To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.333
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.333
- Committer: Teddy Hogeborn
- Date: 2015-08-10 09:00:23 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810090023-fz6vjqr7zf33e2tf
Support the standard org.freedesktop.DBus.ObjectManager interface.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
Now that the D-Bus standard has an interface to keep track of new and
removed objects, use that instead of our own methods. This deprecates
our D-Bus methods "GetAllClients" and "GetAllClientsWithProperties"
and the signals "ClientAdded" and "ClientRemoved", all on the server
interface "se.recompile.Mandos".
* DBUS-API: Removed references to deprecated methods and signals;
insert reference to the org.freedesktop.DBus.ObjectManager
interface.
* mandos (DBusObjectWithProperties._get_all_interface_names): New.
(dbus.OBJECT_MANAGER_IFACE): If not present, monkey patch.
(DBusObjectWithObjectManager): New.
(main/MandosDBusService): Inherit from DBusObjectWithObjectManager.
(main/MandosDBusService.ClientRemoved): Annotate as deprecated.
(main/MandosDBusService.GetAllClients): - '' -
(main/MandosDBusService.GetAllClientsWithProperties): Annotate as
deprecated.
Also only
return
properties on
client
interface.
(main/MandosDBusService.RemoveClient): Call client_removed_signal
instead of ClientRemoved.
(main/MandosDBusService.GetManagedObjects): New.
(main/MandosDBusService.client_added_signal): New.
(main/MandosDBusService.client_removed_signal): - '' -
(main/cleanup): Call "client_removed_signal" instead of sending
"ClientRemoved" signal directly.
(main): Call "client_added_signal" instead of sending "ClientAdded"
signal directly.
* mandos-ctl: Use GetManagedObjects instead of
GetAllClientsWithProperties. Also, show better error
message in case of failure to connect to the D-Bus
* mandos-monitor (MandosClientPropertyCache.properties_changed):
Bug fix; only update properties on client interface.
(UserInterface.find_and_remove_client): Change to accept arguments
from InterfacesRemoved
signal. Also, bug fix:
working error message when
removing unknown client.
(UserInterface.add_new_client): Change to accept arguments from
InterfacesRemoved signal. Pass
properties to MandosClientWidget
constructor.
(UserInterface.run): Connect find_and_remove_client method to
InterfacesRemoved signal and the add_new_client
method to the InterfacesAdded signal.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
77
79
import itertools
78
80
import collections
79
81
import codecs
80
import unittest
81
import random
82
import shlex
83
82
84
83
import dbus
85
84
import dbus.service
86
import gi
87
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
88
90
from dbus.mainloop.glib import DBusGMainLoop
89
91
import ctypes
90
92
import ctypes.util
91
93
import xml.dom.minidom
92
94
import inspect
93
95
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
96
try:
122
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
123
98
except AttributeError:
124
99
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
127
100
from IN import SO_BINDTODEVICE
128
101
except ImportError:
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.14"
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
147
108
stored_state_file = "clients.pickle"
148
109
149
110
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
111
syslogger = None
152
112
153
113
try:
154
114
if_nametoindex = ctypes.cdll.LoadLibrary(
155
115
ctypes.util.find_library("c")).if_nametoindex
156
116
except (OSError, AttributeError):
157
117
158
118
def if_nametoindex(interface):
159
119
"Get an interface index the hard way, i.e. using fcntl()"
160
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
165
125
return interface_index
166
126
167
127
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
184
128
def initlogger(debug, level=logging.WARNING):
185
129
"""init logger and add loglevel"""
186
130
187
131
global syslogger
188
132
syslogger = (logging.handlers.SysLogHandler(
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
191
135
syslogger.setFormatter(logging.Formatter
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
136
('Mandos [%(process)d]: %(levelname)s:'
137
' %(message)s'))
194
138
logger.addHandler(syslogger)
195
139
196
140
if debug:
197
141
console = logging.StreamHandler()
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
143
' [%(process)d]:'
144
' %(levelname)s:'
145
' %(message)s'))
202
146
logger.addHandler(console)
203
147
logger.setLevel(level)
204
148
208
152
pass
209
153
210
154
211
class PGPEngine:
155
class PGPEngine(object):
212
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
157
214
158
def __init__(self):
215
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
160
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
162
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
235
166
def __enter__(self):
236
167
return self
237
168
238
169
def __exit__(self, exc_type, exc_value, traceback):
239
170
self._cleanup()
240
171
return False
241
172
242
173
def __del__(self):
243
174
self._cleanup()
244
175
245
176
def _cleanup(self):
246
177
if self.tempdir is not None:
247
178
# Delete contents of tempdir
248
179
for root, dirs, files in os.walk(self.tempdir,
249
topdown=False):
180
topdown = False):
250
181
for filename in files:
251
182
os.remove(os.path.join(root, filename))
252
183
for dirname in dirs:
254
185
# Remove tempdir
255
186
os.rmdir(self.tempdir)
256
187
self.tempdir = None
257
188
258
189
def password_encode(self, password):
259
190
# Passphrase can not be empty and can not contain newlines or
260
191
# NUL bytes. So we prefix it and hex encode it.
265
196
.replace(b"\n", b"\\n")
266
197
.replace(b"\0", b"\\x00"))
267
198
return encoded
268
199
269
200
def encrypt(self, data, password):
270
201
passphrase = self.password_encode(password)
271
202
with tempfile.NamedTemporaryFile(
272
203
dir=self.tempdir) as passfile:
273
204
passfile.write(passphrase)
274
205
passfile.flush()
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
206
proc = subprocess.Popen(['gpg', '--symmetric',
207
'--passphrase-file',
277
208
passfile.name]
278
209
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
283
214
if proc.returncode != 0:
284
215
raise PGPError(err)
285
216
return ciphertext
286
217
287
218
def decrypt(self, data, password):
288
219
passphrase = self.password_encode(password)
289
220
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
291
222
passfile.write(passphrase)
292
223
passfile.flush()
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
224
proc = subprocess.Popen(['gpg', '--decrypt',
225
'--passphrase-file',
295
226
passfile.name]
296
227
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
301
232
if proc.returncode != 0:
302
233
raise PGPError(err)
303
234
return decrypted_plaintext
304
235
305
236
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
332
237
class AvahiError(Exception):
333
238
def __init__(self, value, *args, **kwargs):
334
239
self.value = value
344
249
pass
345
250
346
251
347
class AvahiService:
252
class AvahiService(object):
348
253
"""An Avahi (Zeroconf) service.
349
254
350
255
Attributes:
351
256
interface: integer; avahi.IF_UNSPEC or an interface index.
352
257
Used to optionally bind to the specified interface.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
258
name: string; Example: 'Mandos'
259
type: string; Example: '_mandos._tcp'.
355
260
See <https://www.iana.org/assignments/service-names-port-numbers>
356
261
port: integer; what port to announce
357
262
TXT: list of strings; TXT record for the service
364
269
server: D-Bus Server
365
270
bus: dbus.SystemBus()
366
271
"""
367
272
368
273
def __init__(self,
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
379
284
self.interface = interface
380
285
self.name = name
381
286
self.type = servicetype
390
295
self.server = None
391
296
self.bus = bus
392
297
self.entry_group_state_changed_match = None
393
298
394
299
def rename(self, remove=True):
395
300
"""Derived from the Avahi example code"""
396
301
if self.rename_count >= self.max_renames:
416
321
logger.critical("D-Bus Exception", exc_info=error)
417
322
self.cleanup()
418
323
os._exit(1)
419
324
420
325
def remove(self):
421
326
"""Derived from the Avahi example code"""
422
327
if self.entry_group_state_changed_match is not None:
424
329
self.entry_group_state_changed_match = None
425
330
if self.group is not None:
426
331
self.group.Reset()
427
332
428
333
def add(self):
429
334
"""Derived from the Avahi example code"""
430
335
self.remove()
435
340
avahi.DBUS_INTERFACE_ENTRY_GROUP)
436
341
self.entry_group_state_changed_match = (
437
342
self.group.connect_to_signal(
438
"StateChanged", self.entry_group_state_changed))
343
'StateChanged', self.entry_group_state_changed))
439
344
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
440
345
self.name, self.type)
441
346
self.group.AddService(
447
352
dbus.UInt16(self.port),
448
353
avahi.string_array_to_txt_array(self.TXT))
449
354
self.group.Commit()
450
355
451
356
def entry_group_state_changed(self, state, error):
452
357
"""Derived from the Avahi example code"""
453
358
logger.debug("Avahi entry group state change: %i", state)
454
359
455
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
361
logger.debug("Zeroconf service established.")
457
362
elif state == avahi.ENTRY_GROUP_COLLISION:
461
366
logger.critical("Avahi: Error in group state changed %s",
462
367
str(error))
463
368
raise AvahiGroupError("State changed: {!s}".format(error))
464
369
465
370
def cleanup(self):
466
371
"""Derived from the Avahi example code"""
467
372
if self.group is not None:
472
377
pass
473
378
self.group = None
474
379
self.remove()
475
380
476
381
def server_state_changed(self, state, error=None):
477
382
"""Derived from the Avahi example code"""
478
383
logger.debug("Avahi server state change: %i", state)
507
412
logger.debug("Unknown state: %r", state)
508
413
else:
509
414
logger.debug("Unknown state: %r: %r", state, error)
510
415
511
416
def activate(self):
512
417
"""Derived from the Avahi example code"""
513
418
if self.server is None:
524
429
class AvahiServiceToSyslog(AvahiService):
525
430
def rename(self, *args, **kwargs):
526
431
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
529
433
syslogger.setFormatter(logging.Formatter(
530
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
531
435
.format(self.name)))
532
436
return ret
533
437
534
535
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
538
539
library = ctypes.util.find_library("gnutls")
540
if library is None:
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
543
del library
544
545
# Unless otherwise indicated, the constants and types below are
546
# all from the gnutls/gnutls.h C header file.
547
548
# Constants
549
E_SUCCESS = 0
550
E_INTERRUPTED = -52
551
E_AGAIN = -28
552
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
CLIENT = 2
555
SHUT_RDWR = 0
556
CRD_CERTIFICATE = 1
557
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
565
# Types
566
class _session_int(ctypes.Structure):
567
_fields_ = []
568
session_t = ctypes.POINTER(_session_int)
569
570
class certificate_credentials_st(ctypes.Structure):
571
_fields_ = []
572
certificate_credentials_t = ctypes.POINTER(
573
certificate_credentials_st)
574
certificate_type_t = ctypes.c_int
575
576
class datum_t(ctypes.Structure):
577
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
578
("size", ctypes.c_uint)]
579
580
class _openpgp_crt_int(ctypes.Structure):
581
_fields_ = []
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
586
transport_ptr_t = ctypes.c_void_p
587
close_request_t = ctypes.c_int
588
589
# Exceptions
590
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
592
# Default usage is by a message string, but if a return
593
# code is passed, convert it to a string with
594
# gnutls.strerror()
595
self.code = code
596
if message is None and code is not None:
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
600
message, *args)
601
602
class CertificateSecurityError(Error):
603
pass
604
605
class PointerTo:
606
def __init__(self, cls):
607
self.cls = cls
608
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
614
615
class CastToVoidPointer:
616
def __init__(self, cls):
617
self.cls = cls
618
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
625
class With_from_param:
626
@classmethod
627
def from_param(cls, obj):
628
return obj._as_parameter_
629
630
# Classes
631
class Credentials(With_from_param):
632
def __init__(self):
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
635
self.type = gnutls.CRD_CERTIFICATE
636
637
def __del__(self):
638
gnutls.certificate_free_credentials(self)
639
640
class ClientSession(With_from_param):
641
def __init__(self, socket, credentials=None):
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
646
if gnutls.has_rawpk:
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
649
del gnutls_flags
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
653
self.socket = socket
654
if credentials is None:
655
credentials = gnutls.Credentials()
656
gnutls.credentials_set(self, credentials.type,
657
credentials)
658
self.credentials = credentials
659
660
def __del__(self):
661
gnutls.deinit(self)
662
663
def handshake(self):
664
return gnutls.handshake(self)
665
666
def send(self, data):
667
data = bytes(data)
668
data_len = len(data)
669
while data_len > 0:
670
data_len -= gnutls.record_send(self, data[-data_len:],
671
data_len)
672
673
def bye(self):
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
675
676
# Error handling functions
677
def _error_code(result):
678
"""A function to raise exceptions on errors, suitable
679
for the "restype" attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
681
return result
682
if result == gnutls.E_NO_CERTIFICATE_FOUND:
683
raise gnutls.CertificateSecurityError(code=result)
684
raise gnutls.Error(code=result)
685
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
688
"""A function to retry on some errors, suitable
689
for the "errcheck" attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
691
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
692
return _error_code(result)
693
result = func(*arguments)
