To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.335
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.335
- Committer: Teddy Hogeborn
- Date: 2015-08-10 16:19:28 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810161928-bnukog7l47j3pjix
Depend on Avahi and the network in the server's systemd service file.
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
80
82
81
83
import dbus
82
84
import dbus.service
83
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
84
90
from dbus.mainloop.glib import DBusGMainLoop
85
91
import ctypes
86
92
import ctypes.util
87
93
import xml.dom.minidom
88
94
import inspect
89
95
90
# Try to find the value of SO_BINDTODEVICE:
91
96
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
98
except AttributeError:
96
99
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
100
from IN import SO_BINDTODEVICE
100
101
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
114
103
115
104
if sys.version_info.major == 2:
116
105
str = unicode
117
106
118
version = "1.7.16"
107
version = "1.6.9"
119
108
stored_state_file = "clients.pickle"
120
109
121
110
logger = logging.getLogger()
125
114
if_nametoindex = ctypes.cdll.LoadLibrary(
126
115
ctypes.util.find_library("c")).if_nametoindex
127
116
except (OSError, AttributeError):
128
117
129
118
def if_nametoindex(interface):
130
119
"Get an interface index the hard way, i.e. using fcntl()"
131
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
125
return interface_index
137
126
138
127
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
155
128
def initlogger(debug, level=logging.WARNING):
156
129
"""init logger and add loglevel"""
157
130
158
131
global syslogger
159
132
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
162
135
syslogger.setFormatter(logging.Formatter
163
136
('Mandos [%(process)d]: %(levelname)s:'
164
137
' %(message)s'))
165
138
logger.addHandler(syslogger)
166
139
167
140
if debug:
168
141
console = logging.StreamHandler()
169
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
154
182
155
class PGPEngine(object):
183
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
157
185
158
def __init__(self):
186
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
198
160
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
161
'--home', self.tempdir,
200
162
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
163
'--quiet',
164
'--no-use-agent']
165
206
166
def __enter__(self):
207
167
return self
208
168
209
169
def __exit__(self, exc_type, exc_value, traceback):
210
170
self._cleanup()
211
171
return False
212
172
213
173
def __del__(self):
214
174
self._cleanup()
215
175
216
176
def _cleanup(self):
217
177
if self.tempdir is not None:
218
178
# Delete contents of tempdir
219
179
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
180
topdown = False):
221
181
for filename in files:
222
182
os.remove(os.path.join(root, filename))
223
183
for dirname in dirs:
225
185
# Remove tempdir
226
186
os.rmdir(self.tempdir)
227
187
self.tempdir = None
228
188
229
189
def password_encode(self, password):
230
190
# Passphrase can not be empty and can not contain newlines or
231
191
# NUL bytes. So we prefix it and hex encode it.
236
196
.replace(b"\n", b"\\n")
237
197
.replace(b"\0", b"\\x00"))
238
198
return encoded
239
199
240
200
def encrypt(self, data, password):
241
201
passphrase = self.password_encode(password)
242
202
with tempfile.NamedTemporaryFile(
243
203
dir=self.tempdir) as passfile:
244
204
passfile.write(passphrase)
245
205
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
247
207
'--passphrase-file',
248
208
passfile.name]
249
209
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
254
214
if proc.returncode != 0:
255
215
raise PGPError(err)
256
216
return ciphertext
257
217
258
218
def decrypt(self, data, password):
259
219
passphrase = self.password_encode(password)
260
220
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
262
222
passfile.write(passphrase)
263
223
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
265
225
'--passphrase-file',
266
226
passfile.name]
267
227
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
272
232
if proc.returncode != 0:
273
233
raise PGPError(err)
274
234
return decrypted_plaintext
275
235
276
236
277
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
289
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
303
304
237
class AvahiError(Exception):
305
238
def __init__(self, value, *args, **kwargs):
306
239
self.value = value
318
251
319
252
class AvahiService(object):
320
253
"""An Avahi (Zeroconf) service.
321
254
322
255
Attributes:
323
256
interface: integer; avahi.IF_UNSPEC or an interface index.
324
257
Used to optionally bind to the specified interface.
336
269
server: D-Bus Server
337
270
bus: dbus.SystemBus()
338
271
"""
339
272
340
273
def __init__(self,
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
351
284
self.interface = interface
352
285
self.name = name
353
286
self.type = servicetype
362
295
self.server = None
363
296
self.bus = bus
364
297
self.entry_group_state_changed_match = None
365
298
366
299
def rename(self, remove=True):
367
300
"""Derived from the Avahi example code"""
368
301
if self.rename_count >= self.max_renames:
388
321
logger.critical("D-Bus Exception", exc_info=error)
389
322
self.cleanup()
390
323
os._exit(1)
391
324
392
325
def remove(self):
393
326
"""Derived from the Avahi example code"""
394
327
if self.entry_group_state_changed_match is not None:
396
329
self.entry_group_state_changed_match = None
397
330
if self.group is not None:
398
331
self.group.Reset()
399
332
400
333
def add(self):
401
334
"""Derived from the Avahi example code"""
402
335
self.remove()
419
352
dbus.UInt16(self.port),
420
353
avahi.string_array_to_txt_array(self.TXT))
421
354
self.group.Commit()
422
355
423
356
def entry_group_state_changed(self, state, error):
424
357
"""Derived from the Avahi example code"""
425
358
logger.debug("Avahi entry group state change: %i", state)
426
359
427
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
361
logger.debug("Zeroconf service established.")
429
362
elif state == avahi.ENTRY_GROUP_COLLISION:
433
366
logger.critical("Avahi: Error in group state changed %s",
434
367
str(error))
435
368
raise AvahiGroupError("State changed: {!s}".format(error))
436
369
437
370
def cleanup(self):
438
371
"""Derived from the Avahi example code"""
439
372
if self.group is not None:
444
377
pass
445
378
self.group = None
446
379
self.remove()
447
380
448
381
def server_state_changed(self, state, error=None):
449
382
"""Derived from the Avahi example code"""
450
383
logger.debug("Avahi server state change: %i", state)
479
412
logger.debug("Unknown state: %r", state)
480
413
else:
481
414
logger.debug("Unknown state: %r: %r", state, error)
482
415
483
416
def activate(self):
484
417
"""Derived from the Avahi example code"""
485
418
if self.server is None:
496
429
class AvahiServiceToSyslog(AvahiService):
497
430
def rename(self, *args, **kwargs):
498
431
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
500
433
syslogger.setFormatter(logging.Formatter(
501
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
435
.format(self.name)))
503
436
return ret
504
437
505
506
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
510
511
library = ctypes.util.find_library("gnutls")
512
if library is None:
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
515
del library
516
_need_version = b"3.3.0"
517
518
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
524
525
# Unless otherwise indicated, the constants and types below are
526
# all from the gnutls/gnutls.h C header file.
527
528
# Constants
529
E_SUCCESS = 0
530
E_INTERRUPTED = -52
531
E_AGAIN = -28
532
CRT_OPENPGP = 2
533
CLIENT = 2
534
SHUT_RDWR = 0
535
CRD_CERTIFICATE = 1
536
E_NO_CERTIFICATE_FOUND = -49
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
539
# Types
540
class session_int(ctypes.Structure):
541
_fields_ = []
542
session_t = ctypes.POINTER(session_int)
543
544
class certificate_credentials_st(ctypes.Structure):
545
_fields_ = []
546
certificate_credentials_t = ctypes.POINTER(
547
certificate_credentials_st)
548
certificate_type_t = ctypes.c_int
549
550
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
553
554
class openpgp_crt_int(ctypes.Structure):
555
_fields_ = []
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
560
transport_ptr_t = ctypes.c_void_p
561
close_request_t = ctypes.c_int
562
563
# Exceptions
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
def __init__(self, message=None, code=None, args=()):
570
# Default usage is by a message string, but if a return
571
# code is passed, convert it to a string with
572
# gnutls.strerror()
573
self.code = code
574
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
577
message, *args)
578
579
class CertificateSecurityError(Error):
580
pass
581
582
# Classes
583
class Credentials(object):
584
def __init__(self):
585
self._c_object = gnutls.certificate_credentials_t()
586
gnutls.certificate_allocate_credentials(
587
ctypes.byref(self._c_object))
588
self.type = gnutls.CRD_CERTIFICATE
589
590
def __del__(self):
591
gnutls.certificate_free_credentials(self._c_object)
592
593
class ClientSession(object):
594
def __init__(self, socket, credentials=None):
595
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
gnutls.set_default_priority(self._c_object)
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
gnutls.handshake_set_private_extensions(self._c_object,
600
True)
601
self.socket = socket
602
if credentials is None:
603
credentials = gnutls.Credentials()
604
gnutls.credentials_set(self._c_object, credentials.type,
605
ctypes.cast(credentials._c_object,
606
ctypes.c_void_p))
607
self.credentials = credentials
608
609
def __del__(self):
610
gnutls.deinit(self._c_object)
611
612
def handshake(self):
613
return gnutls.handshake(self._c_object)
614
615
def send(self, data):
616
data = bytes(data)
617
data_len = len(data)
618
while data_len > 0:
619
data_len -= gnutls.record_send(self._c_object,
620
data[-data_len:],
621
data_len)
622
623
def bye(self):
624
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
625
626
# Error handling functions
627
def _error_code(result):
628
"""A function to raise exceptions on errors, suitable
629
for the 'restype' attribute on ctypes functions"""
630
if result >= 0:
631
return result
632
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
raise gnutls.CertificateSecurityError(code=result)
634
raise gnutls.Error(code=result)
635
636
def _retry_on_error(result, func, arguments):
637
"""A function to retry on some errors, suitable
638
for the 'errcheck' attribute on ctypes functions"""
639
while result < 0:
640
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
641
return _error_code(result)
642
result = func(*arguments)
