89
100
except ImportError:
90
101
SO_BINDTODEVICE = None
103
if sys.version_info.major == 2:
93
107
stored_state_file = "clients.pickle"
95
109
logger = logging.getLogger()
96
syslogger = (logging.handlers.SysLogHandler
97
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
98
address = str("/dev/log")))
101
if_nametoindex = (ctypes.cdll.LoadLibrary
102
(ctypes.util.find_library("c"))
113
if_nametoindex = ctypes.cdll.LoadLibrary(
114
ctypes.util.find_library("c")).if_nametoindex
104
115
except (OSError, AttributeError):
105
117
def if_nametoindex(interface):
106
118
"Get an interface index the hard way, i.e. using fcntl()"
107
119
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
108
120
with contextlib.closing(socket.socket()) as s:
109
121
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
110
struct.pack(str("16s16x"),
112
interface_index = struct.unpack(str("I"),
122
struct.pack(b"16s16x", interface))
123
interface_index = struct.unpack("I", ifreq[16:20])[0]
114
124
return interface_index
117
127
def initlogger(debug, level=logging.WARNING):
118
128
"""init logger and add loglevel"""
131
syslogger = (logging.handlers.SysLogHandler(
132
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
address = "/dev/log"))
120
134
syslogger.setFormatter(logging.Formatter
121
135
('Mandos [%(process)d]: %(levelname)s:'
175
188
def password_encode(self, password):
176
189
# Passphrase can not be empty and can not contain newlines or
177
190
# NUL bytes. So we prefix it and hex encode it.
178
return b"mandos" + binascii.hexlify(password)
191
encoded = b"mandos" + binascii.hexlify(password)
192
if len(encoded) > 2048:
193
# GnuPG can't handle long passwords, so encode differently
194
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
195
.replace(b"\n", b"\\n")
196
.replace(b"\0", b"\\x00"))
180
199
def encrypt(self, data, password):
181
self.gnupg.passphrase = self.password_encode(password)
182
with open(os.devnull, "w") as devnull:
184
proc = self.gnupg.run(['--symmetric'],
185
create_fhs=['stdin', 'stdout'],
186
attach_fhs={'stderr': devnull})
187
with contextlib.closing(proc.handles['stdin']) as f:
189
with contextlib.closing(proc.handles['stdout']) as f:
190
ciphertext = f.read()
194
self.gnupg.passphrase = None
200
passphrase = self.password_encode(password)
201
with tempfile.NamedTemporaryFile(
202
dir=self.tempdir) as passfile:
203
passfile.write(passphrase)
205
proc = subprocess.Popen(['gpg', '--symmetric',
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
213
if proc.returncode != 0:
195
215
return ciphertext
197
217
def decrypt(self, data, password):
198
self.gnupg.passphrase = self.password_encode(password)
199
with open(os.devnull, "w") as devnull:
201
proc = self.gnupg.run(['--decrypt'],
202
create_fhs=['stdin', 'stdout'],
203
attach_fhs={'stderr': devnull})
204
with contextlib.closing(proc.handles['stdin']) as f:
206
with contextlib.closing(proc.handles['stdout']) as f:
207
decrypted_plaintext = f.read()
211
self.gnupg.passphrase = None
218
passphrase = self.password_encode(password)
219
with tempfile.NamedTemporaryFile(
220
dir = self.tempdir) as passfile:
221
passfile.write(passphrase)
223
proc = subprocess.Popen(['gpg', '--decrypt',
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
231
if proc.returncode != 0:
212
233
return decrypted_plaintext
215
236
class AvahiError(Exception):
216
237
def __init__(self, value, *args, **kwargs):
217
238
self.value = value
218
super(AvahiError, self).__init__(value, *args, **kwargs)
219
def __unicode__(self):
220
return unicode(repr(self.value))
239
return super(AvahiError, self).__init__(value, *args,
222
243
class AvahiServiceError(AvahiError):
225
247
class AvahiGroupError(AvahiError):
267
296
self.entry_group_state_changed_match = None
298
def rename(self, remove=True):
270
299
"""Derived from the Avahi example code"""
271
300
if self.rename_count >= self.max_renames:
272
301
logger.critical("No suitable Zeroconf service name found"
273
302
" after %i retries, exiting.",
274
303
self.rename_count)
275
304
raise AvahiServiceError("Too many renames")
276
self.name = unicode(self.server
277
.GetAlternativeServiceName(self.name))
306
self.server.GetAlternativeServiceName(self.name))
307
self.rename_count += 1
278
308
logger.info("Changing Zeroconf service name to %r ...",
283
314
except dbus.exceptions.DBusException as error:
284
logger.critical("D-Bus Exception", exc_info=error)
287
self.rename_count += 1
315
if (error.get_dbus_name()
316
== "org.freedesktop.Avahi.CollisionError"):
317
logger.info("Local Zeroconf service name collision.")
318
return self.rename(remove=False)
320
logger.critical("D-Bus Exception", exc_info=error)
289
324
def remove(self):
290
325
"""Derived from the Avahi example code"""
346
380
def server_state_changed(self, state, error=None):
347
381
"""Derived from the Avahi example code"""
348
382
logger.debug("Avahi server state change: %i", state)
349
bad_states = { avahi.SERVER_INVALID:
350
"Zeroconf server invalid",
351
avahi.SERVER_REGISTERING: None,
352
avahi.SERVER_COLLISION:
353
"Zeroconf server name collision",
354
avahi.SERVER_FAILURE:
355
"Zeroconf server failure" }
384
avahi.SERVER_INVALID: "Zeroconf server invalid",
385
avahi.SERVER_REGISTERING: None,
386
avahi.SERVER_COLLISION: "Zeroconf server name collision",
387
avahi.SERVER_FAILURE: "Zeroconf server failure",
356
389
if state in bad_states:
357
390
if bad_states[state] is not None:
358
391
if error is None:
377
421
follow_name_owner_changes=True),
378
422
avahi.DBUS_INTERFACE_SERVER)
379
423
self.server.connect_to_signal("StateChanged",
380
self.server_state_changed)
424
self.server_state_changed)
381
425
self.server_state_changed(self.server.GetState())
384
428
class AvahiServiceToSyslog(AvahiService):
429
def rename(self, *args, **kwargs):
386
430
"""Add the new name to the syslog messages"""
387
ret = AvahiService.rename(self)
388
syslogger.setFormatter(logging.Formatter
389
('Mandos ({0}) [%(process)d]:'
390
' %(levelname)s: %(message)s'
431
ret = AvahiService.rename(self, *args, **kwargs)
432
syslogger.setFormatter(logging.Formatter(
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
395
def timedelta_to_milliseconds(td):
396
"Convert a datetime.timedelta() to milliseconds"
397
return ((td.days * 24 * 60 * 60 * 1000)
398
+ (td.seconds * 1000)
399
+ (td.microseconds // 1000))
437
def call_pipe(connection, # : multiprocessing.Connection
438
func, *args, **kwargs):
439
"""This function is meant to be called by multiprocessing.Process
441
This function runs func(*args, **kwargs), and writes the resulting
442
return value on the provided multiprocessing.Connection.
444
connection.send(func(*args, **kwargs))
402
447
class Client(object):
403
448
"""A representation of a client host served by this server.
447
495
"fingerprint", "host", "interval",
448
496
"last_approval_request", "last_checked_ok",
449
497
"last_enabled", "name", "timeout")
450
client_defaults = { "timeout": "PT5M",
451
"extended_timeout": "PT15M",
453
"checker": "fping -q -- %%(host)s",
455
"approval_delay": "PT0S",
456
"approval_duration": "PT1S",
457
"approved_by_default": "True",
461
def timeout_milliseconds(self):
462
"Return the 'timeout' attribute in milliseconds"
463
return timedelta_to_milliseconds(self.timeout)
465
def extended_timeout_milliseconds(self):
466
"Return the 'extended_timeout' attribute in milliseconds"
467
return timedelta_to_milliseconds(self.extended_timeout)
469
def interval_milliseconds(self):
470
"Return the 'interval' attribute in milliseconds"
471
return timedelta_to_milliseconds(self.interval)
473
def approval_delay_milliseconds(self):
474
return timedelta_to_milliseconds(self.approval_delay)
500
"extended_timeout": "PT15M",
502
"checker": "fping -q -- %%(host)s",
504
"approval_delay": "PT0S",
505
"approval_duration": "PT1S",
506
"approved_by_default": "True",
477
511
def config_parser(config):
552
589
self.current_checker_command = None
553
590
self.approved = None
554
591
self.approvals_pending = 0
555
self.changedstate = (multiprocessing_manager
556
.Condition(multiprocessing_manager
558
self.client_structure = [attr for attr in
559
self.__dict__.iterkeys()
592
self.changedstate = multiprocessing_manager.Condition(
593
multiprocessing_manager.Lock())
594
self.client_structure = [attr
595
for attr in self.__dict__.iterkeys()
560
596
if not attr.startswith("_")]
561
597
self.client_structure.append("client_structure")
563
for name, t in inspect.getmembers(type(self),
599
for name, t in inspect.getmembers(
600
type(self), lambda obj: isinstance(obj, property)):
567
601
if not name.startswith("_"):
568
602
self.client_structure.append(name)
611
645
# and every interval from then on.
612
646
if self.checker_initiator_tag is not None:
613
647
gobject.source_remove(self.checker_initiator_tag)
614
self.checker_initiator_tag = (gobject.timeout_add
615
(self.interval_milliseconds(),
648
self.checker_initiator_tag = gobject.timeout_add(
649
int(self.interval.total_seconds() * 1000),
617
651
# Schedule a disable() when 'timeout' has passed
618
652
if self.disable_initiator_tag is not None:
619
653
gobject.source_remove(self.disable_initiator_tag)
620
self.disable_initiator_tag = (gobject.timeout_add
621
(self.timeout_milliseconds(),
654
self.disable_initiator_tag = gobject.timeout_add(
655
int(self.timeout.total_seconds() * 1000), self.disable)
623
656
# Also start a new checker *right now*.
624
657
self.start_checker()
626
def checker_callback(self, pid, condition, command):
659
def checker_callback(self, source, condition, connection,
627
661
"""The checker has completed, so take appropriate actions."""
628
662
self.checker_callback_tag = None
629
663
self.checker = None
630
if os.WIFEXITED(condition):
631
self.last_checker_status = os.WEXITSTATUS(condition)
664
# Read return code from connection (see call_pipe)
665
returncode = connection.recv()
669
self.last_checker_status = returncode
670
self.last_checker_signal = None
632
671
if self.last_checker_status == 0:
633
672
logger.info("Checker for %(name)s succeeded",
635
674
self.checked_ok()
637
logger.info("Checker for %(name)s failed",
676
logger.info("Checker for %(name)s failed", vars(self))
640
678
self.last_checker_status = -1
679
self.last_checker_signal = -returncode
641
680
logger.warning("Checker for %(name)s crashed?",
644
684
def checked_ok(self):
645
685
"""Assert that the client has been seen, alive and well."""
646
686
self.last_checked_ok = datetime.datetime.utcnow()
647
687
self.last_checker_status = 0
688
self.last_checker_signal = None
648
689
self.bump_timeout()
650
691
def bump_timeout(self, timeout=None):
677
717
# than 'timeout' for the client to be disabled, which is as it
680
# If a checker exists, make sure it is not a zombie
682
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
683
except (AttributeError, OSError) as error:
684
if (isinstance(error, OSError)
685
and error.errno != errno.ECHILD):
689
logger.warning("Checker was a zombie")
690
gobject.source_remove(self.checker_callback_tag)
691
self.checker_callback(pid, status,
692
self.current_checker_command)
720
if self.checker is not None and not self.checker.is_alive():
721
logger.warning("Checker was not alive; joining")
693
724
# Start a new checker if needed
694
725
if self.checker is None:
695
726
# Escape attributes for the shell
696
escaped_attrs = dict(
697
(attr, re.escape(unicode(getattr(self, attr))))
699
self.runtime_expansions)
728
attr: re.escape(str(getattr(self, attr)))
729
for attr in self.runtime_expansions }
701
731
command = self.checker_command % escaped_attrs
702
732
except TypeError as error:
703
733
logger.error('Could not format string "%s"',
704
self.checker_command, exc_info=error)
705
return True # Try again later
734
self.checker_command,
736
return True # Try again later
706
737
self.current_checker_command = command
708
logger.info("Starting checker %r for %s",
710
# We don't need to redirect stdout and stderr, since
711
# in normal mode, that is already done by daemon(),
712
# and in debug mode we don't want to. (Stdin is
713
# always replaced by /dev/null.)
714
self.checker = subprocess.Popen(command,
717
except OSError as error:
718
logger.error("Failed to start subprocess",
721
self.checker_callback_tag = (gobject.child_watch_add
723
self.checker_callback,
725
# The checker may have completed before the gobject
726
# watch was added. Check for this.
728
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
729
except OSError as error:
730
if error.errno == errno.ECHILD:
731
# This should never happen
732
logger.error("Child process vanished",
737
gobject.source_remove(self.checker_callback_tag)
738
self.checker_callback(pid, status, command)
738
logger.info("Starting checker %r for %s", command,
740
# We don't need to redirect stdout and stderr, since
741
# in normal mode, that is already done by daemon(),
742
# and in debug mode we don't want to. (Stdin is
743
# always replaced by /dev/null.)
744
# The exception is when not debugging but nevertheless
745
# running in the foreground; use the previously
747
popen_args = { "close_fds": True,
750
if (not self.server_settings["debug"]
751
and self.server_settings["foreground"]):
752
popen_args.update({"stdout": wnull,
754
pipe = multiprocessing.Pipe(duplex = False)
755
self.checker = multiprocessing.Process(
757
args = (pipe[1], subprocess.call, command),
760
self.checker_callback_tag = gobject.io_add_watch(
761
pipe[0].fileno(), gobject.IO_IN,
762
self.checker_callback, pipe[0], command)
739
763
# Re-run this periodically if run by gobject.timeout_add
811
834
"""Decorator to annotate D-Bus methods, signals or properties
837
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
838
"org.freedesktop.DBus.Property."
839
"EmitsChangedSignal": "false"})
814
840
@dbus_service_property("org.example.Interface", signature="b",
816
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
817
"org.freedesktop.DBus.Property."
818
"EmitsChangedSignal": "false"})
819
842
def Property_dbus_property(self):
820
843
return dbus.Boolean(False)
845
See also the DBusObjectWithAnnotations class.
822
848
def decorator(func):
823
849
func._dbus_annotations = annotations
828
855
class DBusPropertyException(dbus.exceptions.DBusException):
829
856
"""A base class for D-Bus property-related exceptions
831
def __unicode__(self):
832
return unicode(str(self))
835
861
class DBusPropertyAccessException(DBusPropertyException):
859
884
If called like _is_dbus_thing("method") it returns a function
860
885
suitable for use as predicate to inspect.getmembers().
862
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
887
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
865
890
def _get_all_dbus_things(self, thing):
866
891
"""Returns a generator of (name, attribute) pairs
868
return ((getattr(athing.__get__(self), "_dbus_name",
893
return ((getattr(athing.__get__(self), "_dbus_name", name),
870
894
athing.__get__(self))
871
895
for cls in self.__class__.__mro__
872
896
for name, athing in
873
inspect.getmembers(cls,
874
self._is_dbus_thing(thing)))
897
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
path_keyword = 'object_path',
902
connection_keyword = 'connection')
903
def Introspect(self, object_path, connection):
904
"""Overloading of standard D-Bus method.
906
Inserts annotation tags on methods and signals.
908
xmlstring = dbus.service.Object.Introspect(self, object_path,
911
document = xml.dom.minidom.parseString(xmlstring)
913
for if_tag in document.getElementsByTagName("interface"):
914
# Add annotation tags
915
for typ in ("method", "signal"):
916
for tag in if_tag.getElementsByTagName(typ):
918
for name, prop in (self.
919
_get_all_dbus_things(typ)):
920
if (name == tag.getAttribute("name")
921
and prop._dbus_interface
922
== if_tag.getAttribute("name")):
923
annots.update(getattr(
924
prop, "_dbus_annotations", {}))
925
for name, value in annots.items():
926
ann_tag = document.createElement(
928
ann_tag.setAttribute("name", name)
929
ann_tag.setAttribute("value", value)
930
tag.appendChild(ann_tag)
931
# Add interface annotation tags
932
for annotation, value in dict(
933
itertools.chain.from_iterable(
934
annotations().items()
935
for name, annotations
936
in self._get_all_dbus_things("interface")
937
if name == if_tag.getAttribute("name")
939
ann_tag = document.createElement("annotation")
940
ann_tag.setAttribute("name", annotation)
941
ann_tag.setAttribute("value", value)
942
if_tag.appendChild(ann_tag)
943
# Fix argument name for the Introspect method itself
944
if (if_tag.getAttribute("name")
945
== dbus.INTROSPECTABLE_IFACE):
946
for cn in if_tag.getElementsByTagName("method"):
947
if cn.getAttribute("name") == "Introspect":
948
for arg in cn.getElementsByTagName("arg"):
949
if (arg.getAttribute("direction")
951
arg.setAttribute("name",
953
xmlstring = document.toxml("utf-8")
955
except (AttributeError, xml.dom.DOMException,
956
xml.parsers.expat.ExpatError) as error:
957
logger.error("Failed to override Introspection method",
962
class DBusObjectWithProperties(DBusObjectWithAnnotations):
963
"""A D-Bus object with properties.
965
Classes inheriting from this can use the dbus_service_property
966
decorator to expose methods as D-Bus properties. It exposes the
967
standard Get(), Set(), and GetAll() methods on the D-Bus.
876
970
def _get_dbus_property(self, interface_name, property_name):
877
971
"""Returns a bound method if one exists which is a D-Bus
878
972
property with the specified name and interface.
880
for cls in self.__class__.__mro__:
881
for name, value in (inspect.getmembers
883
self._is_dbus_thing("property"))):
974
for cls in self.__class__.__mro__:
975
for name, value in inspect.getmembers(
976
cls, self._is_dbus_thing("property")):
884
977
if (value._dbus_name == property_name
885
978
and value._dbus_interface == interface_name):
886
979
return value.__get__(self)
888
981
# No such property
889
raise DBusPropertyNotFound(self.dbus_object_path + ":"
890
+ interface_name + "."
893
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
982
raise DBusPropertyNotFound("{}:{}.{}".format(
983
self.dbus_object_path, interface_name, property_name))
986
def _get_all_interface_names(cls):
987
"""Get a sequence of all interfaces supported by an object"""
988
return (name for name in set(getattr(getattr(x, attr),
989
"_dbus_interface", None)
990
for x in (inspect.getmro(cls))
994
@dbus.service.method(dbus.PROPERTIES_IFACE,
894
996
out_signature="v")
895
997
def Get(self, interface_name, property_name):
896
998
"""Standard D-Bus property Get() method, see D-Bus standard.
971
1087
if prop._dbus_interface
972
1088
== if_tag.getAttribute("name")):
973
1089
if_tag.appendChild(tag)
974
# Add annotation tags
975
for typ in ("method", "signal", "property"):
976
for tag in if_tag.getElementsByTagName(typ):
978
for name, prop in (self.
979
_get_all_dbus_things(typ)):
980
if (name == tag.getAttribute("name")
981
and prop._dbus_interface
982
== if_tag.getAttribute("name")):
983
annots.update(getattr
987
for name, value in annots.iteritems():
988
ann_tag = document.createElement(
990
ann_tag.setAttribute("name", name)
991
ann_tag.setAttribute("value", value)
992
tag.appendChild(ann_tag)
993
# Add interface annotation tags
994
for annotation, value in dict(
995
itertools.chain.from_iterable(
996
annotations().iteritems()
997
for name, annotations in
998
self._get_all_dbus_things("interface")
999
if name == if_tag.getAttribute("name")
1001
ann_tag = document.createElement("annotation")
1002
ann_tag.setAttribute("name", annotation)
1003
ann_tag.setAttribute("value", value)
1004
if_tag.appendChild(ann_tag)
1090
# Add annotation tags for properties
1091
for tag in if_tag.getElementsByTagName("property"):
1093
for name, prop in self._get_all_dbus_things(
1095
if (name == tag.getAttribute("name")
1096
and prop._dbus_interface
1097
== if_tag.getAttribute("name")):
1098
annots.update(getattr(
1099
prop, "_dbus_annotations", {}))
1100
for name, value in annots.items():
1101
ann_tag = document.createElement(
1103
ann_tag.setAttribute("name", name)
1104
ann_tag.setAttribute("value", value)
1105
tag.appendChild(ann_tag)
1005
1106
# Add the names to the return values for the
1006
1107
# "org.freedesktop.DBus.Properties" methods
1007
1108
if (if_tag.getAttribute("name")
1025
1126
exc_info=error)
1026
1127
return xmlstring
1130
dbus.OBJECT_MANAGER_IFACE
1131
except AttributeError:
1132
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1135
"""A D-Bus object with an ObjectManager.
1137
Classes inheriting from this exposes the standard
1138
GetManagedObjects call and the InterfacesAdded and
1139
InterfacesRemoved signals on the standard
1140
"org.freedesktop.DBus.ObjectManager" interface.
1142
Note: No signals are sent automatically; they must be sent
1145
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1146
out_signature = "a{oa{sa{sv}}}")
1147
def GetManagedObjects(self):
1148
"""This function must be overridden"""
1149
raise NotImplementedError()
1151
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1152
signature = "oa{sa{sv}}")
1153
def InterfacesAdded(self, object_path, interfaces_and_properties):
1156
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1157
def InterfacesRemoved(self, object_path, interfaces):
1160
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1164
def Introspect(self, object_path, connection):
1165
"""Overloading of standard D-Bus method.
1167
Override return argument name of GetManagedObjects to be
1168
"objpath_interfaces_and_properties"
1170
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1174
document = xml.dom.minidom.parseString(xmlstring)
1176
for if_tag in document.getElementsByTagName("interface"):
1177
# Fix argument name for the GetManagedObjects method
1178
if (if_tag.getAttribute("name")
1179
== dbus.OBJECT_MANAGER_IFACE):
1180
for cn in if_tag.getElementsByTagName("method"):
1181
if (cn.getAttribute("name")
1182
== "GetManagedObjects"):
1183
for arg in cn.getElementsByTagName("arg"):
1184
if (arg.getAttribute("direction")
1188
"objpath_interfaces"
1190
xmlstring = document.toxml("utf-8")
1192
except (AttributeError, xml.dom.DOMException,
1193
xml.parsers.expat.ExpatError) as error:
1194
logger.error("Failed to override Introspection method",
1029
1198
def datetime_to_dbus(dt, variant_level=0):
1030
1199
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1032
1201
return dbus.String("", variant_level = variant_level)
1033
return dbus.String(dt.isoformat(),
1034
variant_level=variant_level)
1202
return dbus.String(dt.isoformat(), variant_level=variant_level)
1037
1205
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1067
1236
# Ignore non-D-Bus attributes, and D-Bus attributes
1068
1237
# with the wrong interface name
1069
1238
if (not hasattr(attribute, "_dbus_interface")
1070
or not attribute._dbus_interface
1071
.startswith(orig_interface_name)):
1239
or not attribute._dbus_interface.startswith(
1240
orig_interface_name)):
1073
1242
# Create an alternate D-Bus interface name based on
1074
1243
# the current name
1075
alt_interface = (attribute._dbus_interface
1076
.replace(orig_interface_name,
1077
alt_interface_name))
1244
alt_interface = attribute._dbus_interface.replace(
1245
orig_interface_name, alt_interface_name)
1078
1246
interface_names.add(alt_interface)
1079
1247
# Is this a D-Bus signal?
1080
1248
if getattr(attribute, "_dbus_is_signal", False):
1081
# Extract the original non-method undecorated
1082
# function by black magic
1083
nonmethod_func = (dict(
1249
if sys.version_info.major == 2:
1250
# Extract the original non-method undecorated
1251
# function by black magic
1252
nonmethod_func = (dict(
1084
1253
zip(attribute.func_code.co_freevars,
1085
attribute.__closure__))["func"]
1254
attribute.__closure__))
1255
["func"].cell_contents)
1257
nonmethod_func = attribute
1087
1258
# Create a new, but exactly alike, function
1088
1259
# object, and decorate it to be a new D-Bus signal
1089
1260
# with the alternate D-Bus interface name
1090
new_function = (dbus.service.signal
1092
attribute._dbus_signature)
1093
(types.FunctionType(
1094
nonmethod_func.func_code,
1095
nonmethod_func.func_globals,
1096
nonmethod_func.func_name,
1097
nonmethod_func.func_defaults,
1098
nonmethod_func.func_closure)))
1261
if sys.version_info.major == 2:
1262
new_function = types.FunctionType(
1263
nonmethod_func.func_code,
1264
nonmethod_func.func_globals,
1265
nonmethod_func.func_name,
1266
nonmethod_func.func_defaults,
1267
nonmethod_func.func_closure)
1269
new_function = types.FunctionType(
1270
nonmethod_func.__code__,
1271
nonmethod_func.__globals__,
1272
nonmethod_func.__name__,
1273
nonmethod_func.__defaults__,
1274
nonmethod_func.__closure__)
1275
new_function = (dbus.service.signal(
1277
attribute._dbus_signature)(new_function))
1099
1278
# Copy annotations, if any
1101
new_function._dbus_annotations = (
1102
dict(attribute._dbus_annotations))
1280
new_function._dbus_annotations = dict(
1281
attribute._dbus_annotations)
1103
1282
except AttributeError:
1105
1284
# Define a creator of a function to call both the
1125
1311
# object. Decorate it to be a new D-Bus method
1126
1312
# with the alternate D-Bus interface name. Add it
1127
1313
# to the class.
1128
attr[attrname] = (dbus.service.method
1130
attribute._dbus_in_signature,
1131
attribute._dbus_out_signature)
1133
(attribute.func_code,
1134
attribute.func_globals,
1135
attribute.func_name,
1136
attribute.func_defaults,
1137
attribute.func_closure)))
1315
dbus.service.method(
1317
attribute._dbus_in_signature,
1318
attribute._dbus_out_signature)
1319
(types.FunctionType(attribute.func_code,
1320
attribute.func_globals,
1321
attribute.func_name,
1322
attribute.func_defaults,
1323
attribute.func_closure)))
1138
1324
# Copy annotations, if any
1140
attr[attrname]._dbus_annotations = (
1141
dict(attribute._dbus_annotations))
1326
attr[attrname]._dbus_annotations = dict(
1327
attribute._dbus_annotations)
1142
1328
except AttributeError:
1144
1330
# Is this a D-Bus property?
1147
1333
# object, and decorate it to be a new D-Bus
1148
1334
# property with the alternate D-Bus interface
1149
1335
# name. Add it to the class.
1150
attr[attrname] = (dbus_service_property
1152
attribute._dbus_signature,
1153
attribute._dbus_access,
1155
._dbus_get_args_options
1158
(attribute.func_code,
1159
attribute.func_globals,
1160
attribute.func_name,
1161
attribute.func_defaults,
1162
attribute.func_closure)))
1336
attr[attrname] = (dbus_service_property(
1337
alt_interface, attribute._dbus_signature,
1338
attribute._dbus_access,
1339
attribute._dbus_get_args_options
1341
(types.FunctionType(
1342
attribute.func_code,
1343
attribute.func_globals,
1344
attribute.func_name,
1345
attribute.func_defaults,
1346
attribute.func_closure)))
1163
1347
# Copy annotations, if any
1165
attr[attrname]._dbus_annotations = (
1166
dict(attribute._dbus_annotations))
1349
attr[attrname]._dbus_annotations = dict(
1350
attribute._dbus_annotations)
1167
1351
except AttributeError:
1169
1353
# Is this a D-Bus interface?
1223
1410
Client.__init__(self, *args, **kwargs)
1224
1411
# Only now, when this client is initialized, can it show up on
1226
client_object_name = unicode(self.name).translate(
1413
client_object_name = str(self.name).translate(
1227
1414
{ord("."): ord("_"),
1228
1415
ord("-"): ord("_")})
1229
self.dbus_object_path = (dbus.ObjectPath
1230
("/clients/" + client_object_name))
1416
self.dbus_object_path = dbus.ObjectPath(
1417
"/clients/" + client_object_name)
1231
1418
DBusObjectWithProperties.__init__(self, self.bus,
1232
1419
self.dbus_object_path)
1234
def notifychangeproperty(transform_func,
1235
dbus_name, type_func=lambda x: x,
1421
def notifychangeproperty(transform_func, dbus_name,
1422
type_func=lambda x: x,
1424
invalidate_only=False,
1425
_interface=_interface):
1237
1426
""" Modify a variable so that it's a property which announces
1238
1427
its changes to DBus.
1244
1433
to the D-Bus. Default: no transform
1245
1434
variant_level: D-Bus variant level. Default: 1
1247
attrname = "_{0}".format(dbus_name)
1436
attrname = "_{}".format(dbus_name)
1248
1438
def setter(self, value):
1249
1439
if hasattr(self, "dbus_object_path"):
1250
1440
if (not hasattr(self, attrname) or
1251
1441
type_func(getattr(self, attrname, None))
1252
1442
!= type_func(value)):
1253
dbus_value = transform_func(type_func(value),
1256
self.PropertyChanged(dbus.String(dbus_name),
1444
self.PropertiesChanged(
1445
_interface, dbus.Dictionary(),
1446
dbus.Array((dbus_name, )))
1448
dbus_value = transform_func(
1450
variant_level = variant_level)
1451
self.PropertyChanged(dbus.String(dbus_name),
1453
self.PropertiesChanged(
1455
dbus.Dictionary({ dbus.String(dbus_name):
1258
1458
setattr(self, attrname, value)
1260
1460
return property(lambda self: getattr(self, attrname), setter)
1277
1477
datetime_to_dbus, "LastApprovalRequest")
1278
1478
approved_by_default = notifychangeproperty(dbus.Boolean,
1279
1479
"ApprovedByDefault")
1280
approval_delay = notifychangeproperty(dbus.UInt64,
1283
timedelta_to_milliseconds)
1480
approval_delay = notifychangeproperty(
1481
dbus.UInt64, "ApprovalDelay",
1482
type_func = lambda td: td.total_seconds() * 1000)
1284
1483
approval_duration = notifychangeproperty(
1285
1484
dbus.UInt64, "ApprovalDuration",
1286
type_func = timedelta_to_milliseconds)
1485
type_func = lambda td: td.total_seconds() * 1000)
1287
1486
host = notifychangeproperty(dbus.String, "Host")
1288
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1290
timedelta_to_milliseconds)
1487
timeout = notifychangeproperty(
1488
dbus.UInt64, "Timeout",
1489
type_func = lambda td: td.total_seconds() * 1000)
1291
1490
extended_timeout = notifychangeproperty(
1292
1491
dbus.UInt64, "ExtendedTimeout",
1293
type_func = timedelta_to_milliseconds)
1294
interval = notifychangeproperty(dbus.UInt64,
1297
timedelta_to_milliseconds)
1492
type_func = lambda td: td.total_seconds() * 1000)
1493
interval = notifychangeproperty(
1494
dbus.UInt64, "Interval",
1495
type_func = lambda td: td.total_seconds() * 1000)
1298
1496
checker_command = notifychangeproperty(dbus.String, "Checker")
1497
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1498
invalidate_only=True)
1300
1500
del notifychangeproperty
1308
1508
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1309
1509
Client.__del__(self, *args, **kwargs)
1311
def checker_callback(self, pid, condition, command,
1313
self.checker_callback_tag = None
1315
if os.WIFEXITED(condition):
1316
exitstatus = os.WEXITSTATUS(condition)
1511
def checker_callback(self, source, condition,
1512
connection, command, *args, **kwargs):
1513
ret = Client.checker_callback(self, source, condition,
1514
connection, command, *args,
1516
exitstatus = self.last_checker_status
1317
1518
# Emit D-Bus signal
1318
1519
self.CheckerCompleted(dbus.Int16(exitstatus),
1319
dbus.Int64(condition),
1520
# This is specific to GNU libC
1521
dbus.Int64(exitstatus << 8),
1320
1522
dbus.String(command))
1322
1524
# Emit D-Bus signal
1323
1525
self.CheckerCompleted(dbus.Int16(-1),
1324
dbus.Int64(condition),
1527
# This is specific to GNU libC
1529
| self.last_checker_signal),
1325
1530
dbus.String(command))
1327
return Client.checker_callback(self, pid, condition, command,
1330
1533
def start_checker(self, *args, **kwargs):
1331
old_checker = self.checker
1332
if self.checker is not None:
1333
old_checker_pid = self.checker.pid
1335
old_checker_pid = None
1534
old_checker_pid = getattr(self.checker, "pid", None)
1336
1535
r = Client.start_checker(self, *args, **kwargs)
1337
1536
# Only if new checker process was started
1338
1537
if (self.checker is not None
1454
1652
self.approved_by_default = bool(value)
1456
1654
# ApprovalDelay - property
1457
@dbus_service_property(_interface, signature="t",
1655
@dbus_service_property(_interface,
1458
1657
access="readwrite")
1459
1658
def ApprovalDelay_dbus_property(self, value=None):
1460
1659
if value is None: # get
1461
return dbus.UInt64(self.approval_delay_milliseconds())
1660
return dbus.UInt64(self.approval_delay.total_seconds()
1462
1662
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1464
1664
# ApprovalDuration - property
1465
@dbus_service_property(_interface, signature="t",
1665
@dbus_service_property(_interface,
1466
1667
access="readwrite")
1467
1668
def ApprovalDuration_dbus_property(self, value=None):
1468
1669
if value is None: # get
1469
return dbus.UInt64(timedelta_to_milliseconds(
1470
self.approval_duration))
1670
return dbus.UInt64(self.approval_duration.total_seconds()
1471
1672
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1473
1674
# Name - property
1676
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1474
1677
@dbus_service_property(_interface, signature="s", access="read")
1475
1678
def Name_dbus_property(self):
1476
1679
return dbus.String(self.name)
1478
1681
# Fingerprint - property
1683
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1479
1684
@dbus_service_property(_interface, signature="s", access="read")
1480
1685
def Fingerprint_dbus_property(self):
1481
1686
return dbus.String(self.fingerprint)
1483
1688
# Host - property
1484
@dbus_service_property(_interface, signature="s",
1689
@dbus_service_property(_interface,
1485
1691
access="readwrite")
1486
1692
def Host_dbus_property(self, value=None):
1487
1693
if value is None: # get
1488
1694
return dbus.String(self.host)
1489
self.host = unicode(value)
1695
self.host = str(value)
1491
1697
# Created - property
1699
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1492
1700
@dbus_service_property(_interface, signature="s", access="read")
1493
1701
def Created_dbus_property(self):
1494
1702
return datetime_to_dbus(self.created)
1556
1766
gobject.source_remove(self.disable_initiator_tag)
1557
self.disable_initiator_tag = (
1558
gobject.timeout_add(
1559
timedelta_to_milliseconds(self.expires - now),
1767
self.disable_initiator_tag = gobject.timeout_add(
1768
int((self.expires - now).total_seconds() * 1000),
1562
1771
# ExtendedTimeout - property
1563
@dbus_service_property(_interface, signature="t",
1772
@dbus_service_property(_interface,
1564
1774
access="readwrite")
1565
1775
def ExtendedTimeout_dbus_property(self, value=None):
1566
1776
if value is None: # get
1567
return dbus.UInt64(self.extended_timeout_milliseconds())
1777
return dbus.UInt64(self.extended_timeout.total_seconds()
1568
1779
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1570
1781
# Interval - property
1571
@dbus_service_property(_interface, signature="t",
1782
@dbus_service_property(_interface,
1572
1784
access="readwrite")
1573
1785
def Interval_dbus_property(self, value=None):
1574
1786
if value is None: # get
1575
return dbus.UInt64(self.interval_milliseconds())
1787
return dbus.UInt64(self.interval.total_seconds() * 1000)
1576
1788
self.interval = datetime.timedelta(0, 0, 0, value)
1577
1789
if getattr(self, "checker_initiator_tag", None) is None:
1579
1791
if self.enabled:
1580
1792
# Reschedule checker run
1581
1793
gobject.source_remove(self.checker_initiator_tag)
1582
self.checker_initiator_tag = (gobject.timeout_add
1583
(value, self.start_checker))
1584
self.start_checker() # Start one now, too
1794
self.checker_initiator_tag = gobject.timeout_add(
1795
value, self.start_checker)
1796
self.start_checker() # Start one now, too
1586
1798
# Checker - property
1587
@dbus_service_property(_interface, signature="s",
1799
@dbus_service_property(_interface,
1588
1801
access="readwrite")
1589
1802
def Checker_dbus_property(self, value=None):
1590
1803
if value is None: # get
1591
1804
return dbus.String(self.checker_command)
1592
self.checker_command = unicode(value)
1805
self.checker_command = str(value)
1594
1807
# CheckerRunning - property
1595
@dbus_service_property(_interface, signature="b",
1808
@dbus_service_property(_interface,
1596
1810
access="readwrite")
1597
1811
def CheckerRunning_dbus_property(self, value=None):
1598
1812
if value is None: # get
1824
2043
def fingerprint(openpgp):
1825
2044
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1826
2045
# New GnuTLS "datum" with the OpenPGP public key
1827
datum = (gnutls.library.types
1828
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1831
ctypes.c_uint(len(openpgp))))
2046
datum = gnutls.library.types.gnutls_datum_t(
2047
ctypes.cast(ctypes.c_char_p(openpgp),
2048
ctypes.POINTER(ctypes.c_ubyte)),
2049
ctypes.c_uint(len(openpgp)))
1832
2050
# New empty GnuTLS certificate
1833
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1834
(gnutls.library.functions
1835
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
1836
2054
# Import the OpenPGP public key into the certificate
1837
(gnutls.library.functions
1838
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1839
gnutls.library.constants
1840
.GNUTLS_OPENPGP_FMT_RAW))
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
1841
2058
# Verify the self signature in the key
1842
2059
crtverify = ctypes.c_uint()
1843
(gnutls.library.functions
1844
.gnutls_openpgp_crt_verify_self(crt, 0,
1845
ctypes.byref(crtverify)))
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
1846
2062
if crtverify.value != 0:
1847
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1848
raise (gnutls.errors.CertificateSecurityError
2064
raise gnutls.errors.CertificateSecurityError(
1850
2066
# New buffer for the fingerprint
1851
2067
buf = ctypes.create_string_buffer(20)
1852
2068
buf_len = ctypes.c_size_t()
1853
2069
# Get the fingerprint from the certificate into the buffer
1854
(gnutls.library.functions
1855
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1856
ctypes.byref(buf_len)))
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
1857
2072
# Deinit the certificate
1858
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1859
2074
# Convert the buffer to a Python bytestring
2027
2252
def add_pipe(self, parent_pipe, proc):
2028
2253
# Call "handle_ipc" for both data and EOF events
2029
gobject.io_add_watch(parent_pipe.fileno(),
2030
gobject.IO_IN | gobject.IO_HUP,
2031
functools.partial(self.handle_ipc,
2254
gobject.io_add_watch(
2255
parent_pipe.fileno(),
2256
gobject.IO_IN | gobject.IO_HUP,
2257
functools.partial(self.handle_ipc,
2258
parent_pipe = parent_pipe,
2036
def handle_ipc(self, source, condition, parent_pipe=None,
2037
proc = None, client_object=None):
2261
def handle_ipc(self, source, condition,
2264
client_object=None):
2038
2265
# error, or the other end of multiprocessing.Pipe has closed
2039
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2040
2267
# Wait for other process to exit
2127
2354
# avoid excessive use of external libraries.
2129
2356
# New type for defining tokens, syntax, and semantics all-in-one
2130
Token = collections.namedtuple("Token",
2131
("regexp", # To match token; if
2132
# "value" is not None,
2133
# must have a "group"
2135
"value", # datetime.timedelta or
2137
"followers")) # Tokens valid after
2357
Token = collections.namedtuple("Token", (
2358
"regexp", # To match token; if "value" is not None, must have
2359
# a "group" containing digits
2360
"value", # datetime.timedelta or None
2361
"followers")) # Tokens valid after this token
2139
2362
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2140
2363
# the "duration" ABNF definition in RFC 3339, Appendix A.
2141
2364
token_end = Token(re.compile(r"$"), None, frozenset())
2142
2365
token_second = Token(re.compile(r"(\d+)S"),
2143
2366
datetime.timedelta(seconds=1),
2144
frozenset((token_end,)))
2367
frozenset((token_end, )))
2145
2368
token_minute = Token(re.compile(r"(\d+)M"),
2146
2369
datetime.timedelta(minutes=1),
2147
2370
frozenset((token_second, token_end)))
2303
2526
parser.add_argument("--no-dbus", action="store_false",
2304
2527
dest="use_dbus", help="Do not provide D-Bus"
2305
" system bus interface")
2528
" system bus interface", default=None)
2306
2529
parser.add_argument("--no-ipv6", action="store_false",
2307
dest="use_ipv6", help="Do not use IPv6")
2530
dest="use_ipv6", help="Do not use IPv6",
2308
2532
parser.add_argument("--no-restore", action="store_false",
2309
2533
dest="restore", help="Do not restore stored"
2534
" state", default=None)
2311
2535
parser.add_argument("--socket", type=int,
2312
2536
help="Specify a file descriptor to a network"
2313
2537
" socket to use instead of creating one")
2314
2538
parser.add_argument("--statedir", metavar="DIR",
2315
2539
help="Directory to save/restore state in")
2316
2540
parser.add_argument("--foreground", action="store_true",
2317
help="Run in foreground")
2541
help="Run in foreground", default=None)
2542
parser.add_argument("--no-zeroconf", action="store_false",
2543
dest="zeroconf", help="Do not use Zeroconf",
2319
2546
options = parser.parse_args()
2321
2548
if options.check:
2550
fail_count, test_count = doctest.testmod()
2551
sys.exit(os.EX_OK if fail_count == 0 else 1)
2326
2553
# Default values for config file for server-global settings
2327
2554
server_defaults = { "interface": "",
2368
2596
# Override the settings from the config file with command line
2369
2597
# options, if set.
2370
2598
for option in ("interface", "address", "port", "debug",
2371
"priority", "servicename", "configdir",
2372
"use_dbus", "use_ipv6", "debuglevel", "restore",
2373
"statedir", "socket", "foreground"):
2599
"priority", "servicename", "configdir", "use_dbus",
2600
"use_ipv6", "debuglevel", "restore", "statedir",
2601
"socket", "foreground", "zeroconf"):
2374
2602
value = getattr(options, option)
2375
2603
if value is not None:
2376
2604
server_settings[option] = value
2378
2606
# Force all strings to be unicode
2379
2607
for option in server_settings.keys():
2380
if type(server_settings[option]) is str:
2381
server_settings[option] = unicode(server_settings[option])
2608
if isinstance(server_settings[option], bytes):
2609
server_settings[option] = (server_settings[option]
2611
# Force all boolean options to be boolean
2612
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2613
"foreground", "zeroconf"):
2614
server_settings[option] = bool(server_settings[option])
2382
2615
# Debug implies foreground
2383
2616
if server_settings["debug"]:
2384
2617
server_settings["foreground"] = True
2420
2658
global mandos_dbus_service
2421
2659
mandos_dbus_service = None
2423
tcp_server = MandosServer((server_settings["address"],
2424
server_settings["port"]),
2426
interface=(server_settings["interface"]
2430
server_settings["priority"],
2432
socketfd=(server_settings["socket"]
2662
if server_settings["socket"] != "":
2663
socketfd = server_settings["socket"]
2664
tcp_server = MandosServer(
2665
(server_settings["address"], server_settings["port"]),
2667
interface=(server_settings["interface"] or None),
2669
gnutls_priority=server_settings["priority"],
2434
2672
if not foreground:
2435
pidfilename = "/var/run/mandos.pid"
2673
pidfilename = "/run/mandos.pid"
2674
if not os.path.isdir("/run/."):
2675
pidfilename = "/var/run/mandos.pid"
2438
pidfile = open(pidfilename, "w")
2678
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2439
2679
except IOError as e:
2440
2680
logger.error("Could not open file %r", pidfilename,
2497
2737
bus_name = dbus.service.BusName("se.recompile.Mandos",
2498
bus, do_not_queue=True)
2499
old_bus_name = (dbus.service.BusName
2500
("se.bsnet.fukt.Mandos", bus,
2502
except dbus.exceptions.NameExistsException as e:
2740
old_bus_name = dbus.service.BusName(
2741
"se.bsnet.fukt.Mandos", bus,
2743
except dbus.exceptions.DBusException as e:
2503
2744
logger.error("Disabling D-Bus:", exc_info=e)
2504
2745
use_dbus = False
2505
2746
server_settings["use_dbus"] = False
2506
2747
tcp_server.use_dbus = False
2507
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2508
service = AvahiServiceToSyslog(name =
2509
server_settings["servicename"],
2510
servicetype = "_mandos._tcp",
2511
protocol = protocol, bus = bus)
2512
if server_settings["interface"]:
2513
service.interface = (if_nametoindex
2514
(str(server_settings["interface"])))
2749
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2750
service = AvahiServiceToSyslog(
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
2755
if server_settings["interface"]:
2756
service.interface = if_nametoindex(
2757
server_settings["interface"].encode("utf-8"))
2516
2759
global multiprocessing_manager
2517
2760
multiprocessing_manager = multiprocessing.Manager()
2524
2767
old_client_settings = {}
2525
2768
clients_data = {}
2770
# This is used to redirect stdout and stderr for checker processes
2772
wnull = open(os.devnull, "w") # A writable /dev/null
2773
# Only used if server is running in foreground but not in debug
2775
if debug or not foreground:
2527
2778
# Get client data and settings from last running state.
2528
2779
if server_settings["restore"]:
2530
2781
with open(stored_state_path, "rb") as stored_state:
2531
clients_data, old_client_settings = (pickle.load
2782
clients_data, old_client_settings = pickle.load(
2533
2784
os.remove(stored_state_path)
2534
2785
except IOError as e:
2535
2786
if e.errno == errno.ENOENT:
2536
logger.warning("Could not load persistent state: {0}"
2537
.format(os.strerror(e.errno)))
2787
logger.warning("Could not load persistent state:"
2788
" {}".format(os.strerror(e.errno)))
2539
2790
logger.critical("Could not load persistent state:",
2542
2793
except EOFError as e:
2543
2794
logger.warning("Could not load persistent state: "
2544
"EOFError:", exc_info=e)
2546
2798
with PGPEngine() as pgp:
2547
for client_name, client in clients_data.iteritems():
2799
for client_name, client in clients_data.items():
2800
# Skip removed clients
2801
if client_name not in client_settings:
2548
2804
# Decide which value to use after restoring saved state.
2549
2805
# We have three different values: Old config file,
2550
2806
# new config file, and saved state.
2571
2827
if datetime.datetime.utcnow() >= client["expires"]:
2572
2828
if not client["last_checked_ok"]:
2573
2829
logger.warning(
2574
"disabling client {0} - Client never "
2575
"performed a successful checker"
2576
.format(client_name))
2830
"disabling client {} - Client never "
2831
"performed a successful checker".format(
2577
2833
client["enabled"] = False
2578
2834
elif client["last_checker_status"] != 0:
2579
2835
logger.warning(
2580
"disabling client {0} - Client "
2581
"last checker failed with error code {1}"
2582
.format(client_name,
2583
client["last_checker_status"]))
2836
"disabling client {} - Client last"
2837
" checker failed with error code"
2840
client["last_checker_status"]))
2584
2841
client["enabled"] = False
2586
client["expires"] = (datetime.datetime
2588
+ client["timeout"])
2843
client["expires"] = (
2844
datetime.datetime.utcnow()
2845
+ client["timeout"])
2589
2846
logger.debug("Last checker succeeded,"
2590
" keeping {0} enabled"
2591
.format(client_name))
2847
" keeping {} enabled".format(
2593
client["secret"] = (
2594
pgp.decrypt(client["encrypted_secret"],
2595
client_settings[client_name]
2850
client["secret"] = pgp.decrypt(
2851
client["encrypted_secret"],
2852
client_settings[client_name]["secret"])
2597
2853
except PGPError:
2598
2854
# If decryption fails, we use secret from new settings
2599
logger.debug("Failed to decrypt {0} old secret"
2600
.format(client_name))
2601
client["secret"] = (
2602
client_settings[client_name]["secret"])
2855
logger.debug("Failed to decrypt {} old secret".format(
2857
client["secret"] = (client_settings[client_name]
2604
2860
# Add/remove clients based on new changes made to config
2605
2861
for client_name in (set(old_client_settings)
2915
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2660
2917
@dbus.service.signal(_interface, signature="os")
2661
2918
def ClientRemoved(self, objpath, name):
2922
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2665
2924
@dbus.service.method(_interface, out_signature="ao")
2666
2925
def GetAllClients(self):
2668
return dbus.Array(c.dbus_object_path
2927
return dbus.Array(c.dbus_object_path for c in
2670
2928
tcp_server.clients.itervalues())
2930
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2672
2932
@dbus.service.method(_interface,
2673
2933
out_signature="a{oa{sv}}")
2674
2934
def GetAllClientsWithProperties(self):
2676
2936
return dbus.Dictionary(
2677
((c.dbus_object_path, c.GetAll(""))
2678
for c in tcp_server.clients.itervalues()),
2937
{ c.dbus_object_path: c.GetAll(
2938
"se.recompile.Mandos.Client")
2939
for c in tcp_server.clients.itervalues() },
2679
2940
signature="oa{sv}")
2681
2942
@dbus.service.method(_interface, in_signature="o")
2685
2946
if c.dbus_object_path == object_path:
2686
2947
del tcp_server.clients[c.name]
2687
2948
c.remove_from_connection()
2688
# Don't signal anything except ClientRemoved
2949
# Don't signal the disabling
2689
2950
c.disable(quiet=True)
2691
self.ClientRemoved(object_path, c.name)
2951
# Emit D-Bus signal for removal
2952
self.client_removed_signal(c)
2693
2954
raise KeyError(object_path)
2958
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2959
out_signature = "a{oa{sa{sv}}}")
2960
def GetManagedObjects(self):
2962
return dbus.Dictionary(
2963
{ client.dbus_object_path:
2965
{ interface: client.GetAll(interface)
2967
client._get_all_interface_names()})
2968
for client in tcp_server.clients.values()})
2970
def client_added_signal(self, client):
2971
"""Send the new standard signal and the old signal"""
2973
# New standard signal
2974
self.InterfacesAdded(
2975
client.dbus_object_path,
2977
{ interface: client.GetAll(interface)
2979
client._get_all_interface_names()}))
2981
self.ClientAdded(client.dbus_object_path)
2983
def client_removed_signal(self, client):
2984
"""Send the new standard signal and the old signal"""
2986
# New standard signal
2987
self.InterfacesRemoved(
2988
client.dbus_object_path,
2989
client._get_all_interface_names())
2991
self.ClientRemoved(client.dbus_object_path,
2697
2994
mandos_dbus_service = MandosDBusService()
2700
2997
"Cleanup function; run on exit"
2703
3001
multiprocessing.active_children()
2704
3003
if not (tcp_server.clients or client_settings):
2733
3032
del client_settings[client.name]["secret"]
2736
with (tempfile.NamedTemporaryFile
2737
(mode='wb', suffix=".pickle", prefix='clients-',
2738
dir=os.path.dirname(stored_state_path),
2739
delete=False)) as stored_state:
3035
with tempfile.NamedTemporaryFile(
3039
dir=os.path.dirname(stored_state_path),
3040
delete=False) as stored_state:
2740
3041
pickle.dump((clients, client_settings), stored_state)
2741
tempname=stored_state.name
3042
tempname = stored_state.name
2742
3043
os.rename(tempname, stored_state_path)
2743
3044
except (IOError, OSError) as e:
2747
3048
except NameError:
2749
3050
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2750
logger.warning("Could not save persistent state: {0}"
3051
logger.warning("Could not save persistent state: {}"
2751
3052
.format(os.strerror(e.errno)))
2753
3054
logger.warning("Could not save persistent state:",
2757
3058
# Delete all clients, and settings from config
2758
3059
while tcp_server.clients:
2759
3060
name, client = tcp_server.clients.popitem()
2761
3062
client.remove_from_connection()
2762
# Don't signal anything except ClientRemoved
3063
# Don't signal the disabling
2763
3064
client.disable(quiet=True)
3065
# Emit D-Bus signal for removal
2766
mandos_dbus_service.ClientRemoved(client
3067
mandos_dbus_service.client_removed_signal(client)
2769
3068
client_settings.clear()
2771
3070
atexit.register(cleanup)
2773
3072
for client in tcp_server.clients.itervalues():
2776
mandos_dbus_service.ClientAdded(client.dbus_object_path)
3074
# Emit D-Bus signal for adding
3075
mandos_dbus_service.client_added_signal(client)
2777
3076
# Need to initiate checking of clients
2778
3077
if client.enabled:
2779
3078
client.init_checker()