To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.333
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.333
- Committer: Teddy Hogeborn
- Date: 2015-08-10 09:00:23 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810090023-fz6vjqr7zf33e2tf
Support the standard org.freedesktop.DBus.ObjectManager interface.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
80
82
81
83
import dbus
82
84
import dbus.service
83
import gi
84
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
85
90
from dbus.mainloop.glib import DBusGMainLoop
86
91
import ctypes
87
92
import ctypes.util
88
93
import xml.dom.minidom
89
94
import inspect
90
95
91
# Try to find the value of SO_BINDTODEVICE:
92
96
try:
93
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
94
# newer, and it is also the most natural place for it:
95
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
96
98
except AttributeError:
97
99
try:
98
# This is where SO_BINDTODEVICE was up to and including Python
99
# 2.6, and also 3.2:
100
100
from IN import SO_BINDTODEVICE
101
101
except ImportError:
102
# In Python 2.7 it seems to have been removed entirely.
103
# Try running the C preprocessor:
104
try:
105
cc = subprocess.Popen(["cc", "--language=c", "-E",
106
"/dev/stdin"],
107
stdin=subprocess.PIPE,
108
stdout=subprocess.PIPE)
109
stdout = cc.communicate(
110
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
111
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
112
except (OSError, ValueError, IndexError):
113
# No value found
114
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
115
103
116
104
if sys.version_info.major == 2:
117
105
str = unicode
118
106
119
if sys.version_info < (3, 2):
120
configparser.Configparser = configparser.SafeConfigParser
121
122
version = "1.8.5"
107
version = "1.6.9"
123
108
stored_state_file = "clients.pickle"
124
109
125
110
logger = logging.getLogger()
129
114
if_nametoindex = ctypes.cdll.LoadLibrary(
130
115
ctypes.util.find_library("c")).if_nametoindex
131
116
except (OSError, AttributeError):
132
117
133
118
def if_nametoindex(interface):
134
119
"Get an interface index the hard way, i.e. using fcntl()"
135
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
140
125
return interface_index
141
126
142
127
143
def copy_function(func):
144
"""Make a copy of a function"""
145
if sys.version_info.major == 2:
146
return types.FunctionType(func.func_code,
147
func.func_globals,
148
func.func_name,
149
func.func_defaults,
150
func.func_closure)
151
else:
152
return types.FunctionType(func.__code__,
153
func.__globals__,
154
func.__name__,
155
func.__defaults__,
156
func.__closure__)
157
158
159
128
def initlogger(debug, level=logging.WARNING):
160
129
"""init logger and add loglevel"""
161
130
162
131
global syslogger
163
132
syslogger = (logging.handlers.SysLogHandler(
164
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
165
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
166
135
syslogger.setFormatter(logging.Formatter
167
136
('Mandos [%(process)d]: %(levelname)s:'
168
137
' %(message)s'))
169
138
logger.addHandler(syslogger)
170
139
171
140
if debug:
172
141
console = logging.StreamHandler()
173
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
185
154
186
155
class PGPEngine(object):
187
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
188
157
189
158
def __init__(self):
190
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
191
self.gpg = "gpg"
192
try:
193
output = subprocess.check_output(["gpgconf"])
194
for line in output.splitlines():
195
name, text, path = line.split(b":")
196
if name == "gpg":
197
self.gpg = path
198
break
199
except OSError as e:
200
if e.errno != errno.ENOENT:
201
raise
202
160
self.gnupgargs = ['--batch',
203
'--homedir', self.tempdir,
161
'--home', self.tempdir,
204
162
'--force-mdc',
205
'--quiet']
206
# Only GPG version 1 has the --no-use-agent option.
207
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
208
self.gnupgargs.append("--no-use-agent")
209
163
'--quiet',
164
'--no-use-agent']
165
210
166
def __enter__(self):
211
167
return self
212
168
213
169
def __exit__(self, exc_type, exc_value, traceback):
214
170
self._cleanup()
215
171
return False
216
172
217
173
def __del__(self):
218
174
self._cleanup()
219
175
220
176
def _cleanup(self):
221
177
if self.tempdir is not None:
222
178
# Delete contents of tempdir
223
179
for root, dirs, files in os.walk(self.tempdir,
224
topdown=False):
180
topdown = False):
225
181
for filename in files:
226
182
os.remove(os.path.join(root, filename))
227
183
for dirname in dirs:
229
185
# Remove tempdir
230
186
os.rmdir(self.tempdir)
231
187
self.tempdir = None
232
188
233
189
def password_encode(self, password):
234
190
# Passphrase can not be empty and can not contain newlines or
235
191
# NUL bytes. So we prefix it and hex encode it.
240
196
.replace(b"\n", b"\\n")
241
197
.replace(b"\0", b"\\x00"))
242
198
return encoded
243
199
244
200
def encrypt(self, data, password):
245
201
passphrase = self.password_encode(password)
246
202
with tempfile.NamedTemporaryFile(
247
203
dir=self.tempdir) as passfile:
248
204
passfile.write(passphrase)
249
205
passfile.flush()
250
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
251
207
'--passphrase-file',
252
208
passfile.name]
253
209
+ self.gnupgargs,
254
stdin=subprocess.PIPE,
255
stdout=subprocess.PIPE,
256
stderr=subprocess.PIPE)
257
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
258
214
if proc.returncode != 0:
259
215
raise PGPError(err)
260
216
return ciphertext
261
217
262
218
def decrypt(self, data, password):
263
219
passphrase = self.password_encode(password)
264
220
with tempfile.NamedTemporaryFile(
265
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
266
222
passfile.write(passphrase)
267
223
passfile.flush()
268
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
269
225
'--passphrase-file',
270
226
passfile.name]
271
227
+ self.gnupgargs,
272
stdin=subprocess.PIPE,
273
stdout=subprocess.PIPE,
274
stderr=subprocess.PIPE)
275
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
276
232
if proc.returncode != 0:
277
233
raise PGPError(err)
278
234
return decrypted_plaintext
279
235
280
236
281
# Pretend that we have an Avahi module
282
class avahi(object):
283
"""This isn't so much a class as it is a module-like namespace."""
284
IF_UNSPEC = -1 # avahi-common/address.h
285
PROTO_UNSPEC = -1 # avahi-common/address.h
286
PROTO_INET = 0 # avahi-common/address.h
287
PROTO_INET6 = 1 # avahi-common/address.h
288
DBUS_NAME = "org.freedesktop.Avahi"
289
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
290
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
291
DBUS_PATH_SERVER = "/"
292
293
@staticmethod
294
def string_array_to_txt_array(t):
295
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
296
for s in t), signature="ay")
297
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
299
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
300
SERVER_INVALID = 0 # avahi-common/defs.h
301
SERVER_REGISTERING = 1 # avahi-common/defs.h
302
SERVER_RUNNING = 2 # avahi-common/defs.h
303
SERVER_COLLISION = 3 # avahi-common/defs.h
304
SERVER_FAILURE = 4 # avahi-common/defs.h
305
306
307
237
class AvahiError(Exception):
308
238
def __init__(self, value, *args, **kwargs):
309
239
self.value = value
321
251
322
252
class AvahiService(object):
323
253
"""An Avahi (Zeroconf) service.
324
254
325
255
Attributes:
326
256
interface: integer; avahi.IF_UNSPEC or an interface index.
327
257
Used to optionally bind to the specified interface.
339
269
server: D-Bus Server
340
270
bus: dbus.SystemBus()
341
271
"""
342
272
343
273
def __init__(self,
344
interface=avahi.IF_UNSPEC,
345
name=None,
346
servicetype=None,
347
port=None,
348
TXT=None,
349
domain="",
350
host="",
351
max_renames=32768,
352
protocol=avahi.PROTO_UNSPEC,
353
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
354
284
self.interface = interface
355
285
self.name = name
356
286
self.type = servicetype
365
295
self.server = None
366
296
self.bus = bus
367
297
self.entry_group_state_changed_match = None
368
298
369
299
def rename(self, remove=True):
370
300
"""Derived from the Avahi example code"""
371
301
if self.rename_count >= self.max_renames:
391
321
logger.critical("D-Bus Exception", exc_info=error)
392
322
self.cleanup()
393
323
os._exit(1)
394
324
395
325
def remove(self):
396
326
"""Derived from the Avahi example code"""
397
327
if self.entry_group_state_changed_match is not None:
399
329
self.entry_group_state_changed_match = None
400
330
if self.group is not None:
401
331
self.group.Reset()
402
332
403
333
def add(self):
404
334
"""Derived from the Avahi example code"""
405
335
self.remove()
422
352
dbus.UInt16(self.port),
423
353
avahi.string_array_to_txt_array(self.TXT))
424
354
self.group.Commit()
425
355
426
356
def entry_group_state_changed(self, state, error):
427
357
"""Derived from the Avahi example code"""
428
358
logger.debug("Avahi entry group state change: %i", state)
429
359
430
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
431
361
logger.debug("Zeroconf service established.")
432
362
elif state == avahi.ENTRY_GROUP_COLLISION:
436
366
logger.critical("Avahi: Error in group state changed %s",
437
367
str(error))
438
368
raise AvahiGroupError("State changed: {!s}".format(error))
439
369
440
370
def cleanup(self):
441
371
"""Derived from the Avahi example code"""
442
372
if self.group is not None:
447
377
pass
448
378
self.group = None
449
379
self.remove()
450
380
451
381
def server_state_changed(self, state, error=None):
452
382
"""Derived from the Avahi example code"""
453
383
logger.debug("Avahi server state change: %i", state)
482
412
logger.debug("Unknown state: %r", state)
483
413
else:
484
414
logger.debug("Unknown state: %r: %r", state, error)
485
415
486
416
def activate(self):
487
417
"""Derived from the Avahi example code"""
488
418
if self.server is None:
499
429
class AvahiServiceToSyslog(AvahiService):
500
430
def rename(self, *args, **kwargs):
501
431
"""Add the new name to the syslog messages"""
502
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
503
433
syslogger.setFormatter(logging.Formatter(
504
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
505
435
.format(self.name)))
506
436
return ret
507
437
508
509
# Pretend that we have a GnuTLS module
510
class gnutls(object):
511
"""This isn't so much a class as it is a module-like namespace."""
512
513
library = ctypes.util.find_library("gnutls")
514
if library is None:
515
library = ctypes.util.find_library("gnutls-deb0")
516
_library = ctypes.cdll.LoadLibrary(library)
517
del library
518
519
# Unless otherwise indicated, the constants and types below are
520
# all from the gnutls/gnutls.h C header file.
521
522
# Constants
523
E_SUCCESS = 0
524
E_INTERRUPTED = -52
525
E_AGAIN = -28
526
CRT_OPENPGP = 2
527
CRT_RAWPK = 3
528
CLIENT = 2
529
SHUT_RDWR = 0
530
CRD_CERTIFICATE = 1
531
E_NO_CERTIFICATE_FOUND = -49
532
X509_FMT_DER = 0
533
NO_TICKETS = 1<<10
534
ENABLE_RAWPK = 1<<18
535
CTYPE_PEERS = 3
536
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
539
# Types
540
class session_int(ctypes.Structure):
541
_fields_ = []
542
session_t = ctypes.POINTER(session_int)
543
544
class certificate_credentials_st(ctypes.Structure):
545
_fields_ = []
546
certificate_credentials_t = ctypes.POINTER(
547
certificate_credentials_st)
548
certificate_type_t = ctypes.c_int
549
550
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
553
554
class openpgp_crt_int(ctypes.Structure):
555
_fields_ = []
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
560
transport_ptr_t = ctypes.c_void_p
561
close_request_t = ctypes.c_int
562
563
# Exceptions
564
class Error(Exception):
565
def __init__(self, message=None, code=None, args=()):
566
# Default usage is by a message string, but if a return
567
# code is passed, convert it to a string with
568
# gnutls.strerror()
569
self.code = code
570
if message is None and code is not None:
571
message = gnutls.strerror(code)
572
return super(gnutls.Error, self).__init__(
573
message, *args)
574
575
class CertificateSecurityError(Error):
576
pass
577
578
# Classes
579
class Credentials(object):
580
def __init__(self):
581
self._c_object = gnutls.certificate_credentials_t()
582
gnutls.certificate_allocate_credentials(
583
ctypes.byref(self._c_object))
584
self.type = gnutls.CRD_CERTIFICATE
585
586
def __del__(self):
587
gnutls.certificate_free_credentials(self._c_object)
588
589
class ClientSession(object):
590
def __init__(self, socket, credentials=None):
591
self._c_object = gnutls.session_t()
592
gnutls_flags = gnutls.CLIENT
593
if gnutls.check_version(b"3.5.6"):
594
gnutls_flags |= gnutls.NO_TICKETS
595
if gnutls.has_rawpk:
596
gnutls_flags |= gnutls.ENABLE_RAWPK
597
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
598
del gnutls_flags
599
gnutls.set_default_priority(self._c_object)
600
gnutls.transport_set_ptr(self._c_object, socket.fileno())
601
gnutls.handshake_set_private_extensions(self._c_object,
602
True)
603
self.socket = socket
604
if credentials is None:
605
credentials = gnutls.Credentials()
606
gnutls.credentials_set(self._c_object, credentials.type,
607
ctypes.cast(credentials._c_object,
608
ctypes.c_void_p))
609
self.credentials = credentials
610
611
def __del__(self):
612
gnutls.deinit(self._c_object)
613
614
def handshake(self):
615
return gnutls.handshake(self._c_object)
616
617
def send(self, data):
618
data = bytes(data)
619
data_len = len(data)
620
while data_len > 0:
621
data_len -= gnutls.record_send(self._c_object,
622
data[-data_len:],
623
data_len)
624
625
def bye(self):
626
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
627
628
# Error handling functions
629
def _error_code(result):
630
"""A function to raise exceptions on errors, suitable
631
for the 'restype' attribute on ctypes functions"""
632
if result >= 0:
633
return result
634
if result == gnutls.E_NO_CERTIFICATE_FOUND:
635
raise gnutls.CertificateSecurityError(code=result)
636
raise gnutls.Error(code=result)
637
638
def _retry_on_error(result, func, arguments):
639
"""A function to retry on some errors, suitable
640
for the 'errcheck' attribute on ctypes functions"""
641
while result < 0:
642
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
643
return _error_code(result)
644
result = func(*arguments)
