To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 752
- compare with another revision
- download diff
- download tarball
- view history from revision 752
- Committer: Teddy Hogeborn
- Date: 2015-05-31 15:56:58 UTC
- Revision ID: teddy@recompile.se-20150531155658-l7znu7zlqr2dmuwd
mandos: Generate better messages in exceptions.
mandos (ProxyClient.__init__): Include fingerprint in KeyError().
(rfc3339_duration_to_delta): Include duration in ValueError().
mandos (ProxyClient.__init__): Include fingerprint in KeyError().
(rfc3339_duration_to_delta): Include duration in ValueError().
- files added:
- DBUS-API
- debian/source
- debian/upstream
- network-hooks.d
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008,2009 Teddy Hogeborn
15
# Copyright © 2008,2009 Björn Påhlsson
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
30
#
31
# Contact the authors at <mandos@fukt.bsnet.se>.
31
# Contact the authors at <mandos@recompile.se>.
32
32
#
33
33
34
from __future__ import division, with_statement, absolute_import
35
36
import SocketServer as socketserver
34
from __future__ import (division, absolute_import, print_function,
35
unicode_literals)
36
37
from future_builtins import *
38
39
try:
40
import SocketServer as socketserver
41
except ImportError:
42
import socketserver
37
43
import socket
38
import optparse
44
import argparse
39
45
import datetime
40
46
import errno
41
47
import gnutls.crypto
44
50
import gnutls.library.functions
45
51
import gnutls.library.constants
46
52
import gnutls.library.types
47
import ConfigParser as configparser
53
try:
54
import ConfigParser as configparser
55
except ImportError:
56
import configparser
48
57
import sys
49
58
import re
50
59
import os
55
64
import logging
56
65
import logging.handlers
57
66
import pwd
58
from contextlib import closing
67
import contextlib
59
68
import struct
60
69
import fcntl
61
70
import functools
71
try:
72
import cPickle as pickle
73
except ImportError:
74
import pickle
75
import multiprocessing
76
import types
77
import binascii
78
import tempfile
79
import itertools
80
import collections
81
import codecs
62
82
63
83
import dbus
64
84
import dbus.service
65
import gobject
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
66
89
import avahi
67
90
from dbus.mainloop.glib import DBusGMainLoop
68
91
import ctypes
78
101
except ImportError:
79
102
SO_BINDTODEVICE = None
80
103
81
82
version = "1.0.12"
83
84
logger = logging.Logger(u'mandos')
85
syslogger = (logging.handlers.SysLogHandler
86
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
87
address = "/dev/log"))
88
syslogger.setFormatter(logging.Formatter
89
(u'Mandos [%(process)d]: %(levelname)s:'
90
u' %(message)s'))
91
logger.addHandler(syslogger)
92
93
console = logging.StreamHandler()
94
console.setFormatter(logging.Formatter(u'%(name)s [%(process)d]:'
95
u' %(levelname)s:'
96
u' %(message)s'))
97
logger.addHandler(console)
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
108
stored_state_file = "clients.pickle"
109
110
logger = logging.getLogger()
111
syslogger = None
112
113
try:
114
if_nametoindex = ctypes.cdll.LoadLibrary(
115
ctypes.util.find_library("c")).if_nametoindex
116
except (OSError, AttributeError):
117
118
def if_nametoindex(interface):
119
"Get an interface index the hard way, i.e. using fcntl()"
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
121
with contextlib.closing(socket.socket()) as s:
122
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
123
struct.pack(b"16s16x", interface))
124
interface_index = struct.unpack("I", ifreq[16:20])[0]
125
return interface_index
126
127
128
def initlogger(debug, level=logging.WARNING):
129
"""init logger and add loglevel"""
130
131
global syslogger
132
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
135
syslogger.setFormatter(logging.Formatter
136
('Mandos [%(process)d]: %(levelname)s:'
137
' %(message)s'))
138
logger.addHandler(syslogger)
139
140
if debug:
141
console = logging.StreamHandler()
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
143
' [%(process)d]:'
144
' %(levelname)s:'
145
' %(message)s'))
146
logger.addHandler(console)
147
logger.setLevel(level)
148
149
150
class PGPError(Exception):
151
"""Exception if encryption/decryption fails"""
152
pass
153
154
155
class PGPEngine(object):
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
158
def __init__(self):
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
160
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
162
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
166
def __enter__(self):
167
return self
168
169
def __exit__(self, exc_type, exc_value, traceback):
170
self._cleanup()
171
return False
172
173
def __del__(self):
174
self._cleanup()
175
176
def _cleanup(self):
177
if self.tempdir is not None:
178
# Delete contents of tempdir
179
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
181
for filename in files:
182
os.remove(os.path.join(root, filename))
183
for dirname in dirs:
184
os.rmdir(os.path.join(root, dirname))
185
# Remove tempdir
186
os.rmdir(self.tempdir)
187
self.tempdir = None
188
189
def password_encode(self, password):
190
# Passphrase can not be empty and can not contain newlines or
191
# NUL bytes. So we prefix it and hex encode it.
192
encoded = b"mandos" + binascii.hexlify(password)
193
if len(encoded) > 2048:
194
# GnuPG can't handle long passwords, so encode differently
195
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
196
.replace(b"\n", b"\\n")
197
.replace(b"\0", b"\\x00"))
198
return encoded
199
200
def encrypt(self, data, password):
201
passphrase = self.password_encode(password)
202
with tempfile.NamedTemporaryFile(
203
dir=self.tempdir) as passfile:
204
passfile.write(passphrase)
205
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
207
'--passphrase-file',
208
passfile.name]
209
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
214
if proc.returncode != 0:
215
raise PGPError(err)
216
return ciphertext
217
218
def decrypt(self, data, password):
219
passphrase = self.password_encode(password)
220
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
222
passfile.write(passphrase)
223
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
225
'--passphrase-file',
226
passfile.name]
227
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
232
if proc.returncode != 0:
233
raise PGPError(err)
234
return decrypted_plaintext
235
98
236
99
237
class AvahiError(Exception):
100
238
def __init__(self, value, *args, **kwargs):
101
239
self.value = value
102
super(AvahiError, self).__init__(value, *args, **kwargs)
103
def __unicode__(self):
104
return unicode(repr(self.value))
240
return super(AvahiError, self).__init__(value, *args,
241
**kwargs)
242
105
243
106
244
class AvahiServiceError(AvahiError):
107
245
pass
108
246
247
109
248
class AvahiGroupError(AvahiError):
110
249
pass
111
250
116
255
Attributes:
117
256
interface: integer; avahi.IF_UNSPEC or an interface index.
118
257
Used to optionally bind to the specified interface.
119
name: string; Example: u'Mandos'
120
type: string; Example: u'_mandos._tcp'.
121
See <http://www.dns-sd.org/ServiceTypes.html>
258
name: string; Example: 'Mandos'
259
type: string; Example: '_mandos._tcp'.
260
See <https://www.iana.org/assignments/service-names-port-numbers>
122
261
port: integer; what port to announce
123
262
TXT: list of strings; TXT record for the service
124
263
domain: string; Domain to publish on, default to .local if empty.
130
269
server: D-Bus Server
131
270
bus: dbus.SystemBus()
132
271
"""
133
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
134
servicetype = None, port = None, TXT = None,
135
domain = u"", host = u"", max_renames = 32768,
136
protocol = avahi.PROTO_UNSPEC, bus = None):
272
273
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
137
284
self.interface = interface
138
285
self.name = name
139
286
self.type = servicetype
147
294
self.group = None # our entry group
148
295
self.server = None
149
296
self.bus = bus
150
def rename(self):
297
self.entry_group_state_changed_match = None
298
299
def rename(self, remove=True):
151
300
"""Derived from the Avahi example code"""
152
301
if self.rename_count >= self.max_renames:
153
logger.critical(u"No suitable Zeroconf service name found"
154
u" after %i retries, exiting.",
302
logger.critical("No suitable Zeroconf service name found"
303
" after %i retries, exiting.",
155
304
self.rename_count)
156
raise AvahiServiceError(u"Too many renames")
157
self.name = self.server.GetAlternativeServiceName(self.name)
158
logger.info(u"Changing Zeroconf service name to %r ...",
159
unicode(self.name))
160
syslogger.setFormatter(logging.Formatter
161
(u'Mandos (%s) [%%(process)d]:'
162
u' %%(levelname)s: %%(message)s'
163
% self.name))
164
self.remove()
165
self.add()
305
raise AvahiServiceError("Too many renames")
306
self.name = str(
307
self.server.GetAlternativeServiceName(self.name))
166
308
self.rename_count += 1
309
logger.info("Changing Zeroconf service name to %r ...",
310
self.name)
311
if remove:
312
self.remove()
313
try:
314
self.add()
315
except dbus.exceptions.DBusException as error:
316
if (error.get_dbus_name()
317
== "org.freedesktop.Avahi.CollisionError"):
318
logger.info("Local Zeroconf service name collision.")
319
return self.rename(remove=False)
320
else:
321
logger.critical("D-Bus Exception", exc_info=error)
322
self.cleanup()
323
os._exit(1)
324
167
325
def remove(self):
168
326
"""Derived from the Avahi example code"""
327
if self.entry_group_state_changed_match is not None:
328
self.entry_group_state_changed_match.remove()
329
self.entry_group_state_changed_match = None
169
330
if self.group is not None:
170
331
self.group.Reset()
332
171
333
def add(self):
172
334
"""Derived from the Avahi example code"""
335
self.remove()
173
336
if self.group is None:
174
337
self.group = dbus.Interface(
175
338
self.bus.get_object(avahi.DBUS_NAME,
176
339
self.server.EntryGroupNew()),
177
340
avahi.DBUS_INTERFACE_ENTRY_GROUP)
178
self.group.connect_to_signal('StateChanged',
179
self
180
.entry_group_state_changed)
181
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
341
self.entry_group_state_changed_match = (
342
self.group.connect_to_signal(
343
'StateChanged', self.entry_group_state_changed))
344
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
182
345
self.name, self.type)
183
346
self.group.AddService(
184
347
self.interface,
189
352
dbus.UInt16(self.port),
190
353
avahi.string_array_to_txt_array(self.TXT))
191
354
self.group.Commit()
355
192
356
def entry_group_state_changed(self, state, error):
193
357
"""Derived from the Avahi example code"""
194
logger.debug(u"Avahi state change: %i", state)
358
logger.debug("Avahi entry group state change: %i", state)
195
359
196
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
197
logger.debug(u"Zeroconf service established.")
361
logger.debug("Zeroconf service established.")
198
362
elif state == avahi.ENTRY_GROUP_COLLISION:
199
logger.warning(u"Zeroconf service name collision.")
363
logger.info("Zeroconf service name collision.")
200
364
self.rename()
201
365
elif state == avahi.ENTRY_GROUP_FAILURE:
202
logger.critical(u"Avahi: Error in group state changed %s",
203
unicode(error))
204
raise AvahiGroupError(u"State changed: %s"
205
% unicode(error))
366
logger.critical("Avahi: Error in group state changed %s",
367
str(error))
368
raise AvahiGroupError("State changed: {!s}".format(error))
369
206
370
def cleanup(self):
207
371
"""Derived from the Avahi example code"""
208
372
if self.group is not None:
209
self.group.Free()
373
try:
374
self.group.Free()
375
except (dbus.exceptions.UnknownMethodException,
376
dbus.exceptions.DBusException):
377
pass
210
378
self.group = None
211
def server_state_changed(self, state):
379
self.remove()
380
381
def server_state_changed(self, state, error=None):
212
382
"""Derived from the Avahi example code"""
213
if state == avahi.SERVER_COLLISION:
214
logger.error(u"Zeroconf server name collision")
215
self.remove()
383
logger.debug("Avahi server state change: %i", state)
384
bad_states = {
385
avahi.SERVER_INVALID: "Zeroconf server invalid",
386
avahi.SERVER_REGISTERING: None,
387
avahi.SERVER_COLLISION: "Zeroconf server name collision",
388
avahi.SERVER_FAILURE: "Zeroconf server failure",
389
}
390
if state in bad_states:
391
if bad_states[state] is not None:
392
if error is None:
393
logger.error(bad_states[state])
394
else:
395
logger.error(bad_states[state] + ": %r", error)
396
self.cleanup()
216
397
elif state == avahi.SERVER_RUNNING:
217
398
self.add()
399
else:
400
if error is None:
401
logger.debug("Unknown state: %r", state)
402
else:
403
logger.debug("Unknown state: %r: %r", state, error)
404
218
405
def activate(self):
219
406
"""Derived from the Avahi example code"""
220
407
if self.server is None:
221
408
self.server = dbus.Interface(
222
409
self.bus.get_object(avahi.DBUS_NAME,
223
avahi.DBUS_PATH_SERVER),
410
avahi.DBUS_PATH_SERVER,
411
follow_name_owner_changes=True),
224
412
avahi.DBUS_INTERFACE_SERVER)
225
self.server.connect_to_signal(u"StateChanged",
226
self.server_state_changed)
413
self.server.connect_to_signal("StateChanged",
414
self.server_state_changed)
227
415
self.server_state_changed(self.server.GetState())
228
416
229
417
418
class AvahiServiceToSyslog(AvahiService):
419
def rename(self, *args, **kwargs):
420
"""Add the new name to the syslog messages"""
421
ret = AvahiService.rename(self, *args, **kwargs)
422
syslogger.setFormatter(logging.Formatter(
423
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
424
.format(self.name)))
425
return ret
426
427
230
428
class Client(object):
231
429
"""A representation of a client host served by this server.
232
430
233
431
Attributes:
234
name: string; from the config file, used in log messages and
235
D-Bus identifiers
236
fingerprint: string (40 or 32 hexadecimal digits); used to
237
uniquely identify the client
238
secret: bytestring; sent verbatim (over TLS) to client
239
host: string; available for use by the checker command
240
created: datetime.datetime(); (UTC) object creation
241
last_enabled: datetime.datetime(); (UTC)
242
enabled: bool()
243
last_checked_ok: datetime.datetime(); (UTC) or None
244
timeout: datetime.timedelta(); How long from last_checked_ok
245
until this client is invalid
246
interval: datetime.timedelta(); How often to start a new checker
247
disable_hook: If set, called by disable() as disable_hook(self)
432
approved: bool(); 'None' if not yet approved/disapproved
433
approval_delay: datetime.timedelta(); Time to wait for approval
434
approval_duration: datetime.timedelta(); Duration of one approval
248
435
checker: subprocess.Popen(); a running checker process used
249
436
to see if the client lives.
250
437
'None' if no process is running.
251
checker_initiator_tag: a gobject event source tag, or None
252
disable_initiator_tag: - '' -
253
checker_callback_tag: - '' -
254
checker_command: string; External command which is run to check if
255
client lives. %() expansions are done at
438
checker_callback_tag: a gobject event source tag, or None
439
checker_command: string; External command which is run to check
440
if client lives. %() expansions are done at
256
441
runtime with vars(self) as dict, so that for
257
442
instance %(name)s can be used in the command.
443
checker_initiator_tag: a gobject event source tag, or None
444
created: datetime.datetime(); (UTC) object creation
445
client_structure: Object describing what attributes a client has
446
and is used for storing the client at exit
258
447
current_checker_command: string; current running checker_command
448
disable_initiator_tag: a gobject event source tag, or None
449
enabled: bool()
450
fingerprint: string (40 or 32 hexadecimal digits); used to
451
uniquely identify the client
452
host: string; available for use by the checker command
453
interval: datetime.timedelta(); How often to start a new checker
454
last_approval_request: datetime.datetime(); (UTC) or None
455
last_checked_ok: datetime.datetime(); (UTC) or None
456
last_checker_status: integer between 0 and 255 reflecting exit
457
status of last checker. -1 reflects crashed
458
checker, -2 means no checker completed yet.
459
last_enabled: datetime.datetime(); (UTC) or None
460
name: string; from the config file, used in log messages and
461
D-Bus identifiers
462
secret: bytestring; sent verbatim (over TLS) to client
463
timeout: datetime.timedelta(); How long from last_checked_ok
464
until this client is disabled
465
extended_timeout: extra long timeout when secret has been sent
466
runtime_expansions: Allowed attributes for runtime expansion.
