11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2014 Teddy Hogeborn
15
# Copyright © 2008-2014 Björn Påhlsson
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
91
104
if sys.version_info.major == 2:
95
108
stored_state_file = "clients.pickle"
97
110
logger = logging.getLogger()
101
if_nametoindex = (ctypes.cdll.LoadLibrary
102
(ctypes.util.find_library("c"))
114
if_nametoindex = ctypes.cdll.LoadLibrary(
115
ctypes.util.find_library("c")).if_nametoindex
104
116
except (OSError, AttributeError):
105
118
def if_nametoindex(interface):
106
119
"Get an interface index the hard way, i.e. using fcntl()"
107
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
116
129
"""init logger and add loglevel"""
119
syslogger = (logging.handlers.SysLogHandler
121
logging.handlers.SysLogHandler.LOG_DAEMON,
122
address = "/dev/log"))
132
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
123
135
syslogger.setFormatter(logging.Formatter
124
136
('Mandos [%(process)d]: %(levelname)s:'
187
200
def encrypt(self, data, password):
188
201
passphrase = self.password_encode(password)
189
with tempfile.NamedTemporaryFile(dir=self.tempdir
202
with tempfile.NamedTemporaryFile(
203
dir=self.tempdir) as passfile:
191
204
passfile.write(passphrase)
193
206
proc = subprocess.Popen(['gpg', '--symmetric',
205
218
def decrypt(self, data, password):
206
219
passphrase = self.password_encode(password)
207
with tempfile.NamedTemporaryFile(dir = self.tempdir
220
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
209
222
passfile.write(passphrase)
211
224
proc = subprocess.Popen(['gpg', '--decrypt',
256
270
bus: dbus.SystemBus()
259
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
260
servicetype = None, port = None, TXT = None,
261
domain = "", host = "", max_renames = 32768,
262
protocol = avahi.PROTO_UNSPEC, bus = None):
274
interface = avahi.IF_UNSPEC,
282
protocol = avahi.PROTO_UNSPEC,
263
284
self.interface = interface
265
286
self.type = servicetype
276
297
self.entry_group_state_changed_match = None
299
def rename(self, remove=True):
279
300
"""Derived from the Avahi example code"""
280
301
if self.rename_count >= self.max_renames:
281
302
logger.critical("No suitable Zeroconf service name found"
282
303
" after %i retries, exiting.",
283
304
self.rename_count)
284
305
raise AvahiServiceError("Too many renames")
285
self.name = str(self.server
286
.GetAlternativeServiceName(self.name))
307
self.server.GetAlternativeServiceName(self.name))
308
self.rename_count += 1
287
309
logger.info("Changing Zeroconf service name to %r ...",
292
315
except dbus.exceptions.DBusException as error:
293
logger.critical("D-Bus Exception", exc_info=error)
296
self.rename_count += 1
316
if (error.get_dbus_name()
317
== "org.freedesktop.Avahi.CollisionError"):
318
logger.info("Local Zeroconf service name collision.")
319
return self.rename(remove=False)
321
logger.critical("D-Bus Exception", exc_info=error)
298
325
def remove(self):
299
326
"""Derived from the Avahi example code"""
355
381
def server_state_changed(self, state, error=None):
356
382
"""Derived from the Avahi example code"""
357
383
logger.debug("Avahi server state change: %i", state)
358
bad_states = { avahi.SERVER_INVALID:
359
"Zeroconf server invalid",
360
avahi.SERVER_REGISTERING: None,
361
avahi.SERVER_COLLISION:
362
"Zeroconf server name collision",
363
avahi.SERVER_FAILURE:
364
"Zeroconf server failure" }
385
avahi.SERVER_INVALID: "Zeroconf server invalid",
386
avahi.SERVER_REGISTERING: None,
387
avahi.SERVER_COLLISION: "Zeroconf server name collision",
388
avahi.SERVER_FAILURE: "Zeroconf server failure",
365
390
if state in bad_states:
366
391
if bad_states[state] is not None:
367
392
if error is None:
386
411
follow_name_owner_changes=True),
387
412
avahi.DBUS_INTERFACE_SERVER)
388
413
self.server.connect_to_signal("StateChanged",
389
self.server_state_changed)
414
self.server_state_changed)
390
415
self.server_state_changed(self.server.GetState())
393
418
class AvahiServiceToSyslog(AvahiService):
419
def rename(self, *args, **kwargs):
395
420
"""Add the new name to the syslog messages"""
396
ret = AvahiService.rename(self)
397
syslogger.setFormatter(logging.Formatter
398
('Mandos ({}) [%(process)d]:'
399
' %(levelname)s: %(message)s'
421
ret = AvahiService.rename(self, *args, **kwargs)
422
syslogger.setFormatter(logging.Formatter(
423
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
450
474
"fingerprint", "host", "interval",
451
475
"last_approval_request", "last_checked_ok",
452
476
"last_enabled", "name", "timeout")
453
client_defaults = { "timeout": "PT5M",
454
"extended_timeout": "PT15M",
456
"checker": "fping -q -- %%(host)s",
458
"approval_delay": "PT0S",
459
"approval_duration": "PT1S",
460
"approved_by_default": "True",
479
"extended_timeout": "PT15M",
481
"checker": "fping -q -- %%(host)s",
483
"approval_delay": "PT0S",
484
"approval_duration": "PT1S",
485
"approved_by_default": "True",
465
490
def config_parser(config):
528
556
self.expires = None
530
558
logger.debug("Creating client %r", self.name)
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the fingerprint()
534
559
logger.debug(" Fingerprint: %s", self.fingerprint)
535
560
self.created = settings.get("created",
536
561
datetime.datetime.utcnow())
543
568
self.current_checker_command = None
544
569
self.approved = None
545
570
self.approvals_pending = 0
546
self.changedstate = (multiprocessing_manager
547
.Condition(multiprocessing_manager
549
self.client_structure = [attr for attr in
550
self.__dict__.iterkeys()
571
self.changedstate = multiprocessing_manager.Condition(
572
multiprocessing_manager.Lock())
573
self.client_structure = [attr
574
for attr in self.__dict__.iterkeys()
551
575
if not attr.startswith("_")]
552
576
self.client_structure.append("client_structure")
554
for name, t in inspect.getmembers(type(self),
578
for name, t in inspect.getmembers(
579
type(self), lambda obj: isinstance(obj, property)):
558
580
if not name.startswith("_"):
559
581
self.client_structure.append(name)
