To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.335
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.335
- Committer: Teddy Hogeborn
- Date: 2015-08-10 16:19:28 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810161928-bnukog7l47j3pjix
Depend on Avahi and the network in the server's systemd service file.
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
77
79
import itertools
78
80
import collections
79
81
import codecs
80
import unittest
81
import random
82
import shlex
83
82
84
83
import dbus
85
84
import dbus.service
86
import gi
87
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
88
90
from dbus.mainloop.glib import DBusGMainLoop
89
91
import ctypes
90
92
import ctypes.util
91
93
import xml.dom.minidom
92
94
import inspect
93
95
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
96
try:
122
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
123
98
except AttributeError:
124
99
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
127
100
from IN import SO_BINDTODEVICE
128
101
except ImportError:
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.9"
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
147
108
stored_state_file = "clients.pickle"
148
109
149
110
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
111
syslogger = None
152
112
153
113
try:
154
114
if_nametoindex = ctypes.cdll.LoadLibrary(
155
115
ctypes.util.find_library("c")).if_nametoindex
156
116
except (OSError, AttributeError):
157
117
158
118
def if_nametoindex(interface):
159
119
"Get an interface index the hard way, i.e. using fcntl()"
160
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
165
125
return interface_index
166
126
167
127
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
184
128
def initlogger(debug, level=logging.WARNING):
185
129
"""init logger and add loglevel"""
186
130
187
131
global syslogger
188
132
syslogger = (logging.handlers.SysLogHandler(
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
191
135
syslogger.setFormatter(logging.Formatter
192
136
('Mandos [%(process)d]: %(levelname)s:'
193
137
' %(message)s'))
194
138
logger.addHandler(syslogger)
195
139
196
140
if debug:
197
141
console = logging.StreamHandler()
198
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
208
152
pass
209
153
210
154
211
class PGPEngine:
155
class PGPEngine(object):
212
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
157
214
158
def __init__(self):
215
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
227
160
self.gnupgargs = ['--batch',
228
'--homedir', self.tempdir,
161
'--home', self.tempdir,
229
162
'--force-mdc',
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
163
'--quiet',
164
'--no-use-agent']
165
235
166
def __enter__(self):
236
167
return self
237
168
238
169
def __exit__(self, exc_type, exc_value, traceback):
239
170
self._cleanup()
240
171
return False
241
172
242
173
def __del__(self):
243
174
self._cleanup()
244
175
245
176
def _cleanup(self):
246
177
if self.tempdir is not None:
247
178
# Delete contents of tempdir
248
179
for root, dirs, files in os.walk(self.tempdir,
249
topdown=False):
180
topdown = False):
250
181
for filename in files:
251
182
os.remove(os.path.join(root, filename))
252
183
for dirname in dirs:
254
185
# Remove tempdir
255
186
os.rmdir(self.tempdir)
256
187
self.tempdir = None
257
188
258
189
def password_encode(self, password):
259
190
# Passphrase can not be empty and can not contain newlines or
260
191
# NUL bytes. So we prefix it and hex encode it.
265
196
.replace(b"\n", b"\\n")
266
197
.replace(b"\0", b"\\x00"))
267
198
return encoded
268
199
269
200
def encrypt(self, data, password):
270
201
passphrase = self.password_encode(password)
271
202
with tempfile.NamedTemporaryFile(
272
203
dir=self.tempdir) as passfile:
273
204
passfile.write(passphrase)
274
205
passfile.flush()
275
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
276
207
'--passphrase-file',
277
208
passfile.name]
278
209
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
283
214
if proc.returncode != 0:
284
215
raise PGPError(err)
285
216
return ciphertext
286
217
287
218
def decrypt(self, data, password):
288
219
passphrase = self.password_encode(password)
289
220
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
291
222
passfile.write(passphrase)
292
223
passfile.flush()
293
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
294
225
'--passphrase-file',
295
226
passfile.name]
296
227
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
301
232
if proc.returncode != 0:
302
233
raise PGPError(err)
303
234
return decrypted_plaintext
304
235
305
236
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
332
237
class AvahiError(Exception):
333
238
def __init__(self, value, *args, **kwargs):
334
239
self.value = value
344
249
pass
345
250
346
251
347
class AvahiService:
252
class AvahiService(object):
348
253
"""An Avahi (Zeroconf) service.
349
254
350
255
Attributes:
351
256
interface: integer; avahi.IF_UNSPEC or an interface index.
352
257
Used to optionally bind to the specified interface.
364
269
server: D-Bus Server
365
270
bus: dbus.SystemBus()
366
271
"""
367
272
368
273
def __init__(self,
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
379
284
self.interface = interface
380
285
self.name = name
381
286
self.type = servicetype
390
295
self.server = None
391
296
self.bus = bus
392
297
self.entry_group_state_changed_match = None
393
298
394
299
def rename(self, remove=True):
395
300
"""Derived from the Avahi example code"""
396
301
if self.rename_count >= self.max_renames:
416
321
logger.critical("D-Bus Exception", exc_info=error)
417
322
self.cleanup()
418
323
os._exit(1)
419
324
420
325
def remove(self):
421
326
"""Derived from the Avahi example code"""
422
327
if self.entry_group_state_changed_match is not None:
424
329
self.entry_group_state_changed_match = None
425
330
if self.group is not None:
426
331
self.group.Reset()
427
332
428
333
def add(self):
429
334
"""Derived from the Avahi example code"""
430
335
self.remove()
447
352
dbus.UInt16(self.port),
448
353
avahi.string_array_to_txt_array(self.TXT))
449
354
self.group.Commit()
450
355
451
356
def entry_group_state_changed(self, state, error):
452
357
"""Derived from the Avahi example code"""
453
358
logger.debug("Avahi entry group state change: %i", state)
454
359
455
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
361
logger.debug("Zeroconf service established.")
457
362
elif state == avahi.ENTRY_GROUP_COLLISION:
461
366
logger.critical("Avahi: Error in group state changed %s",
462
367
str(error))
463
368
raise AvahiGroupError("State changed: {!s}".format(error))
464
369
465
370
def cleanup(self):
466
371
"""Derived from the Avahi example code"""
467
372
if self.group is not None:
472
377
pass
473
378
self.group = None
474
379
self.remove()
475
380
476
381
def server_state_changed(self, state, error=None):
477
382
"""Derived from the Avahi example code"""
478
383
logger.debug("Avahi server state change: %i", state)
507
412
logger.debug("Unknown state: %r", state)
508
413
else:
509
414
logger.debug("Unknown state: %r: %r", state, error)
510
415
511
416
def activate(self):
512
417
"""Derived from the Avahi example code"""
513
418
if self.server is None:
524
429
class AvahiServiceToSyslog(AvahiService):
525
430
def rename(self, *args, **kwargs):
526
431
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
528
433
syslogger.setFormatter(logging.Formatter(
529
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
435
.format(self.name)))
531
436
return ret
532
437
533
534
# Pretend that we have a GnuTLS module
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
537
538
library = ctypes.util.find_library("gnutls")
539
if library is None:
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
542
del library
543
544
# Unless otherwise indicated, the constants and types below are
545
# all from the gnutls/gnutls.h C header file.
546
547
# Constants
548
E_SUCCESS = 0
549
E_INTERRUPTED = -52
550
E_AGAIN = -28
551
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
553
CLIENT = 2
554
SHUT_RDWR = 0
555
CRD_CERTIFICATE = 1
556
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
563
564
# Types
565
class session_int(ctypes.Structure):
566
_fields_ = []
567
session_t = ctypes.POINTER(session_int)
568
569
class certificate_credentials_st(ctypes.Structure):
570
_fields_ = []
571
certificate_credentials_t = ctypes.POINTER(
572
certificate_credentials_st)
573
certificate_type_t = ctypes.c_int
574
575
class datum_t(ctypes.Structure):
576
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
577
('size', ctypes.c_uint)]
578
579
class openpgp_crt_int(ctypes.Structure):
580
_fields_ = []
581
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
credentials_type_t = ctypes.c_int
585
transport_ptr_t = ctypes.c_void_p
586
close_request_t = ctypes.c_int
587
588
# Exceptions
589
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
591
# Default usage is by a message string, but if a return
592
# code is passed, convert it to a string with
593
# gnutls.strerror()
594
self.code = code
595
if message is None and code is not None:
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
598
message, *args)
599
600
class CertificateSecurityError(Error):
601
pass
602
603
# Classes
604
class Credentials:
605
def __init__(self):
606
self._c_object = gnutls.certificate_credentials_t()
607
gnutls.certificate_allocate_credentials(
608
ctypes.byref(self._c_object))
609
self.type = gnutls.CRD_CERTIFICATE
610
611
def __del__(self):
612
gnutls.certificate_free_credentials(self._c_object)
613
614
class ClientSession:
615
def __init__(self, socket, credentials=None):
616
self._c_object = gnutls.session_t()
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
620
if gnutls.has_rawpk:
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
623
del gnutls_flags
624
gnutls.set_default_priority(self._c_object)
625
gnutls.transport_set_ptr(self._c_object, socket.fileno())
626
gnutls.handshake_set_private_extensions(self._c_object,
627
True)
628
self.socket = socket
629
if credentials is None:
630
credentials = gnutls.Credentials()
631
gnutls.credentials_set(self._c_object, credentials.type,
632
ctypes.cast(credentials._c_object,
633
ctypes.c_void_p))
634
self.credentials = credentials
635
636
def __del__(self):
637
gnutls.deinit(self._c_object)
638
639
def handshake(self):
640
return gnutls.handshake(self._c_object)
641
642
def send(self, data):
643
data = bytes(data)
644
data_len = len(data)
645
while data_len > 0:
646
data_len -= gnutls.record_send(self._c_object,
647
data[-data_len:],
648
data_len)
649
650
def bye(self):
651
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
652
653
# Error handling functions
654
def _error_code(result):
655
"""A function to raise exceptions on errors, suitable
656
for the 'restype' attribute on ctypes functions"""
657
if result >= 0:
658
return result
659
if result == gnutls.E_NO_CERTIFICATE_FOUND:
660
raise gnutls.CertificateSecurityError(code=result)
661
raise gnutls.Error(code=result)
662
663
def _retry_on_error(result, func, arguments):
664
"""A function to retry on some errors, suitable
665
for the 'errcheck' attribute on ctypes functions"""
666
while result < 0:
667
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
668
return _error_code(result)
669
result = func(*arguments)
