To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.335
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.335
- Committer: Teddy Hogeborn
- Date: 2015-08-10 16:19:28 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810161928-bnukog7l47j3pjix
Depend on Avahi and the network in the server's systemd service file.
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
77
79
import itertools
78
80
import collections
79
81
import codecs
80
import unittest
81
import random
82
82
83
83
import dbus
84
84
import dbus.service
85
import gi
86
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
87
90
from dbus.mainloop.glib import DBusGMainLoop
88
91
import ctypes
89
92
import ctypes.util
90
93
import xml.dom.minidom
91
94
import inspect
92
95
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
97
# Add collections.abc.Callable if it does not exist
98
try:
99
collections.abc.Callable
100
except AttributeError:
101
class abc:
102
Callable = collections.Callable
103
collections.abc = abc
104
del abc
105
106
# Show warnings by default
107
if not sys.warnoptions:
108
import warnings
109
warnings.simplefilter("default")
110
111
# Try to find the value of SO_BINDTODEVICE:
112
try:
113
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
114
# newer, and it is also the most natural place for it:
96
try:
115
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
116
98
except AttributeError:
117
99
try:
118
# This is where SO_BINDTODEVICE was up to and including Python
119
# 2.6, and also 3.2:
120
100
from IN import SO_BINDTODEVICE
121
101
except ImportError:
122
# In Python 2.7 it seems to have been removed entirely.
123
# Try running the C preprocessor:
124
try:
125
cc = subprocess.Popen(["cc", "--language=c", "-E",
126
"/dev/stdin"],
127
stdin=subprocess.PIPE,
128
stdout=subprocess.PIPE)
129
stdout = cc.communicate(
130
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
131
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
132
except (OSError, ValueError, IndexError):
133
# No value found
134
SO_BINDTODEVICE = None
135
136
if sys.version_info < (3, 2):
137
configparser.Configparser = configparser.SafeConfigParser
138
139
version = "1.8.9"
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
140
108
stored_state_file = "clients.pickle"
141
109
142
110
logger = logging.getLogger()
143
logging.captureWarnings(True) # Show warnings via the logging system
144
111
syslogger = None
145
112
146
113
try:
147
114
if_nametoindex = ctypes.cdll.LoadLibrary(
148
115
ctypes.util.find_library("c")).if_nametoindex
149
116
except (OSError, AttributeError):
150
117
151
118
def if_nametoindex(interface):
152
119
"Get an interface index the hard way, i.e. using fcntl()"
153
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
158
125
return interface_index
159
126
160
127
161
def copy_function(func):
162
"""Make a copy of a function"""
163
if sys.version_info.major == 2:
164
return types.FunctionType(func.func_code,
165
func.func_globals,
166
func.func_name,
167
func.func_defaults,
168
func.func_closure)
169
else:
170
return types.FunctionType(func.__code__,
171
func.__globals__,
172
func.__name__,
173
func.__defaults__,
174
func.__closure__)
175
176
177
128
def initlogger(debug, level=logging.WARNING):
178
129
"""init logger and add loglevel"""
179
130
180
131
global syslogger
181
132
syslogger = (logging.handlers.SysLogHandler(
182
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
183
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
184
135
syslogger.setFormatter(logging.Formatter
185
136
('Mandos [%(process)d]: %(levelname)s:'
186
137
' %(message)s'))
187
138
logger.addHandler(syslogger)
188
139
189
140
if debug:
190
141
console = logging.StreamHandler()
191
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
201
152
pass
202
153
203
154
204
class PGPEngine:
155
class PGPEngine(object):
205
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
206
157
207
158
def __init__(self):
208
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
209
self.gpg = "gpg"
210
try:
211
output = subprocess.check_output(["gpgconf"])
212
for line in output.splitlines():
213
name, text, path = line.split(b":")
214
if name == b"gpg":
215
self.gpg = path
216
break
217
except OSError as e:
218
if e.errno != errno.ENOENT:
219
raise
220
160
self.gnupgargs = ['--batch',
221
'--homedir', self.tempdir,
161
'--home', self.tempdir,
222
162
'--force-mdc',
223
'--quiet']
224
# Only GPG version 1 has the --no-use-agent option.
225
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
226
self.gnupgargs.append("--no-use-agent")
227
163
'--quiet',
164
'--no-use-agent']
165
228
166
def __enter__(self):
229
167
return self
230
168
231
169
def __exit__(self, exc_type, exc_value, traceback):
232
170
self._cleanup()
233
171
return False
234
172
235
173
def __del__(self):
236
174
self._cleanup()
237
175
238
176
def _cleanup(self):
239
177
if self.tempdir is not None:
240
178
# Delete contents of tempdir
241
179
for root, dirs, files in os.walk(self.tempdir,
242
topdown=False):
180
topdown = False):
243
181
for filename in files:
244
182
os.remove(os.path.join(root, filename))
245
183
for dirname in dirs:
247
185
# Remove tempdir
248
186
os.rmdir(self.tempdir)
249
187
self.tempdir = None
250
188
251
189
def password_encode(self, password):
252
190
# Passphrase can not be empty and can not contain newlines or
253
191
# NUL bytes. So we prefix it and hex encode it.
258
196
.replace(b"\n", b"\\n")
259
197
.replace(b"\0", b"\\x00"))
260
198
return encoded
261
199
262
200
def encrypt(self, data, password):
263
201
passphrase = self.password_encode(password)
264
202
with tempfile.NamedTemporaryFile(
265
203
dir=self.tempdir) as passfile:
266
204
passfile.write(passphrase)
267
205
passfile.flush()
268
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
269
207
'--passphrase-file',
270
208
passfile.name]
271
209
+ self.gnupgargs,
272
stdin=subprocess.PIPE,
273
stdout=subprocess.PIPE,
274
stderr=subprocess.PIPE)
275
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
276
214
if proc.returncode != 0:
277
215
raise PGPError(err)
278
216
return ciphertext
279
217
280
218
def decrypt(self, data, password):
281
219
passphrase = self.password_encode(password)
282
220
with tempfile.NamedTemporaryFile(
283
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
284
222
passfile.write(passphrase)
285
223
passfile.flush()
286
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
287
225
'--passphrase-file',
288
226
passfile.name]
289
227
+ self.gnupgargs,
290
stdin=subprocess.PIPE,
291
stdout=subprocess.PIPE,
292
stderr=subprocess.PIPE)
293
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
294
232
if proc.returncode != 0:
295
233
raise PGPError(err)
296
234
return decrypted_plaintext
297
235
298
236
299
# Pretend that we have an Avahi module
300
class avahi:
301
"""This isn't so much a class as it is a module-like namespace."""
302
IF_UNSPEC = -1 # avahi-common/address.h
303
PROTO_UNSPEC = -1 # avahi-common/address.h
304
PROTO_INET = 0 # avahi-common/address.h
305
PROTO_INET6 = 1 # avahi-common/address.h
306
DBUS_NAME = "org.freedesktop.Avahi"
307
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
308
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
309
DBUS_PATH_SERVER = "/"
310
311
@staticmethod
312
def string_array_to_txt_array(t):
313
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
314
for s in t), signature="ay")
315
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
316
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
317
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
318
SERVER_INVALID = 0 # avahi-common/defs.h
319
SERVER_REGISTERING = 1 # avahi-common/defs.h
320
SERVER_RUNNING = 2 # avahi-common/defs.h
321
SERVER_COLLISION = 3 # avahi-common/defs.h
322
SERVER_FAILURE = 4 # avahi-common/defs.h
323
324
325
237
class AvahiError(Exception):
326
238
def __init__(self, value, *args, **kwargs):
327
239
self.value = value
337
249
pass
338
250
339
251
340
class AvahiService:
252
class AvahiService(object):
341
253
"""An Avahi (Zeroconf) service.
342
254
343
255
Attributes:
344
256
interface: integer; avahi.IF_UNSPEC or an interface index.
345
257
Used to optionally bind to the specified interface.
357
269
server: D-Bus Server
358
270
bus: dbus.SystemBus()
359
271
"""
360
272
361
273
def __init__(self,
362
interface=avahi.IF_UNSPEC,
363
name=None,
364
servicetype=None,
365
port=None,
366
TXT=None,
367
domain="",
368
host="",
369
max_renames=32768,
370
protocol=avahi.PROTO_UNSPEC,
371
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
372
284
self.interface = interface
373
285
self.name = name
374
286
self.type = servicetype
383
295
self.server = None
384
296
self.bus = bus
385
297
self.entry_group_state_changed_match = None
386
298
387
299
def rename(self, remove=True):
388
300
"""Derived from the Avahi example code"""
389
301
if self.rename_count >= self.max_renames:
409
321
logger.critical("D-Bus Exception", exc_info=error)
410
322
self.cleanup()
411
323
os._exit(1)
412
324
413
325
def remove(self):
414
326
"""Derived from the Avahi example code"""
415
327
if self.entry_group_state_changed_match is not None:
417
329
self.entry_group_state_changed_match = None
418
330
if self.group is not None:
419
331
self.group.Reset()
420
332
421
333
def add(self):
422
334
"""Derived from the Avahi example code"""
423
335
self.remove()
440
352
dbus.UInt16(self.port),
441
353
avahi.string_array_to_txt_array(self.TXT))
442
354
self.group.Commit()
443
355
444
356
def entry_group_state_changed(self, state, error):
445
357
"""Derived from the Avahi example code"""
446
358
logger.debug("Avahi entry group state change: %i", state)
447
359
448
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
449
361
logger.debug("Zeroconf service established.")
450
362
elif state == avahi.ENTRY_GROUP_COLLISION:
454
366
logger.critical("Avahi: Error in group state changed %s",
455
367
str(error))
456
368
raise AvahiGroupError("State changed: {!s}".format(error))
457
369
458
370
def cleanup(self):
459
371
"""Derived from the Avahi example code"""
460
372
if self.group is not None:
465
377
pass
466
378
self.group = None
467
379
self.remove()
468
380
469
381
def server_state_changed(self, state, error=None):
470
382
"""Derived from the Avahi example code"""
471
383
logger.debug("Avahi server state change: %i", state)
500
412
logger.debug("Unknown state: %r", state)
501
413
else:
502
414
logger.debug("Unknown state: %r: %r", state, error)
503
415
504
416
def activate(self):
505
417
"""Derived from the Avahi example code"""
506
418
if self.server is None:
517
429
class AvahiServiceToSyslog(AvahiService):
518
430
def rename(self, *args, **kwargs):
519
431
"""Add the new name to the syslog messages"""
520
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
521
433
syslogger.setFormatter(logging.Formatter(
522
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
523
435
.format(self.name)))
524
436
return ret
525
437
526
527
# Pretend that we have a GnuTLS module
528
class gnutls:
529
"""This isn't so much a class as it is a module-like namespace."""
530
531
library = ctypes.util.find_library("gnutls")
532
if library is None:
533
library = ctypes.util.find_library("gnutls-deb0")
534
_library = ctypes.cdll.LoadLibrary(library)