602
624
# and every interval from then on.
603
625
if self.checker_initiator_tag is not None:
604
626
gobject.source_remove(self.checker_initiator_tag)
605
self.checker_initiator_tag = (gobject.timeout_add
607
.total_seconds() * 1000),
627
self.checker_initiator_tag = gobject.timeout_add(
628
int(self.interval.total_seconds() * 1000),
609
630
# Schedule a disable() when 'timeout' has passed
610
631
if self.disable_initiator_tag is not None:
611
632
gobject.source_remove(self.disable_initiator_tag)
612
self.disable_initiator_tag = (gobject.timeout_add
614
.total_seconds() * 1000),
633
self.disable_initiator_tag = gobject.timeout_add(
634
int(self.timeout.total_seconds() * 1000), self.disable)
616
635
# Also start a new checker *right now*.
617
636
self.start_checker()
648
666
gobject.source_remove(self.disable_initiator_tag)
649
667
self.disable_initiator_tag = None
650
668
if getattr(self, "enabled", False):
651
self.disable_initiator_tag = (gobject.timeout_add
652
(int(timeout.total_seconds()
653
* 1000), self.disable))
669
self.disable_initiator_tag = gobject.timeout_add(
670
int(timeout.total_seconds() * 1000), self.disable)
654
671
self.expires = datetime.datetime.utcnow() + timeout
656
673
def need_approval(self):
687
704
# Start a new checker if needed
688
705
if self.checker is None:
689
706
# Escape attributes for the shell
690
escaped_attrs = { attr:
691
re.escape(str(getattr(self, attr)))
692
for attr in self.runtime_expansions }
708
attr: re.escape(str(getattr(self, attr)))
709
for attr in self.runtime_expansions }
694
711
command = self.checker_command % escaped_attrs
695
712
except TypeError as error:
696
713
logger.error('Could not format string "%s"',
697
self.checker_command, exc_info=error)
698
return True # Try again later
714
self.checker_command,
716
return True # Try again later
699
717
self.current_checker_command = command
701
logger.info("Starting checker %r for %s",
719
logger.info("Starting checker %r for %s", command,
703
721
# We don't need to redirect stdout and stderr, since
704
722
# in normal mode, that is already done by daemon(),
705
723
# and in debug mode we don't want to. (Stdin is
714
732
"stderr": wnull })
715
733
self.checker = subprocess.Popen(command,
719
738
except OSError as error:
720
739
logger.error("Failed to start subprocess",
723
self.checker_callback_tag = (gobject.child_watch_add
725
self.checker_callback,
742
self.checker_callback_tag = gobject.child_watch_add(
743
self.checker.pid, self.checker_callback, data=command)
727
744
# The checker may have completed before the gobject
728
745
# watch was added. Check for this.
760
777
self.checker = None
763
def dbus_service_property(dbus_interface, signature="v",
764
access="readwrite", byte_arrays=False):
780
def dbus_service_property(dbus_interface,
765
784
"""Decorators for marking methods of a DBusObjectWithProperties to
766
785
become properties on the D-Bus.
865
891
def _get_all_dbus_things(self, thing):
866
892
"""Returns a generator of (name, attribute) pairs
868
return ((getattr(athing.__get__(self), "_dbus_name",
894
return ((getattr(athing.__get__(self), "_dbus_name", name),
870
895
athing.__get__(self))
871
896
for cls in self.__class__.__mro__
872
897
for name, athing in
873
inspect.getmembers(cls,
874
self._is_dbus_thing(thing)))
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
876
900
def _get_dbus_property(self, interface_name, property_name):
877
901
"""Returns a bound method if one exists which is a D-Bus
878
902
property with the specified name and interface.
880
for cls in self.__class__.__mro__:
881
for name, value in (inspect.getmembers
883
self._is_dbus_thing("property"))):
904
for cls in self.__class__.__mro__:
905
for name, value in inspect.getmembers(
906
cls, self._is_dbus_thing("property")):
884
907
if (value._dbus_name == property_name
885
908
and value._dbus_interface == interface_name):
886
909
return value.__get__(self)
888
911
# No such property
889
raise DBusPropertyNotFound(self.dbus_object_path + ":"
890
+ interface_name + "."
912
raise DBusPropertyNotFound("{}:{}.{}".format(
913
self.dbus_object_path, interface_name, property_name))
893
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
915
@dbus.service.method(dbus.PROPERTIES_IFACE,
894
917
out_signature="v")
895
918
def Get(self, interface_name, property_name):
896
919
"""Standard D-Bus property Get() method, see D-Bus standard.
