To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.333
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.333
- Committer: Teddy Hogeborn
- Date: 2015-08-10 09:00:23 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810090023-fz6vjqr7zf33e2tf
Support the standard org.freedesktop.DBus.ObjectManager interface.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- files modified:
- DBUS-API
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
80
82
81
83
import dbus
82
84
import dbus.service
83
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
84
90
from dbus.mainloop.glib import DBusGMainLoop
85
91
import ctypes
86
92
import ctypes.util
87
93
import xml.dom.minidom
88
94
import inspect
89
95
90
# Try to find the value of SO_BINDTODEVICE:
91
96
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
98
except AttributeError:
96
99
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
100
from IN import SO_BINDTODEVICE
100
101
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
114
103
115
104
if sys.version_info.major == 2:
116
105
str = unicode
117
106
118
version = "1.8.3"
107
version = "1.6.9"
119
108
stored_state_file = "clients.pickle"
120
109
121
110
logger = logging.getLogger()
125
114
if_nametoindex = ctypes.cdll.LoadLibrary(
126
115
ctypes.util.find_library("c")).if_nametoindex
127
116
except (OSError, AttributeError):
128
117
129
118
def if_nametoindex(interface):
130
119
"Get an interface index the hard way, i.e. using fcntl()"
131
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
125
return interface_index
137
126
138
127
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
155
128
def initlogger(debug, level=logging.WARNING):
156
129
"""init logger and add loglevel"""
157
130
158
131
global syslogger
159
132
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
162
135
syslogger.setFormatter(logging.Formatter
163
136
('Mandos [%(process)d]: %(levelname)s:'
164
137
' %(message)s'))
165
138
logger.addHandler(syslogger)
166
139
167
140
if debug:
168
141
console = logging.StreamHandler()
169
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
154
182
155
class PGPEngine(object):
183
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
157
185
158
def __init__(self):
186
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
198
160
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
161
'--home', self.tempdir,
200
162
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
163
'--quiet',
164
'--no-use-agent']
165
206
166
def __enter__(self):
207
167
return self
208
168
209
169
def __exit__(self, exc_type, exc_value, traceback):
210
170
self._cleanup()
211
171
return False
212
172
213
173
def __del__(self):
214
174
self._cleanup()
215
175
216
176
def _cleanup(self):
217
177
if self.tempdir is not None:
218
178
# Delete contents of tempdir
219
179
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
180
topdown = False):
221
181
for filename in files:
222
182
os.remove(os.path.join(root, filename))
223
183
for dirname in dirs:
225
185
# Remove tempdir
226
186
os.rmdir(self.tempdir)
227
187
self.tempdir = None
228
188
229
189
def password_encode(self, password):
230
190
# Passphrase can not be empty and can not contain newlines or
231
191
# NUL bytes. So we prefix it and hex encode it.
236
196
.replace(b"\n", b"\\n")
237
197
.replace(b"\0", b"\\x00"))
238
198
return encoded
239
199
240
200
def encrypt(self, data, password):
241
201
passphrase = self.password_encode(password)
242
202
with tempfile.NamedTemporaryFile(
243
203
dir=self.tempdir) as passfile:
244
204
passfile.write(passphrase)
245
205
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
247
207
'--passphrase-file',
248
208
passfile.name]
249
209
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
254
214
if proc.returncode != 0:
255
215
raise PGPError(err)
256
216
return ciphertext
257
217
258
218
def decrypt(self, data, password):
259
219
passphrase = self.password_encode(password)
260
220
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
262
222
passfile.write(passphrase)
263
223
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
265
225
'--passphrase-file',
266
226
passfile.name]
267
227
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
272
232
if proc.returncode != 0:
273
233
raise PGPError(err)
274
234
return decrypted_plaintext
275
235
276
236
277
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
289
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
303
304
237
class AvahiError(Exception):
305
238
def __init__(self, value, *args, **kwargs):
306
239
self.value = value
318
251
319
252
class AvahiService(object):
320
253
"""An Avahi (Zeroconf) service.
321
254
322
255
Attributes:
323
256
interface: integer; avahi.IF_UNSPEC or an interface index.
324
257
Used to optionally bind to the specified interface.
336
269
server: D-Bus Server
337
270
bus: dbus.SystemBus()
338
271
"""
339
272
340
273
def __init__(self,
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
351
284
self.interface = interface
352
285
self.name = name
353
286
self.type = servicetype
362
295
self.server = None
363
296
self.bus = bus
364
297
self.entry_group_state_changed_match = None
365
298
366
299
def rename(self, remove=True):
367
300
"""Derived from the Avahi example code"""
368
301
if self.rename_count >= self.max_renames:
388
321
logger.critical("D-Bus Exception", exc_info=error)
389
322
self.cleanup()
390
323
os._exit(1)
391
324
392
325
def remove(self):
393
326
"""Derived from the Avahi example code"""
394
327
if self.entry_group_state_changed_match is not None:
396
329
self.entry_group_state_changed_match = None
397
330
if self.group is not None:
398
331
self.group.Reset()
399
332
400
333
def add(self):
401
334
"""Derived from the Avahi example code"""
402
335
self.remove()
419
352
dbus.UInt16(self.port),
420
353
avahi.string_array_to_txt_array(self.TXT))
421
354
self.group.Commit()
422
355
423
356
def entry_group_state_changed(self, state, error):
424
357
"""Derived from the Avahi example code"""
425
358
logger.debug("Avahi entry group state change: %i", state)
426
359
427
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
361
logger.debug("Zeroconf service established.")
429
362
elif state == avahi.ENTRY_GROUP_COLLISION:
433
366
logger.critical("Avahi: Error in group state changed %s",
434
367
str(error))
435
368
raise AvahiGroupError("State changed: {!s}".format(error))
436
369
437
370
def cleanup(self):
438
371
"""Derived from the Avahi example code"""
439
372
if self.group is not None:
444
377
pass
445
378
self.group = None
446
379
self.remove()
447
380
448
381
def server_state_changed(self, state, error=None):
449
382
"""Derived from the Avahi example code"""
450
383
logger.debug("Avahi server state change: %i", state)
479
412
logger.debug("Unknown state: %r", state)
480
413
else:
481
414
logger.debug("Unknown state: %r: %r", state, error)
482
415
483
416
def activate(self):
484
417
"""Derived from the Avahi example code"""
485
418
if self.server is None:
496
429
class AvahiServiceToSyslog(AvahiService):
497
430
def rename(self, *args, **kwargs):
498
431
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
500
433
syslogger.setFormatter(logging.Formatter(
501
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
435
.format(self.name)))
503
436
return ret
504
437
505
506
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
510
511
library = ctypes.util.find_library("gnutls")
512
if library is None:
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
515
del library
516
_need_version = b"3.3.0"
517
_tls_rawpk_version = b"3.6.6"
518
519
def __init__(self):
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
525
526
# Unless otherwise indicated, the constants and types below are
527
# all from the gnutls/gnutls.h C header file.
528
529
# Constants
530
E_SUCCESS = 0
531
E_INTERRUPTED = -52
532
E_AGAIN = -28
533
CRT_OPENPGP = 2
534
CRT_RAWPK = 3
535
CLIENT = 2
536
SHUT_RDWR = 0
537
CRD_CERTIFICATE = 1
538
E_NO_CERTIFICATE_FOUND = -49
539
X509_FMT_DER = 0
540
NO_TICKETS = 1<<10
541
ENABLE_RAWPK = 1<<18
542
CTYPE_PEERS = 3
543
KEYID_USE_SHA256 = 1 # gnutls/x509.h
544
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
545
546
# Types
547
class session_int(ctypes.Structure):
548
_fields_ = []
549
session_t = ctypes.POINTER(session_int)
550
551
class certificate_credentials_st(ctypes.Structure):
552
_fields_ = []
553
certificate_credentials_t = ctypes.POINTER(
554
certificate_credentials_st)
555
certificate_type_t = ctypes.c_int
556
557
class datum_t(ctypes.Structure):
558
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
559
('size', ctypes.c_uint)]
560
561
class openpgp_crt_int(ctypes.Structure):
562
_fields_ = []
563
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
564
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
565
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
566
credentials_type_t = ctypes.c_int
567
transport_ptr_t = ctypes.c_void_p
568
close_request_t = ctypes.c_int
569
570
# Exceptions
571
class Error(Exception):
572
# We need to use the class name "GnuTLS" here, since this
573
# exception might be raised from within GnuTLS.__init__,
574
# which is called before the assignment to the "gnutls"
575
# global variable has happened.
576
def __init__(self, message=None, code=None, args=()):
577
# Default usage is by a message string, but if a return
578
# code is passed, convert it to a string with
579
# gnutls.strerror()
580
self.code = code
581
if message is None and code is not None:
582
message = GnuTLS.strerror(code)
583
return super(GnuTLS.Error, self).__init__(
584
message, *args)
585
586
class CertificateSecurityError(Error):
587
pass
588
589
# Classes
590
class Credentials(object):
591
def __init__(self):
592
self._c_object = gnutls.certificate_credentials_t()
593
gnutls.certificate_allocate_credentials(
594
ctypes.byref(self._c_object))
595
self.type = gnutls.CRD_CERTIFICATE
596
597
def __del__(self):
598
gnutls.certificate_free_credentials(self._c_object)
599
600
class ClientSession(object):
601
def __init__(self, socket, credentials=None):
602
self._c_object = gnutls.session_t()
603
gnutls_flags = gnutls.CLIENT
604
if gnutls.check_version("3.5.6"):
605
gnutls_flags |= gnutls.NO_TICKETS
606
if gnutls.has_rawpk:
607
gnutls_flags |= gnutls.ENABLE_RAWPK
608
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
609
del gnutls_flags
610
gnutls.set_default_priority(self._c_object)
611
gnutls.transport_set_ptr(self._c_object, socket.fileno())
612
gnutls.handshake_set_private_extensions(self._c_object,
613
True)
614
self.socket = socket
615
if credentials is None:
616
credentials = gnutls.Credentials()
617
gnutls.credentials_set(self._c_object, credentials.type,
618
ctypes.cast(credentials._c_object,
619
ctypes.c_void_p))
620
self.credentials = credentials
621
622
def __del__(self):
623
gnutls.deinit(self._c_object)
624
625
def handshake(self):
626
return gnutls.handshake(self._c_object)
627
628
def send(self, data):
629
data = bytes(data)
630
data_len = len(data)
631
while data_len > 0:
632
data_len -= gnutls.record_send(self._c_object,
633
data[-data_len:],
634
data_len)
635
636
def bye(self):
637
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
638
639
# Error handling functions
640
def _error_code(result):
641
"""A function to raise exceptions on errors, suitable
642
for the 'restype' attribute on ctypes functions"""
643
if result >= 0:
644
return result
645
if result == gnutls.E_NO_CERTIFICATE_FOUND:
646
raise gnutls.CertificateSecurityError(code=result)
647
raise gnutls.Error(code=result)
648
649
def _retry_on_error(result, func, arguments):
650
"""A function to retry on some errors, suitable
651
for the 'errcheck' attribute on ctypes functions"""
652
while result < 0:
653
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
654
return _error_code(result)
655
result = func(*arguments)