535
del library
536
537
# Unless otherwise indicated, the constants and types below are
538
# all from the gnutls/gnutls.h C header file.
539
540
# Constants
541
E_SUCCESS = 0
542
E_INTERRUPTED = -52
543
E_AGAIN = -28
544
CRT_OPENPGP = 2
545
CRT_RAWPK = 3
546
CLIENT = 2
547
SHUT_RDWR = 0
548
CRD_CERTIFICATE = 1
549
E_NO_CERTIFICATE_FOUND = -49
550
X509_FMT_DER = 0
551
NO_TICKETS = 1<<10
552
ENABLE_RAWPK = 1<<18
553
CTYPE_PEERS = 3
554
KEYID_USE_SHA256 = 1 # gnutls/x509.h
555
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
556
557
# Types
558
class session_int(ctypes.Structure):
559
_fields_ = []
560
session_t = ctypes.POINTER(session_int)
561
562
class certificate_credentials_st(ctypes.Structure):
563
_fields_ = []
564
certificate_credentials_t = ctypes.POINTER(
565
certificate_credentials_st)
566
certificate_type_t = ctypes.c_int
567
568
class datum_t(ctypes.Structure):
569
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
570
('size', ctypes.c_uint)]
571
572
class openpgp_crt_int(ctypes.Structure):
573
_fields_ = []
574
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
575
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
576
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
577
credentials_type_t = ctypes.c_int
578
transport_ptr_t = ctypes.c_void_p
579
close_request_t = ctypes.c_int
580
581
# Exceptions
582
class Error(Exception):
583
def __init__(self, message=None, code=None, args=()):
584
# Default usage is by a message string, but if a return
585
# code is passed, convert it to a string with
586
# gnutls.strerror()
587
self.code = code
588
if message is None and code is not None:
589
message = gnutls.strerror(code)
590
return super(gnutls.Error, self).__init__(
591
message, *args)
592
593
class CertificateSecurityError(Error):
594
pass
595
596
# Classes
597
class Credentials:
598
def __init__(self):
599
self._c_object = gnutls.certificate_credentials_t()
600
gnutls.certificate_allocate_credentials(
601
ctypes.byref(self._c_object))
602
self.type = gnutls.CRD_CERTIFICATE
603
604
def __del__(self):
605
gnutls.certificate_free_credentials(self._c_object)
606
607
class ClientSession:
608
def __init__(self, socket, credentials=None):
609
self._c_object = gnutls.session_t()
610
gnutls_flags = gnutls.CLIENT
611
if gnutls.check_version(b"3.5.6"):
612
gnutls_flags |= gnutls.NO_TICKETS
613
if gnutls.has_rawpk:
614
gnutls_flags |= gnutls.ENABLE_RAWPK
615
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
616
del gnutls_flags
617
gnutls.set_default_priority(self._c_object)
618
gnutls.transport_set_ptr(self._c_object, socket.fileno())
619
gnutls.handshake_set_private_extensions(self._c_object,
620
True)
621
self.socket = socket
622
if credentials is None:
623
credentials = gnutls.Credentials()
624
gnutls.credentials_set(self._c_object, credentials.type,
625
ctypes.cast(credentials._c_object,
626
ctypes.c_void_p))
627
self.credentials = credentials
628
629
def __del__(self):
630
gnutls.deinit(self._c_object)
631
632
def handshake(self):
633
return gnutls.handshake(self._c_object)
634
635
def send(self, data):
636
data = bytes(data)
637
data_len = len(data)
638
while data_len > 0:
639
data_len -= gnutls.record_send(self._c_object,
640
data[-data_len:],
641
data_len)
642
643
def bye(self):
644
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
645
646
# Error handling functions
647
def _error_code(result):
648
"""A function to raise exceptions on errors, suitable
649
for the 'restype' attribute on ctypes functions"""
650
if result >= 0:
651
return result
652
if result == gnutls.E_NO_CERTIFICATE_FOUND:
653
raise gnutls.CertificateSecurityError(code=result)
654
raise gnutls.Error(code=result)
655
656
def _retry_on_error(result, func, arguments):
657
"""A function to retry on some errors, suitable
658
for the 'errcheck' attribute on ctypes functions"""
659
while result < 0:
660
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
661
return _error_code(result)
662
result = func(*arguments)
663
return result
664
665
# Unless otherwise indicated, the function declarations below are
666
# all from the gnutls/gnutls.h C header file.
667
668
# Functions
669
priority_set_direct = _library.gnutls_priority_set_direct
670
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
671
ctypes.POINTER(ctypes.c_char_p)]
672
priority_set_direct.restype = _error_code
673
674
init = _library.gnutls_init
675
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
676
init.restype = _error_code
677
678
set_default_priority = _library.gnutls_set_default_priority
679
set_default_priority.argtypes = [session_t]
680
set_default_priority.restype = _error_code
681
682
record_send = _library.gnutls_record_send
683
record_send.argtypes = [session_t, ctypes.c_void_p,
684
ctypes.c_size_t]
685
record_send.restype = ctypes.c_ssize_t
686
record_send.errcheck = _retry_on_error
687
688
certificate_allocate_credentials = (
689
_library.gnutls_certificate_allocate_credentials)
690
certificate_allocate_credentials.argtypes = [
691
ctypes.POINTER(certificate_credentials_t)]
692
certificate_allocate_credentials.restype = _error_code
693
694
certificate_free_credentials = (
695
_library.gnutls_certificate_free_credentials)
696
certificate_free_credentials.argtypes = [
697
certificate_credentials_t]
698
certificate_free_credentials.restype = None
699
700
handshake_set_private_extensions = (
701
_library.gnutls_handshake_set_private_extensions)
702
handshake_set_private_extensions.argtypes = [session_t,
703
ctypes.c_int]
704
handshake_set_private_extensions.restype = None
705
706
credentials_set = _library.gnutls_credentials_set
707
credentials_set.argtypes = [session_t, credentials_type_t,
708
ctypes.c_void_p]
709
credentials_set.restype = _error_code
710
711
strerror = _library.gnutls_strerror
712
strerror.argtypes = [ctypes.c_int]
713
strerror.restype = ctypes.c_char_p
714
715
certificate_type_get = _library.gnutls_certificate_type_get
716
certificate_type_get.argtypes = [session_t]
717
certificate_type_get.restype = _error_code
718
719
certificate_get_peers = _library.gnutls_certificate_get_peers
720
certificate_get_peers.argtypes = [session_t,
721
ctypes.POINTER(ctypes.c_uint)]
722
certificate_get_peers.restype = ctypes.POINTER(datum_t)
723
724
global_set_log_level = _library.gnutls_global_set_log_level
725
global_set_log_level.argtypes = [ctypes.c_int]
726
global_set_log_level.restype = None
727
728
global_set_log_function = _library.gnutls_global_set_log_function
729
global_set_log_function.argtypes = [log_func]
730
global_set_log_function.restype = None
731
732
deinit = _library.gnutls_deinit
733
deinit.argtypes = [session_t]
734
deinit.restype = None
735
736
handshake = _library.gnutls_handshake
737
handshake.argtypes = [session_t]
738
handshake.restype = _error_code
739
handshake.errcheck = _retry_on_error
740
741
transport_set_ptr = _library.gnutls_transport_set_ptr
742
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
743
transport_set_ptr.restype = None
744
745
bye = _library.gnutls_bye
746
bye.argtypes = [session_t, close_request_t]
747
bye.restype = _error_code
748
bye.errcheck = _retry_on_error
749
750
check_version = _library.gnutls_check_version
751
check_version.argtypes = [ctypes.c_char_p]
752
check_version.restype = ctypes.c_char_p
753
754
_need_version = b"3.3.0"
755
if check_version(_need_version) is None:
756
raise self.Error("Needs GnuTLS {} or later"
757
.format(_need_version))
758
759
_tls_rawpk_version = b"3.6.6"
760
has_rawpk = bool(check_version(_tls_rawpk_version))
761
762
if has_rawpk:
763
# Types
764
class pubkey_st(ctypes.Structure):
765
_fields = []
766
pubkey_t = ctypes.POINTER(pubkey_st)
767
768
x509_crt_fmt_t = ctypes.c_int
769
770
# All the function declarations below are from gnutls/abstract.h
771
pubkey_init = _library.gnutls_pubkey_init
772
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
773
pubkey_init.restype = _error_code
774
775
pubkey_import = _library.gnutls_pubkey_import
776
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
777
x509_crt_fmt_t]
778
pubkey_import.restype = _error_code
779
780
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
781
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
782
ctypes.POINTER(ctypes.c_ubyte),
783
ctypes.POINTER(ctypes.c_size_t)]
784
pubkey_get_key_id.restype = _error_code
785
786
pubkey_deinit = _library.gnutls_pubkey_deinit
787
pubkey_deinit.argtypes = [pubkey_t]
788
pubkey_deinit.restype = None
789
else:
790
# All the function declarations below are from gnutls/openpgp.h
791
792
openpgp_crt_init = _library.gnutls_openpgp_crt_init
793
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
794
openpgp_crt_init.restype = _error_code
795
796
openpgp_crt_import = _library.gnutls_openpgp_crt_import
797
openpgp_crt_import.argtypes = [openpgp_crt_t,
798
ctypes.POINTER(datum_t),
799
openpgp_crt_fmt_t]
800
openpgp_crt_import.restype = _error_code
801
802
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
803
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
804
ctypes.POINTER(ctypes.c_uint)]
805
openpgp_crt_verify_self.restype = _error_code
806
807
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
808
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
809
openpgp_crt_deinit.restype = None
810
811
openpgp_crt_get_fingerprint = (
812
_library.gnutls_openpgp_crt_get_fingerprint)
813
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
814
ctypes.c_void_p,
815
ctypes.POINTER(
816
ctypes.c_size_t)]
817
openpgp_crt_get_fingerprint.restype = _error_code
818
819
if check_version(b"3.6.4"):
820
certificate_type_get2 = _library.gnutls_certificate_type_get2
821
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
822
certificate_type_get2.restype = _error_code
823
824
# Remove non-public functions
825
del _error_code, _retry_on_error
826
827
828
438
def call_pipe(connection, # : multiprocessing.Connection
829
439
func, *args, **kwargs):
830
440
"""This function is meant to be called by multiprocessing.Process
831
441
832
442
This function runs func(*args, **kwargs), and writes the resulting
833
443
return value on the provided multiprocessing.Connection.
834
444
"""
835
445
connection.send(func(*args, **kwargs))
836
446
connection.close()
837
447
838
839
class Client:
448
class Client(object):
840
449
"""A representation of a client host served by this server.
841
450
842
451
Attributes:
843
452
approved: bool(); 'None' if not yet approved/disapproved
844
453
approval_delay: datetime.timedelta(); Time to wait for approval
845
454
approval_duration: datetime.timedelta(); Duration of one approval
846
checker: multiprocessing.Process(); a running checker process used
847
to see if the client lives. 'None' if no process is
848
running.
849
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
850
459
checker_command: string; External command which is run to check
851
460
if client lives. %() expansions are done at
852
461
runtime with vars(self) as dict, so that for
853
462
instance %(name)s can be used in the command.
854
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
855
464
created: datetime.datetime(); (UTC) object creation
856
465
client_structure: Object describing what attributes a client has
857
466
and is used for storing the client at exit
858
467
current_checker_command: string; current running checker_command
859
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
860
469
enabled: bool()
861
470
fingerprint: string (40 or 32 hexadecimal digits); used to
862
uniquely identify an OpenPGP client
863
key_id: string (64 hexadecimal digits); used to uniquely identify
864
a client using raw public keys
471
uniquely identify the client
865
472
host: string; available for use by the checker command
866
473
interval: datetime.timedelta(); How often to start a new checker
867
474
last_approval_request: datetime.datetime(); (UTC) or None
883
490
disabled, or None
884
491
server_settings: The server_settings dict from main()
885
492
"""
886
493
887
494
runtime_expansions = ("approval_delay", "approval_duration",
888
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
889
496
"fingerprint", "host", "interval",
890
497
"last_approval_request", "last_checked_ok",
891
498
"last_enabled", "name", "timeout")
900
507
"approved_by_default": "True",
901
508
"enabled": "True",
902
509
}
903
510
904
511
@staticmethod
905
512
def config_parser(config):
906
513
"""Construct a new dict of client settings of this form:
913
520
for client_name in config.sections():
914
521
section = dict(config.items(client_name))
915
522
client = settings[client_name] = {}
916
523
917
524
client["host"] = section["host"]
918
525
# Reformat values from string types to Python types
919
526
client["approved_by_default"] = config.getboolean(
920
527
client_name, "approved_by_default")
921
528
client["enabled"] = config.getboolean(client_name,
922
529
"enabled")
923
924
# Uppercase and remove spaces from key_id and fingerprint
925
# for later comparison purposes with return value from the
926
# key_id() and fingerprint() functions
927
client["key_id"] = (section.get("key_id", "").upper()
928
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
929
534
client["fingerprint"] = (section["fingerprint"].upper()
930
535
.replace(" ", ""))
931
536
if "secret" in section:
932
client["secret"] = codecs.decode(section["secret"]
933
.encode("utf-8"),
934
"base64")
537
client["secret"] = section["secret"].decode("base64")
935
538
elif "secfile" in section:
936
539
with open(os.path.expanduser(os.path.expandvars
937
540
(section["secfile"])),
952
555
client["last_approval_request"] = None
953
556
client["last_checked_ok"] = None
954
557
client["last_checker_status"] = -2
955
558
956
559
return settings
957
958
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
959
562
self.name = name
960
563
if server_settings is None:
961
564
server_settings = {}
963
566
# adding all client settings
964
567
for setting, value in settings.items():
965
568
setattr(self, setting, value)
966
569
967
570
if self.enabled:
968
571
if not hasattr(self, "last_enabled"):
969
572
self.last_enabled = datetime.datetime.utcnow()
973
576
else:
974
577
self.last_enabled = None
975
578
self.expires = None
976
579
977
580
logger.debug("Creating client %r", self.name)
978
logger.debug(" Key ID: %s", self.key_id)
979
581
logger.debug(" Fingerprint: %s", self.fingerprint)
980
582
self.created = settings.get("created",
981
583
datetime.datetime.utcnow())
982
584
983
585
# attributes specific for this server instance
984
586
self.checker = None
985
587
self.checker_initiator_tag = None
991
593
self.changedstate = multiprocessing_manager.Condition(
992
594
multiprocessing_manager.Lock())
993
595
self.client_structure = [attr
994
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
995
597
if not attr.startswith("_")]
996
598
self.client_structure.append("client_structure")
997
599
998
600
for name, t in inspect.getmembers(
999
601
type(self), lambda obj: isinstance(obj, property)):
1000
602
if not name.startswith("_"):
1001
603
self.client_structure.append(name)
1002
604
1003
605
# Send notice to process children that client state has changed
1004
606
def send_changedstate(self):
1005
607
with self.changedstate:
1006
608
self.changedstate.notify_all()
1007
609
1008
610
def enable(self):
1009
611
"""Start this client's checker and timeout hooks"""
1010
612
if getattr(self, "enabled", False):
1015
617
self.last_enabled = datetime.datetime.utcnow()
1016
618
self.init_checker()
1017
619
self.send_changedstate()
1018
620
1019
621
def disable(self, quiet=True):
1020
622
"""Disable this client."""
