To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.335
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.335
- Committer: Teddy Hogeborn
- Date: 2015-08-10 16:19:28 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150810161928-bnukog7l47j3pjix
Depend on Avahi and the network in the server's systemd service file.
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
* mandos.service ([Unit]/After): New; set to "network.target" and
"avahi-daemon.service".
([Unit]/RequisiteOverridable): New; set to "avahi-daemon.service".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -b
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
51
53
try:
52
54
import ConfigParser as configparser
53
55
except ImportError:
77
79
import itertools
78
80
import collections
79
81
import codecs
80
import unittest
81
82
82
83
import dbus
83
84
import dbus.service
84
import gi
85
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
86
90
from dbus.mainloop.glib import DBusGMainLoop
87
91
import ctypes
88
92
import ctypes.util
89
93
import xml.dom.minidom
90
94
import inspect
91
95
92
if sys.version_info.major == 2:
93
__metaclass__ = type
94
95
# Show warnings by default
96
if not sys.warnoptions:
97
import warnings
98
warnings.simplefilter("default")
99
100
# Try to find the value of SO_BINDTODEVICE:
101
96
try:
102
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
103
# newer, and it is also the most natural place for it:
104
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
105
98
except AttributeError:
106
99
try:
107
# This is where SO_BINDTODEVICE was up to and including Python
108
# 2.6, and also 3.2:
109
100
from IN import SO_BINDTODEVICE
110
101
except ImportError:
111
# In Python 2.7 it seems to have been removed entirely.
112
# Try running the C preprocessor:
113
try:
114
cc = subprocess.Popen(["cc", "--language=c", "-E",
115
"/dev/stdin"],
116
stdin=subprocess.PIPE,
117
stdout=subprocess.PIPE)
118
stdout = cc.communicate(
119
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
120
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
121
except (OSError, ValueError, IndexError):
122
# No value found
123
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
124
103
125
104
if sys.version_info.major == 2:
126
105
str = unicode
127
106
128
if sys.version_info < (3, 2):
129
configparser.Configparser = configparser.SafeConfigParser
130
131
version = "1.8.9"
107
version = "1.6.9"
132
108
stored_state_file = "clients.pickle"
133
109
134
110
logger = logging.getLogger()
135
logging.captureWarnings(True) # Show warnings via the logging system
136
111
syslogger = None
137
112
138
113
try:
139
114
if_nametoindex = ctypes.cdll.LoadLibrary(
140
115
ctypes.util.find_library("c")).if_nametoindex
141
116
except (OSError, AttributeError):
142
117
143
118
def if_nametoindex(interface):
144
119
"Get an interface index the hard way, i.e. using fcntl()"
145
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
150
125
return interface_index
151
126
152
127
153
def copy_function(func):
154
"""Make a copy of a function"""
155
if sys.version_info.major == 2:
156
return types.FunctionType(func.func_code,
157
func.func_globals,
158
func.func_name,
159
func.func_defaults,
160
func.func_closure)
161
else:
162
return types.FunctionType(func.__code__,
163
func.__globals__,
164
func.__name__,
165
func.__defaults__,
166
func.__closure__)
167
168
169
128
def initlogger(debug, level=logging.WARNING):
170
129
"""init logger and add loglevel"""
171
130
172
131
global syslogger
173
132
syslogger = (logging.handlers.SysLogHandler(
174
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
175
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
176
135
syslogger.setFormatter(logging.Formatter
177
136
('Mandos [%(process)d]: %(levelname)s:'
178
137
' %(message)s'))
179
138
logger.addHandler(syslogger)
180
139
181
140
if debug:
182
141
console = logging.StreamHandler()
183
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
193
152
pass
194
153
195
154
196
class PGPEngine:
155
class PGPEngine(object):
197
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
198
157
199
158
def __init__(self):
200
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
201
self.gpg = "gpg"
202
try:
203
output = subprocess.check_output(["gpgconf"])
204
for line in output.splitlines():
205
name, text, path = line.split(b":")
206
if name == b"gpg":
207
self.gpg = path
208
break
209
except OSError as e:
210
if e.errno != errno.ENOENT:
211
raise
212
160
self.gnupgargs = ['--batch',
213
'--homedir', self.tempdir,
161
'--home', self.tempdir,
214
162
'--force-mdc',
215
'--quiet']
216
# Only GPG version 1 has the --no-use-agent option.
217
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
218
self.gnupgargs.append("--no-use-agent")
219
163
'--quiet',
164
'--no-use-agent']
165
220
166
def __enter__(self):
221
167
return self
222
168
223
169
def __exit__(self, exc_type, exc_value, traceback):
224
170
self._cleanup()
225
171
return False
226
172
227
173
def __del__(self):
228
174
self._cleanup()
229
175
230
176
def _cleanup(self):
231
177
if self.tempdir is not None:
232
178
# Delete contents of tempdir
233
179
for root, dirs, files in os.walk(self.tempdir,
234
topdown=False):
180
topdown = False):
235
181
for filename in files:
236
182
os.remove(os.path.join(root, filename))
237
183
for dirname in dirs:
239
185
# Remove tempdir
240
186
os.rmdir(self.tempdir)
241
187
self.tempdir = None
242
188
243
189
def password_encode(self, password):
244
190
# Passphrase can not be empty and can not contain newlines or
245
191
# NUL bytes. So we prefix it and hex encode it.
250
196
.replace(b"\n", b"\\n")
251
197
.replace(b"\0", b"\\x00"))
252
198
return encoded
253
199
254
200
def encrypt(self, data, password):
255
201
passphrase = self.password_encode(password)
256
202
with tempfile.NamedTemporaryFile(
257
203
dir=self.tempdir) as passfile:
258
204
passfile.write(passphrase)
259
205
passfile.flush()
260
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
261
207
'--passphrase-file',
262
208
passfile.name]
263
209
+ self.gnupgargs,
264
stdin=subprocess.PIPE,
265
stdout=subprocess.PIPE,
266
stderr=subprocess.PIPE)
267
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
268
214
if proc.returncode != 0:
269
215
raise PGPError(err)
270
216
return ciphertext
271
217
272
218
def decrypt(self, data, password):
273
219
passphrase = self.password_encode(password)
274
220
with tempfile.NamedTemporaryFile(
275
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
276
222
passfile.write(passphrase)
277
223
passfile.flush()
278
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
279
225
'--passphrase-file',
280
226
passfile.name]
281
227
+ self.gnupgargs,
282
stdin=subprocess.PIPE,
283
stdout=subprocess.PIPE,
284
stderr=subprocess.PIPE)
285
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
286
232
if proc.returncode != 0:
287
233
raise PGPError(err)
288
234
return decrypted_plaintext
289
235
290
236
291
# Pretend that we have an Avahi module
292
class avahi:
293
"""This isn't so much a class as it is a module-like namespace."""
294
IF_UNSPEC = -1 # avahi-common/address.h
295
PROTO_UNSPEC = -1 # avahi-common/address.h
296
PROTO_INET = 0 # avahi-common/address.h
297
PROTO_INET6 = 1 # avahi-common/address.h
298
DBUS_NAME = "org.freedesktop.Avahi"
299
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
300
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
301
DBUS_PATH_SERVER = "/"
302
303
@staticmethod
304
def string_array_to_txt_array(t):
305
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
306
for s in t), signature="ay")
307
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
308
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
309
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
310
SERVER_INVALID = 0 # avahi-common/defs.h
311
SERVER_REGISTERING = 1 # avahi-common/defs.h
312
SERVER_RUNNING = 2 # avahi-common/defs.h
313
SERVER_COLLISION = 3 # avahi-common/defs.h
314
SERVER_FAILURE = 4 # avahi-common/defs.h
315
316
317
237
class AvahiError(Exception):
318
238
def __init__(self, value, *args, **kwargs):
319
239
self.value = value
329
249
pass
330
250
331
251
332
class AvahiService:
252
class AvahiService(object):
333
253
"""An Avahi (Zeroconf) service.
334
254
335
255
Attributes:
336
256
interface: integer; avahi.IF_UNSPEC or an interface index.
337
257
Used to optionally bind to the specified interface.
349
269
server: D-Bus Server
350
270
bus: dbus.SystemBus()
351
271
"""
352
272
353
273
def __init__(self,
354
interface=avahi.IF_UNSPEC,
355
name=None,
356
servicetype=None,
357
port=None,
358
TXT=None,
359
domain="",
360
host="",
361
max_renames=32768,
362
protocol=avahi.PROTO_UNSPEC,
363
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
364
284
self.interface = interface
365
285
self.name = name
366
286
self.type = servicetype
375
295
self.server = None
376
296
self.bus = bus
377
297
self.entry_group_state_changed_match = None
378
298
379
299
def rename(self, remove=True):
380
300
"""Derived from the Avahi example code"""
381
301
if self.rename_count >= self.max_renames:
401
321
logger.critical("D-Bus Exception", exc_info=error)
402
322
self.cleanup()
403
323
os._exit(1)
404
324
405
325
def remove(self):
406
326
"""Derived from the Avahi example code"""
407
327
if self.entry_group_state_changed_match is not None:
409
329
self.entry_group_state_changed_match = None
410
330
if self.group is not None:
411
331
self.group.Reset()
412
332
413
333
def add(self):
414
334
"""Derived from the Avahi example code"""
415
335
self.remove()
432
352
dbus.UInt16(self.port),
433
353
avahi.string_array_to_txt_array(self.TXT))
434
354
self.group.Commit()
435
355
436
356
def entry_group_state_changed(self, state, error):
437
357
"""Derived from the Avahi example code"""
438
358
logger.debug("Avahi entry group state change: %i", state)
439
359
440
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
441
361
logger.debug("Zeroconf service established.")
442
362
elif state == avahi.ENTRY_GROUP_COLLISION:
446
366
logger.critical("Avahi: Error in group state changed %s",
447
367
str(error))
448
368
raise AvahiGroupError("State changed: {!s}".format(error))
449
369
450
370
def cleanup(self):
451
371
"""Derived from the Avahi example code"""
452
372
if self.group is not None:
457
377
pass
458
378
self.group = None
459
379
self.remove()
460
380
461
381
def server_state_changed(self, state, error=None):
462
382
"""Derived from the Avahi example code"""
463
383
logger.debug("Avahi server state change: %i", state)
492
412
logger.debug("Unknown state: %r", state)
493
413
else:
494
414
logger.debug("Unknown state: %r: %r", state, error)
495
415
496
416
def activate(self):
497
417
"""Derived from the Avahi example code"""
498
418
if self.server is None:
509
429
class AvahiServiceToSyslog(AvahiService):
510
430
def rename(self, *args, **kwargs):
511
431
"""Add the new name to the syslog messages"""
512
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
432
ret = AvahiService.rename(self, *args, **kwargs)
513
433
syslogger.setFormatter(logging.Formatter(
514
434
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
515
435
.format(self.name)))
516
436
return ret
517
437
518
519
# Pretend that we have a GnuTLS module
520
class gnutls:
521
"""This isn't so much a class as it is a module-like namespace."""