643
return result
644
645
# Unless otherwise indicated, the function declarations below are
646
# all from the gnutls/gnutls.h C header file.
647
648
# Functions
649
priority_set_direct = _library.gnutls_priority_set_direct
650
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
651
ctypes.POINTER(ctypes.c_char_p)]
652
priority_set_direct.restype = _error_code
653
654
init = _library.gnutls_init
655
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
656
init.restype = _error_code
657
658
set_default_priority = _library.gnutls_set_default_priority
659
set_default_priority.argtypes = [session_t]
660
set_default_priority.restype = _error_code
661
662
record_send = _library.gnutls_record_send
663
record_send.argtypes = [session_t, ctypes.c_void_p,
664
ctypes.c_size_t]
665
record_send.restype = ctypes.c_ssize_t
666
record_send.errcheck = _retry_on_error
667
668
certificate_allocate_credentials = (
669
_library.gnutls_certificate_allocate_credentials)
670
certificate_allocate_credentials.argtypes = [
671
ctypes.POINTER(certificate_credentials_t)]
672
certificate_allocate_credentials.restype = _error_code
673
674
certificate_free_credentials = (
675
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
678
certificate_free_credentials.restype = None
679
680
handshake_set_private_extensions = (
681
_library.gnutls_handshake_set_private_extensions)
682
handshake_set_private_extensions.argtypes = [session_t,
683
ctypes.c_int]
684
handshake_set_private_extensions.restype = None
685
686
credentials_set = _library.gnutls_credentials_set
687
credentials_set.argtypes = [session_t, credentials_type_t,
688
ctypes.c_void_p]
689
credentials_set.restype = _error_code
690
691
strerror = _library.gnutls_strerror
692
strerror.argtypes = [ctypes.c_int]
693
strerror.restype = ctypes.c_char_p
694
695
certificate_type_get = _library.gnutls_certificate_type_get
696
certificate_type_get.argtypes = [session_t]
697
certificate_type_get.restype = _error_code
698
699
certificate_get_peers = _library.gnutls_certificate_get_peers
700
certificate_get_peers.argtypes = [session_t,
701
ctypes.POINTER(ctypes.c_uint)]
702
certificate_get_peers.restype = ctypes.POINTER(datum_t)
703
704
global_set_log_level = _library.gnutls_global_set_log_level
705
global_set_log_level.argtypes = [ctypes.c_int]
706
global_set_log_level.restype = None
707
708
global_set_log_function = _library.gnutls_global_set_log_function
709
global_set_log_function.argtypes = [log_func]
710
global_set_log_function.restype = None
711
712
deinit = _library.gnutls_deinit
713
deinit.argtypes = [session_t]
714
deinit.restype = None
715
716
handshake = _library.gnutls_handshake
717
handshake.argtypes = [session_t]
718
handshake.restype = _error_code
719
handshake.errcheck = _retry_on_error
720
721
transport_set_ptr = _library.gnutls_transport_set_ptr
722
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
723
transport_set_ptr.restype = None
724
725
bye = _library.gnutls_bye
726
bye.argtypes = [session_t, close_request_t]
727
bye.restype = _error_code
728
bye.errcheck = _retry_on_error
729
730
check_version = _library.gnutls_check_version
731
check_version.argtypes = [ctypes.c_char_p]
732
check_version.restype = ctypes.c_char_p
733
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
762
763
# Remove non-public functions
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
767
768
769
438
def call_pipe(connection, # : multiprocessing.Connection
770
439
func, *args, **kwargs):
771
440
"""This function is meant to be called by multiprocessing.Process
772
441
773
442
This function runs func(*args, **kwargs), and writes the resulting
774
443
return value on the provided multiprocessing.Connection.
775
444
"""
776
445
connection.send(func(*args, **kwargs))
777
446
connection.close()
778
447
779
780
448
class Client(object):
781
449
"""A representation of a client host served by this server.
782
450
783
451
Attributes:
784
452
approved: bool(); 'None' if not yet approved/disapproved
785
453
approval_delay: datetime.timedelta(); Time to wait for approval
787
455
checker: subprocess.Popen(); a running checker process used
788
456
to see if the client lives.
789
457
'None' if no process is running.
790
checker_callback_tag: a GLib event source tag, or None
458
checker_callback_tag: a gobject event source tag, or None
791
459
checker_command: string; External command which is run to check
792
460
if client lives. %() expansions are done at
793
461
runtime with vars(self) as dict, so that for
794
462
instance %(name)s can be used in the command.
795
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
796
464
created: datetime.datetime(); (UTC) object creation
797
465
client_structure: Object describing what attributes a client has
798
466
and is used for storing the client at exit
799
467
current_checker_command: string; current running checker_command
800
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
801
469
enabled: bool()
802
470
fingerprint: string (40 or 32 hexadecimal digits); used to
803
471
uniquely identify the client
822
490
disabled, or None
823
491
server_settings: The server_settings dict from main()
824
492
"""
825
493
826
494
runtime_expansions = ("approval_delay", "approval_duration",
827
495
"created", "enabled", "expires",
828
496
"fingerprint", "host", "interval",
839
507
"approved_by_default": "True",
840
508
"enabled": "True",
841
509
}
842
510
843
511
@staticmethod
844
512
def config_parser(config):
845
513
"""Construct a new dict of client settings of this form:
852
520
for client_name in config.sections():
853
521
section = dict(config.items(client_name))
854
522
client = settings[client_name] = {}
855
523
856
524
client["host"] = section["host"]
857
525
# Reformat values from string types to Python types
858
526
client["approved_by_default"] = config.getboolean(
859
527
client_name, "approved_by_default")
860
528
client["enabled"] = config.getboolean(client_name,
861
529
"enabled")
862
530
863
531
# Uppercase and remove spaces from fingerprint for later
864
532
# comparison purposes with return value from the
865
533
# fingerprint() function
866
534
client["fingerprint"] = (section["fingerprint"].upper()
867
535
.replace(" ", ""))
868
536
if "secret" in section:
869
client["secret"] = codecs.decode(section["secret"]
870
.encode("utf-8"),
871
"base64")
537
client["secret"] = section["secret"].decode("base64")
872
538
elif "secfile" in section:
873
539
with open(os.path.expanduser(os.path.expandvars
874
540
(section["secfile"])),
889
555
client["last_approval_request"] = None
890
556
client["last_checked_ok"] = None
891
557
client["last_checker_status"] = -2
892
558
893
559
return settings
894
895
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
896
562
self.name = name
897
563
if server_settings is None:
898
564
server_settings = {}
900
566
# adding all client settings
901
567
for setting, value in settings.items():
902
568
setattr(self, setting, value)
903
569
904
570
if self.enabled:
905
571
if not hasattr(self, "last_enabled"):
906
572
self.last_enabled = datetime.datetime.utcnow()
910
576
else:
911
577
self.last_enabled = None
912
578
self.expires = None
913
579
914
580
logger.debug("Creating client %r", self.name)
915
581
logger.debug(" Fingerprint: %s", self.fingerprint)
916
582
self.created = settings.get("created",
917
583
datetime.datetime.utcnow())
918
584
919
585
# attributes specific for this server instance
920
586
self.checker = None
921
587
self.checker_initiator_tag = None
927
593
self.changedstate = multiprocessing_manager.Condition(
928
594
multiprocessing_manager.Lock())
929
595
self.client_structure = [attr
930
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
931
597
if not attr.startswith("_")]
932
598
self.client_structure.append("client_structure")
933
599
934
600
for name, t in inspect.getmembers(
935
601
type(self), lambda obj: isinstance(obj, property)):
936
602
if not name.startswith("_"):
937
603
self.client_structure.append(name)
938
604
939
605
# Send notice to process children that client state has changed
940
606
def send_changedstate(self):
941
607
with self.changedstate:
942
608
self.changedstate.notify_all()
943
609
944
610
def enable(self):
945
611
"""Start this client's checker and timeout hooks"""
946
612
if getattr(self, "enabled", False):
951
617
self.last_enabled = datetime.datetime.utcnow()
952
618
self.init_checker()
953
619
self.send_changedstate()
954
620
955
621
def disable(self, quiet=True):
956
622
"""Disable this client."""
957
623
if not getattr(self, "enabled", False):
959
625
if not quiet:
960
626
logger.info("Disabling client %s", self.name)
961
627
if getattr(self, "disable_initiator_tag", None) is not None:
962
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
963
629
self.disable_initiator_tag = None
964
630
self.expires = None
965
631
if getattr(self, "checker_initiator_tag", None) is not None:
966
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
967
633
self.checker_initiator_tag = None
968
634
self.stop_checker()
969
635
self.enabled = False
970
636
if not quiet:
971
637
self.send_changedstate()
972
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
973
639
return False
974
640
975
641
def __del__(self):
976
642
self.disable()
977
643
978
644
def init_checker(self):
979
645
# Schedule a new checker to be started an 'interval' from now,
980
646
# and every interval from then on.
981
647
if self.checker_initiator_tag is not None:
982
GLib.source_remove(self.checker_initiator_tag)
983
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
984
650
int(self.interval.total_seconds() * 1000),
985
651
self.start_checker)
986
652
# Schedule a disable() when 'timeout' has passed
987
653
if self.disable_initiator_tag is not None:
988
GLib.source_remove(self.disable_initiator_tag)
989
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
990
656
int(self.timeout.total_seconds() * 1000), self.disable)
991
657
# Also start a new checker *right now*.
992
658
self.start_checker()
993
659
994
660
def checker_callback(self, source, condition, connection,
995
661
command):
996
662
"""The checker has completed, so take appropriate actions."""
999
665
# Read return code from connection (see call_pipe)
1000
666
returncode = connection.recv()
1001
667
connection.close()
1002
668
1003
669
if returncode >= 0:
1004
670
self.last_checker_status = returncode
1005
671
self.last_checker_signal = None
1015
681
logger.warning("Checker for %(name)s crashed?",
1016
682
vars(self))
1017
683
return False
1018
684
1019
685
def checked_ok(self):
1020
686
"""Assert that the client has been seen, alive and well."""
1021
687
self.last_checked_ok = datetime.datetime.utcnow()
1022
688
self.last_checker_status = 0
1023
689
self.last_checker_signal = None
1024
690
self.bump_timeout()
1025
691
1026
692
def bump_timeout(self, timeout=None):
1027
693
"""Bump up the timeout for this client."""
1028
694
if timeout is None:
1029
695
timeout = self.timeout
1030
696
if self.disable_initiator_tag is not None:
1031
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1032
698
self.disable_initiator_tag = None
1033
699
if getattr(self, "enabled", False):
1034
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1035
701
int(timeout.total_seconds() * 1000), self.disable)
1036
702
self.expires = datetime.datetime.utcnow() + timeout
1037
703
1038
704
def need_approval(self):
1039
705
self.last_approval_request = datetime.datetime.utcnow()
1040
706
1041
707
def start_checker(self):
1042
708
"""Start a new checker subprocess if one is not running.
1043
709
1044
710
If a checker already exists, leave it running and do
1045
711
nothing."""
1046
712
# The reason for not killing a running checker is that if we
1051
717
# checkers alone, the checker would have to take more time
1052
718
# than 'timeout' for the client to be disabled, which is as it
1053
719
# should be.
1054
720
1055
721
if self.checker is not None and not self.checker.is_alive():
1056
722
logger.warning("Checker was not alive; joining")
1057
723
self.checker.join()
1061
727
# Escape attributes for the shell
1062
728
escaped_attrs = {
1063
729
attr: re.escape(str(getattr(self, attr)))
1064
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1065
731
try:
1066
732
command = self.checker_command % escaped_attrs
1067
733
except TypeError as error:
1079
745
# The exception is when not debugging but nevertheless
1080
746
# running in the foreground; use the previously
1081
747
# created wnull.
1082
popen_args = {"close_fds": True,
1083
"shell": True,
1084
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1085
751
if (not self.server_settings["debug"]
1086
752
and self.server_settings["foreground"]):
1087
753
popen_args.update({"stdout": wnull,
1088
"stderr": wnull})
1089
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1090
756
self.checker = multiprocessing.Process(
1091
target=call_pipe,
1092
args=(pipe[1], subprocess.call, command),
1093
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1094
760
self.checker.start()
1095
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1097
763
self.checker_callback, pipe[0], command)
1098
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1099
765
return True
1100
766
1101
767
def stop_checker(self):
1102
768
"""Force the checker process, if any, to stop."""