670
return result
671
672
# Unless otherwise indicated, the function declarations below are
673
# all from the gnutls/gnutls.h C header file.
674
675
# Functions
676
priority_set_direct = _library.gnutls_priority_set_direct
677
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
678
ctypes.POINTER(ctypes.c_char_p)]
679
priority_set_direct.restype = _error_code
680
681
init = _library.gnutls_init
682
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
683
init.restype = _error_code
684
685
set_default_priority = _library.gnutls_set_default_priority
686
set_default_priority.argtypes = [session_t]
687
set_default_priority.restype = _error_code
688
689
record_send = _library.gnutls_record_send
690
record_send.argtypes = [session_t, ctypes.c_void_p,
691
ctypes.c_size_t]
692
record_send.restype = ctypes.c_ssize_t
693
record_send.errcheck = _retry_on_error
694
695
certificate_allocate_credentials = (
696
_library.gnutls_certificate_allocate_credentials)
697
certificate_allocate_credentials.argtypes = [
698
ctypes.POINTER(certificate_credentials_t)]
699
certificate_allocate_credentials.restype = _error_code
700
701
certificate_free_credentials = (
702
_library.gnutls_certificate_free_credentials)
703
certificate_free_credentials.argtypes = [
704
certificate_credentials_t]
705
certificate_free_credentials.restype = None
706
707
handshake_set_private_extensions = (
708
_library.gnutls_handshake_set_private_extensions)
709
handshake_set_private_extensions.argtypes = [session_t,
710
ctypes.c_int]
711
handshake_set_private_extensions.restype = None
712
713
credentials_set = _library.gnutls_credentials_set
714
credentials_set.argtypes = [session_t, credentials_type_t,
715
ctypes.c_void_p]
716
credentials_set.restype = _error_code
717
718
strerror = _library.gnutls_strerror
719
strerror.argtypes = [ctypes.c_int]
720
strerror.restype = ctypes.c_char_p
721
722
certificate_type_get = _library.gnutls_certificate_type_get
723
certificate_type_get.argtypes = [session_t]
724
certificate_type_get.restype = _error_code
725
726
certificate_get_peers = _library.gnutls_certificate_get_peers
727
certificate_get_peers.argtypes = [session_t,
728
ctypes.POINTER(ctypes.c_uint)]
729
certificate_get_peers.restype = ctypes.POINTER(datum_t)
730
731
global_set_log_level = _library.gnutls_global_set_log_level
732
global_set_log_level.argtypes = [ctypes.c_int]
733
global_set_log_level.restype = None
734
735
global_set_log_function = _library.gnutls_global_set_log_function
736
global_set_log_function.argtypes = [log_func]
737
global_set_log_function.restype = None
738
739
deinit = _library.gnutls_deinit
740
deinit.argtypes = [session_t]
741
deinit.restype = None
742
743
handshake = _library.gnutls_handshake
744
handshake.argtypes = [session_t]
745
handshake.restype = _error_code
746
handshake.errcheck = _retry_on_error
747
748
transport_set_ptr = _library.gnutls_transport_set_ptr
749
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
750
transport_set_ptr.restype = None
751
752
bye = _library.gnutls_bye
753
bye.argtypes = [session_t, close_request_t]
754
bye.restype = _error_code
755
bye.errcheck = _retry_on_error
756
757
check_version = _library.gnutls_check_version
758
check_version.argtypes = [ctypes.c_char_p]
759
check_version.restype = ctypes.c_char_p
760
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
765
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
768
769
if has_rawpk:
770
# Types
771
class pubkey_st(ctypes.Structure):
772
_fields = []
773
pubkey_t = ctypes.POINTER(pubkey_st)
774
775
x509_crt_fmt_t = ctypes.c_int
776
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
781
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
784
x509_crt_fmt_t]
785
pubkey_import.restype = _error_code
786
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
792
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
796
else:
797
# All the function declarations below are from gnutls/openpgp.h
798
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
802
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
806
openpgp_crt_fmt_t]
807
openpgp_crt_import.restype = _error_code
808
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
813
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
817
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
821
ctypes.c_void_p,
822
ctypes.POINTER(
823
ctypes.c_size_t)]
824
openpgp_crt_get_fingerprint.restype = _error_code
825
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
830
831
# Remove non-public functions
832
del _error_code, _retry_on_error
833
834
835
438
def call_pipe(connection, # : multiprocessing.Connection
836
439
func, *args, **kwargs):
837
440
"""This function is meant to be called by multiprocessing.Process
838
441
839
442
This function runs func(*args, **kwargs), and writes the resulting
840
443
return value on the provided multiprocessing.Connection.
841
444
"""
842
445
connection.send(func(*args, **kwargs))
843
446
connection.close()
844
447
845
846
class Client:
448
class Client(object):
847
449
"""A representation of a client host served by this server.
848
450
849
451
Attributes:
850
452
approved: bool(); 'None' if not yet approved/disapproved
851
453
approval_delay: datetime.timedelta(); Time to wait for approval
852
454
approval_duration: datetime.timedelta(); Duration of one approval
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
855
running.
856
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
857
459
checker_command: string; External command which is run to check
858
460
if client lives. %() expansions are done at
859
461
runtime with vars(self) as dict, so that for
860
462
instance %(name)s can be used in the command.
861
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
862
464
created: datetime.datetime(); (UTC) object creation
863
465
client_structure: Object describing what attributes a client has
864
466
and is used for storing the client at exit
865
467
current_checker_command: string; current running checker_command
866
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
867
469
enabled: bool()
868
470
fingerprint: string (40 or 32 hexadecimal digits); used to
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
471
uniquely identify the client
872
472
host: string; available for use by the checker command
873
473
interval: datetime.timedelta(); How often to start a new checker
874
474
last_approval_request: datetime.datetime(); (UTC) or None
890
490
disabled, or None
891
491
server_settings: The server_settings dict from main()
892
492
"""
893
493
894
494
runtime_expansions = ("approval_delay", "approval_duration",
895
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
896
496
"fingerprint", "host", "interval",
897
497
"last_approval_request", "last_checked_ok",
898
498
"last_enabled", "name", "timeout")
907
507
"approved_by_default": "True",
908
508
"enabled": "True",
909
509
}
910
510
911
511
@staticmethod
912
512
def config_parser(config):
913
513
"""Construct a new dict of client settings of this form:
920
520
for client_name in config.sections():
921
521
section = dict(config.items(client_name))
922
522
client = settings[client_name] = {}
923
523
924
524
client["host"] = section["host"]
925
525
# Reformat values from string types to Python types
926
526
client["approved_by_default"] = config.getboolean(
927
527
client_name, "approved_by_default")
928
528
client["enabled"] = config.getboolean(client_name,
929
529
"enabled")
930
931
# Uppercase and remove spaces from key_id and fingerprint
932
# for later comparison purposes with return value from the
933
# key_id() and fingerprint() functions
934
client["key_id"] = (section.get("key_id", "").upper()
935
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
936
534
client["fingerprint"] = (section["fingerprint"].upper()
937
535
.replace(" ", ""))
938
536
if "secret" in section:
939
client["secret"] = codecs.decode(section["secret"]
940
.encode("utf-8"),
941
"base64")
537
client["secret"] = section["secret"].decode("base64")
942
538
elif "secfile" in section:
943
539
with open(os.path.expanduser(os.path.expandvars
944
540
(section["secfile"])),
959
555
client["last_approval_request"] = None
960
556
client["last_checked_ok"] = None
961
557
client["last_checker_status"] = -2
962
558
963
559
return settings
964
965
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
966
562
self.name = name
967
563
if server_settings is None:
968
564
server_settings = {}
970
566
# adding all client settings
971
567
for setting, value in settings.items():
972
568
setattr(self, setting, value)
973
569
974
570
if self.enabled:
975
571
if not hasattr(self, "last_enabled"):
976
572
self.last_enabled = datetime.datetime.utcnow()
980
576
else:
981
577
self.last_enabled = None
982
578
self.expires = None
983
579
984
580
logger.debug("Creating client %r", self.name)
985
logger.debug(" Key ID: %s", self.key_id)
986
581
logger.debug(" Fingerprint: %s", self.fingerprint)
987
582
self.created = settings.get("created",
988
583
datetime.datetime.utcnow())
989
584
990
585
# attributes specific for this server instance
991
586
self.checker = None
992
587
self.checker_initiator_tag = None
998
593
self.changedstate = multiprocessing_manager.Condition(
999
594
multiprocessing_manager.Lock())
1000
595
self.client_structure = [attr
1001
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
1002
597
if not attr.startswith("_")]
1003
598
self.client_structure.append("client_structure")
1004
599
1005
600
for name, t in inspect.getmembers(
1006
601
type(self), lambda obj: isinstance(obj, property)):
1007
602
if not name.startswith("_"):
1008
603
self.client_structure.append(name)
1009
604
1010
605
# Send notice to process children that client state has changed
1011
606
def send_changedstate(self):
1012
607
with self.changedstate:
1013
608
self.changedstate.notify_all()
1014
609
1015
610
def enable(self):
1016
611
"""Start this client's checker and timeout hooks"""
1017
612
if getattr(self, "enabled", False):
1022
617
self.last_enabled = datetime.datetime.utcnow()
1023
618
self.init_checker()
1024
619
self.send_changedstate()
1025
620
1026
621
def disable(self, quiet=True):
1027
622
"""Disable this client."""
1028
623
if not getattr(self, "enabled", False):
1030
625
if not quiet:
1031
626
logger.info("Disabling client %s", self.name)
1032
627
if getattr(self, "disable_initiator_tag", None) is not None:
1033
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1034
629
self.disable_initiator_tag = None
1035
630
self.expires = None
1036
631
if getattr(self, "checker_initiator_tag", None) is not None:
1037
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1038
633
self.checker_initiator_tag = None
1039
634
self.stop_checker()
1040
635
self.enabled = False
1041
636
if not quiet:
1042
637
self.send_changedstate()
1043
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1044
639
return False
1045
640
1046
641
def __del__(self):
1047
642
self.disable()
1048
643
1049
644
def init_checker(self):
1050
645
# Schedule a new checker to be started an 'interval' from now,
1051
646
# and every interval from then on.
1052
647
if self.checker_initiator_tag is not None:
1053
GLib.source_remove(self.checker_initiator_tag)
1054
self.checker_initiator_tag = GLib.timeout_add(
1055
random.randrange(int(self.interval.total_seconds() * 1000
1056
+ 1)),
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1057
651
self.start_checker)
1058
652
# Schedule a disable() when 'timeout' has passed
1059
653
if self.disable_initiator_tag is not None:
1060
GLib.source_remove(self.disable_initiator_tag)
1061
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1062
656
int(self.timeout.total_seconds() * 1000), self.disable)
1063
657
# Also start a new checker *right now*.
1064
658
self.start_checker()
1065
659
1066
660
def checker_callback(self, source, condition, connection,
1067
661
command):
1068
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1069
665
# Read return code from connection (see call_pipe)
1070
666
returncode = connection.recv()
1071
667
connection.close()
1072
if self.checker is not None:
1073
self.checker.join()
1074
self.checker_callback_tag = None
1075
self.checker = None
1076
668
1077
669
if returncode >= 0:
1078
670
self.last_checker_status = returncode
1079
671
self.last_checker_signal = None
1089
681
logger.warning("Checker for %(name)s crashed?",
1090
682
vars(self))
1091
683
return False
1092
684
1093
685
def checked_ok(self):
1094
686
"""Assert that the client has been seen, alive and well."""
1095
687
self.last_checked_ok = datetime.datetime.utcnow()
1096
688
self.last_checker_status = 0
1097
689
self.last_checker_signal = None
1098
690
self.bump_timeout()
1099
691
1100
692
def bump_timeout(self, timeout=None):
1101
693
"""Bump up the timeout for this client."""
1102
694
if timeout is None:
1103
695
timeout = self.timeout
1104
696
if self.disable_initiator_tag is not None:
1105
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1106
698
self.disable_initiator_tag = None
1107
699
if getattr(self, "enabled", False):
1108
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1109
701
int(timeout.total_seconds() * 1000), self.disable)
1110
702
self.expires = datetime.datetime.utcnow() + timeout
1111
703
1112
704
def need_approval(self):
1113
705
self.last_approval_request = datetime.datetime.utcnow()
1114
706
1115
707
def start_checker(self):
1116
708
"""Start a new checker subprocess if one is not running.
1117
709
1118
710
If a checker already exists, leave it running and do
1119
711
nothing."""
