To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.333
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.333
- Committer: Teddy Hogeborn
- Date: 2015-08-10 09:00:23 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810090023-fz6vjqr7zf33e2tf
Support the standard org.freedesktop.DBus.ObjectManager interface.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
80
82
81
83
import dbus
82
84
import dbus.service
83
import gi
84
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
85
90
from dbus.mainloop.glib import DBusGMainLoop
86
91
import ctypes
87
92
import ctypes.util
88
93
import xml.dom.minidom
89
94
import inspect
90
95
91
if sys.version_info.major == 2:
92
__metaclass__ = type
93
94
# Try to find the value of SO_BINDTODEVICE:
95
96
try:
96
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
97
# newer, and it is also the most natural place for it:
98
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
99
98
except AttributeError:
100
99
try:
101
# This is where SO_BINDTODEVICE was up to and including Python
102
# 2.6, and also 3.2:
103
100
from IN import SO_BINDTODEVICE
104
101
except ImportError:
105
# In Python 2.7 it seems to have been removed entirely.
106
# Try running the C preprocessor:
107
try:
108
cc = subprocess.Popen(["cc", "--language=c", "-E",
109
"/dev/stdin"],
110
stdin=subprocess.PIPE,
111
stdout=subprocess.PIPE)
112
stdout = cc.communicate(
113
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
114
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
115
except (OSError, ValueError, IndexError):
116
# No value found
117
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
118
103
119
104
if sys.version_info.major == 2:
120
105
str = unicode
121
106
122
if sys.version_info < (3, 2):
123
configparser.Configparser = configparser.SafeConfigParser
124
125
version = "1.8.7"
107
version = "1.6.9"
126
108
stored_state_file = "clients.pickle"
127
109
128
110
logger = logging.getLogger()
132
114
if_nametoindex = ctypes.cdll.LoadLibrary(
133
115
ctypes.util.find_library("c")).if_nametoindex
134
116
except (OSError, AttributeError):
135
117
136
118
def if_nametoindex(interface):
137
119
"Get an interface index the hard way, i.e. using fcntl()"
138
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
143
125
return interface_index
144
126
145
127
146
def copy_function(func):
147
"""Make a copy of a function"""
148
if sys.version_info.major == 2:
149
return types.FunctionType(func.func_code,
150
func.func_globals,
151
func.func_name,
152
func.func_defaults,
153
func.func_closure)
154
else:
155
return types.FunctionType(func.__code__,
156
func.__globals__,
157
func.__name__,
158
func.__defaults__,
159
func.__closure__)
160
161
162
128
def initlogger(debug, level=logging.WARNING):
163
129
"""init logger and add loglevel"""
164
130
165
131
global syslogger
166
132
syslogger = (logging.handlers.SysLogHandler(
167
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
168
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
169
135
syslogger.setFormatter(logging.Formatter
170
136
('Mandos [%(process)d]: %(levelname)s:'
171
137
' %(message)s'))
172
138
logger.addHandler(syslogger)
173
139
174
140
if debug:
175
141
console = logging.StreamHandler()
176
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
186
152
pass
187
153
188
154
189
class PGPEngine:
155
class PGPEngine(object):
190
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
191
157
192
158
def __init__(self):
193
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
194
self.gpg = "gpg"
195
try:
196
output = subprocess.check_output(["gpgconf"])
197
for line in output.splitlines():
198
name, text, path = line.split(b":")
199
if name == "gpg":
200
self.gpg = path
201
break
202
except OSError as e:
203
if e.errno != errno.ENOENT:
204
raise
205
160
self.gnupgargs = ['--batch',
206
'--homedir', self.tempdir,
161
'--home', self.tempdir,
207
162
'--force-mdc',
208
'--quiet']
209
# Only GPG version 1 has the --no-use-agent option.
210
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
211
self.gnupgargs.append("--no-use-agent")
212
163
'--quiet',
164
'--no-use-agent']
165
213
166
def __enter__(self):
214
167
return self
215
168
216
169
def __exit__(self, exc_type, exc_value, traceback):
217
170
self._cleanup()
218
171
return False
219
172
220
173
def __del__(self):
221
174
self._cleanup()
222
175
223
176
def _cleanup(self):
224
177
if self.tempdir is not None:
225
178
# Delete contents of tempdir
226
179
for root, dirs, files in os.walk(self.tempdir,
227
topdown=False):
180
topdown = False):
228
181
for filename in files:
229
182
os.remove(os.path.join(root, filename))
230
183
for dirname in dirs:
232
185
# Remove tempdir
233
186
os.rmdir(self.tempdir)
234
187
self.tempdir = None
235
188
236
189
def password_encode(self, password):
237
190
# Passphrase can not be empty and can not contain newlines or
238
191
# NUL bytes. So we prefix it and hex encode it.
243
196
.replace(b"\n", b"\\n")
244
197
.replace(b"\0", b"\\x00"))
245
198
return encoded
246
199
247
200
def encrypt(self, data, password):
248
201
passphrase = self.password_encode(password)
249
202
with tempfile.NamedTemporaryFile(
250
203
dir=self.tempdir) as passfile:
251
204
passfile.write(passphrase)
252
205
passfile.flush()
253
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
254
207
'--passphrase-file',
255
208
passfile.name]
256
209
+ self.gnupgargs,
257
stdin=subprocess.PIPE,
258
stdout=subprocess.PIPE,
259
stderr=subprocess.PIPE)
260
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
261
214
if proc.returncode != 0:
262
215
raise PGPError(err)
263
216
return ciphertext
264
217
265
218
def decrypt(self, data, password):
266
219
passphrase = self.password_encode(password)
267
220
with tempfile.NamedTemporaryFile(
268
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
269
222
passfile.write(passphrase)
270
223
passfile.flush()
271
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
272
225
'--passphrase-file',
273
226
passfile.name]
274
227
+ self.gnupgargs,
275
stdin=subprocess.PIPE,
276
stdout=subprocess.PIPE,
277
stderr=subprocess.PIPE)
278
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
279
232
if proc.returncode != 0:
280
233
raise PGPError(err)
281
234
return decrypted_plaintext
282
235
283
236
284
# Pretend that we have an Avahi module
285
class avahi:
286
"""This isn't so much a class as it is a module-like namespace."""
287
IF_UNSPEC = -1 # avahi-common/address.h
288
PROTO_UNSPEC = -1 # avahi-common/address.h
289
PROTO_INET = 0 # avahi-common/address.h
290
PROTO_INET6 = 1 # avahi-common/address.h
291
DBUS_NAME = "org.freedesktop.Avahi"
292
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
293
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
294
DBUS_PATH_SERVER = "/"
295
296
@staticmethod
297
def string_array_to_txt_array(t):
298
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
299
for s in t), signature="ay")
300
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
301
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
302
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
303
SERVER_INVALID = 0 # avahi-common/defs.h
304
SERVER_REGISTERING = 1 # avahi-common/defs.h
305
SERVER_RUNNING = 2 # avahi-common/defs.h
306
SERVER_COLLISION = 3 # avahi-common/defs.h
307
SERVER_FAILURE = 4 # avahi-common/defs.h
308
309
310
237
class AvahiError(Exception):
311
238
def __init__(self, value, *args, **kwargs):
312
239
self.value = value
322
249
pass
323
250
324
251
325
class AvahiService:
252
class AvahiService(object):
326
253
"""An Avahi (Zeroconf) service.
327
254
328
255
Attributes:
329
256
interface: integer; avahi.IF_UNSPEC or an interface index.
330
257
Used to optionally bind to the specified interface.
342
269
server: D-Bus Server
343
270
bus: dbus.SystemBus()
344
271
"""
345
272
346
273
def __init__(self,
347
interface=avahi.IF_UNSPEC,
348
name=None,
349
servicetype=None,
350
port=None,
351
TXT=None,
352
domain="",
353
host="",
354
max_renames=32768,
355
protocol=avahi.PROTO_UNSPEC,
356
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
357
284
self.interface = interface
358
285
self.name = name
359
286
self.type = servicetype
368
295
self.server = None
369
296
self.bus = bus
370
297
self.entry_group_state_changed_match = None
371
298
372
299
def rename(self, remove=True):
373
300
"""Derived from the Avahi example code"""
374
301
if self.rename_count >= self.max_renames:
394
321
logger.critical("D-Bus Exception", exc_info=error)
395
322
self.cleanup()
396
323
os._exit(1)
397
324
398
325
def remove(self):
399
326
"""Derived from the Avahi example code"""
400
327
if self.entry_group_state_changed_match is not None:
402
329
self.entry_group_state_changed_match = None
403
330
if self.group is not None:
404
331
self.group.Reset()
405
332
406
333
def add(self):
407
334
"""Derived from the Avahi example code"""
408
335
self.remove()
425
352
dbus.UInt16(self.port),
426
353
avahi.string_array_to_txt_array(self.TXT))
427
354
self.group.Commit()
428
355
429
356
def entry_group_state_changed(self, state, error):
430
357
"""Derived from the Avahi example code"""
431
358
logger.debug("Avahi entry group state change: %i", state)
432
359
433
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
434
361
logger.debug("Zeroconf service established.")
435
362
elif state == avahi.ENTRY_GROUP_COLLISION:
439
366
logger.critical("Avahi: Error in group state changed %s",
440
367
str(error))
441
368
raise AvahiGroupError("State changed: {!s}".format(error))
442
369
443
370
def cleanup(self):
444
371
"""Derived from the Avahi example code"""
445
372
if self.group is not None:
450
377
pass
451
378
self.group = None
452
379
self.remove()
453
380
454
381
def server_state_changed(self, state, error=None):
455
382
"""Derived from the Avahi example code"""
456
383
logger.debug("Avahi server state change: %i", state)
485
412
logger.debug("Unknown state: %r", state)
486
413
else:
487
414
logger.debug("Unknown state: %r: %r", state, error)
488
415
489
416
def activate(self):
490
417
"""Derived from the Avahi example code"""
491
418
if self.server is None:
502
429
class AvahiServiceToSyslog(AvahiService):
503
430
def rename(self, *args, **kwargs):
504
431
"""Add the new name to the syslog messages"""
505
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
506
433
syslogger.setFormatter(logging.Formatter(
507
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
508
435
.format(self.name)))
509
436
return ret
510
437
511
512
# Pretend that we have a GnuTLS module
513
class gnutls:
514
"""This isn't so much a class as it is a module-like namespace."""
515
516
library = ctypes.util.find_library("gnutls")
517
if library is None:
518
library = ctypes.util.find_library("gnutls-deb0")
519
_library = ctypes.cdll.LoadLibrary(library)
520
del library
521
522
# Unless otherwise indicated, the constants and types below are
523
# all from the gnutls/gnutls.h C header file.
524
525
# Constants
526
E_SUCCESS = 0
527
E_INTERRUPTED = -52
528
E_AGAIN = -28
529
CRT_OPENPGP = 2
530
CRT_RAWPK = 3
531
CLIENT = 2
532
SHUT_RDWR = 0
533
CRD_CERTIFICATE = 1
534
E_NO_CERTIFICATE_FOUND = -49
535
X509_FMT_DER = 0
536
NO_TICKETS = 1<<10
537
ENABLE_RAWPK = 1<<18
538
CTYPE_PEERS = 3
539
KEYID_USE_SHA256 = 1 # gnutls/x509.h
540
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
541
542
# Types
543
class session_int(ctypes.Structure):
544
_fields_ = []
545
session_t = ctypes.POINTER(session_int)
546
547
class certificate_credentials_st(ctypes.Structure):
548
_fields_ = []
549
certificate_credentials_t = ctypes.POINTER(
550
certificate_credentials_st)
551
certificate_type_t = ctypes.c_int
552
553
class datum_t(ctypes.Structure):
554
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
555
('size', ctypes.c_uint)]
556
557
class openpgp_crt_int(ctypes.Structure):
558
_fields_ = []
559
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
560
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
561
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
562
credentials_type_t = ctypes.c_int
563
transport_ptr_t = ctypes.c_void_p
564
close_request_t = ctypes.c_int
565
566
# Exceptions
567
class Error(Exception):
568
def __init__(self, message=None, code=None, args=()):
569
# Default usage is by a message string, but if a return
570
# code is passed, convert it to a string with
571
# gnutls.strerror()
572
self.code = code
573
if message is None and code is not None:
574
message = gnutls.strerror(code)
575
return super(gnutls.Error, self).__init__(
576
message, *args)
577
578
class CertificateSecurityError(Error):
579
pass
580
581
# Classes
582
class Credentials:
583
def __init__(self):
584
self._c_object = gnutls.certificate_credentials_t()
585
gnutls.certificate_allocate_credentials(
586
ctypes.byref(self._c_object))
587
self.type = gnutls.CRD_CERTIFICATE
588
589
def __del__(self):
590
gnutls.certificate_free_credentials(self._c_object)
591
592
class ClientSession:
593
def __init__(self, socket, credentials=None):
594
self._c_object = gnutls.session_t()
595
gnutls_flags = gnutls.CLIENT
596
if gnutls.check_version(b"3.5.6"):
597
gnutls_flags |= gnutls.NO_TICKETS
598
if gnutls.has_rawpk:
599
gnutls_flags |= gnutls.ENABLE_RAWPK
600
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
601
del gnutls_flags
602
gnutls.set_default_priority(self._c_object)
603
gnutls.transport_set_ptr(self._c_object, socket.fileno())
604
gnutls.handshake_set_private_extensions(self._c_object,
605
True)
606
self.socket = socket
607
if credentials is None:
608
credentials = gnutls.Credentials()
609
gnutls.credentials_set(self._c_object, credentials.type,
610
ctypes.cast(credentials._c_object,
611
ctypes.c_void_p))
612
self.credentials = credentials
613
614
def __del__(self):
615
gnutls.deinit(self._c_object)
616
617
def handshake(self):
618
return gnutls.handshake(self._c_object)
619
620
def send(self, data):
621
data = bytes(data)
622
data_len = len(data)
623
while data_len > 0:
624
data_len -= gnutls.record_send(self._c_object,
625
data[-data_len:],
626
data_len)
627
628
def bye(self):
629
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
630
631
# Error handling functions
632
def _error_code(result):
633
"""A function to raise exceptions on errors, suitable
634
for the 'restype' attribute on ctypes functions"""
635
if result >= 0:
636
return result
637
if result == gnutls.E_NO_CERTIFICATE_FOUND:
638
raise gnutls.CertificateSecurityError(code=result)
639
raise gnutls.Error(code=result)
640
641
def _retry_on_error(result, func, arguments):
642
"""A function to retry on some errors, suitable
643
for the 'errcheck' attribute on ctypes functions"""
644
while result < 0:
645
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
646
return _error_code(result)
647
result = func(*arguments)
