To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.333
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.333
- Committer: Teddy Hogeborn
- Date: 2015-08-10 09:00:23 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810090023-fz6vjqr7zf33e2tf
Support the standard org.freedesktop.DBus.ObjectManager interface.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
77
79
import itertools
78
80
import collections
79
81
import codecs
80
import unittest
81
import random
82
import shlex
83
82
84
83
import dbus
85
84
import dbus.service
86
import gi
87
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
88
90
from dbus.mainloop.glib import DBusGMainLoop
89
91
import ctypes
90
92
import ctypes.util
91
93
import xml.dom.minidom
92
94
import inspect
93
95
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
96
try:
122
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
123
98
except AttributeError:
124
99
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
127
100
from IN import SO_BINDTODEVICE
128
101
except ImportError:
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.11"
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
147
108
stored_state_file = "clients.pickle"
148
109
149
110
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
111
syslogger = None
152
112
153
113
try:
154
114
if_nametoindex = ctypes.cdll.LoadLibrary(
155
115
ctypes.util.find_library("c")).if_nametoindex
156
116
except (OSError, AttributeError):
157
117
158
118
def if_nametoindex(interface):
159
119
"Get an interface index the hard way, i.e. using fcntl()"
160
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
165
125
return interface_index
166
126
167
127
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
184
128
def initlogger(debug, level=logging.WARNING):
185
129
"""init logger and add loglevel"""
186
130
187
131
global syslogger
188
132
syslogger = (logging.handlers.SysLogHandler(
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
191
135
syslogger.setFormatter(logging.Formatter
192
136
('Mandos [%(process)d]: %(levelname)s:'
193
137
' %(message)s'))
194
138
logger.addHandler(syslogger)
195
139
196
140
if debug:
197
141
console = logging.StreamHandler()
198
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
208
152
pass
209
153
210
154
211
class PGPEngine:
155
class PGPEngine(object):
212
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
157
214
158
def __init__(self):
215
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
227
160
self.gnupgargs = ['--batch',
228
'--homedir', self.tempdir,
161
'--home', self.tempdir,
229
162
'--force-mdc',
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
163
'--quiet',
164
'--no-use-agent']
165
235
166
def __enter__(self):
236
167
return self
237
168
238
169
def __exit__(self, exc_type, exc_value, traceback):
239
170
self._cleanup()
240
171
return False
241
172
242
173
def __del__(self):
243
174
self._cleanup()
244
175
245
176
def _cleanup(self):
246
177
if self.tempdir is not None:
247
178
# Delete contents of tempdir
248
179
for root, dirs, files in os.walk(self.tempdir,
249
topdown=False):
180
topdown = False):
250
181
for filename in files:
251
182
os.remove(os.path.join(root, filename))
252
183
for dirname in dirs:
254
185
# Remove tempdir
255
186
os.rmdir(self.tempdir)
256
187
self.tempdir = None
257
188
258
189
def password_encode(self, password):
259
190
# Passphrase can not be empty and can not contain newlines or
260
191
# NUL bytes. So we prefix it and hex encode it.
265
196
.replace(b"\n", b"\\n")
266
197
.replace(b"\0", b"\\x00"))
267
198
return encoded
268
199
269
200
def encrypt(self, data, password):
270
201
passphrase = self.password_encode(password)
271
202
with tempfile.NamedTemporaryFile(
272
203
dir=self.tempdir) as passfile:
273
204
passfile.write(passphrase)
274
205
passfile.flush()
275
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
276
207
'--passphrase-file',
277
208
passfile.name]
278
209
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
283
214
if proc.returncode != 0:
284
215
raise PGPError(err)
285
216
return ciphertext
286
217
287
218
def decrypt(self, data, password):
288
219
passphrase = self.password_encode(password)
289
220
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
291
222
passfile.write(passphrase)
292
223
passfile.flush()
293
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
294
225
'--passphrase-file',
295
226
passfile.name]
296
227
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
301
232
if proc.returncode != 0:
302
233
raise PGPError(err)
303
234
return decrypted_plaintext
304
235
305
236
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
332
237
class AvahiError(Exception):
333
238
def __init__(self, value, *args, **kwargs):
334
239
self.value = value
344
249
pass
345
250
346
251
347
class AvahiService:
252
class AvahiService(object):
348
253
"""An Avahi (Zeroconf) service.
349
254
350
255
Attributes:
351
256
interface: integer; avahi.IF_UNSPEC or an interface index.
352
257
Used to optionally bind to the specified interface.
364
269
server: D-Bus Server
365
270
bus: dbus.SystemBus()
366
271
"""
367
272
368
273
def __init__(self,
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
379
284
self.interface = interface
380
285
self.name = name
381
286
self.type = servicetype
390
295
self.server = None
391
296
self.bus = bus
392
297
self.entry_group_state_changed_match = None
393
298
394
299
def rename(self, remove=True):
395
300
"""Derived from the Avahi example code"""
396
301
if self.rename_count >= self.max_renames:
416
321
logger.critical("D-Bus Exception", exc_info=error)
417
322
self.cleanup()
418
323
os._exit(1)
419
324
420
325
def remove(self):
421
326
"""Derived from the Avahi example code"""
422
327
if self.entry_group_state_changed_match is not None:
424
329
self.entry_group_state_changed_match = None
425
330
if self.group is not None:
426
331
self.group.Reset()
427
332
428
333
def add(self):
429
334
"""Derived from the Avahi example code"""
430
335
self.remove()
447
352
dbus.UInt16(self.port),
448
353
avahi.string_array_to_txt_array(self.TXT))
449
354
self.group.Commit()
450
355
451
356
def entry_group_state_changed(self, state, error):
452
357
"""Derived from the Avahi example code"""
453
358
logger.debug("Avahi entry group state change: %i", state)
454
359
455
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
361
logger.debug("Zeroconf service established.")
457
362
elif state == avahi.ENTRY_GROUP_COLLISION:
461
366
logger.critical("Avahi: Error in group state changed %s",
462
367
str(error))
463
368
raise AvahiGroupError("State changed: {!s}".format(error))
464
369
465
370
def cleanup(self):
466
371
"""Derived from the Avahi example code"""
467
372
if self.group is not None:
472
377
pass
473
378
self.group = None
474
379
self.remove()
475
380
476
381
def server_state_changed(self, state, error=None):
477
382
"""Derived from the Avahi example code"""
478
383
logger.debug("Avahi server state change: %i", state)
507
412
logger.debug("Unknown state: %r", state)
508
413
else:
509
414
logger.debug("Unknown state: %r: %r", state, error)
510
415
511
416
def activate(self):
512
417
"""Derived from the Avahi example code"""
513
418
if self.server is None:
524
429
class AvahiServiceToSyslog(AvahiService):
525
430
def rename(self, *args, **kwargs):
526
431
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
528
433
syslogger.setFormatter(logging.Formatter(
529
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
435
.format(self.name)))
531
436
return ret
532
437
533
534
# Pretend that we have a GnuTLS module
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
537
538
library = ctypes.util.find_library("gnutls")
539
if library is None:
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
542
del library
543
544
# Unless otherwise indicated, the constants and types below are
545
# all from the gnutls/gnutls.h C header file.
546
547
# Constants
548
E_SUCCESS = 0
549
E_INTERRUPTED = -52
550
E_AGAIN = -28
551
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
553
CLIENT = 2
554
SHUT_RDWR = 0
555
CRD_CERTIFICATE = 1
556
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
563
564
# Types
565
class session_int(ctypes.Structure):
566
_fields_ = []
567
session_t = ctypes.POINTER(session_int)
568
569
class certificate_credentials_st(ctypes.Structure):
570
_fields_ = []
571
certificate_credentials_t = ctypes.POINTER(
572
certificate_credentials_st)
573
certificate_type_t = ctypes.c_int
574
575
class datum_t(ctypes.Structure):
576
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
577
('size', ctypes.c_uint)]
578
579
class openpgp_crt_int(ctypes.Structure):
580
_fields_ = []
581
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
credentials_type_t = ctypes.c_int
585
transport_ptr_t = ctypes.c_void_p
586
close_request_t = ctypes.c_int
587
588
# Exceptions
589
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
591
# Default usage is by a message string, but if a return
592
# code is passed, convert it to a string with
593
# gnutls.strerror()
594
self.code = code
595
if message is None and code is not None:
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
598
message, *args)
599
600
class CertificateSecurityError(Error):
601
pass
602
603
# Classes
604
class Credentials:
605
def __init__(self):
606
self._c_object = gnutls.certificate_credentials_t()
607
gnutls.certificate_allocate_credentials(
608
ctypes.byref(self._c_object))
609
self.type = gnutls.CRD_CERTIFICATE
610
611
def __del__(self):
612
gnutls.certificate_free_credentials(self._c_object)
613
614
class ClientSession:
615
def __init__(self, socket, credentials=None):
616
self._c_object = gnutls.session_t()
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
620
if gnutls.has_rawpk:
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
623
del gnutls_flags
624
gnutls.set_default_priority(self._c_object)
625
gnutls.transport_set_ptr(self._c_object, socket.fileno())
626
gnutls.handshake_set_private_extensions(self._c_object,
627
True)
628
self.socket = socket
629
if credentials is None:
630
credentials = gnutls.Credentials()
631
gnutls.credentials_set(self._c_object, credentials.type,
632
ctypes.cast(credentials._c_object,
633
ctypes.c_void_p))
634
self.credentials = credentials
635
636
def __del__(self):
637
gnutls.deinit(self._c_object)
638
639
def handshake(self):
640
return gnutls.handshake(self._c_object)
641
642
def send(self, data):
643
data = bytes(data)
644
data_len = len(data)
645
while data_len > 0:
646
data_len -= gnutls.record_send(self._c_object,
647
data[-data_len:],
648
data_len)
649
650
def bye(self):
651
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
652
653
# Error handling functions
654
def _error_code(result):
655
"""A function to raise exceptions on errors, suitable
656
for the 'restype' attribute on ctypes functions"""
657
if result >= 0:
658
return result
659
if result == gnutls.E_NO_CERTIFICATE_FOUND:
660
raise gnutls.CertificateSecurityError(code=result)
661
raise gnutls.Error(code=result)
662
663
def _retry_on_error(result, func, arguments):
664
"""A function to retry on some errors, suitable
665
for the 'errcheck' attribute on ctypes functions"""
666
while result < 0:
667
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
668
return _error_code(result)
669
result = func(*arguments)
