To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.335
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.335
- Committer: Teddy Hogeborn
- Date: 2015-08-10 16:19:28 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810161928-bnukog7l47j3pjix
Depend on Avahi and the network in the server's systemd service file.
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
80
82
81
83
import dbus
82
84
import dbus.service
83
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
84
90
from dbus.mainloop.glib import DBusGMainLoop
85
91
import ctypes
86
92
import ctypes.util
87
93
import xml.dom.minidom
88
94
import inspect
89
95
90
# Try to find the value of SO_BINDTODEVICE:
91
96
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
98
except AttributeError:
96
99
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
100
from IN import SO_BINDTODEVICE
100
101
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
114
103
115
104
if sys.version_info.major == 2:
116
105
str = unicode
117
106
118
version = "1.8.5"
107
version = "1.6.9"
119
108
stored_state_file = "clients.pickle"
120
109
121
110
logger = logging.getLogger()
125
114
if_nametoindex = ctypes.cdll.LoadLibrary(
126
115
ctypes.util.find_library("c")).if_nametoindex
127
116
except (OSError, AttributeError):
128
117
129
118
def if_nametoindex(interface):
130
119
"Get an interface index the hard way, i.e. using fcntl()"
131
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
125
return interface_index
137
126
138
127
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
155
128
def initlogger(debug, level=logging.WARNING):
156
129
"""init logger and add loglevel"""
157
130
158
131
global syslogger
159
132
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
162
135
syslogger.setFormatter(logging.Formatter
163
136
('Mandos [%(process)d]: %(levelname)s:'
164
137
' %(message)s'))
165
138
logger.addHandler(syslogger)
166
139
167
140
if debug:
168
141
console = logging.StreamHandler()
169
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
154
182
155
class PGPEngine(object):
183
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
157
185
158
def __init__(self):
186
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
198
160
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
161
'--home', self.tempdir,
200
162
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
163
'--quiet',
164
'--no-use-agent']
165
206
166
def __enter__(self):
207
167
return self
208
168
209
169
def __exit__(self, exc_type, exc_value, traceback):
210
170
self._cleanup()
211
171
return False
212
172
213
173
def __del__(self):
214
174
self._cleanup()
215
175
216
176
def _cleanup(self):
217
177
if self.tempdir is not None:
218
178
# Delete contents of tempdir
219
179
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
180
topdown = False):
221
181
for filename in files:
222
182
os.remove(os.path.join(root, filename))
223
183
for dirname in dirs:
225
185
# Remove tempdir
226
186
os.rmdir(self.tempdir)
227
187
self.tempdir = None
228
188
229
189
def password_encode(self, password):
230
190
# Passphrase can not be empty and can not contain newlines or
231
191
# NUL bytes. So we prefix it and hex encode it.
236
196
.replace(b"\n", b"\\n")
237
197
.replace(b"\0", b"\\x00"))
238
198
return encoded
239
199
240
200
def encrypt(self, data, password):
241
201
passphrase = self.password_encode(password)
242
202
with tempfile.NamedTemporaryFile(
243
203
dir=self.tempdir) as passfile:
244
204
passfile.write(passphrase)
245
205
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
247
207
'--passphrase-file',
248
208
passfile.name]
249
209
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
254
214
if proc.returncode != 0:
255
215
raise PGPError(err)
256
216
return ciphertext
257
217
258
218
def decrypt(self, data, password):
259
219
passphrase = self.password_encode(password)
260
220
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
262
222
passfile.write(passphrase)
263
223
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
265
225
'--passphrase-file',
266
226
passfile.name]
267
227
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
272
232
if proc.returncode != 0:
273
233
raise PGPError(err)
274
234
return decrypted_plaintext
275
235
276
236
277
# Pretend that we have an Avahi module
278
class avahi(object):
279
"""This isn't so much a class as it is a module-like namespace."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
@staticmethod
290
def string_array_to_txt_array(t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
302
303
237
class AvahiError(Exception):
304
238
def __init__(self, value, *args, **kwargs):
305
239
self.value = value
317
251
318
252
class AvahiService(object):
319
253
"""An Avahi (Zeroconf) service.
320
254
321
255
Attributes:
322
256
interface: integer; avahi.IF_UNSPEC or an interface index.
323
257
Used to optionally bind to the specified interface.
335
269
server: D-Bus Server
336
270
bus: dbus.SystemBus()
337
271
"""
338
272
339
273
def __init__(self,
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
350
284
self.interface = interface
351
285
self.name = name
352
286
self.type = servicetype
361
295
self.server = None
362
296
self.bus = bus
363
297
self.entry_group_state_changed_match = None
364
298
365
299
def rename(self, remove=True):
366
300
"""Derived from the Avahi example code"""
367
301
if self.rename_count >= self.max_renames:
387
321
logger.critical("D-Bus Exception", exc_info=error)
388
322
self.cleanup()
389
323
os._exit(1)
390
324
391
325
def remove(self):
392
326
"""Derived from the Avahi example code"""
393
327
if self.entry_group_state_changed_match is not None:
395
329
self.entry_group_state_changed_match = None
396
330
if self.group is not None:
397
331
self.group.Reset()
398
332
399
333
def add(self):
400
334
"""Derived from the Avahi example code"""
401
335
self.remove()
418
352
dbus.UInt16(self.port),
419
353
avahi.string_array_to_txt_array(self.TXT))
420
354
self.group.Commit()
421
355
422
356
def entry_group_state_changed(self, state, error):
423
357
"""Derived from the Avahi example code"""
424
358
logger.debug("Avahi entry group state change: %i", state)
425
359
426
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
427
361
logger.debug("Zeroconf service established.")
428
362
elif state == avahi.ENTRY_GROUP_COLLISION:
432
366
logger.critical("Avahi: Error in group state changed %s",
433
367
str(error))
434
368
raise AvahiGroupError("State changed: {!s}".format(error))
435
369
436
370
def cleanup(self):
437
371
"""Derived from the Avahi example code"""
438
372
if self.group is not None:
443
377
pass
444
378
self.group = None
445
379
self.remove()
446
380
447
381
def server_state_changed(self, state, error=None):
448
382
"""Derived from the Avahi example code"""
449
383
logger.debug("Avahi server state change: %i", state)
478
412
logger.debug("Unknown state: %r", state)
479
413
else:
480
414
logger.debug("Unknown state: %r: %r", state, error)
481
415
482
416
def activate(self):
483
417
"""Derived from the Avahi example code"""
484
418
if self.server is None:
495
429
class AvahiServiceToSyslog(AvahiService):
496
430
def rename(self, *args, **kwargs):
497
431
"""Add the new name to the syslog messages"""
498
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
499
433
syslogger.setFormatter(logging.Formatter(
500
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
501
435
.format(self.name)))
502
436
return ret
503
437
504
505
# Pretend that we have a GnuTLS module
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
508
509
library = ctypes.util.find_library("gnutls")
510
if library is None:
511
library = ctypes.util.find_library("gnutls-deb0")
512
_library = ctypes.cdll.LoadLibrary(library)
513
del library
514
515
# Unless otherwise indicated, the constants and types below are
516
# all from the gnutls/gnutls.h C header file.
517
518
# Constants
519
E_SUCCESS = 0
520
E_INTERRUPTED = -52
521
E_AGAIN = -28
522
CRT_OPENPGP = 2
523
CRT_RAWPK = 3
524
CLIENT = 2
525
SHUT_RDWR = 0
526
CRD_CERTIFICATE = 1
527
E_NO_CERTIFICATE_FOUND = -49
528
X509_FMT_DER = 0
529
NO_TICKETS = 1<<10
530
ENABLE_RAWPK = 1<<18
531
CTYPE_PEERS = 3
532
KEYID_USE_SHA256 = 1 # gnutls/x509.h
533
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
534
535
# Types
536
class session_int(ctypes.Structure):
537
_fields_ = []
538
session_t = ctypes.POINTER(session_int)
539
540
class certificate_credentials_st(ctypes.Structure):
541
_fields_ = []
542
certificate_credentials_t = ctypes.POINTER(
543
certificate_credentials_st)
544
certificate_type_t = ctypes.c_int
545
546
class datum_t(ctypes.Structure):
547
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
548
('size', ctypes.c_uint)]
549
550
class openpgp_crt_int(ctypes.Structure):
551
_fields_ = []
552
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
553
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
554
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
555
credentials_type_t = ctypes.c_int
556
transport_ptr_t = ctypes.c_void_p
557
close_request_t = ctypes.c_int
558
559
# Exceptions
560
class Error(Exception):
561
def __init__(self, message=None, code=None, args=()):
562
# Default usage is by a message string, but if a return
563
# code is passed, convert it to a string with
564
# gnutls.strerror()
565
self.code = code
566
if message is None and code is not None:
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
569
message, *args)
570
571
class CertificateSecurityError(Error):
572
pass
573
574
# Classes
575
class Credentials(object):
576
def __init__(self):
577
self._c_object = gnutls.certificate_credentials_t()
578
gnutls.certificate_allocate_credentials(
579
ctypes.byref(self._c_object))
580
self.type = gnutls.CRD_CERTIFICATE
581
582
def __del__(self):
583
gnutls.certificate_free_credentials(self._c_object)
584
585
class ClientSession(object):
586
def __init__(self, socket, credentials=None):
587
self._c_object = gnutls.session_t()
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version(b"3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
591
if gnutls.has_rawpk:
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
del gnutls_flags
595
gnutls.set_default_priority(self._c_object)
596
gnutls.transport_set_ptr(self._c_object, socket.fileno())
597
gnutls.handshake_set_private_extensions(self._c_object,
598
True)
599
self.socket = socket
600
if credentials is None:
601
credentials = gnutls.Credentials()
602
gnutls.credentials_set(self._c_object, credentials.type,
603
ctypes.cast(credentials._c_object,
604
ctypes.c_void_p))
605
self.credentials = credentials
606
607
def __del__(self):
608
gnutls.deinit(self._c_object)
609
610
def handshake(self):
611
return gnutls.handshake(self._c_object)
612
613
def send(self, data):
614
data = bytes(data)
615
data_len = len(data)
616
while data_len > 0:
617
data_len -= gnutls.record_send(self._c_object,
618
data[-data_len:],
619
data_len)
620
621
def bye(self):
622
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
623
624
# Error handling functions
625
def _error_code(result):
626
"""A function to raise exceptions on errors, suitable
627
for the 'restype' attribute on ctypes functions"""
628
if result >= 0:
629
return result
630
if result == gnutls.E_NO_CERTIFICATE_FOUND:
631
raise gnutls.CertificateSecurityError(code=result)
632
raise gnutls.Error(code=result)
633
634
def _retry_on_error(result, func, arguments):
635
"""A function to retry on some errors, suitable
636
for the 'errcheck' attribute on ctypes functions"""
637
while result < 0:
638
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
639
return _error_code(result)
640
result = func(*arguments)