648
return result
649
650
# Unless otherwise indicated, the function declarations below are
651
# all from the gnutls/gnutls.h C header file.
652
653
# Functions
654
priority_set_direct = _library.gnutls_priority_set_direct
655
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
656
ctypes.POINTER(ctypes.c_char_p)]
657
priority_set_direct.restype = _error_code
658
659
init = _library.gnutls_init
660
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
661
init.restype = _error_code
662
663
set_default_priority = _library.gnutls_set_default_priority
664
set_default_priority.argtypes = [session_t]
665
set_default_priority.restype = _error_code
666
667
record_send = _library.gnutls_record_send
668
record_send.argtypes = [session_t, ctypes.c_void_p,
669
ctypes.c_size_t]
670
record_send.restype = ctypes.c_ssize_t
671
record_send.errcheck = _retry_on_error
672
673
certificate_allocate_credentials = (
674
_library.gnutls_certificate_allocate_credentials)
675
certificate_allocate_credentials.argtypes = [
676
ctypes.POINTER(certificate_credentials_t)]
677
certificate_allocate_credentials.restype = _error_code
678
679
certificate_free_credentials = (
680
_library.gnutls_certificate_free_credentials)
681
certificate_free_credentials.argtypes = [
682
certificate_credentials_t]
683
certificate_free_credentials.restype = None
684
685
handshake_set_private_extensions = (
686
_library.gnutls_handshake_set_private_extensions)
687
handshake_set_private_extensions.argtypes = [session_t,
688
ctypes.c_int]
689
handshake_set_private_extensions.restype = None
690
691
credentials_set = _library.gnutls_credentials_set
692
credentials_set.argtypes = [session_t, credentials_type_t,
693
ctypes.c_void_p]
694
credentials_set.restype = _error_code
695
696
strerror = _library.gnutls_strerror
697
strerror.argtypes = [ctypes.c_int]
698
strerror.restype = ctypes.c_char_p
699
700
certificate_type_get = _library.gnutls_certificate_type_get
701
certificate_type_get.argtypes = [session_t]
702
certificate_type_get.restype = _error_code
703
704
certificate_get_peers = _library.gnutls_certificate_get_peers
705
certificate_get_peers.argtypes = [session_t,
706
ctypes.POINTER(ctypes.c_uint)]
707
certificate_get_peers.restype = ctypes.POINTER(datum_t)
708
709
global_set_log_level = _library.gnutls_global_set_log_level
710
global_set_log_level.argtypes = [ctypes.c_int]
711
global_set_log_level.restype = None
712
713
global_set_log_function = _library.gnutls_global_set_log_function
714
global_set_log_function.argtypes = [log_func]
715
global_set_log_function.restype = None
716
717
deinit = _library.gnutls_deinit
718
deinit.argtypes = [session_t]
719
deinit.restype = None
720
721
handshake = _library.gnutls_handshake
722
handshake.argtypes = [session_t]
723
handshake.restype = _error_code
724
handshake.errcheck = _retry_on_error
725
726
transport_set_ptr = _library.gnutls_transport_set_ptr
727
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
728
transport_set_ptr.restype = None
729
730
bye = _library.gnutls_bye
731
bye.argtypes = [session_t, close_request_t]
732
bye.restype = _error_code
733
bye.errcheck = _retry_on_error
734
735
check_version = _library.gnutls_check_version
736
check_version.argtypes = [ctypes.c_char_p]
737
check_version.restype = ctypes.c_char_p
738
739
_need_version = b"3.3.0"
740
if check_version(_need_version) is None:
741
raise self.Error("Needs GnuTLS {} or later"
742
.format(_need_version))
743
744
_tls_rawpk_version = b"3.6.6"
745
has_rawpk = bool(check_version(_tls_rawpk_version))
746
747
if has_rawpk:
748
# Types
749
class pubkey_st(ctypes.Structure):
750
_fields = []
751
pubkey_t = ctypes.POINTER(pubkey_st)
752
753
x509_crt_fmt_t = ctypes.c_int
754
755
# All the function declarations below are from gnutls/abstract.h
756
pubkey_init = _library.gnutls_pubkey_init
757
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
758
pubkey_init.restype = _error_code
759
760
pubkey_import = _library.gnutls_pubkey_import
761
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
762
x509_crt_fmt_t]
763
pubkey_import.restype = _error_code
764
765
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
766
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
767
ctypes.POINTER(ctypes.c_ubyte),
768
ctypes.POINTER(ctypes.c_size_t)]
769
pubkey_get_key_id.restype = _error_code
770
771
pubkey_deinit = _library.gnutls_pubkey_deinit
772
pubkey_deinit.argtypes = [pubkey_t]
773
pubkey_deinit.restype = None
774
else:
775
# All the function declarations below are from gnutls/openpgp.h
776
777
openpgp_crt_init = _library.gnutls_openpgp_crt_init
778
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
779
openpgp_crt_init.restype = _error_code
780
781
openpgp_crt_import = _library.gnutls_openpgp_crt_import
782
openpgp_crt_import.argtypes = [openpgp_crt_t,
783
ctypes.POINTER(datum_t),
784
openpgp_crt_fmt_t]
785
openpgp_crt_import.restype = _error_code
786
787
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
788
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
789
ctypes.POINTER(ctypes.c_uint)]
790
openpgp_crt_verify_self.restype = _error_code
791
792
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
793
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
794
openpgp_crt_deinit.restype = None
795
796
openpgp_crt_get_fingerprint = (
797
_library.gnutls_openpgp_crt_get_fingerprint)
798
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
799
ctypes.c_void_p,
800
ctypes.POINTER(
801
ctypes.c_size_t)]
802
openpgp_crt_get_fingerprint.restype = _error_code
803
804
if check_version(b"3.6.4"):
805
certificate_type_get2 = _library.gnutls_certificate_type_get2
806
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
807
certificate_type_get2.restype = _error_code
808
809
# Remove non-public functions
810
del _error_code, _retry_on_error
811
812
813
438
def call_pipe(connection, # : multiprocessing.Connection
814
439
func, *args, **kwargs):
815
440
"""This function is meant to be called by multiprocessing.Process
816
441
817
442
This function runs func(*args, **kwargs), and writes the resulting
818
443
return value on the provided multiprocessing.Connection.
819
444
"""
820
445
connection.send(func(*args, **kwargs))
821
446
connection.close()
822
447
823
824
class Client:
448
class Client(object):
825
449
"""A representation of a client host served by this server.
826
450
827
451
Attributes:
828
452
approved: bool(); 'None' if not yet approved/disapproved
829
453
approval_delay: datetime.timedelta(); Time to wait for approval
830
454
approval_duration: datetime.timedelta(); Duration of one approval
831
checker: multiprocessing.Process(); a running checker process used
832
to see if the client lives. 'None' if no process is
833
running.
834
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
835
459
checker_command: string; External command which is run to check
836
460
if client lives. %() expansions are done at
837
461
runtime with vars(self) as dict, so that for
838
462
instance %(name)s can be used in the command.
839
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
840
464
created: datetime.datetime(); (UTC) object creation
841
465
client_structure: Object describing what attributes a client has
842
466
and is used for storing the client at exit
843
467
current_checker_command: string; current running checker_command
844
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
845
469
enabled: bool()
846
470
fingerprint: string (40 or 32 hexadecimal digits); used to
847
uniquely identify an OpenPGP client
848
key_id: string (64 hexadecimal digits); used to uniquely identify
849
a client using raw public keys
471
uniquely identify the client
850
472
host: string; available for use by the checker command
851
473
interval: datetime.timedelta(); How often to start a new checker
852
474
last_approval_request: datetime.datetime(); (UTC) or None
868
490
disabled, or None
869
491
server_settings: The server_settings dict from main()
870
492
"""
871
493
872
494
runtime_expansions = ("approval_delay", "approval_duration",
873
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
874
496
"fingerprint", "host", "interval",
875
497
"last_approval_request", "last_checked_ok",
876
498
"last_enabled", "name", "timeout")
885
507
"approved_by_default": "True",
886
508
"enabled": "True",
887
509
}
888
510
889
511
@staticmethod
890
512
def config_parser(config):
891
513
"""Construct a new dict of client settings of this form:
898
520
for client_name in config.sections():
899
521
section = dict(config.items(client_name))
900
522
client = settings[client_name] = {}
901
523
902
524
client["host"] = section["host"]
903
525
# Reformat values from string types to Python types
904
526
client["approved_by_default"] = config.getboolean(
905
527
client_name, "approved_by_default")
906
528
client["enabled"] = config.getboolean(client_name,
907
529
"enabled")
908
909
# Uppercase and remove spaces from key_id and fingerprint
910
# for later comparison purposes with return value from the
911
# key_id() and fingerprint() functions
912
client["key_id"] = (section.get("key_id", "").upper()
913
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
914
534
client["fingerprint"] = (section["fingerprint"].upper()
915
535
.replace(" ", ""))
916
536
if "secret" in section:
917
client["secret"] = codecs.decode(section["secret"]
918
.encode("utf-8"),
919
"base64")
537
client["secret"] = section["secret"].decode("base64")
920
538
elif "secfile" in section:
921
539
with open(os.path.expanduser(os.path.expandvars
922
540
(section["secfile"])),
937
555
client["last_approval_request"] = None
938
556
client["last_checked_ok"] = None
939
557
client["last_checker_status"] = -2
940
558
941
559
return settings
942
943
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
944
562
self.name = name
945
563
if server_settings is None:
946
564
server_settings = {}
948
566
# adding all client settings
949
567
for setting, value in settings.items():
950
568
setattr(self, setting, value)
951
569
952
570
if self.enabled:
953
571
if not hasattr(self, "last_enabled"):
954
572
self.last_enabled = datetime.datetime.utcnow()
958
576
else:
959
577
self.last_enabled = None
960
578
self.expires = None
961
579
962
580
logger.debug("Creating client %r", self.name)
963
logger.debug(" Key ID: %s", self.key_id)
964
581
logger.debug(" Fingerprint: %s", self.fingerprint)
965
582
self.created = settings.get("created",
966
583
datetime.datetime.utcnow())
967
584
968
585
# attributes specific for this server instance
969
586
self.checker = None
970
587
self.checker_initiator_tag = None
976
593
self.changedstate = multiprocessing_manager.Condition(
977
594
multiprocessing_manager.Lock())
978
595
self.client_structure = [attr
979
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
980
597
if not attr.startswith("_")]
981
598
self.client_structure.append("client_structure")
982
599
983
600
for name, t in inspect.getmembers(
984
601
type(self), lambda obj: isinstance(obj, property)):
985
602
if not name.startswith("_"):
986
603
self.client_structure.append(name)
987
604
988
605
# Send notice to process children that client state has changed
989
606
def send_changedstate(self):
990
607
with self.changedstate:
991
608
self.changedstate.notify_all()
992
609
993
610
def enable(self):
994
611
"""Start this client's checker and timeout hooks"""
995
612
if getattr(self, "enabled", False):
1000
617
self.last_enabled = datetime.datetime.utcnow()
1001
618
self.init_checker()
1002
619
self.send_changedstate()
1003
620
1004
621
def disable(self, quiet=True):
1005
622
"""Disable this client."""