467
expires: datetime.datetime(); time (UTC) when a client will be
468
disabled, or None
469
server_settings: The server_settings dict from main()
259
470
"""
260
471
472
runtime_expansions = ("approval_delay", "approval_duration",
473
"created", "enabled", "expires",
474
"fingerprint", "host", "interval",
475
"last_approval_request", "last_checked_ok",
476
"last_enabled", "name", "timeout")
477
client_defaults = {
478
"timeout": "PT5M",
479
"extended_timeout": "PT15M",
480
"interval": "PT2M",
481
"checker": "fping -q -- %%(host)s",
482
"host": "",
483
"approval_delay": "PT0S",
484
"approval_duration": "PT1S",
485
"approved_by_default": "True",
486
"enabled": "True",
487
}
488
261
489
@staticmethod
262
def _timedelta_to_milliseconds(td):
263
"Convert a datetime.timedelta() to milliseconds"
264
return ((td.days * 24 * 60 * 60 * 1000)
265
+ (td.seconds * 1000)
266
+ (td.microseconds // 1000))
267
268
def timeout_milliseconds(self):
269
"Return the 'timeout' attribute in milliseconds"
270
return self._timedelta_to_milliseconds(self.timeout)
271
272
def interval_milliseconds(self):
273
"Return the 'interval' attribute in milliseconds"
274
return self._timedelta_to_milliseconds(self.interval)
275
276
def __init__(self, name = None, disable_hook=None, config=None):
277
"""Note: the 'checker' key in 'config' sets the
278
'checker_command' attribute and *not* the 'checker'
279
attribute."""
490
def config_parser(config):
491
"""Construct a new dict of client settings of this form:
492
{ client_name: {setting_name: value, ...}, ...}
493
with exceptions for any special settings as defined above.
494
NOTE: Must be a pure function. Must return the same result
495
value given the same arguments.
496
"""
497
settings = {}
498
for client_name in config.sections():
499
section = dict(config.items(client_name))
500
client = settings[client_name] = {}
501
502
client["host"] = section["host"]
503
# Reformat values from string types to Python types
504
client["approved_by_default"] = config.getboolean(
505
client_name, "approved_by_default")
506
client["enabled"] = config.getboolean(client_name,
507
"enabled")
508
509
# Uppercase and remove spaces from fingerprint for later
510
# comparison purposes with return value from the
511
# fingerprint() function
512
client["fingerprint"] = (section["fingerprint"].upper()
513
.replace(" ", ""))
514
if "secret" in section:
515
client["secret"] = section["secret"].decode("base64")
516
elif "secfile" in section:
517
with open(os.path.expanduser(os.path.expandvars
518
(section["secfile"])),
519
"rb") as secfile:
520
client["secret"] = secfile.read()
521
else:
522
raise TypeError("No secret or secfile for section {}"
523
.format(section))
524
client["timeout"] = string_to_delta(section["timeout"])
525
client["extended_timeout"] = string_to_delta(
526
section["extended_timeout"])
527
client["interval"] = string_to_delta(section["interval"])
528
client["approval_delay"] = string_to_delta(
529
section["approval_delay"])
530
client["approval_duration"] = string_to_delta(
531
section["approval_duration"])
532
client["checker_command"] = section["checker"]
533
client["last_approval_request"] = None
534
client["last_checked_ok"] = None
535
client["last_checker_status"] = -2
536
537
return settings
538
539
def __init__(self, settings, name = None, server_settings=None):
280
540
self.name = name
281
if config is None:
282
config = {}
283
logger.debug(u"Creating client %r", self.name)
284
# Uppercase and remove spaces from fingerprint for later
285
# comparison purposes with return value from the fingerprint()
286
# function
287
self.fingerprint = (config[u"fingerprint"].upper()
288
.replace(u" ", u""))
289
logger.debug(u" Fingerprint: %s", self.fingerprint)
290
if u"secret" in config:
291
self.secret = config[u"secret"].decode(u"base64")
292
elif u"secfile" in config:
293
with closing(open(os.path.expanduser
294
(os.path.expandvars
295
(config[u"secfile"])))) as secfile:
296
self.secret = secfile.read()
541
if server_settings is None:
542
server_settings = {}
543
self.server_settings = server_settings
544
# adding all client settings
545
for setting, value in settings.items():
546
setattr(self, setting, value)
547
548
if self.enabled:
549
if not hasattr(self, "last_enabled"):
550
self.last_enabled = datetime.datetime.utcnow()
551
if not hasattr(self, "expires"):
552
self.expires = (datetime.datetime.utcnow()
553
+ self.timeout)
297
554
else:
298
raise TypeError(u"No secret or secfile for client %s"
299
% self.name)
300
self.host = config.get(u"host", u"")
301
self.created = datetime.datetime.utcnow()
302
self.enabled = False
303
self.last_enabled = None
304
self.last_checked_ok = None
305
self.timeout = string_to_delta(config[u"timeout"])
306
self.interval = string_to_delta(config[u"interval"])
307
self.disable_hook = disable_hook
555
self.last_enabled = None
556
self.expires = None
557
558
logger.debug("Creating client %r", self.name)
559
logger.debug(" Fingerprint: %s", self.fingerprint)
560
self.created = settings.get("created",
561
datetime.datetime.utcnow())
562
563
# attributes specific for this server instance
308
564
self.checker = None
309
565
self.checker_initiator_tag = None
310
566
self.disable_initiator_tag = None
311
567
self.checker_callback_tag = None
312
self.checker_command = config[u"checker"]
313
568
self.current_checker_command = None
314
self.last_connect = None
569
self.approved = None
570
self.approvals_pending = 0
571
self.changedstate = multiprocessing_manager.Condition(
572
multiprocessing_manager.Lock())
573
self.client_structure = [attr
574
for attr in self.__dict__.iterkeys()
575
if not attr.startswith("_")]
576
self.client_structure.append("client_structure")
577
578
for name, t in inspect.getmembers(
579
type(self), lambda obj: isinstance(obj, property)):
580
if not name.startswith("_"):
581
self.client_structure.append(name)
582
583
# Send notice to process children that client state has changed
584
def send_changedstate(self):
585
with self.changedstate:
586
self.changedstate.notify_all()
315
587
316
588
def enable(self):
317
589
"""Start this client's checker and timeout hooks"""
318
if getattr(self, u"enabled", False):
590
if getattr(self, "enabled", False):
319
591
# Already enabled
320
592
return
593
self.expires = datetime.datetime.utcnow() + self.timeout
594
self.enabled = True
321
595
self.last_enabled = datetime.datetime.utcnow()
322
# Schedule a new checker to be started an 'interval' from now,
323
# and every interval from then on.
324
self.checker_initiator_tag = (gobject.timeout_add
325
(self.interval_milliseconds(),
326
self.start_checker))
327
# Also start a new checker *right now*.
328
self.start_checker()
329
# Schedule a disable() when 'timeout' has passed
330
self.disable_initiator_tag = (gobject.timeout_add
331
(self.timeout_milliseconds(),
332
self.disable))
333
self.enabled = True
596
self.init_checker()
597
self.send_changedstate()
334
598
335
def disable(self):
599
def disable(self, quiet=True):
336
600
"""Disable this client."""
337
601
if not getattr(self, "enabled", False):
338
602
return False
339
logger.info(u"Disabling client %s", self.name)
340
if getattr(self, u"disable_initiator_tag", False):
603
if not quiet:
604
logger.info("Disabling client %s", self.name)
605
if getattr(self, "disable_initiator_tag", None) is not None:
341
606
gobject.source_remove(self.disable_initiator_tag)
342
607
self.disable_initiator_tag = None
343
if getattr(self, u"checker_initiator_tag", False):
608
self.expires = None
609
if getattr(self, "checker_initiator_tag", None) is not None:
344
610
gobject.source_remove(self.checker_initiator_tag)
345
611
self.checker_initiator_tag = None
346
612
self.stop_checker()
347
if self.disable_hook:
348
self.disable_hook(self)
349
613
self.enabled = False
614
if not quiet:
615
self.send_changedstate()
350
616
# Do not run this again if called by a gobject.timeout_add
351
617
return False
352
618
353
619
def __del__(self):
354
self.disable_hook = None
355
620
self.disable()
356
621
622
def init_checker(self):
623
# Schedule a new checker to be started an 'interval' from now,
624
# and every interval from then on.
625
if self.checker_initiator_tag is not None:
626
gobject.source_remove(self.checker_initiator_tag)
627
self.checker_initiator_tag = gobject.timeout_add(
628
int(self.interval.total_seconds() * 1000),
629
self.start_checker)
630
# Schedule a disable() when 'timeout' has passed
631
if self.disable_initiator_tag is not None:
632
gobject.source_remove(self.disable_initiator_tag)
633
self.disable_initiator_tag = gobject.timeout_add(
634
int(self.timeout.total_seconds() * 1000), self.disable)
635
# Also start a new checker *right now*.
636
self.start_checker()
637
357
638
def checker_callback(self, pid, condition, command):
358
639
"""The checker has completed, so take appropriate actions."""
359
640
self.checker_callback_tag = None
360
641
self.checker = None
361
642
if os.WIFEXITED(condition):
362
exitstatus = os.WEXITSTATUS(condition)
363
if exitstatus == 0:
364
logger.info(u"Checker for %(name)s succeeded",
643
self.last_checker_status = os.WEXITSTATUS(condition)
644
if self.last_checker_status == 0:
645
logger.info("Checker for %(name)s succeeded",
365
646
vars(self))
366
647
self.checked_ok()
367
648
else:
368
logger.info(u"Checker for %(name)s failed",
369
vars(self))
649
logger.info("Checker for %(name)s failed", vars(self))
370
650
else:
371
logger.warning(u"Checker for %(name)s crashed?",
651
self.last_checker_status = -1
652
logger.warning("Checker for %(name)s crashed?",
372
653
vars(self))
373
654
374
655
def checked_ok(self):
375
"""Bump up the timeout for this client.
376
377
This should only be called when the client has been seen,
378
alive and well.
379
"""
656
"""Assert that the client has been seen, alive and well."""
380
657
self.last_checked_ok = datetime.datetime.utcnow()
381
gobject.source_remove(self.disable_initiator_tag)
382
self.disable_initiator_tag = (gobject.timeout_add
383
(self.timeout_milliseconds(),
384
self.disable))
658
self.last_checker_status = 0
659
self.bump_timeout()
660
661
def bump_timeout(self, timeout=None):
662
"""Bump up the timeout for this client."""
663
if timeout is None:
664
timeout = self.timeout
665
if self.disable_initiator_tag is not None:
666
gobject.source_remove(self.disable_initiator_tag)
667
self.disable_initiator_tag = None
668
if getattr(self, "enabled", False):
669
self.disable_initiator_tag = gobject.timeout_add(
670
int(timeout.total_seconds() * 1000), self.disable)
671
self.expires = datetime.datetime.utcnow() + timeout
672
673
def need_approval(self):
674
self.last_approval_request = datetime.datetime.utcnow()
385
675
386
676
def start_checker(self):
387
677
"""Start a new checker subprocess if one is not running.
389
679
If a checker already exists, leave it running and do
390
680
nothing."""
391
681
# The reason for not killing a running checker is that if we
392
# did that, then if a checker (for some reason) started
393
# running slowly and taking more than 'interval' time, the
394
# client would inevitably timeout, since no checker would get
395
# a chance to run to completion. If we instead leave running
682
# did that, and if a checker (for some reason) started running
683
# slowly and taking more than 'interval' time, then the client
684
# would inevitably timeout, since no checker would get a
685
# chance to run to completion. If we instead leave running
396
686
# checkers alone, the checker would have to take more time
397
# than 'timeout' for the client to be declared invalid, which
398
# is as it should be.
687
# than 'timeout' for the client to be disabled, which is as it
688
# should be.
399
689
400
690
# If a checker exists, make sure it is not a zombie
401
if self.checker is not None:
691
try:
402
692
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
693
except AttributeError:
694
pass
695
except OSError as error:
696
if error.errno != errno.ECHILD:
697
raise
698
else:
403
699
if pid:
404
logger.warning(u"Checker was a zombie")
700
logger.warning("Checker was a zombie")
405
701
gobject.source_remove(self.checker_callback_tag)
406
702
self.checker_callback(pid, status,
407
703
self.current_checker_command)
408
704
# Start a new checker if needed
409
705
if self.checker is None:
706
# Escape attributes for the shell
707
escaped_attrs = {
708
attr: re.escape(str(getattr(self, attr)))
709
for attr in self.runtime_expansions }
410
710
try:
411
# In case checker_command has exactly one % operator
412
command = self.checker_command % self.host
413
except TypeError:
414
# Escape attributes for the shell
415
escaped_attrs = dict((key,
416
re.escape(unicode(str(val),
417
errors=
418
u'replace')))
419
for key, val in
420
vars(self).iteritems())
421
try:
422
command = self.checker_command % escaped_attrs
423
except TypeError, error:
424
logger.error(u'Could not format string "%s":'
425
u' %s', self.checker_command, error)
426
return True # Try again later
711
command = self.checker_command % escaped_attrs
712
except TypeError as error:
713
logger.error('Could not format string "%s"',
714
self.checker_command,
715
exc_info=error)
716
return True # Try again later
427
717
self.current_checker_command = command
428
718
try:
429
logger.info(u"Starting checker %r for %s",
430
command, self.name)
719
logger.info("Starting checker %r for %s", command,
720
self.name)
431
721
# We don't need to redirect stdout and stderr, since
432
722
# in normal mode, that is already done by daemon(),
433
723
# and in debug mode we don't want to. (Stdin is
434
724
# always replaced by /dev/null.)
725
# The exception is when not debugging but nevertheless
726
# running in the foreground; use the previously
727
# created wnull.
728
popen_args = {}
729
if (not self.server_settings["debug"]
730
and self.server_settings["foreground"]):
731
popen_args.update({"stdout": wnull,
732
"stderr": wnull })
435
733
self.checker = subprocess.Popen(command,
436
734
close_fds=True,
437
shell=True, cwd=u"/")
438
self.checker_callback_tag = (gobject.child_watch_add
439
(self.checker.pid,
440
self.checker_callback,
441
data=command))
442
# The checker may have completed before the gobject
443
# watch was added. Check for this.
735
shell=True,
736
cwd="/",
737
**popen_args)
738
except OSError as error:
739
logger.error("Failed to start subprocess",
740
exc_info=error)
741
return True
742
self.checker_callback_tag = gobject.child_watch_add(
743
self.checker.pid, self.checker_callback, data=command)
744
# The checker may have completed before the gobject
745
# watch was added. Check for this.
746
try:
444
747
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
445
if pid:
446
gobject.source_remove(self.checker_callback_tag)
447
self.checker_callback(pid, status, command)
448
except OSError, error:
449
logger.error(u"Failed to start subprocess: %s",
450
error)
748
except OSError as error:
749
if error.errno == errno.ECHILD:
750
# This should never happen
751
logger.error("Child process vanished",
752
exc_info=error)
753
return True
754
raise
755
if pid:
756
gobject.source_remove(self.checker_callback_tag)
757
self.checker_callback(pid, status, command)
451
758
# Re-run this periodically if run by gobject.timeout_add
452
759
return True
453
760
456
763
if self.checker_callback_tag:
457
764
gobject.source_remove(self.checker_callback_tag)
458
765
self.checker_callback_tag = None
459
if getattr(self, u"checker", None) is None:
766
if getattr(self, "checker", None) is None:
460
767
return
461
logger.debug(u"Stopping checker for %(name)s", vars(self))
768
logger.debug("Stopping checker for %(name)s", vars(self))
462
769
try:
463
os.kill(self.checker.pid, signal.SIGTERM)
464
#os.sleep(0.5)
770
self.checker.terminate()
771
#time.sleep(0.5)
465
772
#if self.checker.poll() is None:
466
# os.kill(self.checker.pid, signal.SIGKILL)
467
except OSError, error:
773
# self.checker.kill()
774
except OSError as error:
468
775
if error.errno != errno.ESRCH: # No such process
469
776
raise
470
777
self.checker = None
471
472
def still_valid(self):
473
"""Has the timeout not yet passed for this client?"""
474
if not getattr(self, u"enabled", False):
475
return False
476
now = datetime.datetime.utcnow()
477
if self.last_checked_ok is None:
478
return now < (self.created + self.timeout)
479
else:
480
return now < (self.last_checked_ok + self.timeout)
481
482
483
def dbus_service_property(dbus_interface, signature=u"v",
484
access=u"readwrite", byte_arrays=False):
778
779
780
def dbus_service_property(dbus_interface,
781
signature="v",
782
access="readwrite",
783
byte_arrays=False):
485
784
"""Decorators for marking methods of a DBusObjectWithProperties to
486
785
become properties on the D-Bus.
487
786
492
791
dbus.service.method, except there is only "signature", since the
493
792
type from Get() and the type sent to Set() is the same.
494
793
"""
794
# Encoding deeply encoded byte arrays is not supported yet by the
795
# "Set" method, so we fail early here:
796
if byte_arrays and signature != "ay":
797
raise ValueError("Byte arrays not supported for non-'ay'"
798
" signature {!r}".format(signature))
799
495
800
def decorator(func):
496
801
func._dbus_is_property = True
497
802
func._dbus_interface = dbus_interface
498
803
func._dbus_signature = signature
499
804
func._dbus_access = access
500
805
func._dbus_name = func.__name__
501
if func._dbus_name.endswith(u"_dbus_property"):
806
if func._dbus_name.endswith("_dbus_property"):
502
807
func._dbus_name = func._dbus_name[:-14]
503
func._dbus_get_args_options = {u'byte_arrays': byte_arrays }
504
return func
808
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
809
return func
810
811
return decorator
812
813
814
def dbus_interface_annotations(dbus_interface):
815
"""Decorator for marking functions returning interface annotations
816
817
Usage:
818
819
@dbus_interface_annotations("org.example.Interface")
820
def _foo(self): # Function name does not matter
821
return {"org.freedesktop.DBus.Deprecated": "true",
822
"org.freedesktop.DBus.Property.EmitsChangedSignal":
823
"false"}
824
"""
825
826
def decorator(func):
827
func._dbus_is_interface = True
828
func._dbus_interface = dbus_interface
829
func._dbus_name = dbus_interface
830
return func
831
832
return decorator
833
834
835
def dbus_annotations(annotations):
836
"""Decorator to annotate D-Bus methods, signals or properties
837
Usage:
838
839
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
840
"org.freedesktop.DBus.Property."