641
return result
642
643
# Unless otherwise indicated, the function declarations below are
644
# all from the gnutls/gnutls.h C header file.
645
646
# Functions
647
priority_set_direct = _library.gnutls_priority_set_direct
648
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
649
ctypes.POINTER(ctypes.c_char_p)]
650
priority_set_direct.restype = _error_code
651
652
init = _library.gnutls_init
653
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
654
init.restype = _error_code
655
656
set_default_priority = _library.gnutls_set_default_priority
657
set_default_priority.argtypes = [session_t]
658
set_default_priority.restype = _error_code
659
660
record_send = _library.gnutls_record_send
661
record_send.argtypes = [session_t, ctypes.c_void_p,
662
ctypes.c_size_t]
663
record_send.restype = ctypes.c_ssize_t
664
record_send.errcheck = _retry_on_error
665
666
certificate_allocate_credentials = (
667
_library.gnutls_certificate_allocate_credentials)
668
certificate_allocate_credentials.argtypes = [
669
ctypes.POINTER(certificate_credentials_t)]
670
certificate_allocate_credentials.restype = _error_code
671
672
certificate_free_credentials = (
673
_library.gnutls_certificate_free_credentials)
674
certificate_free_credentials.argtypes = [
675
certificate_credentials_t]
676
certificate_free_credentials.restype = None
677
678
handshake_set_private_extensions = (
679
_library.gnutls_handshake_set_private_extensions)
680
handshake_set_private_extensions.argtypes = [session_t,
681
ctypes.c_int]
682
handshake_set_private_extensions.restype = None
683
684
credentials_set = _library.gnutls_credentials_set
685
credentials_set.argtypes = [session_t, credentials_type_t,
686
ctypes.c_void_p]
687
credentials_set.restype = _error_code
688
689
strerror = _library.gnutls_strerror
690
strerror.argtypes = [ctypes.c_int]
691
strerror.restype = ctypes.c_char_p
692
693
certificate_type_get = _library.gnutls_certificate_type_get
694
certificate_type_get.argtypes = [session_t]
695
certificate_type_get.restype = _error_code
696
697
certificate_get_peers = _library.gnutls_certificate_get_peers
698
certificate_get_peers.argtypes = [session_t,
699
ctypes.POINTER(ctypes.c_uint)]
700
certificate_get_peers.restype = ctypes.POINTER(datum_t)
701
702
global_set_log_level = _library.gnutls_global_set_log_level
703
global_set_log_level.argtypes = [ctypes.c_int]
704
global_set_log_level.restype = None
705
706
global_set_log_function = _library.gnutls_global_set_log_function
707
global_set_log_function.argtypes = [log_func]
708
global_set_log_function.restype = None
709
710
deinit = _library.gnutls_deinit
711
deinit.argtypes = [session_t]
712
deinit.restype = None
713
714
handshake = _library.gnutls_handshake
715
handshake.argtypes = [session_t]
716
handshake.restype = _error_code
717
handshake.errcheck = _retry_on_error
718
719
transport_set_ptr = _library.gnutls_transport_set_ptr
720
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
721
transport_set_ptr.restype = None
722
723
bye = _library.gnutls_bye
724
bye.argtypes = [session_t, close_request_t]
725
bye.restype = _error_code
726
bye.errcheck = _retry_on_error
727
728
check_version = _library.gnutls_check_version
729
check_version.argtypes = [ctypes.c_char_p]
730
check_version.restype = ctypes.c_char_p
731
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
736
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
739
740
if has_rawpk:
741
# Types
742
class pubkey_st(ctypes.Structure):
743
_fields = []
744
pubkey_t = ctypes.POINTER(pubkey_st)
745
746
x509_crt_fmt_t = ctypes.c_int
747
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
752
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
x509_crt_fmt_t]
756
pubkey_import.restype = _error_code
757
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
763
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
767
else:
768
# All the function declarations below are from gnutls/openpgp.h
769
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
773
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
777
openpgp_crt_fmt_t]
778
openpgp_crt_import.restype = _error_code
779
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
784
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
788
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
ctypes.c_void_p,
793
ctypes.POINTER(
794
ctypes.c_size_t)]
795
openpgp_crt_get_fingerprint.restype = _error_code
796
797
if check_version(b"3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
801
802
# Remove non-public functions
803
del _error_code, _retry_on_error
804
805
806
438
def call_pipe(connection, # : multiprocessing.Connection
807
439
func, *args, **kwargs):
808
440
"""This function is meant to be called by multiprocessing.Process
809
441
810
442
This function runs func(*args, **kwargs), and writes the resulting
811
443
return value on the provided multiprocessing.Connection.
812
444
"""
813
445
connection.send(func(*args, **kwargs))
814
446
connection.close()
815
447
816
817
448
class Client(object):
818
449
"""A representation of a client host served by this server.
819
450
820
451
Attributes:
821
452
approved: bool(); 'None' if not yet approved/disapproved
822
453
approval_delay: datetime.timedelta(); Time to wait for approval
823
454
approval_duration: datetime.timedelta(); Duration of one approval
824
checker: multiprocessing.Process(); a running checker process used
825
to see if the client lives. 'None' if no process is
826
running.
827
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
828
459
checker_command: string; External command which is run to check
829
460
if client lives. %() expansions are done at
830
461
runtime with vars(self) as dict, so that for
831
462
instance %(name)s can be used in the command.
832
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
833
464
created: datetime.datetime(); (UTC) object creation
834
465
client_structure: Object describing what attributes a client has
835
466
and is used for storing the client at exit
836
467
current_checker_command: string; current running checker_command
837
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
838
469
enabled: bool()
839
470
fingerprint: string (40 or 32 hexadecimal digits); used to
840
uniquely identify an OpenPGP client
841
key_id: string (64 hexadecimal digits); used to uniquely identify
842
a client using raw public keys
471
uniquely identify the client
843
472
host: string; available for use by the checker command
844
473
interval: datetime.timedelta(); How often to start a new checker
845
474
last_approval_request: datetime.datetime(); (UTC) or None
861
490
disabled, or None
862
491
server_settings: The server_settings dict from main()
863
492
"""
864
493
865
494
runtime_expansions = ("approval_delay", "approval_duration",
866
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
867
496
"fingerprint", "host", "interval",
868
497
"last_approval_request", "last_checked_ok",
869
498
"last_enabled", "name", "timeout")
878
507
"approved_by_default": "True",
879
508
"enabled": "True",
880
509
}
881
510
882
511
@staticmethod
883
512
def config_parser(config):
884
513
"""Construct a new dict of client settings of this form:
891
520
for client_name in config.sections():
892
521
section = dict(config.items(client_name))
893
522
client = settings[client_name] = {}
894
523
895
524
client["host"] = section["host"]
896
525
# Reformat values from string types to Python types
897
526
client["approved_by_default"] = config.getboolean(
898
527
client_name, "approved_by_default")
899
528
client["enabled"] = config.getboolean(client_name,
900
529
"enabled")
901
902
# Uppercase and remove spaces from key_id and fingerprint
903
# for later comparison purposes with return value from the
904
# key_id() and fingerprint() functions
905
client["key_id"] = (section.get("key_id", "").upper()
906
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
907
534
client["fingerprint"] = (section["fingerprint"].upper()
908
535
.replace(" ", ""))
909
536
if "secret" in section:
910
client["secret"] = codecs.decode(section["secret"]
911
.encode("utf-8"),
912
"base64")
537
client["secret"] = section["secret"].decode("base64")
913
538
elif "secfile" in section:
914
539
with open(os.path.expanduser(os.path.expandvars
915
540
(section["secfile"])),
930
555
client["last_approval_request"] = None
931
556
client["last_checked_ok"] = None
932
557
client["last_checker_status"] = -2
933
558
934
559
return settings
935
936
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
937
562
self.name = name
938
563
if server_settings is None:
939
564
server_settings = {}
941
566
# adding all client settings
942
567
for setting, value in settings.items():
943
568
setattr(self, setting, value)
944
569
945
570
if self.enabled:
946
571
if not hasattr(self, "last_enabled"):
947
572
self.last_enabled = datetime.datetime.utcnow()
951
576
else:
952
577
self.last_enabled = None
953
578
self.expires = None
954
579
955
580
logger.debug("Creating client %r", self.name)
956
logger.debug(" Key ID: %s", self.key_id)
957
581
logger.debug(" Fingerprint: %s", self.fingerprint)
958
582
self.created = settings.get("created",
959
583
datetime.datetime.utcnow())
960
584
961
585
# attributes specific for this server instance
962
586
self.checker = None
963
587
self.checker_initiator_tag = None
969
593
self.changedstate = multiprocessing_manager.Condition(
970
594
multiprocessing_manager.Lock())
971
595
self.client_structure = [attr
972
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
973
597
if not attr.startswith("_")]
974
598
self.client_structure.append("client_structure")
975
599
976
600
for name, t in inspect.getmembers(
977
601
type(self), lambda obj: isinstance(obj, property)):
978
602
if not name.startswith("_"):
979
603
self.client_structure.append(name)
980
604
981
605
# Send notice to process children that client state has changed
982
606
def send_changedstate(self):
983
607
with self.changedstate:
984
608
self.changedstate.notify_all()
985
609
986
610
def enable(self):
987
611
"""Start this client's checker and timeout hooks"""
988
612
if getattr(self, "enabled", False):
993
617
self.last_enabled = datetime.datetime.utcnow()
994
618
self.init_checker()
995
619
self.send_changedstate()
996
620
997
621
def disable(self, quiet=True):
998
622
"""Disable this client."""
999
623
if not getattr(self, "enabled", False):
1001
625
if not quiet:
1002
626
logger.info("Disabling client %s", self.name)
1003
627
if getattr(self, "disable_initiator_tag", None) is not None:
1004
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1005
629
self.disable_initiator_tag = None
1006
630
self.expires = None
1007
631
if getattr(self, "checker_initiator_tag", None) is not None:
1008
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1009
633
self.checker_initiator_tag = None
1010
634
self.stop_checker()
1011
635
self.enabled = False
1012
636
if not quiet:
1013
637
self.send_changedstate()
1014
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1015
639
return False
1016
640
1017
641
def __del__(self):
1018
642
self.disable()
1019
643
1020
644
def init_checker(self):
1021
645
# Schedule a new checker to be started an 'interval' from now,
1022
646
# and every interval from then on.
1023
647
if self.checker_initiator_tag is not None:
1024
GLib.source_remove(self.checker_initiator_tag)
1025
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1026
650
int(self.interval.total_seconds() * 1000),
1027
651
self.start_checker)
1028
652
# Schedule a disable() when 'timeout' has passed
1029
653
if self.disable_initiator_tag is not None:
1030
GLib.source_remove(self.disable_initiator_tag)
1031
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1032
656
int(self.timeout.total_seconds() * 1000), self.disable)
1033
657
# Also start a new checker *right now*.
1034
658
self.start_checker()
1035
659
1036
660
def checker_callback(self, source, condition, connection,
1037
661
command):
1038
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1039
665
# Read return code from connection (see call_pipe)
1040
666
returncode = connection.recv()
1041
667
connection.close()
1042
self.checker.join()
1043
self.checker_callback_tag = None
1044
self.checker = None
1045
668
1046
669
if returncode >= 0:
1047
670
self.last_checker_status = returncode
1048
671
self.last_checker_signal = None
1058
681
logger.warning("Checker for %(name)s crashed?",
1059
682
vars(self))
1060
683
return False
1061
684
1062
685
def checked_ok(self):
1063
686
"""Assert that the client has been seen, alive and well."""
1064
687
self.last_checked_ok = datetime.datetime.utcnow()
1065
688
self.last_checker_status = 0
1066
689
self.last_checker_signal = None
1067
690
self.bump_timeout()
1068
691
1069
692
def bump_timeout(self, timeout=None):
1070
693
"""Bump up the timeout for this client."""
1071
694
if timeout is None:
1072
695
timeout = self.timeout
1073
696
if self.disable_initiator_tag is not None:
1074
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1075
698
self.disable_initiator_tag = None
1076
699
if getattr(self, "enabled", False):
1077
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1078
701
int(timeout.total_seconds() * 1000), self.disable)
1079
702
self.expires = datetime.datetime.utcnow() + timeout
1080
703
1081
704
def need_approval(self):
1082
705
self.last_approval_request = datetime.datetime.utcnow()
1083
706
1084
707
def start_checker(self):
1085
708
"""Start a new checker subprocess if one is not running.
1086
709
1087
710
If a checker already exists, leave it running and do
1088
711
nothing."""