1021
623
if not getattr(self, "enabled", False):
1023
625
if not quiet:
1024
626
logger.info("Disabling client %s", self.name)
1025
627
if getattr(self, "disable_initiator_tag", None) is not None:
1026
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1027
629
self.disable_initiator_tag = None
1028
630
self.expires = None
1029
631
if getattr(self, "checker_initiator_tag", None) is not None:
1030
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1031
633
self.checker_initiator_tag = None
1032
634
self.stop_checker()
1033
635
self.enabled = False
1034
636
if not quiet:
1035
637
self.send_changedstate()
1036
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1037
639
return False
1038
640
1039
641
def __del__(self):
1040
642
self.disable()
1041
643
1042
644
def init_checker(self):
1043
645
# Schedule a new checker to be started an 'interval' from now,
1044
646
# and every interval from then on.
1045
647
if self.checker_initiator_tag is not None:
1046
GLib.source_remove(self.checker_initiator_tag)
1047
self.checker_initiator_tag = GLib.timeout_add(
1048
random.randrange(int(self.interval.total_seconds() * 1000
1049
+ 1)),
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1050
651
self.start_checker)
1051
652
# Schedule a disable() when 'timeout' has passed
1052
653
if self.disable_initiator_tag is not None:
1053
GLib.source_remove(self.disable_initiator_tag)
1054
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1055
656
int(self.timeout.total_seconds() * 1000), self.disable)
1056
657
# Also start a new checker *right now*.
1057
658
self.start_checker()
1058
659
1059
660
def checker_callback(self, source, condition, connection,
1060
661
command):
1061
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1062
665
# Read return code from connection (see call_pipe)
1063
666
returncode = connection.recv()
1064
667
connection.close()
1065
if self.checker is not None:
1066
self.checker.join()
1067
self.checker_callback_tag = None
1068
self.checker = None
1069
668
1070
669
if returncode >= 0:
1071
670
self.last_checker_status = returncode
1072
671
self.last_checker_signal = None
1082
681
logger.warning("Checker for %(name)s crashed?",
1083
682
vars(self))
1084
683
return False
1085
684
1086
685
def checked_ok(self):
1087
686
"""Assert that the client has been seen, alive and well."""
1088
687
self.last_checked_ok = datetime.datetime.utcnow()
1089
688
self.last_checker_status = 0
1090
689
self.last_checker_signal = None
1091
690
self.bump_timeout()
1092
691
1093
692
def bump_timeout(self, timeout=None):
1094
693
"""Bump up the timeout for this client."""
1095
694
if timeout is None:
1096
695
timeout = self.timeout
1097
696
if self.disable_initiator_tag is not None:
1098
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1099
698
self.disable_initiator_tag = None
1100
699
if getattr(self, "enabled", False):
1101
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1102
701
int(timeout.total_seconds() * 1000), self.disable)
1103
702
self.expires = datetime.datetime.utcnow() + timeout
1104
703
1105
704
def need_approval(self):
1106
705
self.last_approval_request = datetime.datetime.utcnow()
1107
706
1108
707
def start_checker(self):
1109
708
"""Start a new checker subprocess if one is not running.
1110
709
1111
710
If a checker already exists, leave it running and do
1112
711
nothing."""
1113
712
# The reason for not killing a running checker is that if we
1118
717
# checkers alone, the checker would have to take more time
1119
718
# than 'timeout' for the client to be disabled, which is as it
1120
719
# should be.
1121
720
1122
721
if self.checker is not None and not self.checker.is_alive():
1123
722
logger.warning("Checker was not alive; joining")
1124
723
self.checker.join()
1128
727
# Escape attributes for the shell
1129
728
escaped_attrs = {
1130
729
attr: re.escape(str(getattr(self, attr)))
1131
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1132
731
try:
1133
732
command = self.checker_command % escaped_attrs
1134
733
except TypeError as error:
1146
745
# The exception is when not debugging but nevertheless
1147
746
# running in the foreground; use the previously
1148
747
# created wnull.
1149
popen_args = {"close_fds": True,
1150
"shell": True,
1151
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1152
751
if (not self.server_settings["debug"]
1153
752
and self.server_settings["foreground"]):
1154
753
popen_args.update({"stdout": wnull,
1155
"stderr": wnull})
1156
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1157
756
self.checker = multiprocessing.Process(
1158
target=call_pipe,
1159
args=(pipe[1], subprocess.call, command),
1160
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1161
760
self.checker.start()
1162
self.checker_callback_tag = GLib.io_add_watch(
1163
GLib.IOChannel.unix_new(pipe[0].fileno()),
1164
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1165
763
self.checker_callback, pipe[0], command)
1166
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1167
765
return True
1168
766
1169
767
def stop_checker(self):
1170
768
"""Force the checker process, if any, to stop."""
1171
769
if self.checker_callback_tag:
1172
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1173
771
self.checker_callback_tag = None
1174
772
if getattr(self, "checker", None) is None:
1175
773
return
1184
782
byte_arrays=False):
1185
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1186
784
become properties on the D-Bus.
1187
785
1188
786
The decorated method will be called with no arguments by "Get"
1189
787
and with one argument by "Set".
1190
788
1191
789
The parameters, where they are supported, are the same as
1192
790
dbus.service.method, except there is only "signature", since the
1193
791
type from Get() and the type sent to Set() is the same.
1197
795
if byte_arrays and signature != "ay":
1198
796
raise ValueError("Byte arrays not supported for non-'ay'"
1199
797
" signature {!r}".format(signature))
1200
798
1201
799
def decorator(func):
1202
800
func._dbus_is_property = True
1203
801
func._dbus_interface = dbus_interface
1206
804
func._dbus_name = func.__name__
1207
805
if func._dbus_name.endswith("_dbus_property"):
1208
806
func._dbus_name = func._dbus_name[:-14]
1209
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1210
808
return func
1211
809
1212
810
return decorator
1213
811
1214
812
1215
813
def dbus_interface_annotations(dbus_interface):
1216
814
"""Decorator for marking functions returning interface annotations
1217
815
1218
816
Usage:
1219
817
1220
818
@dbus_interface_annotations("org.example.Interface")
1221
819
def _foo(self): # Function name does not matter
1222
820
return {"org.freedesktop.DBus.Deprecated": "true",
1223
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1224
822
"false"}
1225
823
"""
1226
824
1227
825
def decorator(func):
1228
826
func._dbus_is_interface = True
1229
827
func._dbus_interface = dbus_interface
1230
828
func._dbus_name = dbus_interface
1231
829
return func
1232
830
1233
831
return decorator
1234
832
1235
833
1236
834
def dbus_annotations(annotations):
1237
835
"""Decorator to annotate D-Bus methods, signals or properties
1238
836
Usage:
1239
837
1240
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1241
839
"org.freedesktop.DBus.Property."
1242
840
"EmitsChangedSignal": "false"})
1244
842
access="r")
1245
843
def Property_dbus_property(self):
1246
844
return dbus.Boolean(False)
1247
845
1248
846
See also the DBusObjectWithAnnotations class.
1249
847
"""
1250
848
1251
849
def decorator(func):
1252
850
func._dbus_annotations = annotations
1253
851
return func
1254
852
1255
853
return decorator
1256
854
1257
855
1275
873
1276
874
class DBusObjectWithAnnotations(dbus.service.Object):
1277
875
"""A D-Bus object with annotations.
1278
876
1279
877
Classes inheriting from this can use the dbus_annotations
1280
878
decorator to add annotations to methods or signals.
1281
879
"""
1282
880
1283
881
@staticmethod
1284
882
def _is_dbus_thing(thing):
1285
883
"""Returns a function testing if an attribute is a D-Bus thing
1286
884
1287
885
If called like _is_dbus_thing("method") it returns a function
1288
886
suitable for use as predicate to inspect.getmembers().
1289
887
"""
1290
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1291
889
False)
1292
890
1293
891
def _get_all_dbus_things(self, thing):
1294
892
"""Returns a generator of (name, attribute) pairs
1295
893
"""
1298
896
for cls in self.__class__.__mro__
1299
897
for name, athing in
1300
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1301
899
1302
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1303
out_signature="s",
1304
path_keyword='object_path',
1305
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1306
904
def Introspect(self, object_path, connection):
1307
905
"""Overloading of standard D-Bus method.
1308
906
1309
907
Inserts annotation tags on methods and signals.
1310
908
"""
1311
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1312
910
connection)
1313
911
try:
1314
912
document = xml.dom.minidom.parseString(xmlstring)
1315
913
1316
914
for if_tag in document.getElementsByTagName("interface"):
1317
915
# Add annotation tags
1318
916
for typ in ("method", "signal"):
1345
943
if_tag.appendChild(ann_tag)
1346
944
# Fix argument name for the Introspect method itself
1347
945
if (if_tag.getAttribute("name")
1348
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1349
947
for cn in if_tag.getElementsByTagName("method"):
1350
948
if cn.getAttribute("name") == "Introspect":
1351
949
for arg in cn.getElementsByTagName("arg"):
1364
962
1365
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1366
964
"""A D-Bus object with properties.
1367
965
1368
966
Classes inheriting from this can use the dbus_service_property
1369
967
decorator to expose methods as D-Bus properties. It exposes the
1370
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1371
969
"""
1372
970
1373
971
def _get_dbus_property(self, interface_name, property_name):
1374
972
"""Returns a bound method if one exists which is a D-Bus
1375
973
property with the specified name and interface.
1380
978
if (value._dbus_name == property_name
1381
979
and value._dbus_interface == interface_name):
1382
980
return value.__get__(self)
1383
981
1384
982
# No such property
1385
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1386
984
self.dbus_object_path, interface_name, property_name))
1387
985
1388
986
@classmethod
1389
987
def _get_all_interface_names(cls):
1390
988
"""Get a sequence of all interfaces supported by an object"""
1393
991
for x in (inspect.getmro(cls))
1394
992
for attr in dir(x))
1395
993
if name is not None)
1396
994
1397
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1398
996
in_signature="ss",
1399
997
out_signature="v")
1407
1005
if not hasattr(value, "variant_level"):
1408
1006
return value
1409
1007
return type(value)(value, variant_level=value.variant_level+1)
1410
1008
1411
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1412
1010
def Set(self, interface_name, property_name, value):
1413
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1422
1020
raise ValueError("Byte arrays not supported for non-"
1423
1021
"'ay' signature {!r}"
1424
1022
.format(prop._dbus_signature))
1425
value = dbus.ByteArray(bytes(value))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1426
1025
prop(value)
1427
1026
1428
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1429
1028
in_signature="s",
1430
1029
out_signature="a{sv}")
1431
1030
def GetAll(self, interface_name):
1432
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1433
1032
standard.
1434
1033
1435
1034
Note: Will not include properties with access="write".
1436
1035
"""
1437
1036
properties = {}
1448
1047
properties[name] = value
1449
1048
continue
1450
1049
properties[name] = type(value)(
1451
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1452
1051
return dbus.Dictionary(properties, signature="sv")
1453
1052
1454
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1455
1054
def PropertiesChanged(self, interface_name, changed_properties,
1456
1055
invalidated_properties):
1458
1057
standard.
1459
1058
"""
1460
1059
pass
1461
1060
1462
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1463
1062
out_signature="s",
1464
1063
path_keyword='object_path',
1465
1064
connection_keyword='connection')
1466
1065
def Introspect(self, object_path, connection):
1467
1066
"""Overloading of standard D-Bus method.
1468
1067
1469
1068
Inserts property tags and interface annotation tags.
