To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 780
- compare with another revision
- download diff
- download tarball
- view history from revision 780
- Committer: Teddy Hogeborn
- Date: 2015-08-02 09:36:40 UTC
- Revision ID: teddy@recompile.se-20150802093640-nc0n17rbmqlbaxuf
Add D-Bus annotations on a few properties on the Client object.
The D-Bus property "Secret" on the interface
"se.recompile.Mandos.Client" should have the annotation
"org.freedesktop.DBus.Property.EmitsChangedSignal" set to
"invalidates". Also, the properties "Created", "Fingerprint", "Name",
and "ObjectPath" should have the same annotation set to "const".
* mandos (ClientDBus.Name_dbus_property): Set annotation
"org.freedesktop.DBus.Property.EmitsChangedSignal"
to "const".
(ClientDBus.Fingerprint_dbus_property): - '' -
(ClientDBus.Created_dbus_property): - '' -
(ClientDBus.ObjectPath_dbus_property): - '' -
(ClientDBus.Secret_dbus_property): Set annotation
"org.freedesktop.DBus.Property.EmitsChangedSignal"
to "invalidates".
The D-Bus property "Secret" on the interface
"se.recompile.Mandos.Client" should have the annotation
"org.freedesktop.DBus.Property.EmitsChangedSignal" set to
"invalidates". Also, the properties "Created", "Fingerprint", "Name",
and "ObjectPath" should have the same annotation set to "const".
* mandos (ClientDBus.Name_dbus_property): Set annotation
"org.freedesktop.DBus.Property.EmitsChangedSignal"
to "const".
(ClientDBus.Fingerprint_dbus_property): - '' -
(ClientDBus.Created_dbus_property): - '' -
(ClientDBus.ObjectPath_dbus_property): - '' -
(ClientDBus.Secret_dbus_property): Set annotation
"org.freedesktop.DBus.Property.EmitsChangedSignal"
to "invalidates".
- files added:
- debian/mandos-client.examples
- debian/upstream
- network-hooks.d
- plugin-helpers
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
import SocketServer as socketserver
37
from future_builtins import *
38
39
try:
40
import SocketServer as socketserver
41
except ImportError:
42
import socketserver
38
43
import socket
39
44
import argparse
40
45
import datetime
45
50
import gnutls.library.functions
46
51
import gnutls.library.constants
47
52
import gnutls.library.types
48
import ConfigParser as configparser
53
try:
54
import ConfigParser as configparser
55
except ImportError:
56
import configparser
49
57
import sys
50
58
import re
51
59
import os
60
68
import struct
61
69
import fcntl
62
70
import functools
63
import cPickle as pickle
71
try:
72
import cPickle as pickle
73
except ImportError:
74
import pickle
64
75
import multiprocessing
65
76
import types
66
77
import binascii
67
78
import tempfile
79
import itertools
80
import collections
81
import codecs
68
82
69
83
import dbus
70
84
import dbus.service
71
import gobject
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
72
89
import avahi
73
90
from dbus.mainloop.glib import DBusGMainLoop
74
91
import ctypes
75
92
import ctypes.util
76
93
import xml.dom.minidom
77
94
import inspect
78
import GnuPGInterface
79
95
80
96
try:
81
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
85
101
except ImportError:
86
102
SO_BINDTODEVICE = None
87
103
104
if sys.version_info.major == 2:
105
str = unicode
88
106
89
version = "1.4.1"
107
version = "1.6.9"
90
108
stored_state_file = "clients.pickle"
91
109
92
110
logger = logging.getLogger()
93
syslogger = (logging.handlers.SysLogHandler
94
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
95
address = str("/dev/log")))
111
syslogger = None
96
112
97
113
try:
98
if_nametoindex = (ctypes.cdll.LoadLibrary
99
(ctypes.util.find_library("c"))
100
.if_nametoindex)
114
if_nametoindex = ctypes.cdll.LoadLibrary(
115
ctypes.util.find_library("c")).if_nametoindex
101
116
except (OSError, AttributeError):
117
102
118
def if_nametoindex(interface):
103
119
"Get an interface index the hard way, i.e. using fcntl()"
104
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
105
121
with contextlib.closing(socket.socket()) as s:
106
122
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
107
struct.pack(str("16s16x"),
108
interface))
109
interface_index = struct.unpack(str("I"),
110
ifreq[16:20])[0]
123
struct.pack(b"16s16x", interface))
124
interface_index = struct.unpack("I", ifreq[16:20])[0]
111
125
return interface_index
112
126
113
127
114
def initlogger(level=logging.WARNING):
128
def initlogger(debug, level=logging.WARNING):
115
129
"""init logger and add loglevel"""
116
130
131
global syslogger
132
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
117
135
syslogger.setFormatter(logging.Formatter
118
136
('Mandos [%(process)d]: %(levelname)s:'
119
137
' %(message)s'))
120
138
logger.addHandler(syslogger)
121
139
122
console = logging.StreamHandler()
123
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
124
' [%(process)d]:'
125
' %(levelname)s:'
126
' %(message)s'))
127
logger.addHandler(console)
140
if debug:
141
console = logging.StreamHandler()
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
143
' [%(process)d]:'
144
' %(levelname)s:'
145
' %(message)s'))
146
logger.addHandler(console)
128
147
logger.setLevel(level)
129
148
130
149
135
154
136
155
class PGPEngine(object):
137
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
138
158
def __init__(self):
139
self.gnupg = GnuPGInterface.GnuPG()
140
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
141
self.gnupg = GnuPGInterface.GnuPG()
142
self.gnupg.options.meta_interactive = False
143
self.gnupg.options.homedir = self.tempdir
144
self.gnupg.options.extra_args.extend(['--force-mdc',
145
'--quiet'])
160
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
162
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
146
165
147
166
def __enter__(self):
148
167
return self
149
168
150
def __exit__ (self, exc_type, exc_value, traceback):
169
def __exit__(self, exc_type, exc_value, traceback):
151
170
self._cleanup()
152
171
return False
153
172
170
189
def password_encode(self, password):
171
190
# Passphrase can not be empty and can not contain newlines or
172
191
# NUL bytes. So we prefix it and hex encode it.
173
return b"mandos" + binascii.hexlify(password)
192
encoded = b"mandos" + binascii.hexlify(password)
193
if len(encoded) > 2048:
194
# GnuPG can't handle long passwords, so encode differently
195
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
196
.replace(b"\n", b"\\n")
197
.replace(b"\0", b"\\x00"))
198
return encoded
174
199
175
200
def encrypt(self, data, password):
176
self.gnupg.passphrase = self.password_encode(password)
177
with open(os.devnull) as devnull:
178
try:
179
proc = self.gnupg.run(['--symmetric'],
180
create_fhs=['stdin', 'stdout'],
181
attach_fhs={'stderr': devnull})
182
with contextlib.closing(proc.handles['stdin']) as f:
183
f.write(data)
184
with contextlib.closing(proc.handles['stdout']) as f:
185
ciphertext = f.read()
186
proc.wait()
187
except IOError as e:
188
raise PGPError(e)
189
self.gnupg.passphrase = None
201
passphrase = self.password_encode(password)
202
with tempfile.NamedTemporaryFile(
203
dir=self.tempdir) as passfile:
204
passfile.write(passphrase)
205
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
207
'--passphrase-file',
208
passfile.name]
209
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
214
if proc.returncode != 0:
215
raise PGPError(err)
190
216
return ciphertext
191
217
192
218
def decrypt(self, data, password):
193
self.gnupg.passphrase = self.password_encode(password)
194
with open(os.devnull) as devnull:
195
try:
196
proc = self.gnupg.run(['--decrypt'],
197
create_fhs=['stdin', 'stdout'],
198
attach_fhs={'stderr': devnull})
199
with contextlib.closing(proc.handles['stdin'] ) as f:
200
f.write(data)
201
with contextlib.closing(proc.handles['stdout']) as f:
202
decrypted_plaintext = f.read()
203
proc.wait()
204
except IOError as e:
205
raise PGPError(e)
206
self.gnupg.passphrase = None
219
passphrase = self.password_encode(password)
220
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
222
passfile.write(passphrase)
223
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
225
'--passphrase-file',
226
passfile.name]
227
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
232
if proc.returncode != 0:
233
raise PGPError(err)
207
234
return decrypted_plaintext
208
235
209
236
210
211
237
class AvahiError(Exception):
212
238
def __init__(self, value, *args, **kwargs):
213
239
self.value = value
214
super(AvahiError, self).__init__(value, *args, **kwargs)
215
def __unicode__(self):
216
return unicode(repr(self.value))
240
return super(AvahiError, self).__init__(value, *args,
241
**kwargs)
242
217
243
218
244
class AvahiServiceError(AvahiError):
219
245
pass
220
246
247
221
248
class AvahiGroupError(AvahiError):
222
249
pass
223
250
230
257
Used to optionally bind to the specified interface.
231
258
name: string; Example: 'Mandos'
232
259
type: string; Example: '_mandos._tcp'.
233
See <http://www.dns-sd.org/ServiceTypes.html>
260
See <https://www.iana.org/assignments/service-names-port-numbers>
234
261
port: integer; what port to announce
235
262
TXT: list of strings; TXT record for the service
236
263
domain: string; Domain to publish on, default to .local if empty.
242
269
server: D-Bus Server
243
270
bus: dbus.SystemBus()
244
271
"""
245
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
246
servicetype = None, port = None, TXT = None,
247
domain = "", host = "", max_renames = 32768,
248
protocol = avahi.PROTO_UNSPEC, bus = None):
272
273
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
249
284
self.interface = interface
250
285
self.name = name
251
286
self.type = servicetype
260
295
self.server = None
261
296
self.bus = bus
262
297
self.entry_group_state_changed_match = None
263
def rename(self):
298
299
def rename(self, remove=True):
264
300
"""Derived from the Avahi example code"""
265
301
if self.rename_count >= self.max_renames:
266
302
logger.critical("No suitable Zeroconf service name found"
267
303
" after %i retries, exiting.",
268
304
self.rename_count)
269
305
raise AvahiServiceError("Too many renames")
270
self.name = unicode(self.server
271
.GetAlternativeServiceName(self.name))
306
self.name = str(
307
self.server.GetAlternativeServiceName(self.name))
308
self.rename_count += 1
272
309
logger.info("Changing Zeroconf service name to %r ...",
273
310
self.name)
274
self.remove()
311
if remove:
312
self.remove()
275
313
try:
276
314
self.add()
277
315
except dbus.exceptions.DBusException as error:
278
logger.critical("DBusException: %s", error)
279
self.cleanup()
280
os._exit(1)
281
self.rename_count += 1
316
if (error.get_dbus_name()
317
== "org.freedesktop.Avahi.CollisionError"):
318
logger.info("Local Zeroconf service name collision.")
319
return self.rename(remove=False)
320
else:
321
logger.critical("D-Bus Exception", exc_info=error)
322
self.cleanup()
323
os._exit(1)
324
282
325
def remove(self):
283
326
"""Derived from the Avahi example code"""
284
327
if self.entry_group_state_changed_match is not None:
286
329
self.entry_group_state_changed_match = None
287
330
if self.group is not None:
288
331
self.group.Reset()
332
289
333
def add(self):
290
334
"""Derived from the Avahi example code"""
291
335
self.remove()
308
352
dbus.UInt16(self.port),
309
353
avahi.string_array_to_txt_array(self.TXT))
310
354
self.group.Commit()
355
311
356
def entry_group_state_changed(self, state, error):
312
357
"""Derived from the Avahi example code"""
313
358
logger.debug("Avahi entry group state change: %i", state)
319
364
self.rename()
320
365
elif state == avahi.ENTRY_GROUP_FAILURE:
321
366
logger.critical("Avahi: Error in group state changed %s",
322
unicode(error))
323
raise AvahiGroupError("State changed: %s"
324
% unicode(error))
367
str(error))
368
raise AvahiGroupError("State changed: {!s}".format(error))
369
325
370
def cleanup(self):
326
371
"""Derived from the Avahi example code"""
327
372
if self.group is not None:
332
377
pass
333
378
self.group = None
334
379
self.remove()
380
335
381
def server_state_changed(self, state, error=None):
336
382
"""Derived from the Avahi example code"""
337
383
logger.debug("Avahi server state change: %i", state)
338
bad_states = { avahi.SERVER_INVALID:
339
"Zeroconf server invalid",
340
avahi.SERVER_REGISTERING: None,
341
avahi.SERVER_COLLISION:
342
"Zeroconf server name collision",
343
avahi.SERVER_FAILURE:
344
"Zeroconf server failure" }
384
bad_states = {
385
avahi.SERVER_INVALID: "Zeroconf server invalid",
386
avahi.SERVER_REGISTERING: None,
387
avahi.SERVER_COLLISION: "Zeroconf server name collision",
388
avahi.SERVER_FAILURE: "Zeroconf server failure",
389
}
345
390
if state in bad_states:
346
391
if bad_states[state] is not None:
347
392
if error is None:
350
395
logger.error(bad_states[state] + ": %r", error)
351
396
self.cleanup()
352
397
elif state == avahi.SERVER_RUNNING:
353
self.add()
398
try:
399
self.add()
400
except dbus.exceptions.DBusException as error:
401
if (error.get_dbus_name()
402
== "org.freedesktop.Avahi.CollisionError"):
403
logger.info("Local Zeroconf service name"
404
" collision.")
405
return self.rename(remove=False)
406
else:
407
logger.critical("D-Bus Exception", exc_info=error)
408
self.cleanup()
409
os._exit(1)
354
410
else:
355
411
if error is None:
356
412
logger.debug("Unknown state: %r", state)
357
413
else:
358
414
logger.debug("Unknown state: %r: %r", state, error)
415
359
416
def activate(self):
360
417
"""Derived from the Avahi example code"""
361
418
if self.server is None:
365
422
follow_name_owner_changes=True),
366
423
avahi.DBUS_INTERFACE_SERVER)
367
424
self.server.connect_to_signal("StateChanged",
368
self.server_state_changed)
425
self.server_state_changed)
369
426
self.server_state_changed(self.server.GetState())
370
427
428
371
429
class AvahiServiceToSyslog(AvahiService):
372
def rename(self):
430
def rename(self, *args, **kwargs):
373
431
"""Add the new name to the syslog messages"""
374
ret = AvahiService.rename(self)
375
syslogger.setFormatter(logging.Formatter
376
('Mandos (%s) [%%(process)d]:'
377
' %%(levelname)s: %%(message)s'
378
% self.name))
432
ret = AvahiService.rename(self, *args, **kwargs)
433
syslogger.setFormatter(logging.Formatter(
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
.format(self.name)))
379
436
return ret
380
437
381
def timedelta_to_milliseconds(td):
382
"Convert a datetime.timedelta() to milliseconds"
383
return ((td.days * 24 * 60 * 60 * 1000)
384
+ (td.seconds * 1000)
385
+ (td.microseconds // 1000))
386
438
def call_pipe(connection, # : multiprocessing.Connection
439
func, *args, **kwargs):
440
"""This function is meant to be called by multiprocessing.Process
441
442
This function runs func(*args, **kwargs), and writes the resulting
443
return value on the provided multiprocessing.Connection.