841
"EmitsChangedSignal": "false"})
842
@dbus_service_property("org.example.Interface", signature="b",
843
access="r")
844
def Property_dbus_property(self):
845
return dbus.Boolean(False)
846
"""
847
848
def decorator(func):
849
func._dbus_annotations = annotations
850
return func
851
505
852
return decorator
506
853
507
854
508
855
class DBusPropertyException(dbus.exceptions.DBusException):
509
856
"""A base class for D-Bus property-related exceptions
510
857
"""
511
def __unicode__(self):
512
return unicode(str(self))
858
pass
513
859
514
860
515
861
class DBusPropertyAccessException(DBusPropertyException):
526
872
527
873
class DBusObjectWithProperties(dbus.service.Object):
528
874
"""A D-Bus object with properties.
529
875
530
876
Classes inheriting from this can use the dbus_service_property
531
877
decorator to expose methods as D-Bus properties. It exposes the
532
878
standard Get(), Set(), and GetAll() methods on the D-Bus.
533
879
"""
534
880
535
881
@staticmethod
536
def _is_dbus_property(obj):
537
return getattr(obj, u"_dbus_is_property", False)
882
def _is_dbus_thing(thing):
883
"""Returns a function testing if an attribute is a D-Bus thing
884
885
If called like _is_dbus_thing("method") it returns a function
886
suitable for use as predicate to inspect.getmembers().
887
"""
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
False)
538
890
539
def _get_all_dbus_properties(self):
891
def _get_all_dbus_things(self, thing):
540
892
"""Returns a generator of (name, attribute) pairs
541
893
"""
542
return ((prop._dbus_name, prop)
543
for name, prop in
544
inspect.getmembers(self, self._is_dbus_property))
894
return ((getattr(athing.__get__(self), "_dbus_name", name),
895
athing.__get__(self))
896
for cls in self.__class__.__mro__
897
for name, athing in
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
545
899
546
900
def _get_dbus_property(self, interface_name, property_name):
547
901
"""Returns a bound method if one exists which is a D-Bus
548
902
property with the specified name and interface.
549
903
"""
550
for name in (property_name,
551
property_name + u"_dbus_property"):
552
prop = getattr(self, name, None)
553
if (prop is None
554
or not self._is_dbus_property(prop)
555
or prop._dbus_name != property_name
556
or (interface_name and prop._dbus_interface
557
and interface_name != prop._dbus_interface)):
558
continue
559
return prop
904
for cls in self.__class__.__mro__:
905
for name, value in inspect.getmembers(
906
cls, self._is_dbus_thing("property")):
907
if (value._dbus_name == property_name
908
and value._dbus_interface == interface_name):
909
return value.__get__(self)
910
560
911
# No such property
561
raise DBusPropertyNotFound(self.dbus_object_path + u":"
562
+ interface_name + u"."
563
+ property_name)
912
raise DBusPropertyNotFound("{}:{}.{}".format(
913
self.dbus_object_path, interface_name, property_name))
564
914
565
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ss",
566
out_signature=u"v")
915
@dbus.service.method(dbus.PROPERTIES_IFACE,
916
in_signature="ss",
917
out_signature="v")
567
918
def Get(self, interface_name, property_name):
568
919
"""Standard D-Bus property Get() method, see D-Bus standard.
569
920
"""
570
921
prop = self._get_dbus_property(interface_name, property_name)
571
if prop._dbus_access == u"write":
922
if prop._dbus_access == "write":
572
923
raise DBusPropertyAccessException(property_name)
573
924
value = prop()
574
if not hasattr(value, u"variant_level"):
925
if not hasattr(value, "variant_level"):
575
926
return value
576
927
return type(value)(value, variant_level=value.variant_level+1)
577
928
578
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"ssv")
929
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
579
930
def Set(self, interface_name, property_name, value):
580
931
"""Standard D-Bus property Set() method, see D-Bus standard.
581
932
"""
582
933
prop = self._get_dbus_property(interface_name, property_name)
583
if prop._dbus_access == u"read":
934
if prop._dbus_access == "read":
584
935
raise DBusPropertyAccessException(property_name)
585
if prop._dbus_get_args_options[u"byte_arrays"]:
586
value = dbus.ByteArray(''.join(unichr(byte)
587
for byte in value))
936
if prop._dbus_get_args_options["byte_arrays"]:
937
# The byte_arrays option is not supported yet on
938
# signatures other than "ay".
939
if prop._dbus_signature != "ay":
940
raise ValueError("Byte arrays not supported for non-"
941
"'ay' signature {!r}"
942
.format(prop._dbus_signature))
943
value = dbus.ByteArray(b''.join(chr(byte)
944
for byte in value))
588
945
prop(value)
589
946
590
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature=u"s",
591
out_signature=u"a{sv}")
947
@dbus.service.method(dbus.PROPERTIES_IFACE,
948
in_signature="s",
949
out_signature="a{sv}")
592
950
def GetAll(self, interface_name):
593
951
"""Standard D-Bus property GetAll() method, see D-Bus
594
952
standard.
595
953
596
954
Note: Will not include properties with access="write".
597
955
"""
598
all = {}
599
for name, prop in self._get_all_dbus_properties():
956
properties = {}
957
for name, prop in self._get_all_dbus_things("property"):
600
958
if (interface_name
601
959
and interface_name != prop._dbus_interface):
602
960
# Interface non-empty but did not match
603
961
continue
604
962
# Ignore write-only properties
605
if prop._dbus_access == u"write":
963
if prop._dbus_access == "write":
606
964
continue
607
965
value = prop()
608
if not hasattr(value, u"variant_level"):
609
all[name] = value
966
if not hasattr(value, "variant_level"):
967
properties[name] = value
610
968
continue
611
all[name] = type(value)(value, variant_level=
612
value.variant_level+1)
613
return dbus.Dictionary(all, signature=u"sv")
969
properties[name] = type(value)(
970
value, variant_level = value.variant_level + 1)
971
return dbus.Dictionary(properties, signature="sv")
972
973
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
974
def PropertiesChanged(self, interface_name, changed_properties,
975
invalidated_properties):
976
"""Standard D-Bus PropertiesChanged() signal, see D-Bus
977
standard.
978
"""
979
pass
614
980
615
981
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
616
out_signature=u"s",
982
out_signature="s",
617
983
path_keyword='object_path',
618
984
connection_keyword='connection')
619
985
def Introspect(self, object_path, connection):
620
"""Standard D-Bus method, overloaded to insert property tags.
986
"""Overloading of standard D-Bus method.
987
988
Inserts property tags and interface annotation tags.
621
989
"""
622
990
xmlstring = dbus.service.Object.Introspect(self, object_path,
623
connection)
624
document = xml.dom.minidom.parseString(xmlstring)
625
del xmlstring
626
def make_tag(document, name, prop):
627
e = document.createElement(u"property")
628
e.setAttribute(u"name", name)
629
e.setAttribute(u"type", prop._dbus_signature)
630
e.setAttribute(u"access", prop._dbus_access)
631
return e
632
for if_tag in document.getElementsByTagName(u"interface"):
633
for tag in (make_tag(document, name, prop)
634
for name, prop
635
in self._get_all_dbus_properties()
636
if prop._dbus_interface
637
== if_tag.getAttribute(u"name")):
638
if_tag.appendChild(tag)
639
xmlstring = document.toxml(u"utf-8")
640
document.unlink()
991
connection)
992
try:
993
document = xml.dom.minidom.parseString(xmlstring)
994
995
def make_tag(document, name, prop):
996
e = document.createElement("property")
997
e.setAttribute("name", name)
998
e.setAttribute("type", prop._dbus_signature)
999
e.setAttribute("access", prop._dbus_access)
1000
return e
1001
1002
for if_tag in document.getElementsByTagName("interface"):
1003
# Add property tags
1004
for tag in (make_tag(document, name, prop)
1005
for name, prop
1006
in self._get_all_dbus_things("property")
1007
if prop._dbus_interface
1008
== if_tag.getAttribute("name")):
1009
if_tag.appendChild(tag)
1010
# Add annotation tags
1011
for typ in ("method", "signal", "property"):
1012
for tag in if_tag.getElementsByTagName(typ):
1013
annots = dict()
1014
for name, prop in (self.
1015
_get_all_dbus_things(typ)):
1016
if (name == tag.getAttribute("name")
1017
and prop._dbus_interface
1018
== if_tag.getAttribute("name")):
1019
annots.update(getattr(
1020
prop, "_dbus_annotations", {}))
1021
for name, value in annots.items():
1022
ann_tag = document.createElement(
1023
"annotation")
1024
ann_tag.setAttribute("name", name)
1025
ann_tag.setAttribute("value", value)
1026
tag.appendChild(ann_tag)
1027
# Add interface annotation tags
1028
for annotation, value in dict(
1029
itertools.chain.from_iterable(
1030
annotations().items()
1031
for name, annotations
1032
in self._get_all_dbus_things("interface")
1033
if name == if_tag.getAttribute("name")
1034
)).items():
1035
ann_tag = document.createElement("annotation")
1036
ann_tag.setAttribute("name", annotation)
1037
ann_tag.setAttribute("value", value)
1038
if_tag.appendChild(ann_tag)
1039
# Add the names to the return values for the
1040
# "org.freedesktop.DBus.Properties" methods
1041
if (if_tag.getAttribute("name")
1042
== "org.freedesktop.DBus.Properties"):
1043
for cn in if_tag.getElementsByTagName("method"):
1044
if cn.getAttribute("name") == "Get":
1045
for arg in cn.getElementsByTagName("arg"):
1046
if (arg.getAttribute("direction")
1047
== "out"):
1048
arg.setAttribute("name", "value")
1049
elif cn.getAttribute("name") == "GetAll":
1050
for arg in cn.getElementsByTagName("arg"):
1051
if (arg.getAttribute("direction")
1052
== "out"):
1053
arg.setAttribute("name", "props")
1054
xmlstring = document.toxml("utf-8")
1055
document.unlink()
1056
except (AttributeError, xml.dom.DOMException,
1057
xml.parsers.expat.ExpatError) as error:
1058
logger.error("Failed to override Introspection method",
1059
exc_info=error)
641
1060
return xmlstring
642
1061
643
1062
1063
def datetime_to_dbus(dt, variant_level=0):
1064
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1065
if dt is None:
1066
return dbus.String("", variant_level = variant_level)
1067
return dbus.String(dt.isoformat(), variant_level=variant_level)
1068
1069
1070
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1071
"""A class decorator; applied to a subclass of
1072
dbus.service.Object, it will add alternate D-Bus attributes with
1073
interface names according to the "alt_interface_names" mapping.
1074
Usage:
1075
1076
@alternate_dbus_interfaces({"org.example.Interface":
1077
"net.example.AlternateInterface"})
1078
class SampleDBusObject(dbus.service.Object):
1079
@dbus.service.method("org.example.Interface")
1080
def SampleDBusMethod():
1081
pass
1082
1083
The above "SampleDBusMethod" on "SampleDBusObject" will be
1084
reachable via two interfaces: "org.example.Interface" and
1085
"net.example.AlternateInterface", the latter of which will have
1086
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1087
"true", unless "deprecate" is passed with a False value.
1088
1089
This works for methods and signals, and also for D-Bus properties
1090
(from DBusObjectWithProperties) and interfaces (from the
1091
dbus_interface_annotations decorator).
1092
"""
1093
1094
def wrapper(cls):
1095
for orig_interface_name, alt_interface_name in (
1096
alt_interface_names.items()):
1097
attr = {}
1098
interface_names = set()
1099
# Go though all attributes of the class
1100
for attrname, attribute in inspect.getmembers(cls):
1101
# Ignore non-D-Bus attributes, and D-Bus attributes
1102
# with the wrong interface name
1103
if (not hasattr(attribute, "_dbus_interface")
1104
or not attribute._dbus_interface.startswith(
1105
orig_interface_name)):
1106
continue
1107
# Create an alternate D-Bus interface name based on
1108
# the current name
1109
alt_interface = attribute._dbus_interface.replace(
1110
orig_interface_name, alt_interface_name)
1111
interface_names.add(alt_interface)
1112
# Is this a D-Bus signal?
1113
if getattr(attribute, "_dbus_is_signal", False):
1114
# Extract the original non-method undecorated
1115
# function by black magic
1116
nonmethod_func = (dict(
1117
zip(attribute.func_code.co_freevars,
1118
attribute.__closure__))
1119
["func"].cell_contents)
1120
# Create a new, but exactly alike, function
1121
# object, and decorate it to be a new D-Bus signal
1122
# with the alternate D-Bus interface name
1123
new_function = (dbus.service.signal(
1124
alt_interface, attribute._dbus_signature)
1125
(types.FunctionType(
1126
nonmethod_func.func_code,
1127
nonmethod_func.func_globals,
1128
nonmethod_func.func_name,
1129
nonmethod_func.func_defaults,
1130
nonmethod_func.func_closure)))
1131
# Copy annotations, if any
1132
try:
1133
new_function._dbus_annotations = dict(
1134
attribute._dbus_annotations)
1135
except AttributeError:
1136
pass
1137
# Define a creator of a function to call both the
1138
# original and alternate functions, so both the
1139
# original and alternate signals gets sent when
1140
# the function is called
1141
def fixscope(func1, func2):
1142
"""This function is a scope container to pass
1143
func1 and func2 to the "call_both" function
1144
outside of its arguments"""
1145
1146
def call_both(*args, **kwargs):
1147
"""This function will emit two D-Bus
1148
signals by calling func1 and func2"""
1149
func1(*args, **kwargs)
1150
func2(*args, **kwargs)
1151
1152
return call_both
1153
# Create the "call_both" function and add it to
1154
# the class
1155
attr[attrname] = fixscope(attribute, new_function)
1156
# Is this a D-Bus method?
1157
elif getattr(attribute, "_dbus_is_method", False):
1158
# Create a new, but exactly alike, function
1159
# object. Decorate it to be a new D-Bus method
1160
# with the alternate D-Bus interface name. Add it
1161
# to the class.
1162
attr[attrname] = (
1163
dbus.service.method(
1164
alt_interface,
1165
attribute._dbus_in_signature,
1166
attribute._dbus_out_signature)
1167
(types.FunctionType(attribute.func_code,
1168
attribute.func_globals,
1169
attribute.func_name,
1170
attribute.func_defaults,
1171
attribute.func_closure)))
1172
# Copy annotations, if any
1173
try:
1174
attr[attrname]._dbus_annotations = dict(
1175
attribute._dbus_annotations)
1176
except AttributeError:
1177
pass
1178
# Is this a D-Bus property?
1179
elif getattr(attribute, "_dbus_is_property", False):
1180
# Create a new, but exactly alike, function
1181
# object, and decorate it to be a new D-Bus
1182
# property with the alternate D-Bus interface
1183
# name. Add it to the class.
1184
attr[attrname] = (dbus_service_property(
1185
alt_interface, attribute._dbus_signature,
1186
attribute._dbus_access,
1187
attribute._dbus_get_args_options
1188
["byte_arrays"])
1189
(types.FunctionType(
1190
attribute.func_code,
1191
attribute.func_globals,
1192
attribute.func_name,
1193
attribute.func_defaults,
1194
attribute.func_closure)))
1195
# Copy annotations, if any
1196
try:
1197
attr[attrname]._dbus_annotations = dict(
1198
attribute._dbus_annotations)
1199
except AttributeError:
1200
pass
1201
# Is this a D-Bus interface?
1202
elif getattr(attribute, "_dbus_is_interface", False):
1203
# Create a new, but exactly alike, function
1204
# object. Decorate it to be a new D-Bus interface
1205
# with the alternate D-Bus interface name. Add it
1206
# to the class.
1207
attr[attrname] = (
1208
dbus_interface_annotations(alt_interface)
1209
(types.FunctionType(attribute.func_code,
1210
attribute.func_globals,
1211
attribute.func_name,
1212
attribute.func_defaults,
1213
attribute.func_closure)))
1214
if deprecate:
1215
# Deprecate all alternate interfaces
1216
iname="_AlternateDBusNames_interface_annotation{}"
1217
for interface_name in interface_names:
1218
1219
@dbus_interface_annotations(interface_name)
1220
def func(self):
1221
return { "org.freedesktop.DBus.Deprecated":
1222
"true" }
1223
# Find an unused name
1224
for aname in (iname.format(i)
1225
for i in itertools.count()):
1226
if aname not in attr:
1227
attr[aname] = func
1228
break
1229
if interface_names:
1230
# Replace the class with a new subclass of it with
1231
# methods, signals, etc. as created above.
1232
cls = type(b"{}Alternate".format(cls.__name__),
1233
(cls, ), attr)
1234
return cls
1235
1236
return wrapper
1237
1238
1239
@alternate_dbus_interfaces({"se.recompile.Mandos":
1240
"se.bsnet.fukt.Mandos"})
644
1241
class ClientDBus(Client, DBusObjectWithProperties):
645
1242
"""A Client class using D-Bus
646
1243
648
1245
dbus_object_path: dbus.ObjectPath
649
1246
bus: dbus.SystemBus()
650
1247
"""
1248
1249
runtime_expansions = (Client.runtime_expansions
1250
+ ("dbus_object_path", ))
1251
1252
_interface = "se.recompile.Mandos.Client"
1253
651
1254
# dbus.service.Object doesn't use super(), so we can't either.
652
1255
653
1256
def __init__(self, bus = None, *args, **kwargs):
655
1258
Client.__init__(self, *args, **kwargs)
656
1259
# Only now, when this client is initialized, can it show up on
657
1260
# the D-Bus
658
self.dbus_object_path = (dbus.ObjectPath
659
(u"/clients/"
660
+ self.name.replace(u".", u"_")))
1261
client_object_name = str(self.name).translate(
1262
{ord("."): ord("_"),
1263
ord("-"): ord("_")})
1264
self.dbus_object_path = dbus.ObjectPath(
1265
"/clients/" + client_object_name)
661
1266
DBusObjectWithProperties.__init__(self, self.bus,
662
1267
self.dbus_object_path)
663
1268
664
@staticmethod
665
def _datetime_to_dbus(dt, variant_level=0):
666
"""Convert a UTC datetime.datetime() to a D-Bus type."""