1470
1069
"""
1471
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1473
1072
connection)
1474
1073
try:
1475
1074
document = xml.dom.minidom.parseString(xmlstring)
1476
1075
1477
1076
def make_tag(document, name, prop):
1478
1077
e = document.createElement("property")
1479
1078
e.setAttribute("name", name)
1480
1079
e.setAttribute("type", prop._dbus_signature)
1481
1080
e.setAttribute("access", prop._dbus_access)
1482
1081
return e
1483
1082
1484
1083
for if_tag in document.getElementsByTagName("interface"):
1485
1084
# Add property tags
1486
1085
for tag in (make_tag(document, name, prop)
1528
1127
exc_info=error)
1529
1128
return xmlstring
1530
1129
1531
1532
1130
try:
1533
1131
dbus.OBJECT_MANAGER_IFACE
1534
1132
except AttributeError:
1535
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1536
1134
1537
1538
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1539
1136
"""A D-Bus object with an ObjectManager.
1540
1137
1541
1138
Classes inheriting from this exposes the standard
1542
1139
GetManagedObjects call and the InterfacesAdded and
1543
1140
InterfacesRemoved signals on the standard
1544
1141
"org.freedesktop.DBus.ObjectManager" interface.
1545
1142
1546
1143
Note: No signals are sent automatically; they must be sent
1547
1144
manually.
1548
1145
"""
1549
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1550
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1551
1148
def GetManagedObjects(self):
1552
1149
"""This function must be overridden"""
1553
1150
raise NotImplementedError()
1554
1151
1555
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1556
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1557
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1558
1155
pass
1559
1560
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1561
1158
def InterfacesRemoved(self, object_path, interfaces):
1562
1159
pass
1563
1160
1564
1161
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1565
out_signature="s",
1566
path_keyword='object_path',
1567
connection_keyword='connection')
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1568
1165
def Introspect(self, object_path, connection):
1569
1166
"""Overloading of standard D-Bus method.
1570
1167
1571
1168
Override return argument name of GetManagedObjects to be
1572
1169
"objpath_interfaces_and_properties"
1573
1170
"""
1576
1173
connection)
1577
1174
try:
1578
1175
document = xml.dom.minidom.parseString(xmlstring)
1579
1176
1580
1177
for if_tag in document.getElementsByTagName("interface"):
1581
1178
# Fix argument name for the GetManagedObjects method
1582
1179
if (if_tag.getAttribute("name")
1583
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1584
1181
for cn in if_tag.getElementsByTagName("method"):
1585
1182
if (cn.getAttribute("name")
1586
1183
== "GetManagedObjects"):
1596
1193
except (AttributeError, xml.dom.DOMException,
1597
1194
xml.parsers.expat.ExpatError) as error:
1598
1195
logger.error("Failed to override Introspection method",
1599
exc_info=error)
1196
exc_info = error)
1600
1197
return xmlstring
1601
1198
1602
1603
1199
def datetime_to_dbus(dt, variant_level=0):
1604
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1605
1201
if dt is None:
1606
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1607
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1608
1204
1609
1205
1612
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1613
1209
interface names according to the "alt_interface_names" mapping.
1614
1210
Usage:
1615
1211
1616
1212
@alternate_dbus_interfaces({"org.example.Interface":
1617
1213
"net.example.AlternateInterface"})
1618
1214
class SampleDBusObject(dbus.service.Object):
1619
1215
@dbus.service.method("org.example.Interface")
1620
1216
def SampleDBusMethod():
1621
1217
pass
1622
1218
1623
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1624
1220
reachable via two interfaces: "org.example.Interface" and
1625
1221
"net.example.AlternateInterface", the latter of which will have
1626
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1627
1223
"true", unless "deprecate" is passed with a False value.
1628
1224
1629
1225
This works for methods and signals, and also for D-Bus properties
1630
1226
(from DBusObjectWithProperties) and interfaces (from the
1631
1227
dbus_interface_annotations decorator).
1632
1228
"""
1633
1229
1634
1230
def wrapper(cls):
1635
1231
for orig_interface_name, alt_interface_name in (
1636
1232
alt_interface_names.items()):
1651
1247
interface_names.add(alt_interface)
1652
1248
# Is this a D-Bus signal?
1653
1249
if getattr(attribute, "_dbus_is_signal", False):
1654
# Extract the original non-method undecorated
1655
# function by black magic
1656
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1657
1253
nonmethod_func = (dict(
1658
1254
zip(attribute.func_code.co_freevars,
1659
1255
attribute.__closure__))
1660
1256
["func"].cell_contents)
1661
1257
else:
1662
nonmethod_func = (dict(
1663
zip(attribute.__code__.co_freevars,
1664
attribute.__closure__))
1665
["func"].cell_contents)
1258
nonmethod_func = attribute
1666
1259
# Create a new, but exactly alike, function
1667
1260
# object, and decorate it to be a new D-Bus signal
1668
1261
# with the alternate D-Bus interface name
1669
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1670
1276
new_function = (dbus.service.signal(
1671
1277
alt_interface,
1672
1278
attribute._dbus_signature)(new_function))
1676
1282
attribute._dbus_annotations)
1677
1283
except AttributeError:
1678
1284
pass
1679
1680
1285
# Define a creator of a function to call both the
1681
1286
# original and alternate functions, so both the
1682
1287
# original and alternate signals gets sent when
1685
1290
"""This function is a scope container to pass
1686
1291
func1 and func2 to the "call_both" function
1687
1292
outside of its arguments"""
1688
1293
1689
1294
@functools.wraps(func2)
1690
1295
def call_both(*args, **kwargs):
1691
1296
"""This function will emit two D-Bus
1692
1297
signals by calling func1 and func2"""
1693
1298
func1(*args, **kwargs)
1694
1299
func2(*args, **kwargs)
1695
# Make wrapper function look like a D-Bus
1696
# signal
1300
# Make wrapper function look like a D-Bus signal
1697
1301
for name, attr in inspect.getmembers(func2):
1698
1302
if name.startswith("_dbus_"):
1699
1303
setattr(call_both, name, attr)
1700
1304
1701
1305
return call_both
1702
1306
# Create the "call_both" function and add it to
1703
1307
# the class
1713
1317
alt_interface,
1714
1318
attribute._dbus_in_signature,
1715
1319
attribute._dbus_out_signature)
1716
(copy_function(attribute)))
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1717
1325
# Copy annotations, if any
1718
1326
try:
1719
1327
attr[attrname]._dbus_annotations = dict(
1731
1339
attribute._dbus_access,
1732
1340
attribute._dbus_get_args_options
1733
1341
["byte_arrays"])
1734
(copy_function(attribute)))
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1735
1348
# Copy annotations, if any
1736
1349
try:
1737
1350
attr[attrname]._dbus_annotations = dict(
1746
1359
# to the class.
1747
1360
attr[attrname] = (
1748
1361
dbus_interface_annotations(alt_interface)
1749
(copy_function(attribute)))
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1750
1367
if deprecate:
1751
1368
# Deprecate all alternate interfaces
1752
iname = "_AlternateDBusNames_interface_annotation{}"
1369
iname="_AlternateDBusNames_interface_annotation{}"
1753
1370
for interface_name in interface_names:
1754
1371
1755
1372
@dbus_interface_annotations(interface_name)
1756
1373
def func(self):
1757
return {"org.freedesktop.DBus.Deprecated":
1758
"true"}
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1759
1376
# Find an unused name
1760
1377
for aname in (iname.format(i)
1761
1378
for i in itertools.count()):
1765
1382
if interface_names:
1766
1383
# Replace the class with a new subclass of it with
1767
1384
# methods, signals, etc. as created above.
1768
if sys.version_info.major == 2:
1769
cls = type(b"{}Alternate".format(cls.__name__),
1770
(cls, ), attr)
1771
else:
1772
cls = type("{}Alternate".format(cls.__name__),
1773
(cls, ), attr)
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1774
1387
return cls
1775
1388
1776
1389
return wrapper
1777
1390
1778
1391
1780
1393
"se.bsnet.fukt.Mandos"})
1781
1394
class ClientDBus(Client, DBusObjectWithProperties):
1782
1395
"""A Client class using D-Bus
1783
1396
1784
1397
Attributes:
1785
1398
dbus_object_path: dbus.ObjectPath
1786
1399
bus: dbus.SystemBus()
1787
1400
"""
1788
1401
1789
1402
runtime_expansions = (Client.runtime_expansions
1790
1403
+ ("dbus_object_path", ))
1791
1404
1792
1405
_interface = "se.recompile.Mandos.Client"
1793
1406
1794
1407
# dbus.service.Object doesn't use super(), so we can't either.
1795
1796
def __init__(self, bus=None, *args, **kwargs):
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1797
1410
self.bus = bus
1798
1411
Client.__init__(self, *args, **kwargs)
1799
1412
# Only now, when this client is initialized, can it show up on
1805
1418
"/clients/" + client_object_name)
1806
1419
DBusObjectWithProperties.__init__(self, self.bus,
1807
1420
self.dbus_object_path)
1808
1421
1809
1422
def notifychangeproperty(transform_func, dbus_name,
1810
1423
type_func=lambda x: x,
1811
1424
variant_level=1,
1813
1426
_interface=_interface):
1814
1427
""" Modify a variable so that it's a property which announces
1815
1428
its changes to DBus.
1816
1429
1817
1430
transform_fun: Function that takes a value and a variant_level
1818
1431
and transforms it to a D-Bus type.
