check for this.
725
except OSError as error:
726
logger.error("Failed to start subprocess",
729
self.checker_callback_tag = gobject.child_watch_add(
730
self.checker.pid, self.checker_callback, data=command)
731
# The checker may have completed before the gobject
732
# watch was added. Check for this.
719
734
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
721
gobject.source_remove(self.checker_callback_tag)
722
self.checker_callback(pid, status, command)
723
735
except OSError as error:
724
logger.error("Failed to start subprocess",
736
if error.errno == errno.ECHILD:
737
# This should never happen
738
logger.error("Child process vanished",
743
gobject.source_remove(self.checker_callback_tag)
744
self.checker_callback(pid, status, command)
726
745
# Re-run this periodically if run by gobject.timeout_add
798
823
"""Decorator to annotate D-Bus methods, signals or properties
826
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
827
"org.freedesktop.DBus.Property."
828
"EmitsChangedSignal": "false"})
801
829
@dbus_service_property("org.example.Interface", signature="b",
803
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
804
"org.freedesktop.DBus.Property."
805
"EmitsChangedSignal": "false"})
806
831
def Property_dbus_property(self):
807
832
return dbus.Boolean(False)
809
835
def decorator(func):
810
836
func._dbus_annotations = annotations
815
842
class DBusPropertyException(dbus.exceptions.DBusException):
816
843
"""A base class for D-Bus property-related exceptions
818
def __unicode__(self):
819
return unicode(str(self))
822
848
class DBusPropertyAccessException(DBusPropertyException):
846
872
If called like _is_dbus_thing("method") it returns a function
847
873
suitable for use as predicate to inspect.getmembers().
849
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
875
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
852
878
def _get_all_dbus_things(self, thing):
853
879
"""Returns a generator of (name, attribute) pairs
855
return ((getattr(athing.__get__(self), "_dbus_name",
881
return ((getattr(athing.__get__(self), "_dbus_name", name),
857
882
athing.__get__(self))
858
883
for cls in self.__class__.__mro__
859
884
for name, athing in
860
inspect.getmembers(cls,
861
self._is_dbus_thing(thing)))
885
inspect.getmembers(cls, self._is_dbus_thing(thing)))
863
887
def _get_dbus_property(self, interface_name, property_name):
864
888
"""Returns a bound method if one exists which is a D-Bus
865
889
property with the specified name and interface.
867
for cls in self.__class__.__mro__:
868
for name, value in (inspect.getmembers
870
self._is_dbus_thing("property"))):
891
for cls in self.__class__.__mro__:
892
for name, value in inspect.getmembers(
893
cls, self._is_dbus_thing("property")):
871
894
if (value._dbus_name == property_name
872
895
and value._dbus_interface == interface_name):
873
896
return value.__get__(self)
875
898
# No such property
876
raise DBusPropertyNotFound(self.dbus_object_path + ":"
877
+ interface_name + "."
899
raise DBusPropertyNotFound("{}:{}.{}".format(
900
self.dbus_object_path, interface_name, property_name))
880
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
902
@dbus.service.method(dbus.PROPERTIES_IFACE,
881
904
out_signature="v")
882
905
def Get(self, interface_name, property_name):
883
906
"""Standard D-Bus property Get() method, see D-Bus standard.
1054
1088
# Ignore non-D-Bus attributes, and D-Bus attributes
1055
1089
# with the wrong interface name
1056
1090
if (not hasattr(attribute, "_dbus_interface")
1057
or not attribute._dbus_interface
1058
.startswith(orig_interface_name)):
1091
or not attribute._dbus_interface.startswith(
1092
orig_interface_name)):
1060
1094
# Create an alternate D-Bus interface name based on
1061
1095
# the current name
1062
alt_interface = (attribute._dbus_interface
1063
.replace(orig_interface_name,
1064
alt_interface_name))
1096
alt_interface = attribute._dbus_interface.replace(
1097
orig_interface_name, alt_interface_name)
1065
1098
interface_names.add(alt_interface)