1120
712
# The reason for not killing a running checker is that if we
1125
717
# checkers alone, the checker would have to take more time
1126
718
# than 'timeout' for the client to be disabled, which is as it
1127
719
# should be.
1128
720
1129
721
if self.checker is not None and not self.checker.is_alive():
1130
722
logger.warning("Checker was not alive; joining")
1131
723
self.checker.join()
1134
726
if self.checker is None:
1135
727
# Escape attributes for the shell
1136
728
escaped_attrs = {
1137
attr: shlex.quote(str(getattr(self, attr)))
1138
for attr in self.runtime_expansions}
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1139
731
try:
1140
732
command = self.checker_command % escaped_attrs
1141
733
except TypeError as error:
1153
745
# The exception is when not debugging but nevertheless
1154
746
# running in the foreground; use the previously
1155
747
# created wnull.
1156
popen_args = {"close_fds": True,
1157
"shell": True,
1158
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1159
751
if (not self.server_settings["debug"]
1160
752
and self.server_settings["foreground"]):
1161
753
popen_args.update({"stdout": wnull,
1162
"stderr": wnull})
1163
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1164
756
self.checker = multiprocessing.Process(
1165
target=call_pipe,
1166
args=(pipe[1], subprocess.call, command),
1167
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1168
760
self.checker.start()
1169
self.checker_callback_tag = GLib.io_add_watch(
1170
GLib.IOChannel.unix_new(pipe[0].fileno()),
1171
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1172
763
self.checker_callback, pipe[0], command)
1173
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1174
765
return True
1175
766
1176
767
def stop_checker(self):
1177
768
"""Force the checker process, if any, to stop."""
1178
769
if self.checker_callback_tag:
1179
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1180
771
self.checker_callback_tag = None
1181
772
if getattr(self, "checker", None) is None:
1182
773
return
1191
782
byte_arrays=False):
1192
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1193
784
become properties on the D-Bus.
1194
785
1195
786
The decorated method will be called with no arguments by "Get"
1196
787
and with one argument by "Set".
1197
788
1198
789
The parameters, where they are supported, are the same as
1199
790
dbus.service.method, except there is only "signature", since the
1200
791
type from Get() and the type sent to Set() is the same.
1204
795
if byte_arrays and signature != "ay":
1205
796
raise ValueError("Byte arrays not supported for non-'ay'"
1206
797
" signature {!r}".format(signature))
1207
798
1208
799
def decorator(func):
1209
800
func._dbus_is_property = True
1210
801
func._dbus_interface = dbus_interface
1213
804
func._dbus_name = func.__name__
1214
805
if func._dbus_name.endswith("_dbus_property"):
1215
806
func._dbus_name = func._dbus_name[:-14]
1216
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1217
808
return func
1218
809
1219
810
return decorator
1220
811
1221
812
1222
813
def dbus_interface_annotations(dbus_interface):
1223
814
"""Decorator for marking functions returning interface annotations
1224
815
1225
816
Usage:
1226
817
1227
818
@dbus_interface_annotations("org.example.Interface")
1228
819
def _foo(self): # Function name does not matter
1229
820
return {"org.freedesktop.DBus.Deprecated": "true",
1230
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1231
822
"false"}
1232
823
"""
1233
824
1234
825
def decorator(func):
1235
826
func._dbus_is_interface = True
1236
827
func._dbus_interface = dbus_interface
1237
828
func._dbus_name = dbus_interface
1238
829
return func
1239
830
1240
831
return decorator
1241
832
1242
833
1243
834
def dbus_annotations(annotations):
1244
835
"""Decorator to annotate D-Bus methods, signals or properties
1245
836
Usage:
1246
837
1247
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1248
839
"org.freedesktop.DBus.Property."
1249
840
"EmitsChangedSignal": "false"})
1251
842
access="r")
1252
843
def Property_dbus_property(self):
1253
844
return dbus.Boolean(False)
1254
845
1255
846
See also the DBusObjectWithAnnotations class.
1256
847
"""
1257
848
1258
849
def decorator(func):
1259
850
func._dbus_annotations = annotations
1260
851
return func
1261
852
1262
853
return decorator
1263
854
1264
855
1282
873
1283
874
class DBusObjectWithAnnotations(dbus.service.Object):
1284
875
"""A D-Bus object with annotations.
1285
876
1286
877
Classes inheriting from this can use the dbus_annotations
1287
878
decorator to add annotations to methods or signals.
1288
879
"""
1289
880
1290
881
@staticmethod
1291
882
def _is_dbus_thing(thing):
1292
883
"""Returns a function testing if an attribute is a D-Bus thing
1293
884
1294
885
If called like _is_dbus_thing("method") it returns a function
1295
886
suitable for use as predicate to inspect.getmembers().
1296
887
"""
1297
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1298
889
False)
1299
890
1300
891
def _get_all_dbus_things(self, thing):
1301
892
"""Returns a generator of (name, attribute) pairs
1302
893
"""
1305
896
for cls in self.__class__.__mro__
1306
897
for name, athing in
1307
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1308
899
1309
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1310
out_signature="s",
1311
path_keyword='object_path',
1312
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1313
904
def Introspect(self, object_path, connection):
1314
905
"""Overloading of standard D-Bus method.
1315
906
1316
907
Inserts annotation tags on methods and signals.
1317
908
"""
1318
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1319
910
connection)
1320
911
try:
1321
912
document = xml.dom.minidom.parseString(xmlstring)
1322
913
1323
914
for if_tag in document.getElementsByTagName("interface"):
1324
915
# Add annotation tags
1325
916
for typ in ("method", "signal"):
1352
943
if_tag.appendChild(ann_tag)
1353
944
# Fix argument name for the Introspect method itself
1354
945
if (if_tag.getAttribute("name")
1355
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1356
947
for cn in if_tag.getElementsByTagName("method"):
1357
948
if cn.getAttribute("name") == "Introspect":
1358
949
for arg in cn.getElementsByTagName("arg"):
1371
962
1372
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1373
964
"""A D-Bus object with properties.
1374
965
1375
966
Classes inheriting from this can use the dbus_service_property
1376
967
decorator to expose methods as D-Bus properties. It exposes the
1377
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1378
969
"""
1379
970
1380
971
def _get_dbus_property(self, interface_name, property_name):
1381
972
"""Returns a bound method if one exists which is a D-Bus
1382
973
property with the specified name and interface.
1387
978
if (value._dbus_name == property_name
1388
979
and value._dbus_interface == interface_name):
1389
980
return value.__get__(self)
1390
981
1391
982
# No such property
1392
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1393
984
self.dbus_object_path, interface_name, property_name))
1394
985
1395
986
@classmethod
1396
987
def _get_all_interface_names(cls):
1397
988
"""Get a sequence of all interfaces supported by an object"""
1400
991
for x in (inspect.getmro(cls))
1401
992
for attr in dir(x))
1402
993
if name is not None)
1403
994
1404
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1405
996
in_signature="ss",
1406
997
out_signature="v")
1414
1005
if not hasattr(value, "variant_level"):
1415
1006
return value
1416
1007
return type(value)(value, variant_level=value.variant_level+1)
1417
1008
1418
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1419
1010
def Set(self, interface_name, property_name, value):
1420
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1429
1020
raise ValueError("Byte arrays not supported for non-"
1430
1021
"'ay' signature {!r}"
1431
1022
.format(prop._dbus_signature))
1432
value = dbus.ByteArray(bytes(value))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1433
1025
prop(value)
1434
1026
1435
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1436
1028
in_signature="s",
1437
1029
out_signature="a{sv}")
1438
1030
def GetAll(self, interface_name):
1439
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1440
1032
standard.
1441
1033
1442
1034
Note: Will not include properties with access="write".
1443
1035
"""
1444
1036
properties = {}
1455
1047
properties[name] = value
1456
1048
continue
1457
1049
properties[name] = type(value)(
1458
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1459
1051
return dbus.Dictionary(properties, signature="sv")
1460
1052
1461
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1462
1054
def PropertiesChanged(self, interface_name, changed_properties,
1463
1055
invalidated_properties):
1465
1057
standard.
1466
1058
"""
1467
1059
pass
1468
1060
1469
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1470
1062
out_signature="s",
1471
1063
path_keyword='object_path',
1472
1064
connection_keyword='connection')
1473
1065
def Introspect(self, object_path, connection):
1474
1066
"""Overloading of standard D-Bus method.
1475
1067
1476
1068
Inserts property tags and interface annotation tags.
1477
1069
"""
1478
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1480
1072
connection)
1481
1073
try:
1482
1074
document = xml.dom.minidom.parseString(xmlstring)
1483
1075
1484
1076
def make_tag(document, name, prop):
1485
1077
e = document.createElement("property")
1486
1078
e.setAttribute("name", name)
1487
1079
e.setAttribute("type", prop._dbus_signature)
1488
1080
e.setAttribute("access", prop._dbus_access)
1489
1081
return e
1490
1082
1491
1083
for if_tag in document.getElementsByTagName("interface"):
1492
1084
# Add property tags
1493
1085
for tag in (make_tag(document, name, prop)
1535
1127
exc_info=error)
1536
1128
return xmlstring
1537
1129
1538
1539
1130
try:
1540
1131
dbus.OBJECT_MANAGER_IFACE
1541
1132
except AttributeError:
1542
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1543
1134
1544
1545
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1546
1136
"""A D-Bus object with an ObjectManager.
1547
1137
1548
1138
Classes inheriting from this exposes the standard
1549
1139
GetManagedObjects call and the InterfacesAdded and
1550
1140
InterfacesRemoved signals on the standard
1551
1141
"org.freedesktop.DBus.ObjectManager" interface.
1552
1142
1553
1143
Note: No signals are sent automatically; they must be sent
1554
1144
manually.
1555
1145
"""
1556
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1557
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1558
1148
def GetManagedObjects(self):
1559
1149
"""This function must be overridden"""
1560
1150
raise NotImplementedError()
1561
1151
1562
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1563
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1564
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1565
1155
pass
1566
1567
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1568
1158
def InterfacesRemoved(self, object_path, interfaces):
1569
1159
pass
1570
1160
1571
1161
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1572
out_signature="s",
1573
path_keyword='object_path',
1574
connection_keyword='connection')
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1575
1165
def Introspect(self, object_path, connection):
1576
1166
"""Overloading of standard D-Bus method.
1577
1167
1578
1168
Override return argument name of GetManagedObjects to be
1579
1169
"objpath_interfaces_and_properties"
1580
1170
"""
1583
1173
connection)
1584
1174
try:
1585
1175
document = xml.dom.minidom.parseString(xmlstring)
1586
1176
1587
1177
for if_tag in document.getElementsByTagName("interface"):
1588
1178
# Fix argument name for the GetManagedObjects method
1589
1179
if (if_tag.getAttribute("name")
1590
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1591
1181
for cn in if_tag.getElementsByTagName("method"):
1592
1182
if (cn.getAttribute("name")
1593
1183
== "GetManagedObjects"):
1603
1193
except (AttributeError, xml.dom.DOMException,
1604
1194
xml.parsers.expat.ExpatError) as error:
1605
1195
logger.error("Failed to override Introspection method",
1606
exc_info=error)
1196
exc_info = error)
1607
1197
return xmlstring
1608
1198
1609
1610
1199
def datetime_to_dbus(dt, variant_level=0):
1611
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1612
1201
if dt is None:
1613
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1614
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1615
1204
1616
1205
1619
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1620
1209
interface names according to the "alt_interface_names" mapping.
1621
1210
Usage:
1622
1211
1623
1212
@alternate_dbus_interfaces({"org.example.Interface":
1624
1213
"net.example.AlternateInterface"})
1625
1214
class SampleDBusObject(dbus.service.Object):
1626
1215
@dbus.service.method("org.example.Interface")
1627
1216
def SampleDBusMethod():
1628
1217
pass
1629
1218
1630
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1631
1220
reachable via two interfaces: "org.example.Interface" and
1632
1221
"net.example.AlternateInterface", the latter of which will have
1633
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1634
1223
"true", unless "deprecate" is passed with a False value.