670
return result
671
672
# Unless otherwise indicated, the function declarations below are
673
# all from the gnutls/gnutls.h C header file.
674
675
# Functions
676
priority_set_direct = _library.gnutls_priority_set_direct
677
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
678
ctypes.POINTER(ctypes.c_char_p)]
679
priority_set_direct.restype = _error_code
680
681
init = _library.gnutls_init
682
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
683
init.restype = _error_code
684
685
set_default_priority = _library.gnutls_set_default_priority
686
set_default_priority.argtypes = [session_t]
687
set_default_priority.restype = _error_code
688
689
record_send = _library.gnutls_record_send
690
record_send.argtypes = [session_t, ctypes.c_void_p,
691
ctypes.c_size_t]
692
record_send.restype = ctypes.c_ssize_t
693
record_send.errcheck = _retry_on_error
694
695
certificate_allocate_credentials = (
696
_library.gnutls_certificate_allocate_credentials)
697
certificate_allocate_credentials.argtypes = [
698
ctypes.POINTER(certificate_credentials_t)]
699
certificate_allocate_credentials.restype = _error_code
700
701
certificate_free_credentials = (
702
_library.gnutls_certificate_free_credentials)
703
certificate_free_credentials.argtypes = [
704
certificate_credentials_t]
705
certificate_free_credentials.restype = None
706
707
handshake_set_private_extensions = (
708
_library.gnutls_handshake_set_private_extensions)
709
handshake_set_private_extensions.argtypes = [session_t,
710
ctypes.c_int]
711
handshake_set_private_extensions.restype = None
712
713
credentials_set = _library.gnutls_credentials_set
714
credentials_set.argtypes = [session_t, credentials_type_t,
715
ctypes.c_void_p]
716
credentials_set.restype = _error_code
717
718
strerror = _library.gnutls_strerror
719
strerror.argtypes = [ctypes.c_int]
720
strerror.restype = ctypes.c_char_p
721
722
certificate_type_get = _library.gnutls_certificate_type_get
723
certificate_type_get.argtypes = [session_t]
724
certificate_type_get.restype = _error_code
725
726
certificate_get_peers = _library.gnutls_certificate_get_peers
727
certificate_get_peers.argtypes = [session_t,
728
ctypes.POINTER(ctypes.c_uint)]
729
certificate_get_peers.restype = ctypes.POINTER(datum_t)
730
731
global_set_log_level = _library.gnutls_global_set_log_level
732
global_set_log_level.argtypes = [ctypes.c_int]
733
global_set_log_level.restype = None
734
735
global_set_log_function = _library.gnutls_global_set_log_function
736
global_set_log_function.argtypes = [log_func]
737
global_set_log_function.restype = None
738
739
deinit = _library.gnutls_deinit
740
deinit.argtypes = [session_t]
741
deinit.restype = None
742
743
handshake = _library.gnutls_handshake
744
handshake.argtypes = [session_t]
745
handshake.restype = _error_code
746
handshake.errcheck = _retry_on_error
747
748
transport_set_ptr = _library.gnutls_transport_set_ptr
749
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
750
transport_set_ptr.restype = None
751
752
bye = _library.gnutls_bye
753
bye.argtypes = [session_t, close_request_t]
754
bye.restype = _error_code
755
bye.errcheck = _retry_on_error
756
757
check_version = _library.gnutls_check_version
758
check_version.argtypes = [ctypes.c_char_p]
759
check_version.restype = ctypes.c_char_p
760
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
765
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
768
769
if has_rawpk:
770
# Types
771
class pubkey_st(ctypes.Structure):
772
_fields = []
773
pubkey_t = ctypes.POINTER(pubkey_st)
774
775
x509_crt_fmt_t = ctypes.c_int
776
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
781
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
784
x509_crt_fmt_t]
785
pubkey_import.restype = _error_code
786
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
792
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
796
else:
797
# All the function declarations below are from gnutls/openpgp.h
798
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
802
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
806
openpgp_crt_fmt_t]
807
openpgp_crt_import.restype = _error_code
808
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
813
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
817
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
821
ctypes.c_void_p,
822
ctypes.POINTER(
823
ctypes.c_size_t)]
824
openpgp_crt_get_fingerprint.restype = _error_code
825
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
830
831
# Remove non-public functions
832
del _error_code, _retry_on_error
833
834
835
438
def call_pipe(connection, # : multiprocessing.Connection
836
439
func, *args, **kwargs):
837
440
"""This function is meant to be called by multiprocessing.Process
838
441
839
442
This function runs func(*args, **kwargs), and writes the resulting
840
443
return value on the provided multiprocessing.Connection.
841
444
"""
842
445
connection.send(func(*args, **kwargs))
843
446
connection.close()
844
447
845
846
class Client:
448
class Client(object):
847
449
"""A representation of a client host served by this server.
848
450
849
451
Attributes:
850
452
approved: bool(); 'None' if not yet approved/disapproved
851
453
approval_delay: datetime.timedelta(); Time to wait for approval
852
454
approval_duration: datetime.timedelta(); Duration of one approval
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
855
running.
856
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
857
459
checker_command: string; External command which is run to check
858
460
if client lives. %() expansions are done at
859
461
runtime with vars(self) as dict, so that for
860
462
instance %(name)s can be used in the command.
861
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
862
464
created: datetime.datetime(); (UTC) object creation
863
465
client_structure: Object describing what attributes a client has
864
466
and is used for storing the client at exit
865
467
current_checker_command: string; current running checker_command
866
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
867
469
enabled: bool()
868
470
fingerprint: string (40 or 32 hexadecimal digits); used to
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
471
uniquely identify the client
872
472
host: string; available for use by the checker command
873
473
interval: datetime.timedelta(); How often to start a new checker
874
474
last_approval_request: datetime.datetime(); (UTC) or None
890
490
disabled, or None
891
491
server_settings: The server_settings dict from main()
892
492
"""
893
493
894
494
runtime_expansions = ("approval_delay", "approval_duration",
895
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
896
496
"fingerprint", "host", "interval",
897
497
"last_approval_request", "last_checked_ok",
898
498
"last_enabled", "name", "timeout")
907
507
"approved_by_default": "True",
908
508
"enabled": "True",
909
509
}
910
510
911
511
@staticmethod
912
512
def config_parser(config):
913
513
"""Construct a new dict of client settings of this form:
920
520
for client_name in config.sections():
921
521
section = dict(config.items(client_name))
922
522
client = settings[client_name] = {}
923
523
924
524
client["host"] = section["host"]
925
525
# Reformat values from string types to Python types
926
526
client["approved_by_default"] = config.getboolean(
927
527
client_name, "approved_by_default")
928
528
client["enabled"] = config.getboolean(client_name,
929
529
"enabled")
930
931
# Uppercase and remove spaces from key_id and fingerprint
932
# for later comparison purposes with return value from the
933
# key_id() and fingerprint() functions
934
client["key_id"] = (section.get("key_id", "").upper()
935
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
936
534
client["fingerprint"] = (section["fingerprint"].upper()
937
535
.replace(" ", ""))
938
536
if "secret" in section:
939
client["secret"] = codecs.decode(section["secret"]
940
.encode("utf-8"),
941
"base64")
537
client["secret"] = section["secret"].decode("base64")
942
538
elif "secfile" in section:
943
539
with open(os.path.expanduser(os.path.expandvars
944
540
(section["secfile"])),
959
555
client["last_approval_request"] = None
960
556
client["last_checked_ok"] = None
961
557
client["last_checker_status"] = -2
962
558
963
559
return settings
964
965
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
966
562
self.name = name
967
563
if server_settings is None:
968
564
server_settings = {}
970
566
# adding all client settings
971
567
for setting, value in settings.items():
972
568
setattr(self, setting, value)
973
569
974
570
if self.enabled:
975
571
if not hasattr(self, "last_enabled"):
976
572
self.last_enabled = datetime.datetime.utcnow()
980
576
else:
981
577
self.last_enabled = None
982
578
self.expires = None
983
579
984
580
logger.debug("Creating client %r", self.name)
985
logger.debug(" Key ID: %s", self.key_id)
986
581
logger.debug(" Fingerprint: %s", self.fingerprint)
987
582
self.created = settings.get("created",
988
583
datetime.datetime.utcnow())
989
584
990
585
# attributes specific for this server instance
991
586
self.checker = None
992
587
self.checker_initiator_tag = None
998
593
self.changedstate = multiprocessing_manager.Condition(
999
594
multiprocessing_manager.Lock())
1000
595
self.client_structure = [attr
1001
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
1002
597
if not attr.startswith("_")]
1003
598
self.client_structure.append("client_structure")
1004
599
1005
600
for name, t in inspect.getmembers(
1006
601
type(self), lambda obj: isinstance(obj, property)):
1007
602
if not name.startswith("_"):
1008
603
self.client_structure.append(name)
1009
604
1010
605
# Send notice to process children that client state has changed
1011
606
def send_changedstate(self):
1012
607
with self.changedstate:
1013
608
self.changedstate.notify_all()
1014
609
1015
610
def enable(self):
1016
611
"""Start this client's checker and timeout hooks"""
1017
612
if getattr(self, "enabled", False):
1022
617
self.last_enabled = datetime.datetime.utcnow()
1023
618
self.init_checker()
1024
619
self.send_changedstate()
1025
620
1026
621
def disable(self, quiet=True):
1027
622
"""Disable this client."""
1028
623
if not getattr(self, "enabled", False):
1030
625
if not quiet:
1031
626
logger.info("Disabling client %s", self.name)
1032
627
if getattr(self, "disable_initiator_tag", None) is not None:
1033
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1034
629
self.disable_initiator_tag = None
1035
630
self.expires = None
1036
631
if getattr(self, "checker_initiator_tag", None) is not None:
1037
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1038
633
self.checker_initiator_tag = None
1039
634
self.stop_checker()
1040
635
self.enabled = False
1041
636
if not quiet:
1042
637
self.send_changedstate()
1043
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1044
639
return False
1045
640
1046
641
def __del__(self):
1047
642
self.disable()
1048
643
1049
644
def init_checker(self):
1050
645
# Schedule a new checker to be started an 'interval' from now,
1051
646
# and every interval from then on.
1052
647
if self.checker_initiator_tag is not None:
1053
GLib.source_remove(self.checker_initiator_tag)
1054
self.checker_initiator_tag = GLib.timeout_add(
1055
random.randrange(int(self.interval.total_seconds() * 1000
1056
+ 1)),
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1057
651
self.start_checker)
1058
652
# Schedule a disable() when 'timeout' has passed
1059
653
if self.disable_initiator_tag is not None:
1060
GLib.source_remove(self.disable_initiator_tag)
1061
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1062
656
int(self.timeout.total_seconds() * 1000), self.disable)
1063
657
# Also start a new checker *right now*.
1064
658
self.start_checker()
1065
659
1066
660
def checker_callback(self, source, condition, connection,
1067
661
command):
1068
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1069
665
# Read return code from connection (see call_pipe)
1070
666
returncode = connection.recv()
1071
667
connection.close()
1072
if self.checker is not None:
1073
self.checker.join()
1074
self.checker_callback_tag = None
1075
self.checker = None
1076
668
1077
669
if returncode >= 0:
1078
670
self.last_checker_status = returncode
1079
671
self.last_checker_signal = None
1089
681
logger.warning("Checker for %(name)s crashed?",
1090
682
vars(self))
1091
683
return False
1092
684
1093
685
def checked_ok(self):
1094
686
"""Assert that the client has been seen, alive and well."""
1095
687
self.last_checked_ok = datetime.datetime.utcnow()
1096
688
self.last_checker_status = 0
1097
689
self.last_checker_signal = None
1098
690
self.bump_timeout()
1099
691
1100
692
def bump_timeout(self, timeout=None):
1101
693
"""Bump up the timeout for this client."""
1102
694
if timeout is None:
1103
695
timeout = self.timeout
1104
696
if self.disable_initiator_tag is not None:
1105
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1106
698
self.disable_initiator_tag = None
1107
699
if getattr(self, "enabled", False):
1108
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1109
701
int(timeout.total_seconds() * 1000), self.disable)
1110
702
self.expires = datetime.datetime.utcnow() + timeout
1111
703
1112
704
def need_approval(self):
1113
705
self.last_approval_request = datetime.datetime.utcnow()
1114
706
1115
707
def start_checker(self):
1116
708
"""Start a new checker subprocess if one is not running.
1117
709
1118
710
If a checker already exists, leave it running and do
1119
711
nothing."""
1120
712
# The reason for not killing a running checker is that if we
1125
717
# checkers alone, the checker would have to take more time
1126
718
# than 'timeout' for the client to be disabled, which is as it
1127
719
# should be.
1128
720
1129
721
if self.checker is not None and not self.checker.is_alive():
1130
722
logger.warning("Checker was not alive; joining")
1131
723
self.checker.join()
1134
726
if self.checker is None:
1135
727
# Escape attributes for the shell
1136
728
escaped_attrs = {
1137
attr: shlex.quote(str(getattr(self, attr)))
1138
for attr in self.runtime_expansions}
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1139
731
try:
1140
732
command = self.checker_command % escaped_attrs
1141
733
except TypeError as error:
1153
745
# The exception is when not debugging but nevertheless
1154
746
# running in the foreground; use the previously
1155
747
# created wnull.
1156
popen_args = {"close_fds": True,
1157
"shell": True,
1158
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1159
751
if (not self.server_settings["debug"]
1160
752
and self.server_settings["foreground"]):
1161
753
popen_args.update({"stdout": wnull,
1162
"stderr": wnull})
1163
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1164
756
self.checker = multiprocessing.Process(
1165
target=call_pipe,
1166
args=(pipe[1], subprocess.call, command),
1167
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1168
760
self.checker.start()
1169
self.checker_callback_tag = GLib.io_add_watch(
1170
GLib.IOChannel.unix_new(pipe[0].fileno()),
1171
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1172
763
self.checker_callback, pipe[0], command)
1173
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1174
765
return True
1175
766
1176
767
def stop_checker(self):
1177
768
"""Force the checker process, if any, to stop."""
1178
769
if self.checker_callback_tag:
1179
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1180
771
self.checker_callback_tag = None
1181
772
if getattr(self, "checker", None) is None:
1182
773
return
1191
782
byte_arrays=False):
1192
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1193
784
become properties on the D-Bus.
1194
785
1195
786
The decorated method will be called with no arguments by "Get"
1196
787
and with one argument by "Set".
1197
788
1198
789
The parameters, where they are supported, are the same as
1199
790
dbus.service.method, except there is only "signature", since the
1200
791
type from Get() and the type sent to Set() is the same.