522
523
library = ctypes.util.find_library("gnutls")
524
if library is None:
525
library = ctypes.util.find_library("gnutls-deb0")
526
_library = ctypes.cdll.LoadLibrary(library)
527
del library
528
529
# Unless otherwise indicated, the constants and types below are
530
# all from the gnutls/gnutls.h C header file.
531
532
# Constants
533
E_SUCCESS = 0
534
E_INTERRUPTED = -52
535
E_AGAIN = -28
536
CRT_OPENPGP = 2
537
CRT_RAWPK = 3
538
CLIENT = 2
539
SHUT_RDWR = 0
540
CRD_CERTIFICATE = 1
541
E_NO_CERTIFICATE_FOUND = -49
542
X509_FMT_DER = 0
543
NO_TICKETS = 1<<10
544
ENABLE_RAWPK = 1<<18
545
CTYPE_PEERS = 3
546
KEYID_USE_SHA256 = 1 # gnutls/x509.h
547
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
548
549
# Types
550
class session_int(ctypes.Structure):
551
_fields_ = []
552
session_t = ctypes.POINTER(session_int)
553
554
class certificate_credentials_st(ctypes.Structure):
555
_fields_ = []
556
certificate_credentials_t = ctypes.POINTER(
557
certificate_credentials_st)
558
certificate_type_t = ctypes.c_int
559
560
class datum_t(ctypes.Structure):
561
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
562
('size', ctypes.c_uint)]
563
564
class openpgp_crt_int(ctypes.Structure):
565
_fields_ = []
566
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
567
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
568
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
569
credentials_type_t = ctypes.c_int
570
transport_ptr_t = ctypes.c_void_p
571
close_request_t = ctypes.c_int
572
573
# Exceptions
574
class Error(Exception):
575
def __init__(self, message=None, code=None, args=()):
576
# Default usage is by a message string, but if a return
577
# code is passed, convert it to a string with
578
# gnutls.strerror()
579
self.code = code
580
if message is None and code is not None:
581
message = gnutls.strerror(code)
582
return super(gnutls.Error, self).__init__(
583
message, *args)
584
585
class CertificateSecurityError(Error):
586
pass
587
588
# Classes
589
class Credentials:
590
def __init__(self):
591
self._c_object = gnutls.certificate_credentials_t()
592
gnutls.certificate_allocate_credentials(
593
ctypes.byref(self._c_object))
594
self.type = gnutls.CRD_CERTIFICATE
595
596
def __del__(self):
597
gnutls.certificate_free_credentials(self._c_object)
598
599
class ClientSession:
600
def __init__(self, socket, credentials=None):
601
self._c_object = gnutls.session_t()
602
gnutls_flags = gnutls.CLIENT
603
if gnutls.check_version(b"3.5.6"):
604
gnutls_flags |= gnutls.NO_TICKETS
605
if gnutls.has_rawpk:
606
gnutls_flags |= gnutls.ENABLE_RAWPK
607
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
608
del gnutls_flags
609
gnutls.set_default_priority(self._c_object)
610
gnutls.transport_set_ptr(self._c_object, socket.fileno())
611
gnutls.handshake_set_private_extensions(self._c_object,
612
True)
613
self.socket = socket
614
if credentials is None:
615
credentials = gnutls.Credentials()
616
gnutls.credentials_set(self._c_object, credentials.type,
617
ctypes.cast(credentials._c_object,
618
ctypes.c_void_p))
619
self.credentials = credentials
620
621
def __del__(self):
622
gnutls.deinit(self._c_object)
623
624
def handshake(self):
625
return gnutls.handshake(self._c_object)
626
627
def send(self, data):
628
data = bytes(data)
629
data_len = len(data)
630
while data_len > 0:
631
data_len -= gnutls.record_send(self._c_object,
632
data[-data_len:],
633
data_len)
634
635
def bye(self):
636
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
637
638
# Error handling functions
639
def _error_code(result):
640
"""A function to raise exceptions on errors, suitable
641
for the 'restype' attribute on ctypes functions"""
642
if result >= 0:
643
return result
644
if result == gnutls.E_NO_CERTIFICATE_FOUND:
645
raise gnutls.CertificateSecurityError(code=result)
646
raise gnutls.Error(code=result)
647
648
def _retry_on_error(result, func, arguments):
649
"""A function to retry on some errors, suitable
650
for the 'errcheck' attribute on ctypes functions"""
651
while result < 0:
652
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
653
return _error_code(result)
654
result = func(*arguments)
655
return result
656
657
# Unless otherwise indicated, the function declarations below are
658
# all from the gnutls/gnutls.h C header file.
659
660
# Functions
661
priority_set_direct = _library.gnutls_priority_set_direct
662
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
663
ctypes.POINTER(ctypes.c_char_p)]
664
priority_set_direct.restype = _error_code
665
666
init = _library.gnutls_init
667
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
668
init.restype = _error_code
669
670
set_default_priority = _library.gnutls_set_default_priority
671
set_default_priority.argtypes = [session_t]
672
set_default_priority.restype = _error_code
673
674
record_send = _library.gnutls_record_send
675
record_send.argtypes = [session_t, ctypes.c_void_p,
676
ctypes.c_size_t]
677
record_send.restype = ctypes.c_ssize_t
678
record_send.errcheck = _retry_on_error
679
680
certificate_allocate_credentials = (
681
_library.gnutls_certificate_allocate_credentials)
682
certificate_allocate_credentials.argtypes = [
683
ctypes.POINTER(certificate_credentials_t)]
684
certificate_allocate_credentials.restype = _error_code
685
686
certificate_free_credentials = (
687
_library.gnutls_certificate_free_credentials)
688
certificate_free_credentials.argtypes = [
689
certificate_credentials_t]
690
certificate_free_credentials.restype = None
691
692
handshake_set_private_extensions = (
693
_library.gnutls_handshake_set_private_extensions)
694
handshake_set_private_extensions.argtypes = [session_t,
695
ctypes.c_int]
696
handshake_set_private_extensions.restype = None
697
698
credentials_set = _library.gnutls_credentials_set
699
credentials_set.argtypes = [session_t, credentials_type_t,
700
ctypes.c_void_p]
701
credentials_set.restype = _error_code
702
703
strerror = _library.gnutls_strerror
704
strerror.argtypes = [ctypes.c_int]
705
strerror.restype = ctypes.c_char_p
706
707
certificate_type_get = _library.gnutls_certificate_type_get
708
certificate_type_get.argtypes = [session_t]
709
certificate_type_get.restype = _error_code
710
711
certificate_get_peers = _library.gnutls_certificate_get_peers
712
certificate_get_peers.argtypes = [session_t,
713
ctypes.POINTER(ctypes.c_uint)]
714
certificate_get_peers.restype = ctypes.POINTER(datum_t)
715
716
global_set_log_level = _library.gnutls_global_set_log_level
717
global_set_log_level.argtypes = [ctypes.c_int]
718
global_set_log_level.restype = None
719
720
global_set_log_function = _library.gnutls_global_set_log_function
721
global_set_log_function.argtypes = [log_func]
722
global_set_log_function.restype = None
723
724
deinit = _library.gnutls_deinit
725
deinit.argtypes = [session_t]
726
deinit.restype = None
727
728
handshake = _library.gnutls_handshake
729
handshake.argtypes = [session_t]
730
handshake.restype = _error_code
731
handshake.errcheck = _retry_on_error
732
733
transport_set_ptr = _library.gnutls_transport_set_ptr
734
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
735
transport_set_ptr.restype = None
736
737
bye = _library.gnutls_bye
738
bye.argtypes = [session_t, close_request_t]
739
bye.restype = _error_code
740
bye.errcheck = _retry_on_error
741
742
check_version = _library.gnutls_check_version
743
check_version.argtypes = [ctypes.c_char_p]
744
check_version.restype = ctypes.c_char_p
745
746
_need_version = b"3.3.0"
747
if check_version(_need_version) is None:
748
raise self.Error("Needs GnuTLS {} or later"
749
.format(_need_version))
750
751
_tls_rawpk_version = b"3.6.6"
752
has_rawpk = bool(check_version(_tls_rawpk_version))
753
754
if has_rawpk:
755
# Types
756
class pubkey_st(ctypes.Structure):
757
_fields = []
758
pubkey_t = ctypes.POINTER(pubkey_st)
759
760
x509_crt_fmt_t = ctypes.c_int
761
762
# All the function declarations below are from gnutls/abstract.h
763
pubkey_init = _library.gnutls_pubkey_init
764
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
765
pubkey_init.restype = _error_code
766
767
pubkey_import = _library.gnutls_pubkey_import
768
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
769
x509_crt_fmt_t]
770
pubkey_import.restype = _error_code
771
772
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
773
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
774
ctypes.POINTER(ctypes.c_ubyte),
775
ctypes.POINTER(ctypes.c_size_t)]
776
pubkey_get_key_id.restype = _error_code
777
778
pubkey_deinit = _library.gnutls_pubkey_deinit
779
pubkey_deinit.argtypes = [pubkey_t]
780
pubkey_deinit.restype = None
781
else:
782
# All the function declarations below are from gnutls/openpgp.h
783
784
openpgp_crt_init = _library.gnutls_openpgp_crt_init
785
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
786
openpgp_crt_init.restype = _error_code
787
788
openpgp_crt_import = _library.gnutls_openpgp_crt_import
789
openpgp_crt_import.argtypes = [openpgp_crt_t,
790
ctypes.POINTER(datum_t),
791
openpgp_crt_fmt_t]
792
openpgp_crt_import.restype = _error_code
793
794
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
795
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
796
ctypes.POINTER(ctypes.c_uint)]
797
openpgp_crt_verify_self.restype = _error_code
798
799
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
800
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
801
openpgp_crt_deinit.restype = None
802
803
openpgp_crt_get_fingerprint = (
804
_library.gnutls_openpgp_crt_get_fingerprint)
805
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
806
ctypes.c_void_p,
807
ctypes.POINTER(
808
ctypes.c_size_t)]
809
openpgp_crt_get_fingerprint.restype = _error_code
810
811
if check_version(b"3.6.4"):
812
certificate_type_get2 = _library.gnutls_certificate_type_get2
813
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
814
certificate_type_get2.restype = _error_code
815
816
# Remove non-public functions
817
del _error_code, _retry_on_error
818
819
820
438
def call_pipe(connection, # : multiprocessing.Connection
821
439
func, *args, **kwargs):
822
440
"""This function is meant to be called by multiprocessing.Process
823
441
824
442
This function runs func(*args, **kwargs), and writes the resulting
825
443
return value on the provided multiprocessing.Connection.
826
444
"""
827
445
connection.send(func(*args, **kwargs))
828
446
connection.close()
829
447
830
831
class Client:
448
class Client(object):
832
449
"""A representation of a client host served by this server.
833
450
834
451
Attributes:
835
452
approved: bool(); 'None' if not yet approved/disapproved
836
453
approval_delay: datetime.timedelta(); Time to wait for approval
837
454
approval_duration: datetime.timedelta(); Duration of one approval
838
checker: multiprocessing.Process(); a running checker process used
839
to see if the client lives. 'None' if no process is
840
running.
841
checker_callback_tag: a GLib event source tag, or None
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
842
459
checker_command: string; External command which is run to check
843
460
if client lives. %() expansions are done at
844
461
runtime with vars(self) as dict, so that for
845
462
instance %(name)s can be used in the command.
846
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
847
464
created: datetime.datetime(); (UTC) object creation
848
465
client_structure: Object describing what attributes a client has
849
466
and is used for storing the client at exit
850
467
current_checker_command: string; current running checker_command
851
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
852
469
enabled: bool()
853
470
fingerprint: string (40 or 32 hexadecimal digits); used to
854
uniquely identify an OpenPGP client
855
key_id: string (64 hexadecimal digits); used to uniquely identify
856
a client using raw public keys
471
uniquely identify the client
857
472
host: string; available for use by the checker command
858
473
interval: datetime.timedelta(); How often to start a new checker
859
474
last_approval_request: datetime.datetime(); (UTC) or None
875
490
disabled, or None
876
491
server_settings: The server_settings dict from main()
877
492
"""
878
493
879
494
runtime_expansions = ("approval_delay", "approval_duration",
880
"created", "enabled", "expires", "key_id",
495
"created", "enabled", "expires",
881
496
"fingerprint", "host", "interval",
882
497
"last_approval_request", "last_checked_ok",
883
498
"last_enabled", "name", "timeout")
892
507
"approved_by_default": "True",
893
508
"enabled": "True",
894
509
}
895
510
896
511
@staticmethod
897
512
def config_parser(config):
898
513
"""Construct a new dict of client settings of this form:
905
520
for client_name in config.sections():
906
521
section = dict(config.items(client_name))
907
522
client = settings[client_name] = {}
908
523
909
524
client["host"] = section["host"]
910
525
# Reformat values from string types to Python types
911
526
client["approved_by_default"] = config.getboolean(
912
527
client_name, "approved_by_default")
913
528
client["enabled"] = config.getboolean(client_name,
914
529
"enabled")
915
916
# Uppercase and remove spaces from key_id and fingerprint
917
# for later comparison purposes with return value from the
918
# key_id() and fingerprint() functions
919
client["key_id"] = (section.get("key_id", "").upper()
920
.replace(" ", ""))
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
921
534
client["fingerprint"] = (section["fingerprint"].upper()
922
535
.replace(" ", ""))
923
536
if "secret" in section:
924
client["secret"] = codecs.decode(section["secret"]
925
.encode("utf-8"),
926
"base64")
537
client["secret"] = section["secret"].decode("base64")
927
538
elif "secfile" in section:
928
539
with open(os.path.expanduser(os.path.expandvars
929
540
(section["secfile"])),
944
555
client["last_approval_request"] = None
945
556
client["last_checked_ok"] = None
946
557
client["last_checker_status"] = -2
947
558
948
559
return settings
949
950
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
951
562
self.name = name
952
563
if server_settings is None:
953
564
server_settings = {}
955
566
# adding all client settings
956
567
for setting, value in settings.items():
957
568
setattr(self, setting, value)
958
569
959
570
if self.enabled:
960
571
if not hasattr(self, "last_enabled"):
961
572
self.last_enabled = datetime.datetime.utcnow()
965
576
else:
966
577
self.last_enabled = None
967
578
self.expires = None
968
579
969
580
logger.debug("Creating client %r", self.name)
970
logger.debug(" Key ID: %s", self.key_id)
971
581
logger.debug(" Fingerprint: %s", self.fingerprint)
972
582
self.created = settings.get("created",
973
583
datetime.datetime.utcnow())
974
584
975
585
# attributes specific for this server instance
976
586
self.checker = None
977
587
self.checker_initiator_tag = None
983
593
self.changedstate = multiprocessing_manager.Condition(
984
594
multiprocessing_manager.Lock())
985
595
self.client_structure = [attr
986
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
987
597
if not attr.startswith("_")]
988
598
self.client_structure.append("client_structure")
989
599
990
600
for name, t in inspect.getmembers(
991
601
type(self), lambda obj: isinstance(obj, property)):
992
602
if not name.startswith("_"):
993
603
self.client_structure.append(name)
994
604
995
605
# Send notice to process children that client state has changed
996
606
def send_changedstate(self):
997
607
with self.changedstate:
998
608
self.changedstate.notify_all()
999
609
1000
610
def enable(self):
1001
611
"""Start this client's checker and timeout hooks"""
1002
612
if getattr(self, "enabled", False):
1007
617
self.last_enabled = datetime.datetime.utcnow()
1008
618
self.init_checker()
1009
619
self.send_changedstate()
1010
620
1011
621
def disable(self, quiet=True):
1012
622
"""Disable this client."""
1013
623
if not getattr(self, "enabled", False):
1015
625
if not quiet:
1016
626
logger.info("Disabling client %s", self.name)
1017
627
if getattr(self, "disable_initiator_tag", None) is not None:
1018
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
1019
629
self.disable_initiator_tag = None
1020
630
self.expires = None
1021
631
if getattr(self, "checker_initiator_tag", None) is not None:
1022
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
1023
633
self.checker_initiator_tag = None
1024
634
self.stop_checker()
1025
635
self.enabled = False
1026
636
if not quiet:
1027
637
self.send_changedstate()
1028
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
1029
639
return False
1030
640
1031
641
def __del__(self):
1032
642
self.disable()
1033
643
1034
644
def init_checker(self):
1035
645
# Schedule a new checker to be started an 'interval' from now,
1036
646
# and every interval from then on.
1037
647
if self.checker_initiator_tag is not None:
1038
GLib.source_remove(self.checker_initiator_tag)
1039
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1040
650
int(self.interval.total_seconds() * 1000),
1041
651
self.start_checker)
1042
652
# Schedule a disable() when 'timeout' has passed
1043
653
if self.disable_initiator_tag is not None:
1044
GLib.source_remove(self.disable_initiator_tag)
1045
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1046
656
int(self.timeout.total_seconds() * 1000), self.disable)
1047
657
# Also start a new checker *right now*.
1048
658
self.start_checker()
1049
659
1050
660
def checker_callback(self, source, condition, connection,
1051
661
command):
1052
662
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
1053
665
# Read return code from connection (see call_pipe)
1054
666
returncode = connection.recv()
1055
667
connection.close()
1056
if self.checker is not None:
1057
self.checker.join()
1058
self.checker_callback_tag = None
1059
self.checker = None
1060
668
1061
669
if returncode >= 0:
1062
670
self.last_checker_status = returncode
1063
671
self.last_checker_signal = None
1073
681
logger.warning("Checker for %(name)s crashed?",
1074
682
vars(self))
1075
683
return False
1076
684
1077
685
def checked_ok(self):
1078
686
"""Assert that the client has been seen, alive and well."""
1079
687
self.last_checked_ok = datetime.datetime.utcnow()
1080
688
self.last_checker_status = 0
1081
689
self.last_checker_signal = None
1082
690
self.bump_timeout()
1083
691
1084
692
def bump_timeout(self, timeout=None):
1085
693
"""Bump up the timeout for this client."""
1086
694
if timeout is None:
1087
695
timeout = self.timeout
1088
696
if self.disable_initiator_tag is not None:
1089
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1090
698
self.disable_initiator_tag = None
1091
699
if getattr(self, "enabled", False):
1092
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1093
701
int(timeout.total_seconds() * 1000), self.disable)
1094
702
self.expires = datetime.datetime.utcnow() + timeout
1095
703
1096
704
def need_approval(self):
1097
705
self.last_approval_request = datetime.datetime.utcnow()
1098
706
1099
707
def start_checker(self):
1100
708
"""Start a new checker subprocess if one is not running.
1101
709
1102
710
If a checker already exists, leave it running and do
1103
711
nothing."""
1104
712
# The reason for not killing a running checker is that if we
1109
717
# checkers alone, the checker would have to take more time
1110
718
# than 'timeout' for the client to be disabled, which is as it
1111
719
# should be.
1112
720
1113
721
if self.checker is not None and not self.checker.is_alive():
1114
722
logger.warning("Checker was not alive; joining")
1115
723
self.checker.join()
1119
727
# Escape attributes for the shell
1120
728
escaped_attrs = {
1121
729
attr: re.escape(str(getattr(self, attr)))
1122
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1123
731
try:
1124
732
command = self.checker_command % escaped_attrs
1125
733
except TypeError as error:
1137
745
# The exception is when not debugging but nevertheless
1138
746
# running in the foreground; use the previously
1139
747
# created wnull.
1140
popen_args = {"close_fds": True,
1141
"shell": True,
1142
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1143
751
if (not self.server_settings["debug"]
1144
752
and self.server_settings["foreground"]):
1145
753
popen_args.update({"stdout": wnull,
1146
"stderr": wnull})
1147
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1148
756
self.checker = multiprocessing.Process(
1149
target=call_pipe,
1150
args=(pipe[1], subprocess.call, command),
1151
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1152
760
self.checker.start()
1153
self.checker_callback_tag = GLib.io_add_watch(
1154
GLib.IOChannel.unix_new(pipe[0].fileno()),
1155
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1156
763
self.checker_callback, pipe[0], command)
1157
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1158
765
return True
1159
766
1160
767
def stop_checker(self):
1161
768
"""Force the checker process, if any, to stop."""
1162
769
if self.checker_callback_tag:
1163
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1164
771
self.checker_callback_tag = None
1165
772
if getattr(self, "checker", None) is None:
1166
773
return
1175
782
byte_arrays=False):
1176
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1177
784
become properties on the D-Bus.
1178
785
1179
786
The decorated method will be called with no arguments by "Get"
1180
787
and with one argument by "Set".
1181
788
1182
789
The parameters, where they are supported, are the same as
1183
790
dbus.service.method, except there is only "signature", since the
1184
791
type from Get() and the type sent to Set() is the same.
1188
795
if byte_arrays and signature != "ay":
1189
796
raise ValueError("Byte arrays not supported for non-'ay'"
1190
797
" signature {!r}".format(signature))
1191
798
1192
799
def decorator(func):
1193
800
func._dbus_is_property = True
1194
801
func._dbus_interface = dbus_interface
1197
804
func._dbus_name = func.__name__
1198
805
if func._dbus_name.endswith("_dbus_property"):
1199
806
func._dbus_name = func._dbus_name[:-14]
1200
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1201
808
return func
1202
809
1203
810
return decorator
1204
811
1205
812
1206
813
def dbus_interface_annotations(dbus_interface):
1207
814
"""Decorator for marking functions returning interface annotations
1208
815
1209
816
Usage:
1210
817
1211
818
@dbus_interface_annotations("org.example.Interface")
1212
819
def _foo(self): # Function name does not matter
1213
820
return {"org.freedesktop.DBus.Deprecated": "true",
1214
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1215
822
"false"}
1216
823
"""
1217
824
1218
825
def decorator(func):
1219
826
func._dbus_is_interface = True
1220
827
func._dbus_interface = dbus_interface
1221
828
func._dbus_name = dbus_interface
1222
829
return func
1223
830
1224
831
return decorator
1225
832
1226
833
1227
834
def dbus_annotations(annotations):
1228
835
"""Decorator to annotate D-Bus methods, signals or properties
1229
836
Usage:
1230
837
1231
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1232
839
"org.freedesktop.DBus.Property."
1233
840
"EmitsChangedSignal": "false"})
1235
842
access="r")
1236
843
def Property_dbus_property(self):
1237
844
return dbus.Boolean(False)
1238
845
1239
846
See also the DBusObjectWithAnnotations class.
1240
847
"""
1241
848
1242
849
def decorator(func):
1243
850
func._dbus_annotations = annotations
1244
851
return func
1245
852
1246
853
return decorator
1247
854
1248
855
1266
873
1267
874
class DBusObjectWithAnnotations(dbus.service.Object):
1268
875
"""A D-Bus object with annotations.
1269
876
1270
877
Classes inheriting from this can use the dbus_annotations
1271
878
decorator to add annotations to methods or signals.
1272
879
"""
1273
880
1274
881
@staticmethod
1275
882
def _is_dbus_thing(thing):
1276
883
"""Returns a function testing if an attribute is a D-Bus thing
1277
884
1278
885
If called like _is_dbus_thing("method") it returns a function
1279
886
suitable for use as predicate to inspect.getmembers().
1280
887
"""
1281
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1282
889
False)
1283
890
1284
891
def _get_all_dbus_things(self, thing):
1285
892
"""Returns a generator of (name, attribute) pairs
1286
893
"""
1289
896
for cls in self.__class__.__mro__
1290
897
for name, athing in
1291
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1292
899
1293
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1294
out_signature="s",
1295
path_keyword='object_path',
1296
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1297
904
def Introspect(self, object_path, connection):
1298
905
"""Overloading of standard D-Bus method.
1299
906
1300
907
Inserts annotation tags on methods and signals.
1301
908
"""
1302
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1303
910
connection)
1304
911
try:
1305
912
document = xml.dom.minidom.parseString(xmlstring)
1306
913
1307
914
for if_tag in document.getElementsByTagName("interface"):
1308
915
# Add annotation tags
1309
916
for typ in ("method", "signal"):
1336
943
if_tag.appendChild(ann_tag)
1337
944
# Fix argument name for the Introspect method itself
1338
945
if (if_tag.getAttribute("name")
1339
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1340
947
for cn in if_tag.getElementsByTagName("method"):
1341
948
if cn.getAttribute("name") == "Introspect":
1342
949
for arg in cn.getElementsByTagName("arg"):
1355
962
1356
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1357
964
"""A D-Bus object with properties.
1358
965
1359
966
Classes inheriting from this can use the dbus_service_property
1360
967
decorator to expose methods as D-Bus properties. It exposes the
1361
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1362
969
"""
1363
970
1364
971
def _get_dbus_property(self, interface_name, property_name):
1365
972
"""Returns a bound method if one exists which is a D-Bus
1366
973
property with the specified name and interface.
1371
978
if (value._dbus_name == property_name
1372
979
and value._dbus_interface == interface_name):
1373
980
return value.__get__(self)
1374
981
1375
982
# No such property
1376
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1377
984
self.dbus_object_path, interface_name, property_name))
1378
985
1379
986
@classmethod
1380
987
def _get_all_interface_names(cls):
1381
988
"""Get a sequence of all interfaces supported by an object"""
1384
991
for x in (inspect.getmro(cls))
1385
992
for attr in dir(x))
1386
993
if name is not None)
1387
994
1388
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1389
996
in_signature="ss",
1390
997
out_signature="v")
1398
1005
if not hasattr(value, "variant_level"):
1399
1006
return value
1400
1007
return type(value)(value, variant_level=value.variant_level+1)
1401
1008
1402
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1403
1010
def Set(self, interface_name, property_name, value):
1404
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1416
1023
value = dbus.ByteArray(b''.join(chr(byte)
1417
1024
for byte in value))
1418
1025
prop(value)
1419
1026
1420
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1421
1028
in_signature="s",
1422
1029
out_signature="a{sv}")
1423
1030
def GetAll(self, interface_name):
1424
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1425
1032
standard.
1426
1033
1427
1034
Note: Will not include properties with access="write".
1428
1035
"""
1429
1036
properties = {}
1440
1047
properties[name] = value
1441
1048
continue
1442
1049
properties[name] = type(value)(
1443
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1444
1051
return dbus.Dictionary(properties, signature="sv")
1445
1052
1446
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1447
1054
def PropertiesChanged(self, interface_name, changed_properties,
1448
1055
invalidated_properties):
1450
1057
standard.
1451
1058
"""
1452
1059
pass
1453
1060
1454
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1455
1062
out_signature="s",
1456
1063
path_keyword='object_path',
1457
1064
connection_keyword='connection')
1458
1065
def Introspect(self, object_path, connection):
1459
1066
"""Overloading of standard D-Bus method.
1460
1067
1461
1068
Inserts property tags and interface annotation tags.
1462
1069
"""
1463
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1465
1072
connection)
1466
1073
try:
1467
1074
document = xml.dom.minidom.parseString(xmlstring)
1468
1075
1469
1076
def make_tag(document, name, prop):
1470
1077
e = document.createElement("property")
1471
1078
e.setAttribute("name", name)
1472
1079
e.setAttribute("type", prop._dbus_signature)
1473
1080
e.setAttribute("access", prop._dbus_access)
1474
1081
return e
1475
1082
1476
1083
for if_tag in document.getElementsByTagName("interface"):
1477
1084
# Add property tags
1478
1085
for tag in (make_tag(document, name, prop)
1520
1127
exc_info=error)
1521
1128
return xmlstring
1522
1129
1523
1524
1130
try:
1525
1131
dbus.OBJECT_MANAGER_IFACE
1526
1132
except AttributeError:
1527
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1528
1134
1529
1530
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1531
1136
"""A D-Bus object with an ObjectManager.
1532
1137
1533
1138
Classes inheriting from this exposes the standard
1534
1139
GetManagedObjects call and the InterfacesAdded and
1535
1140
InterfacesRemoved signals on the standard
1536
1141
"org.freedesktop.DBus.ObjectManager" interface.
1537
1142
1538
1143
Note: No signals are sent automatically; they must be sent
1539
1144
manually.
1540
1145
"""
1541
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1542
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1543
1148
def GetManagedObjects(self):
1544
1149
"""This function must be overridden"""
1545
1150
raise NotImplementedError()
1546
1151
1547
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1548
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1549
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1550
1155
pass
1551
1552
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1553
1158
def InterfacesRemoved(self, object_path, interfaces):
1554
1159
pass
1555
1160
1556
1161
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1557
out_signature="s",
1558
path_keyword='object_path',
1559
connection_keyword='connection')
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1560
1165
def Introspect(self, object_path, connection):
1561
1166
"""Overloading of standard D-Bus method.
1562
1167
1563
1168
Override return argument name of GetManagedObjects to be
1564
1169
"objpath_interfaces_and_properties"
1565
1170
"""
1568
1173
connection)
1569
1174
try:
1570
1175
document = xml.dom.minidom.parseString(xmlstring)
1571
1176
1572
1177
for if_tag in document.getElementsByTagName("interface"):
1573
1178
# Fix argument name for the GetManagedObjects method
1574
1179
if (if_tag.getAttribute("name")
1575
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1576
1181
for cn in if_tag.getElementsByTagName("method"):
1577
1182
if (cn.getAttribute("name")
1578
1183
== "GetManagedObjects"):
1588
1193
except (AttributeError, xml.dom.DOMException,
1589
1194
xml.parsers.expat.ExpatError) as error:
1590
1195
logger.error("Failed to override Introspection method",
1591
exc_info=error)
1196
exc_info = error)
1592
1197
return xmlstring
1593
1198
1594
1595
1199
def datetime_to_dbus(dt, variant_level=0):
1596
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1597
1201
if dt is None:
1598
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1599
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1600
1204
1601
1205
1604
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1605
1209
interface names according to the "alt_interface_names" mapping.
1606
1210
Usage:
1607
1211
1608
1212
@alternate_dbus_interfaces({"org.example.Interface":
1609
1213
"net.example.AlternateInterface"})
1610
1214
class SampleDBusObject(dbus.service.Object):
1611
1215
@dbus.service.method("org.example.Interface")
1612
1216
def SampleDBusMethod():
1613
1217
pass
1614
1218
1615
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1616
1220
reachable via two interfaces: "org.example.Interface" and
1617
1221
"net.example.AlternateInterface", the latter of which will have
1618
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1619
1223
"true", unless "deprecate" is passed with a False value.
1620
1224
1621
1225
This works for methods and signals, and also for D-Bus properties
1622
1226
(from DBusObjectWithProperties) and interfaces (from the
1623
1227
dbus_interface_annotations decorator).
1624
1228
"""
1625
1229
1626
1230
def wrapper(cls):
1627
1231
for orig_interface_name, alt_interface_name in (
1628
1232
alt_interface_names.items()):
1643
1247
interface_names.add(alt_interface)
1644
1248
# Is this a D-Bus signal?
1645
1249
if getattr(attribute, "_dbus_is_signal", False):
1646
# Extract the original non-method undecorated
1647
# function by black magic
1648
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1649
1253
nonmethod_func = (dict(
1650
1254
zip(attribute.func_code.co_freevars,
1651
1255
attribute.__closure__))
1652
1256
["func"].cell_contents)
1653
1257
else:
1654
nonmethod_func = (dict(
1655
zip(attribute.__code__.co_freevars,
1656
attribute.__closure__))
1657
["func"].cell_contents)
1258
nonmethod_func = attribute
1658
1259
# Create a new, but exactly alike, function
1659
1260
# object, and decorate it to be a new D-Bus signal
1660
1261
# with the alternate D-Bus interface name
1661
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1662
1276
new_function = (dbus.service.signal(
1663
1277
alt_interface,
1664
1278
attribute._dbus_signature)(new_function))
1668
1282
attribute._dbus_annotations)
1669
1283
except AttributeError:
1670
1284
pass
1671
1672
1285
# Define a creator of a function to call both the
1673
1286
# original and alternate functions, so both the
1674
1287
# original and alternate signals gets sent when
1677
1290
"""This function is a scope container to pass
1678
1291
func1 and func2 to the "call_both" function
1679
1292
outside of its arguments"""
1680
1293
1681
1294
@functools.wraps(func2)
1682
1295
def call_both(*args, **kwargs):
1683
1296
"""This function will emit two D-Bus
1684
1297
signals by calling func1 and func2"""
1685
1298
func1(*args, **kwargs)
1686
1299
func2(*args, **kwargs)
1687
# Make wrapper function look like a D-Bus
1688
# signal
1300
# Make wrapper function look like a D-Bus signal
1689
1301
for name, attr in inspect.getmembers(func2):
1690
1302
if name.startswith("_dbus_"):
1691
1303
setattr(call_both, name, attr)
1692
1304
1693
1305
return call_both
1694
1306
# Create the "call_both" function and add it to
1695
1307
# the class
1705
1317
alt_interface,
1706
1318
attribute._dbus_in_signature,
1707
1319
attribute._dbus_out_signature)
1708
(copy_function(attribute)))
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1709
1325
# Copy annotations, if any
1710
1326
try:
1711
1327
attr[attrname]._dbus_annotations = dict(
1723
1339
attribute._dbus_access,
1724
1340
attribute._dbus_get_args_options
1725
1341
["byte_arrays"])
1726
(copy_function(attribute)))
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1727
1348
# Copy annotations, if any
1728
1349
try:
1729
1350
attr[attrname]._dbus_annotations = dict(
1738
1359
# to the class.
1739
1360
attr[attrname] = (
1740
1361
dbus_interface_annotations(alt_interface)
1741
(copy_function(attribute)))
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1742
1367
if deprecate:
1743
1368
# Deprecate all alternate interfaces
1744
iname = "_AlternateDBusNames_interface_annotation{}"
1369
iname="_AlternateDBusNames_interface_annotation{}"
1745
1370
for interface_name in interface_names:
1746
1371
1747
1372
@dbus_interface_annotations(interface_name)
1748
1373
def func(self):
1749
return {"org.freedesktop.DBus.Deprecated":
1750
"true"}
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1751
1376
# Find an unused name
1752
1377
for aname in (iname.format(i)
1753
1378
for i in itertools.count()):
1757
1382
if interface_names:
1758
1383
# Replace the class with a new subclass of it with
1759
1384
# methods, signals, etc. as created above.
1760
if sys.version_info.major == 2:
1761
cls = type(b"{}Alternate".format(cls.__name__),
1762
(cls, ), attr)
1763
else:
1764
cls = type("{}Alternate".format(cls.__name__),
1765
(cls, ), attr)
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1766
1387
return cls
1767
1388
1768
1389
return wrapper
1769
1390
1770
1391
1772
1393
"se.bsnet.fukt.Mandos"})
1773
1394
class ClientDBus(Client, DBusObjectWithProperties):
1774
1395
"""A Client class using D-Bus
1775
1396
1776
1397
Attributes:
1777
1398
dbus_object_path: dbus.ObjectPath
1778
1399
bus: dbus.SystemBus()
1779
1400
"""
1780
1401
1781
1402
runtime_expansions = (Client.runtime_expansions
1782
1403
+ ("dbus_object_path", ))
1783
1404
1784
1405
_interface = "se.recompile.Mandos.Client"
1785
1406
1786
1407
# dbus.service.Object doesn't use super(), so we can't either.
1787
1788
def __init__(self, bus=None, *args, **kwargs):
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1789
1410
self.bus = bus
1790
1411
Client.__init__(self, *args, **kwargs)
1791
1412
# Only now, when this client is initialized, can it show up on
1797
1418
"/clients/" + client_object_name)
1798
1419
DBusObjectWithProperties.__init__(self, self.bus,
1799
1420
self.dbus_object_path)
1800
1421
1801
1422
def notifychangeproperty(transform_func, dbus_name,
1802
1423
type_func=lambda x: x,
1803
1424
variant_level=1,
1805
1426
_interface=_interface):
1806
1427
""" Modify a variable so that it's a property which announces
1807
1428
its changes to DBus.
1808
1429
1809
1430
transform_fun: Function that takes a value and a variant_level
1810
1431
and transforms it to a D-Bus type.
1811
1432
dbus_name: D-Bus name of the variable
1814
1435
variant_level: D-Bus variant level. Default: 1
1815
1436
"""
1816
1437
attrname = "_{}".format(dbus_name)
1817
1438
1818
1439
def setter(self, value):
1819
1440
if hasattr(self, "dbus_object_path"):
1820
1441
if (not hasattr(self, attrname) or
1827
1448
else:
1828
1449
dbus_value = transform_func(
1829
1450
type_func(value),
1830
variant_level=variant_level)
1451
variant_level = variant_level)
1831
1452
self.PropertyChanged(dbus.String(dbus_name),
1832
1453
dbus_value)
1833
1454
self.PropertiesChanged(
1834
1455
_interface,
1835
dbus.Dictionary({dbus.String(dbus_name):
1836
dbus_value}),
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1837
1458
dbus.Array())
1838
1459
setattr(self, attrname, value)
1839
1460
1840
1461
return property(lambda self: getattr(self, attrname), setter)
1841
1462
1842
1463
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1843
1464
approvals_pending = notifychangeproperty(dbus.Boolean,
1844
1465
"ApprovalPending",
1845
type_func=bool)
1466
type_func = bool)
1846
1467
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1847
1468
last_enabled = notifychangeproperty(datetime_to_dbus,
1848
1469
"LastEnabled")
1849
1470
checker = notifychangeproperty(
1850
1471
dbus.Boolean, "CheckerRunning",
1851
type_func=lambda checker: checker is not None)
1472
type_func = lambda checker: checker is not None)
1852
1473
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1853
1474
"LastCheckedOK")
1854
1475
last_checker_status = notifychangeproperty(dbus.Int16,
1859
1480
"ApprovedByDefault")
1860
1481
approval_delay = notifychangeproperty(
1861
1482
dbus.UInt64, "ApprovalDelay",
1862
type_func=lambda td: td.total_seconds() * 1000)
1483
type_func = lambda td: td.total_seconds() * 1000)
1863
1484
approval_duration = notifychangeproperty(
1864
1485
dbus.UInt64, "ApprovalDuration",
1865
type_func=lambda td: td.total_seconds() * 1000)
1486
type_func = lambda td: td.total_seconds() * 1000)
1866
1487
host = notifychangeproperty(dbus.String, "Host")
1867
1488
timeout = notifychangeproperty(
1868
1489
dbus.UInt64, "Timeout",
1869
type_func=lambda td: td.total_seconds() * 1000)
1490
type_func = lambda td: td.total_seconds() * 1000)
1870
1491
extended_timeout = notifychangeproperty(
1871
1492
dbus.UInt64, "ExtendedTimeout",
1872
type_func=lambda td: td.total_seconds() * 1000)
1493
type_func = lambda td: td.total_seconds() * 1000)
1873
1494
interval = notifychangeproperty(
1874
1495
dbus.UInt64, "Interval",
1875
type_func=lambda td: td.total_seconds() * 1000)
1496
type_func = lambda td: td.total_seconds() * 1000)
1876
1497
checker_command = notifychangeproperty(dbus.String, "Checker")
1877
1498
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1878
1499
invalidate_only=True)
1879
1500
1880
1501
del notifychangeproperty
1881
1502
1882
1503
def __del__(self, *args, **kwargs):
1883
1504
try:
1884
1505
self.remove_from_connection()
1887
1508
if hasattr(DBusObjectWithProperties, "__del__"):
1888
1509
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1889
1510
Client.__del__(self, *args, **kwargs)
1890
1511
1891
1512
def checker_callback(self, source, condition,
1892
1513
connection, command, *args, **kwargs):
1893
1514
ret = Client.checker_callback(self, source, condition,
1909
1530
| self.last_checker_signal),
1910
1531
dbus.String(command))
1911
1532
return ret
1912
1533
1913
1534
def start_checker(self, *args, **kwargs):
1914
1535
old_checker_pid = getattr(self.checker, "pid", None)
1915
1536
r = Client.start_checker(self, *args, **kwargs)
1919
1540
# Emit D-Bus signal
1920
1541
self.CheckerStarted(self.current_checker_command)
1921
1542
return r
1922
1543
1923
1544
def _reset_approved(self):
1924
1545
self.approved = None
1925
1546
return False
1926
1547
1927
1548
def approve(self, value=True):
1928
1549
self.approved = value
1929
GLib.timeout_add(int(self.approval_duration.total_seconds()
1930
* 1000), self._reset_approved)
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1931
1552
self.send_changedstate()
1932
1933
# D-Bus methods, signals & properties
1934
1935
# Interfaces
1936
1937
# Signals
1938
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1939
1560
# CheckerCompleted - signal
1940
1561
@dbus.service.signal(_interface, signature="nxs")
1941
1562
def CheckerCompleted(self, exitcode, waitstatus, command):
1942
1563
"D-Bus signal"
1943
1564
pass
1944
1565
1945
1566
# CheckerStarted - signal
1946
1567
@dbus.service.signal(_interface, signature="s")
1947
1568
def CheckerStarted(self, command):
1948
1569
"D-Bus signal"
1949
1570
pass
1950
1571
1951
1572
# PropertyChanged - signal
1952
1573
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1953
1574
@dbus.service.signal(_interface, signature="sv")
1954
1575
def PropertyChanged(self, property, value):
1955
1576
"D-Bus signal"
1956
1577
pass
1957
1578
1958
1579
# GotSecret - signal
1959
1580
@dbus.service.signal(_interface)
1960
1581
def GotSecret(self):
1963
1584
server to mandos-client
1964
1585
"""
1965
1586
pass
1966
1587
1967
1588
# Rejected - signal
1968
1589
@dbus.service.signal(_interface, signature="s")
1969
1590
def Rejected(self, reason):
1970
1591
"D-Bus signal"
1971
1592
pass
1972
1593
1973
1594
# NeedApproval - signal
1974
1595
@dbus.service.signal(_interface, signature="tb")
1975
1596
def NeedApproval(self, timeout, default):
1976
1597
"D-Bus signal"
1977
1598
return self.need_approval()
1978
1979
# Methods
1980
1599
1600
## Methods
1601
1981
1602
# Approve - method
1982
1603
@dbus.service.method(_interface, in_signature="b")
1983
1604
def Approve(self, value):
1984
1605
self.approve(value)
1985
1606
1986
1607
# CheckedOK - method
1987
1608
@dbus.service.method(_interface)
1988
1609
def CheckedOK(self):
1989
1610
self.checked_ok()
1990
1611
1991
1612
# Enable - method
1992
1613
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1993
1614
@dbus.service.method(_interface)
1994
1615
def Enable(self):
1995
1616
"D-Bus method"
1996
1617
self.enable()
1997
1618
1998
1619
# StartChecker - method
1999
1620
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2000
1621
@dbus.service.method(_interface)
2001
1622
def StartChecker(self):
2002
1623
"D-Bus method"
2003
1624
self.start_checker()
2004
1625
2005
1626
# Disable - method
2006
1627
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2007
1628
@dbus.service.method(_interface)
2008
1629
def Disable(self):
2009
1630
"D-Bus method"
2010
1631
self.disable()
2011
1632
2012
1633
# StopChecker - method
2013
1634
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2014
1635
@dbus.service.method(_interface)
2015
1636
def StopChecker(self):
2016
1637
self.stop_checker()
2017
2018
# Properties
2019
1638
1639
## Properties
1640
2020
1641
# ApprovalPending - property
2021
1642
@dbus_service_property(_interface, signature="b", access="read")
2022
1643
def ApprovalPending_dbus_property(self):
2023
1644
return dbus.Boolean(bool(self.approvals_pending))
2024
1645
2025
1646
# ApprovedByDefault - property
2026
1647
@dbus_service_property(_interface,
2027
1648
signature="b",
2030
1651
if value is None: # get
2031
1652
return dbus.Boolean(self.approved_by_default)
2032
1653
self.approved_by_default = bool(value)
2033
1654
2034
1655
# ApprovalDelay - property
2035
1656
@dbus_service_property(_interface,
2036
1657
signature="t",
2040
1661
return dbus.UInt64(self.approval_delay.total_seconds()
2041
1662
* 1000)
2042
1663
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2043
1664
2044
1665
# ApprovalDuration - property
2045
1666
@dbus_service_property(_interface,
2046
1667
signature="t",
2050
1671
return dbus.UInt64(self.approval_duration.total_seconds()
2051
1672
* 1000)
2052
1673
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2053
1674
2054
1675
# Name - property
2055
1676
@dbus_annotations(
2056
1677
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2057
1678
@dbus_service_property(_interface, signature="s", access="read")
2058
1679
def Name_dbus_property(self):
2059
1680
return dbus.String(self.name)
2060
2061
# KeyID - property
2062
@dbus_annotations(
2063
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2064
@dbus_service_property(_interface, signature="s", access="read")
2065
def KeyID_dbus_property(self):
2066
return dbus.String(self.key_id)
2067
1681
2068
1682
# Fingerprint - property
2069
1683
@dbus_annotations(
2070
1684
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2071
1685
@dbus_service_property(_interface, signature="s", access="read")
2072
1686
def Fingerprint_dbus_property(self):
2073
1687
return dbus.String(self.fingerprint)
2074
1688
2075
1689
# Host - property
2076
1690
@dbus_service_property(_interface,
2077
1691
signature="s",
2080
1694
if value is None: # get
2081
1695
return dbus.String(self.host)
2082
1696
self.host = str(value)
2083
1697
2084
1698
# Created - property
2085
1699
@dbus_annotations(
2086
1700
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2087
1701
@dbus_service_property(_interface, signature="s", access="read")
2088
1702
def Created_dbus_property(self):
2089
1703
return datetime_to_dbus(self.created)
2090
1704
2091
1705
# LastEnabled - property
2092
1706
@dbus_service_property(_interface, signature="s", access="read")
2093
1707
def LastEnabled_dbus_property(self):
2094
1708
return datetime_to_dbus(self.last_enabled)
2095
1709
2096
1710
# Enabled - property
2097
1711
@dbus_service_property(_interface,
2098
1712
signature="b",
2104
1718
self.enable()
2105
1719
else:
2106
1720
self.disable()
2107
1721
2108
1722
# LastCheckedOK - property
2109
1723
@dbus_service_property(_interface,
2110
1724
signature="s",
2114
1728
self.checked_ok()
2115
1729
return
2116
1730
return datetime_to_dbus(self.last_checked_ok)
2117
1731
2118
1732
# LastCheckerStatus - property
2119
1733
@dbus_service_property(_interface, signature="n", access="read")
2120
1734
def LastCheckerStatus_dbus_property(self):
2121
1735
return dbus.Int16(self.last_checker_status)
2122
1736
2123
1737
# Expires - property
2124
1738
@dbus_service_property(_interface, signature="s", access="read")
2125
1739
def Expires_dbus_property(self):
2126
1740
return datetime_to_dbus(self.expires)
2127
1741
2128
1742
# LastApprovalRequest - property
2129
1743
@dbus_service_property(_interface, signature="s", access="read")
2130
1744
def LastApprovalRequest_dbus_property(self):
2131
1745
return datetime_to_dbus(self.last_approval_request)
2132
1746
2133
1747
# Timeout - property
2134
1748
@dbus_service_property(_interface,
2135
1749
signature="t",
2150
1764
if (getattr(self, "disable_initiator_tag", None)
2151
1765
is None):
2152
1766
return
2153
GLib.source_remove(self.disable_initiator_tag)
2154
self.disable_initiator_tag = GLib.timeout_add(
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2155
1769
int((self.expires - now).total_seconds() * 1000),
2156
1770
self.disable)
2157
1771
2158
1772
# ExtendedTimeout - property
2159
1773
@dbus_service_property(_interface,
2160
1774
signature="t",
2164
1778
return dbus.UInt64(self.extended_timeout.total_seconds()
2165
1779
* 1000)
2166
1780
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2167
1781
2168
1782
# Interval - property
2169
1783
@dbus_service_property(_interface,
2170
1784
signature="t",
2177
1791
return
2178
1792
if self.enabled:
2179
1793
# Reschedule checker run
2180
GLib.source_remove(self.checker_initiator_tag)
2181
self.checker_initiator_tag = GLib.timeout_add(
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2182
1796
value, self.start_checker)
2183
self.start_checker() # Start one now, too
2184
1797
self.start_checker() # Start one now, too
1798
2185
1799
# Checker - property
2186
1800
@dbus_service_property(_interface,
2187
1801
signature="s",
2190
1804
if value is None: # get
2191
1805
return dbus.String(self.checker_command)
2192
1806
self.checker_command = str(value)
2193
1807
2194
1808
# CheckerRunning - property
2195
1809
@dbus_service_property(_interface,
2196
1810
signature="b",
2202
1816
self.start_checker()
2203
1817
else:
2204
1818
self.stop_checker()
2205
1819
2206
1820
# ObjectPath - property
2207
1821
@dbus_annotations(
2208
1822
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2209
1823
"org.freedesktop.DBus.Deprecated": "true"})
2210
1824
@dbus_service_property(_interface, signature="o", access="read")
2211
1825
def ObjectPath_dbus_property(self):
2212
return self.dbus_object_path # is already a dbus.ObjectPath
2213
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2214
1828
# Secret = property
2215
1829
@dbus_annotations(
2216
1830
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2221
1835
byte_arrays=True)
2222
1836
def Secret_dbus_property(self, value):
2223
1837
self.secret = bytes(value)
2224
1838
2225
1839
del _interface
2226
1840
2227
1841
2228
class ProxyClient:
2229
def __init__(self, child_pipe, key_id, fpr, address):
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2230
1844
self._pipe = child_pipe
2231
self._pipe.send(('init', key_id, fpr, address))
1845
self._pipe.send(('init', fpr, address))
2232
1846
if not self._pipe.recv():
2233
raise KeyError(key_id or fpr)
2234
1847
raise KeyError(fpr)
1848
2235
1849
def __getattribute__(self, name):
2236
1850
if name == '_pipe':
2237
1851
return super(ProxyClient, self).__getattribute__(name)
2240
1854
if data[0] == 'data':
2241
1855
return data[1]
2242
1856
if data[0] == 'function':
2243
1857
2244
1858
def func(*args, **kwargs):
2245
1859
self._pipe.send(('funcall', name, args, kwargs))
2246
1860
return self._pipe.recv()[1]
2247
1861
2248
1862
return func
2249
1863
2250
1864
def __setattr__(self, name, value):
2251
1865
if name == '_pipe':
2252
1866
return super(ProxyClient, self).__setattr__(name, value)
2255
1869
2256
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2257
1871
"""A class to handle client connections.
2258
1872
2259
1873
Instantiated once for each connection to handle it.
2260
1874
Note: This will run in its own forked process."""
2261
1875
2262
1876
def handle(self):
2263
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2264
1878
logger.info("TCP connection from: %s",
2265
1879
str(self.client_address))
2266
1880
logger.debug("Pipe FD: %d",
2267
1881
self.server.child_pipe.fileno())
2268
2269
session = gnutls.ClientSession(self.request)
2270
2271
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2272
# "+AES-256-CBC", "+SHA1",
2273
# "+COMP-NULL", "+CTYPE-OPENPGP",
2274
# "+DHE-DSS"))
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2275
1895
# Use a fallback default, since this MUST be set.
2276
1896
priority = self.server.gnutls_priority
2277
1897
if priority is None:
2278
1898
priority = "NORMAL"
2279
gnutls.priority_set_direct(session._c_object,
2280
priority.encode("utf-8"),
2281
None)
2282
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2283
1902
# Start communication using the Mandos protocol
2284
1903
# Get protocol number
2285
1904
line = self.request.makefile().readline()
2290
1909
except (ValueError, IndexError, RuntimeError) as error:
2291
1910
logger.error("Unknown protocol version: %s", error)
2292
1911
return
2293
1912
2294
1913
# Start GnuTLS connection
2295
1914
try:
2296
1915
session.handshake()
2297
except gnutls.Error as error:
1916
except gnutls.errors.GNUTLSError as error:
2298
1917
logger.warning("Handshake failed: %s", error)
2299
1918
# Do not run session.bye() here: the session is not
2300
1919
# established. Just abandon the request.
2301
1920
return
2302
1921
logger.debug("Handshake succeeded")
2303
1922
2304
1923
approval_required = False
2305
1924
try:
2306
if gnutls.has_rawpk:
2307
fpr = b""
2308
try:
2309
key_id = self.key_id(
2310
self.peer_certificate(session))
2311
except (TypeError, gnutls.Error) as error:
2312
logger.warning("Bad certificate: %s", error)
2313
return
2314
logger.debug("Key ID: %s", key_id)
2315
2316
else:
2317
key_id = b""
2318
try:
2319
fpr = self.fingerprint(
2320
self.peer_certificate(session))
2321
except (TypeError, gnutls.Error) as error:
2322
logger.warning("Bad certificate: %s", error)
2323
return
2324
logger.debug("Fingerprint: %s", fpr)
2325
2326
try:
2327
client = ProxyClient(child_pipe, key_id, fpr,
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2328
1936
self.client_address)
2329
1937
except KeyError:
2330
1938
return
2331
1939
2332
1940
if client.approval_delay:
2333
1941
delay = client.approval_delay
2334
1942
client.approvals_pending += 1
2335
1943
approval_required = True
2336
1944
2337
1945
while True:
2338
1946
if not client.enabled:
2339
1947
logger.info("Client %s is disabled",
2342
1950
# Emit D-Bus signal
2343
1951
client.Rejected("Disabled")
2344
1952
return
2345
1953
2346
1954
if client.approved or not client.approval_delay:
2347
# We are approved or approval is disabled
1955
#We are approved or approval is disabled
2348
1956
break
2349
1957
elif client.approved is None:
2350
1958
logger.info("Client %s needs approval",
2361
1969
# Emit D-Bus signal
2362
1970
client.Rejected("Denied")
2363
1971
return
2364
2365
# wait until timeout or approved
1972
1973
#wait until timeout or approved
2366
1974
time = datetime.datetime.now()
2367
1975
client.changedstate.acquire()
2368
1976
client.changedstate.wait(delay.total_seconds())
2381
1989
break
2382
1990
else:
2383
1991
delay -= time2 - time
2384
2385
try:
2386
session.send(client.secret)
2387
except gnutls.Error as error:
2388
logger.warning("gnutls send failed",
2389
exc_info=error)
2390
return
2391
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2392
2006
logger.info("Sending secret to %s", client.name)
2393
2007
# bump the timeout using extended_timeout
2394
2008
client.bump_timeout(client.extended_timeout)
2395
2009
if self.server.use_dbus:
2396
2010
# Emit D-Bus signal
2397
2011
client.GotSecret()
2398
2012
2399
2013
finally:
2400
2014
if approval_required:
2401
2015
client.approvals_pending -= 1
2402
2016
try:
2403
2017
session.bye()
2404
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2405
2019
logger.warning("GnuTLS bye failed",
2406
2020
exc_info=error)
2407
2021
2408
2022
@staticmethod
2409
2023
def peer_certificate(session):
2410
"Return the peer's certificate as a bytestring"
2411
try:
2412
cert_type = gnutls.certificate_type_get2(session._c_object,
2413
gnutls.CTYPE_PEERS)
2414
except AttributeError:
2415
cert_type = gnutls.certificate_type_get(session._c_object)
2416
if gnutls.has_rawpk:
2417
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2418
else:
2419
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2420
# If not a valid certificate type...
2421
if cert_type not in valid_cert_types:
2422
logger.info("Cert type %r not in %r", cert_type,
2423
valid_cert_types)
2424
# ...return invalid data
2425
return b""
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2426
2031
list_size = ctypes.c_uint(1)
2427
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2428
2034
(session._c_object, ctypes.byref(list_size)))
2429
2035
if not bool(cert_list) and list_size.value != 0:
2430
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2431
2038
if list_size.value == 0:
2432
2039
return None
2433
2040
cert = cert_list[0]
2434
2041
return ctypes.string_at(cert.data, cert.size)
2435
2436
@staticmethod
2437
def key_id(certificate):
2438
"Convert a certificate bytestring to a hexdigit key ID"
2439
# New GnuTLS "datum" with the public key
2440
datum = gnutls.datum_t(
2441
ctypes.cast(ctypes.c_char_p(certificate),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.c_uint(len(certificate)))
2444
# XXX all these need to be created in the gnutls "module"
2445
# New empty GnuTLS certificate
2446
pubkey = gnutls.pubkey_t()
2447
gnutls.pubkey_init(ctypes.byref(pubkey))
2448
# Import the raw public key into the certificate
2449
gnutls.pubkey_import(pubkey,
2450
ctypes.byref(datum),
2451
gnutls.X509_FMT_DER)
2452
# New buffer for the key ID
2453
buf = ctypes.create_string_buffer(32)
2454
buf_len = ctypes.c_size_t(len(buf))
2455
# Get the key ID from the raw public key into the buffer
2456
gnutls.pubkey_get_key_id(pubkey,
2457
gnutls.KEYID_USE_SHA256,
2458
ctypes.cast(ctypes.byref(buf),
2459
ctypes.POINTER(ctypes.c_ubyte)),
2460
ctypes.byref(buf_len))
2461
# Deinit the certificate
2462
gnutls.pubkey_deinit(pubkey)
2463
2464
# Convert the buffer to a Python bytestring
2465
key_id = ctypes.string_at(buf, buf_len.value)
2466
# Convert the bytestring to hexadecimal notation
2467
hex_key_id = binascii.hexlify(key_id).upper()
2468
return hex_key_id
2469
2042
2470
2043
@staticmethod
2471
2044
def fingerprint(openpgp):
2472
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2473
2046
# New GnuTLS "datum" with the OpenPGP public key
2474
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2475
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2476
2049
ctypes.POINTER(ctypes.c_ubyte)),
2477
2050
ctypes.c_uint(len(openpgp)))
2478
2051
# New empty GnuTLS certificate
2479
crt = gnutls.openpgp_crt_t()
2480
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2481
2055
# Import the OpenPGP public key into the certificate
2482
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2483
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2484
2059
# Verify the self signature in the key
2485
2060
crtverify = ctypes.c_uint()
2486
gnutls.openpgp_crt_verify_self(crt, 0,
2487
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2488
2063
if crtverify.value != 0:
2489
gnutls.openpgp_crt_deinit(crt)
2490
raise gnutls.CertificateSecurityError(code
2491
=crtverify.value)
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2492
2067
# New buffer for the fingerprint
2493
2068
buf = ctypes.create_string_buffer(20)
2494
2069
buf_len = ctypes.c_size_t()
2495
2070
# Get the fingerprint from the certificate into the buffer
2496
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2497
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2498
2073
# Deinit the certificate
2499
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2500
2075
# Convert the buffer to a Python bytestring
2501
2076
fpr = ctypes.string_at(buf, buf_len.value)
2502
2077
# Convert the bytestring to hexadecimal notation
2504
2079
return hex_fpr
2505
2080
2506
2081
2507
class MultiprocessingMixIn:
2082
class MultiprocessingMixIn(object):
2508
2083
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2509
2084
2510
2085
def sub_process_main(self, request, address):
2511
2086
try:
2512
2087
self.finish_request(request, address)
2513
2088
except Exception:
2514
2089
self.handle_error(request, address)
2515
2090
self.close_request(request)
2516
2091
2517
2092
def process_request(self, request, address):
2518
2093
"""Start a new process to process the request."""
2519
proc = multiprocessing.Process(target=self.sub_process_main,
2520
args=(request, address))
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2521
2096
proc.start()
2522
2097
return proc
2523
2098
2524
2099
2525
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2526
2101
""" adds a pipe to the MixIn """
2527
2102
2528
2103
def process_request(self, request, client_address):
2529
2104
"""Overrides and wraps the original process_request().
2530
2105
2531
2106
This function creates a new pipe in self.pipe
2532
2107
"""
2533
2108
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2534
2109
2535
2110
proc = MultiprocessingMixIn.process_request(self, request,
2536
2111
client_address)
2537
2112
self.child_pipe.close()
2538
2113
self.add_pipe(parent_pipe, proc)
2539
2114
2540
2115
def add_pipe(self, parent_pipe, proc):
2541
2116
"""Dummy function; override as necessary"""
2542
2117
raise NotImplementedError()
2543
2118
2544
2119
2545
2120
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2546
socketserver.TCPServer):
2121
socketserver.TCPServer, object):
2547
2122
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2548
2123
2549
2124
Attributes:
2550
2125
enabled: Boolean; whether this server is activated yet
2551
2126
interface: None or a network interface name (string)
2552
2127
use_ipv6: Boolean; to use IPv6 or not
2553
2128
"""
2554
2129
2555
2130
def __init__(self, server_address, RequestHandlerClass,
2556
2131
interface=None,
2557
2132
use_ipv6=True,
2567
2142
self.socketfd = socketfd
2568
2143
# Save the original socket.socket() function
2569
2144
self.socket_socket = socket.socket
2570
2571
2145
# To implement --socket, we monkey patch socket.socket.
2572
#
2146
#
2573
2147
# (When socketserver.TCPServer is a new-style class, we
2574
2148
# could make self.socket into a property instead of monkey
2575
2149
# patching socket.socket.)
2576
#
2150
#
2577
2151
# Create a one-time-only replacement for socket.socket()
2578
2152
@functools.wraps(socket.socket)
2579
2153
def socket_wrapper(*args, **kwargs):
2591
2165
# socket_wrapper(), if socketfd was set.
2592
2166
socketserver.TCPServer.__init__(self, server_address,
2593
2167
RequestHandlerClass)
2594
2168
2595
2169
def server_bind(self):
2596
2170
"""This overrides the normal server_bind() function
2597
2171
to bind to an interface if one was specified, and also NOT to
2598
2172
bind to an address or port if they were not specified."""
2599
global SO_BINDTODEVICE
2600
2173
if self.interface is not None:
2601
2174
if SO_BINDTODEVICE is None:
2602
# Fall back to a hard-coded value which seems to be
2603
# common enough.
2604
logger.warning("SO_BINDTODEVICE not found, trying 25")
2605
SO_BINDTODEVICE = 25
2606
try:
2607
self.socket.setsockopt(
2608
socket.SOL_SOCKET, SO_BINDTODEVICE,
2609
(self.interface + "\0").encode("utf-8"))
2610
except socket.error as error:
2611
if error.errno == errno.EPERM:
2612
logger.error("No permission to bind to"
2613
" interface %s", self.interface)
2614
elif error.errno == errno.ENOPROTOOPT:
2615
logger.error("SO_BINDTODEVICE not available;"
2616
" cannot bind to interface %s",
2617
self.interface)
2618
elif error.errno == errno.ENODEV:
2619
logger.error("Interface %s does not exist,"
2620
" cannot bind", self.interface)
2621
else:
2622
raise
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2623
2196
# Only bind(2) the socket if we really need to.
2624
2197
if self.server_address[0] or self.server_address[1]:
2625
if self.server_address[1]:
2626
self.allow_reuse_address = True
2627
2198
if not self.server_address[0]:
2628
2199
if self.address_family == socket.AF_INET6:
2629
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2630
2201
else:
2631
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2632
2203
self.server_address = (any_address,
2633
2204
self.server_address[1])
2634
2205
elif not self.server_address[1]:
2644
2215
2645
2216
class MandosServer(IPv6_TCPServer):
2646
2217
"""Mandos server.
2647
2218
2648
2219
Attributes:
2649
2220
clients: set of Client objects
2650
2221
gnutls_priority GnuTLS priority string
2651
2222
use_dbus: Boolean; to emit D-Bus signals or not
2652
2653
Assumes a GLib.MainLoop event loop.
2223
2224
Assumes a gobject.MainLoop event loop.
2654
2225
"""
2655
2226
2656
2227
def __init__(self, server_address, RequestHandlerClass,
2657
2228
interface=None,
2658
2229
use_ipv6=True,
2668
2239
self.gnutls_priority = gnutls_priority
2669
2240
IPv6_TCPServer.__init__(self, server_address,
2670
2241
RequestHandlerClass,
2671
interface=interface,
2672
use_ipv6=use_ipv6,
2673
socketfd=socketfd)
2674
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2675
2246
def server_activate(self):
2676
2247
if self.enabled:
2677
2248
return socketserver.TCPServer.server_activate(self)
2678
2249
2679
2250
def enable(self):
2680
2251
self.enabled = True
2681
2252
2682
2253
def add_pipe(self, parent_pipe, proc):
2683
2254
# Call "handle_ipc" for both data and EOF events
2684
GLib.io_add_watch(
2685
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2686
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2687
2258
functools.partial(self.handle_ipc,
2688
parent_pipe=parent_pipe,
2689
proc=proc))
2690
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2691
2262
def handle_ipc(self, source, condition,
2692
2263
parent_pipe=None,
2693
proc=None,
2264
proc = None,
2694
2265
client_object=None):
2695
2266
# error, or the other end of multiprocessing.Pipe has closed
2696
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2697
2268
# Wait for other process to exit
2698
2269
proc.join()
2699
2270
return False
2700
2271
2701
2272
# Read a request from the child
2702
2273
request = parent_pipe.recv()
2703
2274
command = request[0]
2704
2275
2705
2276
if command == 'init':
2706
key_id = request[1].decode("ascii")
2707
fpr = request[2].decode("ascii")
2708
address = request[3]
2709
2710
for c in self.clients.values():
2711
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2712
continue
2713
if key_id and c.key_id == key_id:
2714
client = c
2715
break
2716
if fpr and c.fingerprint == fpr:
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2717
2282
client = c
2718
2283
break
2719
2284
else:
2720
logger.info("Client not found for key ID: %s, address"
2721
": %s", key_id or fpr, address)
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2722
2287
if self.use_dbus:
2723
2288
# Emit D-Bus signal
2724
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
mandos_dbus_service.ClientNotFound(fpr,
2725
2290
address[0])
2726
2291
parent_pipe.send(False)
2727
2292
return False
2728
2729
GLib.io_add_watch(
2730
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2731
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2732
2297
functools.partial(self.handle_ipc,
2733
parent_pipe=parent_pipe,
2734
proc=proc,
2735
client_object=client))
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2736
2301
parent_pipe.send(True)
2737
2302
# remove the old hook in favor of the new above hook on
2738
2303
# same fileno
2741
2306
funcname = request[1]
2742
2307
args = request[2]
2743
2308
kwargs = request[3]
2744
2309
2745
2310
parent_pipe.send(('data', getattr(client_object,
2746
2311
funcname)(*args,
2747
2312
**kwargs)))
2748
2313
2749
2314
if command == 'getattr':
2750
2315
attrname = request[1]
2751
2316
if isinstance(client_object.__getattribute__(attrname),
2754
2319
else:
2755
2320
parent_pipe.send((
2756
2321
'data', client_object.__getattribute__(attrname)))
2757
2322
2758
2323
if command == 'setattr':
2759
2324
attrname = request[1]
2760
2325
value = request[2]
2761
2326
setattr(client_object, attrname, value)
2762
2327
2763
2328
return True
2764
2329
2765
2330
2766
2331
def rfc3339_duration_to_delta(duration):
2767
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2768
2769
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2770
True
2771
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2772
True
2773
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2774
True
2775
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2776
True
2777
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2778
True
2779
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2780
True
2781
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2782
True
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2783
2348
"""
2784
2349
2785
2350
# Parsing an RFC 3339 duration with regular expressions is not
2786
2351
# possible - there would have to be multiple places for the same
2787
2352
# values, like seconds. The current code, while more esoteric, is
2788
2353
# cleaner without depending on a parsing library. If Python had a
2789
2354
# built-in library for parsing we would use it, but we'd like to
2790
2355
# avoid excessive use of external libraries.
2791
2356
2792
2357
# New type for defining tokens, syntax, and semantics all-in-one
2793
2358
Token = collections.namedtuple("Token", (
2794
2359
"regexp", # To match token; if "value" is not None, must have
2827
2392
frozenset((token_year, token_month,
2828
2393
token_day, token_time,
2829
2394
token_week)))
2830
# Define starting values:
2831
# Value so far
2832
value = datetime.timedelta()
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2833
2397
found_token = None
2834
# Following valid tokens
2835
followers = frozenset((token_duration, ))
2836
# String left to parse
2837
s = duration
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2838
2400
# Loop until end token is found
2839
2401
while found_token is not token_end:
2840
2402
# Search for any currently valid tokens
2864
2426
2865
2427
def string_to_delta(interval):
2866
2428
"""Parse a string and return a datetime.timedelta
2867
2868
>>> string_to_delta('7d') == datetime.timedelta(7)
2869
True
2870
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2871
True
2872
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2873
True
2874
>>> string_to_delta('24h') == datetime.timedelta(1)
2875
True
2876
>>> string_to_delta('1w') == datetime.timedelta(7)
2877
True
2878
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2879
True
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2880
2442
"""
2881
2443
2882
2444
try:
2883
2445
return rfc3339_duration_to_delta(interval)
2884
2446
except ValueError:
2885
2447
pass
2886
2448
2887
2449
timevalue = datetime.timedelta(0)
2888
2450
for s in interval.split():
2889
2451
try:
2907
2469
return timevalue
2908
2470
2909
2471
2910
def daemon(nochdir=False, noclose=False):
2472
def daemon(nochdir = False, noclose = False):
2911
2473
"""See daemon(3). Standard BSD Unix function.
2912
2474
2913
2475
This should really exist as os.daemon, but it doesn't (yet)."""
2914
2476
if os.fork():
2915
2477
sys.exit()
2933
2495
2934
2496
2935
2497
def main():
2936
2498
2937
2499
##################################################################
2938
2500
# Parsing of options, both command line and config file
2939
2501
2940
2502
parser = argparse.ArgumentParser()
2941
2503
parser.add_argument("-v", "--version", action="version",
2942
version="%(prog)s {}".format(version),
2504
version = "%(prog)s {}".format(version),
2943
2505
help="show version number and exit")
2944
2506
parser.add_argument("-i", "--interface", metavar="IF",
2945
2507
help="Bind to interface IF")
2981
2543
parser.add_argument("--no-zeroconf", action="store_false",
2982
2544
dest="zeroconf", help="Do not use Zeroconf",
2983
2545
default=None)
2984
2546
2985
2547
options = parser.parse_args()
2986
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2987
2554
# Default values for config file for server-global settings
2988
if gnutls.has_rawpk:
2989
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2990
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2991
else:
2992
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2993
":+SIGN-DSA-SHA256")
2994
server_defaults = {"interface": "",
2995
"address": "",
2996
"port": "",
2997
"debug": "False",
2998
"priority": priority,
2999
"servicename": "Mandos",
3000
"use_dbus": "True",
3001
"use_ipv6": "True",
3002
"debuglevel": "",
3003
"restore": "True",
3004
"socket": "",
3005
"statedir": "/var/lib/mandos",
3006
"foreground": "False",
3007
"zeroconf": "True",
3008
}
3009
del priority
3010
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3011
2573
# Parse config file for server-global settings
3012
server_config = configparser.ConfigParser(server_defaults)
2574
server_config = configparser.SafeConfigParser(server_defaults)
3013
2575
del server_defaults
3014
2576
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3015
# Convert the ConfigParser object to a dict
2577
# Convert the SafeConfigParser object to a dict
3016
2578
server_settings = server_config.defaults()
3017
2579
# Use the appropriate methods on the non-string config options
3018
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3019
"foreground", "zeroconf"):
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3020
2581
server_settings[option] = server_config.getboolean("DEFAULT",
3021
2582
option)
3022
2583
if server_settings["port"]:
3032
2593
server_settings["socket"] = os.dup(server_settings
3033
2594
["socket"])
3034
2595
del server_config
3035
2596
3036
2597
# Override the settings from the config file with command line
3037
2598
# options, if set.
3038
2599
for option in ("interface", "address", "port", "debug",
3056
2617
if server_settings["debug"]:
3057
2618
server_settings["foreground"] = True
3058
2619
# Now we have our good server settings in "server_settings"
3059
2620
3060
2621
##################################################################
3061
2622
3062
2623
if (not server_settings["zeroconf"]
3063
2624
and not (server_settings["port"]
3064
2625
or server_settings["socket"] != "")):
3065
2626
parser.error("Needs port or socket to work without Zeroconf")
3066
2627
3067
2628
# For convenience
3068
2629
debug = server_settings["debug"]
3069
2630
debuglevel = server_settings["debuglevel"]
3073
2634
stored_state_file)
3074
2635
foreground = server_settings["foreground"]
3075
2636
zeroconf = server_settings["zeroconf"]
3076
2637
3077
2638
if debug:
3078
2639
initlogger(debug, logging.DEBUG)
3079
2640
else:
3082
2643
else:
3083
2644
level = getattr(logging, debuglevel.upper())
3084
2645
initlogger(debug, level)
3085
2646
3086
2647
if server_settings["servicename"] != "Mandos":
3087
2648
syslogger.setFormatter(
3088
2649
logging.Formatter('Mandos ({}) [%(process)d]:'
3089
2650
' %(levelname)s: %(message)s'.format(
3090
2651
server_settings["servicename"])))
3091
2652
3092
2653
# Parse config file with clients
3093
client_config = configparser.ConfigParser(Client.client_defaults)
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3094
2656
client_config.read(os.path.join(server_settings["configdir"],
3095
2657
"clients.conf"))
3096
2658
3097
2659
global mandos_dbus_service
3098
2660
mandos_dbus_service = None
3099
2661
3100
2662
socketfd = None
3101
2663
if server_settings["socket"] != "":
3102
2664
socketfd = server_settings["socket"]
3118
2680
except IOError as e:
3119
2681
logger.error("Could not open file %r", pidfilename,
3120
2682
exc_info=e)
3121
3122
for name, group in (("_mandos", "_mandos"),
3123
("mandos", "mandos"),
3124
("nobody", "nogroup")):
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3125
2685
try:
3126
2686
uid = pwd.getpwnam(name).pw_uid
3127
gid = pwd.getpwnam(group).pw_gid
2687
gid = pwd.getpwnam(name).pw_gid
3128
2688
break
3129
2689
except KeyError:
3130
2690
continue
3134
2694
try:
3135
2695
os.setgid(gid)
3136
2696
os.setuid(uid)
3137
if debug:
3138
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3139
gid))
3140
2697
except OSError as error:
3141
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3142
.format(uid, gid, os.strerror(error.errno)))
3143
2698
if error.errno != errno.EPERM:
3144
2699
raise
3145
2700
3146
2701
if debug:
3147
2702
# Enable all possible GnuTLS debugging
3148
2703
3149
2704
# "Use a log level over 10 to enable all debugging options."
3150
2705
# - GnuTLS manual
3151
gnutls.global_set_log_level(11)
3152
3153
@gnutls.log_func
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3154
2709
def debug_gnutls(level, string):
3155
2710
logger.debug("GnuTLS: %s", string[:-1])
3156
3157
gnutls.global_set_log_function(debug_gnutls)
3158
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3159
2715
# Redirect stdin so all checkers get /dev/null
3160
2716
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3161
2717
os.dup2(null, sys.stdin.fileno())
3162
2718
if null > 2:
3163
2719
os.close(null)
3164
2720
3165
2721
# Need to fork before connecting to D-Bus
3166
2722
if not foreground:
3167
2723
# Close all input and output, do double fork, etc.
3168
2724
daemon()
3169
3170
if gi.version_info < (3, 10, 2):
3171
# multiprocessing will use threads, so before we use GLib we
3172
# need to inform GLib that threads will be used.
3173
GLib.threads_init()
3174
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3175
2730
global main_loop
3176
2731
# From the Avahi example code
3177
2732
DBusGMainLoop(set_as_default=True)
3178
main_loop = GLib.MainLoop()
2733
main_loop = gobject.MainLoop()
3179
2734
bus = dbus.SystemBus()
3180
2735
# End of Avahi example code
3181
2736
if use_dbus:
3194
2749
if zeroconf:
3195
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3196
2751
service = AvahiServiceToSyslog(
3197
name=server_settings["servicename"],
3198
servicetype="_mandos._tcp",
3199
protocol=protocol,
3200
bus=bus)
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3201
2756
if server_settings["interface"]:
3202
2757
service.interface = if_nametoindex(
3203
2758
server_settings["interface"].encode("utf-8"))
3204
2759
3205
2760
global multiprocessing_manager
3206
2761
multiprocessing_manager = multiprocessing.Manager()
3207
2762
3208
2763
client_class = Client
3209
2764
if use_dbus:
3210
client_class = functools.partial(ClientDBus, bus=bus)
3211
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3212
2767
client_settings = Client.config_parser(client_config)
3213
2768
old_client_settings = {}
3214
2769
clients_data = {}
3215
2770
3216
2771
# This is used to redirect stdout and stderr for checker processes
3217
2772
global wnull
3218
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3219
2774
# Only used if server is running in foreground but not in debug
3220
2775
# mode
3221
2776
if debug or not foreground:
3222
2777
wnull.close()
3223
2778
3224
2779
# Get client data and settings from last running state.
3225
2780
if server_settings["restore"]:
3226
2781
try:
3227
2782
with open(stored_state_path, "rb") as stored_state:
3228
if sys.version_info.major == 2:
3229
clients_data, old_client_settings = pickle.load(
3230
stored_state)
3231
else:
3232
bytes_clients_data, bytes_old_client_settings = (
3233
pickle.load(stored_state, encoding="bytes"))
3234
# Fix bytes to strings
3235
# clients_data
3236
# .keys()
3237
clients_data = {(key.decode("utf-8")
3238
if isinstance(key, bytes)
3239
else key): value
3240
for key, value in
3241
bytes_clients_data.items()}
3242
del bytes_clients_data
3243
for key in clients_data:
3244
value = {(k.decode("utf-8")
3245
if isinstance(k, bytes) else k): v
3246
for k, v in
3247
clients_data[key].items()}
3248
clients_data[key] = value
3249
# .client_structure
3250
value["client_structure"] = [
3251
(s.decode("utf-8")
3252
if isinstance(s, bytes)
3253
else s) for s in
3254
value["client_structure"]]
3255
# .name, .host, and .checker_command
3256
for k in ("name", "host", "checker_command"):
3257
if isinstance(value[k], bytes):
3258
value[k] = value[k].decode("utf-8")
3259
if "key_id" not in value:
3260
value["key_id"] = ""
3261
elif "fingerprint" not in value:
3262
value["fingerprint"] = ""
3263
# old_client_settings
3264
# .keys()
3265
old_client_settings = {
3266
(key.decode("utf-8")
3267
if isinstance(key, bytes)
3268
else key): value
3269
for key, value in
3270
bytes_old_client_settings.items()}
3271
del bytes_old_client_settings
3272
# .host and .checker_command
3273
for value in old_client_settings.values():
3274
for attribute in ("host", "checker_command"):
3275
if isinstance(value[attribute], bytes):
3276
value[attribute] = (value[attribute]
3277
.decode("utf-8"))
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3278
2785
os.remove(stored_state_path)
3279
2786
except IOError as e:
3280
2787
if e.errno == errno.ENOENT:
3288
2795
logger.warning("Could not load persistent state: "
3289
2796
"EOFError:",
3290
2797
exc_info=e)
3291
2798
3292
2799
with PGPEngine() as pgp:
3293
2800
for client_name, client in clients_data.items():
3294
2801
# Skip removed clients
3295
2802
if client_name not in client_settings:
3296
2803
continue
3297
2804
3298
2805
# Decide which value to use after restoring saved state.
3299
2806
# We have three different values: Old config file,
3300
2807
# new config file, and saved state.
3311
2818
client[name] = value
3312
2819
except KeyError:
3313
2820
pass
3314
2821
3315
2822
# Clients who has passed its expire date can still be
3316
2823
# enabled if its last checker was successful. A Client
3317
2824
# whose checker succeeded before we stored its state is
3350
2857
client_name))
3351
2858
client["secret"] = (client_settings[client_name]
3352
2859
["secret"])
3353
2860
3354
2861
# Add/remove clients based on new changes made to config
3355
2862
for client_name in (set(old_client_settings)
3356
2863
- set(client_settings)):
3358
2865
for client_name in (set(client_settings)
3359
2866
- set(old_client_settings)):
3360
2867
clients_data[client_name] = client_settings[client_name]
3361
2868
3362
2869
# Create all client objects
3363
2870
for client_name, client in clients_data.items():
3364
2871
tcp_server.clients[client_name] = client_class(
3365
name=client_name,
3366
settings=client,
3367
server_settings=server_settings)
3368
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3369
2876
if not tcp_server.clients:
3370
2877
logger.warning("No clients defined")
3371
2878
3372
2879
if not foreground:
3373
2880
if pidfile is not None:
3374
2881
pid = os.getpid()
3380
2887
pidfilename, pid)
3381
2888
del pidfile
3382
2889
del pidfilename
3383
3384
for termsig in (signal.SIGHUP, signal.SIGTERM):
3385
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3386
lambda: main_loop.quit() and False)
3387
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3388
2894
if use_dbus:
3389
2895
3390
2896
@alternate_dbus_interfaces(
3391
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3392
2898
class MandosDBusService(DBusObjectWithObjectManager):
3393
2899
"""A D-Bus proxy object"""
3394
2900
3395
2901
def __init__(self):
3396
2902
dbus.service.Object.__init__(self, bus, "/")
3397
2903
3398
2904
_interface = "se.recompile.Mandos"
3399
2905
3400
2906
@dbus.service.signal(_interface, signature="o")
3401
2907
def ClientAdded(self, objpath):
3402
2908
"D-Bus signal"
3403
2909
pass
3404
2910
3405
2911
@dbus.service.signal(_interface, signature="ss")
3406
def ClientNotFound(self, key_id, address):
2912
def ClientNotFound(self, fingerprint, address):
3407
2913
"D-Bus signal"
3408
2914
pass
3409
2915
3410
2916
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3411
2917
"true"})
3412
2918
@dbus.service.signal(_interface, signature="os")
3413
2919
def ClientRemoved(self, objpath, name):
3414
2920
"D-Bus signal"
3415
2921
pass
3416
2922
3417
2923
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3418
2924
"true"})
3419
2925
@dbus.service.method(_interface, out_signature="ao")
3420
2926
def GetAllClients(self):
3421
2927
"D-Bus method"
3422
2928
return dbus.Array(c.dbus_object_path for c in
3423
tcp_server.clients.values())
3424
2929
tcp_server.clients.itervalues())
2930
3425
2931
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3426
2932
"true"})
3427
2933
@dbus.service.method(_interface,
3429
2935
def GetAllClientsWithProperties(self):
3430
2936
"D-Bus method"
3431
2937
return dbus.Dictionary(
3432
{c.dbus_object_path: c.GetAll(
2938
{ c.dbus_object_path: c.GetAll(
3433
2939
"se.recompile.Mandos.Client")
3434
for c in tcp_server.clients.values()},
2940
for c in tcp_server.clients.itervalues() },
3435
2941
signature="oa{sv}")
3436
2942
3437
2943
@dbus.service.method(_interface, in_signature="o")
3438
2944
def RemoveClient(self, object_path):
3439
2945
"D-Bus method"
3440
for c in tcp_server.clients.values():
2946
for c in tcp_server.clients.itervalues():
3441
2947
if c.dbus_object_path == object_path:
3442
2948
del tcp_server.clients[c.name]
3443
2949
c.remove_from_connection()
3447
2953
self.client_removed_signal(c)
3448
2954
return
3449
2955
raise KeyError(object_path)
3450
2956
3451
2957
del _interface
3452
2958
3453
2959
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3454
out_signature="a{oa{sa{sv}}}")
2960
out_signature = "a{oa{sa{sv}}}")
3455
2961
def GetManagedObjects(self):
3456
2962
"""D-Bus method"""
3457
2963
return dbus.Dictionary(
3458
{client.dbus_object_path:
3459
dbus.Dictionary(
3460
{interface: client.GetAll(interface)
3461
for interface in
3462
client._get_all_interface_names()})
3463
for client in tcp_server.clients.values()})
3464
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3465
2971
def client_added_signal(self, client):
3466
2972
"""Send the new standard signal and the old signal"""
3467
2973
if use_dbus:
3469
2975
self.InterfacesAdded(
3470
2976
client.dbus_object_path,
3471
2977
dbus.Dictionary(
3472
{interface: client.GetAll(interface)
3473
for interface in
3474
client._get_all_interface_names()}))
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3475
2981
# Old signal
3476
2982
self.ClientAdded(client.dbus_object_path)
3477
2983
3478
2984
def client_removed_signal(self, client):
3479
2985
"""Send the new standard signal and the old signal"""
3480
2986
if use_dbus:
3485
2991
# Old signal
3486
2992
self.ClientRemoved(client.dbus_object_path,
3487
2993
client.name)
3488
2994
3489
2995
mandos_dbus_service = MandosDBusService()
3490
3491
# Save modules to variables to exempt the modules from being
3492
# unloaded before the function registered with atexit() is run.
3493
mp = multiprocessing
3494
wn = wnull
3495
2996
3496
2997
def cleanup():
3497
2998
"Cleanup function; run on exit"
3498
2999
if zeroconf:
3499
3000
service.cleanup()
3500
3501
mp.active_children()
3502
wn.close()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3503
3004
if not (tcp_server.clients or client_settings):
3504
3005
return
3505
3006
3506
3007
# Store client before exiting. Secrets are encrypted with key
3507
3008
# based on what config file has. If config file is
3508
3009
# removed/edited, old secret will thus be unrecovable.
3509
3010
clients = {}
3510
3011
with PGPEngine() as pgp:
3511
for client in tcp_server.clients.values():
3012
for client in tcp_server.clients.itervalues():
3512
3013
key = client_settings[client.name]["secret"]
3513
3014
client.encrypted_secret = pgp.encrypt(client.secret,
3514
3015
key)
3515
3016
client_dict = {}
3516
3017
3517
3018
# A list of attributes that can not be pickled
3518
3019
# + secret.
3519
exclude = {"bus", "changedstate", "secret",
3520
"checker", "server_settings"}
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3521
3022
for name, typ in inspect.getmembers(dbus.service
3522
3023
.Object):
3523
3024
exclude.add(name)
3524
3025
3525
3026
client_dict["encrypted_secret"] = (client
3526
3027
.encrypted_secret)
3527
3028
for attr in client.client_structure:
3528
3029
if attr not in exclude:
3529
3030
client_dict[attr] = getattr(client, attr)
3530
3031
3531
3032
clients[client.name] = client_dict
3532
3033
del client_settings[client.name]["secret"]
3533
3034
3534
3035
try:
3535
3036
with tempfile.NamedTemporaryFile(
3536
3037
mode='wb',
3538
3039
prefix='clients-',
3539
3040
dir=os.path.dirname(stored_state_path),
3540
3041
delete=False) as stored_state:
3541
pickle.dump((clients, client_settings), stored_state,
3542
protocol=2)
3042
pickle.dump((clients, client_settings), stored_state)
3543
3043
tempname = stored_state.name
3544
3044
os.rename(tempname, stored_state_path)
3545
3045
except (IOError, OSError) as e:
3555
3055
logger.warning("Could not save persistent state:",
3556
3056
exc_info=e)
3557
3057
raise
3558
3058
3559
3059
# Delete all clients, and settings from config
3560
3060
while tcp_server.clients:
3561
3061
name, client = tcp_server.clients.popitem()
3564
3064
# Don't signal the disabling
3565
3065
client.disable(quiet=True)
3566
3066
# Emit D-Bus signal for removal
3567
if use_dbus:
3568
mandos_dbus_service.client_removed_signal(client)
3067
mandos_dbus_service.client_removed_signal(client)
3569
3068
client_settings.clear()
3570
3069
3571
3070
atexit.register(cleanup)
3572
3573
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3574
3073
if use_dbus:
3575
3074
# Emit D-Bus signal for adding
3576
3075
mandos_dbus_service.client_added_signal(client)
3577
3076
# Need to initiate checking of clients
3578
3077
if client.enabled:
3579
3078
client.init_checker()
3580
3079
3581
3080
tcp_server.enable()
3582
3081
tcp_server.server_activate()
3583
3082
3584
3083
# Find out what port we got
3585
3084
if zeroconf:
3586
3085
service.port = tcp_server.socket.getsockname()[1]
3591
3090
else: # IPv4
3592
3091
logger.info("Now listening on address %r, port %d",
3593
3092
*tcp_server.socket.getsockname())
3594
3595
# service.interface = tcp_server.socket.getsockname()[3]
3596
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3597
3096
try:
3598
3097
if zeroconf:
3599
3098
# From the Avahi example code
3604
3103
cleanup()
3605
3104
sys.exit(1)
3606
3105
# End of Avahi example code
3607
3608
GLib.io_add_watch(
3609
GLib.IOChannel.unix_new(tcp_server.fileno()),
3610
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3611
lambda *args, **kwargs: (tcp_server.handle_request
3612
(*args[2:], **kwargs) or True))
3613
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3614
3112
logger.debug("Starting main loop")
3615
3113
main_loop.run()
3616
3114
except AvahiError as error:
3625
3123
# Must run before the D-Bus bus name gets deregistered
3626
3124
cleanup()
3627
3125
3628
3629
def should_only_run_tests():
3630
parser = argparse.ArgumentParser(add_help=False)
3631
parser.add_argument("--check", action='store_true')
3632
args, unknown_args = parser.parse_known_args()
3633
run_tests = args.check
3634
if run_tests:
3635
# Remove --check argument from sys.argv
3636
sys.argv[1:] = unknown_args
3637
return run_tests
3638
3639
# Add all tests from doctest strings
3640
def load_tests(loader, tests, none):
3641
import doctest
3642
tests.addTests(doctest.DocTestSuite())
3643
return tests
3644
3126
3645
3127
if __name__ == '__main__':
3646
try:
3647
if should_only_run_tests():
3648
# Call using ./mandos --check [--verbose]
3649
unittest.main()
3650
else:
3651
main()
3652
finally:
3653
logging.shutdown()
3128
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0