444
"""
445
connection.send(func(*args, **kwargs))
446
connection.close()
447
387
448
class Client(object):
388
449
"""A representation of a client host served by this server.
389
450
412
473
interval: datetime.timedelta(); How often to start a new checker
413
474
last_approval_request: datetime.datetime(); (UTC) or None
414
475
last_checked_ok: datetime.datetime(); (UTC) or None
415
416
476
last_checker_status: integer between 0 and 255 reflecting exit
417
477
status of last checker. -1 reflects crashed
418
checker, or None.
478
checker, -2 means no checker completed yet.
479
last_checker_signal: The signal which killed the last checker, if
480
last_checker_status is -1
419
481
last_enabled: datetime.datetime(); (UTC) or None
420
482
name: string; from the config file, used in log messages and
421
483
D-Bus identifiers
422
484
secret: bytestring; sent verbatim (over TLS) to client
423
485
timeout: datetime.timedelta(); How long from last_checked_ok
424
486
until this client is disabled
425
extended_timeout: extra long timeout when password has been sent
487
extended_timeout: extra long timeout when secret has been sent
426
488
runtime_expansions: Allowed attributes for runtime expansion.
427
489
expires: datetime.datetime(); time (UTC) when a client will be
428
490
disabled, or None
491
server_settings: The server_settings dict from main()
429
492
"""
430
493
431
494
runtime_expansions = ("approval_delay", "approval_duration",
432
"created", "enabled", "fingerprint",
433
"host", "interval", "last_checked_ok",
495
"created", "enabled", "expires",
496
"fingerprint", "host", "interval",
497
"last_approval_request", "last_checked_ok",
434
498
"last_enabled", "name", "timeout")
435
436
def timeout_milliseconds(self):
437
"Return the 'timeout' attribute in milliseconds"
438
return timedelta_to_milliseconds(self.timeout)
439
440
def extended_timeout_milliseconds(self):
441
"Return the 'extended_timeout' attribute in milliseconds"
442
return timedelta_to_milliseconds(self.extended_timeout)
443
444
def interval_milliseconds(self):
445
"Return the 'interval' attribute in milliseconds"
446
return timedelta_to_milliseconds(self.interval)
447
448
def approval_delay_milliseconds(self):
449
return timedelta_to_milliseconds(self.approval_delay)
450
451
def __init__(self, name = None, config=None):
452
"""Note: the 'checker' key in 'config' sets the
453
'checker_command' attribute and *not* the 'checker'
454
attribute."""
499
client_defaults = {
500
"timeout": "PT5M",
501
"extended_timeout": "PT15M",
502
"interval": "PT2M",
503
"checker": "fping -q -- %%(host)s",
504
"host": "",
505
"approval_delay": "PT0S",
506
"approval_duration": "PT1S",
507
"approved_by_default": "True",
508
"enabled": "True",
509
}
510
511
@staticmethod
512
def config_parser(config):
513
"""Construct a new dict of client settings of this form:
514
{ client_name: {setting_name: value, ...}, ...}
515
with exceptions for any special settings as defined above.
516
NOTE: Must be a pure function. Must return the same result
517
value given the same arguments.
518
"""
519
settings = {}
520
for client_name in config.sections():
521
section = dict(config.items(client_name))
522
client = settings[client_name] = {}
523
524
client["host"] = section["host"]
525
# Reformat values from string types to Python types
526
client["approved_by_default"] = config.getboolean(
527
client_name, "approved_by_default")
528
client["enabled"] = config.getboolean(client_name,
529
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
534
client["fingerprint"] = (section["fingerprint"].upper()
535
.replace(" ", ""))
536
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
538
elif "secfile" in section:
539
with open(os.path.expanduser(os.path.expandvars
540
(section["secfile"])),
541
"rb") as secfile:
542
client["secret"] = secfile.read()
543
else:
544
raise TypeError("No secret or secfile for section {}"
545
.format(section))
546
client["timeout"] = string_to_delta(section["timeout"])
547
client["extended_timeout"] = string_to_delta(
548
section["extended_timeout"])
549
client["interval"] = string_to_delta(section["interval"])
550
client["approval_delay"] = string_to_delta(
551
section["approval_delay"])
552
client["approval_duration"] = string_to_delta(
553
section["approval_duration"])
554
client["checker_command"] = section["checker"]
555
client["last_approval_request"] = None
556
client["last_checked_ok"] = None
557
client["last_checker_status"] = -2
558
559
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
455
562
self.name = name
456
if config is None:
457
config = {}
563
if server_settings is None:
564
server_settings = {}
565
self.server_settings = server_settings
566
# adding all client settings
567
for setting, value in settings.items():
568
setattr(self, setting, value)
569
570
if self.enabled:
571
if not hasattr(self, "last_enabled"):
572
self.last_enabled = datetime.datetime.utcnow()
573
if not hasattr(self, "expires"):
574
self.expires = (datetime.datetime.utcnow()
575
+ self.timeout)
576
else:
577
self.last_enabled = None
578
self.expires = None
579
458
580
logger.debug("Creating client %r", self.name)
459
# Uppercase and remove spaces from fingerprint for later
460
# comparison purposes with return value from the fingerprint()
461
# function
462
self.fingerprint = (config["fingerprint"].upper()
463
.replace(" ", ""))
464
581
logger.debug(" Fingerprint: %s", self.fingerprint)
465
if "secret" in config:
466
self.secret = config["secret"].decode("base64")
467
elif "secfile" in config:
468
with open(os.path.expanduser(os.path.expandvars
469
(config["secfile"])),
470
"rb") as secfile:
471
self.secret = secfile.read()
472
else:
473
raise TypeError("No secret or secfile for client %s"
474
% self.name)
475
self.host = config.get("host", "")
476
self.created = datetime.datetime.utcnow()
477
self.enabled = config.get("enabled", True)
478
self.last_approval_request = None
479
if self.enabled:
480
self.last_enabled = datetime.datetime.utcnow()
481
else:
482
self.last_enabled = None
483
self.last_checked_ok = None
484
self.last_checker_status = None
485
self.timeout = string_to_delta(config["timeout"])
486
self.extended_timeout = string_to_delta(config
487
["extended_timeout"])
488
self.interval = string_to_delta(config["interval"])
582
self.created = settings.get("created",
583
datetime.datetime.utcnow())
584
585
# attributes specific for this server instance
489
586
self.checker = None
490
587
self.checker_initiator_tag = None
491
588
self.disable_initiator_tag = None
492
if self.enabled:
493
self.expires = datetime.datetime.utcnow() + self.timeout
494
else:
495
self.expires = None
496
589
self.checker_callback_tag = None
497
self.checker_command = config["checker"]
498
590
self.current_checker_command = None
499
591
self.approved = None
500
self.approved_by_default = config.get("approved_by_default",
501
True)
502
592
self.approvals_pending = 0
503
self.approval_delay = string_to_delta(
504
config["approval_delay"])
505
self.approval_duration = string_to_delta(
506
config["approval_duration"])
507
self.changedstate = (multiprocessing_manager
508
.Condition(multiprocessing_manager
509
.Lock()))
510
self.client_structure = [attr for attr in
511
self.__dict__.iterkeys()
593
self.changedstate = multiprocessing_manager.Condition(
594
multiprocessing_manager.Lock())
595
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
512
597
if not attr.startswith("_")]
513
598
self.client_structure.append("client_structure")
514
599
515
for name, t in inspect.getmembers(type(self),
516
lambda obj:
517
isinstance(obj,
518
property)):
600
for name, t in inspect.getmembers(
601
type(self), lambda obj: isinstance(obj, property)):
519
602
if not name.startswith("_"):
520
603
self.client_structure.append(name)
521
604
529
612
if getattr(self, "enabled", False):
530
613
# Already enabled
531
614
return
532
self.send_changedstate()
533
615
self.expires = datetime.datetime.utcnow() + self.timeout
534
616
self.enabled = True
535
617
self.last_enabled = datetime.datetime.utcnow()
536
618
self.init_checker()
619
self.send_changedstate()
537
620
538
621
def disable(self, quiet=True):
539
622
"""Disable this client."""
540
623
if not getattr(self, "enabled", False):
541
624
return False
542
625
if not quiet:
543
self.send_changedstate()
544
if not quiet:
545
626
logger.info("Disabling client %s", self.name)
546
if getattr(self, "disable_initiator_tag", False):
627
if getattr(self, "disable_initiator_tag", None) is not None:
547
628
gobject.source_remove(self.disable_initiator_tag)
548
629
self.disable_initiator_tag = None
549
630
self.expires = None
550
if getattr(self, "checker_initiator_tag", False):
631
if getattr(self, "checker_initiator_tag", None) is not None:
551
632
gobject.source_remove(self.checker_initiator_tag)
552
633
self.checker_initiator_tag = None
553
634
self.stop_checker()
554
635
self.enabled = False
636
if not quiet:
637
self.send_changedstate()
555
638
# Do not run this again if called by a gobject.timeout_add
556
639
return False
557
640
561
644
def init_checker(self):
562
645
# Schedule a new checker to be started an 'interval' from now,
563
646
# and every interval from then on.
564
self.checker_initiator_tag = (gobject.timeout_add
565
(self.interval_milliseconds(),
566
self.start_checker))
647
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
651
self.start_checker)
567
652
# Schedule a disable() when 'timeout' has passed
568
self.disable_initiator_tag = (gobject.timeout_add
569
(self.timeout_milliseconds(),
570
self.disable))
653
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
656
int(self.timeout.total_seconds() * 1000), self.disable)
571
657
# Also start a new checker *right now*.
572
658
self.start_checker()
573
659
574
def checker_callback(self, pid, condition, command):
660
def checker_callback(self, source, condition, connection,
661
command):
575
662
"""The checker has completed, so take appropriate actions."""
576
663
self.checker_callback_tag = None
577
664
self.checker = None
578
if os.WIFEXITED(condition):
579
self.last_checker_status = os.WEXITSTATUS(condition)
665
# Read return code from connection (see call_pipe)
666
returncode = connection.recv()
667
connection.close()
668
669
if returncode >= 0:
670
self.last_checker_status = returncode
671
self.last_checker_signal = None
580
672
if self.last_checker_status == 0:
581
673
logger.info("Checker for %(name)s succeeded",
582
674
vars(self))
583
675
self.checked_ok()
584
676
else:
585
logger.info("Checker for %(name)s failed",
586
vars(self))
677
logger.info("Checker for %(name)s failed", vars(self))
587
678
else:
588
679
self.last_checker_status = -1
680
self.last_checker_signal = -returncode
589
681
logger.warning("Checker for %(name)s crashed?",
590
682
vars(self))
591
592
def checked_ok(self, timeout=None):
593
"""Bump up the timeout for this client.
594
595
This should only be called when the client has been seen,
596
alive and well.
597
"""
683
return False
684
685
def checked_ok(self):
686
"""Assert that the client has been seen, alive and well."""
687
self.last_checked_ok = datetime.datetime.utcnow()
688
self.last_checker_status = 0
689
self.last_checker_signal = None
690
self.bump_timeout()
691
692
def bump_timeout(self, timeout=None):
693
"""Bump up the timeout for this client."""
598
694
if timeout is None:
599
695
timeout = self.timeout
600
self.last_checked_ok = datetime.datetime.utcnow()
601
696
if self.disable_initiator_tag is not None:
602
697
gobject.source_remove(self.disable_initiator_tag)
698
self.disable_initiator_tag = None
603
699
if getattr(self, "enabled", False):
604
self.disable_initiator_tag = (gobject.timeout_add
605
(timedelta_to_milliseconds
606
(timeout), self.disable))
700
self.disable_initiator_tag = gobject.timeout_add(
701
int(timeout.total_seconds() * 1000), self.disable)
607
702
self.expires = datetime.datetime.utcnow() + timeout
608
703
609
704
def need_approval(self):
615
710
If a checker already exists, leave it running and do
616
711
nothing."""
617
712
# The reason for not killing a running checker is that if we
618
# did that, then if a checker (for some reason) started
619
# running slowly and taking more than 'interval' time, the
620
# client would inevitably timeout, since no checker would get
621
# a chance to run to completion. If we instead leave running
713
# did that, and if a checker (for some reason) started running
714
# slowly and taking more than 'interval' time, then the client
715
# would inevitably timeout, since no checker would get a
716
# chance to run to completion. If we instead leave running
622
717
# checkers alone, the checker would have to take more time
623
718
# than 'timeout' for the client to be disabled, which is as it
624
719
# should be.
625
720
626
# If a checker exists, make sure it is not a zombie
627
try:
628
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
629
except (AttributeError, OSError) as error:
630
if (isinstance(error, OSError)
631
and error.errno != errno.ECHILD):
632
raise error
633
else:
634
if pid:
635
logger.warning("Checker was a zombie")
636
gobject.source_remove(self.checker_callback_tag)
637
self.checker_callback(pid, status,
638
self.current_checker_command)
721
if self.checker is not None and not self.checker.is_alive():
722
logger.warning("Checker was not alive; joining")
723
self.checker.join()
724
self.checker = None
639
725
# Start a new checker if needed
640
726
if self.checker is None:
727
# Escape attributes for the shell
728
escaped_attrs = {
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
641
731
try:
642
# In case checker_command has exactly one % operator
643
command = self.checker_command % self.host
644
except TypeError:
645
# Escape attributes for the shell
646
escaped_attrs = dict(
647
(attr,
648
re.escape(unicode(str(getattr(self, attr, "")),
649
errors=
650
'replace')))
651
for attr in
652
self.runtime_expansions)
653
654
try:
655
command = self.checker_command % escaped_attrs
656
except TypeError as error:
657
logger.error('Could not format string "%s":'
658
' %s', self.checker_command, error)
659
return True # Try again later
732
command = self.checker_command % escaped_attrs
733
except TypeError as error:
734
logger.error('Could not format string "%s"',
735
self.checker_command,
736
exc_info=error)
737
return True # Try again later
660
738
self.current_checker_command = command
661
try:
662
logger.info("Starting checker %r for %s",
663
command, self.name)
664
# We don't need to redirect stdout and stderr, since
665
# in normal mode, that is already done by daemon(),
666
# and in debug mode we don't want to. (Stdin is
667
# always replaced by /dev/null.)
668
self.checker = subprocess.Popen(command,
669
close_fds=True,
670
shell=True, cwd="/")
671
self.checker_callback_tag = (gobject.child_watch_add
672
(self.checker.pid,
673
self.checker_callback,
674
data=command))
675
# The checker may have completed before the gobject
676
# watch was added. Check for this.
677
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
678
if pid:
679
gobject.source_remove(self.checker_callback_tag)
680
self.checker_callback(pid, status, command)
681
except OSError as error:
682
logger.error("Failed to start subprocess: %s",
683
error)
739
logger.info("Starting checker %r for %s", command,
740
self.name)
741
# We don't need to redirect stdout and stderr, since
742
# in normal mode, that is already done by daemon(),
743
# and in debug mode we don't want to. (Stdin is
744
# always replaced by /dev/null.)
745
# The exception is when not debugging but nevertheless
746
# running in the foreground; use the previously
747
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
751
if (not self.server_settings["debug"]
752
and self.server_settings["foreground"]):
753
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
756
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
760
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
763
self.checker_callback, pipe[0], command)
684
764
# Re-run this periodically if run by gobject.timeout_add
685
765
return True
686
766
692
772
if getattr(self, "checker", None) is None:
693
773
return
694
774
logger.debug("Stopping checker for %(name)s", vars(self))
695
try:
696
os.kill(self.checker.pid, signal.SIGTERM)
697
#time.sleep(0.5)
698
#if self.checker.poll() is None:
699
# os.kill(self.checker.pid, signal.SIGKILL)
700
except OSError as error:
701
if error.errno != errno.ESRCH: # No such process
702
raise
775
self.checker.terminate()
703
776
self.checker = None
704
777
705
778
706
def dbus_service_property(dbus_interface, signature="v",
707
access="readwrite", byte_arrays=False):
779
def dbus_service_property(dbus_interface,
780
signature="v",
781
access="readwrite",
782
byte_arrays=False):
708
783
"""Decorators for marking methods of a DBusObjectWithProperties to
709
784
become properties on the D-Bus.