645
return result
646
647
# Unless otherwise indicated, the function declarations below are
648
# all from the gnutls/gnutls.h C header file.
649
650
# Functions
651
priority_set_direct = _library.gnutls_priority_set_direct
652
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
653
ctypes.POINTER(ctypes.c_char_p)]
654
priority_set_direct.restype = _error_code
655
656
init = _library.gnutls_init
657
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
658
init.restype = _error_code
659
660
set_default_priority = _library.gnutls_set_default_priority
661
set_default_priority.argtypes = [session_t]
662
set_default_priority.restype = _error_code
663
664
record_send = _library.gnutls_record_send
665
record_send.argtypes = [session_t, ctypes.c_void_p,
666
ctypes.c_size_t]
667
record_send.restype = ctypes.c_ssize_t
668
record_send.errcheck = _retry_on_error
669
670
certificate_allocate_credentials = (
671
_library.gnutls_certificate_allocate_credentials)
672
certificate_allocate_credentials.argtypes = [
673
ctypes.POINTER(certificate_credentials_t)]
674
certificate_allocate_credentials.restype = _error_code
675
676
certificate_free_credentials = (
677
_library.gnutls_certificate_free_credentials)
678
certificate_free_credentials.argtypes = [
679
certificate_credentials_t]
680
certificate_free_credentials.restype = None
681
682
handshake_set_private_extensions = (
683
_library.gnutls_handshake_set_private_extensions)
684
handshake_set_private_extensions.argtypes = [session_t,
685
ctypes.c_int]
686
handshake_set_private_extensions.restype = None
687
688
credentials_set = _library.gnutls_credentials_set
689
credentials_set.argtypes = [session_t, credentials_type_t,
690
ctypes.c_void_p]
691
credentials_set.restype = _error_code
692
693
strerror = _library.gnutls_strerror
694
strerror.argtypes = [ctypes.c_int]
695
strerror.restype = ctypes.c_char_p
696
697
certificate_type_get = _library.gnutls_certificate_type_get
698
certificate_type_get.argtypes = [session_t]
699
certificate_type_get.restype = _error_code
700
701
certificate_get_peers = _library.gnutls_certificate_get_peers
702
certificate_get_peers.argtypes = [session_t,
703
ctypes.POINTER(ctypes.c_uint)]
704
certificate_get_peers.restype = ctypes.POINTER(datum_t)
705
706
global_set_log_level = _library.gnutls_global_set_log_level
707
global_set_log_level.argtypes = [ctypes.c_int]
708
global_set_log_level.restype = None
709
710
global_set_log_function = _library.gnutls_global_set_log_function
711
global_set_log_function.argtypes = [log_func]
712
global_set_log_function.restype = None
713
714
deinit = _library.gnutls_deinit
715
deinit.argtypes = [session_t]
716
deinit.restype = None
717
718
handshake = _library.gnutls_handshake
719
handshake.argtypes = [session_t]
720
handshake.restype = _error_code
721
handshake.errcheck = _retry_on_error
722
723
transport_set_ptr = _library.gnutls_transport_set_ptr
724
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
725
transport_set_ptr.restype = None
726
727
bye = _library.gnutls_bye
728
bye.argtypes = [session_t, close_request_t]
729
bye.restype = _error_code
730
bye.errcheck = _retry_on_error
731
732
check_version = _library.gnutls_check_version
733
check_version.argtypes = [ctypes.c_char_p]
734
check_version.restype = ctypes.c_char_p
735
736
_need_version = b"3.3.0"
737
if check_version(_need_version) is None:
738
raise self.Error("Needs GnuTLS {} or later"
739
.format(_need_version))
740
741
_tls_rawpk_version = b"3.6.6"
742
has_rawpk = bool(check_version(_tls_rawpk_version))
743
744
if has_rawpk:
745
# Types
746
class pubkey_st(ctypes.Structure):
747
_fields = []
748
pubkey_t = ctypes.POINTER(pubkey_st)
749
750
x509_crt_fmt_t = ctypes.c_int
751
752
# All the function declarations below are from gnutls/abstract.h
753
pubkey_init = _library.gnutls_pubkey_init
754
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
755
pubkey_init.restype = _error_code
756
757
pubkey_import = _library.gnutls_pubkey_import
758
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
759
x509_crt_fmt_t]
760
pubkey_import.restype = _error_code
761
762
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
763
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
764
ctypes.POINTER(ctypes.c_ubyte),
765
ctypes.POINTER(ctypes.c_size_t)]
766
pubkey_get_key_id.restype = _error_code
767
768
pubkey_deinit = _library.gnutls_pubkey_deinit
769
pubkey_deinit.argtypes = [pubkey_t]
770
pubkey_deinit.restype = None
771
else:
772
# All the function declarations below are from gnutls/openpgp.h
773
774
openpgp_crt_init = _library.gnutls_openpgp_crt_init
775
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
776
openpgp_crt_init.restype = _error_code
777
778
openpgp_crt_import = _library.gnutls_openpgp_crt_import
779
openpgp_crt_import.argtypes = [openpgp_crt_t,
780
ctypes.POINTER(datum_t),
781
openpgp_crt_fmt_t]
782
openpgp_crt_import.restype = _error_code
783
784
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
785
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
786
ctypes.POINTER(ctypes.c_uint)]
787
openpgp_crt_verify_self.restype = _error_code
788
789
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
790
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
791
openpgp_crt_deinit.restype = None
792
793
openpgp_crt_get_fingerprint = (
794
_library.gnutls_openpgp_crt_get_fingerprint)
795
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
796
ctypes.c_void_p,
797
ctypes.POINTER(
798
ctypes.c_size_t)]
799
openpgp_crt_get_fingerprint.restype = _error_code
800
801
if check_version(b"3.6.4"):
802
certificate_type_get2 = _library.gnutls_certificate_type_get2
803
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
804
certificate_type_get2.restype = _error_code
805
806
# Remove non-public functions
807
del _error_code, _retry_on_error
808
809
810
438
def call_pipe(connection, # : multiprocessing.Connection
811
439
func, *args, **kwargs):
812
440
"""This function is meant to be called by multiprocessing.Process
813
441
814
442
This function runs func(*args, **kwargs), and writes the resulting
815
443
return value on the provided multiprocessing.Connection.
816
444
"""
817
445
connection.send(func(*args, **kwargs))
818
446
connection.close()
819
447
820
821
448
class Client(object):
822
449
"""A representation of a client host served by this server.
823
450
824
451
Attributes:
825
452
approved: bool(); 'None' if not yet approved/disapproved
826
453
approval_delay: datetime.timedelta(); Time to wait for approval
827
454
approval_duration: datetime.timedelta(); Duration of one approval
828
checker: multiprocessing.Process(); a running checker process used
829
to see if the client lives. 'None' if no process is
830
running.
831
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
832
459
checker_command: string; External command which is run to check
833
460
if client lives. %() expansions are done at
834
461
runtime with vars(self) as dict, so that for
835
462
instance %(name)s can be used in the command.
836
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
837
464
created: datetime.datetime(); (UTC) object creation
838
465
client_structure: Object describing what attributes a client has
839
466
and is used for storing the client at exit
840
467
current_checker_command: string; current running checker_command
841
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
842
469
enabled: bool()
843
470
fingerprint: string (40 or 32 hexadecimal digits); used to
844
uniquely identify an OpenPGP client
845
key_id: string (64 hexadecimal digits); used to uniquely identify
846
a client using raw public keys
471
uniquely identify the client
847
472
host: string; available for use by the checker command
848
473
interval: datetime.timedelta(); How often to start a new checker
849
474
last_approval_request: datetime.datetime(); (UTC) or None
865
490
disabled, or None
866
491
server_settings: The server_settings dict from main()
867
492
"""
868
493
869
494
runtime_expansions = ("approval_delay", "approval_duration",
870
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
871
496
"fingerprint", "host", "interval",
872
497
"last_approval_request", "last_checked_ok",
873
498
"last_enabled", "name", "timeout")
882
507
"approved_by_default": "True",
883
508
"enabled": "True",
884
509
}
885
510
886
511
@staticmethod
887
512
def config_parser(config):
888
513
"""Construct a new dict of client settings of this form:
895
520
for client_name in config.sections():
896
521
section = dict(config.items(client_name))
897
522
client = settings[client_name] = {}
898
523
899
524
client["host"] = section["host"]
900
525
# Reformat values from string types to Python types
901
526
client["approved_by_default"] = config.getboolean(
902
527
client_name, "approved_by_default")
903
528
client["enabled"] = config.getboolean(client_name,
904
529
"enabled")
905
906
# Uppercase and remove spaces from key_id and fingerprint
907
# for later comparison purposes with return value from the
908
# key_id() and fingerprint() functions
909
client["key_id"] = (section.get("key_id", "").upper()
910
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
911
534
client["fingerprint"] = (section["fingerprint"].upper()
912
535
.replace(" ", ""))
913
536
if "secret" in section:
914
client["secret"] = codecs.decode(section["secret"]
915
.encode("utf-8"),
916
"base64")
537
client["secret"] = section["secret"].decode("base64")
917
538
elif "secfile" in section:
918
539
with open(os.path.expanduser(os.path.expandvars
919
540
(section["secfile"])),
934
555
client["last_approval_request"] = None
935
556
client["last_checked_ok"] = None
936
557
client["last_checker_status"] = -2
937
558
938
559
return settings
939
940
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
941
562
self.name = name
942
563
if server_settings is None:
943
564
server_settings = {}
945
566
# adding all client settings
946
567
for setting, value in settings.items():
947
568
setattr(self, setting, value)
948
569
949
570
if self.enabled:
950
571
if not hasattr(self, "last_enabled"):
951
572
self.last_enabled = datetime.datetime.utcnow()
955
576
else:
956
577
self.last_enabled = None
957
578
self.expires = None
958
579
959
580
logger.debug("Creating client %r", self.name)
960
logger.debug(" Key ID: %s", self.key_id)
961
581
logger.debug(" Fingerprint: %s", self.fingerprint)
962
582
self.created = settings.get("created",
963
583
datetime.datetime.utcnow())
964
584
965
585
# attributes specific for this server instance
966
586
self.checker = None
967
587
self.checker_initiator_tag = None
973
593
self.changedstate = multiprocessing_manager.Condition(
974
594
multiprocessing_manager.Lock())
975
595
self.client_structure = [attr
976
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
977
597
if not attr.startswith("_")]
978
598
self.client_structure.append("client_structure")
979
599
980
600
for name, t in inspect.getmembers(
981
601
type(self), lambda obj: isinstance(obj, property)):
982
602
if not name.startswith("_"):
983
603
self.client_structure.append(name)
984
604
985
605
# Send notice to process children that client state has changed
986
606
def send_changedstate(self):
987
607
with self.changedstate:
988
608
self.changedstate.notify_all()
989
609
990
610
def enable(self):
991
611
"""Start this client's checker and timeout hooks"""
992
612
if getattr(self, "enabled", False):
997
617
self.last_enabled = datetime.datetime.utcnow()
998
618
self.init_checker()
999
619
self.send_changedstate()
1000
620
1001
621
def disable(self, quiet=True):
1002
622
"""Disable this client."""
1003
623
if not getattr(self, "enabled", False):
1005
625
if not quiet:
1006
626
logger.info("Disabling client %s", self.name)
1007
627
if getattr(self, "disable_initiator_tag", None) is not None:
1008
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1009
629
self.disable_initiator_tag = None
1010
630
self.expires = None
1011
631
if getattr(self, "checker_initiator_tag", None) is not None:
1012
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1013
633
self.checker_initiator_tag = None
1014
634
self.stop_checker()
1015
635
self.enabled = False
1016
636
if not quiet:
1017
637
self.send_changedstate()
1018
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1019
639
return False
1020
640
1021
641
def __del__(self):
1022
642
self.disable()
1023
643
1024
644
def init_checker(self):
1025
645
# Schedule a new checker to be started an 'interval' from now,
1026
646
# and every interval from then on.
1027
647
if self.checker_initiator_tag is not None:
1028
GLib.source_remove(self.checker_initiator_tag)
1029
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1030
650
int(self.interval.total_seconds() * 1000),
1031
651
self.start_checker)
1032
652
# Schedule a disable() when 'timeout' has passed
1033
653
if self.disable_initiator_tag is not None:
1034
GLib.source_remove(self.disable_initiator_tag)
1035
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1036
656
int(self.timeout.total_seconds() * 1000), self.disable)
1037
657
# Also start a new checker *right now*.
1038
658
self.start_checker()
1039
659
1040
660
def checker_callback(self, source, condition, connection,
1041
661
command):
1042
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1043
665
# Read return code from connection (see call_pipe)
1044
666
returncode = connection.recv()
1045
667
connection.close()
1046
self.checker.join()
1047
self.checker_callback_tag = None
1048
self.checker = None
1049
668
1050
669
if returncode >= 0:
1051
670
self.last_checker_status = returncode
1052
671
self.last_checker_signal = None
1062
681
logger.warning("Checker for %(name)s crashed?",
1063
682
vars(self))
1064
683
return False
1065
684
1066
685
def checked_ok(self):
1067
686
"""Assert that the client has been seen, alive and well."""