1066
1099
# Is this a D-Bus signal?
1067
1100
if getattr(attribute, "_dbus_is_signal", False):
1068
# Extract the original non-method function by
1101
# Extract the original non-method undecorated
1102
# function by black magic
1070
1103
nonmethod_func = (dict(
1071
zip(attribute.func_code.co_freevars,
1072
attribute.__closure__))["func"]
1104
zip(attribute.func_code.co_freevars,
1105
attribute.__closure__))
1106
["func"].cell_contents)
1074
1107
# Create a new, but exactly alike, function
1075
1108
# object, and decorate it to be a new D-Bus signal
1076
1109
# with the alternate D-Bus interface name
1077
new_function = (dbus.service.signal
1079
attribute._dbus_signature)
1110
new_function = (dbus.service.signal(
1111
alt_interface, attribute._dbus_signature)
1080
1112
(types.FunctionType(
1081
nonmethod_func.func_code,
1082
nonmethod_func.func_globals,
1083
nonmethod_func.func_name,
1084
nonmethod_func.func_defaults,
1085
nonmethod_func.func_closure)))
1113
nonmethod_func.func_code,
1114
nonmethod_func.func_globals,
1115
nonmethod_func.func_name,
1116
nonmethod_func.func_defaults,
1117
nonmethod_func.func_closure)))
1086
1118
# Copy annotations, if any
1088
new_function._dbus_annotations = (
1089
dict(attribute._dbus_annotations))
1120
new_function._dbus_annotations = dict(
1121
attribute._dbus_annotations)
1090
1122
except AttributeError:
1092
1124
# Define a creator of a function to call both the
1112
1146
# object. Decorate it to be a new D-Bus method
1113
1147
# with the alternate D-Bus interface name. Add it
1114
1148
# to the class.
1115
attr[attrname] = (dbus.service.method
1117
attribute._dbus_in_signature,
1118
attribute._dbus_out_signature)
1120
(attribute.func_code,
1121
attribute.func_globals,
1122
attribute.func_name,
1123
attribute.func_defaults,
1124
attribute.func_closure)))
1150
dbus.service.method(
1152
attribute._dbus_in_signature,
1153
attribute._dbus_out_signature)
1154
(types.FunctionType(attribute.func_code,
1155
attribute.func_globals,
1156
attribute.func_name,
1157
attribute.func_defaults,
1158
attribute.func_closure)))
1125
1159
# Copy annotations, if any
1127
attr[attrname]._dbus_annotations = (
1128
dict(attribute._dbus_annotations))
1161
attr[attrname]._dbus_annotations = dict(
1162
attribute._dbus_annotations)
1129
1163
except AttributeError:
1131
1165
# Is this a D-Bus property?
1134
1168
# object, and decorate it to be a new D-Bus
1135
1169
# property with the alternate D-Bus interface
1136
1170
# name. Add it to the class.
1137
attr[attrname] = (dbus_service_property
1139
attribute._dbus_signature,
1140
attribute._dbus_access,
1142
._dbus_get_args_options
1145
(attribute.func_code,
1146
attribute.func_globals,
1147
attribute.func_name,
1148
attribute.func_defaults,
1149
attribute.func_closure)))
1171
attr[attrname] = (dbus_service_property(
1172
alt_interface, attribute._dbus_signature,
1173
attribute._dbus_access,
1174
attribute._dbus_get_args_options
1176
(types.FunctionType(
1177
attribute.func_code,
1178
attribute.func_globals,
1179
attribute.func_name,
1180
attribute.func_defaults,
1181
attribute.func_closure)))
1150
1182
# Copy annotations, if any
1152
attr[attrname]._dbus_annotations = (
1153
dict(attribute._dbus_annotations))
1184
attr[attrname]._dbus_annotations = dict(
1185
attribute._dbus_annotations)
1154
1186
except AttributeError:
1156
1188
# Is this a D-Bus interface?
1210
1245
Client.__init__(self, *args, **kwargs)
1211
1246
# Only now, when this client is initialized, can it show up on
1213
client_object_name = unicode(self.name).translate(
1248
client_object_name = str(self.name).translate(
1214
1249
{ord("."): ord("_"),
1215
1250
ord("-"): ord("_")})
1216
self.dbus_object_path = (dbus.ObjectPath
1217
("/clients/" + client_object_name))
1251
self.dbus_object_path = dbus.ObjectPath(
1252
"/clients/" + client_object_name)
1218
1253
DBusObjectWithProperties.__init__(self, self.bus,
1219
1254
self.dbus_object_path)
1221
def notifychangeproperty(transform_func,
1222
dbus_name, type_func=lambda x: x,
1256
def notifychangeproperty(transform_func, dbus_name,
1257
type_func=lambda x: x,
1259
invalidate_only=False,
1260
_interface=_interface):
1224
1261
""" Modify a variable so that it's a property which announces
1225
1262
its changes to DBus.