710
785
719
794
# "Set" method, so we fail early here:
720
795
if byte_arrays and signature != "ay":
721
796
raise ValueError("Byte arrays not supported for non-'ay'"
722
" signature %r" % signature)
797
" signature {!r}".format(signature))
798
723
799
def decorator(func):
724
800
func._dbus_is_property = True
725
801
func._dbus_interface = dbus_interface
730
806
func._dbus_name = func._dbus_name[:-14]
731
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
732
808
return func
809
810
return decorator
811
812
813
def dbus_interface_annotations(dbus_interface):
814
"""Decorator for marking functions returning interface annotations
815
816
Usage:
817
818
@dbus_interface_annotations("org.example.Interface")
819
def _foo(self): # Function name does not matter
820
return {"org.freedesktop.DBus.Deprecated": "true",
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
"false"}
823
"""
824
825
def decorator(func):
826
func._dbus_is_interface = True
827
func._dbus_interface = dbus_interface
828
func._dbus_name = dbus_interface
829
return func
830
831
return decorator
832
833
834
def dbus_annotations(annotations):
835
"""Decorator to annotate D-Bus methods, signals or properties
836
Usage:
837
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
"org.freedesktop.DBus.Property."
840
"EmitsChangedSignal": "false"})
841
@dbus_service_property("org.example.Interface", signature="b",
842
access="r")
843
def Property_dbus_property(self):
844
return dbus.Boolean(False)
845
"""
846
847
def decorator(func):
848
func._dbus_annotations = annotations
849
return func
850
733
851
return decorator
734
852
735
853
736
854
class DBusPropertyException(dbus.exceptions.DBusException):
737
855
"""A base class for D-Bus property-related exceptions
738
856
"""
739
def __unicode__(self):
740
return unicode(str(self))
857
pass
741
858
742
859
743
860
class DBusPropertyAccessException(DBusPropertyException):
761
878
"""
762
879
763
880
@staticmethod
764
def _is_dbus_property(obj):
765
return getattr(obj, "_dbus_is_property", False)
881
def _is_dbus_thing(thing):
882
"""Returns a function testing if an attribute is a D-Bus thing
883
884
If called like _is_dbus_thing("method") it returns a function
885
suitable for use as predicate to inspect.getmembers().
886
"""
887
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
888
False)
766
889
767
def _get_all_dbus_properties(self):
890
def _get_all_dbus_things(self, thing):
768
891
"""Returns a generator of (name, attribute) pairs
769
892
"""
770
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
893
return ((getattr(athing.__get__(self), "_dbus_name", name),
894
athing.__get__(self))
771
895
for cls in self.__class__.__mro__
772
for name, prop in
773
inspect.getmembers(cls, self._is_dbus_property))
896
for name, athing in
897
inspect.getmembers(cls, self._is_dbus_thing(thing)))
774
898
775
899
def _get_dbus_property(self, interface_name, property_name):
776
900
"""Returns a bound method if one exists which is a D-Bus
777
901
property with the specified name and interface.
778
902
"""
779
for cls in self.__class__.__mro__:
780
for name, value in (inspect.getmembers
781
(cls, self._is_dbus_property)):
903
for cls in self.__class__.__mro__:
904
for name, value in inspect.getmembers(
905
cls, self._is_dbus_thing("property")):
782
906
if (value._dbus_name == property_name
783
907
and value._dbus_interface == interface_name):
784
908
return value.__get__(self)
785
909
786
910
# No such property
787
raise DBusPropertyNotFound(self.dbus_object_path + ":"
788
+ interface_name + "."
789
+ property_name)
911
raise DBusPropertyNotFound("{}:{}.{}".format(
912
self.dbus_object_path, interface_name, property_name))
790
913
791
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
914
@dbus.service.method(dbus.PROPERTIES_IFACE,
915
in_signature="ss",
792
916
out_signature="v")
793
917
def Get(self, interface_name, property_name):
794
918
"""Standard D-Bus property Get() method, see D-Bus standard.
812
936
# The byte_arrays option is not supported yet on
813
937
# signatures other than "ay".
814
938
if prop._dbus_signature != "ay":
815
raise ValueError
816
value = dbus.ByteArray(''.join(unichr(byte)
817
for byte in value))
939
raise ValueError("Byte arrays not supported for non-"
940
"'ay' signature {!r}"
941
.format(prop._dbus_signature))
942
value = dbus.ByteArray(b''.join(chr(byte)
943
for byte in value))
818
944
prop(value)
819
945
820
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
946
@dbus.service.method(dbus.PROPERTIES_IFACE,
947
in_signature="s",
821
948
out_signature="a{sv}")
822
949
def GetAll(self, interface_name):
823
950
"""Standard D-Bus property GetAll() method, see D-Bus
826
953
Note: Will not include properties with access="write".
827
954
"""
828
955
properties = {}
829
for name, prop in self._get_all_dbus_properties():
956
for name, prop in self._get_all_dbus_things("property"):
830
957
if (interface_name
831
958
and interface_name != prop._dbus_interface):
832
959
# Interface non-empty but did not match
838
965
if not hasattr(value, "variant_level"):
839
966
properties[name] = value
840
967
continue
841
properties[name] = type(value)(value, variant_level=
842
value.variant_level+1)
968
properties[name] = type(value)(
969
value, variant_level = value.variant_level + 1)
843
970
return dbus.Dictionary(properties, signature="sv")
844
971
972
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
973
def PropertiesChanged(self, interface_name, changed_properties,
974
invalidated_properties):
975
"""Standard D-Bus PropertiesChanged() signal, see D-Bus
976
standard.
977
"""
978
pass
979
845
980
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
846
981
out_signature="s",
847
982
path_keyword='object_path',
848
983
connection_keyword='connection')
849
984
def Introspect(self, object_path, connection):
850
"""Standard D-Bus method, overloaded to insert property tags.
985
"""Overloading of standard D-Bus method.
986
987
Inserts property tags and interface annotation tags.
851
988
"""
852
989
xmlstring = dbus.service.Object.Introspect(self, object_path,
853
990
connection)
854
991
try:
855
992
document = xml.dom.minidom.parseString(xmlstring)
993
856
994
def make_tag(document, name, prop):
857
995
e = document.createElement("property")
858
996
e.setAttribute("name", name)
859
997
e.setAttribute("type", prop._dbus_signature)
860
998
e.setAttribute("access", prop._dbus_access)
861
999
return e
1000
862
1001
for if_tag in document.getElementsByTagName("interface"):
1002
# Add property tags
863
1003
for tag in (make_tag(document, name, prop)
864
1004
for name, prop
865
in self._get_all_dbus_properties()
1005
in self._get_all_dbus_things("property")
866
1006
if prop._dbus_interface
867
1007
== if_tag.getAttribute("name")):
868
1008
if_tag.appendChild(tag)
1009
# Add annotation tags
1010
for typ in ("method", "signal", "property"):
1011
for tag in if_tag.getElementsByTagName(typ):
1012
annots = dict()
1013
for name, prop in (self.
1014
_get_all_dbus_things(typ)):
1015
if (name == tag.getAttribute("name")
1016
and prop._dbus_interface
1017
== if_tag.getAttribute("name")):
1018
annots.update(getattr(
1019
prop, "_dbus_annotations", {}))
1020
for name, value in annots.items():
1021
ann_tag = document.createElement(
1022
"annotation")
1023
ann_tag.setAttribute("name", name)
1024
ann_tag.setAttribute("value", value)
1025
tag.appendChild(ann_tag)
1026
# Add interface annotation tags
1027
for annotation, value in dict(
1028
itertools.chain.from_iterable(
1029
annotations().items()
1030
for name, annotations
1031
in self._get_all_dbus_things("interface")
1032
if name == if_tag.getAttribute("name")
1033
)).items():
1034
ann_tag = document.createElement("annotation")
1035
ann_tag.setAttribute("name", annotation)
1036
ann_tag.setAttribute("value", value)
1037
if_tag.appendChild(ann_tag)
869
1038
# Add the names to the return values for the
870
1039
# "org.freedesktop.DBus.Properties" methods
871
1040
if (if_tag.getAttribute("name")
886
1055
except (AttributeError, xml.dom.DOMException,
887
1056
xml.parsers.expat.ExpatError) as error:
888
1057
logger.error("Failed to override Introspection method",
889
error)
1058
exc_info=error)
890
1059
return xmlstring
891
1060
892
1061
893
def datetime_to_dbus (dt, variant_level=0):
1062
def datetime_to_dbus(dt, variant_level=0):
894
1063
"""Convert a UTC datetime.datetime() to a D-Bus type."""
895
1064
if dt is None:
896
1065
return dbus.String("", variant_level = variant_level)
897
return dbus.String(dt.isoformat(),
898
variant_level=variant_level)
899
900
901
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
902
.__metaclass__):
903
"""Applied to an empty subclass of a D-Bus object, this metaclass
904
will add additional D-Bus attributes matching a certain pattern.
1066
return dbus.String(dt.isoformat(), variant_level=variant_level)
1067
1068
1069
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1070
"""A class decorator; applied to a subclass of
1071
dbus.service.Object, it will add alternate D-Bus attributes with
1072
interface names according to the "alt_interface_names" mapping.
1073
Usage:
1074
1075
@alternate_dbus_interfaces({"org.example.Interface":
1076
"net.example.AlternateInterface"})
1077
class SampleDBusObject(dbus.service.Object):
1078
@dbus.service.method("org.example.Interface")
1079
def SampleDBusMethod():
1080
pass
1081
1082
The above "SampleDBusMethod" on "SampleDBusObject" will be
1083
reachable via two interfaces: "org.example.Interface" and
1084
"net.example.AlternateInterface", the latter of which will have
1085
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1086
"true", unless "deprecate" is passed with a False value.
1087
1088
This works for methods and signals, and also for D-Bus properties
1089
(from DBusObjectWithProperties) and interfaces (from the
1090
dbus_interface_annotations decorator).
905
1091
"""
906
def __new__(mcs, name, bases, attr):
907
# Go through all the base classes which could have D-Bus
908
# methods, signals, or properties in them
909
for base in (b for b in bases
910
if issubclass(b, dbus.service.Object)):
911
# Go though all attributes of the base class
912
for attrname, attribute in inspect.getmembers(base):
1092
1093
def wrapper(cls):
1094
for orig_interface_name, alt_interface_name in (
1095
alt_interface_names.items()):
1096
attr = {}
1097
interface_names = set()
1098
# Go though all attributes of the class
1099
for attrname, attribute in inspect.getmembers(cls):
913
1100
# Ignore non-D-Bus attributes, and D-Bus attributes
914
1101
# with the wrong interface name
915
1102
if (not hasattr(attribute, "_dbus_interface")
916
or not attribute._dbus_interface
917
.startswith("se.recompile.Mandos")):
1103
or not attribute._dbus_interface.startswith(
1104
orig_interface_name)):
918
1105
continue
919
1106
# Create an alternate D-Bus interface name based on
920
1107
# the current name
921
alt_interface = (attribute._dbus_interface
922
.replace("se.recompile.Mandos",
923
"se.bsnet.fukt.Mandos"))
1108
alt_interface = attribute._dbus_interface.replace(
1109
orig_interface_name, alt_interface_name)
1110
interface_names.add(alt_interface)
924
1111
# Is this a D-Bus signal?
925
1112
if getattr(attribute, "_dbus_is_signal", False):
926
# Extract the original non-method function by
927
# black magic
928
nonmethod_func = (dict(
1113
if sys.version_info.major == 2:
1114
# Extract the original non-method undecorated
1115
# function by black magic
1116
nonmethod_func = (dict(
929
1117
zip(attribute.func_code.co_freevars,
930
attribute.__closure__))["func"]
931
.cell_contents)
1118
attribute.__closure__))
1119
["func"].cell_contents)
1120
else:
1121
nonmethod_func = attribute
932
1122
# Create a new, but exactly alike, function
933
1123
# object, and decorate it to be a new D-Bus signal
934
1124
# with the alternate D-Bus interface name
935
new_function = (dbus.service.signal
936
(alt_interface,
937
attribute._dbus_signature)
938
(types.FunctionType(
939
nonmethod_func.func_code,
940
nonmethod_func.func_globals,
941
nonmethod_func.func_name,
942
nonmethod_func.func_defaults,
943
nonmethod_func.func_closure)))
1125
if sys.version_info.major == 2:
1126
new_function = types.FunctionType(
1127
nonmethod_func.func_code,
1128
nonmethod_func.func_globals,
1129
nonmethod_func.func_name,
1130
nonmethod_func.func_defaults,
1131
nonmethod_func.func_closure)
1132
else:
1133
new_function = types.FunctionType(
1134
nonmethod_func.__code__,
1135
nonmethod_func.__globals__,
1136
nonmethod_func.__name__,
1137
nonmethod_func.__defaults__,
1138
nonmethod_func.__closure__)
1139
new_function = (dbus.service.signal(
1140
alt_interface,
1141
attribute._dbus_signature)(new_function))
1142
# Copy annotations, if any
1143
try:
1144
new_function._dbus_annotations = dict(
1145
attribute._dbus_annotations)
1146
except AttributeError:
1147
pass
944
1148
# Define a creator of a function to call both the
945
# old and new functions, so both the old and new
946
# signals gets sent when the function is called
1149
# original and alternate functions, so both the
1150
# original and alternate signals gets sent when
1151
# the function is called
947
1152
def fixscope(func1, func2):
948
1153
"""This function is a scope container to pass
949
1154
func1 and func2 to the "call_both" function
950
1155
outside of its arguments"""
1156
951
1157
def call_both(*args, **kwargs):
952
1158
"""This function will emit two D-Bus
953
1159
signals by calling func1 and func2"""
954
1160
func1(*args, **kwargs)
955
1161
func2(*args, **kwargs)
1162
956
1163
return call_both
957
1164
# Create the "call_both" function and add it to
958
1165
# the class
959
attr[attrname] = fixscope(attribute,
960
new_function)
1166
attr[attrname] = fixscope(attribute, new_function)