942
966
if not hasattr(value, "variant_level"):
943
967
properties[name] = value
945
properties[name] = type(value)(value, variant_level=
946
value.variant_level+1)
969
properties[name] = type(value)(
970
value, variant_level = value.variant_level + 1)
947
971
return dbus.Dictionary(properties, signature="sv")
949
973
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
969
993
document = xml.dom.minidom.parseString(xmlstring)
970
995
def make_tag(document, name, prop):
971
996
e = document.createElement("property")
972
997
e.setAttribute("name", name)
973
998
e.setAttribute("type", prop._dbus_signature)
974
999
e.setAttribute("access", prop._dbus_access)
976
1002
for if_tag in document.getElementsByTagName("interface"):
977
1003
# Add property tags
978
1004
for tag in (make_tag(document, name, prop)
1040
1064
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1042
1066
return dbus.String("", variant_level = variant_level)
1043
return dbus.String(dt.isoformat(),
1044
variant_level=variant_level)
1067
return dbus.String(dt.isoformat(), variant_level=variant_level)
1047
1070
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1077
1101
# Ignore non-D-Bus attributes, and D-Bus attributes
1078
1102
# with the wrong interface name
1079
1103
if (not hasattr(attribute, "_dbus_interface")
1080
or not attribute._dbus_interface
1081
.startswith(orig_interface_name)):
1104
or not attribute._dbus_interface.startswith(
1105
orig_interface_name)):
1083
1107
# Create an alternate D-Bus interface name based on
1084
1108
# the current name
1085
alt_interface = (attribute._dbus_interface
1086
.replace(orig_interface_name,
1087
alt_interface_name))
1109
alt_interface = attribute._dbus_interface.replace(
1110
orig_interface_name, alt_interface_name)
1088
1111
interface_names.add(alt_interface)
1089
1112
# Is this a D-Bus signal?
1090
1113
if getattr(attribute, "_dbus_is_signal", False):
1091
1114
# Extract the original non-method undecorated
1092
1115
# function by black magic
1093
1116
nonmethod_func = (dict(
1094
zip(attribute.func_code.co_freevars,
1095
attribute.__closure__))["func"]
1117
zip(attribute.func_code.co_freevars,
1118
attribute.__closure__))
1119
["func"].cell_contents)
1097
1120
# Create a new, but exactly alike, function
1098
1121
# object, and decorate it to be a new D-Bus signal
1099
1122
# with the alternate D-Bus interface name
1100
new_function = (dbus.service.signal
1102
attribute._dbus_signature)
1123
new_function = (dbus.service.signal(
1124
alt_interface, attribute._dbus_signature)
1103
1125
(types.FunctionType(
1104
nonmethod_func.func_code,
1105
nonmethod_func.func_globals,
1106
nonmethod_func.func_name,
1107
nonmethod_func.func_defaults,
1108
nonmethod_func.func_closure)))
1126
nonmethod_func.func_code,
1127
nonmethod_func.func_globals,
1128
nonmethod_func.func_name,
1129
nonmethod_func.func_defaults,
1130
nonmethod_func.func_closure)))
1109
1131
# Copy annotations, if any
1111
new_function._dbus_annotations = (
1112
dict(attribute._dbus_annotations))
1133
new_function._dbus_annotations = dict(
1134
attribute._dbus_annotations)
1113
1135
except AttributeError:
1115
1137
# Define a creator of a function to call both the
1120
1142
"""This function is a scope container to pass
1121
1143
func1 and func2 to the "call_both" function
1122
1144
outside of its arguments"""
1123
1146
def call_both(*args, **kwargs):
1124
1147
"""This function will emit two D-Bus
1125
1148
signals by calling func1 and func2"""
1126
1149
func1(*args, **kwargs)
1127
1150
func2(*args, **kwargs)
1128
1152
return call_both
1129
1153
# Create the "call_both" function and add it to
1135
1159
# object. Decorate it to be a new D-Bus method
1136
1160
# with the alternate D-Bus interface name. Add it
1137
1161
# to the class.
1138
attr[attrname] = (dbus.service.method
1140
attribute._dbus_in_signature,
1141
attribute._dbus_out_signature)
1143
(attribute.func_code,
1144
attribute.func_globals,
1145
attribute.func_name,
1146
attribute.func_defaults,
1147
attribute.func_closure)))
1163
dbus.service.method(
1165
attribute._dbus_in_signature,
1166
attribute._dbus_out_signature)
1167
(types.FunctionType(attribute.func_code,
1168
attribute.func_globals,
1169
attribute.func_name,
1170
attribute.func_defaults,
1171
attribute.func_closure)))
1148
1172
# Copy annotations, if any
1150
attr[attrname]._dbus_annotations = (
1151
dict(attribute._dbus_annotations))
1174
attr[attrname]._dbus_annotations = dict(
1175
attribute._dbus_annotations)
1152
1176
except AttributeError:
1154
1178
# Is this a D-Bus property?
1157
1181
# object, and decorate it to be a new D-Bus
1158
1182
# property with the alternate D-Bus interface
1159
1183
# name. Add it to the class.
1160
attr[attrname] = (dbus_service_property
1162
attribute._dbus_signature,
1163
attribute._dbus_access,
1165
._dbus_get_args_options
1168
(attribute.func_code,
1169
attribute.func_globals,
1170
attribute.func_name,
1171
attribute.func_defaults,
1172
attribute.func_closure)))
1184
attr[attrname] = (dbus_service_property(
1185
alt_interface, attribute._dbus_signature,
1186
attribute._dbus_access,
1187
attribute._dbus_get_args_options
1189
(types.FunctionType(
1190
attribute.func_code,
1191
attribute.func_globals,
1192
attribute.func_name,
1193
attribute.func_defaults,
1194
attribute.func_closure)))
1173
1195
# Copy annotations, if any
1175
attr[attrname]._dbus_annotations = (
1176
dict(attribute._dbus_annotations))
1197
attr[attrname]._dbus_annotations = dict(
1198
attribute._dbus_annotations)
1177
1199
except AttributeError:
1179
1201
# Is this a D-Bus interface?
1182
1204
# object. Decorate it to be a new D-Bus interface
1183
1205
# with the alternate D-Bus interface name. Add it
1184
1206
# to the class.
1185
attr[attrname] = (dbus_interface_annotations
1188
(attribute.func_code,
1189
attribute.func_globals,
1190
attribute.func_name,
1191
attribute.func_defaults,
1192
attribute.func_closure)))
1208
dbus_interface_annotations(alt_interface)
1209
(types.FunctionType(attribute.func_code,
1210
attribute.func_globals,
1211
attribute.func_name,
1212
attribute.func_defaults,
1213
attribute.func_closure)))
1194
1215
# Deprecate all alternate interfaces
1195
1216
iname="_AlternateDBusNames_interface_annotation{}"
1196
1217
for interface_name in interface_names:
1197
1219
@dbus_interface_annotations(interface_name)
1198
1220
def func(self):
1199
1221
return { "org.freedesktop.DBus.Deprecated":
1201
1223
# Find an unused name
1202
1224
for aname in (iname.format(i)
1203
1225
for i in itertools.count()):
1208
1230
# Replace the class with a new subclass of it with
1209
1231
# methods, signals, etc. as created above.
1210
1232
cls = type(b"{}Alternate".format(cls.__name__),
1216
1239
@alternate_dbus_interfaces({"se.recompile.Mandos":
1217
"se.bsnet.fukt.Mandos"})
1240
"se.bsnet.fukt.Mandos"})
1218
1241
class ClientDBus(Client, DBusObjectWithProperties):
1219
1242
"""A Client class using D-Bus
1238
1261
client_object_name = str(self.name).translate(
1239
1262
{ord("."): ord("_"),
1240
1263
ord("-"): ord("_")})
1241
self.dbus_object_path = (dbus.ObjectPath
1242
("/clients/" + client_object_name))
1264
self.dbus_object_path = dbus.ObjectPath(
1265
"/clients/" + client_object_name)
1243
1266
DBusObjectWithProperties.__init__(self, self.bus,
1244
1267
self.dbus_object_path)
1246
def notifychangeproperty(transform_func,
1247
dbus_name, type_func=lambda x: x,
1248
variant_level=1, invalidate_only=False,
1269
def notifychangeproperty(transform_func, dbus_name,
1270
type_func=lambda x: x,
1272
invalidate_only=False,
1249
1273
_interface=_interface):
1250
1274
""" Modify a variable so that it's a property which announces
1251
1275
its changes to DBus.
1258
1282
variant_level: D-Bus variant level. Default: 1
1260
1284
attrname = "_{}".format(dbus_name)
1261
1286
def setter(self, value):
1262
1287
if hasattr(self, "dbus_object_path"):
1263
1288
if (not hasattr(self, attrname) or
1264
1289
type_func(getattr(self, attrname, None))
1265
1290
!= type_func(value)):
1266
1291
if invalidate_only:
1267
self.PropertiesChanged(_interface,
1292
self.PropertiesChanged(
1293
_interface, dbus.Dictionary(),
1294
dbus.Array((dbus_name, )))
1272
dbus_value = transform_func(type_func(value),
1296
dbus_value = transform_func(
1298
variant_level = variant_level)
1275
1299
self.PropertyChanged(dbus.String(dbus_name),
1277
self.PropertiesChanged(_interface,
1279
dbus.String(dbus_name):
1280
dbus_value }), dbus.Array())
1301
self.PropertiesChanged(
1303
dbus.Dictionary({ dbus.String(dbus_name):
1281
1306
setattr(self, attrname, value)
1283
1308
return property(lambda self: getattr(self, attrname), setter)
1289
1314
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1290
1315
last_enabled = notifychangeproperty(datetime_to_dbus,
1292
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1293
type_func = lambda checker:
1294
checker is not None)
1317
checker = notifychangeproperty(
1318
dbus.Boolean, "CheckerRunning",
1319
type_func = lambda checker: checker is not None)
1295
1320
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1296
1321
"LastCheckedOK")
1297
1322
last_checker_status = notifychangeproperty(dbus.Int16,
1300
1325
datetime_to_dbus, "LastApprovalRequest")
1301
1326
approved_by_default = notifychangeproperty(dbus.Boolean,
1302
1327
"ApprovedByDefault")
1303
approval_delay = notifychangeproperty(dbus.UInt64,
1306
lambda td: td.total_seconds()
1328
approval_delay = notifychangeproperty(
1329
dbus.UInt64, "ApprovalDelay",
1330
type_func = lambda td: td.total_seconds() * 1000)
1308
1331
approval_duration = notifychangeproperty(
1309
1332
dbus.UInt64, "ApprovalDuration",
1310
1333
type_func = lambda td: td.total_seconds() * 1000)
1311
1334
host = notifychangeproperty(dbus.String, "Host")
1312
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1313
type_func = lambda td:
1314
td.total_seconds() * 1000)
1335
timeout = notifychangeproperty(
1336
dbus.UInt64, "Timeout",
1337
type_func = lambda td: td.total_seconds() * 1000)
1315
1338
extended_timeout = notifychangeproperty(
1316
1339
dbus.UInt64, "ExtendedTimeout",
1317
1340
type_func = lambda td: td.total_seconds() * 1000)
1318
interval = notifychangeproperty(dbus.UInt64,
1321
lambda td: td.total_seconds()
1341
interval = notifychangeproperty(
1342
dbus.UInt64, "Interval",
1343
type_func = lambda td: td.total_seconds() * 1000)