1204
795
if byte_arrays and signature != "ay":
1205
796
raise ValueError("Byte arrays not supported for non-'ay'"
1206
797
" signature {!r}".format(signature))
1207
798
1208
799
def decorator(func):
1209
800
func._dbus_is_property = True
1210
801
func._dbus_interface = dbus_interface
1213
804
func._dbus_name = func.__name__
1214
805
if func._dbus_name.endswith("_dbus_property"):
1215
806
func._dbus_name = func._dbus_name[:-14]
1216
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1217
808
return func
1218
809
1219
810
return decorator
1220
811
1221
812
1222
813
def dbus_interface_annotations(dbus_interface):
1223
814
"""Decorator for marking functions returning interface annotations
1224
815
1225
816
Usage:
1226
817
1227
818
@dbus_interface_annotations("org.example.Interface")
1228
819
def _foo(self): # Function name does not matter
1229
820
return {"org.freedesktop.DBus.Deprecated": "true",
1230
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1231
822
"false"}
1232
823
"""
1233
824
1234
825
def decorator(func):
1235
826
func._dbus_is_interface = True
1236
827
func._dbus_interface = dbus_interface
1237
828
func._dbus_name = dbus_interface
1238
829
return func
1239
830
1240
831
return decorator
1241
832
1242
833
1243
834
def dbus_annotations(annotations):
1244
835
"""Decorator to annotate D-Bus methods, signals or properties
1245
836
Usage:
1246
837
1247
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1248
839
"org.freedesktop.DBus.Property."
1249
840
"EmitsChangedSignal": "false"})
1251
842
access="r")
1252
843
def Property_dbus_property(self):
1253
844
return dbus.Boolean(False)
1254
845
1255
846
See also the DBusObjectWithAnnotations class.
1256
847
"""
1257
848
1258
849
def decorator(func):
1259
850
func._dbus_annotations = annotations
1260
851
return func
1261
852
1262
853
return decorator
1263
854
1264
855
1282
873
1283
874
class DBusObjectWithAnnotations(dbus.service.Object):
1284
875
"""A D-Bus object with annotations.
1285
876
1286
877
Classes inheriting from this can use the dbus_annotations
1287
878
decorator to add annotations to methods or signals.
1288
879
"""
1289
880
1290
881
@staticmethod
1291
882
def _is_dbus_thing(thing):
1292
883
"""Returns a function testing if an attribute is a D-Bus thing
1293
884
1294
885
If called like _is_dbus_thing("method") it returns a function
1295
886
suitable for use as predicate to inspect.getmembers().
1296
887
"""
1297
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1298
889
False)
1299
890
1300
891
def _get_all_dbus_things(self, thing):
1301
892
"""Returns a generator of (name, attribute) pairs
1302
893
"""
1305
896
for cls in self.__class__.__mro__
1306
897
for name, athing in
1307
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1308
899
1309
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1310
out_signature="s",
1311
path_keyword='object_path',
1312
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1313
904
def Introspect(self, object_path, connection):
1314
905
"""Overloading of standard D-Bus method.
1315
906
1316
907
Inserts annotation tags on methods and signals.
1317
908
"""
1318
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1319
910
connection)
1320
911
try:
1321
912
document = xml.dom.minidom.parseString(xmlstring)
1322
913
1323
914
for if_tag in document.getElementsByTagName("interface"):
1324
915
# Add annotation tags
1325
916
for typ in ("method", "signal"):
1352
943
if_tag.appendChild(ann_tag)
1353
944
# Fix argument name for the Introspect method itself
1354
945
if (if_tag.getAttribute("name")
1355
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1356
947
for cn in if_tag.getElementsByTagName("method"):
1357
948
if cn.getAttribute("name") == "Introspect":
1358
949
for arg in cn.getElementsByTagName("arg"):
1371
962
1372
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1373
964
"""A D-Bus object with properties.
1374
965
1375
966
Classes inheriting from this can use the dbus_service_property
1376
967
decorator to expose methods as D-Bus properties. It exposes the
1377
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1378
969
"""
1379
970
1380
971
def _get_dbus_property(self, interface_name, property_name):
1381
972
"""Returns a bound method if one exists which is a D-Bus
1382
973
property with the specified name and interface.
1387
978
if (value._dbus_name == property_name
1388
979
and value._dbus_interface == interface_name):
1389
980
return value.__get__(self)
1390
981
1391
982
# No such property
1392
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1393
984
self.dbus_object_path, interface_name, property_name))
1394
985
1395
986
@classmethod
1396
987
def _get_all_interface_names(cls):
1397
988
"""Get a sequence of all interfaces supported by an object"""
1400
991
for x in (inspect.getmro(cls))
1401
992
for attr in dir(x))
1402
993
if name is not None)
1403
994
1404
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1405
996
in_signature="ss",
1406
997
out_signature="v")
1414
1005
if not hasattr(value, "variant_level"):
1415
1006
return value
1416
1007
return type(value)(value, variant_level=value.variant_level+1)
1417
1008
1418
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1419
1010
def Set(self, interface_name, property_name, value):
1420
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1429
1020
raise ValueError("Byte arrays not supported for non-"
1430
1021
"'ay' signature {!r}"
1431
1022
.format(prop._dbus_signature))
1432
value = dbus.ByteArray(bytes(value))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1433
1025
prop(value)
1434
1026
1435
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1436
1028
in_signature="s",
1437
1029
out_signature="a{sv}")
1438
1030
def GetAll(self, interface_name):
1439
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1440
1032
standard.
1441
1033
1442
1034
Note: Will not include properties with access="write".
1443
1035
"""
1444
1036
properties = {}
1455
1047
properties[name] = value
1456
1048
continue
1457
1049
properties[name] = type(value)(
1458
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1459
1051
return dbus.Dictionary(properties, signature="sv")
1460
1052
1461
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1462
1054
def PropertiesChanged(self, interface_name, changed_properties,
1463
1055
invalidated_properties):
1465
1057
standard.
1466
1058
"""
1467
1059
pass
1468
1060
1469
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1470
1062
out_signature="s",
1471
1063
path_keyword='object_path',
1472
1064
connection_keyword='connection')
1473
1065
def Introspect(self, object_path, connection):
1474
1066
"""Overloading of standard D-Bus method.
1475
1067
1476
1068
Inserts property tags and interface annotation tags.
1477
1069
"""
1478
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1480
1072
connection)
1481
1073
try:
1482
1074
document = xml.dom.minidom.parseString(xmlstring)
1483
1075
1484
1076
def make_tag(document, name, prop):
1485
1077
e = document.createElement("property")
1486
1078
e.setAttribute("name", name)
1487
1079
e.setAttribute("type", prop._dbus_signature)
1488
1080
e.setAttribute("access", prop._dbus_access)
1489
1081
return e
1490
1082
1491
1083
for if_tag in document.getElementsByTagName("interface"):
1492
1084
# Add property tags
1493
1085
for tag in (make_tag(document, name, prop)
1535
1127
exc_info=error)
1536
1128
return xmlstring
1537
1129
1538
1539
1130
try:
1540
1131
dbus.OBJECT_MANAGER_IFACE
1541
1132
except AttributeError:
1542
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1543
1134
1544
1545
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1546
1136
"""A D-Bus object with an ObjectManager.
1547
1137
1548
1138
Classes inheriting from this exposes the standard
1549
1139
GetManagedObjects call and the InterfacesAdded and
1550
1140
InterfacesRemoved signals on the standard
1551
1141
"org.freedesktop.DBus.ObjectManager" interface.
1552
1142
1553
1143
Note: No signals are sent automatically; they must be sent
1554
1144
manually.
1555
1145
"""
1556
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1557
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1558
1148
def GetManagedObjects(self):
1559
1149
"""This function must be overridden"""
1560
1150
raise NotImplementedError()
1561
1151
1562
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1563
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1564
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1565
1155
pass
1566
1567
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1158
signature = "oas")
1568
1159
def InterfacesRemoved(self, object_path, interfaces):
1569
1160
pass
1570
1161
1571
1162
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1572
out_signature="s",
1573
path_keyword='object_path',
1574
connection_keyword='connection')
1163
out_signature = "s",
1164
path_keyword = 'object_path',
1165
connection_keyword = 'connection')
1575
1166
def Introspect(self, object_path, connection):
1576
1167
"""Overloading of standard D-Bus method.
1577
1168
1578
1169
Override return argument name of GetManagedObjects to be
1579
1170
"objpath_interfaces_and_properties"
1580
1171
"""
1581
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1582
object_path,
1583
connection)
1172
xmlstring = DBusObjectWithAnnotations(self, object_path,
1173
connection)
1584
1174
try:
1585
1175
document = xml.dom.minidom.parseString(xmlstring)
1586
1176
1587
1177
for if_tag in document.getElementsByTagName("interface"):
1588
1178
# Fix argument name for the GetManagedObjects method
1589
1179
if (if_tag.getAttribute("name")
1590
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1591
1181
for cn in if_tag.getElementsByTagName("method"):
1592
1182
if (cn.getAttribute("name")
1593
1183
== "GetManagedObjects"):
1603
1193
except (AttributeError, xml.dom.DOMException,
1604
1194
xml.parsers.expat.ExpatError) as error:
1605
1195
logger.error("Failed to override Introspection method",
1606
exc_info=error)
1196
exc_info = error)
1607
1197
return xmlstring
1608
1198
1609
1610
1199
def datetime_to_dbus(dt, variant_level=0):
1611
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1612
1201
if dt is None:
1613
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1614
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1615
1204
1616
1205
1619
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1620
1209
interface names according to the "alt_interface_names" mapping.
1621
1210
Usage:
1622
1211
1623
1212
@alternate_dbus_interfaces({"org.example.Interface":
1624
1213
"net.example.AlternateInterface"})
1625
1214
class SampleDBusObject(dbus.service.Object):
1626
1215
@dbus.service.method("org.example.Interface")
1627
1216
def SampleDBusMethod():
1628
1217
pass
1629
1218
1630
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1631
1220
reachable via two interfaces: "org.example.Interface" and
1632
1221
"net.example.AlternateInterface", the latter of which will have
1633
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1634
1223
"true", unless "deprecate" is passed with a False value.
1635
1224
1636
1225
This works for methods and signals, and also for D-Bus properties
1637
1226
(from DBusObjectWithProperties) and interfaces (from the
1638
1227
dbus_interface_annotations decorator).
1639
1228
"""
1640
1229
1641
1230
def wrapper(cls):
1642
1231
for orig_interface_name, alt_interface_name in (
1643
1232
alt_interface_names.items()):
1658
1247
interface_names.add(alt_interface)
1659
1248
# Is this a D-Bus signal?
1660
1249
if getattr(attribute, "_dbus_is_signal", False):
1661
# Extract the original non-method undecorated
1662
# function by black magic
1663
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1664
1253
nonmethod_func = (dict(
1665
1254
zip(attribute.func_code.co_freevars,
1666
1255
attribute.__closure__))
1667
1256
["func"].cell_contents)
1668
1257
else:
1669
nonmethod_func = (dict(
1670
zip(attribute.__code__.co_freevars,
1671
attribute.__closure__))
1672
["func"].cell_contents)
1258
nonmethod_func = attribute
1673
1259
# Create a new, but exactly alike, function
1674
1260
# object, and decorate it to be a new D-Bus signal
1675
1261
# with the alternate D-Bus interface name
1676
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1677
1276
new_function = (dbus.service.signal(
1678
1277
alt_interface,
1679
1278
attribute._dbus_signature)(new_function))
1683
1282
attribute._dbus_annotations)
1684
1283
except AttributeError:
1685
1284
pass
1686
1687
1285
# Define a creator of a function to call both the
1688
1286
# original and alternate functions, so both the
1689
1287
# original and alternate signals gets sent when
1692
1290
"""This function is a scope container to pass
1693
1291
func1 and func2 to the "call_both" function
1694
1292
outside of its arguments"""
1695
1696
@functools.wraps(func2)
1293
1697
1294
def call_both(*args, **kwargs):
1698
1295
"""This function will emit two D-Bus
1699
1296
signals by calling func1 and func2"""
1700
1297
func1(*args, **kwargs)
1701
1298
func2(*args, **kwargs)
1702
# Make wrapper function look like a D-Bus
1703
# signal
1704
for name, attr in inspect.getmembers(func2):
1705
if name.startswith("_dbus_"):
1706
setattr(call_both, name, attr)
1707
1299
1708
1300
return call_both
1709
1301
# Create the "call_both" function and add it to
1710
1302
# the class
1720
1312
alt_interface,
1721
1313
attribute._dbus_in_signature,
1722
1314
attribute._dbus_out_signature)
1723
(copy_function(attribute)))
1315
(types.FunctionType(attribute.func_code,
1316
attribute.func_globals,
1317
attribute.func_name,
1318
attribute.func_defaults,
1319
attribute.func_closure)))
1724
1320
# Copy annotations, if any
1725
1321
try:
1726
1322
attr[attrname]._dbus_annotations = dict(
1738
1334
attribute._dbus_access,
1739
1335
attribute._dbus_get_args_options
1740
1336
["byte_arrays"])
1741
(copy_function(attribute)))
1337
(types.FunctionType(
1338
attribute.func_code,
1339
attribute.func_globals,
1340
attribute.func_name,
1341
attribute.func_defaults,
1342
attribute.func_closure)))
1742
1343
# Copy annotations, if any
1743
1344
try:
1744
1345
attr[attrname]._dbus_annotations = dict(
1753
1354
# to the class.
1754
1355
attr[attrname] = (
1755
1356
dbus_interface_annotations(alt_interface)
1756
(copy_function(attribute)))
1357
(types.FunctionType(attribute.func_code,
1358
attribute.func_globals,
1359
attribute.func_name,
1360
attribute.func_defaults,
1361
attribute.func_closure)))
1757
1362
if deprecate:
1758
1363
# Deprecate all alternate interfaces
1759
iname = "_AlternateDBusNames_interface_annotation{}"
1364
iname="_AlternateDBusNames_interface_annotation{}"
1760
1365
for interface_name in interface_names:
1761
1366
1762
1367
@dbus_interface_annotations(interface_name)
1763
1368
def func(self):
1764
return {"org.freedesktop.DBus.Deprecated":
1765
"true"}
1369
return { "org.freedesktop.DBus.Deprecated":
1370
"true" }
1766
1371
# Find an unused name
1767
1372
for aname in (iname.format(i)
1768
1373
for i in itertools.count()):
1772
1377
if interface_names:
1773
1378
# Replace the class with a new subclass of it with
1774
1379
# methods, signals, etc. as created above.
1775
if sys.version_info.major == 2:
1776
cls = type(b"{}Alternate".format(cls.__name__),
1777
(cls, ), attr)
1778
else:
1779
cls = type("{}Alternate".format(cls.__name__),
1780
(cls, ), attr)
1380
cls = type(b"{}Alternate".format(cls.__name__),
1381
(cls, ), attr)
1781
1382
return cls
1782
1383
1783
1384
return wrapper
1784
1385
1785
1386
1787
1388
"se.bsnet.fukt.Mandos"})
1788
1389
class ClientDBus(Client, DBusObjectWithProperties):
1789
1390
"""A Client class using D-Bus
1790
1391
1791
1392
Attributes:
1792
1393
dbus_object_path: dbus.ObjectPath
1793
1394
bus: dbus.SystemBus()
1794
1395
"""
1795
1396
1796
1397
runtime_expansions = (Client.runtime_expansions
1797
1398
+ ("dbus_object_path", ))
1798
1399
1799
1400
_interface = "se.recompile.Mandos.Client"
1800
1401
1801
1402
# dbus.service.Object doesn't use super(), so we can't either.
1802
1803
def __init__(self, bus=None, *args, **kwargs):
1403
1404
def __init__(self, bus = None, *args, **kwargs):
1804
1405
self.bus = bus
1805
1406
Client.__init__(self, *args, **kwargs)
1806
1407
# Only now, when this client is initialized, can it show up on
1812
1413
"/clients/" + client_object_name)
1813
1414
DBusObjectWithProperties.__init__(self, self.bus,
1814
1415
self.dbus_object_path)
1815
1416
1816
1417
def notifychangeproperty(transform_func, dbus_name,
1817
1418
type_func=lambda x: x,
1818
1419
variant_level=1,
1820
1421
_interface=_interface):
1821
1422
""" Modify a variable so that it's a property which announces
1822
1423
its changes to DBus.
1823
1424
1824
1425
transform_fun: Function that takes a value and a variant_level
1825
1426
and transforms it to a D-Bus type.
1826
1427
dbus_name: D-Bus name of the variable
1829
1430
variant_level: D-Bus variant level. Default: 1
1830
1431
"""
1831
1432
attrname = "_{}".format(dbus_name)
1832
1433
1833
1434
def setter(self, value):
1834
1435
if hasattr(self, "dbus_object_path"):
1835
1436
if (not hasattr(self, attrname) or
1842
1443
else:
1843
1444
dbus_value = transform_func(
1844
1445
type_func(value),
1845
variant_level=variant_level)
1446
variant_level = variant_level)
1846
1447
self.PropertyChanged(dbus.String(dbus_name),
1847
1448
dbus_value)
1848
1449
self.PropertiesChanged(
1849
1450
_interface,
1850
dbus.Dictionary({dbus.String(dbus_name):
1851
dbus_value}),
1451
dbus.Dictionary({ dbus.String(dbus_name):
1452
dbus_value }),
1852
1453
dbus.Array())
1853
1454
setattr(self, attrname, value)
1854
1455
1855
1456
return property(lambda self: getattr(self, attrname), setter)
1856
1457
1857
1458
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1858
1459
approvals_pending = notifychangeproperty(dbus.Boolean,
1859
1460
"ApprovalPending",
1860
type_func=bool)
1461
type_func = bool)
1861
1462
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1862
1463
last_enabled = notifychangeproperty(datetime_to_dbus,
1863
1464
"LastEnabled")
1864
1465
checker = notifychangeproperty(
1865
1466
dbus.Boolean, "CheckerRunning",
1866
type_func=lambda checker: checker is not None)
1467
type_func = lambda checker: checker is not None)
1867
1468
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1868
1469
"LastCheckedOK")
1869
1470
last_checker_status = notifychangeproperty(dbus.Int16,
1874
1475
"ApprovedByDefault")
1875
1476
approval_delay = notifychangeproperty(
1876
1477
dbus.UInt64, "ApprovalDelay",
1877
type_func=lambda td: td.total_seconds() * 1000)
1478
type_func = lambda td: td.total_seconds() * 1000)
1878
1479
approval_duration = notifychangeproperty(
1879
1480
dbus.UInt64, "ApprovalDuration",
1880
type_func=lambda td: td.total_seconds() * 1000)
1481
type_func = lambda td: td.total_seconds() * 1000)
1881
1482
host = notifychangeproperty(dbus.String, "Host")
1882
1483
timeout = notifychangeproperty(
1883
1484
dbus.UInt64, "Timeout",
1884
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1885
1486
extended_timeout = notifychangeproperty(
1886
1487
dbus.UInt64, "ExtendedTimeout",
1887
type_func=lambda td: td.total_seconds() * 1000)
1488
type_func = lambda td: td.total_seconds() * 1000)
1888
1489
interval = notifychangeproperty(
1889
1490
dbus.UInt64, "Interval",
1890
type_func=lambda td: td.total_seconds() * 1000)
1491
type_func = lambda td: td.total_seconds() * 1000)
1891
1492
checker_command = notifychangeproperty(dbus.String, "Checker")
1892
1493
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1893
1494
invalidate_only=True)
1894
1495
1895
1496
del notifychangeproperty
1896
1497
1897
1498
def __del__(self, *args, **kwargs):
1898
1499
try:
1899
1500
self.remove_from_connection()
1902
1503
if hasattr(DBusObjectWithProperties, "__del__"):
1903
1504
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1904
1505
Client.__del__(self, *args, **kwargs)
1905
1506
1906
1507
def checker_callback(self, source, condition,
1907
1508
connection, command, *args, **kwargs):
1908
1509
ret = Client.checker_callback(self, source, condition,
1924
1525
| self.last_checker_signal),
1925
1526
dbus.String(command))
1926
1527
return ret
1927
1528
1928
1529
def start_checker(self, *args, **kwargs):
1929
1530
old_checker_pid = getattr(self.checker, "pid", None)
1930
1531
r = Client.start_checker(self, *args, **kwargs)
1934
1535
# Emit D-Bus signal
1935
1536
self.CheckerStarted(self.current_checker_command)
1936
1537
return r
1937
1538
1938
1539
def _reset_approved(self):
1939
1540
self.approved = None
1940
1541
return False
1941
1542
1942
1543
def approve(self, value=True):
1943
1544
self.approved = value
1944
GLib.timeout_add(int(self.approval_duration.total_seconds()
1945
* 1000), self._reset_approved)
1545
gobject.timeout_add(int(self.approval_duration.total_seconds()
1546
* 1000), self._reset_approved)
1946
1547
self.send_changedstate()
1947
1948
# D-Bus methods, signals & properties
1949
1950
# Interfaces
1951
1952
# Signals
1953
1548
1549
## D-Bus methods, signals & properties
1550
1551
## Interfaces
1552
1553
## Signals
1554
1954
1555
# CheckerCompleted - signal
1955
1556
@dbus.service.signal(_interface, signature="nxs")
1956
1557
def CheckerCompleted(self, exitcode, waitstatus, command):
1957
1558
"D-Bus signal"
1958
1559
pass
1959
1560
1960
1561
# CheckerStarted - signal
1961
1562
@dbus.service.signal(_interface, signature="s")
1962
1563
def CheckerStarted(self, command):
1963
1564
"D-Bus signal"
1964
1565
pass
1965
1566
1966
1567
# PropertyChanged - signal
1967
1568
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1968
1569
@dbus.service.signal(_interface, signature="sv")
1969
1570
def PropertyChanged(self, property, value):
1970
1571
"D-Bus signal"
1971
1572
pass
1972
1573
1973
1574
# GotSecret - signal
1974
1575
@dbus.service.signal(_interface)
1975
1576
def GotSecret(self):
1978
1579
server to mandos-client
1979
1580
"""
1980
1581
pass
1981
1582
1982
1583
# Rejected - signal
1983
1584
@dbus.service.signal(_interface, signature="s")
1984
1585
def Rejected(self, reason):
1985
1586
"D-Bus signal"
1986
1587
pass
1987
1588
1988
1589
# NeedApproval - signal
1989
1590
@dbus.service.signal(_interface, signature="tb")
1990
1591
def NeedApproval(self, timeout, default):
1991
1592
"D-Bus signal"
1992
1593
return self.need_approval()
1993
1994
# Methods
1995
1594
1595
## Methods
1596
1996
1597
# Approve - method
1997
1598
@dbus.service.method(_interface, in_signature="b")
1998
1599
def Approve(self, value):
1999
1600
self.approve(value)
2000
1601
2001
1602
# CheckedOK - method
2002
1603
@dbus.service.method(_interface)
2003
1604
def CheckedOK(self):
2004
1605
self.checked_ok()
2005
1606
2006
1607
# Enable - method
2007
1608
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1609
@dbus.service.method(_interface)
2009
1610
def Enable(self):
2010
1611
"D-Bus method"
2011
1612
self.enable()
2012
1613
2013
1614
# StartChecker - method
2014
1615
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2015
1616
@dbus.service.method(_interface)
2016
1617
def StartChecker(self):
2017
1618
"D-Bus method"
2018
1619
self.start_checker()
2019
1620
2020
1621
# Disable - method
2021
1622
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2022
1623
@dbus.service.method(_interface)
2023
1624
def Disable(self):
2024
1625
"D-Bus method"
2025
1626
self.disable()
2026
1627
2027
1628
# StopChecker - method
2028
1629
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2029
1630
@dbus.service.method(_interface)
2030
1631
def StopChecker(self):
2031
1632
self.stop_checker()
2032
2033
# Properties
2034
1633
1634
## Properties
1635
2035
1636
# ApprovalPending - property
2036
1637
@dbus_service_property(_interface, signature="b", access="read")
2037
1638
def ApprovalPending_dbus_property(self):
2038
1639
return dbus.Boolean(bool(self.approvals_pending))
2039
1640
2040
1641
# ApprovedByDefault - property
2041
1642
@dbus_service_property(_interface,
2042
1643
signature="b",
2045
1646
if value is None: # get
2046
1647
return dbus.Boolean(self.approved_by_default)
2047
1648
self.approved_by_default = bool(value)
2048
1649
2049
1650
# ApprovalDelay - property
2050
1651
@dbus_service_property(_interface,
2051
1652
signature="t",
2055
1656
return dbus.UInt64(self.approval_delay.total_seconds()
2056
1657
* 1000)
2057
1658
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2058
1659
2059
1660
# ApprovalDuration - property
2060
1661
@dbus_service_property(_interface,
2061
1662
signature="t",
2065
1666
return dbus.UInt64(self.approval_duration.total_seconds()
2066
1667
* 1000)
2067
1668
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2068
1669
2069
1670
# Name - property
2070
1671
@dbus_annotations(
2071
1672
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2072
1673
@dbus_service_property(_interface, signature="s", access="read")
2073
1674
def Name_dbus_property(self):
2074
1675
return dbus.String(self.name)
2075
2076
# KeyID - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
@dbus_service_property(_interface, signature="s", access="read")
2080
def KeyID_dbus_property(self):
2081
return dbus.String(self.key_id)
2082
1676
2083
1677
# Fingerprint - property
2084
1678
@dbus_annotations(
2085
1679
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
1680
@dbus_service_property(_interface, signature="s", access="read")
2087
1681
def Fingerprint_dbus_property(self):
2088
1682
return dbus.String(self.fingerprint)
2089
1683
2090
1684
# Host - property
2091
1685
@dbus_service_property(_interface,
2092
1686
signature="s",
2095
1689
if value is None: # get
2096
1690
return dbus.String(self.host)
2097
1691
self.host = str(value)
2098
1692
2099
1693
# Created - property
2100
1694
@dbus_annotations(
2101
1695
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2102
1696
@dbus_service_property(_interface, signature="s", access="read")
2103
1697
def Created_dbus_property(self):
2104
1698
return datetime_to_dbus(self.created)
2105
1699
2106
1700
# LastEnabled - property
2107
1701
@dbus_service_property(_interface, signature="s", access="read")
2108
1702
def LastEnabled_dbus_property(self):
2109
1703
return datetime_to_dbus(self.last_enabled)
2110
1704
2111
1705
# Enabled - property
2112
1706
@dbus_service_property(_interface,
2113
1707
signature="b",
2119
1713
self.enable()
2120
1714
else:
2121
1715
self.disable()
2122
1716
2123
1717
# LastCheckedOK - property
2124
1718
@dbus_service_property(_interface,
2125
1719
signature="s",
2129
1723
self.checked_ok()
2130
1724
return
2131
1725
return datetime_to_dbus(self.last_checked_ok)
2132
1726
2133
1727
# LastCheckerStatus - property
2134
1728
@dbus_service_property(_interface, signature="n", access="read")
2135
1729
def LastCheckerStatus_dbus_property(self):
2136
1730
return dbus.Int16(self.last_checker_status)
2137
1731
2138
1732
# Expires - property
2139
1733
@dbus_service_property(_interface, signature="s", access="read")