1231
1268
to the D-Bus. Default: no transform
1232
1269
variant_level: D-Bus variant level. Default: 1
1234
attrname = "_{0}".format(dbus_name)
1271
attrname = "_{}".format(dbus_name)
1235
1273
def setter(self, value):
1236
1274
if hasattr(self, "dbus_object_path"):
1237
1275
if (not hasattr(self, attrname) or
1238
1276
type_func(getattr(self, attrname, None))
1239
1277
!= type_func(value)):
1240
dbus_value = transform_func(type_func(value),
1243
self.PropertyChanged(dbus.String(dbus_name),
1279
self.PropertiesChanged(
1280
_interface, dbus.Dictionary(),
1281
dbus.Array((dbus_name, )))
1283
dbus_value = transform_func(
1285
variant_level = variant_level)
1286
self.PropertyChanged(dbus.String(dbus_name),
1288
self.PropertiesChanged(
1290
dbus.Dictionary({ dbus.String(dbus_name):
1245
1293
setattr(self, attrname, value)
1247
1295
return property(lambda self: getattr(self, attrname), setter)
1264
1312
datetime_to_dbus, "LastApprovalRequest")
1265
1313
approved_by_default = notifychangeproperty(dbus.Boolean,
1266
1314
"ApprovedByDefault")
1267
approval_delay = notifychangeproperty(dbus.UInt64,
1270
timedelta_to_milliseconds)
1315
approval_delay = notifychangeproperty(
1316
dbus.UInt64, "ApprovalDelay",
1317
type_func = lambda td: td.total_seconds() * 1000)
1271
1318
approval_duration = notifychangeproperty(
1272
1319
dbus.UInt64, "ApprovalDuration",
1273
type_func = timedelta_to_milliseconds)
1320
type_func = lambda td: td.total_seconds() * 1000)
1274
1321
host = notifychangeproperty(dbus.String, "Host")
1275
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1277
timedelta_to_milliseconds)
1322
timeout = notifychangeproperty(
1323
dbus.UInt64, "Timeout",
1324
type_func = lambda td: td.total_seconds() * 1000)
1278
1325
extended_timeout = notifychangeproperty(
1279
1326
dbus.UInt64, "ExtendedTimeout",
1280
type_func = timedelta_to_milliseconds)
1281
interval = notifychangeproperty(dbus.UInt64,
1284
timedelta_to_milliseconds)
1327
type_func = lambda td: td.total_seconds() * 1000)
1328
interval = notifychangeproperty(
1329
dbus.UInt64, "Interval",
1330
type_func = lambda td: td.total_seconds() * 1000)
1285
1331
checker_command = notifychangeproperty(dbus.String, "Checker")
1332
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1333
invalidate_only=True)
1287
1335
del notifychangeproperty
1441
1480
self.approved_by_default = bool(value)
1443
1482
# ApprovalDelay - property
1444
@dbus_service_property(_interface, signature="t",
1483
@dbus_service_property(_interface,
1445
1485
access="readwrite")
1446
1486
def ApprovalDelay_dbus_property(self, value=None):
1447
1487
if value is None: # get
1448
return dbus.UInt64(self.approval_delay_milliseconds())
1488
return dbus.UInt64(self.approval_delay.total_seconds()
1449
1490
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1451
1492
# ApprovalDuration - property
1452
@dbus_service_property(_interface, signature="t",
1493
@dbus_service_property(_interface,
1453
1495
access="readwrite")
1454
1496
def ApprovalDuration_dbus_property(self, value=None):
1455
1497
if value is None: # get
1456
return dbus.UInt64(timedelta_to_milliseconds(
1457
self.approval_duration))
1498
return dbus.UInt64(self.approval_duration.total_seconds()
1458
1500
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1460
1502
# Name - property
1522
1566
return datetime_to_dbus(self.last_approval_request)
1524
1568
# Timeout - property
1525
@dbus_service_property(_interface, signature="t",
1569
@dbus_service_property(_interface,
1526
1571
access="readwrite")
1527
1572
def Timeout_dbus_property(self, value=None):
1528
1573
if value is None: # get
1529
return dbus.UInt64(self.timeout_milliseconds())
1574
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1575
old_timeout = self.timeout
1530
1576
self.timeout = datetime.timedelta(0, 0, 0, value)
1531
# Reschedule timeout
1577
# Reschedule disabling
1532
1578
if self.enabled:
1533
1579
now = datetime.datetime.utcnow()
1534
time_to_die = timedelta_to_milliseconds(
1535
(self.last_checked_ok + self.timeout) - now)
1536
if time_to_die <= 0:
1580
self.expires += self.timeout - old_timeout
1581
if self.expires <= now:
1537
1582
# The timeout has passed
1540
self.expires = (now +
1541
datetime.timedelta(milliseconds =
1543
1585
if (getattr(self, "disable_initiator_tag", None)
1546
1588
gobject.source_remove(self.disable_initiator_tag)
1547
self.disable_initiator_tag = (gobject.timeout_add
1589
self.disable_initiator_tag = gobject.timeout_add(
