To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.347
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.347
- Committer: Teddy Hogeborn
- Date: 2016-02-21 13:00:15 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 331.
- Revision ID: teddy@recompile.se-20160221130015-b32z5wnkw9swjg2s
mandos: Remove unused import and an errant space character.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.connection
48
import gnutls.errors
49
import gnutls.library.functions
50
import gnutls.library.constants
51
import gnutls.library.types
51
52
try:
52
53
import ConfigParser as configparser
53
54
except ImportError:
80
81
81
82
import dbus
82
83
import dbus.service
83
from gi.repository import GLib
84
try:
85
import gobject
86
except ImportError:
87
from gi.repository import GObject as gobject
88
import avahi
84
89
from dbus.mainloop.glib import DBusGMainLoop
85
90
import ctypes
86
91
import ctypes.util
87
92
import xml.dom.minidom
88
93
import inspect
89
94
90
# Try to find the value of SO_BINDTODEVICE:
91
95
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
96
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
97
except AttributeError:
96
98
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
99
from IN import SO_BINDTODEVICE
100
100
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
101
SO_BINDTODEVICE = None
114
102
115
103
if sys.version_info.major == 2:
116
104
str = unicode
117
105
118
version = "1.8.5"
106
version = "1.7.1"
119
107
stored_state_file = "clients.pickle"
120
108
121
109
logger = logging.getLogger()
125
113
if_nametoindex = ctypes.cdll.LoadLibrary(
126
114
ctypes.util.find_library("c")).if_nametoindex
127
115
except (OSError, AttributeError):
128
116
129
117
def if_nametoindex(interface):
130
118
"Get an interface index the hard way, i.e. using fcntl()"
131
119
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
124
return interface_index
137
125
138
126
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
155
127
def initlogger(debug, level=logging.WARNING):
156
128
"""init logger and add loglevel"""
157
129
158
130
global syslogger
159
131
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
132
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
address = "/dev/log"))
162
134
syslogger.setFormatter(logging.Formatter
163
135
('Mandos [%(process)d]: %(levelname)s:'
164
136
' %(message)s'))
165
137
logger.addHandler(syslogger)
166
138
167
139
if debug:
168
140
console = logging.StreamHandler()
169
141
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
153
182
154
class PGPEngine(object):
183
155
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
156
185
157
def __init__(self):
186
158
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
198
159
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
160
'--home', self.tempdir,
200
161
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
162
'--quiet',
163
'--no-use-agent']
164
206
165
def __enter__(self):
207
166
return self
208
167
209
168
def __exit__(self, exc_type, exc_value, traceback):
210
169
self._cleanup()
211
170
return False
212
171
213
172
def __del__(self):
214
173
self._cleanup()
215
174
216
175
def _cleanup(self):
217
176
if self.tempdir is not None:
218
177
# Delete contents of tempdir
219
178
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
179
topdown = False):
221
180
for filename in files:
222
181
os.remove(os.path.join(root, filename))
223
182
for dirname in dirs:
225
184
# Remove tempdir
226
185
os.rmdir(self.tempdir)
227
186
self.tempdir = None
228
187
229
188
def password_encode(self, password):
230
189
# Passphrase can not be empty and can not contain newlines or
231
190
# NUL bytes. So we prefix it and hex encode it.
236
195
.replace(b"\n", b"\\n")
237
196
.replace(b"\0", b"\\x00"))
238
197
return encoded
239
198
240
199
def encrypt(self, data, password):
241
200
passphrase = self.password_encode(password)
242
201
with tempfile.NamedTemporaryFile(
243
202
dir=self.tempdir) as passfile:
244
203
passfile.write(passphrase)
245
204
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
205
proc = subprocess.Popen(['gpg', '--symmetric',
247
206
'--passphrase-file',
248
207
passfile.name]
249
208
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
254
213
if proc.returncode != 0:
255
214
raise PGPError(err)
256
215
return ciphertext
257
216
258
217
def decrypt(self, data, password):
259
218
passphrase = self.password_encode(password)
260
219
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
220
dir = self.tempdir) as passfile:
262
221
passfile.write(passphrase)
263
222
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
223
proc = subprocess.Popen(['gpg', '--decrypt',
265
224
'--passphrase-file',
266
225
passfile.name]
267
226
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
272
231
if proc.returncode != 0:
273
232
raise PGPError(err)
274
233
return decrypted_plaintext
275
234
276
235
277
# Pretend that we have an Avahi module
278
class avahi(object):
279
"""This isn't so much a class as it is a module-like namespace."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
@staticmethod
290
def string_array_to_txt_array(t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
302
303
236
class AvahiError(Exception):
304
237
def __init__(self, value, *args, **kwargs):
305
238
self.value = value
317
250
318
251
class AvahiService(object):
319
252
"""An Avahi (Zeroconf) service.
320
253
321
254
Attributes:
322
255
interface: integer; avahi.IF_UNSPEC or an interface index.
323
256
Used to optionally bind to the specified interface.
335
268
server: D-Bus Server
336
269
bus: dbus.SystemBus()
337
270
"""
338
271
339
272
def __init__(self,
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
273
interface = avahi.IF_UNSPEC,
274
name = None,
275
servicetype = None,
276
port = None,
277
TXT = None,
278
domain = "",
279
host = "",
280
max_renames = 32768,
281
protocol = avahi.PROTO_UNSPEC,
282
bus = None):
350
283
self.interface = interface
351
284
self.name = name
352
285
self.type = servicetype
361
294
self.server = None
362
295
self.bus = bus
363
296
self.entry_group_state_changed_match = None
364
297
365
298
def rename(self, remove=True):
366
299
"""Derived from the Avahi example code"""
367
300
if self.rename_count >= self.max_renames:
387
320
logger.critical("D-Bus Exception", exc_info=error)
388
321
self.cleanup()
389
322
os._exit(1)
390
323
391
324
def remove(self):
392
325
"""Derived from the Avahi example code"""
393
326
if self.entry_group_state_changed_match is not None:
395
328
self.entry_group_state_changed_match = None
396
329
if self.group is not None:
397
330
self.group.Reset()
398
331
399
332
def add(self):
400
333
"""Derived from the Avahi example code"""
401
334
self.remove()
418
351
dbus.UInt16(self.port),
419
352
avahi.string_array_to_txt_array(self.TXT))
420
353
self.group.Commit()
421
354
422
355
def entry_group_state_changed(self, state, error):
423
356
"""Derived from the Avahi example code"""
424
357
logger.debug("Avahi entry group state change: %i", state)
425
358
426
359
if state == avahi.ENTRY_GROUP_ESTABLISHED:
427
360
logger.debug("Zeroconf service established.")