1068
687
self.last_checked_ok = datetime.datetime.utcnow()
1069
688
self.last_checker_status = 0
1070
689
self.last_checker_signal = None
1071
690
self.bump_timeout()
1072
691
1073
692
def bump_timeout(self, timeout=None):
1074
693
"""Bump up the timeout for this client."""
1075
694
if timeout is None:
1076
695
timeout = self.timeout
1077
696
if self.disable_initiator_tag is not None:
1078
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1079
698
self.disable_initiator_tag = None
1080
699
if getattr(self, "enabled", False):
1081
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1082
701
int(timeout.total_seconds() * 1000), self.disable)
1083
702
self.expires = datetime.datetime.utcnow() + timeout
1084
703
1085
704
def need_approval(self):
1086
705
self.last_approval_request = datetime.datetime.utcnow()
1087
706
1088
707
def start_checker(self):
1089
708
"""Start a new checker subprocess if one is not running.
1090
709
1091
710
If a checker already exists, leave it running and do
1092
711
nothing."""
1093
712
# The reason for not killing a running checker is that if we
1098
717
# checkers alone, the checker would have to take more time
1099
718
# than 'timeout' for the client to be disabled, which is as it
1100
719
# should be.
1101
720
1102
721
if self.checker is not None and not self.checker.is_alive():
1103
722
logger.warning("Checker was not alive; joining")
1104
723
self.checker.join()
1108
727
# Escape attributes for the shell
1109
728
escaped_attrs = {
1110
729
attr: re.escape(str(getattr(self, attr)))
1111
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1112
731
try:
1113
732
command = self.checker_command % escaped_attrs
1114
733
except TypeError as error:
1126
745
# The exception is when not debugging but nevertheless
1127
746
# running in the foreground; use the previously
1128
747
# created wnull.
1129
popen_args = {"close_fds": True,
1130
"shell": True,
1131
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1132
751
if (not self.server_settings["debug"]
1133
752
and self.server_settings["foreground"]):
1134
753
popen_args.update({"stdout": wnull,
1135
"stderr": wnull})
1136
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1137
756
self.checker = multiprocessing.Process(
1138
target=call_pipe,
1139
args=(pipe[1], subprocess.call, command),
1140
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1141
760
self.checker.start()
1142
self.checker_callback_tag = GLib.io_add_watch(
1143
pipe[0].fileno(), GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1144
763
self.checker_callback, pipe[0], command)
1145
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1146
765
return True
1147
766
1148
767
def stop_checker(self):
1149
768
"""Force the checker process, if any, to stop."""
1150
769
if self.checker_callback_tag:
1151
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1152
771
self.checker_callback_tag = None
1153
772
if getattr(self, "checker", None) is None:
1154
773
return
1163
782
byte_arrays=False):
1164
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1165
784
become properties on the D-Bus.
1166
785
1167
786
The decorated method will be called with no arguments by "Get"
1168
787
and with one argument by "Set".
1169
788
1170
789
The parameters, where they are supported, are the same as
1171
790
dbus.service.method, except there is only "signature", since the
1172
791
type from Get() and the type sent to Set() is the same.
1176
795
if byte_arrays and signature != "ay":
1177
796
raise ValueError("Byte arrays not supported for non-'ay'"
1178
797
" signature {!r}".format(signature))
1179
798
1180
799
def decorator(func):
1181
800
func._dbus_is_property = True
1182
801
func._dbus_interface = dbus_interface
1185
804
func._dbus_name = func.__name__
1186
805
if func._dbus_name.endswith("_dbus_property"):
1187
806
func._dbus_name = func._dbus_name[:-14]
1188
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1189
808
return func
1190
809
1191
810
return decorator
1192
811
1193
812
1194
813
def dbus_interface_annotations(dbus_interface):
1195
814
"""Decorator for marking functions returning interface annotations
1196
815
1197
816
Usage:
1198
817
1199
818
@dbus_interface_annotations("org.example.Interface")
1200
819
def _foo(self): # Function name does not matter
1201
820
return {"org.freedesktop.DBus.Deprecated": "true",
1202
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1203
822
"false"}
1204
823
"""
1205
824
1206
825
def decorator(func):
1207
826
func._dbus_is_interface = True
1208
827
func._dbus_interface = dbus_interface
1209
828
func._dbus_name = dbus_interface
1210
829
return func
1211
830
1212
831
return decorator
1213
832
1214
833
1215
834
def dbus_annotations(annotations):
1216
835
"""Decorator to annotate D-Bus methods, signals or properties
1217
836
Usage:
1218
837
1219
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1220
839
"org.freedesktop.DBus.Property."
1221
840
"EmitsChangedSignal": "false"})
1223
842
access="r")
1224
843
def Property_dbus_property(self):
1225
844
return dbus.Boolean(False)
1226
845
1227
846
See also the DBusObjectWithAnnotations class.
1228
847
"""
1229
848
1230
849
def decorator(func):
1231
850
func._dbus_annotations = annotations
1232
851
return func
1233
852
1234
853
return decorator
1235
854
1236
855
1254
873
1255
874
class DBusObjectWithAnnotations(dbus.service.Object):
1256
875
"""A D-Bus object with annotations.
1257
876
1258
877
Classes inheriting from this can use the dbus_annotations
1259
878
decorator to add annotations to methods or signals.
1260
879
"""
1261
880
1262
881
@staticmethod
1263
882
def _is_dbus_thing(thing):
1264
883
"""Returns a function testing if an attribute is a D-Bus thing
1265
884
1266
885
If called like _is_dbus_thing("method") it returns a function
1267
886
suitable for use as predicate to inspect.getmembers().
1268
887
"""
1269
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1270
889
False)
1271
890
1272
891
def _get_all_dbus_things(self, thing):
1273
892
"""Returns a generator of (name, attribute) pairs
1274
893
"""
1277
896
for cls in self.__class__.__mro__
1278
897
for name, athing in
1279
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1280
899
1281
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1282
out_signature="s",
1283
path_keyword='object_path',
1284
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1285
904
def Introspect(self, object_path, connection):
1286
905
"""Overloading of standard D-Bus method.
1287
906
1288
907
Inserts annotation tags on methods and signals.
1289
908
"""
1290
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1291
910
connection)
1292
911
try:
1293
912
document = xml.dom.minidom.parseString(xmlstring)
1294
913
1295
914
for if_tag in document.getElementsByTagName("interface"):
1296
915
# Add annotation tags
1297
916
for typ in ("method", "signal"):
1324
943
if_tag.appendChild(ann_tag)
1325
944
# Fix argument name for the Introspect method itself
1326
945
if (if_tag.getAttribute("name")
1327
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1328
947
for cn in if_tag.getElementsByTagName("method"):
1329
948
if cn.getAttribute("name") == "Introspect":
1330
949
for arg in cn.getElementsByTagName("arg"):
1343
962
1344
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1345
964
"""A D-Bus object with properties.
1346
965
1347
966
Classes inheriting from this can use the dbus_service_property
1348
967
decorator to expose methods as D-Bus properties. It exposes the
1349
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1350
969
"""
1351
970
1352
971
def _get_dbus_property(self, interface_name, property_name):
1353
972
"""Returns a bound method if one exists which is a D-Bus
1354
973
property with the specified name and interface.
1359
978
if (value._dbus_name == property_name
1360
979
and value._dbus_interface == interface_name):
1361
980
return value.__get__(self)
1362
981
1363
982
# No such property
1364
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1365
984
self.dbus_object_path, interface_name, property_name))
1366
985
1367
986
@classmethod
1368
987
def _get_all_interface_names(cls):
1369
988
"""Get a sequence of all interfaces supported by an object"""
1372
991
for x in (inspect.getmro(cls))
1373
992
for attr in dir(x))
1374
993
if name is not None)
1375
994
1376
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1377
996
in_signature="ss",
1378
997
out_signature="v")
1386
1005
if not hasattr(value, "variant_level"):
1387
1006
return value
1388
1007
return type(value)(value, variant_level=value.variant_level+1)
1389
1008
1390
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1391
1010
def Set(self, interface_name, property_name, value):
1392
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1404
1023
value = dbus.ByteArray(b''.join(chr(byte)
1405
1024
for byte in value))
1406
1025
prop(value)
1407
1026
1408
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1409
1028
in_signature="s",
1410
1029
out_signature="a{sv}")
1411
1030
def GetAll(self, interface_name):
1412
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1413
1032
standard.
1414
1033
1415
1034
Note: Will not include properties with access="write".
1416
1035
"""
1417
1036
properties = {}
1428
1047
properties[name] = value
1429
1048
continue
1430
1049
properties[name] = type(value)(
1431
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1432
1051
return dbus.Dictionary(properties, signature="sv")
1433
1052
1434
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1435
1054
def PropertiesChanged(self, interface_name, changed_properties,
1436
1055
invalidated_properties):
1438
1057
standard.
1439
1058
"""
1440
1059
pass
1441
1060
1442
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1443
1062
out_signature="s",
1444
1063
path_keyword='object_path',
1445
1064
connection_keyword='connection')
1446
1065
def Introspect(self, object_path, connection):
1447
1066
"""Overloading of standard D-Bus method.
1448
1067
1449
1068
Inserts property tags and interface annotation tags.
1450
1069
"""
1451
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1453
1072
connection)
1454
1073
try:
1455
1074
document = xml.dom.minidom.parseString(xmlstring)
1456
1075
1457
1076
def make_tag(document, name, prop):
1458
1077
e = document.createElement("property")
1459
1078
e.setAttribute("name", name)
1460
1079
e.setAttribute("type", prop._dbus_signature)
1461
1080
e.setAttribute("access", prop._dbus_access)
1462
1081
return e
1463
1082
1464
1083
for if_tag in document.getElementsByTagName("interface"):
1465
1084
# Add property tags
1466
1085
for tag in (make_tag(document, name, prop)
1508
1127
exc_info=error)
1509
1128
return xmlstring
1510
1129
1511
1512
1130
try:
1513
1131
dbus.OBJECT_MANAGER_IFACE
1514
1132
except AttributeError:
1515
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1516
1134
1517
1518
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1519
1136
"""A D-Bus object with an ObjectManager.
1520
1137
1521
1138
Classes inheriting from this exposes the standard
1522
1139
GetManagedObjects call and the InterfacesAdded and
1523
1140
InterfacesRemoved signals on the standard
1524
1141
"org.freedesktop.DBus.ObjectManager" interface.
1525
1142
1526
1143
Note: No signals are sent automatically; they must be sent
1527
1144
manually.
1528
1145
"""
1529
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1530
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1531
1148
def GetManagedObjects(self):
1532
1149
"""This function must be overridden"""
1533
1150
raise NotImplementedError()
1534
1151
1535
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1536
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1537
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1538
1155
pass
1539
1540
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1158
signature = "oas")
1541
1159
def InterfacesRemoved(self, object_path, interfaces):
1542
1160
pass
1543
1161
1544
1162
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1545
out_signature="s",
1546
path_keyword='object_path',
1547
connection_keyword='connection')
1163
out_signature = "s",
1164
path_keyword = 'object_path',
1165
connection_keyword = 'connection')
1548
1166
def Introspect(self, object_path, connection):
1549
1167
"""Overloading of standard D-Bus method.
1550
1168
1551
1169
Override return argument name of GetManagedObjects to be
1552
1170
"objpath_interfaces_and_properties"
1553
1171
"""
1554
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1555
object_path,
1556
connection)
1172
xmlstring = DBusObjectWithAnnotations(self, object_path,
1173
connection)
1557
1174
try:
1558
1175
document = xml.dom.minidom.parseString(xmlstring)
1559
1176
1560
1177
for if_tag in document.getElementsByTagName("interface"):
1561
1178
# Fix argument name for the GetManagedObjects method
1562
1179
if (if_tag.getAttribute("name")
1563
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1564
1181
for cn in if_tag.getElementsByTagName("method"):
1565
1182
if (cn.getAttribute("name")
1566
1183
== "GetManagedObjects"):
1576
1193
except (AttributeError, xml.dom.DOMException,
1577
1194
xml.parsers.expat.ExpatError) as error:
1578
1195
logger.error("Failed to override Introspection method",
1579
exc_info=error)
1196
exc_info = error)
1580
1197
return xmlstring
1581
1198
1582
1583
1199
def datetime_to_dbus(dt, variant_level=0):
1584
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1585
1201
if dt is None:
1586
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1587
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1588
1204
1589
1205
1592
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1593
1209
interface names according to the "alt_interface_names" mapping.