667
return dbus.String(dt.isoformat(),
668
variant_level=variant_level)
669
670
def enable(self):
671
oldstate = getattr(self, u"enabled", False)
672
r = Client.enable(self)
673
if oldstate != self.enabled:
674
# Emit D-Bus signals
675
self.PropertyChanged(dbus.String(u"enabled"),
676
dbus.Boolean(True, variant_level=1))
677
self.PropertyChanged(
678
dbus.String(u"last_enabled"),
679
self._datetime_to_dbus(self.last_enabled,
680
variant_level=1))
681
return r
682
683
def disable(self, signal = True):
684
oldstate = getattr(self, u"enabled", False)
685
r = Client.disable(self)
686
if signal and oldstate != self.enabled:
687
# Emit D-Bus signal
688
self.PropertyChanged(dbus.String(u"enabled"),
689
dbus.Boolean(False, variant_level=1))
690
return r
1269
def notifychangeproperty(transform_func, dbus_name,
1270
type_func=lambda x: x,
1271
variant_level=1,
1272
invalidate_only=False,
1273
_interface=_interface):
1274
""" Modify a variable so that it's a property which announces
1275
its changes to DBus.
1276
1277
transform_fun: Function that takes a value and a variant_level
1278
and transforms it to a D-Bus type.
1279
dbus_name: D-Bus name of the variable
1280
type_func: Function that transform the value before sending it
1281
to the D-Bus. Default: no transform
1282
variant_level: D-Bus variant level. Default: 1
1283
"""
1284
attrname = "_{}".format(dbus_name)
1285
1286
def setter(self, value):
1287
if hasattr(self, "dbus_object_path"):
1288
if (not hasattr(self, attrname) or
1289
type_func(getattr(self, attrname, None))
1290
!= type_func(value)):
1291
if invalidate_only:
1292
self.PropertiesChanged(
1293
_interface, dbus.Dictionary(),
1294
dbus.Array((dbus_name, )))
1295
else:
1296
dbus_value = transform_func(
1297
type_func(value),
1298
variant_level = variant_level)
1299
self.PropertyChanged(dbus.String(dbus_name),
1300
dbus_value)
1301
self.PropertiesChanged(
1302
_interface,
1303
dbus.Dictionary({ dbus.String(dbus_name):
1304
dbus_value }),
1305
dbus.Array())
1306
setattr(self, attrname, value)
1307
1308
return property(lambda self: getattr(self, attrname), setter)
1309
1310
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1311
approvals_pending = notifychangeproperty(dbus.Boolean,
1312
"ApprovalPending",
1313
type_func = bool)
1314
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1315
last_enabled = notifychangeproperty(datetime_to_dbus,
1316
"LastEnabled")
1317
checker = notifychangeproperty(
1318
dbus.Boolean, "CheckerRunning",
1319
type_func = lambda checker: checker is not None)
1320
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1321
"LastCheckedOK")
1322
last_checker_status = notifychangeproperty(dbus.Int16,
1323
"LastCheckerStatus")
1324
last_approval_request = notifychangeproperty(
1325
datetime_to_dbus, "LastApprovalRequest")
1326
approved_by_default = notifychangeproperty(dbus.Boolean,
1327
"ApprovedByDefault")
1328
approval_delay = notifychangeproperty(
1329
dbus.UInt64, "ApprovalDelay",
1330
type_func = lambda td: td.total_seconds() * 1000)
1331
approval_duration = notifychangeproperty(
1332
dbus.UInt64, "ApprovalDuration",
1333
type_func = lambda td: td.total_seconds() * 1000)
1334
host = notifychangeproperty(dbus.String, "Host")
1335
timeout = notifychangeproperty(
1336
dbus.UInt64, "Timeout",
1337
type_func = lambda td: td.total_seconds() * 1000)
1338
extended_timeout = notifychangeproperty(
1339
dbus.UInt64, "ExtendedTimeout",
1340
type_func = lambda td: td.total_seconds() * 1000)
1341
interval = notifychangeproperty(
1342
dbus.UInt64, "Interval",
1343
type_func = lambda td: td.total_seconds() * 1000)
1344
checker_command = notifychangeproperty(dbus.String, "Checker")
1345
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1346
invalidate_only=True)
1347
1348
del notifychangeproperty
691
1349
692
1350
def __del__(self, *args, **kwargs):
693
1351
try:
694
1352
self.remove_from_connection()
695
1353
except LookupError:
696
1354
pass
697
if hasattr(DBusObjectWithProperties, u"__del__"):
1355
if hasattr(DBusObjectWithProperties, "__del__"):
698
1356
DBusObjectWithProperties.__del__(self, *args, **kwargs)
699
1357
Client.__del__(self, *args, **kwargs)
700
1358
702
1360
*args, **kwargs):
703
1361
self.checker_callback_tag = None
704
1362
self.checker = None
705
# Emit D-Bus signal
706
self.PropertyChanged(dbus.String(u"checker_running"),
707
dbus.Boolean(False, variant_level=1))
708
1363
if os.WIFEXITED(condition):
709
1364
exitstatus = os.WEXITSTATUS(condition)
710
1365
# Emit D-Bus signal
720
1375
return Client.checker_callback(self, pid, condition, command,
721
1376
*args, **kwargs)
722
1377
723
def checked_ok(self, *args, **kwargs):
724
r = Client.checked_ok(self, *args, **kwargs)
725
# Emit D-Bus signal
726
self.PropertyChanged(
727
dbus.String(u"last_checked_ok"),
728
(self._datetime_to_dbus(self.last_checked_ok,
729
variant_level=1)))
730
return r
731
732
1378
def start_checker(self, *args, **kwargs):
733
old_checker = self.checker
734
if self.checker is not None:
735
old_checker_pid = self.checker.pid
736
else:
737
old_checker_pid = None
1379
old_checker_pid = getattr(self.checker, "pid", None)
738
1380
r = Client.start_checker(self, *args, **kwargs)
739
1381
# Only if new checker process was started
740
1382
if (self.checker is not None
741
1383
and old_checker_pid != self.checker.pid):
742
1384
# Emit D-Bus signal
743
1385
self.CheckerStarted(self.current_checker_command)
744
self.PropertyChanged(
745
dbus.String(u"checker_running"),
746
dbus.Boolean(True, variant_level=1))
747
return r
748
749
def stop_checker(self, *args, **kwargs):
750
old_checker = getattr(self, u"checker", None)
751
r = Client.stop_checker(self, *args, **kwargs)
752
if (old_checker is not None
753
and getattr(self, u"checker", None) is None):
754
self.PropertyChanged(dbus.String(u"checker_running"),
755
dbus.Boolean(False, variant_level=1))
756
return r
757
758
## D-Bus methods & signals
759
_interface = u"se.bsnet.fukt.Mandos.Client"
760
761
# CheckedOK - method
762
@dbus.service.method(_interface)
763
def CheckedOK(self):
764
return self.checked_ok()
1386
return r
1387
1388
def _reset_approved(self):
1389
self.approved = None
1390
return False
1391
1392
def approve(self, value=True):
1393
self.approved = value
1394
gobject.timeout_add(int(self.approval_duration.total_seconds()
1395
* 1000), self._reset_approved)
1396
self.send_changedstate()
1397
1398
## D-Bus methods, signals & properties
1399
1400
## Interfaces
1401
1402
## Signals
765
1403
766
1404
# CheckerCompleted - signal
767
@dbus.service.signal(_interface, signature=u"nxs")
1405
@dbus.service.signal(_interface, signature="nxs")
768
1406
def CheckerCompleted(self, exitcode, waitstatus, command):
769
1407
"D-Bus signal"
770
1408
pass
771
1409
772
1410
# CheckerStarted - signal
773
@dbus.service.signal(_interface, signature=u"s")
1411
@dbus.service.signal(_interface, signature="s")
774
1412
def CheckerStarted(self, command):
775
1413
"D-Bus signal"
776
1414
pass
777
1415
778
1416
# PropertyChanged - signal
779
@dbus.service.signal(_interface, signature=u"sv")
1417
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1418
@dbus.service.signal(_interface, signature="sv")
780
1419
def PropertyChanged(self, property, value):
781
1420
"D-Bus signal"
782
1421
pass
783
1422
784
# ReceivedSecret - signal
1423
# GotSecret - signal
785
1424
@dbus.service.signal(_interface)
786
def ReceivedSecret(self):
787
"D-Bus signal"
1425
def GotSecret(self):
1426
"""D-Bus signal
1427
Is sent after a successful transfer of secret from the Mandos
1428
server to mandos-client
1429
"""
788
1430
pass
789
1431
790
1432
# Rejected - signal
791
@dbus.service.signal(_interface)
792
def Rejected(self):
1433
@dbus.service.signal(_interface, signature="s")
1434
def Rejected(self, reason):
793
1435
"D-Bus signal"
794
1436
pass
795
1437
1438
# NeedApproval - signal
1439
@dbus.service.signal(_interface, signature="tb")
1440
def NeedApproval(self, timeout, default):
1441
"D-Bus signal"
1442
return self.need_approval()
1443
1444
## Methods
1445
1446
# Approve - method
1447
@dbus.service.method(_interface, in_signature="b")
1448
def Approve(self, value):
1449
self.approve(value)
1450
1451
# CheckedOK - method
1452
@dbus.service.method(_interface)
1453
def CheckedOK(self):
1454
self.checked_ok()
1455
796
1456
# Enable - method
797
1457
@dbus.service.method(_interface)
798
1458
def Enable(self):
816
1476
def StopChecker(self):
817
1477
self.stop_checker()
818
1478
819
# name - property
820
@dbus_service_property(_interface, signature=u"s", access=u"read")
821
def name_dbus_property(self):
1479
## Properties
1480
1481
# ApprovalPending - property
1482
@dbus_service_property(_interface, signature="b", access="read")
1483
def ApprovalPending_dbus_property(self):
1484
return dbus.Boolean(bool(self.approvals_pending))
1485
1486
# ApprovedByDefault - property
1487
@dbus_service_property(_interface,
1488
signature="b",
1489
access="readwrite")
1490
def ApprovedByDefault_dbus_property(self, value=None):
1491
if value is None: # get
1492
return dbus.Boolean(self.approved_by_default)
1493
self.approved_by_default = bool(value)
1494
1495
# ApprovalDelay - property
1496
@dbus_service_property(_interface,
1497
signature="t",
1498
access="readwrite")
1499
def ApprovalDelay_dbus_property(self, value=None):
1500
if value is None: # get
1501
return dbus.UInt64(self.approval_delay.total_seconds()
1502
* 1000)
1503
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1504
1505
# ApprovalDuration - property
1506
@dbus_service_property(_interface,
1507
signature="t",
1508
access="readwrite")
1509
def ApprovalDuration_dbus_property(self, value=None):
1510
if value is None: # get
1511
return dbus.UInt64(self.approval_duration.total_seconds()
1512
* 1000)
1513
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1514
1515
# Name - property
1516
@dbus_service_property(_interface, signature="s", access="read")
1517
def Name_dbus_property(self):
822
1518
return dbus.String(self.name)
823
1519
824
# fingerprint - property
825
@dbus_service_property(_interface, signature=u"s", access=u"read")
826
def fingerprint_dbus_property(self):
1520
# Fingerprint - property
1521
@dbus_service_property(_interface, signature="s", access="read")
1522
def Fingerprint_dbus_property(self):
827
1523
return dbus.String(self.fingerprint)
828
1524
829
# host - property
830
@dbus_service_property(_interface, signature=u"s",
831
access=u"readwrite")
832
def host_dbus_property(self, value=None):
1525
# Host - property
1526
@dbus_service_property(_interface,
1527
signature="s",
1528
access="readwrite")
1529
def Host_dbus_property(self, value=None):
833
1530
if value is None: # get
834
1531
return dbus.String(self.host)
835
self.host = value
836
# Emit D-Bus signal
837
self.PropertyChanged(dbus.String(u"host"),
838
dbus.String(value, variant_level=1))
839
840
# created - property
841
@dbus_service_property(_interface, signature=u"s", access=u"read")
842
def created_dbus_property(self):
843
return dbus.String(self._datetime_to_dbus(self.created))
844
845
# last_enabled - property
846
@dbus_service_property(_interface, signature=u"s", access=u"read")
847
def last_enabled_dbus_property(self):
848
if self.last_enabled is None:
849
return dbus.String(u"")
850
return dbus.String(self._datetime_to_dbus(self.last_enabled))
851
852
# enabled - property
853
@dbus_service_property(_interface, signature=u"b",
854
access=u"readwrite")
855
def enabled_dbus_property(self, value=None):
1532
self.host = str(value)
1533
1534
# Created - property
1535
@dbus_service_property(_interface, signature="s", access="read")
1536
def Created_dbus_property(self):
1537
return datetime_to_dbus(self.created)
1538
1539
# LastEnabled - property
1540
@dbus_service_property(_interface, signature="s", access="read")
1541
def LastEnabled_dbus_property(self):
1542
return datetime_to_dbus(self.last_enabled)
1543
1544
# Enabled - property
1545
@dbus_service_property(_interface,
1546
signature="b",
1547
access="readwrite")
1548
def Enabled_dbus_property(self, value=None):
856
1549
if value is None: # get
857
1550
return dbus.Boolean(self.enabled)
858
1551
if value:
860
1553
else:
861
1554
self.disable()
862
1555
863
# last_checked_ok - property
864
@dbus_service_property(_interface, signature=u"s",
865
access=u"readwrite")
866
def last_checked_ok_dbus_property(self, value=None):
1556
# LastCheckedOK - property
1557
@dbus_service_property(_interface,
1558
signature="s",
1559
access="readwrite")
1560
def LastCheckedOK_dbus_property(self, value=None):
867
1561
if value is not None:
868
1562
self.checked_ok()
869
1563
return
870
if self.last_checked_ok is None:
871
return dbus.String(u"")
872
return dbus.String(self._datetime_to_dbus(self
873
.last_checked_ok))
874
875
# timeout - property
876
@dbus_service_property(_interface, signature=u"t",
877
access=u"readwrite")
878
def timeout_dbus_property(self, value=None):
1564
return datetime_to_dbus(self.last_checked_ok)
1565
1566
# LastCheckerStatus - property
1567
@dbus_service_property(_interface, signature="n", access="read")
1568
def LastCheckerStatus_dbus_property(self):
1569
return dbus.Int16(self.last_checker_status)
1570
1571
# Expires - property
1572
@dbus_service_property(_interface, signature="s", access="read")
1573
def Expires_dbus_property(self):
1574
return datetime_to_dbus(self.expires)
1575
1576
# LastApprovalRequest - property
1577
@dbus_service_property(_interface, signature="s", access="read")
1578
def LastApprovalRequest_dbus_property(self):
1579
return datetime_to_dbus(self.last_approval_request)
1580
1581
# Timeout - property
1582
@dbus_service_property(_interface,
1583
signature="t",
1584
access="readwrite")
1585
def Timeout_dbus_property(self, value=None):
879
1586
if value is None: # get
880
return dbus.UInt64(self.timeout_milliseconds())
1587
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1588
old_timeout = self.timeout
881
1589
self.timeout = datetime.timedelta(0, 0, 0, value)
882
# Emit D-Bus signal
883
self.PropertyChanged(dbus.String(u"timeout"),
884
dbus.UInt64(value, variant_level=1))
885
if getattr(self, u"disable_initiator_tag", None) is None:
886
return
887
# Reschedule timeout
888
gobject.source_remove(self.disable_initiator_tag)
889
self.disable_initiator_tag = None
890
time_to_die = (self.