1323
1344
checker_command = notifychangeproperty(dbus.String, "Checker")
1324
1345
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1325
1346
invalidate_only=True)
1463
1484
return dbus.Boolean(bool(self.approvals_pending))
1465
1486
# ApprovedByDefault - property
1466
@dbus_service_property(_interface, signature="b",
1487
@dbus_service_property(_interface,
1467
1489
access="readwrite")
1468
1490
def ApprovedByDefault_dbus_property(self, value=None):
1469
1491
if value is None: # get
1471
1493
self.approved_by_default = bool(value)
1473
1495
# ApprovalDelay - property
1474
@dbus_service_property(_interface, signature="t",
1496
@dbus_service_property(_interface,
1475
1498
access="readwrite")
1476
1499
def ApprovalDelay_dbus_property(self, value=None):
1477
1500
if value is None: # get
1480
1503
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1482
1505
# ApprovalDuration - property
1483
@dbus_service_property(_interface, signature="t",
1506
@dbus_service_property(_interface,
1484
1508
access="readwrite")
1485
1509
def ApprovalDuration_dbus_property(self, value=None):
1486
1510
if value is None: # get
1537
1564
return datetime_to_dbus(self.last_checked_ok)
1539
1566
# LastCheckerStatus - property
1540
@dbus_service_property(_interface, signature="n",
1567
@dbus_service_property(_interface, signature="n", access="read")
1542
1568
def LastCheckerStatus_dbus_property(self):
1543
1569
return dbus.Int16(self.last_checker_status)
1574
1601
gobject.source_remove(self.disable_initiator_tag)
1575
self.disable_initiator_tag = (
1576
gobject.timeout_add(
1577
int((self.expires - now).total_seconds()
1578
* 1000), self.disable))
1602
self.disable_initiator_tag = gobject.timeout_add(
1603
int((self.expires - now).total_seconds() * 1000),
1580
1606
# ExtendedTimeout - property
1581
@dbus_service_property(_interface, signature="t",
1607
@dbus_service_property(_interface,
1582
1609
access="readwrite")
1583
1610
def ExtendedTimeout_dbus_property(self, value=None):
1584
1611
if value is None: # get
1587
1614
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1589
1616
# Interval - property
1590
@dbus_service_property(_interface, signature="t",
1617
@dbus_service_property(_interface,
1591
1619
access="readwrite")
1592
1620
def Interval_dbus_property(self, value=None):
1593
1621
if value is None: # get
1598
1626
if self.enabled:
1599
1627
# Reschedule checker run
1600
1628
gobject.source_remove(self.checker_initiator_tag)
1601
self.checker_initiator_tag = (gobject.timeout_add
1602
(value, self.start_checker))
1603
self.start_checker() # Start one now, too
1629
self.checker_initiator_tag = gobject.timeout_add(
1630
value, self.start_checker)
1631
self.start_checker() # Start one now, too
1605
1633
# Checker - property
1606
@dbus_service_property(_interface, signature="s",
1634
@dbus_service_property(_interface,
1607
1636
access="readwrite")
1608
1637
def Checker_dbus_property(self, value=None):
1609
1638
if value is None: # get
1627
1657
return self.dbus_object_path # is already a dbus.ObjectPath
1629
1659
# Secret = property
1630
@dbus_service_property(_interface, signature="ay",
1631
access="write", byte_arrays=True)
1660
@dbus_service_property(_interface,
1632
1664
def Secret_dbus_property(self, value):
1633
1665
self.secret = bytes(value)
1650
1682
if data[0] == 'data':
1652
1684
if data[0] == 'function':
1653
1686
def func(*args, **kwargs):
1654
1687
self._pipe.send(('funcall', name, args, kwargs))
1655
1688
return self._pipe.recv()[1]
1658
1692
def __setattr__(self, name, value):
1674
1708
logger.debug("Pipe FD: %d",
1675
1709
self.server.child_pipe.fileno())
1677
session = (gnutls.connection
1678
.ClientSession(self.request,
1680
.X509Credentials()))
1711
session = gnutls.connection.ClientSession(
1712
self.request, gnutls.connection .X509Credentials())
1682
1714
# Note: gnutls.connection.X509Credentials is really a
1683
1715
# generic GnuTLS certificate credentials object so long as
1692
1724
priority = self.server.gnutls_priority
1693
1725
if priority is None:
1694
1726
priority = "NORMAL"
1695
(gnutls.library.functions
1696
.gnutls_priority_set_direct(session._c_object,
1727
gnutls.library.functions.gnutls_priority_set_direct(
1728
session._c_object, priority, None)
1699
1730
# Start communication using the Mandos protocol
1700
1731
# Get protocol number
1795
1826
logger.warning("gnutls send failed",
1796
1827
exc_info=error)
1798
logger.debug("Sent: %d, remaining: %d",
1799
sent, len(client.secret)
1800
- (sent_size + sent))
1829
logger.debug("Sent: %d, remaining: %d", sent,
1830
len(client.secret) - (sent_size
1801
1832
sent_size += sent
1803
1834
logger.info("Sending secret to %s", client.name)
1820
1851
def peer_certificate(session):
1821
1852
"Return the peer's OpenPGP certificate as a bytestring"