1089
712
# The reason for not killing a running checker is that if we
1094
717
# checkers alone, the checker would have to take more time
1095
718
# than 'timeout' for the client to be disabled, which is as it
1096
719
# should be.
1097
720
1098
721
if self.checker is not None and not self.checker.is_alive():
1099
722
logger.warning("Checker was not alive; joining")
1100
723
self.checker.join()
1104
727
# Escape attributes for the shell
1105
728
escaped_attrs = {
1106
729
attr: re.escape(str(getattr(self, attr)))
1107
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1108
731
try:
1109
732
command = self.checker_command % escaped_attrs
1110
733
except TypeError as error:
1122
745
# The exception is when not debugging but nevertheless
1123
746
# running in the foreground; use the previously
1124
747
# created wnull.
1125
popen_args = {"close_fds": True,
1126
"shell": True,
1127
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1128
751
if (not self.server_settings["debug"]
1129
752
and self.server_settings["foreground"]):
1130
753
popen_args.update({"stdout": wnull,
1131
"stderr": wnull})
1132
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1133
756
self.checker = multiprocessing.Process(
1134
target=call_pipe,
1135
args=(pipe[1], subprocess.call, command),
1136
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1137
760
self.checker.start()
1138
self.checker_callback_tag = GLib.io_add_watch(
1139
pipe[0].fileno(), GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1140
763
self.checker_callback, pipe[0], command)
1141
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1142
765
return True
1143
766
1144
767
def stop_checker(self):
1145
768
"""Force the checker process, if any, to stop."""
1146
769
if self.checker_callback_tag:
1147
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1148
771
self.checker_callback_tag = None
1149
772
if getattr(self, "checker", None) is None:
1150
773
return
1159
782
byte_arrays=False):
1160
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1161
784
become properties on the D-Bus.
1162
785
1163
786
The decorated method will be called with no arguments by "Get"
1164
787
and with one argument by "Set".
1165
788
1166
789
The parameters, where they are supported, are the same as
1167
790
dbus.service.method, except there is only "signature", since the
1168
791
type from Get() and the type sent to Set() is the same.
1172
795
if byte_arrays and signature != "ay":
1173
796
raise ValueError("Byte arrays not supported for non-'ay'"
1174
797
" signature {!r}".format(signature))
1175
798
1176
799
def decorator(func):
1177
800
func._dbus_is_property = True
1178
801
func._dbus_interface = dbus_interface
1181
804
func._dbus_name = func.__name__
1182
805
if func._dbus_name.endswith("_dbus_property"):
1183
806
func._dbus_name = func._dbus_name[:-14]
1184
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1185
808
return func
1186
809
1187
810
return decorator
1188
811
1189
812
1190
813
def dbus_interface_annotations(dbus_interface):
1191
814
"""Decorator for marking functions returning interface annotations
1192
815
1193
816
Usage:
1194
817
1195
818
@dbus_interface_annotations("org.example.Interface")
1196
819
def _foo(self): # Function name does not matter
1197
820
return {"org.freedesktop.DBus.Deprecated": "true",
1198
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1199
822
"false"}
1200
823
"""
1201
824
1202
825
def decorator(func):
1203
826
func._dbus_is_interface = True
1204
827
func._dbus_interface = dbus_interface
1205
828
func._dbus_name = dbus_interface
1206
829
return func
1207
830
1208
831
return decorator
1209
832
1210
833
1211
834
def dbus_annotations(annotations):
1212
835
"""Decorator to annotate D-Bus methods, signals or properties
1213
836
Usage:
1214
837
1215
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1216
839
"org.freedesktop.DBus.Property."
1217
840
"EmitsChangedSignal": "false"})
1219
842
access="r")
1220
843
def Property_dbus_property(self):
1221
844
return dbus.Boolean(False)
1222
845
1223
846
See also the DBusObjectWithAnnotations class.
1224
847
"""
1225
848
1226
849
def decorator(func):
1227
850
func._dbus_annotations = annotations
1228
851
return func
1229
852
1230
853
return decorator
1231
854
1232
855
1250
873
1251
874
class DBusObjectWithAnnotations(dbus.service.Object):
1252
875
"""A D-Bus object with annotations.
1253
876
1254
877
Classes inheriting from this can use the dbus_annotations
1255
878
decorator to add annotations to methods or signals.
1256
879
"""
1257
880
1258
881
@staticmethod
1259
882
def _is_dbus_thing(thing):
1260
883
"""Returns a function testing if an attribute is a D-Bus thing
1261
884
1262
885
If called like _is_dbus_thing("method") it returns a function
1263
886
suitable for use as predicate to inspect.getmembers().
1264
887
"""
1265
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1266
889
False)
1267
890
1268
891
def _get_all_dbus_things(self, thing):
1269
892
"""Returns a generator of (name, attribute) pairs
1270
893
"""
1273
896
for cls in self.__class__.__mro__
1274
897
for name, athing in
1275
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1276
899
1277
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1278
out_signature="s",
1279
path_keyword='object_path',
1280
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1281
904
def Introspect(self, object_path, connection):
1282
905
"""Overloading of standard D-Bus method.
1283
906
1284
907
Inserts annotation tags on methods and signals.
1285
908
"""
1286
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1287
910
connection)
1288
911
try:
1289
912
document = xml.dom.minidom.parseString(xmlstring)
1290
913
1291
914
for if_tag in document.getElementsByTagName("interface"):
1292
915
# Add annotation tags
1293
916
for typ in ("method", "signal"):
1320
943
if_tag.appendChild(ann_tag)
1321
944
# Fix argument name for the Introspect method itself
1322
945
if (if_tag.getAttribute("name")
1323
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1324
947
for cn in if_tag.getElementsByTagName("method"):
1325
948
if cn.getAttribute("name") == "Introspect":
1326
949
for arg in cn.getElementsByTagName("arg"):
1339
962
1340
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1341
964
"""A D-Bus object with properties.
1342
965
1343
966
Classes inheriting from this can use the dbus_service_property
1344
967
decorator to expose methods as D-Bus properties. It exposes the
1345
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1346
969
"""
1347
970
1348
971
def _get_dbus_property(self, interface_name, property_name):
1349
972
"""Returns a bound method if one exists which is a D-Bus
1350
973
property with the specified name and interface.
1355
978
if (value._dbus_name == property_name
1356
979
and value._dbus_interface == interface_name):
1357
980
return value.__get__(self)
1358
981
1359
982
# No such property
1360
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1361
984
self.dbus_object_path, interface_name, property_name))
1362
985
1363
986
@classmethod
1364
987
def _get_all_interface_names(cls):
1365
988
"""Get a sequence of all interfaces supported by an object"""
1368
991
for x in (inspect.getmro(cls))
1369
992
for attr in dir(x))
1370
993
if name is not None)
1371
994
1372
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1373
996
in_signature="ss",
1374
997
out_signature="v")
1382
1005
if not hasattr(value, "variant_level"):
1383
1006
return value
1384
1007
return type(value)(value, variant_level=value.variant_level+1)
1385
1008
1386
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1387
1010
def Set(self, interface_name, property_name, value):
1388
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1400
1023
value = dbus.ByteArray(b''.join(chr(byte)
1401
1024
for byte in value))
1402
1025
prop(value)
1403
1026
1404
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1405
1028
in_signature="s",
1406
1029
out_signature="a{sv}")
1407
1030
def GetAll(self, interface_name):
1408
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1409
1032
standard.
1410
1033
1411
1034
Note: Will not include properties with access="write".
1412
1035
"""
1413
1036
properties = {}
1424
1047
properties[name] = value
1425
1048
continue
1426
1049
properties[name] = type(value)(
1427
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1428
1051
return dbus.Dictionary(properties, signature="sv")
1429
1052
1430
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1431
1054
def PropertiesChanged(self, interface_name, changed_properties,
1432
1055
invalidated_properties):
1434
1057
standard.
1435
1058
"""
1436
1059
pass
1437
1060
1438
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1439
1062
out_signature="s",
1440
1063
path_keyword='object_path',
1441
1064
connection_keyword='connection')
1442
1065
def Introspect(self, object_path, connection):
1443
1066
"""Overloading of standard D-Bus method.
1444
1067
1445
1068
Inserts property tags and interface annotation tags.
1446
1069
"""
1447
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1449
1072
connection)
1450
1073
try:
1451
1074
document = xml.dom.minidom.parseString(xmlstring)
1452
1075
1453
1076
def make_tag(document, name, prop):
1454
1077
e = document.createElement("property")
1455
1078
e.setAttribute("name", name)
1456
1079
e.setAttribute("type", prop._dbus_signature)
1457
1080
e.setAttribute("access", prop._dbus_access)
1458
1081
return e
1459
1082
1460
1083
for if_tag in document.getElementsByTagName("interface"):
1461
1084
# Add property tags
1462
1085
for tag in (make_tag(document, name, prop)
1504
1127
exc_info=error)
1505
1128
return xmlstring
1506
1129
1507
1508
1130
try:
1509
1131
dbus.OBJECT_MANAGER_IFACE
1510
1132
except AttributeError:
1511
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1512
1134
1513
1514
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1515
1136
"""A D-Bus object with an ObjectManager.
1516
1137
1517
1138
Classes inheriting from this exposes the standard
1518
1139
GetManagedObjects call and the InterfacesAdded and
1519
1140
InterfacesRemoved signals on the standard
1520
1141
"org.freedesktop.DBus.ObjectManager" interface.
1521
1142
1522
1143
Note: No signals are sent automatically; they must be sent
1523
1144
manually.
1524
1145
"""
1525
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1526
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1527
1148
def GetManagedObjects(self):
1528
1149
"""This function must be overridden"""
1529
1150
raise NotImplementedError()
1530
1151
1531
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1532
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1533
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1534
1155
pass
1535
1536
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1537
1158
def InterfacesRemoved(self, object_path, interfaces):
1538
1159
pass
1539
1160
1540
1161
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1541
out_signature="s",
1542
path_keyword='object_path',
1543
connection_keyword='connection')
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1544
1165
def Introspect(self, object_path, connection):
1545
1166
"""Overloading of standard D-Bus method.
1546
1167
1547
1168
Override return argument name of GetManagedObjects to be
1548
1169
"objpath_interfaces_and_properties"
1549
1170
"""
1552
1173
connection)
1553
1174
try:
1554
1175
document = xml.dom.minidom.parseString(xmlstring)
1555
1176
1556
1177
for if_tag in document.getElementsByTagName("interface"):
1557
1178
# Fix argument name for the GetManagedObjects method
1558
1179
if (if_tag.getAttribute("name")
1559
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1560
1181
for cn in if_tag.getElementsByTagName("method"):
1561
1182
if (cn.getAttribute("name")
1562
1183
== "GetManagedObjects"):
1572
1193
except (AttributeError, xml.dom.DOMException,
1573
1194
xml.parsers.expat.ExpatError) as error:
1574
1195
logger.error("Failed to override Introspection method",
1575
exc_info=error)
1196
exc_info = error)
1576
1197
return xmlstring
1577
1198
1578
1579
1199
def datetime_to_dbus(dt, variant_level=0):
1580
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1581
1201
if dt is None:
1582
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1583
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1584
1204
1585
1205
1588
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1589
1209
interface names according to the "alt_interface_names" mapping.
1590
1210
Usage:
1591
1211
1592
1212
@alternate_dbus_interfaces({"org.example.Interface":
1593
1213
"net.example.AlternateInterface"})
1594
1214
class SampleDBusObject(dbus.service.Object):
1595
1215
@dbus.service.method("org.example.Interface")
1596
1216
def SampleDBusMethod():
1597
1217
pass
1598
1218
1599
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1600
1220
reachable via two interfaces: "org.example.Interface" and
1601
1221
"net.example.AlternateInterface", the latter of which will have
1602
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1603
1223
"true", unless "deprecate" is passed with a False value.
1604
1224
1605
1225
This works for methods and signals, and also for D-Bus properties
1606
1226
(from DBusObjectWithProperties) and interfaces (from the
1607
1227
dbus_interface_annotations decorator).