1819
1432
dbus_name: D-Bus name of the variable
1822
1435
variant_level: D-Bus variant level. Default: 1
1823
1436
"""
1824
1437
attrname = "_{}".format(dbus_name)
1825
1438
1826
1439
def setter(self, value):
1827
1440
if hasattr(self, "dbus_object_path"):
1828
1441
if (not hasattr(self, attrname) or
1835
1448
else:
1836
1449
dbus_value = transform_func(
1837
1450
type_func(value),
1838
variant_level=variant_level)
1451
variant_level = variant_level)
1839
1452
self.PropertyChanged(dbus.String(dbus_name),
1840
1453
dbus_value)
1841
1454
self.PropertiesChanged(
1842
1455
_interface,
1843
dbus.Dictionary({dbus.String(dbus_name):
1844
dbus_value}),
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1845
1458
dbus.Array())
1846
1459
setattr(self, attrname, value)
1847
1460
1848
1461
return property(lambda self: getattr(self, attrname), setter)
1849
1462
1850
1463
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1851
1464
approvals_pending = notifychangeproperty(dbus.Boolean,
1852
1465
"ApprovalPending",
1853
type_func=bool)
1466
type_func = bool)
1854
1467
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1855
1468
last_enabled = notifychangeproperty(datetime_to_dbus,
1856
1469
"LastEnabled")
1857
1470
checker = notifychangeproperty(
1858
1471
dbus.Boolean, "CheckerRunning",
1859
type_func=lambda checker: checker is not None)
1472
type_func = lambda checker: checker is not None)
1860
1473
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1861
1474
"LastCheckedOK")
1862
1475
last_checker_status = notifychangeproperty(dbus.Int16,
1867
1480
"ApprovedByDefault")
1868
1481
approval_delay = notifychangeproperty(
1869
1482
dbus.UInt64, "ApprovalDelay",
1870
type_func=lambda td: td.total_seconds() * 1000)
1483
type_func = lambda td: td.total_seconds() * 1000)
1871
1484
approval_duration = notifychangeproperty(
1872
1485
dbus.UInt64, "ApprovalDuration",
1873
type_func=lambda td: td.total_seconds() * 1000)
1486
type_func = lambda td: td.total_seconds() * 1000)
1874
1487
host = notifychangeproperty(dbus.String, "Host")
1875
1488
timeout = notifychangeproperty(
1876
1489
dbus.UInt64, "Timeout",
1877
type_func=lambda td: td.total_seconds() * 1000)
1490
type_func = lambda td: td.total_seconds() * 1000)
1878
1491
extended_timeout = notifychangeproperty(
1879
1492
dbus.UInt64, "ExtendedTimeout",
1880
type_func=lambda td: td.total_seconds() * 1000)
1493
type_func = lambda td: td.total_seconds() * 1000)
1881
1494
interval = notifychangeproperty(
1882
1495
dbus.UInt64, "Interval",
1883
type_func=lambda td: td.total_seconds() * 1000)
1496
type_func = lambda td: td.total_seconds() * 1000)
1884
1497
checker_command = notifychangeproperty(dbus.String, "Checker")
1885
1498
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1886
1499
invalidate_only=True)
1887
1500
1888
1501
del notifychangeproperty
1889
1502
1890
1503
def __del__(self, *args, **kwargs):
1891
1504
try:
1892
1505
self.remove_from_connection()
1895
1508
if hasattr(DBusObjectWithProperties, "__del__"):
1896
1509
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1897
1510
Client.__del__(self, *args, **kwargs)
1898
1511
1899
1512
def checker_callback(self, source, condition,
1900
1513
connection, command, *args, **kwargs):
1901
1514
ret = Client.checker_callback(self, source, condition,
1917
1530
| self.last_checker_signal),
1918
1531
dbus.String(command))
1919
1532
return ret
1920
1533
1921
1534
def start_checker(self, *args, **kwargs):
1922
1535
old_checker_pid = getattr(self.checker, "pid", None)
1923
1536
r = Client.start_checker(self, *args, **kwargs)
1927
1540
# Emit D-Bus signal
1928
1541
self.CheckerStarted(self.current_checker_command)
1929
1542
return r
1930
1543
1931
1544
def _reset_approved(self):
1932
1545
self.approved = None
1933
1546
return False
1934
1547
1935
1548
def approve(self, value=True):
1936
1549
self.approved = value
1937
GLib.timeout_add(int(self.approval_duration.total_seconds()
1938
* 1000), self._reset_approved)
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1939
1552
self.send_changedstate()
1940
1941
# D-Bus methods, signals & properties
1942
1943
# Interfaces
1944
1945
# Signals
1946
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1947
1560
# CheckerCompleted - signal
1948
1561
@dbus.service.signal(_interface, signature="nxs")
1949
1562
def CheckerCompleted(self, exitcode, waitstatus, command):
1950
1563
"D-Bus signal"
1951
1564
pass
1952
1565
1953
1566
# CheckerStarted - signal
1954
1567
@dbus.service.signal(_interface, signature="s")
1955
1568
def CheckerStarted(self, command):
1956
1569
"D-Bus signal"
1957
1570
pass
1958
1571
1959
1572
# PropertyChanged - signal
1960
1573
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1961
1574
@dbus.service.signal(_interface, signature="sv")
1962
1575
def PropertyChanged(self, property, value):
1963
1576
"D-Bus signal"
1964
1577
pass
1965
1578
1966
1579
# GotSecret - signal
1967
1580
@dbus.service.signal(_interface)
1968
1581
def GotSecret(self):
1971
1584
server to mandos-client
1972
1585
"""
1973
1586
pass
1974
1587
1975
1588
# Rejected - signal
1976
1589
@dbus.service.signal(_interface, signature="s")
1977
1590
def Rejected(self, reason):
1978
1591
"D-Bus signal"
1979
1592
pass
1980
1593
1981
1594
# NeedApproval - signal
1982
1595
@dbus.service.signal(_interface, signature="tb")
1983
1596
def NeedApproval(self, timeout, default):
1984
1597
"D-Bus signal"
1985
1598
return self.need_approval()
1986
1987
# Methods
1988
1599
1600
## Methods
1601
1989
1602
# Approve - method
1990
1603
@dbus.service.method(_interface, in_signature="b")
1991
1604
def Approve(self, value):
1992
1605
self.approve(value)
1993
1606
1994
1607
# CheckedOK - method
1995
1608
@dbus.service.method(_interface)
1996
1609
def CheckedOK(self):
1997
1610
self.checked_ok()
1998
1611
1999
1612
# Enable - method
2000
1613
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2001
1614
@dbus.service.method(_interface)
2002
1615
def Enable(self):
2003
1616
"D-Bus method"
2004
1617
self.enable()
2005
1618
2006
1619
# StartChecker - method
2007
1620
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1621
@dbus.service.method(_interface)
2009
1622
def StartChecker(self):
2010
1623
"D-Bus method"
2011
1624
self.start_checker()
2012
1625
2013
1626
# Disable - method
2014
1627
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2015
1628
@dbus.service.method(_interface)
2016
1629
def Disable(self):
2017
1630
"D-Bus method"
2018
1631
self.disable()
2019
1632
2020
1633
# StopChecker - method
2021
1634
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2022
1635
@dbus.service.method(_interface)
2023
1636
def StopChecker(self):
2024
1637
self.stop_checker()
2025
2026
# Properties
2027
1638
1639
## Properties
1640
2028
1641
# ApprovalPending - property
2029
1642
@dbus_service_property(_interface, signature="b", access="read")
2030
1643
def ApprovalPending_dbus_property(self):
2031
1644
return dbus.Boolean(bool(self.approvals_pending))
2032
1645
2033
1646
# ApprovedByDefault - property
2034
1647
@dbus_service_property(_interface,
2035
1648
signature="b",
2038
1651
if value is None: # get
2039
1652
return dbus.Boolean(self.approved_by_default)
2040
1653
self.approved_by_default = bool(value)
2041
1654
2042
1655
# ApprovalDelay - property
2043
1656
@dbus_service_property(_interface,
2044
1657
signature="t",
2048
1661
return dbus.UInt64(self.approval_delay.total_seconds()
2049
1662
* 1000)
2050
1663
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2051
1664
2052
1665
# ApprovalDuration - property
2053
1666
@dbus_service_property(_interface,
2054
1667
signature="t",
2058
1671
return dbus.UInt64(self.approval_duration.total_seconds()
2059
1672
* 1000)
2060
1673
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2061
1674
2062
1675
# Name - property
2063
1676
@dbus_annotations(
2064
1677
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2065
1678
@dbus_service_property(_interface, signature="s", access="read")
2066
1679
def Name_dbus_property(self):
2067
1680
return dbus.String(self.name)
2068
2069
# KeyID - property
2070
@dbus_annotations(
2071
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2072
@dbus_service_property(_interface, signature="s", access="read")
2073
def KeyID_dbus_property(self):
2074
return dbus.String(self.key_id)
2075
1681
2076
1682
# Fingerprint - property
2077
1683
@dbus_annotations(
2078
1684
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
1685
@dbus_service_property(_interface, signature="s", access="read")
2080
1686
def Fingerprint_dbus_property(self):
2081
1687
return dbus.String(self.fingerprint)
2082
1688
2083
1689
# Host - property
2084
1690
@dbus_service_property(_interface,
2085
1691
signature="s",
2088
1694
if value is None: # get
2089
1695
return dbus.String(self.host)
2090
1696
self.host = str(value)
2091
1697
2092
1698
# Created - property
2093
1699
@dbus_annotations(
2094
1700
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2095
1701
@dbus_service_property(_interface, signature="s", access="read")
2096
1702
def Created_dbus_property(self):
2097
1703
return datetime_to_dbus(self.created)
2098
1704
2099
1705
# LastEnabled - property
2100
1706
@dbus_service_property(_interface, signature="s", access="read")
2101
1707
def LastEnabled_dbus_property(self):
2102
1708
return datetime_to_dbus(self.last_enabled)
2103
1709
2104
1710
# Enabled - property
2105
1711
@dbus_service_property(_interface,
2106
1712
signature="b",
2112
1718
self.enable()
2113
1719
else:
2114
1720
self.disable()
2115
1721
2116
1722
# LastCheckedOK - property
2117
1723
@dbus_service_property(_interface,
2118
1724
signature="s",
2122
1728
self.checked_ok()
2123
1729
return
2124
1730
return datetime_to_dbus(self.last_checked_ok)
2125
1731
2126
1732
# LastCheckerStatus - property
2127
1733
@dbus_service_property(_interface, signature="n", access="read")
2128
1734
def LastCheckerStatus_dbus_property(self):
2129
1735
return dbus.Int16(self.last_checker_status)
2130
1736
2131
1737
# Expires - property
2132
1738
@dbus_service_property(_interface, signature="s", access="read")
2133
1739
def Expires_dbus_property(self):
2134
1740
return datetime_to_dbus(self.expires)
2135
1741
2136
1742
# LastApprovalRequest - property
2137
1743
@dbus_service_property(_interface, signature="s", access="read")
2138
1744
def LastApprovalRequest_dbus_property(self):
2139
1745
return datetime_to_dbus(self.last_approval_request)
2140
1746
2141
1747
# Timeout - property
2142
1748
@dbus_service_property(_interface,
2143
1749
signature="t",
2158
1764
if (getattr(self, "disable_initiator_tag", None)
2159
1765
is None):
2160
1766
return
2161
GLib.source_remove(self.disable_initiator_tag)
2162
self.disable_initiator_tag = GLib.timeout_add(
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2163
1769
int((self.expires - now).total_seconds() * 1000),
2164
1770
self.disable)
2165
1771
2166
1772
# ExtendedTimeout - property
2167
1773
@dbus_service_property(_interface,
2168
1774
signature="t",
2172
1778
return dbus.UInt64(self.extended_timeout.total_seconds()
2173
1779
* 1000)
2174
1780
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2175
1781
2176
1782
# Interval - property
2177
1783
@dbus_service_property(_interface,
2178
1784
signature="t",
2185
1791
return
2186
1792
if self.enabled:
2187
1793
# Reschedule checker run
2188
GLib.source_remove(self.checker_initiator_tag)
2189
self.checker_initiator_tag = GLib.timeout_add(
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2190
1796
value, self.start_checker)
2191
self.start_checker() # Start one now, too
2192
1797
self.start_checker() # Start one now, too
1798
2193
1799
# Checker - property
2194
1800
@dbus_service_property(_interface,
2195
1801
signature="s",
2198
1804
if value is None: # get
2199
1805
return dbus.String(self.checker_command)
2200
1806
self.checker_command = str(value)
2201
1807
2202
1808
# CheckerRunning - property
2203
1809
@dbus_service_property(_interface,
2204
1810
signature="b",
2210
1816
self.start_checker()
2211
1817
else:
2212
1818
self.stop_checker()
2213
1819
2214
1820
# ObjectPath - property
2215
1821
@dbus_annotations(
2216
1822
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2217
1823
"org.freedesktop.DBus.Deprecated": "true"})
2218
1824
@dbus_service_property(_interface, signature="o", access="read")
2219
1825
def ObjectPath_dbus_property(self):
2220
return self.dbus_object_path # is already a dbus.ObjectPath
2221
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2222
1828
# Secret = property
2223
1829
@dbus_annotations(
2224
1830
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2229
1835
byte_arrays=True)
2230
1836
def Secret_dbus_property(self, value):
2231
1837
self.secret = bytes(value)
2232
1838
2233
1839
del _interface
2234
1840
2235
1841
2236
class ProxyClient:
2237
def __init__(self, child_pipe, key_id, fpr, address):
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2238
1844
self._pipe = child_pipe
2239
self._pipe.send(('init', key_id, fpr, address))
1845
self._pipe.send(('init', fpr, address))
2240
1846
if not self._pipe.recv():
2241
raise KeyError(key_id or fpr)
2242
1847
raise KeyError(fpr)
1848
2243
1849
def __getattribute__(self, name):
2244
1850
if name == '_pipe':
2245
1851
return super(ProxyClient, self).__getattribute__(name)
2248
1854
if data[0] == 'data':
2249
1855
return data[1]
2250
1856
if data[0] == 'function':
2251
1857
2252
1858
def func(*args, **kwargs):
2253
1859
self._pipe.send(('funcall', name, args, kwargs))
2254
1860
return self._pipe.recv()[1]
2255
1861
2256
1862
return func
2257
1863
2258
1864
def __setattr__(self, name, value):
2259
1865
if name == '_pipe':
2260
1866
return super(ProxyClient, self).__setattr__(name, value)
2263
1869
2264
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2265
1871
"""A class to handle client connections.
2266
1872
2267
1873
Instantiated once for each connection to handle it.
2268
1874
Note: This will run in its own forked process."""