694
return result
695
696
# Unless otherwise indicated, the function declarations below are
697
# all from the gnutls/gnutls.h C header file.
698
699
# Functions
700
priority_set_direct = _library.gnutls_priority_set_direct
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
702
ctypes.POINTER(ctypes.c_char_p)]
703
priority_set_direct.restype = _error_code
704
705
init = _library.gnutls_init
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
707
init.restype = _error_code
708
709
set_default_priority = _library.gnutls_set_default_priority
710
set_default_priority.argtypes = [ClientSession]
711
set_default_priority.restype = _error_code
712
713
record_send = _library.gnutls_record_send
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
715
ctypes.c_size_t]
716
record_send.restype = ctypes.c_ssize_t
717
record_send.errcheck = _retry_on_error
718
719
certificate_allocate_credentials = (
720
_library.gnutls_certificate_allocate_credentials)
721
certificate_allocate_credentials.argtypes = [
722
PointerTo(Credentials)]
723
certificate_allocate_credentials.restype = _error_code
724
725
certificate_free_credentials = (
726
_library.gnutls_certificate_free_credentials)
727
certificate_free_credentials.argtypes = [Credentials]
728
certificate_free_credentials.restype = None
729
730
handshake_set_private_extensions = (
731
_library.gnutls_handshake_set_private_extensions)
732
handshake_set_private_extensions.argtypes = [ClientSession,
733
ctypes.c_int]
734
handshake_set_private_extensions.restype = None
735
736
credentials_set = _library.gnutls_credentials_set
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
739
credentials_set.restype = _error_code
740
741
strerror = _library.gnutls_strerror
742
strerror.argtypes = [ctypes.c_int]
743
strerror.restype = ctypes.c_char_p
744
745
certificate_type_get = _library.gnutls_certificate_type_get
746
certificate_type_get.argtypes = [ClientSession]
747
certificate_type_get.restype = _error_code
748
749
certificate_get_peers = _library.gnutls_certificate_get_peers
750
certificate_get_peers.argtypes = [ClientSession,
751
ctypes.POINTER(ctypes.c_uint)]
752
certificate_get_peers.restype = ctypes.POINTER(datum_t)
753
754
global_set_log_level = _library.gnutls_global_set_log_level
755
global_set_log_level.argtypes = [ctypes.c_int]
756
global_set_log_level.restype = None
757
758
global_set_log_function = _library.gnutls_global_set_log_function
759
global_set_log_function.argtypes = [log_func]
760
global_set_log_function.restype = None
761
762
deinit = _library.gnutls_deinit
763
deinit.argtypes = [ClientSession]
764
deinit.restype = None
765
766
handshake = _library.gnutls_handshake
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
769
handshake.errcheck = _retry_on_error
770
771
transport_set_ptr = _library.gnutls_transport_set_ptr
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
773
transport_set_ptr.restype = None
774
775
bye = _library.gnutls_bye
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
778
bye.errcheck = _retry_on_error
779
780
check_version = _library.gnutls_check_version
781
check_version.argtypes = [ctypes.c_char_p]
782
check_version.restype = ctypes.c_char_p
783
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
788
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
791
792
if has_rawpk:
793
# Types
794
class pubkey_st(ctypes.Structure):
795
_fields = []
796
pubkey_t = ctypes.POINTER(pubkey_st)
797
798
x509_crt_fmt_t = ctypes.c_int
799
800
# All the function declarations below are from
801
# gnutls/abstract.h
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
805
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
x509_crt_fmt_t]
809
pubkey_import.restype = _error_code
810
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
816
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
820
else:
821
# All the function declarations below are from
822
# gnutls/openpgp.h
823
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
827
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
831
openpgp_crt_fmt_t]
832
openpgp_crt_import.restype = _error_code
833
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
837
openpgp_crt_t,
838
ctypes.c_uint,
839
ctypes.POINTER(ctypes.c_uint),
840
]
841
openpgp_crt_verify_self.restype = _error_code
842
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
846
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
850
ctypes.c_void_p,
851
ctypes.POINTER(
852
ctypes.c_size_t)]
853
openpgp_crt_get_fingerprint.restype = _error_code
854
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
859
860
# Remove non-public functions
861
del _error_code, _retry_on_error
862
863
864
438
def call_pipe(connection, # : multiprocessing.Connection
865
439
func, *args, **kwargs):
866
440
"""This function is meant to be called by multiprocessing.Process
867
441
868
442
This function runs func(*args, **kwargs), and writes the resulting
869
443
return value on the provided multiprocessing.Connection.
870
444
"""
871
445
connection.send(func(*args, **kwargs))
872
446
connection.close()
873
447
874
875
class Client:
448
class Client(object):
876
449
"""A representation of a client host served by this server.
877
450
878
451
Attributes:
879
approved: bool(); None if not yet approved/disapproved
452
approved: bool(); 'None' if not yet approved/disapproved
880
453
approval_delay: datetime.timedelta(); Time to wait for approval
881
454
approval_duration: datetime.timedelta(); Duration of one approval
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. None if no process is
884
running.
885
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
886
459
checker_command: string; External command which is run to check
887
460
if client lives. %() expansions are done at
888
461
runtime with vars(self) as dict, so that for
889
462
instance %(name)s can be used in the command.
890
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
891
464
created: datetime.datetime(); (UTC) object creation
892
465
client_structure: Object describing what attributes a client has
893
466
and is used for storing the client at exit
894
467
current_checker_command: string; current running checker_command
895
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
896
469
enabled: bool()
897
470
fingerprint: string (40 or 32 hexadecimal digits); used to
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
471
uniquely identify the client
901
472
host: string; available for use by the checker command
902
473
interval: datetime.timedelta(); How often to start a new checker
903
474
last_approval_request: datetime.datetime(); (UTC) or None
919
490
disabled, or None
920
491
server_settings: The server_settings dict from main()
921
492
"""
922
493
923
494
runtime_expansions = ("approval_delay", "approval_duration",
924
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
925
496
"fingerprint", "host", "interval",
926
497
"last_approval_request", "last_checked_ok",
927
498
"last_enabled", "name", "timeout")
936
507
"approved_by_default": "True",
937
508
"enabled": "True",
938
509
}
939
510
940
511
@staticmethod
941
512
def config_parser(config):
942
513
"""Construct a new dict of client settings of this form:
949
520
for client_name in config.sections():
950
521
section = dict(config.items(client_name))
951
522
client = settings[client_name] = {}
952
523
953
524
client["host"] = section["host"]
954
525
# Reformat values from string types to Python types
955
526
client["approved_by_default"] = config.getboolean(
956
527
client_name, "approved_by_default")
957
528
client["enabled"] = config.getboolean(client_name,
958
529
"enabled")
959
960
# Uppercase and remove spaces from key_id and fingerprint
961
# for later comparison purposes with return value from the
962
# key_id() and fingerprint() functions
963
client["key_id"] = (section.get("key_id", "").upper()
964
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
965
534
client["fingerprint"] = (section["fingerprint"].upper()
966
535
.replace(" ", ""))
967
536
if "secret" in section:
968
client["secret"] = codecs.decode(section["secret"]
969
.encode("utf-8"),
970
"base64")
537
client["secret"] = section["secret"].decode("base64")
971
538
elif "secfile" in section:
972
539
with open(os.path.expanduser(os.path.expandvars
973
540
(section["secfile"])),
988
555
client["last_approval_request"] = None
989
556
client["last_checked_ok"] = None
990
557
client["last_checker_status"] = -2
991
558
992
559
return settings
993
994
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
995
562
self.name = name
996
563
if server_settings is None:
997
564
server_settings = {}
999
566
# adding all client settings
1000
567
for setting, value in settings.items():
1001
568
setattr(self, setting, value)
1002
569
1003
570
if self.enabled:
1004
571
if not hasattr(self, "last_enabled"):
1005
572
self.last_enabled = datetime.datetime.utcnow()
1009
576
else:
1010
577
self.last_enabled = None
1011
578
self.expires = None
1012
579
1013
580
logger.debug("Creating client %r", self.name)
1014
logger.debug(" Key ID: %s", self.key_id)
1015
581
logger.debug(" Fingerprint: %s", self.fingerprint)
1016
582
self.created = settings.get("created",
1017
583
datetime.datetime.utcnow())
1018
584
1019
585
# attributes specific for this server instance
1020
586
self.checker = None
1021
587
self.checker_initiator_tag = None
1027
593
self.changedstate = multiprocessing_manager.Condition(
1028
594
multiprocessing_manager.Lock())
1029
595
self.client_structure = [attr
1030
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
1031
597
if not attr.startswith("_")]
1032
598
self.client_structure.append("client_structure")
1033
599
1034
600
for name, t in inspect.getmembers(
1035
601
type(self), lambda obj: isinstance(obj, property)):
1036
602
if not name.startswith("_"):
1037
603
self.client_structure.append(name)
1038
604
1039
605
# Send notice to process children that client state has changed
1040
606
def send_changedstate(self):
1041
607
with self.changedstate:
1042
608
self.changedstate.notify_all()
1043
609
1044
610
def enable(self):
1045
611
"""Start this client's checker and timeout hooks"""
1046
612
if getattr(self, "enabled", False):
1051
617
self.last_enabled = datetime.datetime.utcnow()
1052
618
self.init_checker()
1053
619
self.send_changedstate()
1054
620
1055
621
def disable(self, quiet=True):
1056
622
"""Disable this client."""
1057
623
if not getattr(self, "enabled", False):
1059
625
if not quiet:
1060
626
logger.info("Disabling client %s", self.name)
1061
627
if getattr(self, "disable_initiator_tag", None) is not None:
1062
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1063
629
self.disable_initiator_tag = None
1064
630
self.expires = None
1065
631
if getattr(self, "checker_initiator_tag", None) is not None:
1066
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1067
633
self.checker_initiator_tag = None
1068
634
self.stop_checker()
1069
635
self.enabled = False
1070
636
if not quiet:
1071
637
self.send_changedstate()
1072
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1073
639
return False
1074
640
1075
641
def __del__(self):
1076
642
self.disable()
1077
643
1078
644
def init_checker(self):
1079
645
# Schedule a new checker to be started an 'interval' from now,
1080
646
# and every interval from then on.
1081
647
if self.checker_initiator_tag is not None:
1082
GLib.source_remove(self.checker_initiator_tag)
1083
self.checker_initiator_tag = GLib.timeout_add(
1084
random.randrange(int(self.interval.total_seconds() * 1000
1085
+ 1)),
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1086
651
self.start_checker)
1087
652
# Schedule a disable() when 'timeout' has passed
1088
653
if self.disable_initiator_tag is not None:
1089
GLib.source_remove(self.disable_initiator_tag)
1090
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1091
656
int(self.timeout.total_seconds() * 1000), self.disable)
1092
657
# Also start a new checker *right now*.
1093
658
self.start_checker()
1094
659
1095
660
def checker_callback(self, source, condition, connection,
1096
661
command):
1097
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1098
665
# Read return code from connection (see call_pipe)
1099
666
returncode = connection.recv()
1100
667
connection.close()
1101
if self.checker is not None:
1102
self.checker.join()
1103
self.checker_callback_tag = None
1104
self.checker = None
1105
668
1106
669
if returncode >= 0:
1107
670
self.last_checker_status = returncode
1108
671
self.last_checker_signal = None
1118
681
logger.warning("Checker for %(name)s crashed?",
1119
682
vars(self))
1120
683
return False
1121
684
1122
685
def checked_ok(self):
1123
686
"""Assert that the client has been seen, alive and well."""
1124
687
self.last_checked_ok = datetime.datetime.utcnow()
1125
688
self.last_checker_status = 0
1126
689
self.last_checker_signal = None
1127
690
self.bump_timeout()
1128
691
1129
692
def bump_timeout(self, timeout=None):
1130
693
"""Bump up the timeout for this client."""
1131
694
if timeout is None:
1132
695
timeout = self.timeout
1133
696
if self.disable_initiator_tag is not None:
1134
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1135
698
self.disable_initiator_tag = None
1136
699
if getattr(self, "enabled", False):
1137
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1138
701
int(timeout.total_seconds() * 1000), self.disable)
1139
702
self.expires = datetime.datetime.utcnow() + timeout
1140
703
1141
704
def need_approval(self):
1142
705
self.last_approval_request = datetime.datetime.utcnow()
1143
706
1144
707
def start_checker(self):
1145
708
"""Start a new checker subprocess if one is not running.
1146
709
1147
710
If a checker already exists, leave it running and do
1148
711
nothing."""
1149
712
# The reason for not killing a running checker is that if we
1154
717
# checkers alone, the checker would have to take more time
1155
718
# than 'timeout' for the client to be disabled, which is as it
1156
719
# should be.
1157
720
1158
721
if self.checker is not None and not self.checker.is_alive():
1159
722
logger.warning("Checker was not alive; joining")
1160
723
self.checker.join()
1163
726
if self.checker is None:
1164
727
# Escape attributes for the shell
1165
728
escaped_attrs = {
1166
attr: shlex.quote(str(getattr(self, attr)))
1167
for attr in self.runtime_expansions}
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1168
731
try:
1169
732
command = self.checker_command % escaped_attrs
1170
733
except TypeError as error:
1182
745
# The exception is when not debugging but nevertheless
1183
746
# running in the foreground; use the previously
1184
747
# created wnull.
1185
popen_args = {"close_fds": True,
1186
"shell": True,
1187
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1188
751
if (not self.server_settings["debug"]
1189
752
and self.server_settings["foreground"]):
1190
753
popen_args.update({"stdout": wnull,
1191
"stderr": wnull})
1192
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1193
756
self.checker = multiprocessing.Process(
1194
target=call_pipe,
1195
args=(pipe[1], subprocess.call, command),
1196
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1197
760
self.checker.start()
1198
self.checker_callback_tag = GLib.io_add_watch(
1199
GLib.IOChannel.unix_new(pipe[0].fileno()),
1200
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1201
763
self.checker_callback, pipe[0], command)
1202
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1203
765
return True
1204
766
1205
767
def stop_checker(self):
1206
768
"""Force the checker process, if any, to stop."""
