To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.335
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.335
- Committer: Teddy Hogeborn
- Date: 2015-08-10 16:19:28 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810161928-bnukog7l47j3pjix
Depend on Avahi and the network in the server's systemd service file.
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- files modified:
- DBUS-API
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
80
82
81
83
import dbus
82
84
import dbus.service
83
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
84
90
from dbus.mainloop.glib import DBusGMainLoop
85
91
import ctypes
86
92
import ctypes.util
87
93
import xml.dom.minidom
88
94
import inspect
89
95
90
# Try to find the value of SO_BINDTODEVICE:
91
96
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
98
except AttributeError:
96
99
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
100
from IN import SO_BINDTODEVICE
100
101
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
114
103
115
104
if sys.version_info.major == 2:
116
105
str = unicode
117
106
118
version = "1.8.1"
107
version = "1.6.9"
119
108
stored_state_file = "clients.pickle"
120
109
121
110
logger = logging.getLogger()
125
114
if_nametoindex = ctypes.cdll.LoadLibrary(
126
115
ctypes.util.find_library("c")).if_nametoindex
127
116
except (OSError, AttributeError):
128
117
129
118
def if_nametoindex(interface):
130
119
"Get an interface index the hard way, i.e. using fcntl()"
131
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
125
return interface_index
137
126
138
127
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
155
128
def initlogger(debug, level=logging.WARNING):
156
129
"""init logger and add loglevel"""
157
130
158
131
global syslogger
159
132
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
162
135
syslogger.setFormatter(logging.Formatter
163
136
('Mandos [%(process)d]: %(levelname)s:'
164
137
' %(message)s'))
165
138
logger.addHandler(syslogger)
166
139
167
140
if debug:
168
141
console = logging.StreamHandler()
169
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
154
182
155
class PGPEngine(object):
183
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
157
185
158
def __init__(self):
186
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
198
160
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
161
'--home', self.tempdir,
200
162
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
163
'--quiet',
164
'--no-use-agent']
165
206
166
def __enter__(self):
207
167
return self
208
168
209
169
def __exit__(self, exc_type, exc_value, traceback):
210
170
self._cleanup()
211
171
return False
212
172
213
173
def __del__(self):
214
174
self._cleanup()
215
175
216
176
def _cleanup(self):
217
177
if self.tempdir is not None:
218
178
# Delete contents of tempdir
219
179
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
180
topdown = False):
221
181
for filename in files:
222
182
os.remove(os.path.join(root, filename))
223
183
for dirname in dirs:
225
185
# Remove tempdir
226
186
os.rmdir(self.tempdir)
227
187
self.tempdir = None
228
188
229
189
def password_encode(self, password):
230
190
# Passphrase can not be empty and can not contain newlines or
231
191
# NUL bytes. So we prefix it and hex encode it.
236
196
.replace(b"\n", b"\\n")
237
197
.replace(b"\0", b"\\x00"))
238
198
return encoded
239
199
240
200
def encrypt(self, data, password):
241
201
passphrase = self.password_encode(password)
242
202
with tempfile.NamedTemporaryFile(
243
203
dir=self.tempdir) as passfile:
244
204
passfile.write(passphrase)
245
205
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
247
207
'--passphrase-file',
248
208
passfile.name]
249
209
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
254
214
if proc.returncode != 0:
255
215
raise PGPError(err)
256
216
return ciphertext
257
217
258
218
def decrypt(self, data, password):
259
219
passphrase = self.password_encode(password)
260
220
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
262
222
passfile.write(passphrase)
263
223
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
265
225
'--passphrase-file',
266
226
passfile.name]
267
227
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
272
232
if proc.returncode != 0:
273
233
raise PGPError(err)
274
234
return decrypted_plaintext
275
235
276
236
277
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
289
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
303
304
237
class AvahiError(Exception):
305
238
def __init__(self, value, *args, **kwargs):
306
239
self.value = value
318
251
319
252
class AvahiService(object):
320
253
"""An Avahi (Zeroconf) service.
321
254
322
255
Attributes:
323
256
interface: integer; avahi.IF_UNSPEC or an interface index.
324
257
Used to optionally bind to the specified interface.
336
269
server: D-Bus Server
337
270
bus: dbus.SystemBus()
338
271
"""
339
272
340
273
def __init__(self,
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
351
284
self.interface = interface
352
285
self.name = name
353
286
self.type = servicetype
362
295
self.server = None
363
296
self.bus = bus
364
297
self.entry_group_state_changed_match = None
365
298
366
299
def rename(self, remove=True):
367
300
"""Derived from the Avahi example code"""
368
301
if self.rename_count >= self.max_renames:
388
321
logger.critical("D-Bus Exception", exc_info=error)
389
322
self.cleanup()
390
323
os._exit(1)
391
324
392
325
def remove(self):
393
326
"""Derived from the Avahi example code"""
394
327
if self.entry_group_state_changed_match is not None:
396
329
self.entry_group_state_changed_match = None
397
330
if self.group is not None:
398
331
self.group.Reset()
399
332
400
333
def add(self):
401
334
"""Derived from the Avahi example code"""
402
335
self.remove()
419
352
dbus.UInt16(self.port),
420
353
avahi.string_array_to_txt_array(self.TXT))
421
354
self.group.Commit()
422
355
423
356
def entry_group_state_changed(self, state, error):
424
357
"""Derived from the Avahi example code"""
425
358
logger.debug("Avahi entry group state change: %i", state)
426
359
427
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
361
logger.debug("Zeroconf service established.")
429
362
elif state == avahi.ENTRY_GROUP_COLLISION:
433
366
logger.critical("Avahi: Error in group state changed %s",
434
367
str(error))
435
368
raise AvahiGroupError("State changed: {!s}".format(error))
436
369
437
370
def cleanup(self):
438
371
"""Derived from the Avahi example code"""
439
372
if self.group is not None:
444
377
pass
445
378
self.group = None
446
379
self.remove()
447
380
448
381
def server_state_changed(self, state, error=None):
449
382
"""Derived from the Avahi example code"""
450
383
logger.debug("Avahi server state change: %i", state)
479
412
logger.debug("Unknown state: %r", state)
480
413
else:
481
414
logger.debug("Unknown state: %r: %r", state, error)
482
415
483
416
def activate(self):
484
417
"""Derived from the Avahi example code"""
485
418
if self.server is None:
496
429
class AvahiServiceToSyslog(AvahiService):
497
430
def rename(self, *args, **kwargs):
498
431
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
500
433
syslogger.setFormatter(logging.Formatter(
501
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
435
.format(self.name)))
503
436
return ret
504
437
505
506
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
510
511
library = ctypes.util.find_library("gnutls")
512
if library is None:
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
515
del library
516
_need_version = b"3.3.0"
517
_tls_rawpk_version = b"3.6.6"
518
519
def __init__(self):
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
525
526
# Unless otherwise indicated, the constants and types below are
527
# all from the gnutls/gnutls.h C header file.
528
529
# Constants
530
E_SUCCESS = 0
531
E_INTERRUPTED = -52
532
E_AGAIN = -28
533
CRT_OPENPGP = 2
534
CRT_RAWPK = 3
535
CLIENT = 2
536
SHUT_RDWR = 0
537
CRD_CERTIFICATE = 1
538
E_NO_CERTIFICATE_FOUND = -49
539
X509_FMT_DER = 0
540
NO_TICKETS = 1<<10
541
ENABLE_RAWPK = 1<<18
542
CTYPE_PEERS = 3
543
KEYID_USE_SHA256 = 1 # gnutls/x509.h
544
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
545
546
# Types
547
class session_int(ctypes.Structure):
548
_fields_ = []
549
session_t = ctypes.POINTER(session_int)
550
551
class certificate_credentials_st(ctypes.Structure):
552
_fields_ = []
553
certificate_credentials_t = ctypes.POINTER(
554
certificate_credentials_st)
555
certificate_type_t = ctypes.c_int
556
557
class datum_t(ctypes.Structure):
558
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
559
('size', ctypes.c_uint)]
560
561
class openpgp_crt_int(ctypes.Structure):
562
_fields_ = []
563
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
564
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
565
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
566
credentials_type_t = ctypes.c_int
567
transport_ptr_t = ctypes.c_void_p
568
close_request_t = ctypes.c_int
569
570
# Exceptions
571
class Error(Exception):
572
# We need to use the class name "GnuTLS" here, since this
573
# exception might be raised from within GnuTLS.__init__,
574
# which is called before the assignment to the "gnutls"
575
# global variable has happened.
576
def __init__(self, message=None, code=None, args=()):
577
# Default usage is by a message string, but if a return
578
# code is passed, convert it to a string with
579
# gnutls.strerror()
580
self.code = code
581
if message is None and code is not None:
582
message = GnuTLS.strerror(code)
583
return super(GnuTLS.Error, self).__init__(
584
message, *args)
585
586
class CertificateSecurityError(Error):
587
pass
588
589
# Classes
590
class Credentials(object):
591
def __init__(self):
592
self._c_object = gnutls.certificate_credentials_t()
593
gnutls.certificate_allocate_credentials(
594
ctypes.byref(self._c_object))
595
self.type = gnutls.CRD_CERTIFICATE
596
597
def __del__(self):
598
gnutls.certificate_free_credentials(self._c_object)
599
600
class ClientSession(object):
601
def __init__(self, socket, credentials=None):
602
self._c_object = gnutls.session_t()
603
gnutls_flags = gnutls.CLIENT
604
if gnutls.check_version("3.5.6"):
605
gnutls_flags |= gnutls.NO_TICKETS
606
if gnutls.has_rawpk:
607
gnutls_flags |= gnutls.ENABLE_RAWPK
608
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
609
del gnutls_flags
610
gnutls.set_default_priority(self._c_object)
611
gnutls.transport_set_ptr(self._c_object, socket.fileno())
612
gnutls.handshake_set_private_extensions(self._c_object,
613
True)
614
self.socket = socket
615
if credentials is None:
616
credentials = gnutls.Credentials()
617
gnutls.credentials_set(self._c_object, credentials.type,
618
ctypes.cast(credentials._c_object,
619
ctypes.c_void_p))
620
self.credentials = credentials
621
622
def __del__(self):
623
gnutls.deinit(self._c_object)
624
625
def handshake(self):
626
return gnutls.handshake(self._c_object)
627
628
def send(self, data):
629
data = bytes(data)
630
data_len = len(data)
631
while data_len > 0:
632
data_len -= gnutls.record_send(self._c_object,
633
data[-data_len:],
634
data_len)
635
636
def bye(self):
637
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
638
639
# Error handling functions
640
def _error_code(result):
641
"""A function to raise exceptions on errors, suitable
642
for the 'restype' attribute on ctypes functions"""
643
if result >= 0:
644
return result
645
if result == gnutls.E_NO_CERTIFICATE_FOUND:
646
raise gnutls.CertificateSecurityError(code=result)
647
raise gnutls.Error(code=result)
648
649
def _retry_on_error(result, func, arguments):
650
"""A function to retry on some errors, suitable
651
for the 'errcheck' attribute on ctypes functions"""
652
while result < 0:
653
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
654
return _error_code(result)
655
result = func(*arguments)