1590
int((self.expires - now).total_seconds() * 1000),
1551
1593
# ExtendedTimeout - property
1552
@dbus_service_property(_interface, signature="t",
1594
@dbus_service_property(_interface,
1553
1596
access="readwrite")
1554
1597
def ExtendedTimeout_dbus_property(self, value=None):
1555
1598
if value is None: # get
1556
return dbus.UInt64(self.extended_timeout_milliseconds())
1599
return dbus.UInt64(self.extended_timeout.total_seconds()
1557
1601
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1559
1603
# Interval - property
1560
@dbus_service_property(_interface, signature="t",
1604
@dbus_service_property(_interface,
1561
1606
access="readwrite")
1562
1607
def Interval_dbus_property(self, value=None):
1563
1608
if value is None: # get
1564
return dbus.UInt64(self.interval_milliseconds())
1609
return dbus.UInt64(self.interval.total_seconds() * 1000)
1565
1610
self.interval = datetime.timedelta(0, 0, 0, value)
1566
1611
if getattr(self, "checker_initiator_tag", None) is None:
1568
1613
if self.enabled:
1569
1614
# Reschedule checker run
1570
1615
gobject.source_remove(self.checker_initiator_tag)
1571
self.checker_initiator_tag = (gobject.timeout_add
1572
(value, self.start_checker))
1573
self.start_checker() # Start one now, too
1616
self.checker_initiator_tag = gobject.timeout_add(
1617
value, self.start_checker)
1618
self.start_checker() # Start one now, too
1575
1620
# Checker - property
1576
@dbus_service_property(_interface, signature="s",
1621
@dbus_service_property(_interface,
1577
1623
access="readwrite")
1578
1624
def Checker_dbus_property(self, value=None):
1579
1625
if value is None: # get
1580
1626
return dbus.String(self.checker_command)
1581
self.checker_command = unicode(value)
1627
self.checker_command = str(value)
1583
1629
# CheckerRunning - property
1584
@dbus_service_property(_interface, signature="b",
1630
@dbus_service_property(_interface,
1585
1632
access="readwrite")
1586
1633
def CheckerRunning_dbus_property(self, value=None):
1587
1634
if value is None: # get
1813
1859
def fingerprint(openpgp):
1814
1860
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1815
1861
# New GnuTLS "datum" with the OpenPGP public key
1816
datum = (gnutls.library.types
1817
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1820
ctypes.c_uint(len(openpgp))))
1862
datum = gnutls.library.types.gnutls_datum_t(
1863
ctypes.cast(ctypes.c_char_p(openpgp),
1864
ctypes.POINTER(ctypes.c_ubyte)),
1865
ctypes.c_uint(len(openpgp)))
1821
1866
# New empty GnuTLS certificate
1822
1867
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1823
(gnutls.library.functions
1824
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1868
gnutls.library.functions.gnutls_openpgp_crt_init(
1825
1870
# Import the OpenPGP public key into the certificate
1826
(gnutls.library.functions
1827
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1828
gnutls.library.constants
1829
.GNUTLS_OPENPGP_FMT_RAW))
1871
gnutls.library.functions.gnutls_openpgp_crt_import(
1872
crt, ctypes.byref(datum),
1873
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
1830
1874
# Verify the self signature in the key
1831
1875
crtverify = ctypes.c_uint()
1832
(gnutls.library.functions
1833
.gnutls_openpgp_crt_verify_self(crt, 0,
1834
ctypes.byref(crtverify)))
1876
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1877
crt, 0, ctypes.byref(crtverify))
1835
1878
if crtverify.value != 0:
1836
1879
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1837
raise (gnutls.errors.CertificateSecurityError
1880
raise gnutls.errors.CertificateSecurityError(
1839
1882
# New buffer for the fingerprint
1840
1883
buf = ctypes.create_string_buffer(20)
1841
1884
buf_len = ctypes.c_size_t()
1842
1885
# Get the fingerprint from the certificate into the buffer
1843
(gnutls.library.functions
1844
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1845
ctypes.byref(buf_len)))
1886
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1887
crt, ctypes.byref(buf), ctypes.byref(buf_len))
1846
1888
# Deinit the certificate
1847
1889
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1848
1890
# Convert the buffer to a Python bytestring
1898
1941
interface: None or a network interface name (string)
1899
1942
use_ipv6: Boolean; to use IPv6 or not
1901
1945
def __init__(self, server_address, RequestHandlerClass,
1902
interface=None, use_ipv6=True):
1949
"""If socketfd is set, use that file descriptor instead of
1950
creating a new one with socket.socket().