1594
1210
Usage:
1595
1211
1596
1212
@alternate_dbus_interfaces({"org.example.Interface":
1597
1213
"net.example.AlternateInterface"})
1598
1214
class SampleDBusObject(dbus.service.Object):
1599
1215
@dbus.service.method("org.example.Interface")
1600
1216
def SampleDBusMethod():
1601
1217
pass
1602
1218
1603
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1604
1220
reachable via two interfaces: "org.example.Interface" and
1605
1221
"net.example.AlternateInterface", the latter of which will have
1606
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1607
1223
"true", unless "deprecate" is passed with a False value.
1608
1224
1609
1225
This works for methods and signals, and also for D-Bus properties
1610
1226
(from DBusObjectWithProperties) and interfaces (from the
1611
1227
dbus_interface_annotations decorator).
1612
1228
"""
1613
1229
1614
1230
def wrapper(cls):
1615
1231
for orig_interface_name, alt_interface_name in (
1616
1232
alt_interface_names.items()):
1631
1247
interface_names.add(alt_interface)
1632
1248
# Is this a D-Bus signal?
1633
1249
if getattr(attribute, "_dbus_is_signal", False):
1634
# Extract the original non-method undecorated
1635
# function by black magic
1636
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1637
1253
nonmethod_func = (dict(
1638
1254
zip(attribute.func_code.co_freevars,
1639
1255
attribute.__closure__))
1640
1256
["func"].cell_contents)
1641
1257
else:
1642
nonmethod_func = (dict(
1643
zip(attribute.__code__.co_freevars,
1644
attribute.__closure__))
1645
["func"].cell_contents)
1258
nonmethod_func = attribute
1646
1259
# Create a new, but exactly alike, function
1647
1260
# object, and decorate it to be a new D-Bus signal
1648
1261
# with the alternate D-Bus interface name
1649
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1650
1276
new_function = (dbus.service.signal(
1651
1277
alt_interface,
1652
1278
attribute._dbus_signature)(new_function))
1656
1282
attribute._dbus_annotations)
1657
1283
except AttributeError:
1658
1284
pass
1659
1660
1285
# Define a creator of a function to call both the
1661
1286
# original and alternate functions, so both the
1662
1287
# original and alternate signals gets sent when
1665
1290
"""This function is a scope container to pass
1666
1291
func1 and func2 to the "call_both" function
1667
1292
outside of its arguments"""
1668
1669
@functools.wraps(func2)
1293
1670
1294
def call_both(*args, **kwargs):
1671
1295
"""This function will emit two D-Bus
1672
1296
signals by calling func1 and func2"""
1673
1297
func1(*args, **kwargs)
1674
1298
func2(*args, **kwargs)
1675
# Make wrapper function look like a D-Bus
1676
# signal
1677
for name, attr in inspect.getmembers(func2):
1678
if name.startswith("_dbus_"):
1679
setattr(call_both, name, attr)
1680
1299
1681
1300
return call_both
1682
1301
# Create the "call_both" function and add it to
1683
1302
# the class
1693
1312
alt_interface,
1694
1313
attribute._dbus_in_signature,
1695
1314
attribute._dbus_out_signature)
1696
(copy_function(attribute)))
1315
(types.FunctionType(attribute.func_code,
1316
attribute.func_globals,
1317
attribute.func_name,
1318
attribute.func_defaults,
1319
attribute.func_closure)))
1697
1320
# Copy annotations, if any
1698
1321
try:
1699
1322
attr[attrname]._dbus_annotations = dict(
1711
1334
attribute._dbus_access,
1712
1335
attribute._dbus_get_args_options
1713
1336
["byte_arrays"])
1714
(copy_function(attribute)))
1337
(types.FunctionType(
1338
attribute.func_code,
1339
attribute.func_globals,
1340
attribute.func_name,
1341
attribute.func_defaults,
1342
attribute.func_closure)))
1715
1343
# Copy annotations, if any
1716
1344
try:
1717
1345
attr[attrname]._dbus_annotations = dict(
1726
1354
# to the class.
1727
1355
attr[attrname] = (
1728
1356
dbus_interface_annotations(alt_interface)
1729
(copy_function(attribute)))
1357
(types.FunctionType(attribute.func_code,
1358
attribute.func_globals,
1359
attribute.func_name,
1360
attribute.func_defaults,
1361
attribute.func_closure)))
1730
1362
if deprecate:
1731
1363
# Deprecate all alternate interfaces
1732
iname = "_AlternateDBusNames_interface_annotation{}"
1364
iname="_AlternateDBusNames_interface_annotation{}"
1733
1365
for interface_name in interface_names:
1734
1366
1735
1367
@dbus_interface_annotations(interface_name)
1736
1368
def func(self):
1737
return {"org.freedesktop.DBus.Deprecated":
1738
"true"}
1369
return { "org.freedesktop.DBus.Deprecated":
1370
"true" }
1739
1371
# Find an unused name
1740
1372
for aname in (iname.format(i)
1741
1373
for i in itertools.count()):
1745
1377
if interface_names:
1746
1378
# Replace the class with a new subclass of it with
1747
1379
# methods, signals, etc. as created above.
1748
if sys.version_info.major == 2:
1749
cls = type(b"{}Alternate".format(cls.__name__),
1750
(cls, ), attr)
1751
else:
1752
cls = type("{}Alternate".format(cls.__name__),
1753
(cls, ), attr)
1380
cls = type(b"{}Alternate".format(cls.__name__),
1381
(cls, ), attr)
1754
1382
return cls
1755
1383
1756
1384
return wrapper
1757
1385
1758
1386
1760
1388
"se.bsnet.fukt.Mandos"})
1761
1389
class ClientDBus(Client, DBusObjectWithProperties):
1762
1390
"""A Client class using D-Bus
1763
1391
1764
1392
Attributes:
1765
1393
dbus_object_path: dbus.ObjectPath
1766
1394
bus: dbus.SystemBus()
1767
1395
"""
1768
1396
1769
1397
runtime_expansions = (Client.runtime_expansions
1770
1398
+ ("dbus_object_path", ))
1771
1399
1772
1400
_interface = "se.recompile.Mandos.Client"
1773
1401
1774
1402
# dbus.service.Object doesn't use super(), so we can't either.
1775
1776
def __init__(self, bus=None, *args, **kwargs):
1403
1404
def __init__(self, bus = None, *args, **kwargs):
1777
1405
self.bus = bus
1778
1406
Client.__init__(self, *args, **kwargs)
1779
1407
# Only now, when this client is initialized, can it show up on
1785
1413
"/clients/" + client_object_name)
1786
1414
DBusObjectWithProperties.__init__(self, self.bus,
1787
1415
self.dbus_object_path)
1788
1416
1789
1417
def notifychangeproperty(transform_func, dbus_name,
1790
1418
type_func=lambda x: x,
1791
1419
variant_level=1,
1793
1421
_interface=_interface):
1794
1422
""" Modify a variable so that it's a property which announces
1795
1423
its changes to DBus.
1796
1424
1797
1425
transform_fun: Function that takes a value and a variant_level
1798
1426
and transforms it to a D-Bus type.
1799
1427
dbus_name: D-Bus name of the variable
1802
1430
variant_level: D-Bus variant level. Default: 1
1803
1431
"""
1804
1432
attrname = "_{}".format(dbus_name)
1805
1433
1806
1434
def setter(self, value):
1807
1435
if hasattr(self, "dbus_object_path"):
1808
1436
if (not hasattr(self, attrname) or
1815
1443
else:
1816
1444
dbus_value = transform_func(
1817
1445
type_func(value),
1818
variant_level=variant_level)
1446
variant_level = variant_level)
1819
1447
self.PropertyChanged(dbus.String(dbus_name),
1820
1448
dbus_value)
1821
1449
self.PropertiesChanged(
1822
1450
_interface,
1823
dbus.Dictionary({dbus.String(dbus_name):
1824
dbus_value}),
1451
dbus.Dictionary({ dbus.String(dbus_name):
1452
dbus_value }),
1825
1453
dbus.Array())
1826
1454
setattr(self, attrname, value)
1827
1455
1828
1456
return property(lambda self: getattr(self, attrname), setter)
1829
1457
1830
1458
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1831
1459
approvals_pending = notifychangeproperty(dbus.Boolean,
1832
1460
"ApprovalPending",
1833
type_func=bool)
1461
type_func = bool)
1834
1462
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1835
1463
last_enabled = notifychangeproperty(datetime_to_dbus,
1836
1464
"LastEnabled")
1837
1465
checker = notifychangeproperty(
1838
1466
dbus.Boolean, "CheckerRunning",
1839
type_func=lambda checker: checker is not None)
1467
type_func = lambda checker: checker is not None)
1840
1468
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1841
1469
"LastCheckedOK")
1842
1470
last_checker_status = notifychangeproperty(dbus.Int16,
1847
1475
"ApprovedByDefault")
1848
1476
approval_delay = notifychangeproperty(
1849
1477
dbus.UInt64, "ApprovalDelay",
1850
type_func=lambda td: td.total_seconds() * 1000)
1478
type_func = lambda td: td.total_seconds() * 1000)
1851
1479
approval_duration = notifychangeproperty(
1852
1480
dbus.UInt64, "ApprovalDuration",
1853
type_func=lambda td: td.total_seconds() * 1000)
1481
type_func = lambda td: td.total_seconds() * 1000)
1854
1482
host = notifychangeproperty(dbus.String, "Host")
1855
1483
timeout = notifychangeproperty(
1856
1484
dbus.UInt64, "Timeout",
1857
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1858
1486
extended_timeout = notifychangeproperty(
1859
1487
dbus.UInt64, "ExtendedTimeout",
1860
type_func=lambda td: td.total_seconds() * 1000)
1488
type_func = lambda td: td.total_seconds() * 1000)
1861
1489
interval = notifychangeproperty(
1862
1490
dbus.UInt64, "Interval",
1863
type_func=lambda td: td.total_seconds() * 1000)
1491
type_func = lambda td: td.total_seconds() * 1000)
1864
1492
checker_command = notifychangeproperty(dbus.String, "Checker")
1865
1493
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1866
1494
invalidate_only=True)
1867
1495
1868
1496
del notifychangeproperty
1869
1497
1870
1498
def __del__(self, *args, **kwargs):
1871
1499
try:
1872
1500
self.remove_from_connection()
1875
1503
if hasattr(DBusObjectWithProperties, "__del__"):
1876
1504
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1877
1505
Client.__del__(self, *args, **kwargs)
1878
1506
1879
1507
def checker_callback(self, source, condition,
1880
1508
connection, command, *args, **kwargs):
1881
1509
ret = Client.checker_callback(self, source, condition,
1897
1525
| self.last_checker_signal),
1898
1526
dbus.String(command))
1899
1527
return ret
1900
1528
1901
1529
def start_checker(self, *args, **kwargs):
1902
1530
old_checker_pid = getattr(self.checker, "pid", None)
1903
1531
r = Client.start_checker(self, *args, **kwargs)
1907
1535
# Emit D-Bus signal
1908
1536
self.CheckerStarted(self.current_checker_command)
1909
1537
return r
1910
1538
1911
1539
def _reset_approved(self):
1912
1540
self.approved = None
1913
1541
return False
1914
1542
1915
1543
def approve(self, value=True):
1916
1544
self.approved = value
1917
GLib.timeout_add(int(self.approval_duration.total_seconds()
1918
* 1000), self._reset_approved)
1545
gobject.timeout_add(int(self.approval_duration.total_seconds()
1546
* 1000), self._reset_approved)
1919
1547
self.send_changedstate()
1920
1921
# D-Bus methods, signals & properties
1922
1923
# Interfaces
1924
1925
# Signals
1926
1548
1549
## D-Bus methods, signals & properties
1550
1551
## Interfaces
1552
1553
## Signals
1554
1927
1555
# CheckerCompleted - signal
1928
1556
@dbus.service.signal(_interface, signature="nxs")
1929
1557
def CheckerCompleted(self, exitcode, waitstatus, command):
1930
1558
"D-Bus signal"
1931
1559
pass
1932
1560
1933
1561
# CheckerStarted - signal
1934
1562
@dbus.service.signal(_interface, signature="s")
1935
1563
def CheckerStarted(self, command):
1936
1564
"D-Bus signal"
1937
1565
pass
1938
1566
1939
1567
# PropertyChanged - signal
1940
1568
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1941
1569
@dbus.service.signal(_interface, signature="sv")
1942
1570
def PropertyChanged(self, property, value):
1943
1571
"D-Bus signal"
1944
1572
pass
1945
1573
1946
1574
# GotSecret - signal
1947
1575
@dbus.service.signal(_interface)
1948
1576
def GotSecret(self):
1951
1579
server to mandos-client
1952
1580
"""
1953
1581
pass
1954
1582
1955
1583
# Rejected - signal
1956
1584
@dbus.service.signal(_interface, signature="s")
1957
1585
def Rejected(self, reason):
1958
1586
"D-Bus signal"
1959
1587
pass
1960
1588
1961
1589
# NeedApproval - signal
1962
1590
@dbus.service.signal(_interface, signature="tb")
1963
1591
def NeedApproval(self, timeout, default):
1964
1592
"D-Bus signal"
1965
1593
return self.need_approval()
1966
1967
# Methods
1968
1594
1595
## Methods
1596
1969
1597
# Approve - method
1970
1598
@dbus.service.method(_interface, in_signature="b")
1971
1599
def Approve(self, value):
1972
1600
self.approve(value)
1973
1601
1974
1602
# CheckedOK - method
1975
1603
@dbus.service.method(_interface)
1976
1604
def CheckedOK(self):
1977
1605
self.checked_ok()
1978
1606
1979
1607
# Enable - method
1980
1608
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1981
1609
@dbus.service.method(_interface)
1982
1610
def Enable(self):
1983
1611
"D-Bus method"
1984
1612
self.enable()
1985
1613
1986
1614
# StartChecker - method
1987
1615
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1988
1616
@dbus.service.method(_interface)
1989
1617
def StartChecker(self):
1990
1618
"D-Bus method"
1991
1619
self.start_checker()
1992
1620
1993
1621
# Disable - method
1994
1622
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1995
1623
@dbus.service.method(_interface)
1996
1624
def Disable(self):
1997
1625
"D-Bus method"
1998
1626
self.disable()
1999
1627
2000
1628
# StopChecker - method
2001
1629
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2002
1630