1103
769
if self.checker_callback_tag:
1104
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1105
771
self.checker_callback_tag = None
1106
772
if getattr(self, "checker", None) is None:
1107
773
return
1116
782
byte_arrays=False):
1117
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1118
784
become properties on the D-Bus.
1119
785
1120
786
The decorated method will be called with no arguments by "Get"
1121
787
and with one argument by "Set".
1122
788
1123
789
The parameters, where they are supported, are the same as
1124
790
dbus.service.method, except there is only "signature", since the
1125
791
type from Get() and the type sent to Set() is the same.
1129
795
if byte_arrays and signature != "ay":
1130
796
raise ValueError("Byte arrays not supported for non-'ay'"
1131
797
" signature {!r}".format(signature))
1132
798
1133
799
def decorator(func):
1134
800
func._dbus_is_property = True
1135
801
func._dbus_interface = dbus_interface
1138
804
func._dbus_name = func.__name__
1139
805
if func._dbus_name.endswith("_dbus_property"):
1140
806
func._dbus_name = func._dbus_name[:-14]
1141
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1142
808
return func
1143
809
1144
810
return decorator
1145
811
1146
812
1147
813
def dbus_interface_annotations(dbus_interface):
1148
814
"""Decorator for marking functions returning interface annotations
1149
815
1150
816
Usage:
1151
817
1152
818
@dbus_interface_annotations("org.example.Interface")
1153
819
def _foo(self): # Function name does not matter
1154
820
return {"org.freedesktop.DBus.Deprecated": "true",
1155
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1156
822
"false"}
1157
823
"""
1158
824
1159
825
def decorator(func):
1160
826
func._dbus_is_interface = True
1161
827
func._dbus_interface = dbus_interface
1162
828
func._dbus_name = dbus_interface
1163
829
return func
1164
830
1165
831
return decorator
1166
832
1167
833
1168
834
def dbus_annotations(annotations):
1169
835
"""Decorator to annotate D-Bus methods, signals or properties
1170
836
Usage:
1171
837
1172
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1173
839
"org.freedesktop.DBus.Property."
1174
840
"EmitsChangedSignal": "false"})
1176
842
access="r")
1177
843
def Property_dbus_property(self):
1178
844
return dbus.Boolean(False)
1179
845
1180
846
See also the DBusObjectWithAnnotations class.
1181
847
"""
1182
848
1183
849
def decorator(func):
1184
850
func._dbus_annotations = annotations
1185
851
return func
1186
852
1187
853
return decorator
1188
854
1189
855
1207
873
1208
874
class DBusObjectWithAnnotations(dbus.service.Object):
1209
875
"""A D-Bus object with annotations.
1210
876
1211
877
Classes inheriting from this can use the dbus_annotations
1212
878
decorator to add annotations to methods or signals.
1213
879
"""
1214
880
1215
881
@staticmethod
1216
882
def _is_dbus_thing(thing):
1217
883
"""Returns a function testing if an attribute is a D-Bus thing
1218
884
1219
885
If called like _is_dbus_thing("method") it returns a function
1220
886
suitable for use as predicate to inspect.getmembers().
1221
887
"""
1222
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1223
889
False)
1224
890
1225
891
def _get_all_dbus_things(self, thing):
1226
892
"""Returns a generator of (name, attribute) pairs
1227
893
"""
1230
896
for cls in self.__class__.__mro__
1231
897
for name, athing in
1232
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1233
899
1234
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1235
out_signature="s",
1236
path_keyword='object_path',
1237
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1238
904
def Introspect(self, object_path, connection):
1239
905
"""Overloading of standard D-Bus method.
1240
906
1241
907
Inserts annotation tags on methods and signals.
1242
908
"""
1243
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1244
910
connection)
1245
911
try:
1246
912
document = xml.dom.minidom.parseString(xmlstring)
1247
913
1248
914
for if_tag in document.getElementsByTagName("interface"):
1249
915
# Add annotation tags
1250
916
for typ in ("method", "signal"):
1277
943
if_tag.appendChild(ann_tag)
1278
944
# Fix argument name for the Introspect method itself
1279
945
if (if_tag.getAttribute("name")
1280
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1281
947
for cn in if_tag.getElementsByTagName("method"):
1282
948
if cn.getAttribute("name") == "Introspect":
1283
949
for arg in cn.getElementsByTagName("arg"):
1296
962
1297
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1298
964
"""A D-Bus object with properties.
1299
965
1300
966
Classes inheriting from this can use the dbus_service_property
1301
967
decorator to expose methods as D-Bus properties. It exposes the
1302
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1303
969
"""
1304
970
1305
971
def _get_dbus_property(self, interface_name, property_name):
1306
972
"""Returns a bound method if one exists which is a D-Bus
1307
973
property with the specified name and interface.
1312
978
if (value._dbus_name == property_name
1313
979
and value._dbus_interface == interface_name):
1314
980
return value.__get__(self)
1315
981
1316
982
# No such property
1317
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1318
984
self.dbus_object_path, interface_name, property_name))
1319
985
1320
986
@classmethod
1321
987
def _get_all_interface_names(cls):
1322
988
"""Get a sequence of all interfaces supported by an object"""
1325
991
for x in (inspect.getmro(cls))
1326
992
for attr in dir(x))
1327
993
if name is not None)
1328
994
1329
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1330
996
in_signature="ss",
1331
997
out_signature="v")
1339
1005
if not hasattr(value, "variant_level"):
1340
1006
return value
1341
1007
return type(value)(value, variant_level=value.variant_level+1)
1342
1008
1343
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1344
1010
def Set(self, interface_name, property_name, value):
1345
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1357
1023
value = dbus.ByteArray(b''.join(chr(byte)
1358
1024
for byte in value))
1359
1025
prop(value)
1360
1026
1361
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1362
1028
in_signature="s",
1363
1029
out_signature="a{sv}")
1364
1030
def GetAll(self, interface_name):
1365
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1366
1032
standard.
1367
1033
1368
1034
Note: Will not include properties with access="write".
1369
1035
"""
1370
1036
properties = {}
1381
1047
properties[name] = value
1382
1048
continue
1383
1049
properties[name] = type(value)(
1384
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1385
1051
return dbus.Dictionary(properties, signature="sv")
1386
1052
1387
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1388
1054
def PropertiesChanged(self, interface_name, changed_properties,
1389
1055
invalidated_properties):
1391
1057
standard.
1392
1058
"""
1393
1059
pass
1394
1060
1395
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1396
1062
out_signature="s",
1397
1063
path_keyword='object_path',
1398
1064
connection_keyword='connection')
1399
1065
def Introspect(self, object_path, connection):
1400
1066
"""Overloading of standard D-Bus method.
1401
1067
1402
1068
Inserts property tags and interface annotation tags.
1403
1069
"""
1404
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1406
1072
connection)
1407
1073
try:
1408
1074
document = xml.dom.minidom.parseString(xmlstring)
1409
1075
1410
1076
def make_tag(document, name, prop):
1411
1077
e = document.createElement("property")
1412
1078
e.setAttribute("name", name)
1413
1079
e.setAttribute("type", prop._dbus_signature)
1414
1080
e.setAttribute("access", prop._dbus_access)
1415
1081
return e
1416
1082
1417
1083
for if_tag in document.getElementsByTagName("interface"):
1418
1084
# Add property tags
1419
1085
for tag in (make_tag(document, name, prop)
1461
1127
exc_info=error)
1462
1128
return xmlstring
1463
1129
1464
1465
1130
try:
1466
1131
dbus.OBJECT_MANAGER_IFACE
1467
1132
except AttributeError:
1468
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1469
1134
1470
1471
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1472
1136
"""A D-Bus object with an ObjectManager.
1473
1137
1474
1138
Classes inheriting from this exposes the standard
1475
1139
GetManagedObjects call and the InterfacesAdded and
1476
1140
InterfacesRemoved signals on the standard
1477
1141
"org.freedesktop.DBus.ObjectManager" interface.
1478
1142
1479
1143
Note: No signals are sent automatically; they must be sent
1480
1144
manually.
1481
1145
"""
1482
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1483
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1484
1148
def GetManagedObjects(self):
1485
1149
"""This function must be overridden"""
1486
1150
raise NotImplementedError()
1487
1151
1488
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1489
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1490
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1491
1155
pass
1492
1493
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1494
1158
def InterfacesRemoved(self, object_path, interfaces):
1495
1159
pass
1496
1160
1497
1161
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1498
out_signature="s",
1499
path_keyword='object_path',
1500
connection_keyword='connection')
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1501
1165
def Introspect(self, object_path, connection):
1502
1166
"""Overloading of standard D-Bus method.
1503
1167
1504
1168
Override return argument name of GetManagedObjects to be
1505
1169
"objpath_interfaces_and_properties"
1506
1170
"""
1509
1173
connection)
1510
1174
try:
1511
1175
document = xml.dom.minidom.parseString(xmlstring)
1512
1176
1513
1177
for if_tag in document.getElementsByTagName("interface"):
1514
1178
# Fix argument name for the GetManagedObjects method
1515
1179
if (if_tag.getAttribute("name")
1516
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1517
1181
for cn in if_tag.getElementsByTagName("method"):
1518
1182
if (cn.getAttribute("name")
1519
1183
== "GetManagedObjects"):
1529
1193
except (AttributeError, xml.dom.DOMException,
1530
1194
xml.parsers.expat.ExpatError) as error:
1531
1195
logger.error("Failed to override Introspection method",
1532
exc_info=error)
1196
exc_info = error)
1533
1197
return xmlstring
1534
1198
1535
1536
1199
def datetime_to_dbus(dt, variant_level=0):
1537
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1538
1201
if dt is None:
1539
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1540
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1541
1204
1542
1205
1545
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1546
1209
interface names according to the "alt_interface_names" mapping.
1547
1210
Usage:
1548
1211
1549
1212
@alternate_dbus_interfaces({"org.example.Interface":
1550
1213
"net.example.AlternateInterface"})
1551
1214
class SampleDBusObject(dbus.service.Object):
1552
1215
@dbus.service.method("org.example.Interface")
1553
1216
def SampleDBusMethod():
1554
1217
pass
1555
1218
1556
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1557
1220
reachable via two interfaces: "org.example.Interface" and
1558
1221
"net.example.AlternateInterface", the latter of which will have
1559
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1560
1223
"true", unless "deprecate" is passed with a False value.
1561
1224
1562
1225
This works for methods and signals, and also for D-Bus properties
1563
1226
(from DBusObjectWithProperties) and interfaces (from the
1564
1227
dbus_interface_annotations decorator).