1207
769
if self.checker_callback_tag:
1208
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1209
771
self.checker_callback_tag = None
1210
772
if getattr(self, "checker", None) is None:
1211
773
return
1220
782
byte_arrays=False):
1221
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1222
784
become properties on the D-Bus.
1223
785
1224
786
The decorated method will be called with no arguments by "Get"
1225
787
and with one argument by "Set".
1226
788
1227
789
The parameters, where they are supported, are the same as
1228
790
dbus.service.method, except there is only "signature", since the
1229
791
type from Get() and the type sent to Set() is the same.
1233
795
if byte_arrays and signature != "ay":
1234
796
raise ValueError("Byte arrays not supported for non-'ay'"
1235
797
" signature {!r}".format(signature))
1236
798
1237
799
def decorator(func):
1238
800
func._dbus_is_property = True
1239
801
func._dbus_interface = dbus_interface
1242
804
func._dbus_name = func.__name__
1243
805
if func._dbus_name.endswith("_dbus_property"):
1244
806
func._dbus_name = func._dbus_name[:-14]
1245
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1246
808
return func
1247
809
1248
810
return decorator
1249
811
1250
812
1251
813
def dbus_interface_annotations(dbus_interface):
1252
814
"""Decorator for marking functions returning interface annotations
1253
815
1254
816
Usage:
1255
817
1256
818
@dbus_interface_annotations("org.example.Interface")
1257
819
def _foo(self): # Function name does not matter
1258
820
return {"org.freedesktop.DBus.Deprecated": "true",
1259
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1260
822
"false"}
1261
823
"""
1262
824
1263
825
def decorator(func):
1264
826
func._dbus_is_interface = True
1265
827
func._dbus_interface = dbus_interface
1266
828
func._dbus_name = dbus_interface
1267
829
return func
1268
830
1269
831
return decorator
1270
832
1271
833
1272
834
def dbus_annotations(annotations):
1273
835
"""Decorator to annotate D-Bus methods, signals or properties
1274
836
Usage:
1275
837
1276
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1277
839
"org.freedesktop.DBus.Property."
1278
840
"EmitsChangedSignal": "false"})
1280
842
access="r")
1281
843
def Property_dbus_property(self):
1282
844
return dbus.Boolean(False)
1283
845
1284
846
See also the DBusObjectWithAnnotations class.
1285
847
"""
1286
848
1287
849
def decorator(func):
1288
850
func._dbus_annotations = annotations
1289
851
return func
1290
852
1291
853
return decorator
1292
854
1293
855
1311
873
1312
874
class DBusObjectWithAnnotations(dbus.service.Object):
1313
875
"""A D-Bus object with annotations.
1314
876
1315
877
Classes inheriting from this can use the dbus_annotations
1316
878
decorator to add annotations to methods or signals.
1317
879
"""
1318
880
1319
881
@staticmethod
1320
882
def _is_dbus_thing(thing):
1321
883
"""Returns a function testing if an attribute is a D-Bus thing
1322
884
1323
885
If called like _is_dbus_thing("method") it returns a function
1324
886
suitable for use as predicate to inspect.getmembers().
1325
887
"""
1326
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1327
889
False)
1328
890
1329
891
def _get_all_dbus_things(self, thing):
1330
892
"""Returns a generator of (name, attribute) pairs
1331
893
"""
1334
896
for cls in self.__class__.__mro__
1335
897
for name, athing in
1336
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1337
899
1338
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1339
out_signature="s",
1340
path_keyword="object_path",
1341
connection_keyword="connection")
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1342
904
def Introspect(self, object_path, connection):
1343
905
"""Overloading of standard D-Bus method.
1344
906
1345
907
Inserts annotation tags on methods and signals.
1346
908
"""
1347
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1348
910
connection)
1349
911
try:
1350
912
document = xml.dom.minidom.parseString(xmlstring)
1351
913
1352
914
for if_tag in document.getElementsByTagName("interface"):
1353
915
# Add annotation tags
1354
916
for typ in ("method", "signal"):
1381
943
if_tag.appendChild(ann_tag)
1382
944
# Fix argument name for the Introspect method itself
1383
945
if (if_tag.getAttribute("name")
1384
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1385
947
for cn in if_tag.getElementsByTagName("method"):
1386
948
if cn.getAttribute("name") == "Introspect":
1387
949
for arg in cn.getElementsByTagName("arg"):
1400
962
1401
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1402
964
"""A D-Bus object with properties.
1403
965
1404
966
Classes inheriting from this can use the dbus_service_property
1405
967
decorator to expose methods as D-Bus properties. It exposes the
1406
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1407
969
"""
1408
970
1409
971
def _get_dbus_property(self, interface_name, property_name):
1410
972
"""Returns a bound method if one exists which is a D-Bus
1411
973
property with the specified name and interface.
1416
978
if (value._dbus_name == property_name
1417
979
and value._dbus_interface == interface_name):
1418
980
return value.__get__(self)
1419
981
1420
982
# No such property
1421
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1422
984
self.dbus_object_path, interface_name, property_name))
1423
985
1424
986
@classmethod
1425
987
def _get_all_interface_names(cls):
1426
988
"""Get a sequence of all interfaces supported by an object"""
1429
991
for x in (inspect.getmro(cls))
1430
992
for attr in dir(x))
1431
993
if name is not None)
1432
994
1433
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1434
996
in_signature="ss",
1435
997
out_signature="v")
1443
1005
if not hasattr(value, "variant_level"):
1444
1006
return value
1445
1007
return type(value)(value, variant_level=value.variant_level+1)
1446
1008
1447
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1448
1010
def Set(self, interface_name, property_name, value):
1449
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1458
1020
raise ValueError("Byte arrays not supported for non-"
1459
1021
"'ay' signature {!r}"
1460
1022
.format(prop._dbus_signature))
1461
value = dbus.ByteArray(bytes(value))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1462
1025
prop(value)
1463
1026
1464
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1465
1028
in_signature="s",
1466
1029
out_signature="a{sv}")
1467
1030
def GetAll(self, interface_name):
1468
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1469
1032
standard.
1470
1033
1471
1034
Note: Will not include properties with access="write".
1472
1035
"""
1473
1036
properties = {}
1484
1047
properties[name] = value
1485
1048
continue
1486
1049
properties[name] = type(value)(
1487
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1488
1051
return dbus.Dictionary(properties, signature="sv")
1489
1052
1490
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1491
1054
def PropertiesChanged(self, interface_name, changed_properties,
1492
1055
invalidated_properties):
1494
1057
standard.
1495
1058
"""
1496
1059
pass
1497
1060
1498
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1499
1062
out_signature="s",
1500
path_keyword="object_path",
1501
connection_keyword="connection")
1063
path_keyword='object_path',
1064
connection_keyword='connection')
1502
1065
def Introspect(self, object_path, connection):
1503
1066
"""Overloading of standard D-Bus method.
1504
1067
1505
1068
Inserts property tags and interface annotation tags.
1506
1069
"""
1507
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1509
1072
connection)
1510
1073
try:
1511
1074
document = xml.dom.minidom.parseString(xmlstring)
1512
1075
1513
1076
def make_tag(document, name, prop):
1514
1077
e = document.createElement("property")
1515
1078
e.setAttribute("name", name)
1516
1079
e.setAttribute("type", prop._dbus_signature)
1517
1080
e.setAttribute("access", prop._dbus_access)
1518
1081
return e
1519
1082
1520
1083
for if_tag in document.getElementsByTagName("interface"):
1521
1084
# Add property tags
1522
1085
for tag in (make_tag(document, name, prop)
1564
1127
exc_info=error)
1565
1128
return xmlstring
1566
1129
1567
1568
1130
try:
1569
1131
dbus.OBJECT_MANAGER_IFACE
1570
1132
except AttributeError:
1571
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1572
1134
1573
1574
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1575
1136
"""A D-Bus object with an ObjectManager.
1576
1137
1577
1138
Classes inheriting from this exposes the standard
1578
1139
GetManagedObjects call and the InterfacesAdded and
1579
1140
InterfacesRemoved signals on the standard
1580
1141
"org.freedesktop.DBus.ObjectManager" interface.
1581
1142
1582
1143
Note: No signals are sent automatically; they must be sent
1583
1144
manually.
1584
1145
"""
1585
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1586
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1587
1148
def GetManagedObjects(self):
1588
1149
"""This function must be overridden"""
1589
1150
raise NotImplementedError()
1590
1151
1591
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1592
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1593
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1594
1155
pass
1595
1596
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1158
signature = "oas")
1597
1159
def InterfacesRemoved(self, object_path, interfaces):
1598
1160
pass
1599
1161
1600
1162
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1601
out_signature="s",
1602
path_keyword="object_path",
1603
connection_keyword="connection")
1163
out_signature = "s",
1164
path_keyword = 'object_path',
1165
connection_keyword = 'connection')
1604
1166
def Introspect(self, object_path, connection):
1605
1167
"""Overloading of standard D-Bus method.
1606
1168
1607
1169
Override return argument name of GetManagedObjects to be
1608
1170
"objpath_interfaces_and_properties"
1609
1171
"""
1610
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1611
object_path,
1612
connection)
1172
xmlstring = DBusObjectWithAnnotations(self, object_path,
1173
connection)
1613
1174
try:
1614
1175
document = xml.dom.minidom.parseString(xmlstring)
1615
1176
1616
1177
for if_tag in document.getElementsByTagName("interface"):
1617
1178
# Fix argument name for the GetManagedObjects method
1618
1179
if (if_tag.getAttribute("name")
1619
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1620
1181
for cn in if_tag.getElementsByTagName("method"):
1621
1182
if (cn.getAttribute("name")
1622
1183
== "GetManagedObjects"):
1632
1193
except (AttributeError, xml.dom.DOMException,
1633
1194
xml.parsers.expat.ExpatError) as error:
1634
1195
logger.error("Failed to override Introspection method",
1635
exc_info=error)
1196
exc_info = error)
1636
1197
return xmlstring
1637
1198
1638
1639
1199
def datetime_to_dbus(dt, variant_level=0):
1640
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1641
1201
if dt is None:
1642
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1643
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1644
1204
1645
1205
1648
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1649
1209
interface names according to the "alt_interface_names" mapping.
1650
1210
Usage:
1651
1211
1652
1212
@alternate_dbus_interfaces({"org.example.Interface":
1653
1213
"net.example.AlternateInterface"})
1654
1214
class SampleDBusObject(dbus.service.Object):
1655
1215
@dbus.service.method("org.example.Interface")
1656
1216
def SampleDBusMethod():
1657
1217
pass
1658
1218
1659
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1660
1220
reachable via two interfaces: "org.example.Interface" and
1661
1221
"net.example.AlternateInterface", the latter of which will have
1662
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1663
1223
"true", unless "deprecate" is passed with a False value.
1664
1224
1665
1225
This works for methods and signals, and also for D-Bus properties
1666
1226
(from DBusObjectWithProperties) and interfaces (from the
1667
1227
dbus_interface_annotations decorator).