891
_timedelta_to_milliseconds((self
892
.last_checked_ok
893
+ self.timeout)
894
- datetime.datetime
895
.utcnow()))
896
if time_to_die <= 0:
897
# The timeout has passed
898
self.disable()
899
else:
900
self.disable_initiator_tag = (gobject.timeout_add
901
(time_to_die, self.disable))
902
903
# interval - property
904
@dbus_service_property(_interface, signature=u"t",
905
access=u"readwrite")
906
def interval_dbus_property(self, value=None):
907
if value is None: # get
908
return dbus.UInt64(self.interval_milliseconds())
1590
# Reschedule disabling
1591
if self.enabled:
1592
now = datetime.datetime.utcnow()
1593
self.expires += self.timeout - old_timeout
1594
if self.expires <= now:
1595
# The timeout has passed
1596
self.disable()
1597
else:
1598
if (getattr(self, "disable_initiator_tag", None)
1599
is None):
1600
return
1601
gobject.source_remove(self.disable_initiator_tag)
1602
self.disable_initiator_tag = gobject.timeout_add(
1603
int((self.expires - now).total_seconds() * 1000),
1604
self.disable)
1605
1606
# ExtendedTimeout - property
1607
@dbus_service_property(_interface,
1608
signature="t",
1609
access="readwrite")
1610
def ExtendedTimeout_dbus_property(self, value=None):
1611
if value is None: # get
1612
return dbus.UInt64(self.extended_timeout.total_seconds()
1613
* 1000)
1614
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1615
1616
# Interval - property
1617
@dbus_service_property(_interface,
1618
signature="t",
1619
access="readwrite")
1620
def Interval_dbus_property(self, value=None):
1621
if value is None: # get
1622
return dbus.UInt64(self.interval.total_seconds() * 1000)
909
1623
self.interval = datetime.timedelta(0, 0, 0, value)
910
# Emit D-Bus signal
911
self.PropertyChanged(dbus.String(u"interval"),
912
dbus.UInt64(value, variant_level=1))
913
if getattr(self, u"checker_initiator_tag", None) is None:
1624
if getattr(self, "checker_initiator_tag", None) is None:
914
1625
return
915
# Reschedule checker run
916
gobject.source_remove(self.checker_initiator_tag)
917
self.checker_initiator_tag = (gobject.timeout_add
918
(value, self.start_checker))
919
self.start_checker() # Start one now, too
920
921
# checker - property
922
@dbus_service_property(_interface, signature=u"s",
923
access=u"readwrite")
924
def checker_dbus_property(self, value=None):
1626
if self.enabled:
1627
# Reschedule checker run
1628
gobject.source_remove(self.checker_initiator_tag)
1629
self.checker_initiator_tag = gobject.timeout_add(
1630
value, self.start_checker)
1631
self.start_checker() # Start one now, too
1632
1633
# Checker - property
1634
@dbus_service_property(_interface,
1635
signature="s",
1636
access="readwrite")
1637
def Checker_dbus_property(self, value=None):
925
1638
if value is None: # get
926
1639
return dbus.String(self.checker_command)
927
self.checker_command = value
928
# Emit D-Bus signal
929
self.PropertyChanged(dbus.String(u"checker"),
930
dbus.String(self.checker_command,
931
variant_level=1))
1640
self.checker_command = str(value)
932
1641
933
# checker_running - property
934
@dbus_service_property(_interface, signature=u"b",
935
access=u"readwrite")
936
def checker_running_dbus_property(self, value=None):
1642
# CheckerRunning - property
1643
@dbus_service_property(_interface,
1644
signature="b",
1645
access="readwrite")
1646
def CheckerRunning_dbus_property(self, value=None):
937
1647
if value is None: # get
938
1648
return dbus.Boolean(self.checker is not None)
939
1649
if value:
941
1651
else:
942
1652
self.stop_checker()
943
1653
944
# object_path - property
945
@dbus_service_property(_interface, signature=u"o", access=u"read")
946
def object_path_dbus_property(self):
1654
# ObjectPath - property
1655
@dbus_service_property(_interface, signature="o", access="read")
1656
def ObjectPath_dbus_property(self):
947
1657
return self.dbus_object_path # is already a dbus.ObjectPath
948
1658
949
# secret = property
950
@dbus_service_property(_interface, signature=u"ay",
951
access=u"write", byte_arrays=True)
952
def secret_dbus_property(self, value):
953
self.secret = str(value)
1659
# Secret = property
1660
@dbus_service_property(_interface,
1661
signature="ay",
1662
access="write",
1663
byte_arrays=True)
1664
def Secret_dbus_property(self, value):
1665
self.secret = bytes(value)
954
1666
955
1667
del _interface
956
1668
957
1669
1670
class ProxyClient(object):
1671
def __init__(self, child_pipe, fpr, address):
1672
self._pipe = child_pipe
1673
self._pipe.send(('init', fpr, address))
1674
if not self._pipe.recv():
1675
raise KeyError(fpr)
1676
1677
def __getattribute__(self, name):
1678
if name == '_pipe':
1679
return super(ProxyClient, self).__getattribute__(name)
1680
self._pipe.send(('getattr', name))
1681
data = self._pipe.recv()
1682
if data[0] == 'data':
1683
return data[1]
1684
if data[0] == 'function':
1685
1686
def func(*args, **kwargs):
1687
self._pipe.send(('funcall', name, args, kwargs))
1688
return self._pipe.recv()[1]
1689
1690
return func
1691
1692
def __setattr__(self, name, value):
1693
if name == '_pipe':
1694
return super(ProxyClient, self).__setattr__(name, value)
1695
self._pipe.send(('setattr', name, value))
1696
1697
958
1698
class ClientHandler(socketserver.BaseRequestHandler, object):
959
1699
"""A class to handle client connections.
960
1700
962
1702
Note: This will run in its own forked process."""
963
1703
964
1704
def handle(self):
965
logger.info(u"TCP connection from: %s",
966
unicode(self.client_address))
967
logger.debug(u"IPC Pipe FD: %d", self.server.pipe[1])
968
# Open IPC pipe to parent process
969
with closing(os.fdopen(self.server.pipe[1], u"w", 1)) as ipc:
970
session = (gnutls.connection
971
.ClientSession(self.request,
972
gnutls.connection
973
.X509Credentials()))
1705
with contextlib.closing(self.server.child_pipe) as child_pipe:
1706
logger.info("TCP connection from: %s",
1707
str(self.client_address))
1708
logger.debug("Pipe FD: %d",
1709
self.server.child_pipe.fileno())
974
1710
975
line = self.request.makefile().readline()
976
logger.debug(u"Protocol version: %r", line)
977
try:
978
if int(line.strip().split()[0]) > 1:
979
raise RuntimeError
980
except (ValueError, IndexError, RuntimeError), error:
981
logger.error(u"Unknown protocol version: %s", error)
982
return
1711
session = gnutls.connection.ClientSession(
1712
self.request, gnutls.connection .X509Credentials())
983
1713
984
1714
# Note: gnutls.connection.X509Credentials is really a
985
1715
# generic GnuTLS certificate credentials object so long as
986
1716
# no X.509 keys are added to it. Therefore, we can use it
987
1717
# here despite using OpenPGP certificates.
988
1718
989
#priority = u':'.join((u"NONE", u"+VERS-TLS1.1",
990
# u"+AES-256-CBC", u"+SHA1",
991
# u"+COMP-NULL", u"+CTYPE-OPENPGP",
992
# u"+DHE-DSS"))
1719
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1720
# "+AES-256-CBC", "+SHA1",
1721
# "+COMP-NULL", "+CTYPE-OPENPGP",
1722
# "+DHE-DSS"))
993
1723
# Use a fallback default, since this MUST be set.
994
1724
priority = self.server.gnutls_priority
995
1725
if priority is None:
996
priority = u"NORMAL"
997
(gnutls.library.functions
998
.gnutls_priority_set_direct(session._c_object,
999
priority, None))
1000
1726
priority = "NORMAL"
1727
gnutls.library.functions.gnutls_priority_set_direct(
1728
session._c_object, priority, None)
1729
1730
# Start communication using the Mandos protocol
1731
# Get protocol number
1732
line = self.request.makefile().readline()
1733
logger.debug("Protocol version: %r", line)
1734
try:
1735
if int(line.strip().split()[0]) > 1:
1736
raise RuntimeError(line)
1737
except (ValueError, IndexError, RuntimeError) as error:
1738
logger.error("Unknown protocol version: %s", error)
1739
return
1740
1741
# Start GnuTLS connection
1001
1742
try:
1002
1743
session.handshake()
1003
except gnutls.errors.GNUTLSError, error:
1004
logger.warning(u"Handshake failed: %s", error)
1744
except gnutls.errors.GNUTLSError as error:
1745
logger.warning("Handshake failed: %s", error)
1005
1746
# Do not run session.bye() here: the session is not
1006
1747
# established. Just abandon the request.
1007
1748
return
1008
logger.debug(u"Handshake succeeded")
1749
logger.debug("Handshake succeeded")
1750
1751
approval_required = False
1009
1752
try:
1010
fpr = self.fingerprint(self.peer_certificate(session))
1011
except (TypeError, gnutls.errors.GNUTLSError), error:
1012
logger.warning(u"Bad certificate: %s", error)
1013
session.bye()
1014
return
1015
logger.debug(u"Fingerprint: %s", fpr)
1753
try:
1754
fpr = self.fingerprint(
1755
self.peer_certificate(session))
1756
except (TypeError,
1757
gnutls.errors.GNUTLSError) as error:
1758
logger.warning("Bad certificate: %s", error)
1759
return
1760
logger.debug("Fingerprint: %s", fpr)
1761
1762
try:
1763
client = ProxyClient(child_pipe, fpr,
1764
self.client_address)
1765
except KeyError:
1766
return
1767
1768
if client.approval_delay:
1769
delay = client.approval_delay
1770
client.approvals_pending += 1
1771
approval_required = True
1772
1773
while True:
1774
if not client.enabled:
1775
logger.info("Client %s is disabled",
1776
client.name)
1777
if self.server.use_dbus:
1778
# Emit D-Bus signal
1779
client.Rejected("Disabled")
1780
return
1781
1782
if client.approved or not client.approval_delay:
1783
#We are approved or approval is disabled
1784
break
1785
elif client.approved is None:
1786
logger.info("Client %s needs approval",
1787
client.name)
1788
if self.server.use_dbus:
1789
# Emit D-Bus signal
1790
client.NeedApproval(
1791
client.approval_delay.total_seconds()
1792
* 1000, client.approved_by_default)
1793
else:
1794
logger.warning("Client %s was not approved",
1795
client.name)
1796
if self.server.use_dbus:
1797
# Emit D-Bus signal
1798
client.Rejected("Denied")
1799
return
1800
1801
#wait until timeout or approved
1802
time = datetime.datetime.now()
1803
client.changedstate.acquire()
1804
client.changedstate.wait(delay.total_seconds())
1805
client.changedstate.release()
1806
time2 = datetime.datetime.now()
1807
if (time2 - time) >= delay:
1808
if not client.approved_by_default:
1809
logger.warning("Client %s timed out while"
1810
" waiting for approval",
1811
client.name)
1812
if self.server.use_dbus:
1813
# Emit D-Bus signal
1814
client.Rejected("Approval timed out")
1815
return
1816
else:
1817
break
1818
else:
1819
delay -= time2 - time
1820
1821
sent_size = 0
1822
while sent_size < len(client.secret):
1823
try:
1824
sent = session.send(client.secret[sent_size:])
1825
except gnutls.errors.GNUTLSError as error:
1826
logger.warning("gnutls send failed",
1827
exc_info=error)
1828
return
1829
logger.debug("Sent: %d, remaining: %d", sent,
1830
len(client.secret) - (sent_size
1831
+ sent))
1832
sent_size += sent
1833
1834
logger.info("Sending secret to %s", client.name)
1835
# bump the timeout using extended_timeout
1836
client.bump_timeout(client.extended_timeout)
1837
if self.server.use_dbus:
1838
# Emit D-Bus signal
1839
client.GotSecret()
1016
1840
1017
for c in self.server.clients:
1018
if c.fingerprint == fpr:
1019
client = c
1020
break
1021
else:
1022
ipc.write(u"NOTFOUND %s %s\n"
1023
% (fpr, unicode(self.client_address)))
1024
session.bye()
1025
return
1026
# Have to check if client.still_valid(), since it is
1027
# possible that the client timed out while establishing
1028
# the GnuTLS session.
1029
if not client.still_valid():
1030
ipc.write(u"INVALID %s\n" % client.name)
1031
session.bye()
1032
return
1033
ipc.write(u"SENDING %s\n" % client.name)
1034
sent_size = 0
1035
while sent_size < len(client.secret):
1036
sent = session.send(client.secret[sent_size:])
1037
logger.debug(u"Sent: %d, remaining: %d",
1038
sent, len(client.secret)
1039
- (sent_size + sent))
1040
sent_size += sent
1041
session.bye()
1841
finally:
1842
if approval_required:
1843
client.approvals_pending -= 1
1844
try:
1845
session.bye()
1846
except gnutls.errors.GNUTLSError as error:
1847
logger.warning("GnuTLS bye failed",
1848
exc_info=error)
1042
1849
1043
1850
@staticmethod
1044
1851
def peer_certificate(session):
1045
1852
"Return the peer's OpenPGP certificate as a bytestring"
1046
1853
# If not an OpenPGP certificate...
1047
if (gnutls.library.functions
1048
.gnutls_certificate_type_get(session._c_object)
1854
if (gnutls.library.functions.gnutls_certificate_type_get(
1855
session._c_object)
1049
1856
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1050
1857
# ...do the normal thing
1051
1858
return session.peer_certificate
1054
1861
.gnutls_certificate_get_peers
1055
1862
(session._c_object, ctypes.byref(list_size)))
1056
1863
if not bool(cert_list) and list_size.value != 0:
1057
raise gnutls.errors.GNUTLSError(u"error getting peer"
1058
u" certificate")
1864
raise gnutls.errors.GNUTLSError("error getting peer"
1865
" certificate")
1059
1866
if list_size.value == 0:
1060
1867
return None
1061
1868
cert = cert_list[0]
1065
1872
def fingerprint(openpgp):
1066
1873
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1067
1874
# New GnuTLS "datum" with the OpenPGP public key
1068
datum = (gnutls.library.types
1069
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1070
ctypes.POINTER
1071
(ctypes.c_ubyte)),
1072
ctypes.c_uint(len(openpgp))))
1875
datum = gnutls.library.types.gnutls_datum_t(
1876
ctypes.cast(ctypes.c_char_p(openpgp),
1877
ctypes.POINTER(ctypes.c_ubyte)),
1878
ctypes.c_uint(len(openpgp)))
1073
1879
# New empty GnuTLS certificate
1074
1880
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1075
(gnutls.library.functions
1076
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1881
gnutls.library.functions.gnutls_openpgp_crt_init(
1882
ctypes.byref(crt))
1077
1883
# Import the OpenPGP public key into the certificate
1078
(gnutls.library.functions
1079
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1080
gnutls.library.constants
1081
.GNUTLS_OPENPGP_FMT_RAW))
1884
gnutls.library.functions.gnutls_openpgp_crt_import(
1885
crt, ctypes.byref(datum),
1886
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
1082
1887
# Verify the self signature in the key
1083
1888
crtverify = ctypes.c_uint()
1084
(gnutls.library.functions
1085
.gnutls_openpgp_crt_verify_self(crt, 0,
1086
ctypes.byref(crtverify)))
1889
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1890
crt, 0, ctypes.byref(crtverify))
1087
1891
if crtverify.value != 0:
1088
1892
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1089
raise (gnutls.errors.CertificateSecurityError
1090
(u"Verify failed"))
1893
raise gnutls.errors.CertificateSecurityError(
1894
"Verify failed")
1091
1895
# New buffer for the fingerprint
1092
1896
buf = ctypes.create_string_buffer(20)
1093
1897
buf_len = ctypes.c_size_t()
1094
1898
# Get the fingerprint from the certificate into the buffer
1095
(gnutls.library.functions
1096
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1097
ctypes.byref(buf_len)))
1899
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1900
crt, ctypes.byref(buf), ctypes.byref(buf_len))
1098
1901
# Deinit the certificate
1099
1902
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1100
1903
# Convert the buffer to a Python bytestring
1101
1904
fpr = ctypes.string_at(buf, buf_len.value)
1102
1905
# Convert the bytestring to hexadecimal notation
1103
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
1906
hex_fpr = binascii.hexlify(fpr).upper()
1104
1907
return hex_fpr
1105
1908
1106
1909
1107
class ForkingMixInWithPipe(socketserver.ForkingMixIn, object):
1108
"""Like socketserver.ForkingMixIn, but also pass a pipe."""