428
361
elif state == avahi.ENTRY_GROUP_COLLISION:
432
365
logger.critical("Avahi: Error in group state changed %s",
433
366
str(error))
434
367
raise AvahiGroupError("State changed: {!s}".format(error))
435
368
436
369
def cleanup(self):
437
370
"""Derived from the Avahi example code"""
438
371
if self.group is not None:
443
376
pass
444
377
self.group = None
445
378
self.remove()
446
379
447
380
def server_state_changed(self, state, error=None):
448
381
"""Derived from the Avahi example code"""
449
382
logger.debug("Avahi server state change: %i", state)
478
411
logger.debug("Unknown state: %r", state)
479
412
else:
480
413
logger.debug("Unknown state: %r: %r", state, error)
481
414
482
415
def activate(self):
483
416
"""Derived from the Avahi example code"""
484
417
if self.server is None:
495
428
class AvahiServiceToSyslog(AvahiService):
496
429
def rename(self, *args, **kwargs):
497
430
"""Add the new name to the syslog messages"""
498
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
431
ret = AvahiService.rename(self, *args, **kwargs)
499
432
syslogger.setFormatter(logging.Formatter(
500
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
501
434
.format(self.name)))
502
435
return ret
503
436
504
505
# Pretend that we have a GnuTLS module
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
508
509
library = ctypes.util.find_library("gnutls")
510
if library is None:
511
library = ctypes.util.find_library("gnutls-deb0")
512
_library = ctypes.cdll.LoadLibrary(library)
513
del library
514
515
# Unless otherwise indicated, the constants and types below are
516
# all from the gnutls/gnutls.h C header file.
517
518
# Constants
519
E_SUCCESS = 0
520
E_INTERRUPTED = -52
521
E_AGAIN = -28
522
CRT_OPENPGP = 2
523
CRT_RAWPK = 3
524
CLIENT = 2
525
SHUT_RDWR = 0
526
CRD_CERTIFICATE = 1
527
E_NO_CERTIFICATE_FOUND = -49
528
X509_FMT_DER = 0
529
NO_TICKETS = 1<<10
530
ENABLE_RAWPK = 1<<18
531
CTYPE_PEERS = 3
532
KEYID_USE_SHA256 = 1 # gnutls/x509.h
533
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
534
535
# Types
536
class session_int(ctypes.Structure):
537
_fields_ = []
538
session_t = ctypes.POINTER(session_int)
539
540
class certificate_credentials_st(ctypes.Structure):
541
_fields_ = []
542
certificate_credentials_t = ctypes.POINTER(
543
certificate_credentials_st)
544
certificate_type_t = ctypes.c_int
545
546
class datum_t(ctypes.Structure):
547
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
548
('size', ctypes.c_uint)]
549
550
class openpgp_crt_int(ctypes.Structure):
551
_fields_ = []
552
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
553
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
554
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
555
credentials_type_t = ctypes.c_int
556
transport_ptr_t = ctypes.c_void_p
557
close_request_t = ctypes.c_int
558
559
# Exceptions
560
class Error(Exception):
561
def __init__(self, message=None, code=None, args=()):
562
# Default usage is by a message string, but if a return
563
# code is passed, convert it to a string with
564
# gnutls.strerror()
565
self.code = code
566
if message is None and code is not None:
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
569
message, *args)
570
571
class CertificateSecurityError(Error):
572
pass
573
574
# Classes
575
class Credentials(object):
576
def __init__(self):
577
self._c_object = gnutls.certificate_credentials_t()
578
gnutls.certificate_allocate_credentials(
579
ctypes.byref(self._c_object))
580
self.type = gnutls.CRD_CERTIFICATE
581
582
def __del__(self):
583
gnutls.certificate_free_credentials(self._c_object)
584
585
class ClientSession(object):
586
def __init__(self, socket, credentials=None):
587
self._c_object = gnutls.session_t()
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version(b"3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
591
if gnutls.has_rawpk:
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
del gnutls_flags
595
gnutls.set_default_priority(self._c_object)
596
gnutls.transport_set_ptr(self._c_object, socket.fileno())
597
gnutls.handshake_set_private_extensions(self._c_object,
598
True)
599
self.socket = socket
600
if credentials is None:
601
credentials = gnutls.Credentials()
602
gnutls.credentials_set(self._c_object, credentials.type,
603
ctypes.cast(credentials._c_object,
604
ctypes.c_void_p))
605
self.credentials = credentials
606
607
def __del__(self):
608
gnutls.deinit(self._c_object)
609
610
def handshake(self):
611
return gnutls.handshake(self._c_object)
612
613
def send(self, data):
614
data = bytes(data)
615
data_len = len(data)
616
while data_len > 0:
617
data_len -= gnutls.record_send(self._c_object,
618
data[-data_len:],
619
data_len)
620
621
def bye(self):
622
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
623
624
# Error handling functions
625
def _error_code(result):
626
"""A function to raise exceptions on errors, suitable
627
for the 'restype' attribute on ctypes functions"""
628
if result >= 0:
629
return result
630
if result == gnutls.E_NO_CERTIFICATE_FOUND:
631
raise gnutls.CertificateSecurityError(code=result)
632
raise gnutls.Error(code=result)
633
634
def _retry_on_error(result, func, arguments):
635
"""A function to retry on some errors, suitable
636
for the 'errcheck' attribute on ctypes functions"""
637
while result < 0:
638
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
639
return _error_code(result)
640
result = func(*arguments)