1668
1228
"""
1669
1229
1670
1230
def wrapper(cls):
1671
1231
for orig_interface_name, alt_interface_name in (
1672
1232
alt_interface_names.items()):
1687
1247
interface_names.add(alt_interface)
1688
1248
# Is this a D-Bus signal?
1689
1249
if getattr(attribute, "_dbus_is_signal", False):
1690
# Extract the original non-method undecorated
1691
# function by black magic
1692
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1693
1253
nonmethod_func = (dict(
1694
1254
zip(attribute.func_code.co_freevars,
1695
1255
attribute.__closure__))
1696
1256
["func"].cell_contents)
1697
1257
else:
1698
nonmethod_func = (dict(
1699
zip(attribute.__code__.co_freevars,
1700
attribute.__closure__))
1701
["func"].cell_contents)
1258
nonmethod_func = attribute
1702
1259
# Create a new, but exactly alike, function
1703
1260
# object, and decorate it to be a new D-Bus signal
1704
1261
# with the alternate D-Bus interface name
1705
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1706
1276
new_function = (dbus.service.signal(
1707
1277
alt_interface,
1708
1278
attribute._dbus_signature)(new_function))
1712
1282
attribute._dbus_annotations)
1713
1283
except AttributeError:
1714
1284
pass
1715
1716
1285
# Define a creator of a function to call both the
1717
1286
# original and alternate functions, so both the
1718
1287
# original and alternate signals gets sent when
1721
1290
"""This function is a scope container to pass
1722
1291
func1 and func2 to the "call_both" function
1723
1292
outside of its arguments"""
1724
1725
@functools.wraps(func2)
1293
1726
1294
def call_both(*args, **kwargs):
1727
1295
"""This function will emit two D-Bus
1728
1296
signals by calling func1 and func2"""
1729
1297
func1(*args, **kwargs)
1730
1298
func2(*args, **kwargs)
1731
# Make wrapper function look like a D-Bus
1732
# signal
1733
for name, attr in inspect.getmembers(func2):
1734
if name.startswith("_dbus_"):
1735
setattr(call_both, name, attr)
1736
1299
1737
1300
return call_both
1738
1301
# Create the "call_both" function and add it to
1739
1302
# the class
1749
1312
alt_interface,
1750
1313
attribute._dbus_in_signature,
1751
1314
attribute._dbus_out_signature)
1752
(copy_function(attribute)))
1315
(types.FunctionType(attribute.func_code,
1316
attribute.func_globals,
1317
attribute.func_name,
1318
attribute.func_defaults,
1319
attribute.func_closure)))
1753
1320
# Copy annotations, if any
1754
1321
try:
1755
1322
attr[attrname]._dbus_annotations = dict(
1767
1334
attribute._dbus_access,
1768
1335
attribute._dbus_get_args_options
1769
1336
["byte_arrays"])
1770
(copy_function(attribute)))
1337
(types.FunctionType(
1338
attribute.func_code,
1339
attribute.func_globals,
1340
attribute.func_name,
1341
attribute.func_defaults,
1342
attribute.func_closure)))
1771
1343
# Copy annotations, if any
1772
1344
try:
1773
1345
attr[attrname]._dbus_annotations = dict(
1782
1354
# to the class.
1783
1355
attr[attrname] = (
1784
1356
dbus_interface_annotations(alt_interface)
1785
(copy_function(attribute)))
1357
(types.FunctionType(attribute.func_code,
1358
attribute.func_globals,
1359
attribute.func_name,
1360
attribute.func_defaults,
1361
attribute.func_closure)))
1786
1362
if deprecate:
1787
1363
# Deprecate all alternate interfaces
1788
iname = "_AlternateDBusNames_interface_annotation{}"
1364
iname="_AlternateDBusNames_interface_annotation{}"
1789
1365
for interface_name in interface_names:
1790
1366
1791
1367
@dbus_interface_annotations(interface_name)
1792
1368
def func(self):
1793
return {"org.freedesktop.DBus.Deprecated":
1794
"true"}
1369
return { "org.freedesktop.DBus.Deprecated":
1370
"true" }
1795
1371
# Find an unused name
1796
1372
for aname in (iname.format(i)
1797
1373
for i in itertools.count()):
1801
1377
if interface_names:
1802
1378
# Replace the class with a new subclass of it with
1803
1379
# methods, signals, etc. as created above.
1804
if sys.version_info.major == 2:
1805
cls = type(b"{}Alternate".format(cls.__name__),
1806
(cls, ), attr)
1807
else:
1808
cls = type("{}Alternate".format(cls.__name__),
1809
(cls, ), attr)
1380
cls = type(b"{}Alternate".format(cls.__name__),
1381
(cls, ), attr)
1810
1382
return cls
1811
1383
1812
1384
return wrapper
1813
1385
1814
1386
1816
1388
"se.bsnet.fukt.Mandos"})
1817
1389
class ClientDBus(Client, DBusObjectWithProperties):
1818
1390
"""A Client class using D-Bus
1819
1391
1820
1392
Attributes:
1821
1393
dbus_object_path: dbus.ObjectPath
1822
1394
bus: dbus.SystemBus()
1823
1395
"""
1824
1396
1825
1397
runtime_expansions = (Client.runtime_expansions
1826
1398
+ ("dbus_object_path", ))
1827
1399
1828
1400
_interface = "se.recompile.Mandos.Client"
1829
1401
1830
1402
# dbus.service.Object doesn't use super(), so we can't either.
1831
1832
def __init__(self, bus=None, *args, **kwargs):
1403
1404
def __init__(self, bus = None, *args, **kwargs):
1833
1405
self.bus = bus
1834
1406
Client.__init__(self, *args, **kwargs)
1835
1407
# Only now, when this client is initialized, can it show up on
1841
1413
"/clients/" + client_object_name)
1842
1414
DBusObjectWithProperties.__init__(self, self.bus,
1843
1415
self.dbus_object_path)
1844
1416
1845
1417
def notifychangeproperty(transform_func, dbus_name,
1846
1418
type_func=lambda x: x,
1847
1419
variant_level=1,
1849
1421
_interface=_interface):
1850
1422
""" Modify a variable so that it's a property which announces
1851
1423
its changes to DBus.
1852
1424
1853
1425
transform_fun: Function that takes a value and a variant_level
1854
1426
and transforms it to a D-Bus type.
1855
1427
dbus_name: D-Bus name of the variable
1858
1430
variant_level: D-Bus variant level. Default: 1
1859
1431
"""
1860
1432
attrname = "_{}".format(dbus_name)
1861
1433
1862
1434
def setter(self, value):
1863
1435
if hasattr(self, "dbus_object_path"):
1864
1436
if (not hasattr(self, attrname) or
1871
1443
else:
1872
1444
dbus_value = transform_func(
1873
1445
type_func(value),
1874
variant_level=variant_level)
1446
variant_level = variant_level)
1875
1447
self.PropertyChanged(dbus.String(dbus_name),
1876
1448
dbus_value)
1877
1449
self.PropertiesChanged(
1878
1450
_interface,
1879
dbus.Dictionary({dbus.String(dbus_name):
1880
dbus_value}),
1451
dbus.Dictionary({ dbus.String(dbus_name):
1452
dbus_value }),
1881
1453
dbus.Array())
1882
1454
setattr(self, attrname, value)
1883
1455
1884
1456
return property(lambda self: getattr(self, attrname), setter)
1885
1457
1886
1458
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1887
1459
approvals_pending = notifychangeproperty(dbus.Boolean,
1888
1460
"ApprovalPending",
1889
type_func=bool)
1461
type_func = bool)
1890
1462
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1891
1463
last_enabled = notifychangeproperty(datetime_to_dbus,
1892
1464
"LastEnabled")
1893
1465
checker = notifychangeproperty(
1894
1466
dbus.Boolean, "CheckerRunning",
1895
type_func=lambda checker: checker is not None)
1467
type_func = lambda checker: checker is not None)
1896
1468
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1897
1469
"LastCheckedOK")
1898
1470
last_checker_status = notifychangeproperty(dbus.Int16,
1903
1475
"ApprovedByDefault")
1904
1476
approval_delay = notifychangeproperty(
1905
1477
dbus.UInt64, "ApprovalDelay",
1906
type_func=lambda td: td.total_seconds() * 1000)
1478
type_func = lambda td: td.total_seconds() * 1000)
1907
1479
approval_duration = notifychangeproperty(
1908
1480
dbus.UInt64, "ApprovalDuration",
1909
type_func=lambda td: td.total_seconds() * 1000)
1481
type_func = lambda td: td.total_seconds() * 1000)
1910
1482
host = notifychangeproperty(dbus.String, "Host")
1911
1483
timeout = notifychangeproperty(
1912
1484
dbus.UInt64, "Timeout",
1913
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1914
1486
extended_timeout = notifychangeproperty(
1915
1487
dbus.UInt64, "ExtendedTimeout",
1916
type_func=lambda td: td.total_seconds() * 1000)
1488
type_func = lambda td: td.total_seconds() * 1000)
1917
1489
interval = notifychangeproperty(
1918
1490
dbus.UInt64, "Interval",
1919
type_func=lambda td: td.total_seconds() * 1000)
1491
type_func = lambda td: td.total_seconds() * 1000)
1920
1492
checker_command = notifychangeproperty(dbus.String, "Checker")
1921
1493
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1922
1494
invalidate_only=True)
1923
1495
1924
1496
del notifychangeproperty
1925
1497
1926
1498
def __del__(self, *args, **kwargs):
1927
1499
try:
1928
1500
self.remove_from_connection()
1931
1503
if hasattr(DBusObjectWithProperties, "__del__"):
1932
1504
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1933
1505
Client.__del__(self, *args, **kwargs)
1934
1506
1935
1507
def checker_callback(self, source, condition,
1936
1508
connection, command, *args, **kwargs):
1937
1509
ret = Client.checker_callback(self, source, condition,
1953
1525
| self.last_checker_signal),
1954
1526
dbus.String(command))
1955
1527
return ret
1956
1528
1957
1529
def start_checker(self, *args, **kwargs):
1958
1530
old_checker_pid = getattr(self.checker, "pid", None)
1959
1531
r = Client.start_checker(self, *args, **kwargs)
1963
1535
# Emit D-Bus signal
1964
1536
self.CheckerStarted(self.current_checker_command)
1965
1537
return r
1966
1538
1967
1539
def _reset_approved(self):
1968
1540
self.approved = None
1969
1541
return False
1970
1542
1971
1543
def approve(self, value=True):
1972
1544
self.approved = value
1973
GLib.timeout_add(int(self.approval_duration.total_seconds()
1974
* 1000), self._reset_approved)
1545
gobject.timeout_add(int(self.approval_duration.total_seconds()
1546
* 1000), self._reset_approved)
1975
1547
self.send_changedstate()
1976
1977
# D-Bus methods, signals & properties
1978
1979
# Interfaces
1980
1981
# Signals
1982
1548
1549
## D-Bus methods, signals & properties
1550
1551
## Interfaces
1552
1553
## Signals
1554
1983
1555
# CheckerCompleted - signal
1984
1556
@dbus.service.signal(_interface, signature="nxs")
1985
1557
def CheckerCompleted(self, exitcode, waitstatus, command):
1986
1558
"D-Bus signal"
1987
1559
pass
1988
1560
1989
1561
# CheckerStarted - signal
1990
1562
@dbus.service.signal(_interface, signature="s")
1991
1563
def CheckerStarted(self, command):
1992
1564
"D-Bus signal"
1993
1565
pass
1994
1566
1995
1567
# PropertyChanged - signal
1996
1568
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1997
1569
@dbus.service.signal(_interface, signature="sv")
1998
1570
def PropertyChanged(self, property, value):
1999
1571
"D-Bus signal"
2000
1572
pass
2001
1573
2002
1574
# GotSecret - signal
2003
1575
@dbus.service.signal(_interface)
2004
1576
def GotSecret(self):
2007
1579
server to mandos-client
2008
1580
"""
2009
1581
pass
2010
1582
2011
1583
# Rejected - signal
2012
1584
@dbus.service.signal(_interface, signature="s")
2013
1585
def Rejected(self, reason):
2014
1586
"D-Bus signal"
2015
1587
pass
2016
1588
2017
1589
# NeedApproval - signal
2018
1590
@dbus.service.signal(_interface, signature="tb")
2019
1591
def NeedApproval(self, timeout, default):
2020
1592
"D-Bus signal"
2021
1593
return self.need_approval()
2022
2023
# Methods
2024
1594
1595
## Methods
1596
2025
1597
# Approve - method
2026
1598
@dbus.service.method(_interface, in_signature="b")
2027
1599
def Approve(self, value):
2028
1600
self.approve(value)
2029
1601
2030
1602
# CheckedOK - method
2031
1603
@dbus.service.method(_interface)
2032
1604
def CheckedOK(self):
2033
1605
self.checked_ok()
2034
1606
2035
1607
# Enable - method
2036
1608
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2037
1609
@dbus.service.method(_interface)
2038
1610
def Enable(self):
2039
1611
"D-Bus method"
2040
1612
self.enable()
2041
1613
2042
1614
# StartChecker - method
2043
1615
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2044
1616
@dbus.service.method(_interface)
2045
1617
def StartChecker(self):
2046
1618
"D-Bus method"
2047
1619
self.start_checker()
2048
1620
2049
1621
# Disable - method
2050
1622
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2051
1623
@dbus.service.method(_interface)
2052
1624
def Disable(self):
2053
1625
"D-Bus method"
2054
1626
self.disable()
2055
1627
2056
1628
# StopChecker - method
2057
1629
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2058
1630
@dbus.service.method(_interface)
2059
1631
def StopChecker(self):
2060
1632
self.stop_checker()
2061
2062
# Properties
2063
1633
1634
## Properties
1635
2064
1636
# ApprovalPending - property
2065
1637
@dbus_service_property(_interface, signature="b", access="read")
2066
1638
def ApprovalPending_dbus_property(self):
2067
1639
return dbus.Boolean(bool(self.approvals_pending))
2068
1640
2069
1641
# ApprovedByDefault - property
2070
1642
@dbus_service_property(_interface,
2071
1643
signature="b",
2074
1646
if value is None: # get
2075
1647
return dbus.Boolean(self.approved_by_default)
2076
1648
self.approved_by_default = bool(value)
2077
1649
2078
1650
# ApprovalDelay - property
2079
1651
@dbus_service_property(_interface,
2080
1652
signature="t",
2084
1656
return dbus.UInt64(self.approval_delay.total_seconds()
2085
1657
* 1000)
2086
1658
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2087
1659
2088
1660
# ApprovalDuration - property
2089
1661
@dbus_service_property(_interface,
2090
1662
signature="t",
2094
1666
return dbus.UInt64(self.approval_duration.total_seconds()
2095
1667
* 1000)
2096
1668
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2097
1669
2098
1670
# Name - property
2099
1671
@dbus_annotations(
2100
1672
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2101
1673
@dbus_service_property(_interface, signature="s", access="read")
2102
1674
def Name_dbus_property(self):
2103
1675
return dbus.String(self.name)
2104
2105
# KeyID - property
2106
@dbus_annotations(
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2108
@dbus_service_property(_interface, signature="s", access="read")
2109
def KeyID_dbus_property(self):
2110
return dbus.String(self.key_id)
2111
1676
2112
1677
# Fingerprint - property
2113
1678
@dbus_annotations(
2114
1679
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2115
1680
@dbus_service_property(_interface, signature="s", access="read")
2116
1681
def Fingerprint_dbus_property(self):
2117
1682
return dbus.String(self.fingerprint)
2118
1683
2119
1684
# Host - property
2120
1685
@dbus_service_property(_interface,
2121
1686
signature="s",
2124
1689
if value is None: # get
2125
1690
return dbus.String(self.host)
2126
1691
self.host = str(value)
2127