1608
1228
"""
1609
1229
1610
1230
def wrapper(cls):
1611
1231
for orig_interface_name, alt_interface_name in (
1612
1232
alt_interface_names.items()):
1627
1247
interface_names.add(alt_interface)
1628
1248
# Is this a D-Bus signal?
1629
1249
if getattr(attribute, "_dbus_is_signal", False):
1630
# Extract the original non-method undecorated
1631
# function by black magic
1632
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1633
1253
nonmethod_func = (dict(
1634
1254
zip(attribute.func_code.co_freevars,
1635
1255
attribute.__closure__))
1636
1256
["func"].cell_contents)
1637
1257
else:
1638
nonmethod_func = (dict(
1639
zip(attribute.__code__.co_freevars,
1640
attribute.__closure__))
1641
["func"].cell_contents)
1258
nonmethod_func = attribute
1642
1259
# Create a new, but exactly alike, function
1643
1260
# object, and decorate it to be a new D-Bus signal
1644
1261
# with the alternate D-Bus interface name
1645
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1646
1276
new_function = (dbus.service.signal(
1647
1277
alt_interface,
1648
1278
attribute._dbus_signature)(new_function))
1652
1282
attribute._dbus_annotations)
1653
1283
except AttributeError:
1654
1284
pass
1655
1656
1285
# Define a creator of a function to call both the
1657
1286
# original and alternate functions, so both the
1658
1287
# original and alternate signals gets sent when
1661
1290
"""This function is a scope container to pass
1662
1291
func1 and func2 to the "call_both" function
1663
1292
outside of its arguments"""
1664
1293
1665
1294
@functools.wraps(func2)
1666
1295
def call_both(*args, **kwargs):
1667
1296
"""This function will emit two D-Bus
1668
1297
signals by calling func1 and func2"""
1669
1298
func1(*args, **kwargs)
1670
1299
func2(*args, **kwargs)
1671
# Make wrapper function look like a D-Bus
1672
# signal
1300
# Make wrapper function look like a D-Bus signal
1673
1301
for name, attr in inspect.getmembers(func2):
1674
1302
if name.startswith("_dbus_"):
1675
1303
setattr(call_both, name, attr)
1676
1304
1677
1305
return call_both
1678
1306
# Create the "call_both" function and add it to
1679
1307
# the class
1689
1317
alt_interface,
1690
1318
attribute._dbus_in_signature,
1691
1319
attribute._dbus_out_signature)
1692
(copy_function(attribute)))
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1693
1325
# Copy annotations, if any
1694
1326
try:
1695
1327
attr[attrname]._dbus_annotations = dict(
1707
1339
attribute._dbus_access,
1708
1340
attribute._dbus_get_args_options
1709
1341
["byte_arrays"])
1710
(copy_function(attribute)))
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1711
1348
# Copy annotations, if any
1712
1349
try:
1713
1350
attr[attrname]._dbus_annotations = dict(
1722
1359
# to the class.
1723
1360
attr[attrname] = (
1724
1361
dbus_interface_annotations(alt_interface)
1725
(copy_function(attribute)))
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1726
1367
if deprecate:
1727
1368
# Deprecate all alternate interfaces
1728
iname = "_AlternateDBusNames_interface_annotation{}"
1369
iname="_AlternateDBusNames_interface_annotation{}"
1729
1370
for interface_name in interface_names:
1730
1371
1731
1372
@dbus_interface_annotations(interface_name)
1732
1373
def func(self):
1733
return {"org.freedesktop.DBus.Deprecated":
1734
"true"}
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1735
1376
# Find an unused name
1736
1377
for aname in (iname.format(i)
1737
1378
for i in itertools.count()):
1741
1382
if interface_names:
1742
1383
# Replace the class with a new subclass of it with
1743
1384
# methods, signals, etc. as created above.
1744
if sys.version_info.major == 2:
1745
cls = type(b"{}Alternate".format(cls.__name__),
1746
(cls, ), attr)
1747
else:
1748
cls = type("{}Alternate".format(cls.__name__),
1749
(cls, ), attr)
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1750
1387
return cls
1751
1388
1752
1389
return wrapper
1753
1390
1754
1391
1756
1393
"se.bsnet.fukt.Mandos"})
1757
1394
class ClientDBus(Client, DBusObjectWithProperties):
1758
1395
"""A Client class using D-Bus
1759
1396
1760
1397
Attributes:
1761
1398
dbus_object_path: dbus.ObjectPath
1762
1399
bus: dbus.SystemBus()
1763
1400
"""
1764
1401
1765
1402
runtime_expansions = (Client.runtime_expansions
1766
1403
+ ("dbus_object_path", ))
1767
1404
1768
1405
_interface = "se.recompile.Mandos.Client"
1769
1406
1770
1407
# dbus.service.Object doesn't use super(), so we can't either.
1771
1772
def __init__(self, bus=None, *args, **kwargs):
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1773
1410
self.bus = bus
1774
1411
Client.__init__(self, *args, **kwargs)
1775
1412
# Only now, when this client is initialized, can it show up on
1781
1418
"/clients/" + client_object_name)
1782
1419
DBusObjectWithProperties.__init__(self, self.bus,
1783
1420
self.dbus_object_path)
1784
1421
1785
1422
def notifychangeproperty(transform_func, dbus_name,
1786
1423
type_func=lambda x: x,
1787
1424
variant_level=1,
1789
1426
_interface=_interface):
1790
1427
""" Modify a variable so that it's a property which announces
1791
1428
its changes to DBus.
1792
1429
1793
1430
transform_fun: Function that takes a value and a variant_level
1794
1431
and transforms it to a D-Bus type.
1795
1432
dbus_name: D-Bus name of the variable
1798
1435
variant_level: D-Bus variant level. Default: 1
1799
1436
"""
1800
1437
attrname = "_{}".format(dbus_name)
1801
1438
1802
1439
def setter(self, value):
1803
1440
if hasattr(self, "dbus_object_path"):
1804
1441
if (not hasattr(self, attrname) or
1811
1448
else:
1812
1449
dbus_value = transform_func(
1813
1450
type_func(value),
1814
variant_level=variant_level)
1451
variant_level = variant_level)
1815
1452
self.PropertyChanged(dbus.String(dbus_name),
1816
1453
dbus_value)
1817
1454
self.PropertiesChanged(
1818
1455
_interface,
1819
dbus.Dictionary({dbus.String(dbus_name):
1820
dbus_value}),
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1821
1458
dbus.Array())
1822
1459
setattr(self, attrname, value)
1823
1460
1824
1461
return property(lambda self: getattr(self, attrname), setter)
1825
1462
1826
1463
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1827
1464
approvals_pending = notifychangeproperty(dbus.Boolean,
1828
1465
"ApprovalPending",
1829
type_func=bool)
1466
type_func = bool)
1830
1467
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1831
1468
last_enabled = notifychangeproperty(datetime_to_dbus,
1832
1469
"LastEnabled")
1833
1470
checker = notifychangeproperty(
1834
1471
dbus.Boolean, "CheckerRunning",
1835
type_func=lambda checker: checker is not None)
1472
type_func = lambda checker: checker is not None)
1836
1473
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1837
1474
"LastCheckedOK")
1838
1475
last_checker_status = notifychangeproperty(dbus.Int16,
1843
1480
"ApprovedByDefault")
1844
1481
approval_delay = notifychangeproperty(
1845
1482
dbus.UInt64, "ApprovalDelay",
1846
type_func=lambda td: td.total_seconds() * 1000)
1483
type_func = lambda td: td.total_seconds() * 1000)
1847
1484
approval_duration = notifychangeproperty(
1848
1485
dbus.UInt64, "ApprovalDuration",
1849
type_func=lambda td: td.total_seconds() * 1000)
1486
type_func = lambda td: td.total_seconds() * 1000)
1850
1487
host = notifychangeproperty(dbus.String, "Host")
1851
1488
timeout = notifychangeproperty(
1852
1489
dbus.UInt64, "Timeout",
1853
type_func=lambda td: td.total_seconds() * 1000)
1490
type_func = lambda td: td.total_seconds() * 1000)
1854
1491
extended_timeout = notifychangeproperty(
1855
1492
dbus.UInt64, "ExtendedTimeout",
1856
type_func=lambda td: td.total_seconds() * 1000)
1493
type_func = lambda td: td.total_seconds() * 1000)
1857
1494
interval = notifychangeproperty(
1858
1495
dbus.UInt64, "Interval",
1859
type_func=lambda td: td.total_seconds() * 1000)
1496
type_func = lambda td: td.total_seconds() * 1000)
1860
1497
checker_command = notifychangeproperty(dbus.String, "Checker")
1861
1498
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1862
1499
invalidate_only=True)
1863
1500
1864
1501
del notifychangeproperty
1865
1502
1866
1503
def __del__(self, *args, **kwargs):
1867
1504
try:
1868
1505
self.remove_from_connection()
1871
1508
if hasattr(DBusObjectWithProperties, "__del__"):
1872
1509
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1873
1510
Client.__del__(self, *args, **kwargs)
1874
1511
1875
1512
def checker_callback(self, source, condition,
1876
1513
connection, command, *args, **kwargs):
1877
1514
ret = Client.checker_callback(self, source, condition,
1893
1530
| self.last_checker_signal),
1894
1531
dbus.String(command))
1895
1532
return ret
1896
1533
1897
1534
def start_checker(self, *args, **kwargs):
1898
1535
old_checker_pid = getattr(self.checker, "pid", None)
1899
1536
r = Client.start_checker(self, *args, **kwargs)
1903
1540
# Emit D-Bus signal
1904
1541
self.CheckerStarted(self.current_checker_command)
1905
1542
return r
1906
1543
1907
1544
def _reset_approved(self):
1908
1545
self.approved = None
1909
1546
return False
1910
1547
1911
1548
def approve(self, value=True):
1912
1549
self.approved = value
1913
GLib.timeout_add(int(self.approval_duration.total_seconds()
1914
* 1000), self._reset_approved)
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1915
1552
self.send_changedstate()
1916
1917
# D-Bus methods, signals & properties
1918
1919
# Interfaces
1920
1921
# Signals
1922
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1923
1560
# CheckerCompleted - signal
1924
1561
@dbus.service.signal(_interface, signature="nxs")
1925
1562
def CheckerCompleted(self, exitcode, waitstatus, command):
1926
1563
"D-Bus signal"
1927
1564
pass
1928
1565
1929
1566
# CheckerStarted - signal
1930
1567
@dbus.service.signal(_interface, signature="s")
1931
1568
def CheckerStarted(self, command):
1932
1569
"D-Bus signal"
1933
1570
pass
1934
1571
1935
1572
# PropertyChanged - signal
1936
1573
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1937
1574
@dbus.service.signal(_interface, signature="sv")
1938
1575
def PropertyChanged(self, property, value):
1939
1576
"D-Bus signal"
1940
1577
pass
1941
1578
1942
1579
# GotSecret - signal
1943
1580
@dbus.service.signal(_interface)
1944
1581
def GotSecret(self):
1947
1584
server to mandos-client
1948
1585
"""
1949
1586
pass
1950
1587
1951
1588
# Rejected - signal
1952
1589
@dbus.service.signal(_interface, signature="s")
1953
1590
def Rejected(self, reason):
1954
1591
"D-Bus signal"
1955
1592
pass
1956
1593
1957
1594
# NeedApproval - signal
1958
1595
@dbus.service.signal(_interface, signature="tb")
1959
1596
def NeedApproval(self, timeout, default):
1960
1597
"D-Bus signal"
1961
1598
return self.need_approval()
1962
1963
# Methods
1964
1599
1600
## Methods
1601
1965
1602
# Approve - method
1966
1603
@dbus.service.method(_interface, in_signature="b")
1967
1604
def Approve(self, value):
1968
1605
self.approve(value)
1969
1606
1970
1607
# CheckedOK - method
1971
1608
@dbus.service.method(_interface)
1972
1609
def CheckedOK(self):
1973
1610
self.checked_ok()
1974
1611
1975
1612
# Enable - method
1976
1613
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1977
1614
@dbus.service.method(_interface)
1978
1615
def Enable(self):
1979
1616
"D-Bus method"
1980
1617
self.enable()
1981
1618
1982
1619
# StartChecker - method
1983
1620
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1984
1621
@dbus.service.method(_interface)
1985
1622
def StartChecker(self):
1986
1623
"D-Bus method"
1987
1624
self.start_checker()
1988
1625
1989
1626
# Disable - method
1990
1627
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1991
1628
@dbus.service.method(_interface)
1992
1629
def Disable(self):
1993
1630
"D-Bus method"
1994
1631
self.disable()
1995
1632
1996
1633
# StopChecker - method
1997
1634
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1998