656
return result
657
658
# Unless otherwise indicated, the function declarations below are
659
# all from the gnutls/gnutls.h C header file.
660
661
# Functions
662
priority_set_direct = _library.gnutls_priority_set_direct
663
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
664
ctypes.POINTER(ctypes.c_char_p)]
665
priority_set_direct.restype = _error_code
666
667
init = _library.gnutls_init
668
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
669
init.restype = _error_code
670
671
set_default_priority = _library.gnutls_set_default_priority
672
set_default_priority.argtypes = [session_t]
673
set_default_priority.restype = _error_code
674
675
record_send = _library.gnutls_record_send
676
record_send.argtypes = [session_t, ctypes.c_void_p,
677
ctypes.c_size_t]
678
record_send.restype = ctypes.c_ssize_t
679
record_send.errcheck = _retry_on_error
680
681
certificate_allocate_credentials = (
682
_library.gnutls_certificate_allocate_credentials)
683
certificate_allocate_credentials.argtypes = [
684
ctypes.POINTER(certificate_credentials_t)]
685
certificate_allocate_credentials.restype = _error_code
686
687
certificate_free_credentials = (
688
_library.gnutls_certificate_free_credentials)
689
certificate_free_credentials.argtypes = [
690
certificate_credentials_t]
691
certificate_free_credentials.restype = None
692
693
handshake_set_private_extensions = (
694
_library.gnutls_handshake_set_private_extensions)
695
handshake_set_private_extensions.argtypes = [session_t,
696
ctypes.c_int]
697
handshake_set_private_extensions.restype = None
698
699
credentials_set = _library.gnutls_credentials_set
700
credentials_set.argtypes = [session_t, credentials_type_t,
701
ctypes.c_void_p]
702
credentials_set.restype = _error_code
703
704
strerror = _library.gnutls_strerror
705
strerror.argtypes = [ctypes.c_int]
706
strerror.restype = ctypes.c_char_p
707
708
certificate_type_get = _library.gnutls_certificate_type_get
709
certificate_type_get.argtypes = [session_t]
710
certificate_type_get.restype = _error_code
711
712
certificate_get_peers = _library.gnutls_certificate_get_peers
713
certificate_get_peers.argtypes = [session_t,
714
ctypes.POINTER(ctypes.c_uint)]
715
certificate_get_peers.restype = ctypes.POINTER(datum_t)
716
717
global_set_log_level = _library.gnutls_global_set_log_level
718
global_set_log_level.argtypes = [ctypes.c_int]
719
global_set_log_level.restype = None
720
721
global_set_log_function = _library.gnutls_global_set_log_function
722
global_set_log_function.argtypes = [log_func]
723
global_set_log_function.restype = None
724
725
deinit = _library.gnutls_deinit
726
deinit.argtypes = [session_t]
727
deinit.restype = None
728
729
handshake = _library.gnutls_handshake
730
handshake.argtypes = [session_t]
731
handshake.restype = _error_code
732
handshake.errcheck = _retry_on_error
733
734
transport_set_ptr = _library.gnutls_transport_set_ptr
735
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
736
transport_set_ptr.restype = None
737
738
bye = _library.gnutls_bye
739
bye.argtypes = [session_t, close_request_t]
740
bye.restype = _error_code
741
bye.errcheck = _retry_on_error
742
743
check_version = _library.gnutls_check_version
744
check_version.argtypes = [ctypes.c_char_p]
745
check_version.restype = ctypes.c_char_p
746
747
has_rawpk = bool(check_version(_tls_rawpk_version))
748
749
if has_rawpk:
750
# Types
751
class pubkey_st(ctypes.Structure):
752
_fields = []
753
pubkey_t = ctypes.POINTER(pubkey_st)
754
755
x509_crt_fmt_t = ctypes.c_int
756
757
# All the function declarations below are from gnutls/abstract.h
758
pubkey_init = _library.gnutls_pubkey_init
759
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
760
pubkey_init.restype = _error_code
761
762
pubkey_import = _library.gnutls_pubkey_import
763
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
764
x509_crt_fmt_t]
765
pubkey_import.restype = _error_code
766
767
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
768
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
769
ctypes.POINTER(ctypes.c_ubyte),
770
ctypes.POINTER(ctypes.c_size_t)]
771
pubkey_get_key_id.restype = _error_code
772
773
pubkey_deinit = _library.gnutls_pubkey_deinit
774
pubkey_deinit.argtypes = [pubkey_t]
775
pubkey_deinit.restype = None
776
else:
777
# All the function declarations below are from gnutls/openpgp.h
778
779
openpgp_crt_init = _library.gnutls_openpgp_crt_init
780
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
781
openpgp_crt_init.restype = _error_code
782
783
openpgp_crt_import = _library.gnutls_openpgp_crt_import
784
openpgp_crt_import.argtypes = [openpgp_crt_t,
785
ctypes.POINTER(datum_t),
786
openpgp_crt_fmt_t]
787
openpgp_crt_import.restype = _error_code
788
789
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
790
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
791
ctypes.POINTER(ctypes.c_uint)]
792
openpgp_crt_verify_self.restype = _error_code
793
794
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
795
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
796
openpgp_crt_deinit.restype = None
797
798
openpgp_crt_get_fingerprint = (
799
_library.gnutls_openpgp_crt_get_fingerprint)
800
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
801
ctypes.c_void_p,
802
ctypes.POINTER(
803
ctypes.c_size_t)]
804
openpgp_crt_get_fingerprint.restype = _error_code
805
806
if check_version("3.6.4"):
807
certificate_type_get2 = _library.gnutls_certificate_type_get2
808
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
809
certificate_type_get2.restype = _error_code
810
811
# Remove non-public functions
812
del _error_code, _retry_on_error
813
# Create the global "gnutls" object, simulating a module
814
gnutls = GnuTLS()
815
816
817
438
def call_pipe(connection, # : multiprocessing.Connection
818
439
func, *args, **kwargs):
819
440
"""This function is meant to be called by multiprocessing.Process
820
441
821
442
This function runs func(*args, **kwargs), and writes the resulting
822
443
return value on the provided multiprocessing.Connection.
823
444
"""
824
445
connection.send(func(*args, **kwargs))
825
446
connection.close()
826
447
827
828
448
class Client(object):
829
449
"""A representation of a client host served by this server.
830
450
831
451
Attributes:
832
452
approved: bool(); 'None' if not yet approved/disapproved
833
453
approval_delay: datetime.timedelta(); Time to wait for approval
835
455
checker: subprocess.Popen(); a running checker process used
836
456
to see if the client lives.
837
457
'None' if no process is running.
838
checker_callback_tag: a GLib event source tag, or None
458
checker_callback_tag: a gobject event source tag, or None
839
459
checker_command: string; External command which is run to check
840
460
if client lives. %() expansions are done at
841
461
runtime with vars(self) as dict, so that for
842
462
instance %(name)s can be used in the command.
843
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
844
464
created: datetime.datetime(); (UTC) object creation
845
465
client_structure: Object describing what attributes a client has
846
466
and is used for storing the client at exit
847
467
current_checker_command: string; current running checker_command
848
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
849
469
enabled: bool()
850
470
fingerprint: string (40 or 32 hexadecimal digits); used to
851
uniquely identify an OpenPGP client
852
key_id: string (64 hexadecimal digits); used to uniquely identify
853
a client using raw public keys
471
uniquely identify the client
854
472
host: string; available for use by the checker command
855
473
interval: datetime.timedelta(); How often to start a new checker
856
474
last_approval_request: datetime.datetime(); (UTC) or None
872
490
disabled, or None
873
491
server_settings: The server_settings dict from main()
874
492
"""
875
493
876
494
runtime_expansions = ("approval_delay", "approval_duration",
877
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
878
496
"fingerprint", "host", "interval",
879
497
"last_approval_request", "last_checked_ok",
880
498
"last_enabled", "name", "timeout")
889
507
"approved_by_default": "True",
890
508
"enabled": "True",
891
509
}
892
510
893
511
@staticmethod
894
512
def config_parser(config):
895
513
"""Construct a new dict of client settings of this form:
902
520
for client_name in config.sections():
903
521
section = dict(config.items(client_name))
904
522
client = settings[client_name] = {}
905
523
906
524
client["host"] = section["host"]
907
525
# Reformat values from string types to Python types
908
526
client["approved_by_default"] = config.getboolean(
909
527
client_name, "approved_by_default")
910
528
client["enabled"] = config.getboolean(client_name,
911
529
"enabled")
912
913
# Uppercase and remove spaces from key_id and fingerprint
914
# for later comparison purposes with return value from the
915
# key_id() and fingerprint() functions
916
client["key_id"] = (section.get("key_id", "").upper()
917
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
918
534
client["fingerprint"] = (section["fingerprint"].upper()
919
535
.replace(" ", ""))
920
536
if "secret" in section:
921
client["secret"] = codecs.decode(section["secret"]
922
.encode("utf-8"),
923
"base64")
537
client["secret"] = section["secret"].decode("base64")
924
538
elif "secfile" in section:
925
539
with open(os.path.expanduser(os.path.expandvars
926
540
(section["secfile"])),
941
555
client["last_approval_request"] = None
942
556
client["last_checked_ok"] = None
943
557
client["last_checker_status"] = -2
944
558
945
559
return settings
946
947
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
948
562
self.name = name
949
563
if server_settings is None:
950
564
server_settings = {}
952
566
# adding all client settings
953
567
for setting, value in settings.items():
954
568
setattr(self, setting, value)
955
569
956
570
if self.enabled:
957
571
if not hasattr(self, "last_enabled"):
958
572
self.last_enabled = datetime.datetime.utcnow()
962
576
else:
963
577
self.last_enabled = None
964
578
self.expires = None
965
579
966
580
logger.debug("Creating client %r", self.name)
967
logger.debug(" Key ID: %s", self.key_id)
968
581
logger.debug(" Fingerprint: %s", self.fingerprint)
969
582
self.created = settings.get("created",
970
583
datetime.datetime.utcnow())
971
584
972
585
# attributes specific for this server instance
973
586
self.checker = None
974
587
self.checker_initiator_tag = None
980
593
self.changedstate = multiprocessing_manager.Condition(
981
594
multiprocessing_manager.Lock())
982
595
self.client_structure = [attr
983
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
984
597
if not attr.startswith("_")]
985
598
self.client_structure.append("client_structure")
986
599
987
600
for name, t in inspect.getmembers(
988
601
type(self), lambda obj: isinstance(obj, property)):
989
602
if not name.startswith("_"):
990
603
self.client_structure.append(name)
991
604
992
605
# Send notice to process children that client state has changed
993
606
def send_changedstate(self):
994
607
with self.changedstate:
995
608
self.changedstate.notify_all()
996
609
997
610
def enable(self):
998
611
"""Start this client's checker and timeout hooks"""
999
612
if getattr(self, "enabled", False):
1004
617
self.last_enabled = datetime.datetime.utcnow()
1005
618
self.init_checker()
1006
619
self.send_changedstate()
1007
620
1008
621
def disable(self, quiet=True):
1009
622
"""Disable this client."""
1010
623
if not getattr(self, "enabled", False):
1012
625
if not quiet:
1013
626
logger.info("Disabling client %s", self.name)
1014
627
if getattr(self, "disable_initiator_tag", None) is not None:
1015
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1016
629
self.disable_initiator_tag = None
1017
630
self.expires = None
1018
631
if getattr(self, "checker_initiator_tag", None) is not None:
1019
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1020
633
self.checker_initiator_tag = None
1021
634
self.stop_checker()
1022
635
self.enabled = False
1023
636
if not quiet:
1024
637
self.send_changedstate()
1025
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1026
639
return False
1027
640
1028
641
def __del__(self):
1029
642
self.disable()
1030
643
1031
644
def init_checker(self):
1032
645
# Schedule a new checker to be started an 'interval' from now,
1033
646
# and every interval from then on.
1034
647
if self.checker_initiator_tag is not None:
1035
GLib.source_remove(self.checker_initiator_tag)
1036
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1037
650
int(self.interval.total_seconds() * 1000),
1038
651
self.start_checker)
1039
652
# Schedule a disable() when 'timeout' has passed
1040
653
if self.disable_initiator_tag is not None:
1041
GLib.source_remove(self.disable_initiator_tag)
1042
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1043
656
int(self.timeout.total_seconds() * 1000), self.disable)
1044
657
# Also start a new checker *right now*.
1045
658
self.start_checker()
1046
659
1047
660
def checker_callback(self, source, condition, connection,
1048
661
command):
1049
662
"""The checker has completed, so take appropriate actions."""
1052
665
# Read return code from connection (see call_pipe)
1053
666
returncode = connection.recv()
1054
667
connection.close()
1055
668
1056
669
if returncode >= 0:
1057
670
self.last_checker_status = returncode
1058
671
self.last_checker_signal = None
1068
681
logger.warning("Checker for %(name)s crashed?",
1069
682
vars(self))
1070
683
return False
1071
684
1072
685
def checked_ok(self):
1073
686
"""Assert that the client has been seen, alive and well."""