1692
2128
1693
# Created - property
2129
1694
@dbus_annotations(
2130
1695
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2131
1696
@dbus_service_property(_interface, signature="s", access="read")
2132
1697
def Created_dbus_property(self):
2133
1698
return datetime_to_dbus(self.created)
2134
1699
2135
1700
# LastEnabled - property
2136
1701
@dbus_service_property(_interface, signature="s", access="read")
2137
1702
def LastEnabled_dbus_property(self):
2138
1703
return datetime_to_dbus(self.last_enabled)
2139
1704
2140
1705
# Enabled - property
2141
1706
@dbus_service_property(_interface,
2142
1707
signature="b",
2148
1713
self.enable()
2149
1714
else:
2150
1715
self.disable()
2151
1716
2152
1717
# LastCheckedOK - property
2153
1718
@dbus_service_property(_interface,
2154
1719
signature="s",
2158
1723
self.checked_ok()
2159
1724
return
2160
1725
return datetime_to_dbus(self.last_checked_ok)
2161
1726
2162
1727
# LastCheckerStatus - property
2163
1728
@dbus_service_property(_interface, signature="n", access="read")
2164
1729
def LastCheckerStatus_dbus_property(self):
2165
1730
return dbus.Int16(self.last_checker_status)
2166
1731
2167
1732
# Expires - property
2168
1733
@dbus_service_property(_interface, signature="s", access="read")
2169
1734
def Expires_dbus_property(self):
2170
1735
return datetime_to_dbus(self.expires)
2171
1736
2172
1737
# LastApprovalRequest - property
2173
1738
@dbus_service_property(_interface, signature="s", access="read")
2174
1739
def LastApprovalRequest_dbus_property(self):
2175
1740
return datetime_to_dbus(self.last_approval_request)
2176
1741
2177
1742
# Timeout - property
2178
1743
@dbus_service_property(_interface,
2179
1744
signature="t",
2194
1759
if (getattr(self, "disable_initiator_tag", None)
2195
1760
is None):
2196
1761
return
2197
GLib.source_remove(self.disable_initiator_tag)
2198
self.disable_initiator_tag = GLib.timeout_add(
1762
gobject.source_remove(self.disable_initiator_tag)
1763
self.disable_initiator_tag = gobject.timeout_add(
2199
1764
int((self.expires - now).total_seconds() * 1000),
2200
1765
self.disable)
2201
1766
2202
1767
# ExtendedTimeout - property
2203
1768
@dbus_service_property(_interface,
2204
1769
signature="t",
2208
1773
return dbus.UInt64(self.extended_timeout.total_seconds()
2209
1774
* 1000)
2210
1775
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2211
1776
2212
1777
# Interval - property
2213
1778
@dbus_service_property(_interface,
2214
1779
signature="t",
2221
1786
return
2222
1787
if self.enabled:
2223
1788
# Reschedule checker run
2224
GLib.source_remove(self.checker_initiator_tag)
2225
self.checker_initiator_tag = GLib.timeout_add(
1789
gobject.source_remove(self.checker_initiator_tag)
1790
self.checker_initiator_tag = gobject.timeout_add(
2226
1791
value, self.start_checker)
2227
self.start_checker() # Start one now, too
2228
1792
self.start_checker() # Start one now, too
1793
2229
1794
# Checker - property
2230
1795
@dbus_service_property(_interface,
2231
1796
signature="s",
2234
1799
if value is None: # get
2235
1800
return dbus.String(self.checker_command)
2236
1801
self.checker_command = str(value)
2237
1802
2238
1803
# CheckerRunning - property
2239
1804
@dbus_service_property(_interface,
2240
1805
signature="b",
2246
1811
self.start_checker()
2247
1812
else:
2248
1813
self.stop_checker()
2249
1814
2250
1815
# ObjectPath - property
2251
1816
@dbus_annotations(
2252
1817
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2253
1818
"org.freedesktop.DBus.Deprecated": "true"})
2254
1819
@dbus_service_property(_interface, signature="o", access="read")
2255
1820
def ObjectPath_dbus_property(self):
2256
return self.dbus_object_path # is already a dbus.ObjectPath
2257
1821
return self.dbus_object_path # is already a dbus.ObjectPath
1822
2258
1823
# Secret = property
2259
1824
@dbus_annotations(
2260
1825
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2265
1830
byte_arrays=True)
2266
1831
def Secret_dbus_property(self, value):
2267
1832
self.secret = bytes(value)
2268
1833
2269
1834
del _interface
2270
1835
2271
1836
2272
class ProxyClient:
2273
def __init__(self, child_pipe, key_id, fpr, address):
1837
class ProxyClient(object):
1838
def __init__(self, child_pipe, fpr, address):
2274
1839
self._pipe = child_pipe
2275
self._pipe.send(("init", key_id, fpr, address))
1840
self._pipe.send(('init', fpr, address))
2276
1841
if not self._pipe.recv():
2277
raise KeyError(key_id or fpr)
2278
1842
raise KeyError(fpr)
1843
2279
1844
def __getattribute__(self, name):
2280
if name == "_pipe":
1845
if name == '_pipe':
2281
1846
return super(ProxyClient, self).__getattribute__(name)
2282
self._pipe.send(("getattr", name))
1847
self._pipe.send(('getattr', name))
2283
1848
data = self._pipe.recv()
2284
if data[0] == "data":
1849
if data[0] == 'data':
2285
1850
return data[1]
2286
if data[0] == "function":
2287
1851
if data[0] == 'function':
1852
2288
1853
def func(*args, **kwargs):
2289
self._pipe.send(("funcall", name, args, kwargs))
1854
self._pipe.send(('funcall', name, args, kwargs))
2290
1855
return self._pipe.recv()[1]
2291
1856
2292
1857
return func
2293
1858
2294
1859
def __setattr__(self, name, value):
2295
if name == "_pipe":
1860
if name == '_pipe':
2296
1861
return super(ProxyClient, self).__setattr__(name, value)
2297
self._pipe.send(("setattr", name, value))
1862
self._pipe.send(('setattr', name, value))
2298
1863
2299
1864
2300
1865
class ClientHandler(socketserver.BaseRequestHandler, object):
2301
1866
"""A class to handle client connections.
2302
1867
2303
1868
Instantiated once for each connection to handle it.
2304
1869
Note: This will run in its own forked process."""
2305
1870
2306
1871
def handle(self):
2307
1872
with contextlib.closing(self.server.child_pipe) as child_pipe:
2308
1873
logger.info("TCP connection from: %s",
2309
1874
str(self.client_address))
2310
1875
logger.debug("Pipe FD: %d",
2311
1876
self.server.child_pipe.fileno())
2312
2313
session = gnutls.ClientSession(self.request)
2314
2315
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2316
# "+AES-256-CBC", "+SHA1",
2317
# "+COMP-NULL", "+CTYPE-OPENPGP",
2318
# "+DHE-DSS"))
1877
1878
session = gnutls.connection.ClientSession(
1879
self.request, gnutls.connection .X509Credentials())
1880
1881
# Note: gnutls.connection.X509Credentials is really a
1882
# generic GnuTLS certificate credentials object so long as
1883
# no X.509 keys are added to it. Therefore, we can use it
1884
# here despite using OpenPGP certificates.
1885
1886
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1887
# "+AES-256-CBC", "+SHA1",
1888
# "+COMP-NULL", "+CTYPE-OPENPGP",
1889
# "+DHE-DSS"))
2319
1890
# Use a fallback default, since this MUST be set.
2320
1891
priority = self.server.gnutls_priority
2321
1892
if priority is None:
2322
1893
priority = "NORMAL"
2323
gnutls.priority_set_direct(session,
2324
priority.encode("utf-8"), None)
2325
1894
gnutls.library.functions.gnutls_priority_set_direct(
1895
session._c_object, priority, None)
1896
2326
1897
# Start communication using the Mandos protocol
2327
1898
# Get protocol number
2328
1899
line = self.request.makefile().readline()
2333
1904
except (ValueError, IndexError, RuntimeError) as error:
2334
1905
logger.error("Unknown protocol version: %s", error)
2335
1906
return
2336
1907
2337
1908
# Start GnuTLS connection
2338
1909
try:
2339
1910
session.handshake()
2340
except gnutls.Error as error:
1911
except gnutls.errors.GNUTLSError as error:
2341
1912
logger.warning("Handshake failed: %s", error)
2342
1913
# Do not run session.bye() here: the session is not
2343
1914
# established. Just abandon the request.
2344
1915
return
2345
1916
logger.debug("Handshake succeeded")
2346
1917
2347
1918
approval_required = False
2348
1919
try:
2349
if gnutls.has_rawpk:
2350
fpr = b""
2351
try:
2352
key_id = self.key_id(
2353
self.peer_certificate(session))
2354
except (TypeError, gnutls.Error) as error:
2355
logger.warning("Bad certificate: %s", error)
2356
return
2357
logger.debug("Key ID: %s",
2358
key_id.decode("utf-8",
2359
errors="replace"))
2360
2361
else:
2362
key_id = b""
2363
try:
2364
fpr = self.fingerprint(
2365
self.peer_certificate(session))
2366
except (TypeError, gnutls.Error) as error:
2367
logger.warning("Bad certificate: %s", error)
2368
return
2369
logger.debug("Fingerprint: %s", fpr)
2370
2371
try:
2372
client = ProxyClient(child_pipe, key_id, fpr,
1920
try:
1921
fpr = self.fingerprint(
1922
self.peer_certificate(session))
1923
except (TypeError,
1924
gnutls.errors.GNUTLSError) as error:
1925
logger.warning("Bad certificate: %s", error)
1926
return
1927
logger.debug("Fingerprint: %s", fpr)
1928
1929
try:
1930
client = ProxyClient(child_pipe, fpr,
2373
1931
self.client_address)
2374
1932
except KeyError:
2375
1933
return
2376
1934
2377
1935
if client.approval_delay:
2378
1936
delay = client.approval_delay
2379
1937
client.approvals_pending += 1
2380
1938
approval_required = True
2381
1939
2382
1940
while True:
2383
1941
if not client.enabled:
2384
1942
logger.info("Client %s is disabled",
2387
1945
# Emit D-Bus signal
2388
1946
client.Rejected("Disabled")
2389
1947
return
2390
1948
2391
1949
if client.approved or not client.approval_delay:
2392
# We are approved or approval is disabled
1950
#We are approved or approval is disabled
2393
1951
break
2394
1952
elif client.approved is None:
2395
1953
logger.info("Client %s needs approval",
2406
1964
# Emit D-Bus signal
2407
1965
client.Rejected("Denied")
2408
1966
return
2409
2410
# wait until timeout or approved
1967
1968
#wait until timeout or approved
2411
1969
time = datetime.datetime.now()
2412
1970
client.changedstate.acquire()
2413
1971
client.changedstate.wait(delay.total_seconds())
2426
1984
break
2427
1985
else:
2428
1986
delay -= time2 - time
2429
2430
try:
2431
session.send(client.secret)
2432
except gnutls.Error as error:
2433
logger.warning("gnutls send failed",
2434
exc_info=error)
2435
return
2436
1987
1988
sent_size = 0
1989
while sent_size < len(client.secret):
1990
try:
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1994
exc_info=error)
1995
return
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
1998
+ sent))
1999
sent_size += sent
2000
2437
2001
logger.info("Sending secret to %s", client.name)
2438
2002
# bump the timeout using extended_timeout
2439
2003
client.bump_timeout(client.extended_timeout)
2440
2004
if self.server.use_dbus:
2441
2005
# Emit D-Bus signal
2442
2006
client.GotSecret()
2443
2007
2444
2008
finally:
2445
2009
if approval_required:
2446
2010
client.approvals_pending -= 1
2447
2011
try:
2448
2012
session.bye()
2449
except gnutls.Error as error:
2013
except gnutls.errors.GNUTLSError as error:
2450
2014
logger.warning("GnuTLS bye failed",
2451
2015
exc_info=error)
2452
2016
2453
2017
@staticmethod
2454
2018
def peer_certificate(session):
2455
"Return the peer's certificate as a bytestring"
2456
try:
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2463
else:
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2468
valid_cert_types)
2469
# ...return invalid data
2470
return b""
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2022
session._c_object)
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2471
2026
list_size = ctypes.c_uint(1)
2472
cert_list = (gnutls.certificate_get_peers
2473
(session, ctypes.byref(list_size)))
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2029
(session._c_object, ctypes.byref(list_size)))
2474
2030
if not bool(cert_list) and list_size.value != 0:
2475
raise gnutls.Error("error getting peer certificate")
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2032
" certificate")
2476
2033
if list_size.value == 0:
2477
2034
return None
2478
2035
cert = cert_list[0]
2479
2036
return ctypes.string_at(cert.data, cert.size)
2480
2481
@staticmethod
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2502
pubkey,
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2509
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2514
return hex_key_id
2515
2037
2516
2038
@staticmethod
2517
2039
def fingerprint(openpgp):
2518
2040
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2519
2041
# New GnuTLS "datum" with the OpenPGP public key
2520
datum = gnutls.datum_t(
2042
datum = gnutls.library.types.gnutls_datum_t(
2521
2043
ctypes.cast(ctypes.c_char_p(openpgp),
2522
2044
ctypes.POINTER(ctypes.c_ubyte)),
2523
2045
ctypes.c_uint(len(openpgp)))
2524
2046
# New empty GnuTLS certificate
2525
crt = gnutls.openpgp_crt_t()
2526
gnutls.openpgp_crt_init(ctypes.byref(crt))
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2049
ctypes.byref(crt))
2527
2050
# Import the OpenPGP public key into the certificate
2528
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2529
gnutls.OPENPGP_FMT_RAW)
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2530
2054
# Verify the self signature in the key
2531
2055
crtverify = ctypes.c_uint()
2532
gnutls.openpgp_crt_verify_self(crt, 0,
2533
ctypes.byref(crtverify))
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2534
2058
if crtverify.value != 0:
2535
gnutls.openpgp_crt_deinit(crt)
2536
raise gnutls.CertificateSecurityError(code
2537
=crtverify.value)
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2061
"Verify failed")
2538
2062
# New buffer for the fingerprint
2539
2063
buf = ctypes.create_string_buffer(20)
2540
2064
buf_len = ctypes.c_size_t()
2541
2065
# Get the fingerprint from the certificate into the buffer
2542
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2543
ctypes.byref(buf_len))
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2544
2068
# Deinit the certificate
2545
gnutls.openpgp_crt_deinit(crt)
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2546
2070
# Convert the buffer to a Python bytestring
2547
2071
fpr = ctypes.string_at(buf, buf_len.value)
2548
2072
# Convert the bytestring to hexadecimal notation
2550
2074
return hex_fpr
2551
2075
2552
2076
2553
class MultiprocessingMixIn:
2077
class MultiprocessingMixIn(object):
2554
2078
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2555
2079
2556
2080
def sub_process_main(self, request, address):
2557
2081
try:
2558
2082
self.finish_request(request, address)
2559
2083
except Exception:
2560
2084
self.handle_error(request, address)
2561
2085
self.close_request(request)
2562
2086
2563
2087
def process_request(self, request, address):
2564
2088
"""Start a new process to process the request."""