1822
1853
# If not an OpenPGP certificate...
1823
if (gnutls.library.functions
1824
.gnutls_certificate_type_get(session._c_object)
1854
if (gnutls.library.functions.gnutls_certificate_type_get(
1825
1856
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1826
1857
# ...do the normal thing
1827
1858
return session.peer_certificate
1841
1872
def fingerprint(openpgp):
1842
1873
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1843
1874
# New GnuTLS "datum" with the OpenPGP public key
1844
datum = (gnutls.library.types
1845
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1848
ctypes.c_uint(len(openpgp))))
1875
datum = gnutls.library.types.gnutls_datum_t(
1876
ctypes.cast(ctypes.c_char_p(openpgp),
1877
ctypes.POINTER(ctypes.c_ubyte)),
1878
ctypes.c_uint(len(openpgp)))
1849
1879
# New empty GnuTLS certificate
1850
1880
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1851
(gnutls.library.functions
1852
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1881
gnutls.library.functions.gnutls_openpgp_crt_init(
1853
1883
# Import the OpenPGP public key into the certificate
1854
(gnutls.library.functions
1855
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1856
gnutls.library.constants
1857
.GNUTLS_OPENPGP_FMT_RAW))
1884
gnutls.library.functions.gnutls_openpgp_crt_import(
1885
crt, ctypes.byref(datum),
1886
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
1858
1887
# Verify the self signature in the key
1859
1888
crtverify = ctypes.c_uint()
1860
(gnutls.library.functions
1861
.gnutls_openpgp_crt_verify_self(crt, 0,
1862
ctypes.byref(crtverify)))
1889
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1890
crt, 0, ctypes.byref(crtverify))
1863
1891
if crtverify.value != 0:
1864
1892
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1865
raise (gnutls.errors.CertificateSecurityError
1893
raise gnutls.errors.CertificateSecurityError(
1867
1895
# New buffer for the fingerprint
1868
1896
buf = ctypes.create_string_buffer(20)
1869
1897
buf_len = ctypes.c_size_t()
1870
1898
# Get the fingerprint from the certificate into the buffer
1871
(gnutls.library.functions
1872
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1873
ctypes.byref(buf_len)))
1899
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1900
crt, ctypes.byref(buf), ctypes.byref(buf_len))
1874
1901
# Deinit the certificate
1875
1902
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1876
1903
# Convert the buffer to a Python bytestring
1925
1954
interface: None or a network interface name (string)
1926
1955
use_ipv6: Boolean; to use IPv6 or not
1928
1958
def __init__(self, server_address, RequestHandlerClass,
1929
interface=None, use_ipv6=True, socketfd=None):
1930
1962
"""If socketfd is set, use that file descriptor instead of
1931
1963
creating a new one with socket.socket().
1973
2005
self.interface)
1976
self.socket.setsockopt(socket.SOL_SOCKET,
1978
(self.interface + "\0")
2008
self.socket.setsockopt(
2009
socket.SOL_SOCKET, SO_BINDTODEVICE,
2010
(self.interface + "\0").encode("utf-8"))
1980
2011
except socket.error as error:
1981
2012
if error.errno == errno.EPERM:
1982
2013
logger.error("No permission to bind to"
2000
2031
self.server_address = (any_address,
2001
2032
self.server_address[1])
2002
2033
elif not self.server_address[1]:
2003
self.server_address = (self.server_address[0],
2034
self.server_address = (self.server_address[0], 0)
2005
2035
# if self.interface:
2006
2036
# self.server_address = (self.server_address[0],
2022
2052
Assumes a gobject.MainLoop event loop.
2024
2055
def __init__(self, server_address, RequestHandlerClass,
2025
interface=None, use_ipv6=True, clients=None,
2026
gnutls_priority=None, use_dbus=True, socketfd=None):
2059
gnutls_priority=None,
2027
2062
self.enabled = False
2028
2063
self.clients = clients
2029
2064
if self.clients is None:
2045
2081
def add_pipe(self, parent_pipe, proc):
2046
2082
# Call "handle_ipc" for both data and EOF events
2047
gobject.io_add_watch(parent_pipe.fileno(),
2048
gobject.IO_IN | gobject.IO_HUP,
2049
functools.partial(self.handle_ipc,
2083
gobject.io_add_watch(
2084
parent_pipe.fileno(),
2085
gobject.IO_IN | gobject.IO_HUP,
2086
functools.partial(self.handle_ipc,
2087
parent_pipe = parent_pipe,
2054
def handle_ipc(self, source, condition, parent_pipe=None,
2055
proc = None, client_object=None):
2090
def handle_ipc(self, source, condition,
2093
client_object=None):
2056
2094
# error, or the other end of multiprocessing.Pipe has closed
2057
2095
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2058
2096
# Wait for other process to exit
2081
2119
parent_pipe.send(False)
2084
gobject.io_add_watch(parent_pipe.fileno(),
2085
gobject.IO_IN | gobject.IO_HUP,
2086
functools.partial(self.handle_ipc,
2122
gobject.io_add_watch(
2123
parent_pipe.fileno(),
2124
gobject.IO_IN | gobject.IO_HUP,
2125
functools.partial(self.handle_ipc,
2126
parent_pipe = parent_pipe,
2128
client_object = client))
2092
2129
parent_pipe.send(True)
2093
2130
# remove the old hook in favor of the new above hook on
2101
2138
parent_pipe.send(('data', getattr(client_object,
2102
2139
funcname)(*args,
2105
2142
if command == 'getattr':
2106
2143
attrname = request[1]
2107
2144
if callable(client_object.__getattribute__(attrname)):
2108
parent_pipe.send(('function',))
2145
parent_pipe.send(('function', ))
2110
parent_pipe.send(('data', client_object
2111
.__getattribute__(attrname)))
2148
'data', client_object.__getattribute__(attrname)))
2113
2150
if command == 'setattr':
2114
2151
attrname = request[1]