1903
1952
self.interface = interface
1905
1954
self.address_family = socket.AF_INET6
1955
if socketfd is not None:
1956
# Save the file descriptor
1957
self.socketfd = socketfd
1958
# Save the original socket.socket() function
1959
self.socket_socket = socket.socket
1960
# To implement --socket, we monkey patch socket.socket.
1962
# (When socketserver.TCPServer is a new-style class, we
1963
# could make self.socket into a property instead of monkey
1964
# patching socket.socket.)
1966
# Create a one-time-only replacement for socket.socket()
1967
@functools.wraps(socket.socket)
1968
def socket_wrapper(*args, **kwargs):
1969
# Restore original function so subsequent calls are
1971
socket.socket = self.socket_socket
1972
del self.socket_socket
1973
# This time only, return a new socket object from the
1974
# saved file descriptor.
1975
return socket.fromfd(self.socketfd, *args, **kwargs)
1976
# Replace socket.socket() function with wrapper
1977
socket.socket = socket_wrapper
1978
# The socketserver.TCPServer.__init__ will call
1979
# socket.socket(), which might be our replacement,
1980
# socket_wrapper(), if socketfd was set.
1906
1981
socketserver.TCPServer.__init__(self, server_address,
1907
1982
RequestHandlerClass)
1908
1984
def server_bind(self):
1909
1985
"""This overrides the normal server_bind() function
1910
1986
to bind to an interface if one was specified, and also NOT to
1916
1992
self.interface)
1919
self.socket.setsockopt(socket.SOL_SOCKET,
1995
self.socket.setsockopt(
1996
socket.SOL_SOCKET, SO_BINDTODEVICE,
1997
(self.interface + "\0").encode("utf-8"))
1923
1998
except socket.error as error:
1924
if error[0] == errno.EPERM:
1925
logger.error("No permission to"
1926
" bind to interface %s",
1928
elif error[0] == errno.ENOPROTOOPT:
1999
if error.errno == errno.EPERM:
2000
logger.error("No permission to bind to"
2001
" interface %s", self.interface)
2002
elif error.errno == errno.ENOPROTOOPT:
1929
2003
logger.error("SO_BINDTODEVICE not available;"
1930
2004
" cannot bind to interface %s",
1931
2005
self.interface)
2006
elif error.errno == errno.ENODEV:
2007
logger.error("Interface %s does not exist,"
2008
" cannot bind", self.interface)
1934
2011
# Only bind(2) the socket if we really need to.
1985
2068
def add_pipe(self, parent_pipe, proc):
1986
2069
# Call "handle_ipc" for both data and EOF events
1987
gobject.io_add_watch(parent_pipe.fileno(),
1988
gobject.IO_IN | gobject.IO_HUP,
1989
functools.partial(self.handle_ipc,
2070
gobject.io_add_watch(
2071
parent_pipe.fileno(),
2072
gobject.IO_IN | gobject.IO_HUP,
2073
functools.partial(self.handle_ipc,
2074
parent_pipe = parent_pipe,
1994
def handle_ipc(self, source, condition, parent_pipe=None,
1995
proc = None, client_object=None):
2077
def handle_ipc(self, source, condition,
2080
client_object=None):
1996
2081
# error, or the other end of multiprocessing.Pipe has closed
1997
2082
if condition & (gobject.IO_ERR | gobject.IO_HUP):
1998
2083
# Wait for other process to exit
2145
def rfc3339_duration_to_delta(duration):
2146
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2148
>>> rfc3339_duration_to_delta("P7D")
2149
datetime.timedelta(7)
2150
>>> rfc3339_duration_to_delta("PT60S")
2151
datetime.timedelta(0, 60)
2152
>>> rfc3339_duration_to_delta("PT60M")
2153
datetime.timedelta(0, 3600)
2154
>>> rfc3339_duration_to_delta("PT24H")
2155
datetime.timedelta(1)
2156
>>> rfc3339_duration_to_delta("P1W")
2157
datetime.timedelta(7)
2158
>>> rfc3339_duration_to_delta("PT5M30S")
2159
datetime.timedelta(0, 330)
2160
>>> rfc3339_duration_to_delta("P1DT3M20S")
2161
datetime.timedelta(1, 200)