656
return result
657
658
# Unless otherwise indicated, the function declarations below are
659
# all from the gnutls/gnutls.h C header file.
660
661
# Functions
662
priority_set_direct = _library.gnutls_priority_set_direct
663
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
664
ctypes.POINTER(ctypes.c_char_p)]
665
priority_set_direct.restype = _error_code
666
667
init = _library.gnutls_init
668
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
669
init.restype = _error_code
670
671
set_default_priority = _library.gnutls_set_default_priority
672
set_default_priority.argtypes = [session_t]
673
set_default_priority.restype = _error_code
674
675
record_send = _library.gnutls_record_send
676
record_send.argtypes = [session_t, ctypes.c_void_p,
677
ctypes.c_size_t]
678
record_send.restype = ctypes.c_ssize_t
679
record_send.errcheck = _retry_on_error
680
681
certificate_allocate_credentials = (
682
_library.gnutls_certificate_allocate_credentials)
683
certificate_allocate_credentials.argtypes = [
684
ctypes.POINTER(certificate_credentials_t)]
685
certificate_allocate_credentials.restype = _error_code
686
687
certificate_free_credentials = (
688
_library.gnutls_certificate_free_credentials)
689
certificate_free_credentials.argtypes = [
690
certificate_credentials_t]
691
certificate_free_credentials.restype = None
692
693
handshake_set_private_extensions = (
694
_library.gnutls_handshake_set_private_extensions)
695
handshake_set_private_extensions.argtypes = [session_t,
696
ctypes.c_int]
697
handshake_set_private_extensions.restype = None
698
699
credentials_set = _library.gnutls_credentials_set
700
credentials_set.argtypes = [session_t, credentials_type_t,
701
ctypes.c_void_p]
702
credentials_set.restype = _error_code
703
704
strerror = _library.gnutls_strerror
705
strerror.argtypes = [ctypes.c_int]
706
strerror.restype = ctypes.c_char_p
707
708
certificate_type_get = _library.gnutls_certificate_type_get
709
certificate_type_get.argtypes = [session_t]
710
certificate_type_get.restype = _error_code
711
712
certificate_get_peers = _library.gnutls_certificate_get_peers
713
certificate_get_peers.argtypes = [session_t,
714
ctypes.POINTER(ctypes.c_uint)]
715
certificate_get_peers.restype = ctypes.POINTER(datum_t)
716
717
global_set_log_level = _library.gnutls_global_set_log_level
718
global_set_log_level.argtypes = [ctypes.c_int]
719
global_set_log_level.restype = None
720
721
global_set_log_function = _library.gnutls_global_set_log_function
722
global_set_log_function.argtypes = [log_func]
723
global_set_log_function.restype = None
724
725
deinit = _library.gnutls_deinit
726
deinit.argtypes = [session_t]
727
deinit.restype = None
728
729
handshake = _library.gnutls_handshake
730
handshake.argtypes = [session_t]
731
handshake.restype = _error_code
732
handshake.errcheck = _retry_on_error
733
734
transport_set_ptr = _library.gnutls_transport_set_ptr
735
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
736
transport_set_ptr.restype = None
737
738
bye = _library.gnutls_bye
739
bye.argtypes = [session_t, close_request_t]
740
bye.restype = _error_code
741
bye.errcheck = _retry_on_error
742
743
check_version = _library.gnutls_check_version
744
check_version.argtypes = [ctypes.c_char_p]
745
check_version.restype = ctypes.c_char_p
746
747
has_rawpk = bool(check_version(_tls_rawpk_version))
748
749
if has_rawpk:
750
# Types
751
class pubkey_st(ctypes.Structure):
752
_fields = []
753
pubkey_t = ctypes.POINTER(pubkey_st)
754
755
x509_crt_fmt_t = ctypes.c_int
756
757
# All the function declarations below are from gnutls/abstract.h
758
pubkey_init = _library.gnutls_pubkey_init
759
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
760
pubkey_init.restype = _error_code
761
762
pubkey_import = _library.gnutls_pubkey_import
763
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
764
x509_crt_fmt_t]
765
pubkey_import.restype = _error_code
766
767
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
768
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
769
ctypes.POINTER(ctypes.c_ubyte),
770
ctypes.POINTER(ctypes.c_size_t)]
771
pubkey_get_key_id.restype = _error_code
772
773
pubkey_deinit = _library.gnutls_pubkey_deinit
774
pubkey_deinit.argtypes = [pubkey_t]
775
pubkey_deinit.restype = None
776
else:
777
# All the function declarations below are from gnutls/openpgp.h
778
779
openpgp_crt_init = _library.gnutls_openpgp_crt_init
780
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
781
openpgp_crt_init.restype = _error_code
782
783
openpgp_crt_import = _library.gnutls_openpgp_crt_import
784
openpgp_crt_import.argtypes = [openpgp_crt_t,
785
ctypes.POINTER(datum_t),
786
openpgp_crt_fmt_t]
787
openpgp_crt_import.restype = _error_code
788
789
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
790
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
791
ctypes.POINTER(ctypes.c_uint)]
792
openpgp_crt_verify_self.restype = _error_code
793
794
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
795
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
796
openpgp_crt_deinit.restype = None
797
798
openpgp_crt_get_fingerprint = (
799
_library.gnutls_openpgp_crt_get_fingerprint)
800
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
801
ctypes.c_void_p,
802
ctypes.POINTER(
803
ctypes.c_size_t)]
804
openpgp_crt_get_fingerprint.restype = _error_code
805
806
if check_version("3.6.4"):
807
certificate_type_get2 = _library.gnutls_certificate_type_get2
808
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
809
certificate_type_get2.restype = _error_code
810
811
# Remove non-public functions
812
del _error_code, _retry_on_error
813
# Create the global "gnutls" object, simulating a module
814
gnutls = GnuTLS()
815
816
817
438
def call_pipe(connection, # : multiprocessing.Connection
818
439
func, *args, **kwargs):
819
440
"""This function is meant to be called by multiprocessing.Process
820
441
821
442
This function runs func(*args, **kwargs), and writes the resulting
822
443
return value on the provided multiprocessing.Connection.
823
444
"""
824
445
connection.send(func(*args, **kwargs))
825
446
connection.close()
826
447
827
828
448
class Client(object):
829
449
"""A representation of a client host served by this server.
830
450
831
451
Attributes:
832
452
approved: bool(); 'None' if not yet approved/disapproved
833
453
approval_delay: datetime.timedelta(); Time to wait for approval
835
455
checker: subprocess.Popen(); a running checker process used
836
456
to see if the client lives.
837
457
'None' if no process is running.
838
checker_callback_tag: a GLib event source tag, or None
458
checker_callback_tag: a gobject event source tag, or None
839
459
checker_command: string; External command which is run to check
840
460
if client lives. %() expansions are done at
841
461
runtime with vars(self) as dict, so that for
842
462
instance %(name)s can be used in the command.
843
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
844
464
created: datetime.datetime(); (UTC) object creation
845
465
client_structure: Object describing what attributes a client has
846
466
and is used for storing the client at exit
847
467
current_checker_command: string; current running checker_command
848
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
849
469
enabled: bool()
850
470
fingerprint: string (40 or 32 hexadecimal digits); used to
851
uniquely identify an OpenPGP client
852
key_id: string (64 hexadecimal digits); used to uniquely identify
853
a client using raw public keys
471
uniquely identify the client
854
472
host: string; available for use by the checker command
855
473
interval: datetime.timedelta(); How often to start a new checker
856
474
last_approval_request: datetime.datetime(); (UTC) or None
872
490
disabled, or None
873
491
server_settings: The server_settings dict from main()
874
492
"""
875
493
876
494
runtime_expansions = ("approval_delay", "approval_duration",
877
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
878
496
"fingerprint", "host", "interval",
879
497
"last_approval_request", "last_checked_ok",
880
498
"last_enabled", "name", "timeout")
889
507
"approved_by_default": "True",
890
508
"enabled": "True",
891
509
}
892
510
893
511
@staticmethod
894
512
def config_parser(config):
895
513
"""Construct a new dict of client settings of this form:
902
520
for client_name in config.sections():
903
521
section = dict(config.items(client_name))
904
522
client = settings[client_name] = {}
905
523
906
524
client["host"] = section["host"]
907
525
# Reformat values from string types to Python types
908
526
client["approved_by_default"] = config.getboolean(
909
527
client_name, "approved_by_default")
910
528
client["enabled"] = config.getboolean(client_name,
911
529
"enabled")
912
913
# Uppercase and remove spaces from key_id and fingerprint
914
# for later comparison purposes with return value from the
915
# key_id() and fingerprint() functions
916
client["key_id"] = (section.get("key_id", "").upper()
917
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
918
534
client["fingerprint"] = (section["fingerprint"].upper()
919
535
.replace(" ", ""))
920
536
if "secret" in section:
921
client["secret"] = codecs.decode(section["secret"]
922
.encode("utf-8"),
923
"base64")
537
client["secret"] = section["secret"].decode("base64")
924
538
elif "secfile" in section:
925
539
with open(os.path.expanduser(os.path.expandvars
926
540
(section["secfile"])),
941
555
client["last_approval_request"] = None
942
556
client["last_checked_ok"] = None
943
557
client["last_checker_status"] = -2
944
558
945
559
return settings
946
947
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
948
562
self.name = name
949
563
if server_settings is None:
950
564
server_settings = {}
952
566
# adding all client settings
953
567
for setting, value in settings.items():
954
568
setattr(self, setting, value)
955
569
956
570
if self.enabled:
957
571
if not hasattr(self, "last_enabled"):
958
572
self.last_enabled = datetime.datetime.utcnow()
962
576
else:
963
577
self.last_enabled = None
964
578
self.expires = None
965
579
966
580
logger.debug("Creating client %r", self.name)
967
logger.debug(" Key ID: %s", self.key_id)
968
581
logger.debug(" Fingerprint: %s", self.fingerprint)
969
582
self.created = settings.get("created",
970
583
datetime.datetime.utcnow())
971
584
972
585
# attributes specific for this server instance
973
586
self.checker = None
974
587
self.checker_initiator_tag = None
980
593
self.changedstate = multiprocessing_manager.Condition(
981
594
multiprocessing_manager.Lock())
982
595
self.client_structure = [attr
983
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
984
597
if not attr.startswith("_")]
985
598
self.client_structure.append("client_structure")
986
599
987
600
for name, t in inspect.getmembers(
988
601
type(self), lambda obj: isinstance(obj, property)):
989
602
if not name.startswith("_"):
990
603
self.client_structure.append(name)
991
604
992
605
# Send notice to process children that client state has changed
993
606
def send_changedstate(self):
994
607
with self.changedstate:
995
608
self.changedstate.notify_all()
996
609
997
610
def enable(self):
998
611
"""Start this client's checker and timeout hooks"""
999
612
if getattr(self, "enabled", False):
1004
617
self.last_enabled = datetime.datetime.utcnow()
1005
618
self.init_checker()
1006
619
self.send_changedstate()
1007
620
1008
621
def disable(self, quiet=True):
1009
622
"""Disable this client."""
1010
623
if not getattr(self, "enabled", False):
1012
625
if not quiet:
1013
626
logger.info("Disabling client %s", self.name)
1014
627
if getattr(self, "disable_initiator_tag", None) is not None:
1015
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1016
629
self.disable_initiator_tag = None
1017
630
self.expires = None
1018
631
if getattr(self, "checker_initiator_tag", None) is not None:
1019
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1020
633
self.checker_initiator_tag = None
1021
634
self.stop_checker()
1022
635
self.enabled = False
1023
636
if not quiet:
1024
637
self.send_changedstate()
1025
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1026
639
return False
1027
640
1028
641
def __del__(self):
1029
642
self.disable()
1030
643
1031
644
def init_checker(self):
1032
645
# Schedule a new checker to be started an 'interval' from now,
1033
646
# and every interval from then on.
1034
647
if self.checker_initiator_tag is not None:
1035
GLib.source_remove(self.checker_initiator_tag)
1036
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1037
650
int(self.interval.total_seconds() * 1000),
1038
651
self.start_checker)
1039
652
# Schedule a disable() when 'timeout' has passed
1040
653
if self.disable_initiator_tag is not None:
1041
GLib.source_remove(self.disable_initiator_tag)
1042
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1043
656
int(self.timeout.total_seconds() * 1000), self.disable)
1044
657
# Also start a new checker *right now*.
1045
658
self.start_checker()
1046
659
1047
660
def checker_callback(self, source, condition, connection,
1048
661
command):
1049
662
"""The checker has completed, so take appropriate actions."""
1052
665
# Read return code from connection (see call_pipe)
1053
666
returncode = connection.recv()
1054
667
connection.close()
1055
668
1056
669
if returncode >= 0:
1057
670
self.last_checker_status = returncode
1058
671
self.last_checker_signal = None
1068
681
logger.warning("Checker for %(name)s crashed?",
1069
682
vars(self))
1070
683
return False
1071
684
1072
685
def checked_ok(self):
1073
686
"""Assert that the client has been seen, alive and well."""
1074
687
self.last_checked_ok = datetime.datetime.utcnow()
1075
688
self.last_checker_status = 0
1076
689
self.last_checker_signal = None
1077
690
self.bump_timeout()
1078
691
1079
692
def bump_timeout(self, timeout=None):
1080
693
"""Bump up the timeout for this client."""
1081
694
if timeout is None:
1082
695
timeout = self.timeout
1083
696
if self.disable_initiator_tag is not None:
1084
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1085
698
self.disable_initiator_tag = None
1086
699
if getattr(self, "enabled", False):
1087
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1088
701
int(timeout.total_seconds() * 1000), self.disable)
1089
702
self.expires = datetime.datetime.utcnow() + timeout
1090
703
1091
704
def need_approval(self):
1092
705
self.last_approval_request = datetime.datetime.utcnow()
1093
706
1094
707
def start_checker(self):
1095
708
"""Start a new checker subprocess if one is not running.
1096
709
1097
710
If a checker already exists, leave it running and do
1098
711
nothing."""
1099
712
# The reason for not killing a running checker is that if we
1104
717
# checkers alone, the checker would have to take more time
1105
718
# than 'timeout' for the client to be disabled, which is as it
1106
719
# should be.
1107
720
1108
721
if self.checker is not None and not self.checker.is_alive():
1109
722
logger.warning("Checker was not alive; joining")
1110
723
self.checker.join()
1114
727
# Escape attributes for the shell
1115
728
escaped_attrs = {
1116
729
attr: re.escape(str(getattr(self, attr)))
1117
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1118
731
try:
1119
732
command = self.checker_command % escaped_attrs
1120
733
except TypeError as error:
1132
745
# The exception is when not debugging but nevertheless
1133
746
# running in the foreground; use the previously
1134
747
# created wnull.
1135
popen_args = {"close_fds": True,
1136
"shell": True,
1137
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1138
751
if (not self.server_settings["debug"]
1139
752
and self.server_settings["foreground"]):
1140
753
popen_args.update({"stdout": wnull,
1141
"stderr": wnull})
1142
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1143
756
self.checker = multiprocessing.Process(
1144
target=call_pipe,
1145
args=(pipe[1], subprocess.call, command),
1146
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1147
760
self.checker.start()
1148
self.checker_callback_tag = GLib.io_add_watch(
1149
pipe[0].fileno(), GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1150
763
self.checker_callback, pipe[0], command)
1151
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1152
765
return True
1153
766
1154
767
def stop_checker(self):
1155
768
"""Force the checker process, if any, to stop."""
1156
769
if self.checker_callback_tag:
1157
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1158
771
self.checker_callback_tag = None
1159
772
if getattr(self, "checker", None) is None:
1160
773
return
1169
782
byte_arrays=False):
1170
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1171
784
become properties on the D-Bus.
1172
785
1173
786
The decorated method will be called with no arguments by "Get"
1174
787
and with one argument by "Set".
1175
788
1176
789
The parameters, where they are supported, are the same as
1177
790
dbus.service.method, except there is only "signature", since the
1178
791
type from Get() and the type sent to Set() is the same.
1182
795
if byte_arrays and signature != "ay":
1183
796
raise ValueError("Byte arrays not supported for non-'ay'"
1184
797
" signature {!r}".format(signature))
1185
798
1186
799
def decorator(func):
1187
800
func._dbus_is_property = True
1188
801
func._dbus_interface = dbus_interface
1191
804
func._dbus_name = func.__name__
1192
805
if func._dbus_name.endswith("_dbus_property"):
1193
806
func._dbus_name = func._dbus_name[:-14]
1194
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1195
808
return func
1196
809
1197
810
return decorator
1198
811
1199
812
1200
813
def dbus_interface_annotations(dbus_interface):
1201
814
"""Decorator for marking functions returning interface annotations
1202
815
1203
816
Usage:
1204
817
1205
818
@dbus_interface_annotations("org.example.Interface")
1206
819
def _foo(self): # Function name does not matter
1207
820
return {"org.freedesktop.DBus.Deprecated": "true",
1208
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1209
822
"false"}
1210
823
"""
1211
824
1212
825
def decorator(func):
1213
826
func._dbus_is_interface = True
1214
827
func._dbus_interface = dbus_interface
1215
828
func._dbus_name = dbus_interface
1216
829
return func
1217
830
1218
831
return decorator
1219
832
1220
833
1221
834
def dbus_annotations(annotations):
1222
835
"""Decorator to annotate D-Bus methods, signals or properties
1223
836
Usage:
1224
837
1225
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1226
839
"org.freedesktop.DBus.Property."
1227
840
"EmitsChangedSignal": "false"})
1229
842
access="r")
1230
843
def Property_dbus_property(self):
1231
844
return dbus.Boolean(False)
1232
845
1233
846
See also the DBusObjectWithAnnotations class.
1234
847
"""
1235
848
1236
849
def decorator(func):
1237
850
func._dbus_annotations = annotations
1238
851
return func
1239
852
1240
853
return decorator
1241
854
1242
855
1260
873
1261
874
class DBusObjectWithAnnotations(dbus.service.Object):
1262
875
"""A D-Bus object with annotations.
1263
876
1264
877
Classes inheriting from this can use the dbus_annotations
1265
878
decorator to add annotations to methods or signals.
1266
879
"""
1267
880
1268
881
@staticmethod
1269
882
def _is_dbus_thing(thing):
1270
883
"""Returns a function testing if an attribute is a D-Bus thing
1271
884
1272
885
If called like _is_dbus_thing("method") it returns a function
1273
886
suitable for use as predicate to inspect.getmembers().
1274
887
"""
1275
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1276
889
False)
1277
890
1278
891
def _get_all_dbus_things(self, thing):
1279
892
"""Returns a generator of (name, attribute) pairs
1280
893
"""
1283
896
for cls in self.__class__.__mro__
1284
897
for name, athing in
1285
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1286
899
1287
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1288
out_signature="s",
1289
path_keyword='object_path',
1290
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1291
904
def Introspect(self, object_path, connection):
1292
905
"""Overloading of standard D-Bus method.
1293
906
1294
907
Inserts annotation tags on methods and signals.
1295
908
"""
1296
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1297
910
connection)
1298
911
try:
1299
912
document = xml.dom.minidom.parseString(xmlstring)
1300
913
1301
914
for if_tag in document.getElementsByTagName("interface"):
1302
915
# Add annotation tags
1303
916
for typ in ("method", "signal"):
1330
943
if_tag.appendChild(ann_tag)
1331
944
# Fix argument name for the Introspect method itself
1332
945
if (if_tag.getAttribute("name")
1333
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1334
947
for cn in if_tag.getElementsByTagName("method"):
1335
948
if cn.getAttribute("name") == "Introspect":
1336
949
for arg in cn.getElementsByTagName("arg"):
1349
962
1350
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1351
964
"""A D-Bus object with properties.
1352
965
1353
966
Classes inheriting from this can use the dbus_service_property
1354
967
decorator to expose methods as D-Bus properties. It exposes the
1355
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1356
969
"""
1357
970
1358
971
def _get_dbus_property(self, interface_name, property_name):
1359
972
"""Returns a bound method if one exists which is a D-Bus
1360
973
property with the specified name and interface.
1365
978
if (value._dbus_name == property_name
1366
979
and value._dbus_interface == interface_name):
1367
980
return value.__get__(self)
1368
981
1369
982
# No such property
1370
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1371
984
self.dbus_object_path, interface_name, property_name))
1372
985
1373
986
@classmethod
1374
987
def _get_all_interface_names(cls):
1375
988
"""Get a sequence of all interfaces supported by an object"""
1378
991
for x in (inspect.getmro(cls))
1379
992
for attr in dir(x))
1380
993
if name is not None)
1381
994
1382
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1383
996
in_signature="ss",
1384
997
out_signature="v")
1392
1005
if not hasattr(value, "variant_level"):
1393
1006
return value
1394
1007
return type(value)(value, variant_level=value.variant_level+1)
1395
1008
1396
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1397
1010
def Set(self, interface_name, property_name, value):
1398
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1410
1023
value = dbus.ByteArray(b''.join(chr(byte)
1411
1024
for byte in value))
1412
1025
prop(value)
1413
1026
1414
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1415
1028
in_signature="s",
1416
1029
out_signature="a{sv}")
1417
1030
def GetAll(self, interface_name):
1418
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1419
1032
standard.
1420
1033
1421
1034
Note: Will not include properties with access="write".
1422
1035
"""
1423
1036
properties = {}
1434
1047
properties[name] = value
1435
1048
continue
1436
1049
properties[name] = type(value)(
1437
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1438
1051
return dbus.Dictionary(properties, signature="sv")
1439
1052
1440
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1441
1054
def PropertiesChanged(self, interface_name, changed_properties,
1442
1055
invalidated_properties):
1444
1057
standard.
1445
1058
"""
1446
1059
pass
1447
1060
1448
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1449
1062
out_signature="s",
1450
1063
path_keyword='object_path',
1451
1064
connection_keyword='connection')
1452
1065
def Introspect(self, object_path, connection):
1453
1066
"""Overloading of standard D-Bus method.
1454
1067
1455
1068
Inserts property tags and interface annotation tags.
1456
1069
"""
1457
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1459
1072
connection)
1460
1073
try:
1461
1074
document = xml.dom.minidom.parseString(xmlstring)
1462
1075
1463
1076
def make_tag(document, name, prop):
1464
1077
e = document.createElement("property")
1465
1078
e.setAttribute("name", name)
1466
1079
e.setAttribute("type", prop._dbus_signature)
1467
1080
e.setAttribute("access", prop._dbus_access)
1468
1081
return e
1469
1082
1470
1083
for if_tag in document.getElementsByTagName("interface"):
1471
1084
# Add property tags
1472
1085
for tag in (make_tag(document, name, prop)
1514
1127
exc_info=error)
1515
1128
return xmlstring
1516
1129
1517
1518
1130
try:
1519
1131
dbus.OBJECT_MANAGER_IFACE
1520
1132
except AttributeError:
1521
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1522
1134
1523
1524
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1525
1136
"""A D-Bus object with an ObjectManager.
1526
1137
1527
1138
Classes inheriting from this exposes the standard
1528
1139
GetManagedObjects call and the InterfacesAdded and
1529
1140
InterfacesRemoved signals on the standard
1530
1141
"org.freedesktop.DBus.ObjectManager" interface.
1531
1142
1532
1143
Note: No signals are sent automatically; they must be sent
1533
1144
manually.
1534
1145
"""
1535
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1536
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1537
1148
def GetManagedObjects(self):
1538
1149
"""This function must be overridden"""
1539
1150
raise NotImplementedError()
1540
1151
1541
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1542
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1543
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1544
1155
pass
1545
1546
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1158
signature = "oas")
1547
1159
def InterfacesRemoved(self, object_path, interfaces):
1548
1160
pass
1549
1161
1550
1162
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1551
out_signature="s",
1552
path_keyword='object_path',
1553
connection_keyword='connection')
1163
out_signature = "s",
1164
path_keyword = 'object_path',
1165
connection_keyword = 'connection')
1554
1166
def Introspect(self, object_path, connection):
1555
1167
"""Overloading of standard D-Bus method.
1556
1168
1557
1169
Override return argument name of GetManagedObjects to be
1558
1170
"objpath_interfaces_and_properties"
1559
1171
"""
1560
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1561
object_path,
1562
connection)
1172
xmlstring = DBusObjectWithAnnotations(self, object_path,
1173
connection)
1563
1174
try:
1564
1175
document = xml.dom.minidom.parseString(xmlstring)
1565
1176
1566
1177
for if_tag in document.getElementsByTagName("interface"):
1567
1178
# Fix argument name for the GetManagedObjects method
1568
1179
if (if_tag.getAttribute("name")
1569
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1570
1181
for cn in if_tag.getElementsByTagName("method"):
1571
1182
if (cn.getAttribute("name")
1572
1183
== "GetManagedObjects"):
1582
1193
except (AttributeError, xml.dom.DOMException,
1583
1194
xml.parsers.expat.ExpatError) as error:
1584
1195
logger.error("Failed to override Introspection method",
1585
exc_info=error)
1196
exc_info = error)
1586
1197
return xmlstring
1587
1198
1588
1589
1199
def datetime_to_dbus(dt, variant_level=0):
1590
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1591
1201
if dt is None:
1592
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1593
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1594
1204
1595
1205
1598
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1599
1209
interface names according to the "alt_interface_names" mapping.
1600
1210
Usage:
1601
1211
1602
1212
@alternate_dbus_interfaces({"org.example.Interface":
1603
1213
"net.example.AlternateInterface"})
1604
1214
class SampleDBusObject(dbus.service.Object):
1605
1215
@dbus.service.method("org.example.Interface")
1606
1216
def SampleDBusMethod():
1607
1217
pass
1608
1218
1609
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1610
1220
reachable via two interfaces: "org.example.Interface" and
1611
1221
"net.example.AlternateInterface", the latter of which will have
1612
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1613
1223
"true", unless "deprecate" is passed with a False value.
1614
1224
1615
1225
This works for methods and signals, and also for D-Bus properties
1616
1226
(from DBusObjectWithProperties) and interfaces (from the
1617
1227
dbus_interface_annotations decorator).
1618
1228
"""
1619
1229
1620
1230
def wrapper(cls):
1621
1231
for orig_interface_name, alt_interface_name in (
1622
1232
alt_interface_names.items()):
1637
1247
interface_names.add(alt_interface)
1638
1248
# Is this a D-Bus signal?
1639
1249
if getattr(attribute, "_dbus_is_signal", False):
1640
# Extract the original non-method undecorated
1641
# function by black magic
1642
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1643
1253
nonmethod_func = (dict(
1644
1254
zip(attribute.func_code.co_freevars,
1645
1255
attribute.__closure__))
1646
1256
["func"].cell_contents)
1647
1257
else:
1648
nonmethod_func = (dict(
1649
zip(attribute.__code__.co_freevars,
1650
attribute.__closure__))
1651
["func"].cell_contents)
1258
nonmethod_func = attribute
1652
1259
# Create a new, but exactly alike, function
1653
1260
# object, and decorate it to be a new D-Bus signal
1654
1261
# with the alternate D-Bus interface name
1655
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1656
1276
new_function = (dbus.service.signal(
1657
1277
alt_interface,
1658
1278
attribute._dbus_signature)(new_function))
1662
1282
attribute._dbus_annotations)
1663
1283
except AttributeError:
1664
1284
pass
1665
1666
1285
# Define a creator of a function to call both the
1667
1286
# original and alternate functions, so both the
1668
1287
# original and alternate signals gets sent when
1671
1290
"""This function is a scope container to pass
1672
1291
func1 and func2 to the "call_both" function
1673
1292
outside of its arguments"""
1674
1675
@functools.wraps(func2)
1293
1676
1294
def call_both(*args, **kwargs):
1677
1295
"""This function will emit two D-Bus
1678
1296
signals by calling func1 and func2"""
1679
1297
func1(*args, **kwargs)
1680
1298
func2(*args, **kwargs)
1681
# Make wrapper function look like a D-Bus
1682
# signal
1683
for name, attr in inspect.getmembers(func2):
1684
if name.startswith("_dbus_"):
1685
setattr(call_both, name, attr)
1686
1299
1687
1300
return call_both
1688
1301
# Create the "call_both" function and add it to
1689
1302
# the class
1699
1312
alt_interface,
1700
1313
attribute._dbus_in_signature,
1701
1314
attribute._dbus_out_signature)
1702
(copy_function(attribute)))
1315
(types.FunctionType(attribute.func_code,
1316
attribute.func_globals,
1317
attribute.func_name,
1318
attribute.func_defaults,
1319
attribute.func_closure)))
1703
1320
# Copy annotations, if any
1704
1321
try:
1705
1322
attr[attrname]._dbus_annotations = dict(
1717
1334
attribute._dbus_access,
1718
1335
attribute._dbus_get_args_options
1719
1336
["byte_arrays"])
1720
(copy_function(attribute)))
1337
(types.FunctionType(
1338
attribute.func_code,
1339
attribute.func_globals,
1340
attribute.func_name,
1341
attribute.func_defaults,
1342
attribute.func_closure)))
1721
1343
# Copy annotations, if any
1722
1344
try:
1723
1345
attr[attrname]._dbus_annotations = dict(
1732
1354
# to the class.
1733
1355
attr[attrname] = (
1734
1356
dbus_interface_annotations(alt_interface)
1735
(copy_function(attribute)))
1357
(types.FunctionType(attribute.func_code,
1358
attribute.func_globals,
1359
attribute.func_name,
1360
attribute.func_defaults,
1361
attribute.func_closure)))
1736
1362
if deprecate:
1737
1363
# Deprecate all alternate interfaces
1738
iname = "_AlternateDBusNames_interface_annotation{}"
1364
iname="_AlternateDBusNames_interface_annotation{}"
1739
1365
for interface_name in interface_names:
1740
1366
1741
1367
@dbus_interface_annotations(interface_name)
1742
1368
def func(self):
1743
return {"org.freedesktop.DBus.Deprecated":
1744
"true"}
1369
return { "org.freedesktop.DBus.Deprecated":
1370
"true" }
1745
1371
# Find an unused name
1746
1372
for aname in (iname.format(i)
1747
1373
for i in itertools.count()):
1751
1377
if interface_names:
1752
1378
# Replace the class with a new subclass of it with
1753
1379
# methods, signals, etc. as created above.
1754
if sys.version_info.major == 2:
1755
cls = type(b"{}Alternate".format(cls.__name__),
1756
(cls, ), attr)
1757
else:
1758
cls = type("{}Alternate".format(cls.__name__),
1759
(cls, ), attr)
1380
cls = type(b"{}Alternate".format(cls.__name__),
1381
(cls, ), attr)
1760
1382
return cls
1761
1383
1762
1384
return wrapper
1763
1385
1764
1386
1766
1388
"se.bsnet.fukt.Mandos"})
1767
1389
class ClientDBus(Client, DBusObjectWithProperties):
1768
1390
"""A Client class using D-Bus
1769
1391
1770
1392
Attributes:
1771
1393
dbus_object_path: dbus.ObjectPath
1772
1394
bus: dbus.SystemBus()
1773
1395
"""
1774
1396
1775
1397
runtime_expansions = (Client.runtime_expansions
1776
1398
+ ("dbus_object_path", ))
1777
1399
1778
1400
_interface = "se.recompile.Mandos.Client"
1779
1401
1780
1402
# dbus.service.Object doesn't use super(), so we can't either.
1781
1782
def __init__(self, bus=None, *args, **kwargs):
1403
1404
def __init__(self, bus = None, *args, **kwargs):
1783
1405
self.bus = bus
1784
1406
Client.__init__(self, *args, **kwargs)
1785
1407
# Only now, when this client is initialized, can it show up on
1791
1413
"/clients/" + client_object_name)
1792
1414
DBusObjectWithProperties.__init__(self, self.bus,
1793
1415
self.dbus_object_path)
1794
1416
1795
1417
def notifychangeproperty(transform_func, dbus_name,
1796
1418
type_func=lambda x: x,
1797
1419
variant_level=1,
1799
1421
_interface=_interface):
1800
1422
""" Modify a variable so that it's a property which announces
1801
1423
its changes to DBus.
1802
1424
1803
1425
transform_fun: Function that takes a value and a variant_level
1804
1426
and transforms it to a D-Bus type.
1805
1427
dbus_name: D-Bus name of the variable
1808
1430
variant_level: D-Bus variant level. Default: 1
1809
1431
"""
1810
1432
attrname = "_{}".format(dbus_name)
1811
1433
1812
1434
def setter(self, value):
1813
1435
if hasattr(self, "dbus_object_path"):
1814
1436
if (not hasattr(self, attrname) or
1821
1443
else:
1822
1444
dbus_value = transform_func(
1823
1445
type_func(value),
1824
variant_level=variant_level)
1446
variant_level = variant_level)
1825
1447
self.PropertyChanged(dbus.String(dbus_name),
1826
1448
dbus_value)
1827
1449
self.PropertiesChanged(
1828
1450
_interface,
1829
dbus.Dictionary({dbus.String(dbus_name):
1830
dbus_value}),
1451
dbus.Dictionary({ dbus.String(dbus_name):
1452
dbus_value }),
1831
1453
dbus.Array())
1832
1454
setattr(self, attrname, value)
1833
1455
1834
1456
return property(lambda self: getattr(self, attrname), setter)
1835
1457
1836
1458
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1837
1459
approvals_pending = notifychangeproperty(dbus.Boolean,
1838
1460
"ApprovalPending",
1839
type_func=bool)
1461
type_func = bool)
1840
1462
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1841
1463
last_enabled = notifychangeproperty(datetime_to_dbus,
1842
1464
"LastEnabled")
1843
1465
checker = notifychangeproperty(
1844
1466
dbus.Boolean, "CheckerRunning",
1845
type_func=lambda checker: checker is not None)
1467
type_func = lambda checker: checker is not None)
1846
1468
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1847
1469
"LastCheckedOK")
1848
1470
last_checker_status = notifychangeproperty(dbus.Int16,
1853
1475
"ApprovedByDefault")
1854
1476
approval_delay = notifychangeproperty(
1855
1477
dbus.UInt64, "ApprovalDelay",
1856
type_func=lambda td: td.total_seconds() * 1000)
1478
type_func = lambda td: td.total_seconds() * 1000)
1857
1479
approval_duration = notifychangeproperty(
1858
1480
dbus.UInt64, "ApprovalDuration",
1859
type_func=lambda td: td.total_seconds() * 1000)
1481
type_func = lambda td: td.total_seconds() * 1000)
1860
1482
host = notifychangeproperty(dbus.String, "Host")
1861
1483
timeout = notifychangeproperty(
1862
1484
dbus.UInt64, "Timeout",
1863
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1864
1486
extended_timeout = notifychangeproperty(
1865
1487
dbus.UInt64, "ExtendedTimeout",
1866
type_func=lambda td: td.total_seconds() * 1000)
1488
type_func = lambda td: td.total_seconds() * 1000)
1867
1489
interval = notifychangeproperty(
1868
1490
dbus.UInt64, "Interval",
1869
type_func=lambda td: td.total_seconds() * 1000)
1491
type_func = lambda td: td.total_seconds() * 1000)
1870
1492
checker_command = notifychangeproperty(dbus.String, "Checker")
1871
1493
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1872
1494
invalidate_only=True)
1873
1495
1874
1496
del notifychangeproperty
1875
1497
1876
1498
def __del__(self, *args, **kwargs):
1877
1499
try:
1878
1500
self.remove_from_connection()
1881
1503
if hasattr(DBusObjectWithProperties, "__del__"):
1882
1504
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1883
1505
Client.__del__(self, *args, **kwargs)
1884
1506
1885
1507
def checker_callback(self, source, condition,
1886
1508
connection, command, *args, **kwargs):
1887
1509
ret = Client.checker_callback(self, source, condition,
1903
1525
| self.last_checker_signal),
1904
1526
dbus.String(command))
1905
1527
return ret
1906
1528
1907
1529
def start_checker(self, *args, **kwargs):
1908
1530
old_checker_pid = getattr(self.checker, "pid", None)
1909
1531
r = Client.start_checker(self, *args, **kwargs)
1913
1535
# Emit D-Bus signal
1914
1536
self.CheckerStarted(self.current_checker_command)
1915
1537
return r
1916
1538
1917
1539
def _reset_approved(self):
1918
1540
self.approved = None
1919
1541
return False
1920
1542
1921
1543
def approve(self, value=True):
1922
1544
self.approved = value
1923
GLib.timeout_add(int(self.approval_duration.total_seconds()
1924
* 1000), self._reset_approved)
1545
gobject.timeout_add(int(self.approval_duration.total_seconds()
1546
* 1000), self._reset_approved)
1925
1547
self.send_changedstate()
1926
1927
# D-Bus methods, signals & properties
1928
1929
# Interfaces
1930
1931
# Signals
1932
1548
1549
## D-Bus methods, signals & properties
1550
1551
## Interfaces
1552
1553
## Signals
1554
1933
1555
# CheckerCompleted - signal
1934
1556
@dbus.service.signal(_interface, signature="nxs")
1935
1557
def CheckerCompleted(self, exitcode, waitstatus, command):
1936
1558
"D-Bus signal"
1937
1559
pass
1938
1560
1939
1561
# CheckerStarted - signal
1940
1562
@dbus.service.signal(_interface, signature="s")
1941
1563
def CheckerStarted(self, command):
1942
1564
"D-Bus signal"
1943
1565
pass
1944
1566
1945
1567
# PropertyChanged - signal
1946
1568
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1947
1569
@dbus.service.signal(_interface, signature="sv")
1948
1570
def PropertyChanged(self, property, value):
1949
1571
"D-Bus signal"
1950
1572
pass
1951
1573
1952
1574
# GotSecret - signal
1953
1575
@dbus.service.signal(_interface)
1954
1576
def GotSecret(self):
1957
1579
server to mandos-client
1958
1580
"""
1959
1581
pass
1960
1582
1961
1583
# Rejected - signal
1962
1584
@dbus.service.signal(_interface, signature="s")
1963
1585
def Rejected(self, reason):
1964
1586
"D-Bus signal"
1965
1587
pass
1966
1588
1967
1589
# NeedApproval - signal
1968
1590
@dbus.service.signal(_interface, signature="tb")
1969
1591
def NeedApproval(self, timeout, default):
1970
1592
"D-Bus signal"
1971
1593
return self.need_approval()
1972
1973
# Methods
1974
1594
1595
## Methods
1596
1975
1597
# Approve - method
1976
1598
@dbus.service.method(_interface, in_signature="b")
1977
1599
def Approve(self, value):
1978
1600
self.approve(value)
1979
1601
1980
1602
# CheckedOK - method
1981
1603
@dbus.service.method(_interface)
1982
1604
def CheckedOK(self):
1983
1605
self.checked_ok()
1984
1606
1985
1607
# Enable - method
1986
1608
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1987
1609
@dbus.service.method(_interface)
1988
1610
def Enable(self):
1989
1611
"D-Bus method"
1990
1612
self.enable()
1991
1613
1992
1614
# StartChecker - method
1993
1615
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1994
1616
@dbus.service.method(_interface)
1995
1617
def StartChecker(self):
1996
1618
"D-Bus method"
1997
1619
self.start_checker()
1998
1620
1999
1621
# Disable - method
2000
1622
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2001
1623
@dbus.service.method(_interface)
2002
1624
def Disable(self):
2003
1625
"D-Bus method"
2004
1626
self.disable()
2005
1627
2006
1628
# StopChecker - method
2007
1629
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1630
@dbus.service.method(_interface)
2009
1631
def StopChecker(self):
2010
1632
self.stop_checker()
2011
2012
# Properties
2013
1633
1634
## Properties
1635
2014
1636
# ApprovalPending - property
2015
1637
@dbus_service_property(_interface, signature="b", access="read")
2016
1638
def ApprovalPending_dbus_property(self):
2017
1639
return dbus.Boolean(bool(self.approvals_pending))
2018
1640
2019
1641
# ApprovedByDefault - property
2020
1642
@dbus_service_property(_interface,
2021
1643
signature="b",
2024
1646
if value is None: # get
2025
1647
return dbus.Boolean(self.approved_by_default)
2026
1648
self.approved_by_default = bool(value)
2027
1649
2028
1650
# ApprovalDelay - property
2029
1651
@dbus_service_property(_interface,
2030
1652
signature="t",
2034
1656
return dbus.UInt64(self.approval_delay.total_seconds()
2035
1657
* 1000)
2036
1658
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2037
1659
2038
1660
# ApprovalDuration - property
2039
1661
@dbus_service_property(_interface,
2040
1662
signature="t",
2044
1666
return dbus.UInt64(self.approval_duration.total_seconds()
2045
1667
* 1000)
2046
1668
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2047
1669
2048
1670
# Name - property
2049
1671
@dbus_annotations(
2050
1672
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2051
1673
@dbus_service_property(_interface, signature="s", access="read")
2052
1674
def Name_dbus_property(self):
2053
1675
return dbus.String(self.name)
2054
2055
# KeyID - property
2056
@dbus_annotations(
2057
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2058
@dbus_service_property(_interface, signature="s", access="read")
2059
def KeyID_dbus_property(self):
2060
return dbus.String(self.key_id)
2061
1676
2062
1677
# Fingerprint - property
2063
1678
@dbus_annotations(
2064
1679
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2065
1680
@dbus_service_property(_interface, signature="s", access="read")
2066
1681
def Fingerprint_dbus_property(self):
2067
1682
return dbus.String(self.fingerprint)
2068
1683
2069
1684
# Host - property
2070
1685
@dbus_service_property(_interface,
2071
1686
signature="s",
2074
1689
if value is None: # get
2075
1690
return dbus.String(self.host)
2076
1691
self.host = str(value)
2077
1692
2078
1693
# Created - property
2079
1694
@dbus_annotations(
2080
1695
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2081
1696
@dbus_service_property(_interface, signature="s", access="read")
2082
1697
def Created_dbus_property(self):
2083
1698
return datetime_to_dbus(self.created)
2084
1699
2085
1700
# LastEnabled - property
2086
1701
@dbus_service_property(_interface, signature="s", access="read")
2087
1702
def LastEnabled_dbus_property(self):
2088
1703
return datetime_to_dbus(self.last_enabled)
2089
1704
2090
1705
# Enabled - property
2091
1706
@dbus_service_property(_interface,
2092
1707
signature="b",
2098
1713
self.enable()
2099
1714
else:
2100
1715
self.disable()
2101
1716
2102
1717
# LastCheckedOK - property
2103
1718
@dbus_service_property(_interface,
2104
1719
signature="s",
2108
1723
self.checked_ok()
2109
1724
return
2110
1725
return datetime_to_dbus(self.last_checked_ok)
2111
1726
2112
1727
# LastCheckerStatus - property
2113
1728
@dbus_service_property(_interface, signature="n", access="read")
2114
1729
def LastCheckerStatus_dbus_property(self):
2115
1730
return dbus.Int16(self.last_checker_status)
2116
1731
2117
1732
# Expires - property
2118
1733
@dbus_service_property(_interface, signature="s", access="read")
2119
1734
def Expires_dbus_property(self):
2120
1735
return datetime_to_dbus(self.expires)
2121
1736
2122
1737
# LastApprovalRequest - property
2123
1738
@dbus_service_property(_interface, signature="s", access="read")
2124
1739
def LastApprovalRequest_dbus_property(self):
2125
1740
return datetime_to_dbus(self.last_approval_request)
2126
1741
2127
1742
# Timeout - property
2128
1743
@dbus_service_property(_interface,
2129
1744
signature="t",
2144
1759
if (getattr(self, "disable_initiator_tag", None)
2145
1760
is None):
2146
1761
return
2147
GLib.source_remove(self.disable_initiator_tag)
2148
self.disable_initiator_tag = GLib.timeout_add(
1762
gobject.source_remove(self.disable_initiator_tag)
1763
self.disable_initiator_tag = gobject.timeout_add(
2149
1764
int((self.expires - now).total_seconds() * 1000),
2150
1765
self.disable)
2151
1766
2152
1767
# ExtendedTimeout - property
2153
1768
@dbus_service_property(_interface,
2154
1769
signature="t",
2158
1773
return dbus.UInt64(self.extended_timeout.total_seconds()
2159
1774
* 1000)
2160
1775
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2161
1776
2162
1777
# Interval - property
2163
1778
@dbus_service_property(_interface,
2164
1779
signature="t",
2171
1786
return
2172
1787
if self.enabled:
2173
1788
# Reschedule checker run
2174
GLib.source_remove(self.checker_initiator_tag)
2175
self.checker_initiator_tag = GLib.timeout_add(
1789
gobject.source_remove(self.checker_initiator_tag)
1790
self.checker_initiator_tag = gobject.timeout_add(
2176
1791
value, self.start_checker)
2177
self.start_checker() # Start one now, too
2178
1792
self.start_checker() # Start one now, too
1793
2179
1794
# Checker - property
2180
1795
@dbus_service_property(_interface,
2181
1796
signature="s",
2184
1799
if value is None: # get
2185
1800
return dbus.String(self.checker_command)
2186
1801
self.checker_command = str(value)
2187
1802
2188
1803
# CheckerRunning - property
2189
1804
@dbus_service_property(_interface,
2190
1805
signature="b",
2196
1811
self.start_checker()
2197
1812
else:
2198
1813
self.stop_checker()
2199
1814
2200
1815
# ObjectPath - property
2201
1816
@dbus_annotations(
2202
1817
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2203
1818
"org.freedesktop.DBus.Deprecated": "true"})
2204
1819
@dbus_service_property(_interface, signature="o", access="read")
2205
1820
def ObjectPath_dbus_property(self):
2206
return self.dbus_object_path # is already a dbus.ObjectPath
2207
1821
return self.dbus_object_path # is already a dbus.ObjectPath
1822
2208
1823
# Secret = property
2209
1824
@dbus_annotations(
2210
1825
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2215
1830
byte_arrays=True)
2216
1831
def Secret_dbus_property(self, value):
2217
1832
self.secret = bytes(value)
2218
1833
2219
1834
del _interface
2220
1835
2221
1836
2222
1837
class ProxyClient(object):
2223
def __init__(self, child_pipe, key_id, fpr, address):
1838
def __init__(self, child_pipe, fpr, address):
2224
1839
self._pipe = child_pipe
2225
self._pipe.send(('init', key_id, fpr, address))
1840
self._pipe.send(('init', fpr, address))
2226
1841
if not self._pipe.recv():
2227
raise KeyError(key_id or fpr)
2228
1842
raise KeyError(fpr)
1843
2229
1844
def __getattribute__(self, name):
2230
1845
if name == '_pipe':
2231
1846
return super(ProxyClient, self).__getattribute__(name)
2234
1849
if data[0] == 'data':
2235
1850
return data[1]
2236
1851
if data[0] == 'function':
2237
1852
2238
1853
def func(*args, **kwargs):
2239
1854
self._pipe.send(('funcall', name, args, kwargs))
2240
1855
return self._pipe.recv()[1]
2241
1856
2242
1857
return func
2243
1858
2244
1859
def __setattr__(self, name, value):
2245
1860
if name == '_pipe':
2246
1861
return super(ProxyClient, self).__setattr__(name, value)
2249
1864
2250
1865
class ClientHandler(socketserver.BaseRequestHandler, object):
2251
1866
"""A class to handle client connections.
2252
1867
2253
1868
Instantiated once for each connection to handle it.
2254
1869
Note: This will run in its own forked process."""
2255
1870
2256
1871
def handle(self):
2257
1872
with contextlib.closing(self.server.child_pipe) as child_pipe:
2258
1873
logger.info("TCP connection from: %s",
2259
1874
str(self.client_address))
2260
1875
logger.debug("Pipe FD: %d",
2261
1876
self.server.child_pipe.fileno())
2262
2263
session = gnutls.ClientSession(self.request)
2264
2265
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2266
# "+AES-256-CBC", "+SHA1",
2267
# "+COMP-NULL", "+CTYPE-OPENPGP",
2268
# "+DHE-DSS"))
1877
1878
session = gnutls.connection.ClientSession(
1879
self.request, gnutls.connection .X509Credentials())
1880
1881
# Note: gnutls.connection.X509Credentials is really a
1882
# generic GnuTLS certificate credentials object so long as
1883
# no X.509 keys are added to it. Therefore, we can use it
1884
# here despite using OpenPGP certificates.
1885
1886
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1887
# "+AES-256-CBC", "+SHA1",
1888
# "+COMP-NULL", "+CTYPE-OPENPGP",
1889
# "+DHE-DSS"))
2269
1890
# Use a fallback default, since this MUST be set.
2270
1891
priority = self.server.gnutls_priority
2271
1892
if priority is None:
2272
1893
priority = "NORMAL"
2273
gnutls.priority_set_direct(session._c_object,
2274
priority.encode("utf-8"),
2275
None)
2276
1894
gnutls.library.functions.gnutls_priority_set_direct(
1895
session._c_object, priority, None)
1896
2277
1897
# Start communication using the Mandos protocol
2278
1898
# Get protocol number
2279
1899
line = self.request.makefile().readline()
2284
1904
except (ValueError, IndexError, RuntimeError) as error:
2285
1905
logger.error("Unknown protocol version: %s", error)
2286
1906
return
2287
1907
2288
1908
# Start GnuTLS connection
2289
1909
try:
2290
1910
session.handshake()
2291
except gnutls.Error as error:
1911
except gnutls.errors.GNUTLSError as error:
2292
1912
logger.warning("Handshake failed: %s", error)
2293
1913
# Do not run session.bye() here: the session is not
2294
1914
# established. Just abandon the request.
2295
1915
return
2296
1916
logger.debug("Handshake succeeded")
2297
1917
2298
1918
approval_required = False
2299
1919
try:
2300
if gnutls.has_rawpk:
2301
fpr = ""
2302
try:
2303
key_id = self.key_id(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2307
return
2308
logger.debug("Key ID: %s", key_id)
2309
2310
else:
2311
key_id = ""
2312
try:
2313
fpr = self.fingerprint(
2314
self.peer_certificate(session))
2315
except (TypeError, gnutls.Error) as error:
2316
logger.warning("Bad certificate: %s", error)
2317
return
2318
logger.debug("Fingerprint: %s", fpr)
2319
2320
try:
2321
client = ProxyClient(child_pipe, key_id, fpr,
1920
try:
1921
fpr = self.fingerprint(
1922
self.peer_certificate(session))
1923
except (TypeError,
1924
gnutls.errors.GNUTLSError) as error:
1925
logger.warning("Bad certificate: %s", error)
1926
return
1927
logger.debug("Fingerprint: %s", fpr)
1928
1929
try:
1930
client = ProxyClient(child_pipe, fpr,
2322
1931
self.client_address)
2323
1932
except KeyError:
2324
1933
return
2325
1934
2326
1935
if client.approval_delay:
2327
1936
delay = client.approval_delay
2328
1937
client.approvals_pending += 1
2329
1938
approval_required = True
2330
1939
2331
1940
while True:
2332
1941
if not client.enabled:
2333
1942
logger.info("Client %s is disabled",
2336
1945
# Emit D-Bus signal
2337
1946
client.Rejected("Disabled")
2338
1947
return
2339
1948
2340
1949
if client.approved or not client.approval_delay:
2341
# We are approved or approval is disabled
1950
#We are approved or approval is disabled
2342
1951
break
2343
1952
elif client.approved is None:
2344
1953
logger.info("Client %s needs approval",
2355
1964
# Emit D-Bus signal
2356
1965
client.Rejected("Denied")
2357
1966
return
2358
2359
# wait until timeout or approved
1967
1968
#wait until timeout or approved
2360
1969
time = datetime.datetime.now()
2361
1970
client.changedstate.acquire()
2362
1971
client.changedstate.wait(delay.total_seconds())
2375
1984
break
2376
1985
else:
2377
1986
delay -= time2 - time
2378
2379
try:
2380
session.send(client.secret)
2381
except gnutls.Error as error:
2382
logger.warning("gnutls send failed",
2383
exc_info=error)
2384
return
2385
1987
1988
sent_size = 0
1989
while sent_size < len(client.secret):
1990
try:
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1994
exc_info=error)
1995
return
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
1998
+ sent))
1999
sent_size += sent
2000
2386
2001
logger.info("Sending secret to %s", client.name)
2387
2002
# bump the timeout using extended_timeout
2388
2003
client.bump_timeout(client.extended_timeout)
2389
2004
if self.server.use_dbus:
2390
2005
# Emit D-Bus signal
2391
2006
client.GotSecret()
2392
2007
2393
2008
finally:
2394
2009
if approval_required:
2395
2010
client.approvals_pending -= 1
2396
2011
try:
2397
2012
session.bye()
2398
except gnutls.Error as error:
2013
except gnutls.errors.GNUTLSError as error:
2399
2014
logger.warning("GnuTLS bye failed",
2400
2015
exc_info=error)
2401
2016
2402
2017
@staticmethod
2403
2018
def peer_certificate(session):
2404
"Return the peer's certificate as a bytestring"
2405
try:
2406
cert_type = gnutls.certificate_type_get2(session._c_object,
2407
gnutls.CTYPE_PEERS)
2408
except AttributeError:
2409
cert_type = gnutls.certificate_type_get(session._c_object)
2410
if gnutls.has_rawpk:
2411
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2412
else:
2413
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2414
# If not a valid certificate type...
2415
if cert_type not in valid_cert_types:
2416
logger.info("Cert type %r not in %r", cert_type,
2417
valid_cert_types)
2418
# ...return invalid data
2419
return b""
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2022
session._c_object)
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2420
2026
list_size = ctypes.c_uint(1)
2421
cert_list = (gnutls.certificate_get_peers
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2422
2029
(session._c_object, ctypes.byref(list_size)))
2423
2030
if not bool(cert_list) and list_size.value != 0:
2424
raise gnutls.Error("error getting peer certificate")
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2032
" certificate")
2425
2033
if list_size.value == 0:
2426
2034
return None
2427
2035
cert = cert_list[0]
2428
2036
return ctypes.string_at(cert.data, cert.size)
2429
2430
@staticmethod
2431
def key_id(certificate):
2432
"Convert a certificate bytestring to a hexdigit key ID"
2433
# New GnuTLS "datum" with the public key
2434
datum = gnutls.datum_t(
2435
ctypes.cast(ctypes.c_char_p(certificate),
2436
ctypes.POINTER(ctypes.c_ubyte)),
2437
ctypes.c_uint(len(certificate)))
2438
# XXX all these need to be created in the gnutls "module"
2439
# New empty GnuTLS certificate
2440
pubkey = gnutls.pubkey_t()
2441
gnutls.pubkey_init(ctypes.byref(pubkey))
2442
# Import the raw public key into the certificate
2443
gnutls.pubkey_import(pubkey,
2444
ctypes.byref(datum),
2445
gnutls.X509_FMT_DER)
2446
# New buffer for the key ID
2447
buf = ctypes.create_string_buffer(32)
2448
buf_len = ctypes.c_size_t(len(buf))
2449
# Get the key ID from the raw public key into the buffer
2450
gnutls.pubkey_get_key_id(pubkey,
2451
gnutls.KEYID_USE_SHA256,
2452
ctypes.cast(ctypes.byref(buf),
2453
ctypes.POINTER(ctypes.c_ubyte)),
2454
ctypes.byref(buf_len))
2455
# Deinit the certificate
2456
gnutls.pubkey_deinit(pubkey)
2457
2458
# Convert the buffer to a Python bytestring
2459
key_id = ctypes.string_at(buf, buf_len.value)
2460
# Convert the bytestring to hexadecimal notation
2461
hex_key_id = binascii.hexlify(key_id).upper()
2462
return hex_key_id
2463
2037
2464
2038
@staticmethod
2465
2039
def fingerprint(openpgp):
2466
2040
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2467
2041
# New GnuTLS "datum" with the OpenPGP public key
2468
datum = gnutls.datum_t(
2042
datum = gnutls.library.types.gnutls_datum_t(
2469
2043
ctypes.cast(ctypes.c_char_p(openpgp),
2470
2044
ctypes.POINTER(ctypes.c_ubyte)),
2471
2045
ctypes.c_uint(len(openpgp)))
2472
2046
# New empty GnuTLS certificate
2473
crt = gnutls.openpgp_crt_t()
2474
gnutls.openpgp_crt_init(ctypes.byref(crt))
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2049
ctypes.byref(crt))
2475
2050
# Import the OpenPGP public key into the certificate
2476
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2477
gnutls.OPENPGP_FMT_RAW)
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2478
2054
# Verify the self signature in the key
2479
2055
crtverify = ctypes.c_uint()
2480
gnutls.openpgp_crt_verify_self(crt, 0,
2481
ctypes.byref(crtverify))
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2482
2058
if crtverify.value != 0:
2483
gnutls.openpgp_crt_deinit(crt)
2484
raise gnutls.CertificateSecurityError(code
2485
=crtverify.value)
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2061
"Verify failed")
2486
2062
# New buffer for the fingerprint
2487
2063
buf = ctypes.create_string_buffer(20)
2488
2064
buf_len = ctypes.c_size_t()
2489
2065
# Get the fingerprint from the certificate into the buffer
2490
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2491
ctypes.byref(buf_len))
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2492
2068
# Deinit the certificate
2493
gnutls.openpgp_crt_deinit(crt)
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2494
2070
# Convert the buffer to a Python bytestring
2495
2071
fpr = ctypes.string_at(buf, buf_len.value)
2496
2072
# Convert the bytestring to hexadecimal notation
2500
2076
2501
2077
class MultiprocessingMixIn(object):
2502
2078
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2503
2079
2504
2080
def sub_process_main(self, request, address):
2505
2081
try:
2506
2082
self.finish_request(request, address)
2507
2083
except Exception:
2508
2084
self.handle_error(request, address)
2509
2085
self.close_request(request)
2510
2086
2511
2087
def process_request(self, request, address):
2512
2088
"""Start a new process to process the request."""
2513
proc = multiprocessing.Process(target=self.sub_process_main,
2514
args=(request, address))
2089
proc = multiprocessing.Process(target = self.sub_process_main,
2090
args = (request, address))
2515
2091
proc.start()
2516
2092
return proc
2517
2093
2518
2094
2519
2095
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2520
2096
""" adds a pipe to the MixIn """
2521
2097
2522
2098
def process_request(self, request, client_address):
2523
2099
"""Overrides and wraps the original process_request().
2524
2100
2525
2101
This function creates a new pipe in self.pipe
2526
2102
"""
2527
2103
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2528
2104
2529
2105
proc = MultiprocessingMixIn.process_request(self, request,
2530
2106
client_address)
2531
2107
self.child_pipe.close()
2532
2108
self.add_pipe(parent_pipe, proc)
2533
2109
2534
2110
def add_pipe(self, parent_pipe, proc):
2535
2111
"""Dummy function; override as necessary"""
2536
2112
raise NotImplementedError()
2539
2115
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2540
2116
socketserver.TCPServer, object):
2541
2117
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2542
2118
2543
2119
Attributes:
2544
2120
enabled: Boolean; whether this server is activated yet
2545
2121
interface: None or a network interface name (string)
2546
2122
use_ipv6: Boolean; to use IPv6 or not
2547
2123
"""
2548
2124
2549
2125
def __init__(self, server_address, RequestHandlerClass,
2550
2126
interface=None,
2551
2127
use_ipv6=True,
2561
2137
self.socketfd = socketfd
2562
2138
# Save the original socket.socket() function
2563
2139
self.socket_socket = socket.socket
2564
2565
2140
# To implement --socket, we monkey patch socket.socket.
2566
#
2141
#
2567
2142
# (When socketserver.TCPServer is a new-style class, we
2568
2143
# could make self.socket into a property instead of monkey
2569
2144
# patching socket.socket.)
2570
#
2145
#
2571
2146
# Create a one-time-only replacement for socket.socket()
2572
2147
@functools.wraps(socket.socket)
2573
2148
def socket_wrapper(*args, **kwargs):
2585
2160
# socket_wrapper(), if socketfd was set.
2586
2161
socketserver.TCPServer.__init__(self, server_address,
2587
2162
RequestHandlerClass)
2588
2163
2589
2164
def server_bind(self):
2590
2165
"""This overrides the normal server_bind() function
2591
2166
to bind to an interface if one was specified, and also NOT to
2592
2167
bind to an address or port if they were not specified."""
2593
global SO_BINDTODEVICE
2594
2168
if self.interface is not None:
2595
2169
if SO_BINDTODEVICE is None:
2596
# Fall back to a hard-coded value which seems to be
2597
# common enough.
2598
logger.warning("SO_BINDTODEVICE not found, trying 25")
2599
SO_BINDTODEVICE = 25
2600
try:
2601
self.socket.setsockopt(
2602
socket.SOL_SOCKET, SO_BINDTODEVICE,
2603
(self.interface + "\0").encode("utf-8"))
2604
except socket.error as error:
2605
if error.errno == errno.EPERM:
2606
logger.error("No permission to bind to"
2607
" interface %s", self.interface)
2608
elif error.errno == errno.ENOPROTOOPT:
2609
logger.error("SO_BINDTODEVICE not available;"
2610
" cannot bind to interface %s",
2611
self.interface)
2612
elif error.errno == errno.ENODEV:
2613
logger.error("Interface %s does not exist,"
2614
" cannot bind", self.interface)
2615
else:
2616
raise
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2172
self.interface)
2173
else:
2174
try:
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2185
self.interface)
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2189
else:
2190
raise
2617
2191
# Only bind(2) the socket if we really need to.
2618
2192
if self.server_address[0] or self.server_address[1]:
2619
2193
if not self.server_address[0]:
2620
2194
if self.address_family == socket.AF_INET6:
2621
any_address = "::" # in6addr_any
2195
any_address = "::" # in6addr_any
2622
2196
else:
2623
any_address = "0.0.0.0" # INADDR_ANY
2197
any_address = "0.0.0.0" # INADDR_ANY
2624
2198
self.server_address = (any_address,
2625
2199
self.server_address[1])
2626
2200
elif not self.server_address[1]:
2636
2210
2637
2211
class MandosServer(IPv6_TCPServer):
2638
2212
"""Mandos server.
2639
2213
2640
2214
Attributes:
2641
2215
clients: set of Client objects
2642
2216
gnutls_priority GnuTLS priority string
2643
2217
use_dbus: Boolean; to emit D-Bus signals or not
2644
2645
Assumes a GLib.MainLoop event loop.
2218
2219
Assumes a gobject.MainLoop event loop.
2646
2220
"""
2647
2221
2648
2222
def __init__(self, server_address, RequestHandlerClass,
2649
2223
interface=None,
2650
2224
use_ipv6=True,
2660
2234
self.gnutls_priority = gnutls_priority
2661
2235
IPv6_TCPServer.__init__(self, server_address,
2662
2236
RequestHandlerClass,
2663
interface=interface,
2664
use_ipv6=use_ipv6,
2665
socketfd=socketfd)
2666
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2240
2667
2241
def server_activate(self):
2668
2242
if self.enabled:
2669
2243
return socketserver.TCPServer.server_activate(self)
2670
2244
2671
2245
def enable(self):
2672
2246
self.enabled = True
2673
2247
2674
2248
def add_pipe(self, parent_pipe, proc):
2675
2249
# Call "handle_ipc" for both data and EOF events
2676
GLib.io_add_watch(
2250
gobject.io_add_watch(
2677
2251
parent_pipe.fileno(),
2678
GLib.IO_IN | GLib.IO_HUP,
2252
gobject.IO_IN | gobject.IO_HUP,
2679
2253
functools.partial(self.handle_ipc,
2680
parent_pipe=parent_pipe,
2681
proc=proc))
2682
2254
parent_pipe = parent_pipe,
2255
proc = proc))
2256
2683
2257
def handle_ipc(self, source, condition,
2684
2258
parent_pipe=None,
2685
proc=None,
2259
proc = None,
2686
2260
client_object=None):
2687
2261
# error, or the other end of multiprocessing.Pipe has closed
2688
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2689
2263
# Wait for other process to exit
2690
2264
proc.join()
2691
2265
return False
2692
2266
2693
2267
# Read a request from the child
2694
2268
request = parent_pipe.recv()
2695
2269
command = request[0]
2696
2270
2697
2271
if command == 'init':
2698
key_id = request[1].decode("ascii")
2699
fpr = request[2].decode("ascii")
2700
address = request[3]
2701
2702
for c in self.clients.values():
2703
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2704
continue
2705
if key_id and c.key_id == key_id:
2706
client = c
2707
break
2708
if fpr and c.fingerprint == fpr:
2272
fpr = request[1]
2273
address = request[2]
2274
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2709
2277
client = c
2710
2278
break
2711
2279
else:
2712
logger.info("Client not found for key ID: %s, address"
2713
": %s", key_id or fpr, address)
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2714
2282
if self.use_dbus:
2715
2283
# Emit D-Bus signal
2716
mandos_dbus_service.ClientNotFound(key_id or fpr,
2284
mandos_dbus_service.ClientNotFound(fpr,
2717
2285
address[0])
2718
2286
parent_pipe.send(False)
2719
2287
return False
2720
2721
GLib.io_add_watch(
2288
2289
gobject.io_add_watch(
2722
2290
parent_pipe.fileno(),
2723
GLib.IO_IN | GLib.IO_HUP,
2291
gobject.IO_IN | gobject.IO_HUP,
2724
2292
functools.partial(self.handle_ipc,
2725
parent_pipe=parent_pipe,
2726
proc=proc,
2727
client_object=client))
2293
parent_pipe = parent_pipe,
2294
proc = proc,
2295
client_object = client))
2728
2296
parent_pipe.send(True)
2729
2297
# remove the old hook in favor of the new above hook on
2730
2298
# same fileno
2733
2301
funcname = request[1]
2734
2302
args = request[2]
2735
2303
kwargs = request[3]
2736
2304
2737
2305
parent_pipe.send(('data', getattr(client_object,
2738
2306
funcname)(*args,
2739
2307
**kwargs)))
2740
2308
2741
2309
if command == 'getattr':
2742
2310
attrname = request[1]
2743
2311
if isinstance(client_object.__getattribute__(attrname),
2746
2314
else:
2747
2315
parent_pipe.send((
2748
2316
'data', client_object.__getattribute__(attrname)))
2749
2317
2750
2318
if command == 'setattr':
2751
2319
attrname = request[1]
2752
2320
value = request[2]
2753
2321
setattr(client_object, attrname, value)
2754
2322
2755
2323
return True
2756
2324
2757
2325
2758
2326
def rfc3339_duration_to_delta(duration):
2759
2327
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2760
2328
2761
2329
>>> rfc3339_duration_to_delta("P7D")
2762
2330
datetime.timedelta(7)
2763
2331
>>> rfc3339_duration_to_delta("PT60S")
2773
2341
>>> rfc3339_duration_to_delta("P1DT3M20S")
2774
2342
datetime.timedelta(1, 200)
2775
2343
"""
2776
2344
2777
2345
# Parsing an RFC 3339 duration with regular expressions is not
2778
2346
# possible - there would have to be multiple places for the same
2779
2347
# values, like seconds. The current code, while more esoteric, is
2780
2348
# cleaner without depending on a parsing library. If Python had a
2781
2349
# built-in library for parsing we would use it, but we'd like to
2782
2350
# avoid excessive use of external libraries.
2783
2351
2784
2352
# New type for defining tokens, syntax, and semantics all-in-one
2785
2353
Token = collections.namedtuple("Token", (
2786
2354
"regexp", # To match token; if "value" is not None, must have
2819
2387
frozenset((token_year, token_month,
2820
2388
token_day, token_time,
2821
2389
token_week)))
2822
# Define starting values:
2823
# Value so far
2824
value = datetime.timedelta()
2390
# Define starting values
2391
value = datetime.timedelta() # Value so far
2825
2392
found_token = None
2826
# Following valid tokens
2827
followers = frozenset((token_duration, ))
2828
# String left to parse
2829
s = duration
2393
followers = frozenset((token_duration, )) # Following valid tokens
2394
s = duration # String left to parse
2830
2395
# Loop until end token is found
2831
2396
while found_token is not token_end:
2832
2397
# Search for any currently valid tokens
2856
2421
2857
2422
def string_to_delta(interval):
2858
2423
"""Parse a string and return a datetime.timedelta
2859
2424
2860
2425
>>> string_to_delta('7d')
2861
2426
datetime.timedelta(7)
2862
2427
>>> string_to_delta('60s')
2870
2435
>>> string_to_delta('5m 30s')
2871
2436
datetime.timedelta(0, 330)
2872
2437
"""
2873
2438
2874
2439
try:
2875
2440
return rfc3339_duration_to_delta(interval)
2876
2441
except ValueError:
2877
2442
pass
2878
2443
2879
2444
timevalue = datetime.timedelta(0)
2880
2445
for s in interval.split():
2881
2446
try:
2899
2464
return timevalue
2900
2465
2901
2466
2902
def daemon(nochdir=False, noclose=False):
2467
def daemon(nochdir = False, noclose = False):
2903
2468
"""See daemon(3). Standard BSD Unix function.
2904
2469
2905
2470
This should really exist as os.daemon, but it doesn't (yet)."""
2906
2471
if os.fork():
2907
2472
sys.exit()
2925
2490
2926
2491
2927
2492
def main():
2928
2493
2929
2494
##################################################################
2930
2495
# Parsing of options, both command line and config file
2931
2496
2932
2497
parser = argparse.ArgumentParser()
2933
2498
parser.add_argument("-v", "--version", action="version",
2934
version="%(prog)s {}".format(version),
2499
version = "%(prog)s {}".format(version),
2935
2500
help="show version number and exit")
2936
2501
parser.add_argument("-i", "--interface", metavar="IF",
2937
2502
help="Bind to interface IF")
2973
2538
parser.add_argument("--no-zeroconf", action="store_false",
2974
2539
dest="zeroconf", help="Do not use Zeroconf",
2975
2540
default=None)
2976
2541
2977
2542
options = parser.parse_args()
2978
2543
2979
2544
if options.check:
2980
2545
import doctest
2981
2546
fail_count, test_count = doctest.testmod()
2982
2547
sys.exit(os.EX_OK if fail_count == 0 else 1)
2983
2548
2984
2549
# Default values for config file for server-global settings
2985
if gnutls.has_rawpk:
2986
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2987
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2988
else:
2989
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2990
":+SIGN-DSA-SHA256")
2991
server_defaults = {"interface": "",
2992
"address": "",
2993
"port": "",
2994
"debug": "False",
2995
"priority": priority,
2996
"servicename": "Mandos",
2997
"use_dbus": "True",
2998
"use_ipv6": "True",
2999
"debuglevel": "",
3000
"restore": "True",
3001
"socket": "",
3002
"statedir": "/var/lib/mandos",
3003
"foreground": "False",
3004
"zeroconf": "True",
3005
}
3006
del priority
3007
2550
server_defaults = { "interface": "",
2551
"address": "",
2552
"port": "",
2553
"debug": "False",
2554
"priority":
2555
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2556
":+SIGN-DSA-SHA256",
2557
"servicename": "Mandos",
2558
"use_dbus": "True",
2559
"use_ipv6": "True",
2560
"debuglevel": "",
2561
"restore": "True",
2562
"socket": "",
2563
"statedir": "/var/lib/mandos",
2564
"foreground": "False",
2565
"zeroconf": "True",
2566
}
2567
3008
2568
# Parse config file for server-global settings
3009
2569
server_config = configparser.SafeConfigParser(server_defaults)
3010
2570
del server_defaults
3012
2572
# Convert the SafeConfigParser object to a dict
3013
2573
server_settings = server_config.defaults()
3014
2574
# Use the appropriate methods on the non-string config options
3015
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3016
"foreground", "zeroconf"):
2575
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3017
2576
server_settings[option] = server_config.getboolean("DEFAULT",
3018
2577
option)
3019
2578
if server_settings["port"]:
3029
2588
server_settings["socket"] = os.dup(server_settings
3030
2589
["socket"])
3031
2590
del server_config
3032
2591
3033
2592
# Override the settings from the config file with command line
3034
2593
# options, if set.
3035
2594
for option in ("interface", "address", "port", "debug",
3053
2612
if server_settings["debug"]:
3054
2613
server_settings["foreground"] = True
3055
2614
# Now we have our good server settings in "server_settings"
3056
2615
3057
2616
##################################################################
3058
2617
3059
2618
if (not server_settings["zeroconf"]
3060
2619
and not (server_settings["port"]
3061
2620
or server_settings["socket"] != "")):
3062
2621
parser.error("Needs port or socket to work without Zeroconf")
3063
2622
3064
2623
# For convenience
3065
2624
debug = server_settings["debug"]
3066
2625
debuglevel = server_settings["debuglevel"]
3070
2629
stored_state_file)
3071
2630
foreground = server_settings["foreground"]
3072
2631
zeroconf = server_settings["zeroconf"]
3073
2632
3074
2633
if debug:
3075
2634
initlogger(debug, logging.DEBUG)
3076
2635
else:
3079
2638
else:
3080
2639
level = getattr(logging, debuglevel.upper())
3081
2640
initlogger(debug, level)
3082
2641
3083
2642
if server_settings["servicename"] != "Mandos":
3084
2643
syslogger.setFormatter(
3085
2644
logging.Formatter('Mandos ({}) [%(process)d]:'
3086
2645
' %(levelname)s: %(message)s'.format(
3087
2646
server_settings["servicename"])))
3088
2647
3089
2648
# Parse config file with clients
3090
2649
client_config = configparser.SafeConfigParser(Client
3091
2650
.client_defaults)
3092
2651
client_config.read(os.path.join(server_settings["configdir"],
3093
2652
"clients.conf"))
3094
2653
3095
2654
global mandos_dbus_service
3096
2655
mandos_dbus_service = None
3097
2656
3098
2657
socketfd = None
3099
2658
if server_settings["socket"] != "":
3100
2659
socketfd = server_settings["socket"]
3116
2675
except IOError as e:
3117
2676
logger.error("Could not open file %r", pidfilename,
3118
2677
exc_info=e)
3119
3120
for name, group in (("_mandos", "_mandos"),
3121
("mandos", "mandos"),
3122
("nobody", "nogroup")):
2678
2679
for name in ("_mandos", "mandos", "nobody"):
3123
2680
try:
3124
2681
uid = pwd.getpwnam(name).pw_uid
3125
gid = pwd.getpwnam(group).pw_gid
2682
gid = pwd.getpwnam(name).pw_gid
3126
2683
break
3127
2684
except KeyError:
3128
2685
continue
3132
2689
try:
3133
2690
os.setgid(gid)
3134
2691
os.setuid(uid)
3135
if debug:
3136
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3137
gid))
3138
2692
except OSError as error:
3139
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3140
.format(uid, gid, os.strerror(error.errno)))
3141
2693
if error.errno != errno.EPERM:
3142
2694
raise
3143
2695
3144
2696
if debug:
3145
2697
# Enable all possible GnuTLS debugging
3146
2698
3147
2699
# "Use a log level over 10 to enable all debugging options."
3148
2700
# - GnuTLS manual
3149
gnutls.global_set_log_level(11)
3150
3151
@gnutls.log_func
2701
gnutls.library.functions.gnutls_global_set_log_level(11)
2702
2703
@gnutls.library.types.gnutls_log_func
3152
2704
def debug_gnutls(level, string):
3153
2705
logger.debug("GnuTLS: %s", string[:-1])
3154
3155
gnutls.global_set_log_function(debug_gnutls)
3156
2706
2707
gnutls.library.functions.gnutls_global_set_log_function(
2708
debug_gnutls)
2709
3157
2710
# Redirect stdin so all checkers get /dev/null
3158
2711
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3159
2712
os.dup2(null, sys.stdin.fileno())
3160
2713
if null > 2:
3161
2714
os.close(null)
3162
2715
3163
2716
# Need to fork before connecting to D-Bus
3164
2717
if not foreground:
3165
2718
# Close all input and output, do double fork, etc.
3166
2719
daemon()
3167
3168
# multiprocessing will use threads, so before we use GLib we need
3169
# to inform GLib that threads will be used.
3170
GLib.threads_init()
3171
2720
2721
# multiprocessing will use threads, so before we use gobject we
2722
# need to inform gobject that threads will be used.
2723
gobject.threads_init()
2724
3172
2725
global main_loop
3173
2726
# From the Avahi example code
3174
2727
DBusGMainLoop(set_as_default=True)
3175
main_loop = GLib.MainLoop()
2728
main_loop = gobject.MainLoop()
3176
2729
bus = dbus.SystemBus()
3177
2730
# End of Avahi example code
3178
2731
if use_dbus:
3191
2744
if zeroconf:
3192
2745
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3193
2746
service = AvahiServiceToSyslog(
3194
name=server_settings["servicename"],
3195
servicetype="_mandos._tcp",
3196
protocol=protocol,
3197
bus=bus)
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
2750
bus = bus)
3198
2751
if server_settings["interface"]:
3199
2752
service.interface = if_nametoindex(
3200
2753
server_settings["interface"].encode("utf-8"))
3201
2754
3202
2755
global multiprocessing_manager
3203
2756
multiprocessing_manager = multiprocessing.Manager()
3204
2757
3205
2758
client_class = Client
3206
2759
if use_dbus:
3207
client_class = functools.partial(ClientDBus, bus=bus)
3208
2760
client_class = functools.partial(ClientDBus, bus = bus)
2761
3209
2762
client_settings = Client.config_parser(client_config)
3210
2763
old_client_settings = {}
3211
2764
clients_data = {}
3212
2765
3213
2766
# This is used to redirect stdout and stderr for checker processes
3214
2767
global wnull
3215
wnull = open(os.devnull, "w") # A writable /dev/null
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3216
2769
# Only used if server is running in foreground but not in debug
3217
2770
# mode
3218
2771
if debug or not foreground:
3219
2772
wnull.close()
3220
2773
3221
2774
# Get client data and settings from last running state.
3222
2775
if server_settings["restore"]:
3223
2776
try:
3224
2777
with open(stored_state_path, "rb") as stored_state:
3225
if sys.version_info.major == 2:
3226
clients_data, old_client_settings = pickle.load(
3227
stored_state)
3228
else:
3229
bytes_clients_data, bytes_old_client_settings = (
3230
pickle.load(stored_state, encoding="bytes"))
3231
# Fix bytes to strings
3232
# clients_data
3233
# .keys()
3234
clients_data = {(key.decode("utf-8")
3235
if isinstance(key, bytes)
3236
else key): value
3237
for key, value in
3238
bytes_clients_data.items()}
3239
del bytes_clients_data
3240
for key in clients_data:
3241
value = {(k.decode("utf-8")
3242
if isinstance(k, bytes) else k): v
3243
for k, v in
3244
clients_data[key].items()}
3245
clients_data[key] = value
3246
# .client_structure
3247
value["client_structure"] = [
3248
(s.decode("utf-8")
3249
if isinstance(s, bytes)
3250
else s) for s in
3251
value["client_structure"]]
3252
# .name & .host
3253
for k in ("name", "host"):
3254
if isinstance(value[k], bytes):
3255
value[k] = value[k].decode("utf-8")
3256
if not value.has_key("key_id"):
3257
value["key_id"] = ""
3258
elif not value.has_key("fingerprint"):
3259
value["fingerprint"] = ""
3260
# old_client_settings
3261
# .keys()
3262
old_client_settings = {
3263
(key.decode("utf-8")
3264
if isinstance(key, bytes)
3265
else key): value
3266
for key, value in
3267
bytes_old_client_settings.items()}
3268
del bytes_old_client_settings
3269
# .host
3270
for value in old_client_settings.values():
3271
if isinstance(value["host"], bytes):
3272
value["host"] = (value["host"]
3273
.decode("utf-8"))
2778
clients_data, old_client_settings = pickle.load(
2779
stored_state)
3274
2780
os.remove(stored_state_path)
3275
2781
except IOError as e:
3276
2782
if e.errno == errno.ENOENT:
3284
2790
logger.warning("Could not load persistent state: "
3285
2791
"EOFError:",
3286
2792
exc_info=e)
3287
2793
3288
2794
with PGPEngine() as pgp:
3289
2795
for client_name, client in clients_data.items():
3290
2796
# Skip removed clients
3291
2797
if client_name not in client_settings:
3292
2798
continue
3293
2799
3294
2800
# Decide which value to use after restoring saved state.
3295
2801
# We have three different values: Old config file,
3296
2802
# new config file, and saved state.
3307
2813
client[name] = value
3308
2814
except KeyError:
3309
2815
pass
3310
2816
3311
2817
# Clients who has passed its expire date can still be
3312
2818
# enabled if its last checker was successful. A Client
3313
2819
# whose checker succeeded before we stored its state is
3346
2852
client_name))
3347
2853
client["secret"] = (client_settings[client_name]
3348
2854
["secret"])
3349
2855
3350
2856
# Add/remove clients based on new changes made to config
3351
2857
for client_name in (set(old_client_settings)
3352
2858
- set(client_settings)):
3354
2860
for client_name in (set(client_settings)
3355
2861
- set(old_client_settings)):
3356
2862
clients_data[client_name] = client_settings[client_name]
3357
2863
3358
2864
# Create all client objects
3359
2865
for client_name, client in clients_data.items():
3360
2866
tcp_server.clients[client_name] = client_class(
3361
name=client_name,
3362
settings=client,
3363
server_settings=server_settings)
3364
2867
name = client_name,
2868
settings = client,
2869
server_settings = server_settings)
2870
3365
2871
if not tcp_server.clients:
3366
2872
logger.warning("No clients defined")
3367
2873
3368
2874
if not foreground:
3369
2875
if pidfile is not None:
3370
2876
pid = os.getpid()
3376
2882
pidfilename, pid)
3377
2883
del pidfile
3378
2884
del pidfilename
3379
3380
for termsig in (signal.SIGHUP, signal.SIGTERM):
3381
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3382
lambda: main_loop.quit() and False)
3383
2885
2886
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2887
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2888
3384
2889
if use_dbus:
3385
2890
3386
2891
@alternate_dbus_interfaces(
3387
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2892
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3388
2893
class MandosDBusService(DBusObjectWithObjectManager):
3389
2894
"""A D-Bus proxy object"""
3390
2895
3391
2896
def __init__(self):
3392
2897
dbus.service.Object.__init__(self, bus, "/")
3393
2898
3394
2899
_interface = "se.recompile.Mandos"
3395
2900
3396
2901
@dbus.service.signal(_interface, signature="o")
3397
2902
def ClientAdded(self, objpath):
3398
2903
"D-Bus signal"
3399
2904
pass
3400
2905
3401
2906
@dbus.service.signal(_interface, signature="ss")
3402
def ClientNotFound(self, key_id, address):
2907
def ClientNotFound(self, fingerprint, address):
3403
2908
"D-Bus signal"
3404
2909
pass
3405
2910
3406
2911
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3407
2912
"true"})
3408
2913
@dbus.service.signal(_interface, signature="os")
3409
2914
def ClientRemoved(self, objpath, name):
3410
2915
"D-Bus signal"
3411
2916
pass
3412
2917
3413
2918
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3414
2919
"true"})
3415
2920
@dbus.service.method(_interface, out_signature="ao")
3416
2921
def GetAllClients(self):
3417
2922
"D-Bus method"
3418
2923
return dbus.Array(c.dbus_object_path for c in
3419
tcp_server.clients.values())
3420
2924
tcp_server.clients.itervalues())
2925
3421
2926
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3422
2927
"true"})
3423
2928
@dbus.service.method(_interface,
3425
2930
def GetAllClientsWithProperties(self):
3426
2931
"D-Bus method"
3427
2932
return dbus.Dictionary(
3428
{c.dbus_object_path: c.GetAll(
2933
{ c.dbus_object_path: c.GetAll(
3429
2934
"se.recompile.Mandos.Client")
3430
for c in tcp_server.clients.values()},
2935
for c in tcp_server.clients.itervalues() },
3431
2936
signature="oa{sv}")
3432
2937
3433
2938
@dbus.service.method(_interface, in_signature="o")
3434
2939
def RemoveClient(self, object_path):
3435
2940
"D-Bus method"
3436
for c in tcp_server.clients.values():
2941
for c in tcp_server.clients.itervalues():
3437
2942
if c.dbus_object_path == object_path:
3438
2943
del tcp_server.clients[c.name]
3439
2944
c.remove_from_connection()
3443
2948
self.client_removed_signal(c)
3444
2949
return
3445
2950
raise KeyError(object_path)
3446
2951
3447
2952
del _interface
3448
2953
3449
2954
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3450
out_signature="a{oa{sa{sv}}}")
2955
out_signature = "a{oa{sa{sv}}}")
3451
2956
def GetManagedObjects(self):
3452
2957
"""D-Bus method"""
3453
2958
return dbus.Dictionary(
3454
{client.dbus_object_path:
3455
dbus.Dictionary(
3456
{interface: client.GetAll(interface)
3457
for interface in
3458
client._get_all_interface_names()})
3459
for client in tcp_server.clients.values()})
3460
2959
{ client.dbus_object_path:
2960
dbus.Dictionary(
2961
{ interface: client.GetAll(interface)
2962
for interface in
2963
client._get_all_interface_names()})
2964
for client in tcp_server.clients.values()})
2965
3461
2966
def client_added_signal(self, client):
3462
2967
"""Send the new standard signal and the old signal"""
3463
2968
if use_dbus:
3465
2970
self.InterfacesAdded(
3466
2971
client.dbus_object_path,
3467
2972
dbus.Dictionary(
3468
{interface: client.GetAll(interface)
3469
for interface in
3470
client._get_all_interface_names()}))
2973
{ interface: client.GetAll(interface)
2974
for interface in
2975
client._get_all_interface_names()}))
3471
2976
# Old signal
3472
2977
self.ClientAdded(client.dbus_object_path)
3473
2978
3474
2979
def client_removed_signal(self, client):
3475
2980
"""Send the new standard signal and the old signal"""
3476
2981
if use_dbus:
3481
2986
# Old signal
3482
2987
self.ClientRemoved(client.dbus_object_path,
3483
2988
client.name)
3484
2989
3485
2990
mandos_dbus_service = MandosDBusService()
3486
3487
# Save modules to variables to exempt the modules from being
3488
# unloaded before the function registered with atexit() is run.
3489
mp = multiprocessing
3490
wn = wnull
3491
2991
3492
2992
def cleanup():
3493
2993
"Cleanup function; run on exit"
3494
2994
if zeroconf:
3495
2995
service.cleanup()
3496
3497
mp.active_children()
3498
wn.close()
2996
2997
multiprocessing.active_children()
2998
wnull.close()
3499
2999
if not (tcp_server.clients or client_settings):
3500
3000
return
3501
3001
3502
3002
# Store client before exiting. Secrets are encrypted with key
3503
3003
# based on what config file has. If config file is
3504
3004
# removed/edited, old secret will thus be unrecovable.
3505
3005
clients = {}
3506
3006
with PGPEngine() as pgp:
3507
for client in tcp_server.clients.values():
3007
for client in tcp_server.clients.itervalues():
3508
3008
key = client_settings[client.name]["secret"]
3509
3009
client.encrypted_secret = pgp.encrypt(client.secret,
3510
3010
key)
3511
3011
client_dict = {}
3512
3012
3513
3013
# A list of attributes that can not be pickled
3514
3014
# + secret.
3515
exclude = {"bus", "changedstate", "secret",
3516
"checker", "server_settings"}
3015
exclude = { "bus", "changedstate", "secret",
3016
"checker", "server_settings" }
3517
3017
for name, typ in inspect.getmembers(dbus.service
3518
3018
.Object):
3519
3019
exclude.add(name)
3520
3020
3521
3021
client_dict["encrypted_secret"] = (client
3522
3022
.encrypted_secret)
3523
3023
for attr in client.client_structure:
3524
3024
if attr not in exclude:
3525
3025
client_dict[attr] = getattr(client, attr)
3526
3026
3527
3027
clients[client.name] = client_dict
3528
3028
del client_settings[client.name]["secret"]
3529
3029
3530
3030
try:
3531
3031
with tempfile.NamedTemporaryFile(
3532
3032
mode='wb',
3534
3034
prefix='clients-',
3535
3035
dir=os.path.dirname(stored_state_path),
3536
3036
delete=False) as stored_state:
3537
pickle.dump((clients, client_settings), stored_state,
3538
protocol=2)
3037
pickle.dump((clients, client_settings), stored_state)
3539
3038
tempname = stored_state.name
3540
3039
os.rename(tempname, stored_state_path)
3541
3040
except (IOError, OSError) as e:
3551
3050
logger.warning("Could not save persistent state:",
3552
3051
exc_info=e)
3553
3052
raise
3554
3053
3555
3054
# Delete all clients, and settings from config
3556
3055
while tcp_server.clients:
3557
3056
name, client = tcp_server.clients.popitem()
3560
3059
# Don't signal the disabling
3561
3060
client.disable(quiet=True)
3562
3061
# Emit D-Bus signal for removal
3563
if use_dbus:
3564
mandos_dbus_service.client_removed_signal(client)
3062
mandos_dbus_service.client_removed_signal(client)
3565
3063
client_settings.clear()
3566
3064
3567
3065
atexit.register(cleanup)
3568
3569
for client in tcp_server.clients.values():
3066
3067
for client in tcp_server.clients.itervalues():
3570
3068
if use_dbus:
3571
3069
# Emit D-Bus signal for adding
3572
3070
mandos_dbus_service.client_added_signal(client)
3573
3071
# Need to initiate checking of clients
3574
3072
if client.enabled:
3575
3073
client.init_checker()
3576
3074
3577
3075
tcp_server.enable()
3578
3076
tcp_server.server_activate()
3579
3077
3580
3078
# Find out what port we got
3581
3079
if zeroconf:
3582
3080
service.port = tcp_server.socket.getsockname()[1]
3587
3085
else: # IPv4
3588
3086
logger.info("Now listening on address %r, port %d",
3589
3087
*tcp_server.socket.getsockname())
3590
3591
# service.interface = tcp_server.socket.getsockname()[3]
3592
3088
3089
#service.interface = tcp_server.socket.getsockname()[3]
3090
3593
3091
try:
3594
3092
if zeroconf:
3595
3093
# From the Avahi example code
3600
3098
cleanup()
3601
3099
sys.exit(1)
3602
3100
# End of Avahi example code
3603
3604
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3605
lambda *args, **kwargs:
3606
(tcp_server.handle_request
3607
(*args[2:], **kwargs) or True))
3608
3101
3102
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3103
lambda *args, **kwargs:
3104
(tcp_server.handle_request
3105
(*args[2:], **kwargs) or True))
3106
3609
3107
logger.debug("Starting main loop")
3610
3108
main_loop.run()
3611
3109
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0