641
return result
642
643
# Unless otherwise indicated, the function declarations below are
644
# all from the gnutls/gnutls.h C header file.
645
646
# Functions
647
priority_set_direct = _library.gnutls_priority_set_direct
648
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
649
ctypes.POINTER(ctypes.c_char_p)]
650
priority_set_direct.restype = _error_code
651
652
init = _library.gnutls_init
653
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
654
init.restype = _error_code
655
656
set_default_priority = _library.gnutls_set_default_priority
657
set_default_priority.argtypes = [session_t]
658
set_default_priority.restype = _error_code
659
660
record_send = _library.gnutls_record_send
661
record_send.argtypes = [session_t, ctypes.c_void_p,
662
ctypes.c_size_t]
663
record_send.restype = ctypes.c_ssize_t
664
record_send.errcheck = _retry_on_error
665
666
certificate_allocate_credentials = (
667
_library.gnutls_certificate_allocate_credentials)
668
certificate_allocate_credentials.argtypes = [
669
ctypes.POINTER(certificate_credentials_t)]
670
certificate_allocate_credentials.restype = _error_code
671
672
certificate_free_credentials = (
673
_library.gnutls_certificate_free_credentials)
674
certificate_free_credentials.argtypes = [
675
certificate_credentials_t]
676
certificate_free_credentials.restype = None
677
678
handshake_set_private_extensions = (
679
_library.gnutls_handshake_set_private_extensions)
680
handshake_set_private_extensions.argtypes = [session_t,
681
ctypes.c_int]
682
handshake_set_private_extensions.restype = None
683
684
credentials_set = _library.gnutls_credentials_set
685
credentials_set.argtypes = [session_t, credentials_type_t,
686
ctypes.c_void_p]
687
credentials_set.restype = _error_code
688
689
strerror = _library.gnutls_strerror
690
strerror.argtypes = [ctypes.c_int]
691
strerror.restype = ctypes.c_char_p
692
693
certificate_type_get = _library.gnutls_certificate_type_get
694
certificate_type_get.argtypes = [session_t]
695
certificate_type_get.restype = _error_code
696
697
certificate_get_peers = _library.gnutls_certificate_get_peers
698
certificate_get_peers.argtypes = [session_t,
699
ctypes.POINTER(ctypes.c_uint)]
700
certificate_get_peers.restype = ctypes.POINTER(datum_t)
701
702
global_set_log_level = _library.gnutls_global_set_log_level
703
global_set_log_level.argtypes = [ctypes.c_int]
704
global_set_log_level.restype = None
705
706
global_set_log_function = _library.gnutls_global_set_log_function
707
global_set_log_function.argtypes = [log_func]
708
global_set_log_function.restype = None
709
710
deinit = _library.gnutls_deinit
711
deinit.argtypes = [session_t]
712
deinit.restype = None
713
714
handshake = _library.gnutls_handshake
715
handshake.argtypes = [session_t]
716
handshake.restype = _error_code
717
handshake.errcheck = _retry_on_error
718
719
transport_set_ptr = _library.gnutls_transport_set_ptr
720
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
721
transport_set_ptr.restype = None
722
723
bye = _library.gnutls_bye
724
bye.argtypes = [session_t, close_request_t]
725
bye.restype = _error_code
726
bye.errcheck = _retry_on_error
727
728
check_version = _library.gnutls_check_version
729
check_version.argtypes = [ctypes.c_char_p]
730
check_version.restype = ctypes.c_char_p
731
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
736
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
739
740
if has_rawpk:
741
# Types
742
class pubkey_st(ctypes.Structure):
743
_fields = []
744
pubkey_t = ctypes.POINTER(pubkey_st)
745
746
x509_crt_fmt_t = ctypes.c_int
747
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
752
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
x509_crt_fmt_t]
756
pubkey_import.restype = _error_code
757
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
763
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
767
else:
768
# All the function declarations below are from gnutls/openpgp.h
769
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
773
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
777
openpgp_crt_fmt_t]
778
openpgp_crt_import.restype = _error_code
779
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
784
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
788
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
ctypes.c_void_p,
793
ctypes.POINTER(
794
ctypes.c_size_t)]
795
openpgp_crt_get_fingerprint.restype = _error_code
796
797
if check_version(b"3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
801
802
# Remove non-public functions
803
del _error_code, _retry_on_error
804
805
806
437
def call_pipe(connection, # : multiprocessing.Connection
807
438
func, *args, **kwargs):
808
439
"""This function is meant to be called by multiprocessing.Process
809
440
810
441
This function runs func(*args, **kwargs), and writes the resulting
811
442
return value on the provided multiprocessing.Connection.
812
443
"""
813
444
connection.send(func(*args, **kwargs))
814
445
connection.close()
815
446
816
817
447
class Client(object):
818
448
"""A representation of a client host served by this server.
819
449
820
450
Attributes:
821
451
approved: bool(); 'None' if not yet approved/disapproved
822
452
approval_delay: datetime.timedelta(); Time to wait for approval
823
453
approval_duration: datetime.timedelta(); Duration of one approval
824
checker: multiprocessing.Process(); a running checker process used
825
to see if the client lives. 'None' if no process is
826
running.
827
checker_callback_tag: a GLib event source tag, or None
454
checker: subprocess.Popen(); a running checker process used
455
to see if the client lives.
456
'None' if no process is running.
457
checker_callback_tag: a gobject event source tag, or None
828
458
checker_command: string; External command which is run to check
829
459
if client lives. %() expansions are done at
830
460
runtime with vars(self) as dict, so that for
831
461
instance %(name)s can be used in the command.
832
checker_initiator_tag: a GLib event source tag, or None
462
checker_initiator_tag: a gobject event source tag, or None
833
463
created: datetime.datetime(); (UTC) object creation
834
464
client_structure: Object describing what attributes a client has
835
465
and is used for storing the client at exit
836
466
current_checker_command: string; current running checker_command
837
disable_initiator_tag: a GLib event source tag, or None
467
disable_initiator_tag: a gobject event source tag, or None
838
468
enabled: bool()
839
469
fingerprint: string (40 or 32 hexadecimal digits); used to
840
uniquely identify an OpenPGP client
841
key_id: string (64 hexadecimal digits); used to uniquely identify
842
a client using raw public keys
470
uniquely identify the client
843
471
host: string; available for use by the checker command
844
472
interval: datetime.timedelta(); How often to start a new checker
845
473
last_approval_request: datetime.datetime(); (UTC) or None
861
489
disabled, or None
862
490
server_settings: The server_settings dict from main()
863
491
"""
864
492
865
493
runtime_expansions = ("approval_delay", "approval_duration",
866
"created", "enabled", "expires", "key_id",
494
"created", "enabled", "expires",
867
495
"fingerprint", "host", "interval",
868
496
"last_approval_request", "last_checked_ok",
869
497
"last_enabled", "name", "timeout")
878
506
"approved_by_default": "True",
879
507
"enabled": "True",
880
508
}
881
509
882
510
@staticmethod
883
511
def config_parser(config):
884
512
"""Construct a new dict of client settings of this form:
891
519
for client_name in config.sections():
892
520
section = dict(config.items(client_name))
893
521
client = settings[client_name] = {}
894
522
895
523
client["host"] = section["host"]
896
524
# Reformat values from string types to Python types
897
525
client["approved_by_default"] = config.getboolean(
898
526
client_name, "approved_by_default")
899
527
client["enabled"] = config.getboolean(client_name,
900
528
"enabled")
901
902
# Uppercase and remove spaces from key_id and fingerprint
903
# for later comparison purposes with return value from the
904
# key_id() and fingerprint() functions
905
client["key_id"] = (section.get("key_id", "").upper()
906
.replace(" ", ""))
529
530
# Uppercase and remove spaces from fingerprint for later
531
# comparison purposes with return value from the
532
# fingerprint() function
907
533
client["fingerprint"] = (section["fingerprint"].upper()
908
534
.replace(" ", ""))
909
535
if "secret" in section:
910
client["secret"] = codecs.decode(section["secret"]
911
.encode("utf-8"),
912
"base64")
536
client["secret"] = section["secret"].decode("base64")
913
537
elif "secfile" in section:
914
538
with open(os.path.expanduser(os.path.expandvars
915
539
(section["secfile"])),
930
554
client["last_approval_request"] = None
931
555
client["last_checked_ok"] = None
932
556
client["last_checker_status"] = -2
933
557
934
558
return settings
935
936
def __init__(self, settings, name=None, server_settings=None):
559
560
def __init__(self, settings, name = None, server_settings=None):
937
561
self.name = name
938
562
if server_settings is None:
939
563
server_settings = {}
941
565
# adding all client settings
942
566
for setting, value in settings.items():
943
567
setattr(self, setting, value)
944
568
945
569
if self.enabled:
946
570
if not hasattr(self, "last_enabled"):
947
571
self.last_enabled = datetime.datetime.utcnow()
951
575
else:
952
576
self.last_enabled = None
953
577
self.expires = None
954
578
955
579
logger.debug("Creating client %r", self.name)
956
logger.debug(" Key ID: %s", self.key_id)
957
580
logger.debug(" Fingerprint: %s", self.fingerprint)
958
581
self.created = settings.get("created",
959
582
datetime.datetime.utcnow())
960
583
961
584
# attributes specific for this server instance
962
585
self.checker = None
963
586
self.checker_initiator_tag = None
969
592
self.changedstate = multiprocessing_manager.Condition(
970
593
multiprocessing_manager.Lock())
971
594
self.client_structure = [attr
972
for attr in self.__dict__.keys()
595
for attr in self.__dict__.iterkeys()
973
596
if not attr.startswith("_")]
974
597
self.client_structure.append("client_structure")
975
598
976
599
for name, t in inspect.getmembers(
977
600
type(self), lambda obj: isinstance(obj, property)):
978
601
if not name.startswith("_"):
979
602
self.client_structure.append(name)
980
603
981
604
# Send notice to process children that client state has changed
982
605
def send_changedstate(self):
983
606
with self.changedstate:
984
607
self.changedstate.notify_all()
985
608
986
609
def enable(self):
987
610
"""Start this client's checker and timeout hooks"""
988
611
if getattr(self, "enabled", False):
993
616
self.last_enabled = datetime.datetime.utcnow()
994
617
self.init_checker()
995
618
self.send_changedstate()
996
619
997
620
def disable(self, quiet=True):
998
621
"""Disable this client."""
