To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.335
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.335
- Committer: Teddy Hogeborn
- Date: 2015-08-10 16:19:28 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810161928-bnukog7l47j3pjix
Depend on Avahi and the network in the server's systemd service file.
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
77
79
import itertools
78
80
import collections
79
81
import codecs
80
import unittest
81
import random
82
import shlex
83
82
84
83
import dbus
85
84
import dbus.service
86
import gi
87
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
88
90
from dbus.mainloop.glib import DBusGMainLoop
89
91
import ctypes
90
92
import ctypes.util
91
93
import xml.dom.minidom
92
94
import inspect
93
95
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
96
try:
122
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
123
98
except AttributeError:
124
99
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
127
100
from IN import SO_BINDTODEVICE
128
101
except ImportError:
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.12"
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
147
108
stored_state_file = "clients.pickle"
148
109
149
110
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
111
syslogger = None
152
112
153
113
try:
154
114
if_nametoindex = ctypes.cdll.LoadLibrary(
155
115
ctypes.util.find_library("c")).if_nametoindex
156
116
except (OSError, AttributeError):
157
117
158
118
def if_nametoindex(interface):
159
119
"Get an interface index the hard way, i.e. using fcntl()"
160
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
165
125
return interface_index
166
126
167
127
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
184
128
def initlogger(debug, level=logging.WARNING):
185
129
"""init logger and add loglevel"""
186
130
187
131
global syslogger
188
132
syslogger = (logging.handlers.SysLogHandler(
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
191
135
syslogger.setFormatter(logging.Formatter
192
136
('Mandos [%(process)d]: %(levelname)s:'
193
137
' %(message)s'))
194
138
logger.addHandler(syslogger)
195
139
196
140
if debug:
197
141
console = logging.StreamHandler()
198
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
208
152
pass
209
153
210
154
211
class PGPEngine:
155
class PGPEngine(object):
212
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
157
214
158
def __init__(self):
215
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
227
160
self.gnupgargs = ['--batch',
228
'--homedir', self.tempdir,
161
'--home', self.tempdir,
229
162
'--force-mdc',
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
163
'--quiet',
164
'--no-use-agent']
165
235
166
def __enter__(self):
236
167
return self
237
168
238
169
def __exit__(self, exc_type, exc_value, traceback):
239
170
self._cleanup()
240
171
return False
241
172
242
173
def __del__(self):
243
174
self._cleanup()
244
175
245
176
def _cleanup(self):
246
177
if self.tempdir is not None:
247
178
# Delete contents of tempdir
248
179
for root, dirs, files in os.walk(self.tempdir,
249
topdown=False):
180
topdown = False):
250
181
for filename in files:
251
182
os.remove(os.path.join(root, filename))
252
183
for dirname in dirs:
254
185
# Remove tempdir
255
186
os.rmdir(self.tempdir)
256
187
self.tempdir = None
257
188
258
189
def password_encode(self, password):
259
190
# Passphrase can not be empty and can not contain newlines or
260
191
# NUL bytes. So we prefix it and hex encode it.
265
196
.replace(b"\n", b"\\n")
266
197
.replace(b"\0", b"\\x00"))
267
198
return encoded
268
199
269
200
def encrypt(self, data, password):
270
201
passphrase = self.password_encode(password)
271
202
with tempfile.NamedTemporaryFile(
272
203
dir=self.tempdir) as passfile:
273
204
passfile.write(passphrase)
274
205
passfile.flush()
275
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
276
207
'--passphrase-file',
277
208
passfile.name]
278
209
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
283
214
if proc.returncode != 0:
284
215
raise PGPError(err)
285
216
return ciphertext
286
217
287
218
def decrypt(self, data, password):
288
219
passphrase = self.password_encode(password)
289
220
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
291
222
passfile.write(passphrase)
292
223
passfile.flush()
293
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
294
225
'--passphrase-file',
295
226
passfile.name]
296
227
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
301
232
if proc.returncode != 0:
302
233
raise PGPError(err)
303
234
return decrypted_plaintext
304
235
305
236
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
332
237
class AvahiError(Exception):
333
238
def __init__(self, value, *args, **kwargs):
334
239
self.value = value
344
249
pass
345
250
346
251
347
class AvahiService:
252
class AvahiService(object):
348
253
"""An Avahi (Zeroconf) service.
349
254
350
255
Attributes:
351
256
interface: integer; avahi.IF_UNSPEC or an interface index.
352
257
Used to optionally bind to the specified interface.
364
269
server: D-Bus Server
365
270
bus: dbus.SystemBus()
366
271
"""
367
272
368
273
def __init__(self,
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
379
284
self.interface = interface
380
285
self.name = name
381
286
self.type = servicetype
390
295
self.server = None
391
296
self.bus = bus
392
297
self.entry_group_state_changed_match = None
393
298
394
299
def rename(self, remove=True):
395
300
"""Derived from the Avahi example code"""
396
301
if self.rename_count >= self.max_renames:
416
321
logger.critical("D-Bus Exception", exc_info=error)
417
322
self.cleanup()
418
323
os._exit(1)
419
324
420
325
def remove(self):
421
326
"""Derived from the Avahi example code"""
422
327
if self.entry_group_state_changed_match is not None:
424
329
self.entry_group_state_changed_match = None
425
330
if self.group is not None:
426
331
self.group.Reset()
427
332
428
333
def add(self):
429
334
"""Derived from the Avahi example code"""
430
335
self.remove()
447
352
dbus.UInt16(self.port),
448
353
avahi.string_array_to_txt_array(self.TXT))
449
354
self.group.Commit()
450
355
451
356
def entry_group_state_changed(self, state, error):
452
357
"""Derived from the Avahi example code"""
453
358
logger.debug("Avahi entry group state change: %i", state)
454
359
455
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
361
logger.debug("Zeroconf service established.")
457
362
elif state == avahi.ENTRY_GROUP_COLLISION:
461
366
logger.critical("Avahi: Error in group state changed %s",
462
367
str(error))
463
368
raise AvahiGroupError("State changed: {!s}".format(error))
464
369
465
370
def cleanup(self):
466
371
"""Derived from the Avahi example code"""
467
372
if self.group is not None:
472
377
pass
473
378
self.group = None
474
379
self.remove()
475
380
476
381
def server_state_changed(self, state, error=None):
477
382
"""Derived from the Avahi example code"""
478
383
logger.debug("Avahi server state change: %i", state)
507
412
logger.debug("Unknown state: %r", state)
508
413
else:
509
414
logger.debug("Unknown state: %r: %r", state, error)
510
415
511
416
def activate(self):
512
417
"""Derived from the Avahi example code"""
513
418
if self.server is None:
524
429
class AvahiServiceToSyslog(AvahiService):
525
430
def rename(self, *args, **kwargs):
526
431
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
529
433
syslogger.setFormatter(logging.Formatter(
530
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
531
435
.format(self.name)))
532
436
return ret
533
437
534
535
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
538
539
library = ctypes.util.find_library("gnutls")
540
if library is None:
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
543
del library
544
545
# Unless otherwise indicated, the constants and types below are
546
# all from the gnutls/gnutls.h C header file.
547
548
# Constants
549
E_SUCCESS = 0
550
E_INTERRUPTED = -52
551
E_AGAIN = -28
552
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
CLIENT = 2
555
SHUT_RDWR = 0
556
CRD_CERTIFICATE = 1
557
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
565
# Types
566
class session_int(ctypes.Structure):
567
_fields_ = []
568
session_t = ctypes.POINTER(session_int)
569
570
class certificate_credentials_st(ctypes.Structure):
571
_fields_ = []
572
certificate_credentials_t = ctypes.POINTER(
573
certificate_credentials_st)
574
certificate_type_t = ctypes.c_int
575
576
class datum_t(ctypes.Structure):
577
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
578
('size', ctypes.c_uint)]
579
580
class openpgp_crt_int(ctypes.Structure):
581
_fields_ = []
582
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
586
transport_ptr_t = ctypes.c_void_p
587
close_request_t = ctypes.c_int
588
589
# Exceptions
590
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
592
# Default usage is by a message string, but if a return
593
# code is passed, convert it to a string with
594
# gnutls.strerror()
595
self.code = code
596
if message is None and code is not None:
597
message = gnutls.strerror(code)
598
return super(gnutls.Error, self).__init__(
599
message, *args)
600
601
class CertificateSecurityError(Error):
602
pass
603
604
# Classes
605
class Credentials:
606
def __init__(self):
607
self._c_object = gnutls.certificate_credentials_t()
608
gnutls.certificate_allocate_credentials(
609
ctypes.byref(self._c_object))
610
self.type = gnutls.CRD_CERTIFICATE
611
612
def __del__(self):
613
gnutls.certificate_free_credentials(self._c_object)
614
615
class ClientSession:
616
def __init__(self, socket, credentials=None):
617
self._c_object = gnutls.session_t()
618
gnutls_flags = gnutls.CLIENT
619
if gnutls.check_version(b"3.5.6"):
620
gnutls_flags |= gnutls.NO_TICKETS
621
if gnutls.has_rawpk:
622
gnutls_flags |= gnutls.ENABLE_RAWPK
623
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
624
del gnutls_flags
625
gnutls.set_default_priority(self._c_object)
626
gnutls.transport_set_ptr(self._c_object, socket.fileno())
627
gnutls.handshake_set_private_extensions(self._c_object,
628
True)
629
self.socket = socket
630
if credentials is None:
631
credentials = gnutls.Credentials()
632
gnutls.credentials_set(self._c_object, credentials.type,
633
ctypes.cast(credentials._c_object,
634
ctypes.c_void_p))
635
self.credentials = credentials
636
637
def __del__(self):
638
gnutls.deinit(self._c_object)
639
640
def handshake(self):
641
return gnutls.handshake(self._c_object)
642
643
def send(self, data):
644
data = bytes(data)
645
data_len = len(data)
646
while data_len > 0:
647
data_len -= gnutls.record_send(self._c_object,
648
data[-data_len:],
649
data_len)
650
651
def bye(self):
652
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
653
654
# Error handling functions
655
def _error_code(result):
656
"""A function to raise exceptions on errors, suitable
657
for the 'restype' attribute on ctypes functions"""
658
if result >= 0:
659
return result
660
if result == gnutls.E_NO_CERTIFICATE_FOUND:
661
raise gnutls.CertificateSecurityError(code=result)
662
raise gnutls.Error(code=result)
663
664
def _retry_on_error(result, func, arguments):
665
"""A function to retry on some errors, suitable
666
for the 'errcheck' attribute on ctypes functions"""
667
while result < 0:
668
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
669
return _error_code(result)
670
result = func(*arguments)