2164
# Parsing an RFC 3339 duration with regular expressions is not
2165
# possible - there would have to be multiple places for the same
2166
# values, like seconds. The current code, while more esoteric, is
2167
# cleaner without depending on a parsing library. If Python had a
2168
# built-in library for parsing we would use it, but we'd like to
2169
# avoid excessive use of external libraries.
2171
# New type for defining tokens, syntax, and semantics all-in-one
2172
Token = collections.namedtuple("Token",
2173
("regexp", # To match token; if
2174
# "value" is not None,
2175
# must have a "group"
2177
"value", # datetime.timedelta or
2179
"followers")) # Tokens valid after
2181
Token = collections.namedtuple("Token", (
2182
"regexp", # To match token; if "value" is not None, must have
2183
# a "group" containing digits
2184
"value", # datetime.timedelta or None
2185
"followers")) # Tokens valid after this token
2186
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2187
# the "duration" ABNF definition in RFC 3339, Appendix A.
2188
token_end = Token(re.compile(r"$"), None, frozenset())
2189
token_second = Token(re.compile(r"(\d+)S"),
2190
datetime.timedelta(seconds=1),
2191
frozenset((token_end, )))
2192
token_minute = Token(re.compile(r"(\d+)M"),
2193
datetime.timedelta(minutes=1),
2194
frozenset((token_second, token_end)))
2195
token_hour = Token(re.compile(r"(\d+)H"),
2196
datetime.timedelta(hours=1),
2197
frozenset((token_minute, token_end)))
2198
token_time = Token(re.compile(r"T"),
2200
frozenset((token_hour, token_minute,
2202
token_day = Token(re.compile(r"(\d+)D"),
2203
datetime.timedelta(days=1),
2204
frozenset((token_time, token_end)))
2205
token_month = Token(re.compile(r"(\d+)M"),
2206
datetime.timedelta(weeks=4),
2207
frozenset((token_day, token_end)))
2208
token_year = Token(re.compile(r"(\d+)Y"),
2209
datetime.timedelta(weeks=52),
2210
frozenset((token_month, token_end)))
2211
token_week = Token(re.compile(r"(\d+)W"),
2212
datetime.timedelta(weeks=1),
2213
frozenset((token_end, )))
2214
token_duration = Token(re.compile(r"P"), None,
2215
frozenset((token_year, token_month,
2216
token_day, token_time,
2218
# Define starting values
2219
value = datetime.timedelta() # Value so far
2221
followers = frozenset((token_duration,)) # Following valid tokens
2222
s = duration # String left to parse
2223
# Loop until end token is found
2224
while found_token is not token_end:
2225
# Search for any currently valid tokens
2226
for token in followers:
2227
match = token.regexp.match(s)
2228
if match is not None:
2230
if token.value is not None:
2231
# Value found, parse digits
2232
factor = int(match.group(1), 10)
2233
# Add to value so far
2234
value += factor * token.value
2235
# Strip token from string
2236
s = token.regexp.sub("", s, 1)
2239
# Set valid next tokens
2240
followers = found_token.followers
2243
# No currently valid tokens were found
2244
raise ValueError("Invalid RFC 3339 duration")
2061
2249
def string_to_delta(interval):
2062
2250
"""Parse a string and return a datetime.timedelta
2156
2349
parser.add_argument("--no-dbus", action="store_false",
2157
2350
dest="use_dbus", help="Do not provide D-Bus"
2158
" system bus interface")
2351
" system bus interface", default=None)
2159
2352
parser.add_argument("--no-ipv6", action="store_false",
2160
dest="use_ipv6", help="Do not use IPv6")
2353
dest="use_ipv6", help="Do not use IPv6",
2161
2355
parser.add_argument("--no-restore", action="store_false",
2162
2356
dest="restore", help="Do not restore stored"
2357
" state", default=None)
2358
parser.add_argument("--socket", type=int,
2359
help="Specify a file descriptor to a network"
2360
" socket to use instead of creating one")
2164
2361
parser.add_argument("--statedir", metavar="DIR",
2165
2362
help="Directory to save/restore state in")
2363
parser.add_argument("--foreground", action="store_true",
2364
help="Run in foreground", default=None)
2365
parser.add_argument("--no-zeroconf", action="store_false",
2366
dest="zeroconf", help="Do not use Zeroconf",
2167
2369
options = parser.parse_args()
2169
2371
if options.check:
2373
fail_count, test_count = doctest.testmod()
2374
sys.exit(os.EX_OK if fail_count == 0 else 1)
2174
2376
# Default values for config file for server-global settings
2175
2377
server_defaults = { "interface": "",
2178
2380
"debug": "False",
2180
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2382
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2383
":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2181
2384
"servicename": "Mandos",
2182
2385
"use_dbus": "True",
2183
2386
"use_ipv6": "True",
2184
2387
"debuglevel": "",
2185
2388
"restore": "True",
2186
"statedir": "/var/lib/mandos"
2390
"statedir": "/var/lib/mandos",
2391
"foreground": "False",
2189
2395
# Parse config file for server-global settings
2190
2396
server_config = configparser.SafeConfigParser(server_defaults)
2191
2397
del server_defaults
2192
server_config.read(os.path.join(options.configdir,
2398
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2194
2399
# Convert the SafeConfigParser object to a dict
2195
2400
server_settings = server_config.defaults()
2196
2401
# Use the appropriate methods on the non-string config options
2197
for option in ("debug", "use_dbus", "use_ipv6"):
2402
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2198
2403
server_settings[option] = server_config.getboolean("DEFAULT",
2200
2405
if server_settings["port"]:
2201
2406
server_settings["port"] = server_config.getint("DEFAULT",
2408
if server_settings["socket"]:
2409
server_settings["socket"] = server_config.getint("DEFAULT",
2411
# Later, stdin will, and stdout and stderr might, be dup'ed
2412
# over with an opened os.devnull. But we don't want this to
2413
# happen with a supplied network socket.
2414
if 0 <= server_settings["socket"] <= 2:
2415
server_settings["socket"] = os.dup(server_settings
2203
2417
del server_config
2205
2419
# Override the settings from the config file with command line
2206
2420
# options, if set.
2207
2421
for option in ("interface", "address", "port", "debug",
2208
"priority", "servicename", "configdir",
2209
"use_dbus", "use_ipv6", "debuglevel", "restore",
2422
"priority", "servicename", "configdir", "use_dbus",
2423
"use_ipv6", "debuglevel", "restore", "statedir",
2424
"socket", "foreground", "zeroconf"):
2211
2425
value = getattr(options, option)
2212
2426
if value is not None:
2213
2427
server_settings[option] = value
2215
2429
# Force all strings to be unicode
2216
2430
for option in server_settings.keys():
2217
if type(server_settings[option]) is str:
2218
server_settings[option] = unicode(server_settings[option])
2431
if isinstance(server_settings[option], bytes):
2432
server_settings[option] = (server_settings[option]
2434
# Force all boolean options to be boolean
2435
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2436
"foreground", "zeroconf"):
2437
server_settings[option] = bool(server_settings[option])
2438
# Debug implies foreground
2439
if server_settings["debug"]:
2440
server_settings["foreground"] = True
2219
2441
# Now we have our good server settings in "server_settings"
2221
2443
##################################################################
2445
if (not server_settings["zeroconf"]
2446
and not (server_settings["port"]
2447
or server_settings["socket"] != "")):
2448
parser.error("Needs port or socket to work without Zeroconf")
2223
2450
# For convenience
2224
2451
debug = server_settings["debug"]
2225
2452
debuglevel = server_settings["debuglevel"]
2253
2481
global mandos_dbus_service
2254
2482
mandos_dbus_service = None
2256
tcp_server = MandosServer((server_settings["address"],
2257
server_settings["port"]),
2259
interface=(server_settings["interface"]
2263
server_settings["priority"],
2266
pidfilename = "/var/run/mandos.pid"
2485
if server_settings["socket"] != "":
2486
socketfd = server_settings["socket"]
2487
tcp_server = MandosServer(
2488
(server_settings["address"], server_settings["port"]),
2490
interface=(server_settings["interface"] or None),
2492
gnutls_priority=server_settings["priority"],
2496
pidfilename = "/run/mandos.pid"
2497
if not os.path.isdir("/run/."):
2498
pidfilename = "/var/run/mandos.pid"
2268
2501
pidfile = open(pidfilename, "w")
2269
2502
except IOError as e:
2325
2560
bus_name = dbus.service.BusName("se.recompile.Mandos",
2326
bus, do_not_queue=True)
2327
old_bus_name = (dbus.service.BusName
2328
("se.bsnet.fukt.Mandos", bus,
2563
old_bus_name = dbus.service.BusName(
2564
"se.bsnet.fukt.Mandos", bus,
2330
2566
except dbus.exceptions.NameExistsException as e:
2331
2567
logger.error("Disabling D-Bus:", exc_info=e)
2332
2568
use_dbus = False
2333
2569
server_settings["use_dbus"] = False
2334
2570
tcp_server.use_dbus = False
2335
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2336
service = AvahiServiceToSyslog(name =
2337
server_settings["servicename"],
2338
servicetype = "_mandos._tcp",
2339
protocol = protocol, bus = bus)
2340
if server_settings["interface"]:
2341
service.interface = (if_nametoindex
2342
(str(server_settings["interface"])))
2572
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2573
service = AvahiServiceToSyslog(
2574
name = server_settings["servicename"],
2575
servicetype = "_mandos._tcp",
2576
protocol = protocol,
2578
if server_settings["interface"]:
2579
service.interface = if_nametoindex(
2580
server_settings["interface"].encode("utf-8"))
2344
2582
global multiprocessing_manager
2345
2583
multiprocessing_manager = multiprocessing.Manager()
2352
2590
old_client_settings = {}
2353
2591
clients_data = {}
2593
# This is used to redirect stdout and stderr for checker processes
2595
wnull = open(os.devnull, "w") # A writable /dev/null
2596
# Only used if server is running in foreground but not in debug
2598
if debug or not foreground:
2355
2601
# Get client data and settings from last running state.
2356
2602
if server_settings["restore"]:
2358
2604
with open(stored_state_path, "rb") as stored_state:
2359
clients_data, old_client_settings = (pickle.load
2605
clients_data, old_client_settings = pickle.load(
2361
2607
os.remove(stored_state_path)
2362
2608
except IOError as e:
2363
2609
if e.errno == errno.ENOENT:
2364
logger.warning("Could not load persistent state: {0}"
2365
.format(os.strerror(e.errno)))
2610
logger.warning("Could not load persistent state:"
2611
" {}".format(os.strerror(e.errno)))
2367
2613
logger.critical("Could not load persistent state:",
2370
2616
except EOFError as e:
2371
2617
logger.warning("Could not load persistent state: "
2372
"EOFError:", exc_info=e)
2374
2621
with PGPEngine() as pgp:
2375
for client_name, client in clients_data.iteritems():
2622
for client_name, client in clients_data.items():
2623
# Skip removed clients
2624
if client_name not in client_settings:
2376
2627
# Decide which value to use after restoring saved state.
2377
2628
# We have three different values: Old config file,
2378
2629
# new config file, and saved state.
2399
2650
if datetime.datetime.utcnow() >= client["expires"]:
2400
2651
if not client["last_checked_ok"]:
2401
2652
logger.warning(
2402
"disabling client {0} - Client never "
2403
"performed a successful checker"
2404
.format(client_name))
2653
"disabling client {} - Client never "
2654
"performed a successful checker".format(
2405
2656
client["enabled"] = False
2406
2657
elif client["last_checker_status"] != 0:
2407
2658
logger.warning(
2408
"disabling client {0} - Client "
2409
"last checker failed with error code {1}"
2410
.format(client_name,
2411
client["last_checker_status"]))
2659
"disabling client {} - Client last"
2660
" checker failed with error code"
2663
client["last_checker_status"]))
2412
2664
client["enabled"] = False
2414
client["expires"] = (datetime.datetime
2416
+ client["timeout"])
2666
client["expires"] = (
2667
datetime.datetime.utcnow()
2668
+ client["timeout"])
2417
2669
logger.debug("Last checker succeeded,"
2418
" keeping {0} enabled"
2419
.format(client_name))
2670
" keeping {} enabled".format(
2421
client["secret"] = (
2422
pgp.decrypt(client["encrypted_secret"],
2423
client_settings[client_name]
2673
client["secret"] = pgp.decrypt(
2674
client["encrypted_secret"],
2675
client_settings[client_name]["secret"])
2425
2676
except PGPError:
2426
2677
# If decryption fails, we use secret from new settings
2427
logger.debug("Failed to decrypt {0} old secret"
2428
.format(client_name))
2429
client["secret"] = (
2430
client_settings[client_name]["secret"])
2678
logger.debug("Failed to decrypt {} old secret".format(
2680
client["secret"] = (client_settings[client_name]
2432
2683
# Add/remove clients based on new changes made to config
2433
2684
for client_name in (set(old_client_settings)
2438
2689
clients_data[client_name] = client_settings[client_name]
2440
2691
# Create all client objects
2441
for client_name, client in clients_data.iteritems():
2692
for client_name, client in clients_data.items():
2442
2693
tcp_server.clients[client_name] = client_class(
2443
name = client_name, settings = client)
2696
server_settings = server_settings)
2445
2698
if not tcp_server.clients:
2446
2699
logger.warning("No clients defined")
2452
pidfile.write(str(pid) + "\n".encode("utf-8"))
2455
logger.error("Could not write to file %r with PID %d",
2458
# "pidfile" was never created
2702
if pidfile is not None:
2706
pidfile.write("{}\n".format(pid).encode("utf-8"))
2708
logger.error("Could not write to file %r with PID %d",
2460
2711
del pidfilename
2461
signal.signal(signal.SIGINT, signal.SIG_IGN)
2463
2713
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2464
2714
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2467
@alternate_dbus_interfaces({"se.recompile.Mandos":
2468
"se.bsnet.fukt.Mandos"})
2718
@alternate_dbus_interfaces(
2719
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
2469
2720
class MandosDBusService(DBusObjectWithProperties):
2470
2721
"""A D-Bus proxy object"""
2471
2723
def __init__(self):
2472
2724
dbus.service.Object.__init__(self, bus, "/")
2473
2726
_interface = "se.recompile.Mandos"
2475
2728
@dbus_interface_annotations(_interface)
2476
2729
def _foo(self):
2477
return { "org.freedesktop.DBus.Property"
2478
".EmitsChangedSignal":
2731
"org.freedesktop.DBus.Property.EmitsChangedSignal":
2481
2734
@dbus.service.signal(_interface, signature="o")
2482
2735
def ClientAdded(self, objpath):