1910
class MultiprocessingMixIn(object):
1911
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1912
1913
def sub_process_main(self, request, address):
1914
try:
1915
self.finish_request(request, address)
1916
except Exception:
1917
self.handle_error(request, address)
1918
self.close_request(request)
1919
1920
def process_request(self, request, address):
1921
"""Start a new process to process the request."""
1922
proc = multiprocessing.Process(target = self.sub_process_main,
1923
args = (request, address))
1924
proc.start()
1925
return proc
1926
1927
1928
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1929
""" adds a pipe to the MixIn """
1930
1109
1931
def process_request(self, request, client_address):
1110
1932
"""Overrides and wraps the original process_request().
1111
1933
1112
1934
This function creates a new pipe in self.pipe
1113
1935
"""
1114
self.pipe = os.pipe()
1115
super(ForkingMixInWithPipe,
1116
self).process_request(request, client_address)
1117
os.close(self.pipe[1]) # close write end
1118
self.add_pipe(self.pipe[0])
1119
def add_pipe(self, pipe):
1936
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1937
1938
proc = MultiprocessingMixIn.process_request(self, request,
1939
client_address)
1940
self.child_pipe.close()
1941
self.add_pipe(parent_pipe, proc)
1942
1943
def add_pipe(self, parent_pipe, proc):
1120
1944
"""Dummy function; override as necessary"""
1121
os.close(pipe)
1122
1123
1124
class IPv6_TCPServer(ForkingMixInWithPipe,
1945
raise NotImplementedError()
1946
1947
1948
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1125
1949
socketserver.TCPServer, object):
1126
1950
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1127
1951
1130
1954
interface: None or a network interface name (string)
1131
1955
use_ipv6: Boolean; to use IPv6 or not
1132
1956
"""
1957
1133
1958
def __init__(self, server_address, RequestHandlerClass,
1134
interface=None, use_ipv6=True):
1959
interface=None,
1960
use_ipv6=True,
1961
socketfd=None):
1962
"""If socketfd is set, use that file descriptor instead of
1963
creating a new one with socket.socket().
1964
"""
1135
1965
self.interface = interface
1136
1966
if use_ipv6:
1137
1967
self.address_family = socket.AF_INET6
1968
if socketfd is not None:
1969
# Save the file descriptor
1970
self.socketfd = socketfd
1971
# Save the original socket.socket() function
1972
self.socket_socket = socket.socket
1973
# To implement --socket, we monkey patch socket.socket.
1974
#
1975
# (When socketserver.TCPServer is a new-style class, we
1976
# could make self.socket into a property instead of monkey
1977
# patching socket.socket.)
1978
#
1979
# Create a one-time-only replacement for socket.socket()
1980
@functools.wraps(socket.socket)
1981
def socket_wrapper(*args, **kwargs):
1982
# Restore original function so subsequent calls are
1983
# not affected.
1984
socket.socket = self.socket_socket
1985
del self.socket_socket
1986
# This time only, return a new socket object from the
1987
# saved file descriptor.
1988
return socket.fromfd(self.socketfd, *args, **kwargs)
1989
# Replace socket.socket() function with wrapper
1990
socket.socket = socket_wrapper
1991
# The socketserver.TCPServer.__init__ will call
1992
# socket.socket(), which might be our replacement,
1993
# socket_wrapper(), if socketfd was set.
1138
1994
socketserver.TCPServer.__init__(self, server_address,
1139
1995
RequestHandlerClass)
1996
1140
1997
def server_bind(self):
1141
1998
"""This overrides the normal server_bind() function
1142
1999
to bind to an interface if one was specified, and also NOT to
1143
2000
bind to an address or port if they were not specified."""
1144
2001
if self.interface is not None:
1145
2002
if SO_BINDTODEVICE is None:
1146
logger.error(u"SO_BINDTODEVICE does not exist;"
1147
u" cannot bind to interface %s",
2003
logger.error("SO_BINDTODEVICE does not exist;"
2004
" cannot bind to interface %s",
1148
2005
self.interface)
1149
2006
else:
1150
2007
try:
1151
self.socket.setsockopt(socket.SOL_SOCKET,
1152
SO_BINDTODEVICE,
1153
str(self.interface
1154
+ u'\0'))
1155
except socket.error, error:
1156
if error[0] == errno.EPERM:
1157
logger.error(u"No permission to"
1158
u" bind to interface %s",
1159
self.interface)
1160
elif error[0] == errno.ENOPROTOOPT:
1161
logger.error(u"SO_BINDTODEVICE not available;"
1162
u" cannot bind to interface %s",
1163
self.interface)
2008
self.socket.setsockopt(
2009
socket.SOL_SOCKET, SO_BINDTODEVICE,
2010
(self.interface + "\0").encode("utf-8"))
2011
except socket.error as error:
2012
if error.errno == errno.EPERM:
2013
logger.error("No permission to bind to"
2014
" interface %s", self.interface)
2015
elif error.errno == errno.ENOPROTOOPT:
2016
logger.error("SO_BINDTODEVICE not available;"
2017
" cannot bind to interface %s",
2018
self.interface)
2019
elif error.errno == errno.ENODEV:
2020
logger.error("Interface %s does not exist,"
2021
" cannot bind", self.interface)
1164
2022
else:
1165
2023
raise
1166
2024
# Only bind(2) the socket if we really need to.
1167
2025
if self.server_address[0] or self.server_address[1]:
1168
2026
if not self.server_address[0]:
1169
2027
if self.address_family == socket.AF_INET6:
1170
any_address = u"::" # in6addr_any
2028
any_address = "::" # in6addr_any
1171
2029
else:
1172
any_address = socket.INADDR_ANY
2030
any_address = "0.0.0.0" # INADDR_ANY
1173
2031
self.server_address = (any_address,
1174
2032
self.server_address[1])
1175
2033
elif not self.server_address[1]:
1176
self.server_address = (self.server_address[0],
1177
0)
2034
self.server_address = (self.server_address[0], 0)
1178
2035
# if self.interface:
1179
2036
# self.server_address = (self.server_address[0],
1180
2037
# 0, # port
1194
2051
1195
2052
Assumes a gobject.MainLoop event loop.
1196
2053
"""
2054
1197
2055
def __init__(self, server_address, RequestHandlerClass,
1198
interface=None, use_ipv6=True, clients=None,
1199
gnutls_priority=None, use_dbus=True):
2056
interface=None,
2057
use_ipv6=True,
2058
clients=None,
2059
gnutls_priority=None,
2060
use_dbus=True,
2061
socketfd=None):
1200
2062
self.enabled = False
1201
2063
self.clients = clients
1202
2064
if self.clients is None:
1203
self.clients = set()
2065
self.clients = {}
1204
2066
self.use_dbus = use_dbus
1205
2067
self.gnutls_priority = gnutls_priority
1206
2068
IPv6_TCPServer.__init__(self, server_address,
1207
2069
RequestHandlerClass,
1208
2070
interface = interface,
1209
use_ipv6 = use_ipv6)
2071
use_ipv6 = use_ipv6,
2072
socketfd = socketfd)
2073
1210
2074
def server_activate(self):
1211
2075
if self.enabled:
1212
2076
return socketserver.TCPServer.server_activate(self)
2077
1213
2078
def enable(self):
1214
2079
self.enabled = True
1215
def add_pipe(self, pipe):
2080
2081
def add_pipe(self, parent_pipe, proc):
1216
2082
# Call "handle_ipc" for both data and EOF events
1217
gobject.io_add_watch(pipe, gobject.IO_IN | gobject.IO_HUP,
1218
self.handle_ipc)
1219
def handle_ipc(self, source, condition, file_objects={}):
1220
condition_names = {
1221
gobject.IO_IN: u"IN", # There is data to read.
1222
gobject.IO_OUT: u"OUT", # Data can be written (without
1223
# blocking).
1224
gobject.IO_PRI: u"PRI", # There is urgent data to read.
1225
gobject.IO_ERR: u"ERR", # Error condition.
1226
gobject.IO_HUP: u"HUP" # Hung up (the connection has been
1227
# broken, usually for pipes and
1228
# sockets).
1229
}
1230
conditions_string = ' | '.join(name
1231
for cond, name in
1232
condition_names.iteritems()
1233
if cond & condition)
1234
logger.debug(u"Handling IPC: FD = %d, condition = %s", source,
1235
conditions_string)
1236
1237
# Turn the pipe file descriptor into a Python file object
1238
if source not in file_objects:
1239
file_objects[source] = os.fdopen(source, u"r", 1)
1240
1241
# Read a line from the file object
1242
cmdline = file_objects[source].readline()
1243
if not cmdline: # Empty line means end of file
1244
# close the IPC pipe
1245
file_objects[source].close()
1246
del file_objects[source]
1247
1248
# Stop calling this function
1249
return False
1250
1251
logger.debug(u"IPC command: %r", cmdline)
1252
1253
# Parse and act on command
1254
cmd, args = cmdline.rstrip(u"\r\n").split(None, 1)
1255
1256
if cmd == u"NOTFOUND":
1257
logger.warning(u"Client not found for fingerprint: %s",
1258
args)
1259
if self.use_dbus:
1260
# Emit D-Bus signal
1261
mandos_dbus_service.ClientNotFound(args)
1262
elif cmd == u"INVALID":
1263
for client in self.clients:
1264
if client.name == args:
1265
logger.warning(u"Client %s is invalid", args)
1266
if self.use_dbus:
1267
# Emit D-Bus signal
1268
client.Rejected()
1269
break
1270
else:
1271
logger.error(u"Unknown client %s is invalid", args)
1272
elif cmd == u"SENDING":
1273
for client in self.clients:
1274
if client.name == args:
1275
logger.info(u"Sending secret to %s", client.name)
1276
client.checked_ok()
1277
if self.use_dbus:
1278
# Emit D-Bus signal
1279
client.ReceivedSecret()
1280
break
1281
else:
1282
logger.error(u"Sending secret to unknown client %s",
1283
args)
2083
gobject.io_add_watch(
2084
parent_pipe.fileno(),
2085
gobject.IO_IN | gobject.IO_HUP,
2086
functools.partial(self.handle_ipc,
2087
parent_pipe = parent_pipe,
2088
proc = proc))
2089
2090
def handle_ipc(self, source, condition,
2091
parent_pipe=None,
2092
proc = None,
2093
client_object=None):
2094
# error, or the other end of multiprocessing.Pipe has closed
2095
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2096
# Wait for other process to exit
2097
proc.join()
2098
return False
2099
2100
# Read a request from the child
2101
request = parent_pipe.recv()
2102
command = request[0]
2103
2104
if command == 'init':
2105
fpr = request[1]
2106
address = request[2]
2107
2108
for c in self.clients.itervalues():
2109
if c.fingerprint == fpr:
2110
client = c
2111
break
2112
else:
2113
logger.info("Client not found for fingerprint: %s, ad"
2114
"dress: %s", fpr, address)
2115
if self.use_dbus:
2116
# Emit D-Bus signal
2117
mandos_dbus_service.ClientNotFound(fpr,
2118
address[0])
2119
parent_pipe.send(False)
2120
return False
2121
2122
gobject.io_add_watch(
2123
parent_pipe.fileno(),
2124
gobject.IO_IN | gobject.IO_HUP,
2125
functools.partial(self.handle_ipc,
2126
parent_pipe = parent_pipe,
2127
proc = proc,
2128
client_object = client))
2129
parent_pipe.send(True)
2130
# remove the old hook in favor of the new above hook on
2131
# same fileno
2132
return False
2133
if command == 'funcall':
2134
funcname = request[1]
2135
args = request[2]
2136
kwargs = request[3]
2137
2138
parent_pipe.send(('data', getattr(client_object,
2139
funcname)(*args,
2140
**kwargs)))
2141
2142
if command == 'getattr':
2143
attrname = request[1]
2144
if callable(client_object.__getattribute__(attrname)):
2145
parent_pipe.send(('function', ))
2146
else:
2147
parent_pipe.send((
2148
'data', client_object.__getattribute__(attrname)))
2149
2150
if command == 'setattr':
2151
attrname = request[1]
2152
value = request[2]
2153
setattr(client_object, attrname, value)
2154
2155
return True
2156
2157
2158
def rfc3339_duration_to_delta(duration):
2159
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2160
2161
>>> rfc3339_duration_to_delta("P7D")
2162
datetime.timedelta(7)
2163
>>> rfc3339_duration_to_delta("PT60S")
2164
datetime.timedelta(0, 60)
2165
>>> rfc3339_duration_to_delta("PT60M")
2166
datetime.timedelta(0, 3600)
2167
>>> rfc3339_duration_to_delta("PT24H")
2168
datetime.timedelta(1)
2169
>>> rfc3339_duration_to_delta("P1W")
2170
datetime.timedelta(7)
2171
>>> rfc3339_duration_to_delta("PT5M30S")
2172
datetime.timedelta(0, 330)
2173
>>> rfc3339_duration_to_delta("P1DT3M20S")
2174
datetime.timedelta(1, 200)
2175
"""
2176
2177
# Parsing an RFC 3339 duration with regular expressions is not
2178
# possible - there would have to be multiple places for the same
2179
# values, like seconds. The current code, while more esoteric, is
2180
# cleaner without depending on a parsing library. If Python had a
2181
# built-in library for parsing we would use it, but we'd like to
2182
# avoid excessive use of external libraries.
2183
2184
# New type for defining tokens, syntax, and semantics all-in-one
2185
Token = collections.namedtuple("Token",
2186
("regexp", # To match token; if
2187
# "value" is not None,
2188
# must have a "group"
2189
# containing digits
2190
"value", # datetime.timedelta or
2191
# None
2192
"followers")) # Tokens valid after
2193
# this token
2194
Token = collections.namedtuple("Token", (
2195
"regexp", # To match token; if "value" is not None, must have
2196
# a "group" containing digits
2197
"value", # datetime.timedelta or None
2198
"followers")) # Tokens valid after this token
2199
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2200
# the "duration" ABNF definition in RFC 3339, Appendix A.
2201
token_end = Token(re.compile(r"$"), None, frozenset())
2202
token_second = Token(re.compile(r"(\d+)S"),
2203
datetime.timedelta(seconds=1),
2204
frozenset((token_end, )))
2205
token_minute = Token(re.compile(r"(\d+)M"),
2206
datetime.timedelta(minutes=1),
2207
frozenset((token_second, token_end)))
2208
token_hour = Token(re.compile(r"(\d+)H"),
2209
datetime.timedelta(hours=1),
2210
frozenset((token_minute, token_end)))
2211
token_time = Token(re.compile(r"T"),
2212
None,
2213
frozenset((token_hour, token_minute,
2214
token_second)))
2215
token_day = Token(re.compile(r"(\d+)D"),
2216
datetime.timedelta(days=1),
2217
frozenset((token_time, token_end)))
2218
token_month = Token(re.compile(r"(\d+)M"),
2219
datetime.timedelta(weeks=4),
2220
frozenset((token_day, token_end)))
2221
token_year = Token(re.compile(r"(\d+)Y"),
2222
datetime.timedelta(weeks=52),
2223
frozenset((token_month, token_end)))
2224
token_week = Token(re.compile(r"(\d+)W"),
2225
datetime.timedelta(weeks=1),
2226
frozenset((token_end, )))
2227
token_duration = Token(re.compile(r"P"), None,
2228
frozenset((token_year, token_month,
2229
token_day, token_time,
2230
token_week)))
2231
# Define starting values
2232
value = datetime.timedelta() # Value so far
2233
found_token = None
2234
followers = frozenset((token_duration,)) # Following valid tokens
2235
s = duration # String left to parse
2236
# Loop until end token is found
2237
while found_token is not token_end:
2238
# Search for any currently valid tokens
2239
for token in followers:
2240
match = token.regexp.match(s)
2241
if match is not None:
2242
# Token found
2243
if token.value is not None:
2244
# Value found, parse digits
2245
factor = int(match.group(1), 10)
2246
# Add to value so far
2247
value += factor * token.value
2248
# Strip token from string
2249
s = token.regexp.sub("", s, 1)
2250
# Go to found token
2251
found_token = token
2252
# Set valid next tokens
2253
followers = found_token.followers
2254
break
1284
2255
else:
1285
logger.error(u"Unknown IPC command: %r", cmdline)
1286
1287
# Keep calling this function
1288
return True
2256
# No currently valid tokens were found
2257
raise ValueError("Invalid RFC 3339 duration: {!r}"
2258
.format(duration))
2259
# End token found
2260
return value
1289
2261
1290
2262
1291
2263
def string_to_delta(interval):
1292
2264
"""Parse a string and return a datetime.timedelta
1293
2265
1294
>>> string_to_delta(u'7d')
2266
>>> string_to_delta('7d')
1295
2267
datetime.timedelta(7)
1296
>>> string_to_delta(u'60s')
2268
>>> string_to_delta('60s')
1297
2269
datetime.timedelta(0, 60)
1298
>>> string_to_delta(u'60m')
2270
>>> string_to_delta('60m')
1299
2271
datetime.timedelta(0, 3600)
1300
>>> string_to_delta(u'24h')
2272
>>> string_to_delta('24h')
1301
2273
datetime.timedelta(1)
1302
>>> string_to_delta(u'1w')
2274
>>> string_to_delta('1w')
1303
2275
datetime.timedelta(7)
1304
>>> string_to_delta(u'5m 30s')
2276
>>> string_to_delta('5m 30s')
1305
2277
datetime.timedelta(0, 330)
1306
2278
"""
2279
2280
try:
2281
return rfc3339_duration_to_delta(interval)
2282
except ValueError:
2283
pass
2284
1307
2285
timevalue = datetime.timedelta(0)
1308
2286
for s in interval.split():
1309
2287
try:
1310
suffix = unicode(s[-1])
2288
suffix = s[-1]
1311
2289
value = int(s[:-1])
1312
if suffix == u"d":
2290
if suffix == "d":
1313
2291
delta = datetime.timedelta(value)
1314
elif suffix == u"s":
2292
elif suffix == "s":
1315
2293
delta = datetime.timedelta(0, value)
1316
elif suffix == u"m":
2294
elif suffix == "m":
1317
2295
delta = datetime.timedelta(0, 0, 0, 0, value)
1318
elif suffix == u"h":
2296
elif suffix == "h":
1319
2297
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
1320
elif suffix == u"w":
2298
elif suffix == "w":
1321
2299
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1322
2300
else:
1323
raise ValueError
1324
except (ValueError, IndexError):
1325
raise ValueError
2301
raise ValueError("Unknown suffix {!r}".format(suffix))
2302
except IndexError as e:
2303
raise ValueError(*(e.args))
1326
2304
timevalue += delta
1327
2305
return timevalue
1328
2306
1329
2307
1330
def if_nametoindex(interface):
1331
"""Call the C function if_nametoindex(), or equivalent
1332
1333
Note: This function cannot accept a unicode string."""