671
return result
672
673
# Unless otherwise indicated, the function declarations below are
674
# all from the gnutls/gnutls.h C header file.
675
676
# Functions
677
priority_set_direct = _library.gnutls_priority_set_direct
678
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
679
ctypes.POINTER(ctypes.c_char_p)]
680
priority_set_direct.restype = _error_code
681
682
init = _library.gnutls_init
683
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
684
init.restype = _error_code
685
686
set_default_priority = _library.gnutls_set_default_priority
687
set_default_priority.argtypes = [session_t]
688
set_default_priority.restype = _error_code
689
690
record_send = _library.gnutls_record_send
691
record_send.argtypes = [session_t, ctypes.c_void_p,
692
ctypes.c_size_t]
693
record_send.restype = ctypes.c_ssize_t
694
record_send.errcheck = _retry_on_error
695
696
certificate_allocate_credentials = (
697
_library.gnutls_certificate_allocate_credentials)
698
certificate_allocate_credentials.argtypes = [
699
ctypes.POINTER(certificate_credentials_t)]
700
certificate_allocate_credentials.restype = _error_code
701
702
certificate_free_credentials = (
703
_library.gnutls_certificate_free_credentials)
704
certificate_free_credentials.argtypes = [
705
certificate_credentials_t]
706
certificate_free_credentials.restype = None
707
708
handshake_set_private_extensions = (
709
_library.gnutls_handshake_set_private_extensions)
710
handshake_set_private_extensions.argtypes = [session_t,
711
ctypes.c_int]
712
handshake_set_private_extensions.restype = None
713
714
credentials_set = _library.gnutls_credentials_set
715
credentials_set.argtypes = [session_t, credentials_type_t,
716
ctypes.c_void_p]
717
credentials_set.restype = _error_code
718
719
strerror = _library.gnutls_strerror
720
strerror.argtypes = [ctypes.c_int]
721
strerror.restype = ctypes.c_char_p
722
723
certificate_type_get = _library.gnutls_certificate_type_get
724
certificate_type_get.argtypes = [session_t]
725
certificate_type_get.restype = _error_code
726
727
certificate_get_peers = _library.gnutls_certificate_get_peers
728
certificate_get_peers.argtypes = [session_t,
729
ctypes.POINTER(ctypes.c_uint)]
730
certificate_get_peers.restype = ctypes.POINTER(datum_t)
731
732
global_set_log_level = _library.gnutls_global_set_log_level
733
global_set_log_level.argtypes = [ctypes.c_int]
734
global_set_log_level.restype = None
735
736
global_set_log_function = _library.gnutls_global_set_log_function
737
global_set_log_function.argtypes = [log_func]
738
global_set_log_function.restype = None
739
740
deinit = _library.gnutls_deinit
741
deinit.argtypes = [session_t]
742
deinit.restype = None
743
744
handshake = _library.gnutls_handshake
745
handshake.argtypes = [session_t]
746
handshake.restype = _error_code
747
handshake.errcheck = _retry_on_error
748
749
transport_set_ptr = _library.gnutls_transport_set_ptr
750
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
751
transport_set_ptr.restype = None
752
753
bye = _library.gnutls_bye
754
bye.argtypes = [session_t, close_request_t]
755
bye.restype = _error_code
756
bye.errcheck = _retry_on_error
757
758
check_version = _library.gnutls_check_version
759
check_version.argtypes = [ctypes.c_char_p]
760
check_version.restype = ctypes.c_char_p
761
762
_need_version = b"3.3.0"
763
if check_version(_need_version) is None:
764
raise self.Error("Needs GnuTLS {} or later"
765
.format(_need_version))
766
767
_tls_rawpk_version = b"3.6.6"
768
has_rawpk = bool(check_version(_tls_rawpk_version))
769
770
if has_rawpk:
771
# Types
772
class pubkey_st(ctypes.Structure):
773
_fields = []
774
pubkey_t = ctypes.POINTER(pubkey_st)
775
776
x509_crt_fmt_t = ctypes.c_int
777
778
# All the function declarations below are from
779
# gnutls/abstract.h
780
pubkey_init = _library.gnutls_pubkey_init
781
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
782
pubkey_init.restype = _error_code
783
784
pubkey_import = _library.gnutls_pubkey_import
785
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
786
x509_crt_fmt_t]
787
pubkey_import.restype = _error_code
788
789
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
790
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
791
ctypes.POINTER(ctypes.c_ubyte),
792
ctypes.POINTER(ctypes.c_size_t)]
793
pubkey_get_key_id.restype = _error_code
794
795
pubkey_deinit = _library.gnutls_pubkey_deinit
796
pubkey_deinit.argtypes = [pubkey_t]
797
pubkey_deinit.restype = None
798
else:
799
# All the function declarations below are from
800
# gnutls/openpgp.h
801
802
openpgp_crt_init = _library.gnutls_openpgp_crt_init
803
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
804
openpgp_crt_init.restype = _error_code
805
806
openpgp_crt_import = _library.gnutls_openpgp_crt_import
807
openpgp_crt_import.argtypes = [openpgp_crt_t,
808
ctypes.POINTER(datum_t),
809
openpgp_crt_fmt_t]
810
openpgp_crt_import.restype = _error_code
811
812
openpgp_crt_verify_self = \
813
_library.gnutls_openpgp_crt_verify_self
814
openpgp_crt_verify_self.argtypes = [
815
openpgp_crt_t,
816
ctypes.c_uint,
817
ctypes.POINTER(ctypes.c_uint),
818
]
819
openpgp_crt_verify_self.restype = _error_code
820
821
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
822
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
823
openpgp_crt_deinit.restype = None
824
825
openpgp_crt_get_fingerprint = (
826
_library.gnutls_openpgp_crt_get_fingerprint)
827
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
828
ctypes.c_void_p,
829
ctypes.POINTER(
830
ctypes.c_size_t)]
831
openpgp_crt_get_fingerprint.restype = _error_code
832
833
if check_version(b"3.6.4"):
834
certificate_type_get2 = _library.gnutls_certificate_type_get2
835
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
836
certificate_type_get2.restype = _error_code
837
838
# Remove non-public functions
839
del _error_code, _retry_on_error
840
841
842
438
def call_pipe(connection, # : multiprocessing.Connection
843
439
func, *args, **kwargs):
844
440
"""This function is meant to be called by multiprocessing.Process
845
441
846
442
This function runs func(*args, **kwargs), and writes the resulting
847
443
return value on the provided multiprocessing.Connection.
848
444
"""
849
445
connection.send(func(*args, **kwargs))
850
446
connection.close()
851
447
852
853
class Client:
448
class Client(object):
854
449
"""A representation of a client host served by this server.
855
450
856
451
Attributes:
857
452
approved: bool(); 'None' if not yet approved/disapproved
858
453
approval_delay: datetime.timedelta(); Time to wait for approval
859
454
approval_duration: datetime.timedelta(); Duration of one approval
860
checker: multiprocessing.Process(); a running checker process used
861
to see if the client lives. 'None' if no process is
862
running.
863
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
864
459
checker_command: string; External command which is run to check
865
460
if client lives. %() expansions are done at
866
461
runtime with vars(self) as dict, so that for
867
462
instance %(name)s can be used in the command.
868
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
869
464
created: datetime.datetime(); (UTC) object creation
870
465
client_structure: Object describing what attributes a client has
871
466
and is used for storing the client at exit
872
467
current_checker_command: string; current running checker_command
873
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
874
469
enabled: bool()
875
470
fingerprint: string (40 or 32 hexadecimal digits); used to
876
uniquely identify an OpenPGP client
877
key_id: string (64 hexadecimal digits); used to uniquely identify
878
a client using raw public keys
471
uniquely identify the client
879
472
host: string; available for use by the checker command
880
473
interval: datetime.timedelta(); How often to start a new checker
881
474
last_approval_request: datetime.datetime(); (UTC) or None
897
490
disabled, or None
898
491
server_settings: The server_settings dict from main()
899
492
"""
900
493
901
494
runtime_expansions = ("approval_delay", "approval_duration",
902
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
903
496
"fingerprint", "host", "interval",
904
497
"last_approval_request", "last_checked_ok",
905
498
"last_enabled", "name", "timeout")
914
507
"approved_by_default": "True",
915
508
"enabled": "True",
916
509
}
917
510
918
511
@staticmethod
919
512
def config_parser(config):
920
513
"""Construct a new dict of client settings of this form:
927
520
for client_name in config.sections():
928
521
section = dict(config.items(client_name))
929
522
client = settings[client_name] = {}
930
523
931
524
client["host"] = section["host"]
932
525
# Reformat values from string types to Python types
933
526
client["approved_by_default"] = config.getboolean(
934
527
client_name, "approved_by_default")
935
528
client["enabled"] = config.getboolean(client_name,
936
529
"enabled")
937
938
# Uppercase and remove spaces from key_id and fingerprint
939
# for later comparison purposes with return value from the
940
# key_id() and fingerprint() functions
941
client["key_id"] = (section.get("key_id", "").upper()
942
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
943
534
client["fingerprint"] = (section["fingerprint"].upper()
944
535
.replace(" ", ""))
945
536
if "secret" in section:
946
client["secret"] = codecs.decode(section["secret"]
947
.encode("utf-8"),
948
"base64")
537
client["secret"] = section["secret"].decode("base64")
949
538
elif "secfile" in section:
950
539
with open(os.path.expanduser(os.path.expandvars
951
540
(section["secfile"])),
966
555
client["last_approval_request"] = None
967
556
client["last_checked_ok"] = None
968
557
client["last_checker_status"] = -2
969
558
970
559
return settings
971
972
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
973
562
self.name = name
974
563
if server_settings is None:
975
564
server_settings = {}
977
566
# adding all client settings
978
567
for setting, value in settings.items():
979
568
setattr(self, setting, value)
980
569
981
570
if self.enabled:
982
571
if not hasattr(self, "last_enabled"):
983
572
self.last_enabled = datetime.datetime.utcnow()
987
576
else:
988
577
self.last_enabled = None
989
578
self.expires = None
990
579
991
580
logger.debug("Creating client %r", self.name)
992
logger.debug(" Key ID: %s", self.key_id)
993
581
logger.debug(" Fingerprint: %s", self.fingerprint)
994
582
self.created = settings.get("created",
995
583
datetime.datetime.utcnow())
996
584
997
585
# attributes specific for this server instance
998
586
self.checker = None
999
587
self.checker_initiator_tag = None
1005
593
self.changedstate = multiprocessing_manager.Condition(
1006
594
multiprocessing_manager.Lock())
1007
595
self.client_structure = [attr
1008
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
1009
597
if not attr.startswith("_")]
1010
598
self.client_structure.append("client_structure")
1011
599
1012
600
for name, t in inspect.getmembers(
1013
601
type(self), lambda obj: isinstance(obj, property)):
1014
602
if not name.startswith("_"):
1015
603
self.client_structure.append(name)
1016
604
1017
605
# Send notice to process children that client state has changed
1018
606
def send_changedstate(self):
1019
607
with self.changedstate:
1020
608
self.changedstate.notify_all()
1021
609
1022
610
def enable(self):
1023
611
"""Start this client's checker and timeout hooks"""
1024
612
if getattr(self, "enabled", False):
1029
617
self.last_enabled = datetime.datetime.utcnow()
1030
618
self.init_checker()
1031
619
self.send_changedstate()
1032
620
1033
621
def disable(self, quiet=True):
1034
622
"""Disable this client."""
1035
623
if not getattr(self, "enabled", False):
1037
625
if not quiet:
1038
626
logger.info("Disabling client %s", self.name)
1039
627
if getattr(self, "disable_initiator_tag", None) is not None:
1040
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1041
629
self.disable_initiator_tag = None
1042
630
self.expires = None
1043
631
if getattr(self, "checker_initiator_tag", None) is not None:
1044
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1045
633
self.checker_initiator_tag = None
1046
634
self.stop_checker()
1047
635
self.enabled = False
1048
636
if not quiet:
1049
637
self.send_changedstate()
1050
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1051
639
return False
1052
640
1053
641
def __del__(self):
1054
642
self.disable()
1055
643
1056
644
def init_checker(self):
1057
645
# Schedule a new checker to be started an 'interval' from now,
1058
646
# and every interval from then on.
1059
647
if self.checker_initiator_tag is not None:
1060
GLib.source_remove(self.checker_initiator_tag)
1061
self.checker_initiator_tag = GLib.timeout_add(
1062
random.randrange(int(self.interval.total_seconds() * 1000
1063
+ 1)),
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1064
651
self.start_checker)
1065
652
# Schedule a disable() when 'timeout' has passed
1066
653
if self.disable_initiator_tag is not None:
1067
GLib.source_remove(self.disable_initiator_tag)
1068
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1069
656
int(self.timeout.total_seconds() * 1000), self.disable)
1070
657
# Also start a new checker *right now*.
1071
658
self.start_checker()
1072
659
1073
660
def checker_callback(self, source, condition, connection,
1074
661
command):
1075
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1076
665
# Read return code from connection (see call_pipe)
1077
666
returncode = connection.recv()
1078
667
connection.close()
1079
if self.checker is not None:
1080
self.checker.join()
1081
self.checker_callback_tag = None
1082
self.checker = None
1083
668
1084
669
if returncode >= 0:
1085
670
self.last_checker_status = returncode
1086
671
self.last_checker_signal = None
1096
681
logger.warning("Checker for %(name)s crashed?",
1097
682
vars(self))
1098
683
return False
1099
684
1100
685
def checked_ok(self):
1101
686
"""Assert that the client has been seen, alive and well."""
1102
687
self.last_checked_ok = datetime.datetime.utcnow()
1103
688
self.last_checker_status = 0
1104
689
self.last_checker_signal = None
1105
690
self.bump_timeout()
1106
691
1107
692
def bump_timeout(self, timeout=None):
1108
693
"""Bump up the timeout for this client."""