@dbus.service.method(_interface)
2003
1631
def StopChecker(self):
2004
1632
self.stop_checker()
2005
2006
# Properties
2007
1633
1634
## Properties
1635
2008
1636
# ApprovalPending - property
2009
1637
@dbus_service_property(_interface, signature="b", access="read")
2010
1638
def ApprovalPending_dbus_property(self):
2011
1639
return dbus.Boolean(bool(self.approvals_pending))
2012
1640
2013
1641
# ApprovedByDefault - property
2014
1642
@dbus_service_property(_interface,
2015
1643
signature="b",
2018
1646
if value is None: # get
2019
1647
return dbus.Boolean(self.approved_by_default)
2020
1648
self.approved_by_default = bool(value)
2021
1649
2022
1650
# ApprovalDelay - property
2023
1651
@dbus_service_property(_interface,
2024
1652
signature="t",
2028
1656
return dbus.UInt64(self.approval_delay.total_seconds()
2029
1657
* 1000)
2030
1658
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2031
1659
2032
1660
# ApprovalDuration - property
2033
1661
@dbus_service_property(_interface,
2034
1662
signature="t",
2038
1666
return dbus.UInt64(self.approval_duration.total_seconds()
2039
1667
* 1000)
2040
1668
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2041
1669
2042
1670
# Name - property
2043
1671
@dbus_annotations(
2044
1672
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2045
1673
@dbus_service_property(_interface, signature="s", access="read")
2046
1674
def Name_dbus_property(self):
2047
1675
return dbus.String(self.name)
2048
2049
# KeyID - property
2050
@dbus_annotations(
2051
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2052
@dbus_service_property(_interface, signature="s", access="read")
2053
def KeyID_dbus_property(self):
2054
return dbus.String(self.key_id)
2055
1676
2056
1677
# Fingerprint - property
2057
1678
@dbus_annotations(
2058
1679
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2059
1680
@dbus_service_property(_interface, signature="s", access="read")
2060
1681
def Fingerprint_dbus_property(self):
2061
1682
return dbus.String(self.fingerprint)
2062
1683
2063
1684
# Host - property
2064
1685
@dbus_service_property(_interface,
2065
1686
signature="s",
2068
1689
if value is None: # get
2069
1690
return dbus.String(self.host)
2070
1691
self.host = str(value)
2071
1692
2072
1693
# Created - property
2073
1694
@dbus_annotations(
2074
1695
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2075
1696
@dbus_service_property(_interface, signature="s", access="read")
2076
1697
def Created_dbus_property(self):
2077
1698
return datetime_to_dbus(self.created)
2078
1699
2079
1700
# LastEnabled - property
2080
1701
@dbus_service_property(_interface, signature="s", access="read")
2081
1702
def LastEnabled_dbus_property(self):
2082
1703
return datetime_to_dbus(self.last_enabled)
2083
1704
2084
1705
# Enabled - property
2085
1706
@dbus_service_property(_interface,
2086
1707
signature="b",
2092
1713
self.enable()
2093
1714
else:
2094
1715
self.disable()
2095
1716
2096
1717
# LastCheckedOK - property
2097
1718
@dbus_service_property(_interface,
2098
1719
signature="s",
2102
1723
self.checked_ok()
2103
1724
return
2104
1725
return datetime_to_dbus(self.last_checked_ok)
2105
1726
2106
1727
# LastCheckerStatus - property
2107
1728
@dbus_service_property(_interface, signature="n", access="read")
2108
1729
def LastCheckerStatus_dbus_property(self):
2109
1730
return dbus.Int16(self.last_checker_status)
2110
1731
2111
1732
# Expires - property
2112
1733
@dbus_service_property(_interface, signature="s", access="read")
2113
1734
def Expires_dbus_property(self):
2114
1735
return datetime_to_dbus(self.expires)
2115
1736
2116
1737
# LastApprovalRequest - property
2117
1738
@dbus_service_property(_interface, signature="s", access="read")
2118
1739
def LastApprovalRequest_dbus_property(self):
2119
1740
return datetime_to_dbus(self.last_approval_request)
2120
1741
2121
1742
# Timeout - property
2122
1743
@dbus_service_property(_interface,
2123
1744
signature="t",
2138
1759
if (getattr(self, "disable_initiator_tag", None)
2139
1760
is None):
2140
1761
return
2141
GLib.source_remove(self.disable_initiator_tag)
2142
self.disable_initiator_tag = GLib.timeout_add(
1762
gobject.source_remove(self.disable_initiator_tag)
1763
self.disable_initiator_tag = gobject.timeout_add(
2143
1764
int((self.expires - now).total_seconds() * 1000),
2144
1765
self.disable)
2145
1766
2146
1767
# ExtendedTimeout - property
2147
1768
@dbus_service_property(_interface,
2148
1769
signature="t",
2152
1773
return dbus.UInt64(self.extended_timeout.total_seconds()
2153
1774
* 1000)
2154
1775
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2155
1776
2156
1777
# Interval - property
2157
1778
@dbus_service_property(_interface,
2158
1779
signature="t",
2165
1786
return
2166
1787
if self.enabled:
2167
1788
# Reschedule checker run
2168
GLib.source_remove(self.checker_initiator_tag)
2169
self.checker_initiator_tag = GLib.timeout_add(
1789
gobject.source_remove(self.checker_initiator_tag)
1790
self.checker_initiator_tag = gobject.timeout_add(
2170
1791
value, self.start_checker)
2171
self.start_checker() # Start one now, too
2172
1792
self.start_checker() # Start one now, too
1793
2173
1794
# Checker - property
2174
1795
@dbus_service_property(_interface,
2175
1796
signature="s",
2178
1799
if value is None: # get
2179
1800
return dbus.String(self.checker_command)
2180
1801
self.checker_command = str(value)
2181
1802
2182
1803
# CheckerRunning - property
2183
1804
@dbus_service_property(_interface,
2184
1805
signature="b",
2190
1811
self.start_checker()
2191
1812
else:
2192
1813
self.stop_checker()
2193
1814
2194
1815
# ObjectPath - property
2195
1816
@dbus_annotations(
2196
1817
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2197
1818
"org.freedesktop.DBus.Deprecated": "true"})
2198
1819
@dbus_service_property(_interface, signature="o", access="read")
2199
1820
def ObjectPath_dbus_property(self):
2200
return self.dbus_object_path # is already a dbus.ObjectPath
2201
1821
return self.dbus_object_path # is already a dbus.ObjectPath
1822
2202
1823
# Secret = property
2203
1824
@dbus_annotations(
2204
1825
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2209
1830
byte_arrays=True)
2210
1831
def Secret_dbus_property(self, value):
2211
1832
self.secret = bytes(value)
2212
1833
2213
1834
del _interface
2214
1835
2215
1836
2216
1837
class ProxyClient(object):
2217
def __init__(self, child_pipe, key_id, fpr, address):
1838
def __init__(self, child_pipe, fpr, address):
2218
1839
self._pipe = child_pipe
2219
self._pipe.send(('init', key_id, fpr, address))
1840
self._pipe.send(('init', fpr, address))
2220
1841
if not self._pipe.recv():
2221
raise KeyError(key_id or fpr)
2222
1842
raise KeyError(fpr)
1843
2223
1844
def __getattribute__(self, name):
2224
1845
if name == '_pipe':
2225
1846
return super(ProxyClient, self).__getattribute__(name)
2228
1849
if data[0] == 'data':
2229
1850
return data[1]
2230
1851
if data[0] == 'function':
2231
1852
2232
1853
def func(*args, **kwargs):
2233
1854
self._pipe.send(('funcall', name, args, kwargs))
2234
1855
return self._pipe.recv()[1]
2235
1856
2236
1857
return func
2237
1858
2238
1859
def __setattr__(self, name, value):
2239
1860
if name == '_pipe':
2240
1861
return super(ProxyClient, self).__setattr__(name, value)
2243
1864
2244
1865
class ClientHandler(socketserver.BaseRequestHandler, object):
2245
1866
"""A class to handle client connections.
2246
1867
2247
1868
Instantiated once for each connection to handle it.
2248
1869
Note: This will run in its own forked process."""
2249
1870
2250
1871
def handle(self):
2251
1872
with contextlib.closing(self.server.child_pipe) as child_pipe:
2252
1873
logger.info("TCP connection from: %s",
2253
1874
str(self.client_address))
2254
1875
logger.debug("Pipe FD: %d",
2255
1876
self.server.child_pipe.fileno())
2256
2257
session = gnutls.ClientSession(self.request)
2258
2259
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2260
# "+AES-256-CBC", "+SHA1",
2261
# "+COMP-NULL", "+CTYPE-OPENPGP",
2262
# "+DHE-DSS"))
1877
1878
session = gnutls.connection.ClientSession(
1879
self.request, gnutls.connection .X509Credentials())
1880
1881
# Note: gnutls.connection.X509Credentials is really a
1882
# generic GnuTLS certificate credentials object so long as
1883
# no X.509 keys are added to it. Therefore, we can use it
1884
# here despite using OpenPGP certificates.
1885
1886
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1887
# "+AES-256-CBC", "+SHA1",
1888
# "+COMP-NULL", "+CTYPE-OPENPGP",
1889
# "+DHE-DSS"))
2263
1890
# Use a fallback default, since this MUST be set.
2264
1891
priority = self.server.gnutls_priority
2265
1892
if priority is None:
2266
1893
priority = "NORMAL"
2267
gnutls.priority_set_direct(session._c_object,
2268
priority.encode("utf-8"),
2269
None)
2270
1894
gnutls.library.functions.gnutls_priority_set_direct(
1895
session._c_object, priority, None)
1896
2271
1897
# Start communication using the Mandos protocol
2272
1898
# Get protocol number
2273
1899
line = self.request.makefile().readline()
2278
1904
except (ValueError, IndexError, RuntimeError) as error:
2279
1905
logger.error("Unknown protocol version: %s", error)
2280
1906
return
2281
1907
2282
1908
# Start GnuTLS connection
2283
1909
try:
2284
1910
session.handshake()
2285
except gnutls.Error as error:
1911
except gnutls.errors.GNUTLSError as error:
2286
1912
logger.warning("Handshake failed: %s", error)
2287
1913
# Do not run session.bye() here: the session is not
2288
1914
# established. Just abandon the request.
2289
1915
return
2290
1916
logger.debug("Handshake succeeded")
2291
1917
2292
1918
approval_required = False
2293
1919
try:
2294
if gnutls.has_rawpk:
2295
fpr = b""
2296
try:
2297
key_id = self.key_id(
2298
self.peer_certificate(session))
2299
except (TypeError, gnutls.Error) as error:
2300
logger.warning("Bad certificate: %s", error)
2301
return
2302
logger.debug("Key ID: %s", key_id)
2303
2304
else:
2305
key_id = b""
2306
try:
2307
fpr = self.fingerprint(
2308
self.peer_certificate(session))
2309
except (TypeError, gnutls.Error) as error:
2310
logger.warning("Bad certificate: %s", error)
2311
return
2312
logger.debug("Fingerprint: %s", fpr)
2313
2314
try:
2315
client = ProxyClient(child_pipe, key_id, fpr,
1920
try:
1921
fpr = self.fingerprint(
1922
self.peer_certificate(session))
1923
except (TypeError,
1924
gnutls.errors.GNUTLSError) as error:
1925
logger.warning("Bad certificate: %s", error)
1926
return
1927
logger.debug("Fingerprint: %s", fpr)
1928
1929
try:
1930
client = ProxyClient(child_pipe, fpr,
2316
1931
self.client_address)
2317
1932
except KeyError:
2318
1933
return
2319
1934
2320
1935
if client.approval_delay:
2321
1936
delay = client.approval_delay
2322
1937
client.approvals_pending += 1
2323
1938
approval_required = True
2324
1939
2325
1940
while True:
2326
1941
if not client.enabled:
2327
1942
logger.info("Client %s is disabled",
2330
1945
# Emit D-Bus signal
2331
1946
client.Rejected("Disabled")
2332
1947
return
2333
1948
2334
1949
if client.approved or not client.approval_delay:
2335
# We are approved or approval is disabled
1950
#We are approved or approval is disabled
2336
1951
break
2337
1952
elif client.approved is None:
2338
1953
logger.info("Client %s needs approval",
2349
1964
# Emit D-Bus signal
2350
1965
client.Rejected("Denied")
2351
1966
return
2352
2353
# wait until timeout or approved
1967
1968
#wait until timeout or approved
2354
1969
time = datetime.datetime.now()
2355
1970
client.changedstate.acquire()
2356
1971
client.changedstate.wait(delay.total_seconds())
2369
1984
break
2370
1985
else:
2371
1986
delay -= time2 - time
2372
2373
try:
2374
session.send(client.secret)
2375
except gnutls.Error as error:
2376
logger.warning("gnutls send failed",
2377
exc_info=error)
2378
return
2379
1987
1988
sent_size = 0
1989
while sent_size < len(client.secret):
1990
try:
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1994
exc_info=error)
1995
return
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
1998
+ sent))
1999
sent_size += sent
2000
2380
2001
logger.info("Sending secret to %s", client.name)
2381
2002
# bump the timeout using extended_timeout
2382
2003
client.bump_timeout(client.extended_timeout)
2383
2004
if self.server.use_dbus:
2384
2005
# Emit D-Bus signal
2385
2006
client.GotSecret()
2386
2007
2387
2008
finally:
2388
2009
if approval_required:
2389
2010
client.approvals_pending -= 1
2390
2011
try:
2391
2012
session.bye()
2392
except gnutls.Error as error:
2013
except gnutls.errors.GNUTLSError as error:
2393
2014
logger.warning("GnuTLS bye failed",
2394
2015
exc_info=error)
2395
2016
2396
2017
@staticmethod
2397
2018
def peer_certificate(session):
2398
"Return the peer's certificate as a bytestring"
2399
try:
2400
cert_type = gnutls.certificate_type_get2(session._c_object,
2401
gnutls.CTYPE_PEERS)
2402
except AttributeError:
2403
cert_type = gnutls.certificate_type_get(session._c_object)
2404
if gnutls.has_rawpk:
2405
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2406
else:
2407
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2408
# If not a valid certificate type...
2409
if cert_type not in valid_cert_types:
2410
logger.info("Cert type %r not in %r", cert_type,
2411
valid_cert_types)
2412
# ...return invalid data
2413
return b""
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2022
session._c_object)
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2414
2026
list_size = ctypes.c_uint(1)
2415
cert_list = (gnutls.certificate_get_peers
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2416
2029
(session._c_object, ctypes.byref(list_size)))
2417
2030
if not bool(cert_list) and list_size.value != 0:
2418
raise gnutls.Error("error getting peer certificate")
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2032
" certificate")
2419
2033
if list_size.value == 0:
2420
2034
return None
2421
2035
cert = cert_list[0]
2422
2036
return ctypes.string_at(cert.data, cert.size)
2423
2424
@staticmethod
2425
def key_id(certificate):
2426
"Convert a certificate bytestring to a hexdigit key ID"
2427
# New GnuTLS "datum" with the public key
2428
datum = gnutls.datum_t(
2429
ctypes.cast(ctypes.c_char_p(certificate),
2430
ctypes.POINTER(ctypes.c_ubyte)),
2431
ctypes.c_uint(len(certificate)))
2432
# XXX all these need to be created in the gnutls "module"
2433
# New empty GnuTLS certificate
2434
pubkey = gnutls.pubkey_t()
2435
gnutls.pubkey_init(ctypes.byref(pubkey))
2436
# Import the raw public key into the certificate
2437
gnutls.pubkey_import(pubkey,
2438
ctypes.byref(datum),
2439
gnutls.X509_FMT_DER)
2440
# New buffer for the key ID
2441
buf = ctypes.create_string_buffer(32)
2442
buf_len = ctypes.c_size_t(len(buf))
2443
# Get the key ID from the raw public key into the buffer
2444
gnutls.pubkey_get_key_id(pubkey,
2445
gnutls.KEYID_USE_SHA256,
2446
ctypes.cast(ctypes.byref(buf),
2447
ctypes.POINTER(ctypes.c_ubyte)),
2448
ctypes.byref(buf_len))
2449
# Deinit the certificate
2450
gnutls.pubkey_deinit(pubkey)
2451
2452
# Convert the buffer to a Python bytestring
2453
key_id = ctypes.string_at(buf, buf_len.value)
2454
# Convert the bytestring to hexadecimal notation
2455
hex_key_id = binascii.hexlify(key_id).upper()
2456
return hex_key_id
2457
2037
2458
2038
@staticmethod
2459
2039
def fingerprint(openpgp):
2460
2040
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2461
2041
# New GnuTLS "datum" with the OpenPGP public key
2462
datum = gnutls.datum_t(
2042
datum = gnutls.library.types.gnutls_datum_t(
2463
2043
ctypes.cast(ctypes.c_char_p(openpgp),
2464
2044
ctypes.POINTER(ctypes.c_ubyte)),
2465
2045
ctypes.c_uint(len(openpgp)))
2466
2046
# New empty GnuTLS certificate
2467
crt = gnutls.openpgp_crt_t()
2468
gnutls.openpgp_crt_init(ctypes.byref(crt))
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2049
ctypes.byref(crt))
2469
2050
# Import the OpenPGP public key into the certificate
2470
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2471
gnutls.OPENPGP_FMT_RAW)
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2472
2054
# Verify the self signature in the key
2473
2055
crtverify = ctypes.c_uint()
2474
gnutls.openpgp_crt_verify_self(crt, 0,
2475
ctypes.byref(crtverify))
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2476
2058
if crtverify.value != 0:
2477
gnutls.openpgp_crt_deinit(crt)
2478
raise gnutls.CertificateSecurityError(code
2479
=crtverify.value)
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2061
"Verify failed")
2480
2062
# New buffer for the fingerprint
2481
2063
buf = ctypes.create_string_buffer(20)
2482
2064
buf_len = ctypes.c_size_t()
2483
2065
# Get the fingerprint from the certificate into the buffer
2484
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2485
ctypes.byref(buf_len))
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2486
2068
# Deinit the certificate
2487
gnutls.openpgp_crt_deinit(crt)
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2488
2070
# Convert the buffer to a Python bytestring
2489
2071
fpr = ctypes.string_at(buf, buf_len.value)
2490
2072
# Convert the bytestring to hexadecimal notation
2494
2076
2495
2077
class MultiprocessingMixIn(object):
2496
2078
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2497
2079
2498
2080
def sub_process_main(self, request, address):
2499
2081
try:
2500
2082
self.finish_request(request, address)
2501
2083
except Exception:
2502
2084
self.handle_error(request, address)
2503
2085
self.close_request(request)
2504
2086
2505
2087
def process_request(self, request, address):
2506
2088
"""Start a new process to process the request."""
2507
proc = multiprocessing.Process(target=self.sub_process_main,
2508
args=(request, address))
2089
proc = multiprocessing.Process(target = self.sub_process_main,
2090
args = (request, address))
2509
2091
proc.start()
2510
2092
return proc
2511
2093
2512
2094
2513
2095
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2514
2096
""" adds a pipe to the MixIn """
2515
2097
2516
2098
def process_request(self, request, client_address):
2517
2099
"""Overrides and wraps the original process_request().
2518
2100
2519
2101
This function creates a new pipe in self.pipe
2520
2102
"""
2521
2103
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2522
2104
2523
2105
proc = MultiprocessingMixIn.process_request(self, request,
2524
2106
client_address)
2525
2107
self.child_pipe.close()
2526
2108
self.add_pipe(parent_pipe, proc)
2527
2109
2528
2110
def add_pipe(self, parent_pipe, proc):
2529
2111
"""Dummy function; override as necessary"""
2530
2112
raise NotImplementedError()
2533
2115
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2534
2116
socketserver.TCPServer, object):
2535
2117
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2536
2118
2537
2119
Attributes:
2538
2120
enabled: Boolean; whether this server is activated yet
2539
2121
interface: None or a network interface name (string)
2540
2122
use_ipv6: Boolean; to use IPv6 or not
2541
2123
"""
2542
2124
2543
2125
def __init__(self, server_address, RequestHandlerClass,
2544
2126
interface=None,
2545
2127
use_ipv6=True,
2555
2137
self.socketfd = socketfd
2556
2138
# Save the original socket.socket() function
2557
2139
self.socket_socket = socket.socket
2558
2559
2140
# To implement --socket, we monkey patch socket.socket.
2560
#
2141
#
2561
2142
# (When socketserver.TCPServer is a new-style class, we
2562
2143
# could make self.socket into a property instead of monkey
2563
2144
# patching socket.socket.)
2564
#
2145
#
2565
2146
# Create a one-time-only replacement for socket.socket()
2566
2147
@functools.wraps(socket.socket)
2567
2148
def socket_wrapper(*args, **kwargs):
2579
2160
# socket_wrapper(), if socketfd was set.
2580
2161
socketserver.TCPServer.__init__(self, server_address,
2581
2162
RequestHandlerClass)
2582
2163
2583
2164
def server_bind(self):
2584
2165
"""This overrides the normal server_bind() function
2585
2166
to bind to an interface if one was specified, and also NOT to
2586
2167
bind to an address or port if they were not specified."""
2587
global SO_BINDTODEVICE
2588
2168
if self.interface is not None:
2589
2169
if SO_BINDTODEVICE is None:
2590
# Fall back to a hard-coded value which seems to be
2591
# common enough.
2592
logger.warning("SO_BINDTODEVICE not found, trying 25")
2593
SO_BINDTODEVICE = 25
2594
try:
2595
self.socket.setsockopt(
2596
socket.SOL_SOCKET, SO_BINDTODEVICE,
2597
(self.interface + "\0").encode("utf-8"))
2598
except socket.error as error:
2599
if error.errno == errno.EPERM:
2600
logger.error("No permission to bind to"
2601
" interface %s", self.interface)
2602
elif error.errno == errno.ENOPROTOOPT:
2603
logger.error("SO_BINDTODEVICE not available;"
2604
" cannot bind to interface %s",
2605
self.interface)
2606
elif error.errno == errno.ENODEV:
2607
logger.error("Interface %s does not exist,"
2608
" cannot bind", self.interface)
2609
else:
2610
raise
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2172
self.interface)
2173
else:
2174
try:
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2185
self.interface)
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2189
else:
2190
raise
2611
2191
# Only bind(2) the socket if we really need to.
2612
2192
if self.server_address[0] or self.server_address[1]:
2613
if self.server_address[1]:
2614
self.allow_reuse_address = True
2615
2193
if not self.server_address[0]:
2616
2194
if self.address_family == socket.AF_INET6:
2617
any_address = "::" # in6addr_any
2195
any_address = "::" # in6addr_any
2618
2196
else:
2619
any_address = "0.0.0.0" # INADDR_ANY
2197
any_address = "0.0.0.0" # INADDR_ANY
2620
2198
self.server_address = (any_address,
2621
2199
self.server_address[1])
2622
2200
elif not self.server_address[1]:
2632
2210
2633
2211
class MandosServer(IPv6_TCPServer):
2634
2212
"""Mandos server.
2635
2213
2636
2214
Attributes:
2637
2215
clients: set of Client objects
2638
2216
gnutls_priority GnuTLS priority string
2639
2217
use_dbus: Boolean; to emit D-Bus signals or not
2640
2641
Assumes a GLib.MainLoop event loop.
2218
2219
Assumes a gobject.MainLoop event loop.