999
622
if not getattr(self, "enabled", False):
1001
624
if not quiet:
1002
625
logger.info("Disabling client %s", self.name)
1003
626
if getattr(self, "disable_initiator_tag", None) is not None:
1004
GLib.source_remove(self.disable_initiator_tag)
627
gobject.source_remove(self.disable_initiator_tag)
1005
628
self.disable_initiator_tag = None
1006
629
self.expires = None
1007
630
if getattr(self, "checker_initiator_tag", None) is not None:
1008
GLib.source_remove(self.checker_initiator_tag)
631
gobject.source_remove(self.checker_initiator_tag)
1009
632
self.checker_initiator_tag = None
1010
633
self.stop_checker()
1011
634
self.enabled = False
1012
635
if not quiet:
1013
636
self.send_changedstate()
1014
# Do not run this again if called by a GLib.timeout_add
637
# Do not run this again if called by a gobject.timeout_add
1015
638
return False
1016
639
1017
640
def __del__(self):
1018
641
self.disable()
1019
642
1020
643
def init_checker(self):
1021
644
# Schedule a new checker to be started an 'interval' from now,
1022
645
# and every interval from then on.
1023
646
if self.checker_initiator_tag is not None:
1024
GLib.source_remove(self.checker_initiator_tag)
1025
self.checker_initiator_tag = GLib.timeout_add(
647
gobject.source_remove(self.checker_initiator_tag)
648
self.checker_initiator_tag = gobject.timeout_add(
1026
649
int(self.interval.total_seconds() * 1000),
1027
650
self.start_checker)
1028
651
# Schedule a disable() when 'timeout' has passed
1029
652
if self.disable_initiator_tag is not None:
1030
GLib.source_remove(self.disable_initiator_tag)
1031
self.disable_initiator_tag = GLib.timeout_add(
653
gobject.source_remove(self.disable_initiator_tag)
654
self.disable_initiator_tag = gobject.timeout_add(
1032
655
int(self.timeout.total_seconds() * 1000), self.disable)
1033
656
# Also start a new checker *right now*.
1034
657
self.start_checker()
1035
658
1036
659
def checker_callback(self, source, condition, connection,
1037
660
command):
1038
661
"""The checker has completed, so take appropriate actions."""
662
self.checker_callback_tag = None
663
self.checker = None
1039
664
# Read return code from connection (see call_pipe)
1040
665
returncode = connection.recv()
1041
666
connection.close()
1042
self.checker.join()
1043
self.checker_callback_tag = None
1044
self.checker = None
1045
667
1046
668
if returncode >= 0:
1047
669
self.last_checker_status = returncode
1048
670
self.last_checker_signal = None
1058
680
logger.warning("Checker for %(name)s crashed?",
1059
681
vars(self))
1060
682
return False
1061
683
1062
684
def checked_ok(self):
1063
685
"""Assert that the client has been seen, alive and well."""
1064
686
self.last_checked_ok = datetime.datetime.utcnow()
1065
687
self.last_checker_status = 0
1066
688
self.last_checker_signal = None
1067
689
self.bump_timeout()
1068
690
1069
691
def bump_timeout(self, timeout=None):
1070
692
"""Bump up the timeout for this client."""
1071
693
if timeout is None:
1072
694
timeout = self.timeout
1073
695
if self.disable_initiator_tag is not None:
1074
GLib.source_remove(self.disable_initiator_tag)
696
gobject.source_remove(self.disable_initiator_tag)
1075
697
self.disable_initiator_tag = None
1076
698
if getattr(self, "enabled", False):
1077
self.disable_initiator_tag = GLib.timeout_add(
699
self.disable_initiator_tag = gobject.timeout_add(
1078
700
int(timeout.total_seconds() * 1000), self.disable)
1079
701
self.expires = datetime.datetime.utcnow() + timeout
1080
702
1081
703
def need_approval(self):
1082
704
self.last_approval_request = datetime.datetime.utcnow()
1083
705
1084
706
def start_checker(self):
1085
707
"""Start a new checker subprocess if one is not running.
1086
708
1087
709
If a checker already exists, leave it running and do
1088
710
nothing."""
1089
711
# The reason for not killing a running checker is that if we
1094
716
# checkers alone, the checker would have to take more time
1095
717
# than 'timeout' for the client to be disabled, which is as it
1096
718
# should be.
1097
719
1098
720
if self.checker is not None and not self.checker.is_alive():
1099
721
logger.warning("Checker was not alive; joining")
1100
722
self.checker.join()
1104
726
# Escape attributes for the shell
1105
727
escaped_attrs = {
1106
728
attr: re.escape(str(getattr(self, attr)))
1107
for attr in self.runtime_expansions}
729
for attr in self.runtime_expansions }
1108
730
try:
1109
731
command = self.checker_command % escaped_attrs
1110
732
except TypeError as error:
1122
744
# The exception is when not debugging but nevertheless
1123
745
# running in the foreground; use the previously
1124
746
# created wnull.
1125
popen_args = {"close_fds": True,
1126
"shell": True,
1127
"cwd": "/"}
747
popen_args = { "close_fds": True,
748
"shell": True,
749
"cwd": "/" }
1128
750
if (not self.server_settings["debug"]
1129
751
and self.server_settings["foreground"]):
1130
752
popen_args.update({"stdout": wnull,
1131
"stderr": wnull})
1132
pipe = multiprocessing.Pipe(duplex=False)
753
"stderr": wnull })
754
pipe = multiprocessing.Pipe(duplex = False)
1133
755
self.checker = multiprocessing.Process(
1134
target=call_pipe,
1135
args=(pipe[1], subprocess.call, command),
1136
kwargs=popen_args)
756
target = call_pipe,
757
args = (pipe[1], subprocess.call, command),
758
kwargs = popen_args)
1137
759
self.checker.start()
1138
self.checker_callback_tag = GLib.io_add_watch(
1139
pipe[0].fileno(), GLib.IO_IN,
760
self.checker_callback_tag = gobject.io_add_watch(
761
pipe[0].fileno(), gobject.IO_IN,
1140
762
self.checker_callback, pipe[0], command)
1141
# Re-run this periodically if run by GLib.timeout_add
763
# Re-run this periodically if run by gobject.timeout_add
1142
764
return True
1143
765
1144
766
def stop_checker(self):
1145
767
"""Force the checker process, if any, to stop."""