1074
687
self.last_checked_ok = datetime.datetime.utcnow()
1075
688
self.last_checker_status = 0
1076
689
self.last_checker_signal = None
1077
690
self.bump_timeout()
1078
691
1079
692
def bump_timeout(self, timeout=None):
1080
693
"""Bump up the timeout for this client."""
1081
694
if timeout is None:
1082
695
timeout = self.timeout
1083
696
if self.disable_initiator_tag is not None:
1084
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1085
698
self.disable_initiator_tag = None
1086
699
if getattr(self, "enabled", False):
1087
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1088
701
int(timeout.total_seconds() * 1000), self.disable)
1089
702
self.expires = datetime.datetime.utcnow() + timeout
1090
703
1091
704
def need_approval(self):
1092
705
self.last_approval_request = datetime.datetime.utcnow()
1093
706
1094
707
def start_checker(self):
1095
708
"""Start a new checker subprocess if one is not running.
1096
709
1097
710
If a checker already exists, leave it running and do
1098
711
nothing."""
1099
712
# The reason for not killing a running checker is that if we
1104
717
# checkers alone, the checker would have to take more time
1105
718
# than 'timeout' for the client to be disabled, which is as it
1106
719
# should be.
1107
720
1108
721
if self.checker is not None and not self.checker.is_alive():
1109
722
logger.warning("Checker was not alive; joining")
1110
723
self.checker.join()
1114
727
# Escape attributes for the shell
1115
728
escaped_attrs = {
1116
729
attr: re.escape(str(getattr(self, attr)))
1117
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1118
731
try:
1119
732
command = self.checker_command % escaped_attrs
1120
733
except TypeError as error:
1132
745
# The exception is when not debugging but nevertheless
1133
746
# running in the foreground; use the previously
1134
747
# created wnull.
1135
popen_args = {"close_fds": True,
1136
"shell": True,
1137
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1138
751
if (not self.server_settings["debug"]
1139
752
and self.server_settings["foreground"]):
1140
753
popen_args.update({"stdout": wnull,
1141
"stderr": wnull})
1142
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1143
756
self.checker = multiprocessing.Process(
1144
target=call_pipe,
1145
args=(pipe[1], subprocess.call, command),
1146
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1147
760
self.checker.start()
1148
self.checker_callback_tag = GLib.io_add_watch(
1149
pipe[0].fileno(), GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1150
763
self.checker_callback, pipe[0], command)
1151
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1152
765
return True
1153
766
1154
767
def stop_checker(self):
1155
768
"""Force the checker process, if any, to stop."""
1156
769
if self.checker_callback_tag:
1157
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1158
771
self.checker_callback_tag = None
1159
772
if getattr(self, "checker", None) is None:
1160
773
return
1169
782
byte_arrays=False):
1170
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1171
784
become properties on the D-Bus.
1172
785
1173
786
The decorated method will be called with no arguments by "Get"
1174
787
and with one argument by "Set".
1175
788
1176
789
The parameters, where they are supported, are the same as
1177
790
dbus.service.method, except there is only "signature", since the
1178
791
type from Get() and the type sent to Set() is the same.
1182
795
if byte_arrays and signature != "ay":
1183
796
raise ValueError("Byte arrays not supported for non-'ay'"
1184
797
" signature {!r}".format(signature))
1185
798
1186
799
def decorator(func):
1187
800
func._dbus_is_property = True
1188
801
func._dbus_interface = dbus_interface
1191
804
func._dbus_name = func.__name__
1192
805
if func._dbus_name.endswith("_dbus_property"):
1193
806
func._dbus_name = func._dbus_name[:-14]
1194
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1195
808
return func
1196
809
1197
810
return decorator
1198
811
1199
812
1200
813
def dbus_interface_annotations(dbus_interface):
1201
814
"""Decorator for marking functions returning interface annotations
1202
815
1203
816
Usage:
1204
817
1205
818
@dbus_interface_annotations("org.example.Interface")
1206
819
def _foo(self): # Function name does not matter
1207
820
return {"org.freedesktop.DBus.Deprecated": "true",
1208
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1209
822
"false"}
1210
823
"""
1211
824
1212
825
def decorator(func):
1213
826
func._dbus_is_interface = True
1214
827
func._dbus_interface = dbus_interface
1215
828
func._dbus_name = dbus_interface
1216
829
return func
1217
830
1218
831
return decorator
1219
832
1220
833
1221
834
def dbus_annotations(annotations):
1222
835
"""Decorator to annotate D-Bus methods, signals or properties
1223
836
Usage:
1224
837
1225
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1226
839
"org.freedesktop.DBus.Property."
1227
840
"EmitsChangedSignal": "false"})
1229
842
access="r")
1230
843
def Property_dbus_property(self):
1231
844
return dbus.Boolean(False)
1232
845
1233
846
See also the DBusObjectWithAnnotations class.
1234
847
"""
1235
848
1236
849
def decorator(func):
1237
850
func._dbus_annotations = annotations
1238
851
return func
1239
852
1240
853
return decorator
1241
854
1242
855
1260
873
1261
874
class DBusObjectWithAnnotations(dbus.service.Object):
1262
875
"""A D-Bus object with annotations.
1263
876
1264
877
Classes inheriting from this can use the dbus_annotations
1265
878
decorator to add annotations to methods or signals.
1266
879
"""
1267
880
1268
881
@staticmethod
1269
882
def _is_dbus_thing(thing):
1270
883
"""Returns a function testing if an attribute is a D-Bus thing
1271
884
1272
885
If called like _is_dbus_thing("method") it returns a function
1273
886
suitable for use as predicate to inspect.getmembers().
1274
887
"""
1275
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1276
889
False)
1277
890
1278
891
def _get_all_dbus_things(self, thing):
1279
892
"""Returns a generator of (name, attribute) pairs
1280
893
"""
1283
896
for cls in self.__class__.__mro__
1284
897
for name, athing in
1285
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1286
899
1287
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1288
out_signature="s",
1289
path_keyword='object_path',
1290
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1291
904
def Introspect(self, object_path, connection):
1292
905
"""Overloading of standard D-Bus method.
1293
906
1294
907
Inserts annotation tags on methods and signals.
1295
908
"""
1296
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1297
910
connection)
1298
911
try:
1299
912
document = xml.dom.minidom.parseString(xmlstring)
1300
913
1301
914
for if_tag in document.getElementsByTagName("interface"):
1302
915
# Add annotation tags
1303
916
for typ in ("method", "signal"):
1330
943
if_tag.appendChild(ann_tag)
1331
944
# Fix argument name for the Introspect method itself
1332
945
if (if_tag.getAttribute("name")
1333
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1334
947
for cn in if_tag.getElementsByTagName("method"):
1335
948
if cn.getAttribute("name") == "Introspect":
1336
949
for arg in cn.getElementsByTagName("arg"):
1349
962
1350
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1351
964
"""A D-Bus object with properties.
1352
965
1353
966
Classes inheriting from this can use the dbus_service_property
1354
967
decorator to expose methods as D-Bus properties. It exposes the
1355
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1356
969
"""
1357
970
1358
971
def _get_dbus_property(self, interface_name, property_name):
1359
972
"""Returns a bound method if one exists which is a D-Bus
1360
973
property with the specified name and interface.
1365
978
if (value._dbus_name == property_name
1366
979
and value._dbus_interface == interface_name):
1367
980
return value.__get__(self)
1368
981
1369
982
# No such property
1370
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1371
984
self.dbus_object_path, interface_name, property_name))
1372
985
1373
986
@classmethod
1374
987
def _get_all_interface_names(cls):
1375
988
"""Get a sequence of all interfaces supported by an object"""
1378
991
for x in (inspect.getmro(cls))
1379
992
for attr in dir(x))
1380
993
if name is not None)
1381
994
1382
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1383
996
in_signature="ss",
1384
997
out_signature="v")
1392
1005
if not hasattr(value, "variant_level"):
1393
1006
return value
1394
1007
return type(value)(value, variant_level=value.variant_level+1)
1395
1008
1396
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1397
1010
def Set(self, interface_name, property_name, value):
1398
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1410
1023
value = dbus.ByteArray(b''.join(chr(byte)
1411
1024
for byte in value))
1412
1025
prop(value)
1413
1026
1414
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1415
1028
in_signature="s",
1416
1029
out_signature="a{sv}")
1417
1030
def GetAll(self, interface_name):
1418
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1419
1032
standard.
1420
1033
1421
1034
Note: Will not include properties with access="write".
1422
1035
"""
1423
1036
properties = {}
1434
1047
properties[name] = value
1435
1048
continue
1436
1049
properties[name] = type(value)(
1437
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1438
1051
return dbus.Dictionary(properties, signature="sv")
1439
1052
1440
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1441
1054
def PropertiesChanged(self, interface_name, changed_properties,
1442
1055
invalidated_properties):
1444
1057
standard.
1445
1058
"""
1446
1059
pass
1447
1060
1448
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1449
1062
out_signature="s",
1450
1063
path_keyword='object_path',
1451
1064
connection_keyword='connection')
1452
1065
def Introspect(self, object_path, connection):
1453
1066
"""Overloading of standard D-Bus method.
1454
1067
1455
1068
Inserts property tags and interface annotation tags.
1456
1069
"""
1457
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1459
1072
connection)
1460
1073
try:
1461
1074
document = xml.dom.minidom.parseString(xmlstring)
1462
1075
1463
1076
def make_tag(document, name, prop):
1464
1077
e = document.createElement("property")
1465
1078
e.setAttribute("name", name)
1466
1079
e.setAttribute("type", prop._dbus_signature)
1467
1080
e.setAttribute("access", prop._dbus_access)
1468
1081
return e
1469
1082
1470
1083
for if_tag in document.getElementsByTagName("interface"):
1471
1084
# Add property tags
1472
1085
for tag in (make_tag(document, name, prop)
1514
1127
exc_info=error)
1515
1128
return xmlstring
1516
1129
1517
1518
1130
try:
1519
1131
dbus.OBJECT_MANAGER_IFACE
1520
1132
except AttributeError:
1521
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1522
1134
1523
1524
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1525
1136
"""A D-Bus object with an ObjectManager.
1526
1137
1527
1138
Classes inheriting from this exposes the standard
1528
1139
GetManagedObjects call and the InterfacesAdded and
1529
1140
InterfacesRemoved signals on the standard
1530
1141
"org.freedesktop.DBus.ObjectManager" interface.
1531
1142
1532
1143
Note: No signals are sent automatically; they must be sent
1533
1144
manually.
1534
1145
"""
1535
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1536
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1537
1148
def GetManagedObjects(self):
1538
1149
"""This function must be overridden"""
1539
1150
raise NotImplementedError()
1540
1151
1541
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1542
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1543
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1544
1155
pass
1545
1546
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1547
1158
def InterfacesRemoved(self, object_path, interfaces):
1548
1159
pass
1549
1160
1550
1161
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1551
out_signature="s",
1552
path_keyword='object_path',
1553
connection_keyword='connection')
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1554
1165
def Introspect(self, object_path, connection):
1555
1166
"""Overloading of standard D-Bus method.
1556
1167
1557
1168
Override return argument name of GetManagedObjects to be
1558
1169
"objpath_interfaces_and_properties"
1559
1170
"""
1562
1173
connection)
1563
1174
try:
1564
1175
document = xml.dom.minidom.parseString(xmlstring)
1565
1176
1566
1177
for if_tag in document.getElementsByTagName("interface"):
1567
1178
# Fix argument name for the GetManagedObjects method
1568
1179
if (if_tag.getAttribute("name")
1569
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1570
1181
for cn in if_tag.getElementsByTagName("method"):
1571
1182
if (cn.getAttribute("name")
1572
1183
== "GetManagedObjects"):
1582
1193
except (AttributeError, xml.dom.DOMException,
1583
1194
xml.parsers.expat.ExpatError) as error:
1584
1195
logger.error("Failed to override Introspection method",
1585
exc_info=error)
1196
exc_info = error)
1586
1197
return xmlstring
1587
1198
1588
1589
1199
def datetime_to_dbus(dt, variant_level=0):
1590
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1591
1201
if dt is None:
1592
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1593
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1594
1204
1595
1205
1598
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1599
1209
interface names according to the "alt_interface_names" mapping.