2642
2220
"""
2643
2221
2644
2222
def __init__(self, server_address, RequestHandlerClass,
2645
2223
interface=None,
2646
2224
use_ipv6=True,
2656
2234
self.gnutls_priority = gnutls_priority
2657
2235
IPv6_TCPServer.__init__(self, server_address,
2658
2236
RequestHandlerClass,
2659
interface=interface,
2660
use_ipv6=use_ipv6,
2661
socketfd=socketfd)
2662
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2240
2663
2241
def server_activate(self):
2664
2242
if self.enabled:
2665
2243
return socketserver.TCPServer.server_activate(self)
2666
2244
2667
2245
def enable(self):
2668
2246
self.enabled = True
2669
2247
2670
2248
def add_pipe(self, parent_pipe, proc):
2671
2249
# Call "handle_ipc" for both data and EOF events
2672
GLib.io_add_watch(
2250
gobject.io_add_watch(
2673
2251
parent_pipe.fileno(),
2674
GLib.IO_IN | GLib.IO_HUP,
2252
gobject.IO_IN | gobject.IO_HUP,
2675
2253
functools.partial(self.handle_ipc,
2676
parent_pipe=parent_pipe,
2677
proc=proc))
2678
2254
parent_pipe = parent_pipe,
2255
proc = proc))
2256
2679
2257
def handle_ipc(self, source, condition,
2680
2258
parent_pipe=None,
2681
proc=None,
2259
proc = None,
2682
2260
client_object=None):
2683
2261
# error, or the other end of multiprocessing.Pipe has closed
2684
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2685
2263
# Wait for other process to exit
2686
2264
proc.join()
2687
2265
return False
2688
2266
2689
2267
# Read a request from the child
2690
2268
request = parent_pipe.recv()
2691
2269
command = request[0]
2692
2270
2693
2271
if command == 'init':
2694
key_id = request[1].decode("ascii")
2695
fpr = request[2].decode("ascii")
2696
address = request[3]
2697
2698
for c in self.clients.values():
2699
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2700
continue
2701
if key_id and c.key_id == key_id:
2702
client = c
2703
break
2704
if fpr and c.fingerprint == fpr:
2272
fpr = request[1]
2273
address = request[2]
2274
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2705
2277
client = c
2706
2278
break
2707
2279
else:
2708
logger.info("Client not found for key ID: %s, address"
2709
": %s", key_id or fpr, address)
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2710
2282
if self.use_dbus:
2711
2283
# Emit D-Bus signal
2712
mandos_dbus_service.ClientNotFound(key_id or fpr,
2284
mandos_dbus_service.ClientNotFound(fpr,
2713
2285
address[0])
2714
2286
parent_pipe.send(False)
2715
2287
return False
2716
2717
GLib.io_add_watch(
2288
2289
gobject.io_add_watch(
2718
2290
parent_pipe.fileno(),
2719
GLib.IO_IN | GLib.IO_HUP,
2291
gobject.IO_IN | gobject.IO_HUP,
2720
2292
functools.partial(self.handle_ipc,
2721
parent_pipe=parent_pipe,
2722
proc=proc,
2723
client_object=client))
2293
parent_pipe = parent_pipe,
2294
proc = proc,
2295
client_object = client))
2724
2296
parent_pipe.send(True)
2725
2297
# remove the old hook in favor of the new above hook on
2726
2298
# same fileno
2729
2301
funcname = request[1]
2730
2302
args = request[2]
2731
2303
kwargs = request[3]
2732
2304
2733
2305
parent_pipe.send(('data', getattr(client_object,
2734
2306
funcname)(*args,
2735
2307
**kwargs)))
2736
2308
2737
2309
if command == 'getattr':
2738
2310
attrname = request[1]
2739
2311
if isinstance(client_object.__getattribute__(attrname),
2742
2314
else:
2743
2315
parent_pipe.send((
2744
2316
'data', client_object.__getattribute__(attrname)))
2745
2317
2746
2318
if command == 'setattr':
2747
2319
attrname = request[1]
2748
2320
value = request[2]
2749
2321
setattr(client_object, attrname, value)
2750
2322
2751
2323
return True
2752
2324
2753
2325
2754
2326
def rfc3339_duration_to_delta(duration):
2755
2327
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2756
2328
2757
2329
>>> rfc3339_duration_to_delta("P7D")
2758
2330
datetime.timedelta(7)
2759
2331
>>> rfc3339_duration_to_delta("PT60S")
2769
2341
>>> rfc3339_duration_to_delta("P1DT3M20S")
2770
2342
datetime.timedelta(1, 200)
2771
2343
"""
2772
2344
2773
2345
# Parsing an RFC 3339 duration with regular expressions is not
2774
2346
# possible - there would have to be multiple places for the same
2775
2347
# values, like seconds. The current code, while more esoteric, is
2776
2348
# cleaner without depending on a parsing library. If Python had a
2777
2349
# built-in library for parsing we would use it, but we'd like to
2778
2350
# avoid excessive use of external libraries.
2779
2351
2780
2352
# New type for defining tokens, syntax, and semantics all-in-one
2781
2353
Token = collections.namedtuple("Token", (
2782
2354
"regexp", # To match token; if "value" is not None, must have
2815
2387
frozenset((token_year, token_month,
2816
2388
token_day, token_time,
2817
2389
token_week)))
2818
# Define starting values:
2819
# Value so far
2820
value = datetime.timedelta()
2390
# Define starting values
2391
value = datetime.timedelta() # Value so far
2821
2392
found_token = None
2822
# Following valid tokens
2823
followers = frozenset((token_duration, ))
2824
# String left to parse
2825
s = duration
2393
followers = frozenset((token_duration, )) # Following valid tokens
2394
s = duration # String left to parse
2826
2395
# Loop until end token is found
2827
2396
while found_token is not token_end:
2828
2397
# Search for any currently valid tokens
2852
2421
2853
2422
def string_to_delta(interval):
2854
2423
"""Parse a string and return a datetime.timedelta
2855
2424
2856
2425
>>> string_to_delta('7d')
2857
2426
datetime.timedelta(7)
2858
2427
>>> string_to_delta('60s')
2866
2435
>>> string_to_delta('5m 30s')
2867
2436
datetime.timedelta(0, 330)
2868
2437
"""
2869
2438
2870
2439
try:
2871
2440
return rfc3339_duration_to_delta(interval)
2872
2441
except ValueError:
2873
2442
pass
2874
2443
2875
2444
timevalue = datetime.timedelta(0)
2876
2445
for s in interval.split():
2877
2446
try:
2895
2464
return timevalue
2896
2465
2897
2466
2898
def daemon(nochdir=False, noclose=False):
2467
def daemon(nochdir = False, noclose = False):
2899
2468
"""See daemon(3). Standard BSD Unix function.
2900
2469
2901
2470
This should really exist as os.daemon, but it doesn't (yet)."""
2902
2471
if os.fork():
2903
2472
sys.exit()
2921
2490
2922
2491
2923
2492
def main():
2924
2493
2925
2494
##################################################################
2926
2495
# Parsing of options, both command line and config file
2927
2496
2928
2497
parser = argparse.ArgumentParser()
2929
2498
parser.add_argument("-v", "--version", action="version",
2930
version="%(prog)s {}".format(version),
2499
version = "%(prog)s {}".format(version),
2931
2500
help="show version number and exit")
2932
2501
parser.add_argument("-i", "--interface", metavar="IF",
2933
2502
help="Bind to interface IF")
2969
2538
parser.add_argument("--no-zeroconf", action="store_false",
2970
2539
dest="zeroconf", help="Do not use Zeroconf",
2971
2540
default=None)
2972
2541
2973
2542
options = parser.parse_args()
2974
2543
2975
2544
if options.check:
2976
2545
import doctest
2977
2546
fail_count, test_count = doctest.testmod()
2978
2547
sys.exit(os.EX_OK if fail_count == 0 else 1)
2979
2548
2980
2549
# Default values for config file for server-global settings
2981
if gnutls.has_rawpk:
2982
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2983
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2984
else:
2985
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2986
":+SIGN-DSA-SHA256")
2987
server_defaults = {"interface": "",
2988
"address": "",
2989
"port": "",
2990
"debug": "False",
2991
"priority": priority,
2992
"servicename": "Mandos",
2993
"use_dbus": "True",
2994
"use_ipv6": "True",
2995
"debuglevel": "",
2996
"restore": "True",
2997
"socket": "",
2998
"statedir": "/var/lib/mandos",
2999
"foreground": "False",
3000
"zeroconf": "True",
3001
}
3002
del priority
3003
2550
server_defaults = { "interface": "",
2551
"address": "",
2552
"port": "",
2553
"debug": "False",
2554
"priority":
2555
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2556
":+SIGN-DSA-SHA256",
2557
"servicename": "Mandos",
2558
"use_dbus": "True",
2559
"use_ipv6": "True",
2560
"debuglevel": "",
2561
"restore": "True",
2562
"socket": "",
2563
"statedir": "/var/lib/mandos",
2564
"foreground": "False",
2565
"zeroconf": "True",
2566
}
2567
3004
2568
# Parse config file for server-global settings
3005
server_config = configparser.ConfigParser(server_defaults)
2569
server_config = configparser.SafeConfigParser(server_defaults)
3006
2570
del server_defaults
3007
2571
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3008
# Convert the ConfigParser object to a dict
2572
# Convert the SafeConfigParser object to a dict
3009
2573
server_settings = server_config.defaults()
3010
2574
# Use the appropriate methods on the non-string config options
3011
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3012
"foreground", "zeroconf"):
2575
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3013
2576
server_settings[option] = server_config.getboolean("DEFAULT",
3014
2577
option)
3015
2578
if server_settings["port"]:
3025
2588
server_settings["socket"] = os.dup(server_settings
3026
2589
["socket"])
3027
2590
del server_config
3028
2591
3029
2592
# Override the settings from the config file with command line
3030
2593
# options, if set.
3031
2594
for option in ("interface", "address", "port", "debug",
3049
2612
if server_settings["debug"]:
3050
2613
server_settings["foreground"] = True
3051
2614
# Now we have our good server settings in "server_settings"
3052
2615
3053
2616
##################################################################
3054
2617
3055
2618
if (not server_settings["zeroconf"]
3056
2619
and not (server_settings["port"]
3057
2620
or server_settings["socket"] != "")):
3058
2621
parser.error("Needs port or socket to work without Zeroconf")
3059
2622
3060
2623
# For convenience
3061
2624
debug = server_settings["debug"]
3062
2625
debuglevel = server_settings["debuglevel"]
3066
2629
stored_state_file)
3067
2630
foreground = server_settings["foreground"]
3068
2631
zeroconf = server_settings["zeroconf"]
3069
2632
3070
2633
if debug:
3071
2634
initlogger(debug, logging.DEBUG)
3072
2635
else:
3075
2638
else:
3076
2639
level = getattr(logging, debuglevel.upper())
3077
2640
initlogger(debug, level)
3078
2641
3079
2642
if server_settings["servicename"] != "Mandos":
3080
2643
syslogger.setFormatter(
3081
2644
logging.Formatter('Mandos ({}) [%(process)d]:'
3082
2645
' %(levelname)s: %(message)s'.format(
3083
2646
server_settings["servicename"])))
3084
2647
3085
2648
# Parse config file with clients
3086
client_config = configparser.ConfigParser(Client.client_defaults)
2649
client_config = configparser.SafeConfigParser(Client
2650
.client_defaults)
3087
2651
client_config.read(os.path.join(server_settings["configdir"],
3088
2652
"clients.conf"))
3089
2653
3090
2654
global mandos_dbus_service
3091
2655
mandos_dbus_service = None
3092
2656
3093
2657
socketfd = None
3094
2658
if server_settings["socket"] != "":
3095
2659
socketfd = server_settings["socket"]
3111
2675
except IOError as e:
3112
2676
logger.error("Could not open file %r", pidfilename,
3113
2677
exc_info=e)
3114
3115
for name, group in (("_mandos", "_mandos"),
3116
("mandos", "mandos"),
3117
("nobody", "nogroup")):
2678
2679
for name in ("_mandos", "mandos", "nobody"):
3118
2680
try:
3119
2681
uid = pwd.getpwnam(name).pw_uid
3120
gid = pwd.getpwnam(group).pw_gid
2682
gid = pwd.getpwnam(name).pw_gid
3121
2683
break
3122
2684
except KeyError:
3123
2685
continue
3127
2689
try:
3128
2690
os.setgid(gid)
3129
2691
os.setuid(uid)
3130
if debug:
3131
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3132
gid))
3133
2692
except OSError as error:
3134
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3135
.format(uid, gid, os.strerror(error.errno)))
3136
2693
if error.errno != errno.EPERM:
3137
2694
raise
3138
2695
3139
2696
if debug:
3140
2697
# Enable all possible GnuTLS debugging
3141
2698
3142
2699
# "Use a log level over 10 to enable all debugging options."
3143
2700
# - GnuTLS manual
3144
gnutls.global_set_log_level(11)
3145
3146
@gnutls.log_func
2701
gnutls.library.functions.gnutls_global_set_log_level(11)
2702
2703
@gnutls.library.types.gnutls_log_func
3147
2704
def debug_gnutls(level, string):
3148
2705
logger.debug("GnuTLS: %s", string[:-1])
3149
3150
gnutls.global_set_log_function(debug_gnutls)
3151
2706
2707
gnutls.library.functions.gnutls_global_set_log_function(
2708
debug_gnutls)
2709
3152
2710
# Redirect stdin so all checkers get /dev/null
3153
2711
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3154
2712
os.dup2(null, sys.stdin.fileno())
3155
2713
if null > 2:
3156
2714
os.close(null)
3157
2715
3158
2716
# Need to fork before connecting to D-Bus
3159
2717
if not foreground:
3160
2718
# Close all input and output, do double fork, etc.
3161
2719
daemon()
3162
3163
if gi.version_info < (3, 10, 2):
3164
# multiprocessing will use threads, so before we use GLib we
3165
# need to inform GLib that threads will be used.
3166
GLib.threads_init()
3167
2720
2721
# multiprocessing will use threads, so before we use gobject we
2722
# need to inform gobject that threads will be used.
2723
gobject.threads_init()
2724
3168
2725
global main_loop
3169
2726
# From the Avahi example code
3170
2727
DBusGMainLoop(set_as_default=True)
3171
main_loop = GLib.MainLoop()
2728
main_loop = gobject.MainLoop()
3172
2729
bus = dbus.SystemBus()
3173
2730
# End of Avahi example code
3174
2731
if use_dbus:
3187
2744
if zeroconf:
3188
2745
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3189
2746
service = AvahiServiceToSyslog(
3190
name=server_settings["servicename"],
3191
servicetype="_mandos._tcp",
3192
protocol=protocol,
3193
bus=bus)
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
2750
bus = bus)
3194
2751
if server_settings["interface"]:
3195
2752
service.interface = if_nametoindex(
3196
2753
server_settings["interface"].encode("utf-8"))
3197
2754
3198
2755
global multiprocessing_manager
3199
2756
multiprocessing_manager = multiprocessing.Manager()
3200
2757
3201
2758
client_class = Client
3202
2759
if use_dbus:
3203
client_class = functools.partial(ClientDBus, bus=bus)
3204
2760
client_class = functools.partial(ClientDBus, bus = bus)
2761
3205
2762
client_settings = Client.config_parser(client_config)
3206
2763
old_client_settings = {}
3207
2764
clients_data = {}
3208
2765
3209
2766
# This is used to redirect stdout and stderr for checker processes
3210
2767
global wnull
3211
wnull = open(os.devnull, "w") # A writable /dev/null
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3212
2769
# Only used if server is running in foreground but not in debug
3213
2770
# mode
3214
2771
if debug or not foreground:
3215
2772
wnull.close()