2565
proc = multiprocessing.Process(target=self.sub_process_main,
2566
args=(request, address))
2089
proc = multiprocessing.Process(target = self.sub_process_main,
2090
args = (request, address))
2567
2091
proc.start()
2568
2092
return proc
2569
2093
2570
2094
2571
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2095
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2572
2096
""" adds a pipe to the MixIn """
2573
2097
2574
2098
def process_request(self, request, client_address):
2575
2099
"""Overrides and wraps the original process_request().
2576
2100
2577
2101
This function creates a new pipe in self.pipe
2578
2102
"""
2579
2103
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2580
2104
2581
2105
proc = MultiprocessingMixIn.process_request(self, request,
2582
2106
client_address)
2583
2107
self.child_pipe.close()
2584
2108
self.add_pipe(parent_pipe, proc)
2585
2109
2586
2110
def add_pipe(self, parent_pipe, proc):
2587
2111
"""Dummy function; override as necessary"""
2588
2112
raise NotImplementedError()
2589
2113
2590
2114
2591
2115
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2592
socketserver.TCPServer):
2593
"""IPv6-capable TCP server. Accepts None as address and/or port
2594
2116
socketserver.TCPServer, object):
2117
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2118
2595
2119
Attributes:
2596
2120
enabled: Boolean; whether this server is activated yet
2597
2121
interface: None or a network interface name (string)
2598
2122
use_ipv6: Boolean; to use IPv6 or not
2599
2123
"""
2600
2124
2601
2125
def __init__(self, server_address, RequestHandlerClass,
2602
2126
interface=None,
2603
2127
use_ipv6=True,
2613
2137
self.socketfd = socketfd
2614
2138
# Save the original socket.socket() function
2615
2139
self.socket_socket = socket.socket
2616
2617
2140
# To implement --socket, we monkey patch socket.socket.
2618
#
2141
#
2619
2142
# (When socketserver.TCPServer is a new-style class, we
2620
2143
# could make self.socket into a property instead of monkey
2621
2144
# patching socket.socket.)
2622
#
2145
#
2623
2146
# Create a one-time-only replacement for socket.socket()
2624
2147
@functools.wraps(socket.socket)
2625
2148
def socket_wrapper(*args, **kwargs):
2637
2160
# socket_wrapper(), if socketfd was set.
2638
2161
socketserver.TCPServer.__init__(self, server_address,
2639
2162
RequestHandlerClass)
2640
2163
2641
2164
def server_bind(self):
2642
2165
"""This overrides the normal server_bind() function
2643
2166
to bind to an interface if one was specified, and also NOT to
2644
2167
bind to an address or port if they were not specified."""
2645
global SO_BINDTODEVICE
2646
2168
if self.interface is not None:
2647
2169
if SO_BINDTODEVICE is None:
2648
# Fall back to a hard-coded value which seems to be
2649
# common enough.
2650
logger.warning("SO_BINDTODEVICE not found, trying 25")
2651
SO_BINDTODEVICE = 25
2652
try:
2653
self.socket.setsockopt(
2654
socket.SOL_SOCKET, SO_BINDTODEVICE,
2655
(self.interface + "\0").encode("utf-8"))
2656
except socket.error as error:
2657
if error.errno == errno.EPERM:
2658
logger.error("No permission to bind to"
2659
" interface %s", self.interface)
2660
elif error.errno == errno.ENOPROTOOPT:
2661
logger.error("SO_BINDTODEVICE not available;"
2662
" cannot bind to interface %s",
2663
self.interface)
2664
elif error.errno == errno.ENODEV:
2665
logger.error("Interface %s does not exist,"
2666
" cannot bind", self.interface)
2667
else:
2668
raise
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2172
self.interface)
2173
else:
2174
try:
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2185
self.interface)
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2189
else:
2190
raise
2669
2191
# Only bind(2) the socket if we really need to.
2670
2192
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2673
2193
if not self.server_address[0]:
2674
2194
if self.address_family == socket.AF_INET6:
2675
any_address = "::" # in6addr_any
2195
any_address = "::" # in6addr_any
2676
2196
else:
2677
any_address = "0.0.0.0" # INADDR_ANY
2197
any_address = "0.0.0.0" # INADDR_ANY
2678
2198
self.server_address = (any_address,
2679
2199
self.server_address[1])
2680
2200
elif not self.server_address[1]:
2690
2210
2691
2211
class MandosServer(IPv6_TCPServer):
2692
2212
"""Mandos server.
2693
2213
2694
2214
Attributes:
2695
2215
clients: set of Client objects
2696
2216
gnutls_priority GnuTLS priority string
2697
2217
use_dbus: Boolean; to emit D-Bus signals or not
2698
2699
Assumes a GLib.MainLoop event loop.
2218
2219
Assumes a gobject.MainLoop event loop.
2700
2220
"""
2701
2221
2702
2222
def __init__(self, server_address, RequestHandlerClass,
2703
2223
interface=None,
2704
2224
use_ipv6=True,
2714
2234
self.gnutls_priority = gnutls_priority
2715
2235
IPv6_TCPServer.__init__(self, server_address,
2716
2236
RequestHandlerClass,
2717
interface=interface,
2718
use_ipv6=use_ipv6,
2719
socketfd=socketfd)
2720
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2240
2721
2241
def server_activate(self):
2722
2242
if self.enabled:
2723
2243
return socketserver.TCPServer.server_activate(self)
2724
2244
2725
2245
def enable(self):
2726
2246
self.enabled = True
2727
2247
2728
2248
def add_pipe(self, parent_pipe, proc):
2729
2249
# Call "handle_ipc" for both data and EOF events
2730
GLib.io_add_watch(
2731
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2732
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2250
gobject.io_add_watch(
2251
parent_pipe.fileno(),
2252
gobject.IO_IN | gobject.IO_HUP,
2733
2253
functools.partial(self.handle_ipc,
2734
parent_pipe=parent_pipe,
2735
proc=proc))
2736
2254
parent_pipe = parent_pipe,
2255
proc = proc))
2256
2737
2257
def handle_ipc(self, source, condition,
2738
2258
parent_pipe=None,
2739
proc=None,
2259
proc = None,
2740
2260
client_object=None):
2741
2261
# error, or the other end of multiprocessing.Pipe has closed
2742
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2743
2263
# Wait for other process to exit
2744
2264
proc.join()
2745
2265
return False
2746
2266
2747
2267
# Read a request from the child
2748
2268
request = parent_pipe.recv()
2749
2269
command = request[0]
2750
2751
if command == "init":
2752
key_id = request[1].decode("ascii")
2753
fpr = request[2].decode("ascii")
2754
address = request[3]
2755
2756
for c in self.clients.values():
2757
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2758
"27AE41E4649B934CA495991B7852B855"):
2759
continue
2760
if key_id and c.key_id == key_id:
2761
client = c
2762
break
2763
if fpr and c.fingerprint == fpr:
2270
2271
if command == 'init':
2272
fpr = request[1]
2273
address = request[2]
2274
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2764
2277
client = c
2765
2278
break
2766
2279
else:
2767
logger.info("Client not found for key ID: %s, address"
2768
": %s", key_id or fpr, address)
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2769
2282
if self.use_dbus:
2770
2283
# Emit D-Bus signal
2771
mandos_dbus_service.ClientNotFound(key_id or fpr,
2284
mandos_dbus_service.ClientNotFound(fpr,
2772
2285
address[0])
2773
2286
parent_pipe.send(False)
2774
2287
return False
2775
2776
GLib.io_add_watch(
2777
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2778
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2288
2289
gobject.io_add_watch(
2290
parent_pipe.fileno(),
2291
gobject.IO_IN | gobject.IO_HUP,
2779
2292
functools.partial(self.handle_ipc,
2780
parent_pipe=parent_pipe,
2781
proc=proc,
2782
client_object=client))
2293
parent_pipe = parent_pipe,
2294
proc = proc,
2295
client_object = client))
2783
2296
parent_pipe.send(True)
2784
2297
# remove the old hook in favor of the new above hook on
2785
2298
# same fileno
2786
2299
return False
2787
if command == "funcall":
2300
if command == 'funcall':
2788
2301
funcname = request[1]
2789
2302
args = request[2]
2790
2303
kwargs = request[3]
2791
2792
parent_pipe.send(("data", getattr(client_object,
2304
2305
parent_pipe.send(('data', getattr(client_object,
2793
2306
funcname)(*args,
2794
2307
**kwargs)))
2795
2796
if command == "getattr":
2308
2309
if command == 'getattr':
2797
2310
attrname = request[1]
2798
2311
if isinstance(client_object.__getattribute__(attrname),
2799
collections.abc.Callable):
2800
parent_pipe.send(("function", ))
2312
collections.Callable):
2313
parent_pipe.send(('function', ))
2801
2314
else:
2802
2315
parent_pipe.send((
2803
"data", client_object.__getattribute__(attrname)))
2804
2805
if command == "setattr":
2316
'data', client_object.__getattribute__(attrname)))
2317
2318
if command == 'setattr':
2806
2319
attrname = request[1]
2807
2320
value = request[2]
2808
2321
setattr(client_object, attrname, value)
2809
2322
2810
2323
return True
2811
2324
2812
2325
2813
2326
def rfc3339_duration_to_delta(duration):
2814
2327
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2815
2816
>>> timedelta = datetime.timedelta
2817
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2818
True
2819
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2820
True
2821
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2822
True
2823
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2824
True
2825
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2826
True
2827
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2828
True
2829
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2830
True
2831
>>> del timedelta
2328
2329
>>> rfc3339_duration_to_delta("P7D")
2330
datetime.timedelta(7)
2331
>>> rfc3339_duration_to_delta("PT60S")
2332
datetime.timedelta(0, 60)
2333
>>> rfc3339_duration_to_delta("PT60M")
2334
datetime.timedelta(0, 3600)
2335
>>> rfc3339_duration_to_delta("PT24H")
2336
datetime.timedelta(1)
2337
>>> rfc3339_duration_to_delta("P1W")
2338
datetime.timedelta(7)
2339
>>> rfc3339_duration_to_delta("PT5M30S")
2340
datetime.timedelta(0, 330)
2341
>>> rfc3339_duration_to_delta("P1DT3M20S")
2342
datetime.timedelta(1, 200)
2832
2343
"""