1600
1210
Usage:
1601
1211
1602
1212
@alternate_dbus_interfaces({"org.example.Interface":
1603
1213
"net.example.AlternateInterface"})
1604
1214
class SampleDBusObject(dbus.service.Object):
1605
1215
@dbus.service.method("org.example.Interface")
1606
1216
def SampleDBusMethod():
1607
1217
pass
1608
1218
1609
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1610
1220
reachable via two interfaces: "org.example.Interface" and
1611
1221
"net.example.AlternateInterface", the latter of which will have
1612
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1613
1223
"true", unless "deprecate" is passed with a False value.
1614
1224
1615
1225
This works for methods and signals, and also for D-Bus properties
1616
1226
(from DBusObjectWithProperties) and interfaces (from the
1617
1227
dbus_interface_annotations decorator).
1618
1228
"""
1619
1229
1620
1230
def wrapper(cls):
1621
1231
for orig_interface_name, alt_interface_name in (
1622
1232
alt_interface_names.items()):
1637
1247
interface_names.add(alt_interface)
1638
1248
# Is this a D-Bus signal?
1639
1249
if getattr(attribute, "_dbus_is_signal", False):
1640
# Extract the original non-method undecorated
1641
# function by black magic
1642
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1643
1253
nonmethod_func = (dict(
1644
1254
zip(attribute.func_code.co_freevars,
1645
1255
attribute.__closure__))
1646
1256
["func"].cell_contents)
1647
1257
else:
1648
nonmethod_func = (dict(
1649
zip(attribute.__code__.co_freevars,
1650
attribute.__closure__))
1651
["func"].cell_contents)
1258
nonmethod_func = attribute
1652
1259
# Create a new, but exactly alike, function
1653
1260
# object, and decorate it to be a new D-Bus signal
1654
1261
# with the alternate D-Bus interface name
1655
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1656
1276
new_function = (dbus.service.signal(
1657
1277
alt_interface,
1658
1278
attribute._dbus_signature)(new_function))
1662
1282
attribute._dbus_annotations)
1663
1283
except AttributeError:
1664
1284
pass
1665
1666
1285
# Define a creator of a function to call both the
1667
1286
# original and alternate functions, so both the
1668
1287
# original and alternate signals gets sent when
1671
1290
"""This function is a scope container to pass
1672
1291
func1 and func2 to the "call_both" function
1673
1292
outside of its arguments"""
1674
1293
1675
1294
@functools.wraps(func2)
1676
1295
def call_both(*args, **kwargs):
1677
1296
"""This function will emit two D-Bus
1678
1297
signals by calling func1 and func2"""
1679
1298
func1(*args, **kwargs)
1680
1299
func2(*args, **kwargs)
1681
# Make wrapper function look like a D-Bus
1682
# signal
1300
# Make wrapper function look like a D-Bus signal
1683
1301
for name, attr in inspect.getmembers(func2):
1684
1302
if name.startswith("_dbus_"):
1685
1303
setattr(call_both, name, attr)
1686
1304
1687
1305
return call_both
1688
1306
# Create the "call_both" function and add it to
1689
1307
# the class
1699
1317
alt_interface,
1700
1318
attribute._dbus_in_signature,
1701
1319
attribute._dbus_out_signature)
1702
(copy_function(attribute)))
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1703
1325
# Copy annotations, if any
1704
1326
try:
1705
1327
attr[attrname]._dbus_annotations = dict(
1717
1339
attribute._dbus_access,
1718
1340
attribute._dbus_get_args_options
1719
1341
["byte_arrays"])
1720
(copy_function(attribute)))
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1721
1348
# Copy annotations, if any
1722
1349
try:
1723
1350
attr[attrname]._dbus_annotations = dict(
1732
1359
# to the class.
1733
1360
attr[attrname] = (
1734
1361
dbus_interface_annotations(alt_interface)
1735
(copy_function(attribute)))
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1736
1367
if deprecate:
1737
1368
# Deprecate all alternate interfaces
1738
iname = "_AlternateDBusNames_interface_annotation{}"
1369
iname="_AlternateDBusNames_interface_annotation{}"
1739
1370
for interface_name in interface_names:
1740
1371
1741
1372
@dbus_interface_annotations(interface_name)
1742
1373
def func(self):
1743
return {"org.freedesktop.DBus.Deprecated":
1744
"true"}
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1745
1376
# Find an unused name
1746
1377
for aname in (iname.format(i)
1747
1378
for i in itertools.count()):
1751
1382
if interface_names:
1752
1383
# Replace the class with a new subclass of it with
1753
1384
# methods, signals, etc. as created above.
1754
if sys.version_info.major == 2:
1755
cls = type(b"{}Alternate".format(cls.__name__),
1756
(cls, ), attr)
1757
else:
1758
cls = type("{}Alternate".format(cls.__name__),
1759
(cls, ), attr)
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1760
1387
return cls
1761
1388
1762
1389
return wrapper
1763
1390
1764
1391
1766
1393
"se.bsnet.fukt.Mandos"})
1767
1394
class ClientDBus(Client, DBusObjectWithProperties):
1768
1395
"""A Client class using D-Bus
1769
1396
1770
1397
Attributes:
1771
1398
dbus_object_path: dbus.ObjectPath
1772
1399
bus: dbus.SystemBus()
1773
1400
"""
1774
1401
1775
1402
runtime_expansions = (Client.runtime_expansions
1776
1403
+ ("dbus_object_path", ))
1777
1404
1778
1405
_interface = "se.recompile.Mandos.Client"
1779
1406
1780
1407
# dbus.service.Object doesn't use super(), so we can't either.
1781
1782
def __init__(self, bus=None, *args, **kwargs):
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1783
1410
self.bus = bus
1784
1411
Client.__init__(self, *args, **kwargs)
1785
1412
# Only now, when this client is initialized, can it show up on
1791
1418
"/clients/" + client_object_name)
1792
1419
DBusObjectWithProperties.__init__(self, self.bus,
1793
1420
self.dbus_object_path)
1794
1421
1795
1422
def notifychangeproperty(transform_func, dbus_name,
1796
1423
type_func=lambda x: x,
1797
1424
variant_level=1,
1799
1426
_interface=_interface):
1800
1427
""" Modify a variable so that it's a property which announces
1801
1428
its changes to DBus.
1802
1429
1803
1430
transform_fun: Function that takes a value and a variant_level
1804
1431
and transforms it to a D-Bus type.
1805
1432
dbus_name: D-Bus name of the variable
1808
1435
variant_level: D-Bus variant level. Default: 1
1809
1436
"""
1810
1437
attrname = "_{}".format(dbus_name)
1811
1438
1812
1439
def setter(self, value):
1813
1440
if hasattr(self, "dbus_object_path"):
1814
1441
if (not hasattr(self, attrname) or
1821
1448
else:
1822
1449
dbus_value = transform_func(
1823
1450
type_func(value),
1824
variant_level=variant_level)
1451
variant_level = variant_level)
1825
1452
self.PropertyChanged(dbus.String(dbus_name),
1826
1453
dbus_value)
1827
1454
self.PropertiesChanged(
1828
1455
_interface,
1829
dbus.Dictionary({dbus.String(dbus_name):
1830
dbus_value}),
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1831
1458
dbus.Array())
1832
1459
setattr(self, attrname, value)
1833
1460
1834
1461
return property(lambda self: getattr(self, attrname), setter)
1835
1462
1836
1463
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1837
1464
approvals_pending = notifychangeproperty(dbus.Boolean,
1838
1465
"ApprovalPending",
1839
type_func=bool)
1466
type_func = bool)
1840
1467
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1841
1468
last_enabled = notifychangeproperty(datetime_to_dbus,
1842
1469
"LastEnabled")
1843
1470
checker = notifychangeproperty(
1844
1471
dbus.Boolean, "CheckerRunning",
1845
type_func=lambda checker: checker is not None)
1472
type_func = lambda checker: checker is not None)
1846
1473
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1847
1474
"LastCheckedOK")
1848
1475
last_checker_status = notifychangeproperty(dbus.Int16,
1853
1480
"ApprovedByDefault")
1854
1481
approval_delay = notifychangeproperty(
1855
1482
dbus.UInt64, "ApprovalDelay",
1856
type_func=lambda td: td.total_seconds() * 1000)
1483
type_func = lambda td: td.total_seconds() * 1000)
1857
1484
approval_duration = notifychangeproperty(
1858
1485
dbus.UInt64, "ApprovalDuration",
1859
type_func=lambda td: td.total_seconds() * 1000)
1486
type_func = lambda td: td.total_seconds() * 1000)
1860
1487
host = notifychangeproperty(dbus.String, "Host")
1861
1488
timeout = notifychangeproperty(
1862
1489
dbus.UInt64, "Timeout",
1863
type_func=lambda td: td.total_seconds() * 1000)
1490
type_func = lambda td: td.total_seconds() * 1000)
1864
1491
extended_timeout = notifychangeproperty(
1865
1492
dbus.UInt64, "ExtendedTimeout",
1866
type_func=lambda td: td.total_seconds() * 1000)
1493
type_func = lambda td: td.total_seconds() * 1000)
1867
1494
interval = notifychangeproperty(
1868
1495
dbus.UInt64, "Interval",
1869
type_func=lambda td: td.total_seconds() * 1000)
1496
type_func = lambda td: td.total_seconds() * 1000)
1870
1497
checker_command = notifychangeproperty(dbus.String, "Checker")
1871
1498
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1872
1499
invalidate_only=True)
1873
1500
1874
1501
del notifychangeproperty
1875
1502
1876
1503
def __del__(self, *args, **kwargs):
1877
1504
try:
1878
1505
self.remove_from_connection()
1881
1508
if hasattr(DBusObjectWithProperties, "__del__"):
1882
1509
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1883
1510
Client.__del__(self, *args, **kwargs)
1884
1511
1885
1512
def checker_callback(self, source, condition,
1886
1513
connection, command, *args, **kwargs):
1887
1514
ret = Client.checker_callback(self, source, condition,
1903
1530
| self.last_checker_signal),
1904
1531
dbus.String(command))
1905
1532
return ret
1906
1533
1907
1534
def start_checker(self, *args, **kwargs):
1908
1535
old_checker_pid = getattr(self.checker, "pid", None)
1909
1536
r = Client.start_checker(self, *args, **kwargs)
1913
1540
# Emit D-Bus signal
1914
1541
self.CheckerStarted(self.current_checker_command)
1915
1542
return r
1916
1543
1917
1544
def _reset_approved(self):
1918
1545
self.approved = None
1919
1546
return False
1920
1547
1921
1548
def approve(self, value=True):
1922
1549
self.approved = value
1923
GLib.timeout_add(int(self.approval_duration.total_seconds()
1924
* 1000), self._reset_approved)
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1925
1552
self.send_changedstate()
1926
1927
# D-Bus methods, signals & properties
1928
1929
# Interfaces
1930
1931
# Signals
1932
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1933
1560
# CheckerCompleted - signal
1934
1561
@dbus.service.signal(_interface, signature="nxs")
1935
1562
def CheckerCompleted(self, exitcode, waitstatus, command):
1936
1563
"D-Bus signal"
1937
1564
pass
1938
1565
1939
1566
# CheckerStarted - signal
1940
1567
@dbus.service.signal(_interface, signature="s")
1941
1568
def CheckerStarted(self, command):
1942
1569
"D-Bus signal"
1943
1570
pass
1944
1571
1945
1572