1635
1224
1636
1225
This works for methods and signals, and also for D-Bus properties
1637
1226
(from DBusObjectWithProperties) and interfaces (from the
1638
1227
dbus_interface_annotations decorator).
1639
1228
"""
1640
1229
1641
1230
def wrapper(cls):
1642
1231
for orig_interface_name, alt_interface_name in (
1643
1232
alt_interface_names.items()):
1658
1247
interface_names.add(alt_interface)
1659
1248
# Is this a D-Bus signal?
1660
1249
if getattr(attribute, "_dbus_is_signal", False):
1661
# Extract the original non-method undecorated
1662
# function by black magic
1663
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1664
1253
nonmethod_func = (dict(
1665
1254
zip(attribute.func_code.co_freevars,
1666
1255
attribute.__closure__))
1667
1256
["func"].cell_contents)
1668
1257
else:
1669
nonmethod_func = (dict(
1670
zip(attribute.__code__.co_freevars,
1671
attribute.__closure__))
1672
["func"].cell_contents)
1258
nonmethod_func = attribute
1673
1259
# Create a new, but exactly alike, function
1674
1260
# object, and decorate it to be a new D-Bus signal
1675
1261
# with the alternate D-Bus interface name
1676
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1677
1276
new_function = (dbus.service.signal(
1678
1277
alt_interface,
1679
1278
attribute._dbus_signature)(new_function))
1683
1282
attribute._dbus_annotations)
1684
1283
except AttributeError:
1685
1284
pass
1686
1687
1285
# Define a creator of a function to call both the
1688
1286
# original and alternate functions, so both the
1689
1287
# original and alternate signals gets sent when
1692
1290
"""This function is a scope container to pass
1693
1291
func1 and func2 to the "call_both" function
1694
1292
outside of its arguments"""
1695
1293
1696
1294
@functools.wraps(func2)
1697
1295
def call_both(*args, **kwargs):
1698
1296
"""This function will emit two D-Bus
1699
1297
signals by calling func1 and func2"""
1700
1298
func1(*args, **kwargs)
1701
1299
func2(*args, **kwargs)
1702
# Make wrapper function look like a D-Bus
1703
# signal
1300
# Make wrapper function look like a D-Bus signal
1704
1301
for name, attr in inspect.getmembers(func2):
1705
1302
if name.startswith("_dbus_"):
1706
1303
setattr(call_both, name, attr)
1707
1304
1708
1305
return call_both
1709
1306
# Create the "call_both" function and add it to
1710
1307
# the class
1720
1317
alt_interface,
1721
1318
attribute._dbus_in_signature,
1722
1319
attribute._dbus_out_signature)
1723
(copy_function(attribute)))
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1724
1325
# Copy annotations, if any
1725
1326
try:
1726
1327
attr[attrname]._dbus_annotations = dict(
1738
1339
attribute._dbus_access,
1739
1340
attribute._dbus_get_args_options
1740
1341
["byte_arrays"])
1741
(copy_function(attribute)))
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1742
1348
# Copy annotations, if any
1743
1349
try:
1744
1350
attr[attrname]._dbus_annotations = dict(
1753
1359
# to the class.
1754
1360
attr[attrname] = (
1755
1361
dbus_interface_annotations(alt_interface)
1756
(copy_function(attribute)))
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1757
1367
if deprecate:
1758
1368
# Deprecate all alternate interfaces
1759
iname = "_AlternateDBusNames_interface_annotation{}"
1369
iname="_AlternateDBusNames_interface_annotation{}"
1760
1370
for interface_name in interface_names:
1761
1371
1762
1372
@dbus_interface_annotations(interface_name)
1763
1373
def func(self):
1764
return {"org.freedesktop.DBus.Deprecated":
1765
"true"}
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1766
1376
# Find an unused name
1767
1377
for aname in (iname.format(i)
1768
1378
for i in itertools.count()):
1772
1382
if interface_names:
1773
1383
# Replace the class with a new subclass of it with
1774
1384
# methods, signals, etc. as created above.
1775
if sys.version_info.major == 2:
1776
cls = type(b"{}Alternate".format(cls.__name__),
1777
(cls, ), attr)
1778
else:
1779
cls = type("{}Alternate".format(cls.__name__),
1780
(cls, ), attr)
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1781
1387
return cls
1782
1388
1783
1389
return wrapper
1784
1390
1785
1391
1787
1393
"se.bsnet.fukt.Mandos"})
1788
1394
class ClientDBus(Client, DBusObjectWithProperties):
1789
1395
"""A Client class using D-Bus
1790
1396
1791
1397
Attributes:
1792
1398
dbus_object_path: dbus.ObjectPath
1793
1399
bus: dbus.SystemBus()
1794
1400
"""
1795
1401
1796
1402
runtime_expansions = (Client.runtime_expansions
1797
1403
+ ("dbus_object_path", ))
1798
1404
1799
1405
_interface = "se.recompile.Mandos.Client"
1800
1406
1801
1407
# dbus.service.Object doesn't use super(), so we can't either.
1802
1803
def __init__(self, bus=None, *args, **kwargs):
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1804
1410
self.bus = bus
1805
1411
Client.__init__(self, *args, **kwargs)
1806
1412
# Only now, when this client is initialized, can it show up on
1812
1418
"/clients/" + client_object_name)
1813
1419
DBusObjectWithProperties.__init__(self, self.bus,
1814
1420
self.dbus_object_path)
1815
1421
1816
1422
def notifychangeproperty(transform_func, dbus_name,
1817
1423
type_func=lambda x: x,
1818
1424
variant_level=1,
1820
1426
_interface=_interface):
1821
1427
""" Modify a variable so that it's a property which announces
1822
1428
its changes to DBus.
1823
1429
1824
1430
transform_fun: Function that takes a value and a variant_level
1825
1431
and transforms it to a D-Bus type.
1826
1432
dbus_name: D-Bus name of the variable
1829
1435
variant_level: D-Bus variant level. Default: 1
1830
1436
"""
1831
1437
attrname = "_{}".format(dbus_name)
1832
1438
1833
1439
def setter(self, value):
1834
1440
if hasattr(self, "dbus_object_path"):
1835
1441
if (not hasattr(self, attrname) or
1842
1448
else:
1843
1449
dbus_value = transform_func(
1844
1450
type_func(value),
1845
variant_level=variant_level)
1451
variant_level = variant_level)
1846
1452
self.PropertyChanged(dbus.String(dbus_name),
1847
1453
dbus_value)
1848
1454
self.PropertiesChanged(
1849
1455
_interface,
1850
dbus.Dictionary({dbus.String(dbus_name):
1851
dbus_value}),
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1852
1458
dbus.Array())
1853
1459
setattr(self, attrname, value)
1854
1460
1855
1461
return property(lambda self: getattr(self, attrname), setter)
1856
1462
1857
1463
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1858
1464
approvals_pending = notifychangeproperty(dbus.Boolean,
1859
1465
"ApprovalPending",
1860
type_func=bool)
1466
type_func = bool)
1861
1467
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1862
1468
last_enabled = notifychangeproperty(datetime_to_dbus,
1863
1469
"LastEnabled")
1864
1470
checker = notifychangeproperty(
1865
1471
dbus.Boolean, "CheckerRunning",
1866
type_func=lambda checker: checker is not None)
1472
type_func = lambda checker: checker is not None)
1867
1473
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1868
1474
"LastCheckedOK")
1869
1475
last_checker_status = notifychangeproperty(dbus.Int16,
1874
1480
"ApprovedByDefault")
1875
1481
approval_delay = notifychangeproperty(
1876
1482
dbus.UInt64, "ApprovalDelay",
1877
type_func=lambda td: td.total_seconds() * 1000)
1483
type_func = lambda td: td.total_seconds() * 1000)
1878
1484
approval_duration = notifychangeproperty(
1879
1485
dbus.UInt64, "ApprovalDuration",
1880
type_func=lambda td: td.total_seconds() * 1000)
1486
type_func = lambda td: td.total_seconds() * 1000)
1881
1487
host = notifychangeproperty(dbus.String, "Host")
1882
1488
timeout = notifychangeproperty(
1883
1489
dbus.UInt64, "Timeout",
1884
type_func=lambda td: td.total_seconds() * 1000)
1490
type_func = lambda td: td.total_seconds() * 1000)
1885
1491
extended_timeout = notifychangeproperty(
1886
1492
dbus.UInt64, "ExtendedTimeout",
1887
type_func=lambda td: td.total_seconds() * 1000)
1493
type_func = lambda td: td.total_seconds() * 1000)
1888
1494
interval = notifychangeproperty(
1889
1495
dbus.UInt64, "Interval",
1890
type_func=lambda td: td.total_seconds() * 1000)
1496
type_func = lambda td: td.total_seconds() * 1000)
1891
1497
checker_command = notifychangeproperty(dbus.String, "Checker")
1892
1498
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1893
1499
invalidate_only=True)
1894
1500
1895
1501
del notifychangeproperty
1896
1502
1897
1503
def __del__(self, *args, **kwargs):
1898
1504
try:
1899
1505
self.remove_from_connection()
1902
1508
if hasattr(DBusObjectWithProperties, "__del__"):
1903
1509
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1904
1510
Client.__del__(self, *args, **kwargs)
1905
1511
1906
1512
def checker_callback(self, source, condition,
1907
1513
connection, command, *args, **kwargs):
1908
1514
ret = Client.checker_callback(self, source, condition,
1924
1530
| self.last_checker_signal),
1925
1531
dbus.String(command))
1926
1532
return ret
1927
1533
1928
1534
def start_checker(self, *args, **kwargs):
1929
1535
old_checker_pid = getattr(self.checker, "pid", None)
1930
1536
r = Client.start_checker(self, *args, **kwargs)
1934
1540
# Emit D-Bus signal
1935
1541
self.CheckerStarted(self.current_checker_command)
1936
1542
return r
1937
1543
1938
1544
def _reset_approved(self):
1939
1545
self.approved = None
1940
1546
return False
1941
1547
1942
1548
def approve(self, value=True):
1943
1549
self.approved = value
1944
GLib.timeout_add(int(self.approval_duration.total_seconds()
1945
* 1000), self._reset_approved)
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1946
1552
self.send_changedstate()
1947
1948
# D-Bus methods, signals & properties
1949
1950
# Interfaces
1951
1952
# Signals
1953
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1954
1560
# CheckerCompleted - signal
1955
1561
@dbus.service.signal(_interface, signature="nxs")
1956
1562
def CheckerCompleted(self, exitcode, waitstatus, command):
1957
1563
"D-Bus signal"
1958
1564
pass
1959
1565
1960
1566
# CheckerStarted - signal
1961
1567
@dbus.service.signal(_interface, signature="s")
1962
1568
def CheckerStarted(self, command):
1963
1569
"D-Bus signal"
1964
1570
pass
1965
1571
1966
1572
# PropertyChanged - signal
1967
1573
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1968
1574
@dbus.service.signal(_interface, signature="sv")
1969
1575
def PropertyChanged(self, property, value):
1970
1576
"D-Bus signal"
1971
1577
pass
1972
1578
1973
1579
# GotSecret - signal
1974
1580