1146
768
if self.checker_callback_tag:
1147
GLib.source_remove(self.checker_callback_tag)
769
gobject.source_remove(self.checker_callback_tag)
1148
770
self.checker_callback_tag = None
1149
771
if getattr(self, "checker", None) is None:
1150
772
return
1159
781
byte_arrays=False):
1160
782
"""Decorators for marking methods of a DBusObjectWithProperties to
1161
783
become properties on the D-Bus.
1162
784
1163
785
The decorated method will be called with no arguments by "Get"
1164
786
and with one argument by "Set".
1165
787
1166
788
The parameters, where they are supported, are the same as
1167
789
dbus.service.method, except there is only "signature", since the
1168
790
type from Get() and the type sent to Set() is the same.
1172
794
if byte_arrays and signature != "ay":
1173
795
raise ValueError("Byte arrays not supported for non-'ay'"
1174
796
" signature {!r}".format(signature))
1175
797
1176
798
def decorator(func):
1177
799
func._dbus_is_property = True
1178
800
func._dbus_interface = dbus_interface
1181
803
func._dbus_name = func.__name__
1182
804
if func._dbus_name.endswith("_dbus_property"):
1183
805
func._dbus_name = func._dbus_name[:-14]
1184
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
806
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1185
807
return func
1186
808
1187
809
return decorator
1188
810
1189
811
1190
812
def dbus_interface_annotations(dbus_interface):
1191
813
"""Decorator for marking functions returning interface annotations
1192
814
1193
815
Usage:
1194
816
1195
817
@dbus_interface_annotations("org.example.Interface")
1196
818
def _foo(self): # Function name does not matter
1197
819
return {"org.freedesktop.DBus.Deprecated": "true",
1198
820
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1199
821
"false"}
1200
822
"""
1201
823
1202
824
def decorator(func):
1203
825
func._dbus_is_interface = True
1204
826
func._dbus_interface = dbus_interface
1205
827
func._dbus_name = dbus_interface
1206
828
return func
1207
829
1208
830
return decorator
1209
831
1210
832
1211
833
def dbus_annotations(annotations):
1212
834
"""Decorator to annotate D-Bus methods, signals or properties
1213
835
Usage:
1214
836
1215
837
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1216
838
"org.freedesktop.DBus.Property."
1217
839
"EmitsChangedSignal": "false"})
1219
841
access="r")
1220
842
def Property_dbus_property(self):
1221
843
return dbus.Boolean(False)
1222
844
1223
845
See also the DBusObjectWithAnnotations class.
1224
846
"""
1225
847
1226
848
def decorator(func):
1227
849
func._dbus_annotations = annotations
1228
850
return func
1229
851
1230
852
return decorator
1231
853
1232
854
1250
872
1251
873
class DBusObjectWithAnnotations(dbus.service.Object):
1252
874
"""A D-Bus object with annotations.
1253
875
1254
876
Classes inheriting from this can use the dbus_annotations
1255
877
decorator to add annotations to methods or signals.
1256
878
"""
1257
879
1258
880
@staticmethod
1259
881
def _is_dbus_thing(thing):
1260
882
"""Returns a function testing if an attribute is a D-Bus thing
1261
883
1262
884
If called like _is_dbus_thing("method") it returns a function
1263
885
suitable for use as predicate to inspect.getmembers().
1264
886
"""
1265
887
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1266
888
False)
1267
889
1268
890
def _get_all_dbus_things(self, thing):
1269
891
"""Returns a generator of (name, attribute) pairs
1270
892
"""
1273
895
for cls in self.__class__.__mro__
1274
896
for name, athing in
1275
897
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1276
898
1277
899
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1278
out_signature="s",
1279
path_keyword='object_path',
1280
connection_keyword='connection')
900
out_signature = "s",
901
path_keyword = 'object_path',
902
connection_keyword = 'connection')
1281
903
def Introspect(self, object_path, connection):
1282
904
"""Overloading of standard D-Bus method.
1283
905
1284
906
Inserts annotation tags on methods and signals.
1285
907
"""
1286
908
xmlstring = dbus.service.Object.Introspect(self, object_path,
1287
909
connection)
1288
910
try:
1289
911
document = xml.dom.minidom.parseString(xmlstring)
1290
912
1291
913
for if_tag in document.getElementsByTagName("interface"):
1292
914
# Add annotation tags
1293
915
for typ in ("method", "signal"):
1320
942
if_tag.appendChild(ann_tag)
1321
943
# Fix argument name for the Introspect method itself
1322
944
if (if_tag.getAttribute("name")
1323
== dbus.INTROSPECTABLE_IFACE):
945
== dbus.INTROSPECTABLE_IFACE):
1324
946
for cn in if_tag.getElementsByTagName("method"):
1325
947
if cn.getAttribute("name") == "Introspect":
1326
948
for arg in cn.getElementsByTagName("arg"):
1339
961
1340
962
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1341
963
"""A D-Bus object with properties.
1342
964
1343
965
Classes inheriting from this can use the dbus_service_property
1344
966
decorator to expose methods as D-Bus properties. It exposes the
1345
967
standard Get(), Set(), and GetAll() methods on the D-Bus.
1346
968
"""
1347
969
1348
970
def _get_dbus_property(self, interface_name, property_name):
1349
971
"""Returns a bound method if one exists which is a D-Bus
1350
972
property with the specified name and interface.
1355
977
if (value._dbus_name == property_name
1356
978
and value._dbus_interface == interface_name):
1357
979
return value.__get__(self)
1358
980
1359
981
# No such property
1360
982
raise DBusPropertyNotFound("{}:{}.{}".format(
1361
983
self.dbus_object_path, interface_name, property_name))
1362
984
1363
985
@classmethod
1364
986
def _get_all_interface_names(cls):
1365
987
"""Get a sequence of all interfaces supported by an object"""
1368
990
for x in (inspect.getmro(cls))
1369
991
for attr in dir(x))
1370
992
if name is not None)
1371
993
1372
994
@dbus.service.method(dbus.PROPERTIES_IFACE,
1373
995
in_signature="ss",
1374
996
out_signature="v")
1382
1004
if not hasattr(value, "variant_level"):
1383
1005
return value
1384
1006
return type(value)(value, variant_level=value.variant_level+1)
1385
1007
1386
1008
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1387
1009
def Set(self, interface_name, property_name, value):
1388
1010
"""Standard D-Bus property Set() method, see D-Bus standard.