2269
1875
2270
1876
def handle(self):
2271
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2272
1878
logger.info("TCP connection from: %s",
2273
1879
str(self.client_address))
2274
1880
logger.debug("Pipe FD: %d",
2275
1881
self.server.child_pipe.fileno())
2276
2277
session = gnutls.ClientSession(self.request)
2278
2279
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2280
# "+AES-256-CBC", "+SHA1",
2281
# "+COMP-NULL", "+CTYPE-OPENPGP",
2282
# "+DHE-DSS"))
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2283
1895
# Use a fallback default, since this MUST be set.
2284
1896
priority = self.server.gnutls_priority
2285
1897
if priority is None:
2286
1898
priority = "NORMAL"
2287
gnutls.priority_set_direct(session._c_object,
2288
priority.encode("utf-8"),
2289
None)
2290
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2291
1902
# Start communication using the Mandos protocol
2292
1903
# Get protocol number
2293
1904
line = self.request.makefile().readline()
2298
1909
except (ValueError, IndexError, RuntimeError) as error:
2299
1910
logger.error("Unknown protocol version: %s", error)
2300
1911
return
2301
1912
2302
1913
# Start GnuTLS connection
2303
1914
try:
2304
1915
session.handshake()
2305
except gnutls.Error as error:
1916
except gnutls.errors.GNUTLSError as error:
2306
1917
logger.warning("Handshake failed: %s", error)
2307
1918
# Do not run session.bye() here: the session is not
2308
1919
# established. Just abandon the request.
2309
1920
return
2310
1921
logger.debug("Handshake succeeded")
2311
1922
2312
1923
approval_required = False
2313
1924
try:
2314
if gnutls.has_rawpk:
2315
fpr = b""
2316
try:
2317
key_id = self.key_id(
2318
self.peer_certificate(session))
2319
except (TypeError, gnutls.Error) as error:
2320
logger.warning("Bad certificate: %s", error)
2321
return
2322
logger.debug("Key ID: %s", key_id)
2323
2324
else:
2325
key_id = b""
2326
try:
2327
fpr = self.fingerprint(
2328
self.peer_certificate(session))
2329
except (TypeError, gnutls.Error) as error:
2330
logger.warning("Bad certificate: %s", error)
2331
return
2332
logger.debug("Fingerprint: %s", fpr)
2333
2334
try:
2335
client = ProxyClient(child_pipe, key_id, fpr,
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2336
1936
self.client_address)
2337
1937
except KeyError:
2338
1938
return
2339
1939
2340
1940
if client.approval_delay:
2341
1941
delay = client.approval_delay
2342
1942
client.approvals_pending += 1
2343
1943
approval_required = True
2344
1944
2345
1945
while True:
2346
1946
if not client.enabled:
2347
1947
logger.info("Client %s is disabled",
2350
1950
# Emit D-Bus signal
2351
1951
client.Rejected("Disabled")
2352
1952
return
2353
1953
2354
1954
if client.approved or not client.approval_delay:
2355
# We are approved or approval is disabled
1955
#We are approved or approval is disabled
2356
1956
break
2357
1957
elif client.approved is None:
2358
1958
logger.info("Client %s needs approval",
2369
1969
# Emit D-Bus signal
2370
1970
client.Rejected("Denied")
2371
1971
return
2372
2373
# wait until timeout or approved
1972
1973
#wait until timeout or approved
2374
1974
time = datetime.datetime.now()
2375
1975
client.changedstate.acquire()
2376
1976
client.changedstate.wait(delay.total_seconds())
2389
1989
break
2390
1990
else:
2391
1991
delay -= time2 - time
2392
2393
try:
2394
session.send(client.secret)
2395
except gnutls.Error as error:
2396
logger.warning("gnutls send failed",
2397
exc_info=error)
2398
return
2399
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2400
2006
logger.info("Sending secret to %s", client.name)
2401
2007
# bump the timeout using extended_timeout
2402
2008
client.bump_timeout(client.extended_timeout)
2403
2009
if self.server.use_dbus:
2404
2010
# Emit D-Bus signal
2405
2011
client.GotSecret()
2406
2012
2407
2013
finally:
2408
2014
if approval_required:
2409
2015
client.approvals_pending -= 1
2410
2016
try:
2411
2017
session.bye()
2412
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2413
2019
logger.warning("GnuTLS bye failed",
2414
2020
exc_info=error)
2415
2021
2416
2022
@staticmethod
2417
2023
def peer_certificate(session):
2418
"Return the peer's certificate as a bytestring"
2419
try:
2420
cert_type = gnutls.certificate_type_get2(session._c_object,
2421
gnutls.CTYPE_PEERS)
2422
except AttributeError:
2423
cert_type = gnutls.certificate_type_get(session._c_object)
2424
if gnutls.has_rawpk:
2425
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2426
else:
2427
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2428
# If not a valid certificate type...
2429
if cert_type not in valid_cert_types:
2430
logger.info("Cert type %r not in %r", cert_type,
2431
valid_cert_types)
2432
# ...return invalid data
2433
return b""
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2434
2031
list_size = ctypes.c_uint(1)
2435
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2436
2034
(session._c_object, ctypes.byref(list_size)))
2437
2035
if not bool(cert_list) and list_size.value != 0:
2438
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2439
2038
if list_size.value == 0:
2440
2039
return None
2441
2040
cert = cert_list[0]
2442
2041
return ctypes.string_at(cert.data, cert.size)
2443
2444
@staticmethod
2445
def key_id(certificate):
2446
"Convert a certificate bytestring to a hexdigit key ID"
2447
# New GnuTLS "datum" with the public key
2448
datum = gnutls.datum_t(
2449
ctypes.cast(ctypes.c_char_p(certificate),
2450
ctypes.POINTER(ctypes.c_ubyte)),
2451
ctypes.c_uint(len(certificate)))
2452
# XXX all these need to be created in the gnutls "module"
2453
# New empty GnuTLS certificate
2454
pubkey = gnutls.pubkey_t()
2455
gnutls.pubkey_init(ctypes.byref(pubkey))
2456
# Import the raw public key into the certificate
2457
gnutls.pubkey_import(pubkey,
2458
ctypes.byref(datum),
2459
gnutls.X509_FMT_DER)
2460
# New buffer for the key ID
2461
buf = ctypes.create_string_buffer(32)
2462
buf_len = ctypes.c_size_t(len(buf))
2463
# Get the key ID from the raw public key into the buffer
2464
gnutls.pubkey_get_key_id(pubkey,
2465
gnutls.KEYID_USE_SHA256,
2466
ctypes.cast(ctypes.byref(buf),
2467
ctypes.POINTER(ctypes.c_ubyte)),
2468
ctypes.byref(buf_len))
2469
# Deinit the certificate
2470
gnutls.pubkey_deinit(pubkey)
2471
2472
# Convert the buffer to a Python bytestring
2473
key_id = ctypes.string_at(buf, buf_len.value)
2474
# Convert the bytestring to hexadecimal notation
2475
hex_key_id = binascii.hexlify(key_id).upper()
2476
return hex_key_id
2477
2042
2478
2043
@staticmethod
2479
2044
def fingerprint(openpgp):
2480
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2481
2046
# New GnuTLS "datum" with the OpenPGP public key
2482
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2483
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2484
2049
ctypes.POINTER(ctypes.c_ubyte)),
2485
2050
ctypes.c_uint(len(openpgp)))
2486
2051
# New empty GnuTLS certificate
2487
crt = gnutls.openpgp_crt_t()
2488
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2489
2055
# Import the OpenPGP public key into the certificate
2490
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2491
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2492
2059
# Verify the self signature in the key
2493
2060
crtverify = ctypes.c_uint()
2494
gnutls.openpgp_crt_verify_self(crt, 0,
2495
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2496
2063
if crtverify.value != 0:
2497
gnutls.openpgp_crt_deinit(crt)
2498
raise gnutls.CertificateSecurityError(code
2499
=crtverify.value)
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2500
2067
# New buffer for the fingerprint
2501
2068
buf = ctypes.create_string_buffer(20)
2502
2069
buf_len = ctypes.c_size_t()
2503
2070
# Get the fingerprint from the certificate into the buffer
2504
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2505
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2506
2073
# Deinit the certificate
2507
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2508
2075
# Convert the buffer to a Python bytestring
2509
2076
fpr = ctypes.string_at(buf, buf_len.value)
2510
2077
# Convert the bytestring to hexadecimal notation
2512
2079
return hex_fpr
2513
2080
2514
2081
2515
class MultiprocessingMixIn:
2082
class MultiprocessingMixIn(object):
2516
2083
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2517
2084
2518
2085
def sub_process_main(self, request, address):
2519
2086
try:
2520
2087
self.finish_request(request, address)
2521
2088
except Exception:
2522
2089
self.handle_error(request, address)
2523
2090
self.close_request(request)
2524
2091
2525
2092
def process_request(self, request, address):
2526
2093
"""Start a new process to process the request."""
2527
proc = multiprocessing.Process(target=self.sub_process_main,
2528
args=(request, address))
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2529
2096
proc.start()
2530
2097
return proc
2531
2098
2532
2099
2533
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2534
2101
""" adds a pipe to the MixIn """
2535
2102
2536
2103
def process_request(self, request, client_address):
2537
2104
"""Overrides and wraps the original process_request().
2538
2105
2539
2106
This function creates a new pipe in self.pipe
2540
2107
"""
2541
2108
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2542
2109
2543
2110
proc = MultiprocessingMixIn.process_request(self, request,
2544
2111
client_address)
2545
2112
self.child_pipe.close()
2546
2113
self.add_pipe(parent_pipe, proc)
2547
2114
2548
2115
def add_pipe(self, parent_pipe, proc):
2549
2116
"""Dummy function; override as necessary"""
2550
2117
raise NotImplementedError()
2551
2118
2552
2119
2553
2120
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2554
socketserver.TCPServer):
2121
socketserver.TCPServer, object):
2555
2122
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2556
2123
2557
2124
Attributes:
2558
2125
enabled: Boolean; whether this server is activated yet
2559
2126
interface: None or a network interface name (string)
2560
2127
use_ipv6: Boolean; to use IPv6 or not
2561
2128
"""
2562
2129
2563
2130
def __init__(self, server_address, RequestHandlerClass,
2564
2131
interface=None,
2565
2132
use_ipv6=True,
2575
2142
self.socketfd = socketfd
2576
2143
# Save the original socket.socket() function
2577
2144
self.socket_socket = socket.socket
2578
2579
2145
# To implement --socket, we monkey patch socket.socket.
2580
#
2146
#
2581
2147
# (When socketserver.TCPServer is a new-style class, we
2582
2148
# could make self.socket into a property instead of monkey
2583
2149
# patching socket.socket.)
2584
#
2150
#
2585
2151
# Create a one-time-only replacement for socket.socket()
2586
2152
@functools.wraps(socket.socket)
2587
2153
def socket_wrapper(*args, **kwargs):
2599
2165
# socket_wrapper(), if socketfd was set.
2600
2166
socketserver.TCPServer.__init__(self, server_address,
2601
2167
RequestHandlerClass)
2602
2168
2603
2169
def server_bind(self):
2604
2170
"""This overrides the normal server_bind() function
2605
2171
to bind to an interface if one was specified, and also NOT to
2606
2172
bind to an address or port if they were not specified."""
2607
global SO_BINDTODEVICE
2608
2173
if self.interface is not None:
2609
2174
if SO_BINDTODEVICE is None:
2610
# Fall back to a hard-coded value which seems to be
2611
# common enough.
2612
logger.warning("SO_BINDTODEVICE not found, trying 25")
2613
SO_BINDTODEVICE = 25
2614
try:
2615
self.socket.setsockopt(
2616
socket.SOL_SOCKET, SO_BINDTODEVICE,
2617
(self.interface + "\0").encode("utf-8"))
2618
except socket.error as error:
2619
if error.errno == errno.EPERM:
2620
logger.error("No permission to bind to"
2621
" interface %s", self.interface)
2622
elif error.errno == errno.ENOPROTOOPT:
2623
logger.error("SO_BINDTODEVICE not available;"
2624
" cannot bind to interface %s",
2625
self.interface)
2626
elif error.errno == errno.ENODEV:
2627
logger.error("Interface %s does not exist,"
2628
" cannot bind", self.interface)
2629
else:
2630
raise
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2631
2196
# Only bind(2) the socket if we really need to.
2632
2197
if self.server_address[0] or self.server_address[1]:
2633
if self.server_address[1]:
2634
self.allow_reuse_address = True
2635
2198
if not self.server_address[0]:
2636
2199
if self.address_family == socket.AF_INET6:
2637
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2638
2201
else:
2639
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2640
2203
self.server_address = (any_address,
2641
2204
self.server_address[1])
2642
2205
elif not self.server_address[1]:
2652
2215
2653
2216
class MandosServer(IPv6_TCPServer):
2654
2217
"""Mandos server.
2655
2218
2656
2219
Attributes:
2657
2220
clients: set of Client objects
2658
2221
gnutls_priority GnuTLS priority string
2659
2222
use_dbus: Boolean; to emit D-Bus signals or not
2660
2661
Assumes a GLib.MainLoop event loop.
2223
2224
Assumes a gobject.MainLoop event loop.