2145
2182
# avoid excessive use of external libraries.
2147
2184
# New type for defining tokens, syntax, and semantics all-in-one
2148
Token = collections.namedtuple("Token",
2149
("regexp", # To match token; if
2150
# "value" is not None,
2151
# must have a "group"
2153
"value", # datetime.timedelta or
2155
"followers")) # Tokens valid after
2185
Token = collections.namedtuple("Token", (
2186
"regexp", # To match token; if "value" is not None, must have
2187
# a "group" containing digits
2188
"value", # datetime.timedelta or None
2189
"followers")) # Tokens valid after this token
2157
2190
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2158
2191
# the "duration" ABNF definition in RFC 3339, Appendix A.
2159
2192
token_end = Token(re.compile(r"$"), None, frozenset())
2160
2193
token_second = Token(re.compile(r"(\d+)S"),
2161
2194
datetime.timedelta(seconds=1),
2162
frozenset((token_end,)))
2195
frozenset((token_end, )))
2163
2196
token_minute = Token(re.compile(r"(\d+)M"),
2164
2197
datetime.timedelta(minutes=1),
2165
2198
frozenset((token_second, token_end)))
2181
2214
frozenset((token_month, token_end)))
2182
2215
token_week = Token(re.compile(r"(\d+)W"),
2183
2216
datetime.timedelta(weeks=1),
2184
frozenset((token_end,)))
2217
frozenset((token_end, )))
2185
2218
token_duration = Token(re.compile(r"P"), None,
2186
2219
frozenset((token_year, token_month,
2187
2220
token_day, token_time,
2189
2222
# Define starting values
2190
2223
value = datetime.timedelta() # Value so far
2191
2224
found_token = None
2192
followers = frozenset((token_duration,)) # Following valid tokens
2225
followers = frozenset((token_duration, )) # Following valid tokens
2193
2226
s = duration # String left to parse
2194
2227
# Loop until end token is found
2195
2228
while found_token is not token_end:
2278
2311
# Close all standard open file descriptors
2279
2312
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2280
2313
if not stat.S_ISCHR(os.fstat(null).st_mode):
2281
raise OSError(errno.ENODEV, "{} not a character device"
2314
raise OSError(errno.ENODEV,
2315
"{} not a character device"
2282
2316
.format(os.devnull))
2283
2317
os.dup2(null, sys.stdin.fileno())
2284
2318
os.dup2(null, sys.stdout.fileno())
2360
2395
"statedir": "/var/lib/mandos",
2361
2396
"foreground": "False",
2362
2397
"zeroconf": "True",
2365
2400
# Parse config file for server-global settings
2366
2401
server_config = configparser.SafeConfigParser(server_defaults)
2367
2402
del server_defaults
2368
server_config.read(os.path.join(options.configdir,
2403
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2370
2404
# Convert the SafeConfigParser object to a dict
2371
2405
server_settings = server_config.defaults()
2372
2406
# Use the appropriate methods on the non-string config options
2390
2424
# Override the settings from the config file with command line
2391
2425
# options, if set.
2392
2426
for option in ("interface", "address", "port", "debug",
2393
"priority", "servicename", "configdir",
2394
"use_dbus", "use_ipv6", "debuglevel", "restore",
2395
"statedir", "socket", "foreground", "zeroconf"):
2427
"priority", "servicename", "configdir", "use_dbus",
2428
"use_ipv6", "debuglevel", "restore", "statedir",
2429
"socket", "foreground", "zeroconf"):
2396
2430
value = getattr(options, option)
2397
2431
if value is not None:
2398
2432
server_settings[option] = value
2414
2448
##################################################################
2416
if (not server_settings["zeroconf"] and
2417
not (server_settings["port"]
2418
or server_settings["socket"] != "")):
2419
parser.error("Needs port or socket to work without"
2450
if (not server_settings["zeroconf"]
2451
and not (server_settings["port"]
2452
or server_settings["socket"] != "")):
2453
parser.error("Needs port or socket to work without Zeroconf")
2422
2455
# For convenience
2423
2456
debug = server_settings["debug"]
2439
2472
initlogger(debug, level)
2441
2474
if server_settings["servicename"] != "Mandos":
2442
syslogger.setFormatter(logging.Formatter
2443
('Mandos ({}) [%(process)d]:'
2444
' %(levelname)s: %(message)s'
2445
.format(server_settings
2475
syslogger.setFormatter(
2476
logging.Formatter('Mandos ({}) [%(process)d]:'
2477
' %(levelname)s: %(message)s'.format(
2478
server_settings["servicename"])))
2448
2480
# Parse config file with clients
2449
2481
client_config = configparser.SafeConfigParser(Client
2457
2489
socketfd = None
2458
2490
if server_settings["socket"] != "":
2459
2491
socketfd = server_settings["socket"]
2460
tcp_server = MandosServer((server_settings["address"],
2461
server_settings["port"]),
2463
interface=(server_settings["interface"]
2467
server_settings["priority"],
2492
tcp_server = MandosServer(
2493
(server_settings["address"], server_settings["port"]),
2495
interface=(server_settings["interface"] or None),
2497
gnutls_priority=server_settings["priority"],
2470
2500
if not foreground:
2471
2501
pidfilename = "/run/mandos.pid"
2472
2502
if not os.path.isdir("/run/."):
2473
2503
pidfilename = "/var/run/mandos.pid"
2476
pidfile = open(pidfilename, "w")
2506
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2477
2507
except IOError as e:
2478
2508
logger.error("Could not open file %r", pidfilename,
2506
2536
def debug_gnutls(level, string):
2507
2537
logger.debug("GnuTLS: %s", string[:-1])
2509
(gnutls.library.functions
2510
.gnutls_global_set_log_function(debug_gnutls))
2539
gnutls.library.functions.gnutls_global_set_log_function(
2512
2542
# Redirect stdin so all checkers get /dev/null
2513
2543