1565
1228
"""
1566
1229
1567
1230
def wrapper(cls):
1568
1231
for orig_interface_name, alt_interface_name in (
1569
1232
alt_interface_names.items()):
1584
1247
interface_names.add(alt_interface)
1585
1248
# Is this a D-Bus signal?
1586
1249
if getattr(attribute, "_dbus_is_signal", False):
1587
# Extract the original non-method undecorated
1588
# function by black magic
1589
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1590
1253
nonmethod_func = (dict(
1591
1254
zip(attribute.func_code.co_freevars,
1592
1255
attribute.__closure__))
1593
1256
["func"].cell_contents)
1594
1257
else:
1595
nonmethod_func = (dict(
1596
zip(attribute.__code__.co_freevars,
1597
attribute.__closure__))
1598
["func"].cell_contents)
1258
nonmethod_func = attribute
1599
1259
# Create a new, but exactly alike, function
1600
1260
# object, and decorate it to be a new D-Bus signal
1601
1261
# with the alternate D-Bus interface name
1602
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1603
1276
new_function = (dbus.service.signal(
1604
1277
alt_interface,
1605
1278
attribute._dbus_signature)(new_function))
1609
1282
attribute._dbus_annotations)
1610
1283
except AttributeError:
1611
1284
pass
1612
1613
1285
# Define a creator of a function to call both the
1614
1286
# original and alternate functions, so both the
1615
1287
# original and alternate signals gets sent when
1618
1290
"""This function is a scope container to pass
1619
1291
func1 and func2 to the "call_both" function
1620
1292
outside of its arguments"""
1621
1293
1622
1294
@functools.wraps(func2)
1623
1295
def call_both(*args, **kwargs):
1624
1296
"""This function will emit two D-Bus
1625
1297
signals by calling func1 and func2"""
1626
1298
func1(*args, **kwargs)
1627
1299
func2(*args, **kwargs)
1628
# Make wrapper function look like a D-Bus
1629
# signal
1300
# Make wrapper function look like a D-Bus signal
1630
1301
for name, attr in inspect.getmembers(func2):
1631
1302
if name.startswith("_dbus_"):
1632
1303
setattr(call_both, name, attr)
1633
1304
1634
1305
return call_both
1635
1306
# Create the "call_both" function and add it to
1636
1307
# the class
1646
1317
alt_interface,
1647
1318
attribute._dbus_in_signature,
1648
1319
attribute._dbus_out_signature)
1649
(copy_function(attribute)))
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1650
1325
# Copy annotations, if any
1651
1326
try:
1652
1327
attr[attrname]._dbus_annotations = dict(
1664
1339
attribute._dbus_access,
1665
1340
attribute._dbus_get_args_options
1666
1341
["byte_arrays"])
1667
(copy_function(attribute)))
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1668
1348
# Copy annotations, if any
1669
1349
try:
1670
1350
attr[attrname]._dbus_annotations = dict(
1679
1359
# to the class.
1680
1360
attr[attrname] = (
1681
1361
dbus_interface_annotations(alt_interface)
1682
(copy_function(attribute)))
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1683
1367
if deprecate:
1684
1368
# Deprecate all alternate interfaces
1685
iname = "_AlternateDBusNames_interface_annotation{}"
1369
iname="_AlternateDBusNames_interface_annotation{}"
1686
1370
for interface_name in interface_names:
1687
1371
1688
1372
@dbus_interface_annotations(interface_name)
1689
1373
def func(self):
1690
return {"org.freedesktop.DBus.Deprecated":
1691
"true"}
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1692
1376
# Find an unused name
1693
1377
for aname in (iname.format(i)
1694
1378
for i in itertools.count()):
1698
1382
if interface_names:
1699
1383
# Replace the class with a new subclass of it with
1700
1384
# methods, signals, etc. as created above.
1701
if sys.version_info.major == 2:
1702
cls = type(b"{}Alternate".format(cls.__name__),
1703
(cls, ), attr)
1704
else:
1705
cls = type("{}Alternate".format(cls.__name__),
1706
(cls, ), attr)
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1707
1387
return cls
1708
1388
1709
1389
return wrapper
1710
1390
1711
1391
1713
1393
"se.bsnet.fukt.Mandos"})
1714
1394
class ClientDBus(Client, DBusObjectWithProperties):
1715
1395
"""A Client class using D-Bus
1716
1396
1717
1397
Attributes:
1718
1398
dbus_object_path: dbus.ObjectPath
1719
1399
bus: dbus.SystemBus()
1720
1400
"""
1721
1401
1722
1402
runtime_expansions = (Client.runtime_expansions
1723
1403
+ ("dbus_object_path", ))
1724
1404
1725
1405
_interface = "se.recompile.Mandos.Client"
1726
1406
1727
1407
# dbus.service.Object doesn't use super(), so we can't either.
1728
1729
def __init__(self, bus=None, *args, **kwargs):
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1730
1410
self.bus = bus
1731
1411
Client.__init__(self, *args, **kwargs)
1732
1412
# Only now, when this client is initialized, can it show up on
1738
1418
"/clients/" + client_object_name)
1739
1419
DBusObjectWithProperties.__init__(self, self.bus,
1740
1420
self.dbus_object_path)
1741
1421
1742
1422
def notifychangeproperty(transform_func, dbus_name,
1743
1423
type_func=lambda x: x,
1744
1424
variant_level=1,
1746
1426
_interface=_interface):
1747
1427
""" Modify a variable so that it's a property which announces
1748
1428
its changes to DBus.
1749
1429
1750
1430
transform_fun: Function that takes a value and a variant_level
1751
1431
and transforms it to a D-Bus type.
1752
1432
dbus_name: D-Bus name of the variable
1755
1435
variant_level: D-Bus variant level. Default: 1
1756
1436
"""
1757
1437
attrname = "_{}".format(dbus_name)
1758
1438
1759
1439
def setter(self, value):
1760
1440
if hasattr(self, "dbus_object_path"):
1761
1441
if (not hasattr(self, attrname) or
1768
1448
else:
1769
1449
dbus_value = transform_func(
1770
1450
type_func(value),
1771
variant_level=variant_level)
1451
variant_level = variant_level)
1772
1452
self.PropertyChanged(dbus.String(dbus_name),
1773
1453
dbus_value)
1774
1454
self.PropertiesChanged(
1775
1455
_interface,
1776
dbus.Dictionary({dbus.String(dbus_name):
1777
dbus_value}),
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1778
1458
dbus.Array())
1779
1459
setattr(self, attrname, value)
1780
1460
1781
1461
return property(lambda self: getattr(self, attrname), setter)
1782
1462
1783
1463
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1784
1464
approvals_pending = notifychangeproperty(dbus.Boolean,
1785
1465
"ApprovalPending",
1786
type_func=bool)
1466
type_func = bool)
1787
1467
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1788
1468
last_enabled = notifychangeproperty(datetime_to_dbus,
1789
1469
"LastEnabled")
1790
1470
checker = notifychangeproperty(
1791
1471
dbus.Boolean, "CheckerRunning",
1792
type_func=lambda checker: checker is not None)
1472
type_func = lambda checker: checker is not None)
1793
1473
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1794
1474
"LastCheckedOK")
1795
1475
last_checker_status = notifychangeproperty(dbus.Int16,
1800
1480
"ApprovedByDefault")
1801
1481
approval_delay = notifychangeproperty(
1802
1482
dbus.UInt64, "ApprovalDelay",
1803
type_func=lambda td: td.total_seconds() * 1000)
1483
type_func = lambda td: td.total_seconds() * 1000)
1804
1484
approval_duration = notifychangeproperty(
1805
1485
dbus.UInt64, "ApprovalDuration",
1806
type_func=lambda td: td.total_seconds() * 1000)
1486
type_func = lambda td: td.total_seconds() * 1000)
1807
1487
host = notifychangeproperty(dbus.String, "Host")
1808
1488
timeout = notifychangeproperty(
1809
1489
dbus.UInt64, "Timeout",
1810
type_func=lambda td: td.total_seconds() * 1000)
1490
type_func = lambda td: td.total_seconds() * 1000)
1811
1491
extended_timeout = notifychangeproperty(
1812
1492
dbus.UInt64, "ExtendedTimeout",
1813
type_func=lambda td: td.total_seconds() * 1000)
1493
type_func = lambda td: td.total_seconds() * 1000)
1814
1494
interval = notifychangeproperty(
1815
1495
dbus.UInt64, "Interval",
1816
type_func=lambda td: td.total_seconds() * 1000)
1496
type_func = lambda td: td.total_seconds() * 1000)
1817
1497
checker_command = notifychangeproperty(dbus.String, "Checker")
1818
1498
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1819
1499
invalidate_only=True)
1820
1500
1821
1501
del notifychangeproperty
1822
1502
1823
1503
def __del__(self, *args, **kwargs):
1824
1504
try:
1825
1505
self.remove_from_connection()
1828
1508
if hasattr(DBusObjectWithProperties, "__del__"):
1829
1509
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1830
1510
Client.__del__(self, *args, **kwargs)
1831
1511
1832
1512
def checker_callback(self, source, condition,
1833
1513
connection, command, *args, **kwargs):
1834
1514
ret = Client.checker_callback(self, source, condition,
1850
1530
| self.last_checker_signal),
1851
1531
dbus.String(command))
1852
1532
return ret
1853
1533
1854
1534
def start_checker(self, *args, **kwargs):
1855
1535
old_checker_pid = getattr(self.checker, "pid", None)
1856
1536
r = Client.start_checker(self, *args, **kwargs)
1860
1540
# Emit D-Bus signal
1861
1541
self.CheckerStarted(self.current_checker_command)
1862
1542
return r
1863
1543
1864
1544
def _reset_approved(self):
1865
1545
self.approved = None
1866
1546
return False
1867
1547
1868
1548
def approve(self, value=True):
1869
1549
self.approved = value
1870
GLib.timeout_add(int(self.approval_duration.total_seconds()
1871
* 1000), self._reset_approved)
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1872
1552
self.send_changedstate()
1873
1874
# D-Bus methods, signals & properties
1875
1876
# Interfaces
1877
1878
# Signals
1879
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1880
1560
# CheckerCompleted - signal
1881
1561
@dbus.service.signal(_interface, signature="nxs")
1882
1562
def CheckerCompleted(self, exitcode, waitstatus, command):
1883
1563
"D-Bus signal"
1884
1564
pass
1885
1565
1886
1566
# CheckerStarted - signal
1887
1567
@dbus.service.signal(_interface, signature="s")
1888
1568
def CheckerStarted(self, command):
1889
1569
"D-Bus signal"
1890
1570
pass
1891
1571
1892
1572
# PropertyChanged - signal
1893
1573
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1894
1574
@dbus.service.signal(_interface, signature="sv")
1895
1575