1006
623
if not getattr(self, "enabled", False):
1008
625
if not quiet:
1009
626
logger.info("Disabling client %s", self.name)
1010
627
if getattr(self, "disable_initiator_tag", None) is not None:
1011
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1012
629
self.disable_initiator_tag = None
1013
630
self.expires = None
1014
631
if getattr(self, "checker_initiator_tag", None) is not None:
1015
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1016
633
self.checker_initiator_tag = None
1017
634
self.stop_checker()
1018
635
self.enabled = False
1019
636
if not quiet:
1020
637
self.send_changedstate()
1021
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1022
639
return False
1023
640
1024
641
def __del__(self):
1025
642
self.disable()
1026
643
1027
644
def init_checker(self):
1028
645
# Schedule a new checker to be started an 'interval' from now,
1029
646
# and every interval from then on.
1030
647
if self.checker_initiator_tag is not None:
1031
GLib.source_remove(self.checker_initiator_tag)
1032
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1033
650
int(self.interval.total_seconds() * 1000),
1034
651
self.start_checker)
1035
652
# Schedule a disable() when 'timeout' has passed
1036
653
if self.disable_initiator_tag is not None:
1037
GLib.source_remove(self.disable_initiator_tag)
1038
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1039
656
int(self.timeout.total_seconds() * 1000), self.disable)
1040
657
# Also start a new checker *right now*.
1041
658
self.start_checker()
1042
659
1043
660
def checker_callback(self, source, condition, connection,
1044
661
command):
1045
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1046
665
# Read return code from connection (see call_pipe)
1047
666
returncode = connection.recv()
1048
667
connection.close()
1049
self.checker.join()
1050
self.checker_callback_tag = None
1051
self.checker = None
1052
668
1053
669
if returncode >= 0:
1054
670
self.last_checker_status = returncode
1055
671
self.last_checker_signal = None
1065
681
logger.warning("Checker for %(name)s crashed?",
1066
682
vars(self))
1067
683
return False
1068
684
1069
685
def checked_ok(self):
1070
686
"""Assert that the client has been seen, alive and well."""
1071
687
self.last_checked_ok = datetime.datetime.utcnow()
1072
688
self.last_checker_status = 0
1073
689
self.last_checker_signal = None
1074
690
self.bump_timeout()
1075
691
1076
692
def bump_timeout(self, timeout=None):
1077
693
"""Bump up the timeout for this client."""
1078
694
if timeout is None:
1079
695
timeout = self.timeout
1080
696
if self.disable_initiator_tag is not None:
1081
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1082
698
self.disable_initiator_tag = None
1083
699
if getattr(self, "enabled", False):
1084
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1085
701
int(timeout.total_seconds() * 1000), self.disable)
1086
702
self.expires = datetime.datetime.utcnow() + timeout
1087
703
1088
704
def need_approval(self):
1089
705
self.last_approval_request = datetime.datetime.utcnow()
1090
706
1091
707
def start_checker(self):
1092
708
"""Start a new checker subprocess if one is not running.
1093
709
1094
710
If a checker already exists, leave it running and do
1095
711
nothing."""
1096
712
# The reason for not killing a running checker is that if we
1101
717
# checkers alone, the checker would have to take more time
1102
718
# than 'timeout' for the client to be disabled, which is as it
1103
719
# should be.
1104
720
1105
721
if self.checker is not None and not self.checker.is_alive():
1106
722
logger.warning("Checker was not alive; joining")
1107
723
self.checker.join()
1111
727
# Escape attributes for the shell
1112
728
escaped_attrs = {
1113
729
attr: re.escape(str(getattr(self, attr)))
1114
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1115
731
try:
1116
732
command = self.checker_command % escaped_attrs
1117
733
except TypeError as error:
1129
745
# The exception is when not debugging but nevertheless
1130
746
# running in the foreground; use the previously
1131
747
# created wnull.
1132
popen_args = {"close_fds": True,
1133
"shell": True,
1134
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1135
751
if (not self.server_settings["debug"]
1136
752
and self.server_settings["foreground"]):
1137
753
popen_args.update({"stdout": wnull,
1138
"stderr": wnull})
1139
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1140
756
self.checker = multiprocessing.Process(
1141
target=call_pipe,
1142
args=(pipe[1], subprocess.call, command),
1143
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1144
760
self.checker.start()
1145
self.checker_callback_tag = GLib.io_add_watch(
1146
pipe[0].fileno(), GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1147
763
self.checker_callback, pipe[0], command)
1148
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1149
765
return True
1150
766
1151
767
def stop_checker(self):
1152
768
"""Force the checker process, if any, to stop."""
1153
769
if self.checker_callback_tag:
1154
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1155
771
self.checker_callback_tag = None
1156
772
if getattr(self, "checker", None) is None:
1157
773
return
1166
782
byte_arrays=False):
1167
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1168
784
become properties on the D-Bus.
1169
785
1170
786
The decorated method will be called with no arguments by "Get"
1171
787
and with one argument by "Set".
1172
788
1173
789
The parameters, where they are supported, are the same as
1174
790
dbus.service.method, except there is only "signature", since the
1175
791
type from Get() and the type sent to Set() is the same.
1179
795
if byte_arrays and signature != "ay":
1180
796
raise ValueError("Byte arrays not supported for non-'ay'"
1181
797
" signature {!r}".format(signature))
1182
798
1183
799
def decorator(func):
1184
800
func._dbus_is_property = True
1185
801
func._dbus_interface = dbus_interface
1188
804
func._dbus_name = func.__name__
1189
805
if func._dbus_name.endswith("_dbus_property"):
1190
806
func._dbus_name = func._dbus_name[:-14]
1191
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1192
808
return func
1193
809
1194
810
return decorator
1195
811
1196
812
1197
813
def dbus_interface_annotations(dbus_interface):
1198
814
"""Decorator for marking functions returning interface annotations
1199
815
1200
816
Usage:
1201
817
1202
818
@dbus_interface_annotations("org.example.Interface")
1203
819
def _foo(self): # Function name does not matter
1204
820
return {"org.freedesktop.DBus.Deprecated": "true",
1205
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1206
822
"false"}
1207
823
"""
1208
824
1209
825
def decorator(func):
1210
826
func._dbus_is_interface = True
1211
827
func._dbus_interface = dbus_interface
1212
828
func._dbus_name = dbus_interface
1213
829
return func
1214
830
1215
831
return decorator
1216
832
1217
833
1218
834
def dbus_annotations(annotations):
1219
835
"""Decorator to annotate D-Bus methods, signals or properties
1220
836
Usage:
1221
837
1222
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1223
839
"org.freedesktop.DBus.Property."
1224
840
"EmitsChangedSignal": "false"})
1226
842
access="r")
1227
843
def Property_dbus_property(self):
1228
844
return dbus.Boolean(False)
1229
845
1230
846
See also the DBusObjectWithAnnotations class.
1231
847
"""
1232
848
1233
849
def decorator(func):
1234
850
func._dbus_annotations = annotations
1235
851
return func
1236
852
1237
853
return decorator
1238
854
1239
855
1257
873
1258
874
class DBusObjectWithAnnotations(dbus.service.Object):
1259
875
"""A D-Bus object with annotations.
1260
876
1261
877
Classes inheriting from this can use the dbus_annotations
1262
878
decorator to add annotations to methods or signals.
1263
879
"""
1264
880
1265
881
@staticmethod
1266
882
def _is_dbus_thing(thing):
1267
883
"""Returns a function testing if an attribute is a D-Bus thing
1268
884
1269
885
If called like _is_dbus_thing("method") it returns a function
1270
886
suitable for use as predicate to inspect.getmembers().
1271
887
"""
1272
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1273
889
False)
1274
890
1275
891
def _get_all_dbus_things(self, thing):
1276
892
"""Returns a generator of (name, attribute) pairs
1277
893
"""
1280
896
for cls in self.__class__.__mro__
1281
897
for name, athing in
1282
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1283
899
1284
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1285
out_signature="s",
1286
path_keyword='object_path',
1287
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1288
904
def Introspect(self, object_path, connection):
1289
905
"""Overloading of standard D-Bus method.
1290
906
1291
907
Inserts annotation tags on methods and signals.
1292
908
"""
1293
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1294
910
connection)
1295
911
try:
1296
912
document = xml.dom.minidom.parseString(xmlstring)
1297
913
1298
914
for if_tag in document.getElementsByTagName("interface"):
1299
915
# Add annotation tags
1300
916
for typ in ("method", "signal"):
1327
943
if_tag.appendChild(ann_tag)
1328
944
# Fix argument name for the Introspect method itself
1329
945
if (if_tag.getAttribute("name")
1330
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1331
947
for cn in if_tag.getElementsByTagName("method"):
1332
948
if cn.getAttribute("name") == "Introspect":
1333
949
for arg in cn.getElementsByTagName("arg"):
1346
962
1347
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1348
964
"""A D-Bus object with properties.
1349
965
1350
966
Classes inheriting from this can use the dbus_service_property
1351
967
decorator to expose methods as D-Bus properties. It exposes the
1352
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1353
969
"""
1354
970
1355
971
def _get_dbus_property(self, interface_name, property_name):
1356
972
"""Returns a bound method if one exists which is a D-Bus
1357
973
property with the specified name and interface.
1362
978
if (value._dbus_name == property_name
1363
979
and value._dbus_interface == interface_name):
1364
980
return value.__get__(self)
1365
981
1366
982
# No such property
1367
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1368
984
self.dbus_object_path, interface_name, property_name))
1369
985
1370
986
@classmethod
1371
987
def _get_all_interface_names(cls):
1372
988
"""Get a sequence of all interfaces supported by an object"""
1375
991
for x in (inspect.getmro(cls))
1376
992
for attr in dir(x))
1377
993
if name is not None)
1378
994
1379
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1380
996
in_signature="ss",
1381
997
out_signature="v")
1389
1005
if not hasattr(value, "variant_level"):
1390
1006
return value
1391
1007
return type(value)(value, variant_level=value.variant_level+1)
1392
1008
1393
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1394
1010
def Set(self, interface_name, property_name, value):
1395
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1407
1023
value = dbus.ByteArray(b''.join(chr(byte)
1408
1024
for byte in value))
1409
1025
prop(value)
1410
1026
1411
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1412
1028
in_signature="s",
1413
1029
out_signature="a{sv}")
1414
1030
def GetAll(self, interface_name):
1415
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1416
1032
standard.
1417
1033
1418
1034
Note: Will not include properties with access="write".
1419
1035
"""
1420
1036
properties = {}
1431
1047
properties[name] = value
1432
1048
continue
1433
1049
properties[name] = type(value)(
1434
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1435
1051
return dbus.Dictionary(properties, signature="sv")
1436
1052
1437
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1438
1054
def PropertiesChanged(self, interface_name, changed_properties,
1439
1055
invalidated_properties):
1441
1057
standard.
1442
1058
"""
1443
1059
pass
1444
1060
1445
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1446
1062
out_signature="s",
1447
1063
path_keyword='object_path',
1448
1064
connection_keyword='connection')
1449
1065
def Introspect(self, object_path, connection):
1450
1066
"""Overloading of standard D-Bus method.
1451
1067
1452
1068
Inserts property tags and interface annotation tags.
1453
1069
"""
1454
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1456
1072
connection)
1457
1073
try:
1458
1074
document = xml.dom.minidom.parseString(xmlstring)
1459
1075
1460
1076
def make_tag(document, name, prop):
1461
1077
e = document.createElement("property")
1462
1078
e.setAttribute("name", name)
1463
1079
e.setAttribute("type", prop._dbus_signature)
1464
1080
e.setAttribute("access", prop._dbus_access)
1465
1081
return e
1466
1082
1467
1083
for if_tag in document.getElementsByTagName("interface"):
1468
1084
# Add property tags
1469
1085
for tag in (make_tag(document, name, prop)
1511
1127
exc_info=error)
1512
1128
return xmlstring
1513
1129
1514
1515
1130
try:
1516
1131
dbus.OBJECT_MANAGER_IFACE
1517
1132
except AttributeError:
1518
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1519
1134
1520
1521
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1522
1136
"""A D-Bus object with an ObjectManager.
1523
1137
1524
1138
Classes inheriting from this exposes the standard
1525
1139
GetManagedObjects call and the InterfacesAdded and
1526
1140
InterfacesRemoved signals on the standard
1527
1141
"org.freedesktop.DBus.ObjectManager" interface.
1528
1142
1529
1143
Note: No signals are sent automatically; they must be sent
1530
1144
manually.
1531
1145
"""
1532
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1533
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1534
1148
def GetManagedObjects(self):
1535
1149
"""This function must be overridden"""
1536
1150
raise NotImplementedError()
1537
1151
1538
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1539
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1540
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1541
1155
pass
1542
1543
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1158
signature = "oas")
1544
1159
def InterfacesRemoved(self, object_path, interfaces):
1545
1160
pass
1546
1161
1547
1162
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1548
out_signature="s",
1549
path_keyword='object_path',
1550
connection_keyword='connection')
1163
out_signature = "s",
1164
path_keyword = 'object_path',
1165
connection_keyword = 'connection')
1551
1166
def Introspect(self, object_path, connection):
1552
1167
"""Overloading of standard D-Bus method.
1553
1168
1554
1169
Override return argument name of GetManagedObjects to be
1555
1170
"objpath_interfaces_and_properties"
1556
1171
"""
1557
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1558
object_path,
1559
connection)
1172
xmlstring = DBusObjectWithAnnotations(self, object_path,
1173
connection)
1560
1174
try:
1561
1175
document = xml.dom.minidom.parseString(xmlstring)
1562
1176
1563
1177
for if_tag in document.getElementsByTagName("interface"):
1564
1178
# Fix argument name for the GetManagedObjects method
1565
1179
if (if_tag.getAttribute("name")
1566
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1567
1181
for cn in if_tag.getElementsByTagName("method"):
1568
1182
if (cn.getAttribute("name")
1569
1183
== "GetManagedObjects"):
1579
1193
except (AttributeError, xml.dom.DOMException,
1580
1194
xml.parsers.expat.ExpatError) as error:
1581
1195
logger.error("Failed to override Introspection method",
1582
exc_info=error)
1196
exc_info = error)
1583
1197
return xmlstring
1584
1198
1585
1586
1199
def datetime_to_dbus(dt, variant_level=0):
1587
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1588
1201
if dt is None:
1589
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1590
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1591
1204
1592
1205
1595
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1596
1209
interface names according to the "alt_interface_names" mapping.