2140
1734
def Expires_dbus_property(self):
2141
1735
return datetime_to_dbus(self.expires)
2142
1736
2143
1737
# LastApprovalRequest - property
2144
1738
@dbus_service_property(_interface, signature="s", access="read")
2145
1739
def LastApprovalRequest_dbus_property(self):
2146
1740
return datetime_to_dbus(self.last_approval_request)
2147
1741
2148
1742
# Timeout - property
2149
1743
@dbus_service_property(_interface,
2150
1744
signature="t",
2165
1759
if (getattr(self, "disable_initiator_tag", None)
2166
1760
is None):
2167
1761
return
2168
GLib.source_remove(self.disable_initiator_tag)
2169
self.disable_initiator_tag = GLib.timeout_add(
1762
gobject.source_remove(self.disable_initiator_tag)
1763
self.disable_initiator_tag = gobject.timeout_add(
2170
1764
int((self.expires - now).total_seconds() * 1000),
2171
1765
self.disable)
2172
1766
2173
1767
# ExtendedTimeout - property
2174
1768
@dbus_service_property(_interface,
2175
1769
signature="t",
2179
1773
return dbus.UInt64(self.extended_timeout.total_seconds()
2180
1774
* 1000)
2181
1775
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2182
1776
2183
1777
# Interval - property
2184
1778
@dbus_service_property(_interface,
2185
1779
signature="t",
2192
1786
return
2193
1787
if self.enabled:
2194
1788
# Reschedule checker run
2195
GLib.source_remove(self.checker_initiator_tag)
2196
self.checker_initiator_tag = GLib.timeout_add(
1789
gobject.source_remove(self.checker_initiator_tag)
1790
self.checker_initiator_tag = gobject.timeout_add(
2197
1791
value, self.start_checker)
2198
self.start_checker() # Start one now, too
2199
1792
self.start_checker() # Start one now, too
1793
2200
1794
# Checker - property
2201
1795
@dbus_service_property(_interface,
2202
1796
signature="s",
2205
1799
if value is None: # get
2206
1800
return dbus.String(self.checker_command)
2207
1801
self.checker_command = str(value)
2208
1802
2209
1803
# CheckerRunning - property
2210
1804
@dbus_service_property(_interface,
2211
1805
signature="b",
2217
1811
self.start_checker()
2218
1812
else:
2219
1813
self.stop_checker()
2220
1814
2221
1815
# ObjectPath - property
2222
1816
@dbus_annotations(
2223
1817
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2224
1818
"org.freedesktop.DBus.Deprecated": "true"})
2225
1819
@dbus_service_property(_interface, signature="o", access="read")
2226
1820
def ObjectPath_dbus_property(self):
2227
return self.dbus_object_path # is already a dbus.ObjectPath
2228
1821
return self.dbus_object_path # is already a dbus.ObjectPath
1822
2229
1823
# Secret = property
2230
1824
@dbus_annotations(
2231
1825
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2236
1830
byte_arrays=True)
2237
1831
def Secret_dbus_property(self, value):
2238
1832
self.secret = bytes(value)
2239
1833
2240
1834
del _interface
2241
1835
2242
1836
2243
class ProxyClient:
2244
def __init__(self, child_pipe, key_id, fpr, address):
1837
class ProxyClient(object):
1838
def __init__(self, child_pipe, fpr, address):
2245
1839
self._pipe = child_pipe
2246
self._pipe.send(('init', key_id, fpr, address))
1840
self._pipe.send(('init', fpr, address))
2247
1841
if not self._pipe.recv():
2248
raise KeyError(key_id or fpr)
2249
1842
raise KeyError(fpr)
1843
2250
1844
def __getattribute__(self, name):
2251
1845
if name == '_pipe':
2252
1846
return super(ProxyClient, self).__getattribute__(name)
2255
1849
if data[0] == 'data':
2256
1850
return data[1]
2257
1851
if data[0] == 'function':
2258
1852
2259
1853
def func(*args, **kwargs):
2260
1854
self._pipe.send(('funcall', name, args, kwargs))
2261
1855
return self._pipe.recv()[1]
2262
1856
2263
1857
return func
2264
1858
2265
1859
def __setattr__(self, name, value):
2266
1860
if name == '_pipe':
2267
1861
return super(ProxyClient, self).__setattr__(name, value)
2270
1864
2271
1865
class ClientHandler(socketserver.BaseRequestHandler, object):
2272
1866
"""A class to handle client connections.
2273
1867
2274
1868
Instantiated once for each connection to handle it.
2275
1869
Note: This will run in its own forked process."""
2276
1870
2277
1871
def handle(self):
2278
1872
with contextlib.closing(self.server.child_pipe) as child_pipe:
2279
1873
logger.info("TCP connection from: %s",
2280
1874
str(self.client_address))
2281
1875
logger.debug("Pipe FD: %d",
2282
1876
self.server.child_pipe.fileno())
2283
2284
session = gnutls.ClientSession(self.request)
2285
2286
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2287
# "+AES-256-CBC", "+SHA1",
2288
# "+COMP-NULL", "+CTYPE-OPENPGP",
2289
# "+DHE-DSS"))
1877
1878
session = gnutls.connection.ClientSession(
1879
self.request, gnutls.connection .X509Credentials())
1880
1881
# Note: gnutls.connection.X509Credentials is really a
1882
# generic GnuTLS certificate credentials object so long as
1883
# no X.509 keys are added to it. Therefore, we can use it
1884
# here despite using OpenPGP certificates.
1885
1886
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1887
# "+AES-256-CBC", "+SHA1",
1888
# "+COMP-NULL", "+CTYPE-OPENPGP",
1889
# "+DHE-DSS"))
2290
1890
# Use a fallback default, since this MUST be set.
2291
1891
priority = self.server.gnutls_priority
2292
1892
if priority is None:
2293
1893
priority = "NORMAL"
2294
gnutls.priority_set_direct(session._c_object,
2295
priority.encode("utf-8"),
2296
None)
2297
1894
gnutls.library.functions.gnutls_priority_set_direct(
1895
session._c_object, priority, None)
1896
2298
1897
# Start communication using the Mandos protocol
2299
1898
# Get protocol number
2300
1899
line = self.request.makefile().readline()
2305
1904
except (ValueError, IndexError, RuntimeError) as error:
2306
1905
logger.error("Unknown protocol version: %s", error)
2307
1906
return
2308
1907
2309
1908
# Start GnuTLS connection
2310
1909
try:
2311
1910
session.handshake()
2312
except gnutls.Error as error:
1911
except gnutls.errors.GNUTLSError as error:
2313
1912
logger.warning("Handshake failed: %s", error)
2314
1913
# Do not run session.bye() here: the session is not
2315
1914
# established. Just abandon the request.
2316
1915
return
2317
1916
logger.debug("Handshake succeeded")
2318
1917
2319
1918
approval_required = False
2320
1919
try:
2321
if gnutls.has_rawpk:
2322
fpr = b""
2323
try:
2324
key_id = self.key_id(
2325
self.peer_certificate(session))
2326
except (TypeError, gnutls.Error) as error:
2327
logger.warning("Bad certificate: %s", error)
2328
return
2329
logger.debug("Key ID: %s", key_id)
2330
2331
else:
2332
key_id = b""
2333
try:
2334
fpr = self.fingerprint(
2335
self.peer_certificate(session))
2336
except (TypeError, gnutls.Error) as error:
2337
logger.warning("Bad certificate: %s", error)
2338
return
2339
logger.debug("Fingerprint: %s", fpr)
2340
2341
try:
2342
client = ProxyClient(child_pipe, key_id, fpr,
1920
try:
1921
fpr = self.fingerprint(
1922
self.peer_certificate(session))
1923
except (TypeError,
1924
gnutls.errors.GNUTLSError) as error:
1925
logger.warning("Bad certificate: %s", error)
1926
return
1927
logger.debug("Fingerprint: %s", fpr)
1928
1929
try:
1930
client = ProxyClient(child_pipe, fpr,
2343
1931
self.client_address)
2344
1932
except KeyError:
2345
1933
return
2346
1934
2347
1935
if client.approval_delay:
2348
1936
delay = client.approval_delay
2349
1937
client.approvals_pending += 1
2350
1938
approval_required = True
2351
1939
2352
1940
while True:
2353
1941
if not client.enabled:
2354
1942
logger.info("Client %s is disabled",
2357
1945
# Emit D-Bus signal
2358
1946
client.Rejected("Disabled")
2359
1947
return
2360
1948
2361
1949
if client.approved or not client.approval_delay:
2362
# We are approved or approval is disabled
1950
#We are approved or approval is disabled
2363
1951
break
2364
1952
elif client.approved is None:
2365
1953
logger.info("Client %s needs approval",
2376
1964
# Emit D-Bus signal
2377
1965
client.Rejected("Denied")
2378
1966
return
2379
2380
# wait until timeout or approved
1967
1968
#wait until timeout or approved
2381
1969
time = datetime.datetime.now()
2382
1970
client.changedstate.acquire()
2383
1971
client.changedstate.wait(delay.total_seconds())
2396
1984
break
2397
1985
else:
2398
1986
delay -= time2 - time
2399
2400
try:
2401
session.send(client.secret)
2402
except gnutls.Error as error:
2403
logger.warning("gnutls send failed",
2404
exc_info=error)
2405
return
2406
1987
1988
sent_size = 0
1989
while sent_size < len(client.secret):
1990
try:
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1994
exc_info=error)
1995
return
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
1998
+ sent))
1999
sent_size += sent
2000
2407
2001
logger.info("Sending secret to %s", client.name)
2408
2002
# bump the timeout using extended_timeout
2409
2003
client.bump_timeout(client.extended_timeout)
2410
2004
if self.server.use_dbus:
2411
2005
# Emit D-Bus signal
2412
2006
client.GotSecret()
2413
2007
2414
2008
finally:
2415
2009
if approval_required:
2416
2010
client.approvals_pending -= 1
2417
2011
try:
2418
2012
session.bye()
2419
except gnutls.Error as error:
2013
except gnutls.errors.GNUTLSError as error:
2420
2014
logger.warning("GnuTLS bye failed",
2421
2015
exc_info=error)
2422
2016
2423
2017
@staticmethod
2424
2018
def peer_certificate(session):
2425
"Return the peer's certificate as a bytestring"
2426
try:
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2428
gnutls.CTYPE_PEERS)
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2433
else:
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2438
valid_cert_types)
2439
# ...return invalid data
2440
return b""
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2022
session._c_object)
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2441
2026
list_size = ctypes.c_uint(1)
2442
cert_list = (gnutls.certificate_get_peers
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2443
2029
(session._c_object, ctypes.byref(list_size)))
2444
2030
if not bool(cert_list) and list_size.value != 0:
2445
raise gnutls.Error("error getting peer certificate")
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2032
" certificate")
2446
2033
if list_size.value == 0:
2447
2034
return None
2448
2035
cert = cert_list[0]
2449
2036
return ctypes.string_at(cert.data, cert.size)
2450
2451
@staticmethod
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2478
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2483
return hex_key_id
2484
2037
2485
2038
@staticmethod
2486
2039
def fingerprint(openpgp):
2487
2040
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2488
2041
# New GnuTLS "datum" with the OpenPGP public key
2489
datum = gnutls.datum_t(
2042
datum = gnutls.library.types.gnutls_datum_t(
2490
2043
ctypes.cast(ctypes.c_char_p(openpgp),
2491
2044
ctypes.POINTER(ctypes.c_ubyte)),
2492
2045
ctypes.c_uint(len(openpgp)))
2493
2046
# New empty GnuTLS certificate
2494
crt = gnutls.openpgp_crt_t()
2495
gnutls.openpgp_crt_init(ctypes.byref(crt))
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2049
ctypes.byref(crt))
2496
2050
# Import the OpenPGP public key into the certificate
2497
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2498
gnutls.OPENPGP_FMT_RAW)
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2499
2054
# Verify the self signature in the key
2500
2055
crtverify = ctypes.c_uint()
2501
gnutls.openpgp_crt_verify_self(crt, 0,
2502
ctypes.byref(crtverify))
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2503
2058
if crtverify.value != 0:
2504
gnutls.openpgp_crt_deinit(crt)
2505
raise gnutls.CertificateSecurityError(code
2506
=crtverify.value)
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2061
"Verify failed")
2507
2062
# New buffer for the fingerprint
2508
2063
buf = ctypes.create_string_buffer(20)
2509
2064
buf_len = ctypes.c_size_t()
2510
2065
# Get the fingerprint from the certificate into the buffer
2511
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2512
ctypes.byref(buf_len))
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2513
2068
# Deinit the certificate
2514
gnutls.openpgp_crt_deinit(crt)
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2515
2070
# Convert the buffer to a Python bytestring
2516
2071
fpr = ctypes.string_at(buf, buf_len.value)
2517
2072
# Convert the bytestring to hexadecimal notation
2519
2074
return hex_fpr
2520
2075
2521
2076
2522
class MultiprocessingMixIn:
2077
class MultiprocessingMixIn(object):
2523
2078
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2524
2079
2525
2080
def sub_process_main(self, request, address):
2526
2081
try:
2527
2082
self.finish_request(request, address)
2528
2083
except Exception:
2529
2084
self.handle_error(request, address)
2530
2085
self.close_request(request)
2531
2086
2532
2087
def process_request(self, request, address):
2533
2088
"""Start a new process to process the request."""