1400
1022
value = dbus.ByteArray(b''.join(chr(byte)
1401
1023
for byte in value))
1402
1024
prop(value)
1403
1025
1404
1026
@dbus.service.method(dbus.PROPERTIES_IFACE,
1405
1027
in_signature="s",
1406
1028
out_signature="a{sv}")
1407
1029
def GetAll(self, interface_name):
1408
1030
"""Standard D-Bus property GetAll() method, see D-Bus
1409
1031
standard.
1410
1032
1411
1033
Note: Will not include properties with access="write".
1412
1034
"""
1413
1035
properties = {}
1424
1046
properties[name] = value
1425
1047
continue
1426
1048
properties[name] = type(value)(
1427
value, variant_level=value.variant_level + 1)
1049
value, variant_level = value.variant_level + 1)
1428
1050
return dbus.Dictionary(properties, signature="sv")
1429
1051
1430
1052
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1431
1053
def PropertiesChanged(self, interface_name, changed_properties,
1432
1054
invalidated_properties):
1434
1056
standard.
1435
1057
"""
1436
1058
pass
1437
1059
1438
1060
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1439
1061
out_signature="s",
1440
1062
path_keyword='object_path',
1441
1063
connection_keyword='connection')
1442
1064
def Introspect(self, object_path, connection):
1443
1065
"""Overloading of standard D-Bus method.
1444
1066
1445
1067
Inserts property tags and interface annotation tags.
1446
1068
"""
1447
1069
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1449
1071
connection)
1450
1072
try:
1451
1073
document = xml.dom.minidom.parseString(xmlstring)
1452
1074
1453
1075
def make_tag(document, name, prop):
1454
1076
e = document.createElement("property")
1455
1077
e.setAttribute("name", name)
1456
1078
e.setAttribute("type", prop._dbus_signature)
1457
1079
e.setAttribute("access", prop._dbus_access)
1458
1080
return e
1459
1081
1460
1082
for if_tag in document.getElementsByTagName("interface"):
1461
1083
# Add property tags
1462
1084
for tag in (make_tag(document, name, prop)
1504
1126
exc_info=error)
1505
1127
return xmlstring
1506
1128
1507
1508
1129
try:
1509
1130
dbus.OBJECT_MANAGER_IFACE
1510
1131
except AttributeError:
1511
1132
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1512
1133
1513
1514
1134
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1515
1135
"""A D-Bus object with an ObjectManager.
1516
1136
1517
1137
Classes inheriting from this exposes the standard
1518
1138
GetManagedObjects call and the InterfacesAdded and
1519
1139
InterfacesRemoved signals on the standard
1520
1140
"org.freedesktop.DBus.ObjectManager" interface.
1521
1141
1522
1142
Note: No signals are sent automatically; they must be sent
1523
1143
manually.
1524
1144
"""
1525
1145
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1526
out_signature="a{oa{sa{sv}}}")
1146
out_signature = "a{oa{sa{sv}}}")
1527
1147
def GetManagedObjects(self):
1528
1148
"""This function must be overridden"""
1529
1149
raise NotImplementedError()
1530
1150
1531
1151
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1532
signature="oa{sa{sv}}")
1152
signature = "oa{sa{sv}}")
1533
1153
def InterfacesAdded(self, object_path, interfaces_and_properties):
1534
1154
pass
1535
1536
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1155
1156
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1537
1157
def InterfacesRemoved(self, object_path, interfaces):
1538
1158
pass
1539
1159
1540
1160
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1541
out_signature="s",
1542
path_keyword='object_path',
1543
connection_keyword='connection')
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1544
1164
def Introspect(self, object_path, connection):
1545
1165
"""Overloading of standard D-Bus method.
1546
1166
1547
1167
Override return argument name of GetManagedObjects to be
1548
1168
"objpath_interfaces_and_properties"
1549
1169
"""
1552
1172
connection)
1553
1173
try:
1554
1174
document = xml.dom.minidom.parseString(xmlstring)
1555
1175
1556
1176
for if_tag in document.getElementsByTagName("interface"):
1557
1177
# Fix argument name for the GetManagedObjects method
1558
1178
if (if_tag.getAttribute("name")
1559
== dbus.OBJECT_MANAGER_IFACE):
1179
== dbus.OBJECT_MANAGER_IFACE):
1560
1180
for cn in if_tag.getElementsByTagName("method"):
1561
1181
if (cn.getAttribute("name")
1562
1182
== "GetManagedObjects"):
1572
1192
except (AttributeError, xml.dom.DOMException,
1573
1193
xml.parsers.expat.ExpatError) as error:
1574
1194
logger.error("Failed to override Introspection method",
1575
exc_info=error)
1195
exc_info = error)
1576
1196
return xmlstring
1577
1197
1578
1579
1198
def datetime_to_dbus(dt, variant_level=0):
1580
1199
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1581
1200
if dt is None:
1582
return dbus.String("", variant_level=variant_level)
1201
return dbus.String("", variant_level = variant_level)
1583
1202
return dbus.String(dt.isoformat(), variant_level=variant_level)
1584
1203
1585
1204
1588
1207
dbus.service.Object, it will add alternate D-Bus attributes with
1589
1208
interface names according to the "alt_interface_names" mapping.
1590
1209
Usage:
1591
1210
1592
1211
@alternate_dbus_interfaces({"org.example.Interface":
1593
1212
"net.example.AlternateInterface"})
1594
1213
class SampleDBusObject(dbus.service.Object):
1595
1214
@dbus.service.method("org.example.Interface")
1596
1215
def SampleDBusMethod():
1597
1216
pass
1598
1217
1599
1218
The above "SampleDBusMethod" on "SampleDBusObject" will be
1600
1219
reachable via two interfaces: "org.example.Interface" and
1601
1220
"net.example.AlternateInterface", the latter of which will have
1602
1221
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1603
1222
"true", unless "deprecate" is passed with a False value.
1604
1223
1605
1224
This works for methods and signals, and also for D-Bus properties
1606
1225
(from DBusObjectWithProperties) and interfaces (from the
1607
1226
dbus_interface_annotations decorator).