961
1167
# Is this a D-Bus method?
962
1168
elif getattr(attribute, "_dbus_is_method", False):
963
1169
# Create a new, but exactly alike, function
964
1170
# object. Decorate it to be a new D-Bus method
965
1171
# with the alternate D-Bus interface name. Add it
966
1172
# to the class.
967
attr[attrname] = (dbus.service.method
968
(alt_interface,
969
attribute._dbus_in_signature,
970
attribute._dbus_out_signature)
971
(types.FunctionType
972
(attribute.func_code,
973
attribute.func_globals,
974
attribute.func_name,
975
attribute.func_defaults,
976
attribute.func_closure)))
1173
attr[attrname] = (
1174
dbus.service.method(
1175
alt_interface,
1176
attribute._dbus_in_signature,
1177
attribute._dbus_out_signature)
1178
(types.FunctionType(attribute.func_code,
1179
attribute.func_globals,
1180
attribute.func_name,
1181
attribute.func_defaults,
1182
attribute.func_closure)))
1183
# Copy annotations, if any
1184
try:
1185
attr[attrname]._dbus_annotations = dict(
1186
attribute._dbus_annotations)
1187
except AttributeError:
1188
pass
977
1189
# Is this a D-Bus property?
978
1190
elif getattr(attribute, "_dbus_is_property", False):
979
1191
# Create a new, but exactly alike, function
980
1192
# object, and decorate it to be a new D-Bus
981
1193
# property with the alternate D-Bus interface
982
1194
# name. Add it to the class.
983
attr[attrname] = (dbus_service_property
984
(alt_interface,
985
attribute._dbus_signature,
986
attribute._dbus_access,
987
attribute
988
._dbus_get_args_options
989
["byte_arrays"])
990
(types.FunctionType
991
(attribute.func_code,
992
attribute.func_globals,
993
attribute.func_name,
994
attribute.func_defaults,
995
attribute.func_closure)))
996
return type.__new__(mcs, name, bases, attr)
997
998
1195
attr[attrname] = (dbus_service_property(
1196
alt_interface, attribute._dbus_signature,
1197
attribute._dbus_access,
1198
attribute._dbus_get_args_options
1199
["byte_arrays"])
1200
(types.FunctionType(
1201
attribute.func_code,
1202
attribute.func_globals,
1203
attribute.func_name,
1204
attribute.func_defaults,
1205
attribute.func_closure)))
1206
# Copy annotations, if any
1207
try:
1208
attr[attrname]._dbus_annotations = dict(
1209
attribute._dbus_annotations)
1210
except AttributeError:
1211
pass
1212
# Is this a D-Bus interface?
1213
elif getattr(attribute, "_dbus_is_interface", False):
1214
# Create a new, but exactly alike, function
1215
# object. Decorate it to be a new D-Bus interface
1216
# with the alternate D-Bus interface name. Add it
1217
# to the class.
1218
attr[attrname] = (
1219
dbus_interface_annotations(alt_interface)
1220
(types.FunctionType(attribute.func_code,
1221
attribute.func_globals,
1222
attribute.func_name,
1223
attribute.func_defaults,
1224
attribute.func_closure)))
1225
if deprecate:
1226
# Deprecate all alternate interfaces
1227
iname="_AlternateDBusNames_interface_annotation{}"
1228
for interface_name in interface_names:
1229
1230
@dbus_interface_annotations(interface_name)
1231
def func(self):
1232
return { "org.freedesktop.DBus.Deprecated":
1233
"true" }
1234
# Find an unused name
1235
for aname in (iname.format(i)
1236
for i in itertools.count()):
1237
if aname not in attr:
1238
attr[aname] = func
1239
break
1240
if interface_names:
1241
# Replace the class with a new subclass of it with
1242
# methods, signals, etc. as created above.
1243
cls = type(b"{}Alternate".format(cls.__name__),
1244
(cls, ), attr)
1245
return cls
1246
1247
return wrapper
1248
1249
1250
@alternate_dbus_interfaces({"se.recompile.Mandos":
1251
"se.bsnet.fukt.Mandos"})
999
1252
class ClientDBus(Client, DBusObjectWithProperties):
1000
1253
"""A Client class using D-Bus
1001
1254
1005
1258
"""
1006
1259
1007
1260
runtime_expansions = (Client.runtime_expansions
1008
+ ("dbus_object_path",))
1261
+ ("dbus_object_path", ))
1262
1263
_interface = "se.recompile.Mandos.Client"
1009
1264
1010
1265
# dbus.service.Object doesn't use super(), so we can't either.
1011
1266
1012
1267
def __init__(self, bus = None, *args, **kwargs):
1013
1268
self.bus = bus
1014
1269
Client.__init__(self, *args, **kwargs)
1015
1016
self._approvals_pending = 0
1017
1270
# Only now, when this client is initialized, can it show up on
1018
1271
# the D-Bus
1019
client_object_name = unicode(self.name).translate(
1272
client_object_name = str(self.name).translate(
1020
1273
{ord("."): ord("_"),
1021
1274
ord("-"): ord("_")})
1022
self.dbus_object_path = (dbus.ObjectPath
1023
("/clients/" + client_object_name))
1275
self.dbus_object_path = dbus.ObjectPath(
1276
"/clients/" + client_object_name)
1024
1277
DBusObjectWithProperties.__init__(self, self.bus,
1025
1278
self.dbus_object_path)
1026
1027
def notifychangeproperty(transform_func,
1028
dbus_name, type_func=lambda x: x,
1029
variant_level=1):
1279
1280
def notifychangeproperty(transform_func, dbus_name,
1281
type_func=lambda x: x,
1282
variant_level=1,
1283
invalidate_only=False,
1284
_interface=_interface):
1030
1285
""" Modify a variable so that it's a property which announces
1031
1286
its changes to DBus.
1032
1287
1037
1292
to the D-Bus. Default: no transform
1038
1293
variant_level: D-Bus variant level. Default: 1
1039
1294
"""
1040
attrname = "_{0}".format(dbus_name)
1295
attrname = "_{}".format(dbus_name)
1296
1041
1297
def setter(self, value):
1042
1298
if hasattr(self, "dbus_object_path"):
1043
1299
if (not hasattr(self, attrname) or
1044
1300
type_func(getattr(self, attrname, None))
1045
1301
!= type_func(value)):
1046
dbus_value = transform_func(type_func(value),
1047
variant_level
1048
=variant_level)
1049
self.PropertyChanged(dbus.String(dbus_name),
1050
dbus_value)
1302
if invalidate_only:
1303
self.PropertiesChanged(
1304
_interface, dbus.Dictionary(),
1305
dbus.Array((dbus_name, )))
1306
else:
1307
dbus_value = transform_func(
1308
type_func(value),
1309
variant_level = variant_level)
1310
self.PropertyChanged(dbus.String(dbus_name),
1311
dbus_value)
1312
self.PropertiesChanged(
1313
_interface,
1314
dbus.Dictionary({ dbus.String(dbus_name):
1315
dbus_value }),
1316
dbus.Array())
1051
1317
setattr(self, attrname, value)
1052
1318
1053
1319
return property(lambda self: getattr(self, attrname), setter)
1054
1320
1055
1056
1321
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1057
1322
approvals_pending = notifychangeproperty(dbus.Boolean,
1058
1323
"ApprovalPending",
1060
1325
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1061
1326
last_enabled = notifychangeproperty(datetime_to_dbus,
1062
1327
"LastEnabled")
1063
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1064
type_func = lambda checker:
1065
checker is not None)
1328
checker = notifychangeproperty(
1329
dbus.Boolean, "CheckerRunning",
1330
type_func = lambda checker: checker is not None)
1066
1331
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1067
1332
"LastCheckedOK")
1333
last_checker_status = notifychangeproperty(dbus.Int16,
1334
"LastCheckerStatus")
1068
1335
last_approval_request = notifychangeproperty(
1069
1336
datetime_to_dbus, "LastApprovalRequest")
1070
1337
approved_by_default = notifychangeproperty(dbus.Boolean,
1071
1338
"ApprovedByDefault")
1072
approval_delay = notifychangeproperty(dbus.UInt16,
1073
"ApprovalDelay",
1074
type_func =
1075
timedelta_to_milliseconds)
1339
approval_delay = notifychangeproperty(
1340
dbus.UInt64, "ApprovalDelay",
1341
type_func = lambda td: td.total_seconds() * 1000)
1076
1342
approval_duration = notifychangeproperty(
1077
dbus.UInt16, "ApprovalDuration",
1078
type_func = timedelta_to_milliseconds)
1343
dbus.UInt64, "ApprovalDuration",
1344
type_func = lambda td: td.total_seconds() * 1000)
1079
1345
host = notifychangeproperty(dbus.String, "Host")
1080
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1081
type_func =
1082
timedelta_to_milliseconds)
1346
timeout = notifychangeproperty(
1347
dbus.UInt64, "Timeout",
1348
type_func = lambda td: td.total_seconds() * 1000)
1083
1349
extended_timeout = notifychangeproperty(
1084
dbus.UInt16, "ExtendedTimeout",
1085
type_func = timedelta_to_milliseconds)
1086
interval = notifychangeproperty(dbus.UInt16,
1087
"Interval",
1088
type_func =
1089
timedelta_to_milliseconds)
1350
dbus.UInt64, "ExtendedTimeout",
1351
type_func = lambda td: td.total_seconds() * 1000)
1352
interval = notifychangeproperty(
1353
dbus.UInt64, "Interval",
1354
type_func = lambda td: td.total_seconds() * 1000)
1090
1355
checker_command = notifychangeproperty(dbus.String, "Checker")
1356
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1357
invalidate_only=True)
1091
1358
1092
1359
del notifychangeproperty
1093
1360
1100
1367
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1101
1368
Client.__del__(self, *args, **kwargs)
1102
1369
1103
def checker_callback(self, pid, condition, command,
1104
*args, **kwargs):
1105
self.checker_callback_tag = None
1106
self.checker = None
1107
if os.WIFEXITED(condition):
1108
exitstatus = os.WEXITSTATUS(condition)
1370
def checker_callback(self, source, condition,
1371
connection, command, *args, **kwargs):
1372
ret = Client.checker_callback(self, source, condition,
1373
connection, command, *args,
1374
**kwargs)
1375
exitstatus = self.last_checker_status
1376
if exitstatus >= 0:
1109
1377
# Emit D-Bus signal
1110
1378
self.CheckerCompleted(dbus.Int16(exitstatus),
1111
dbus.Int64(condition),
1379
dbus.Int64(0),
1112
1380
dbus.String(command))
1113
1381
else:
1114
1382
# Emit D-Bus signal
1115
1383
self.CheckerCompleted(dbus.Int16(-1),
1116
dbus.Int64(condition),
1384
dbus.Int64(
1385
self.last_checker_signal),
1117
1386
dbus.String(command))
1118
1119
return Client.checker_callback(self, pid, condition, command,
1120
*args, **kwargs)
1387
return ret
1121
1388
1122
1389
def start_checker(self, *args, **kwargs):
1123
old_checker = self.checker
1124
if self.checker is not None:
1125
old_checker_pid = self.checker.pid
1126
else:
1127
old_checker_pid = None
1390
old_checker_pid = getattr(self.checker, "pid", None)
1128
1391
r = Client.start_checker(self, *args, **kwargs)
1129
1392
# Only if new checker process was started
1130
1393
if (self.checker is not None
1138
1401
return False
1139
1402
1140
1403
def approve(self, value=True):
1141
self.send_changedstate()
1142
1404
self.approved = value
1143
gobject.timeout_add(timedelta_to_milliseconds
1144
(self.approval_duration),
1145
self._reset_approved)
1146
1405
gobject.timeout_add(int(self.approval_duration.total_seconds()
1406
* 1000), self._reset_approved)
1407
self.send_changedstate()
1147
1408
1148
1409
## D-Bus methods, signals & properties
1149
_interface = "se.recompile.Mandos.Client"
1410
1411
## Interfaces
1150
1412
1151
1413
## Signals
1152
1414
1163
1425
pass
1164
1426
1165
1427
# PropertyChanged - signal
1428
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1166
1429
@dbus.service.signal(_interface, signature="sv")
1167
1430
def PropertyChanged(self, property, value):
1168
1431
"D-Bus signal"
1189
1452
"D-Bus signal"
1190
1453
return self.need_approval()
1191
1454
1192
# NeRwequest - signal
1193
@dbus.service.signal(_interface, signature="s")
1194
def NewRequest(self, ip):
1195
"""D-Bus signal
1196
Is sent after a client request a password.