2833
2344
2834
2345
# Parsing an RFC 3339 duration with regular expressions is not
2835
2346
# possible - there would have to be multiple places for the same
2836
2347
# values, like seconds. The current code, while more esoteric, is
2837
2348
# cleaner without depending on a parsing library. If Python had a
2838
2349
# built-in library for parsing we would use it, but we'd like to
2839
2350
# avoid excessive use of external libraries.
2840
2351
2841
2352
# New type for defining tokens, syntax, and semantics all-in-one
2842
2353
Token = collections.namedtuple("Token", (
2843
2354
"regexp", # To match token; if "value" is not None, must have
2876
2387
frozenset((token_year, token_month,
2877
2388
token_day, token_time,
2878
2389
token_week)))
2879
# Define starting values:
2880
# Value so far
2881
value = datetime.timedelta()
2390
# Define starting values
2391
value = datetime.timedelta() # Value so far
2882
2392
found_token = None
2883
# Following valid tokens
2884
followers = frozenset((token_duration, ))
2885
# String left to parse
2886
s = duration
2393
followers = frozenset((token_duration, )) # Following valid tokens
2394
s = duration # String left to parse
2887
2395
# Loop until end token is found
2888
2396
while found_token is not token_end:
2889
2397
# Search for any currently valid tokens
2913
2421
2914
2422
def string_to_delta(interval):
2915
2423
"""Parse a string and return a datetime.timedelta
2916
2917
>>> string_to_delta("7d") == datetime.timedelta(7)
2918
True
2919
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2920
True
2921
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2922
True
2923
>>> string_to_delta("24h") == datetime.timedelta(1)
2924
True
2925
>>> string_to_delta("1w") == datetime.timedelta(7)
2926
True
2927
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2928
True
2424
2425
>>> string_to_delta('7d')
2426
datetime.timedelta(7)
2427
>>> string_to_delta('60s')
2428
datetime.timedelta(0, 60)
2429
>>> string_to_delta('60m')
2430
datetime.timedelta(0, 3600)
2431
>>> string_to_delta('24h')
2432
datetime.timedelta(1)
2433
>>> string_to_delta('1w')
2434
datetime.timedelta(7)
2435
>>> string_to_delta('5m 30s')
2436
datetime.timedelta(0, 330)
2929
2437
"""
2930
2438
2931
2439
try:
2932
2440
return rfc3339_duration_to_delta(interval)
2933
2441
except ValueError:
2934
2442
pass
2935
2443
2936
2444
timevalue = datetime.timedelta(0)
2937
2445
for s in interval.split():
2938
2446
try:
2956
2464
return timevalue
2957
2465
2958
2466
2959
def daemon(nochdir=False, noclose=False):
2467
def daemon(nochdir = False, noclose = False):
2960
2468
"""See daemon(3). Standard BSD Unix function.
2961
2469
2962
2470
This should really exist as os.daemon, but it doesn't (yet)."""
2963
2471
if os.fork():
2964
2472
sys.exit()
2982
2490
2983
2491
2984
2492
def main():
2985
2493
2986
2494
##################################################################
2987
2495
# Parsing of options, both command line and config file
2988
2496
2989
2497
parser = argparse.ArgumentParser()
2990
2498
parser.add_argument("-v", "--version", action="version",
2991
version="%(prog)s {}".format(version),
2499
version = "%(prog)s {}".format(version),
2992
2500
help="show version number and exit")
2993
2501
parser.add_argument("-i", "--interface", metavar="IF",
2994
2502
help="Bind to interface IF")
3030
2538
parser.add_argument("--no-zeroconf", action="store_false",
3031
2539
dest="zeroconf", help="Do not use Zeroconf",
3032
2540
default=None)
3033
2541
3034
2542
options = parser.parse_args()
3035
2543
2544
if options.check:
2545
import doctest
2546
fail_count, test_count = doctest.testmod()
2547
sys.exit(os.EX_OK if fail_count == 0 else 1)
2548
3036
2549
# Default values for config file for server-global settings
3037
if gnutls.has_rawpk:
3038
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3039
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3040
else:
3041
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3042
":+SIGN-DSA-SHA256")
3043
server_defaults = {"interface": "",
3044
"address": "",
3045
"port": "",
3046
"debug": "False",
3047
"priority": priority,
3048
"servicename": "Mandos",
3049
"use_dbus": "True",
3050
"use_ipv6": "True",
3051
"debuglevel": "",
3052
"restore": "True",
3053
"socket": "",
3054
"statedir": "/var/lib/mandos",
3055
"foreground": "False",
3056
"zeroconf": "True",
3057
}
3058
del priority
3059
2550
server_defaults = { "interface": "",
2551
"address": "",
2552
"port": "",
2553
"debug": "False",
2554
"priority":
2555
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2556
":+SIGN-DSA-SHA256",
2557
"servicename": "Mandos",
2558
"use_dbus": "True",
2559
"use_ipv6": "True",
2560
"debuglevel": "",
2561
"restore": "True",
2562
"socket": "",
2563
"statedir": "/var/lib/mandos",
2564
"foreground": "False",
2565
"zeroconf": "True",
2566
}
2567
3060
2568
# Parse config file for server-global settings
3061
server_config = configparser.ConfigParser(server_defaults)
2569
server_config = configparser.SafeConfigParser(server_defaults)
3062
2570
del server_defaults
3063
2571
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3064
# Convert the ConfigParser object to a dict
2572
# Convert the SafeConfigParser object to a dict
3065
2573
server_settings = server_config.defaults()
3066
2574
# Use the appropriate methods on the non-string config options
3067
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3068
"foreground", "zeroconf"):
2575
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3069
2576
server_settings[option] = server_config.getboolean("DEFAULT",
3070
2577
option)
3071
2578
if server_settings["port"]:
3081
2588
server_settings["socket"] = os.dup(server_settings
3082
2589
["socket"])
3083
2590
del server_config
3084
2591
3085
2592
# Override the settings from the config file with command line
3086
2593
# options, if set.
3087
2594
for option in ("interface", "address", "port", "debug",
3105
2612
if server_settings["debug"]:
3106
2613
server_settings["foreground"] = True
3107
2614
# Now we have our good server settings in "server_settings"
3108
2615
3109
2616
##################################################################
3110
2617
3111
2618
if (not server_settings["zeroconf"]
3112
2619
and not (server_settings["port"]
3113
2620
or server_settings["socket"] != "")):
3114
2621
parser.error("Needs port or socket to work without Zeroconf")
3115
2622
3116
2623
# For convenience
3117
2624
debug = server_settings["debug"]
3118
2625
debuglevel = server_settings["debuglevel"]
3122
2629
stored_state_file)
3123
2630
foreground = server_settings["foreground"]
3124
2631
zeroconf = server_settings["zeroconf"]
3125
2632
3126
2633
if debug:
3127
2634
initlogger(debug, logging.DEBUG)
3128
2635
else:
3131
2638
else:
3132
2639
level = getattr(logging, debuglevel.upper())
3133
2640
initlogger(debug, level)
3134
2641
3135
2642
if server_settings["servicename"] != "Mandos":
3136
2643
syslogger.setFormatter(
3137
logging.Formatter("Mandos ({}) [%(process)d]:"
3138
" %(levelname)s: %(message)s".format(
2644
logging.Formatter('Mandos ({}) [%(process)d]:'
2645
' %(levelname)s: %(message)s'.format(
3139
2646
server_settings["servicename"])))
3140
2647
3141
2648
# Parse config file with clients
3142
client_config = configparser.ConfigParser(Client.client_defaults)
2649
client_config = configparser.SafeConfigParser(Client
2650
.client_defaults)
3143
2651
client_config.read(os.path.join(server_settings["configdir"],
3144
2652
"clients.conf"))
3145
2653
3146
2654
global mandos_dbus_service
3147
2655
mandos_dbus_service = None
3148
2656
3149
2657
socketfd = None
3150
2658
if server_settings["socket"] != "":
3151
2659
socketfd = server_settings["socket"]
3167
2675
except IOError as e:
3168
2676
logger.error("Could not open file %r", pidfilename,
3169
2677
exc_info=e)
3170
3171
for name, group in (("_mandos", "_mandos"),
3172
("mandos", "mandos"),
3173
("nobody", "nogroup")):
2678
2679
for name in ("_mandos", "mandos", "nobody"):
3174
2680
try:
3175
2681
uid = pwd.getpwnam(name).pw_uid
3176
gid = pwd.getpwnam(group).pw_gid
2682
gid = pwd.getpwnam(name).pw_gid
3177
2683
break
3178
2684
except KeyError:
3179
2685
continue
3183
2689
try:
3184
2690
os.setgid(gid)
3185
2691
os.setuid(uid)
3186
if debug:
3187
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3188
gid))
3189
2692
except OSError as error:
3190
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3191
.format(uid, gid, os.strerror(error.errno)))
3192
2693
if error.errno != errno.EPERM:
3193
2694
raise
3194
2695
3195
2696
if debug:
3196
2697
# Enable all possible GnuTLS debugging
3197
2698
3198
2699
# "Use a log level over 10 to enable all debugging options."
3199
2700
# - GnuTLS manual
3200
gnutls.global_set_log_level(11)
3201
3202
@gnutls.log_func
2701
gnutls.library.functions.gnutls_global_set_log_level(11)
2702
2703
@gnutls.library.types.gnutls_log_func
3203
2704
def debug_gnutls(level, string):
3204
logger.debug("GnuTLS: %s",
3205
string[:-1].decode("utf-8",
3206
errors="replace"))
3207
3208
gnutls.global_set_log_function(debug_gnutls)
3209
2705
logger.debug("GnuTLS: %s", string[:-1])
2706
2707
gnutls.library.functions.gnutls_global_set_log_function(
2708
debug_gnutls)
2709
3210
2710
# Redirect stdin so all checkers get /dev/null
3211
2711
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3212
2712
os.dup2(null, sys.stdin.fileno())
3213
2713
if null > 2:
3214
2714
os.close(null)
3215
2715
3216
2716
# Need to fork before connecting to D-Bus
3217
2717
if not foreground:
3218
2718
# Close all input and output, do double fork, etc.
3219
2719
daemon()
3220
3221
if gi.version_info < (3, 10, 2):
3222
# multiprocessing will use threads, so before we use GLib we
3223
# need to inform GLib that threads will be used.
3224
GLib.threads_init()
3225
2720
2721
# multiprocessing will use threads, so before we use gobject we
2722
# need to inform gobject that threads will be used.
2723
gobject.threads_init()
2724
3226
2725
global main_loop
3227
2726
# From the Avahi example code
3228
2727
DBusGMainLoop(set_as_default=True)
3229
main_loop = GLib.MainLoop()
2728
main_loop = gobject.MainLoop()
3230
2729
bus = dbus.SystemBus()
3231
2730
# End of Avahi example code
3232
2731
if use_dbus:
3245
2744
if zeroconf:
3246
2745
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3247
2746
service = AvahiServiceToSyslog(
3248
name=server_settings["servicename"],
3249
servicetype="_mandos._tcp",
3250
protocol=protocol,
3251
bus=bus)
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
2750
bus = bus)
3252
2751
if server_settings["interface"]:
3253
2752
service.interface = if_nametoindex(
3254
2753
server_settings["interface"].encode("utf-8"))
3255
2754
3256
2755
global multiprocessing_manager
3257
2756
multiprocessing_manager = multiprocessing.Manager()
3258
2757
3259
2758
client_class = Client
3260
2759
if use_dbus:
3261
client_class = functools.partial(ClientDBus, bus=bus)
3262
2760
client_class = functools.partial(ClientDBus, bus = bus)
2761
3263
2762
client_settings = Client.config_parser(client_config)
3264
2763
old_client_settings = {}
3265
2764
clients_data = {}
3266
2765
3267
2766
# This is used to redirect stdout and stderr for checker processes
3268
2767
global wnull
3269
wnull = open(os.devnull, "w") # A writable /dev/null
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3270
2769
# Only used if server is running in foreground but not in debug
3271
2770
# mode
3272
2771
if debug or not foreground:
3273
2772
wnull.close()