2534
proc = multiprocessing.Process(target=self.sub_process_main,
2535
args=(request, address))
2089
proc = multiprocessing.Process(target = self.sub_process_main,
2090
args = (request, address))
2536
2091
proc.start()
2537
2092
return proc
2538
2093
2539
2094
2540
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2095
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2541
2096
""" adds a pipe to the MixIn """
2542
2097
2543
2098
def process_request(self, request, client_address):
2544
2099
"""Overrides and wraps the original process_request().
2545
2100
2546
2101
This function creates a new pipe in self.pipe
2547
2102
"""
2548
2103
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2549
2104
2550
2105
proc = MultiprocessingMixIn.process_request(self, request,
2551
2106
client_address)
2552
2107
self.child_pipe.close()
2553
2108
self.add_pipe(parent_pipe, proc)
2554
2109
2555
2110
def add_pipe(self, parent_pipe, proc):
2556
2111
"""Dummy function; override as necessary"""
2557
2112
raise NotImplementedError()
2558
2113
2559
2114
2560
2115
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2561
socketserver.TCPServer):
2116
socketserver.TCPServer, object):
2562
2117
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2563
2118
2564
2119
Attributes:
2565
2120
enabled: Boolean; whether this server is activated yet
2566
2121
interface: None or a network interface name (string)
2567
2122
use_ipv6: Boolean; to use IPv6 or not
2568
2123
"""
2569
2124
2570
2125
def __init__(self, server_address, RequestHandlerClass,
2571
2126
interface=None,
2572
2127
use_ipv6=True,
2582
2137
self.socketfd = socketfd
2583
2138
# Save the original socket.socket() function
2584
2139
self.socket_socket = socket.socket
2585
2586
2140
# To implement --socket, we monkey patch socket.socket.
2587
#
2141
#
2588
2142
# (When socketserver.TCPServer is a new-style class, we
2589
2143
# could make self.socket into a property instead of monkey
2590
2144
# patching socket.socket.)
2591
#
2145
#
2592
2146
# Create a one-time-only replacement for socket.socket()
2593
2147
@functools.wraps(socket.socket)
2594
2148
def socket_wrapper(*args, **kwargs):
2606
2160
# socket_wrapper(), if socketfd was set.
2607
2161
socketserver.TCPServer.__init__(self, server_address,
2608
2162
RequestHandlerClass)
2609
2163
2610
2164
def server_bind(self):
2611
2165
"""This overrides the normal server_bind() function
2612
2166
to bind to an interface if one was specified, and also NOT to
2613
2167
bind to an address or port if they were not specified."""
2614
global SO_BINDTODEVICE
2615
2168
if self.interface is not None:
2616
2169
if SO_BINDTODEVICE is None:
2617
# Fall back to a hard-coded value which seems to be
2618
# common enough.
2619
logger.warning("SO_BINDTODEVICE not found, trying 25")
2620
SO_BINDTODEVICE = 25
2621
try:
2622
self.socket.setsockopt(
2623
socket.SOL_SOCKET, SO_BINDTODEVICE,
2624
(self.interface + "\0").encode("utf-8"))
2625
except socket.error as error:
2626
if error.errno == errno.EPERM:
2627
logger.error("No permission to bind to"
2628
" interface %s", self.interface)
2629
elif error.errno == errno.ENOPROTOOPT:
2630
logger.error("SO_BINDTODEVICE not available;"
2631
" cannot bind to interface %s",
2632
self.interface)
2633
elif error.errno == errno.ENODEV:
2634
logger.error("Interface %s does not exist,"
2635
" cannot bind", self.interface)
2636
else:
2637
raise
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2172
self.interface)
2173
else:
2174
try:
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2185
self.interface)
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2189
else:
2190
raise
2638
2191
# Only bind(2) the socket if we really need to.
2639
2192
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2642
2193
if not self.server_address[0]:
2643
2194
if self.address_family == socket.AF_INET6:
2644
any_address = "::" # in6addr_any
2195
any_address = "::" # in6addr_any
2645
2196
else:
2646
any_address = "0.0.0.0" # INADDR_ANY
2197
any_address = "0.0.0.0" # INADDR_ANY
2647
2198
self.server_address = (any_address,
2648
2199
self.server_address[1])
2649
2200
elif not self.server_address[1]:
2659
2210
2660
2211
class MandosServer(IPv6_TCPServer):
2661
2212
"""Mandos server.
2662
2213
2663
2214
Attributes:
2664
2215
clients: set of Client objects
2665
2216
gnutls_priority GnuTLS priority string
2666
2217
use_dbus: Boolean; to emit D-Bus signals or not
2667
2668
Assumes a GLib.MainLoop event loop.
2218
2219
Assumes a gobject.MainLoop event loop.
2669
2220
"""
2670
2221
2671
2222
def __init__(self, server_address, RequestHandlerClass,
2672
2223
interface=None,
2673
2224
use_ipv6=True,
2683
2234
self.gnutls_priority = gnutls_priority
2684
2235
IPv6_TCPServer.__init__(self, server_address,
2685
2236
RequestHandlerClass,
2686
interface=interface,
2687
use_ipv6=use_ipv6,
2688
socketfd=socketfd)
2689
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2240
2690
2241
def server_activate(self):
2691
2242
if self.enabled:
2692
2243
return socketserver.TCPServer.server_activate(self)
2693
2244
2694
2245
def enable(self):
2695
2246
self.enabled = True
2696
2247
2697
2248
def add_pipe(self, parent_pipe, proc):
2698
2249
# Call "handle_ipc" for both data and EOF events
2699
GLib.io_add_watch(
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2250
gobject.io_add_watch(
2251
parent_pipe.fileno(),
2252
gobject.IO_IN | gobject.IO_HUP,
2702
2253
functools.partial(self.handle_ipc,
2703
parent_pipe=parent_pipe,
2704
proc=proc))
2705
2254
parent_pipe = parent_pipe,
2255
proc = proc))
2256
2706
2257
def handle_ipc(self, source, condition,
2707
2258
parent_pipe=None,
2708
proc=None,
2259
proc = None,
2709
2260
client_object=None):
2710
2261
# error, or the other end of multiprocessing.Pipe has closed
2711
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2712
2263
# Wait for other process to exit
2713
2264
proc.join()
2714
2265
return False
2715
2266
2716
2267
# Read a request from the child
2717
2268
request = parent_pipe.recv()
2718
2269
command = request[0]
2719
2270
2720
2271
if command == 'init':
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2724
2725
for c in self.clients.values():
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2727
continue
2728
if key_id and c.key_id == key_id:
2729
client = c
2730
break
2731
if fpr and c.fingerprint == fpr:
2272
fpr = request[1]
2273
address = request[2]
2274
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2732
2277
client = c
2733
2278
break
2734
2279
else:
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2737
2282
if self.use_dbus:
2738
2283
# Emit D-Bus signal
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2284
mandos_dbus_service.ClientNotFound(fpr,
2740
2285
address[0])
2741
2286
parent_pipe.send(False)
2742
2287
return False
2743
2744
GLib.io_add_watch(
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2288
2289
gobject.io_add_watch(
2290
parent_pipe.fileno(),
2291
gobject.IO_IN | gobject.IO_HUP,
2747
2292
functools.partial(self.handle_ipc,
2748
parent_pipe=parent_pipe,
2749
proc=proc,
2750
client_object=client))
2293
parent_pipe = parent_pipe,
2294
proc = proc,
2295
client_object = client))
2751
2296
parent_pipe.send(True)
2752
2297
# remove the old hook in favor of the new above hook on
2753
2298
# same fileno
2756
2301
funcname = request[1]
2757
2302
args = request[2]
2758
2303
kwargs = request[3]
2759
2304
2760
2305
parent_pipe.send(('data', getattr(client_object,
2761
2306
funcname)(*args,
2762
2307
**kwargs)))
2763
2308
2764
2309
if command == 'getattr':
2765
2310
attrname = request[1]
2766
2311
if isinstance(client_object.__getattribute__(attrname),
2767
collections.abc.Callable):
2312
collections.Callable):
2768
2313
parent_pipe.send(('function', ))
2769
2314
else:
2770
2315
parent_pipe.send((
2771
2316
'data', client_object.__getattribute__(attrname)))
2772
2317
2773
2318
if command == 'setattr':
2774
2319
attrname = request[1]
2775
2320
value = request[2]
2776
2321
setattr(client_object, attrname, value)
2777
2322
2778
2323
return True
2779
2324
2780
2325
2781
2326
def rfc3339_duration_to_delta(duration):
2782
2327
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2783
2784
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2785
True
2786
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2787
True
2788
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2789
True
2790
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2791
True
2792
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2793
True
2794
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2795
True
2796
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2797
True
2328
2329
>>> rfc3339_duration_to_delta("P7D")
2330
datetime.timedelta(7)
2331
>>> rfc3339_duration_to_delta("PT60S")
2332
datetime.timedelta(0, 60)
2333
>>> rfc3339_duration_to_delta("PT60M")
2334
datetime.timedelta(0, 3600)
2335
>>> rfc3339_duration_to_delta("PT24H")
2336
datetime.timedelta(1)
2337
>>> rfc3339_duration_to_delta("P1W")
2338
datetime.timedelta(7)
2339
>>> rfc3339_duration_to_delta("PT5M30S")
2340
datetime.timedelta(0, 330)
2341
>>> rfc3339_duration_to_delta("P1DT3M20S")
2342
datetime.timedelta(1, 200)
2798
2343
"""