1197
"""
1198
pass
1199
1200
1455
## Methods
1201
1456
1202
1457
# Approve - method
1240
1495
return dbus.Boolean(bool(self.approvals_pending))
1241
1496
1242
1497
# ApprovedByDefault - property
1243
@dbus_service_property(_interface, signature="b",
1498
@dbus_service_property(_interface,
1499
signature="b",
1244
1500
access="readwrite")
1245
1501
def ApprovedByDefault_dbus_property(self, value=None):
1246
1502
if value is None: # get
1248
1504
self.approved_by_default = bool(value)
1249
1505
1250
1506
# ApprovalDelay - property
1251
@dbus_service_property(_interface, signature="t",
1507
@dbus_service_property(_interface,
1508
signature="t",
1252
1509
access="readwrite")
1253
1510
def ApprovalDelay_dbus_property(self, value=None):
1254
1511
if value is None: # get
1255
return dbus.UInt64(self.approval_delay_milliseconds())
1512
return dbus.UInt64(self.approval_delay.total_seconds()
1513
* 1000)
1256
1514
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1257
1515
1258
1516
# ApprovalDuration - property
1259
@dbus_service_property(_interface, signature="t",
1517
@dbus_service_property(_interface,
1518
signature="t",
1260
1519
access="readwrite")
1261
1520
def ApprovalDuration_dbus_property(self, value=None):
1262
1521
if value is None: # get
1263
return dbus.UInt64(timedelta_to_milliseconds(
1264
self.approval_duration))
1522
return dbus.UInt64(self.approval_duration.total_seconds()
1523
* 1000)
1265
1524
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1266
1525
1267
1526
# Name - property
1527
@dbus_annotations(
1528
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1268
1529
@dbus_service_property(_interface, signature="s", access="read")
1269
1530
def Name_dbus_property(self):
1270
1531
return dbus.String(self.name)
1271
1532
1272
1533
# Fingerprint - property
1534
@dbus_annotations(
1535
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1273
1536
@dbus_service_property(_interface, signature="s", access="read")
1274
1537
def Fingerprint_dbus_property(self):
1275
1538
return dbus.String(self.fingerprint)
1276
1539
1277
1540
# Host - property
1278
@dbus_service_property(_interface, signature="s",
1541
@dbus_service_property(_interface,
1542
signature="s",
1279
1543
access="readwrite")
1280
1544
def Host_dbus_property(self, value=None):
1281
1545
if value is None: # get
1282
1546
return dbus.String(self.host)
1283
self.host = unicode(value)
1547
self.host = str(value)
1284
1548
1285
1549
# Created - property
1550
@dbus_annotations(
1551
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1286
1552
@dbus_service_property(_interface, signature="s", access="read")
1287
1553
def Created_dbus_property(self):
1288
1554
return datetime_to_dbus(self.created)
1293
1559
return datetime_to_dbus(self.last_enabled)
1294
1560
1295
1561
# Enabled - property
1296
@dbus_service_property(_interface, signature="b",
1562
@dbus_service_property(_interface,
1563
signature="b",
1297
1564
access="readwrite")
1298
1565
def Enabled_dbus_property(self, value=None):
1299
1566
if value is None: # get
1304
1571
self.disable()
1305
1572
1306
1573
# LastCheckedOK - property
1307
@dbus_service_property(_interface, signature="s",
1574
@dbus_service_property(_interface,
1575
signature="s",
1308
1576
access="readwrite")
1309
1577
def LastCheckedOK_dbus_property(self, value=None):
1310
1578
if value is not None:
1312
1580
return
1313
1581
return datetime_to_dbus(self.last_checked_ok)
1314
1582
1583
# LastCheckerStatus - property
1584
@dbus_service_property(_interface, signature="n", access="read")
1585
def LastCheckerStatus_dbus_property(self):
1586
return dbus.Int16(self.last_checker_status)
1587
1315
1588
# Expires - property
1316
1589
@dbus_service_property(_interface, signature="s", access="read")
1317
1590
def Expires_dbus_property(self):
1323
1596
return datetime_to_dbus(self.last_approval_request)
1324
1597
1325
1598
# Timeout - property
1326
@dbus_service_property(_interface, signature="t",
1599
@dbus_service_property(_interface,
1600
signature="t",
1327
1601
access="readwrite")
1328
1602
def Timeout_dbus_property(self, value=None):
1329
1603
if value is None: # get
1330
return dbus.UInt64(self.timeout_milliseconds())
1604
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1605
old_timeout = self.timeout
1331
1606
self.timeout = datetime.timedelta(0, 0, 0, value)
1332
if getattr(self, "disable_initiator_tag", None) is None:
1333
return
1334
# Reschedule timeout
1335
gobject.source_remove(self.disable_initiator_tag)
1336
self.disable_initiator_tag = None
1337
self.expires = None
1338
time_to_die = timedelta_to_milliseconds((self
1339
.last_checked_ok
1340
+ self.timeout)
1341
- datetime.datetime
1342
.utcnow())
1343
if time_to_die <= 0:
1344
# The timeout has passed
1345
self.disable()
1346
else:
1347
self.expires = (datetime.datetime.utcnow()
1348
+ datetime.timedelta(milliseconds =
1349
time_to_die))
1350
self.disable_initiator_tag = (gobject.timeout_add
1351
(time_to_die, self.disable))
1607
# Reschedule disabling
1608
if self.enabled:
1609
now = datetime.datetime.utcnow()
1610
self.expires += self.timeout - old_timeout
1611
if self.expires <= now:
1612
# The timeout has passed
1613
self.disable()
1614
else:
1615
if (getattr(self, "disable_initiator_tag", None)
1616
is None):
1617
return
1618
gobject.source_remove(self.disable_initiator_tag)
1619
self.disable_initiator_tag = gobject.timeout_add(
1620
int((self.expires - now).total_seconds() * 1000),
1621
self.disable)
1352
1622
1353
1623
# ExtendedTimeout - property
1354
@dbus_service_property(_interface, signature="t",
1624
@dbus_service_property(_interface,
1625
signature="t",
1355
1626
access="readwrite")
1356
1627
def ExtendedTimeout_dbus_property(self, value=None):
1357
1628
if value is None: # get
1358
return dbus.UInt64(self.extended_timeout_milliseconds())
1629
return dbus.UInt64(self.extended_timeout.total_seconds()
1630
* 1000)
1359
1631
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1360
1632
1361
1633
# Interval - property
1362
@dbus_service_property(_interface, signature="t",
1634
@dbus_service_property(_interface,
1635
signature="t",
1363
1636
access="readwrite")
1364
1637
def Interval_dbus_property(self, value=None):
1365
1638
if value is None: # get
1366
return dbus.UInt64(self.interval_milliseconds())
1639
return dbus.UInt64(self.interval.total_seconds() * 1000)
1367
1640
self.interval = datetime.timedelta(0, 0, 0, value)
1368
1641
if getattr(self, "checker_initiator_tag", None) is None:
1369
1642
return
1370
1643
if self.enabled:
1371
1644
# Reschedule checker run
1372
1645
gobject.source_remove(self.checker_initiator_tag)
1373
self.checker_initiator_tag = (gobject.timeout_add
1374
(value, self.start_checker))
1375
self.start_checker() # Start one now, too
1646
self.checker_initiator_tag = gobject.timeout_add(
1647
value, self.start_checker)
1648
self.start_checker() # Start one now, too
1376
1649
1377
1650
# Checker - property
1378
@dbus_service_property(_interface, signature="s",
1651
@dbus_service_property(_interface,
1652
signature="s",
1379
1653
access="readwrite")
1380
1654
def Checker_dbus_property(self, value=None):
1381
1655
if value is None: # get
1382
1656
return dbus.String(self.checker_command)
1383
self.checker_command = unicode(value)
1657
self.checker_command = str(value)
1384
1658
1385
1659
# CheckerRunning - property
1386
@dbus_service_property(_interface, signature="b",
1660
@dbus_service_property(_interface,
1661
signature="b",
1387
1662
access="readwrite")
1388
1663
def CheckerRunning_dbus_property(self, value=None):
1389
1664
if value is None: # get
1394
1669
self.stop_checker()
1395
1670
1396
1671
# ObjectPath - property
1672
@dbus_annotations(
1673
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1397
1674
@dbus_service_property(_interface, signature="o", access="read")
1398
1675
def ObjectPath_dbus_property(self):
1399
1676
return self.dbus_object_path # is already a dbus.ObjectPath
1400
1677
1401
1678
# Secret = property
1402
@dbus_service_property(_interface, signature="ay",
1403
access="write", byte_arrays=True)
1679
@dbus_annotations(
1680
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1681
"invalidates"})
1682
@dbus_service_property(_interface,
1683
signature="ay",
1684
access="write",
1685
byte_arrays=True)
1404
1686
def Secret_dbus_property(self, value):
1405
self.secret = str(value)
1687
self.secret = bytes(value)
1406
1688
1407
1689
del _interface
1408
1690
1412
1694
self._pipe = child_pipe
1413
1695
self._pipe.send(('init', fpr, address))
1414
1696
if not self._pipe.recv():
1415
raise KeyError()
1697
raise KeyError(fpr)
1416
1698
1417
1699
def __getattribute__(self, name):
1418
1700
if name == '_pipe':
1422
1704
if data[0] == 'data':
1423
1705
return data[1]
1424
1706
if data[0] == 'function':
1707
1425
1708
def func(*args, **kwargs):
1426
1709
self._pipe.send(('funcall', name, args, kwargs))
1427
1710
return self._pipe.recv()[1]
1711
1428
1712
return func
1429
1713
1430
1714
def __setattr__(self, name, value):
1433
1717
self._pipe.send(('setattr', name, value))
1434
1718
1435
1719
1436
class ClientDBusTransitional(ClientDBus):
1437
__metaclass__ = AlternateDBusNamesMetaclass
1438
1439
1440
1720
class ClientHandler(socketserver.BaseRequestHandler, object):
1441
1721
"""A class to handle client connections.
1442
1722
1446
1726
def handle(self):
1447
1727
with contextlib.closing(self.server.child_pipe) as child_pipe:
1448
1728
logger.info("TCP connection from: %s",
1449
unicode(self.client_address))
1729
str(self.client_address))
1450
1730
logger.debug("Pipe FD: %d",
1451
1731
self.server.child_pipe.fileno())
1452
1732
1453
session = (gnutls.connection
1454
.ClientSession(self.request,
1455
gnutls.connection
1456
.X509Credentials()))
1733
session = gnutls.connection.ClientSession(
1734
self.request, gnutls.connection .X509Credentials())
1457
1735
1458
1736
# Note: gnutls.connection.X509Credentials is really a
1459
1737
# generic GnuTLS certificate credentials object so long as
1468
1746
priority = self.server.gnutls_priority
1469
1747
if priority is None:
1470
1748
priority = "NORMAL"
1471
(gnutls.library.functions
1472
.gnutls_priority_set_direct(session._c_object,
1473
priority, None))
1749
gnutls.library.functions.gnutls_priority_set_direct(
1750
session._c_object, priority, None)
1474
1751
1475
1752
# Start communication using the Mandos protocol
1476
1753
# Get protocol number
1478
1755
logger.debug("Protocol version: %r", line)
1479
1756
try:
1480
1757
if int(line.strip().split()[0]) > 1:
1481
raise RuntimeError
1758
raise RuntimeError(line)
1482
1759
except (ValueError, IndexError, RuntimeError) as error:
1483
1760
logger.error("Unknown protocol version: %s", error)
1484
1761
return
1496
1773
approval_required = False
1497
1774
try:
1498
1775
try:
1499
fpr = self.fingerprint(self.peer_certificate
1500
(session))
1776
fpr = self.fingerprint(
1777
self.peer_certificate(session))
1501
1778
except (TypeError,
1502
1779
gnutls.errors.GNUTLSError) as error:
1503
1780
logger.warning("Bad certificate: %s", error)
1510
1787
except KeyError:
1511
1788
return
1512
1789
1513
if self.server.use_dbus:
1514
# Emit D-Bus signal
1515
client.NewRequest(str(self.client_address))
1516
1517
1790
if client.approval_delay:
1518
1791
delay = client.approval_delay
1519
1792
client.approvals_pending += 1
1522
1795
while True:
1523
1796
if not client.enabled:
1524
1797
logger.info("Client %s is disabled",
1525
client.name)
1798
client.name)
1526
1799
if self.server.use_dbus:
1527
1800
# Emit D-Bus signal
1528
1801
client.Rejected("Disabled")
1537
1810
if self.server.use_dbus:
1538
1811
# Emit D-Bus signal
1539
1812
client.NeedApproval(
1540
client.approval_delay_milliseconds(),
1541
client.approved_by_default)
1813
client.approval_delay.total_seconds()
1814
* 1000, client.approved_by_default)
1542
1815
else:
1543
1816
logger.warning("Client %s was not approved",
1544
1817
client.name)
1550
1823
#wait until timeout or approved
1551
1824
time = datetime.datetime.now()
1552
1825
client.changedstate.acquire()
1553
(client.changedstate.wait
1554
(float(client.timedelta_to_milliseconds(delay)
1555
/ 1000)))
1826
client.changedstate.wait(delay.total_seconds())
1556
1827
client.changedstate.release()
1557
1828
time2 = datetime.datetime.now()
1558
1829
if (time2 - time) >= delay:
1574
1845
try:
1575
1846
sent = session.send(client.secret[sent_size:])
1576
1847
except gnutls.errors.GNUTLSError as error:
1577
logger.warning("gnutls send failed")
1848
logger.warning("gnutls send failed",
1849
exc_info=error)
1578
1850
return
1579
logger.debug("Sent: %d, remaining: %d",
1580
sent, len(client.secret)
1581
- (sent_size + sent))
1851
logger.debug("Sent: %d, remaining: %d", sent,
1852
len(client.secret) - (sent_size
1853
+ sent))
1582
1854
sent_size += sent
1583
1855
1584
1856
logger.info("Sending secret to %s", client.name)
1585
1857
# bump the timeout using extended_timeout
1586
client.checked_ok(client.extended_timeout)
1858
client.bump_timeout(client.extended_timeout)
1587
1859
if self.server.use_dbus:
1588
1860
# Emit D-Bus signal
1589
1861
client.GotSecret()
1594
1866
try:
1595
1867
session.bye()
1596
1868
except gnutls.errors.GNUTLSError as error:
1597
logger.warning("GnuTLS bye failed")
1869
logger.warning("GnuTLS bye failed",
1870
exc_info=error)
1598
1871
1599
1872
@staticmethod
1600
1873
def peer_certificate(session):
1601
1874
"Return the peer's OpenPGP certificate as a bytestring"
1602
1875
# If not an OpenPGP certificate...
1603
if (gnutls.library.functions
1604
.gnutls_certificate_type_get(session._c_object)
1876
if (gnutls.library.functions.gnutls_certificate_type_get(
1877
session._c_object)
1605
1878
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1606
1879
# ...do the normal thing
1607
1880
return session.peer_certificate
1621
1894
def fingerprint(openpgp):
1622
1895
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1623
1896
# New GnuTLS "datum" with the OpenPGP public key
1624
datum = (gnutls.library.types
1625
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1626
ctypes.POINTER
1627
(ctypes.c_ubyte)),
1628
ctypes.c_uint(len(openpgp))))
1897
datum = gnutls.library.types.gnutls_datum_t(
1898
ctypes.cast(ctypes.c_char_p(openpgp),
1899
ctypes.POINTER(ctypes.c_ubyte)),
1900
ctypes.c_uint(len(openpgp)))
1629
1901
# New empty GnuTLS certificate
1630
1902
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1631
(gnutls.library.functions
1632
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1903
gnutls.library.functions.gnutls_openpgp_crt_init(
1904
ctypes.byref(crt))
1633
1905
# Import the OpenPGP public key into the certificate
1634
(gnutls.library.functions
1635
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1636
gnutls.library.constants
1637
.GNUTLS_OPENPGP_FMT_RAW))
1906
gnutls.library.functions.gnutls_openpgp_crt_import(
1907
crt, ctypes.byref(datum),
1908
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
1638
1909
# Verify the self signature in the key
1639
1910
crtverify = ctypes.c_uint()
1640
(gnutls.library.functions
1641
.gnutls_openpgp_crt_verify_self(crt, 0,
1642
ctypes.byref(crtverify)))
1911
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1912
crt, 0, ctypes.byref(crtverify))
1643
1913
if crtverify.value != 0:
1644
1914
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1645
raise (gnutls.errors.CertificateSecurityError
1646
("Verify failed"))
1915
raise gnutls.errors.CertificateSecurityError(
1916
"Verify failed")
1647
1917
# New buffer for the fingerprint
1648
1918
buf = ctypes.create_string_buffer(20)
1649
1919
buf_len = ctypes.c_size_t()
1650
1920
# Get the fingerprint from the certificate into the buffer
1651
(gnutls.library.functions
1652
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1653
ctypes.byref(buf_len)))
1921
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1922
crt, ctypes.byref(buf), ctypes.byref(buf_len))
1654
1923
# Deinit the certificate
1655
1924
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1656
1925
# Convert the buffer to a Python bytestring
1662
1931
1663
1932
class MultiprocessingMixIn(object):
1664
1933
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1934
1665
1935
def sub_process_main(self, request, address):
1666
1936
try:
1667
1937
self.finish_request(request, address)
1668
except:
1938
except Exception:
1669
1939
self.handle_error(request, address)
1670
1940
self.close_request(request)
1671
1941
1672
1942
def process_request(self, request, address):
1673
1943
"""Start a new process to process the request."""