1635
@dbus.service.method(_interface)
1999
1636
def StopChecker(self):
2000
1637
self.stop_checker()
2001
2002
# Properties
2003
1638
1639
## Properties
1640
2004
1641
# ApprovalPending - property
2005
1642
@dbus_service_property(_interface, signature="b", access="read")
2006
1643
def ApprovalPending_dbus_property(self):
2007
1644
return dbus.Boolean(bool(self.approvals_pending))
2008
1645
2009
1646
# ApprovedByDefault - property
2010
1647
@dbus_service_property(_interface,
2011
1648
signature="b",
2014
1651
if value is None: # get
2015
1652
return dbus.Boolean(self.approved_by_default)
2016
1653
self.approved_by_default = bool(value)
2017
1654
2018
1655
# ApprovalDelay - property
2019
1656
@dbus_service_property(_interface,
2020
1657
signature="t",
2024
1661
return dbus.UInt64(self.approval_delay.total_seconds()
2025
1662
* 1000)
2026
1663
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2027
1664
2028
1665
# ApprovalDuration - property
2029
1666
@dbus_service_property(_interface,
2030
1667
signature="t",
2034
1671
return dbus.UInt64(self.approval_duration.total_seconds()
2035
1672
* 1000)
2036
1673
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2037
1674
2038
1675
# Name - property
2039
1676
@dbus_annotations(
2040
1677
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2041
1678
@dbus_service_property(_interface, signature="s", access="read")
2042
1679
def Name_dbus_property(self):
2043
1680
return dbus.String(self.name)
2044
2045
# KeyID - property
2046
@dbus_annotations(
2047
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2048
@dbus_service_property(_interface, signature="s", access="read")
2049
def KeyID_dbus_property(self):
2050
return dbus.String(self.key_id)
2051
1681
2052
1682
# Fingerprint - property
2053
1683
@dbus_annotations(
2054
1684
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2055
1685
@dbus_service_property(_interface, signature="s", access="read")
2056
1686
def Fingerprint_dbus_property(self):
2057
1687
return dbus.String(self.fingerprint)
2058
1688
2059
1689
# Host - property
2060
1690
@dbus_service_property(_interface,
2061
1691
signature="s",
2064
1694
if value is None: # get
2065
1695
return dbus.String(self.host)
2066
1696
self.host = str(value)
2067
1697
2068
1698
# Created - property
2069
1699
@dbus_annotations(
2070
1700
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2071
1701
@dbus_service_property(_interface, signature="s", access="read")
2072
1702
def Created_dbus_property(self):
2073
1703
return datetime_to_dbus(self.created)
2074
1704
2075
1705
# LastEnabled - property
2076
1706
@dbus_service_property(_interface, signature="s", access="read")
2077
1707
def LastEnabled_dbus_property(self):
2078
1708
return datetime_to_dbus(self.last_enabled)
2079
1709
2080
1710
# Enabled - property
2081
1711
@dbus_service_property(_interface,
2082
1712
signature="b",
2088
1718
self.enable()
2089
1719
else:
2090
1720
self.disable()
2091
1721
2092
1722
# LastCheckedOK - property
2093
1723
@dbus_service_property(_interface,
2094
1724
signature="s",
2098
1728
self.checked_ok()
2099
1729
return
2100
1730
return datetime_to_dbus(self.last_checked_ok)
2101
1731
2102
1732
# LastCheckerStatus - property
2103
1733
@dbus_service_property(_interface, signature="n", access="read")
2104
1734
def LastCheckerStatus_dbus_property(self):
2105
1735
return dbus.Int16(self.last_checker_status)
2106
1736
2107
1737
# Expires - property
2108
1738
@dbus_service_property(_interface, signature="s", access="read")
2109
1739
def Expires_dbus_property(self):
2110
1740
return datetime_to_dbus(self.expires)
2111
1741
2112
1742
# LastApprovalRequest - property
2113
1743
@dbus_service_property(_interface, signature="s", access="read")
2114
1744
def LastApprovalRequest_dbus_property(self):
2115
1745
return datetime_to_dbus(self.last_approval_request)
2116
1746
2117
1747
# Timeout - property
2118
1748
@dbus_service_property(_interface,
2119
1749
signature="t",
2134
1764
if (getattr(self, "disable_initiator_tag", None)
2135
1765
is None):
2136
1766
return
2137
GLib.source_remove(self.disable_initiator_tag)
2138
self.disable_initiator_tag = GLib.timeout_add(
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2139
1769
int((self.expires - now).total_seconds() * 1000),
2140
1770
self.disable)
2141
1771
2142
1772
# ExtendedTimeout - property
2143
1773
@dbus_service_property(_interface,
2144
1774
signature="t",
2148
1778
return dbus.UInt64(self.extended_timeout.total_seconds()
2149
1779
* 1000)
2150
1780
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2151
1781
2152
1782
# Interval - property
2153
1783
@dbus_service_property(_interface,
2154
1784
signature="t",
2161
1791
return
2162
1792
if self.enabled:
2163
1793
# Reschedule checker run
2164
GLib.source_remove(self.checker_initiator_tag)
2165
self.checker_initiator_tag = GLib.timeout_add(
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2166
1796
value, self.start_checker)
2167
self.start_checker() # Start one now, too
2168
1797
self.start_checker() # Start one now, too
1798
2169
1799
# Checker - property
2170
1800
@dbus_service_property(_interface,
2171
1801
signature="s",
2174
1804
if value is None: # get
2175
1805
return dbus.String(self.checker_command)
2176
1806
self.checker_command = str(value)
2177
1807
2178
1808
# CheckerRunning - property
2179
1809
@dbus_service_property(_interface,
2180
1810
signature="b",
2186
1816
self.start_checker()
2187
1817
else:
2188
1818
self.stop_checker()
2189
1819
2190
1820
# ObjectPath - property
2191
1821
@dbus_annotations(
2192
1822
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2193
1823
"org.freedesktop.DBus.Deprecated": "true"})
2194
1824
@dbus_service_property(_interface, signature="o", access="read")
2195
1825
def ObjectPath_dbus_property(self):
2196
return self.dbus_object_path # is already a dbus.ObjectPath
2197
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2198
1828
# Secret = property
2199
1829
@dbus_annotations(
2200
1830
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2205
1835
byte_arrays=True)
2206
1836
def Secret_dbus_property(self, value):
2207
1837
self.secret = bytes(value)
2208
1838
2209
1839
del _interface
2210
1840
2211
1841
2212
1842
class ProxyClient(object):
2213
def __init__(self, child_pipe, key_id, fpr, address):
1843
def __init__(self, child_pipe, fpr, address):
2214
1844
self._pipe = child_pipe
2215
self._pipe.send(('init', key_id, fpr, address))
1845
self._pipe.send(('init', fpr, address))
2216
1846
if not self._pipe.recv():
2217
raise KeyError(key_id or fpr)
2218
1847
raise KeyError(fpr)
1848
2219
1849
def __getattribute__(self, name):
2220
1850
if name == '_pipe':
2221
1851
return super(ProxyClient, self).__getattribute__(name)
2224
1854
if data[0] == 'data':
2225
1855
return data[1]
2226
1856
if data[0] == 'function':
2227
1857
2228
1858
def func(*args, **kwargs):
2229
1859
self._pipe.send(('funcall', name, args, kwargs))
2230
1860
return self._pipe.recv()[1]
2231
1861
2232
1862
return func
2233
1863
2234
1864
def __setattr__(self, name, value):
2235
1865
if name == '_pipe':
2236
1866
return super(ProxyClient, self).__setattr__(name, value)
2239
1869
2240
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2241
1871
"""A class to handle client connections.
2242
1872
2243
1873
Instantiated once for each connection to handle it.
2244
1874
Note: This will run in its own forked process."""
2245
1875
2246
1876
def handle(self):
2247
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2248
1878
logger.info("TCP connection from: %s",
2249
1879
str(self.client_address))
2250
1880
logger.debug("Pipe FD: %d",
2251
1881
self.server.child_pipe.fileno())
2252
2253
session = gnutls.ClientSession(self.request)
2254
2255
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2256
# "+AES-256-CBC", "+SHA1",
2257
# "+COMP-NULL", "+CTYPE-OPENPGP",
2258
# "+DHE-DSS"))
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2259
1895
# Use a fallback default, since this MUST be set.
2260
1896
priority = self.server.gnutls_priority
2261
1897
if priority is None:
2262
1898
priority = "NORMAL"
2263
gnutls.priority_set_direct(session._c_object,
2264
priority.encode("utf-8"),
2265
None)
2266
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2267
1902
# Start communication using the Mandos protocol
2268
1903
# Get protocol number
2269
1904
line = self.request.makefile().readline()
2274
1909
except (ValueError, IndexError, RuntimeError) as error:
2275
1910
logger.error("Unknown protocol version: %s", error)
2276
1911
return
2277
1912
2278
1913
# Start GnuTLS connection
2279
1914
try:
2280
1915
session.handshake()
2281
except gnutls.Error as error:
1916
except gnutls.errors.GNUTLSError as error:
2282
1917
logger.warning("Handshake failed: %s", error)
2283
1918
# Do not run session.bye() here: the session is not
2284
1919
# established. Just abandon the request.
2285
1920
return
2286
1921
logger.debug("Handshake succeeded")
2287
1922
2288
1923
approval_required = False
2289
1924
try:
2290
if gnutls.has_rawpk:
2291
fpr = b""
2292
try:
2293
key_id = self.key_id(
2294
self.peer_certificate(session))
2295
except (TypeError, gnutls.Error) as error:
2296
logger.warning("Bad certificate: %s", error)
2297
return
2298
logger.debug("Key ID: %s", key_id)
2299
2300
else:
2301
key_id = b""
2302
try:
2303
fpr = self.fingerprint(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2307
return
2308
logger.debug("Fingerprint: %s", fpr)
2309
2310
try:
2311
client = ProxyClient(child_pipe, key_id, fpr,
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2312
1936
self.client_address)
2313
1937
except KeyError:
2314
1938
return
2315
1939
2316
1940
if client.approval_delay:
2317
1941
delay = client.approval_delay
2318
1942
client.approvals_pending += 1
2319
1943
approval_required = True
2320
1944
2321
1945
while True:
2322
1946
if not client.enabled:
2323
1947
logger.info("Client %s is disabled",
2326
1950
# Emit D-Bus signal
2327
1951
client.Rejected("Disabled")
2328
1952
return
2329
1953
2330
1954
if client.approved or not client.approval_delay:
2331
# We are approved or approval is disabled
1955
#We are approved or approval is disabled
2332
1956
break
2333
1957
elif client.approved is None:
2334
1958
logger.info("Client %s needs approval",
2345
1969
# Emit D-Bus signal
2346
1970
client.Rejected("Denied")
2347
1971
return
2348
2349
# wait until timeout or approved
1972
1973
#wait until timeout or approved
2350
1974
time = datetime.datetime.now()
2351
1975
client.changedstate.acquire()
2352
1976
client.changedstate.wait(delay.total_seconds())
2365
1989
break
2366
1990
else:
2367
1991
delay -= time2 - time
2368
2369
try:
2370
session.send(client.secret)
2371
except gnutls.Error as error:
2372
logger.warning("gnutls send failed",
2373
exc_info=error)
2374
return
2375
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2376
2006
logger.info("Sending secret to %s", client.name)
2377
2007
# bump the timeout using extended_timeout
2378
2008
client.bump_timeout(client.extended_timeout)
2379
2009
if self.server.use_dbus:
2380
2010
# Emit D-Bus signal
2381
2011
client.GotSecret()
2382
2012
2383
2013
finally:
2384
2014
if approval_required:
2385
2015
client.approvals_pending -= 1
2386
2016
try:
2387
2017
session.bye()
2388
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2389
2019
logger.warning("GnuTLS bye failed",
2390
2020
exc_info=error)
2391
2021
2392
2022
@staticmethod
2393
2023
def peer_certificate(session):
2394
"Return the peer's certificate as a bytestring"
2395
try:
2396
cert_type = gnutls.certificate_type_get2(session._c_object,
2397
gnutls.CTYPE_PEERS)
2398
except AttributeError:
2399
cert_type = gnutls.certificate_type_get(session._c_object)
2400
if gnutls.has_rawpk:
2401
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2402
else:
2403
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2404
# If not a valid certificate type...
2405
if cert_type not in valid_cert_types:
2406
logger.info("Cert type %r not in %r", cert_type,
2407
valid_cert_types)
2408
# ...return invalid data
2409
return b""
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2410
2031
list_size = ctypes.c_uint(1)
2411
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2412
2034
(session._c_object, ctypes.byref(list_size)))
2413
2035
if not bool(cert_list) and list_size.value != 0:
2414
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2415
2038
if list_size.value == 0:
2416
2039
return None
2417
2040
cert = cert_list[0]
2418
2041
return ctypes.string_at(cert.data, cert.size)
2419
2420
@staticmethod
2421
def key_id(certificate):
2422
"Convert a certificate bytestring to a hexdigit key ID"
2423
# New GnuTLS "datum" with the public key
2424
datum = gnutls.datum_t(
2425
ctypes.cast(ctypes.c_char_p(certificate),
2426
ctypes.POINTER(ctypes.c_ubyte)),
2427
ctypes.c_uint(len(certificate)))
2428
# XXX all these need to be created in the gnutls "module"
2429
# New empty GnuTLS certificate
2430
pubkey = gnutls.pubkey_t()
2431
gnutls.pubkey_init(ctypes.byref(pubkey))
2432
# Import the raw public key into the certificate
2433
gnutls.pubkey_import(pubkey,
2434
ctypes.byref(datum),
2435
gnutls.X509_FMT_DER)
2436
# New buffer for the key ID
2437
buf = ctypes.create_string_buffer(32)
2438
buf_len = ctypes.c_size_t(len(buf))
2439
# Get the key ID from the raw public key into the buffer
2440
gnutls.pubkey_get_key_id(pubkey,
2441
gnutls.KEYID_USE_SHA256,
2442
ctypes.cast(ctypes.byref(buf),
2443
ctypes.POINTER(ctypes.c_ubyte)),
2444
ctypes.byref(buf_len))
2445
# Deinit the certificate
2446
gnutls.pubkey_deinit(pubkey)
2447
2448
# Convert the buffer to a Python bytestring
2449
key_id = ctypes.string_at(buf, buf_len.value)
2450
# Convert the bytestring to hexadecimal notation
2451
hex_key_id = binascii.hexlify(key_id).upper()
2452
return hex_key_id
2453
2042
2454
2043
@staticmethod
2455
2044
def fingerprint(openpgp):
2456
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2457
2046
# New GnuTLS "datum" with the OpenPGP public key
2458
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2459
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2460
2049
ctypes.POINTER(ctypes.c_ubyte)),
2461
2050
ctypes.c_uint(len(openpgp)))
2462
2051
# New empty GnuTLS certificate
2463
crt = gnutls.openpgp_crt_t()
2464
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2465
2055
# Import the OpenPGP public key into the certificate
2466
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2467
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2468
2059
# Verify the self signature in the key
2469
2060
crtverify = ctypes.c_uint()
2470
gnutls.openpgp_crt_verify_self(crt, 0,
2471
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2472
2063
if crtverify.value != 0:
2473
gnutls.openpgp_crt_deinit(crt)
2474
raise gnutls.CertificateSecurityError(code
2475
=crtverify.value)
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2476
2067
# New buffer for the fingerprint
2477
2068
buf = ctypes.create_string_buffer(20)
2478
2069
buf_len = ctypes.c_size_t()
2479
2070
# Get the fingerprint from the certificate into the buffer
2480
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2481
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2482
2073
# Deinit the certificate
2483
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2484
2075
# Convert the buffer to a Python bytestring
2485
2076
fpr = ctypes.string_at(buf, buf_len.value)
2486
2077
# Convert the bytestring to hexadecimal notation
2490
2081
2491
2082
class MultiprocessingMixIn(object):
2492
2083
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2493
2084
2494
2085
def sub_process_main(self, request, address):
2495
2086
try:
2496
2087
self.finish_request(request, address)
2497
2088
except Exception:
2498
2089
self.handle_error(request, address)
2499
2090
self.close_request(request)
2500
2091
2501
2092
def process_request(self, request, address):
2502
2093
"""Start a new process to process the request."""
2503
proc = multiprocessing.Process(target=self.sub_process_main,
2504
args=(request, address))
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2505
2096
proc.start()
2506
2097
return proc
2507
2098
2508
2099
2509
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2510
2101
""" adds a pipe to the MixIn """
2511
2102
2512
2103
def process_request(self, request, client_address):
2513
2104
"""Overrides and wraps the original process_request().
2514
2105
2515
2106
This function creates a new pipe in self.pipe
2516
2107
"""
2517
2108
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2518
2109
2519
2110
proc = MultiprocessingMixIn.process_request(self, request,
2520
2111
client_address)
2521
2112
self.child_pipe.close()
2522
2113
self.add_pipe(parent_pipe, proc)
2523
2114
2524
2115
def add_pipe(self, parent_pipe, proc):
2525
2116
"""Dummy function; override as necessary"""
2526
2117
raise NotImplementedError()
2529
2120
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2530
2121
socketserver.TCPServer, object):
2531
2122
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2532
2123
2533
2124
Attributes:
2534
2125
enabled: Boolean; whether this server is activated yet
2535
2126
interface: None or a network interface name (string)
2536
2127
use_ipv6: Boolean; to use IPv6 or not
2537
2128
"""
2538
2129
2539
2130
def __init__(self, server_address, RequestHandlerClass,
2540
2131
interface=None,
2541
2132
use_ipv6=True,
2551
2142
self.socketfd = socketfd
2552
2143
# Save the original socket.socket() function
2553
2144
self.socket_socket = socket.socket
2554
2555
2145
# To implement --socket, we monkey patch socket.socket.
2556
#
2146
#
2557
2147
# (When socketserver.TCPServer is a new-style class, we
2558
2148
# could make self.socket into a property instead of monkey
2559
2149
# patching socket.socket.)
2560
#
2150
#
2561
2151
# Create a one-time-only replacement for socket.socket()
2562
2152
@functools.wraps(socket.socket)
2563
2153
def socket_wrapper(*args, **kwargs):
2575
2165
# socket_wrapper(), if socketfd was set.
2576
2166
socketserver.TCPServer.__init__(self, server_address,
2577
2167
RequestHandlerClass)
2578
2168
2579
2169
def server_bind(self):
2580
2170
"""This overrides the normal server_bind() function
2581
2171
to bind to an interface if one was specified, and also NOT to
2582
2172
bind to an address or port if they were not specified."""
2583
global SO_BINDTODEVICE
2584
2173
if self.interface is not None:
2585
2174
if SO_BINDTODEVICE is None:
2586
# Fall back to a hard-coded value which seems to be
2587
# common enough.
2588
logger.warning("SO_BINDTODEVICE not found, trying 25")
2589
SO_BINDTODEVICE = 25
2590
try:
2591
self.socket.setsockopt(
2592
socket.SOL_SOCKET, SO_BINDTODEVICE,
2593
(self.interface + "\0").encode("utf-8"))
2594
except socket.error as error:
2595
if error.errno == errno.EPERM:
2596
logger.error("No permission to bind to"
2597
" interface %s", self.interface)
2598
elif error.errno == errno.ENOPROTOOPT:
2599
logger.error("SO_BINDTODEVICE not available;"
2600
" cannot bind to interface %s",
2601
self.interface)
2602
elif error.errno == errno.ENODEV:
2603
logger.error("Interface %s does not exist,"
2604
" cannot bind", self.interface)
2605
else:
2606
raise
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2607
2196
# Only bind(2) the socket if we really need to.
2608
2197
if self.server_address[0] or self.server_address[1]:
2609
if self.server_address[1]:
2610
self.allow_reuse_address = True
2611
2198
if not self.server_address[0]:
2612
2199
if self.address_family == socket.AF_INET6:
2613
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2614
2201
else:
2615
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2616
2203
self.server_address = (any_address,
2617
2204
self.server_address[1])
2618
2205
elif not self.server_address[1]:
2628
2215
2629
2216
class MandosServer(IPv6_TCPServer):
2630
2217
"""Mandos server.
2631
2218
2632
2219
Attributes:
2633
2220
clients: set of Client objects
2634
2221
gnutls_priority GnuTLS priority string
2635
2222
use_dbus: Boolean; to emit D-Bus signals or not
2636
2637
Assumes a GLib.MainLoop event loop.
2223
2224
Assumes a gobject.MainLoop event loop.