1334
global if_nametoindex
1335
try:
1336
if_nametoindex = (ctypes.cdll.LoadLibrary
1337
(ctypes.util.find_library(u"c"))
1338
.if_nametoindex)
1339
except (OSError, AttributeError):
1340
logger.warning(u"Doing if_nametoindex the hard way")
1341
def if_nametoindex(interface):
1342
"Get an interface index the hard way, i.e. using fcntl()"
1343
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1344
with closing(socket.socket()) as s:
1345
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1346
struct.pack(str(u"16s16x"),
1347
interface))
1348
interface_index = struct.unpack(str(u"I"),
1349
ifreq[16:20])[0]
1350
return interface_index
1351
return if_nametoindex(interface)
1352
1353
1354
2308
def daemon(nochdir = False, noclose = False):
1355
2309
"""See daemon(3). Standard BSD Unix function.
1356
2310
1359
2313
sys.exit()
1360
2314
os.setsid()
1361
2315
if not nochdir:
1362
os.chdir(u"/")
2316
os.chdir("/")
1363
2317
if os.fork():
1364
2318
sys.exit()
1365
2319
if not noclose:
1366
2320
# Close all standard open file descriptors
1367
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2321
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1368
2322
if not stat.S_ISCHR(os.fstat(null).st_mode):
1369
2323
raise OSError(errno.ENODEV,
1370
u"/dev/null not a character device")
2324
"{} not a character device"
2325
.format(os.devnull))
1371
2326
os.dup2(null, sys.stdin.fileno())
1372
2327
os.dup2(null, sys.stdout.fileno())
1373
2328
os.dup2(null, sys.stderr.fileno())
1380
2335
##################################################################
1381
2336
# Parsing of options, both command line and config file
1382
2337
1383
parser = optparse.OptionParser(version = "%%prog %s" % version)
1384
parser.add_option("-i", u"--interface", type=u"string",
1385
metavar="IF", help=u"Bind to interface IF")
1386
parser.add_option("-a", u"--address", type=u"string",
1387
help=u"Address to listen for requests on")
1388
parser.add_option("-p", u"--port", type=u"int",
1389
help=u"Port number to receive requests on")
1390
parser.add_option("--check", action=u"store_true",
1391
help=u"Run self-test")
1392
parser.add_option("--debug", action=u"store_true",
1393
help=u"Debug mode; run in foreground and log to"
1394
u" terminal")
1395
parser.add_option("--priority", type=u"string", help=u"GnuTLS"
1396
u" priority string (see GnuTLS documentation)")
1397
parser.add_option("--servicename", type=u"string",
1398
metavar=u"NAME", help=u"Zeroconf service name")
1399
parser.add_option("--configdir", type=u"string",
1400
default=u"/etc/mandos", metavar=u"DIR",
1401
help=u"Directory to search for configuration"
1402
u" files")
1403
parser.add_option("--no-dbus", action=u"store_false",
1404
dest=u"use_dbus", help=u"Do not provide D-Bus"
1405
u" system bus interface")
1406
parser.add_option("--no-ipv6", action=u"store_false",
1407
dest=u"use_ipv6", help=u"Do not use IPv6")
1408
options = parser.parse_args()[0]
2338
parser = argparse.ArgumentParser()
2339
parser.add_argument("-v", "--version", action="version",
2340
version = "%(prog)s {}".format(version),
2341
help="show version number and exit")
2342
parser.add_argument("-i", "--interface", metavar="IF",
2343
help="Bind to interface IF")
2344
parser.add_argument("-a", "--address",
2345
help="Address to listen for requests on")
2346
parser.add_argument("-p", "--port", type=int,
2347
help="Port number to receive requests on")
2348
parser.add_argument("--check", action="store_true",
2349
help="Run self-test")
2350
parser.add_argument("--debug", action="store_true",
2351
help="Debug mode; run in foreground and log"
2352
" to terminal", default=None)
2353
parser.add_argument("--debuglevel", metavar="LEVEL",
2354
help="Debug level for stdout output")
2355
parser.add_argument("--priority", help="GnuTLS"
2356
" priority string (see GnuTLS documentation)")
2357
parser.add_argument("--servicename",
2358
metavar="NAME", help="Zeroconf service name")
2359
parser.add_argument("--configdir",
2360
default="/etc/mandos", metavar="DIR",
2361
help="Directory to search for configuration"
2362
" files")
2363
parser.add_argument("--no-dbus", action="store_false",
2364
dest="use_dbus", help="Do not provide D-Bus"
2365
" system bus interface", default=None)
2366
parser.add_argument("--no-ipv6", action="store_false",
2367
dest="use_ipv6", help="Do not use IPv6",
2368
default=None)
2369
parser.add_argument("--no-restore", action="store_false",
2370
dest="restore", help="Do not restore stored"
2371
" state", default=None)
2372
parser.add_argument("--socket", type=int,
2373
help="Specify a file descriptor to a network"
2374
" socket to use instead of creating one")
2375
parser.add_argument("--statedir", metavar="DIR",
2376
help="Directory to save/restore state in")
2377
parser.add_argument("--foreground", action="store_true",
2378
help="Run in foreground", default=None)
2379
parser.add_argument("--no-zeroconf", action="store_false",
2380
dest="zeroconf", help="Do not use Zeroconf",
2381
default=None)
2382
2383
options = parser.parse_args()
1409
2384
1410
2385
if options.check:
1411
2386
import doctest
1412
doctest.testmod()
1413
sys.exit()
2387
fail_count, test_count = doctest.testmod()
2388
sys.exit(os.EX_OK if fail_count == 0 else 1)
1414
2389
1415
2390
# Default values for config file for server-global settings
1416
server_defaults = { u"interface": u"",
1417
u"address": u"",
1418
u"port": u"",
1419
u"debug": u"False",
1420
u"priority":
1421
u"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
1422
u"servicename": u"Mandos",
1423
u"use_dbus": u"True",
1424
u"use_ipv6": u"True",
1425
}
2391
server_defaults = { "interface": "",
2392
"address": "",
2393
"port": "",
2394
"debug": "False",
2395
"priority":
2396
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2397
":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2398
"servicename": "Mandos",
2399
"use_dbus": "True",
2400
"use_ipv6": "True",
2401
"debuglevel": "",
2402
"restore": "True",
2403
"socket": "",
2404
"statedir": "/var/lib/mandos",
2405
"foreground": "False",
2406
"zeroconf": "True",
2407
}
1426
2408
1427
2409
# Parse config file for server-global settings
1428
2410
server_config = configparser.SafeConfigParser(server_defaults)
1429
2411
del server_defaults
1430
server_config.read(os.path.join(options.configdir,
1431
u"mandos.conf"))
2412
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1432
2413
# Convert the SafeConfigParser object to a dict
1433
2414
server_settings = server_config.defaults()
1434
2415
# Use the appropriate methods on the non-string config options
1435
for option in (u"debug", u"use_dbus", u"use_ipv6"):
1436
server_settings[option] = server_config.getboolean(u"DEFAULT",
2416
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2417
server_settings[option] = server_config.getboolean("DEFAULT",
1437
2418
option)
1438
2419
if server_settings["port"]:
1439
server_settings["port"] = server_config.getint(u"DEFAULT",
1440
u"port")
2420
server_settings["port"] = server_config.getint("DEFAULT",
2421
"port")
2422
if server_settings["socket"]:
2423
server_settings["socket"] = server_config.getint("DEFAULT",
2424
"socket")
2425
# Later, stdin will, and stdout and stderr might, be dup'ed
2426
# over with an opened os.devnull. But we don't want this to
2427
# happen with a supplied network socket.
2428
if 0 <= server_settings["socket"] <= 2:
2429
server_settings["socket"] = os.dup(server_settings
2430
["socket"])
1441
2431
del server_config
1442
2432
1443
2433
# Override the settings from the config file with command line
1444
2434
# options, if set.
1445
for option in (u"interface", u"address", u"port", u"debug",
1446
u"priority", u"servicename", u"configdir",
1447
u"use_dbus", u"use_ipv6"):
2435
for option in ("interface", "address", "port", "debug",
2436
"priority", "servicename", "configdir", "use_dbus",
2437
"use_ipv6", "debuglevel", "restore", "statedir",
2438
"socket", "foreground", "zeroconf"):
1448
2439
value = getattr(options, option)
1449
2440
if value is not None:
1450
2441
server_settings[option] = value
1451
2442
del options
1452
2443
# Force all strings to be unicode
1453
2444
for option in server_settings.keys():
1454
if type(server_settings[option]) is str:
1455
server_settings[option] = unicode(server_settings[option])
2445
if isinstance(server_settings[option], bytes):
2446
server_settings[option] = (server_settings[option]
2447
.decode("utf-8"))
2448
# Force all boolean options to be boolean
2449
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2450
"foreground", "zeroconf"):
2451
server_settings[option] = bool(server_settings[option])
2452
# Debug implies foreground
2453
if server_settings["debug"]:
2454
server_settings["foreground"] = True
1456
2455
# Now we have our good server settings in "server_settings"
1457
2456
1458
2457
##################################################################
1459
2458
2459
if (not server_settings["zeroconf"]
2460
and not (server_settings["port"]
2461
or server_settings["socket"] != "")):
2462
parser.error("Needs port or socket to work without Zeroconf")
2463
1460
2464
# For convenience
1461
debug = server_settings[u"debug"]
1462
use_dbus = server_settings[u"use_dbus"]
1463
use_ipv6 = server_settings[u"use_ipv6"]
1464
1465
if not debug:
1466
syslogger.setLevel(logging.WARNING)
1467
console.setLevel(logging.WARNING)
1468
1469
if server_settings[u"servicename"] != u"Mandos":
1470
syslogger.setFormatter(logging.Formatter
1471
(u'Mandos (%s) [%%(process)d]:'
1472
u' %%(levelname)s: %%(message)s'
1473
% server_settings[u"servicename"]))
2465
debug = server_settings["debug"]
2466
debuglevel = server_settings["debuglevel"]
2467
use_dbus = server_settings["use_dbus"]
2468
use_ipv6 = server_settings["use_ipv6"]
2469
stored_state_path = os.path.join(server_settings["statedir"],
2470
stored_state_file)
2471
foreground = server_settings["foreground"]
2472
zeroconf = server_settings["zeroconf"]
2473
2474
if debug:
2475
initlogger(debug, logging.DEBUG)
2476
else:
2477
if not debuglevel:
2478
initlogger(debug)
2479
else:
2480
level = getattr(logging, debuglevel.upper())
2481
initlogger(debug, level)
2482
2483
if server_settings["servicename"] != "Mandos":
2484
syslogger.setFormatter(
2485
logging.Formatter('Mandos ({}) [%(process)d]:'
2486
' %(levelname)s: %(message)s'.format(
2487
server_settings["servicename"])))
1474
2488
1475
2489
# Parse config file with clients
1476
client_defaults = { u"timeout": u"1h",
1477
u"interval": u"5m",
1478
u"checker": u"fping -q -- %%(host)s",
1479
u"host": u"",
1480
}
1481
client_config = configparser.SafeConfigParser(client_defaults)
1482
client_config.read(os.path.join(server_settings[u"configdir"],
1483
u"clients.conf"))
2490
client_config = configparser.SafeConfigParser(Client
2491
.client_defaults)
2492
client_config.read(os.path.join(server_settings["configdir"],
2493
"clients.conf"))
1484
2494
1485
2495
global mandos_dbus_service
1486
2496
mandos_dbus_service = None
1487
2497
1488
tcp_server = MandosServer((server_settings[u"address"],
1489
server_settings[u"port"]),
1490
ClientHandler,
1491
interface=server_settings[u"interface"],
1492
use_ipv6=use_ipv6,
1493
gnutls_priority=
1494
server_settings[u"priority"],
1495
use_dbus=use_dbus)
1496
pidfilename = u"/var/run/mandos.pid"
1497
try:
1498
pidfile = open(pidfilename, u"w")
1499
except IOError:
1500
logger.error(u"Could not open file %r", pidfilename)
2498
socketfd = None
2499
if server_settings["socket"] != "":
2500
socketfd = server_settings["socket"]
2501
tcp_server = MandosServer(
2502
(server_settings["address"], server_settings["port"]),
2503
ClientHandler,
2504
interface=(server_settings["interface"] or None),
2505
use_ipv6=use_ipv6,
2506
gnutls_priority=server_settings["priority"],
2507
use_dbus=use_dbus,
2508
socketfd=socketfd)
2509
if not foreground:
2510
pidfilename = "/run/mandos.pid"
2511
if not os.path.isdir("/run/."):
2512
pidfilename = "/var/run/mandos.pid"
2513
pidfile = None
2514
try:
2515
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2516
except IOError as e:
2517
logger.error("Could not open file %r", pidfilename,
2518
exc_info=e)
1501
2519
1502
try:
1503
uid = pwd.getpwnam(u"_mandos").pw_uid
1504
gid = pwd.getpwnam(u"_mandos").pw_gid
1505
except KeyError:
2520
for name in ("_mandos", "mandos", "nobody"):
1506
2521
try:
1507
uid = pwd.getpwnam(u"mandos").pw_uid
1508
gid = pwd.getpwnam(u"mandos").pw_gid
2522
uid = pwd.getpwnam(name).pw_uid
2523
gid = pwd.getpwnam(name).pw_gid
2524
break
1509
2525
except KeyError:
1510
try:
1511
uid = pwd.getpwnam(u"nobody").pw_uid
1512
gid = pwd.getpwnam(u"nobody").pw_gid
1513
except KeyError:
1514
uid = 65534
1515
gid = 65534
2526
continue
2527
else:
2528
uid = 65534
2529
gid = 65534
1516
2530
try:
1517
2531
os.setgid(gid)
1518
2532
os.setuid(uid)
1519
except OSError, error:
1520
if error[0] != errno.EPERM:
1521
raise error
2533
except OSError as error:
2534
if error.errno != errno.EPERM:
2535
raise
1522
2536
1523
# Enable all possible GnuTLS debugging
1524
2537
if debug:
2538
# Enable all possible GnuTLS debugging
2539
1525
2540
# "Use a log level over 10 to enable all debugging options."
1526
2541
# - GnuTLS manual
1527
2542
gnutls.library.functions.gnutls_global_set_log_level(11)
1528
2543
1529
2544
@gnutls.library.types.gnutls_log_func
1530
2545
def debug_gnutls(level, string):
1531
logger.debug(u"GnuTLS: %s", string[:-1])
1532
1533
(gnutls.library.functions
1534
.gnutls_global_set_log_function(debug_gnutls))
2546
logger.debug("GnuTLS: %s", string[:-1])
2547
2548
gnutls.library.functions.gnutls_global_set_log_function(
2549
debug_gnutls)
2550
2551
# Redirect stdin so all checkers get /dev/null
2552
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2553
os.dup2(null, sys.stdin.fileno())
2554
if null > 2:
2555
os.close(null)
2556
2557
# Need to fork before connecting to D-Bus
2558
if not foreground:
2559
# Close all input and output, do double fork, etc.
2560
daemon()
2561
2562
# multiprocessing will use threads, so before we use gobject we
2563
# need to inform gobject that threads will be used.
2564
gobject.threads_init()
1535
2565
1536
2566
global main_loop
1537
2567
# From the Avahi example code
1538
DBusGMainLoop(set_as_default=True )
2568
DBusGMainLoop(set_as_default=True)
1539
2569
main_loop = gobject.MainLoop()
1540
2570
bus = dbus.SystemBus()
1541
2571
# End of Avahi example code
1542
2572
if use_dbus:
1543
bus_name = dbus.service.BusName(u"se.bsnet.fukt.Mandos", bus)
1544
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
1545
service = AvahiService(name = server_settings[u"servicename"],
1546
servicetype = u"_mandos._tcp",
1547
protocol = protocol, bus = bus)
1548
if server_settings["interface"]:
1549
service.interface = (if_nametoindex
1550
(str(server_settings[u"interface"])))
2573
try:
2574
bus_name = dbus.service.BusName("se.recompile.Mandos",
2575
bus,
2576
do_not_queue=True)
2577
old_bus_name = dbus.service.BusName(
2578
"se.bsnet.fukt.Mandos", bus,
2579
do_not_queue=True)
2580
except dbus.exceptions.DBusException as e:
2581
logger.error("Disabling D-Bus:", exc_info=e)
2582
use_dbus = False
2583
server_settings["use_dbus"] = False
2584
tcp_server.use_dbus = False
2585
if zeroconf:
2586
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2587
service = AvahiServiceToSyslog(
2588
name = server_settings["servicename"],
2589
servicetype = "_mandos._tcp",
2590
protocol = protocol,
2591
bus = bus)
2592
if server_settings["interface"]:
2593
service.interface = if_nametoindex(
2594
server_settings["interface"].encode("utf-8"))
2595
2596
global multiprocessing_manager
2597
multiprocessing_manager = multiprocessing.Manager()
1551
2598
1552
2599
client_class = Client
1553
2600
if use_dbus:
1554
2601
client_class = functools.partial(ClientDBus, bus = bus)
1555
tcp_server.clients.update(set(
1556
client_class(name = section,
1557
config= dict(client_config.items(section)))
1558
for section in client_config.sections()))
2602
2603
client_settings = Client.config_parser(client_config)
2604
old_client_settings = {}
2605
clients_data = {}
2606
2607
# This is used to redirect stdout and stderr for checker processes
2608
global wnull
2609
wnull = open(os.devnull, "w") # A writable /dev/null
2610
# Only used if server is running in foreground but not in debug
2611
# mode
2612
if debug or not foreground:
2613
wnull.close()
2614
2615
# Get client data and settings from last running state.
2616
if server_settings["restore"]:
2617
try:
2618
with open(stored_state_path, "rb") as stored_state:
2619
clients_data, old_client_settings = pickle.load(
2620
stored_state)
2621
os.remove(stored_state_path)
2622
except IOError as e:
2623
if e.errno == errno.ENOENT:
2624
logger.warning("Could not load persistent state:"
2625
" {}".format(os.strerror(e.errno)))
2626
else:
2627
logger.critical("Could not load persistent state:",
2628
exc_info=e)
2629
raise
2630
except EOFError as e:
2631
logger.warning("Could not load persistent state: "
2632
"EOFError:",
2633
exc_info=e)
2634
2635
with PGPEngine() as pgp:
2636
for client_name, client in clients_data.items():
2637
# Skip removed clients
2638
if client_name not in client_settings:
2639
continue
2640
2641
# Decide which value to use after restoring saved state.
2642
# We have three different values: Old config file,
2643
# new config file, and saved state.
2644
# New config value takes precedence if it differs from old
2645
# config value, otherwise use saved state.
2646
for name, value in client_settings[client_name].items():
2647
try:
2648
# For each value in new config, check if it
2649
# differs from the old config value (Except for
2650
# the "secret" attribute)
2651
if (name != "secret"
2652
and (value !=
2653
old_client_settings[client_name][name])):
2654
client[name] = value
2655
except KeyError:
2656
pass
2657
2658
# Clients who has passed its expire date can still be
2659
# enabled if its last checker was successful. Clients
2660
# whose checker succeeded before we stored its state is
2661
# assumed to have successfully run all checkers during
2662
# downtime.
2663
if client["enabled"]:
2664
if datetime.datetime.utcnow() >= client["expires"]:
2665
if not client["last_checked_ok"]:
2666
logger.warning(
2667
"disabling client {} - Client never "
2668
"performed a successful checker".format(
2669
client_name))
2670
client["enabled"] = False
2671
elif client["last_checker_status"] != 0:
2672
logger.warning(
2673
"disabling client {} - Client last"
2674
" checker failed with error code"
2675
" {}".format(
2676
client_name,
2677
client["last_checker_status"]))
2678
client["enabled"] = False
2679
else:
2680
client["expires"] = (
2681
datetime.datetime.utcnow()
2682
+ client["timeout"])
2683
logger.debug("Last checker succeeded,"
2684
" keeping {} enabled".format(
2685
client_name))
2686
try:
2687
client["secret"] = pgp.decrypt(
2688
client["encrypted_secret"],
2689
client_settings[client_name]["secret"])
2690
except PGPError:
2691
# If decryption fails, we use secret from new settings
2692
logger.debug("Failed to decrypt {} old secret".format(
2693
client_name))
2694
client["secret"] = (client_settings[client_name]
2695
["secret"])
2696
2697
# Add/remove clients based on new changes made to config
2698
for client_name in (set(old_client_settings)
2699
- set(client_settings)):
2700
del clients_data[client_name]
2701
for client_name in (set(client_settings)
2702
- set(old_client_settings)):
2703
clients_data[client_name] = client_settings[client_name]
2704
2705
# Create all client objects
2706
for client_name, client in clients_data.items():
2707
tcp_server.clients[client_name] = client_class(
2708
name = client_name,
2709
settings = client,
2710
server_settings = server_settings)
2711
1559
2712
if not tcp_server.clients:
1560
logger.warning(u"No clients defined")
1561
1562
if debug:
1563
# Redirect stdin so all checkers get /dev/null
1564
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
1565
os.dup2(null, sys.stdin.fileno())
1566
if null > 2:
1567
os.close(null)
1568
else:
1569
# No console logging
1570
logger.removeHandler(console)
1571
# Close all input and output, do double fork, etc.
1572
daemon()
1573
1574
try:
1575
with closing(pidfile):
2713
logger.warning("No clients defined")
2714
2715
if not foreground:
2716
if pidfile is not None:
1576
2717
pid = os.getpid()
1577
pidfile.write(str(pid) + "\n")
2718
try:
2719
with pidfile:
2720
print(pid, file=pidfile)
2721
except IOError:
2722
logger.error("Could not write to file %r with PID %d",
2723
pidfilename, pid)
1578
2724
del pidfile
1579
except IOError:
1580
logger.error(u"Could not write to file %r with PID %d",
1581
pidfilename, pid)
1582
except NameError:
1583
# "pidfile" was never created
1584
pass
1585
del pidfilename
1586
1587
def cleanup():
1588
"Cleanup function; run on exit"
1589
service.cleanup()
1590
1591
while tcp_server.clients:
1592
client = tcp_server.clients.pop()
1593
client.disable_hook = None
1594
client.disable()
1595
1596
atexit.register(cleanup)
1597
1598
if not debug:
1599
signal.signal(signal.SIGINT, signal.SIG_IGN)
2725
del pidfilename
2726
1600
2727
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
1601
2728
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
1602
2729
1603
2730
if use_dbus:
1604
class MandosDBusService(dbus.service.Object):
2731
2732
@alternate_dbus_interfaces(
2733
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
2734
class MandosDBusService(DBusObjectWithProperties):
1605
2735
"""A D-Bus proxy object"""
2736
1606
2737
def __init__(self):
1607
dbus.service.Object.__init__(self, bus, u"/")
1608
_interface = u"se.bsnet.fukt.Mandos"
1609
1610
@dbus.service.signal(_interface, signature=u"oa{sv}")
1611
def ClientAdded(self, objpath, properties):
1612
"D-Bus signal"
1613
pass
1614
1615
@dbus.service.signal(_interface, signature=u"s")
1616
def ClientNotFound(self, fingerprint):
1617
"D-Bus signal"
1618
pass
1619
1620
@dbus.service.signal(_interface, signature=u"os")
2738
dbus.service.Object.__init__(self, bus, "/")
2739
2740
_interface = "se.recompile.Mandos"
2741
2742
@dbus_interface_annotations(_interface)
2743
def _foo(self):
2744
return {
2745
"org.freedesktop.DBus.Property.EmitsChangedSignal":
2746
"false" }
2747
2748
@dbus.service.signal(_interface, signature="o")
2749
def ClientAdded(self, objpath):
2750
"D-Bus signal"
2751
pass
2752
2753
@dbus.service.signal(_interface, signature="ss")
2754
def ClientNotFound(self, fingerprint, address):
2755
"D-Bus signal"
2756
pass
2757
2758
@dbus.service.signal(_interface, signature="os")
1621
2759
def ClientRemoved(self, objpath, name):
1622
2760
"D-Bus signal"
1623
2761
pass
1624
2762
1625
@dbus.service.method(_interface, out_signature=u"ao")
2763
@dbus.service.method(_interface, out_signature="ao")
1626
2764
def GetAllClients(self):
1627
2765
"D-Bus method"
1628
return dbus.Array(c.dbus_object_path
1629
for c in tcp_server.clients)
2766
return dbus.Array(c.dbus_object_path for c in
2767
tcp_server.clients.itervalues())
1630
2768
1631
2769
@dbus.service.method(_interface,
1632
out_signature=u"a{oa{sv}}")
2770
out_signature="a{oa{sv}}")
1633
2771
def GetAllClientsWithProperties(self):
1634
2772
"D-Bus method"
1635
2773
return dbus.Dictionary(
1636
((c.dbus_object_path, c.GetAll(u""))
1637
for c in tcp_server.clients),
1638
signature=u"oa{sv}")
2774
{ c.dbus_object_path: c.GetAll("")
2775
for c in tcp_server.clients.itervalues() },
2776
signature="oa{sv}")
1639
2777
1640
@dbus.service.method(_interface, in_signature=u"o")
2778
@dbus.service.method(_interface, in_signature="o")
1641
2779
def RemoveClient(self, object_path):
1642
2780
"D-Bus method"
1643
for c in tcp_server.clients:
2781
for c in tcp_server.clients.itervalues():
1644
2782
if c.dbus_object_path == object_path:
1645
tcp_server.clients.remove(c)
2783
del tcp_server.clients[c.name]
1646
2784
c.remove_from_connection()
1647
2785
# Don't signal anything except ClientRemoved
1648
c.disable(signal=False)
2786
c.disable(quiet=True)
1649
2787
# Emit D-Bus signal
1650
2788
self.ClientRemoved(object_path, c.name)
1651
2789
return
1652
raise KeyError
2790
raise KeyError(object_path)
1653
2791
1654
2792
del _interface
1655
2793
1656
2794
mandos_dbus_service = MandosDBusService()
1657
2795
1658
for client in tcp_server.clients:
2796
def cleanup():
2797
"Cleanup function; run on exit"
2798
if zeroconf:
2799
service.cleanup()
2800
2801
multiprocessing.active_children()
2802
wnull.close()
2803
if not (tcp_server.clients or client_settings):
2804
return
2805
2806
# Store client before exiting. Secrets are encrypted with key
2807
# based on what config file has. If config file is
2808
# removed/edited, old secret will thus be unrecovable.
2809
clients = {}
2810
with PGPEngine() as pgp:
2811
for client in tcp_server.clients.itervalues():
2812
key = client_settings[client.name]["secret"]
2813
client.encrypted_secret = pgp.encrypt(client.secret,
2814
key)
2815
client_dict = {}
2816
2817
# A list of attributes that can not be pickled
2818
# + secret.
2819
exclude = { "bus", "changedstate", "secret",
2820
"checker", "server_settings" }
2821
for name, typ in inspect.getmembers(dbus.service
2822
.Object):
2823
exclude.add(name)
2824
2825
client_dict["encrypted_secret"] = (client
2826
.encrypted_secret)
2827
for attr in client.client_structure:
2828
if attr not in exclude:
2829
client_dict[attr] = getattr(client, attr)
2830
2831
clients[client.name] = client_dict
2832
del client_settings[client.name]["secret"]
2833
2834
try:
2835
with tempfile.NamedTemporaryFile(
2836
mode='wb',
2837
suffix=".pickle",
2838
prefix='clients-',
2839
dir=os.path.dirname(stored_state_path),
2840
delete=False) as stored_state:
2841
pickle.dump((clients, client_settings), stored_state)
2842
tempname = stored_state.name
2843
os.rename(tempname, stored_state_path)
2844
except (IOError, OSError) as e:
2845
if not debug:
2846
try:
2847
os.remove(tempname)
2848
except NameError:
2849
pass
2850
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2851
logger.warning("Could not save persistent state: {}"
2852
.format(os.strerror(e.errno)))
2853
else:
2854
logger.warning("Could not save persistent state:",
2855
exc_info=e)
2856
raise
2857
2858
# Delete all clients, and settings from config
2859
while tcp_server.clients:
2860
name, client = tcp_server.clients.popitem()
2861
if use_dbus:
2862
client.remove_from_connection()
2863
# Don't signal anything except ClientRemoved
2864
client.disable(quiet=True)
2865
if use_dbus:
2866
# Emit D-Bus signal
2867
mandos_dbus_service.ClientRemoved(
2868
client.dbus_object_path, client.name)
2869
client_settings.clear()
2870
2871
atexit.register(cleanup)
2872
2873
for client in tcp_server.clients.itervalues():
1659
2874
if use_dbus:
1660
2875
# Emit D-Bus signal
1661
mandos_dbus_service.ClientAdded(client.dbus_object_path,
1662
client.GetAll(u""))
1663
client.enable()
2876
mandos_dbus_service.ClientAdded(client.dbus_object_path)
2877
# Need to initiate checking of clients
2878
if client.enabled:
2879
client.init_checker()
1664
2880
1665
2881
tcp_server.enable()
1666
2882
tcp_server.server_activate()
1667
2883
1668
2884
# Find out what port we got
1669
service.port = tcp_server.socket.getsockname()[1]
2885
if zeroconf:
2886
service.port = tcp_server.socket.getsockname()[1]
1670
2887
if use_ipv6:
1671
logger.info(u"Now listening on address %r, port %d,"
1672
" flowinfo %d, scope_id %d"
1673
% tcp_server.socket.getsockname())
2888
logger.info("Now listening on address %r, port %d,"
2889
" flowinfo %d, scope_id %d",
2890
*tcp_server.socket.getsockname())
1674
2891
else: # IPv4
1675
logger.info(u"Now listening on address %r, port %d"
1676
% tcp_server.socket.getsockname())
2892
logger.info("Now listening on address %r, port %d",
2893
*tcp_server.socket.getsockname())
1677
2894
1678
2895
#service.interface = tcp_server.socket.getsockname()[3]
1679
2896
1680
2897
try:
1681
# From the Avahi example code
1682
try:
1683
service.activate()
1684
except dbus.exceptions.DBusException, error:
1685
logger.critical(u"DBusException: %s", error)
1686
sys.exit(1)
1687
# End of Avahi example code
2898
if zeroconf:
2899
# From the Avahi example code
2900
try:
2901
service.activate()
2902
except dbus.exceptions.DBusException as error:
2903
logger.critical("D-Bus Exception", exc_info=error)
2904
cleanup()
2905
sys.exit(1)
2906
# End of Avahi example code
1688
2907
1689
2908
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
1690
2909
lambda *args, **kwargs:
1691
2910
(tcp_server.handle_request
1692
2911
(*args[2:], **kwargs) or True))
1693
2912
1694
logger.debug(u"Starting main loop")
2913
logger.debug("Starting main loop")
1695
2914
main_loop.run()
1696
except AvahiError, error:
1697
logger.critical(u"AvahiError: %s", error)
2915
except AvahiError as error:
2916
logger.critical("Avahi Error", exc_info=error)
2917
cleanup()
1698
2918
sys.exit(1)
1699
2919
except KeyboardInterrupt:
1700
2920
if debug:
1701
print >> sys.stderr
1702
logger.debug(u"Server received KeyboardInterrupt")
1703
logger.debug(u"Server exiting")
2921
print("", file=sys.stderr)
2922
logger.debug("Server received KeyboardInterrupt")
2923
logger.debug("Server exiting")
2924
# Must run before the D-Bus bus name gets deregistered
2925
cleanup()
2926
1704
2927
1705
2928
if __name__ == '__main__':
1706
2929
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0