1674
1944
proc = multiprocessing.Process(target = self.sub_process_main,
1675
args = (request,
1676
address))
1945
args = (request, address))
1677
1946
proc.start()
1678
1947
return proc
1679
1948
1680
1949
1681
1950
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1682
1951
""" adds a pipe to the MixIn """
1952
1683
1953
def process_request(self, request, client_address):
1684
1954
"""Overrides and wraps the original process_request().
1685
1955
1694
1964
1695
1965
def add_pipe(self, parent_pipe, proc):
1696
1966
"""Dummy function; override as necessary"""
1697
raise NotImplementedError
1967
raise NotImplementedError()
1698
1968
1699
1969
1700
1970
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1706
1976
interface: None or a network interface name (string)
1707
1977
use_ipv6: Boolean; to use IPv6 or not
1708
1978
"""
1979
1709
1980
def __init__(self, server_address, RequestHandlerClass,
1710
interface=None, use_ipv6=True):
1981
interface=None,
1982
use_ipv6=True,
1983
socketfd=None):
1984
"""If socketfd is set, use that file descriptor instead of
1985
creating a new one with socket.socket().
1986
"""
1711
1987
self.interface = interface
1712
1988
if use_ipv6:
1713
1989
self.address_family = socket.AF_INET6
1990
if socketfd is not None:
1991
# Save the file descriptor
1992
self.socketfd = socketfd
1993
# Save the original socket.socket() function
1994
self.socket_socket = socket.socket
1995
# To implement --socket, we monkey patch socket.socket.
1996
#
1997
# (When socketserver.TCPServer is a new-style class, we
1998
# could make self.socket into a property instead of monkey
1999
# patching socket.socket.)
2000
#
2001
# Create a one-time-only replacement for socket.socket()
2002
@functools.wraps(socket.socket)
2003
def socket_wrapper(*args, **kwargs):
2004
# Restore original function so subsequent calls are
2005
# not affected.
2006
socket.socket = self.socket_socket
2007
del self.socket_socket
2008
# This time only, return a new socket object from the
2009
# saved file descriptor.
2010
return socket.fromfd(self.socketfd, *args, **kwargs)
2011
# Replace socket.socket() function with wrapper
2012
socket.socket = socket_wrapper
2013
# The socketserver.TCPServer.__init__ will call
2014
# socket.socket(), which might be our replacement,
2015
# socket_wrapper(), if socketfd was set.
1714
2016
socketserver.TCPServer.__init__(self, server_address,
1715
2017
RequestHandlerClass)
2018
1716
2019
def server_bind(self):
1717
2020
"""This overrides the normal server_bind() function
1718
2021
to bind to an interface if one was specified, and also NOT to
1724
2027
self.interface)
1725
2028
else:
1726
2029
try:
1727
self.socket.setsockopt(socket.SOL_SOCKET,
1728
SO_BINDTODEVICE,
1729
str(self.interface
1730
+ '\0'))
2030
self.socket.setsockopt(
2031
socket.SOL_SOCKET, SO_BINDTODEVICE,
2032
(self.interface + "\0").encode("utf-8"))
1731
2033
except socket.error as error:
1732
if error[0] == errno.EPERM:
1733
logger.error("No permission to"
1734
" bind to interface %s",
1735
self.interface)
1736
elif error[0] == errno.ENOPROTOOPT:
2034
if error.errno == errno.EPERM:
2035
logger.error("No permission to bind to"
2036
" interface %s", self.interface)
2037
elif error.errno == errno.ENOPROTOOPT:
1737
2038
logger.error("SO_BINDTODEVICE not available;"
1738
2039
" cannot bind to interface %s",
1739
2040
self.interface)
2041
elif error.errno == errno.ENODEV:
2042
logger.error("Interface %s does not exist,"
2043
" cannot bind", self.interface)
1740
2044
else:
1741
2045
raise
1742
2046
# Only bind(2) the socket if we really need to.
1745
2049
if self.address_family == socket.AF_INET6:
1746
2050
any_address = "::" # in6addr_any
1747
2051
else:
1748
any_address = socket.INADDR_ANY
2052
any_address = "0.0.0.0" # INADDR_ANY
1749
2053
self.server_address = (any_address,
1750
2054
self.server_address[1])
1751
2055
elif not self.server_address[1]:
1752
self.server_address = (self.server_address[0],
1753
0)
2056
self.server_address = (self.server_address[0], 0)
1754
2057
# if self.interface:
1755
2058
# self.server_address = (self.server_address[0],
1756
2059
# 0, # port
1770
2073
1771
2074
Assumes a gobject.MainLoop event loop.
1772
2075
"""
2076
1773
2077
def __init__(self, server_address, RequestHandlerClass,
1774
interface=None, use_ipv6=True, clients=None,
1775
gnutls_priority=None, use_dbus=True):
2078
interface=None,
2079
use_ipv6=True,
2080
clients=None,
2081
gnutls_priority=None,
2082
use_dbus=True,
2083
socketfd=None):
1776
2084
self.enabled = False
1777
2085
self.clients = clients
1778
2086
if self.clients is None:
1782
2090
IPv6_TCPServer.__init__(self, server_address,
1783
2091
RequestHandlerClass,
1784
2092
interface = interface,
1785
use_ipv6 = use_ipv6)
2093
use_ipv6 = use_ipv6,
2094
socketfd = socketfd)
2095
1786
2096
def server_activate(self):
1787
2097
if self.enabled:
1788
2098
return socketserver.TCPServer.server_activate(self)
1792
2102
1793
2103
def add_pipe(self, parent_pipe, proc):
1794
2104
# Call "handle_ipc" for both data and EOF events
1795
gobject.io_add_watch(parent_pipe.fileno(),
1796
gobject.IO_IN | gobject.IO_HUP,
1797
functools.partial(self.handle_ipc,
1798
parent_pipe =
1799
parent_pipe,
1800
proc = proc))
2105
gobject.io_add_watch(
2106
parent_pipe.fileno(),
2107
gobject.IO_IN | gobject.IO_HUP,
2108
functools.partial(self.handle_ipc,
2109
parent_pipe = parent_pipe,
2110
proc = proc))
1801
2111
1802
def handle_ipc(self, source, condition, parent_pipe=None,
1803
proc = None, client_object=None):
1804
condition_names = {
1805
gobject.IO_IN: "IN", # There is data to read.
1806
gobject.IO_OUT: "OUT", # Data can be written (without
1807
# blocking).
1808
gobject.IO_PRI: "PRI", # There is urgent data to read.
1809
gobject.IO_ERR: "ERR", # Error condition.
1810
gobject.IO_HUP: "HUP" # Hung up (the connection has been
1811
# broken, usually for pipes and
1812
# sockets).
1813
}
1814
conditions_string = ' | '.join(name
1815
for cond, name in
1816
condition_names.iteritems()
1817
if cond & condition)
2112
def handle_ipc(self, source, condition,
2113
parent_pipe=None,
2114
proc = None,
2115
client_object=None):
1818
2116
# error, or the other end of multiprocessing.Pipe has closed
1819
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
2117
if condition & (gobject.IO_ERR | gobject.IO_HUP):
1820
2118
# Wait for other process to exit
1821
2119
proc.join()
1822
2120
return False
1843
2141
parent_pipe.send(False)
1844
2142
return False
1845
2143
1846
gobject.io_add_watch(parent_pipe.fileno(),
1847
gobject.IO_IN | gobject.IO_HUP,
1848
functools.partial(self.handle_ipc,
1849
parent_pipe =
1850
parent_pipe,
1851
proc = proc,
1852
client_object =
1853
client))
2144
gobject.io_add_watch(
2145
parent_pipe.fileno(),
2146
gobject.IO_IN | gobject.IO_HUP,
2147
functools.partial(self.handle_ipc,
2148
parent_pipe = parent_pipe,
2149
proc = proc,
2150
client_object = client))
1854
2151
parent_pipe.send(True)
1855
2152
# remove the old hook in favor of the new above hook on
1856
2153
# same fileno
1862
2159
1863
2160
parent_pipe.send(('data', getattr(client_object,
1864
2161
funcname)(*args,
1865
**kwargs)))
2162
**kwargs)))
1866
2163
1867
2164
if command == 'getattr':
1868
2165
attrname = request[1]
1869
if callable(client_object.__getattribute__(attrname)):
1870
parent_pipe.send(('function',))
2166
if isinstance(client_object.__getattribute__(attrname),
2167
collections.Callable):
2168
parent_pipe.send(('function', ))
1871
2169
else:
1872
parent_pipe.send(('data', client_object
1873
.__getattribute__(attrname)))
2170
parent_pipe.send((
2171
'data', client_object.__getattribute__(attrname)))
1874
2172
1875
2173
if command == 'setattr':
1876
2174
attrname = request[1]
1880
2178
return True
1881
2179
1882
2180
2181
def rfc3339_duration_to_delta(duration):
2182
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2183
2184
>>> rfc3339_duration_to_delta("P7D")
2185
datetime.timedelta(7)
2186
>>> rfc3339_duration_to_delta("PT60S")
2187
datetime.timedelta(0, 60)
2188
>>> rfc3339_duration_to_delta("PT60M")
2189
datetime.timedelta(0, 3600)
2190
>>> rfc3339_duration_to_delta("PT24H")
2191
datetime.timedelta(1)
2192
>>> rfc3339_duration_to_delta("P1W")
2193
datetime.timedelta(7)
2194
>>> rfc3339_duration_to_delta("PT5M30S")
2195
datetime.timedelta(0, 330)
2196
>>> rfc3339_duration_to_delta("P1DT3M20S")
2197
datetime.timedelta(1, 200)
2198
"""
2199
2200
# Parsing an RFC 3339 duration with regular expressions is not
2201
# possible - there would have to be multiple places for the same
2202
# values, like seconds. The current code, while more esoteric, is
2203
# cleaner without depending on a parsing library. If Python had a
2204
# built-in library for parsing we would use it, but we'd like to
2205
# avoid excessive use of external libraries.
2206
2207
# New type for defining tokens, syntax, and semantics all-in-one
2208
Token = collections.namedtuple("Token", (
2209
"regexp", # To match token; if "value" is not None, must have
2210
# a "group" containing digits
2211
"value", # datetime.timedelta or None
2212
"followers")) # Tokens valid after this token
2213
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2214
# the "duration" ABNF definition in RFC 3339, Appendix A.
2215
token_end = Token(re.compile(r"$"), None, frozenset())
2216
token_second = Token(re.compile(r"(\d+)S"),
2217
datetime.timedelta(seconds=1),
2218
frozenset((token_end, )))
2219
token_minute = Token(re.compile(r"(\d+)M"),
2220
datetime.timedelta(minutes=1),
2221
frozenset((token_second, token_end)))
2222
token_hour = Token(re.compile(r"(\d+)H"),
2223
datetime.timedelta(hours=1),
2224
frozenset((token_minute, token_end)))
2225
token_time = Token(re.compile(r"T"),
2226
None,
2227
frozenset((token_hour, token_minute,
2228
token_second)))
2229
token_day = Token(re.compile(r"(\d+)D"),
2230
datetime.timedelta(days=1),
2231
frozenset((token_time, token_end)))
2232
token_month = Token(re.compile(r"(\d+)M"),
2233
datetime.timedelta(weeks=4),
2234
frozenset((token_day, token_end)))
2235
token_year = Token(re.compile(r"(\d+)Y"),
2236
datetime.timedelta(weeks=52),
2237
frozenset((token_month, token_end)))
2238
token_week = Token(re.compile(r"(\d+)W"),
2239
datetime.timedelta(weeks=1),
2240
frozenset((token_end, )))
2241
token_duration = Token(re.compile(r"P"), None,
2242
frozenset((token_year, token_month,
2243
token_day, token_time,
2244
token_week)))
2245
# Define starting values
2246
value = datetime.timedelta() # Value so far
2247
found_token = None
2248
followers = frozenset((token_duration, )) # Following valid tokens
2249
s = duration # String left to parse
2250
# Loop until end token is found
2251
while found_token is not token_end:
2252
# Search for any currently valid tokens
2253
for token in followers:
2254
match = token.regexp.match(s)
2255
if match is not None:
2256
# Token found
2257
if token.value is not None:
2258
# Value found, parse digits
2259
factor = int(match.group(1), 10)
2260
# Add to value so far
2261
value += factor * token.value
2262
# Strip token from string
2263
s = token.regexp.sub("", s, 1)
2264
# Go to found token
2265
found_token = token
2266
# Set valid next tokens
2267
followers = found_token.followers
2268
break
2269
else:
2270
# No currently valid tokens were found
2271
raise ValueError("Invalid RFC 3339 duration: {!r}"
2272
.format(duration))
2273
# End token found
2274
return value
2275
2276
1883
2277
def string_to_delta(interval):
1884
2278
"""Parse a string and return a datetime.timedelta
1885
2279
1896
2290
>>> string_to_delta('5m 30s')
1897
2291
datetime.timedelta(0, 330)
1898
2292
"""
2293
2294
try:
2295
return rfc3339_duration_to_delta(interval)
2296
except ValueError:
2297
pass
2298
1899
2299
timevalue = datetime.timedelta(0)
1900
2300
for s in interval.split():
1901
2301
try:
1902
suffix = unicode(s[-1])
2302
suffix = s[-1]
1903
2303
value = int(s[:-1])
1904
2304
if suffix == "d":
1905
2305
delta = datetime.timedelta(value)
1912
2312
elif suffix == "w":
1913
2313
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1914
2314
else:
1915
raise ValueError("Unknown suffix %r" % suffix)
1916
except (ValueError, IndexError) as e:
2315
raise ValueError("Unknown suffix {!r}".format(suffix))
2316
except IndexError as e:
1917
2317
raise ValueError(*(e.args))
1918
2318
timevalue += delta
1919
2319
return timevalue
1932
2332
sys.exit()
1933
2333
if not noclose:
1934
2334
# Close all standard open file descriptors
1935
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2335
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1936
2336
if not stat.S_ISCHR(os.fstat(null).st_mode):
1937
2337
raise OSError(errno.ENODEV,
1938
"%s not a character device"
1939
% os.path.devnull)
2338
"{} not a character device"
2339
.format(os.devnull))
1940
2340
os.dup2(null, sys.stdin.fileno())
1941
2341
os.dup2(null, sys.stdout.fileno())
1942
2342
os.dup2(null, sys.stderr.fileno())
1951
2351
1952
2352
parser = argparse.ArgumentParser()
1953
2353
parser.add_argument("-v", "--version", action="version",
1954
version = "%%(prog)s %s" % version,
2354
version = "%(prog)s {}".format(version),
1955
2355
help="show version number and exit")
1956
2356
parser.add_argument("-i", "--interface", metavar="IF",
1957
2357
help="Bind to interface IF")
1963
2363
help="Run self-test")
1964
2364
parser.add_argument("--debug", action="store_true",
1965
2365
help="Debug mode; run in foreground and log"
1966
" to terminal")
2366
" to terminal", default=None)
1967
2367
parser.add_argument("--debuglevel", metavar="LEVEL",
1968
2368
help="Debug level for stdout output")
1969
2369
parser.add_argument("--priority", help="GnuTLS"
1976
2376
" files")
1977
2377
parser.add_argument("--no-dbus", action="store_false",
1978
2378
dest="use_dbus", help="Do not provide D-Bus"
1979
" system bus interface")
2379
" system bus interface", default=None)
1980
2380
parser.add_argument("--no-ipv6", action="store_false",
1981
dest="use_ipv6", help="Do not use IPv6")
2381
dest="use_ipv6", help="Do not use IPv6",
2382
default=None)
1982
2383
parser.add_argument("--no-restore", action="store_false",
1983
2384
dest="restore", help="Do not restore stored"
1984
" state")
2385
" state", default=None)
2386
parser.add_argument("--socket", type=int,
2387
help="Specify a file descriptor to a network"
2388
" socket to use instead of creating one")
1985
2389
parser.add_argument("--statedir", metavar="DIR",
1986
2390
help="Directory to save/restore state in")
2391
parser.add_argument("--foreground", action="store_true",
2392
help="Run in foreground", default=None)
2393
parser.add_argument("--no-zeroconf", action="store_false",
2394
dest="zeroconf", help="Do not use Zeroconf",
2395
default=None)
1987
2396
1988
2397
options = parser.parse_args()
1989
2398
1990
2399
if options.check:
1991
2400
import doctest
1992
doctest.testmod()
1993
sys.exit()
2401
fail_count, test_count = doctest.testmod()
2402
sys.exit(os.EX_OK if fail_count == 0 else 1)
1994
2403
1995
2404
# Default values for config file for server-global settings
1996
2405
server_defaults = { "interface": "",
1998
2407
"port": "",
1999
2408
"debug": "False",
2000
2409
"priority":
2001
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2410
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2411
":+SIGN-DSA-SHA256",
2002
2412
"servicename": "Mandos",
2003
2413
"use_dbus": "True",
2004
2414
"use_ipv6": "True",
2005
2415
"debuglevel": "",
2006
2416
"restore": "True",
2007
"statedir": "/var/lib/mandos"
2008
}
2417
"socket": "",
2418
"statedir": "/var/lib/mandos",
2419
"foreground": "False",
2420
"zeroconf": "True",
2421
}
2009
2422
2010
2423
# Parse config file for server-global settings
2011
2424
server_config = configparser.SafeConfigParser(server_defaults)
2012
2425
del server_defaults
2013
server_config.read(os.path.join(options.configdir,
2014
"mandos.conf"))
2426
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2015
2427
# Convert the SafeConfigParser object to a dict
2016
2428
server_settings = server_config.defaults()
2017
2429
# Use the appropriate methods on the non-string config options
2018
for option in ("debug", "use_dbus", "use_ipv6"):
2430
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2019
2431
server_settings[option] = server_config.getboolean("DEFAULT",
2020
2432
option)
2021
2433
if server_settings["port"]:
2022
2434
server_settings["port"] = server_config.getint("DEFAULT",
2023
2435
"port")
2436
if server_settings["socket"]:
2437
server_settings["socket"] = server_config.getint("DEFAULT",
2438
"socket")
2439
# Later, stdin will, and stdout and stderr might, be dup'ed
2440
# over with an opened os.devnull. But we don't want this to
2441
# happen with a supplied network socket.
2442
if 0 <= server_settings["socket"] <= 2:
2443
server_settings["socket"] = os.dup(server_settings
2444
["socket"])
2024
2445
del server_config
2025
2446
2026
2447
# Override the settings from the config file with command line
2027
2448
# options, if set.
2028
2449
for option in ("interface", "address", "port", "debug",
2029
"priority", "servicename", "configdir",
2030
"use_dbus", "use_ipv6", "debuglevel", "restore",
2031
"statedir"):
2450
"priority", "servicename", "configdir", "use_dbus",
2451
"use_ipv6", "debuglevel", "restore", "statedir",
2452
"socket", "foreground", "zeroconf"):
2032
2453
value = getattr(options, option)
2033
2454
if value is not None:
2034
2455
server_settings[option] = value
2035
2456
del options
2036
2457
# Force all strings to be unicode
2037
2458
for option in server_settings.keys():
2038
if type(server_settings[option]) is str:
2039
server_settings[option] = unicode(server_settings[option])
2459
if isinstance(server_settings[option], bytes):
2460
server_settings[option] = (server_settings[option]
2461
.decode("utf-8"))
2462
# Force all boolean options to be boolean
2463
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2464
"foreground", "zeroconf"):
2465
server_settings[option] = bool(server_settings[option])
2466
# Debug implies foreground
2467
if server_settings["debug"]:
2468
server_settings["foreground"] = True
2040
2469
# Now we have our good server settings in "server_settings"
2041
2470
2042
2471
##################################################################
2043
2472
2473
if (not server_settings["zeroconf"]
2474
and not (server_settings["port"]
2475
or server_settings["socket"] != "")):
2476
parser.error("Needs port or socket to work without Zeroconf")
2477
2044
2478
# For convenience
2045
2479
debug = server_settings["debug"]
2046
2480
debuglevel = server_settings["debuglevel"]
2048
2482
use_ipv6 = server_settings["use_ipv6"]
2049
2483
stored_state_path = os.path.join(server_settings["statedir"],
2050
2484
stored_state_file)
2485
foreground = server_settings["foreground"]
2486
zeroconf = server_settings["zeroconf"]
2051
2487
2052
2488
if debug:
2053
initlogger(logging.DEBUG)
2489
initlogger(debug, logging.DEBUG)
2054
2490
else:
2055
2491
if not debuglevel:
2056
initlogger()
2492
initlogger(debug)
2057
2493
else:
2058
2494
level = getattr(logging, debuglevel.upper())
2059
initlogger(level)
2495
initlogger(debug, level)
2060
2496
2061
2497
if server_settings["servicename"] != "Mandos":
2062
syslogger.setFormatter(logging.Formatter
2063
('Mandos (%s) [%%(process)d]:'
2064
' %%(levelname)s: %%(message)s'
2065
% server_settings["servicename"]))
2498
syslogger.setFormatter(
2499
logging.Formatter('Mandos ({}) [%(process)d]:'
2500
' %(levelname)s: %(message)s'.format(
2501
server_settings["servicename"])))
2066
2502
2067
2503
# Parse config file with clients
2068
client_defaults = { "timeout": "5m",
2069
"extended_timeout": "15m",
2070
"interval": "2m",
2071
"checker": "fping -q -- %%(host)s",
2072
"host": "",
2073
"approval_delay": "0s",
2074
"approval_duration": "1s",
2075
}
2076
client_config = configparser.SafeConfigParser(client_defaults)
2504
client_config = configparser.SafeConfigParser(Client
2505
.client_defaults)
2077
2506
client_config.read(os.path.join(server_settings["configdir"],
2078
2507
"clients.conf"))
2079
2508
2080
2509
global mandos_dbus_service
2081
2510
mandos_dbus_service = None
2082
2511
2083
tcp_server = MandosServer((server_settings["address"],
2084
server_settings["port"]),
2085
ClientHandler,
2086
interface=(server_settings["interface"]
2087
or None),
2088
use_ipv6=use_ipv6,
2089
gnutls_priority=
2090
server_settings["priority"],
2091
use_dbus=use_dbus)
2092
if not debug:
2093
pidfilename = "/var/run/mandos.pid"
2512
socketfd = None
2513
if server_settings["socket"] != "":
2514
socketfd = server_settings["socket"]
2515
tcp_server = MandosServer(
2516
(server_settings["address"], server_settings["port"]),
2517
ClientHandler,
2518
interface=(server_settings["interface"] or None),
2519
use_ipv6=use_ipv6,
2520
gnutls_priority=server_settings["priority"],
2521
use_dbus=use_dbus,
2522
socketfd=socketfd)
2523
if not foreground:
2524
pidfilename = "/run/mandos.pid"
2525
if not os.path.isdir("/run/."):
2526
pidfilename = "/var/run/mandos.pid"
2527
pidfile = None
2094
2528
try:
2095
pidfile = open(pidfilename, "w")
2096
except IOError:
2097
logger.error("Could not open file %r", pidfilename)
2529
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2530
except IOError as e:
2531
logger.error("Could not open file %r", pidfilename,
2532
exc_info=e)
2098
2533
2099
try:
2100
uid = pwd.getpwnam("_mandos").pw_uid
2101
gid = pwd.getpwnam("_mandos").pw_gid
2102
except KeyError:
2534
for name in ("_mandos", "mandos", "nobody"):
2103
2535
try:
2104
uid = pwd.getpwnam("mandos").pw_uid
2105
gid = pwd.getpwnam("mandos").pw_gid
2536
uid = pwd.getpwnam(name).pw_uid
2537
gid = pwd.getpwnam(name).pw_gid
2538
break
2106
2539
except KeyError:
2107
try:
2108
uid = pwd.getpwnam("nobody").pw_uid
2109
gid = pwd.getpwnam("nobody").pw_gid
2110
except KeyError:
2111
uid = 65534
2112
gid = 65534
2540
continue
2541
else:
2542
uid = 65534
2543
gid = 65534
2113
2544
try:
2114
2545
os.setgid(gid)
2115
2546
os.setuid(uid)
2116
2547
except OSError as error:
2117
if error[0] != errno.EPERM:
2118
raise error
2548
if error.errno != errno.EPERM:
2549
raise
2119
2550
2120
2551
if debug:
2121
2552
# Enable all possible GnuTLS debugging
2128
2559
def debug_gnutls(level, string):
2129
2560
logger.debug("GnuTLS: %s", string[:-1])
2130
2561
2131
(gnutls.library.functions
2132
.gnutls_global_set_log_function(debug_gnutls))
2562
gnutls.library.functions.gnutls_global_set_log_function(
2563
debug_gnutls)
2133
2564
2134
2565
# Redirect stdin so all checkers get /dev/null
2135
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2566
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2136
2567
os.dup2(null, sys.stdin.fileno())
2137
2568
if null > 2:
2138
2569
os.close(null)
2139
else:
2140
# No console logging
2141
logger.removeHandler(console)
2142
2570
2143
2571
# Need to fork before connecting to D-Bus
2144
if not debug:
2572
if not foreground:
2145
2573
# Close all input and output, do double fork, etc.
2146
2574
daemon()
2147
2575
2576
# multiprocessing will use threads, so before we use gobject we
2577
# need to inform gobject that threads will be used.
2578
gobject.threads_init()
2579
2148
2580
global main_loop
2149
2581
# From the Avahi example code
2150
DBusGMainLoop(set_as_default=True )
2582
DBusGMainLoop(set_as_default=True)
2151
2583
main_loop = gobject.MainLoop()
2152
2584
bus = dbus.SystemBus()
2153
2585
# End of Avahi example code
2154
2586
if use_dbus:
2155
2587
try:
2156
2588
bus_name = dbus.service.BusName("se.recompile.Mandos",
2157
bus, do_not_queue=True)
2158
old_bus_name = (dbus.service.BusName
2159
("se.bsnet.fukt.Mandos", bus,
2160
do_not_queue=True))
2161
except dbus.exceptions.NameExistsException as e:
2162
logger.error(unicode(e) + ", disabling D-Bus")
2589
bus,
2590
do_not_queue=True)
2591
old_bus_name = dbus.service.BusName(
2592
"se.bsnet.fukt.Mandos", bus,
2593
do_not_queue=True)
2594
except dbus.exceptions.DBusException as e:
2595
logger.error("Disabling D-Bus:", exc_info=e)
2163
2596
use_dbus = False
2164
2597
server_settings["use_dbus"] = False
2165
2598
tcp_server.use_dbus = False
2166
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2167
service = AvahiServiceToSyslog(name =
2168
server_settings["servicename"],
2169
servicetype = "_mandos._tcp",
2170
protocol = protocol, bus = bus)
2171
if server_settings["interface"]:
2172
service.interface = (if_nametoindex
2173
(str(server_settings["interface"])))
2599
if zeroconf:
2600
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2601
service = AvahiServiceToSyslog(
2602
name = server_settings["servicename"],
2603
servicetype = "_mandos._tcp",
2604
protocol = protocol,
2605
bus = bus)
2606
if server_settings["interface"]:
2607
service.interface = if_nametoindex(
2608
server_settings["interface"].encode("utf-8"))
2174
2609
2175
2610
global multiprocessing_manager
2176
2611
multiprocessing_manager = multiprocessing.Manager()
2177
2612
2178
2613
client_class = Client
2179
2614
if use_dbus:
2180
client_class = functools.partial(ClientDBusTransitional,
2181
bus = bus)
2182
2183
special_settings = {
2184
# Some settings need to be accessd by special methods;
2185
# booleans need .getboolean(), etc. Here is a list of them:
2186
"approved_by_default":
2187
lambda section:
2188
client_config.getboolean(section, "approved_by_default"),
2189
"enabled":
2190
lambda section:
2191
client_config.getboolean(section, "enabled"),
2192
}
2193
# Construct a new dict of client settings of this form:
2194
# { client_name: {setting_name: value, ...}, ...}
2195
# with exceptions for any special settings as defined above
2196
client_settings = dict((clientname,
2197
dict((setting,
2198
(value
2199
if setting not in special_settings
2200
else special_settings[setting]
2201
(clientname)))
2202
for setting, value in
2203
client_config.items(clientname)))
2204
for clientname in client_config.sections())
2205
2615
client_class = functools.partial(ClientDBus, bus = bus)
2616
2617
client_settings = Client.config_parser(client_config)
2206
2618
old_client_settings = {}
2207
clients_data = []
2619
clients_data = {}
2620
2621
# This is used to redirect stdout and stderr for checker processes
2622
global wnull
2623
wnull = open(os.devnull, "w") # A writable /dev/null
2624
# Only used if server is running in foreground but not in debug
2625
# mode
2626
if debug or not foreground:
2627
wnull.close()
2208
2628
2209
2629
# Get client data and settings from last running state.
2210
2630
if server_settings["restore"]:
2211
2631
try:
2212
2632
with open(stored_state_path, "rb") as stored_state:
2213
clients_data, old_client_settings = (pickle.load
2214
(stored_state))
2633
clients_data, old_client_settings = pickle.load(
2634
stored_state)
2215
2635
os.remove(stored_state_path)
2216
2636
except IOError as e:
2217
logger.warning("Could not load persistent state: {0}"
2218
.format(e))
2219
if e.errno != errno.ENOENT:
2637
if e.errno == errno.ENOENT:
2638
logger.warning("Could not load persistent state:"
2639
" {}".format(os.strerror(e.errno)))
2640
else:
2641
logger.critical("Could not load persistent state:",
2642
exc_info=e)
2220
2643
raise
2644
except EOFError as e:
2645
logger.warning("Could not load persistent state: "
2646
"EOFError:",
2647
exc_info=e)
2221
2648
2222
2649
with PGPEngine() as pgp:
2223
for client in clients_data:
2224
client_name = client["name"]
2650
for client_name, client in clients_data.items():
2651
# Skip removed clients
2652
if client_name not in client_settings:
2653
continue
2225
2654
2226
2655
# Decide which value to use after restoring saved state.
2227
2656
# We have three different values: Old config file,
2233
2662
# For each value in new config, check if it
2234
2663
# differs from the old config value (Except for
2235
2664
# the "secret" attribute)
2236
if (name != "secret" and
2237
value != old_client_settings[client_name]
2238
[name]):
2239
setattr(client, name, value)
2665
if (name != "secret"
2666
and (value !=
2667
old_client_settings[client_name][name])):
2668
client[name] = value
2240
2669
except KeyError:
2241
2670
pass
2242
2671
2243
2672
# Clients who has passed its expire date can still be
2244
# enabled if its last checker was sucessful. Clients
2245
# whose checker failed before we stored its state is
2246
# assumed to have failed all checkers during downtime.
2673
# enabled if its last checker was successful. A Client
2674
# whose checker succeeded before we stored its state is
2675
# assumed to have successfully run all checkers during
2676
# downtime.
2247
2677
if client["enabled"]:
2248
if client["expires"] <= (datetime.datetime
2249
.utcnow()):
2250
# Client has expired
2251
if client["last_checker_status"] != 0:
2678
if datetime.datetime.utcnow() >= client["expires"]:
2679
if not client["last_checked_ok"]:
2680
logger.warning(
2681
"disabling client {} - Client never "
2682
"performed a successful checker".format(
2683
client_name))
2684
client["enabled"] = False
2685
elif client["last_checker_status"] != 0:
2686
logger.warning(
2687
"disabling client {} - Client last"
2688
" checker failed with error code"
2689
" {}".format(
2690
client_name,
2691
client["last_checker_status"]))
2252
2692
client["enabled"] = False
2253
2693
else:
2254
client["expires"] = (datetime.datetime
2255
.utcnow()
2256
+ client["timeout"])
2257
2258
client["changedstate"] = (multiprocessing_manager
2259
.Condition
2260
(multiprocessing_manager
2261
.Lock()))
2262
if use_dbus:
2263
new_client = (ClientDBusTransitional.__new__
2264
(ClientDBusTransitional))
2265
tcp_server.clients[client_name] = new_client
2266
new_client.bus = bus
2267
for name, value in client.iteritems():
2268
setattr(new_client, name, value)
2269
client_object_name = unicode(client_name).translate(
2270
{ord("."): ord("_"),
2271
ord("-"): ord("_")})
2272
new_client.dbus_object_path = (dbus.ObjectPath
2273
("/clients/"
2274
+ client_object_name))
2275
DBusObjectWithProperties.__init__(new_client,
2276
new_client.bus,
2277
new_client
2278
.dbus_object_path)
2279
else:
2280
tcp_server.clients[client_name] = (Client.__new__
2281
(Client))
2282
for name, value in client.iteritems():
2283
setattr(tcp_server.clients[client_name],
2284
name, value)
2285
2694
client["expires"] = (
2695
datetime.datetime.utcnow()
2696
+ client["timeout"])
2697
logger.debug("Last checker succeeded,"
2698
" keeping {} enabled".format(
2699
client_name))
2286
2700
try:
2287
tcp_server.clients[client_name].secret = (
2288
pgp.decrypt(tcp_server.clients[client_name]
2289
.encrypted_secret,
2290
client_settings[client_name]
2291
["secret"]))
2701
client["secret"] = pgp.decrypt(
2702
client["encrypted_secret"],
2703
client_settings[client_name]["secret"])
2292
2704
except PGPError:
2293
2705
# If decryption fails, we use secret from new settings
2294
logger.debug("Failed to decrypt {0} old secret"
2295
.format(client_name))
2296
tcp_server.clients[client_name].secret = (
2297
client_settings[client_name]["secret"])
2298
2299
# Create/remove clients based on new changes made to config
2300
for clientname in set(old_client_settings) - set(client_settings):
2301
del tcp_server.clients[clientname]
2302
for clientname in set(client_settings) - set(old_client_settings):
2303
tcp_server.clients[clientname] = (client_class(name
2304
= clientname,
2305
config =
2306
client_settings
2307
[clientname]))
2706
logger.debug("Failed to decrypt {} old secret".format(
2707
client_name))
2708
client["secret"] = (client_settings[client_name]
2709
["secret"])
2710
2711
# Add/remove clients based on new changes made to config
2712
for client_name in (set(old_client_settings)
2713
- set(client_settings)):
2714
del clients_data[client_name]
2715
for client_name in (set(client_settings)
2716
- set(old_client_settings)):
2717
clients_data[client_name] = client_settings[client_name]
2718
2719
# Create all client objects
2720
for client_name, client in clients_data.items():
2721
tcp_server.clients[client_name] = client_class(
2722
name = client_name,
2723
settings = client,
2724
server_settings = server_settings)
2308
2725
2309
2726
if not tcp_server.clients:
2310
2727
logger.warning("No clients defined")
2311
2312
if not debug:
2313
try:
2314
with pidfile:
2315
pid = os.getpid()
2316
pidfile.write(str(pid) + "\n".encode("utf-8"))
2317
del pidfile
2318
except IOError:
2319
logger.error("Could not write to file %r with PID %d",
2320
pidfilename, pid)
2321
except NameError:
2322
# "pidfile" was never created
2323
pass
2728
2729
if not foreground:
2730
if pidfile is not None:
2731
pid = os.getpid()
2732
try:
2733
with pidfile:
2734
print(pid, file=pidfile)
2735
except IOError:
2736
logger.error("Could not write to file %r with PID %d",
2737
pidfilename, pid)
2738
del pidfile
2324
2739
del pidfilename
2325
2326
signal.signal(signal.SIGINT, signal.SIG_IGN)
2327
2740
2328
2741
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2329
2742
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2330
2743
2331
2744
if use_dbus:
2332
class MandosDBusService(dbus.service.Object):
2745
2746
@alternate_dbus_interfaces(
2747
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
2748
class MandosDBusService(DBusObjectWithProperties):
2333
2749
"""A D-Bus proxy object"""
2750
2334
2751
def __init__(self):
2335
2752
dbus.service.Object.__init__(self, bus, "/")
2753
2336
2754
_interface = "se.recompile.Mandos"
2337
2755
2756
@dbus_interface_annotations(_interface)
2757
def _foo(self):
2758
return {
2759
"org.freedesktop.DBus.Property.EmitsChangedSignal":
2760
"false" }
2761
2338
2762
@dbus.service.signal(_interface, signature="o")
2339
2763
def ClientAdded(self, objpath):
2340
2764
"D-Bus signal"
2353
2777
@dbus.service.method(_interface, out_signature="ao")
2354
2778
def GetAllClients(self):
2355
2779
"D-Bus method"
2356
return dbus.Array(c.dbus_object_path
2357
for c in
2780
return dbus.Array(c.dbus_object_path for c in
2358
2781
tcp_server.clients.itervalues())
2359
2782
2360
2783
@dbus.service.method(_interface,
2362
2785
def GetAllClientsWithProperties(self):
2363
2786
"D-Bus method"
2364
2787
return dbus.Dictionary(
2365
((c.dbus_object_path, c.GetAll(""))
2366
for c in tcp_server.clients.itervalues()),
2788
{ c.dbus_object_path: c.GetAll("")
2789
for c in tcp_server.clients.itervalues() },
2367
2790
signature="oa{sv}")
2368
2791
2369
2792
@dbus.service.method(_interface, in_signature="o")
2382
2805
2383
2806
del _interface
2384
2807
2385
class MandosDBusServiceTransitional(MandosDBusService):
2386
__metaclass__ = AlternateDBusNamesMetaclass
2387
mandos_dbus_service = MandosDBusServiceTransitional()
2808
mandos_dbus_service = MandosDBusService()
2388
2809
2389
2810
def cleanup():
2390
2811
"Cleanup function; run on exit"
2391
service.cleanup()
2812
if zeroconf:
2813
service.cleanup()
2392
2814
2393
2815
multiprocessing.active_children()
2816
wnull.close()
2394
2817
if not (tcp_server.clients or client_settings):
2395
2818
return
2396
2819
2397
2820
# Store client before exiting. Secrets are encrypted with key
2398
2821
# based on what config file has. If config file is
2399
2822
# removed/edited, old secret will thus be unrecovable.
2400
clients = []
2823
clients = {}
2401
2824
with PGPEngine() as pgp:
2402
2825
for client in tcp_server.clients.itervalues():
2403
2826
key = client_settings[client.name]["secret"]
2405
2828
key)
2406
2829
client_dict = {}
2407
2830
2408
# A list of attributes that will not be stored when
2409
# shutting down.
2410
exclude = set(("bus", "changedstate", "secret"))
2411
for name, typ in (inspect.getmembers
2412
(dbus.service.Object)):
2831
# A list of attributes that can not be pickled
2832
# + secret.
2833
exclude = { "bus", "changedstate", "secret",
2834
"checker", "server_settings" }
2835
for name, typ in inspect.getmembers(dbus.service
2836
.Object):
2413
2837
exclude.add(name)
2414
2838
2415
2839
client_dict["encrypted_secret"] = (client
2418
2842
if attr not in exclude:
2419
2843
client_dict[attr] = getattr(client, attr)
2420
2844
2421
clients.append(client_dict)
2845
clients[client.name] = client_dict
2422
2846
del client_settings[client.name]["secret"]
2423
2847
2424
2848
try:
2425
with os.fdopen(os.open(stored_state_path,
2426
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2427
0600), "wb") as stored_state:
2849
with tempfile.NamedTemporaryFile(
2850
mode='wb',
2851
suffix=".pickle",
2852
prefix='clients-',
2853
dir=os.path.dirname(stored_state_path),
2854
delete=False) as stored_state:
2428
2855
pickle.dump((clients, client_settings), stored_state)
2856
tempname = stored_state.name
2857
os.rename(tempname, stored_state_path)
2429
2858
except (IOError, OSError) as e:
2430
logger.warning("Could not save persistent state: {0}"
2431
.format(e))
2432
if e.errno not in (errno.ENOENT, errno.EACCES):
2859
if not debug:
2860
try:
2861
os.remove(tempname)
2862
except NameError:
2863
pass
2864
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2865
logger.warning("Could not save persistent state: {}"
2866
.format(os.strerror(e.errno)))
2867
else:
2868
logger.warning("Could not save persistent state:",
2869
exc_info=e)
2433
2870
raise
2434
2871
2435
2872
# Delete all clients, and settings from config
2441
2878
client.disable(quiet=True)
2442
2879
if use_dbus:
2443
2880
# Emit D-Bus signal
2444
mandos_dbus_service.ClientRemoved(client
2445
.dbus_object_path,
2446
client.name)
2881
mandos_dbus_service.ClientRemoved(
2882
client.dbus_object_path, client.name)
2447
2883
client_settings.clear()
2448
2884
2449
2885
atexit.register(cleanup)
2460
2896
tcp_server.server_activate()
2461
2897
2462
2898
# Find out what port we got
2463
service.port = tcp_server.socket.getsockname()[1]
2899
if zeroconf:
2900
service.port = tcp_server.socket.getsockname()[1]
2464
2901
if use_ipv6:
2465
2902
logger.info("Now listening on address %r, port %d,"
2466
" flowinfo %d, scope_id %d"
2467
% tcp_server.socket.getsockname())
2903
" flowinfo %d, scope_id %d",
2904
*tcp_server.socket.getsockname())
2468
2905
else: # IPv4
2469
logger.info("Now listening on address %r, port %d"
2470
% tcp_server.socket.getsockname())
2906
logger.info("Now listening on address %r, port %d",
2907
*tcp_server.socket.getsockname())
2471
2908
2472
2909
#service.interface = tcp_server.socket.getsockname()[3]
2473
2910
2474
2911
try:
2475
# From the Avahi example code
2476
try:
2477
service.activate()
2478
except dbus.exceptions.DBusException as error:
2479
logger.critical("DBusException: %s", error)
2480
cleanup()
2481
sys.exit(1)
2482
# End of Avahi example code
2912
if zeroconf:
2913
# From the Avahi example code
2914
try:
2915
service.activate()
2916
except dbus.exceptions.DBusException as error:
2917
logger.critical("D-Bus Exception", exc_info=error)
2918
cleanup()
2919
sys.exit(1)
2920
# End of Avahi example code
2483
2921
2484
2922
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2485
2923
lambda *args, **kwargs:
2489
2927
logger.debug("Starting main loop")
2490
2928
main_loop.run()
2491
2929
except AvahiError as error:
2492
logger.critical("AvahiError: %s", error)
2930
logger.critical("Avahi Error", exc_info=error)
2493
2931
cleanup()
2494
2932
sys.exit(1)
2495
2933
except KeyboardInterrupt:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0