1608
1227
"""
1609
1228
1610
1229
def wrapper(cls):
1611
1230
for orig_interface_name, alt_interface_name in (
1612
1231
alt_interface_names.items()):
1627
1246
interface_names.add(alt_interface)
1628
1247
# Is this a D-Bus signal?
1629
1248
if getattr(attribute, "_dbus_is_signal", False):
1630
# Extract the original non-method undecorated
1631
# function by black magic
1632
1249
if sys.version_info.major == 2:
1250
# Extract the original non-method undecorated
1251
# function by black magic
1633
1252
nonmethod_func = (dict(
1634
1253
zip(attribute.func_code.co_freevars,
1635
1254
attribute.__closure__))
1636
1255
["func"].cell_contents)
1637
1256
else:
1638
nonmethod_func = (dict(
1639
zip(attribute.__code__.co_freevars,
1640
attribute.__closure__))
1641
["func"].cell_contents)
1257
nonmethod_func = attribute
1642
1258
# Create a new, but exactly alike, function
1643
1259
# object, and decorate it to be a new D-Bus signal
1644
1260
# with the alternate D-Bus interface name
1645
new_function = copy_function(nonmethod_func)
1261
if sys.version_info.major == 2:
1262
new_function = types.FunctionType(
1263
nonmethod_func.func_code,
1264
nonmethod_func.func_globals,
1265
nonmethod_func.func_name,
1266
nonmethod_func.func_defaults,
1267
nonmethod_func.func_closure)
1268
else:
1269
new_function = types.FunctionType(
1270
nonmethod_func.__code__,
1271
nonmethod_func.__globals__,
1272
nonmethod_func.__name__,
1273
nonmethod_func.__defaults__,
1274
nonmethod_func.__closure__)
1646
1275
new_function = (dbus.service.signal(
1647
1276
alt_interface,
1648
1277
attribute._dbus_signature)(new_function))
1652
1281
attribute._dbus_annotations)
1653
1282
except AttributeError:
1654
1283
pass
1655
1656
1284
# Define a creator of a function to call both the
1657
1285
# original and alternate functions, so both the
1658
1286
# original and alternate signals gets sent when
1661
1289
"""This function is a scope container to pass
1662
1290
func1 and func2 to the "call_both" function
1663
1291
outside of its arguments"""
1664
1292
1665
1293
@functools.wraps(func2)
1666
1294
def call_both(*args, **kwargs):
1667
1295
"""This function will emit two D-Bus
1668
1296
signals by calling func1 and func2"""
1669
1297
func1(*args, **kwargs)
1670
1298
func2(*args, **kwargs)
1671
# Make wrapper function look like a D-Bus
1672
# signal
1299
# Make wrapper function look like a D-Bus signal
1673
1300
for name, attr in inspect.getmembers(func2):
1674
1301
if name.startswith("_dbus_"):
1675
1302
setattr(call_both, name, attr)
1676
1303
1677
1304
return call_both
1678
1305
# Create the "call_both" function and add it to
1679
1306
# the class
1689
1316
alt_interface,
1690
1317
attribute._dbus_in_signature,
1691
1318
attribute._dbus_out_signature)
1692
(copy_function(attribute)))
1319
(types.FunctionType(attribute.func_code,
1320
attribute.func_globals,
1321
attribute.func_name,
1322
attribute.func_defaults,
1323
attribute.func_closure)))
1693
1324
# Copy annotations, if any
1694
1325
try:
1695
1326
attr[attrname]._dbus_annotations = dict(
1707
1338
attribute._dbus_access,
1708
1339
attribute._dbus_get_args_options
1709
1340
["byte_arrays"])
1710
(copy_function(attribute)))
1341
(types.FunctionType(
1342
attribute.func_code,
1343
attribute.func_globals,
1344
attribute.func_name,
1345
attribute.func_defaults,
1346
attribute.func_closure)))
1711
1347
# Copy annotations, if any
1712
1348
try:
1713
1349
attr[attrname]._dbus_annotations = dict(
1722
1358
# to the class.
1723
1359
attr[attrname] = (
1724
1360
dbus_interface_annotations(alt_interface)
1725
(copy_function(attribute)))
1361
(types.FunctionType(attribute.func_code,
1362
attribute.func_globals,
1363
attribute.func_name,
1364
attribute.func_defaults,
1365
attribute.func_closure)))
1726
1366
if deprecate:
1727
1367
# Deprecate all alternate interfaces
1728
iname = "_AlternateDBusNames_interface_annotation{}"
1368
iname="_AlternateDBusNames_interface_annotation{}"
1729
1369
for interface_name in interface_names:
1730
1370
1731
1371
@dbus_interface_annotations(interface_name)
1732
1372
def func(self):
1733
return {"org.freedesktop.DBus.Deprecated":
1734
"true"}
1373
return { "org.freedesktop.DBus.Deprecated":
1374
"true" }
1735
1375
# Find an unused name
1736
1376
for aname in (iname.format(i)
1737
1377
for i in itertools.count()):
1741
1381
if interface_names:
1742
1382
# Replace the class with a new subclass of it with
1743
1383
# methods, signals, etc. as created above.
1744
if sys.version_info.major == 2:
1745
cls = type(b"{}Alternate".format(cls.__name__),
1746
(cls, ), attr)
1747
else:
1748
cls = type("{}Alternate".format(cls.__name__),
1749
(cls, ), attr)
1384
cls = type(b"{}Alternate".format(cls.__name__),
1385
(cls, ), attr)
1750
1386
return cls
1751
1387
1752
1388
return wrapper
1753
1389
1754
1390
1756
1392
"se.bsnet.fukt.Mandos"})
1757
1393
class ClientDBus(Client, DBusObjectWithProperties):
1758
1394
"""A Client class using D-Bus
1759
1395
1760
1396
Attributes:
1761
1397
dbus_object_path: dbus.ObjectPath
1762
1398
bus: dbus.SystemBus()
1763
1399
"""
1764
1400
1765
1401
runtime_expansions = (Client.runtime_expansions
1766
1402
+ ("dbus_object_path", ))
1767
1403
1768
1404
_interface = "se.recompile.Mandos.Client"
1769
1405
1770
1406
# dbus.service.Object doesn't use super(), so we can't either.
1771
1772
def __init__(self, bus=None, *args, **kwargs):
1407
1408
def __init__(self, bus = None, *args, **kwargs):
1773
1409
self.bus = bus
1774
1410
Client.__init__(self, *args, **kwargs)
1775
1411
# Only now, when this client is initialized, can it show up on
1781
1417
"/clients/" + client_object_name)
1782
1418
DBusObjectWithProperties.__init__(self, self.bus,
1783
1419
self.dbus_object_path)
1784
1420
1785
1421
def notifychangeproperty(transform_func, dbus_name,
1786
1422
type_func=lambda x: x,
1787
1423
variant_level=1,
1789
1425
_interface=_interface):
1790
1426
""" Modify a variable so that it's a property which announces
1791
1427
its changes to DBus.
1792
1428
1793
1429
transform_fun: Function that takes a value and a variant_level
1794
1430
and transforms it to a D-Bus type.