2638
2225
"""
2639
2226
2640
2227
def __init__(self, server_address, RequestHandlerClass,
2641
2228
interface=None,
2642
2229
use_ipv6=True,
2652
2239
self.gnutls_priority = gnutls_priority
2653
2240
IPv6_TCPServer.__init__(self, server_address,
2654
2241
RequestHandlerClass,
2655
interface=interface,
2656
use_ipv6=use_ipv6,
2657
socketfd=socketfd)
2658
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2659
2246
def server_activate(self):
2660
2247
if self.enabled:
2661
2248
return socketserver.TCPServer.server_activate(self)
2662
2249
2663
2250
def enable(self):
2664
2251
self.enabled = True
2665
2252
2666
2253
def add_pipe(self, parent_pipe, proc):
2667
2254
# Call "handle_ipc" for both data and EOF events
2668
GLib.io_add_watch(
2255
gobject.io_add_watch(
2669
2256
parent_pipe.fileno(),
2670
GLib.IO_IN | GLib.IO_HUP,
2257
gobject.IO_IN | gobject.IO_HUP,
2671
2258
functools.partial(self.handle_ipc,
2672
parent_pipe=parent_pipe,
2673
proc=proc))
2674
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2675
2262
def handle_ipc(self, source, condition,
2676
2263
parent_pipe=None,
2677
proc=None,
2264
proc = None,
2678
2265
client_object=None):
2679
2266
# error, or the other end of multiprocessing.Pipe has closed
2680
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2681
2268
# Wait for other process to exit
2682
2269
proc.join()
2683
2270
return False
2684
2271
2685
2272
# Read a request from the child
2686
2273
request = parent_pipe.recv()
2687
2274
command = request[0]
2688
2275
2689
2276
if command == 'init':
2690
key_id = request[1].decode("ascii")
2691
fpr = request[2].decode("ascii")
2692
address = request[3]
2693
2694
for c in self.clients.values():
2695
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2696
continue
2697
if key_id and c.key_id == key_id:
2698
client = c
2699
break
2700
if fpr and c.fingerprint == fpr:
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2701
2282
client = c
2702
2283
break
2703
2284
else:
2704
logger.info("Client not found for key ID: %s, address"
2705
": %s", key_id or fpr, address)
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2706
2287
if self.use_dbus:
2707
2288
# Emit D-Bus signal
2708
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
mandos_dbus_service.ClientNotFound(fpr,
2709
2290
address[0])
2710
2291
parent_pipe.send(False)
2711
2292
return False
2712
2713
GLib.io_add_watch(
2293
2294
gobject.io_add_watch(
2714
2295
parent_pipe.fileno(),
2715
GLib.IO_IN | GLib.IO_HUP,
2296
gobject.IO_IN | gobject.IO_HUP,
2716
2297
functools.partial(self.handle_ipc,
2717
parent_pipe=parent_pipe,
2718
proc=proc,
2719
client_object=client))
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2720
2301
parent_pipe.send(True)
2721
2302
# remove the old hook in favor of the new above hook on
2722
2303
# same fileno
2725
2306
funcname = request[1]
2726
2307
args = request[2]
2727
2308
kwargs = request[3]
2728
2309
2729
2310
parent_pipe.send(('data', getattr(client_object,
2730
2311
funcname)(*args,
2731
2312
**kwargs)))
2732
2313
2733
2314
if command == 'getattr':
2734
2315
attrname = request[1]
2735
2316
if isinstance(client_object.__getattribute__(attrname),
2738
2319
else:
2739
2320
parent_pipe.send((
2740
2321
'data', client_object.__getattribute__(attrname)))
2741
2322
2742
2323
if command == 'setattr':
2743
2324
attrname = request[1]
2744
2325
value = request[2]
2745
2326
setattr(client_object, attrname, value)
2746
2327
2747
2328
return True
2748
2329
2749
2330
2750
2331
def rfc3339_duration_to_delta(duration):
2751
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2752
2333
2753
2334
>>> rfc3339_duration_to_delta("P7D")
2754
2335
datetime.timedelta(7)
2755
2336
>>> rfc3339_duration_to_delta("PT60S")
2765
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2766
2347
datetime.timedelta(1, 200)
2767
2348
"""
2768
2349
2769
2350
# Parsing an RFC 3339 duration with regular expressions is not
2770
2351
# possible - there would have to be multiple places for the same
2771
2352
# values, like seconds. The current code, while more esoteric, is
2772
2353
# cleaner without depending on a parsing library. If Python had a
2773
2354
# built-in library for parsing we would use it, but we'd like to
2774
2355
# avoid excessive use of external libraries.
2775
2356
2776
2357
# New type for defining tokens, syntax, and semantics all-in-one
2777
2358
Token = collections.namedtuple("Token", (
2778
2359
"regexp", # To match token; if "value" is not None, must have
2811
2392
frozenset((token_year, token_month,
2812
2393
token_day, token_time,
2813
2394
token_week)))
2814
# Define starting values:
2815
# Value so far
2816
value = datetime.timedelta()
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2817
2397
found_token = None
2818
# Following valid tokens
2819
followers = frozenset((token_duration, ))
2820
# String left to parse
2821
s = duration
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2822
2400
# Loop until end token is found
2823
2401
while found_token is not token_end:
2824
2402
# Search for any currently valid tokens
2848
2426
2849
2427
def string_to_delta(interval):
2850
2428
"""Parse a string and return a datetime.timedelta
2851
2429
2852
2430
>>> string_to_delta('7d')
2853
2431
datetime.timedelta(7)
2854
2432
>>> string_to_delta('60s')
2862
2440
>>> string_to_delta('5m 30s')
2863
2441
datetime.timedelta(0, 330)
2864
2442
"""
2865
2443
2866
2444
try:
2867
2445
return rfc3339_duration_to_delta(interval)
2868
2446
except ValueError:
2869
2447
pass
2870
2448
2871
2449
timevalue = datetime.timedelta(0)
2872
2450
for s in interval.split():
2873
2451
try:
2891
2469
return timevalue
2892
2470
2893
2471
2894
def daemon(nochdir=False, noclose=False):
2472
def daemon(nochdir = False, noclose = False):
2895
2473
"""See daemon(3). Standard BSD Unix function.
2896
2474
2897
2475
This should really exist as os.daemon, but it doesn't (yet)."""
2898
2476
if os.fork():
2899
2477
sys.exit()
2917
2495
2918
2496
2919
2497
def main():
2920
2498
2921
2499
##################################################################
2922
2500
# Parsing of options, both command line and config file
2923
2501
2924
2502
parser = argparse.ArgumentParser()
2925
2503
parser.add_argument("-v", "--version", action="version",
2926
version="%(prog)s {}".format(version),
2504
version = "%(prog)s {}".format(version),
2927
2505
help="show version number and exit")
2928
2506
parser.add_argument("-i", "--interface", metavar="IF",
2929
2507
help="Bind to interface IF")
2965
2543
parser.add_argument("--no-zeroconf", action="store_false",
2966
2544
dest="zeroconf", help="Do not use Zeroconf",
2967
2545
default=None)
2968
2546
2969
2547
options = parser.parse_args()
2970
2548
2971
2549
if options.check:
2972
2550
import doctest
2973
2551
fail_count, test_count = doctest.testmod()
2974
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2975
2553
2976
2554
# Default values for config file for server-global settings
2977
if gnutls.has_rawpk:
2978
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2979
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2980
else:
2981
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2982
":+SIGN-DSA-SHA256")
2983
server_defaults = {"interface": "",
2984
"address": "",
2985
"port": "",
2986
"debug": "False",
2987
"priority": priority,
2988
"servicename": "Mandos",
2989
"use_dbus": "True",
2990
"use_ipv6": "True",
2991
"debuglevel": "",
2992
"restore": "True",
2993
"socket": "",
2994
"statedir": "/var/lib/mandos",
2995
"foreground": "False",
2996
"zeroconf": "True",
2997
}
2998
del priority
2999
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3000
2573
# Parse config file for server-global settings
3001
2574
server_config = configparser.SafeConfigParser(server_defaults)
3002
2575
del server_defaults
3004
2577
# Convert the SafeConfigParser object to a dict
3005
2578
server_settings = server_config.defaults()
3006
2579
# Use the appropriate methods on the non-string config options
3007
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3008
"foreground", "zeroconf"):
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3009
2581
server_settings[option] = server_config.getboolean("DEFAULT",
3010
2582
option)
3011
2583
if server_settings["port"]:
3021
2593
server_settings["socket"] = os.dup(server_settings
3022
2594
["socket"])
3023
2595
del server_config
3024
2596
3025
2597
# Override the settings from the config file with command line
3026
2598
# options, if set.
3027
2599
for option in ("interface", "address", "port", "debug",
3045
2617
if server_settings["debug"]:
3046
2618
server_settings["foreground"] = True
3047
2619
# Now we have our good server settings in "server_settings"
3048
2620
3049
2621
##################################################################
3050
2622
3051
2623
if (not server_settings["zeroconf"]
3052
2624
and not (server_settings["port"]
3053
2625
or server_settings["socket"] != "")):
3054
2626
parser.error("Needs port or socket to work without Zeroconf")
3055
2627
3056
2628
# For convenience
3057
2629
debug = server_settings["debug"]
3058
2630
debuglevel = server_settings["debuglevel"]
3062
2634
stored_state_file)
3063
2635
foreground = server_settings["foreground"]
3064
2636
zeroconf = server_settings["zeroconf"]
3065
2637
3066
2638
if debug:
3067
2639
initlogger(debug, logging.DEBUG)
3068
2640
else:
3071
2643
else:
3072
2644
level = getattr(logging, debuglevel.upper())
3073
2645
initlogger(debug, level)
3074
2646
3075
2647
if server_settings["servicename"] != "Mandos":
3076
2648
syslogger.setFormatter(
3077
2649
logging.Formatter('Mandos ({}) [%(process)d]:'
3078
2650
' %(levelname)s: %(message)s'.format(
3079
2651
server_settings["servicename"])))
3080
2652
3081
2653
# Parse config file with clients
3082
2654
client_config = configparser.SafeConfigParser(Client
3083
2655
.client_defaults)
3084
2656
client_config.read(os.path.join(server_settings["configdir"],
3085
2657
"clients.conf"))
3086
2658
3087
2659
global mandos_dbus_service
3088
2660
mandos_dbus_service = None
3089
2661
3090
2662
socketfd = None
3091
2663
if server_settings["socket"] != "":
3092
2664
socketfd = server_settings["socket"]
3108
2680
except IOError as e:
3109
2681
logger.error("Could not open file %r", pidfilename,
3110
2682
exc_info=e)
3111
3112
for name, group in (("_mandos", "_mandos"),
3113
("mandos", "mandos"),
3114
("nobody", "nogroup")):
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3115
2685
try:
3116
2686
uid = pwd.getpwnam(name).pw_uid
3117
gid = pwd.getpwnam(group).pw_gid
2687
gid = pwd.getpwnam(name).pw_gid
3118
2688
break
3119
2689
except KeyError:
3120
2690
continue
3124
2694
try:
3125
2695
os.setgid(gid)
3126
2696
os.setuid(uid)
3127
if debug:
3128
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3129
gid))
3130
2697
except OSError as error:
3131
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3132
.format(uid, gid, os.strerror(error.errno)))
3133
2698
if error.errno != errno.EPERM:
3134
2699
raise
3135
2700
3136
2701
if debug:
3137
2702
# Enable all possible GnuTLS debugging
3138
2703
3139
2704
# "Use a log level over 10 to enable all debugging options."
3140
2705
# - GnuTLS manual
3141
gnutls.global_set_log_level(11)
3142
3143
@gnutls.log_func
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3144
2709
def debug_gnutls(level, string):
3145
2710
logger.debug("GnuTLS: %s", string[:-1])
3146
3147
gnutls.global_set_log_function(debug_gnutls)
3148
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3149
2715
# Redirect stdin so all checkers get /dev/null
3150
2716
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3151
2717
os.dup2(null, sys.stdin.fileno())
3152
2718
if null > 2:
3153
2719
os.close(null)
3154
2720
3155
2721
# Need to fork before connecting to D-Bus
3156
2722
if not foreground:
3157
2723
# Close all input and output, do double fork, etc.
3158
2724
daemon()
3159
3160
# multiprocessing will use threads, so before we use GLib we need
3161
# to inform GLib that threads will be used.
3162
GLib.threads_init()
3163
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3164
2730
global main_loop
3165
2731
# From the Avahi example code
3166
2732
DBusGMainLoop(set_as_default=True)
3167
main_loop = GLib.MainLoop()
2733
main_loop = gobject.MainLoop()
3168
2734
bus = dbus.SystemBus()
3169
2735
# End of Avahi example code
3170
2736
if use_dbus:
3183
2749
if zeroconf:
3184
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3185
2751
service = AvahiServiceToSyslog(
3186
name=server_settings["servicename"],
3187
servicetype="_mandos._tcp",
3188
protocol=protocol,
3189
bus=bus)
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3190
2756
if server_settings["interface"]:
3191
2757
service.interface = if_nametoindex(
3192
2758
server_settings["interface"].encode("utf-8"))
3193
2759
3194
2760
global multiprocessing_manager
3195
2761
multiprocessing_manager = multiprocessing.Manager()
3196
2762
3197
2763
client_class = Client
3198
2764
if use_dbus:
3199
client_class = functools.partial(ClientDBus, bus=bus)
3200
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3201
2767
client_settings = Client.config_parser(client_config)
3202
2768
old_client_settings = {}
3203
2769
clients_data = {}
3204
2770
3205
2771
# This is used to redirect stdout and stderr for checker processes
3206
2772
global wnull
3207
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3208
2774
# Only used if server is running in foreground but not in debug
3209
2775
# mode
3210
2776
if debug or not foreground:
3211
2777
wnull.close()