@dbus.service.signal(_interface)
1975
1581
def GotSecret(self):
1978
1584
server to mandos-client
1979
1585
"""
1980
1586
pass
1981
1587
1982
1588
# Rejected - signal
1983
1589
@dbus.service.signal(_interface, signature="s")
1984
1590
def Rejected(self, reason):
1985
1591
"D-Bus signal"
1986
1592
pass
1987
1593
1988
1594
# NeedApproval - signal
1989
1595
@dbus.service.signal(_interface, signature="tb")
1990
1596
def NeedApproval(self, timeout, default):
1991
1597
"D-Bus signal"
1992
1598
return self.need_approval()
1993
1994
# Methods
1995
1599
1600
## Methods
1601
1996
1602
# Approve - method
1997
1603
@dbus.service.method(_interface, in_signature="b")
1998
1604
def Approve(self, value):
1999
1605
self.approve(value)
2000
1606
2001
1607
# CheckedOK - method
2002
1608
@dbus.service.method(_interface)
2003
1609
def CheckedOK(self):
2004
1610
self.checked_ok()
2005
1611
2006
1612
# Enable - method
2007
1613
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1614
@dbus.service.method(_interface)
2009
1615
def Enable(self):
2010
1616
"D-Bus method"
2011
1617
self.enable()
2012
1618
2013
1619
# StartChecker - method
2014
1620
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2015
1621
@dbus.service.method(_interface)
2016
1622
def StartChecker(self):
2017
1623
"D-Bus method"
2018
1624
self.start_checker()
2019
1625
2020
1626
# Disable - method
2021
1627
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2022
1628
@dbus.service.method(_interface)
2023
1629
def Disable(self):
2024
1630
"D-Bus method"
2025
1631
self.disable()
2026
1632
2027
1633
# StopChecker - method
2028
1634
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2029
1635
@dbus.service.method(_interface)
2030
1636
def StopChecker(self):
2031
1637
self.stop_checker()
2032
2033
# Properties
2034
1638
1639
## Properties
1640
2035
1641
# ApprovalPending - property
2036
1642
@dbus_service_property(_interface, signature="b", access="read")
2037
1643
def ApprovalPending_dbus_property(self):
2038
1644
return dbus.Boolean(bool(self.approvals_pending))
2039
1645
2040
1646
# ApprovedByDefault - property
2041
1647
@dbus_service_property(_interface,
2042
1648
signature="b",
2045
1651
if value is None: # get
2046
1652
return dbus.Boolean(self.approved_by_default)
2047
1653
self.approved_by_default = bool(value)
2048
1654
2049
1655
# ApprovalDelay - property
2050
1656
@dbus_service_property(_interface,
2051
1657
signature="t",
2055
1661
return dbus.UInt64(self.approval_delay.total_seconds()
2056
1662
* 1000)
2057
1663
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2058
1664
2059
1665
# ApprovalDuration - property
2060
1666
@dbus_service_property(_interface,
2061
1667
signature="t",
2065
1671
return dbus.UInt64(self.approval_duration.total_seconds()
2066
1672
* 1000)
2067
1673
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2068
1674
2069
1675
# Name - property
2070
1676
@dbus_annotations(
2071
1677
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2072
1678
@dbus_service_property(_interface, signature="s", access="read")
2073
1679
def Name_dbus_property(self):
2074
1680
return dbus.String(self.name)
2075
2076
# KeyID - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
@dbus_service_property(_interface, signature="s", access="read")
2080
def KeyID_dbus_property(self):
2081
return dbus.String(self.key_id)
2082
1681
2083
1682
# Fingerprint - property
2084
1683
@dbus_annotations(
2085
1684
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
1685
@dbus_service_property(_interface, signature="s", access="read")
2087
1686
def Fingerprint_dbus_property(self):
2088
1687
return dbus.String(self.fingerprint)
2089
1688
2090
1689
# Host - property
2091
1690
@dbus_service_property(_interface,
2092
1691
signature="s",
2095
1694
if value is None: # get
2096
1695
return dbus.String(self.host)
2097
1696
self.host = str(value)
2098
1697
2099
1698
# Created - property
2100
1699
@dbus_annotations(
2101
1700
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2102
1701
@dbus_service_property(_interface, signature="s", access="read")
2103
1702
def Created_dbus_property(self):
2104
1703
return datetime_to_dbus(self.created)
2105
1704
2106
1705
# LastEnabled - property
2107
1706
@dbus_service_property(_interface, signature="s", access="read")
2108
1707
def LastEnabled_dbus_property(self):
2109
1708
return datetime_to_dbus(self.last_enabled)
2110
1709
2111
1710
# Enabled - property
2112
1711
@dbus_service_property(_interface,
2113
1712
signature="b",
2119
1718
self.enable()
2120
1719
else:
2121
1720
self.disable()
2122
1721
2123
1722
# LastCheckedOK - property
2124
1723
@dbus_service_property(_interface,
2125
1724
signature="s",
2129
1728
self.checked_ok()
2130
1729
return
2131
1730
return datetime_to_dbus(self.last_checked_ok)
2132
1731
2133
1732
# LastCheckerStatus - property
2134
1733
@dbus_service_property(_interface, signature="n", access="read")
2135
1734
def LastCheckerStatus_dbus_property(self):
2136
1735
return dbus.Int16(self.last_checker_status)
2137
1736
2138
1737
# Expires - property
2139
1738
@dbus_service_property(_interface, signature="s", access="read")
2140
1739
def Expires_dbus_property(self):
2141
1740
return datetime_to_dbus(self.expires)
2142
1741
2143
1742
# LastApprovalRequest - property
2144
1743
@dbus_service_property(_interface, signature="s", access="read")
2145
1744
def LastApprovalRequest_dbus_property(self):
2146
1745
return datetime_to_dbus(self.last_approval_request)
2147
1746
2148
1747
# Timeout - property
2149
1748
@dbus_service_property(_interface,
2150
1749
signature="t",
2165
1764
if (getattr(self, "disable_initiator_tag", None)
2166
1765
is None):
2167
1766
return
2168
GLib.source_remove(self.disable_initiator_tag)
2169
self.disable_initiator_tag = GLib.timeout_add(
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2170
1769
int((self.expires - now).total_seconds() * 1000),
2171
1770
self.disable)
2172
1771
2173
1772
# ExtendedTimeout - property
2174
1773
@dbus_service_property(_interface,
2175
1774
signature="t",
2179
1778
return dbus.UInt64(self.extended_timeout.total_seconds()
2180
1779
* 1000)
2181
1780
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2182
1781
2183
1782
# Interval - property
2184
1783
@dbus_service_property(_interface,
2185
1784
signature="t",
2192
1791
return
2193
1792
if self.enabled:
2194
1793
# Reschedule checker run
2195
GLib.source_remove(self.checker_initiator_tag)
2196
self.checker_initiator_tag = GLib.timeout_add(
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2197
1796
value, self.start_checker)
2198
self.start_checker() # Start one now, too
2199
1797
self.start_checker() # Start one now, too
1798
2200
1799
# Checker - property
2201
1800
@dbus_service_property(_interface,
2202
1801
signature="s",
2205
1804
if value is None: # get
2206
1805
return dbus.String(self.checker_command)
2207
1806
self.checker_command = str(value)
2208
1807
2209
1808
# CheckerRunning - property
2210
1809
@dbus_service_property(_interface,
2211
1810
signature="b",
2217
1816
self.start_checker()
2218
1817
else:
2219
1818
self.stop_checker()
2220
1819
2221
1820
# ObjectPath - property
2222
1821
@dbus_annotations(
2223
1822
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2224
1823
"org.freedesktop.DBus.Deprecated": "true"})
2225
1824
@dbus_service_property(_interface, signature="o", access="read")
2226
1825
def ObjectPath_dbus_property(self):
2227
return self.dbus_object_path # is already a dbus.ObjectPath
2228
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2229
1828
# Secret = property
2230
1829
@dbus_annotations(
2231
1830
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2236
1835
byte_arrays=True)
2237
1836
def Secret_dbus_property(self, value):
2238
1837
self.secret = bytes(value)
2239
1838
2240
1839
del _interface
2241
1840
2242
1841
2243
class ProxyClient:
2244
def __init__(self, child_pipe, key_id, fpr, address):
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2245
1844
self._pipe = child_pipe
2246
self._pipe.send(('init', key_id, fpr, address))
1845
self._pipe.send(('init', fpr, address))
2247
1846
if not self._pipe.recv():
2248
raise KeyError(key_id or fpr)
2249
1847
raise KeyError(fpr)
1848
2250
1849
def __getattribute__(self, name):
2251
1850
if name == '_pipe':
2252
1851
return super(ProxyClient, self).__getattribute__(name)
2255
1854
if data[0] == 'data':
2256
1855
return data[1]
2257
1856
if data[0] == 'function':
2258
1857
2259
1858
def func(*args, **kwargs):
2260
1859
self._pipe.send(('funcall', name, args, kwargs))
2261
1860
return self._pipe.recv()[1]
2262
1861
2263
1862
return func
2264
1863
2265
1864
def __setattr__(self, name, value):
2266
1865
if name == '_pipe':
2267
1866
return super(ProxyClient, self).__setattr__(name, value)
2270
1869
2271
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2272
1871
"""A class to handle client connections.
2273
1872
2274
1873
Instantiated once for each connection to handle it.
2275
1874
Note: This will run in its own forked process."""
2276
1875
2277
1876
def handle(self):
2278
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2279
1878
logger.info("TCP connection from: %s",
2280
1879
str(self.client_address))
2281
1880
logger.debug("Pipe FD: %d",
2282
1881
self.server.child_pipe.fileno())
2283
2284
session = gnutls.ClientSession(self.request)
2285
2286
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2287
# "+AES-256-CBC", "+SHA1",
2288
# "+COMP-NULL", "+CTYPE-OPENPGP",
2289
# "+DHE-DSS"))
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2290
1895
# Use a fallback default, since this MUST be set.
2291
1896
priority = self.server.gnutls_priority
2292
1897
if priority is None:
2293
1898
priority = "NORMAL"
2294
gnutls.priority_set_direct(session._c_object,
2295
priority.encode("utf-8"),
2296
None)
2297
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2298
1902
# Start communication using the Mandos protocol
2299
1903
# Get protocol number
2300
1904
line = self.request.makefile().readline()
2305
1909
except (ValueError, IndexError, RuntimeError) as error:
2306
1910
logger.error("Unknown protocol version: %s", error)
2307
1911
return
2308
1912
2309
1913
# Start GnuTLS connection
2310
1914
try:
2311
1915
session.handshake()
2312
except gnutls.Error as error:
1916
except gnutls.errors.GNUTLSError as error:
2313
1917
logger.warning("Handshake failed: %s", error)
2314
1918
# Do not run session.bye() here: the session is not
2315
1919
# established. Just abandon the request.
2316
1920
return
2317
1921
logger.debug("Handshake succeeded")
2318
1922
2319
1923
approval_required = False
2320
1924
try:
2321
if gnutls.has_rawpk:
2322
fpr = b""
2323
try:
2324
key_id = self.key_id(
2325
self.peer_certificate(session))
2326
except (TypeError, gnutls.Error) as error:
2327
logger.warning("Bad certificate: %s", error)
2328
return
2329
logger.debug("Key ID: %s", key_id)
2330
2331
else:
2332
key_id = b""
2333
try:
2334
fpr = self.fingerprint(
2335
self.peer_certificate(session))
2336
except (TypeError, gnutls.Error) as error:
2337
logger.warning("Bad certificate: %s", error)
2338
return
2339
logger.debug("Fingerprint: %s", fpr)
2340
2341
try:
2342
client = ProxyClient(child_pipe, key_id, fpr,
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2343
1936
self.client_address)
2344
1937
except KeyError:
2345
1938
return
2346
1939
2347
1940
if client.approval_delay:
2348
1941
delay = client.approval_delay
2349
1942
client.approvals_pending += 1
2350
1943
approval_required = True
2351
1944
2352
1945
while True:
2353
1946
if not client.enabled:
2354
1947
logger.info("Client %s is disabled",
2357
1950
# Emit D-Bus signal
2358
1951
client.Rejected("Disabled")
2359
1952
return
2360
1953
2361
1954
if client.approved or not client.approval_delay:
2362
# We are approved or approval is disabled
1955
#We are approved or approval is disabled
2363
1956
break
2364
1957
elif client.approved is None:
2365
1958
logger.info("Client %s needs approval",
2376
1969
# Emit D-Bus signal
2377
1970
client.Rejected("Denied")
2378
1971
return
2379
2380
# wait until timeout or approved
1972
1973
#wait until timeout or approved
2381
1974
time = datetime.datetime.now()
2382
1975
client.changedstate.acquire()
2383
1976
client.changedstate.wait(delay.total_seconds())
2396
1989
break
2397
1990
else:
2398
1991
delay -= time2 - time
2399
2400
try:
2401
session.send(client.secret)
2402
except gnutls.Error as error:
2403
logger.warning("gnutls send failed",
2404
exc_info=error)
2405
return
2406
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2407
2006
logger.info("Sending secret to %s", client.name)
2408
2007
# bump the timeout using extended_timeout
2409
2008
client.bump_timeout(client.extended_timeout)
2410
2009
if self.server.use_dbus:
2411
2010
# Emit D-Bus signal
2412
2011
client.GotSecret()
2413
2012
2414
2013
finally:
2415
2014
if approval_required:
2416
2015
client.approvals_pending -= 1
2417
2016
try:
2418
2017
session.bye()
2419
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2420
2019
logger.warning("GnuTLS bye failed",
2421
2020
exc_info=error)
2422
2021
2423
2022
@staticmethod
2424
2023
def peer_certificate(session):
2425
"Return the peer's certificate as a bytestring"
2426
try:
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2428
gnutls.CTYPE_PEERS)
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2433
else:
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2438
valid_cert_types)
2439
# ...return invalid data
2440
return b""
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2441
2031
list_size = ctypes.c_uint(1)
2442
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2443
2034
(session._c_object, ctypes.byref(list_size)))
2444
2035
if not bool(cert_list) and list_size.value != 0:
2445
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2446
2038
if list_size.value == 0:
2447
2039
return None
2448
2040
cert = cert_list[0]
2449
2041
return ctypes.string_at(cert.data, cert.size)
2450
2451
@staticmethod
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2478
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2483
return hex_key_id
2484
2042
2485
2043
@staticmethod
2486
2044
def fingerprint(openpgp):
2487
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2488
2046
# New GnuTLS "datum" with the OpenPGP public key
2489
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2490
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2491
2049
ctypes.POINTER(ctypes.c_ubyte)),
2492
2050
ctypes.c_uint(len(openpgp)))
2493
2051
# New empty GnuTLS certificate
2494
crt = gnutls.openpgp_crt_t()
2495
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2496
2055
# Import the OpenPGP public key into the certificate
2497
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2498
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2499
2059
# Verify the self signature in the key
2500
2060
crtverify = ctypes.c_uint()
2501
gnutls.openpgp_crt_verify_self(crt, 0,
2502
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2503
2063
if crtverify.value != 0:
2504
gnutls.openpgp_crt_deinit(crt)
2505
raise gnutls.CertificateSecurityError(code
2506
=crtverify.value)
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2507
2067
# New buffer for the fingerprint
2508
2068
buf = ctypes.create_string_buffer(20)
2509
2069
buf_len = ctypes.c_size_t()
2510
2070
# Get the fingerprint from the certificate into the buffer
2511
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2512
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2513
2073
# Deinit the certificate
2514
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2515
2075
# Convert the buffer to a Python bytestring
2516
2076
fpr = ctypes.string_at(buf, buf_len.value)
2517
2077
# Convert the bytestring to hexadecimal notation
2519
2079
return hex_fpr
2520
2080
2521
2081
2522
class MultiprocessingMixIn:
2082
class MultiprocessingMixIn(object):
2523
2083
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2524
2084
2525
2085
def sub_process_main(self, request, address):
2526
2086
try:
2527
2087
self.finish_request(request, address)
2528
2088
except Exception:
2529
2089
self.handle_error(request, address)
2530
2090
self.close_request(request)
2531
2091
2532
2092
def process_request(self, request, address):
2533
2093
"""Start a new process to process the request."""
2534
proc = multiprocessing.Process(target=self.sub_process_main,
2535
args=(request, address))
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2536
2096
proc.start()
2537
2097
return proc
2538
2098
2539
2099
2540
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2541
2101
""" adds a pipe to the MixIn """
2542
2102
2543
2103
def process_request(self, request, client_address):
2544
2104
"""Overrides and wraps the original process_request().
2545
2105
2546
2106
This function creates a new pipe in self.pipe
2547
2107
"""
2548
2108
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2549
2109
2550
2110
proc = MultiprocessingMixIn.process_request(self, request,
2551
2111
client_address)
2552
2112
self.child_pipe.close()
2553
2113
self.add_pipe(parent_pipe, proc)
2554
2114
2555
2115
def add_pipe(self, parent_pipe, proc):
2556
2116
"""Dummy function; override as necessary"""
2557
2117
raise NotImplementedError()
2558
2118
2559
2119
2560
2120
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2561
socketserver.TCPServer):
2121
socketserver.TCPServer, object):
2562
2122
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2563
2123
2564
2124
Attributes:
2565
2125
enabled: Boolean; whether this server is activated yet
2566
2126
interface: None or a network interface name (string)
2567
2127
use_ipv6: Boolean; to use IPv6 or not
2568
2128
"""
2569
2129
2570
2130
def __init__(self, server_address, RequestHandlerClass,
2571
2131
interface=None,
2572
2132
use_ipv6=True,
2582
2142
self.socketfd = socketfd
2583
2143
# Save the original socket.socket() function
2584
2144
self.socket_socket = socket.socket
2585
2586
2145
# To implement --socket, we monkey patch socket.socket.
2587
#
2146
#
2588
2147
# (When socketserver.TCPServer is a new-style class, we
2589
2148
# could make self.socket into a property instead of monkey
2590
2149
# patching socket.socket.)
2591
#
2150
#
2592
2151
# Create a one-time-only replacement for socket.socket()
2593
2152
@functools.wraps(socket.socket)
2594
2153
def socket_wrapper(*args, **kwargs):
2606
2165
# socket_wrapper(), if socketfd was set.
2607
2166
socketserver.TCPServer.__init__(self, server_address,
2608
2167
RequestHandlerClass)
2609
2168
2610
2169
def server_bind(self):
2611
2170
"""This overrides the normal server_bind() function
2612
2171
to bind to an interface if one was specified, and also NOT to
2613
2172
bind to an address or port if they were not specified."""
2614
global SO_BINDTODEVICE
2615
2173
if self.interface is not None:
2616
2174
if SO_BINDTODEVICE is None:
2617
# Fall back to a hard-coded value which seems to be
2618
# common enough.
2619
logger.warning("SO_BINDTODEVICE not found, trying 25")
2620
SO_BINDTODEVICE = 25
2621
try:
2622
self.socket.setsockopt(
2623
socket.SOL_SOCKET, SO_BINDTODEVICE,
2624
(self.interface + "\0").encode("utf-8"))
2625
except socket.error as error:
2626
if error.errno == errno.EPERM:
2627
logger.error("No permission to bind to"
2628
" interface %s", self.interface)
2629
elif error.errno == errno.ENOPROTOOPT:
2630
logger.error("SO_BINDTODEVICE not available;"
2631
" cannot bind to interface %s",
2632
self.interface)
2633
elif error.errno == errno.ENODEV:
2634
logger.error("Interface %s does not exist,"
2635
" cannot bind", self.interface)
2636
else:
2637
raise
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2638
2196
# Only bind(2) the socket if we really need to.
2639
2197
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2642
2198
if not self.server_address[0]:
2643
2199
if self.address_family == socket.AF_INET6:
2644
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2645
2201
else:
2646
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2647
2203
self.server_address = (any_address,
2648
2204
self.server_address[1])
2649
2205
elif not self.server_address[1]:
2659
2215
2660
2216
class MandosServer(IPv6_TCPServer):
2661
2217
"""Mandos server.
2662
2218
2663
2219
Attributes:
2664
2220
clients: set of Client objects
2665
2221
gnutls_priority GnuTLS priority string
2666
2222
use_dbus: Boolean; to emit D-Bus signals or not
2667
2668
Assumes a GLib.MainLoop event loop.
2223
2224
Assumes a gobject.MainLoop event loop.
2669
2225
"""
2670
2226
2671
2227
def __init__(self, server_address, RequestHandlerClass,
2672
2228
interface=None,
2673
2229
use_ipv6=True,
2683
2239
self.gnutls_priority = gnutls_priority
2684
2240
IPv6_TCPServer.__init__(self, server_address,
2685
2241
RequestHandlerClass,
2686
interface=interface,
2687
use_ipv6=use_ipv6,
2688
socketfd=socketfd)
2689
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2690
2246
def server_activate(self):
2691
2247
if self.enabled:
2692
2248
return socketserver.TCPServer.server_activate(self)
2693
2249
2694
2250
def enable(self):
2695
2251
self.enabled = True
2696
2252
2697
2253
def add_pipe(self, parent_pipe, proc):
2698
2254
# Call "handle_ipc" for both data and EOF events
2699
GLib.io_add_watch(
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2702
2258
functools.partial(self.handle_ipc,
2703
parent_pipe=parent_pipe,
2704
proc=proc))
2705
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2706
2262
def handle_ipc(self, source, condition,
2707
2263
parent_pipe=None,
2708
proc=None,
2264
proc = None,
2709
2265
client_object=None):
2710
2266
# error, or the other end of multiprocessing.Pipe has closed
2711
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2712
2268
# Wait for other process to exit
2713
2269
proc.join()
2714
2270
return False
2715
2271
2716
2272
# Read a request from the child
2717
2273
request = parent_pipe.recv()
2718
2274
command = request[0]
2719
2275
2720
2276
if command == 'init':
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2724
2725
for c in self.clients.values():
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2727
continue
2728
if key_id and c.key_id == key_id:
2729
client = c
2730
break
2731
if fpr and c.fingerprint == fpr:
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2732
2282
client = c
2733
2283
break
2734
2284
else:
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2737
2287
if self.use_dbus:
2738
2288
# Emit D-Bus signal
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
mandos_dbus_service.ClientNotFound(fpr,
2740
2290
address[0])
2741
2291
parent_pipe.send(False)
2742
2292
return False
2743
2744
GLib.io_add_watch(
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2747
2297
functools.partial(self.handle_ipc,
2748
parent_pipe=parent_pipe,
2749
proc=proc,
2750
client_object=client))
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2751
2301
parent_pipe.send(True)
2752
2302
# remove the old hook in favor of the new above hook on
2753
2303
# same fileno
2756
2306
funcname = request[1]
2757
2307
args = request[2]
2758
2308
kwargs = request[3]
2759
2309
2760
2310
parent_pipe.send(('data', getattr(client_object,
2761
2311
funcname)(*args,
2762
2312
**kwargs)))
2763
2313
2764
2314
if command == 'getattr':
2765
2315
attrname = request[1]
2766
2316
if isinstance(client_object.__getattribute__(attrname),
2767
collections.abc.Callable):
2317
collections.Callable):
2768
2318
parent_pipe.send(('function', ))
2769
2319
else:
2770
2320
parent_pipe.send((
2771
2321
'data', client_object.__getattribute__(attrname)))
2772
2322
2773
2323
if command == 'setattr':
2774
2324
attrname = request[1]
2775
2325
value = request[2]
2776
2326
setattr(client_object, attrname, value)
2777
2327
2778
2328
return True
2779
2329
2780
2330
2781
2331
def rfc3339_duration_to_delta(duration):
2782
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2783
2784
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2785
True
2786
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2787
True
2788
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2789
True
2790
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2791
True
2792
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2793
True
2794
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2795
True
2796
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2797
True
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2798
2348
"""
2799
2349
2800
2350
# Parsing an RFC 3339 duration with regular expressions is not
2801
2351
# possible - there would have to be multiple places for the same
2802
2352
# values, like seconds. The current code, while more esoteric, is
2803
2353
# cleaner without depending on a parsing library. If Python had a
2804
2354
# built-in library for parsing we would use it, but we'd like to
2805
2355
# avoid excessive use of external libraries.
2806
2356
2807
2357
# New type for defining tokens, syntax, and semantics all-in-one
2808
2358
Token = collections.namedtuple("Token", (
2809
2359
"regexp", # To match token; if "value" is not None, must have
2842
2392
frozenset((token_year, token_month,
2843
2393
token_day, token_time,
2844
2394
token_week)))
2845
# Define starting values:
2846
# Value so far
2847
value = datetime.timedelta()
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2848
2397
found_token = None
2849
# Following valid tokens
2850
followers = frozenset((token_duration, ))
2851
# String left to parse
2852
s = duration
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2853
2400
# Loop until end token is found
2854
2401
while found_token is not token_end:
2855
2402
# Search for any currently valid tokens
2879
2426
2880
2427
def string_to_delta(interval):
2881
2428
"""Parse a string and return a datetime.timedelta
2882
2883
>>> string_to_delta('7d') == datetime.timedelta(7)
2884
True
2885
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2886
True
2887
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2888
True
2889
>>> string_to_delta('24h') == datetime.timedelta(1)
2890
True
2891
>>> string_to_delta('1w') == datetime.timedelta(7)
2892
True
2893
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2894
True
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2895
2442
"""
2896
2443
2897
2444
try:
2898
2445
return rfc3339_duration_to_delta(interval)
2899
2446
except ValueError:
2900
2447
pass
2901
2448
2902
2449
timevalue = datetime.timedelta(0)
2903
2450
for s in interval.split():
2904
2451
try:
2922
2469
return timevalue
2923
2470
2924
2471
2925
def daemon(nochdir=False, noclose=False):
2472
def daemon(nochdir = False, noclose = False):
2926
2473
"""See daemon(3). Standard BSD Unix function.
2927
2474
2928
2475
This should really exist as os.daemon, but it doesn't (yet)."""
2929
2476
if os.fork():
2930
2477
sys.exit()
2948
2495
2949
2496
2950
2497
def main():
2951
2498
2952
2499
##################################################################
2953
2500
# Parsing of options, both command line and config file
2954
2501
2955
2502
parser = argparse.ArgumentParser()
2956
2503
parser.add_argument("-v", "--version", action="version",
2957
version="%(prog)s {}".format(version),
2504
version = "%(prog)s {}".format(version),
2958
2505
help="show version number and exit")
2959
2506
parser.add_argument("-i", "--interface", metavar="IF",
2960
2507
help="Bind to interface IF")
2996
2543
parser.add_argument("--no-zeroconf", action="store_false",
2997
2544
dest="zeroconf", help="Do not use Zeroconf",
2998
2545
default=None)
2999
2546
3000
2547
options = parser.parse_args()
3001
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
3002
2554
# Default values for config file for server-global settings
3003
if gnutls.has_rawpk:
3004
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3005
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3006
else:
3007
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3008
":+SIGN-DSA-SHA256")
3009
server_defaults = {"interface": "",
3010
"address": "",
3011
"port": "",
3012
"debug": "False",
3013
"priority": priority,
3014
"servicename": "Mandos",
3015
"use_dbus": "True",
3016
"use_ipv6": "True",
3017
"debuglevel": "",
3018
"restore": "True",
3019
"socket": "",
3020
"statedir": "/var/lib/mandos",
3021
"foreground": "False",
3022
"zeroconf": "True",
3023
}
3024
del priority
3025
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3026
2573
# Parse config file for server-global settings
3027
server_config = configparser.ConfigParser(server_defaults)
2574
server_config = configparser.SafeConfigParser(server_defaults)
3028
2575
del server_defaults
3029
2576
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3030
# Convert the ConfigParser object to a dict
2577
# Convert the SafeConfigParser object to a dict
3031
2578
server_settings = server_config.defaults()
3032
2579
# Use the appropriate methods on the non-string config options
3033
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3034
"foreground", "zeroconf"):
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3035
2581
server_settings[option] = server_config.getboolean("DEFAULT",
3036
2582
option)
3037
2583
if server_settings["port"]:
3047
2593
server_settings["socket"] = os.dup(server_settings
3048
2594
["socket"])
3049
2595
del server_config
3050
2596
3051
2597
# Override the settings from the config file with command line
3052
2598
# options, if set.
3053
2599
for option in ("interface", "address", "port", "debug",
3071
2617
if server_settings["debug"]:
3072
2618
server_settings["foreground"] = True
3073
2619
# Now we have our good server settings in "server_settings"
3074
2620
3075
2621
##################################################################
3076
2622
3077
2623
if (not server_settings["zeroconf"]
3078
2624
and not (server_settings["port"]
3079
2625
or server_settings["socket"] != "")):
3080
2626
parser.error("Needs port or socket to work without Zeroconf")
3081
2627
3082
2628
# For convenience
3083
2629
debug = server_settings["debug"]
3084
2630
debuglevel = server_settings["debuglevel"]
3088
2634
stored_state_file)
3089
2635
foreground = server_settings["foreground"]
3090
2636
zeroconf = server_settings["zeroconf"]
3091
2637
3092
2638
if debug:
3093
2639
initlogger(debug, logging.DEBUG)
3094
2640
else:
3097
2643
else:
3098
2644
level = getattr(logging, debuglevel.upper())
3099
2645
initlogger(debug, level)
3100
2646
3101
2647
if server_settings["servicename"] != "Mandos":
3102
2648
syslogger.setFormatter(
3103
2649
logging.Formatter('Mandos ({}) [%(process)d]:'
3104
2650
' %(levelname)s: %(message)s'.format(
3105
2651
server_settings["servicename"])))
3106
2652
3107
2653
# Parse config file with clients
3108
client_config = configparser.ConfigParser(Client.client_defaults)
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3109
2656
client_config.read(os.path.join(server_settings["configdir"],
3110
2657
"clients.conf"))
3111
2658
3112
2659
global mandos_dbus_service
3113
2660
mandos_dbus_service = None
3114
2661
3115
2662
socketfd = None
3116
2663
if server_settings["socket"] != "":
3117
2664
socketfd = server_settings["socket"]
3133
2680
except IOError as e:
3134
2681
logger.error("Could not open file %r", pidfilename,
3135
2682
exc_info=e)
3136
3137
for name, group in (("_mandos", "_mandos"),
3138
("mandos", "mandos"),
3139
("nobody", "nogroup")):
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3140
2685
try:
3141
2686
uid = pwd.getpwnam(name).pw_uid
3142
gid = pwd.getpwnam(group).pw_gid
2687
gid = pwd.getpwnam(name).pw_gid
3143
2688
break
3144
2689
except KeyError:
3145
2690
continue
3149
2694
try:
3150
2695
os.setgid(gid)
3151
2696
os.setuid(uid)
3152
if debug:
3153
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3154
gid))
3155
2697
except OSError as error:
3156
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3157
.format(uid, gid, os.strerror(error.errno)))
3158
2698
if error.errno != errno.EPERM:
3159
2699
raise
3160
2700
3161
2701
if debug:
3162
2702
# Enable all possible GnuTLS debugging
3163
2703
3164
2704
# "Use a log level over 10 to enable all debugging options."
3165
2705
# - GnuTLS manual
3166
gnutls.global_set_log_level(11)
3167
3168
@gnutls.log_func
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3169
2709
def debug_gnutls(level, string):
3170
2710
logger.debug("GnuTLS: %s", string[:-1])
3171
3172
gnutls.global_set_log_function(debug_gnutls)
3173
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3174
2715
# Redirect stdin so all checkers get /dev/null
3175
2716
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3176
2717
os.dup2(null, sys.stdin.fileno())
3177
2718
if null > 2:
3178
2719
os.close(null)
3179
2720
3180
2721
# Need to fork before connecting to D-Bus
3181
2722
if not foreground:
3182
2723
# Close all input and output, do double fork, etc.
3183
2724
daemon()
3184
3185
if gi.version_info < (3, 10, 2):
3186
# multiprocessing will use threads, so before we use GLib we
3187
# need to inform GLib that threads will be used.
3188
GLib.threads_init()
3189
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3190
2730
global main_loop
3191
2731
# From the Avahi example code
3192
2732
DBusGMainLoop(set_as_default=True)
3193
main_loop = GLib.MainLoop()
2733
main_loop = gobject.MainLoop()
3194
2734
bus = dbus.SystemBus()
3195
2735
# End of Avahi example code
3196
2736
if use_dbus:
3209
2749
if zeroconf:
3210
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3211
2751
service = AvahiServiceToSyslog(
3212
name=server_settings["servicename"],
3213
servicetype="_mandos._tcp",
3214
protocol=protocol,
3215
bus=bus)
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3216
2756
if server_settings["interface"]:
3217
2757
service.interface = if_nametoindex(
3218
2758
server_settings["interface"].encode("utf-8"))
3219
2759
3220
2760
global multiprocessing_manager
3221
2761
multiprocessing_manager = multiprocessing.Manager()
3222
2762
3223
2763
client_class = Client
3224
2764
if use_dbus:
3225
client_class = functools.partial(ClientDBus, bus=bus)
3226
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3227
2767
client_settings = Client.config_parser(client_config)
3228
2768
old_client_settings = {}
3229
2769
clients_data = {}
3230
2770
3231
2771
# This is used to redirect stdout and stderr for checker processes
3232
2772
global wnull
3233
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3234
2774
# Only used if server is running in foreground but not in debug
3235
2775
# mode
3236
2776
if debug or not foreground:
3237
2777
wnull.close()
3238
2778
3239
2779
# Get client data and settings from last running state.
3240
2780
if server_settings["restore"]:
3241
2781
try:
3242
2782
with open(stored_state_path, "rb") as stored_state:
3243
if sys.version_info.major == 2:
3244
clients_data, old_client_settings = pickle.load(
3245
stored_state)
3246
else:
3247
bytes_clients_data, bytes_old_client_settings = (
3248
pickle.load(stored_state, encoding="bytes"))
3249
# Fix bytes to strings
3250
# clients_data
3251
# .keys()
3252
clients_data = {(key.decode("utf-8")
3253
if isinstance(key, bytes)
3254
else key): value
3255
for key, value in
3256
bytes_clients_data.items()}
3257
del bytes_clients_data
3258
for key in clients_data:
3259
value = {(k.decode("utf-8")
3260
if isinstance(k, bytes) else k): v
3261
for k, v in
3262
clients_data[key].items()}
3263
clients_data[key] = value
3264
# .client_structure
3265
value["client_structure"] = [
3266
(s.decode("utf-8")
3267
if isinstance(s, bytes)
3268
else s) for s in
3269
value["client_structure"]]
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3272
if isinstance(value[k], bytes):
3273
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3278
# old_client_settings
3279
# .keys()
3280
old_client_settings = {
3281
(key.decode("utf-8")
3282
if isinstance(key, bytes)
3283
else key): value
3284
for key, value in
3285
bytes_old_client_settings.items()}
3286
del bytes_old_client_settings
3287
# .host and .checker_command
3288
for value in old_client_settings.values():
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
3292
.decode("utf-8"))
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3293
2785
os.remove(stored_state_path)
3294
2786
except IOError as e:
3295
2787
if e.errno == errno.ENOENT:
3303
2795
logger.warning("Could not load persistent state: "
3304
2796
"EOFError:",
3305
2797
exc_info=e)
3306
2798
3307
2799
with PGPEngine() as pgp:
3308
2800
for client_name, client in clients_data.items():
3309
2801
# Skip removed clients
3310
2802
if client_name not in client_settings:
3311
2803
continue
3312
2804
3313
2805
# Decide which value to use after restoring saved state.
3314
2806
# We have three different values: Old config file,
3315
2807
# new config file, and saved state.
3326
2818
client[name] = value
3327
2819
except KeyError:
3328
2820
pass
3329
2821
3330
2822
# Clients who has passed its expire date can still be
3331
2823
# enabled if its last checker was successful. A Client
3332
2824
# whose checker succeeded before we stored its state is
3365
2857
client_name))
3366
2858
client["secret"] = (client_settings[client_name]
3367
2859
["secret"])
3368
2860
3369
2861
# Add/remove clients based on new changes made to config
3370
2862
for client_name in (set(old_client_settings)
3371
2863
- set(client_settings)):
3373
2865
for client_name in (set(client_settings)
3374
2866
- set(old_client_settings)):
3375
2867
clients_data[client_name] = client_settings[client_name]
3376
2868
3377
2869
# Create all client objects
3378
2870
for client_name, client in clients_data.items():
3379
2871
tcp_server.clients[client_name] = client_class(
3380
name=client_name,
3381
settings=client,
3382
server_settings=server_settings)
3383
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3384
2876
if not tcp_server.clients:
3385
2877
logger.warning("No clients defined")
3386
2878
3387
2879
if not foreground:
3388
2880
if pidfile is not None:
3389
2881
pid = os.getpid()
3395
2887
pidfilename, pid)
3396
2888
del pidfile
3397
2889
del pidfilename
3398
3399
for termsig in (signal.SIGHUP, signal.SIGTERM):
3400
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3401
lambda: main_loop.quit() and False)
3402
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3403
2894
if use_dbus:
3404
2895
3405
2896
@alternate_dbus_interfaces(
3406
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3407
2898
class MandosDBusService(DBusObjectWithObjectManager):
3408
2899
"""A D-Bus proxy object"""
3409
2900
3410
2901
def __init__(self):
3411
2902
dbus.service.Object.__init__(self, bus, "/")
3412
2903
3413
2904
_interface = "se.recompile.Mandos"
3414
2905
3415
2906
@dbus.service.signal(_interface, signature="o")
3416
2907
def ClientAdded(self, objpath):
3417
2908
"D-Bus signal"
3418
2909
pass
3419
2910
3420
2911
@dbus.service.signal(_interface, signature="ss")
3421
def ClientNotFound(self, key_id, address):
2912
def ClientNotFound(self, fingerprint, address):
3422
2913
"D-Bus signal"
3423
2914
pass
3424
2915
3425
2916
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3426
2917
"true"})
3427
2918
@dbus.service.signal(_interface, signature="os")
3428
2919
def ClientRemoved(self, objpath, name):
3429
2920
"D-Bus signal"
3430
2921
pass
3431
2922
3432
2923
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3433
2924
"true"})
3434
2925
@dbus.service.method(_interface, out_signature="ao")
3435
2926
def GetAllClients(self):
3436
2927
"D-Bus method"
3437
2928
return dbus.Array(c.dbus_object_path for c in
3438
tcp_server.clients.values())
3439
2929
tcp_server.clients.itervalues())
2930
3440
2931
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3441
2932
"true"})
3442
2933
@dbus.service.method(_interface,
3444
2935
def GetAllClientsWithProperties(self):
3445
2936
"D-Bus method"
3446
2937
return dbus.Dictionary(
3447
{c.dbus_object_path: c.GetAll(
2938
{ c.dbus_object_path: c.GetAll(
3448
2939
"se.recompile.Mandos.Client")
3449
for c in tcp_server.clients.values()},
2940
for c in tcp_server.clients.itervalues() },
3450
2941
signature="oa{sv}")
3451
2942
3452
2943
@dbus.service.method(_interface, in_signature="o")
3453
2944
def RemoveClient(self, object_path):
3454
2945
"D-Bus method"
3455
for c in tcp_server.clients.values():
2946
for c in tcp_server.clients.itervalues():
3456
2947
if c.dbus_object_path == object_path:
3457
2948
del tcp_server.clients[c.name]
3458
2949
c.remove_from_connection()
3462
2953
self.client_removed_signal(c)
3463
2954
return
3464
2955
raise KeyError(object_path)
3465
2956
3466
2957
del _interface
3467
2958
3468
2959
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3469
out_signature="a{oa{sa{sv}}}")
2960
out_signature = "a{oa{sa{sv}}}")
3470
2961
def GetManagedObjects(self):
3471
2962
"""D-Bus method"""
3472
2963
return dbus.Dictionary(
3473
{client.dbus_object_path:
3474
dbus.Dictionary(
3475
{interface: client.GetAll(interface)
3476
for interface in
3477
client._get_all_interface_names()})
3478
for client in tcp_server.clients.values()})
3479
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3480
2971
def client_added_signal(self, client):
3481
2972
"""Send the new standard signal and the old signal"""
3482
2973
if use_dbus:
3484
2975
self.InterfacesAdded(
3485
2976
client.dbus_object_path,
3486
2977
dbus.Dictionary(
3487
{interface: client.GetAll(interface)
3488
for interface in
3489
client._get_all_interface_names()}))
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3490
2981
# Old signal
3491
2982
self.ClientAdded(client.dbus_object_path)
3492
2983
3493
2984
def client_removed_signal(self, client):
3494
2985
"""Send the new standard signal and the old signal"""
3495
2986
if use_dbus:
3500
2991
# Old signal
3501
2992
self.ClientRemoved(client.dbus_object_path,
3502
2993
client.name)
3503
2994
3504
2995
mandos_dbus_service = MandosDBusService()
3505
3506
# Save modules to variables to exempt the modules from being
3507
# unloaded before the function registered with atexit() is run.
3508
mp = multiprocessing
3509
wn = wnull
3510
2996
3511
2997
def cleanup():
3512
2998
"Cleanup function; run on exit"
3513
2999
if zeroconf:
3514
3000
service.cleanup()
3515
3516
mp.active_children()
3517
wn.close()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3518
3004
if not (tcp_server.clients or client_settings):
3519
3005
return
3520
3006
3521
3007
# Store client before exiting. Secrets are encrypted with key
3522
3008
# based on what config file has. If config file is
3523
3009
# removed/edited, old secret will thus be unrecovable.
3524
3010
clients = {}
3525
3011
with PGPEngine() as pgp:
3526
for client in tcp_server.clients.values():
3012
for client in tcp_server.clients.itervalues():
3527
3013
key = client_settings[client.name]["secret"]
3528
3014
client.encrypted_secret = pgp.encrypt(client.secret,
3529
3015
key)
3530
3016
client_dict = {}
3531
3017
3532
3018
# A list of attributes that can not be pickled
3533
3019
# + secret.
3534
exclude = {"bus", "changedstate", "secret",
3535
"checker", "server_settings"}
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3536
3022
for name, typ in inspect.getmembers(dbus.service
3537
3023
.Object):
3538
3024
exclude.add(name)
3539
3025
3540
3026
client_dict["encrypted_secret"] = (client
3541
3027
.encrypted_secret)
3542
3028
for attr in client.client_structure:
3543
3029
if attr not in exclude:
3544
3030
client_dict[attr] = getattr(client, attr)
3545
3031
3546
3032
clients[client.name] = client_dict
3547
3033
del client_settings[client.name]["secret"]
3548
3034
3549
3035
try:
3550
3036
with tempfile.NamedTemporaryFile(
3551
3037
mode='wb',
3553
3039
prefix='clients-',
3554
3040
dir=os.path.dirname(stored_state_path),
3555
3041
delete=False) as stored_state:
3556
pickle.dump((clients, client_settings), stored_state,
3557
protocol=2)
3042
pickle.dump((clients, client_settings), stored_state)
3558
3043
tempname = stored_state.name
3559
3044
os.rename(tempname, stored_state_path)
3560
3045
except (IOError, OSError) as e:
3570
3055
logger.warning("Could not save persistent state:",
3571
3056
exc_info=e)
3572
3057
raise
3573
3058
3574
3059
# Delete all clients, and settings from config
3575
3060
while tcp_server.clients:
3576
3061
name, client = tcp_server.clients.popitem()
3579
3064
# Don't signal the disabling
3580
3065
client.disable(quiet=True)
3581
3066
# Emit D-Bus signal for removal
3582
if use_dbus:
3583
mandos_dbus_service.client_removed_signal(client)
3067
mandos_dbus_service.client_removed_signal(client)
3584
3068
client_settings.clear()
3585
3069
3586
3070
atexit.register(cleanup)
3587
3588
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3589
3073
if use_dbus:
3590
3074
# Emit D-Bus signal for adding
3591
3075
mandos_dbus_service.client_added_signal(client)
3592
3076
# Need to initiate checking of clients
3593
3077
if client.enabled:
3594
3078
client.init_checker()
3595
3079
3596
3080
tcp_server.enable()
3597
3081
tcp_server.server_activate()
3598
3082
3599
3083
# Find out what port we got
3600
3084
if zeroconf:
3601
3085
service.port = tcp_server.socket.getsockname()[1]
3606
3090
else: # IPv4
3607
3091
logger.info("Now listening on address %r, port %d",
3608
3092
*tcp_server.socket.getsockname())
3609
3610
# service.interface = tcp_server.socket.getsockname()[3]
3611
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3612
3096
try:
3613
3097
if zeroconf:
3614
3098
# From the Avahi example code
3619
3103
cleanup()
3620
3104
sys.exit(1)
3621
3105
# End of Avahi example code
3622
3623
GLib.io_add_watch(
3624
GLib.IOChannel.unix_new(tcp_server.fileno()),
3625
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3626
lambda *args, **kwargs: (tcp_server.handle_request
3627
(*args[2:], **kwargs) or True))
3628
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3629
3112
logger.debug("Starting main loop")
3630
3113
main_loop.run()
3631
3114
except AvahiError as error:
3640
3123
# Must run before the D-Bus bus name gets deregistered
3641
3124
cleanup()
3642
3125
3643
3644
def should_only_run_tests():
3645
parser = argparse.ArgumentParser(add_help=False)
3646
parser.add_argument("--check", action='store_true')
3647
args, unknown_args = parser.parse_known_args()
3648
run_tests = args.check
3649
if run_tests:
3650
# Remove --check argument from sys.argv
3651
sys.argv[1:] = unknown_args
3652
return run_tests
3653
3654
# Add all tests from doctest strings
3655
def load_tests(loader, tests, none):
3656
import doctest
3657
tests.addTests(doctest.DocTestSuite())
3658
return tests
3659
3126
3660
3127
if __name__ == '__main__':
3661
try:
3662
if should_only_run_tests():
3663
# Call using ./mandos --check [--verbose]
3664
unittest.main()
3665
else:
3666
main()
3667
finally:
3668
logging.shutdown()
3128
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0