# PropertyChanged - signal
1946
1573
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1947
1574
@dbus.service.signal(_interface, signature="sv")
1948
1575
def PropertyChanged(self, property, value):
1949
1576
"D-Bus signal"
1950
1577
pass
1951
1578
1952
1579
# GotSecret - signal
1953
1580
@dbus.service.signal(_interface)
1954
1581
def GotSecret(self):
1957
1584
server to mandos-client
1958
1585
"""
1959
1586
pass
1960
1587
1961
1588
# Rejected - signal
1962
1589
@dbus.service.signal(_interface, signature="s")
1963
1590
def Rejected(self, reason):
1964
1591
"D-Bus signal"
1965
1592
pass
1966
1593
1967
1594
# NeedApproval - signal
1968
1595
@dbus.service.signal(_interface, signature="tb")
1969
1596
def NeedApproval(self, timeout, default):
1970
1597
"D-Bus signal"
1971
1598
return self.need_approval()
1972
1973
# Methods
1974
1599
1600
## Methods
1601
1975
1602
# Approve - method
1976
1603
@dbus.service.method(_interface, in_signature="b")
1977
1604
def Approve(self, value):
1978
1605
self.approve(value)
1979
1606
1980
1607
# CheckedOK - method
1981
1608
@dbus.service.method(_interface)
1982
1609
def CheckedOK(self):
1983
1610
self.checked_ok()
1984
1611
1985
1612
# Enable - method
1986
1613
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1987
1614
@dbus.service.method(_interface)
1988
1615
def Enable(self):
1989
1616
"D-Bus method"
1990
1617
self.enable()
1991
1618
1992
1619
# StartChecker - method
1993
1620
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1994
1621
@dbus.service.method(_interface)
1995
1622
def StartChecker(self):
1996
1623
"D-Bus method"
1997
1624
self.start_checker()
1998
1625
1999
1626
# Disable - method
2000
1627
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2001
1628
@dbus.service.method(_interface)
2002
1629
def Disable(self):
2003
1630
"D-Bus method"
2004
1631
self.disable()
2005
1632
2006
1633
# StopChecker - method
2007
1634
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1635
@dbus.service.method(_interface)
2009
1636
def StopChecker(self):
2010
1637
self.stop_checker()
2011
2012
# Properties
2013
1638
1639
## Properties
1640
2014
1641
# ApprovalPending - property
2015
1642
@dbus_service_property(_interface, signature="b", access="read")
2016
1643
def ApprovalPending_dbus_property(self):
2017
1644
return dbus.Boolean(bool(self.approvals_pending))
2018
1645
2019
1646
# ApprovedByDefault - property
2020
1647
@dbus_service_property(_interface,
2021
1648
signature="b",
2024
1651
if value is None: # get
2025
1652
return dbus.Boolean(self.approved_by_default)
2026
1653
self.approved_by_default = bool(value)
2027
1654
2028
1655
# ApprovalDelay - property
2029
1656
@dbus_service_property(_interface,
2030
1657
signature="t",
2034
1661
return dbus.UInt64(self.approval_delay.total_seconds()
2035
1662
* 1000)
2036
1663
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2037
1664
2038
1665
# ApprovalDuration - property
2039
1666
@dbus_service_property(_interface,
2040
1667
signature="t",
2044
1671
return dbus.UInt64(self.approval_duration.total_seconds()
2045
1672
* 1000)
2046
1673
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2047
1674
2048
1675
# Name - property
2049
1676
@dbus_annotations(
2050
1677
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2051
1678
@dbus_service_property(_interface, signature="s", access="read")
2052
1679
def Name_dbus_property(self):
2053
1680
return dbus.String(self.name)
2054
2055
# KeyID - property
2056
@dbus_annotations(
2057
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2058
@dbus_service_property(_interface, signature="s", access="read")
2059
def KeyID_dbus_property(self):
2060
return dbus.String(self.key_id)
2061
1681
2062
1682
# Fingerprint - property
2063
1683
@dbus_annotations(
2064
1684
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2065
1685
@dbus_service_property(_interface, signature="s", access="read")
2066
1686
def Fingerprint_dbus_property(self):
2067
1687
return dbus.String(self.fingerprint)
2068
1688
2069
1689
# Host - property
2070
1690
@dbus_service_property(_interface,
2071
1691
signature="s",
2074
1694
if value is None: # get
2075
1695
return dbus.String(self.host)
2076
1696
self.host = str(value)
2077
1697
2078
1698
# Created - property
2079
1699
@dbus_annotations(
2080
1700
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2081
1701
@dbus_service_property(_interface, signature="s", access="read")
2082
1702
def Created_dbus_property(self):
2083
1703
return datetime_to_dbus(self.created)
2084
1704
2085
1705
# LastEnabled - property
2086
1706
@dbus_service_property(_interface, signature="s", access="read")
2087
1707
def LastEnabled_dbus_property(self):
2088
1708
return datetime_to_dbus(self.last_enabled)
2089
1709
2090
1710
# Enabled - property
2091
1711
@dbus_service_property(_interface,
2092
1712
signature="b",
2098
1718
self.enable()
2099
1719
else:
2100
1720
self.disable()
2101
1721
2102
1722
# LastCheckedOK - property
2103
1723
@dbus_service_property(_interface,
2104
1724
signature="s",
2108
1728
self.checked_ok()
2109
1729
return
2110
1730
return datetime_to_dbus(self.last_checked_ok)
2111
1731
2112
1732
# LastCheckerStatus - property
2113
1733
@dbus_service_property(_interface, signature="n", access="read")
2114
1734
def LastCheckerStatus_dbus_property(self):
2115
1735
return dbus.Int16(self.last_checker_status)
2116
1736
2117
1737
# Expires - property
2118
1738
@dbus_service_property(_interface, signature="s", access="read")
2119
1739
def Expires_dbus_property(self):
2120
1740
return datetime_to_dbus(self.expires)
2121
1741
2122
1742
# LastApprovalRequest - property
2123
1743
@dbus_service_property(_interface, signature="s", access="read")
2124
1744
def LastApprovalRequest_dbus_property(self):
2125
1745
return datetime_to_dbus(self.last_approval_request)
2126
1746
2127
1747
# Timeout - property
2128
1748
@dbus_service_property(_interface,
2129
1749
signature="t",
2144
1764
if (getattr(self, "disable_initiator_tag", None)
2145
1765
is None):
2146
1766
return
2147
GLib.source_remove(self.disable_initiator_tag)
2148
self.disable_initiator_tag = GLib.timeout_add(
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2149
1769
int((self.expires - now).total_seconds() * 1000),
2150
1770
self.disable)
2151
1771
2152
1772
# ExtendedTimeout - property
2153
1773
@dbus_service_property(_interface,
2154
1774
signature="t",
2158
1778
return dbus.UInt64(self.extended_timeout.total_seconds()
2159
1779
* 1000)
2160
1780
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2161
1781
2162
1782
# Interval - property
2163
1783
@dbus_service_property(_interface,
2164
1784
signature="t",
2171
1791
return
2172
1792
if self.enabled:
2173
1793
# Reschedule checker run
2174
GLib.source_remove(self.checker_initiator_tag)
2175
self.checker_initiator_tag = GLib.timeout_add(
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2176
1796
value, self.start_checker)
2177
self.start_checker() # Start one now, too
2178
1797
self.start_checker() # Start one now, too
1798
2179
1799
# Checker - property
2180
1800
@dbus_service_property(_interface,
2181
1801
signature="s",
2184
1804
if value is None: # get
2185
1805
return dbus.String(self.checker_command)
2186
1806
self.checker_command = str(value)
2187
1807
2188
1808
# CheckerRunning - property
2189
1809
@dbus_service_property(_interface,
2190
1810
signature="b",
2196
1816
self.start_checker()
2197
1817
else:
2198
1818
self.stop_checker()
2199
1819
2200
1820
# ObjectPath - property
2201
1821
@dbus_annotations(
2202
1822
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2203
1823
"org.freedesktop.DBus.Deprecated": "true"})
2204
1824
@dbus_service_property(_interface, signature="o", access="read")
2205
1825
def ObjectPath_dbus_property(self):
2206
return self.dbus_object_path # is already a dbus.ObjectPath
2207
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2208
1828
# Secret = property
2209
1829
@dbus_annotations(
2210
1830
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2215
1835
byte_arrays=True)
2216
1836
def Secret_dbus_property(self, value):
2217
1837
self.secret = bytes(value)
2218
1838
2219
1839
del _interface
2220
1840
2221
1841
2222
1842
class ProxyClient(object):
2223
def __init__(self, child_pipe, key_id, fpr, address):
1843
def __init__(self, child_pipe, fpr, address):
2224
1844
self._pipe = child_pipe
2225
self._pipe.send(('init', key_id, fpr, address))
1845
self._pipe.send(('init', fpr, address))
2226
1846
if not self._pipe.recv():
2227
raise KeyError(key_id or fpr)
2228
1847
raise KeyError(fpr)
1848
2229
1849
def __getattribute__(self, name):
2230
1850
if name == '_pipe':
2231
1851
return super(ProxyClient, self).__getattribute__(name)
2234
1854
if data[0] == 'data':
2235
1855
return data[1]
2236
1856
if data[0] == 'function':
2237
1857
2238
1858
def func(*args, **kwargs):
2239
1859
self._pipe.send(('funcall', name, args, kwargs))
2240
1860
return self._pipe.recv()[1]
2241
1861
2242
1862
return func
2243
1863
2244
1864
def __setattr__(self, name, value):
2245
1865
if name == '_pipe':
2246
1866
return super(ProxyClient, self).__setattr__(name, value)
2249
1869
2250
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2251
1871
"""A class to handle client connections.
2252
1872
2253
1873
Instantiated once for each connection to handle it.
2254
1874
Note: This will run in its own forked process."""
2255
1875
2256
1876
def handle(self):
2257
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2258
1878
logger.info("TCP connection from: %s",
2259
1879
str(self.client_address))
2260
1880
logger.debug("Pipe FD: %d",
2261
1881
self.server.child_pipe.fileno())
2262
2263
session = gnutls.ClientSession(self.request)
2264
2265
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2266
# "+AES-256-CBC", "+SHA1",
2267
# "+COMP-NULL", "+CTYPE-OPENPGP",
2268
# "+DHE-DSS"))
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2269
1895
# Use a fallback default, since this MUST be set.
2270
1896
priority = self.server.gnutls_priority
2271
1897
if priority is None:
2272
1898
priority = "NORMAL"
2273
gnutls.priority_set_direct(session._c_object,
2274
priority.encode("utf-8"),
2275
None)
2276
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2277
1902
# Start communication using the Mandos protocol
2278
1903
# Get protocol number
2279
1904
line = self.request.makefile().readline()
2284
1909
except (ValueError, IndexError, RuntimeError) as error:
2285
1910
logger.error("Unknown protocol version: %s", error)
2286
1911
return
2287
1912
2288
1913
# Start GnuTLS connection
2289
1914
try:
2290
1915
session.handshake()
2291
except gnutls.Error as error:
1916
except gnutls.errors.GNUTLSError as error:
2292
1917
logger.warning("Handshake failed: %s", error)