3212
2778
3213
2779
# Get client data and settings from last running state.
3214
2780
if server_settings["restore"]:
3215
2781
try:
3216
2782
with open(stored_state_path, "rb") as stored_state:
3217
if sys.version_info.major == 2:
3218
clients_data, old_client_settings = pickle.load(
3219
stored_state)
3220
else:
3221
bytes_clients_data, bytes_old_client_settings = (
3222
pickle.load(stored_state, encoding="bytes"))
3223
# Fix bytes to strings
3224
# clients_data
3225
# .keys()
3226
clients_data = {(key.decode("utf-8")
3227
if isinstance(key, bytes)
3228
else key): value
3229
for key, value in
3230
bytes_clients_data.items()}
3231
del bytes_clients_data
3232
for key in clients_data:
3233
value = {(k.decode("utf-8")
3234
if isinstance(k, bytes) else k): v
3235
for k, v in
3236
clients_data[key].items()}
3237
clients_data[key] = value
3238
# .client_structure
3239
value["client_structure"] = [
3240
(s.decode("utf-8")
3241
if isinstance(s, bytes)
3242
else s) for s in
3243
value["client_structure"]]
3244
# .name & .host
3245
for k in ("name", "host"):
3246
if isinstance(value[k], bytes):
3247
value[k] = value[k].decode("utf-8")
3248
if "key_id" not in value:
3249
value["key_id"] = ""
3250
elif "fingerprint" not in value:
3251
value["fingerprint"] = ""
3252
# old_client_settings
3253
# .keys()
3254
old_client_settings = {
3255
(key.decode("utf-8")
3256
if isinstance(key, bytes)
3257
else key): value
3258
for key, value in
3259
bytes_old_client_settings.items()}
3260
del bytes_old_client_settings
3261
# .host
3262
for value in old_client_settings.values():
3263
if isinstance(value["host"], bytes):
3264
value["host"] = (value["host"]
3265
.decode("utf-8"))
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3266
2785
os.remove(stored_state_path)
3267
2786
except IOError as e:
3268
2787
if e.errno == errno.ENOENT:
3276
2795
logger.warning("Could not load persistent state: "
3277
2796
"EOFError:",
3278
2797
exc_info=e)
3279
2798
3280
2799
with PGPEngine() as pgp:
3281
2800
for client_name, client in clients_data.items():
3282
2801
# Skip removed clients
3283
2802
if client_name not in client_settings:
3284
2803
continue
3285
2804
3286
2805
# Decide which value to use after restoring saved state.
3287
2806
# We have three different values: Old config file,
3288
2807
# new config file, and saved state.
3299
2818
client[name] = value
3300
2819
except KeyError:
3301
2820
pass
3302
2821
3303
2822
# Clients who has passed its expire date can still be
3304
2823
# enabled if its last checker was successful. A Client
3305
2824
# whose checker succeeded before we stored its state is
3338
2857
client_name))
3339
2858
client["secret"] = (client_settings[client_name]
3340
2859
["secret"])
3341
2860
3342
2861
# Add/remove clients based on new changes made to config
3343
2862
for client_name in (set(old_client_settings)
3344
2863
- set(client_settings)):
3346
2865
for client_name in (set(client_settings)
3347
2866
- set(old_client_settings)):
3348
2867
clients_data[client_name] = client_settings[client_name]
3349
2868
3350
2869
# Create all client objects
3351
2870
for client_name, client in clients_data.items():
3352
2871
tcp_server.clients[client_name] = client_class(
3353
name=client_name,
3354
settings=client,
3355
server_settings=server_settings)
3356
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3357
2876
if not tcp_server.clients:
3358
2877
logger.warning("No clients defined")
3359
2878
3360
2879
if not foreground:
3361
2880
if pidfile is not None:
3362
2881
pid = os.getpid()
3368
2887
pidfilename, pid)
3369
2888
del pidfile
3370
2889
del pidfilename
3371
3372
for termsig in (signal.SIGHUP, signal.SIGTERM):
3373
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3374
lambda: main_loop.quit() and False)
3375
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3376
2894
if use_dbus:
3377
2895
3378
2896
@alternate_dbus_interfaces(
3379
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3380
2898
class MandosDBusService(DBusObjectWithObjectManager):
3381
2899
"""A D-Bus proxy object"""
3382
2900
3383
2901
def __init__(self):
3384
2902
dbus.service.Object.__init__(self, bus, "/")
3385
2903
3386
2904
_interface = "se.recompile.Mandos"
3387
2905
3388
2906
@dbus.service.signal(_interface, signature="o")
3389
2907
def ClientAdded(self, objpath):
3390
2908
"D-Bus signal"
3391
2909
pass
3392
2910
3393
2911
@dbus.service.signal(_interface, signature="ss")
3394
def ClientNotFound(self, key_id, address):
2912
def ClientNotFound(self, fingerprint, address):
3395
2913
"D-Bus signal"
3396
2914
pass
3397
2915
3398
2916
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3399
2917
"true"})
3400
2918
@dbus.service.signal(_interface, signature="os")
3401
2919
def ClientRemoved(self, objpath, name):
3402
2920
"D-Bus signal"
3403
2921
pass
3404
2922
3405
2923
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3406
2924
"true"})
3407
2925
@dbus.service.method(_interface, out_signature="ao")
3408
2926
def GetAllClients(self):
3409
2927
"D-Bus method"
3410
2928
return dbus.Array(c.dbus_object_path for c in
3411
tcp_server.clients.values())
3412
2929
tcp_server.clients.itervalues())
2930
3413
2931
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3414
2932
"true"})
3415
2933
@dbus.service.method(_interface,
3417
2935
def GetAllClientsWithProperties(self):
3418
2936
"D-Bus method"
3419
2937
return dbus.Dictionary(
3420
{c.dbus_object_path: c.GetAll(
2938
{ c.dbus_object_path: c.GetAll(
3421
2939
"se.recompile.Mandos.Client")
3422
for c in tcp_server.clients.values()},
2940
for c in tcp_server.clients.itervalues() },
3423
2941
signature="oa{sv}")
3424
2942
3425
2943
@dbus.service.method(_interface, in_signature="o")
3426
2944
def RemoveClient(self, object_path):
3427
2945
"D-Bus method"
3428
for c in tcp_server.clients.values():
2946
for c in tcp_server.clients.itervalues():
3429
2947
if c.dbus_object_path == object_path:
3430
2948
del tcp_server.clients[c.name]
3431
2949
c.remove_from_connection()
3435
2953
self.client_removed_signal(c)
3436
2954
return
3437
2955
raise KeyError(object_path)
3438
2956
3439
2957
del _interface
3440
2958
3441
2959
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3442
out_signature="a{oa{sa{sv}}}")
2960
out_signature = "a{oa{sa{sv}}}")
3443
2961
def GetManagedObjects(self):
3444
2962
"""D-Bus method"""
3445
2963
return dbus.Dictionary(
3446
{client.dbus_object_path:
3447
dbus.Dictionary(
3448
{interface: client.GetAll(interface)
3449
for interface in
3450
client._get_all_interface_names()})
3451
for client in tcp_server.clients.values()})
3452
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3453
2971
def client_added_signal(self, client):
3454
2972
"""Send the new standard signal and the old signal"""
3455
2973
if use_dbus:
3457
2975
self.InterfacesAdded(
3458
2976
client.dbus_object_path,
3459
2977
dbus.Dictionary(
3460
{interface: client.GetAll(interface)
3461
for interface in
3462
client._get_all_interface_names()}))
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3463
2981
# Old signal
3464
2982
self.ClientAdded(client.dbus_object_path)
3465
2983
3466
2984
def client_removed_signal(self, client):
3467
2985
"""Send the new standard signal and the old signal"""
3468
2986
if use_dbus:
3473
2991
# Old signal
3474
2992
self.ClientRemoved(client.dbus_object_path,
3475
2993
client.name)
3476
2994
3477
2995
mandos_dbus_service = MandosDBusService()
3478
3479
# Save modules to variables to exempt the modules from being
3480
# unloaded before the function registered with atexit() is run.
3481
mp = multiprocessing
3482
wn = wnull
3483
2996
3484
2997
def cleanup():
3485
2998
"Cleanup function; run on exit"
3486
2999
if zeroconf:
3487
3000
service.cleanup()
3488
3489
mp.active_children()
3490
wn.close()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3491
3004
if not (tcp_server.clients or client_settings):
3492
3005
return
3493
3006
3494
3007
# Store client before exiting. Secrets are encrypted with key
3495
3008
# based on what config file has. If config file is
3496
3009
# removed/edited, old secret will thus be unrecovable.
3497
3010
clients = {}
3498
3011
with PGPEngine() as pgp:
3499
for client in tcp_server.clients.values():
3012
for client in tcp_server.clients.itervalues():
3500
3013
key = client_settings[client.name]["secret"]
3501
3014
client.encrypted_secret = pgp.encrypt(client.secret,
3502
3015
key)
3503
3016
client_dict = {}
3504
3017
3505
3018
# A list of attributes that can not be pickled
3506
3019
# + secret.
3507
exclude = {"bus", "changedstate", "secret",
3508
"checker", "server_settings"}
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3509
3022
for name, typ in inspect.getmembers(dbus.service
3510
3023
.Object):
3511
3024
exclude.add(name)
3512
3025
3513
3026
client_dict["encrypted_secret"] = (client
3514
3027
.encrypted_secret)
3515
3028
for attr in client.client_structure:
3516
3029
if attr not in exclude:
3517
3030
client_dict[attr] = getattr(client, attr)
3518
3031
3519
3032
clients[client.name] = client_dict
3520
3033
del client_settings[client.name]["secret"]
3521
3034
3522
3035
try:
3523
3036
with tempfile.NamedTemporaryFile(
3524
3037
mode='wb',
3526
3039
prefix='clients-',
3527
3040
dir=os.path.dirname(stored_state_path),
3528
3041
delete=False) as stored_state:
3529
pickle.dump((clients, client_settings), stored_state,
3530
protocol=2)
3042
pickle.dump((clients, client_settings), stored_state)
3531
3043
tempname = stored_state.name
3532
3044
os.rename(tempname, stored_state_path)
3533
3045
except (IOError, OSError) as e:
3543
3055
logger.warning("Could not save persistent state:",
3544
3056
exc_info=e)
3545
3057
raise
3546
3058
3547
3059
# Delete all clients, and settings from config
3548
3060
while tcp_server.clients:
3549
3061
name, client = tcp_server.clients.popitem()
3552
3064
# Don't signal the disabling
3553
3065
client.disable(quiet=True)
3554
3066
# Emit D-Bus signal for removal
3555
if use_dbus:
3556
mandos_dbus_service.client_removed_signal(client)
3067
mandos_dbus_service.client_removed_signal(client)
3557
3068
client_settings.clear()
3558
3069
3559
3070
atexit.register(cleanup)
3560
3561
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3562
3073
if use_dbus:
3563
3074
# Emit D-Bus signal for adding
3564
3075
mandos_dbus_service.client_added_signal(client)
3565
3076
# Need to initiate checking of clients
3566
3077
if client.enabled:
3567
3078
client.init_checker()
3568
3079
3569
3080
tcp_server.enable()
3570
3081
tcp_server.server_activate()
3571
3082
3572
3083
# Find out what port we got
3573
3084
if zeroconf:
3574
3085
service.port = tcp_server.socket.getsockname()[1]
3579
3090
else: # IPv4
3580
3091
logger.info("Now listening on address %r, port %d",
3581
3092
*tcp_server.socket.getsockname())
3582
3583
# service.interface = tcp_server.socket.getsockname()[3]
3584
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3585
3096
try:
3586
3097
if zeroconf:
3587
3098
# From the Avahi example code
3592
3103
cleanup()
3593
3104
sys.exit(1)
3594
3105
# End of Avahi example code
3595
3596
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3597
lambda *args, **kwargs:
3598
(tcp_server.handle_request
3599
(*args[2:], **kwargs) or True))
3600
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3601
3112
logger.debug("Starting main loop")
3602
3113
main_loop.run()
3603
3114
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0