2662
2225
"""
2663
2226
2664
2227
def __init__(self, server_address, RequestHandlerClass,
2665
2228
interface=None,
2666
2229
use_ipv6=True,
2676
2239
self.gnutls_priority = gnutls_priority
2677
2240
IPv6_TCPServer.__init__(self, server_address,
2678
2241
RequestHandlerClass,
2679
interface=interface,
2680
use_ipv6=use_ipv6,
2681
socketfd=socketfd)
2682
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2683
2246
def server_activate(self):
2684
2247
if self.enabled:
2685
2248
return socketserver.TCPServer.server_activate(self)
2686
2249
2687
2250
def enable(self):
2688
2251
self.enabled = True
2689
2252
2690
2253
def add_pipe(self, parent_pipe, proc):
2691
2254
# Call "handle_ipc" for both data and EOF events
2692
GLib.io_add_watch(
2693
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2694
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2695
2258
functools.partial(self.handle_ipc,
2696
parent_pipe=parent_pipe,
2697
proc=proc))
2698
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2699
2262
def handle_ipc(self, source, condition,
2700
2263
parent_pipe=None,
2701
proc=None,
2264
proc = None,
2702
2265
client_object=None):
2703
2266
# error, or the other end of multiprocessing.Pipe has closed
2704
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2705
2268
# Wait for other process to exit
2706
2269
proc.join()
2707
2270
return False
2708
2271
2709
2272
# Read a request from the child
2710
2273
request = parent_pipe.recv()
2711
2274
command = request[0]
2712
2275
2713
2276
if command == 'init':
2714
key_id = request[1].decode("ascii")
2715
fpr = request[2].decode("ascii")
2716
address = request[3]
2717
2718
for c in self.clients.values():
2719
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2720
continue
2721
if key_id and c.key_id == key_id:
2722
client = c
2723
break
2724
if fpr and c.fingerprint == fpr:
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2725
2282
client = c
2726
2283
break
2727
2284
else:
2728
logger.info("Client not found for key ID: %s, address"
2729
": %s", key_id or fpr, address)
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2730
2287
if self.use_dbus:
2731
2288
# Emit D-Bus signal
2732
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
mandos_dbus_service.ClientNotFound(fpr,
2733
2290
address[0])
2734
2291
parent_pipe.send(False)
2735
2292
return False
2736
2737
GLib.io_add_watch(
2738
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2739
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2740
2297
functools.partial(self.handle_ipc,
2741
parent_pipe=parent_pipe,
2742
proc=proc,
2743
client_object=client))
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2744
2301
parent_pipe.send(True)
2745
2302
# remove the old hook in favor of the new above hook on
2746
2303
# same fileno
2749
2306
funcname = request[1]
2750
2307
args = request[2]
2751
2308
kwargs = request[3]
2752
2309
2753
2310
parent_pipe.send(('data', getattr(client_object,
2754
2311
funcname)(*args,
2755
2312
**kwargs)))
2756
2313
2757
2314
if command == 'getattr':
2758
2315
attrname = request[1]
2759
2316
if isinstance(client_object.__getattribute__(attrname),
2760
collections.abc.Callable):
2317
collections.Callable):
2761
2318
parent_pipe.send(('function', ))
2762
2319
else:
2763
2320
parent_pipe.send((
2764
2321
'data', client_object.__getattribute__(attrname)))
2765
2322
2766
2323
if command == 'setattr':
2767
2324
attrname = request[1]
2768
2325
value = request[2]
2769
2326
setattr(client_object, attrname, value)
2770
2327
2771
2328
return True
2772
2329
2773
2330
2774
2331
def rfc3339_duration_to_delta(duration):
2775
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2776
2777
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2778
True
2779
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2780
True
2781
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2782
True
2783
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2784
True
2785
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2786
True
2787
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2788
True
2789
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2790
True
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2791
2348
"""
2792
2349
2793
2350
# Parsing an RFC 3339 duration with regular expressions is not
2794
2351
# possible - there would have to be multiple places for the same
2795
2352
# values, like seconds. The current code, while more esoteric, is
2796
2353
# cleaner without depending on a parsing library. If Python had a
2797
2354
# built-in library for parsing we would use it, but we'd like to
2798
2355
# avoid excessive use of external libraries.
2799
2356
2800
2357
# New type for defining tokens, syntax, and semantics all-in-one
2801
2358
Token = collections.namedtuple("Token", (
2802
2359
"regexp", # To match token; if "value" is not None, must have
2835
2392
frozenset((token_year, token_month,
2836
2393
token_day, token_time,
2837
2394
token_week)))
2838
# Define starting values:
2839
# Value so far
2840
value = datetime.timedelta()
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2841
2397
found_token = None
2842
# Following valid tokens
2843
followers = frozenset((token_duration, ))
2844
# String left to parse
2845
s = duration
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2846
2400
# Loop until end token is found
2847
2401
while found_token is not token_end:
2848
2402
# Search for any currently valid tokens
2872
2426
2873
2427
def string_to_delta(interval):
2874
2428
"""Parse a string and return a datetime.timedelta
2875
2876
>>> string_to_delta('7d') == datetime.timedelta(7)
2877
True
2878
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2879
True
2880
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2881
True
2882
>>> string_to_delta('24h') == datetime.timedelta(1)
2883
True
2884
>>> string_to_delta('1w') == datetime.timedelta(7)
2885
True
2886
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2887
True
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2888
2442
"""
2889
2443
2890
2444
try:
2891
2445
return rfc3339_duration_to_delta(interval)
2892
2446
except ValueError:
2893
2447
pass
2894
2448
2895
2449
timevalue = datetime.timedelta(0)
2896
2450
for s in interval.split():
2897
2451
try:
2915
2469
return timevalue
2916
2470
2917
2471
2918
def daemon(nochdir=False, noclose=False):
2472
def daemon(nochdir = False, noclose = False):
2919
2473
"""See daemon(3). Standard BSD Unix function.
2920
2474
2921
2475
This should really exist as os.daemon, but it doesn't (yet)."""
2922
2476
if os.fork():
2923
2477
sys.exit()
2941
2495
2942
2496
2943
2497
def main():
2944
2498
2945
2499
##################################################################
2946
2500
# Parsing of options, both command line and config file
2947
2501
2948
2502
parser = argparse.ArgumentParser()
2949
2503
parser.add_argument("-v", "--version", action="version",
2950
version="%(prog)s {}".format(version),
2504
version = "%(prog)s {}".format(version),
2951
2505
help="show version number and exit")
2952
2506
parser.add_argument("-i", "--interface", metavar="IF",
2953
2507
help="Bind to interface IF")
2989
2543
parser.add_argument("--no-zeroconf", action="store_false",
2990
2544
dest="zeroconf", help="Do not use Zeroconf",
2991
2545
default=None)
2992
2546
2993
2547
options = parser.parse_args()
2994
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2995
2554
# Default values for config file for server-global settings
2996
if gnutls.has_rawpk:
2997
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2998
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2999
else:
3000
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3001
":+SIGN-DSA-SHA256")
3002
server_defaults = {"interface": "",
3003
"address": "",
3004
"port": "",
3005
"debug": "False",
3006
"priority": priority,
3007
"servicename": "Mandos",
3008
"use_dbus": "True",
3009
"use_ipv6": "True",
3010
"debuglevel": "",
3011
"restore": "True",
3012
"socket": "",
3013
"statedir": "/var/lib/mandos",
3014
"foreground": "False",
3015
"zeroconf": "True",
3016
}
3017
del priority
3018
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3019
2573
# Parse config file for server-global settings
3020
server_config = configparser.ConfigParser(server_defaults)
2574
server_config = configparser.SafeConfigParser(server_defaults)
3021
2575
del server_defaults
3022
2576
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3023
# Convert the ConfigParser object to a dict
2577
# Convert the SafeConfigParser object to a dict
3024
2578
server_settings = server_config.defaults()
3025
2579
# Use the appropriate methods on the non-string config options
3026
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3027
"foreground", "zeroconf"):
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3028
2581
server_settings[option] = server_config.getboolean("DEFAULT",
3029
2582
option)
3030
2583
if server_settings["port"]:
3040
2593
server_settings["socket"] = os.dup(server_settings
3041
2594
["socket"])
3042
2595
del server_config
3043
2596
3044
2597
# Override the settings from the config file with command line
3045
2598
# options, if set.
3046
2599
for option in ("interface", "address", "port", "debug",
3064
2617
if server_settings["debug"]:
3065
2618
server_settings["foreground"] = True
3066
2619
# Now we have our good server settings in "server_settings"
3067
2620
3068
2621
##################################################################
3069
2622
3070
2623
if (not server_settings["zeroconf"]
3071
2624
and not (server_settings["port"]
3072
2625
or server_settings["socket"] != "")):
3073
2626
parser.error("Needs port or socket to work without Zeroconf")
3074
2627
3075
2628
# For convenience
3076
2629
debug = server_settings["debug"]
3077
2630
debuglevel = server_settings["debuglevel"]
3081
2634
stored_state_file)
3082
2635
foreground = server_settings["foreground"]
3083
2636
zeroconf = server_settings["zeroconf"]
3084
2637
3085
2638
if debug:
3086
2639
initlogger(debug, logging.DEBUG)
3087
2640
else:
3090
2643
else:
3091
2644
level = getattr(logging, debuglevel.upper())
3092
2645
initlogger(debug, level)
3093
2646
3094
2647
if server_settings["servicename"] != "Mandos":
3095
2648
syslogger.setFormatter(
3096
2649
logging.Formatter('Mandos ({}) [%(process)d]:'
3097
2650
' %(levelname)s: %(message)s'.format(
3098
2651
server_settings["servicename"])))
3099
2652
3100
2653
# Parse config file with clients
3101
client_config = configparser.ConfigParser(Client.client_defaults)
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3102
2656
client_config.read(os.path.join(server_settings["configdir"],
3103
2657
"clients.conf"))
3104
2658
3105
2659
global mandos_dbus_service
3106
2660
mandos_dbus_service = None
3107
2661
3108
2662
socketfd = None
3109
2663
if server_settings["socket"] != "":
3110
2664
socketfd = server_settings["socket"]
3126
2680
except IOError as e:
3127
2681
logger.error("Could not open file %r", pidfilename,
3128
2682
exc_info=e)
3129
3130
for name, group in (("_mandos", "_mandos"),
3131
("mandos", "mandos"),
3132
("nobody", "nogroup")):
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3133
2685
try:
3134
2686
uid = pwd.getpwnam(name).pw_uid
3135
gid = pwd.getpwnam(group).pw_gid
2687
gid = pwd.getpwnam(name).pw_gid
3136
2688
break
3137
2689
except KeyError:
3138
2690
continue
3142
2694
try:
3143
2695
os.setgid(gid)
3144
2696
os.setuid(uid)
3145
if debug:
3146
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3147
gid))
3148
2697
except OSError as error:
3149
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3150
.format(uid, gid, os.strerror(error.errno)))
3151
2698
if error.errno != errno.EPERM:
3152
2699
raise
3153
2700
3154
2701
if debug:
3155
2702
# Enable all possible GnuTLS debugging
3156
2703
3157
2704
# "Use a log level over 10 to enable all debugging options."
3158
2705
# - GnuTLS manual
3159
gnutls.global_set_log_level(11)
3160
3161
@gnutls.log_func
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3162
2709
def debug_gnutls(level, string):
3163
2710
logger.debug("GnuTLS: %s", string[:-1])
3164
3165
gnutls.global_set_log_function(debug_gnutls)
3166
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3167
2715
# Redirect stdin so all checkers get /dev/null
3168
2716
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3169
2717
os.dup2(null, sys.stdin.fileno())
3170
2718
if null > 2:
3171
2719
os.close(null)
3172
2720
3173
2721
# Need to fork before connecting to D-Bus
3174
2722
if not foreground:
3175
2723
# Close all input and output, do double fork, etc.
3176
2724
daemon()
3177
3178
if gi.version_info < (3, 10, 2):
3179
# multiprocessing will use threads, so before we use GLib we
3180
# need to inform GLib that threads will be used.
3181
GLib.threads_init()
3182
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3183
2730
global main_loop
3184
2731
# From the Avahi example code
3185
2732
DBusGMainLoop(set_as_default=True)
3186
main_loop = GLib.MainLoop()
2733
main_loop = gobject.MainLoop()
3187
2734
bus = dbus.SystemBus()
3188
2735
# End of Avahi example code
3189
2736
if use_dbus:
3202
2749
if zeroconf:
3203
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3204
2751
service = AvahiServiceToSyslog(
3205
name=server_settings["servicename"],
3206
servicetype="_mandos._tcp",
3207
protocol=protocol,
3208
bus=bus)
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3209
2756
if server_settings["interface"]:
3210
2757
service.interface = if_nametoindex(
3211
2758
server_settings["interface"].encode("utf-8"))
3212
2759
3213
2760
global multiprocessing_manager
3214
2761
multiprocessing_manager = multiprocessing.Manager()
3215
2762
3216
2763
client_class = Client
3217
2764
if use_dbus:
3218
client_class = functools.partial(ClientDBus, bus=bus)
3219
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3220
2767
client_settings = Client.config_parser(client_config)
3221
2768
old_client_settings = {}
3222
2769
clients_data = {}
3223
2770
3224
2771
# This is used to redirect stdout and stderr for checker processes
3225
2772
global wnull
3226
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3227
2774
# Only used if server is running in foreground but not in debug
3228
2775
# mode
3229
2776
if debug or not foreground:
3230
2777
wnull.close()