2293
1918
# Do not run session.bye() here: the session is not
2294
1919
# established. Just abandon the request.
2295
1920
return
2296
1921
logger.debug("Handshake succeeded")
2297
1922
2298
1923
approval_required = False
2299
1924
try:
2300
if gnutls.has_rawpk:
2301
fpr = ""
2302
try:
2303
key_id = self.key_id(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2307
return
2308
logger.debug("Key ID: %s", key_id)
2309
2310
else:
2311
key_id = ""
2312
try:
2313
fpr = self.fingerprint(
2314
self.peer_certificate(session))
2315
except (TypeError, gnutls.Error) as error:
2316
logger.warning("Bad certificate: %s", error)
2317
return
2318
logger.debug("Fingerprint: %s", fpr)
2319
2320
try:
2321
client = ProxyClient(child_pipe, key_id, fpr,
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2322
1936
self.client_address)
2323
1937
except KeyError:
2324
1938
return
2325
1939
2326
1940
if client.approval_delay:
2327
1941
delay = client.approval_delay
2328
1942
client.approvals_pending += 1
2329
1943
approval_required = True
2330
1944
2331
1945
while True:
2332
1946
if not client.enabled:
2333
1947
logger.info("Client %s is disabled",
2336
1950
# Emit D-Bus signal
2337
1951
client.Rejected("Disabled")
2338
1952
return
2339
1953
2340
1954
if client.approved or not client.approval_delay:
2341
# We are approved or approval is disabled
1955
#We are approved or approval is disabled
2342
1956
break
2343
1957
elif client.approved is None:
2344
1958
logger.info("Client %s needs approval",
2355
1969
# Emit D-Bus signal
2356
1970
client.Rejected("Denied")
2357
1971
return
2358
2359
# wait until timeout or approved
1972
1973
#wait until timeout or approved
2360
1974
time = datetime.datetime.now()
2361
1975
client.changedstate.acquire()
2362
1976
client.changedstate.wait(delay.total_seconds())
2375
1989
break
2376
1990
else:
2377
1991
delay -= time2 - time
2378
2379
try:
2380
session.send(client.secret)
2381
except gnutls.Error as error:
2382
logger.warning("gnutls send failed",
2383
exc_info=error)
2384
return
2385
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2386
2006
logger.info("Sending secret to %s", client.name)
2387
2007
# bump the timeout using extended_timeout
2388
2008
client.bump_timeout(client.extended_timeout)
2389
2009
if self.server.use_dbus:
2390
2010
# Emit D-Bus signal
2391
2011
client.GotSecret()
2392
2012
2393
2013
finally:
2394
2014
if approval_required:
2395
2015
client.approvals_pending -= 1
2396
2016
try:
2397
2017
session.bye()
2398
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2399
2019
logger.warning("GnuTLS bye failed",
2400
2020
exc_info=error)
2401
2021
2402
2022
@staticmethod
2403
2023
def peer_certificate(session):
2404
"Return the peer's certificate as a bytestring"
2405
try:
2406
cert_type = gnutls.certificate_type_get2(session._c_object,
2407
gnutls.CTYPE_PEERS)
2408
except AttributeError:
2409
cert_type = gnutls.certificate_type_get(session._c_object)
2410
if gnutls.has_rawpk:
2411
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2412
else:
2413
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2414
# If not a valid certificate type...
2415
if cert_type not in valid_cert_types:
2416
logger.info("Cert type %r not in %r", cert_type,
2417
valid_cert_types)
2418
# ...return invalid data
2419
return b""
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2420
2031
list_size = ctypes.c_uint(1)
2421
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2422
2034
(session._c_object, ctypes.byref(list_size)))
2423
2035
if not bool(cert_list) and list_size.value != 0:
2424
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2425
2038
if list_size.value == 0:
2426
2039
return None
2427
2040
cert = cert_list[0]
2428
2041
return ctypes.string_at(cert.data, cert.size)
2429
2430
@staticmethod
2431
def key_id(certificate):
2432
"Convert a certificate bytestring to a hexdigit key ID"
2433
# New GnuTLS "datum" with the public key
2434
datum = gnutls.datum_t(
2435
ctypes.cast(ctypes.c_char_p(certificate),
2436
ctypes.POINTER(ctypes.c_ubyte)),
2437
ctypes.c_uint(len(certificate)))
2438
# XXX all these need to be created in the gnutls "module"
2439
# New empty GnuTLS certificate
2440
pubkey = gnutls.pubkey_t()
2441
gnutls.pubkey_init(ctypes.byref(pubkey))
2442
# Import the raw public key into the certificate
2443
gnutls.pubkey_import(pubkey,
2444
ctypes.byref(datum),
2445
gnutls.X509_FMT_DER)
2446
# New buffer for the key ID
2447
buf = ctypes.create_string_buffer(32)
2448
buf_len = ctypes.c_size_t(len(buf))
2449
# Get the key ID from the raw public key into the buffer
2450
gnutls.pubkey_get_key_id(pubkey,
2451
gnutls.KEYID_USE_SHA256,
2452
ctypes.cast(ctypes.byref(buf),
2453
ctypes.POINTER(ctypes.c_ubyte)),
2454
ctypes.byref(buf_len))
2455
# Deinit the certificate
2456
gnutls.pubkey_deinit(pubkey)
2457
2458
# Convert the buffer to a Python bytestring
2459
key_id = ctypes.string_at(buf, buf_len.value)
2460
# Convert the bytestring to hexadecimal notation
2461
hex_key_id = binascii.hexlify(key_id).upper()
2462
return hex_key_id
2463
2042
2464
2043
@staticmethod
2465
2044
def fingerprint(openpgp):
2466
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2467
2046
# New GnuTLS "datum" with the OpenPGP public key
2468
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2469
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2470
2049
ctypes.POINTER(ctypes.c_ubyte)),
2471
2050
ctypes.c_uint(len(openpgp)))
2472
2051
# New empty GnuTLS certificate
2473
crt = gnutls.openpgp_crt_t()
2474
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2475
2055
# Import the OpenPGP public key into the certificate
2476
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2477
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2478
2059
# Verify the self signature in the key
2479
2060
crtverify = ctypes.c_uint()
2480
gnutls.openpgp_crt_verify_self(crt, 0,
2481
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2482
2063
if crtverify.value != 0:
2483
gnutls.openpgp_crt_deinit(crt)
2484
raise gnutls.CertificateSecurityError(code
2485
=crtverify.value)
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2486
2067
# New buffer for the fingerprint
2487
2068
buf = ctypes.create_string_buffer(20)
2488
2069
buf_len = ctypes.c_size_t()
2489
2070
# Get the fingerprint from the certificate into the buffer
2490
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2491
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2492
2073
# Deinit the certificate
2493
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2494
2075
# Convert the buffer to a Python bytestring
2495
2076
fpr = ctypes.string_at(buf, buf_len.value)
2496
2077
# Convert the bytestring to hexadecimal notation
2500
2081
2501
2082
class MultiprocessingMixIn(object):
2502
2083
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2503
2084
2504
2085
def sub_process_main(self, request, address):
2505
2086
try:
2506
2087
self.finish_request(request, address)
2507
2088
except Exception:
2508
2089
self.handle_error(request, address)
2509
2090
self.close_request(request)
2510
2091
2511
2092
def process_request(self, request, address):
2512
2093
"""Start a new process to process the request."""
2513
proc = multiprocessing.Process(target=self.sub_process_main,
2514
args=(request, address))
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2515
2096
proc.start()
2516
2097
return proc
2517
2098
2518
2099
2519
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2520
2101
""" adds a pipe to the MixIn """
2521
2102
2522
2103
def process_request(self, request, client_address):
2523
2104
"""Overrides and wraps the original process_request().
2524
2105
2525
2106
This function creates a new pipe in self.pipe
2526
2107
"""
2527
2108
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2528
2109
2529
2110
proc = MultiprocessingMixIn.process_request(self, request,
2530
2111
client_address)
2531
2112
self.child_pipe.close()
2532
2113
self.add_pipe(parent_pipe, proc)
2533
2114
2534
2115
def add_pipe(self, parent_pipe, proc):
2535
2116
"""Dummy function; override as necessary"""
2536
2117
raise NotImplementedError()
2539
2120
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2540
2121
socketserver.TCPServer, object):
2541
2122
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2542
2123
2543
2124
Attributes:
2544
2125
enabled: Boolean; whether this server is activated yet
2545
2126
interface: None or a network interface name (string)
2546
2127
use_ipv6: Boolean; to use IPv6 or not
2547
2128
"""
2548
2129
2549
2130
def __init__(self, server_address, RequestHandlerClass,
2550
2131
interface=None,
2551
2132
use_ipv6=True,
2561
2142
self.socketfd = socketfd
2562
2143
# Save the original socket.socket() function
2563
2144
self.socket_socket = socket.socket
2564
2565
2145
# To implement --socket, we monkey patch socket.socket.
2566
#
2146
#
2567
2147
# (When socketserver.TCPServer is a new-style class, we
2568
2148
# could make self.socket into a property instead of monkey
2569
2149
# patching socket.socket.)
2570
#
2150
#
2571
2151
# Create a one-time-only replacement for socket.socket()
2572
2152
@functools.wraps(socket.socket)
2573
2153
def socket_wrapper(*args, **kwargs):
2585
2165
# socket_wrapper(), if socketfd was set.
2586
2166
socketserver.TCPServer.__init__(self, server_address,
2587
2167
RequestHandlerClass)
2588
2168
2589
2169
def server_bind(self):
2590
2170
"""This overrides the normal server_bind() function
2591
2171
to bind to an interface if one was specified, and also NOT to
2592
2172
bind to an address or port if they were not specified."""
2593
global SO_BINDTODEVICE
2594
2173
if self.interface is not None:
2595
2174
if SO_BINDTODEVICE is None:
2596
# Fall back to a hard-coded value which seems to be
2597
# common enough.
2598
logger.warning("SO_BINDTODEVICE not found, trying 25")
2599
SO_BINDTODEVICE = 25
2600
try:
2601
self.socket.setsockopt(
2602
socket.SOL_SOCKET, SO_BINDTODEVICE,
2603
(self.interface + "\0").encode("utf-8"))
2604
except socket.error as error:
2605
if error.errno == errno.EPERM:
2606
logger.error("No permission to bind to"
2607
" interface %s", self.interface)
2608
elif error.errno == errno.ENOPROTOOPT:
2609
logger.error("SO_BINDTODEVICE not available;"
2610
" cannot bind to interface %s",
2611
self.interface)
2612
elif error.errno == errno.ENODEV:
2613
logger.error("Interface %s does not exist,"
2614
" cannot bind", self.interface)
2615
else:
2616
raise
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2617
2196
# Only bind(2) the socket if we really need to.
2618
2197
if self.server_address[0] or self.server_address[1]:
2619
2198
if not self.server_address[0]:
2620
2199
if self.address_family == socket.AF_INET6:
2621
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2622
2201
else:
2623
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2624
2203
self.server_address = (any_address,
2625
2204
self.server_address[1])
2626
2205
elif not self.server_address[1]:
2636
2215
2637
2216
class MandosServer(IPv6_TCPServer):
2638
2217
"""Mandos server.
2639
2218
2640
2219
Attributes:
2641
2220
clients: set of Client objects
2642
2221
gnutls_priority GnuTLS priority string
2643
2222
use_dbus: Boolean; to emit D-Bus signals or not
2644
2645
Assumes a GLib.MainLoop event loop.
2223
2224
Assumes a gobject.MainLoop event loop.