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2535
2565
bus_name = dbus.service.BusName("se.recompile.Mandos",
2536
bus, do_not_queue=True)
2537
old_bus_name = (dbus.service.BusName
2538
("se.bsnet.fukt.Mandos", bus,
2540
except dbus.exceptions.NameExistsException as e:
2568
old_bus_name = dbus.service.BusName(
2569
"se.bsnet.fukt.Mandos", bus,
2571
except dbus.exceptions.DBusException as e:
2541
2572
logger.error("Disabling D-Bus:", exc_info=e)
2542
2573
use_dbus = False
2543
2574
server_settings["use_dbus"] = False
2544
2575
tcp_server.use_dbus = False
2546
2577
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2547
service = AvahiServiceToSyslog(name =
2548
server_settings["servicename"],
2549
servicetype = "_mandos._tcp",
2550
protocol = protocol, bus = bus)
2578
service = AvahiServiceToSyslog(
2579
name = server_settings["servicename"],
2580
servicetype = "_mandos._tcp",
2581
protocol = protocol,
2551
2583
if server_settings["interface"]:
2552
service.interface = (if_nametoindex
2553
(server_settings["interface"]
2584
service.interface = if_nametoindex(
2585
server_settings["interface"].encode("utf-8"))
2556
2587
global multiprocessing_manager
2557
2588
multiprocessing_manager = multiprocessing.Manager()
2576
2607
if server_settings["restore"]:
2578
2609
with open(stored_state_path, "rb") as stored_state:
2579
clients_data, old_client_settings = (pickle.load
2610
clients_data, old_client_settings = pickle.load(
2581
2612
os.remove(stored_state_path)
2582
2613
except IOError as e:
2583
2614
if e.errno == errno.ENOENT:
2584
logger.warning("Could not load persistent state: {}"
2585
.format(os.strerror(e.errno)))
2615
logger.warning("Could not load persistent state:"
2616
" {}".format(os.strerror(e.errno)))
2587
2618
logger.critical("Could not load persistent state:",
2590
2621
except EOFError as e:
2591
2622
logger.warning("Could not load persistent state: "
2592
"EOFError:", exc_info=e)
2594
2626
with PGPEngine() as pgp:
2595
2627
for client_name, client in clients_data.items():
2624
2656
if not client["last_checked_ok"]:
2625
2657
logger.warning(
2626
2658
"disabling client {} - Client never "
2627
"performed a successful checker"
2628
.format(client_name))
2659
"performed a successful checker".format(
2629
2661
client["enabled"] = False
2630
2662
elif client["last_checker_status"] != 0:
2631
2663
logger.warning(
2632
2664
"disabling client {} - Client last"
2633
" checker failed with error code {}"
2634
.format(client_name,
2635
client["last_checker_status"]))
2665
" checker failed with error code"
2668
client["last_checker_status"]))
2636
2669
client["enabled"] = False
2638
client["expires"] = (datetime.datetime
2640
+ client["timeout"])
2671
client["expires"] = (
2672
datetime.datetime.utcnow()
2673
+ client["timeout"])
2641
2674
logger.debug("Last checker succeeded,"
2642
" keeping {} enabled"
2643
.format(client_name))
2675
" keeping {} enabled".format(
2645
client["secret"] = (
2646
pgp.decrypt(client["encrypted_secret"],
2647
client_settings[client_name]
2678
client["secret"] = pgp.decrypt(
2679
client["encrypted_secret"],
2680
client_settings[client_name]["secret"])
2649
2681
except PGPError:
2650
2682
# If decryption fails, we use secret from new settings
2651
logger.debug("Failed to decrypt {} old secret"
2652
.format(client_name))
2653
client["secret"] = (
2654
client_settings[client_name]["secret"])
2683
logger.debug("Failed to decrypt {} old secret".format(
2685
client["secret"] = (client_settings[client_name]
2656
2688
# Add/remove clients based on new changes made to config
2657
2689
for client_name in (set(old_client_settings)
2664
2696
# Create all client objects
2665
2697
for client_name, client in clients_data.items():
2666
2698
tcp_server.clients[client_name] = client_class(
2667
name = client_name, settings = client,
2668
2701
server_settings = server_settings)
2670
2703
if not tcp_server.clients:
2686
2719
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2689
@alternate_dbus_interfaces({"se.recompile.Mandos":
2690
"se.bsnet.fukt.Mandos"})
2723
@alternate_dbus_interfaces(
2724
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
2691
2725
class MandosDBusService(DBusObjectWithProperties):
2692
2726
"""A D-Bus proxy object"""
2693
2728
def __init__(self):
2694
2729
dbus.service.Object.__init__(self, bus, "/")
2695
2731
_interface = "se.recompile.Mandos"
2697
2733
@dbus_interface_annotations(_interface)
2698
2734
def _foo(self):
2699
return { "org.freedesktop.DBus.Property"
2700
".EmitsChangedSignal":
2736
"org.freedesktop.DBus.Property.EmitsChangedSignal":
2703
2739
@dbus.service.signal(_interface, signature="o")
2704
2740
def ClientAdded(self, objpath):
2775
2810
exclude = { "bus", "changedstate", "secret",
2776
2811
"checker", "server_settings" }
2777
for name, typ in (inspect.getmembers
2778
(dbus.service.Object)):
2812
for name, typ in inspect.getmembers(dbus.service
2779
2814
exclude.add(name)
2781
2816
client_dict["encrypted_secret"] = (client
2788
2823
del client_settings[client.name]["secret"]
2791
with (tempfile.NamedTemporaryFile
2792
(mode='wb', suffix=".pickle", prefix='clients-',
2793
dir=os.path.dirname(stored_state_path),
2794
delete=False)) as stored_state:
2826
with tempfile.NamedTemporaryFile(
2830
dir=os.path.dirname(stored_state_path),
2831
delete=False) as stored_state:
2795
2832
pickle.dump((clients, client_settings), stored_state)
2796
tempname=stored_state.name
2833
tempname = stored_state.name
2797
2834
os.rename(tempname, stored_state_path)
2798
2835
except (IOError, OSError) as e: