To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.333
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.333
- Committer: Teddy Hogeborn
- Date: 2015-08-10 09:00:23 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810090023-fz6vjqr7zf33e2tf
Support the standard org.freedesktop.DBus.ObjectManager interface.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
80
82
81
83
import dbus
82
84
import dbus.service
83
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
84
90
from dbus.mainloop.glib import DBusGMainLoop
85
91
import ctypes
86
92
import ctypes.util
87
93
import xml.dom.minidom
88
94
import inspect
89
95
90
# Try to find the value of SO_BINDTODEVICE:
91
96
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
98
except AttributeError:
96
99
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
100
from IN import SO_BINDTODEVICE
100
101
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
114
103
115
104
if sys.version_info.major == 2:
116
105
str = unicode
117
106
118
version = "1.8.4"
107
version = "1.6.9"
119
108
stored_state_file = "clients.pickle"
120
109
121
110
logger = logging.getLogger()
125
114
if_nametoindex = ctypes.cdll.LoadLibrary(
126
115
ctypes.util.find_library("c")).if_nametoindex
127
116
except (OSError, AttributeError):
128
117
129
118
def if_nametoindex(interface):
130
119
"Get an interface index the hard way, i.e. using fcntl()"
131
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
125
return interface_index
137
126
138
127
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
155
128
def initlogger(debug, level=logging.WARNING):
156
129
"""init logger and add loglevel"""
157
130
158
131
global syslogger
159
132
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
162
135
syslogger.setFormatter(logging.Formatter
163
136
('Mandos [%(process)d]: %(levelname)s:'
164
137
' %(message)s'))
165
138
logger.addHandler(syslogger)
166
139
167
140
if debug:
168
141
console = logging.StreamHandler()
169
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
154
182
155
class PGPEngine(object):
183
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
157
185
158
def __init__(self):
186
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
198
160
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
161
'--home', self.tempdir,
200
162
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
163
'--quiet',
164
'--no-use-agent']
165
206
166
def __enter__(self):
207
167
return self
208
168
209
169
def __exit__(self, exc_type, exc_value, traceback):
210
170
self._cleanup()
211
171
return False
212
172
213
173
def __del__(self):
214
174
self._cleanup()
215
175
216
176
def _cleanup(self):
217
177
if self.tempdir is not None:
218
178
# Delete contents of tempdir
219
179
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
180
topdown = False):
221
181
for filename in files:
222
182
os.remove(os.path.join(root, filename))
223
183
for dirname in dirs:
225
185
# Remove tempdir
226
186
os.rmdir(self.tempdir)
227
187
self.tempdir = None
228
188
229
189
def password_encode(self, password):
230
190
# Passphrase can not be empty and can not contain newlines or
231
191
# NUL bytes. So we prefix it and hex encode it.
236
196
.replace(b"\n", b"\\n")
237
197
.replace(b"\0", b"\\x00"))
238
198
return encoded
239
199
240
200
def encrypt(self, data, password):
241
201
passphrase = self.password_encode(password)
242
202
with tempfile.NamedTemporaryFile(
243
203
dir=self.tempdir) as passfile:
244
204
passfile.write(passphrase)
245
205
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
247
207
'--passphrase-file',
248
208
passfile.name]
249
209
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
254
214
if proc.returncode != 0:
255
215
raise PGPError(err)
256
216
return ciphertext
257
217
258
218
def decrypt(self, data, password):
259
219
passphrase = self.password_encode(password)
260
220
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
262
222
passfile.write(passphrase)
263
223
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
265
225
'--passphrase-file',
266
226
passfile.name]
267
227
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
272
232
if proc.returncode != 0:
273
233
raise PGPError(err)
274
234
return decrypted_plaintext
275
235
276
236
277
# Pretend that we have an Avahi module
278
class avahi(object):
279
"""This isn't so much a class as it is a module-like namespace."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
@staticmethod
290
def string_array_to_txt_array(t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
302
303
237
class AvahiError(Exception):
304
238
def __init__(self, value, *args, **kwargs):
305
239
self.value = value
317
251
318
252
class AvahiService(object):
319
253
"""An Avahi (Zeroconf) service.
320
254
321
255
Attributes:
322
256
interface: integer; avahi.IF_UNSPEC or an interface index.
323
257
Used to optionally bind to the specified interface.
335
269
server: D-Bus Server
336
270
bus: dbus.SystemBus()
337
271
"""
338
272
339
273
def __init__(self,
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
350
284
self.interface = interface
351
285
self.name = name
352
286
self.type = servicetype
361
295
self.server = None
362
296
self.bus = bus
363
297
self.entry_group_state_changed_match = None
364
298
365
299
def rename(self, remove=True):
366
300
"""Derived from the Avahi example code"""
367
301
if self.rename_count >= self.max_renames:
387
321
logger.critical("D-Bus Exception", exc_info=error)
388
322
self.cleanup()
389
323
os._exit(1)
390
324
391
325
def remove(self):
392
326
"""Derived from the Avahi example code"""
393
327
if self.entry_group_state_changed_match is not None:
395
329
self.entry_group_state_changed_match = None
396
330
if self.group is not None:
397
331
self.group.Reset()
398
332
399
333
def add(self):
400
334
"""Derived from the Avahi example code"""
401
335
self.remove()
418
352
dbus.UInt16(self.port),
419
353
avahi.string_array_to_txt_array(self.TXT))
420
354
self.group.Commit()
421
355
422
356
def entry_group_state_changed(self, state, error):
423
357
"""Derived from the Avahi example code"""
424
358
logger.debug("Avahi entry group state change: %i", state)
425
359
426
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
427
361
logger.debug("Zeroconf service established.")
428
362
elif state == avahi.ENTRY_GROUP_COLLISION:
432
366
logger.critical("Avahi: Error in group state changed %s",
433
367
str(error))
434
368
raise AvahiGroupError("State changed: {!s}".format(error))
435
369
436
370
def cleanup(self):
437
371
"""Derived from the Avahi example code"""
438
372
if self.group is not None:
443
377
pass
444
378
self.group = None
445
379
self.remove()
446
380
447
381
def server_state_changed(self, state, error=None):
448
382
"""Derived from the Avahi example code"""
449
383
logger.debug("Avahi server state change: %i", state)
478
412
logger.debug("Unknown state: %r", state)
479
413
else:
480
414
logger.debug("Unknown state: %r: %r", state, error)
481
415
482
416
def activate(self):
483
417
"""Derived from the Avahi example code"""
484
418
if self.server is None:
495
429
class AvahiServiceToSyslog(AvahiService):
496
430
def rename(self, *args, **kwargs):
497
431
"""Add the new name to the syslog messages"""
498
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
499
433
syslogger.setFormatter(logging.Formatter(
500
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
501
435
.format(self.name)))
502
436
return ret
503
437
504
505
# Pretend that we have a GnuTLS module
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
508
509
library = ctypes.util.find_library("gnutls")
510
if library is None:
511
library = ctypes.util.find_library("gnutls-deb0")
512
_library = ctypes.cdll.LoadLibrary(library)
513
del library
514
515
# Unless otherwise indicated, the constants and types below are
516
# all from the gnutls/gnutls.h C header file.
517
518
# Constants
519
E_SUCCESS = 0
520
E_INTERRUPTED = -52
521
E_AGAIN = -28
522
CRT_OPENPGP = 2
523
CRT_RAWPK = 3
524
CLIENT = 2
525
SHUT_RDWR = 0
526
CRD_CERTIFICATE = 1
527
E_NO_CERTIFICATE_FOUND = -49
528
X509_FMT_DER = 0
529
NO_TICKETS = 1<<10
530
ENABLE_RAWPK = 1<<18
531
CTYPE_PEERS = 3
532
KEYID_USE_SHA256 = 1 # gnutls/x509.h
533
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
534
535
# Types
536
class session_int(ctypes.Structure):
537
_fields_ = []
538
session_t = ctypes.POINTER(session_int)
539
540
class certificate_credentials_st(ctypes.Structure):
541
_fields_ = []
542
certificate_credentials_t = ctypes.POINTER(
543
certificate_credentials_st)
544
certificate_type_t = ctypes.c_int
545
546
class datum_t(ctypes.Structure):
547
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
548
('size', ctypes.c_uint)]
549
550
class openpgp_crt_int(ctypes.Structure):
551
_fields_ = []
552
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
553
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
554
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
555
credentials_type_t = ctypes.c_int
556
transport_ptr_t = ctypes.c_void_p
557
close_request_t = ctypes.c_int
558
559
# Exceptions
560
class Error(Exception):
561
def __init__(self, message=None, code=None, args=()):
562
# Default usage is by a message string, but if a return
563
# code is passed, convert it to a string with
564
# gnutls.strerror()
565
self.code = code
566
if message is None and code is not None:
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
569
message, *args)
570
571
class CertificateSecurityError(Error):
572
pass
573
574
# Classes
575
class Credentials(object):
576
def __init__(self):
577
self._c_object = gnutls.certificate_credentials_t()
578
gnutls.certificate_allocate_credentials(
579
ctypes.byref(self._c_object))
580
self.type = gnutls.CRD_CERTIFICATE
581
582
def __del__(self):
583
gnutls.certificate_free_credentials(self._c_object)
584
585
class ClientSession(object):
586
def __init__(self, socket, credentials=None):
587
self._c_object = gnutls.session_t()
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version("3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
591
if gnutls.has_rawpk:
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
del gnutls_flags
595
gnutls.set_default_priority(self._c_object)
596
gnutls.transport_set_ptr(self._c_object, socket.fileno())
597
gnutls.handshake_set_private_extensions(self._c_object,
598
True)
599
self.socket = socket
600
if credentials is None:
601
credentials = gnutls.Credentials()
602
gnutls.credentials_set(self._c_object, credentials.type,
603
ctypes.cast(credentials._c_object,
604
ctypes.c_void_p))
605
self.credentials = credentials
606
607
def __del__(self):
608
gnutls.deinit(self._c_object)
609
610
def handshake(self):
611
return gnutls.handshake(self._c_object)
612
613
def send(self, data):
614
data = bytes(data)
615
data_len = len(data)
616
while data_len > 0:
617
data_len -= gnutls.record_send(self._c_object,
618
data[-data_len:],
619
data_len)
620
621
def bye(self):
622
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
623
624
# Error handling functions
625
def _error_code(result):
626
"""A function to raise exceptions on errors, suitable
627
for the 'restype' attribute on ctypes functions"""
628
if result >= 0:
629
return result
630
if result == gnutls.E_NO_CERTIFICATE_FOUND:
631
raise gnutls.CertificateSecurityError(code=result)
632
raise gnutls.Error(code=result)
633
634
def _retry_on_error(result, func, arguments):
635
"""A function to retry on some errors, suitable
636
for the 'errcheck' attribute on ctypes functions"""
637
while result < 0:
638
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
639
return _error_code(result)
640
result = func(*arguments)
641
return result
642
643
# Unless otherwise indicated, the function declarations below are
644
# all from the gnutls/gnutls.h C header file.
645
646
# Functions
647
priority_set_direct = _library.gnutls_priority_set_direct
648
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
649
ctypes.POINTER(ctypes.c_char_p)]
650
priority_set_direct.restype = _error_code
651
652
init = _library.gnutls_init
653
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
654
init.restype = _error_code
655
656
set_default_priority = _library.gnutls_set_default_priority
657
set_default_priority.argtypes = [session_t]
658
set_default_priority.restype = _error_code
659
660
record_send = _library.gnutls_record_send
661
record_send.argtypes = [session_t, ctypes.c_void_p,
662
ctypes.c_size_t]
663
record_send.restype = ctypes.c_ssize_t
664
record_send.errcheck = _retry_on_error
665
666
certificate_allocate_credentials = (
667
_library.gnutls_certificate_allocate_credentials)
668
certificate_allocate_credentials.argtypes = [
669
ctypes.POINTER(certificate_credentials_t)]
670
certificate_allocate_credentials.restype = _error_code
671
672
certificate_free_credentials = (
673
_library.gnutls_certificate_free_credentials)
674
certificate_free_credentials.argtypes = [
675
certificate_credentials_t]
676
certificate_free_credentials.restype = None
677
678
handshake_set_private_extensions = (
679
_library.gnutls_handshake_set_private_extensions)
680
handshake_set_private_extensions.argtypes = [session_t,
681
ctypes.c_int]
682
handshake_set_private_extensions.restype = None
683
684
credentials_set = _library.gnutls_credentials_set
685
credentials_set.argtypes = [session_t, credentials_type_t,
686
ctypes.c_void_p]
687
credentials_set.restype = _error_code
688
689
strerror = _library.gnutls_strerror
690
strerror.argtypes = [ctypes.c_int]
691
strerror.restype = ctypes.c_char_p
692
693
certificate_type_get = _library.gnutls_certificate_type_get
694
certificate_type_get.argtypes = [session_t]
695
certificate_type_get.restype = _error_code
696
697
certificate_get_peers = _library.gnutls_certificate_get_peers
698
certificate_get_peers.argtypes = [session_t,
699
ctypes.POINTER(ctypes.c_uint)]
700
certificate_get_peers.restype = ctypes.POINTER(datum_t)
701
702
global_set_log_level = _library.gnutls_global_set_log_level
703
global_set_log_level.argtypes = [ctypes.c_int]
704
global_set_log_level.restype = None
705
706
global_set_log_function = _library.gnutls_global_set_log_function
707
global_set_log_function.argtypes = [log_func]
708
global_set_log_function.restype = None
709
710
deinit = _library.gnutls_deinit
711
deinit.argtypes = [session_t]
712
deinit.restype = None
713
714
handshake = _library.gnutls_handshake
715
handshake.argtypes = [session_t]
716
handshake.restype = _error_code
717
handshake.errcheck = _retry_on_error
718
719
transport_set_ptr = _library.gnutls_transport_set_ptr
720
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
721
transport_set_ptr.restype = None
722
723
bye = _library.gnutls_bye
724
bye.argtypes = [session_t, close_request_t]
725
bye.restype = _error_code
726
bye.errcheck = _retry_on_error
727
728
check_version = _library.gnutls_check_version
729
check_version.argtypes = [ctypes.c_char_p]
730
check_version.restype = ctypes.c_char_p
731
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
736
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
739
740
if has_rawpk:
741
# Types
742
class pubkey_st(ctypes.Structure):
743
_fields = []
744
pubkey_t = ctypes.POINTER(pubkey_st)
745
746
x509_crt_fmt_t = ctypes.c_int
747
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
752
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
x509_crt_fmt_t]
756
pubkey_import.restype = _error_code
757
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
763
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
767
else:
768
# All the function declarations below are from gnutls/openpgp.h
769
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
773
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
777
openpgp_crt_fmt_t]
778
openpgp_crt_import.restype = _error_code
779
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
784
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
788
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
ctypes.c_void_p,
793
ctypes.POINTER(
794
ctypes.c_size_t)]
795
openpgp_crt_get_fingerprint.restype = _error_code
796
797
if check_version("3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
801
802
# Remove non-public functions
803
del _error_code, _retry_on_error
804
805
806
438
def call_pipe(connection, # : multiprocessing.Connection
807
439
func, *args, **kwargs):
808
440
"""This function is meant to be called by multiprocessing.Process
809
441
810
442
This function runs func(*args, **kwargs), and writes the resulting
811
443
return value on the provided multiprocessing.Connection.
812
444
"""
813
445
connection.send(func(*args, **kwargs))
814
446
connection.close()
815
447
816
817
448
class Client(object):
818
449
"""A representation of a client host served by this server.
819
450
820
451
Attributes:
821
452
approved: bool(); 'None' if not yet approved/disapproved
822
453
approval_delay: datetime.timedelta(); Time to wait for approval
824
455
checker: subprocess.Popen(); a running checker process used
825
456
to see if the client lives.
826
457
'None' if no process is running.
827
checker_callback_tag: a GLib event source tag, or None
458
checker_callback_tag: a gobject event source tag, or None
828
459
checker_command: string; External command which is run to check
829
460
if client lives. %() expansions are done at
830
461
runtime with vars(self) as dict, so that for
831
462
instance %(name)s can be used in the command.
832
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
833
464
created: datetime.datetime(); (UTC) object creation
834
465
client_structure: Object describing what attributes a client has
835
466
and is used for storing the client at exit
836
467
current_checker_command: string; current running checker_command
837
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
838
469
enabled: bool()
839
470
fingerprint: string (40 or 32 hexadecimal digits); used to
840
uniquely identify an OpenPGP client
841
key_id: string (64 hexadecimal digits); used to uniquely identify
842
a client using raw public keys
471
uniquely identify the client
843
472
host: string; available for use by the checker command
844
473
interval: datetime.timedelta(); How often to start a new checker
845
474
last_approval_request: datetime.datetime(); (UTC) or None
861
490
disabled, or None
862
491
server_settings: The server_settings dict from main()
863
492
"""
864
493
865
494
runtime_expansions = ("approval_delay", "approval_duration",
866
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
867
496
"fingerprint", "host", "interval",
868
497
"last_approval_request", "last_checked_ok",
869
498
"last_enabled", "name", "timeout")
878
507
"approved_by_default": "True",
879
508
"enabled": "True",
880
509
}
881
510
882
511
@staticmethod
883
512
def config_parser(config):
884
513
"""Construct a new dict of client settings of this form:
891
520
for client_name in config.sections():
892
521
section = dict(config.items(client_name))
893
522
client = settings[client_name] = {}
894
523
895
524
client["host"] = section["host"]
896
525
# Reformat values from string types to Python types
897
526
client["approved_by_default"] = config.getboolean(
898
527
client_name, "approved_by_default")
899
528
client["enabled"] = config.getboolean(client_name,
900
529
"enabled")
901
902
# Uppercase and remove spaces from key_id and fingerprint
903
# for later comparison purposes with return value from the
904
# key_id() and fingerprint() functions
905
client["key_id"] = (section.get("key_id", "").upper()
906
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
907
534
client["fingerprint"] = (section["fingerprint"].upper()
908
535
.replace(" ", ""))
909
536
if "secret" in section:
910
client["secret"] = codecs.decode(section["secret"]
911
.encode("utf-8"),
912
"base64")
537
client["secret"] = section["secret"].decode("base64")
913
538
elif "secfile" in section:
914
539
with open(os.path.expanduser(os.path.expandvars
915
540
(section["secfile"])),
930
555
client["last_approval_request"] = None
931
556
client["last_checked_ok"] = None
932
557
client["last_checker_status"] = -2
933
558
934
559
return settings
935
936
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
937
562
self.name = name
938
563
if server_settings is None:
939
564
server_settings = {}
941
566
# adding all client settings
942
567
for setting, value in settings.items():
943
568
setattr(self, setting, value)
944
569
945
570
if self.enabled:
946
571
if not hasattr(self, "last_enabled"):
947
572
self.last_enabled = datetime.datetime.utcnow()
951
576
else:
952
577
self.last_enabled = None
953
578
self.expires = None
954
579
955
580
logger.debug("Creating client %r", self.name)
956
logger.debug(" Key ID: %s", self.key_id)
957
581
logger.debug(" Fingerprint: %s", self.fingerprint)
958
582
self.created = settings.get("created",
959
583
datetime.datetime.utcnow())
960
584
961
585
# attributes specific for this server instance
962
586
self.checker = None
963
587
self.checker_initiator_tag = None
969
593
self.changedstate = multiprocessing_manager.Condition(
970
594
multiprocessing_manager.Lock())
971
595
self.client_structure = [attr
972
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
973
597
if not attr.startswith("_")]
974
598
self.client_structure.append("client_structure")
975
599
976
600
for name, t in inspect.getmembers(
977
601
type(self), lambda obj: isinstance(obj, property)):
978
602
if not name.startswith("_"):
979
603
self.client_structure.append(name)
980
604
981
605
# Send notice to process children that client state has changed
982
606
def send_changedstate(self):
983
607
with self.changedstate:
984
608
self.changedstate.notify_all()
985
609
986
610
def enable(self):
987
611
"""Start this client's checker and timeout hooks"""
988
612
if getattr(self, "enabled", False):
993
617
self.last_enabled = datetime.datetime.utcnow()
994
618
self.init_checker()
995
619
self.send_changedstate()
996
620
997
621
def disable(self, quiet=True):
998
622
"""Disable this client."""
999
623
if not getattr(self, "enabled", False):
1001
625
if not quiet:
1002
626
logger.info("Disabling client %s", self.name)
1003
627
if getattr(self, "disable_initiator_tag", None) is not None:
1004
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1005
629
self.disable_initiator_tag = None
1006
630
self.expires = None
1007
631
if getattr(self, "checker_initiator_tag", None) is not None:
1008
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1009
633
self.checker_initiator_tag = None
1010
634
self.stop_checker()
1011
635
self.enabled = False
1012
636
if not quiet:
1013
637
self.send_changedstate()
1014
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1015
639
return False
1016
640
1017
641
def __del__(self):
1018
642
self.disable()
1019
643
1020
644
def init_checker(self):
1021
645
# Schedule a new checker to be started an 'interval' from now,
1022
646
# and every interval from then on.
1023
647
if self.checker_initiator_tag is not None:
1024
GLib.source_remove(self.checker_initiator_tag)
1025
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1026
650
int(self.interval.total_seconds() * 1000),
1027
651
self.start_checker)
1028
652
# Schedule a disable() when 'timeout' has passed
1029
653
if self.disable_initiator_tag is not None:
1030
GLib.source_remove(self.disable_initiator_tag)
1031
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1032
656
int(self.timeout.total_seconds() * 1000), self.disable)
1033
657
# Also start a new checker *right now*.
1034
658
self.start_checker()
1035
659
1036
660
def checker_callback(self, source, condition, connection,
1037
661
command):
1038
662
"""The checker has completed, so take appropriate actions."""
1041
665
# Read return code from connection (see call_pipe)
1042
666
returncode = connection.recv()
1043
667
connection.close()
1044
668
1045
669
if returncode >= 0:
1046
670
self.last_checker_status = returncode
1047
671
self.last_checker_signal = None
1057
681
logger.warning("Checker for %(name)s crashed?",
1058
682
vars(self))
1059
683
return False
1060
684
1061
685
def checked_ok(self):
1062
686
"""Assert that the client has been seen, alive and well."""
1063
687
self.last_checked_ok = datetime.datetime.utcnow()
1064
688
self.last_checker_status = 0
1065
689
self.last_checker_signal = None
1066
690
self.bump_timeout()
1067
691
1068
692
def bump_timeout(self, timeout=None):
1069
693
"""Bump up the timeout for this client."""
1070
694
if timeout is None:
1071
695
timeout = self.timeout
1072
696
if self.disable_initiator_tag is not None:
1073
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1074
698
self.disable_initiator_tag = None
1075
699
if getattr(self, "enabled", False):
1076
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1077
701
int(timeout.total_seconds() * 1000), self.disable)
1078
702
self.expires = datetime.datetime.utcnow() + timeout
1079
703
1080
704
def need_approval(self):
1081
705
self.last_approval_request = datetime.datetime.utcnow()
1082
706
1083
707
def start_checker(self):
1084
708
"""Start a new checker subprocess if one is not running.
1085
709
1086
710
If a checker already exists, leave it running and do
1087
711
nothing."""
1088
712
# The reason for not killing a running checker is that if we
1093
717
# checkers alone, the checker would have to take more time
1094
718
# than 'timeout' for the client to be disabled, which is as it
1095
719
# should be.
1096
720
1097
721
if self.checker is not None and not self.checker.is_alive():
1098
722
logger.warning("Checker was not alive; joining")
1099
723
self.checker.join()
1103
727
# Escape attributes for the shell
1104
728
escaped_attrs = {
1105
729
attr: re.escape(str(getattr(self, attr)))
1106
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1107
731
try:
1108
732
command = self.checker_command % escaped_attrs
1109
733
except TypeError as error:
1121
745
# The exception is when not debugging but nevertheless
1122
746
# running in the foreground; use the previously
1123
747
# created wnull.
1124
popen_args = {"close_fds": True,
1125
"shell": True,
1126
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1127
751
if (not self.server_settings["debug"]
1128
752
and self.server_settings["foreground"]):
1129
753
popen_args.update({"stdout": wnull,
1130
"stderr": wnull})
1131
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1132
756
self.checker = multiprocessing.Process(
1133
target=call_pipe,
1134
args=(pipe[1], subprocess.call, command),
1135
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1136
760
self.checker.start()
1137
self.checker_callback_tag = GLib.io_add_watch(
1138
pipe[0].fileno(), GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1139
763
self.checker_callback, pipe[0], command)
1140
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1141
765
return True
1142
766
1143
767
def stop_checker(self):
1144
768
"""Force the checker process, if any, to stop."""
1145
769
if self.checker_callback_tag:
1146
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1147
771
self.checker_callback_tag = None
1148
772
if getattr(self, "checker", None) is None:
1149
773
return
1158
782
byte_arrays=False):
1159
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1160
784
become properties on the D-Bus.
1161
785
1162
786
The decorated method will be called with no arguments by "Get"
1163
787
and with one argument by "Set".
1164
788
1165
789
The parameters, where they are supported, are the same as
1166
790
dbus.service.method, except there is only "signature", since the
1167
791
type from Get() and the type sent to Set() is the same.
1171
795
if byte_arrays and signature != "ay":
1172
796
raise ValueError("Byte arrays not supported for non-'ay'"
1173
797
" signature {!r}".format(signature))
1174
798
1175
799
def decorator(func):
1176
800
func._dbus_is_property = True
1177
801
func._dbus_interface = dbus_interface
1180
804
func._dbus_name = func.__name__
1181
805
if func._dbus_name.endswith("_dbus_property"):
1182
806
func._dbus_name = func._dbus_name[:-14]
1183
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1184
808
return func
1185
809
1186
810
return decorator
1187
811
1188
812
1189
813
def dbus_interface_annotations(dbus_interface):
1190
814
"""Decorator for marking functions returning interface annotations
1191
815
1192
816
Usage:
1193
817
1194
818
@dbus_interface_annotations("org.example.Interface")
1195
819
def _foo(self): # Function name does not matter
1196
820
return {"org.freedesktop.DBus.Deprecated": "true",
1197
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1198
822
"false"}
1199
823
"""
1200
824
1201
825
def decorator(func):
1202
826
func._dbus_is_interface = True
1203
827
func._dbus_interface = dbus_interface
1204
828
func._dbus_name = dbus_interface
1205
829
return func
1206
830
1207
831
return decorator
1208
832
1209
833
1210
834
def dbus_annotations(annotations):
1211
835
"""Decorator to annotate D-Bus methods, signals or properties
1212
836
Usage:
1213
837
1214
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1215
839
"org.freedesktop.DBus.Property."
1216
840
"EmitsChangedSignal": "false"})
1218
842
access="r")
1219
843
def Property_dbus_property(self):
1220
844
return dbus.Boolean(False)
1221
845
1222
846
See also the DBusObjectWithAnnotations class.
1223
847
"""
1224
848
1225
849
def decorator(func):
1226
850
func._dbus_annotations = annotations
1227
851
return func
1228
852
1229
853
return decorator
1230
854
1231
855
1249
873
1250
874
class DBusObjectWithAnnotations(dbus.service.Object):
1251
875
"""A D-Bus object with annotations.
1252
876
1253
877
Classes inheriting from this can use the dbus_annotations
1254
878
decorator to add annotations to methods or signals.
1255
879
"""
1256
880
1257
881
@staticmethod
1258
882
def _is_dbus_thing(thing):
1259
883
"""Returns a function testing if an attribute is a D-Bus thing
1260
884
1261
885
If called like _is_dbus_thing("method") it returns a function
1262
886
suitable for use as predicate to inspect.getmembers().
1263
887
"""
1264
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1265
889
False)
1266
890
1267
891
def _get_all_dbus_things(self, thing):
1268
892
"""Returns a generator of (name, attribute) pairs
1269
893
"""
1272
896
for cls in self.__class__.__mro__
1273
897
for name, athing in
1274
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1275
899
1276
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1277
out_signature="s",
1278
path_keyword='object_path',
1279
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1280
904
def Introspect(self, object_path, connection):
1281
905
"""Overloading of standard D-Bus method.
1282
906
1283
907
Inserts annotation tags on methods and signals.
1284
908
"""
1285
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1286
910
connection)
1287
911
try:
1288
912
document = xml.dom.minidom.parseString(xmlstring)
1289
913
1290
914
for if_tag in document.getElementsByTagName("interface"):
1291
915
# Add annotation tags
1292
916
for typ in ("method", "signal"):
1319
943
if_tag.appendChild(ann_tag)
1320
944
# Fix argument name for the Introspect method itself
1321
945
if (if_tag.getAttribute("name")
1322
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1323
947
for cn in if_tag.getElementsByTagName("method"):
1324
948
if cn.getAttribute("name") == "Introspect":
1325
949
for arg in cn.getElementsByTagName("arg"):
1338
962
1339
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1340
964
"""A D-Bus object with properties.
1341
965
1342
966
Classes inheriting from this can use the dbus_service_property
1343
967
decorator to expose methods as D-Bus properties. It exposes the
1344
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1345
969
"""
1346
970
1347
971
def _get_dbus_property(self, interface_name, property_name):
1348
972
"""Returns a bound method if one exists which is a D-Bus
1349
973
property with the specified name and interface.
1354
978
if (value._dbus_name == property_name
1355
979
and value._dbus_interface == interface_name):
1356
980
return value.__get__(self)
1357
981
1358
982
# No such property
1359
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1360
984
self.dbus_object_path, interface_name, property_name))
1361
985
1362
986
@classmethod
1363
987
def _get_all_interface_names(cls):
1364
988
"""Get a sequence of all interfaces supported by an object"""
1367
991
for x in (inspect.getmro(cls))
1368
992
for attr in dir(x))
1369
993
if name is not None)
1370
994
1371
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1372
996
in_signature="ss",
1373
997
out_signature="v")
1381
1005
if not hasattr(value, "variant_level"):
1382
1006
return value
1383
1007
return type(value)(value, variant_level=value.variant_level+1)
1384
1008
1385
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1386
1010
def Set(self, interface_name, property_name, value):
1387
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1399
1023
value = dbus.ByteArray(b''.join(chr(byte)
1400
1024
for byte in value))
1401
1025
prop(value)
1402
1026
1403
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1404
1028
in_signature="s",
1405
1029
out_signature="a{sv}")
1406
1030
def GetAll(self, interface_name):
1407
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1408
1032
standard.
1409
1033
1410
1034
Note: Will not include properties with access="write".
1411
1035
"""
1412
1036
properties = {}
1423
1047
properties[name] = value
1424
1048
continue
1425
1049
properties[name] = type(value)(
1426
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1427
1051
return dbus.Dictionary(properties, signature="sv")
1428
1052
1429
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1430
1054
def PropertiesChanged(self, interface_name, changed_properties,
1431
1055
invalidated_properties):
1433
1057
standard.
1434
1058
"""
1435
1059
pass
1436
1060
1437
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1438
1062
out_signature="s",
1439
1063
path_keyword='object_path',
1440
1064
connection_keyword='connection')
1441
1065
def Introspect(self, object_path, connection):
1442
1066
"""Overloading of standard D-Bus method.
1443
1067
1444
1068
Inserts property tags and interface annotation tags.
1445
1069
"""
1446
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1448
1072
connection)
1449
1073
try:
1450
1074
document = xml.dom.minidom.parseString(xmlstring)
1451
1075
1452
1076
def make_tag(document, name, prop):
1453
1077
e = document.createElement("property")
1454
1078
e.setAttribute("name", name)
1455
1079
e.setAttribute("type", prop._dbus_signature)
1456
1080
e.setAttribute("access", prop._dbus_access)
1457
1081
return e
1458
1082
1459
1083
for if_tag in document.getElementsByTagName("interface"):
1460
1084
# Add property tags
1461
1085
for tag in (make_tag(document, name, prop)
1503
1127
exc_info=error)
1504
1128
return xmlstring
1505
1129
1506
1507
1130
try:
1508
1131
dbus.OBJECT_MANAGER_IFACE
1509
1132
except AttributeError:
1510
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1511
1134
1512
1513
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1514
1136
"""A D-Bus object with an ObjectManager.
1515
1137
1516
1138
Classes inheriting from this exposes the standard
1517
1139
GetManagedObjects call and the InterfacesAdded and
1518
1140
InterfacesRemoved signals on the standard
1519
1141
"org.freedesktop.DBus.ObjectManager" interface.
1520
1142
1521
1143
Note: No signals are sent automatically; they must be sent
1522
1144
manually.
1523
1145
"""
1524
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1525
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1526
1148
def GetManagedObjects(self):
1527
1149
"""This function must be overridden"""
1528
1150
raise NotImplementedError()
1529
1151
1530
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1531
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1532
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1533
1155
pass
1534
1535
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1158
signature = "oas")
1536
1159
def InterfacesRemoved(self, object_path, interfaces):
1537
1160
pass
1538
1161
1539
1162
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1540
out_signature="s",
1541
path_keyword='object_path',
1542
connection_keyword='connection')
1163
out_signature = "s",
1164
path_keyword = 'object_path',
1165
connection_keyword = 'connection')
1543
1166
def Introspect(self, object_path, connection):
1544
1167
"""Overloading of standard D-Bus method.
1545
1168
1546
1169
Override return argument name of GetManagedObjects to be
1547
1170
"objpath_interfaces_and_properties"
1548
1171
"""
1549
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1550
object_path,
1551
connection)
1172
xmlstring = DBusObjectWithAnnotations(self, object_path,
1173
connection)
1552
1174
try:
1553
1175
document = xml.dom.minidom.parseString(xmlstring)
1554
1176
1555
1177
for if_tag in document.getElementsByTagName("interface"):
1556
1178
# Fix argument name for the GetManagedObjects method
1557
1179
if (if_tag.getAttribute("name")
1558
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1559
1181
for cn in if_tag.getElementsByTagName("method"):
1560
1182
if (cn.getAttribute("name")
1561
1183
== "GetManagedObjects"):
1571
1193
except (AttributeError, xml.dom.DOMException,
1572
1194
xml.parsers.expat.ExpatError) as error:
1573
1195
logger.error("Failed to override Introspection method",
1574
exc_info=error)
1196
exc_info = error)
1575
1197
return xmlstring
1576
1198
1577
1578
1199
def datetime_to_dbus(dt, variant_level=0):
1579
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1580
1201
if dt is None:
1581
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1582
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1583
1204
1584
1205
1587
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1588
1209
interface names according to the "alt_interface_names" mapping.
1589
1210
Usage:
1590
1211
1591
1212
@alternate_dbus_interfaces({"org.example.Interface":
1592
1213
"net.example.AlternateInterface"})
1593
1214
class SampleDBusObject(dbus.service.Object):
1594
1215
@dbus.service.method("org.example.Interface")
1595
1216
def SampleDBusMethod():
1596
1217
pass
1597
1218
1598
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1599
1220
reachable via two interfaces: "org.example.Interface" and
1600
1221
"net.example.AlternateInterface", the latter of which will have
1601
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1602
1223
"true", unless "deprecate" is passed with a False value.
1603
1224
1604
1225
This works for methods and signals, and also for D-Bus properties
1605
1226
(from DBusObjectWithProperties) and interfaces (from the
1606
1227
dbus_interface_annotations decorator).
1607
1228
"""
1608
1229
1609
1230
def wrapper(cls):
1610
1231
for orig_interface_name, alt_interface_name in (
1611
1232
alt_interface_names.items()):
1626
1247
interface_names.add(alt_interface)
1627
1248
# Is this a D-Bus signal?
1628
1249
if getattr(attribute, "_dbus_is_signal", False):
1629
# Extract the original non-method undecorated
1630
# function by black magic
1631
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1632
1253
nonmethod_func = (dict(
1633
1254
zip(attribute.func_code.co_freevars,
1634
1255
attribute.__closure__))
1635
1256
["func"].cell_contents)
1636
1257
else:
1637
nonmethod_func = (dict(
1638
zip(attribute.__code__.co_freevars,
1639
attribute.__closure__))
1640
["func"].cell_contents)
1258
nonmethod_func = attribute
1641
1259
# Create a new, but exactly alike, function
1642
1260
# object, and decorate it to be a new D-Bus signal
1643
1261
# with the alternate D-Bus interface name
1644
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1645
1276
new_function = (dbus.service.signal(
1646
1277
alt_interface,
1647
1278
attribute._dbus_signature)(new_function))
1651
1282
attribute._dbus_annotations)
1652
1283
except AttributeError:
1653
1284
pass
1654
1655
1285
# Define a creator of a function to call both the
1656
1286
# original and alternate functions, so both the
1657
1287
# original and alternate signals gets sent when
1660
1290
"""This function is a scope container to pass
1661
1291
func1 and func2 to the "call_both" function
1662
1292
outside of its arguments"""
1663
1664
@functools.wraps(func2)
1293
1665
1294
def call_both(*args, **kwargs):
1666
1295
"""This function will emit two D-Bus
1667
1296
signals by calling func1 and func2"""
1668
1297
func1(*args, **kwargs)
1669
1298
func2(*args, **kwargs)
1670
# Make wrapper function look like a D-Bus
1671
# signal
1672
for name, attr in inspect.getmembers(func2):
1673
if name.startswith("_dbus_"):
1674
setattr(call_both, name, attr)
1675
1299
1676
1300
return call_both
1677
1301
# Create the "call_both" function and add it to
1678
1302
# the class
1688
1312
alt_interface,
1689
1313
attribute._dbus_in_signature,
1690
1314
attribute._dbus_out_signature)
1691
(copy_function(attribute)))
1315
(types.FunctionType(attribute.func_code,
1316
attribute.func_globals,
1317
attribute.func_name,
1318
attribute.func_defaults,
1319
attribute.func_closure)))
1692
1320
# Copy annotations, if any
1693
1321
try:
1694
1322
attr[attrname]._dbus_annotations = dict(
1706
1334
attribute._dbus_access,
1707
1335
attribute._dbus_get_args_options
1708
1336
["byte_arrays"])
1709
(copy_function(attribute)))
1337
(types.FunctionType(
1338
attribute.func_code,
1339
attribute.func_globals,
1340
attribute.func_name,
1341
attribute.func_defaults,
1342
attribute.func_closure)))
1710
1343
# Copy annotations, if any
1711
1344
try:
1712
1345
attr[attrname]._dbus_annotations = dict(
1721
1354
# to the class.
1722
1355
attr[attrname] = (
1723
1356
dbus_interface_annotations(alt_interface)
1724
(copy_function(attribute)))
1357
(types.FunctionType(attribute.func_code,
1358
attribute.func_globals,
1359
attribute.func_name,
1360
attribute.func_defaults,
1361
attribute.func_closure)))
1725
1362
if deprecate:
1726
1363
# Deprecate all alternate interfaces
1727
iname = "_AlternateDBusNames_interface_annotation{}"
1364
iname="_AlternateDBusNames_interface_annotation{}"
1728
1365
for interface_name in interface_names:
1729
1366
1730
1367
@dbus_interface_annotations(interface_name)
1731
1368
def func(self):
1732
return {"org.freedesktop.DBus.Deprecated":
1733
"true"}
1369
return { "org.freedesktop.DBus.Deprecated":
1370
"true" }
1734
1371
# Find an unused name
1735
1372
for aname in (iname.format(i)
1736
1373
for i in itertools.count()):
1740
1377
if interface_names:
1741
1378
# Replace the class with a new subclass of it with
1742
1379
# methods, signals, etc. as created above.
1743
if sys.version_info.major == 2:
1744
cls = type(b"{}Alternate".format(cls.__name__),
1745
(cls, ), attr)
1746
else:
1747
cls = type("{}Alternate".format(cls.__name__),
1748
(cls, ), attr)
1380
cls = type(b"{}Alternate".format(cls.__name__),
1381
(cls, ), attr)
1749
1382
return cls
1750
1383
1751
1384
return wrapper
1752
1385
1753
1386
1755
1388
"se.bsnet.fukt.Mandos"})
1756
1389
class ClientDBus(Client, DBusObjectWithProperties):
1757
1390
"""A Client class using D-Bus
1758
1391
1759
1392
Attributes:
1760
1393
dbus_object_path: dbus.ObjectPath
1761
1394
bus: dbus.SystemBus()
1762
1395
"""
1763
1396
1764
1397
runtime_expansions = (Client.runtime_expansions
1765
1398
+ ("dbus_object_path", ))
1766
1399
1767
1400
_interface = "se.recompile.Mandos.Client"
1768
1401
1769
1402
# dbus.service.Object doesn't use super(), so we can't either.
1770
1771
def __init__(self, bus=None, *args, **kwargs):
1403
1404
def __init__(self, bus = None, *args, **kwargs):
1772
1405
self.bus = bus
1773
1406
Client.__init__(self, *args, **kwargs)
1774
1407
# Only now, when this client is initialized, can it show up on
1780
1413
"/clients/" + client_object_name)
1781
1414
DBusObjectWithProperties.__init__(self, self.bus,
1782
1415
self.dbus_object_path)
1783
1416
1784
1417
def notifychangeproperty(transform_func, dbus_name,
1785
1418
type_func=lambda x: x,
1786
1419
variant_level=1,
1788
1421
_interface=_interface):
1789
1422
""" Modify a variable so that it's a property which announces
1790
1423
its changes to DBus.
1791
1424
1792
1425
transform_fun: Function that takes a value and a variant_level
1793
1426
and transforms it to a D-Bus type.
1794
1427
dbus_name: D-Bus name of the variable
1797
1430
variant_level: D-Bus variant level. Default: 1
1798
1431
"""
1799
1432
attrname = "_{}".format(dbus_name)
1800
1433
1801
1434
def setter(self, value):
1802
1435
if hasattr(self, "dbus_object_path"):
1803
1436
if (not hasattr(self, attrname) or
1810
1443
else:
1811
1444
dbus_value = transform_func(
1812
1445
type_func(value),
1813
variant_level=variant_level)
1446
variant_level = variant_level)
1814
1447
self.PropertyChanged(dbus.String(dbus_name),
1815
1448
dbus_value)
1816
1449
self.PropertiesChanged(
1817
1450
_interface,
1818
dbus.Dictionary({dbus.String(dbus_name):
1819
dbus_value}),
1451
dbus.Dictionary({ dbus.String(dbus_name):
1452
dbus_value }),
1820
1453
dbus.Array())
1821
1454
setattr(self, attrname, value)
1822
1455
1823
1456
return property(lambda self: getattr(self, attrname), setter)
1824
1457
1825
1458
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1826
1459
approvals_pending = notifychangeproperty(dbus.Boolean,
1827
1460
"ApprovalPending",
1828
type_func=bool)
1461
type_func = bool)
1829
1462
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1830
1463
last_enabled = notifychangeproperty(datetime_to_dbus,
1831
1464
"LastEnabled")
1832
1465
checker = notifychangeproperty(
1833
1466
dbus.Boolean, "CheckerRunning",
1834
type_func=lambda checker: checker is not None)
1467
type_func = lambda checker: checker is not None)
1835
1468
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1836
1469
"LastCheckedOK")
1837
1470
last_checker_status = notifychangeproperty(dbus.Int16,
1842
1475
"ApprovedByDefault")
1843
1476
approval_delay = notifychangeproperty(
1844
1477
dbus.UInt64, "ApprovalDelay",
1845
type_func=lambda td: td.total_seconds() * 1000)
1478
type_func = lambda td: td.total_seconds() * 1000)
1846
1479
approval_duration = notifychangeproperty(
1847
1480
dbus.UInt64, "ApprovalDuration",
1848
type_func=lambda td: td.total_seconds() * 1000)
1481
type_func = lambda td: td.total_seconds() * 1000)
1849
1482
host = notifychangeproperty(dbus.String, "Host")
1850
1483
timeout = notifychangeproperty(
1851
1484
dbus.UInt64, "Timeout",
1852
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1853
1486
extended_timeout = notifychangeproperty(
1854
1487
dbus.UInt64, "ExtendedTimeout",
1855
type_func=lambda td: td.total_seconds() * 1000)
1488
type_func = lambda td: td.total_seconds() * 1000)
1856
1489
interval = notifychangeproperty(
1857
1490
dbus.UInt64, "Interval",
1858
type_func=lambda td: td.total_seconds() * 1000)
1491
type_func = lambda td: td.total_seconds() * 1000)
1859
1492
checker_command = notifychangeproperty(dbus.String, "Checker")
1860
1493
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1861
1494
invalidate_only=True)
1862
1495
1863
1496
del notifychangeproperty
1864
1497
1865
1498
def __del__(self, *args, **kwargs):
1866
1499
try:
1867
1500
self.remove_from_connection()
1870
1503
if hasattr(DBusObjectWithProperties, "__del__"):
1871
1504
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1872
1505
Client.__del__(self, *args, **kwargs)
1873
1506
1874
1507
def checker_callback(self, source, condition,
1875
1508
connection, command, *args, **kwargs):
1876
1509
ret = Client.checker_callback(self, source, condition,
1892
1525
| self.last_checker_signal),
1893
1526
dbus.String(command))
1894
1527
return ret
1895
1528
1896
1529
def start_checker(self, *args, **kwargs):
1897
1530
old_checker_pid = getattr(self.checker, "pid", None)
1898
1531
r = Client.start_checker(self, *args, **kwargs)
1902
1535
# Emit D-Bus signal
1903
1536
self.CheckerStarted(self.current_checker_command)
1904
1537
return r
1905
1538
1906
1539
def _reset_approved(self):
1907
1540
self.approved = None
1908
1541
return False
1909
1542
1910
1543
def approve(self, value=True):
1911
1544
self.approved = value
1912
GLib.timeout_add(int(self.approval_duration.total_seconds()
1913
* 1000), self._reset_approved)
1545
gobject.timeout_add(int(self.approval_duration.total_seconds()
1546
* 1000), self._reset_approved)
1914
1547
self.send_changedstate()
1915
1916
# D-Bus methods, signals & properties
1917
1918
# Interfaces
1919
1920
# Signals
1921
1548
1549
## D-Bus methods, signals & properties
1550
1551
## Interfaces
1552
1553
## Signals
1554
1922
1555
# CheckerCompleted - signal
1923
1556
@dbus.service.signal(_interface, signature="nxs")
1924
1557
def CheckerCompleted(self, exitcode, waitstatus, command):
1925
1558
"D-Bus signal"
1926
1559
pass
1927
1560
1928
1561
# CheckerStarted - signal
1929
1562
@dbus.service.signal(_interface, signature="s")
1930
1563
def CheckerStarted(self, command):
1931
1564
"D-Bus signal"
1932
1565
pass
1933
1566
1934
1567
# PropertyChanged - signal
1935
1568
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1936
1569
@dbus.service.signal(_interface, signature="sv")
1937
1570
def PropertyChanged(self, property, value):
1938
1571
"D-Bus signal"
1939
1572
pass
1940
1573
1941
1574
# GotSecret - signal
1942
1575
@dbus.service.signal(_interface)
1943
1576
def GotSecret(self):
1946
1579
server to mandos-client
1947
1580
"""
1948
1581
pass
1949
1582
1950
1583
# Rejected - signal
1951
1584
@dbus.service.signal(_interface, signature="s")
1952
1585
def Rejected(self, reason):
1953
1586
"D-Bus signal"
1954
1587
pass
1955
1588
1956
1589
# NeedApproval - signal
1957
1590
@dbus.service.signal(_interface, signature="tb")
1958
1591
def NeedApproval(self, timeout, default):
1959
1592
"D-Bus signal"
1960
1593
return self.need_approval()
1961
1962
# Methods
1963
1594
1595
## Methods
1596
1964
1597
# Approve - method
1965
1598
@dbus.service.method(_interface, in_signature="b")
1966
1599
def Approve(self, value):
1967
1600
self.approve(value)
1968
1601
1969
1602
# CheckedOK - method
1970
1603
@dbus.service.method(_interface)
1971
1604
def CheckedOK(self):
1972
1605
self.checked_ok()
1973
1606
1974
1607
# Enable - method
1975
1608
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1976
1609
@dbus.service.method(_interface)
1977
1610
def Enable(self):
1978
1611
"D-Bus method"
1979
1612
self.enable()
1980
1613
1981
1614
# StartChecker - method
1982
1615
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1983
1616
@dbus.service.method(_interface)
1984
1617
def StartChecker(self):
1985
1618
"D-Bus method"
1986
1619
self.start_checker()
1987
1620
1988
1621
# Disable - method
1989
1622
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1990
1623
@dbus.service.method(_interface)
1991
1624
def Disable(self):
1992
1625
"D-Bus method"
1993
1626
self.disable()
1994
1627
1995
1628
# StopChecker - method
1996
1629
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1997
1630
@dbus.service.method(_interface)
1998
1631
def StopChecker(self):
1999
1632
self.stop_checker()
2000
2001
# Properties
2002
1633
1634
## Properties
1635
2003
1636
# ApprovalPending - property
2004
1637
@dbus_service_property(_interface, signature="b", access="read")
2005
1638
def ApprovalPending_dbus_property(self):
2006
1639
return dbus.Boolean(bool(self.approvals_pending))
2007
1640
2008
1641
# ApprovedByDefault - property
2009
1642
@dbus_service_property(_interface,
2010
1643
signature="b",
2013
1646
if value is None: # get
2014
1647
return dbus.Boolean(self.approved_by_default)
2015
1648
self.approved_by_default = bool(value)
2016
1649
2017
1650
# ApprovalDelay - property
2018
1651
@dbus_service_property(_interface,
2019
1652
signature="t",
2023
1656
return dbus.UInt64(self.approval_delay.total_seconds()
2024
1657
* 1000)
2025
1658
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2026
1659
2027
1660
# ApprovalDuration - property
2028
1661
@dbus_service_property(_interface,
2029
1662
signature="t",
2033
1666
return dbus.UInt64(self.approval_duration.total_seconds()
2034
1667
* 1000)
2035
1668
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2036
1669
2037
1670
# Name - property
2038
1671
@dbus_annotations(
2039
1672
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2040
1673
@dbus_service_property(_interface, signature="s", access="read")
2041
1674
def Name_dbus_property(self):
2042
1675
return dbus.String(self.name)
2043
2044
# KeyID - property
2045
@dbus_annotations(
2046
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2047
@dbus_service_property(_interface, signature="s", access="read")
2048
def KeyID_dbus_property(self):
2049
return dbus.String(self.key_id)
2050
1676
2051
1677
# Fingerprint - property
2052
1678
@dbus_annotations(
2053
1679
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2054
1680
@dbus_service_property(_interface, signature="s", access="read")
2055
1681
def Fingerprint_dbus_property(self):
2056
1682
return dbus.String(self.fingerprint)
2057
1683
2058
1684
# Host - property
2059
1685
@dbus_service_property(_interface,
2060
1686
signature="s",
2063
1689
if value is None: # get
2064
1690
return dbus.String(self.host)
2065
1691
self.host = str(value)
2066
1692
2067
1693
# Created - property
2068
1694
@dbus_annotations(
2069
1695
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2070
1696
@dbus_service_property(_interface, signature="s", access="read")
2071
1697
def Created_dbus_property(self):
2072
1698
return datetime_to_dbus(self.created)
2073
1699
2074
1700
# LastEnabled - property
2075
1701
@dbus_service_property(_interface, signature="s", access="read")
2076
1702
def LastEnabled_dbus_property(self):
2077
1703
return datetime_to_dbus(self.last_enabled)
2078
1704
2079
1705
# Enabled - property
2080
1706
@dbus_service_property(_interface,
2081
1707
signature="b",
2087
1713
self.enable()
2088
1714
else:
2089
1715
self.disable()
2090
1716
2091
1717
# LastCheckedOK - property
2092
1718
@dbus_service_property(_interface,
2093
1719
signature="s",
2097
1723
self.checked_ok()
2098
1724
return
2099
1725
return datetime_to_dbus(self.last_checked_ok)
2100
1726
2101
1727
# LastCheckerStatus - property
2102
1728
@dbus_service_property(_interface, signature="n", access="read")
2103
1729
def LastCheckerStatus_dbus_property(self):
2104
1730
return dbus.Int16(self.last_checker_status)
2105
1731
2106
1732
# Expires - property
2107
1733
@dbus_service_property(_interface, signature="s", access="read")
2108
1734
def Expires_dbus_property(self):
2109
1735
return datetime_to_dbus(self.expires)
2110
1736
2111
1737
# LastApprovalRequest - property
2112
1738
@dbus_service_property(_interface, signature="s", access="read")
2113
1739
def LastApprovalRequest_dbus_property(self):
2114
1740
return datetime_to_dbus(self.last_approval_request)
2115
1741
2116
1742
# Timeout - property
2117
1743
@dbus_service_property(_interface,
2118
1744
signature="t",
2133
1759
if (getattr(self, "disable_initiator_tag", None)
2134
1760
is None):
2135
1761
return
2136
GLib.source_remove(self.disable_initiator_tag)
2137
self.disable_initiator_tag = GLib.timeout_add(
1762
gobject.source_remove(self.disable_initiator_tag)
1763
self.disable_initiator_tag = gobject.timeout_add(
2138
1764
int((self.expires - now).total_seconds() * 1000),
2139
1765
self.disable)
2140
1766
2141
1767
# ExtendedTimeout - property
2142
1768
@dbus_service_property(_interface,
2143
1769
signature="t",
2147
1773
return dbus.UInt64(self.extended_timeout.total_seconds()
2148
1774
* 1000)
2149
1775
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2150
1776
2151
1777
# Interval - property
2152
1778
@dbus_service_property(_interface,
2153
1779
signature="t",
2160
1786
return
2161
1787
if self.enabled:
2162
1788
# Reschedule checker run
2163
GLib.source_remove(self.checker_initiator_tag)
2164
self.checker_initiator_tag = GLib.timeout_add(
1789
gobject.source_remove(self.checker_initiator_tag)
1790
self.checker_initiator_tag = gobject.timeout_add(
2165
1791
value, self.start_checker)
2166
self.start_checker() # Start one now, too
2167
1792
self.start_checker() # Start one now, too
1793
2168
1794
# Checker - property
2169
1795
@dbus_service_property(_interface,
2170
1796
signature="s",
2173
1799
if value is None: # get
2174
1800
return dbus.String(self.checker_command)
2175
1801
self.checker_command = str(value)
2176
1802
2177
1803
# CheckerRunning - property
2178
1804
@dbus_service_property(_interface,
2179
1805
signature="b",
2185
1811
self.start_checker()
2186
1812
else:
2187
1813
self.stop_checker()
2188
1814
2189
1815
# ObjectPath - property
2190
1816
@dbus_annotations(
2191
1817
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2192
1818
"org.freedesktop.DBus.Deprecated": "true"})
2193
1819
@dbus_service_property(_interface, signature="o", access="read")
2194
1820
def ObjectPath_dbus_property(self):
2195
return self.dbus_object_path # is already a dbus.ObjectPath
2196
1821
return self.dbus_object_path # is already a dbus.ObjectPath
1822
2197
1823
# Secret = property
2198
1824
@dbus_annotations(
2199
1825
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2204
1830
byte_arrays=True)
2205
1831
def Secret_dbus_property(self, value):
2206
1832
self.secret = bytes(value)
2207
1833
2208
1834
del _interface
2209
1835
2210
1836
2211
1837
class ProxyClient(object):
2212
def __init__(self, child_pipe, key_id, fpr, address):
1838
def __init__(self, child_pipe, fpr, address):
2213
1839
self._pipe = child_pipe
2214
self._pipe.send(('init', key_id, fpr, address))
1840
self._pipe.send(('init', fpr, address))
2215
1841
if not self._pipe.recv():
2216
raise KeyError(key_id or fpr)
2217
1842
raise KeyError(fpr)
1843
2218
1844
def __getattribute__(self, name):
2219
1845
if name == '_pipe':
2220
1846
return super(ProxyClient, self).__getattribute__(name)
2223
1849
if data[0] == 'data':
2224
1850
return data[1]
2225
1851
if data[0] == 'function':
2226
1852
2227
1853
def func(*args, **kwargs):
2228
1854
self._pipe.send(('funcall', name, args, kwargs))
2229
1855
return self._pipe.recv()[1]
2230
1856
2231
1857
return func
2232
1858
2233
1859
def __setattr__(self, name, value):
2234
1860
if name == '_pipe':
2235
1861
return super(ProxyClient, self).__setattr__(name, value)
2238
1864
2239
1865
class ClientHandler(socketserver.BaseRequestHandler, object):
2240
1866
"""A class to handle client connections.
2241
1867
2242
1868
Instantiated once for each connection to handle it.
2243
1869
Note: This will run in its own forked process."""
2244
1870
2245
1871
def handle(self):
2246
1872
with contextlib.closing(self.server.child_pipe) as child_pipe:
2247
1873
logger.info("TCP connection from: %s",
2248
1874
str(self.client_address))
2249
1875
logger.debug("Pipe FD: %d",
2250
1876
self.server.child_pipe.fileno())
2251
2252
session = gnutls.ClientSession(self.request)
2253
2254
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2255
# "+AES-256-CBC", "+SHA1",
2256
# "+COMP-NULL", "+CTYPE-OPENPGP",
2257
# "+DHE-DSS"))
1877
1878
session = gnutls.connection.ClientSession(
1879
self.request, gnutls.connection .X509Credentials())
1880
1881
# Note: gnutls.connection.X509Credentials is really a
1882
# generic GnuTLS certificate credentials object so long as
1883
# no X.509 keys are added to it. Therefore, we can use it
1884
# here despite using OpenPGP certificates.
1885
1886
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1887
# "+AES-256-CBC", "+SHA1",
1888
# "+COMP-NULL", "+CTYPE-OPENPGP",
1889
# "+DHE-DSS"))
2258
1890
# Use a fallback default, since this MUST be set.
2259
1891
priority = self.server.gnutls_priority
2260
1892
if priority is None:
2261
1893
priority = "NORMAL"
2262
gnutls.priority_set_direct(session._c_object,
2263
priority.encode("utf-8"),
2264
None)
2265
1894
gnutls.library.functions.gnutls_priority_set_direct(
1895
session._c_object, priority, None)
1896
2266
1897
# Start communication using the Mandos protocol
2267
1898
# Get protocol number
2268
1899
line = self.request.makefile().readline()
2273
1904
except (ValueError, IndexError, RuntimeError) as error:
2274
1905
logger.error("Unknown protocol version: %s", error)
2275
1906
return
2276
1907
2277
1908
# Start GnuTLS connection
2278
1909
try:
2279
1910
session.handshake()
2280
except gnutls.Error as error:
1911
except gnutls.errors.GNUTLSError as error:
2281
1912
logger.warning("Handshake failed: %s", error)
2282
1913
# Do not run session.bye() here: the session is not
2283
1914
# established. Just abandon the request.
2284
1915
return
2285
1916
logger.debug("Handshake succeeded")
2286
1917
2287
1918
approval_required = False
2288
1919
try:
2289
if gnutls.has_rawpk:
2290
fpr = ""
2291
try:
2292
key_id = self.key_id(
2293
self.peer_certificate(session))
2294
except (TypeError, gnutls.Error) as error:
2295
logger.warning("Bad certificate: %s", error)
2296
return
2297
logger.debug("Key ID: %s", key_id)
2298
2299
else:
2300
key_id = ""
2301
try:
2302
fpr = self.fingerprint(
2303
self.peer_certificate(session))
2304
except (TypeError, gnutls.Error) as error:
2305
logger.warning("Bad certificate: %s", error)
2306
return
2307
logger.debug("Fingerprint: %s", fpr)
2308
2309
try:
2310
client = ProxyClient(child_pipe, key_id, fpr,
1920
try:
1921
fpr = self.fingerprint(
1922
self.peer_certificate(session))
1923
except (TypeError,
1924
gnutls.errors.GNUTLSError) as error:
1925
logger.warning("Bad certificate: %s", error)
1926
return
1927
logger.debug("Fingerprint: %s", fpr)
1928
1929
try:
1930
client = ProxyClient(child_pipe, fpr,
2311
1931
self.client_address)
2312
1932
except KeyError:
2313
1933
return
2314
1934
2315
1935
if client.approval_delay:
2316
1936
delay = client.approval_delay
2317
1937
client.approvals_pending += 1
2318
1938
approval_required = True
2319
1939
2320
1940
while True:
2321
1941
if not client.enabled:
2322
1942
logger.info("Client %s is disabled",
2325
1945
# Emit D-Bus signal
2326
1946
client.Rejected("Disabled")
2327
1947
return
2328
1948
2329
1949
if client.approved or not client.approval_delay:
2330
# We are approved or approval is disabled
1950
#We are approved or approval is disabled
2331
1951
break
2332
1952
elif client.approved is None:
2333
1953
logger.info("Client %s needs approval",
2344
1964
# Emit D-Bus signal
2345
1965
client.Rejected("Denied")
2346
1966
return
2347
2348
# wait until timeout or approved
1967
1968
#wait until timeout or approved
2349
1969
time = datetime.datetime.now()
2350
1970
client.changedstate.acquire()
2351
1971
client.changedstate.wait(delay.total_seconds())
2364
1984
break
2365
1985
else:
2366
1986
delay -= time2 - time
2367
2368
try:
2369
session.send(client.secret)
2370
except gnutls.Error as error:
2371
logger.warning("gnutls send failed",
2372
exc_info=error)
2373
return
2374
1987
1988
sent_size = 0
1989
while sent_size < len(client.secret):
1990
try:
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1994
exc_info=error)
1995
return
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
1998
+ sent))
1999
sent_size += sent
2000
2375
2001
logger.info("Sending secret to %s", client.name)
2376
2002
# bump the timeout using extended_timeout
2377
2003
client.bump_timeout(client.extended_timeout)
2378
2004
if self.server.use_dbus:
2379
2005
# Emit D-Bus signal
2380
2006
client.GotSecret()
2381
2007
2382
2008
finally:
2383
2009
if approval_required:
2384
2010
client.approvals_pending -= 1
2385
2011
try:
2386
2012
session.bye()
2387
except gnutls.Error as error:
2013
except gnutls.errors.GNUTLSError as error:
2388
2014
logger.warning("GnuTLS bye failed",
2389
2015
exc_info=error)
2390
2016
2391
2017
@staticmethod
2392
2018
def peer_certificate(session):
2393
"Return the peer's certificate as a bytestring"
2394
try:
2395
cert_type = gnutls.certificate_type_get2(session._c_object,
2396
gnutls.CTYPE_PEERS)
2397
except AttributeError:
2398
cert_type = gnutls.certificate_type_get(session._c_object)
2399
if gnutls.has_rawpk:
2400
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2401
else:
2402
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2403
# If not a valid certificate type...
2404
if cert_type not in valid_cert_types:
2405
logger.info("Cert type %r not in %r", cert_type,
2406
valid_cert_types)
2407
# ...return invalid data
2408
return b""
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2022
session._c_object)
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2409
2026
list_size = ctypes.c_uint(1)
2410
cert_list = (gnutls.certificate_get_peers
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2411
2029
(session._c_object, ctypes.byref(list_size)))
2412
2030
if not bool(cert_list) and list_size.value != 0:
2413
raise gnutls.Error("error getting peer certificate")
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2032
" certificate")
2414
2033
if list_size.value == 0:
2415
2034
return None
2416
2035
cert = cert_list[0]
2417
2036
return ctypes.string_at(cert.data, cert.size)
2418
2419
@staticmethod
2420
def key_id(certificate):
2421
"Convert a certificate bytestring to a hexdigit key ID"
2422
# New GnuTLS "datum" with the public key
2423
datum = gnutls.datum_t(
2424
ctypes.cast(ctypes.c_char_p(certificate),
2425
ctypes.POINTER(ctypes.c_ubyte)),
2426
ctypes.c_uint(len(certificate)))
2427
# XXX all these need to be created in the gnutls "module"
2428
# New empty GnuTLS certificate
2429
pubkey = gnutls.pubkey_t()
2430
gnutls.pubkey_init(ctypes.byref(pubkey))
2431
# Import the raw public key into the certificate
2432
gnutls.pubkey_import(pubkey,
2433
ctypes.byref(datum),
2434
gnutls.X509_FMT_DER)
2435
# New buffer for the key ID
2436
buf = ctypes.create_string_buffer(32)
2437
buf_len = ctypes.c_size_t(len(buf))
2438
# Get the key ID from the raw public key into the buffer
2439
gnutls.pubkey_get_key_id(pubkey,
2440
gnutls.KEYID_USE_SHA256,
2441
ctypes.cast(ctypes.byref(buf),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.byref(buf_len))
2444
# Deinit the certificate
2445
gnutls.pubkey_deinit(pubkey)
2446
2447
# Convert the buffer to a Python bytestring
2448
key_id = ctypes.string_at(buf, buf_len.value)
2449
# Convert the bytestring to hexadecimal notation
2450
hex_key_id = binascii.hexlify(key_id).upper()
2451
return hex_key_id
2452
2037
2453
2038
@staticmethod
2454
2039
def fingerprint(openpgp):
2455
2040
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2456
2041
# New GnuTLS "datum" with the OpenPGP public key
2457
datum = gnutls.datum_t(
2042
datum = gnutls.library.types.gnutls_datum_t(
2458
2043
ctypes.cast(ctypes.c_char_p(openpgp),
2459
2044
ctypes.POINTER(ctypes.c_ubyte)),
2460
2045
ctypes.c_uint(len(openpgp)))
2461
2046
# New empty GnuTLS certificate
2462
crt = gnutls.openpgp_crt_t()
2463
gnutls.openpgp_crt_init(ctypes.byref(crt))
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2049
ctypes.byref(crt))
2464
2050
# Import the OpenPGP public key into the certificate
2465
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2466
gnutls.OPENPGP_FMT_RAW)
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2467
2054
# Verify the self signature in the key
2468
2055
crtverify = ctypes.c_uint()
2469
gnutls.openpgp_crt_verify_self(crt, 0,
2470
ctypes.byref(crtverify))
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2471
2058
if crtverify.value != 0:
2472
gnutls.openpgp_crt_deinit(crt)
2473
raise gnutls.CertificateSecurityError(code
2474
=crtverify.value)
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2061
"Verify failed")
2475
2062
# New buffer for the fingerprint
2476
2063
buf = ctypes.create_string_buffer(20)
2477
2064
buf_len = ctypes.c_size_t()
2478
2065
# Get the fingerprint from the certificate into the buffer
2479
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2480
ctypes.byref(buf_len))
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2481
2068
# Deinit the certificate
2482
gnutls.openpgp_crt_deinit(crt)
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2483
2070
# Convert the buffer to a Python bytestring
2484
2071
fpr = ctypes.string_at(buf, buf_len.value)
2485
2072
# Convert the bytestring to hexadecimal notation
2489
2076
2490
2077
class MultiprocessingMixIn(object):
2491
2078
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2492
2079
2493
2080
def sub_process_main(self, request, address):
2494
2081
try:
2495
2082
self.finish_request(request, address)
2496
2083
except Exception:
2497
2084
self.handle_error(request, address)
2498
2085
self.close_request(request)
2499
2086
2500
2087
def process_request(self, request, address):
2501
2088
"""Start a new process to process the request."""
2502
proc = multiprocessing.Process(target=self.sub_process_main,
2503
args=(request, address))
2089
proc = multiprocessing.Process(target = self.sub_process_main,
2090
args = (request, address))
2504
2091
proc.start()
2505
2092
return proc
2506
2093
2507
2094
2508
2095
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2509
2096
""" adds a pipe to the MixIn """
2510
2097
2511
2098
def process_request(self, request, client_address):
2512
2099
"""Overrides and wraps the original process_request().
2513
2100
2514
2101
This function creates a new pipe in self.pipe
2515
2102
"""
2516
2103
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2517
2104
2518
2105
proc = MultiprocessingMixIn.process_request(self, request,
2519
2106
client_address)
2520
2107
self.child_pipe.close()
2521
2108
self.add_pipe(parent_pipe, proc)
2522
2109
2523
2110
def add_pipe(self, parent_pipe, proc):
2524
2111
"""Dummy function; override as necessary"""
2525
2112
raise NotImplementedError()
2528
2115
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2529
2116
socketserver.TCPServer, object):
2530
2117
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2531
2118
2532
2119
Attributes:
2533
2120
enabled: Boolean; whether this server is activated yet
2534
2121
interface: None or a network interface name (string)
2535
2122
use_ipv6: Boolean; to use IPv6 or not
2536
2123
"""
2537
2124
2538
2125
def __init__(self, server_address, RequestHandlerClass,
2539
2126
interface=None,
2540
2127
use_ipv6=True,
2550
2137
self.socketfd = socketfd
2551
2138
# Save the original socket.socket() function
2552
2139
self.socket_socket = socket.socket
2553
2554
2140
# To implement --socket, we monkey patch socket.socket.
2555
#
2141
#
2556
2142
# (When socketserver.TCPServer is a new-style class, we
2557
2143
# could make self.socket into a property instead of monkey
2558
2144
# patching socket.socket.)
2559
#
2145
#
2560
2146
# Create a one-time-only replacement for socket.socket()
2561
2147
@functools.wraps(socket.socket)
2562
2148
def socket_wrapper(*args, **kwargs):
2574
2160
# socket_wrapper(), if socketfd was set.
2575
2161
socketserver.TCPServer.__init__(self, server_address,
2576
2162
RequestHandlerClass)
2577
2163
2578
2164
def server_bind(self):
2579
2165
"""This overrides the normal server_bind() function
2580
2166
to bind to an interface if one was specified, and also NOT to
2581
2167
bind to an address or port if they were not specified."""
2582
global SO_BINDTODEVICE
2583
2168
if self.interface is not None:
2584
2169
if SO_BINDTODEVICE is None:
2585
# Fall back to a hard-coded value which seems to be
2586
# common enough.
2587
logger.warning("SO_BINDTODEVICE not found, trying 25")
2588
SO_BINDTODEVICE = 25
2589
try:
2590
self.socket.setsockopt(
2591
socket.SOL_SOCKET, SO_BINDTODEVICE,
2592
(self.interface + "\0").encode("utf-8"))
2593
except socket.error as error:
2594
if error.errno == errno.EPERM:
2595
logger.error("No permission to bind to"
2596
" interface %s", self.interface)
2597
elif error.errno == errno.ENOPROTOOPT:
2598
logger.error("SO_BINDTODEVICE not available;"
2599
" cannot bind to interface %s",
2600
self.interface)
2601
elif error.errno == errno.ENODEV:
2602
logger.error("Interface %s does not exist,"
2603
" cannot bind", self.interface)
2604
else:
2605
raise
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2172
self.interface)
2173
else:
2174
try:
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2185
self.interface)
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2189
else:
2190
raise
2606
2191
# Only bind(2) the socket if we really need to.
2607
2192
if self.server_address[0] or self.server_address[1]:
2608
2193
if not self.server_address[0]:
2609
2194
if self.address_family == socket.AF_INET6:
2610
any_address = "::" # in6addr_any
2195
any_address = "::" # in6addr_any
2611
2196
else:
2612
any_address = "0.0.0.0" # INADDR_ANY
2197
any_address = "0.0.0.0" # INADDR_ANY
2613
2198
self.server_address = (any_address,
2614
2199
self.server_address[1])
2615
2200
elif not self.server_address[1]:
2625
2210
2626
2211
class MandosServer(IPv6_TCPServer):
2627
2212
"""Mandos server.
2628
2213
2629
2214
Attributes:
2630
2215
clients: set of Client objects
2631
2216
gnutls_priority GnuTLS priority string
2632
2217
use_dbus: Boolean; to emit D-Bus signals or not
2633
2634
Assumes a GLib.MainLoop event loop.
2218
2219
Assumes a gobject.MainLoop event loop.
2635
2220
"""
2636
2221
2637
2222
def __init__(self, server_address, RequestHandlerClass,
2638
2223
interface=None,
2639
2224
use_ipv6=True,
2649
2234
self.gnutls_priority = gnutls_priority
2650
2235
IPv6_TCPServer.__init__(self, server_address,
2651
2236
RequestHandlerClass,
2652
interface=interface,
2653
use_ipv6=use_ipv6,
2654
socketfd=socketfd)
2655
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2240
2656
2241
def server_activate(self):
2657
2242
if self.enabled:
2658
2243
return socketserver.TCPServer.server_activate(self)
2659
2244
2660
2245
def enable(self):
2661
2246
self.enabled = True
2662
2247
2663
2248
def add_pipe(self, parent_pipe, proc):
2664
2249
# Call "handle_ipc" for both data and EOF events
2665
GLib.io_add_watch(
2250
gobject.io_add_watch(
2666
2251
parent_pipe.fileno(),
2667
GLib.IO_IN | GLib.IO_HUP,
2252
gobject.IO_IN | gobject.IO_HUP,
2668
2253
functools.partial(self.handle_ipc,
2669
parent_pipe=parent_pipe,
2670
proc=proc))
2671
2254
parent_pipe = parent_pipe,
2255
proc = proc))
2256
2672
2257
def handle_ipc(self, source, condition,
2673
2258
parent_pipe=None,
2674
proc=None,
2259
proc = None,
2675
2260
client_object=None):
2676
2261
# error, or the other end of multiprocessing.Pipe has closed
2677
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2678
2263
# Wait for other process to exit
2679
2264
proc.join()
2680
2265
return False
2681
2266
2682
2267
# Read a request from the child
2683
2268
request = parent_pipe.recv()
2684
2269
command = request[0]
2685
2270
2686
2271
if command == 'init':
2687
key_id = request[1].decode("ascii")
2688
fpr = request[2].decode("ascii")
2689
address = request[3]
2690
2691
for c in self.clients.values():
2692
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2693
continue
2694
if key_id and c.key_id == key_id:
2695
client = c
2696
break
2697
if fpr and c.fingerprint == fpr:
2272
fpr = request[1]
2273
address = request[2]
2274
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2698
2277
client = c
2699
2278
break
2700
2279
else:
2701
logger.info("Client not found for key ID: %s, address"
2702
": %s", key_id or fpr, address)
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2703
2282
if self.use_dbus:
2704
2283
# Emit D-Bus signal
2705
mandos_dbus_service.ClientNotFound(key_id or fpr,
2284
mandos_dbus_service.ClientNotFound(fpr,
2706
2285
address[0])
2707
2286
parent_pipe.send(False)
2708
2287
return False
2709
2710
GLib.io_add_watch(
2288
2289
gobject.io_add_watch(
2711
2290
parent_pipe.fileno(),
2712
GLib.IO_IN | GLib.IO_HUP,
2291
gobject.IO_IN | gobject.IO_HUP,
2713
2292
functools.partial(self.handle_ipc,
2714
parent_pipe=parent_pipe,
2715
proc=proc,
2716
client_object=client))
2293
parent_pipe = parent_pipe,
2294
proc = proc,
2295
client_object = client))
2717
2296
parent_pipe.send(True)
2718
2297
# remove the old hook in favor of the new above hook on
2719
2298
# same fileno
2722
2301
funcname = request[1]
2723
2302
args = request[2]
2724
2303
kwargs = request[3]
2725
2304
2726
2305
parent_pipe.send(('data', getattr(client_object,
2727
2306
funcname)(*args,
2728
2307
**kwargs)))
2729
2308
2730
2309
if command == 'getattr':
2731
2310
attrname = request[1]
2732
2311
if isinstance(client_object.__getattribute__(attrname),
2735
2314
else:
2736
2315
parent_pipe.send((
2737
2316
'data', client_object.__getattribute__(attrname)))
2738
2317
2739
2318
if command == 'setattr':
2740
2319
attrname = request[1]
2741
2320
value = request[2]
2742
2321
setattr(client_object, attrname, value)
2743
2322
2744
2323
return True
2745
2324
2746
2325
2747
2326
def rfc3339_duration_to_delta(duration):
2748
2327
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2749
2328
2750
2329
>>> rfc3339_duration_to_delta("P7D")
2751
2330
datetime.timedelta(7)
2752
2331
>>> rfc3339_duration_to_delta("PT60S")
2762
2341
>>> rfc3339_duration_to_delta("P1DT3M20S")
2763
2342
datetime.timedelta(1, 200)
2764
2343
"""
2765
2344
2766
2345
# Parsing an RFC 3339 duration with regular expressions is not
2767
2346
# possible - there would have to be multiple places for the same
2768
2347
# values, like seconds. The current code, while more esoteric, is
2769
2348
# cleaner without depending on a parsing library. If Python had a
2770
2349
# built-in library for parsing we would use it, but we'd like to
2771
2350
# avoid excessive use of external libraries.
2772
2351
2773
2352
# New type for defining tokens, syntax, and semantics all-in-one
2774
2353
Token = collections.namedtuple("Token", (
2775
2354
"regexp", # To match token; if "value" is not None, must have
2808
2387
frozenset((token_year, token_month,
2809
2388
token_day, token_time,
2810
2389
token_week)))
2811
# Define starting values:
2812
# Value so far
2813
value = datetime.timedelta()
2390
# Define starting values
2391
value = datetime.timedelta() # Value so far
2814
2392
found_token = None
2815
# Following valid tokens
2816
followers = frozenset((token_duration, ))
2817
# String left to parse
2818
s = duration
2393
followers = frozenset((token_duration, )) # Following valid tokens
2394
s = duration # String left to parse
2819
2395
# Loop until end token is found
2820
2396
while found_token is not token_end:
2821
2397
# Search for any currently valid tokens
2845
2421
2846
2422
def string_to_delta(interval):
2847
2423
"""Parse a string and return a datetime.timedelta
2848
2424
2849
2425
>>> string_to_delta('7d')
2850
2426
datetime.timedelta(7)
2851
2427
>>> string_to_delta('60s')
2859
2435
>>> string_to_delta('5m 30s')
2860
2436
datetime.timedelta(0, 330)
2861
2437
"""
2862
2438
2863
2439
try:
2864
2440
return rfc3339_duration_to_delta(interval)
2865
2441
except ValueError:
2866
2442
pass
2867
2443
2868
2444
timevalue = datetime.timedelta(0)
2869
2445
for s in interval.split():
2870
2446
try:
2888
2464
return timevalue
2889
2465
2890
2466
2891
def daemon(nochdir=False, noclose=False):
2467
def daemon(nochdir = False, noclose = False):
2892
2468
"""See daemon(3). Standard BSD Unix function.
2893
2469
2894
2470
This should really exist as os.daemon, but it doesn't (yet)."""
2895
2471
if os.fork():
2896
2472
sys.exit()
2914
2490
2915
2491
2916
2492
def main():
2917
2493
2918
2494
##################################################################
2919
2495
# Parsing of options, both command line and config file
2920
2496
2921
2497
parser = argparse.ArgumentParser()
2922
2498
parser.add_argument("-v", "--version", action="version",
2923
version="%(prog)s {}".format(version),
2499
version = "%(prog)s {}".format(version),
2924
2500
help="show version number and exit")
2925
2501
parser.add_argument("-i", "--interface", metavar="IF",
2926
2502
help="Bind to interface IF")
2962
2538
parser.add_argument("--no-zeroconf", action="store_false",
2963
2539
dest="zeroconf", help="Do not use Zeroconf",
2964
2540
default=None)
2965
2541
2966
2542
options = parser.parse_args()
2967
2543
2968
2544
if options.check:
2969
2545
import doctest
2970
2546
fail_count, test_count = doctest.testmod()
2971
2547
sys.exit(os.EX_OK if fail_count == 0 else 1)
2972
2548
2973
2549
# Default values for config file for server-global settings
2974
if gnutls.has_rawpk:
2975
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2976
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2977
else:
2978
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2979
":+SIGN-DSA-SHA256")
2980
server_defaults = {"interface": "",
2981
"address": "",
2982
"port": "",
2983
"debug": "False",
2984
"priority": priority,
2985
"servicename": "Mandos",
2986
"use_dbus": "True",
2987
"use_ipv6": "True",
2988
"debuglevel": "",
2989
"restore": "True",
2990
"socket": "",
2991
"statedir": "/var/lib/mandos",
2992
"foreground": "False",
2993
"zeroconf": "True",
2994
}
2995
del priority
2996
2550
server_defaults = { "interface": "",
2551
"address": "",
2552
"port": "",
2553
"debug": "False",
2554
"priority":
2555
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2556
":+SIGN-DSA-SHA256",
2557
"servicename": "Mandos",
2558
"use_dbus": "True",
2559
"use_ipv6": "True",
2560
"debuglevel": "",
2561
"restore": "True",
2562
"socket": "",
2563
"statedir": "/var/lib/mandos",
2564
"foreground": "False",
2565
"zeroconf": "True",
2566
}
2567
2997
2568
# Parse config file for server-global settings
2998
2569
server_config = configparser.SafeConfigParser(server_defaults)
2999
2570
del server_defaults
3001
2572
# Convert the SafeConfigParser object to a dict
3002
2573
server_settings = server_config.defaults()
3003
2574
# Use the appropriate methods on the non-string config options
3004
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3005
"foreground", "zeroconf"):
2575
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3006
2576
server_settings[option] = server_config.getboolean("DEFAULT",
3007
2577
option)
3008
2578
if server_settings["port"]:
3018
2588
server_settings["socket"] = os.dup(server_settings
3019
2589
["socket"])
3020
2590
del server_config
3021
2591
3022
2592
# Override the settings from the config file with command line
3023
2593
# options, if set.
3024
2594
for option in ("interface", "address", "port", "debug",
3042
2612
if server_settings["debug"]:
3043
2613
server_settings["foreground"] = True
3044
2614
# Now we have our good server settings in "server_settings"
3045
2615
3046
2616
##################################################################
3047
2617
3048
2618
if (not server_settings["zeroconf"]
3049
2619
and not (server_settings["port"]
3050
2620
or server_settings["socket"] != "")):
3051
2621
parser.error("Needs port or socket to work without Zeroconf")
3052
2622
3053
2623
# For convenience
3054
2624
debug = server_settings["debug"]
3055
2625
debuglevel = server_settings["debuglevel"]
3059
2629
stored_state_file)
3060
2630
foreground = server_settings["foreground"]
3061
2631
zeroconf = server_settings["zeroconf"]
3062
2632
3063
2633
if debug:
3064
2634
initlogger(debug, logging.DEBUG)
3065
2635
else:
3068
2638
else:
3069
2639
level = getattr(logging, debuglevel.upper())
3070
2640
initlogger(debug, level)
3071
2641
3072
2642
if server_settings["servicename"] != "Mandos":
3073
2643
syslogger.setFormatter(
3074
2644
logging.Formatter('Mandos ({}) [%(process)d]:'
3075
2645
' %(levelname)s: %(message)s'.format(
3076
2646
server_settings["servicename"])))
3077
2647
3078
2648
# Parse config file with clients
3079
2649
client_config = configparser.SafeConfigParser(Client
3080
2650
.client_defaults)
3081
2651
client_config.read(os.path.join(server_settings["configdir"],
3082
2652
"clients.conf"))
3083
2653
3084
2654
global mandos_dbus_service
3085
2655
mandos_dbus_service = None
3086
2656
3087
2657
socketfd = None
3088
2658
if server_settings["socket"] != "":
3089
2659
socketfd = server_settings["socket"]
3105
2675
except IOError as e:
3106
2676
logger.error("Could not open file %r", pidfilename,
3107
2677
exc_info=e)
3108
3109
for name, group in (("_mandos", "_mandos"),
3110
("mandos", "mandos"),
3111
("nobody", "nogroup")):
2678
2679
for name in ("_mandos", "mandos", "nobody"):
3112
2680
try:
3113
2681
uid = pwd.getpwnam(name).pw_uid
3114
gid = pwd.getpwnam(group).pw_gid
2682
gid = pwd.getpwnam(name).pw_gid
3115
2683
break
3116
2684
except KeyError:
3117
2685
continue
3121
2689
try:
3122
2690
os.setgid(gid)
3123
2691
os.setuid(uid)
3124
if debug:
3125
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3126
gid))
3127
2692
except OSError as error:
3128
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3129
.format(uid, gid, os.strerror(error.errno)))
3130
2693
if error.errno != errno.EPERM:
3131
2694
raise
3132
2695
3133
2696
if debug:
3134
2697
# Enable all possible GnuTLS debugging
3135
2698
3136
2699
# "Use a log level over 10 to enable all debugging options."
3137
2700
# - GnuTLS manual
3138
gnutls.global_set_log_level(11)
3139
3140
@gnutls.log_func
2701
gnutls.library.functions.gnutls_global_set_log_level(11)
2702
2703
@gnutls.library.types.gnutls_log_func
3141
2704
def debug_gnutls(level, string):
3142
2705
logger.debug("GnuTLS: %s", string[:-1])
3143
3144
gnutls.global_set_log_function(debug_gnutls)
3145
2706
2707
gnutls.library.functions.gnutls_global_set_log_function(
2708
debug_gnutls)
2709
3146
2710
# Redirect stdin so all checkers get /dev/null
3147
2711
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3148
2712
os.dup2(null, sys.stdin.fileno())
3149
2713
if null > 2:
3150
2714
os.close(null)
3151
2715
3152
2716
# Need to fork before connecting to D-Bus
3153
2717
if not foreground:
3154
2718
# Close all input and output, do double fork, etc.
3155
2719
daemon()
3156
3157
# multiprocessing will use threads, so before we use GLib we need
3158
# to inform GLib that threads will be used.
3159
GLib.threads_init()
3160
2720
2721
# multiprocessing will use threads, so before we use gobject we
2722
# need to inform gobject that threads will be used.
2723
gobject.threads_init()
2724
3161
2725
global main_loop
3162
2726
# From the Avahi example code
3163
2727
DBusGMainLoop(set_as_default=True)
3164
main_loop = GLib.MainLoop()
2728
main_loop = gobject.MainLoop()
3165
2729
bus = dbus.SystemBus()
3166
2730
# End of Avahi example code
3167
2731
if use_dbus:
3180
2744
if zeroconf:
3181
2745
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3182
2746
service = AvahiServiceToSyslog(
3183
name=server_settings["servicename"],
3184
servicetype="_mandos._tcp",
3185
protocol=protocol,
3186
bus=bus)
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
2750
bus = bus)
3187
2751
if server_settings["interface"]:
3188
2752
service.interface = if_nametoindex(
3189
2753
server_settings["interface"].encode("utf-8"))
3190
2754
3191
2755
global multiprocessing_manager
3192
2756
multiprocessing_manager = multiprocessing.Manager()
3193
2757
3194
2758
client_class = Client
3195
2759
if use_dbus:
3196
client_class = functools.partial(ClientDBus, bus=bus)
3197
2760
client_class = functools.partial(ClientDBus, bus = bus)
2761
3198
2762
client_settings = Client.config_parser(client_config)
3199
2763
old_client_settings = {}
3200
2764
clients_data = {}
3201
2765
3202
2766
# This is used to redirect stdout and stderr for checker processes
3203
2767
global wnull
3204
wnull = open(os.devnull, "w") # A writable /dev/null
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3205
2769
# Only used if server is running in foreground but not in debug
3206
2770
# mode
3207
2771
if debug or not foreground:
3208
2772
wnull.close()
3209
2773
3210
2774
# Get client data and settings from last running state.
3211
2775
if server_settings["restore"]:
3212
2776
try:
3213
2777
with open(stored_state_path, "rb") as stored_state:
3214
if sys.version_info.major == 2:
3215
clients_data, old_client_settings = pickle.load(
3216
stored_state)
3217
else:
3218
bytes_clients_data, bytes_old_client_settings = (
3219
pickle.load(stored_state, encoding="bytes"))
3220
# Fix bytes to strings
3221
# clients_data
3222
# .keys()
3223
clients_data = {(key.decode("utf-8")
3224
if isinstance(key, bytes)
3225
else key): value
3226
for key, value in
3227
bytes_clients_data.items()}
3228
del bytes_clients_data
3229
for key in clients_data:
3230
value = {(k.decode("utf-8")
3231
if isinstance(k, bytes) else k): v
3232
for k, v in
3233
clients_data[key].items()}
3234
clients_data[key] = value
3235
# .client_structure
3236
value["client_structure"] = [
3237
(s.decode("utf-8")
3238
if isinstance(s, bytes)
3239
else s) for s in
3240
value["client_structure"]]
3241
# .name & .host
3242
for k in ("name", "host"):
3243
if isinstance(value[k], bytes):
3244
value[k] = value[k].decode("utf-8")
3245
if not value.has_key("key_id"):
3246
value["key_id"] = ""
3247
elif not value.has_key("fingerprint"):
3248
value["fingerprint"] = ""
3249
# old_client_settings
3250
# .keys()
3251
old_client_settings = {
3252
(key.decode("utf-8")
3253
if isinstance(key, bytes)
3254
else key): value
3255
for key, value in
3256
bytes_old_client_settings.items()}
3257
del bytes_old_client_settings
3258
# .host
3259
for value in old_client_settings.values():
3260
if isinstance(value["host"], bytes):
3261
value["host"] = (value["host"]
3262
.decode("utf-8"))
2778
clients_data, old_client_settings = pickle.load(
2779
stored_state)
3263
2780
os.remove(stored_state_path)
3264
2781
except IOError as e:
3265
2782
if e.errno == errno.ENOENT:
3273
2790
logger.warning("Could not load persistent state: "
3274
2791
"EOFError:",
3275
2792
exc_info=e)
3276
2793
3277
2794
with PGPEngine() as pgp:
3278
2795
for client_name, client in clients_data.items():
3279
2796
# Skip removed clients
3280
2797
if client_name not in client_settings:
3281
2798
continue
3282
2799
3283
2800
# Decide which value to use after restoring saved state.
3284
2801
# We have three different values: Old config file,
3285
2802
# new config file, and saved state.
3296
2813
client[name] = value
3297
2814
except KeyError:
3298
2815
pass
3299
2816
3300
2817
# Clients who has passed its expire date can still be
3301
2818
# enabled if its last checker was successful. A Client
3302
2819
# whose checker succeeded before we stored its state is
3335
2852
client_name))
3336
2853
client["secret"] = (client_settings[client_name]
3337
2854
["secret"])
3338
2855
3339
2856
# Add/remove clients based on new changes made to config
3340
2857
for client_name in (set(old_client_settings)
3341
2858
- set(client_settings)):
3343
2860
for client_name in (set(client_settings)
3344
2861
- set(old_client_settings)):
3345
2862
clients_data[client_name] = client_settings[client_name]
3346
2863
3347
2864
# Create all client objects
3348
2865
for client_name, client in clients_data.items():
3349
2866
tcp_server.clients[client_name] = client_class(
3350
name=client_name,
3351
settings=client,
3352
server_settings=server_settings)
3353
2867
name = client_name,
2868
settings = client,
2869
server_settings = server_settings)
2870
3354
2871
if not tcp_server.clients:
3355
2872
logger.warning("No clients defined")
3356
2873
3357
2874
if not foreground:
3358
2875
if pidfile is not None:
3359
2876
pid = os.getpid()
3365
2882
pidfilename, pid)
3366
2883
del pidfile
3367
2884
del pidfilename
3368
3369
for termsig in (signal.SIGHUP, signal.SIGTERM):
3370
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3371
lambda: main_loop.quit() and False)
3372
2885
2886
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2887
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2888
3373
2889
if use_dbus:
3374
2890
3375
2891
@alternate_dbus_interfaces(
3376
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2892
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3377
2893
class MandosDBusService(DBusObjectWithObjectManager):
3378
2894
"""A D-Bus proxy object"""
3379
2895
3380
2896
def __init__(self):
3381
2897
dbus.service.Object.__init__(self, bus, "/")
3382
2898
3383
2899
_interface = "se.recompile.Mandos"
3384
2900
3385
2901
@dbus.service.signal(_interface, signature="o")
3386
2902
def ClientAdded(self, objpath):
3387
2903
"D-Bus signal"
3388
2904
pass
3389
2905
3390
2906
@dbus.service.signal(_interface, signature="ss")
3391
def ClientNotFound(self, key_id, address):
2907
def ClientNotFound(self, fingerprint, address):
3392
2908
"D-Bus signal"
3393
2909
pass
3394
2910
3395
2911
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3396
2912
"true"})
3397
2913
@dbus.service.signal(_interface, signature="os")
3398
2914
def ClientRemoved(self, objpath, name):
3399
2915
"D-Bus signal"
3400
2916
pass
3401
2917
3402
2918
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3403
2919
"true"})
3404
2920
@dbus.service.method(_interface, out_signature="ao")
3405
2921
def GetAllClients(self):
3406
2922
"D-Bus method"
3407
2923
return dbus.Array(c.dbus_object_path for c in
3408
tcp_server.clients.values())
3409
2924
tcp_server.clients.itervalues())
2925
3410
2926
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3411
2927
"true"})
3412
2928
@dbus.service.method(_interface,
3414
2930
def GetAllClientsWithProperties(self):
3415
2931
"D-Bus method"
3416
2932
return dbus.Dictionary(
3417
{c.dbus_object_path: c.GetAll(
2933
{ c.dbus_object_path: c.GetAll(
3418
2934
"se.recompile.Mandos.Client")
3419
for c in tcp_server.clients.values()},
2935
for c in tcp_server.clients.itervalues() },
3420
2936
signature="oa{sv}")
3421
2937
3422
2938
@dbus.service.method(_interface, in_signature="o")
3423
2939
def RemoveClient(self, object_path):
3424
2940
"D-Bus method"
3425
for c in tcp_server.clients.values():
2941
for c in tcp_server.clients.itervalues():
3426
2942
if c.dbus_object_path == object_path:
3427
2943
del tcp_server.clients[c.name]
3428
2944
c.remove_from_connection()
3432
2948
self.client_removed_signal(c)
3433
2949
return
3434
2950
raise KeyError(object_path)
3435
2951
3436
2952
del _interface
3437
2953
3438
2954
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3439
out_signature="a{oa{sa{sv}}}")
2955
out_signature = "a{oa{sa{sv}}}")
3440
2956
def GetManagedObjects(self):
3441
2957
"""D-Bus method"""
3442
2958
return dbus.Dictionary(
3443
{client.dbus_object_path:
3444
dbus.Dictionary(
3445
{interface: client.GetAll(interface)
3446
for interface in
3447
client._get_all_interface_names()})
3448
for client in tcp_server.clients.values()})
3449
2959
{ client.dbus_object_path:
2960
dbus.Dictionary(
2961
{ interface: client.GetAll(interface)
2962
for interface in
2963
client._get_all_interface_names()})
2964
for client in tcp_server.clients.values()})
2965
3450
2966
def client_added_signal(self, client):
3451
2967
"""Send the new standard signal and the old signal"""
3452
2968
if use_dbus:
3454
2970
self.InterfacesAdded(
3455
2971
client.dbus_object_path,
3456
2972
dbus.Dictionary(
3457
{interface: client.GetAll(interface)
3458
for interface in
3459
client._get_all_interface_names()}))
2973
{ interface: client.GetAll(interface)
2974
for interface in
2975
client._get_all_interface_names()}))
3460
2976
# Old signal
3461
2977
self.ClientAdded(client.dbus_object_path)
3462
2978
3463
2979
def client_removed_signal(self, client):
3464
2980
"""Send the new standard signal and the old signal"""
3465
2981
if use_dbus:
3470
2986
# Old signal
3471
2987
self.ClientRemoved(client.dbus_object_path,
3472
2988
client.name)
3473
2989
3474
2990
mandos_dbus_service = MandosDBusService()
3475
3476
# Save modules to variables to exempt the modules from being
3477
# unloaded before the function registered with atexit() is run.
3478
mp = multiprocessing
3479
wn = wnull
3480
2991
3481
2992
def cleanup():
3482
2993
"Cleanup function; run on exit"
3483
2994
if zeroconf:
3484
2995
service.cleanup()
3485
3486
mp.active_children()
3487
wn.close()
2996
2997
multiprocessing.active_children()
2998
wnull.close()
3488
2999
if not (tcp_server.clients or client_settings):
3489
3000
return
3490
3001
3491
3002
# Store client before exiting. Secrets are encrypted with key
3492
3003
# based on what config file has. If config file is
3493
3004
# removed/edited, old secret will thus be unrecovable.
3494
3005
clients = {}
3495
3006
with PGPEngine() as pgp:
3496
for client in tcp_server.clients.values():
3007
for client in tcp_server.clients.itervalues():
3497
3008
key = client_settings[client.name]["secret"]
3498
3009
client.encrypted_secret = pgp.encrypt(client.secret,
3499
3010
key)
3500
3011
client_dict = {}
3501
3012
3502
3013
# A list of attributes that can not be pickled
3503
3014
# + secret.
3504
exclude = {"bus", "changedstate", "secret",
3505
"checker", "server_settings"}
3015
exclude = { "bus", "changedstate", "secret",
3016
"checker", "server_settings" }
3506
3017
for name, typ in inspect.getmembers(dbus.service
3507
3018
.Object):
3508
3019
exclude.add(name)
3509
3020
3510
3021
client_dict["encrypted_secret"] = (client
3511
3022
.encrypted_secret)
3512
3023
for attr in client.client_structure:
3513
3024
if attr not in exclude:
3514
3025
client_dict[attr] = getattr(client, attr)
3515
3026
3516
3027
clients[client.name] = client_dict
3517
3028
del client_settings[client.name]["secret"]
3518
3029
3519
3030
try:
3520
3031
with tempfile.NamedTemporaryFile(
3521
3032
mode='wb',
3523
3034
prefix='clients-',
3524
3035
dir=os.path.dirname(stored_state_path),
3525
3036
delete=False) as stored_state:
3526
pickle.dump((clients, client_settings), stored_state,
3527
protocol=2)
3037
pickle.dump((clients, client_settings), stored_state)
3528
3038
tempname = stored_state.name
3529
3039
os.rename(tempname, stored_state_path)
3530
3040
except (IOError, OSError) as e:
3540
3050
logger.warning("Could not save persistent state:",
3541
3051
exc_info=e)
3542
3052
raise
3543
3053
3544
3054
# Delete all clients, and settings from config
3545
3055
while tcp_server.clients:
3546
3056
name, client = tcp_server.clients.popitem()
3549
3059
# Don't signal the disabling
3550
3060
client.disable(quiet=True)
3551
3061
# Emit D-Bus signal for removal
3552
if use_dbus:
3553
mandos_dbus_service.client_removed_signal(client)
3062
mandos_dbus_service.client_removed_signal(client)
3554
3063
client_settings.clear()
3555
3064
3556
3065
atexit.register(cleanup)
3557
3558
for client in tcp_server.clients.values():
3066
3067
for client in tcp_server.clients.itervalues():
3559
3068
if use_dbus:
3560
3069
# Emit D-Bus signal for adding
3561
3070
mandos_dbus_service.client_added_signal(client)
3562
3071
# Need to initiate checking of clients
3563
3072
if client.enabled:
3564
3073
client.init_checker()
3565
3074
3566
3075
tcp_server.enable()
3567
3076
tcp_server.server_activate()
3568
3077
3569
3078
# Find out what port we got
3570
3079
if zeroconf:
3571
3080
service.port = tcp_server.socket.getsockname()[1]
3576
3085
else: # IPv4
3577
3086
logger.info("Now listening on address %r, port %d",
3578
3087
*tcp_server.socket.getsockname())
3579
3580
# service.interface = tcp_server.socket.getsockname()[3]
3581
3088
3089
#service.interface = tcp_server.socket.getsockname()[3]
3090
3582
3091
try:
3583
3092
if zeroconf:
3584
3093
# From the Avahi example code
3589
3098
cleanup()
3590
3099
sys.exit(1)
3591
3100
# End of Avahi example code
3592
3593
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3594
lambda *args, **kwargs:
3595
(tcp_server.handle_request
3596
(*args[2:], **kwargs) or True))
3597
3101
3102
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3103
lambda *args, **kwargs:
3104
(tcp_server.handle_request
3105
(*args[2:], **kwargs) or True))
3106
3598
3107
logger.debug("Starting main loop")
3599
3108
main_loop.run()
3600
3109
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0