2646
2225
"""
2647
2226
2648
2227
def __init__(self, server_address, RequestHandlerClass,
2649
2228
interface=None,
2650
2229
use_ipv6=True,
2660
2239
self.gnutls_priority = gnutls_priority
2661
2240
IPv6_TCPServer.__init__(self, server_address,
2662
2241
RequestHandlerClass,
2663
interface=interface,
2664
use_ipv6=use_ipv6,
2665
socketfd=socketfd)
2666
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2667
2246
def server_activate(self):
2668
2247
if self.enabled:
2669
2248
return socketserver.TCPServer.server_activate(self)
2670
2249
2671
2250
def enable(self):
2672
2251
self.enabled = True
2673
2252
2674
2253
def add_pipe(self, parent_pipe, proc):
2675
2254
# Call "handle_ipc" for both data and EOF events
2676
GLib.io_add_watch(
2255
gobject.io_add_watch(
2677
2256
parent_pipe.fileno(),
2678
GLib.IO_IN | GLib.IO_HUP,
2257
gobject.IO_IN | gobject.IO_HUP,
2679
2258
functools.partial(self.handle_ipc,
2680
parent_pipe=parent_pipe,
2681
proc=proc))
2682
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2683
2262
def handle_ipc(self, source, condition,
2684
2263
parent_pipe=None,
2685
proc=None,
2264
proc = None,
2686
2265
client_object=None):
2687
2266
# error, or the other end of multiprocessing.Pipe has closed
2688
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2689
2268
# Wait for other process to exit
2690
2269
proc.join()
2691
2270
return False
2692
2271
2693
2272
# Read a request from the child
2694
2273
request = parent_pipe.recv()
2695
2274
command = request[0]
2696
2275
2697
2276
if command == 'init':
2698
key_id = request[1].decode("ascii")
2699
fpr = request[2].decode("ascii")
2700
address = request[3]
2701
2702
for c in self.clients.values():
2703
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2704
continue
2705
if key_id and c.key_id == key_id:
2706
client = c
2707
break
2708
if fpr and c.fingerprint == fpr:
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2709
2282
client = c
2710
2283
break
2711
2284
else:
2712
logger.info("Client not found for key ID: %s, address"
2713
": %s", key_id or fpr, address)
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2714
2287
if self.use_dbus:
2715
2288
# Emit D-Bus signal
2716
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
mandos_dbus_service.ClientNotFound(fpr,
2717
2290
address[0])
2718
2291
parent_pipe.send(False)
2719
2292
return False
2720
2721
GLib.io_add_watch(
2293
2294
gobject.io_add_watch(
2722
2295
parent_pipe.fileno(),
2723
GLib.IO_IN | GLib.IO_HUP,
2296
gobject.IO_IN | gobject.IO_HUP,
2724
2297
functools.partial(self.handle_ipc,
2725
parent_pipe=parent_pipe,
2726
proc=proc,
2727
client_object=client))
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2728
2301
parent_pipe.send(True)
2729
2302
# remove the old hook in favor of the new above hook on
2730
2303
# same fileno
2733
2306
funcname = request[1]
2734
2307
args = request[2]
2735
2308
kwargs = request[3]
2736
2309
2737
2310
parent_pipe.send(('data', getattr(client_object,
2738
2311
funcname)(*args,
2739
2312
**kwargs)))
2740
2313
2741
2314
if command == 'getattr':
2742
2315
attrname = request[1]
2743
2316
if isinstance(client_object.__getattribute__(attrname),
2746
2319
else:
2747
2320
parent_pipe.send((
2748
2321
'data', client_object.__getattribute__(attrname)))
2749
2322
2750
2323
if command == 'setattr':
2751
2324
attrname = request[1]
2752
2325
value = request[2]
2753
2326
setattr(client_object, attrname, value)
2754
2327
2755
2328
return True
2756
2329
2757
2330
2758
2331
def rfc3339_duration_to_delta(duration):
2759
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2760
2333
2761
2334
>>> rfc3339_duration_to_delta("P7D")
2762
2335
datetime.timedelta(7)
2763
2336
>>> rfc3339_duration_to_delta("PT60S")
2773
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2774
2347
datetime.timedelta(1, 200)
2775
2348
"""
2776
2349
2777
2350
# Parsing an RFC 3339 duration with regular expressions is not
2778
2351
# possible - there would have to be multiple places for the same
2779
2352
# values, like seconds. The current code, while more esoteric, is
2780
2353
# cleaner without depending on a parsing library. If Python had a
2781
2354
# built-in library for parsing we would use it, but we'd like to
2782
2355
# avoid excessive use of external libraries.
2783
2356
2784
2357
# New type for defining tokens, syntax, and semantics all-in-one
2785
2358
Token = collections.namedtuple("Token", (
2786
2359
"regexp", # To match token; if "value" is not None, must have
2819
2392
frozenset((token_year, token_month,
2820
2393
token_day, token_time,
2821
2394
token_week)))
2822
# Define starting values:
2823
# Value so far
2824
value = datetime.timedelta()
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2825
2397
found_token = None
2826
# Following valid tokens
2827
followers = frozenset((token_duration, ))
2828
# String left to parse
2829
s = duration
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2830
2400
# Loop until end token is found
2831
2401
while found_token is not token_end:
2832
2402
# Search for any currently valid tokens
2856
2426
2857
2427
def string_to_delta(interval):
2858
2428
"""Parse a string and return a datetime.timedelta
2859
2429
2860
2430
>>> string_to_delta('7d')
2861
2431
datetime.timedelta(7)
2862
2432
>>> string_to_delta('60s')
2870
2440
>>> string_to_delta('5m 30s')
2871
2441
datetime.timedelta(0, 330)
2872
2442
"""
2873
2443
2874
2444
try:
2875
2445
return rfc3339_duration_to_delta(interval)
2876
2446
except ValueError:
2877
2447
pass
2878
2448
2879
2449
timevalue = datetime.timedelta(0)
2880
2450
for s in interval.split():
2881
2451
try:
2899
2469
return timevalue
2900
2470
2901
2471
2902
def daemon(nochdir=False, noclose=False):
2472
def daemon(nochdir = False, noclose = False):
2903
2473
"""See daemon(3). Standard BSD Unix function.
2904
2474
2905
2475
This should really exist as os.daemon, but it doesn't (yet)."""
2906
2476
if os.fork():
2907
2477
sys.exit()
2925
2495
2926
2496
2927
2497
def main():
2928
2498
2929
2499
##################################################################
2930
2500
# Parsing of options, both command line and config file
2931
2501
2932
2502
parser = argparse.ArgumentParser()
2933
2503
parser.add_argument("-v", "--version", action="version",
2934
version="%(prog)s {}".format(version),
2504
version = "%(prog)s {}".format(version),
2935
2505
help="show version number and exit")
2936
2506
parser.add_argument("-i", "--interface", metavar="IF",
2937
2507
help="Bind to interface IF")
2973
2543
parser.add_argument("--no-zeroconf", action="store_false",
2974
2544
dest="zeroconf", help="Do not use Zeroconf",
2975
2545
default=None)
2976
2546
2977
2547
options = parser.parse_args()
2978
2548
2979
2549
if options.check:
2980
2550
import doctest
2981
2551
fail_count, test_count = doctest.testmod()
2982
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2983
2553
2984
2554
# Default values for config file for server-global settings
2985
if gnutls.has_rawpk:
2986
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2987
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2988
else:
2989
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2990
":+SIGN-DSA-SHA256")
2991
server_defaults = {"interface": "",
2992
"address": "",
2993
"port": "",
2994
"debug": "False",
2995
"priority": priority,
2996
"servicename": "Mandos",
2997
"use_dbus": "True",
2998
"use_ipv6": "True",
2999
"debuglevel": "",
3000
"restore": "True",
3001
"socket": "",
3002
"statedir": "/var/lib/mandos",
3003
"foreground": "False",
3004
"zeroconf": "True",
3005
}
3006
del priority
3007
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3008
2573
# Parse config file for server-global settings
3009
2574
server_config = configparser.SafeConfigParser(server_defaults)
3010
2575
del server_defaults
3012
2577
# Convert the SafeConfigParser object to a dict
3013
2578
server_settings = server_config.defaults()
3014
2579
# Use the appropriate methods on the non-string config options
3015
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3016
"foreground", "zeroconf"):
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3017
2581
server_settings[option] = server_config.getboolean("DEFAULT",
3018
2582
option)
3019
2583
if server_settings["port"]:
3029
2593
server_settings["socket"] = os.dup(server_settings
3030
2594
["socket"])
3031
2595
del server_config
3032
2596
3033
2597
# Override the settings from the config file with command line
3034
2598
# options, if set.
3035
2599
for option in ("interface", "address", "port", "debug",
3053
2617
if server_settings["debug"]:
3054
2618
server_settings["foreground"] = True
3055
2619
# Now we have our good server settings in "server_settings"
3056
2620
3057
2621
##################################################################
3058
2622
3059
2623
if (not server_settings["zeroconf"]
3060
2624
and not (server_settings["port"]
3061
2625
or server_settings["socket"] != "")):
3062
2626
parser.error("Needs port or socket to work without Zeroconf")
3063
2627
3064
2628
# For convenience
3065
2629
debug = server_settings["debug"]
3066
2630
debuglevel = server_settings["debuglevel"]
3070
2634
stored_state_file)
3071
2635
foreground = server_settings["foreground"]
3072
2636
zeroconf = server_settings["zeroconf"]
3073
2637
3074
2638
if debug:
3075
2639
initlogger(debug, logging.DEBUG)
3076
2640
else:
3079
2643
else:
3080
2644
level = getattr(logging, debuglevel.upper())
3081
2645
initlogger(debug, level)
3082
2646
3083
2647
if server_settings["servicename"] != "Mandos":
3084
2648
syslogger.setFormatter(
3085
2649
logging.Formatter('Mandos ({}) [%(process)d]:'
3086
2650
' %(levelname)s: %(message)s'.format(
3087
2651
server_settings["servicename"])))
3088
2652
3089
2653
# Parse config file with clients
3090
2654
client_config = configparser.SafeConfigParser(Client
3091
2655
.client_defaults)
3092
2656
client_config.read(os.path.join(server_settings["configdir"],
3093
2657
"clients.conf"))
3094
2658
3095
2659
global mandos_dbus_service
3096
2660
mandos_dbus_service = None
3097
2661
3098
2662
socketfd = None
3099
2663
if server_settings["socket"] != "":
3100
2664
socketfd = server_settings["socket"]
3116
2680
except IOError as e:
3117
2681
logger.error("Could not open file %r", pidfilename,
3118
2682
exc_info=e)
3119
3120
for name, group in (("_mandos", "_mandos"),
3121
("mandos", "mandos"),
3122
("nobody", "nogroup")):
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3123
2685
try:
3124
2686
uid = pwd.getpwnam(name).pw_uid
3125
gid = pwd.getpwnam(group).pw_gid
2687
gid = pwd.getpwnam(name).pw_gid
3126
2688
break
3127
2689
except KeyError:
3128
2690
continue
3132
2694
try:
3133
2695
os.setgid(gid)
3134
2696
os.setuid(uid)
3135
if debug:
3136
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3137
gid))
3138
2697
except OSError as error:
3139
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3140
.format(uid, gid, os.strerror(error.errno)))
3141
2698
if error.errno != errno.EPERM:
3142
2699
raise
3143
2700
3144
2701
if debug:
3145
2702
# Enable all possible GnuTLS debugging
3146
2703
3147
2704
# "Use a log level over 10 to enable all debugging options."
3148
2705
# - GnuTLS manual
3149
gnutls.global_set_log_level(11)
3150
3151
@gnutls.log_func
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3152
2709
def debug_gnutls(level, string):
3153
2710
logger.debug("GnuTLS: %s", string[:-1])
3154
3155
gnutls.global_set_log_function(debug_gnutls)
3156
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3157
2715
# Redirect stdin so all checkers get /dev/null
3158
2716
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3159
2717
os.dup2(null, sys.stdin.fileno())
3160
2718
if null > 2:
3161
2719
os.close(null)
3162
2720
3163
2721
# Need to fork before connecting to D-Bus
3164
2722
if not foreground:
3165
2723
# Close all input and output, do double fork, etc.
3166
2724
daemon()
3167
3168
# multiprocessing will use threads, so before we use GLib we need
3169
# to inform GLib that threads will be used.
3170
GLib.threads_init()
3171
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3172
2730
global main_loop
3173
2731
# From the Avahi example code
3174
2732
DBusGMainLoop(set_as_default=True)
3175
main_loop = GLib.MainLoop()
2733
main_loop = gobject.MainLoop()
3176
2734
bus = dbus.SystemBus()
3177
2735
# End of Avahi example code
3178
2736
if use_dbus:
3191
2749
if zeroconf:
3192
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3193
2751
service = AvahiServiceToSyslog(
3194
name=server_settings["servicename"],
3195
servicetype="_mandos._tcp",
3196
protocol=protocol,
3197
bus=bus)
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3198
2756
if server_settings["interface"]:
3199
2757
service.interface = if_nametoindex(
3200
2758
server_settings["interface"].encode("utf-8"))
3201
2759
3202
2760
global multiprocessing_manager
3203
2761
multiprocessing_manager = multiprocessing.Manager()
3204
2762
3205
2763
client_class = Client
3206
2764
if use_dbus:
3207
client_class = functools.partial(ClientDBus, bus=bus)
3208
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3209
2767
client_settings = Client.config_parser(client_config)
3210
2768
old_client_settings = {}
3211
2769
clients_data = {}
3212
2770
3213
2771
# This is used to redirect stdout and stderr for checker processes
3214
2772
global wnull
3215
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3216
2774
# Only used if server is running in foreground but not in debug
3217
2775
# mode
3218
2776
if debug or not foreground:
3219
2777
wnull.close()
3220
2778
3221
2779
# Get client data and settings from last running state.
3222
2780
if server_settings["restore"]:
3223
2781
try:
3224
2782
with open(stored_state_path, "rb") as stored_state:
3225
if sys.version_info.major == 2:
3226
clients_data, old_client_settings = pickle.load(
3227
stored_state)
3228
else:
3229
bytes_clients_data, bytes_old_client_settings = (
3230
pickle.load(stored_state, encoding="bytes"))
3231
# Fix bytes to strings
3232
# clients_data
3233
# .keys()
3234
clients_data = {(key.decode("utf-8")
3235
if isinstance(key, bytes)
3236
else key): value
3237
for key, value in
3238
bytes_clients_data.items()}
3239
del bytes_clients_data
3240
for key in clients_data:
3241
value = {(k.decode("utf-8")
3242
if isinstance(k, bytes) else k): v
3243
for k, v in
3244
clients_data[key].items()}
3245
clients_data[key] = value
3246
# .client_structure
3247
value["client_structure"] = [
3248
(s.decode("utf-8")
3249
if isinstance(s, bytes)
3250
else s) for s in
3251
value["client_structure"]]
3252
# .name & .host
3253
for k in ("name", "host"):
3254
if isinstance(value[k], bytes):
3255
value[k] = value[k].decode("utf-8")
3256
if not value.has_key("key_id"):
3257
value["key_id"] = ""
3258
elif not value.has_key("fingerprint"):
3259
value["fingerprint"] = ""
3260
# old_client_settings
3261
# .keys()
3262
old_client_settings = {
3263
(key.decode("utf-8")
3264
if isinstance(key, bytes)
3265
else key): value
3266
for key, value in
3267
bytes_old_client_settings.items()}
3268
del bytes_old_client_settings
3269
# .host
3270
for value in old_client_settings.values():
3271
if isinstance(value["host"], bytes):
3272
value["host"] = (value["host"]
3273
.decode("utf-8"))
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3274
2785
os.remove(stored_state_path)
3275
2786
except IOError as e:
3276
2787
if e.errno == errno.ENOENT:
3284
2795
logger.warning("Could not load persistent state: "
3285
2796
"EOFError:",
3286
2797
exc_info=e)
3287
2798
3288
2799
with PGPEngine() as pgp:
3289
2800
for client_name, client in clients_data.items():
3290
2801
# Skip removed clients
3291
2802
if client_name not in client_settings:
3292
2803
continue
3293
2804
3294
2805
# Decide which value to use after restoring saved state.
3295
2806
# We have three different values: Old config file,
3296
2807
# new config file, and saved state.
3307
2818
client[name] = value
3308
2819
except KeyError:
3309
2820
pass
3310
2821
3311
2822
# Clients who has passed its expire date can still be
3312
2823
# enabled if its last checker was successful. A Client
3313
2824
# whose checker succeeded before we stored its state is
3346
2857
client_name))
3347
2858
client["secret"] = (client_settings[client_name]
3348
2859
["secret"])
3349
2860
3350
2861
# Add/remove clients based on new changes made to config
3351
2862
for client_name in (set(old_client_settings)
3352
2863
- set(client_settings)):
3354
2865
for client_name in (set(client_settings)
3355
2866
- set(old_client_settings)):
3356
2867
clients_data[client_name] = client_settings[client_name]
3357
2868
3358
2869
# Create all client objects
3359
2870
for client_name, client in clients_data.items():
3360
2871
tcp_server.clients[client_name] = client_class(
3361
name=client_name,
3362
settings=client,
3363
server_settings=server_settings)
3364
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3365
2876
if not tcp_server.clients:
3366
2877
logger.warning("No clients defined")
3367
2878
3368
2879
if not foreground:
3369
2880
if pidfile is not None:
3370
2881
pid = os.getpid()
3376
2887
pidfilename, pid)
3377
2888
del pidfile
3378
2889
del pidfilename
3379
3380
for termsig in (signal.SIGHUP, signal.SIGTERM):
3381
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3382
lambda: main_loop.quit() and False)
3383
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3384
2894
if use_dbus:
3385
2895
3386
2896
@alternate_dbus_interfaces(
3387
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3388
2898
class MandosDBusService(DBusObjectWithObjectManager):
3389
2899
"""A D-Bus proxy object"""
3390
2900
3391
2901
def __init__(self):
3392
2902
dbus.service.Object.__init__(self, bus, "/")
3393
2903
3394
2904
_interface = "se.recompile.Mandos"
3395
2905
3396
2906
@dbus.service.signal(_interface, signature="o")
3397
2907
def ClientAdded(self, objpath):
3398
2908
"D-Bus signal"
3399
2909
pass
3400
2910
3401
2911
@dbus.service.signal(_interface, signature="ss")
3402
def ClientNotFound(self, key_id, address):
2912
def ClientNotFound(self, fingerprint, address):
3403
2913
"D-Bus signal"
3404
2914
pass
3405
2915
3406
2916
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3407
2917
"true"})
3408
2918
@dbus.service.signal(_interface, signature="os")
3409
2919
def ClientRemoved(self, objpath, name):
3410
2920
"D-Bus signal"
3411
2921
pass
3412
2922
3413
2923
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3414
2924
"true"})
3415
2925
@dbus.service.method(_interface, out_signature="ao")
3416
2926
def GetAllClients(self):
3417
2927
"D-Bus method"
3418
2928
return dbus.Array(c.dbus_object_path for c in
3419
tcp_server.clients.values())
3420
2929
tcp_server.clients.itervalues())
2930
3421
2931
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3422
2932
"true"})
3423
2933
@dbus.service.method(_interface,
3425
2935
def GetAllClientsWithProperties(self):
3426
2936
"D-Bus method"
3427
2937
return dbus.Dictionary(
3428
{c.dbus_object_path: c.GetAll(
2938
{ c.dbus_object_path: c.GetAll(
3429
2939
"se.recompile.Mandos.Client")
3430
for c in tcp_server.clients.values()},
2940
for c in tcp_server.clients.itervalues() },
3431
2941
signature="oa{sv}")
3432
2942
3433
2943
@dbus.service.method(_interface, in_signature="o")
3434
2944
def RemoveClient(self, object_path):
3435
2945
"D-Bus method"
3436
for c in tcp_server.clients.values():
2946
for c in tcp_server.clients.itervalues():
3437
2947
if c.dbus_object_path == object_path:
3438
2948
del tcp_server.clients[c.name]
3439
2949
c.remove_from_connection()
3443
2953
self.client_removed_signal(c)
3444
2954
return
3445
2955
raise KeyError(object_path)
3446
2956
3447
2957
del _interface
3448
2958
3449
2959
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3450
out_signature="a{oa{sa{sv}}}")
2960
out_signature = "a{oa{sa{sv}}}")
3451
2961
def GetManagedObjects(self):
3452
2962
"""D-Bus method"""
3453
2963
return dbus.Dictionary(
3454
{client.dbus_object_path:
3455
dbus.Dictionary(
3456
{interface: client.GetAll(interface)
3457
for interface in
3458
client._get_all_interface_names()})
3459
for client in tcp_server.clients.values()})
3460
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3461
2971
def client_added_signal(self, client):
3462
2972
"""Send the new standard signal and the old signal"""
3463
2973
if use_dbus:
3465
2975
self.InterfacesAdded(
3466
2976
client.dbus_object_path,
3467
2977
dbus.Dictionary(
3468
{interface: client.GetAll(interface)
3469
for interface in
3470
client._get_all_interface_names()}))
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3471
2981
# Old signal
3472
2982
self.ClientAdded(client.dbus_object_path)
3473
2983
3474
2984
def client_removed_signal(self, client):
3475
2985
"""Send the new standard signal and the old signal"""
3476
2986
if use_dbus:
3481
2991
# Old signal
3482
2992
self.ClientRemoved(client.dbus_object_path,
3483
2993
client.name)
3484
2994
3485
2995
mandos_dbus_service = MandosDBusService()
3486
3487
# Save modules to variables to exempt the modules from being
3488
# unloaded before the function registered with atexit() is run.
3489
mp = multiprocessing
3490
wn = wnull
3491
2996
3492
2997
def cleanup():
3493
2998
"Cleanup function; run on exit"
3494
2999
if zeroconf:
3495
3000
service.cleanup()
3496
3497
mp.active_children()
3498
wn.close()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3499
3004
if not (tcp_server.clients or client_settings):
3500
3005
return
3501
3006
3502
3007
# Store client before exiting. Secrets are encrypted with key
3503
3008
# based on what config file has. If config file is
3504
3009
# removed/edited, old secret will thus be unrecovable.
3505
3010
clients = {}
3506
3011
with PGPEngine() as pgp:
3507
for client in tcp_server.clients.values():
3012
for client in tcp_server.clients.itervalues():
3508
3013
key = client_settings[client.name]["secret"]
3509
3014
client.encrypted_secret = pgp.encrypt(client.secret,
3510
3015
key)
3511
3016
client_dict = {}
3512
3017
3513
3018
# A list of attributes that can not be pickled
3514
3019
# + secret.
3515
exclude = {"bus", "changedstate", "secret",
3516
"checker", "server_settings"}
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3517
3022
for name, typ in inspect.getmembers(dbus.service
3518
3023
.Object):
3519
3024
exclude.add(name)
3520
3025
3521
3026
client_dict["encrypted_secret"] = (client
3522
3027
.encrypted_secret)
3523
3028
for attr in client.client_structure:
3524
3029
if attr not in exclude:
3525
3030
client_dict[attr] = getattr(client, attr)
3526
3031
3527
3032
clients[client.name] = client_dict
3528
3033
del client_settings[client.name]["secret"]
3529
3034
3530
3035
try:
3531
3036
with tempfile.NamedTemporaryFile(
3532
3037
mode='wb',
3534
3039
prefix='clients-',
3535
3040
dir=os.path.dirname(stored_state_path),
3536
3041
delete=False) as stored_state:
3537
pickle.dump((clients, client_settings), stored_state,
3538
protocol=2)
3042
pickle.dump((clients, client_settings), stored_state)
3539
3043
tempname = stored_state.name
3540
3044
os.rename(tempname, stored_state_path)
3541
3045
except (IOError, OSError) as e:
3551
3055
logger.warning("Could not save persistent state:",
3552
3056
exc_info=e)
3553
3057
raise
3554
3058
3555
3059
# Delete all clients, and settings from config
3556
3060
while tcp_server.clients:
3557
3061
name, client = tcp_server.clients.popitem()
3560
3064
# Don't signal the disabling
3561
3065
client.disable(quiet=True)
3562
3066
# Emit D-Bus signal for removal
3563
if use_dbus:
3564
mandos_dbus_service.client_removed_signal(client)
3067
mandos_dbus_service.client_removed_signal(client)
3565
3068
client_settings.clear()
3566
3069
3567
3070
atexit.register(cleanup)
3568
3569
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3570
3073
if use_dbus:
3571
3074
# Emit D-Bus signal for adding
3572
3075
mandos_dbus_service.client_added_signal(client)
3573
3076
# Need to initiate checking of clients
3574
3077
if client.enabled:
3575
3078
client.init_checker()
3576
3079
3577
3080
tcp_server.enable()
3578
3081
tcp_server.server_activate()
3579
3082
3580
3083
# Find out what port we got
3581
3084
if zeroconf:
3582
3085
service.port = tcp_server.socket.getsockname()[1]
3587
3090
else: # IPv4
3588
3091
logger.info("Now listening on address %r, port %d",
3589
3092
*tcp_server.socket.getsockname())
3590
3591
# service.interface = tcp_server.socket.getsockname()[3]
3592
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3593
3096
try:
3594
3097
if zeroconf:
3595
3098
# From the Avahi example code
3600
3103
cleanup()
3601
3104
sys.exit(1)
3602
3105
# End of Avahi example code
3603
3604
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3605
lambda *args, **kwargs:
3606
(tcp_server.handle_request
3607
(*args[2:], **kwargs) or True))
3608
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3609
3112
logger.debug("Starting main loop")
3610
3113
main_loop.run()
3611
3114
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0