3274
2773
3275
2774
# Get client data and settings from last running state.
3276
2775
if server_settings["restore"]:
3277
2776
try:
3278
2777
with open(stored_state_path, "rb") as stored_state:
3279
if sys.version_info.major == 2:
3280
clients_data, old_client_settings = pickle.load(
3281
stored_state)
3282
else:
3283
bytes_clients_data, bytes_old_client_settings = (
3284
pickle.load(stored_state, encoding="bytes"))
3285
# Fix bytes to strings
3286
# clients_data
3287
# .keys()
3288
clients_data = {(key.decode("utf-8")
3289
if isinstance(key, bytes)
3290
else key): value
3291
for key, value in
3292
bytes_clients_data.items()}
3293
del bytes_clients_data
3294
for key in clients_data:
3295
value = {(k.decode("utf-8")
3296
if isinstance(k, bytes) else k): v
3297
for k, v in
3298
clients_data[key].items()}
3299
clients_data[key] = value
3300
# .client_structure
3301
value["client_structure"] = [
3302
(s.decode("utf-8")
3303
if isinstance(s, bytes)
3304
else s) for s in
3305
value["client_structure"]]
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3308
if isinstance(value[k], bytes):
3309
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3314
# old_client_settings
3315
# .keys()
3316
old_client_settings = {
3317
(key.decode("utf-8")
3318
if isinstance(key, bytes)
3319
else key): value
3320
for key, value in
3321
bytes_old_client_settings.items()}
3322
del bytes_old_client_settings
3323
# .host and .checker_command
3324
for value in old_client_settings.values():
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
3328
.decode("utf-8"))
2778
clients_data, old_client_settings = pickle.load(
2779
stored_state)
3329
2780
os.remove(stored_state_path)
3330
2781
except IOError as e:
3331
2782
if e.errno == errno.ENOENT:
3339
2790
logger.warning("Could not load persistent state: "
3340
2791
"EOFError:",
3341
2792
exc_info=e)
3342
2793
3343
2794
with PGPEngine() as pgp:
3344
2795
for client_name, client in clients_data.items():
3345
2796
# Skip removed clients
3346
2797
if client_name not in client_settings:
3347
2798
continue
3348
2799
3349
2800
# Decide which value to use after restoring saved state.
3350
2801
# We have three different values: Old config file,
3351
2802
# new config file, and saved state.
3362
2813
client[name] = value
3363
2814
except KeyError:
3364
2815
pass
3365
2816
3366
2817
# Clients who has passed its expire date can still be
3367
2818
# enabled if its last checker was successful. A Client
3368
2819
# whose checker succeeded before we stored its state is
3401
2852
client_name))
3402
2853
client["secret"] = (client_settings[client_name]
3403
2854
["secret"])
3404
2855
3405
2856
# Add/remove clients based on new changes made to config
3406
2857
for client_name in (set(old_client_settings)
3407
2858
- set(client_settings)):
3409
2860
for client_name in (set(client_settings)
3410
2861
- set(old_client_settings)):
3411
2862
clients_data[client_name] = client_settings[client_name]
3412
2863
3413
2864
# Create all client objects
3414
2865
for client_name, client in clients_data.items():
3415
2866
tcp_server.clients[client_name] = client_class(
3416
name=client_name,
3417
settings=client,
3418
server_settings=server_settings)
3419
2867
name = client_name,
2868
settings = client,
2869
server_settings = server_settings)
2870
3420
2871
if not tcp_server.clients:
3421
2872
logger.warning("No clients defined")
3422
2873
3423
2874
if not foreground:
3424
2875
if pidfile is not None:
3425
2876
pid = os.getpid()
3431
2882
pidfilename, pid)
3432
2883
del pidfile
3433
2884
del pidfilename
3434
3435
for termsig in (signal.SIGHUP, signal.SIGTERM):
3436
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3437
lambda: main_loop.quit() and False)
3438
2885
2886
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2887
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2888
3439
2889
if use_dbus:
3440
2890
3441
2891
@alternate_dbus_interfaces(
3442
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2892
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3443
2893
class MandosDBusService(DBusObjectWithObjectManager):
3444
2894
"""A D-Bus proxy object"""
3445
2895
3446
2896
def __init__(self):
3447
2897
dbus.service.Object.__init__(self, bus, "/")
3448
2898
3449
2899
_interface = "se.recompile.Mandos"
3450
2900
3451
2901
@dbus.service.signal(_interface, signature="o")
3452
2902
def ClientAdded(self, objpath):
3453
2903
"D-Bus signal"
3454
2904
pass
3455
2905
3456
2906
@dbus.service.signal(_interface, signature="ss")
3457
def ClientNotFound(self, key_id, address):
2907
def ClientNotFound(self, fingerprint, address):
3458
2908
"D-Bus signal"
3459
2909
pass
3460
2910
3461
2911
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3462
2912
"true"})
3463
2913
@dbus.service.signal(_interface, signature="os")
3464
2914
def ClientRemoved(self, objpath, name):
3465
2915
"D-Bus signal"
3466
2916
pass
3467
2917
3468
2918
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3469
2919
"true"})
3470
2920
@dbus.service.method(_interface, out_signature="ao")
3471
2921
def GetAllClients(self):
3472
2922
"D-Bus method"
3473
2923
return dbus.Array(c.dbus_object_path for c in
3474
tcp_server.clients.values())
3475
2924
tcp_server.clients.itervalues())
2925
3476
2926
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3477
2927
"true"})
3478
2928
@dbus.service.method(_interface,
3480
2930
def GetAllClientsWithProperties(self):
3481
2931
"D-Bus method"
3482
2932
return dbus.Dictionary(
3483
{c.dbus_object_path: c.GetAll(
2933
{ c.dbus_object_path: c.GetAll(
3484
2934
"se.recompile.Mandos.Client")
3485
for c in tcp_server.clients.values()},
2935
for c in tcp_server.clients.itervalues() },
3486
2936
signature="oa{sv}")
3487
2937
3488
2938
@dbus.service.method(_interface, in_signature="o")
3489
2939
def RemoveClient(self, object_path):
3490
2940
"D-Bus method"
3491
for c in tcp_server.clients.values():
2941
for c in tcp_server.clients.itervalues():
3492
2942
if c.dbus_object_path == object_path:
3493
2943
del tcp_server.clients[c.name]
3494
2944
c.remove_from_connection()
3498
2948
self.client_removed_signal(c)
3499
2949
return
3500
2950
raise KeyError(object_path)
3501
2951
3502
2952
del _interface
3503
2953
3504
2954
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3505
out_signature="a{oa{sa{sv}}}")
2955
out_signature = "a{oa{sa{sv}}}")
3506
2956
def GetManagedObjects(self):
3507
2957
"""D-Bus method"""
3508
2958
return dbus.Dictionary(
3509
{client.dbus_object_path:
3510
dbus.Dictionary(
3511
{interface: client.GetAll(interface)
3512
for interface in
3513
client._get_all_interface_names()})
3514
for client in tcp_server.clients.values()})
3515
2959
{ client.dbus_object_path:
2960
dbus.Dictionary(
2961
{ interface: client.GetAll(interface)
2962
for interface in
2963
client._get_all_interface_names()})
2964
for client in tcp_server.clients.values()})
2965
3516
2966
def client_added_signal(self, client):
3517
2967
"""Send the new standard signal and the old signal"""
3518
2968
if use_dbus:
3520
2970
self.InterfacesAdded(
3521
2971
client.dbus_object_path,
3522
2972
dbus.Dictionary(
3523
{interface: client.GetAll(interface)
3524
for interface in
3525
client._get_all_interface_names()}))
2973
{ interface: client.GetAll(interface)
2974
for interface in
2975
client._get_all_interface_names()}))
3526
2976
# Old signal
3527
2977
self.ClientAdded(client.dbus_object_path)
3528
2978
3529
2979
def client_removed_signal(self, client):
3530
2980
"""Send the new standard signal and the old signal"""
3531
2981
if use_dbus:
3536
2986
# Old signal
3537
2987
self.ClientRemoved(client.dbus_object_path,
3538
2988
client.name)
3539
2989
3540
2990
mandos_dbus_service = MandosDBusService()
3541
3542
# Save modules to variables to exempt the modules from being
3543
# unloaded before the function registered with atexit() is run.
3544
mp = multiprocessing
3545
wn = wnull
3546
2991
3547
2992
def cleanup():
3548
2993
"Cleanup function; run on exit"
3549
2994
if zeroconf:
3550
2995
service.cleanup()
3551
3552
mp.active_children()
3553
wn.close()
2996
2997
multiprocessing.active_children()
2998
wnull.close()
3554
2999
if not (tcp_server.clients or client_settings):
3555
3000
return
3556
3001
3557
3002
# Store client before exiting. Secrets are encrypted with key
3558
3003
# based on what config file has. If config file is
3559
3004
# removed/edited, old secret will thus be unrecovable.
3560
3005
clients = {}
3561
3006
with PGPEngine() as pgp:
3562
for client in tcp_server.clients.values():
3007
for client in tcp_server.clients.itervalues():
3563
3008
key = client_settings[client.name]["secret"]
3564
3009
client.encrypted_secret = pgp.encrypt(client.secret,
3565
3010
key)
3566
3011
client_dict = {}
3567
3012
3568
3013
# A list of attributes that can not be pickled
3569
3014
# + secret.
3570
exclude = {"bus", "changedstate", "secret",
3571
"checker", "server_settings"}
3015
exclude = { "bus", "changedstate", "secret",
3016
"checker", "server_settings" }
3572
3017
for name, typ in inspect.getmembers(dbus.service
3573
3018
.Object):
3574
3019
exclude.add(name)
3575
3020
3576
3021
client_dict["encrypted_secret"] = (client
3577
3022
.encrypted_secret)
3578
3023
for attr in client.client_structure:
3579
3024
if attr not in exclude:
3580
3025
client_dict[attr] = getattr(client, attr)
3581
3026
3582
3027
clients[client.name] = client_dict
3583
3028
del client_settings[client.name]["secret"]
3584
3029
3585
3030
try:
3586
3031
with tempfile.NamedTemporaryFile(
3587
mode="wb",
3032
mode='wb',
3588
3033
suffix=".pickle",
3589
prefix="clients-",
3034
prefix='clients-',
3590
3035
dir=os.path.dirname(stored_state_path),
3591
3036
delete=False) as stored_state:
3592
pickle.dump((clients, client_settings), stored_state,
3593
protocol=2)
3037
pickle.dump((clients, client_settings), stored_state)
3594
3038
tempname = stored_state.name
3595
3039
os.rename(tempname, stored_state_path)
3596
3040
except (IOError, OSError) as e:
3606
3050
logger.warning("Could not save persistent state:",
3607
3051
exc_info=e)
3608
3052
raise
3609
3053
3610
3054
# Delete all clients, and settings from config
3611
3055
while tcp_server.clients:
3612
3056
name, client = tcp_server.clients.popitem()
3615
3059
# Don't signal the disabling
3616
3060
client.disable(quiet=True)
3617
3061
# Emit D-Bus signal for removal
3618
if use_dbus:
3619
mandos_dbus_service.client_removed_signal(client)
3062
mandos_dbus_service.client_removed_signal(client)
3620
3063
client_settings.clear()
3621
3064
3622
3065
atexit.register(cleanup)
3623
3624
for client in tcp_server.clients.values():
3066
3067
for client in tcp_server.clients.itervalues():
3625
3068
if use_dbus:
3626
3069
# Emit D-Bus signal for adding
3627
3070
mandos_dbus_service.client_added_signal(client)
3628
3071
# Need to initiate checking of clients
3629
3072
if client.enabled:
3630
3073
client.init_checker()
3631
3074
3632
3075
tcp_server.enable()
3633
3076
tcp_server.server_activate()
3634
3077
3635
3078
# Find out what port we got
3636
3079
if zeroconf:
3637
3080
service.port = tcp_server.socket.getsockname()[1]
3642
3085
else: # IPv4
3643
3086
logger.info("Now listening on address %r, port %d",
3644
3087
*tcp_server.socket.getsockname())
3645
3646
# service.interface = tcp_server.socket.getsockname()[3]
3647
3088
3089
#service.interface = tcp_server.socket.getsockname()[3]
3090
3648
3091
try:
3649
3092
if zeroconf:
3650
3093
# From the Avahi example code
3655
3098
cleanup()
3656
3099
sys.exit(1)
3657
3100
# End of Avahi example code
3658
3659
GLib.io_add_watch(
3660
GLib.IOChannel.unix_new(tcp_server.fileno()),
3661
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3662
lambda *args, **kwargs: (tcp_server.handle_request
3663
(*args[2:], **kwargs) or True))
3664
3101
3102
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3103
lambda *args, **kwargs:
3104
(tcp_server.handle_request
3105
(*args[2:], **kwargs) or True))
3106
3665
3107
logger.debug("Starting main loop")
3666
3108
main_loop.run()
3667
3109
except AvahiError as error:
3676
3118
# Must run before the D-Bus bus name gets deregistered
3677
3119
cleanup()
3678
3120
3679
3680
def should_only_run_tests():
3681
parser = argparse.ArgumentParser(add_help=False)
3682
parser.add_argument("--check", action="store_true")
3683
args, unknown_args = parser.parse_known_args()
3684
run_tests = args.check
3685
if run_tests:
3686
# Remove --check argument from sys.argv
3687
sys.argv[1:] = unknown_args
3688
return run_tests
3689
3690
# Add all tests from doctest strings
3691
def load_tests(loader, tests, none):
3692
import doctest
3693
tests.addTests(doctest.DocTestSuite())
3694
return tests
3695
3696
if __name__ == "__main__":
3697
try:
3698
if should_only_run_tests():
3699
# Call using ./mandos --check [--verbose]
3700
unittest.main()
3701
else:
3702
main()
3703
finally:
3704
logging.shutdown()
3121
3122
if __name__ == '__main__':
3123
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0