2799
2344
2800
2345
# Parsing an RFC 3339 duration with regular expressions is not
2801
2346
# possible - there would have to be multiple places for the same
2802
2347
# values, like seconds. The current code, while more esoteric, is
2803
2348
# cleaner without depending on a parsing library. If Python had a
2804
2349
# built-in library for parsing we would use it, but we'd like to
2805
2350
# avoid excessive use of external libraries.
2806
2351
2807
2352
# New type for defining tokens, syntax, and semantics all-in-one
2808
2353
Token = collections.namedtuple("Token", (
2809
2354
"regexp", # To match token; if "value" is not None, must have
2842
2387
frozenset((token_year, token_month,
2843
2388
token_day, token_time,
2844
2389
token_week)))
2845
# Define starting values:
2846
# Value so far
2847
value = datetime.timedelta()
2390
# Define starting values
2391
value = datetime.timedelta() # Value so far
2848
2392
found_token = None
2849
# Following valid tokens
2850
followers = frozenset((token_duration, ))
2851
# String left to parse
2852
s = duration
2393
followers = frozenset((token_duration, )) # Following valid tokens
2394
s = duration # String left to parse
2853
2395
# Loop until end token is found
2854
2396
while found_token is not token_end:
2855
2397
# Search for any currently valid tokens
2879
2421
2880
2422
def string_to_delta(interval):
2881
2423
"""Parse a string and return a datetime.timedelta
2882
2883
>>> string_to_delta('7d') == datetime.timedelta(7)
2884
True
2885
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2886
True
2887
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2888
True
2889
>>> string_to_delta('24h') == datetime.timedelta(1)
2890
True
2891
>>> string_to_delta('1w') == datetime.timedelta(7)
2892
True
2893
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2894
True
2424
2425
>>> string_to_delta('7d')
2426
datetime.timedelta(7)
2427
>>> string_to_delta('60s')
2428
datetime.timedelta(0, 60)
2429
>>> string_to_delta('60m')
2430
datetime.timedelta(0, 3600)
2431
>>> string_to_delta('24h')
2432
datetime.timedelta(1)
2433
>>> string_to_delta('1w')
2434
datetime.timedelta(7)
2435
>>> string_to_delta('5m 30s')
2436
datetime.timedelta(0, 330)
2895
2437
"""
2896
2438
2897
2439
try:
2898
2440
return rfc3339_duration_to_delta(interval)
2899
2441
except ValueError:
2900
2442
pass
2901
2443
2902
2444
timevalue = datetime.timedelta(0)
2903
2445
for s in interval.split():
2904
2446
try:
2922
2464
return timevalue
2923
2465
2924
2466
2925
def daemon(nochdir=False, noclose=False):
2467
def daemon(nochdir = False, noclose = False):
2926
2468
"""See daemon(3). Standard BSD Unix function.
2927
2469
2928
2470
This should really exist as os.daemon, but it doesn't (yet)."""
2929
2471
if os.fork():
2930
2472
sys.exit()
2948
2490
2949
2491
2950
2492
def main():
2951
2493
2952
2494
##################################################################
2953
2495
# Parsing of options, both command line and config file
2954
2496
2955
2497
parser = argparse.ArgumentParser()
2956
2498
parser.add_argument("-v", "--version", action="version",
2957
version="%(prog)s {}".format(version),
2499
version = "%(prog)s {}".format(version),
2958
2500
help="show version number and exit")
2959
2501
parser.add_argument("-i", "--interface", metavar="IF",
2960
2502
help="Bind to interface IF")
2996
2538
parser.add_argument("--no-zeroconf", action="store_false",
2997
2539
dest="zeroconf", help="Do not use Zeroconf",
2998
2540
default=None)
2999
2541
3000
2542
options = parser.parse_args()
3001
2543
2544
if options.check:
2545
import doctest
2546
fail_count, test_count = doctest.testmod()
2547
sys.exit(os.EX_OK if fail_count == 0 else 1)
2548
3002
2549
# Default values for config file for server-global settings
3003
if gnutls.has_rawpk:
3004
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3005
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3006
else:
3007
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3008
":+SIGN-DSA-SHA256")
3009
server_defaults = {"interface": "",
3010
"address": "",
3011
"port": "",
3012
"debug": "False",
3013
"priority": priority,
3014
"servicename": "Mandos",
3015
"use_dbus": "True",
3016
"use_ipv6": "True",
3017
"debuglevel": "",
3018
"restore": "True",
3019
"socket": "",
3020
"statedir": "/var/lib/mandos",
3021
"foreground": "False",
3022
"zeroconf": "True",
3023
}
3024
del priority
3025
2550
server_defaults = { "interface": "",
2551
"address": "",
2552
"port": "",
2553
"debug": "False",
2554
"priority":
2555
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2556
":+SIGN-DSA-SHA256",
2557
"servicename": "Mandos",
2558
"use_dbus": "True",
2559
"use_ipv6": "True",
2560
"debuglevel": "",
2561
"restore": "True",
2562
"socket": "",
2563
"statedir": "/var/lib/mandos",
2564
"foreground": "False",
2565
"zeroconf": "True",
2566
}
2567
3026
2568
# Parse config file for server-global settings
3027
server_config = configparser.ConfigParser(server_defaults)
2569
server_config = configparser.SafeConfigParser(server_defaults)
3028
2570
del server_defaults
3029
2571
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3030
# Convert the ConfigParser object to a dict
2572
# Convert the SafeConfigParser object to a dict
3031
2573
server_settings = server_config.defaults()
3032
2574
# Use the appropriate methods on the non-string config options
3033
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3034
"foreground", "zeroconf"):
2575
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3035
2576
server_settings[option] = server_config.getboolean("DEFAULT",
3036
2577
option)
3037
2578
if server_settings["port"]:
3047
2588
server_settings["socket"] = os.dup(server_settings
3048
2589
["socket"])
3049
2590
del server_config
3050
2591
3051
2592
# Override the settings from the config file with command line
3052
2593
# options, if set.
3053
2594
for option in ("interface", "address", "port", "debug",
3071
2612
if server_settings["debug"]:
3072
2613
server_settings["foreground"] = True
3073
2614
# Now we have our good server settings in "server_settings"
3074
2615
3075
2616
##################################################################
3076
2617
3077
2618
if (not server_settings["zeroconf"]
3078
2619
and not (server_settings["port"]
3079
2620
or server_settings["socket"] != "")):
3080
2621
parser.error("Needs port or socket to work without Zeroconf")
3081
2622
3082
2623
# For convenience
3083
2624
debug = server_settings["debug"]
3084
2625
debuglevel = server_settings["debuglevel"]
3088
2629
stored_state_file)
3089
2630
foreground = server_settings["foreground"]
3090
2631
zeroconf = server_settings["zeroconf"]
3091
2632
3092
2633
if debug:
3093
2634
initlogger(debug, logging.DEBUG)
3094
2635
else:
3097
2638
else:
3098
2639
level = getattr(logging, debuglevel.upper())
3099
2640
initlogger(debug, level)
3100
2641
3101
2642
if server_settings["servicename"] != "Mandos":
3102
2643
syslogger.setFormatter(
3103
2644
logging.Formatter('Mandos ({}) [%(process)d]:'
3104
2645
' %(levelname)s: %(message)s'.format(
3105
2646
server_settings["servicename"])))
3106
2647
3107
2648
# Parse config file with clients
3108
client_config = configparser.ConfigParser(Client.client_defaults)
2649
client_config = configparser.SafeConfigParser(Client
2650
.client_defaults)
3109
2651
client_config.read(os.path.join(server_settings["configdir"],
3110
2652
"clients.conf"))
3111
2653
3112
2654
global mandos_dbus_service
3113
2655
mandos_dbus_service = None
3114
2656
3115
2657
socketfd = None
3116
2658
if server_settings["socket"] != "":
3117
2659
socketfd = server_settings["socket"]
3133
2675
except IOError as e:
3134
2676
logger.error("Could not open file %r", pidfilename,
3135
2677
exc_info=e)
3136
3137
for name, group in (("_mandos", "_mandos"),
3138
("mandos", "mandos"),
3139
("nobody", "nogroup")):
2678
2679
for name in ("_mandos", "mandos", "nobody"):
3140
2680
try:
3141
2681
uid = pwd.getpwnam(name).pw_uid
3142
gid = pwd.getpwnam(group).pw_gid
2682
gid = pwd.getpwnam(name).pw_gid
3143
2683
break
3144
2684
except KeyError:
3145
2685
continue
3149
2689
try:
3150
2690
os.setgid(gid)
3151
2691
os.setuid(uid)
3152
if debug:
3153
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3154
gid))
3155
2692
except OSError as error:
3156
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3157
.format(uid, gid, os.strerror(error.errno)))
3158
2693
if error.errno != errno.EPERM:
3159
2694
raise
3160
2695
3161
2696
if debug:
3162
2697
# Enable all possible GnuTLS debugging
3163
2698
3164
2699
# "Use a log level over 10 to enable all debugging options."
3165
2700
# - GnuTLS manual
3166
gnutls.global_set_log_level(11)
3167
3168
@gnutls.log_func
2701
gnutls.library.functions.gnutls_global_set_log_level(11)
2702
2703
@gnutls.library.types.gnutls_log_func
3169
2704
def debug_gnutls(level, string):
3170
2705
logger.debug("GnuTLS: %s", string[:-1])
3171
3172
gnutls.global_set_log_function(debug_gnutls)
3173
2706
2707
gnutls.library.functions.gnutls_global_set_log_function(
2708
debug_gnutls)
2709
3174
2710
# Redirect stdin so all checkers get /dev/null
3175
2711
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3176
2712
os.dup2(null, sys.stdin.fileno())
3177
2713
if null > 2:
3178
2714
os.close(null)
3179
2715
3180
2716
# Need to fork before connecting to D-Bus
3181
2717
if not foreground:
3182
2718
# Close all input and output, do double fork, etc.
3183
2719
daemon()
3184
3185
if gi.version_info < (3, 10, 2):
3186
# multiprocessing will use threads, so before we use GLib we
3187
# need to inform GLib that threads will be used.
3188
GLib.threads_init()
3189
2720
2721
# multiprocessing will use threads, so before we use gobject we
2722
# need to inform gobject that threads will be used.
2723
gobject.threads_init()
2724
3190
2725
global main_loop
3191
2726
# From the Avahi example code
3192
2727
DBusGMainLoop(set_as_default=True)
3193
main_loop = GLib.MainLoop()
2728
main_loop = gobject.MainLoop()
3194
2729
bus = dbus.SystemBus()
3195
2730
# End of Avahi example code
3196
2731
if use_dbus:
3209
2744
if zeroconf:
3210
2745
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3211
2746
service = AvahiServiceToSyslog(
3212
name=server_settings["servicename"],
3213
servicetype="_mandos._tcp",
3214
protocol=protocol,
3215
bus=bus)
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
2750
bus = bus)
3216
2751
if server_settings["interface"]:
3217
2752
service.interface = if_nametoindex(
3218
2753
server_settings["interface"].encode("utf-8"))
3219
2754
3220
2755
global multiprocessing_manager
3221
2756
multiprocessing_manager = multiprocessing.Manager()
3222
2757
3223
2758
client_class = Client
3224
2759
if use_dbus:
3225
client_class = functools.partial(ClientDBus, bus=bus)
3226
2760
client_class = functools.partial(ClientDBus, bus = bus)
2761
3227
2762
client_settings = Client.config_parser(client_config)
3228
2763
old_client_settings = {}
3229
2764
clients_data = {}
3230
2765
3231
2766
# This is used to redirect stdout and stderr for checker processes
3232
2767
global wnull
3233
wnull = open(os.devnull, "w") # A writable /dev/null
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3234
2769
# Only used if server is running in foreground but not in debug
3235
2770
# mode
3236
2771
if debug or not foreground:
3237
2772
wnull.close()
3238
2773
3239
2774
# Get client data and settings from last running state.
3240
2775
if server_settings["restore"]:
3241
2776
try:
3242
2777
with open(stored_state_path, "rb") as stored_state:
3243
if sys.version_info.major == 2:
3244
clients_data, old_client_settings = pickle.load(
3245
stored_state)
3246
else:
3247
bytes_clients_data, bytes_old_client_settings = (
3248
pickle.load(stored_state, encoding="bytes"))
3249
# Fix bytes to strings
3250
# clients_data
3251
# .keys()
3252
clients_data = {(key.decode("utf-8")
3253
if isinstance(key, bytes)
3254
else key): value
3255
for key, value in
3256
bytes_clients_data.items()}
3257
del bytes_clients_data
3258
for key in clients_data:
3259
value = {(k.decode("utf-8")
3260
if isinstance(k, bytes) else k): v
3261
for k, v in
3262
clients_data[key].items()}
3263
clients_data[key] = value
3264
# .client_structure
3265
value["client_structure"] = [
3266
(s.decode("utf-8")
3267
if isinstance(s, bytes)
3268
else s) for s in
3269
value["client_structure"]]
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3272
if isinstance(value[k], bytes):
3273
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3278
# old_client_settings
3279
# .keys()
3280
old_client_settings = {
3281
(key.decode("utf-8")
3282
if isinstance(key, bytes)
3283
else key): value
3284
for key, value in
3285
bytes_old_client_settings.items()}
3286
del bytes_old_client_settings
3287
# .host and .checker_command
3288
for value in old_client_settings.values():
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
3292
.decode("utf-8"))
2778
clients_data, old_client_settings = pickle.load(
2779
stored_state)
3293
2780
os.remove(stored_state_path)
3294
2781
except IOError as e:
3295
2782
if e.errno == errno.ENOENT:
3303
2790
logger.warning("Could not load persistent state: "
3304
2791
"EOFError:",
3305
2792
exc_info=e)
3306
2793
3307
2794
with PGPEngine() as pgp:
3308
2795
for client_name, client in clients_data.items():
3309
2796
# Skip removed clients
3310
2797
if client_name not in client_settings:
3311
2798
continue
3312
2799
3313
2800
# Decide which value to use after restoring saved state.
3314
2801
# We have three different values: Old config file,
3315
2802
# new config file, and saved state.
3326
2813
client[name] = value
3327
2814
except KeyError:
3328
2815
pass
3329
2816
3330
2817
# Clients who has passed its expire date can still be
3331
2818
# enabled if its last checker was successful. A Client
3332
2819
# whose checker succeeded before we stored its state is
3365
2852
client_name))
3366
2853
client["secret"] = (client_settings[client_name]
3367
2854
["secret"])
3368
2855
3369
2856
# Add/remove clients based on new changes made to config
3370
2857
for client_name in (set(old_client_settings)
3371
2858
- set(client_settings)):
3373
2860
for client_name in (set(client_settings)
3374
2861
- set(old_client_settings)):
3375
2862
clients_data[client_name] = client_settings[client_name]
3376
2863
3377
2864
# Create all client objects
3378
2865
for client_name, client in clients_data.items():
3379
2866
tcp_server.clients[client_name] = client_class(
3380
name=client_name,
3381
settings=client,
3382
server_settings=server_settings)
3383
2867
name = client_name,
2868
settings = client,
2869
server_settings = server_settings)
2870
3384
2871
if not tcp_server.clients:
3385
2872
logger.warning("No clients defined")
3386
2873
3387
2874
if not foreground:
3388
2875
if pidfile is not None:
3389
2876
pid = os.getpid()
3395
2882
pidfilename, pid)
3396
2883
del pidfile
3397
2884
del pidfilename
3398
3399
for termsig in (signal.SIGHUP, signal.SIGTERM):
3400
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3401
lambda: main_loop.quit() and False)
3402
2885
2886
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2887
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2888
3403
2889
if use_dbus:
3404
2890
3405
2891
@alternate_dbus_interfaces(
3406
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2892
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3407
2893
class MandosDBusService(DBusObjectWithObjectManager):
3408
2894
"""A D-Bus proxy object"""
3409
2895
3410
2896
def __init__(self):
3411
2897
dbus.service.Object.__init__(self, bus, "/")
3412
2898
3413
2899
_interface = "se.recompile.Mandos"
3414
2900
3415
2901
@dbus.service.signal(_interface, signature="o")
3416
2902
def ClientAdded(self, objpath):
3417
2903
"D-Bus signal"
3418
2904
pass
3419
2905
3420
2906
@dbus.service.signal(_interface, signature="ss")
3421
def ClientNotFound(self, key_id, address):
2907
def ClientNotFound(self, fingerprint, address):
3422
2908
"D-Bus signal"
3423
2909
pass
3424
2910
3425
2911
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3426
2912
"true"})
3427
2913
@dbus.service.signal(_interface, signature="os")
3428
2914
def ClientRemoved(self, objpath, name):
3429
2915
"D-Bus signal"
3430
2916
pass
3431
2917
3432
2918
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3433
2919
"true"})
3434
2920
@dbus.service.method(_interface, out_signature="ao")
3435
2921
def GetAllClients(self):
3436
2922
"D-Bus method"
3437
2923
return dbus.Array(c.dbus_object_path for c in
3438
tcp_server.clients.values())
3439
2924
tcp_server.clients.itervalues())
2925
3440
2926
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3441
2927
"true"})
3442
2928
@dbus.service.method(_interface,
3444
2930
def GetAllClientsWithProperties(self):
3445
2931
"D-Bus method"
3446
2932
return dbus.Dictionary(
3447
{c.dbus_object_path: c.GetAll(
2933
{ c.dbus_object_path: c.GetAll(
3448
2934
"se.recompile.Mandos.Client")
3449
for c in tcp_server.clients.values()},
2935
for c in tcp_server.clients.itervalues() },
3450
2936
signature="oa{sv}")
3451
2937
3452
2938
@dbus.service.method(_interface, in_signature="o")
3453
2939
def RemoveClient(self, object_path):
3454
2940
"D-Bus method"
3455
for c in tcp_server.clients.values():
2941
for c in tcp_server.clients.itervalues():
3456
2942
if c.dbus_object_path == object_path:
3457
2943
del tcp_server.clients[c.name]
3458
2944
c.remove_from_connection()
3462
2948
self.client_removed_signal(c)
3463
2949
return
3464
2950
raise KeyError(object_path)
3465
2951
3466
2952
del _interface
3467
2953
3468
2954
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3469
out_signature="a{oa{sa{sv}}}")
2955
out_signature = "a{oa{sa{sv}}}")
3470
2956
def GetManagedObjects(self):
3471
2957
"""D-Bus method"""
3472
2958
return dbus.Dictionary(
3473
{client.dbus_object_path:
3474
dbus.Dictionary(
3475
{interface: client.GetAll(interface)
3476
for interface in
3477
client._get_all_interface_names()})
3478
for client in tcp_server.clients.values()})
3479
2959
{ client.dbus_object_path:
2960
dbus.Dictionary(
2961
{ interface: client.GetAll(interface)
2962
for interface in
2963
client._get_all_interface_names()})
2964
for client in tcp_server.clients.values()})
2965
3480
2966
def client_added_signal(self, client):
3481
2967
"""Send the new standard signal and the old signal"""
3482
2968
if use_dbus:
3484
2970
self.InterfacesAdded(
3485
2971
client.dbus_object_path,
3486
2972
dbus.Dictionary(
3487
{interface: client.GetAll(interface)
3488
for interface in
3489
client._get_all_interface_names()}))
2973
{ interface: client.GetAll(interface)
2974
for interface in
2975
client._get_all_interface_names()}))
3490
2976
# Old signal
3491
2977
self.ClientAdded(client.dbus_object_path)
3492
2978
3493
2979
def client_removed_signal(self, client):
3494
2980
"""Send the new standard signal and the old signal"""
3495
2981
if use_dbus:
3500
2986
# Old signal
3501
2987
self.ClientRemoved(client.dbus_object_path,
3502
2988
client.name)
3503
2989
3504
2990
mandos_dbus_service = MandosDBusService()
3505
3506
# Save modules to variables to exempt the modules from being
3507
# unloaded before the function registered with atexit() is run.
3508
mp = multiprocessing
3509
wn = wnull
3510
2991
3511
2992
def cleanup():
3512
2993
"Cleanup function; run on exit"
3513
2994
if zeroconf:
3514
2995
service.cleanup()
3515
3516
mp.active_children()
3517
wn.close()
2996
2997
multiprocessing.active_children()
2998
wnull.close()
3518
2999
if not (tcp_server.clients or client_settings):
3519
3000
return
3520
3001
3521
3002
# Store client before exiting. Secrets are encrypted with key
3522
3003
# based on what config file has. If config file is
3523
3004
# removed/edited, old secret will thus be unrecovable.
3524
3005
clients = {}
3525
3006
with PGPEngine() as pgp:
3526
for client in tcp_server.clients.values():
3007
for client in tcp_server.clients.itervalues():
3527
3008
key = client_settings[client.name]["secret"]
3528
3009
client.encrypted_secret = pgp.encrypt(client.secret,
3529
3010
key)
3530
3011
client_dict = {}
3531
3012
3532
3013
# A list of attributes that can not be pickled
3533
3014
# + secret.
3534
exclude = {"bus", "changedstate", "secret",
3535
"checker", "server_settings"}
3015
exclude = { "bus", "changedstate", "secret",
3016
"checker", "server_settings" }
3536
3017
for name, typ in inspect.getmembers(dbus.service
3537
3018
.Object):
3538
3019
exclude.add(name)
3539
3020
3540
3021
client_dict["encrypted_secret"] = (client
3541
3022
.encrypted_secret)
3542
3023
for attr in client.client_structure:
3543
3024
if attr not in exclude:
3544
3025
client_dict[attr] = getattr(client, attr)
3545
3026
3546
3027
clients[client.name] = client_dict
3547
3028
del client_settings[client.name]["secret"]
3548
3029
3549
3030
try:
3550
3031
with tempfile.NamedTemporaryFile(
3551
3032
mode='wb',
3553
3034
prefix='clients-',
3554
3035
dir=os.path.dirname(stored_state_path),
3555
3036
delete=False) as stored_state:
3556
pickle.dump((clients, client_settings), stored_state,
3557
protocol=2)
3037
pickle.dump((clients, client_settings), stored_state)
3558
3038
tempname = stored_state.name
3559
3039
os.rename(tempname, stored_state_path)
3560
3040
except (IOError, OSError) as e:
3570
3050
logger.warning("Could not save persistent state:",
3571
3051
exc_info=e)
3572
3052
raise
3573
3053
3574
3054
# Delete all clients, and settings from config
3575
3055
while tcp_server.clients:
3576
3056
name, client = tcp_server.clients.popitem()
3579
3059
# Don't signal the disabling
3580
3060
client.disable(quiet=True)
3581
3061
# Emit D-Bus signal for removal
3582
if use_dbus:
3583
mandos_dbus_service.client_removed_signal(client)
3062
mandos_dbus_service.client_removed_signal(client)
3584
3063
client_settings.clear()
3585
3064
3586
3065
atexit.register(cleanup)
3587
3588
for client in tcp_server.clients.values():
3066
3067
for client in tcp_server.clients.itervalues():
3589
3068
if use_dbus:
3590
3069
# Emit D-Bus signal for adding
3591
3070
mandos_dbus_service.client_added_signal(client)
3592
3071
# Need to initiate checking of clients
3593
3072
if client.enabled:
3594
3073
client.init_checker()
3595
3074
3596
3075
tcp_server.enable()
3597
3076
tcp_server.server_activate()
3598
3077
3599
3078
# Find out what port we got
3600
3079
if zeroconf:
3601
3080
service.port = tcp_server.socket.getsockname()[1]
3606
3085
else: # IPv4
3607
3086
logger.info("Now listening on address %r, port %d",
3608
3087
*tcp_server.socket.getsockname())
3609
3610
# service.interface = tcp_server.socket.getsockname()[3]
3611
3088
3089
#service.interface = tcp_server.socket.getsockname()[3]
3090
3612
3091
try:
3613
3092
if zeroconf:
3614
3093
# From the Avahi example code
3619
3098
cleanup()
3620
3099
sys.exit(1)
3621
3100
# End of Avahi example code
3622
3623
GLib.io_add_watch(
3624
GLib.IOChannel.unix_new(tcp_server.fileno()),
3625
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3626
lambda *args, **kwargs: (tcp_server.handle_request
3627
(*args[2:], **kwargs) or True))
3628
3101
3102
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3103
lambda *args, **kwargs:
3104
(tcp_server.handle_request
3105
(*args[2:], **kwargs) or True))
3106
3629
3107
logger.debug("Starting main loop")
3630
3108
main_loop.run()
3631
3109
except AvahiError as error:
3640
3118
# Must run before the D-Bus bus name gets deregistered
3641
3119
cleanup()
3642
3120
3643
3644
def should_only_run_tests():
3645
parser = argparse.ArgumentParser(add_help=False)
3646
parser.add_argument("--check", action='store_true')
3647
args, unknown_args = parser.parse_known_args()
3648
run_tests = args.check
3649
if run_tests:
3650
# Remove --check argument from sys.argv
3651
sys.argv[1:] = unknown_args
3652
return run_tests
3653
3654
# Add all tests from doctest strings
3655
def load_tests(loader, tests, none):
3656
import doctest
3657
tests.addTests(doctest.DocTestSuite())
3658
return tests
3659
3121
3660
3122
if __name__ == '__main__':
3661
try:
3662
if should_only_run_tests():
3663
# Call using ./mandos --check [--verbose]
3664
unittest.main()
3665
else:
3666
main()
3667
finally:
3668
logging.shutdown()
3123
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0