1109
694
if timeout is None:
1110
695
timeout = self.timeout
1111
696
if self.disable_initiator_tag is not None:
1112
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1113
698
self.disable_initiator_tag = None
1114
699
if getattr(self, "enabled", False):
1115
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1116
701
int(timeout.total_seconds() * 1000), self.disable)
1117
702
self.expires = datetime.datetime.utcnow() + timeout
1118
703
1119
704
def need_approval(self):
1120
705
self.last_approval_request = datetime.datetime.utcnow()
1121
706
1122
707
def start_checker(self):
1123
708
"""Start a new checker subprocess if one is not running.
1124
709
1125
710
If a checker already exists, leave it running and do
1126
711
nothing."""
1127
712
# The reason for not killing a running checker is that if we
1132
717
# checkers alone, the checker would have to take more time
1133
718
# than 'timeout' for the client to be disabled, which is as it
1134
719
# should be.
1135
720
1136
721
if self.checker is not None and not self.checker.is_alive():
1137
722
logger.warning("Checker was not alive; joining")
1138
723
self.checker.join()
1141
726
if self.checker is None:
1142
727
# Escape attributes for the shell
1143
728
escaped_attrs = {
1144
attr: shlex.quote(str(getattr(self, attr)))
1145
for attr in self.runtime_expansions}
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1146
731
try:
1147
732
command = self.checker_command % escaped_attrs
1148
733
except TypeError as error:
1160
745
# The exception is when not debugging but nevertheless
1161
746
# running in the foreground; use the previously
1162
747
# created wnull.
1163
popen_args = {"close_fds": True,
1164
"shell": True,
1165
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1166
751
if (not self.server_settings["debug"]
1167
752
and self.server_settings["foreground"]):
1168
753
popen_args.update({"stdout": wnull,
1169
"stderr": wnull})
1170
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1171
756
self.checker = multiprocessing.Process(
1172
target=call_pipe,
1173
args=(pipe[1], subprocess.call, command),
1174
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1175
760
self.checker.start()
1176
self.checker_callback_tag = GLib.io_add_watch(
1177
GLib.IOChannel.unix_new(pipe[0].fileno()),
1178
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1179
763
self.checker_callback, pipe[0], command)
1180
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1181
765
return True
1182
766
1183
767
def stop_checker(self):
1184
768
"""Force the checker process, if any, to stop."""
1185
769
if self.checker_callback_tag:
1186
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1187
771
self.checker_callback_tag = None
1188
772
if getattr(self, "checker", None) is None:
1189
773
return
1198
782
byte_arrays=False):
1199
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1200
784
become properties on the D-Bus.
1201
785
1202
786
The decorated method will be called with no arguments by "Get"
1203
787
and with one argument by "Set".
1204
788
1205
789
The parameters, where they are supported, are the same as
1206
790
dbus.service.method, except there is only "signature", since the
1207
791
type from Get() and the type sent to Set() is the same.
1211
795
if byte_arrays and signature != "ay":
1212
796
raise ValueError("Byte arrays not supported for non-'ay'"
1213
797
" signature {!r}".format(signature))
1214
798
1215
799
def decorator(func):
1216
800
func._dbus_is_property = True
1217
801
func._dbus_interface = dbus_interface
1220
804
func._dbus_name = func.__name__
1221
805
if func._dbus_name.endswith("_dbus_property"):
1222
806
func._dbus_name = func._dbus_name[:-14]
1223
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1224
808
return func
1225
809
1226
810
return decorator
1227
811
1228
812
1229
813
def dbus_interface_annotations(dbus_interface):
1230
814
"""Decorator for marking functions returning interface annotations
1231
815
1232
816
Usage:
1233
817
1234
818
@dbus_interface_annotations("org.example.Interface")
1235
819
def _foo(self): # Function name does not matter
1236
820
return {"org.freedesktop.DBus.Deprecated": "true",
1237
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1238
822
"false"}
1239
823
"""
1240
824
1241
825
def decorator(func):
1242
826
func._dbus_is_interface = True
1243
827
func._dbus_interface = dbus_interface
1244
828
func._dbus_name = dbus_interface
1245
829
return func
1246
830
1247
831
return decorator
1248
832
1249
833
1250
834
def dbus_annotations(annotations):
1251
835
"""Decorator to annotate D-Bus methods, signals or properties
1252
836
Usage:
1253
837
1254
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1255
839
"org.freedesktop.DBus.Property."
1256
840
"EmitsChangedSignal": "false"})
1258
842
access="r")
1259
843
def Property_dbus_property(self):
1260
844
return dbus.Boolean(False)
1261
845
1262
846
See also the DBusObjectWithAnnotations class.
1263
847
"""
1264
848
1265
849
def decorator(func):
1266
850
func._dbus_annotations = annotations
1267
851
return func
1268
852
1269
853
return decorator
1270
854
1271
855
1289
873
1290
874
class DBusObjectWithAnnotations(dbus.service.Object):
1291
875
"""A D-Bus object with annotations.
1292
876
1293
877
Classes inheriting from this can use the dbus_annotations
1294
878
decorator to add annotations to methods or signals.
1295
879
"""
1296
880
1297
881
@staticmethod
1298
882
def _is_dbus_thing(thing):
1299
883
"""Returns a function testing if an attribute is a D-Bus thing
1300
884
1301
885
If called like _is_dbus_thing("method") it returns a function
1302
886
suitable for use as predicate to inspect.getmembers().
1303
887
"""
1304
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1305
889
False)
1306
890
1307
891
def _get_all_dbus_things(self, thing):
1308
892
"""Returns a generator of (name, attribute) pairs
1309
893
"""
1312
896
for cls in self.__class__.__mro__
1313
897
for name, athing in
1314
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1315
899
1316
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1317
out_signature="s",
1318
path_keyword='object_path',
1319
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1320
904
def Introspect(self, object_path, connection):
1321
905
"""Overloading of standard D-Bus method.
1322
906
1323
907
Inserts annotation tags on methods and signals.
1324
908
"""
1325
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1326
910
connection)
1327
911
try:
1328
912
document = xml.dom.minidom.parseString(xmlstring)
1329
913
1330
914
for if_tag in document.getElementsByTagName("interface"):
1331
915
# Add annotation tags
1332
916
for typ in ("method", "signal"):
1359
943
if_tag.appendChild(ann_tag)
1360
944
# Fix argument name for the Introspect method itself
1361
945
if (if_tag.getAttribute("name")
1362
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1363
947
for cn in if_tag.getElementsByTagName("method"):
1364
948
if cn.getAttribute("name") == "Introspect":
1365
949
for arg in cn.getElementsByTagName("arg"):
1378
962
1379
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1380
964
"""A D-Bus object with properties.
1381
965
1382
966
Classes inheriting from this can use the dbus_service_property
1383
967
decorator to expose methods as D-Bus properties. It exposes the
1384
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1385
969
"""
1386
970
1387
971
def _get_dbus_property(self, interface_name, property_name):
1388
972
"""Returns a bound method if one exists which is a D-Bus
1389
973
property with the specified name and interface.
1394
978
if (value._dbus_name == property_name
1395
979
and value._dbus_interface == interface_name):
1396
980
return value.__get__(self)
1397
981
1398
982
# No such property
1399
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1400
984
self.dbus_object_path, interface_name, property_name))
1401
985
1402
986
@classmethod
1403
987
def _get_all_interface_names(cls):
1404
988
"""Get a sequence of all interfaces supported by an object"""
1407
991
for x in (inspect.getmro(cls))
1408
992
for attr in dir(x))
1409
993
if name is not None)
1410
994
1411
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1412
996
in_signature="ss",
1413
997
out_signature="v")
1421
1005
if not hasattr(value, "variant_level"):
1422
1006
return value
1423
1007
return type(value)(value, variant_level=value.variant_level+1)
1424
1008
1425
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1426
1010
def Set(self, interface_name, property_name, value):
1427
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1436
1020
raise ValueError("Byte arrays not supported for non-"
1437
1021
"'ay' signature {!r}"
1438
1022
.format(prop._dbus_signature))
1439
value = dbus.ByteArray(bytes(value))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1440
1025
prop(value)
1441
1026
1442
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1443
1028
in_signature="s",
1444
1029
out_signature="a{sv}")
1445
1030
def GetAll(self, interface_name):
1446
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1447
1032
standard.
1448
1033
1449
1034
Note: Will not include properties with access="write".
1450
1035
"""
1451
1036
properties = {}
1462
1047
properties[name] = value
1463
1048
continue
1464
1049
properties[name] = type(value)(
1465
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1466
1051
return dbus.Dictionary(properties, signature="sv")
1467
1052
1468
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1469
1054
def PropertiesChanged(self, interface_name, changed_properties,
1470
1055
invalidated_properties):
1472
1057
standard.
1473
1058
"""
1474
1059
pass
1475
1060
1476
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1477
1062
out_signature="s",
1478
1063
path_keyword='object_path',
1479
1064
connection_keyword='connection')
1480
1065
def Introspect(self, object_path, connection):
1481
1066
"""Overloading of standard D-Bus method.
1482
1067
1483
1068
Inserts property tags and interface annotation tags.
1484
1069
"""
1485
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1487
1072
connection)
1488
1073
try:
1489
1074
document = xml.dom.minidom.parseString(xmlstring)
1490
1075
1491
1076
def make_tag(document, name, prop):
1492
1077
e = document.createElement("property")
1493
1078
e.setAttribute("name", name)
1494
1079
e.setAttribute("type", prop._dbus_signature)
1495
1080
e.setAttribute("access", prop._dbus_access)
1496
1081
return e
1497
1082
1498
1083
for if_tag in document.getElementsByTagName("interface"):
1499
1084
# Add property tags
1500
1085
for tag in (make_tag(document, name, prop)
1542
1127
exc_info=error)
1543
1128
return xmlstring
1544
1129
1545
1546
1130
try:
1547
1131
dbus.OBJECT_MANAGER_IFACE
1548
1132
except AttributeError:
1549
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1550
1134
1551
1552
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1553
1136
"""A D-Bus object with an ObjectManager.
1554
1137
1555
1138
Classes inheriting from this exposes the standard
1556
1139
GetManagedObjects call and the InterfacesAdded and
1557
1140
InterfacesRemoved signals on the standard
1558
1141
"org.freedesktop.DBus.ObjectManager" interface.
1559
1142
1560
1143
Note: No signals are sent automatically; they must be sent
1561
1144
manually.
1562
1145
"""
1563
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1564
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1565
1148
def GetManagedObjects(self):
1566
1149
"""This function must be overridden"""
1567
1150
raise NotImplementedError()
1568
1151
1569
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1570
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1571
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1572
1155
pass
1573
1574
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1575
1158
def InterfacesRemoved(self, object_path, interfaces):
1576
1159
pass
1577
1160
1578
1161
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1579
out_signature="s",
1580
path_keyword='object_path',
1581
connection_keyword='connection')
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1582
1165
def Introspect(self, object_path, connection):
1583
1166
"""Overloading of standard D-Bus method.
1584
1167
1585
1168
Override return argument name of GetManagedObjects to be
1586
1169
"objpath_interfaces_and_properties"
1587
1170
"""
1590
1173
connection)
1591
1174
try:
1592
1175
document = xml.dom.minidom.parseString(xmlstring)
1593
1176
1594
1177
for if_tag in document.getElementsByTagName("interface"):
1595
1178
# Fix argument name for the GetManagedObjects method
1596
1179
if (if_tag.getAttribute("name")
1597
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1598
1181
for cn in if_tag.getElementsByTagName("method"):
1599
1182
if (cn.getAttribute("name")
1600
1183
== "GetManagedObjects"):
1610
1193
except (AttributeError, xml.dom.DOMException,
1611
1194
xml.parsers.expat.ExpatError) as error:
1612
1195
logger.error("Failed to override Introspection method",
1613
exc_info=error)
1196
exc_info = error)
1614
1197
return xmlstring
1615
1198
1616
1617
1199
def datetime_to_dbus(dt, variant_level=0):
1618
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1619
1201
if dt is None:
1620
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1621
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1622
1204
1623
1205
1626
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1627
1209
interface names according to the "alt_interface_names" mapping.
1628
1210
Usage:
1629
1211
1630
1212
@alternate_dbus_interfaces({"org.example.Interface":
1631
1213
"net.example.AlternateInterface"})
1632
1214
class SampleDBusObject(dbus.service.Object):
1633
1215
@dbus.service.method("org.example.Interface")
1634
1216
def SampleDBusMethod():
1635
1217
pass
1636
1218
1637
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1638
1220
reachable via two interfaces: "org.example.Interface" and
1639
1221
"net.example.AlternateInterface", the latter of which will have
1640
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1641
1223
"true", unless "deprecate" is passed with a False value.
1642
1224
1643
1225
This works for methods and signals, and also for D-Bus properties
1644
1226
(from DBusObjectWithProperties) and interfaces (from the
1645
1227
dbus_interface_annotations decorator).
1646
1228
"""
1647
1229
1648
1230
def wrapper(cls):
1649
1231
for orig_interface_name, alt_interface_name in (
1650
1232
alt_interface_names.items()):
1665
1247
interface_names.add(alt_interface)
1666
1248
# Is this a D-Bus signal?
1667
1249
if getattr(attribute, "_dbus_is_signal", False):
1668
# Extract the original non-method undecorated
1669
# function by black magic
1670
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1671
1253
nonmethod_func = (dict(
1672
1254
zip(attribute.func_code.co_freevars,
1673
1255
attribute.__closure__))
1674
1256
["func"].cell_contents)
1675
1257
else:
1676
nonmethod_func = (dict(
1677
zip(attribute.__code__.co_freevars,
1678
attribute.__closure__))
1679
["func"].cell_contents)
1258
nonmethod_func = attribute
1680
1259
# Create a new, but exactly alike, function
1681
1260
# object, and decorate it to be a new D-Bus signal
1682
1261
# with the alternate D-Bus interface name
1683
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1684
1276
new_function = (dbus.service.signal(
1685
1277
alt_interface,
1686
1278
attribute._dbus_signature)(new_function))
1690
1282
attribute._dbus_annotations)
1691
1283
except AttributeError:
1692
1284
pass
1693
1694
1285
# Define a creator of a function to call both the
1695
1286
# original and alternate functions, so both the
1696
1287
# original and alternate signals gets sent when
1699
1290
"""This function is a scope container to pass
1700
1291
func1 and func2 to the "call_both" function
1701
1292
outside of its arguments"""
1702
1293
1703
1294
@functools.wraps(func2)
1704
1295
def call_both(*args, **kwargs):
1705
1296
"""This function will emit two D-Bus
1706
1297
signals by calling func1 and func2"""
1707
1298
func1(*args, **kwargs)
1708
1299
func2(*args, **kwargs)
1709
# Make wrapper function look like a D-Bus
1710
# signal
1300
# Make wrapper function look like a D-Bus signal
1711
1301
for name, attr in inspect.getmembers(func2):
1712
1302
if name.startswith("_dbus_"):
1713
1303
setattr(call_both, name, attr)
1714
1304
1715
1305
return call_both
1716
1306
# Create the "call_both" function and add it to
1717
1307
# the class
1727
1317
alt_interface,
1728
1318
attribute._dbus_in_signature,
1729
1319
attribute._dbus_out_signature)
1730
(copy_function(attribute)))
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1731
1325
# Copy annotations, if any
1732
1326
try:
1733
1327
attr[attrname]._dbus_annotations = dict(
1745
1339
attribute._dbus_access,
1746
1340
attribute._dbus_get_args_options
1747
1341
["byte_arrays"])
1748
(copy_function(attribute)))
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1749
1348
# Copy annotations, if any
1750
1349
try:
1751
1350
attr[attrname]._dbus_annotations = dict(
1760
1359
# to the class.
1761
1360
attr[attrname] = (
1762
1361
dbus_interface_annotations(alt_interface)
1763
(copy_function(attribute)))
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1764
1367
if deprecate:
1765
1368
# Deprecate all alternate interfaces
1766
iname = "_AlternateDBusNames_interface_annotation{}"
1369
iname="_AlternateDBusNames_interface_annotation{}"
1767
1370
for interface_name in interface_names:
1768
1371
1769
1372
@dbus_interface_annotations(interface_name)
1770
1373
def func(self):
1771
return {"org.freedesktop.DBus.Deprecated":
1772
"true"}
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1773
1376
# Find an unused name
1774
1377
for aname in (iname.format(i)
1775
1378
for i in itertools.count()):
1779
1382
if interface_names:
1780
1383
# Replace the class with a new subclass of it with
1781
1384
# methods, signals, etc. as created above.
1782
if sys.version_info.major == 2:
1783
cls = type(b"{}Alternate".format(cls.__name__),
1784
(cls, ), attr)
1785
else:
1786
cls = type("{}Alternate".format(cls.__name__),
1787
(cls, ), attr)
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1788
1387
return cls
1789
1388
1790
1389
return wrapper
1791
1390
1792
1391
1794
1393
"se.bsnet.fukt.Mandos"})
1795
1394
class ClientDBus(Client, DBusObjectWithProperties):
1796
1395
"""A Client class using D-Bus
1797
1396
1798
1397
Attributes:
1799
1398
dbus_object_path: dbus.ObjectPath
1800
1399
bus: dbus.SystemBus()
1801
1400
"""
1802
1401
1803
1402
runtime_expansions = (Client.runtime_expansions
1804
1403
+ ("dbus_object_path", ))
1805
1404
1806
1405
_interface = "se.recompile.Mandos.Client"
1807
1406
1808
1407
# dbus.service.Object doesn't use super(), so we can't either.
1809
1810
def __init__(self, bus=None, *args, **kwargs):
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1811
1410
self.bus = bus
1812
1411
Client.__init__(self, *args, **kwargs)
1813
1412
# Only now, when this client is initialized, can it show up on
1819
1418
"/clients/" + client_object_name)
1820
1419
DBusObjectWithProperties.__init__(self, self.bus,
1821
1420
self.dbus_object_path)
1822
1421
1823
1422
def notifychangeproperty(transform_func, dbus_name,
1824
1423
type_func=lambda x: x,
1825
1424
variant_level=1,
1827
1426
_interface=_interface):
1828
1427
""" Modify a variable so that it's a property which announces
1829
1428
its changes to DBus.
1830
1429
1831
1430
transform_fun: Function that takes a value and a variant_level
1832
1431
and transforms it to a D-Bus type.
1833
1432
dbus_name: D-Bus name of the variable
1836
1435
variant_level: D-Bus variant level. Default: 1
1837
1436
"""
1838
1437
attrname = "_{}".format(dbus_name)
1839
1438
1840
1439
def setter(self, value):
1841
1440
if hasattr(self, "dbus_object_path"):
1842
1441
if (not hasattr(self, attrname) or
1849
1448
else:
1850
1449
dbus_value = transform_func(
1851
1450
type_func(value),
1852
variant_level=variant_level)
1451
variant_level = variant_level)
1853
1452
self.PropertyChanged(dbus.String(dbus_name),
1854
1453
dbus_value)
1855
1454
self.PropertiesChanged(
1856
1455
_interface,
1857
dbus.Dictionary({dbus.String(dbus_name):
1858
dbus_value}),
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1859
1458
dbus.Array())
1860
1459
setattr(self, attrname, value)
1861
1460
1862
1461
return property(lambda self: getattr(self, attrname), setter)
1863
1462
1864
1463
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1865
1464
approvals_pending = notifychangeproperty(dbus.Boolean,
1866
1465
"ApprovalPending",
1867
type_func=bool)
1466
type_func = bool)
1868
1467
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1869
1468
last_enabled = notifychangeproperty(datetime_to_dbus,
1870
1469
"LastEnabled")
1871
1470
checker = notifychangeproperty(
1872
1471
dbus.Boolean, "CheckerRunning",
1873
type_func=lambda checker: checker is not None)
1472
type_func = lambda checker: checker is not None)
1874
1473
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1875
1474
"LastCheckedOK")
1876
1475
last_checker_status = notifychangeproperty(dbus.Int16,
1881
1480
"ApprovedByDefault")
1882
1481
approval_delay = notifychangeproperty(
1883
1482
dbus.UInt64, "ApprovalDelay",
1884
type_func=lambda td: td.total_seconds() * 1000)
1483
type_func = lambda td: td.total_seconds() * 1000)
1885
1484
approval_duration = notifychangeproperty(
1886
1485
dbus.UInt64, "ApprovalDuration",
1887
type_func=lambda td: td.total_seconds() * 1000)
1486
type_func = lambda td: td.total_seconds() * 1000)
1888
1487
host = notifychangeproperty(dbus.String, "Host")
1889
1488
timeout = notifychangeproperty(
1890
1489
dbus.UInt64, "Timeout",
1891
type_func=lambda td: td.total_seconds() * 1000)
1490
type_func = lambda td: td.total_seconds() * 1000)
1892
1491
extended_timeout = notifychangeproperty(
1893
1492
dbus.UInt64, "ExtendedTimeout",
1894
type_func=lambda td: td.total_seconds() * 1000)
1493
type_func = lambda td: td.total_seconds() * 1000)
1895
1494
interval = notifychangeproperty(
1896
1495
dbus.UInt64, "Interval",
1897
type_func=lambda td: td.total_seconds() * 1000)
1496
type_func = lambda td: td.total_seconds() * 1000)
1898
1497
checker_command = notifychangeproperty(dbus.String, "Checker")
1899
1498
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1900
1499
invalidate_only=True)
1901
1500
1902
1501
del notifychangeproperty
1903
1502
1904
1503
def __del__(self, *args, **kwargs):
1905
1504
try:
1906
1505
self.remove_from_connection()
1909
1508
if hasattr(DBusObjectWithProperties, "__del__"):
1910
1509
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1911
1510
Client.__del__(self, *args, **kwargs)
1912
1511
1913
1512
def checker_callback(self, source, condition,
1914
1513
connection, command, *args, **kwargs):
1915
1514
ret = Client.checker_callback(self, source, condition,
1931
1530
| self.last_checker_signal),
1932
1531
dbus.String(command))
1933
1532
return ret
1934
1533
1935
1534
def start_checker(self, *args, **kwargs):
1936
1535
old_checker_pid = getattr(self.checker, "pid", None)
1937
1536
r = Client.start_checker(self, *args, **kwargs)
1941
1540
# Emit D-Bus signal
1942
1541
self.CheckerStarted(self.current_checker_command)
1943
1542
return r
1944
1543
1945
1544
def _reset_approved(self):
1946
1545
self.approved = None
1947
1546
return False
1948
1547
1949
1548
def approve(self, value=True):
1950
1549
self.approved = value
1951
GLib.timeout_add(int(self.approval_duration.total_seconds()
1952
* 1000), self._reset_approved)
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1953
1552
self.send_changedstate()
1954
1955
# D-Bus methods, signals & properties
1956
1957
# Interfaces
1958
1959
# Signals
1960
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1961
1560
# CheckerCompleted - signal
1962
1561
@dbus.service.signal(_interface, signature="nxs")
1963
1562
def CheckerCompleted(self, exitcode, waitstatus, command):
1964
1563
"D-Bus signal"
1965
1564
pass
1966
1565
1967
1566
# CheckerStarted - signal
1968
1567
@dbus.service.signal(_interface, signature="s")
1969
1568
def CheckerStarted(self, command):
1970
1569
"D-Bus signal"
1971
1570
pass
1972
1571
1973
1572
# PropertyChanged - signal
1974
1573
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1975
1574
@dbus.service.signal(_interface, signature="sv")
1976
1575
def PropertyChanged(self, property, value):
1977
1576
"D-Bus signal"
1978
1577
pass
1979
1578
1980
1579
# GotSecret - signal
1981
1580
@dbus.service.signal(_interface)
1982
1581
def GotSecret(self):
1985
1584
server to mandos-client
1986
1585
"""
1987
1586
pass
1988
1587
1989
1588
# Rejected - signal
1990
1589
@dbus.service.signal(_interface, signature="s")
1991
1590
def Rejected(self, reason):
1992
1591
"D-Bus signal"
1993
1592
pass
1994
1593
1995
1594
# NeedApproval - signal
1996
1595
@dbus.service.signal(_interface, signature="tb")
1997
1596
def NeedApproval(self, timeout, default):
1998
1597
"D-Bus signal"
1999
1598
return self.need_approval()
2000
2001
# Methods
2002
1599
1600
## Methods
1601
2003
1602
# Approve - method
2004
1603
@dbus.service.method(_interface, in_signature="b")
2005
1604
def Approve(self, value):
2006
1605
self.approve(value)
2007
1606
2008
1607
# CheckedOK - method
2009
1608
@dbus.service.method(_interface)
2010
1609
def CheckedOK(self):
2011
1610
self.checked_ok()
2012
1611
2013
1612
# Enable - method
2014
1613
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2015
1614
@dbus.service.method(_interface)
2016
1615
def Enable(self):
2017
1616
"D-Bus method"
2018
1617
self.enable()
2019
1618
2020
1619
# StartChecker - method
2021
1620
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2022
1621
@dbus.service.method(_interface)
2023
1622
def StartChecker(self):
2024
1623
"D-Bus method"
2025
1624
self.start_checker()
2026
1625
2027
1626
# Disable - method
2028
1627
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2029
1628
@dbus.service.method(_interface)
2030
1629
def Disable(self):
2031
1630
"D-Bus method"
2032
1631
self.disable()
2033
1632
2034
1633
# StopChecker - method
2035
1634
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2036
1635
@dbus.service.method(_interface)
2037
1636
def StopChecker(self):
2038
1637
self.stop_checker()
2039
2040
# Properties
2041
1638
1639
## Properties
1640
2042
1641
# ApprovalPending - property
2043
1642
@dbus_service_property(_interface, signature="b", access="read")
2044
1643
def ApprovalPending_dbus_property(self):
2045
1644
return dbus.Boolean(bool(self.approvals_pending))
2046
1645
2047
1646
# ApprovedByDefault - property
2048
1647
@dbus_service_property(_interface,
2049
1648
signature="b",
2052
1651
if value is None: # get
2053
1652
return dbus.Boolean(self.approved_by_default)
2054
1653
self.approved_by_default = bool(value)
2055
1654
2056
1655
# ApprovalDelay - property
2057
1656
@dbus_service_property(_interface,
2058
1657
signature="t",
2062
1661
return dbus.UInt64(self.approval_delay.total_seconds()
2063
1662
* 1000)
2064
1663
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2065
1664
2066
1665
# ApprovalDuration - property
2067
1666
@dbus_service_property(_interface,
2068
1667
signature="t",
2072
1671
return dbus.UInt64(self.approval_duration.total_seconds()
2073
1672
* 1000)
2074
1673
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2075
1674
2076
1675
# Name - property
2077
1676
@dbus_annotations(
2078
1677
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
1678
@dbus_service_property(_interface, signature="s", access="read")
2080
1679
def Name_dbus_property(self):
2081
1680
return dbus.String(self.name)
2082
2083
# KeyID - property
2084
@dbus_annotations(
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
@dbus_service_property(_interface, signature="s", access="read")
2087
def KeyID_dbus_property(self):
2088
return dbus.String(self.key_id)
2089
1681
2090
1682
# Fingerprint - property
2091
1683
@dbus_annotations(
2092
1684
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2093
1685
@dbus_service_property(_interface, signature="s", access="read")
2094
1686
def Fingerprint_dbus_property(self):
2095
1687
return dbus.String(self.fingerprint)
2096
1688
2097
1689
# Host - property
2098
1690
@dbus_service_property(_interface,
2099
1691
signature="s",
2102
1694
if value is None: # get
2103
1695
return dbus.String(self.host)
2104
1696
self.host = str(value)
2105
1697
2106
1698
# Created - property
2107
1699
@dbus_annotations(
2108
1700
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2109
1701
@dbus_service_property(_interface, signature="s", access="read")
2110
1702
def Created_dbus_property(self):
2111
1703
return datetime_to_dbus(self.created)
2112
1704
2113
1705
# LastEnabled - property
2114
1706
@dbus_service_property(_interface, signature="s", access="read")
2115
1707
def LastEnabled_dbus_property(self):
2116
1708
return datetime_to_dbus(self.last_enabled)
2117
1709
2118
1710
# Enabled - property
2119
1711
@dbus_service_property(_interface,
2120
1712
signature="b",
2126
1718
self.enable()
2127
1719
else:
2128
1720
self.disable()
2129
1721
2130
1722
# LastCheckedOK - property
2131
1723
@dbus_service_property(_interface,
2132
1724
signature="s",
2136
1728
self.checked_ok()
2137
1729
return
2138
1730
return datetime_to_dbus(self.last_checked_ok)
2139
1731
2140
1732
# LastCheckerStatus - property
2141
1733
@dbus_service_property(_interface, signature="n", access="read")
2142
1734
def LastCheckerStatus_dbus_property(self):
2143
1735
return dbus.Int16(self.last_checker_status)
2144
1736
2145
1737
# Expires - property
2146
1738
@dbus_service_property(_interface, signature="s", access="read")
2147
1739
def Expires_dbus_property(self):
2148
1740
return datetime_to_dbus(self.expires)
2149
1741
2150
1742
# LastApprovalRequest - property
2151
1743
@dbus_service_property(_interface, signature="s", access="read")
2152
1744
def LastApprovalRequest_dbus_property(self):
2153
1745
return datetime_to_dbus(self.last_approval_request)
2154
1746
2155
1747
# Timeout - property
2156
1748
@dbus_service_property(_interface,
2157
1749
signature="t",
2172
1764
if (getattr(self, "disable_initiator_tag", None)
2173
1765
is None):
2174
1766
return
2175
GLib.source_remove(self.disable_initiator_tag)
2176
self.disable_initiator_tag = GLib.timeout_add(
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2177
1769
int((self.expires - now).total_seconds() * 1000),
2178
1770
self.disable)
2179
1771
2180
1772
# ExtendedTimeout - property
2181
1773
@dbus_service_property(_interface,
2182
1774
signature="t",
2186
1778
return dbus.UInt64(self.extended_timeout.total_seconds()
2187
1779
* 1000)
2188
1780
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2189
1781
2190
1782
# Interval - property
2191
1783
@dbus_service_property(_interface,
2192
1784
signature="t",
2199
1791
return
2200
1792
if self.enabled:
2201
1793
# Reschedule checker run
2202
GLib.source_remove(self.checker_initiator_tag)
2203
self.checker_initiator_tag = GLib.timeout_add(
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2204
1796
value, self.start_checker)
2205
self.start_checker() # Start one now, too
2206
1797
self.start_checker() # Start one now, too
1798
2207
1799
# Checker - property
2208
1800
@dbus_service_property(_interface,
2209
1801
signature="s",
2212
1804
if value is None: # get
2213
1805
return dbus.String(self.checker_command)
2214
1806
self.checker_command = str(value)
2215
1807
2216
1808
# CheckerRunning - property
2217
1809
@dbus_service_property(_interface,
2218
1810
signature="b",
2224
1816
self.start_checker()
2225
1817
else:
2226
1818
self.stop_checker()
2227
1819
2228
1820
# ObjectPath - property
2229
1821
@dbus_annotations(
2230
1822
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2231
1823
"org.freedesktop.DBus.Deprecated": "true"})
2232
1824
@dbus_service_property(_interface, signature="o", access="read")
2233
1825
def ObjectPath_dbus_property(self):
2234
return self.dbus_object_path # is already a dbus.ObjectPath
2235
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2236
1828
# Secret = property
2237
1829
@dbus_annotations(
2238
1830
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2243
1835
byte_arrays=True)
2244
1836
def Secret_dbus_property(self, value):
2245
1837
self.secret = bytes(value)
2246
1838
2247
1839
del _interface
2248
1840
2249
1841
2250
class ProxyClient:
2251
def __init__(self, child_pipe, key_id, fpr, address):
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2252
1844
self._pipe = child_pipe
2253
self._pipe.send(('init', key_id, fpr, address))
1845
self._pipe.send(('init', fpr, address))
2254
1846
if not self._pipe.recv():
2255
raise KeyError(key_id or fpr)
2256
1847
raise KeyError(fpr)
1848
2257
1849
def __getattribute__(self, name):
2258
1850
if name == '_pipe':
2259
1851
return super(ProxyClient, self).__getattribute__(name)
2262
1854
if data[0] == 'data':
2263
1855
return data[1]
2264
1856
if data[0] == 'function':
2265
1857
2266
1858
def func(*args, **kwargs):
2267
1859
self._pipe.send(('funcall', name, args, kwargs))
2268
1860
return self._pipe.recv()[1]
2269
1861
2270
1862
return func
2271
1863
2272
1864
def __setattr__(self, name, value):
2273
1865
if name == '_pipe':
2274
1866
return super(ProxyClient, self).__setattr__(name, value)
2277
1869
2278
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2279
1871
"""A class to handle client connections.
2280
1872
2281
1873
Instantiated once for each connection to handle it.
2282
1874
Note: This will run in its own forked process."""
2283
1875
2284
1876
def handle(self):
2285
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2286
1878
logger.info("TCP connection from: %s",
2287
1879
str(self.client_address))
2288
1880
logger.debug("Pipe FD: %d",
2289
1881
self.server.child_pipe.fileno())
2290
2291
session = gnutls.ClientSession(self.request)
2292
2293
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2294
# "+AES-256-CBC", "+SHA1",
2295
# "+COMP-NULL", "+CTYPE-OPENPGP",
2296
# "+DHE-DSS"))
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2297
1895
# Use a fallback default, since this MUST be set.
2298
1896
priority = self.server.gnutls_priority
2299
1897
if priority is None:
2300
1898
priority = "NORMAL"
2301
gnutls.priority_set_direct(session._c_object,
2302
priority.encode("utf-8"),
2303
None)
2304
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2305
1902
# Start communication using the Mandos protocol
2306
1903
# Get protocol number
2307
1904
line = self.request.makefile().readline()
2312
1909
except (ValueError, IndexError, RuntimeError) as error:
2313
1910
logger.error("Unknown protocol version: %s", error)
2314
1911
return
2315
1912
2316
1913
# Start GnuTLS connection
2317
1914
try:
2318
1915
session.handshake()
2319
except gnutls.Error as error:
1916
except gnutls.errors.GNUTLSError as error:
2320
1917
logger.warning("Handshake failed: %s", error)
2321
1918
# Do not run session.bye() here: the session is not
2322
1919
# established. Just abandon the request.
2323
1920
return
2324
1921
logger.debug("Handshake succeeded")
2325
1922
2326
1923
approval_required = False
2327
1924
try:
2328
if gnutls.has_rawpk:
2329
fpr = b""
2330
try:
2331
key_id = self.key_id(
2332
self.peer_certificate(session))
2333
except (TypeError, gnutls.Error) as error:
2334
logger.warning("Bad certificate: %s", error)
2335
return
2336
logger.debug("Key ID: %s", key_id)
2337
2338
else:
2339
key_id = b""
2340
try:
2341
fpr = self.fingerprint(
2342
self.peer_certificate(session))
2343
except (TypeError, gnutls.Error) as error:
2344
logger.warning("Bad certificate: %s", error)
2345
return
2346
logger.debug("Fingerprint: %s", fpr)
2347
2348
try:
2349
client = ProxyClient(child_pipe, key_id, fpr,
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2350
1936
self.client_address)
2351
1937
except KeyError:
2352
1938
return
2353
1939
2354
1940
if client.approval_delay:
2355
1941
delay = client.approval_delay
2356
1942
client.approvals_pending += 1
2357
1943
approval_required = True
2358
1944
2359
1945
while True:
2360
1946
if not client.enabled:
2361
1947
logger.info("Client %s is disabled",
2364
1950
# Emit D-Bus signal
2365
1951
client.Rejected("Disabled")
2366
1952
return
2367
1953
2368
1954
if client.approved or not client.approval_delay:
2369
# We are approved or approval is disabled
1955
#We are approved or approval is disabled
2370
1956
break
2371
1957
elif client.approved is None:
2372
1958
logger.info("Client %s needs approval",
2383
1969
# Emit D-Bus signal
2384
1970
client.Rejected("Denied")
2385
1971
return
2386
2387
# wait until timeout or approved
1972
1973
#wait until timeout or approved
2388
1974
time = datetime.datetime.now()
2389
1975
client.changedstate.acquire()
2390
1976
client.changedstate.wait(delay.total_seconds())
2403
1989
break
2404
1990
else:
2405
1991
delay -= time2 - time
2406
2407
try:
2408
session.send(client.secret)
2409
except gnutls.Error as error:
2410
logger.warning("gnutls send failed",
2411
exc_info=error)
2412
return
2413
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2414
2006
logger.info("Sending secret to %s", client.name)
2415
2007
# bump the timeout using extended_timeout
2416
2008
client.bump_timeout(client.extended_timeout)
2417
2009
if self.server.use_dbus:
2418
2010
# Emit D-Bus signal
2419
2011
client.GotSecret()
2420
2012
2421
2013
finally:
2422
2014
if approval_required:
2423
2015
client.approvals_pending -= 1
2424
2016
try:
2425
2017
session.bye()
2426
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2427
2019
logger.warning("GnuTLS bye failed",
2428
2020
exc_info=error)
2429
2021
2430
2022
@staticmethod
2431
2023
def peer_certificate(session):
2432
"Return the peer's certificate as a bytestring"
2433
try:
2434
cert_type = gnutls.certificate_type_get2(session._c_object,
2435
gnutls.CTYPE_PEERS)
2436
except AttributeError:
2437
cert_type = gnutls.certificate_type_get(session._c_object)
2438
if gnutls.has_rawpk:
2439
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2440
else:
2441
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2442
# If not a valid certificate type...
2443
if cert_type not in valid_cert_types:
2444
logger.info("Cert type %r not in %r", cert_type,
2445
valid_cert_types)
2446
# ...return invalid data
2447
return b""
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2448
2031
list_size = ctypes.c_uint(1)
2449
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2450
2034
(session._c_object, ctypes.byref(list_size)))
2451
2035
if not bool(cert_list) and list_size.value != 0:
2452
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2453
2038
if list_size.value == 0:
2454
2039
return None
2455
2040
cert = cert_list[0]
2456
2041
return ctypes.string_at(cert.data, cert.size)
2457
2458
@staticmethod
2459
def key_id(certificate):
2460
"Convert a certificate bytestring to a hexdigit key ID"
2461
# New GnuTLS "datum" with the public key
2462
datum = gnutls.datum_t(
2463
ctypes.cast(ctypes.c_char_p(certificate),
2464
ctypes.POINTER(ctypes.c_ubyte)),
2465
ctypes.c_uint(len(certificate)))
2466
# XXX all these need to be created in the gnutls "module"
2467
# New empty GnuTLS certificate
2468
pubkey = gnutls.pubkey_t()
2469
gnutls.pubkey_init(ctypes.byref(pubkey))
2470
# Import the raw public key into the certificate
2471
gnutls.pubkey_import(pubkey,
2472
ctypes.byref(datum),
2473
gnutls.X509_FMT_DER)
2474
# New buffer for the key ID
2475
buf = ctypes.create_string_buffer(32)
2476
buf_len = ctypes.c_size_t(len(buf))
2477
# Get the key ID from the raw public key into the buffer
2478
gnutls.pubkey_get_key_id(
2479
pubkey,
2480
gnutls.KEYID_USE_SHA256,
2481
ctypes.cast(ctypes.byref(buf),
2482
ctypes.POINTER(ctypes.c_ubyte)),
2483
ctypes.byref(buf_len))
2484
# Deinit the certificate
2485
gnutls.pubkey_deinit(pubkey)
2486
2487
# Convert the buffer to a Python bytestring
2488
key_id = ctypes.string_at(buf, buf_len.value)
2489
# Convert the bytestring to hexadecimal notation
2490
hex_key_id = binascii.hexlify(key_id).upper()
2491
return hex_key_id
2492
2042
2493
2043
@staticmethod
2494
2044
def fingerprint(openpgp):
2495
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2496
2046
# New GnuTLS "datum" with the OpenPGP public key
2497
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2498
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2499
2049
ctypes.POINTER(ctypes.c_ubyte)),
2500
2050
ctypes.c_uint(len(openpgp)))
2501
2051
# New empty GnuTLS certificate
2502
crt = gnutls.openpgp_crt_t()
2503
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2504
2055
# Import the OpenPGP public key into the certificate
2505
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2506
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2507
2059
# Verify the self signature in the key
2508
2060
crtverify = ctypes.c_uint()
2509
gnutls.openpgp_crt_verify_self(crt, 0,
2510
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2511
2063
if crtverify.value != 0:
2512
gnutls.openpgp_crt_deinit(crt)
2513
raise gnutls.CertificateSecurityError(code
2514
=crtverify.value)
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2515
2067
# New buffer for the fingerprint
2516
2068
buf = ctypes.create_string_buffer(20)
2517
2069
buf_len = ctypes.c_size_t()
2518
2070
# Get the fingerprint from the certificate into the buffer
2519
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2520
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2521
2073
# Deinit the certificate
2522
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2523
2075
# Convert the buffer to a Python bytestring
2524
2076
fpr = ctypes.string_at(buf, buf_len.value)
2525
2077
# Convert the bytestring to hexadecimal notation
2527
2079
return hex_fpr
2528
2080
2529
2081
2530
class MultiprocessingMixIn:
2082
class MultiprocessingMixIn(object):
2531
2083
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2532
2084
2533
2085
def sub_process_main(self, request, address):
2534
2086
try:
2535
2087
self.finish_request(request, address)
2536
2088
except Exception:
2537
2089
self.handle_error(request, address)
2538
2090
self.close_request(request)
2539
2091
2540
2092
def process_request(self, request, address):
2541
2093
"""Start a new process to process the request."""
2542
proc = multiprocessing.Process(target=self.sub_process_main,
2543
args=(request, address))
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2544
2096
proc.start()
2545
2097
return proc
2546
2098
2547
2099
2548
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2549
2101
""" adds a pipe to the MixIn """
2550
2102
2551
2103
def process_request(self, request, client_address):
2552
2104
"""Overrides and wraps the original process_request().
2553
2105
2554
2106
This function creates a new pipe in self.pipe
2555
2107
"""
2556
2108
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2557
2109
2558
2110
proc = MultiprocessingMixIn.process_request(self, request,
2559
2111
client_address)
2560
2112
self.child_pipe.close()
2561
2113
self.add_pipe(parent_pipe, proc)
2562
2114
2563
2115
def add_pipe(self, parent_pipe, proc):
2564
2116
"""Dummy function; override as necessary"""
2565
2117
raise NotImplementedError()
2566
2118
2567
2119
2568
2120
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2569
socketserver.TCPServer):
2121
socketserver.TCPServer, object):
2570
2122
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2571
2123
2572
2124
Attributes:
2573
2125
enabled: Boolean; whether this server is activated yet
2574
2126
interface: None or a network interface name (string)
2575
2127
use_ipv6: Boolean; to use IPv6 or not
2576
2128
"""
2577
2129
2578
2130
def __init__(self, server_address, RequestHandlerClass,
2579
2131
interface=None,
2580
2132
use_ipv6=True,
2590
2142
self.socketfd = socketfd
2591
2143
# Save the original socket.socket() function
2592
2144
self.socket_socket = socket.socket
2593
2594
2145
# To implement --socket, we monkey patch socket.socket.
2595
#
2146
#
2596
2147
# (When socketserver.TCPServer is a new-style class, we
2597
2148
# could make self.socket into a property instead of monkey
2598
2149
# patching socket.socket.)
2599
#
2150
#
2600
2151
# Create a one-time-only replacement for socket.socket()
2601
2152
@functools.wraps(socket.socket)
2602
2153
def socket_wrapper(*args, **kwargs):
2614
2165
# socket_wrapper(), if socketfd was set.
2615
2166
socketserver.TCPServer.__init__(self, server_address,
2616
2167
RequestHandlerClass)
2617
2168
2618
2169
def server_bind(self):
2619
2170
"""This overrides the normal server_bind() function
2620
2171
to bind to an interface if one was specified, and also NOT to
2621
2172
bind to an address or port if they were not specified."""
2622
global SO_BINDTODEVICE
2623
2173
if self.interface is not None:
2624
2174
if SO_BINDTODEVICE is None:
2625
# Fall back to a hard-coded value which seems to be
2626
# common enough.
2627
logger.warning("SO_BINDTODEVICE not found, trying 25")
2628
SO_BINDTODEVICE = 25
2629
try:
2630
self.socket.setsockopt(
2631
socket.SOL_SOCKET, SO_BINDTODEVICE,
2632
(self.interface + "\0").encode("utf-8"))
2633
except socket.error as error:
2634
if error.errno == errno.EPERM:
2635
logger.error("No permission to bind to"
2636
" interface %s", self.interface)
2637
elif error.errno == errno.ENOPROTOOPT:
2638
logger.error("SO_BINDTODEVICE not available;"
2639
" cannot bind to interface %s",
2640
self.interface)
2641
elif error.errno == errno.ENODEV:
2642
logger.error("Interface %s does not exist,"
2643
" cannot bind", self.interface)
2644
else:
2645
raise
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2646
2196
# Only bind(2) the socket if we really need to.
2647
2197
if self.server_address[0] or self.server_address[1]:
2648
if self.server_address[1]:
2649
self.allow_reuse_address = True
2650
2198
if not self.server_address[0]:
2651
2199
if self.address_family == socket.AF_INET6:
2652
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2653
2201
else:
2654
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2655
2203
self.server_address = (any_address,
2656
2204
self.server_address[1])
2657
2205
elif not self.server_address[1]:
2667
2215
2668
2216
class MandosServer(IPv6_TCPServer):
2669
2217
"""Mandos server.
2670
2218
2671
2219
Attributes:
2672
2220
clients: set of Client objects
2673
2221
gnutls_priority GnuTLS priority string
2674
2222
use_dbus: Boolean; to emit D-Bus signals or not
2675
2676
Assumes a GLib.MainLoop event loop.
2223
2224
Assumes a gobject.MainLoop event loop.
2677
2225
"""
2678
2226
2679
2227
def __init__(self, server_address, RequestHandlerClass,
2680
2228
interface=None,
2681
2229
use_ipv6=True,
2691
2239
self.gnutls_priority = gnutls_priority
2692
2240
IPv6_TCPServer.__init__(self, server_address,
2693
2241
RequestHandlerClass,
2694
interface=interface,
2695
use_ipv6=use_ipv6,
2696
socketfd=socketfd)
2697
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2698
2246
def server_activate(self):
2699
2247
if self.enabled:
2700
2248
return socketserver.TCPServer.server_activate(self)
2701
2249
2702
2250
def enable(self):
2703
2251
self.enabled = True
2704
2252
2705
2253
def add_pipe(self, parent_pipe, proc):
2706
2254
# Call "handle_ipc" for both data and EOF events
2707
GLib.io_add_watch(
2708
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2709
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2710
2258
functools.partial(self.handle_ipc,
2711
parent_pipe=parent_pipe,
2712
proc=proc))
2713
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2714
2262
def handle_ipc(self, source, condition,
2715
2263
parent_pipe=None,
2716
proc=None,
2264
proc = None,
2717
2265
client_object=None):
2718
2266
# error, or the other end of multiprocessing.Pipe has closed
2719
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2720
2268
# Wait for other process to exit
2721
2269
proc.join()
2722
2270
return False
2723
2271
2724
2272
# Read a request from the child
2725
2273
request = parent_pipe.recv()
2726
2274
command = request[0]
2727
2275
2728
2276
if command == 'init':
2729
key_id = request[1].decode("ascii")
2730
fpr = request[2].decode("ascii")
2731
address = request[3]
2732
2733
for c in self.clients.values():
2734
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2735
"27AE41E4649B934CA495991B7852B855"):
2736
continue
2737
if key_id and c.key_id == key_id:
2738
client = c
2739
break
2740
if fpr and c.fingerprint == fpr:
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2741
2282
client = c
2742
2283
break
2743
2284
else:
2744
logger.info("Client not found for key ID: %s, address"
2745
": %s", key_id or fpr, address)
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2746
2287
if self.use_dbus:
2747
2288
# Emit D-Bus signal
2748
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
mandos_dbus_service.ClientNotFound(fpr,
2749
2290
address[0])
2750
2291
parent_pipe.send(False)
2751
2292
return False
2752
2753
GLib.io_add_watch(
2754
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2755
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2756
2297
functools.partial(self.handle_ipc,
2757
parent_pipe=parent_pipe,
2758
proc=proc,
2759
client_object=client))
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2760
2301
parent_pipe.send(True)
2761
2302
# remove the old hook in favor of the new above hook on
2762
2303
# same fileno
2765
2306
funcname = request[1]
2766
2307
args = request[2]
2767
2308
kwargs = request[3]
2768
2309
2769
2310
parent_pipe.send(('data', getattr(client_object,
2770
2311
funcname)(*args,
2771
2312
**kwargs)))
2772
2313
2773
2314
if command == 'getattr':
2774
2315
attrname = request[1]
2775
2316
if isinstance(client_object.__getattribute__(attrname),
2776
collections.abc.Callable):
2317
collections.Callable):
2777
2318
parent_pipe.send(('function', ))
2778
2319
else:
2779
2320
parent_pipe.send((
2780
2321
'data', client_object.__getattribute__(attrname)))
2781
2322
2782
2323
if command == 'setattr':
2783
2324
attrname = request[1]
2784
2325
value = request[2]
2785
2326
setattr(client_object, attrname, value)
2786
2327
2787
2328
return True
2788
2329
2789
2330
2790
2331
def rfc3339_duration_to_delta(duration):
2791
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2792
2793
>>> timedelta = datetime.timedelta
2794
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2795
True
2796
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2797
True
2798
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2799
True
2800
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2801
True
2802
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2803
True
2804
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2805
True
2806
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2807
True
2808
>>> del timedelta
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2809
2348
"""
2810
2349
2811
2350
# Parsing an RFC 3339 duration with regular expressions is not
2812
2351
# possible - there would have to be multiple places for the same
2813
2352
# values, like seconds. The current code, while more esoteric, is
2814
2353
# cleaner without depending on a parsing library. If Python had a
2815
2354
# built-in library for parsing we would use it, but we'd like to
2816
2355
# avoid excessive use of external libraries.
2817
2356
2818
2357
# New type for defining tokens, syntax, and semantics all-in-one
2819
2358
Token = collections.namedtuple("Token", (
2820
2359
"regexp", # To match token; if "value" is not None, must have
2853
2392
frozenset((token_year, token_month,
2854
2393
token_day, token_time,
2855
2394
token_week)))
2856
# Define starting values:
2857
# Value so far
2858
value = datetime.timedelta()
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2859
2397
found_token = None
2860
# Following valid tokens
2861
followers = frozenset((token_duration, ))
2862
# String left to parse
2863
s = duration
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2864
2400
# Loop until end token is found
2865
2401
while found_token is not token_end:
2866
2402
# Search for any currently valid tokens
2890
2426
2891
2427
def string_to_delta(interval):
2892
2428
"""Parse a string and return a datetime.timedelta
2893
2894
>>> string_to_delta('7d') == datetime.timedelta(7)
2895
True
2896
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2897
True
2898
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2899
True
2900
>>> string_to_delta('24h') == datetime.timedelta(1)
2901
True
2902
>>> string_to_delta('1w') == datetime.timedelta(7)
2903
True
2904
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2905
True
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2906
2442
"""
2907
2443
2908
2444
try:
2909
2445
return rfc3339_duration_to_delta(interval)
2910
2446
except ValueError:
2911
2447
pass
2912
2448
2913
2449
timevalue = datetime.timedelta(0)
2914
2450
for s in interval.split():
2915
2451
try:
2933
2469
return timevalue
2934
2470
2935
2471
2936
def daemon(nochdir=False, noclose=False):
2472
def daemon(nochdir = False, noclose = False):
2937
2473
"""See daemon(3). Standard BSD Unix function.
2938
2474
2939
2475
This should really exist as os.daemon, but it doesn't (yet)."""
2940
2476
if os.fork():
2941
2477
sys.exit()
2959
2495
2960
2496
2961
2497
def main():
2962
2498
2963
2499
##################################################################
2964
2500
# Parsing of options, both command line and config file
2965
2501
2966
2502
parser = argparse.ArgumentParser()
2967
2503
parser.add_argument("-v", "--version", action="version",
2968
version="%(prog)s {}".format(version),
2504
version = "%(prog)s {}".format(version),
2969
2505
help="show version number and exit")
2970
2506
parser.add_argument("-i", "--interface", metavar="IF",
2971
2507
help="Bind to interface IF")
3007
2543
parser.add_argument("--no-zeroconf", action="store_false",
3008
2544
dest="zeroconf", help="Do not use Zeroconf",
3009
2545
default=None)
3010
2546
3011
2547
options = parser.parse_args()
3012
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
3013
2554
# Default values for config file for server-global settings
3014
if gnutls.has_rawpk:
3015
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3016
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3017
else:
3018
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3019
":+SIGN-DSA-SHA256")
3020
server_defaults = {"interface": "",
3021
"address": "",
3022
"port": "",
3023
"debug": "False",
3024
"priority": priority,
3025
"servicename": "Mandos",
3026
"use_dbus": "True",
3027
"use_ipv6": "True",
3028
"debuglevel": "",
3029
"restore": "True",
3030
"socket": "",
3031
"statedir": "/var/lib/mandos",
3032
"foreground": "False",
3033
"zeroconf": "True",
3034
}
3035
del priority
3036
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3037
2573
# Parse config file for server-global settings
3038
server_config = configparser.ConfigParser(server_defaults)
2574
server_config = configparser.SafeConfigParser(server_defaults)
3039
2575
del server_defaults
3040
2576
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3041
# Convert the ConfigParser object to a dict
2577
# Convert the SafeConfigParser object to a dict
3042
2578
server_settings = server_config.defaults()
3043
2579
# Use the appropriate methods on the non-string config options
3044
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3045
"foreground", "zeroconf"):
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3046
2581
server_settings[option] = server_config.getboolean("DEFAULT",
3047
2582
option)
3048
2583
if server_settings["port"]:
3058
2593
server_settings["socket"] = os.dup(server_settings
3059
2594
["socket"])
3060
2595
del server_config
3061
2596
3062
2597
# Override the settings from the config file with command line
3063
2598
# options, if set.
3064
2599
for option in ("interface", "address", "port", "debug",
3082
2617
if server_settings["debug"]:
3083
2618
server_settings["foreground"] = True
3084
2619
# Now we have our good server settings in "server_settings"
3085
2620
3086
2621
##################################################################
3087
2622
3088
2623
if (not server_settings["zeroconf"]
3089
2624
and not (server_settings["port"]
3090
2625
or server_settings["socket"] != "")):
3091
2626
parser.error("Needs port or socket to work without Zeroconf")
3092
2627
3093
2628
# For convenience
3094
2629
debug = server_settings["debug"]
3095
2630
debuglevel = server_settings["debuglevel"]
3099
2634
stored_state_file)
3100
2635
foreground = server_settings["foreground"]
3101
2636
zeroconf = server_settings["zeroconf"]
3102
2637
3103
2638
if debug:
3104
2639
initlogger(debug, logging.DEBUG)
3105
2640
else:
3108
2643
else:
3109
2644
level = getattr(logging, debuglevel.upper())
3110
2645
initlogger(debug, level)
3111
2646
3112
2647
if server_settings["servicename"] != "Mandos":
3113
2648
syslogger.setFormatter(
3114
2649
logging.Formatter('Mandos ({}) [%(process)d]:'
3115
2650
' %(levelname)s: %(message)s'.format(
3116
2651
server_settings["servicename"])))
3117
2652
3118
2653
# Parse config file with clients
3119
client_config = configparser.ConfigParser(Client.client_defaults)
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3120
2656
client_config.read(os.path.join(server_settings["configdir"],
3121
2657
"clients.conf"))
3122
2658
3123
2659
global mandos_dbus_service
3124
2660
mandos_dbus_service = None
3125
2661
3126
2662
socketfd = None
3127
2663
if server_settings["socket"] != "":
3128
2664
socketfd = server_settings["socket"]
3144
2680
except IOError as e:
3145
2681
logger.error("Could not open file %r", pidfilename,
3146
2682
exc_info=e)
3147
3148
for name, group in (("_mandos", "_mandos"),
3149
("mandos", "mandos"),
3150
("nobody", "nogroup")):
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3151
2685
try:
3152
2686
uid = pwd.getpwnam(name).pw_uid
3153
gid = pwd.getpwnam(group).pw_gid
2687
gid = pwd.getpwnam(name).pw_gid
3154
2688
break
3155
2689
except KeyError:
3156
2690
continue
3160
2694
try:
3161
2695
os.setgid(gid)
3162
2696
os.setuid(uid)
3163
if debug:
3164
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3165
gid))
3166
2697
except OSError as error:
3167
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3168
.format(uid, gid, os.strerror(error.errno)))
3169
2698
if error.errno != errno.EPERM:
3170
2699
raise
3171
2700
3172
2701
if debug:
3173
2702
# Enable all possible GnuTLS debugging
3174
2703
3175
2704
# "Use a log level over 10 to enable all debugging options."
3176
2705
# - GnuTLS manual
3177
gnutls.global_set_log_level(11)
3178
3179
@gnutls.log_func
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3180
2709
def debug_gnutls(level, string):
3181
2710
logger.debug("GnuTLS: %s", string[:-1])
3182
3183
gnutls.global_set_log_function(debug_gnutls)
3184
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3185
2715
# Redirect stdin so all checkers get /dev/null
3186
2716
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3187
2717
os.dup2(null, sys.stdin.fileno())
3188
2718
if null > 2:
3189
2719
os.close(null)
3190
2720
3191
2721
# Need to fork before connecting to D-Bus
3192
2722
if not foreground:
3193
2723
# Close all input and output, do double fork, etc.
3194
2724
daemon()
3195
3196
if gi.version_info < (3, 10, 2):
3197
# multiprocessing will use threads, so before we use GLib we
3198
# need to inform GLib that threads will be used.
3199
GLib.threads_init()
3200
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3201
2730
global main_loop
3202
2731
# From the Avahi example code
3203
2732
DBusGMainLoop(set_as_default=True)
3204
main_loop = GLib.MainLoop()
2733
main_loop = gobject.MainLoop()
3205
2734
bus = dbus.SystemBus()
3206
2735
# End of Avahi example code
3207
2736
if use_dbus:
3220
2749
if zeroconf:
3221
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3222
2751
service = AvahiServiceToSyslog(
3223
name=server_settings["servicename"],
3224
servicetype="_mandos._tcp",
3225
protocol=protocol,
3226
bus=bus)
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3227
2756
if server_settings["interface"]:
3228
2757
service.interface = if_nametoindex(
3229
2758
server_settings["interface"].encode("utf-8"))
3230
2759
3231
2760
global multiprocessing_manager
3232
2761
multiprocessing_manager = multiprocessing.Manager()
3233
2762
3234
2763
client_class = Client
3235
2764
if use_dbus:
3236
client_class = functools.partial(ClientDBus, bus=bus)
3237
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3238
2767
client_settings = Client.config_parser(client_config)
3239
2768
old_client_settings = {}
3240
2769
clients_data = {}
3241
2770
3242
2771
# This is used to redirect stdout and stderr for checker processes
3243
2772
global wnull
3244
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3245
2774
# Only used if server is running in foreground but not in debug
3246
2775
# mode
3247
2776
if debug or not foreground:
3248
2777
wnull.close()
3249
2778
3250
2779
# Get client data and settings from last running state.
3251
2780
if server_settings["restore"]:
3252
2781
try:
3253
2782
with open(stored_state_path, "rb") as stored_state:
3254
if sys.version_info.major == 2:
3255
clients_data, old_client_settings = pickle.load(
3256
stored_state)
3257
else:
3258
bytes_clients_data, bytes_old_client_settings = (
3259
pickle.load(stored_state, encoding="bytes"))
3260
# Fix bytes to strings
3261
# clients_data
3262
# .keys()
3263
clients_data = {(key.decode("utf-8")
3264
if isinstance(key, bytes)
3265
else key): value
3266
for key, value in
3267
bytes_clients_data.items()}
3268
del bytes_clients_data
3269
for key in clients_data:
3270
value = {(k.decode("utf-8")
3271
if isinstance(k, bytes) else k): v
3272
for k, v in
3273
clients_data[key].items()}
3274
clients_data[key] = value
3275
# .client_structure
3276
value["client_structure"] = [
3277
(s.decode("utf-8")
3278
if isinstance(s, bytes)
3279
else s) for s in
3280
value["client_structure"]]
3281
# .name, .host, and .checker_command
3282
for k in ("name", "host", "checker_command"):
3283
if isinstance(value[k], bytes):
3284
value[k] = value[k].decode("utf-8")
3285
if "key_id" not in value:
3286
value["key_id"] = ""
3287
elif "fingerprint" not in value:
3288
value["fingerprint"] = ""
3289
# old_client_settings
3290
# .keys()
3291
old_client_settings = {
3292
(key.decode("utf-8")
3293
if isinstance(key, bytes)
3294
else key): value
3295
for key, value in
3296
bytes_old_client_settings.items()}
3297
del bytes_old_client_settings
3298
# .host and .checker_command
3299
for value in old_client_settings.values():
3300
for attribute in ("host", "checker_command"):
3301
if isinstance(value[attribute], bytes):
3302
value[attribute] = (value[attribute]
3303
.decode("utf-8"))
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3304
2785
os.remove(stored_state_path)
3305
2786
except IOError as e:
3306
2787
if e.errno == errno.ENOENT:
3314
2795
logger.warning("Could not load persistent state: "
3315
2796
"EOFError:",
3316
2797
exc_info=e)
3317
2798
3318
2799
with PGPEngine() as pgp:
3319
2800
for client_name, client in clients_data.items():
3320
2801
# Skip removed clients
3321
2802
if client_name not in client_settings:
3322
2803
continue
3323
2804
3324
2805
# Decide which value to use after restoring saved state.
3325
2806
# We have three different values: Old config file,
3326
2807
# new config file, and saved state.
3337
2818
client[name] = value
3338
2819
except KeyError:
3339
2820
pass
3340
2821
3341
2822
# Clients who has passed its expire date can still be
3342
2823
# enabled if its last checker was successful. A Client
3343
2824
# whose checker succeeded before we stored its state is
3376
2857
client_name))
3377
2858
client["secret"] = (client_settings[client_name]
3378
2859
["secret"])
3379
2860
3380
2861
# Add/remove clients based on new changes made to config
3381
2862
for client_name in (set(old_client_settings)
3382
2863
- set(client_settings)):
3384
2865
for client_name in (set(client_settings)
3385
2866
- set(old_client_settings)):
3386
2867
clients_data[client_name] = client_settings[client_name]
3387
2868
3388
2869
# Create all client objects
3389
2870
for client_name, client in clients_data.items():
3390
2871
tcp_server.clients[client_name] = client_class(
3391
name=client_name,
3392
settings=client,
3393
server_settings=server_settings)
3394
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3395
2876
if not tcp_server.clients:
3396
2877
logger.warning("No clients defined")
3397
2878
3398
2879
if not foreground:
3399
2880
if pidfile is not None:
3400
2881
pid = os.getpid()
3406
2887
pidfilename, pid)
3407
2888
del pidfile
3408
2889
del pidfilename
3409
3410
for termsig in (signal.SIGHUP, signal.SIGTERM):
3411
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3412
lambda: main_loop.quit() and False)
3413
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3414
2894
if use_dbus:
3415
2895
3416
2896
@alternate_dbus_interfaces(
3417
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3418
2898
class MandosDBusService(DBusObjectWithObjectManager):
3419
2899
"""A D-Bus proxy object"""
3420
2900
3421
2901
def __init__(self):
3422
2902
dbus.service.Object.__init__(self, bus, "/")
3423
2903
3424
2904
_interface = "se.recompile.Mandos"
3425
2905
3426
2906
@dbus.service.signal(_interface, signature="o")
3427
2907
def ClientAdded(self, objpath):
3428
2908
"D-Bus signal"
3429
2909
pass
3430
2910
3431
2911
@dbus.service.signal(_interface, signature="ss")
3432
def ClientNotFound(self, key_id, address):
2912
def ClientNotFound(self, fingerprint, address):
3433
2913
"D-Bus signal"
3434
2914
pass
3435
2915
3436
2916
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3437
2917
"true"})
3438
2918
@dbus.service.signal(_interface, signature="os")
3439
2919
def ClientRemoved(self, objpath, name):
3440
2920
"D-Bus signal"
3441
2921
pass
3442
2922
3443
2923
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3444
2924
"true"})
3445
2925
@dbus.service.method(_interface, out_signature="ao")
3446
2926
def GetAllClients(self):
3447
2927
"D-Bus method"
3448
2928
return dbus.Array(c.dbus_object_path for c in
3449
tcp_server.clients.values())
3450
2929
tcp_server.clients.itervalues())
2930
3451
2931
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3452
2932
"true"})
3453
2933
@dbus.service.method(_interface,
3455
2935
def GetAllClientsWithProperties(self):
3456
2936
"D-Bus method"
3457
2937
return dbus.Dictionary(
3458
{c.dbus_object_path: c.GetAll(
2938
{ c.dbus_object_path: c.GetAll(
3459
2939
"se.recompile.Mandos.Client")
3460
for c in tcp_server.clients.values()},
2940
for c in tcp_server.clients.itervalues() },
3461
2941
signature="oa{sv}")
3462
2942
3463
2943
@dbus.service.method(_interface, in_signature="o")
3464
2944
def RemoveClient(self, object_path):
3465
2945
"D-Bus method"
3466
for c in tcp_server.clients.values():
2946
for c in tcp_server.clients.itervalues():
3467
2947
if c.dbus_object_path == object_path:
3468
2948
del tcp_server.clients[c.name]
3469
2949
c.remove_from_connection()
3473
2953
self.client_removed_signal(c)
3474
2954
return
3475
2955
raise KeyError(object_path)
3476
2956
3477
2957
del _interface
3478
2958
3479
2959
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3480
out_signature="a{oa{sa{sv}}}")
2960
out_signature = "a{oa{sa{sv}}}")
3481
2961
def GetManagedObjects(self):
3482
2962
"""D-Bus method"""
3483
2963
return dbus.Dictionary(
3484
{client.dbus_object_path:
3485
dbus.Dictionary(
3486
{interface: client.GetAll(interface)
3487
for interface in
3488
client._get_all_interface_names()})
3489
for client in tcp_server.clients.values()})
3490
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3491
2971
def client_added_signal(self, client):
3492
2972
"""Send the new standard signal and the old signal"""
3493
2973
if use_dbus:
3495
2975
self.InterfacesAdded(
3496
2976
client.dbus_object_path,
3497
2977
dbus.Dictionary(
3498
{interface: client.GetAll(interface)
3499
for interface in
3500
client._get_all_interface_names()}))
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3501
2981
# Old signal
3502
2982
self.ClientAdded(client.dbus_object_path)
3503
2983
3504
2984
def client_removed_signal(self, client):
3505
2985
"""Send the new standard signal and the old signal"""
3506
2986
if use_dbus:
3511
2991
# Old signal
3512
2992
self.ClientRemoved(client.dbus_object_path,
3513
2993
client.name)
3514
2994
3515
2995
mandos_dbus_service = MandosDBusService()
3516
3517
# Save modules to variables to exempt the modules from being
3518
# unloaded before the function registered with atexit() is run.
3519
mp = multiprocessing
3520
wn = wnull
3521
2996
3522
2997
def cleanup():
3523
2998
"Cleanup function; run on exit"
3524
2999
if zeroconf:
3525
3000
service.cleanup()
3526
3527
mp.active_children()
3528
wn.close()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3529
3004
if not (tcp_server.clients or client_settings):
3530
3005
return
3531
3006
3532
3007
# Store client before exiting. Secrets are encrypted with key
3533
3008
# based on what config file has. If config file is
3534
3009
# removed/edited, old secret will thus be unrecovable.
3535
3010
clients = {}
3536
3011
with PGPEngine() as pgp:
3537
for client in tcp_server.clients.values():
3012
for client in tcp_server.clients.itervalues():
3538
3013
key = client_settings[client.name]["secret"]
3539
3014
client.encrypted_secret = pgp.encrypt(client.secret,
3540
3015
key)
3541
3016
client_dict = {}
3542
3017
3543
3018
# A list of attributes that can not be pickled
3544
3019
# + secret.
3545
exclude = {"bus", "changedstate", "secret",
3546
"checker", "server_settings"}
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3547
3022
for name, typ in inspect.getmembers(dbus.service
3548
3023
.Object):
3549
3024
exclude.add(name)
3550
3025
3551
3026
client_dict["encrypted_secret"] = (client
3552
3027
.encrypted_secret)
3553
3028
for attr in client.client_structure:
3554
3029
if attr not in exclude:
3555
3030
client_dict[attr] = getattr(client, attr)
3556
3031
3557
3032
clients[client.name] = client_dict
3558
3033
del client_settings[client.name]["secret"]
3559
3034
3560
3035
try:
3561
3036
with tempfile.NamedTemporaryFile(
3562
3037
mode='wb',
3564
3039
prefix='clients-',
3565
3040
dir=os.path.dirname(stored_state_path),
3566
3041
delete=False) as stored_state:
3567
pickle.dump((clients, client_settings), stored_state,
3568
protocol=2)
3042
pickle.dump((clients, client_settings), stored_state)
3569
3043
tempname = stored_state.name
3570
3044
os.rename(tempname, stored_state_path)
3571
3045
except (IOError, OSError) as e:
3581
3055
logger.warning("Could not save persistent state:",
3582
3056
exc_info=e)
3583
3057
raise
3584
3058
3585
3059
# Delete all clients, and settings from config
3586
3060
while tcp_server.clients:
3587
3061
name, client = tcp_server.clients.popitem()
3590
3064
# Don't signal the disabling
3591
3065
client.disable(quiet=True)
3592
3066
# Emit D-Bus signal for removal
3593
if use_dbus:
3594
mandos_dbus_service.client_removed_signal(client)
3067
mandos_dbus_service.client_removed_signal(client)
3595
3068
client_settings.clear()
3596
3069
3597
3070
atexit.register(cleanup)
3598
3599
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3600
3073
if use_dbus:
3601
3074
# Emit D-Bus signal for adding
3602
3075
mandos_dbus_service.client_added_signal(client)
3603
3076
# Need to initiate checking of clients
3604
3077
if client.enabled:
3605
3078
client.init_checker()
3606
3079
3607
3080
tcp_server.enable()
3608
3081
tcp_server.server_activate()
3609
3082
3610
3083
# Find out what port we got
3611
3084
if zeroconf:
3612
3085
service.port = tcp_server.socket.getsockname()[1]
3617
3090
else: # IPv4
3618
3091
logger.info("Now listening on address %r, port %d",
3619
3092
*tcp_server.socket.getsockname())
3620
3621
# service.interface = tcp_server.socket.getsockname()[3]
3622
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3623
3096
try:
3624
3097
if zeroconf:
3625
3098
# From the Avahi example code
3630
3103
cleanup()
3631
3104
sys.exit(1)
3632
3105
# End of Avahi example code
3633
3634
GLib.io_add_watch(
3635
GLib.IOChannel.unix_new(tcp_server.fileno()),
3636
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3637
lambda *args, **kwargs: (tcp_server.handle_request
3638
(*args[2:], **kwargs) or True))
3639
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3640
3112
logger.debug("Starting main loop")
3641
3113
main_loop.run()
3642
3114
except AvahiError as error:
3651
3123
# Must run before the D-Bus bus name gets deregistered
3652
3124
cleanup()
3653
3125
3654
3655
def should_only_run_tests():
3656
parser = argparse.ArgumentParser(add_help=False)
3657
parser.add_argument("--check", action='store_true')
3658
args, unknown_args = parser.parse_known_args()
3659
run_tests = args.check
3660
if run_tests:
3661
# Remove --check argument from sys.argv
3662
sys.argv[1:] = unknown_args
3663
return run_tests
3664
3665
# Add all tests from doctest strings
3666
def load_tests(loader, tests, none):
3667
import doctest
3668
tests.addTests(doctest.DocTestSuite())
3669
return tests
3670
3126
3671
3127
if __name__ == '__main__':
3672
try:
3673
if should_only_run_tests():
3674
# Call using ./mandos --check [--verbose]
3675
unittest.main()
3676
else:
3677
main()
3678
finally:
3679
logging.shutdown()
3128
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0