1597
1210
Usage:
1598
1211
1599
1212
@alternate_dbus_interfaces({"org.example.Interface":
1600
1213
"net.example.AlternateInterface"})
1601
1214
class SampleDBusObject(dbus.service.Object):
1602
1215
@dbus.service.method("org.example.Interface")
1603
1216
def SampleDBusMethod():
1604
1217
pass
1605
1218
1606
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1607
1220
reachable via two interfaces: "org.example.Interface" and
1608
1221
"net.example.AlternateInterface", the latter of which will have
1609
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1610
1223
"true", unless "deprecate" is passed with a False value.
1611
1224
1612
1225
This works for methods and signals, and also for D-Bus properties
1613
1226
(from DBusObjectWithProperties) and interfaces (from the
1614
1227
dbus_interface_annotations decorator).
1615
1228
"""
1616
1229
1617
1230
def wrapper(cls):
1618
1231
for orig_interface_name, alt_interface_name in (
1619
1232
alt_interface_names.items()):
1634
1247
interface_names.add(alt_interface)
1635
1248
# Is this a D-Bus signal?
1636
1249
if getattr(attribute, "_dbus_is_signal", False):
1637
# Extract the original non-method undecorated
1638
# function by black magic
1639
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1640
1253
nonmethod_func = (dict(
1641
1254
zip(attribute.func_code.co_freevars,
1642
1255
attribute.__closure__))
1643
1256
["func"].cell_contents)
1644
1257
else:
1645
nonmethod_func = (dict(
1646
zip(attribute.__code__.co_freevars,
1647
attribute.__closure__))
1648
["func"].cell_contents)
1258
nonmethod_func = attribute
1649
1259
# Create a new, but exactly alike, function
1650
1260
# object, and decorate it to be a new D-Bus signal
1651
1261
# with the alternate D-Bus interface name
1652
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1653
1276
new_function = (dbus.service.signal(
1654
1277
alt_interface,
1655
1278
attribute._dbus_signature)(new_function))
1659
1282
attribute._dbus_annotations)
1660
1283
except AttributeError:
1661
1284
pass
1662
1663
1285
# Define a creator of a function to call both the
1664
1286
# original and alternate functions, so both the
1665
1287
# original and alternate signals gets sent when
1668
1290
"""This function is a scope container to pass
1669
1291
func1 and func2 to the "call_both" function
1670
1292
outside of its arguments"""
1671
1672
@functools.wraps(func2)
1293
1673
1294
def call_both(*args, **kwargs):
1674
1295
"""This function will emit two D-Bus
1675
1296
signals by calling func1 and func2"""
1676
1297
func1(*args, **kwargs)
1677
1298
func2(*args, **kwargs)
1678
# Make wrapper function look like a D-Bus
1679
# signal
1680
for name, attr in inspect.getmembers(func2):
1681
if name.startswith("_dbus_"):
1682
setattr(call_both, name, attr)
1683
1299
1684
1300
return call_both
1685
1301
# Create the "call_both" function and add it to
1686
1302
# the class
1696
1312
alt_interface,
1697
1313
attribute._dbus_in_signature,
1698
1314
attribute._dbus_out_signature)
1699
(copy_function(attribute)))
1315
(types.FunctionType(attribute.func_code,
1316
attribute.func_globals,
1317
attribute.func_name,
1318
attribute.func_defaults,
1319
attribute.func_closure)))
1700
1320
# Copy annotations, if any
1701
1321
try:
1702
1322
attr[attrname]._dbus_annotations = dict(
1714
1334
attribute._dbus_access,
1715
1335
attribute._dbus_get_args_options
1716
1336
["byte_arrays"])
1717
(copy_function(attribute)))
1337
(types.FunctionType(
1338
attribute.func_code,
1339
attribute.func_globals,
1340
attribute.func_name,
1341
attribute.func_defaults,
1342
attribute.func_closure)))
1718
1343
# Copy annotations, if any
1719
1344
try:
1720
1345
attr[attrname]._dbus_annotations = dict(
1729
1354
# to the class.
1730
1355
attr[attrname] = (
1731
1356
dbus_interface_annotations(alt_interface)
1732
(copy_function(attribute)))
1357
(types.FunctionType(attribute.func_code,
1358
attribute.func_globals,
1359
attribute.func_name,
1360
attribute.func_defaults,
1361
attribute.func_closure)))
1733
1362
if deprecate:
1734
1363
# Deprecate all alternate interfaces
1735
iname = "_AlternateDBusNames_interface_annotation{}"
1364
iname="_AlternateDBusNames_interface_annotation{}"
1736
1365
for interface_name in interface_names:
1737
1366
1738
1367
@dbus_interface_annotations(interface_name)
1739
1368
def func(self):
1740
return {"org.freedesktop.DBus.Deprecated":
1741
"true"}
1369
return { "org.freedesktop.DBus.Deprecated":
1370
"true" }
1742
1371
# Find an unused name
1743
1372
for aname in (iname.format(i)
1744
1373
for i in itertools.count()):
1748
1377
if interface_names:
1749
1378
# Replace the class with a new subclass of it with
1750
1379
# methods, signals, etc. as created above.
1751
if sys.version_info.major == 2:
1752
cls = type(b"{}Alternate".format(cls.__name__),
1753
(cls, ), attr)
1754
else:
1755
cls = type("{}Alternate".format(cls.__name__),
1756
(cls, ), attr)
1380
cls = type(b"{}Alternate".format(cls.__name__),
1381
(cls, ), attr)
1757
1382
return cls
1758
1383
1759
1384
return wrapper
1760
1385
1761
1386
1763
1388
"se.bsnet.fukt.Mandos"})
1764
1389
class ClientDBus(Client, DBusObjectWithProperties):
1765
1390
"""A Client class using D-Bus
1766
1391
1767
1392
Attributes:
1768
1393
dbus_object_path: dbus.ObjectPath
1769
1394
bus: dbus.SystemBus()
1770
1395
"""
1771
1396
1772
1397
runtime_expansions = (Client.runtime_expansions
1773
1398
+ ("dbus_object_path", ))
1774
1399
1775
1400
_interface = "se.recompile.Mandos.Client"
1776
1401
1777
1402
# dbus.service.Object doesn't use super(), so we can't either.
1778
1779
def __init__(self, bus=None, *args, **kwargs):
1403
1404
def __init__(self, bus = None, *args, **kwargs):
1780
1405
self.bus = bus
1781
1406
Client.__init__(self, *args, **kwargs)
1782
1407
# Only now, when this client is initialized, can it show up on
1788
1413
"/clients/" + client_object_name)
1789
1414
DBusObjectWithProperties.__init__(self, self.bus,
1790
1415
self.dbus_object_path)
1791
1416
1792
1417
def notifychangeproperty(transform_func, dbus_name,
1793
1418
type_func=lambda x: x,
1794
1419
variant_level=1,
1796
1421
_interface=_interface):
1797
1422
""" Modify a variable so that it's a property which announces
1798
1423
its changes to DBus.
1799
1424
1800
1425
transform_fun: Function that takes a value and a variant_level
1801
1426
and transforms it to a D-Bus type.
1802
1427
dbus_name: D-Bus name of the variable
1805
1430
variant_level: D-Bus variant level. Default: 1
1806
1431
"""
1807
1432
attrname = "_{}".format(dbus_name)
1808
1433
1809
1434
def setter(self, value):
1810
1435
if hasattr(self, "dbus_object_path"):
1811
1436
if (not hasattr(self, attrname) or
1818
1443
else:
1819
1444
dbus_value = transform_func(
1820
1445
type_func(value),
1821
variant_level=variant_level)
1446
variant_level = variant_level)
1822
1447
self.PropertyChanged(dbus.String(dbus_name),
1823
1448
dbus_value)
1824
1449
self.PropertiesChanged(
1825
1450
_interface,
1826
dbus.Dictionary({dbus.String(dbus_name):
1827
dbus_value}),
1451
dbus.Dictionary({ dbus.String(dbus_name):
1452
dbus_value }),
1828
1453
dbus.Array())
1829
1454
setattr(self, attrname, value)
1830
1455
1831
1456
return property(lambda self: getattr(self, attrname), setter)
1832
1457
1833
1458
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1834
1459
approvals_pending = notifychangeproperty(dbus.Boolean,
1835
1460
"ApprovalPending",
1836
type_func=bool)
1461
type_func = bool)
1837
1462
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1838
1463
last_enabled = notifychangeproperty(datetime_to_dbus,
1839
1464
"LastEnabled")
1840
1465
checker = notifychangeproperty(
1841
1466
dbus.Boolean, "CheckerRunning",
1842
type_func=lambda checker: checker is not None)
1467
type_func = lambda checker: checker is not None)
1843
1468
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1844
1469
"LastCheckedOK")
1845
1470
last_checker_status = notifychangeproperty(dbus.Int16,
1850
1475
"ApprovedByDefault")
1851
1476
approval_delay = notifychangeproperty(
1852
1477
dbus.UInt64, "ApprovalDelay",
1853
type_func=lambda td: td.total_seconds() * 1000)
1478
type_func = lambda td: td.total_seconds() * 1000)
1854
1479
approval_duration = notifychangeproperty(
1855
1480
dbus.UInt64, "ApprovalDuration",
1856
type_func=lambda td: td.total_seconds() * 1000)
1481
type_func = lambda td: td.total_seconds() * 1000)
1857
1482
host = notifychangeproperty(dbus.String, "Host")
1858
1483
timeout = notifychangeproperty(
1859
1484
dbus.UInt64, "Timeout",
1860
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1861
1486
extended_timeout = notifychangeproperty(
1862
1487
dbus.UInt64, "ExtendedTimeout",
1863
type_func=lambda td: td.total_seconds() * 1000)
1488
type_func = lambda td: td.total_seconds() * 1000)
1864
1489
interval = notifychangeproperty(
1865
1490
dbus.UInt64, "Interval",
1866
type_func=lambda td: td.total_seconds() * 1000)
1491
type_func = lambda td: td.total_seconds() * 1000)
1867
1492
checker_command = notifychangeproperty(dbus.String, "Checker")
1868
1493
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1869
1494
invalidate_only=True)
1870
1495
1871
1496
del notifychangeproperty
1872
1497
1873
1498
def __del__(self, *args, **kwargs):
1874
1499
try:
1875
1500
self.remove_from_connection()
1878
1503
if hasattr(DBusObjectWithProperties, "__del__"):
1879
1504
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1880
1505
Client.__del__(self, *args, **kwargs)
1881
1506
1882
1507
def checker_callback(self, source, condition,
1883
1508
connection, command, *args, **kwargs):
1884
1509
ret = Client.checker_callback(self, source, condition,
1900
1525
| self.last_checker_signal),
1901
1526
dbus.String(command))
1902
1527
return ret
1903
1528
1904
1529
def start_checker(self, *args, **kwargs):
1905
1530
old_checker_pid = getattr(self.checker, "pid", None)
1906
1531
r = Client.start_checker(self, *args, **kwargs)
1910
1535
# Emit D-Bus signal
1911
1536
self.CheckerStarted(self.current_checker_command)
1912
1537
return r
1913
1538
1914
1539
def _reset_approved(self):
1915
1540
self.approved = None
1916
1541
return False
1917
1542
1918
1543
def approve(self, value=True):
1919
1544
self.approved = value
1920
GLib.timeout_add(int(self.approval_duration.total_seconds()
1921
* 1000), self._reset_approved)
1545
gobject.timeout_add(int(self.approval_duration.total_seconds()
1546
* 1000), self._reset_approved)
1922
1547
self.send_changedstate()
1923
1924
# D-Bus methods, signals & properties
1925
1926
# Interfaces
1927
1928
# Signals
1929
1548
1549
## D-Bus methods, signals & properties
1550
1551
## Interfaces
1552
1553
## Signals
1554
1930
1555
# CheckerCompleted - signal
1931
1556
@dbus.service.signal(_interface, signature="nxs")
1932
1557
def CheckerCompleted(self, exitcode, waitstatus, command):
1933
1558
"D-Bus signal"
1934
1559
pass
1935
1560
1936
1561
# CheckerStarted - signal
1937
1562
@dbus.service.signal(_interface, signature="s")
1938
1563
def CheckerStarted(self, command):
1939
1564
"D-Bus signal"
1940
1565
pass
1941
1566
1942
1567
# PropertyChanged - signal
1943
1568
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1944
1569
@dbus.service.signal(_interface, signature="sv")
1945
1570
def PropertyChanged(self, property, value):
1946
1571
"D-Bus signal"
1947
1572
pass
1948
1573
1949
1574
# GotSecret - signal
1950
1575
@dbus.service.signal(_interface)
1951
1576
def GotSecret(self):
1954
1579
server to mandos-client
1955
1580
"""
1956
1581
pass
1957
1582
1958
1583
# Rejected - signal
1959
1584
@dbus.service.signal(_interface, signature="s")
1960
1585
def Rejected(self, reason):
1961
1586
"D-Bus signal"
1962
1587
pass
1963
1588
1964
1589
# NeedApproval - signal
1965
1590
@dbus.service.signal(_interface, signature="tb")
1966
1591
def NeedApproval(self, timeout, default):
1967
1592
"D-Bus signal"
1968
1593
return self.need_approval()
1969
1970
# Methods
1971
1594
1595
## Methods
1596
1972
1597
# Approve - method
1973
1598
@dbus.service.method(_interface, in_signature="b")
1974
1599
def Approve(self, value):
1975
1600
self.approve(value)
1976
1601
1977
1602
# CheckedOK - method
1978
1603
@dbus.service.method(_interface)
1979
1604
def CheckedOK(self):
1980
1605
self.checked_ok()
1981
1606
1982
1607
# Enable - method
1983
1608
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1984
1609
@dbus.service.method(_interface)
1985
1610
def Enable(self):
1986
1611
"D-Bus method"
1987
1612
self.enable()
1988
1613
1989
1614
# StartChecker - method
1990
1615
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1991
1616
@dbus.service.method(_interface)
1992
1617
def StartChecker(self):
1993
1618
"D-Bus method"
1994
1619
self.start_checker()
1995
1620
1996
1621
# Disable - method
1997
1622
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1998
1623
@dbus.service.method(_interface)
1999
1624
def Disable(self):
2000
1625
"D-Bus method"
2001
1626
self.disable()
2002
1627
2003
1628
# StopChecker - method
2004
1629
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2005
1630