3216
2773
3217
2774
# Get client data and settings from last running state.
3218
2775
if server_settings["restore"]:
3219
2776
try:
3220
2777
with open(stored_state_path, "rb") as stored_state:
3221
if sys.version_info.major == 2:
3222
clients_data, old_client_settings = pickle.load(
3223
stored_state)
3224
else:
3225
bytes_clients_data, bytes_old_client_settings = (
3226
pickle.load(stored_state, encoding="bytes"))
3227
# Fix bytes to strings
3228
# clients_data
3229
# .keys()
3230
clients_data = {(key.decode("utf-8")
3231
if isinstance(key, bytes)
3232
else key): value
3233
for key, value in
3234
bytes_clients_data.items()}
3235
del bytes_clients_data
3236
for key in clients_data:
3237
value = {(k.decode("utf-8")
3238
if isinstance(k, bytes) else k): v
3239
for k, v in
3240
clients_data[key].items()}
3241
clients_data[key] = value
3242
# .client_structure
3243
value["client_structure"] = [
3244
(s.decode("utf-8")
3245
if isinstance(s, bytes)
3246
else s) for s in
3247
value["client_structure"]]
3248
# .name & .host
3249
for k in ("name", "host"):
3250
if isinstance(value[k], bytes):
3251
value[k] = value[k].decode("utf-8")
3252
if "key_id" not in value:
3253
value["key_id"] = ""
3254
elif "fingerprint" not in value:
3255
value["fingerprint"] = ""
3256
# old_client_settings
3257
# .keys()
3258
old_client_settings = {
3259
(key.decode("utf-8")
3260
if isinstance(key, bytes)
3261
else key): value
3262
for key, value in
3263
bytes_old_client_settings.items()}
3264
del bytes_old_client_settings
3265
# .host
3266
for value in old_client_settings.values():
3267
if isinstance(value["host"], bytes):
3268
value["host"] = (value["host"]
3269
.decode("utf-8"))
2778
clients_data, old_client_settings = pickle.load(
2779
stored_state)
3270
2780
os.remove(stored_state_path)
3271
2781
except IOError as e:
3272
2782
if e.errno == errno.ENOENT:
3280
2790
logger.warning("Could not load persistent state: "
3281
2791
"EOFError:",
3282
2792
exc_info=e)
3283
2793
3284
2794
with PGPEngine() as pgp:
3285
2795
for client_name, client in clients_data.items():
3286
2796
# Skip removed clients
3287
2797
if client_name not in client_settings:
3288
2798
continue
3289
2799
3290
2800
# Decide which value to use after restoring saved state.
3291
2801
# We have three different values: Old config file,
3292
2802
# new config file, and saved state.
3303
2813
client[name] = value
3304
2814
except KeyError:
3305
2815
pass
3306
2816
3307
2817
# Clients who has passed its expire date can still be
3308
2818
# enabled if its last checker was successful. A Client
3309
2819
# whose checker succeeded before we stored its state is
3342
2852
client_name))
3343
2853
client["secret"] = (client_settings[client_name]
3344
2854
["secret"])
3345
2855
3346
2856
# Add/remove clients based on new changes made to config
3347
2857
for client_name in (set(old_client_settings)
3348
2858
- set(client_settings)):
3350
2860
for client_name in (set(client_settings)
3351
2861
- set(old_client_settings)):
3352
2862
clients_data[client_name] = client_settings[client_name]
3353
2863
3354
2864
# Create all client objects
3355
2865
for client_name, client in clients_data.items():
3356
2866
tcp_server.clients[client_name] = client_class(
3357
name=client_name,
3358
settings=client,
3359
server_settings=server_settings)
3360
2867
name = client_name,
2868
settings = client,
2869
server_settings = server_settings)
2870
3361
2871
if not tcp_server.clients:
3362
2872
logger.warning("No clients defined")
3363
2873
3364
2874
if not foreground:
3365
2875
if pidfile is not None:
3366
2876
pid = os.getpid()
3372
2882
pidfilename, pid)
3373
2883
del pidfile
3374
2884
del pidfilename
3375
3376
for termsig in (signal.SIGHUP, signal.SIGTERM):
3377
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3378
lambda: main_loop.quit() and False)
3379
2885
2886
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2887
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2888
3380
2889
if use_dbus:
3381
2890
3382
2891
@alternate_dbus_interfaces(
3383
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2892
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3384
2893
class MandosDBusService(DBusObjectWithObjectManager):
3385
2894
"""A D-Bus proxy object"""
3386
2895
3387
2896
def __init__(self):
3388
2897
dbus.service.Object.__init__(self, bus, "/")
3389
2898
3390
2899
_interface = "se.recompile.Mandos"
3391
2900
3392
2901
@dbus.service.signal(_interface, signature="o")
3393
2902
def ClientAdded(self, objpath):
3394
2903
"D-Bus signal"
3395
2904
pass
3396
2905
3397
2906
@dbus.service.signal(_interface, signature="ss")
3398
def ClientNotFound(self, key_id, address):
2907
def ClientNotFound(self, fingerprint, address):
3399
2908
"D-Bus signal"
3400
2909
pass
3401
2910
3402
2911
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3403
2912
"true"})
3404
2913
@dbus.service.signal(_interface, signature="os")
3405
2914
def ClientRemoved(self, objpath, name):
3406
2915
"D-Bus signal"
3407
2916
pass
3408
2917
3409
2918
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3410
2919
"true"})
3411
2920
@dbus.service.method(_interface, out_signature="ao")
3412
2921
def GetAllClients(self):
3413
2922
"D-Bus method"
3414
2923
return dbus.Array(c.dbus_object_path for c in
3415
tcp_server.clients.values())
3416
2924
tcp_server.clients.itervalues())
2925
3417
2926
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3418
2927
"true"})
3419
2928
@dbus.service.method(_interface,
3421
2930
def GetAllClientsWithProperties(self):
3422
2931
"D-Bus method"
3423
2932
return dbus.Dictionary(
3424
{c.dbus_object_path: c.GetAll(
2933
{ c.dbus_object_path: c.GetAll(
3425
2934
"se.recompile.Mandos.Client")
3426
for c in tcp_server.clients.values()},
2935
for c in tcp_server.clients.itervalues() },
3427
2936
signature="oa{sv}")
3428
2937
3429
2938
@dbus.service.method(_interface, in_signature="o")
3430
2939
def RemoveClient(self, object_path):
3431
2940
"D-Bus method"
3432
for c in tcp_server.clients.values():
2941
for c in tcp_server.clients.itervalues():
3433
2942
if c.dbus_object_path == object_path:
3434
2943
del tcp_server.clients[c.name]
3435
2944
c.remove_from_connection()
3439
2948
self.client_removed_signal(c)
3440
2949
return
3441
2950
raise KeyError(object_path)
3442
2951
3443
2952
del _interface
3444
2953
3445
2954
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3446
out_signature="a{oa{sa{sv}}}")
2955
out_signature = "a{oa{sa{sv}}}")
3447
2956
def GetManagedObjects(self):
3448
2957
"""D-Bus method"""
3449
2958
return dbus.Dictionary(
3450
{client.dbus_object_path:
3451
dbus.Dictionary(
3452
{interface: client.GetAll(interface)
3453
for interface in
3454
client._get_all_interface_names()})
3455
for client in tcp_server.clients.values()})
3456
2959
{ client.dbus_object_path:
2960
dbus.Dictionary(
2961
{ interface: client.GetAll(interface)
2962
for interface in
2963
client._get_all_interface_names()})
2964
for client in tcp_server.clients.values()})
2965
3457
2966
def client_added_signal(self, client):
3458
2967
"""Send the new standard signal and the old signal"""
3459
2968
if use_dbus:
3461
2970
self.InterfacesAdded(
3462
2971
client.dbus_object_path,
3463
2972
dbus.Dictionary(
3464
{interface: client.GetAll(interface)
3465
for interface in
3466
client._get_all_interface_names()}))
2973
{ interface: client.GetAll(interface)
2974
for interface in
2975
client._get_all_interface_names()}))
3467
2976
# Old signal
3468
2977
self.ClientAdded(client.dbus_object_path)
3469
2978
3470
2979
def client_removed_signal(self, client):
3471
2980
"""Send the new standard signal and the old signal"""
3472
2981
if use_dbus:
3477
2986
# Old signal
3478
2987
self.ClientRemoved(client.dbus_object_path,
3479
2988
client.name)
3480
2989
3481
2990
mandos_dbus_service = MandosDBusService()
3482
3483
# Save modules to variables to exempt the modules from being
3484
# unloaded before the function registered with atexit() is run.
3485
mp = multiprocessing
3486
wn = wnull
3487
2991
3488
2992
def cleanup():
3489
2993
"Cleanup function; run on exit"
3490
2994
if zeroconf:
3491
2995
service.cleanup()
3492
3493
mp.active_children()
3494
wn.close()
2996
2997
multiprocessing.active_children()
2998
wnull.close()
3495
2999
if not (tcp_server.clients or client_settings):
3496
3000
return
3497
3001
3498
3002
# Store client before exiting. Secrets are encrypted with key
3499
3003
# based on what config file has. If config file is
3500
3004
# removed/edited, old secret will thus be unrecovable.
3501
3005
clients = {}
3502
3006
with PGPEngine() as pgp:
3503
for client in tcp_server.clients.values():
3007
for client in tcp_server.clients.itervalues():
3504
3008
key = client_settings[client.name]["secret"]
3505
3009
client.encrypted_secret = pgp.encrypt(client.secret,
3506
3010
key)
3507
3011
client_dict = {}
3508
3012
3509
3013
# A list of attributes that can not be pickled
3510
3014
# + secret.
3511
exclude = {"bus", "changedstate", "secret",
3512
"checker", "server_settings"}
3015
exclude = { "bus", "changedstate", "secret",
3016
"checker", "server_settings" }
3513
3017
for name, typ in inspect.getmembers(dbus.service
3514
3018
.Object):
3515
3019
exclude.add(name)
3516
3020
3517
3021
client_dict["encrypted_secret"] = (client
3518
3022
.encrypted_secret)
3519
3023
for attr in client.client_structure:
3520
3024
if attr not in exclude:
3521
3025
client_dict[attr] = getattr(client, attr)
3522
3026
3523
3027
clients[client.name] = client_dict
3524
3028
del client_settings[client.name]["secret"]
3525
3029
3526
3030
try:
3527
3031
with tempfile.NamedTemporaryFile(
3528
3032
mode='wb',
3530
3034
prefix='clients-',
3531
3035
dir=os.path.dirname(stored_state_path),
3532
3036
delete=False) as stored_state:
3533
pickle.dump((clients, client_settings), stored_state,
3534
protocol=2)
3037
pickle.dump((clients, client_settings), stored_state)
3535
3038
tempname = stored_state.name
3536
3039
os.rename(tempname, stored_state_path)
3537
3040
except (IOError, OSError) as e:
3547
3050
logger.warning("Could not save persistent state:",
3548
3051
exc_info=e)
3549
3052
raise
3550
3053
3551
3054
# Delete all clients, and settings from config
3552
3055
while tcp_server.clients:
3553
3056
name, client = tcp_server.clients.popitem()
3556
3059
# Don't signal the disabling
3557
3060
client.disable(quiet=True)
3558
3061
# Emit D-Bus signal for removal
3559
if use_dbus:
3560
mandos_dbus_service.client_removed_signal(client)
3062
mandos_dbus_service.client_removed_signal(client)
3561
3063
client_settings.clear()
3562
3064
3563
3065
atexit.register(cleanup)
3564
3565
for client in tcp_server.clients.values():
3066
3067
for client in tcp_server.clients.itervalues():
3566
3068
if use_dbus:
3567
3069
# Emit D-Bus signal for adding
3568
3070
mandos_dbus_service.client_added_signal(client)
3569
3071
# Need to initiate checking of clients
3570
3072
if client.enabled:
3571
3073
client.init_checker()
3572
3074
3573
3075
tcp_server.enable()
3574
3076
tcp_server.server_activate()
3575
3077
3576
3078
# Find out what port we got
3577
3079
if zeroconf:
3578
3080
service.port = tcp_server.socket.getsockname()[1]
3583
3085
else: # IPv4
3584
3086
logger.info("Now listening on address %r, port %d",
3585
3087
*tcp_server.socket.getsockname())
3586
3587
# service.interface = tcp_server.socket.getsockname()[3]
3588
3088
3089
#service.interface = tcp_server.socket.getsockname()[3]
3090
3589
3091
try:
3590
3092
if zeroconf:
3591
3093
# From the Avahi example code
3596
3098
cleanup()
3597
3099
sys.exit(1)
3598
3100
# End of Avahi example code
3599
3600
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3601
lambda *args, **kwargs:
3602
(tcp_server.handle_request
3603
(*args[2:], **kwargs) or True))
3604
3101
3102
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3103
lambda *args, **kwargs:
3104
(tcp_server.handle_request
3105
(*args[2:], **kwargs) or True))
3106
3605
3107
logger.debug("Starting main loop")
3606
3108
main_loop.run()
3607
3109
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0