3231
2778
3232
2779
# Get client data and settings from last running state.
3233
2780
if server_settings["restore"]:
3234
2781
try:
3235
2782
with open(stored_state_path, "rb") as stored_state:
3236
if sys.version_info.major == 2:
3237
clients_data, old_client_settings = pickle.load(
3238
stored_state)
3239
else:
3240
bytes_clients_data, bytes_old_client_settings = (
3241
pickle.load(stored_state, encoding="bytes"))
3242
# Fix bytes to strings
3243
# clients_data
3244
# .keys()
3245
clients_data = {(key.decode("utf-8")
3246
if isinstance(key, bytes)
3247
else key): value
3248
for key, value in
3249
bytes_clients_data.items()}
3250
del bytes_clients_data
3251
for key in clients_data:
3252
value = {(k.decode("utf-8")
3253
if isinstance(k, bytes) else k): v
3254
for k, v in
3255
clients_data[key].items()}
3256
clients_data[key] = value
3257
# .client_structure
3258
value["client_structure"] = [
3259
(s.decode("utf-8")
3260
if isinstance(s, bytes)
3261
else s) for s in
3262
value["client_structure"]]
3263
# .name, .host, and .checker_command
3264
for k in ("name", "host", "checker_command"):
3265
if isinstance(value[k], bytes):
3266
value[k] = value[k].decode("utf-8")
3267
if "key_id" not in value:
3268
value["key_id"] = ""
3269
elif "fingerprint" not in value:
3270
value["fingerprint"] = ""
3271
# old_client_settings
3272
# .keys()
3273
old_client_settings = {
3274
(key.decode("utf-8")
3275
if isinstance(key, bytes)
3276
else key): value
3277
for key, value in
3278
bytes_old_client_settings.items()}
3279
del bytes_old_client_settings
3280
# .host and .checker_command
3281
for value in old_client_settings.values():
3282
for attribute in ("host", "checker_command"):
3283
if isinstance(value[attribute], bytes):
3284
value[attribute] = (value[attribute]
3285
.decode("utf-8"))
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3286
2785
os.remove(stored_state_path)
3287
2786
except IOError as e:
3288
2787
if e.errno == errno.ENOENT:
3296
2795
logger.warning("Could not load persistent state: "
3297
2796
"EOFError:",
3298
2797
exc_info=e)
3299
2798
3300
2799
with PGPEngine() as pgp:
3301
2800
for client_name, client in clients_data.items():
3302
2801
# Skip removed clients
3303
2802
if client_name not in client_settings:
3304
2803
continue
3305
2804
3306
2805
# Decide which value to use after restoring saved state.
3307
2806
# We have three different values: Old config file,
3308
2807
# new config file, and saved state.
3319
2818
client[name] = value
3320
2819
except KeyError:
3321
2820
pass
3322
2821
3323
2822
# Clients who has passed its expire date can still be
3324
2823
# enabled if its last checker was successful. A Client
3325
2824
# whose checker succeeded before we stored its state is
3358
2857
client_name))
3359
2858
client["secret"] = (client_settings[client_name]
3360
2859
["secret"])
3361
2860
3362
2861
# Add/remove clients based on new changes made to config
3363
2862
for client_name in (set(old_client_settings)
3364
2863
- set(client_settings)):
3366
2865
for client_name in (set(client_settings)
3367
2866
- set(old_client_settings)):
3368
2867
clients_data[client_name] = client_settings[client_name]
3369
2868
3370
2869
# Create all client objects
3371
2870
for client_name, client in clients_data.items():
3372
2871
tcp_server.clients[client_name] = client_class(
3373
name=client_name,
3374
settings=client,
3375
server_settings=server_settings)
3376
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3377
2876
if not tcp_server.clients:
3378
2877
logger.warning("No clients defined")
3379
2878
3380
2879
if not foreground:
3381
2880
if pidfile is not None:
3382
2881
pid = os.getpid()
3388
2887
pidfilename, pid)
3389
2888
del pidfile
3390
2889
del pidfilename
3391
3392
for termsig in (signal.SIGHUP, signal.SIGTERM):
3393
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3394
lambda: main_loop.quit() and False)
3395
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3396
2894
if use_dbus:
3397
2895
3398
2896
@alternate_dbus_interfaces(
3399
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3400
2898
class MandosDBusService(DBusObjectWithObjectManager):
3401
2899
"""A D-Bus proxy object"""
3402
2900
3403
2901
def __init__(self):
3404
2902
dbus.service.Object.__init__(self, bus, "/")
3405
2903
3406
2904
_interface = "se.recompile.Mandos"
3407
2905
3408
2906
@dbus.service.signal(_interface, signature="o")
3409
2907
def ClientAdded(self, objpath):
3410
2908
"D-Bus signal"
3411
2909
pass
3412
2910
3413
2911
@dbus.service.signal(_interface, signature="ss")
3414
def ClientNotFound(self, key_id, address):
2912
def ClientNotFound(self, fingerprint, address):
3415
2913
"D-Bus signal"
3416
2914
pass
3417
2915
3418
2916
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3419
2917
"true"})
3420
2918
@dbus.service.signal(_interface, signature="os")
3421
2919
def ClientRemoved(self, objpath, name):
3422
2920
"D-Bus signal"
3423
2921
pass
3424
2922
3425
2923
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3426
2924
"true"})
3427
2925
@dbus.service.method(_interface, out_signature="ao")
3428
2926
def GetAllClients(self):
3429
2927
"D-Bus method"
3430
2928
return dbus.Array(c.dbus_object_path for c in
3431
tcp_server.clients.values())
3432
2929
tcp_server.clients.itervalues())
2930
3433
2931
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3434
2932
"true"})
3435
2933
@dbus.service.method(_interface,
3437
2935
def GetAllClientsWithProperties(self):
3438
2936
"D-Bus method"
3439
2937
return dbus.Dictionary(
3440
{c.dbus_object_path: c.GetAll(
2938
{ c.dbus_object_path: c.GetAll(
3441
2939
"se.recompile.Mandos.Client")
3442
for c in tcp_server.clients.values()},
2940
for c in tcp_server.clients.itervalues() },
3443
2941
signature="oa{sv}")
3444
2942
3445
2943
@dbus.service.method(_interface, in_signature="o")
3446
2944
def RemoveClient(self, object_path):
3447
2945
"D-Bus method"
3448
for c in tcp_server.clients.values():
2946
for c in tcp_server.clients.itervalues():
3449
2947
if c.dbus_object_path == object_path:
3450
2948
del tcp_server.clients[c.name]
3451
2949
c.remove_from_connection()
3455
2953
self.client_removed_signal(c)
3456
2954
return
3457
2955
raise KeyError(object_path)
3458
2956
3459
2957
del _interface
3460
2958
3461
2959
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3462
out_signature="a{oa{sa{sv}}}")
2960
out_signature = "a{oa{sa{sv}}}")
3463
2961
def GetManagedObjects(self):
3464
2962
"""D-Bus method"""
3465
2963
return dbus.Dictionary(
3466
{client.dbus_object_path:
3467
dbus.Dictionary(
3468
{interface: client.GetAll(interface)
3469
for interface in
3470
client._get_all_interface_names()})
3471
for client in tcp_server.clients.values()})
3472
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3473
2971
def client_added_signal(self, client):
3474
2972
"""Send the new standard signal and the old signal"""
3475
2973
if use_dbus:
3477
2975
self.InterfacesAdded(
3478
2976
client.dbus_object_path,
3479
2977
dbus.Dictionary(
3480
{interface: client.GetAll(interface)
3481
for interface in
3482
client._get_all_interface_names()}))
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3483
2981
# Old signal
3484
2982
self.ClientAdded(client.dbus_object_path)
3485
2983
3486
2984
def client_removed_signal(self, client):
3487
2985
"""Send the new standard signal and the old signal"""
3488
2986
if use_dbus:
3493
2991
# Old signal
3494
2992
self.ClientRemoved(client.dbus_object_path,
3495
2993
client.name)
3496
2994
3497
2995
mandos_dbus_service = MandosDBusService()
3498
3499
# Save modules to variables to exempt the modules from being
3500
# unloaded before the function registered with atexit() is run.
3501
mp = multiprocessing
3502
wn = wnull
3503
2996
3504
2997
def cleanup():
3505
2998
"Cleanup function; run on exit"
3506
2999
if zeroconf:
3507
3000
service.cleanup()
3508
3509
mp.active_children()
3510
wn.close()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3511
3004
if not (tcp_server.clients or client_settings):
3512
3005
return
3513
3006
3514
3007
# Store client before exiting. Secrets are encrypted with key
3515
3008
# based on what config file has. If config file is
3516
3009
# removed/edited, old secret will thus be unrecovable.
3517
3010
clients = {}
3518
3011
with PGPEngine() as pgp:
3519
for client in tcp_server.clients.values():
3012
for client in tcp_server.clients.itervalues():
3520
3013
key = client_settings[client.name]["secret"]
3521
3014
client.encrypted_secret = pgp.encrypt(client.secret,
3522
3015
key)
3523
3016
client_dict = {}
3524
3017
3525
3018
# A list of attributes that can not be pickled
3526
3019
# + secret.
3527
exclude = {"bus", "changedstate", "secret",
3528
"checker", "server_settings"}
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3529
3022
for name, typ in inspect.getmembers(dbus.service
3530
3023
.Object):
3531
3024
exclude.add(name)
3532
3025
3533
3026
client_dict["encrypted_secret"] = (client
3534
3027
.encrypted_secret)
3535
3028
for attr in client.client_structure:
3536
3029
if attr not in exclude:
3537
3030
client_dict[attr] = getattr(client, attr)
3538
3031
3539
3032
clients[client.name] = client_dict
3540
3033
del client_settings[client.name]["secret"]
3541
3034
3542
3035
try:
3543
3036
with tempfile.NamedTemporaryFile(
3544
3037
mode='wb',
3546
3039
prefix='clients-',
3547
3040
dir=os.path.dirname(stored_state_path),
3548
3041
delete=False) as stored_state:
3549
pickle.dump((clients, client_settings), stored_state,
3550
protocol=2)
3042
pickle.dump((clients, client_settings), stored_state)
3551
3043
tempname = stored_state.name
3552
3044
os.rename(tempname, stored_state_path)
3553
3045
except (IOError, OSError) as e:
3563
3055
logger.warning("Could not save persistent state:",
3564
3056
exc_info=e)
3565
3057
raise
3566
3058
3567
3059
# Delete all clients, and settings from config
3568
3060
while tcp_server.clients:
3569
3061
name, client = tcp_server.clients.popitem()
3572
3064
# Don't signal the disabling
3573
3065
client.disable(quiet=True)
3574
3066
# Emit D-Bus signal for removal
3575
if use_dbus:
3576
mandos_dbus_service.client_removed_signal(client)
3067
mandos_dbus_service.client_removed_signal(client)
3577
3068
client_settings.clear()
3578
3069
3579
3070
atexit.register(cleanup)
3580
3581
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3582
3073
if use_dbus:
3583
3074
# Emit D-Bus signal for adding
3584
3075
mandos_dbus_service.client_added_signal(client)
3585
3076
# Need to initiate checking of clients
3586
3077
if client.enabled:
3587
3078
client.init_checker()
3588
3079
3589
3080
tcp_server.enable()
3590
3081
tcp_server.server_activate()
3591
3082
3592
3083
# Find out what port we got
3593
3084
if zeroconf:
3594
3085
service.port = tcp_server.socket.getsockname()[1]
3599
3090
else: # IPv4
3600
3091
logger.info("Now listening on address %r, port %d",
3601
3092
*tcp_server.socket.getsockname())
3602
3603
# service.interface = tcp_server.socket.getsockname()[3]
3604
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3605
3096
try:
3606
3097
if zeroconf:
3607
3098
# From the Avahi example code
3612
3103
cleanup()
3613
3104
sys.exit(1)
3614
3105
# End of Avahi example code
3615
3616
GLib.io_add_watch(
3617
GLib.IOChannel.unix_new(tcp_server.fileno()),
3618
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3619
lambda *args, **kwargs: (tcp_server.handle_request
3620
(*args[2:], **kwargs) or True))
3621
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3622
3112
logger.debug("Starting main loop")
3623
3113
main_loop.run()
3624
3114
except AvahiError as error:
3633
3123
# Must run before the D-Bus bus name gets deregistered
3634
3124
cleanup()
3635
3125
3636
3637
def should_only_run_tests():
3638
parser = argparse.ArgumentParser(add_help=False)
3639
parser.add_argument("--check", action='store_true')
3640
args, unknown_args = parser.parse_known_args()
3641
run_tests = args.check
3642
if run_tests:
3643
# Remove --check argument from sys.argv
3644
sys.argv[1:] = unknown_args
3645
return run_tests
3646
3647
# Add all tests from doctest strings
3648
def load_tests(loader, tests, none):
3649
import doctest
3650
tests.addTests(doctest.DocTestSuite())
3651
return tests
3652
3126
3653
3127
if __name__ == '__main__':
3654
try:
3655
if should_only_run_tests():
3656
# Call using ./mandos --check [--verbose]
3657
unittest.main()
3658
else:
3659
main()
3660
finally:
3661
logging.shutdown()
3128
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0