@dbus.service.method(_interface)
2006
1631
def StopChecker(self):
2007
1632
self.stop_checker()
2008
2009
# Properties
2010
1633
1634
## Properties
1635
2011
1636
# ApprovalPending - property
2012
1637
@dbus_service_property(_interface, signature="b", access="read")
2013
1638
def ApprovalPending_dbus_property(self):
2014
1639
return dbus.Boolean(bool(self.approvals_pending))
2015
1640
2016
1641
# ApprovedByDefault - property
2017
1642
@dbus_service_property(_interface,
2018
1643
signature="b",
2021
1646
if value is None: # get
2022
1647
return dbus.Boolean(self.approved_by_default)
2023
1648
self.approved_by_default = bool(value)
2024
1649
2025
1650
# ApprovalDelay - property
2026
1651
@dbus_service_property(_interface,
2027
1652
signature="t",
2031
1656
return dbus.UInt64(self.approval_delay.total_seconds()
2032
1657
* 1000)
2033
1658
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2034
1659
2035
1660
# ApprovalDuration - property
2036
1661
@dbus_service_property(_interface,
2037
1662
signature="t",
2041
1666
return dbus.UInt64(self.approval_duration.total_seconds()
2042
1667
* 1000)
2043
1668
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2044
1669
2045
1670
# Name - property
2046
1671
@dbus_annotations(
2047
1672
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2048
1673
@dbus_service_property(_interface, signature="s", access="read")
2049
1674
def Name_dbus_property(self):
2050
1675
return dbus.String(self.name)
2051
2052
# KeyID - property
2053
@dbus_annotations(
2054
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2055
@dbus_service_property(_interface, signature="s", access="read")
2056
def KeyID_dbus_property(self):
2057
return dbus.String(self.key_id)
2058
1676
2059
1677
# Fingerprint - property
2060
1678
@dbus_annotations(
2061
1679
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2062
1680
@dbus_service_property(_interface, signature="s", access="read")
2063
1681
def Fingerprint_dbus_property(self):
2064
1682
return dbus.String(self.fingerprint)
2065
1683
2066
1684
# Host - property
2067
1685
@dbus_service_property(_interface,
2068
1686
signature="s",
2071
1689
if value is None: # get
2072
1690
return dbus.String(self.host)
2073
1691
self.host = str(value)
2074
1692
2075
1693
# Created - property
2076
1694
@dbus_annotations(
2077
1695
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2078
1696
@dbus_service_property(_interface, signature="s", access="read")
2079
1697
def Created_dbus_property(self):
2080
1698
return datetime_to_dbus(self.created)
2081
1699
2082
1700
# LastEnabled - property
2083
1701
@dbus_service_property(_interface, signature="s", access="read")
2084
1702
def LastEnabled_dbus_property(self):
2085
1703
return datetime_to_dbus(self.last_enabled)
2086
1704
2087
1705
# Enabled - property
2088
1706
@dbus_service_property(_interface,
2089
1707
signature="b",
2095
1713
self.enable()
2096
1714
else:
2097
1715
self.disable()
2098
1716
2099
1717
# LastCheckedOK - property
2100
1718
@dbus_service_property(_interface,
2101
1719
signature="s",
2105
1723
self.checked_ok()
2106
1724
return
2107
1725
return datetime_to_dbus(self.last_checked_ok)
2108
1726
2109
1727
# LastCheckerStatus - property
2110
1728
@dbus_service_property(_interface, signature="n", access="read")
2111
1729
def LastCheckerStatus_dbus_property(self):
2112
1730
return dbus.Int16(self.last_checker_status)
2113
1731
2114
1732
# Expires - property
2115
1733
@dbus_service_property(_interface, signature="s", access="read")
2116
1734
def Expires_dbus_property(self):
2117
1735
return datetime_to_dbus(self.expires)
2118
1736
2119
1737
# LastApprovalRequest - property
2120
1738
@dbus_service_property(_interface, signature="s", access="read")
2121
1739
def LastApprovalRequest_dbus_property(self):
2122
1740
return datetime_to_dbus(self.last_approval_request)
2123
1741
2124
1742
# Timeout - property
2125
1743
@dbus_service_property(_interface,
2126
1744
signature="t",
2141
1759
if (getattr(self, "disable_initiator_tag", None)
2142
1760
is None):
2143
1761
return
2144
GLib.source_remove(self.disable_initiator_tag)
2145
self.disable_initiator_tag = GLib.timeout_add(
1762
gobject.source_remove(self.disable_initiator_tag)
1763
self.disable_initiator_tag = gobject.timeout_add(
2146
1764
int((self.expires - now).total_seconds() * 1000),
2147
1765
self.disable)
2148
1766
2149
1767
# ExtendedTimeout - property
2150
1768
@dbus_service_property(_interface,
2151
1769
signature="t",
2155
1773
return dbus.UInt64(self.extended_timeout.total_seconds()
2156
1774
* 1000)
2157
1775
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2158
1776
2159
1777
# Interval - property
2160
1778
@dbus_service_property(_interface,
2161
1779
signature="t",
2168
1786
return
2169
1787
if self.enabled:
2170
1788
# Reschedule checker run
2171
GLib.source_remove(self.checker_initiator_tag)
2172
self.checker_initiator_tag = GLib.timeout_add(
1789
gobject.source_remove(self.checker_initiator_tag)
1790
self.checker_initiator_tag = gobject.timeout_add(
2173
1791
value, self.start_checker)
2174
self.start_checker() # Start one now, too
2175
1792
self.start_checker() # Start one now, too
1793
2176
1794
# Checker - property
2177
1795
@dbus_service_property(_interface,
2178
1796
signature="s",
2181
1799
if value is None: # get
2182
1800
return dbus.String(self.checker_command)
2183
1801
self.checker_command = str(value)
2184
1802
2185
1803
# CheckerRunning - property
2186
1804
@dbus_service_property(_interface,
2187
1805
signature="b",
2193
1811
self.start_checker()
2194
1812
else:
2195
1813
self.stop_checker()
2196
1814
2197
1815
# ObjectPath - property
2198
1816
@dbus_annotations(
2199
1817
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2200
1818
"org.freedesktop.DBus.Deprecated": "true"})
2201
1819
@dbus_service_property(_interface, signature="o", access="read")
2202
1820
def ObjectPath_dbus_property(self):
2203
return self.dbus_object_path # is already a dbus.ObjectPath
2204
1821
return self.dbus_object_path # is already a dbus.ObjectPath
1822
2205
1823
# Secret = property
2206
1824
@dbus_annotations(
2207
1825
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2212
1830
byte_arrays=True)
2213
1831
def Secret_dbus_property(self, value):
2214
1832
self.secret = bytes(value)
2215
1833
2216
1834
del _interface
2217
1835
2218
1836
2219
class ProxyClient:
2220
def __init__(self, child_pipe, key_id, fpr, address):
1837
class ProxyClient(object):
1838
def __init__(self, child_pipe, fpr, address):
2221
1839
self._pipe = child_pipe
2222
self._pipe.send(('init', key_id, fpr, address))
1840
self._pipe.send(('init', fpr, address))
2223
1841
if not self._pipe.recv():
2224
raise KeyError(key_id or fpr)
2225
1842
raise KeyError(fpr)
1843
2226
1844
def __getattribute__(self, name):
2227
1845
if name == '_pipe':
2228
1846
return super(ProxyClient, self).__getattribute__(name)
2231
1849
if data[0] == 'data':
2232
1850
return data[1]
2233
1851
if data[0] == 'function':
2234
1852
2235
1853
def func(*args, **kwargs):
2236
1854
self._pipe.send(('funcall', name, args, kwargs))
2237
1855
return self._pipe.recv()[1]
2238
1856
2239
1857
return func
2240
1858
2241
1859
def __setattr__(self, name, value):
2242
1860
if name == '_pipe':
2243
1861
return super(ProxyClient, self).__setattr__(name, value)
2246
1864
2247
1865
class ClientHandler(socketserver.BaseRequestHandler, object):
2248
1866
"""A class to handle client connections.
2249
1867
2250
1868
Instantiated once for each connection to handle it.
2251
1869
Note: This will run in its own forked process."""
2252
1870
2253
1871
def handle(self):
2254
1872
with contextlib.closing(self.server.child_pipe) as child_pipe:
2255
1873
logger.info("TCP connection from: %s",
2256
1874
str(self.client_address))
2257
1875
logger.debug("Pipe FD: %d",
2258
1876
self.server.child_pipe.fileno())
2259
2260
session = gnutls.ClientSession(self.request)
2261
2262
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2263
# "+AES-256-CBC", "+SHA1",
2264
# "+COMP-NULL", "+CTYPE-OPENPGP",
2265
# "+DHE-DSS"))
1877
1878
session = gnutls.connection.ClientSession(
1879
self.request, gnutls.connection .X509Credentials())
1880
1881
# Note: gnutls.connection.X509Credentials is really a
1882
# generic GnuTLS certificate credentials object so long as
1883
# no X.509 keys are added to it. Therefore, we can use it
1884
# here despite using OpenPGP certificates.
1885
1886
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1887
# "+AES-256-CBC", "+SHA1",
1888
# "+COMP-NULL", "+CTYPE-OPENPGP",
1889
# "+DHE-DSS"))
2266
1890
# Use a fallback default, since this MUST be set.
2267
1891
priority = self.server.gnutls_priority
2268
1892
if priority is None:
2269
1893
priority = "NORMAL"
2270
gnutls.priority_set_direct(session._c_object,
2271
priority.encode("utf-8"),
2272
None)
2273
1894
gnutls.library.functions.gnutls_priority_set_direct(
1895
session._c_object, priority, None)
1896
2274
1897
# Start communication using the Mandos protocol
2275
1898
# Get protocol number
2276
1899
line = self.request.makefile().readline()
2281
1904
except (ValueError, IndexError, RuntimeError) as error:
2282
1905
logger.error("Unknown protocol version: %s", error)
2283
1906
return
2284
1907
2285
1908
# Start GnuTLS connection
2286
1909
try:
2287
1910
session.handshake()
2288
except gnutls.Error as error:
1911
except gnutls.errors.GNUTLSError as error:
2289
1912
logger.warning("Handshake failed: %s", error)
2290
1913
# Do not run session.bye() here: the session is not
2291
1914
# established. Just abandon the request.
2292
1915
return
2293
1916
logger.debug("Handshake succeeded")
2294
1917
2295
1918
approval_required = False
2296
1919
try:
2297
if gnutls.has_rawpk:
2298
fpr = b""
2299
try:
2300
key_id = self.key_id(
2301
self.peer_certificate(session))
2302
except (TypeError, gnutls.Error) as error:
2303
logger.warning("Bad certificate: %s", error)
2304
return
2305
logger.debug("Key ID: %s", key_id)
2306
2307
else:
2308
key_id = b""
2309
try:
2310
fpr = self.fingerprint(
2311
self.peer_certificate(session))
2312
except (TypeError, gnutls.Error) as error:
2313
logger.warning("Bad certificate: %s", error)
2314
return
2315
logger.debug("Fingerprint: %s", fpr)
2316
2317
try:
2318
client = ProxyClient(child_pipe, key_id, fpr,
1920
try:
1921
fpr = self.fingerprint(
1922
self.peer_certificate(session))
1923
except (TypeError,
1924
gnutls.errors.GNUTLSError) as error:
1925
logger.warning("Bad certificate: %s", error)
1926
return
1927
logger.debug("Fingerprint: %s", fpr)
1928
1929
try:
1930
client = ProxyClient(child_pipe, fpr,
2319
1931
self.client_address)
2320
1932
except KeyError:
2321
1933
return
2322
1934
2323
1935
if client.approval_delay:
2324
1936
delay = client.approval_delay
2325
1937
client.approvals_pending += 1
2326
1938
approval_required = True
2327
1939
2328
1940
while True:
2329
1941
if not client.enabled:
2330
1942
logger.info("Client %s is disabled",
2333
1945
# Emit D-Bus signal
2334
1946
client.Rejected("Disabled")
2335
1947
return
2336
1948
2337
1949
if client.approved or not client.approval_delay:
2338
# We are approved or approval is disabled
1950
#We are approved or approval is disabled
2339
1951
break
2340
1952
elif client.approved is None:
2341
1953
logger.info("Client %s needs approval",
2352
1964
# Emit D-Bus signal
2353
1965
client.Rejected("Denied")
2354
1966
return
2355
2356
# wait until timeout or approved
1967
1968
#wait until timeout or approved
2357
1969
time = datetime.datetime.now()
2358
1970
client.changedstate.acquire()
2359
1971
client.changedstate.wait(delay.total_seconds())
2372
1984
break
2373
1985
else:
2374
1986
delay -= time2 - time
2375
2376
try:
2377
session.send(client.secret)
2378
except gnutls.Error as error:
2379
logger.warning("gnutls send failed",
2380
exc_info=error)
2381
return
2382
1987
1988
sent_size = 0
1989
while sent_size < len(client.secret):
1990
try:
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1994
exc_info=error)
1995
return
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
1998
+ sent))
1999
sent_size += sent
2000
2383
2001
logger.info("Sending secret to %s", client.name)
2384
2002
# bump the timeout using extended_timeout
2385
2003
client.bump_timeout(client.extended_timeout)
2386
2004
if self.server.use_dbus:
2387
2005
# Emit D-Bus signal
2388
2006
client.GotSecret()
2389
2007
2390
2008
finally:
2391
2009
if approval_required:
2392
2010
client.approvals_pending -= 1
2393
2011
try:
2394
2012
session.bye()
2395
except gnutls.Error as error:
2013
except gnutls.errors.GNUTLSError as error:
2396
2014
logger.warning("GnuTLS bye failed",
2397
2015
exc_info=error)
2398
2016
2399
2017
@staticmethod
2400
2018
def peer_certificate(session):
2401
"Return the peer's certificate as a bytestring"
2402
try:
2403
cert_type = gnutls.certificate_type_get2(session._c_object,
2404
gnutls.CTYPE_PEERS)
2405
except AttributeError:
2406
cert_type = gnutls.certificate_type_get(session._c_object)
2407
if gnutls.has_rawpk:
2408
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2409
else:
2410
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2411
# If not a valid certificate type...
2412
if cert_type not in valid_cert_types:
2413
logger.info("Cert type %r not in %r", cert_type,
2414
valid_cert_types)
2415
# ...return invalid data
2416
return b""
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2022
session._c_object)
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2417
2026
list_size = ctypes.c_uint(1)
2418
cert_list = (gnutls.certificate_get_peers
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2419
2029
(session._c_object, ctypes.byref(list_size)))
2420
2030
if not bool(cert_list) and list_size.value != 0:
2421
raise gnutls.Error("error getting peer certificate")
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2032
" certificate")
2422
2033
if list_size.value == 0:
2423
2034
return None
2424
2035
cert = cert_list[0]
2425
2036
return ctypes.string_at(cert.data, cert.size)
2426
2427
@staticmethod
2428
def key_id(certificate):
2429
"Convert a certificate bytestring to a hexdigit key ID"
2430
# New GnuTLS "datum" with the public key
2431
datum = gnutls.datum_t(
2432
ctypes.cast(ctypes.c_char_p(certificate),
2433
ctypes.POINTER(ctypes.c_ubyte)),
2434
ctypes.c_uint(len(certificate)))
2435
# XXX all these need to be created in the gnutls "module"
2436
# New empty GnuTLS certificate
2437
pubkey = gnutls.pubkey_t()
2438
gnutls.pubkey_init(ctypes.byref(pubkey))
2439
# Import the raw public key into the certificate
2440
gnutls.pubkey_import(pubkey,
2441
ctypes.byref(datum),
2442
gnutls.X509_FMT_DER)
2443
# New buffer for the key ID
2444
buf = ctypes.create_string_buffer(32)
2445
buf_len = ctypes.c_size_t(len(buf))
2446
# Get the key ID from the raw public key into the buffer
2447
gnutls.pubkey_get_key_id(pubkey,
2448
gnutls.KEYID_USE_SHA256,
2449
ctypes.cast(ctypes.byref(buf),
2450
ctypes.POINTER(ctypes.c_ubyte)),
2451
ctypes.byref(buf_len))
2452
# Deinit the certificate
2453
gnutls.pubkey_deinit(pubkey)
2454
2455
# Convert the buffer to a Python bytestring
2456
key_id = ctypes.string_at(buf, buf_len.value)
2457
# Convert the bytestring to hexadecimal notation
2458
hex_key_id = binascii.hexlify(key_id).upper()
2459
return hex_key_id
2460
2037
2461
2038
@staticmethod
2462
2039
def fingerprint(openpgp):
2463
2040
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2464
2041
# New GnuTLS "datum" with the OpenPGP public key
2465
datum = gnutls.datum_t(
2042
datum = gnutls.library.types.gnutls_datum_t(
2466
2043
ctypes.cast(ctypes.c_char_p(openpgp),
2467
2044
ctypes.POINTER(ctypes.c_ubyte)),
2468
2045
ctypes.c_uint(len(openpgp)))
2469
2046
# New empty GnuTLS certificate
2470
crt = gnutls.openpgp_crt_t()
2471
gnutls.openpgp_crt_init(ctypes.byref(crt))
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2049
ctypes.byref(crt))
2472
2050
# Import the OpenPGP public key into the certificate
2473
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2474
gnutls.OPENPGP_FMT_RAW)
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2475
2054
# Verify the self signature in the key
2476
2055
crtverify = ctypes.c_uint()
2477
gnutls.openpgp_crt_verify_self(crt, 0,
2478
ctypes.byref(crtverify))
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2479
2058
if crtverify.value != 0:
2480
gnutls.openpgp_crt_deinit(crt)
2481
raise gnutls.CertificateSecurityError(code
2482
=crtverify.value)
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2061
"Verify failed")
2483
2062
# New buffer for the fingerprint
2484
2063
buf = ctypes.create_string_buffer(20)
2485
2064
buf_len = ctypes.c_size_t()
2486
2065
# Get the fingerprint from the certificate into the buffer
2487
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2488
ctypes.byref(buf_len))
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2489
2068
# Deinit the certificate
2490
gnutls.openpgp_crt_deinit(crt)
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2491
2070
# Convert the buffer to a Python bytestring
2492
2071
fpr = ctypes.string_at(buf, buf_len.value)
2493
2072
# Convert the bytestring to hexadecimal notation
2495
2074
return hex_fpr
2496
2075
2497
2076
2498
class MultiprocessingMixIn:
2077
class MultiprocessingMixIn(object):
2499
2078
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2500
2079
2501
2080
def sub_process_main(self, request, address):
2502
2081
try:
2503
2082
self.finish_request(request, address)
2504
2083
except Exception:
2505
2084
self.handle_error(request, address)
2506
2085
self.close_request(request)
2507
2086
2508
2087
def process_request(self, request, address):
2509
2088
"""Start a new process to process the request."""
2510
proc = multiprocessing.Process(target=self.sub_process_main,
2511
args=(request, address))
2089
proc = multiprocessing.Process(target = self.sub_process_main,
2090
args = (request, address))
2512
2091
proc.start()
2513
2092
return proc
2514
2093
2515
2094
2516
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2095
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2517
2096
""" adds a pipe to the MixIn """
2518
2097
2519
2098
def process_request(self, request, client_address):
2520
2099
"""Overrides and wraps the original process_request().
2521
2100
2522
2101
This function creates a new pipe in self.pipe
2523
2102
"""
2524
2103
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2525
2104
2526
2105
proc = MultiprocessingMixIn.process_request(self, request,
2527
2106
client_address)
2528
2107
self.child_pipe.close()
2529
2108
self.add_pipe(parent_pipe, proc)
2530
2109
2531
2110
def add_pipe(self, parent_pipe, proc):
2532
2111
"""Dummy function; override as necessary"""
2533
2112
raise NotImplementedError()
2534
2113
2535
2114
2536
2115
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2537
socketserver.TCPServer):
2116
socketserver.TCPServer, object):
2538
2117
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2539
2118
2540
2119
Attributes:
2541
2120
enabled: Boolean; whether this server is activated yet
2542
2121
interface: None or a network interface name (string)
2543
2122
use_ipv6: Boolean; to use IPv6 or not
2544
2123
"""
2545
2124
2546
2125
def __init__(self, server_address, RequestHandlerClass,
2547
2126
interface=None,
2548
2127
use_ipv6=True,
2558
2137
self.socketfd = socketfd
2559
2138
# Save the original socket.socket() function
2560
2139
self.socket_socket = socket.socket
2561
2562
2140
# To implement --socket, we monkey patch socket.socket.
2563
#
2141
#
2564
2142
# (When socketserver.TCPServer is a new-style class, we
2565
2143
# could make self.socket into a property instead of monkey
2566
2144
# patching socket.socket.)
2567
#
2145
#
2568
2146
# Create a one-time-only replacement for socket.socket()
2569
2147
@functools.wraps(socket.socket)
2570
2148
def socket_wrapper(*args, **kwargs):
2582
2160
# socket_wrapper(), if socketfd was set.
2583
2161
socketserver.TCPServer.__init__(self, server_address,
2584
2162
RequestHandlerClass)
2585
2163
2586
2164
def server_bind(self):
2587
2165
"""This overrides the normal server_bind() function
2588
2166
to bind to an interface if one was specified, and also NOT to
2589
2167
bind to an address or port if they were not specified."""
2590
global SO_BINDTODEVICE
2591
2168
if self.interface is not None:
2592
2169
if SO_BINDTODEVICE is None:
2593
# Fall back to a hard-coded value which seems to be
2594
# common enough.
2595
logger.warning("SO_BINDTODEVICE not found, trying 25")
2596
SO_BINDTODEVICE = 25
2597
try:
2598
self.socket.setsockopt(
2599
socket.SOL_SOCKET, SO_BINDTODEVICE,
2600
(self.interface + "\0").encode("utf-8"))
2601
except socket.error as error:
2602
if error.errno == errno.EPERM:
2603
logger.error("No permission to bind to"
2604
" interface %s", self.interface)
2605
elif error.errno == errno.ENOPROTOOPT:
2606
logger.error("SO_BINDTODEVICE not available;"
2607
" cannot bind to interface %s",
2608
self.interface)
2609
elif error.errno == errno.ENODEV:
2610
logger.error("Interface %s does not exist,"
2611
" cannot bind", self.interface)
2612
else:
2613
raise
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2172
self.interface)
2173
else:
2174
try:
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2185
self.interface)
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2189
else:
2190
raise
2614
2191
# Only bind(2) the socket if we really need to.
2615
2192
if self.server_address[0] or self.server_address[1]:
2616
if self.server_address[1]:
2617
self.allow_reuse_address = True
2618
2193
if not self.server_address[0]:
2619
2194
if self.address_family == socket.AF_INET6:
2620
any_address = "::" # in6addr_any
2195
any_address = "::" # in6addr_any
2621
2196
else:
2622
any_address = "0.0.0.0" # INADDR_ANY
2197
any_address = "0.0.0.0" # INADDR_ANY
2623
2198
self.server_address = (any_address,
2624
2199
self.server_address[1])
2625
2200
elif not self.server_address[1]:
2635
2210
2636
2211
class MandosServer(IPv6_TCPServer):
2637
2212
"""Mandos server.
2638
2213
2639
2214
Attributes:
2640
2215
clients: set of Client objects
2641
2216
gnutls_priority GnuTLS priority string
2642
2217
use_dbus: Boolean; to emit D-Bus signals or not
2643
2644
Assumes a GLib.MainLoop event loop.
2218
2219
Assumes a gobject.MainLoop event loop.
2645
2220
"""
2646
2221
2647
2222
def __init__(self, server_address, RequestHandlerClass,
2648
2223
interface=None,
2649
2224
use_ipv6=True,
2659
2234
self.gnutls_priority = gnutls_priority
2660
2235
IPv6_TCPServer.__init__(self, server_address,
2661
2236
RequestHandlerClass,
2662
interface=interface,
2663
use_ipv6=use_ipv6,
2664
socketfd=socketfd)
2665
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2240
2666
2241
def server_activate(self):
2667
2242
if self.enabled:
2668
2243
return socketserver.TCPServer.server_activate(self)
2669
2244
2670
2245
def enable(self):
2671
2246
self.enabled = True
2672
2247
2673
2248
def add_pipe(self, parent_pipe, proc):
2674
2249
# Call "handle_ipc" for both data and EOF events
2675
GLib.io_add_watch(
2250
gobject.io_add_watch(
2676
2251
parent_pipe.fileno(),
2677
GLib.IO_IN | GLib.IO_HUP,
2252
gobject.IO_IN | gobject.IO_HUP,
2678
2253
functools.partial(self.handle_ipc,
2679
parent_pipe=parent_pipe,
2680
proc=proc))
2681
2254
parent_pipe = parent_pipe,
2255
proc = proc))
2256
2682
2257
def handle_ipc(self, source, condition,
2683
2258
parent_pipe=None,
2684
proc=None,
2259
proc = None,
2685
2260
client_object=None):
2686
2261
# error, or the other end of multiprocessing.Pipe has closed
2687
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2688
2263
# Wait for other process to exit
2689
2264
proc.join()
2690
2265
return False
2691
2266
2692
2267
# Read a request from the child
2693
2268
request = parent_pipe.recv()
2694
2269
command = request[0]
2695
2270
2696
2271
if command == 'init':
2697
key_id = request[1].decode("ascii")
2698
fpr = request[2].decode("ascii")
2699
address = request[3]
2700
2701
for c in self.clients.values():
2702
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2703
continue
2704
if key_id and c.key_id == key_id:
2705
client = c
2706
break
2707
if fpr and c.fingerprint == fpr:
2272
fpr = request[1]
2273
address = request[2]
2274
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2708
2277
client = c
2709
2278
break
2710
2279
else:
2711
logger.info("Client not found for key ID: %s, address"
2712
": %s", key_id or fpr, address)
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2713
2282
if self.use_dbus:
2714
2283
# Emit D-Bus signal
2715
mandos_dbus_service.ClientNotFound(key_id or fpr,
2284
mandos_dbus_service.ClientNotFound(fpr,
2716
2285
address[0])
2717
2286
parent_pipe.send(False)
2718
2287
return False
2719
2720
GLib.io_add_watch(
2288
2289
gobject.io_add_watch(
2721
2290
parent_pipe.fileno(),
2722
GLib.IO_IN | GLib.IO_HUP,
2291
gobject.IO_IN | gobject.IO_HUP,
2723
2292
functools.partial(self.handle_ipc,
2724
parent_pipe=parent_pipe,
2725
proc=proc,
2726
client_object=client))
2293
parent_pipe = parent_pipe,
2294
proc = proc,
2295
client_object = client))
2727
2296
parent_pipe.send(True)
2728
2297
# remove the old hook in favor of the new above hook on
2729
2298
# same fileno
2732
2301
funcname = request[1]
2733
2302
args = request[2]
2734
2303
kwargs = request[3]
2735
2304
2736
2305
parent_pipe.send(('data', getattr(client_object,
2737
2306
funcname)(*args,
2738
2307
**kwargs)))
2739
2308
2740
2309
if command == 'getattr':
2741
2310
attrname = request[1]
2742
2311
if isinstance(client_object.__getattribute__(attrname),
2745
2314
else:
2746
2315
parent_pipe.send((
2747
2316
'data', client_object.__getattribute__(attrname)))
2748
2317
2749
2318
if command == 'setattr':
2750
2319
attrname = request[1]
2751
2320
value = request[2]
2752
2321
setattr(client_object, attrname, value)
2753
2322
2754
2323
return True
2755
2324
2756
2325
2757
2326
def rfc3339_duration_to_delta(duration):
2758
2327
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2759
2328
2760
2329
>>> rfc3339_duration_to_delta("P7D")
2761
2330
datetime.timedelta(7)
2762
2331
>>> rfc3339_duration_to_delta("PT60S")
2772
2341
>>> rfc3339_duration_to_delta("P1DT3M20S")
2773
2342
datetime.timedelta(1, 200)
2774
2343
"""
2775
2344
2776
2345
# Parsing an RFC 3339 duration with regular expressions is not
2777
2346
# possible - there would have to be multiple places for the same
2778
2347
# values, like seconds. The current code, while more esoteric, is
2779
2348
# cleaner without depending on a parsing library. If Python had a
2780
2349
# built-in library for parsing we would use it, but we'd like to
2781
2350
# avoid excessive use of external libraries.
2782
2351
2783
2352
# New type for defining tokens, syntax, and semantics all-in-one
2784
2353
Token = collections.namedtuple("Token", (
2785
2354
"regexp", # To match token; if "value" is not None, must have
2818
2387
frozenset((token_year, token_month,
2819
2388
token_day, token_time,
2820
2389
token_week)))
2821
# Define starting values:
2822
# Value so far
2823
value = datetime.timedelta()
2390
# Define starting values
2391
value = datetime.timedelta() # Value so far
2824
2392
found_token = None
2825
# Following valid tokens
2826
followers = frozenset((token_duration, ))
2827
# String left to parse
2828
s = duration
2393
followers = frozenset((token_duration, )) # Following valid tokens
2394
s = duration # String left to parse
2829
2395
# Loop until end token is found
2830
2396
while found_token is not token_end:
2831
2397
# Search for any currently valid tokens
2855
2421
2856
2422
def string_to_delta(interval):
2857
2423
"""Parse a string and return a datetime.timedelta
2858
2424
2859
2425
>>> string_to_delta('7d')
2860
2426
datetime.timedelta(7)
2861
2427
>>> string_to_delta('60s')
2869
2435
>>> string_to_delta('5m 30s')
2870
2436
datetime.timedelta(0, 330)
2871
2437
"""
2872
2438
2873
2439
try:
2874
2440
return rfc3339_duration_to_delta(interval)
2875
2441
except ValueError:
2876
2442
pass
2877
2443
2878
2444
timevalue = datetime.timedelta(0)
2879
2445
for s in interval.split():
2880
2446
try:
2898
2464
return timevalue
2899
2465
2900
2466
2901
def daemon(nochdir=False, noclose=False):
2467
def daemon(nochdir = False, noclose = False):
2902
2468
"""See daemon(3). Standard BSD Unix function.
2903
2469
2904
2470
This should really exist as os.daemon, but it doesn't (yet)."""
2905
2471
if os.fork():
2906
2472
sys.exit()
2924
2490
2925
2491
2926
2492
def main():
2927
2493
2928
2494
##################################################################
2929
2495
# Parsing of options, both command line and config file
2930
2496
2931
2497
parser = argparse.ArgumentParser()
2932
2498
parser.add_argument("-v", "--version", action="version",
2933
version="%(prog)s {}".format(version),
2499
version = "%(prog)s {}".format(version),
2934
2500
help="show version number and exit")
2935
2501
parser.add_argument("-i", "--interface", metavar="IF",
2936
2502
help="Bind to interface IF")
2972
2538
parser.add_argument("--no-zeroconf", action="store_false",
2973
2539
dest="zeroconf", help="Do not use Zeroconf",
2974
2540
default=None)
2975
2541
2976
2542
options = parser.parse_args()
2977
2543
2978
2544
if options.check:
2979
2545
import doctest
2980
2546
fail_count, test_count = doctest.testmod()
2981
2547
sys.exit(os.EX_OK if fail_count == 0 else 1)
2982
2548
2983
2549
# Default values for config file for server-global settings
2984
if gnutls.has_rawpk:
2985
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2986
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2987
else:
2988
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2989
":+SIGN-DSA-SHA256")
2990
server_defaults = {"interface": "",
2991
"address": "",
2992
"port": "",
2993
"debug": "False",
2994
"priority": priority,
2995
"servicename": "Mandos",
2996
"use_dbus": "True",
2997
"use_ipv6": "True",
2998
"debuglevel": "",
2999
"restore": "True",
3000
"socket": "",
3001
"statedir": "/var/lib/mandos",
3002
"foreground": "False",
3003
"zeroconf": "True",
3004
}
3005
del priority
3006
2550
server_defaults = { "interface": "",
2551
"address": "",
2552
"port": "",
2553
"debug": "False",
2554
"priority":
2555
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2556
":+SIGN-DSA-SHA256",
2557
"servicename": "Mandos",
2558
"use_dbus": "True",
2559
"use_ipv6": "True",
2560
"debuglevel": "",
2561
"restore": "True",
2562
"socket": "",
2563
"statedir": "/var/lib/mandos",
2564
"foreground": "False",
2565
"zeroconf": "True",
2566
}
2567
3007
2568
# Parse config file for server-global settings
3008
server_config = configparser.ConfigParser(server_defaults)
2569
server_config = configparser.SafeConfigParser(server_defaults)
3009
2570
del server_defaults
3010
2571
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3011
# Convert the ConfigParser object to a dict
2572
# Convert the SafeConfigParser object to a dict
3012
2573
server_settings = server_config.defaults()
3013
2574
# Use the appropriate methods on the non-string config options
3014
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3015
"foreground", "zeroconf"):
2575
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3016
2576
server_settings[option] = server_config.getboolean("DEFAULT",
3017
2577
option)
3018
2578
if server_settings["port"]:
3028
2588
server_settings["socket"] = os.dup(server_settings
3029
2589
["socket"])
3030
2590
del server_config
3031
2591
3032
2592
# Override the settings from the config file with command line
3033
2593
# options, if set.
3034
2594
for option in ("interface", "address", "port", "debug",
3052
2612
if server_settings["debug"]:
3053
2613
server_settings["foreground"] = True
3054
2614
# Now we have our good server settings in "server_settings"
3055
2615
3056
2616
##################################################################
3057
2617
3058
2618
if (not server_settings["zeroconf"]
3059
2619
and not (server_settings["port"]
3060
2620
or server_settings["socket"] != "")):
3061
2621
parser.error("Needs port or socket to work without Zeroconf")
3062
2622
3063
2623
# For convenience
3064
2624
debug = server_settings["debug"]
3065
2625
debuglevel = server_settings["debuglevel"]
3069
2629
stored_state_file)
3070
2630
foreground = server_settings["foreground"]
3071
2631
zeroconf = server_settings["zeroconf"]
3072
2632
3073
2633
if debug:
3074
2634
initlogger(debug, logging.DEBUG)
3075
2635
else:
3078
2638
else:
3079
2639
level = getattr(logging, debuglevel.upper())
3080
2640
initlogger(debug, level)
3081
2641
3082
2642
if server_settings["servicename"] != "Mandos":
3083
2643
syslogger.setFormatter(
3084
2644
logging.Formatter('Mandos ({}) [%(process)d]:'
3085
2645
' %(levelname)s: %(message)s'.format(
3086
2646
server_settings["servicename"])))
3087
2647
3088
2648
# Parse config file with clients
3089
client_config = configparser.ConfigParser(Client.client_defaults)
2649
client_config = configparser.SafeConfigParser(Client
2650
.client_defaults)
3090
2651
client_config.read(os.path.join(server_settings["configdir"],
3091
2652
"clients.conf"))
3092
2653
3093
2654
global mandos_dbus_service
3094
2655
mandos_dbus_service = None
3095
2656
3096
2657
socketfd = None
3097
2658
if server_settings["socket"] != "":
3098
2659
socketfd = server_settings["socket"]
3114
2675
except IOError as e:
3115
2676
logger.error("Could not open file %r", pidfilename,
3116
2677
exc_info=e)
3117
3118
for name, group in (("_mandos", "_mandos"),
3119
("mandos", "mandos"),
3120
("nobody", "nogroup")):
2678
2679
for name in ("_mandos", "mandos", "nobody"):
3121
2680
try:
3122
2681
uid = pwd.getpwnam(name).pw_uid
3123
gid = pwd.getpwnam(group).pw_gid
2682
gid = pwd.getpwnam(name).pw_gid
3124
2683
break
3125
2684
except KeyError:
3126
2685
continue
3130
2689
try:
3131
2690
os.setgid(gid)
3132
2691
os.setuid(uid)
3133
if debug:
3134
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3135
gid))
3136
2692
except OSError as error:
3137
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3138
.format(uid, gid, os.strerror(error.errno)))
3139
2693
if error.errno != errno.EPERM:
3140
2694
raise
3141
2695
3142
2696
if debug:
3143
2697
# Enable all possible GnuTLS debugging
3144
2698
3145
2699
# "Use a log level over 10 to enable all debugging options."
3146
2700
# - GnuTLS manual
3147
gnutls.global_set_log_level(11)
3148
3149
@gnutls.log_func
2701
gnutls.library.functions.gnutls_global_set_log_level(11)
2702
2703
@gnutls.library.types.gnutls_log_func
3150
2704
def debug_gnutls(level, string):
3151
2705
logger.debug("GnuTLS: %s", string[:-1])
3152
3153
gnutls.global_set_log_function(debug_gnutls)
3154
2706
2707
gnutls.library.functions.gnutls_global_set_log_function(
2708
debug_gnutls)
2709
3155
2710
# Redirect stdin so all checkers get /dev/null
3156
2711
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3157
2712
os.dup2(null, sys.stdin.fileno())
3158
2713
if null > 2:
3159
2714
os.close(null)
3160
2715
3161
2716
# Need to fork before connecting to D-Bus
3162
2717
if not foreground:
3163
2718
# Close all input and output, do double fork, etc.
3164
2719
daemon()
3165
3166
if gi.version_info < (3, 10, 2):
3167
# multiprocessing will use threads, so before we use GLib we
3168
# need to inform GLib that threads will be used.
3169
GLib.threads_init()
3170
2720
2721
# multiprocessing will use threads, so before we use gobject we
2722
# need to inform gobject that threads will be used.
2723
gobject.threads_init()
2724
3171
2725
global main_loop
3172
2726
# From the Avahi example code
3173
2727
DBusGMainLoop(set_as_default=True)
3174
main_loop = GLib.MainLoop()
2728
main_loop = gobject.MainLoop()
3175
2729
bus = dbus.SystemBus()
3176
2730
# End of Avahi example code
3177
2731
if use_dbus:
3190
2744
if zeroconf:
3191
2745
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3192
2746
service = AvahiServiceToSyslog(
3193
name=server_settings["servicename"],
3194
servicetype="_mandos._tcp",
3195
protocol=protocol,
3196
bus=bus)
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
2750
bus = bus)
3197
2751
if server_settings["interface"]:
3198
2752
service.interface = if_nametoindex(
3199
2753
server_settings["interface"].encode("utf-8"))
3200
2754
3201
2755
global multiprocessing_manager
3202
2756
multiprocessing_manager = multiprocessing.Manager()
3203
2757
3204
2758
client_class = Client
3205
2759
if use_dbus:
3206
client_class = functools.partial(ClientDBus, bus=bus)
3207
2760
client_class = functools.partial(ClientDBus, bus = bus)
2761
3208
2762
client_settings = Client.config_parser(client_config)
3209
2763
old_client_settings = {}
3210
2764
clients_data = {}
3211
2765
3212
2766
# This is used to redirect stdout and stderr for checker processes
3213
2767
global wnull
3214
wnull = open(os.devnull, "w") # A writable /dev/null
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3215
2769
# Only used if server is running in foreground but not in debug
3216
2770
# mode
3217
2771
if debug or not foreground:
3218
2772
wnull.close()
3219
2773
3220
2774
# Get client data and settings from last running state.
3221
2775
if server_settings["restore"]:
3222
2776
try:
3223
2777
with open(stored_state_path, "rb") as stored_state:
3224
if sys.version_info.major == 2:
3225
clients_data, old_client_settings = pickle.load(
3226
stored_state)
3227
else:
3228
bytes_clients_data, bytes_old_client_settings = (
3229
pickle.load(stored_state, encoding="bytes"))
3230
# Fix bytes to strings
3231
# clients_data
3232
# .keys()
3233
clients_data = {(key.decode("utf-8")
3234
if isinstance(key, bytes)
3235
else key): value
3236
for key, value in
3237
bytes_clients_data.items()}
3238
del bytes_clients_data
3239
for key in clients_data:
3240
value = {(k.decode("utf-8")
3241
if isinstance(k, bytes) else k): v
3242
for k, v in
3243
clients_data[key].items()}
3244
clients_data[key] = value
3245
# .client_structure
3246
value["client_structure"] = [
3247
(s.decode("utf-8")
3248
if isinstance(s, bytes)
3249
else s) for s in
3250
value["client_structure"]]
3251
# .name & .host
3252
for k in ("name", "host"):
3253
if isinstance(value[k], bytes):
3254
value[k] = value[k].decode("utf-8")
3255
if "key_id" not in value:
3256
value["key_id"] = ""
3257
elif "fingerprint" not in value:
3258
value["fingerprint"] = ""
3259
# old_client_settings
3260
# .keys()
3261
old_client_settings = {
3262
(key.decode("utf-8")
3263
if isinstance(key, bytes)
3264
else key): value
3265
for key, value in
3266
bytes_old_client_settings.items()}
3267
del bytes_old_client_settings
3268
# .host
3269
for value in old_client_settings.values():
3270
if isinstance(value["host"], bytes):
3271
value["host"] = (value["host"]
3272
.decode("utf-8"))
2778
clients_data, old_client_settings = pickle.load(
2779
stored_state)
3273
2780
os.remove(stored_state_path)
3274
2781
except IOError as e:
3275
2782
if e.errno == errno.ENOENT:
3283
2790
logger.warning("Could not load persistent state: "
3284
2791
"EOFError:",
3285
2792
exc_info=e)
3286
2793
3287
2794
with PGPEngine() as pgp:
3288
2795
for client_name, client in clients_data.items():
3289
2796
# Skip removed clients
3290
2797
if client_name not in client_settings:
3291
2798
continue
3292
2799
3293
2800
# Decide which value to use after restoring saved state.
3294
2801
# We have three different values: Old config file,
3295
2802
# new config file, and saved state.
3306
2813
client[name] = value
3307
2814
except KeyError:
3308
2815
pass
3309
2816
3310
2817
# Clients who has passed its expire date can still be
3311
2818
# enabled if its last checker was successful. A Client
3312
2819
# whose checker succeeded before we stored its state is
3345
2852
client_name))
3346
2853
client["secret"] = (client_settings[client_name]
3347
2854
["secret"])
3348
2855
3349
2856
# Add/remove clients based on new changes made to config
3350
2857
for client_name in (set(old_client_settings)
3351
2858
- set(client_settings)):
3353
2860
for client_name in (set(client_settings)
3354
2861
- set(old_client_settings)):
3355
2862
clients_data[client_name] = client_settings[client_name]
3356
2863
3357
2864
# Create all client objects
3358
2865
for client_name, client in clients_data.items():
3359
2866
tcp_server.clients[client_name] = client_class(
3360
name=client_name,
3361
settings=client,
3362
server_settings=server_settings)
3363
2867
name = client_name,
2868
settings = client,
2869
server_settings = server_settings)
2870
3364
2871
if not tcp_server.clients:
3365
2872
logger.warning("No clients defined")
3366
2873
3367
2874
if not foreground:
3368
2875
if pidfile is not None:
3369
2876
pid = os.getpid()
3375
2882
pidfilename, pid)
3376
2883
del pidfile
3377
2884
del pidfilename
3378
3379
for termsig in (signal.SIGHUP, signal.SIGTERM):
3380
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3381
lambda: main_loop.quit() and False)
3382
2885
2886
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2887
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2888
3383
2889
if use_dbus:
3384
2890
3385
2891
@alternate_dbus_interfaces(
3386
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2892
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3387
2893
class MandosDBusService(DBusObjectWithObjectManager):
3388
2894
"""A D-Bus proxy object"""
3389
2895
3390
2896
def __init__(self):
3391
2897
dbus.service.Object.__init__(self, bus, "/")
3392
2898
3393
2899
_interface = "se.recompile.Mandos"
3394
2900
3395
2901
@dbus.service.signal(_interface, signature="o")
3396
2902
def ClientAdded(self, objpath):
3397
2903
"D-Bus signal"
3398
2904
pass
3399
2905
3400
2906
@dbus.service.signal(_interface, signature="ss")
3401
def ClientNotFound(self, key_id, address):
2907
def ClientNotFound(self, fingerprint, address):
3402
2908
"D-Bus signal"
3403
2909
pass
3404
2910
3405
2911
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3406
2912
"true"})
3407
2913
@dbus.service.signal(_interface, signature="os")
3408
2914
def ClientRemoved(self, objpath, name):
3409
2915
"D-Bus signal"
3410
2916
pass
3411
2917
3412
2918
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3413
2919
"true"})
3414
2920
@dbus.service.method(_interface, out_signature="ao")
3415
2921
def GetAllClients(self):
3416
2922
"D-Bus method"
3417
2923
return dbus.Array(c.dbus_object_path for c in
3418
tcp_server.clients.values())
3419
2924
tcp_server.clients.itervalues())
2925
3420
2926
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3421
2927
"true"})
3422
2928
@dbus.service.method(_interface,
3424
2930
def GetAllClientsWithProperties(self):
3425
2931
"D-Bus method"
3426
2932
return dbus.Dictionary(
3427
{c.dbus_object_path: c.GetAll(
2933
{ c.dbus_object_path: c.GetAll(
3428
2934
"se.recompile.Mandos.Client")
3429
for c in tcp_server.clients.values()},
2935
for c in tcp_server.clients.itervalues() },
3430
2936
signature="oa{sv}")
3431
2937
3432
2938
@dbus.service.method(_interface, in_signature="o")
3433
2939
def RemoveClient(self, object_path):
3434
2940
"D-Bus method"
3435
for c in tcp_server.clients.values():
2941
for c in tcp_server.clients.itervalues():
3436
2942
if c.dbus_object_path == object_path:
3437
2943
del tcp_server.clients[c.name]
3438
2944
c.remove_from_connection()
3442
2948
self.client_removed_signal(c)
3443
2949
return
3444
2950
raise KeyError(object_path)
3445
2951
3446
2952
del _interface
3447
2953
3448
2954
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3449
out_signature="a{oa{sa{sv}}}")
2955
out_signature = "a{oa{sa{sv}}}")
3450
2956
def GetManagedObjects(self):
3451
2957
"""D-Bus method"""
3452
2958
return dbus.Dictionary(
3453
{client.dbus_object_path:
3454
dbus.Dictionary(
3455
{interface: client.GetAll(interface)
3456
for interface in
3457
client._get_all_interface_names()})
3458
for client in tcp_server.clients.values()})
3459
2959
{ client.dbus_object_path:
2960
dbus.Dictionary(
2961
{ interface: client.GetAll(interface)
2962
for interface in
2963
client._get_all_interface_names()})
2964
for client in tcp_server.clients.values()})
2965
3460
2966
def client_added_signal(self, client):
3461
2967
"""Send the new standard signal and the old signal"""
3462
2968
if use_dbus:
3464
2970
self.InterfacesAdded(
3465
2971
client.dbus_object_path,
3466
2972
dbus.Dictionary(
3467
{interface: client.GetAll(interface)
3468
for interface in
3469
client._get_all_interface_names()}))
2973
{ interface: client.GetAll(interface)
2974
for interface in
2975
client._get_all_interface_names()}))
3470
2976
# Old signal
3471
2977
self.ClientAdded(client.dbus_object_path)
3472
2978
3473
2979
def client_removed_signal(self, client):
3474
2980
"""Send the new standard signal and the old signal"""
3475
2981
if use_dbus:
3480
2986
# Old signal
3481
2987
self.ClientRemoved(client.dbus_object_path,
3482
2988
client.name)
3483
2989
3484
2990
mandos_dbus_service = MandosDBusService()
3485
3486
# Save modules to variables to exempt the modules from being
3487
# unloaded before the function registered with atexit() is run.
3488
mp = multiprocessing
3489
wn = wnull
3490
2991
3491
2992
def cleanup():
3492
2993
"Cleanup function; run on exit"
3493
2994
if zeroconf:
3494
2995
service.cleanup()
3495
3496
mp.active_children()
3497
wn.close()
2996
2997
multiprocessing.active_children()
2998
wnull.close()
3498
2999
if not (tcp_server.clients or client_settings):
3499
3000
return
3500
3001
3501
3002
# Store client before exiting. Secrets are encrypted with key
3502
3003
# based on what config file has. If config file is
3503
3004
# removed/edited, old secret will thus be unrecovable.
3504
3005
clients = {}
3505
3006
with PGPEngine() as pgp:
3506
for client in tcp_server.clients.values():
3007
for client in tcp_server.clients.itervalues():
3507
3008
key = client_settings[client.name]["secret"]
3508
3009
client.encrypted_secret = pgp.encrypt(client.secret,
3509
3010
key)
3510
3011
client_dict = {}
3511
3012
3512
3013
# A list of attributes that can not be pickled
3513
3014
# + secret.
3514
exclude = {"bus", "changedstate", "secret",
3515
"checker", "server_settings"}
3015
exclude = { "bus", "changedstate", "secret",
3016
"checker", "server_settings" }
3516
3017
for name, typ in inspect.getmembers(dbus.service
3517
3018
.Object):
3518
3019
exclude.add(name)
3519
3020
3520
3021
client_dict["encrypted_secret"] = (client
3521
3022
.encrypted_secret)
3522
3023
for attr in client.client_structure:
3523
3024
if attr not in exclude:
3524
3025
client_dict[attr] = getattr(client, attr)
3525
3026
3526
3027
clients[client.name] = client_dict
3527
3028
del client_settings[client.name]["secret"]
3528
3029
3529
3030
try:
3530
3031
with tempfile.NamedTemporaryFile(
3531
3032
mode='wb',
3533
3034
prefix='clients-',
3534
3035
dir=os.path.dirname(stored_state_path),
3535
3036
delete=False) as stored_state:
3536
pickle.dump((clients, client_settings), stored_state,
3537
protocol=2)
3037
pickle.dump((clients, client_settings), stored_state)
3538
3038
tempname = stored_state.name
3539
3039
os.rename(tempname, stored_state_path)
3540
3040
except (IOError, OSError) as e:
3550
3050
logger.warning("Could not save persistent state:",
3551
3051
exc_info=e)
3552
3052
raise
3553
3053
3554
3054
# Delete all clients, and settings from config
3555
3055
while tcp_server.clients:
3556
3056
name, client = tcp_server.clients.popitem()
3559
3059
# Don't signal the disabling
3560
3060
client.disable(quiet=True)
3561
3061
# Emit D-Bus signal for removal
3562
if use_dbus:
3563
mandos_dbus_service.client_removed_signal(client)
3062
mandos_dbus_service.client_removed_signal(client)
3564
3063
client_settings.clear()
3565
3064
3566
3065
atexit.register(cleanup)
3567
3568
for client in tcp_server.clients.values():
3066
3067
for client in tcp_server.clients.itervalues():
3569
3068
if use_dbus:
3570
3069
# Emit D-Bus signal for adding
3571
3070
mandos_dbus_service.client_added_signal(client)
3572
3071
# Need to initiate checking of clients
3573
3072
if client.enabled:
3574
3073
client.init_checker()
3575
3074
3576
3075
tcp_server.enable()
3577
3076
tcp_server.server_activate()
3578
3077
3579
3078
# Find out what port we got
3580
3079
if zeroconf:
3581
3080
service.port = tcp_server.socket.getsockname()[1]
3586
3085
else: # IPv4
3587
3086
logger.info("Now listening on address %r, port %d",
3588
3087
*tcp_server.socket.getsockname())
3589
3590
# service.interface = tcp_server.socket.getsockname()[3]
3591
3088
3089
#service.interface = tcp_server.socket.getsockname()[3]
3090
3592
3091
try:
3593
3092
if zeroconf:
3594
3093
# From the Avahi example code
3599
3098
cleanup()
3600
3099
sys.exit(1)
3601
3100
# End of Avahi example code
3602
3603
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3604
lambda *args, **kwargs:
3605
(tcp_server.handle_request
3606
(*args[2:], **kwargs) or True))
3607
3101
3102
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3103
lambda *args, **kwargs:
3104
(tcp_server.handle_request
3105
(*args[2:], **kwargs) or True))
3106
3608
3107
logger.debug("Starting main loop")
3609
3108
main_loop.run()
3610
3109
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0