def PropertyChanged(self, property, value):
1896
1576
"D-Bus signal"
1897
1577
pass
1898
1578
1899
1579
# GotSecret - signal
1900
1580
@dbus.service.signal(_interface)
1901
1581
def GotSecret(self):
1904
1584
server to mandos-client
1905
1585
"""
1906
1586
pass
1907
1587
1908
1588
# Rejected - signal
1909
1589
@dbus.service.signal(_interface, signature="s")
1910
1590
def Rejected(self, reason):
1911
1591
"D-Bus signal"
1912
1592
pass
1913
1593
1914
1594
# NeedApproval - signal
1915
1595
@dbus.service.signal(_interface, signature="tb")
1916
1596
def NeedApproval(self, timeout, default):
1917
1597
"D-Bus signal"
1918
1598
return self.need_approval()
1919
1920
# Methods
1921
1599
1600
## Methods
1601
1922
1602
# Approve - method
1923
1603
@dbus.service.method(_interface, in_signature="b")
1924
1604
def Approve(self, value):
1925
1605
self.approve(value)
1926
1606
1927
1607
# CheckedOK - method
1928
1608
@dbus.service.method(_interface)
1929
1609
def CheckedOK(self):
1930
1610
self.checked_ok()
1931
1611
1932
1612
# Enable - method
1933
1613
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1934
1614
@dbus.service.method(_interface)
1935
1615
def Enable(self):
1936
1616
"D-Bus method"
1937
1617
self.enable()
1938
1618
1939
1619
# StartChecker - method
1940
1620
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1941
1621
@dbus.service.method(_interface)
1942
1622
def StartChecker(self):
1943
1623
"D-Bus method"
1944
1624
self.start_checker()
1945
1625
1946
1626
# Disable - method
1947
1627
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1948
1628
@dbus.service.method(_interface)
1949
1629
def Disable(self):
1950
1630
"D-Bus method"
1951
1631
self.disable()
1952
1632
1953
1633
# StopChecker - method
1954
1634
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1955
1635
@dbus.service.method(_interface)
1956
1636
def StopChecker(self):
1957
1637
self.stop_checker()
1958
1959
# Properties
1960
1638
1639
## Properties
1640
1961
1641
# ApprovalPending - property
1962
1642
@dbus_service_property(_interface, signature="b", access="read")
1963
1643
def ApprovalPending_dbus_property(self):
1964
1644
return dbus.Boolean(bool(self.approvals_pending))
1965
1645
1966
1646
# ApprovedByDefault - property
1967
1647
@dbus_service_property(_interface,
1968
1648
signature="b",
1971
1651
if value is None: # get
1972
1652
return dbus.Boolean(self.approved_by_default)
1973
1653
self.approved_by_default = bool(value)
1974
1654
1975
1655
# ApprovalDelay - property
1976
1656
@dbus_service_property(_interface,
1977
1657
signature="t",
1981
1661
return dbus.UInt64(self.approval_delay.total_seconds()
1982
1662
* 1000)
1983
1663
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1984
1664
1985
1665
# ApprovalDuration - property
1986
1666
@dbus_service_property(_interface,
1987
1667
signature="t",
1991
1671
return dbus.UInt64(self.approval_duration.total_seconds()
1992
1672
* 1000)
1993
1673
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1994
1674
1995
1675
# Name - property
1996
1676
@dbus_annotations(
1997
1677
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1998
1678
@dbus_service_property(_interface, signature="s", access="read")
1999
1679
def Name_dbus_property(self):
2000
1680
return dbus.String(self.name)
2001
1681
2002
1682
# Fingerprint - property
2003
1683
@dbus_annotations(
2004
1684
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2005
1685
@dbus_service_property(_interface, signature="s", access="read")
2006
1686
def Fingerprint_dbus_property(self):
2007
1687
return dbus.String(self.fingerprint)
2008
1688
2009
1689
# Host - property
2010
1690
@dbus_service_property(_interface,
2011
1691
signature="s",
2014
1694
if value is None: # get
2015
1695
return dbus.String(self.host)
2016
1696
self.host = str(value)
2017
1697
2018
1698
# Created - property
2019
1699
@dbus_annotations(
2020
1700
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2021
1701
@dbus_service_property(_interface, signature="s", access="read")
2022
1702
def Created_dbus_property(self):
2023
1703
return datetime_to_dbus(self.created)
2024
1704
2025
1705
# LastEnabled - property
2026
1706
@dbus_service_property(_interface, signature="s", access="read")
2027
1707
def LastEnabled_dbus_property(self):
2028
1708
return datetime_to_dbus(self.last_enabled)
2029
1709
2030
1710
# Enabled - property
2031
1711
@dbus_service_property(_interface,
2032
1712
signature="b",
2038
1718
self.enable()
2039
1719
else:
2040
1720
self.disable()
2041
1721
2042
1722
# LastCheckedOK - property
2043
1723
@dbus_service_property(_interface,
2044
1724
signature="s",
2048
1728
self.checked_ok()
2049
1729
return
2050
1730
return datetime_to_dbus(self.last_checked_ok)
2051
1731
2052
1732
# LastCheckerStatus - property
2053
1733
@dbus_service_property(_interface, signature="n", access="read")
2054
1734
def LastCheckerStatus_dbus_property(self):
2055
1735
return dbus.Int16(self.last_checker_status)
2056
1736
2057
1737
# Expires - property
2058
1738
@dbus_service_property(_interface, signature="s", access="read")
2059
1739
def Expires_dbus_property(self):
2060
1740
return datetime_to_dbus(self.expires)
2061
1741
2062
1742
# LastApprovalRequest - property
2063
1743
@dbus_service_property(_interface, signature="s", access="read")
2064
1744
def LastApprovalRequest_dbus_property(self):
2065
1745
return datetime_to_dbus(self.last_approval_request)
2066
1746
2067
1747
# Timeout - property
2068
1748
@dbus_service_property(_interface,
2069
1749
signature="t",
2084
1764
if (getattr(self, "disable_initiator_tag", None)
2085
1765
is None):
2086
1766
return
2087
GLib.source_remove(self.disable_initiator_tag)
2088
self.disable_initiator_tag = GLib.timeout_add(
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2089
1769
int((self.expires - now).total_seconds() * 1000),
2090
1770
self.disable)
2091
1771
2092
1772
# ExtendedTimeout - property
2093
1773
@dbus_service_property(_interface,
2094
1774
signature="t",
2098
1778
return dbus.UInt64(self.extended_timeout.total_seconds()
2099
1779
* 1000)
2100
1780
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2101
1781
2102
1782
# Interval - property
2103
1783
@dbus_service_property(_interface,
2104
1784
signature="t",
2111
1791
return
2112
1792
if self.enabled:
2113
1793
# Reschedule checker run
2114
GLib.source_remove(self.checker_initiator_tag)
2115
self.checker_initiator_tag = GLib.timeout_add(
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2116
1796
value, self.start_checker)
2117
self.start_checker() # Start one now, too
2118
1797
self.start_checker() # Start one now, too
1798
2119
1799
# Checker - property
2120
1800
@dbus_service_property(_interface,
2121
1801
signature="s",
2124
1804
if value is None: # get
2125
1805
return dbus.String(self.checker_command)
2126
1806
self.checker_command = str(value)
2127
1807
2128
1808
# CheckerRunning - property
2129
1809
@dbus_service_property(_interface,
2130
1810
signature="b",
2136
1816
self.start_checker()
2137
1817
else:
2138
1818
self.stop_checker()
2139
1819
2140
1820
# ObjectPath - property
2141
1821
@dbus_annotations(
2142
1822
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2143
1823
"org.freedesktop.DBus.Deprecated": "true"})
2144
1824
@dbus_service_property(_interface, signature="o", access="read")
2145
1825
def ObjectPath_dbus_property(self):
2146
return self.dbus_object_path # is already a dbus.ObjectPath
2147
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2148
1828
# Secret = property
2149
1829
@dbus_annotations(
2150
1830
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2155
1835
byte_arrays=True)
2156
1836
def Secret_dbus_property(self, value):
2157
1837
self.secret = bytes(value)
2158
1838
2159
1839
del _interface
2160
1840
2161
1841
2165
1845
self._pipe.send(('init', fpr, address))
2166
1846
if not self._pipe.recv():
2167
1847
raise KeyError(fpr)
2168
1848
2169
1849
def __getattribute__(self, name):
2170
1850
if name == '_pipe':
2171
1851
return super(ProxyClient, self).__getattribute__(name)
2174
1854
if data[0] == 'data':
2175
1855
return data[1]
2176
1856
if data[0] == 'function':
2177
1857
2178
1858
def func(*args, **kwargs):
2179
1859
self._pipe.send(('funcall', name, args, kwargs))
2180
1860
return self._pipe.recv()[1]
2181
1861
2182
1862
return func
2183
1863
2184
1864
def __setattr__(self, name, value):
2185
1865
if name == '_pipe':
2186
1866
return super(ProxyClient, self).__setattr__(name, value)
2189
1869
2190
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2191
1871
"""A class to handle client connections.
2192
1872
2193
1873
Instantiated once for each connection to handle it.
2194
1874
Note: This will run in its own forked process."""
2195
1875
2196
1876
def handle(self):
2197
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2198
1878
logger.info("TCP connection from: %s",
2199
1879
str(self.client_address))
2200
1880
logger.debug("Pipe FD: %d",
2201
1881
self.server.child_pipe.fileno())
2202
2203
session = gnutls.ClientSession(self.request)
2204
2205
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2206
# "+AES-256-CBC", "+SHA1",
2207
# "+COMP-NULL", "+CTYPE-OPENPGP",
2208
# "+DHE-DSS"))
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2209
1895
# Use a fallback default, since this MUST be set.
2210
1896
priority = self.server.gnutls_priority
2211
1897
if priority is None:
2212
1898
priority = "NORMAL"
2213
gnutls.priority_set_direct(session._c_object,
2214
priority.encode("utf-8"),
2215
None)
2216
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2217
1902
# Start communication using the Mandos protocol
2218
1903
# Get protocol number
2219
1904
line = self.request.makefile().readline()
2224
1909
except (ValueError, IndexError, RuntimeError) as error:
2225
1910
logger.error("Unknown protocol version: %s", error)
2226
1911
return
2227
1912
2228
1913
# Start GnuTLS connection
2229
1914
try:
2230
1915
session.handshake()
2231
except gnutls.Error as error:
1916
except gnutls.errors.GNUTLSError as error:
2232
1917
logger.warning("Handshake failed: %s", error)
2233
1918
# Do not run session.bye() here: the session is not
2234
1919
# established. Just abandon the request.
2235
1920
return
2236
1921
logger.debug("Handshake succeeded")
2237
1922
2238
1923
approval_required = False
2239
1924
try:
2240
1925
try:
2241
1926
fpr = self.fingerprint(
2242
1927
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
2244
1930
logger.warning("Bad certificate: %s", error)
2245
1931
return
2246
1932
logger.debug("Fingerprint: %s", fpr)
2247
1933
2248
1934
try:
2249
1935
client = ProxyClient(child_pipe, fpr,
2250
1936
self.client_address)
2251
1937
except KeyError:
2252
1938
return
2253
1939
2254
1940
if client.approval_delay:
2255
1941
delay = client.approval_delay
2256
1942
client.approvals_pending += 1
2257
1943
approval_required = True
2258
1944
2259
1945
while True:
2260
1946
if not client.enabled:
2261
1947
logger.info("Client %s is disabled",
2264
1950
# Emit D-Bus signal
2265
1951
client.Rejected("Disabled")
2266
1952
return
2267
1953
2268
1954
if client.approved or not client.approval_delay:
2269
# We are approved or approval is disabled
1955
#We are approved or approval is disabled
2270
1956
break
2271
1957
elif client.approved is None:
2272
1958
logger.info("Client %s needs approval",
2283
1969
# Emit D-Bus signal
2284
1970
client.Rejected("Denied")
2285
1971
return
2286
2287
# wait until timeout or approved
1972
1973
#wait until timeout or approved
2288
1974
time = datetime.datetime.now()
2289
1975
client.changedstate.acquire()
2290
1976
client.changedstate.wait(delay.total_seconds())
2303
1989
break
2304
1990
else:
2305
1991
delay -= time2 - time
2306
2307
try:
2308
session.send(client.secret)
2309
except gnutls.Error as error:
2310
logger.warning("gnutls send failed",
2311
exc_info=error)
2312
return
2313
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2314
2006
logger.info("Sending secret to %s", client.name)
2315
2007
# bump the timeout using extended_timeout
2316
2008
client.bump_timeout(client.extended_timeout)
2317
2009
if self.server.use_dbus:
2318
2010
# Emit D-Bus signal
2319
2011
client.GotSecret()
2320
2012
2321
2013
finally:
2322
2014
if approval_required:
2323
2015
client.approvals_pending -= 1
2324
2016
try:
2325
2017
session.bye()
2326
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2327
2019
logger.warning("GnuTLS bye failed",
2328
2020
exc_info=error)
2329
2021
2330
2022
@staticmethod
2331
2023
def peer_certificate(session):
2332
2024
"Return the peer's OpenPGP certificate as a bytestring"
2333
2025
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2336
# ...return invalid data
2337
return b""
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2338
2031
list_size = ctypes.c_uint(1)
2339
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2340
2034
(session._c_object, ctypes.byref(list_size)))
2341
2035
if not bool(cert_list) and list_size.value != 0:
2342
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2343
2038
if list_size.value == 0:
2344
2039
return None
2345
2040
cert = cert_list[0]
2346
2041
return ctypes.string_at(cert.data, cert.size)
2347
2042
2348
2043
@staticmethod
2349
2044
def fingerprint(openpgp):
2350
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2046
# New GnuTLS "datum" with the OpenPGP public key
2352
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2353
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2354
2049
ctypes.POINTER(ctypes.c_ubyte)),
2355
2050
ctypes.c_uint(len(openpgp)))
2356
2051
# New empty GnuTLS certificate
2357
crt = gnutls.openpgp_crt_t()
2358
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2359
2055
# Import the OpenPGP public key into the certificate
2360
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2361
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2362
2059
# Verify the self signature in the key
2363
2060
crtverify = ctypes.c_uint()
2364
gnutls.openpgp_crt_verify_self(crt, 0,
2365
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2366
2063
if crtverify.value != 0:
2367
gnutls.openpgp_crt_deinit(crt)
2368
raise gnutls.CertificateSecurityError("Verify failed")
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2369
2067
# New buffer for the fingerprint
2370
2068
buf = ctypes.create_string_buffer(20)
2371
2069
buf_len = ctypes.c_size_t()
2372
2070
# Get the fingerprint from the certificate into the buffer
2373
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2374
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2375
2073
# Deinit the certificate
2376
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2377
2075
# Convert the buffer to a Python bytestring
2378
2076
fpr = ctypes.string_at(buf, buf_len.value)
2379
2077
# Convert the bytestring to hexadecimal notation
2383
2081
2384
2082
class MultiprocessingMixIn(object):
2385
2083
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2386
2084
2387
2085
def sub_process_main(self, request, address):
2388
2086
try:
2389
2087
self.finish_request(request, address)
2390
2088
except Exception:
2391
2089
self.handle_error(request, address)
2392
2090
self.close_request(request)
2393
2091
2394
2092
def process_request(self, request, address):
2395
2093
"""Start a new process to process the request."""
2396
proc = multiprocessing.Process(target=self.sub_process_main,
2397
args=(request, address))
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2398
2096
proc.start()
2399
2097
return proc
2400
2098
2401
2099
2402
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2403
2101
""" adds a pipe to the MixIn """
2404
2102
2405
2103
def process_request(self, request, client_address):
2406
2104
"""Overrides and wraps the original process_request().
2407
2105
2408
2106
This function creates a new pipe in self.pipe
2409
2107
"""
2410
2108
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2411
2109
2412
2110
proc = MultiprocessingMixIn.process_request(self, request,
2413
2111
client_address)
2414
2112
self.child_pipe.close()
2415
2113
self.add_pipe(parent_pipe, proc)
2416
2114
2417
2115
def add_pipe(self, parent_pipe, proc):
2418
2116
"""Dummy function; override as necessary"""
2419
2117
raise NotImplementedError()
2422
2120
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2423
2121
socketserver.TCPServer, object):
2424
2122
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2425
2123
2426
2124
Attributes:
2427
2125
enabled: Boolean; whether this server is activated yet
2428
2126
interface: None or a network interface name (string)
2429
2127
use_ipv6: Boolean; to use IPv6 or not
2430
2128
"""
2431
2129
2432
2130
def __init__(self, server_address, RequestHandlerClass,
2433
2131
interface=None,
2434
2132
use_ipv6=True,
2444
2142
self.socketfd = socketfd
2445
2143
# Save the original socket.socket() function
2446
2144
self.socket_socket = socket.socket
2447
2448
2145
# To implement --socket, we monkey patch socket.socket.
2449
#
2146
#
2450
2147
# (When socketserver.TCPServer is a new-style class, we
2451
2148
# could make self.socket into a property instead of monkey
2452
2149
# patching socket.socket.)
2453
#
2150
#
2454
2151
# Create a one-time-only replacement for socket.socket()
2455
2152
@functools.wraps(socket.socket)
2456
2153
def socket_wrapper(*args, **kwargs):
2468
2165
# socket_wrapper(), if socketfd was set.
2469
2166
socketserver.TCPServer.__init__(self, server_address,
2470
2167
RequestHandlerClass)
2471
2168
2472
2169
def server_bind(self):
2473
2170
"""This overrides the normal server_bind() function
2474
2171
to bind to an interface if one was specified, and also NOT to
2475
2172
bind to an address or port if they were not specified."""
2476
global SO_BINDTODEVICE
2477
2173
if self.interface is not None:
2478
2174
if SO_BINDTODEVICE is None:
2479
# Fall back to a hard-coded value which seems to be
2480
# common enough.
2481
logger.warning("SO_BINDTODEVICE not found, trying 25")
2482
SO_BINDTODEVICE = 25
2483
try:
2484
self.socket.setsockopt(
2485
socket.SOL_SOCKET, SO_BINDTODEVICE,
2486
(self.interface + "\0").encode("utf-8"))
2487
except socket.error as error:
2488
if error.errno == errno.EPERM:
2489
logger.error("No permission to bind to"
2490
" interface %s", self.interface)
2491
elif error.errno == errno.ENOPROTOOPT:
2492
logger.error("SO_BINDTODEVICE not available;"
2493
" cannot bind to interface %s",
2494
self.interface)
2495
elif error.errno == errno.ENODEV:
2496
logger.error("Interface %s does not exist,"
2497
" cannot bind", self.interface)
2498
else:
2499
raise
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2500
2196
# Only bind(2) the socket if we really need to.
2501
2197
if self.server_address[0] or self.server_address[1]:
2502
2198
if not self.server_address[0]:
2503
2199
if self.address_family == socket.AF_INET6:
2504
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2505
2201
else:
2506
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2507
2203
self.server_address = (any_address,
2508
2204
self.server_address[1])
2509
2205
elif not self.server_address[1]:
2519
2215
2520
2216
class MandosServer(IPv6_TCPServer):
2521
2217
"""Mandos server.
2522
2218
2523
2219
Attributes:
2524
2220
clients: set of Client objects
2525
2221
gnutls_priority GnuTLS priority string
2526
2222
use_dbus: Boolean; to emit D-Bus signals or not
2527
2528
Assumes a GLib.MainLoop event loop.
2223
2224
Assumes a gobject.MainLoop event loop.
2529
2225
"""
2530
2226
2531
2227
def __init__(self, server_address, RequestHandlerClass,
2532
2228
interface=None,
2533
2229
use_ipv6=True,
2543
2239
self.gnutls_priority = gnutls_priority
2544
2240
IPv6_TCPServer.__init__(self, server_address,
2545
2241
RequestHandlerClass,
2546
interface=interface,
2547
use_ipv6=use_ipv6,
2548
socketfd=socketfd)
2549
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2550
2246
def server_activate(self):
2551
2247
if self.enabled:
2552
2248
return socketserver.TCPServer.server_activate(self)
2553
2249
2554
2250
def enable(self):
2555
2251
self.enabled = True
2556
2252
2557
2253
def add_pipe(self, parent_pipe, proc):
2558
2254
# Call "handle_ipc" for both data and EOF events
2559
GLib.io_add_watch(
2255
gobject.io_add_watch(
2560
2256
parent_pipe.fileno(),
2561
GLib.IO_IN | GLib.IO_HUP,
2257
gobject.IO_IN | gobject.IO_HUP,
2562
2258
functools.partial(self.handle_ipc,
2563
parent_pipe=parent_pipe,
2564
proc=proc))
2565
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2566
2262
def handle_ipc(self, source, condition,
2567
2263
parent_pipe=None,
2568
proc=None,
2264
proc = None,
2569
2265
client_object=None):
2570
2266
# error, or the other end of multiprocessing.Pipe has closed
2571
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2572
2268
# Wait for other process to exit
2573
2269
proc.join()
2574
2270
return False
2575
2271
2576
2272
# Read a request from the child
2577
2273
request = parent_pipe.recv()
2578
2274
command = request[0]
2579
2275
2580
2276
if command == 'init':
2581
fpr = request[1].decode("ascii")
2277
fpr = request[1]
2582
2278
address = request[2]
2583
2584
for c in self.clients.values():
2279
2280
for c in self.clients.itervalues():
2585
2281
if c.fingerprint == fpr:
2586
2282
client = c
2587
2283
break
2594
2290
address[0])
2595
2291
parent_pipe.send(False)
2596
2292
return False
2597
2598
GLib.io_add_watch(
2293
2294
gobject.io_add_watch(
2599
2295
parent_pipe.fileno(),
2600
GLib.IO_IN | GLib.IO_HUP,
2296
gobject.IO_IN | gobject.IO_HUP,
2601
2297
functools.partial(self.handle_ipc,
2602
parent_pipe=parent_pipe,
2603
proc=proc,
2604
client_object=client))
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2605
2301
parent_pipe.send(True)
2606
2302
# remove the old hook in favor of the new above hook on
2607
2303
# same fileno
2610
2306
funcname = request[1]
2611
2307
args = request[2]
2612
2308
kwargs = request[3]
2613
2309
2614
2310
parent_pipe.send(('data', getattr(client_object,
2615
2311
funcname)(*args,
2616
2312
**kwargs)))
2617
2313
2618
2314
if command == 'getattr':
2619
2315
attrname = request[1]
2620
2316
if isinstance(client_object.__getattribute__(attrname),
2623
2319
else:
2624
2320
parent_pipe.send((
2625
2321
'data', client_object.__getattribute__(attrname)))
2626
2322
2627
2323
if command == 'setattr':
2628
2324
attrname = request[1]
2629
2325
value = request[2]
2630
2326
setattr(client_object, attrname, value)
2631
2327
2632
2328
return True
2633
2329
2634
2330
2635
2331
def rfc3339_duration_to_delta(duration):
2636
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2637
2333
2638
2334
>>> rfc3339_duration_to_delta("P7D")
2639
2335
datetime.timedelta(7)
2640
2336
>>> rfc3339_duration_to_delta("PT60S")
2650
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2651
2347
datetime.timedelta(1, 200)
2652
2348
"""
2653
2349
2654
2350
# Parsing an RFC 3339 duration with regular expressions is not
2655
2351
# possible - there would have to be multiple places for the same
2656
2352
# values, like seconds. The current code, while more esoteric, is
2657
2353
# cleaner without depending on a parsing library. If Python had a
2658
2354
# built-in library for parsing we would use it, but we'd like to
2659
2355
# avoid excessive use of external libraries.
2660
2356
2661
2357
# New type for defining tokens, syntax, and semantics all-in-one
2662
2358
Token = collections.namedtuple("Token", (
2663
2359
"regexp", # To match token; if "value" is not None, must have
2696
2392
frozenset((token_year, token_month,
2697
2393
token_day, token_time,
2698
2394
token_week)))
2699
# Define starting values:
2700
# Value so far
2701
value = datetime.timedelta()
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2702
2397
found_token = None
2703
# Following valid tokens
2704
followers = frozenset((token_duration, ))
2705
# String left to parse
2706
s = duration
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2707
2400
# Loop until end token is found
2708
2401
while found_token is not token_end:
2709
2402
# Search for any currently valid tokens
2733
2426
2734
2427
def string_to_delta(interval):
2735
2428
"""Parse a string and return a datetime.timedelta
2736
2429
2737
2430
>>> string_to_delta('7d')
2738
2431
datetime.timedelta(7)
2739
2432
>>> string_to_delta('60s')
2747
2440
>>> string_to_delta('5m 30s')
2748
2441
datetime.timedelta(0, 330)
2749
2442
"""
2750
2443
2751
2444
try:
2752
2445
return rfc3339_duration_to_delta(interval)
2753
2446
except ValueError:
2754
2447
pass
2755
2448
2756
2449
timevalue = datetime.timedelta(0)
2757
2450
for s in interval.split():
2758
2451
try:
2776
2469
return timevalue
2777
2470
2778
2471
2779
def daemon(nochdir=False, noclose=False):
2472
def daemon(nochdir = False, noclose = False):
2780
2473
"""See daemon(3). Standard BSD Unix function.
2781
2474
2782
2475
This should really exist as os.daemon, but it doesn't (yet)."""
2783
2476
if os.fork():
2784
2477
sys.exit()
2802
2495
2803
2496
2804
2497
def main():
2805
2498
2806
2499
##################################################################
2807
2500
# Parsing of options, both command line and config file
2808
2501
2809
2502
parser = argparse.ArgumentParser()
2810
2503
parser.add_argument("-v", "--version", action="version",
2811
version="%(prog)s {}".format(version),
2504
version = "%(prog)s {}".format(version),
2812
2505
help="show version number and exit")
2813
2506
parser.add_argument("-i", "--interface", metavar="IF",
2814
2507
help="Bind to interface IF")
2850
2543
parser.add_argument("--no-zeroconf", action="store_false",
2851
2544
dest="zeroconf", help="Do not use Zeroconf",
2852
2545
default=None)
2853
2546
2854
2547
options = parser.parse_args()
2855
2548
2856
2549
if options.check:
2857
2550
import doctest
2858
2551
fail_count, test_count = doctest.testmod()
2859
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2553
2861
2554
# Default values for config file for server-global settings
2862
server_defaults = {"interface": "",
2863
"address": "",
2864
"port": "",
2865
"debug": "False",
2866
"priority":
2867
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
":+SIGN-DSA-SHA256",
2869
"servicename": "Mandos",
2870
"use_dbus": "True",
2871
"use_ipv6": "True",
2872
"debuglevel": "",
2873
"restore": "True",
2874
"socket": "",
2875
"statedir": "/var/lib/mandos",
2876
"foreground": "False",
2877
"zeroconf": "True",
2878
}
2879
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2880
2573
# Parse config file for server-global settings
2881
2574
server_config = configparser.SafeConfigParser(server_defaults)
2882
2575
del server_defaults
2884
2577
# Convert the SafeConfigParser object to a dict
2885
2578
server_settings = server_config.defaults()
2886
2579
# Use the appropriate methods on the non-string config options
2887
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2888
"foreground", "zeroconf"):
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2889
2581
server_settings[option] = server_config.getboolean("DEFAULT",
2890
2582
option)
2891
2583
if server_settings["port"]:
2901
2593
server_settings["socket"] = os.dup(server_settings
2902
2594
["socket"])
2903
2595
del server_config
2904
2596
2905
2597
# Override the settings from the config file with command line
2906
2598
# options, if set.
2907
2599
for option in ("interface", "address", "port", "debug",
2925
2617
if server_settings["debug"]:
2926
2618
server_settings["foreground"] = True
2927
2619
# Now we have our good server settings in "server_settings"
2928
2620
2929
2621
##################################################################
2930
2622
2931
2623
if (not server_settings["zeroconf"]
2932
2624
and not (server_settings["port"]
2933
2625
or server_settings["socket"] != "")):
2934
2626
parser.error("Needs port or socket to work without Zeroconf")
2935
2627
2936
2628
# For convenience
2937
2629
debug = server_settings["debug"]
2938
2630
debuglevel = server_settings["debuglevel"]
2942
2634
stored_state_file)
2943
2635
foreground = server_settings["foreground"]
2944
2636
zeroconf = server_settings["zeroconf"]
2945
2637
2946
2638
if debug:
2947
2639
initlogger(debug, logging.DEBUG)
2948
2640
else:
2951
2643
else:
2952
2644
level = getattr(logging, debuglevel.upper())
2953
2645
initlogger(debug, level)
2954
2646
2955
2647
if server_settings["servicename"] != "Mandos":
2956
2648
syslogger.setFormatter(
2957
2649
logging.Formatter('Mandos ({}) [%(process)d]:'
2958
2650
' %(levelname)s: %(message)s'.format(
2959
2651
server_settings["servicename"])))
2960
2652
2961
2653
# Parse config file with clients
2962
2654
client_config = configparser.SafeConfigParser(Client
2963
2655
.client_defaults)
2964
2656
client_config.read(os.path.join(server_settings["configdir"],
2965
2657
"clients.conf"))
2966
2658
2967
2659
global mandos_dbus_service
2968
2660
mandos_dbus_service = None
2969
2661
2970
2662
socketfd = None
2971
2663
if server_settings["socket"] != "":
2972
2664
socketfd = server_settings["socket"]
2988
2680
except IOError as e:
2989
2681
logger.error("Could not open file %r", pidfilename,
2990
2682
exc_info=e)
2991
2992
for name, group in (("_mandos", "_mandos"),
2993
("mandos", "mandos"),
2994
("nobody", "nogroup")):
2683
2684
for name in ("_mandos", "mandos", "nobody"):
2995
2685
try:
2996
2686
uid = pwd.getpwnam(name).pw_uid
2997
gid = pwd.getpwnam(group).pw_gid
2687
gid = pwd.getpwnam(name).pw_gid
2998
2688
break
2999
2689
except KeyError:
3000
2690
continue
3004
2694
try:
3005
2695
os.setgid(gid)
3006
2696
os.setuid(uid)
3007
if debug:
3008
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3009
gid))
3010
2697
except OSError as error:
3011
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3012
.format(uid, gid, os.strerror(error.errno)))
3013
2698
if error.errno != errno.EPERM:
3014
2699
raise
3015
2700
3016
2701
if debug:
3017
2702
# Enable all possible GnuTLS debugging
3018
2703
3019
2704
# "Use a log level over 10 to enable all debugging options."
3020
2705
# - GnuTLS manual
3021
gnutls.global_set_log_level(11)
3022
3023
@gnutls.log_func
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3024
2709
def debug_gnutls(level, string):
3025
2710
logger.debug("GnuTLS: %s", string[:-1])
3026
3027
gnutls.global_set_log_function(debug_gnutls)
3028
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3029
2715
# Redirect stdin so all checkers get /dev/null
3030
2716
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3031
2717
os.dup2(null, sys.stdin.fileno())
3032
2718
if null > 2:
3033
2719
os.close(null)
3034
2720
3035
2721
# Need to fork before connecting to D-Bus
3036
2722
if not foreground:
3037
2723
# Close all input and output, do double fork, etc.
3038
2724
daemon()
3039
3040
# multiprocessing will use threads, so before we use GLib we need
3041
# to inform GLib that threads will be used.
3042
GLib.threads_init()
3043
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3044
2730
global main_loop
3045
2731
# From the Avahi example code
3046
2732
DBusGMainLoop(set_as_default=True)
3047
main_loop = GLib.MainLoop()
2733
main_loop = gobject.MainLoop()
3048
2734
bus = dbus.SystemBus()
3049
2735
# End of Avahi example code
3050
2736
if use_dbus:
3063
2749
if zeroconf:
3064
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3065
2751
service = AvahiServiceToSyslog(
3066
name=server_settings["servicename"],
3067
servicetype="_mandos._tcp",
3068
protocol=protocol,
3069
bus=bus)
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3070
2756
if server_settings["interface"]:
3071
2757
service.interface = if_nametoindex(
3072
2758
server_settings["interface"].encode("utf-8"))
3073
2759
3074
2760
global multiprocessing_manager
3075
2761
multiprocessing_manager = multiprocessing.Manager()
3076
2762
3077
2763
client_class = Client
3078
2764
if use_dbus:
3079
client_class = functools.partial(ClientDBus, bus=bus)
3080
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3081
2767
client_settings = Client.config_parser(client_config)
3082
2768
old_client_settings = {}
3083
2769
clients_data = {}
3084
2770
3085
2771
# This is used to redirect stdout and stderr for checker processes
3086
2772
global wnull
3087
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3088
2774
# Only used if server is running in foreground but not in debug
3089
2775
# mode
3090
2776
if debug or not foreground:
3091
2777
wnull.close()
3092
2778
3093
2779
# Get client data and settings from last running state.
3094
2780
if server_settings["restore"]:
3095
2781
try:
3096
2782
with open(stored_state_path, "rb") as stored_state:
3097
if sys.version_info.major == 2:
3098
clients_data, old_client_settings = pickle.load(
3099
stored_state)
3100
else:
3101
bytes_clients_data, bytes_old_client_settings = (
3102
pickle.load(stored_state, encoding="bytes"))
3103
# Fix bytes to strings
3104
# clients_data
3105
# .keys()
3106
clients_data = {(key.decode("utf-8")
3107
if isinstance(key, bytes)
3108
else key): value
3109
for key, value in
3110
bytes_clients_data.items()}
3111
del bytes_clients_data
3112
for key in clients_data:
3113
value = {(k.decode("utf-8")
3114
if isinstance(k, bytes) else k): v
3115
for k, v in
3116
clients_data[key].items()}
3117
clients_data[key] = value
3118
# .client_structure
3119
value["client_structure"] = [
3120
(s.decode("utf-8")
3121
if isinstance(s, bytes)
3122
else s) for s in
3123
value["client_structure"]]
3124
# .name & .host
3125
for k in ("name", "host"):
3126
if isinstance(value[k], bytes):
3127
value[k] = value[k].decode("utf-8")
3128
# old_client_settings
3129
# .keys()
3130
old_client_settings = {
3131
(key.decode("utf-8")
3132
if isinstance(key, bytes)
3133
else key): value
3134
for key, value in
3135
bytes_old_client_settings.items()}
3136
del bytes_old_client_settings
3137
# .host
3138
for value in old_client_settings.values():
3139
if isinstance(value["host"], bytes):
3140
value["host"] = (value["host"]
3141
.decode("utf-8"))
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3142
2785
os.remove(stored_state_path)
3143
2786
except IOError as e:
3144
2787
if e.errno == errno.ENOENT:
3152
2795
logger.warning("Could not load persistent state: "
3153
2796
"EOFError:",
3154
2797
exc_info=e)
3155
2798
3156
2799
with PGPEngine() as pgp:
3157
2800
for client_name, client in clients_data.items():
3158
2801
# Skip removed clients
3159
2802
if client_name not in client_settings:
3160
2803
continue
3161
2804
3162
2805
# Decide which value to use after restoring saved state.
3163
2806
# We have three different values: Old config file,
3164
2807
# new config file, and saved state.
3175
2818
client[name] = value
3176
2819
except KeyError:
3177
2820
pass
3178
2821
3179
2822
# Clients who has passed its expire date can still be
3180
2823
# enabled if its last checker was successful. A Client
3181
2824
# whose checker succeeded before we stored its state is
3214
2857
client_name))
3215
2858
client["secret"] = (client_settings[client_name]
3216
2859
["secret"])
3217
2860
3218
2861
# Add/remove clients based on new changes made to config
3219
2862
for client_name in (set(old_client_settings)
3220
2863
- set(client_settings)):
3222
2865
for client_name in (set(client_settings)
3223
2866
- set(old_client_settings)):
3224
2867
clients_data[client_name] = client_settings[client_name]
3225
2868
3226
2869
# Create all client objects
3227
2870
for client_name, client in clients_data.items():
3228
2871
tcp_server.clients[client_name] = client_class(
3229
name=client_name,
3230
settings=client,
3231
server_settings=server_settings)
3232
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3233
2876
if not tcp_server.clients:
3234
2877
logger.warning("No clients defined")
3235
2878
3236
2879
if not foreground:
3237
2880
if pidfile is not None:
3238
2881
pid = os.getpid()
3244
2887
pidfilename, pid)
3245
2888
del pidfile
3246
2889
del pidfilename
3247
3248
for termsig in (signal.SIGHUP, signal.SIGTERM):
3249
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3250
lambda: main_loop.quit() and False)
3251
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3252
2894
if use_dbus:
3253
2895
3254
2896
@alternate_dbus_interfaces(
3255
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3256
2898
class MandosDBusService(DBusObjectWithObjectManager):
3257
2899
"""A D-Bus proxy object"""
3258
2900
3259
2901
def __init__(self):
3260
2902
dbus.service.Object.__init__(self, bus, "/")
3261
2903
3262
2904
_interface = "se.recompile.Mandos"
3263
2905
3264
2906
@dbus.service.signal(_interface, signature="o")
3265
2907
def ClientAdded(self, objpath):
3266
2908
"D-Bus signal"
3267
2909
pass
3268
2910
3269
2911
@dbus.service.signal(_interface, signature="ss")
3270
2912
def ClientNotFound(self, fingerprint, address):
3271
2913
"D-Bus signal"
3272
2914
pass
3273
2915
3274
2916
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3275
2917
"true"})
3276
2918
@dbus.service.signal(_interface, signature="os")
3277
2919
def ClientRemoved(self, objpath, name):
3278
2920
"D-Bus signal"
3279
2921
pass
3280
2922
3281
2923
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3282
2924
"true"})
3283
2925
@dbus.service.method(_interface, out_signature="ao")
3284
2926
def GetAllClients(self):
3285
2927
"D-Bus method"
3286
2928
return dbus.Array(c.dbus_object_path for c in
3287
tcp_server.clients.values())
3288
2929
tcp_server.clients.itervalues())
2930
3289
2931
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3290
2932
"true"})
3291
2933
@dbus.service.method(_interface,
3293
2935
def GetAllClientsWithProperties(self):
3294
2936
"D-Bus method"
3295
2937
return dbus.Dictionary(
3296
{c.dbus_object_path: c.GetAll(
2938
{ c.dbus_object_path: c.GetAll(
3297
2939
"se.recompile.Mandos.Client")
3298
for c in tcp_server.clients.values()},
2940
for c in tcp_server.clients.itervalues() },
3299
2941
signature="oa{sv}")
3300
2942
3301
2943
@dbus.service.method(_interface, in_signature="o")
3302
2944
def RemoveClient(self, object_path):
3303
2945
"D-Bus method"
3304
for c in tcp_server.clients.values():
2946
for c in tcp_server.clients.itervalues():
3305
2947
if c.dbus_object_path == object_path:
3306
2948
del tcp_server.clients[c.name]
3307
2949
c.remove_from_connection()
3311
2953
self.client_removed_signal(c)
3312
2954
return
3313
2955
raise KeyError(object_path)
3314
2956
3315
2957
del _interface
3316
2958
3317
2959
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3318
out_signature="a{oa{sa{sv}}}")
2960
out_signature = "a{oa{sa{sv}}}")
3319
2961
def GetManagedObjects(self):
3320
2962
"""D-Bus method"""
3321
2963
return dbus.Dictionary(
3322
{client.dbus_object_path:
3323
dbus.Dictionary(
3324
{interface: client.GetAll(interface)
3325
for interface in
3326
client._get_all_interface_names()})
3327
for client in tcp_server.clients.values()})
3328
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3329
2971
def client_added_signal(self, client):
3330
2972
"""Send the new standard signal and the old signal"""
3331
2973
if use_dbus:
3333
2975
self.InterfacesAdded(
3334
2976
client.dbus_object_path,
3335
2977
dbus.Dictionary(
3336
{interface: client.GetAll(interface)
3337
for interface in
3338
client._get_all_interface_names()}))
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3339
2981
# Old signal
3340
2982
self.ClientAdded(client.dbus_object_path)
3341
2983
3342
2984
def client_removed_signal(self, client):
3343
2985
"""Send the new standard signal and the old signal"""
3344
2986
if use_dbus:
3349
2991
# Old signal
3350
2992
self.ClientRemoved(client.dbus_object_path,
3351
2993
client.name)
3352
2994
3353
2995
mandos_dbus_service = MandosDBusService()
3354
3355
# Save modules to variables to exempt the modules from being
3356
# unloaded before the function registered with atexit() is run.
3357
mp = multiprocessing
3358
wn = wnull
3359
2996
3360
2997
def cleanup():
3361
2998
"Cleanup function; run on exit"
3362
2999
if zeroconf:
3363
3000
service.cleanup()
3364
3365
mp.active_children()
3366
wn.close()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3367
3004
if not (tcp_server.clients or client_settings):
3368
3005
return
3369
3006
3370
3007
# Store client before exiting. Secrets are encrypted with key
3371
3008
# based on what config file has. If config file is
3372
3009
# removed/edited, old secret will thus be unrecovable.
3373
3010
clients = {}
3374
3011
with PGPEngine() as pgp:
3375
for client in tcp_server.clients.values():
3012
for client in tcp_server.clients.itervalues():
3376
3013
key = client_settings[client.name]["secret"]
3377
3014
client.encrypted_secret = pgp.encrypt(client.secret,
3378
3015
key)
3379
3016
client_dict = {}
3380
3017
3381
3018
# A list of attributes that can not be pickled
3382
3019
# + secret.
3383
exclude = {"bus", "changedstate", "secret",
3384
"checker", "server_settings"}
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3385
3022
for name, typ in inspect.getmembers(dbus.service
3386
3023
.Object):
3387
3024
exclude.add(name)
3388
3025
3389
3026
client_dict["encrypted_secret"] = (client
3390
3027
.encrypted_secret)
3391
3028
for attr in client.client_structure:
3392
3029
if attr not in exclude:
3393
3030
client_dict[attr] = getattr(client, attr)
3394
3031
3395
3032
clients[client.name] = client_dict
3396
3033
del client_settings[client.name]["secret"]
3397
3034
3398
3035
try:
3399
3036
with tempfile.NamedTemporaryFile(
3400
3037
mode='wb',
3402
3039
prefix='clients-',
3403
3040
dir=os.path.dirname(stored_state_path),
3404
3041
delete=False) as stored_state:
3405
pickle.dump((clients, client_settings), stored_state,
3406
protocol=2)
3042
pickle.dump((clients, client_settings), stored_state)
3407
3043
tempname = stored_state.name
3408
3044
os.rename(tempname, stored_state_path)
3409
3045
except (IOError, OSError) as e:
3419
3055
logger.warning("Could not save persistent state:",
3420
3056
exc_info=e)
3421
3057
raise
3422
3058
3423
3059
# Delete all clients, and settings from config
3424
3060
while tcp_server.clients:
3425
3061
name, client = tcp_server.clients.popitem()
3428
3064
# Don't signal the disabling
3429
3065
client.disable(quiet=True)
3430
3066
# Emit D-Bus signal for removal
3431
if use_dbus:
3432
mandos_dbus_service.client_removed_signal(client)
3067
mandos_dbus_service.client_removed_signal(client)
3433
3068
client_settings.clear()
3434
3069
3435
3070
atexit.register(cleanup)
3436
3437
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3438
3073
if use_dbus:
3439
3074
# Emit D-Bus signal for adding
3440
3075
mandos_dbus_service.client_added_signal(client)
3441
3076
# Need to initiate checking of clients
3442
3077
if client.enabled:
3443
3078
client.init_checker()
3444
3079
3445
3080
tcp_server.enable()
3446
3081
tcp_server.server_activate()
3447
3082
3448
3083
# Find out what port we got
3449
3084
if zeroconf:
3450
3085
service.port = tcp_server.socket.getsockname()[1]
3455
3090
else: # IPv4
3456
3091
logger.info("Now listening on address %r, port %d",
3457
3092
*tcp_server.socket.getsockname())
3458
3459
# service.interface = tcp_server.socket.getsockname()[3]
3460
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3461
3096
try:
3462
3097
if zeroconf:
3463
3098
# From the Avahi example code
3468
3103
cleanup()
3469
3104
sys.exit(1)
3470
3105
# End of Avahi example code
3471
3472
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3473
lambda *args, **kwargs:
3474
(tcp_server.handle_request
3475
(*args[2:], **kwargs) or True))
3476
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3477
3112
logger.debug("Starting main loop")
3478
3113
main_loop.run()
3479
3114
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0