1795
1431
dbus_name: D-Bus name of the variable
1798
1434
variant_level: D-Bus variant level. Default: 1
1799
1435
"""
1800
1436
attrname = "_{}".format(dbus_name)
1801
1437
1802
1438
def setter(self, value):
1803
1439
if hasattr(self, "dbus_object_path"):
1804
1440
if (not hasattr(self, attrname) or
1811
1447
else:
1812
1448
dbus_value = transform_func(
1813
1449
type_func(value),
1814
variant_level=variant_level)
1450
variant_level = variant_level)
1815
1451
self.PropertyChanged(dbus.String(dbus_name),
1816
1452
dbus_value)
1817
1453
self.PropertiesChanged(
1818
1454
_interface,
1819
dbus.Dictionary({dbus.String(dbus_name):
1820
dbus_value}),
1455
dbus.Dictionary({ dbus.String(dbus_name):
1456
dbus_value }),
1821
1457
dbus.Array())
1822
1458
setattr(self, attrname, value)
1823
1459
1824
1460
return property(lambda self: getattr(self, attrname), setter)
1825
1461
1826
1462
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1827
1463
approvals_pending = notifychangeproperty(dbus.Boolean,
1828
1464
"ApprovalPending",
1829
type_func=bool)
1465
type_func = bool)
1830
1466
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1831
1467
last_enabled = notifychangeproperty(datetime_to_dbus,
1832
1468
"LastEnabled")
1833
1469
checker = notifychangeproperty(
1834
1470
dbus.Boolean, "CheckerRunning",
1835
type_func=lambda checker: checker is not None)
1471
type_func = lambda checker: checker is not None)
1836
1472
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1837
1473
"LastCheckedOK")
1838
1474
last_checker_status = notifychangeproperty(dbus.Int16,
1843
1479
"ApprovedByDefault")
1844
1480
approval_delay = notifychangeproperty(
1845
1481
dbus.UInt64, "ApprovalDelay",
1846
type_func=lambda td: td.total_seconds() * 1000)
1482
type_func = lambda td: td.total_seconds() * 1000)
1847
1483
approval_duration = notifychangeproperty(
1848
1484
dbus.UInt64, "ApprovalDuration",
1849
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1850
1486
host = notifychangeproperty(dbus.String, "Host")
1851
1487
timeout = notifychangeproperty(
1852
1488
dbus.UInt64, "Timeout",
1853
type_func=lambda td: td.total_seconds() * 1000)
1489
type_func = lambda td: td.total_seconds() * 1000)
1854
1490
extended_timeout = notifychangeproperty(
1855
1491
dbus.UInt64, "ExtendedTimeout",
1856
type_func=lambda td: td.total_seconds() * 1000)
1492
type_func = lambda td: td.total_seconds() * 1000)
1857
1493
interval = notifychangeproperty(
1858
1494
dbus.UInt64, "Interval",
1859
type_func=lambda td: td.total_seconds() * 1000)
1495
type_func = lambda td: td.total_seconds() * 1000)
1860
1496
checker_command = notifychangeproperty(dbus.String, "Checker")
1861
1497
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1862
1498
invalidate_only=True)
1863
1499
1864
1500
del notifychangeproperty
1865
1501
1866
1502
def __del__(self, *args, **kwargs):
1867
1503
try:
1868
1504
self.remove_from_connection()
1871
1507
if hasattr(DBusObjectWithProperties, "__del__"):
1872
1508
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1873
1509
Client.__del__(self, *args, **kwargs)
1874
1510
1875
1511
def checker_callback(self, source, condition,
1876
1512
connection, command, *args, **kwargs):
1877
1513
ret = Client.checker_callback(self, source, condition,
1893
1529
| self.last_checker_signal),
1894
1530
dbus.String(command))
1895
1531
return ret
1896
1532
1897
1533
def start_checker(self, *args, **kwargs):
1898
1534
old_checker_pid = getattr(self.checker, "pid", None)
1899
1535
r = Client.start_checker(self, *args, **kwargs)
1903
1539
# Emit D-Bus signal
1904
1540
self.CheckerStarted(self.current_checker_command)
1905
1541
return r
1906
1542
1907
1543
def _reset_approved(self):
1908
1544
self.approved = None
1909
1545
return False
1910
1546
1911
1547
def approve(self, value=True):
1912
1548
self.approved = value
1913
GLib.timeout_add(int(self.approval_duration.total_seconds()
1914
* 1000), self._reset_approved)
1549
gobject.timeout_add(int(self.approval_duration.total_seconds()
1550
* 1000), self._reset_approved)
1915
1551
self.send_changedstate()
1916
1917
# D-Bus methods, signals & properties
1918
1919
# Interfaces
1920
1921
# Signals
1922
1552
1553
## D-Bus methods, signals & properties
1554
1555
## Interfaces
1556
1557
## Signals
1558
1923
1559
# CheckerCompleted - signal
1924
1560
@dbus.service.signal(_interface, signature="nxs")
1925
1561
def CheckerCompleted(self, exitcode, waitstatus, command):
1926
1562
"D-Bus signal"
1927
1563
pass
1928
1564
1929
1565
# CheckerStarted - signal
1930
1566
@dbus.service.signal(_interface, signature="s")
1931
1567
def CheckerStarted(self, command):
1932
1568
"D-Bus signal"
1933
1569
pass
1934
1570
1935
1571
# PropertyChanged - signal
1936
1572
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1937
1573
@dbus.service.signal(_interface, signature="sv")
1938
1574
def PropertyChanged(self, property, value):
1939
1575
"D-Bus signal"
1940
1576
pass
1941
1577
1942
1578
# GotSecret - signal
1943
1579
@dbus.service.signal(_interface)
1944
1580
def GotSecret(self):
1947
1583
server to mandos-client
1948
1584
"""
1949
1585
pass
1950
1586
1951
1587
# Rejected - signal
1952
1588
@dbus.service.signal(_interface, signature="s")
1953
1589
def Rejected(self, reason):
1954
1590
"D-Bus signal"
1955
1591
pass
1956
1592
1957
1593
# NeedApproval - signal
1958
1594
@dbus.service.signal(_interface, signature="tb")
1959
1595
def NeedApproval(self, timeout, default):
1960
1596
"D-Bus signal"
1961
1597
return self.need_approval()
1962
1963
# Methods
1964
1598
1599
## Methods
1600
1965
1601
# Approve - method
1966
1602
@dbus.service.method(_interface, in_signature="b")
1967
1603
def Approve(self, value):
1968
1604
self.approve(value)
1969
1605
1970
1606
# CheckedOK - method
1971
1607
@dbus.service.method(_interface)
1972
1608
def CheckedOK(self):
1973
1609
self.checked_ok()
1974
1610
1975
1611
# Enable - method
1976
1612
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1977
1613
@dbus.service.method(_interface)
1978
1614
def Enable(self):
1979
1615
"D-Bus method"
1980
1616
self.enable()
1981
1617
1982
1618
# StartChecker - method
1983
1619
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1984
1620
@dbus.service.method(_interface)
1985
1621
def StartChecker(self):
1986
1622
"D-Bus method"
1987
1623
self.start_checker()
1988
1624
1989
1625
# Disable - method
1990
1626
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1991
1627
@dbus.service.method(_interface)
1992
1628
def Disable(self):
1993
1629
"D-Bus method"
1994
1630
self.disable()
1995
1631
1996
1632
# StopChecker - method
1997
1633
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1998
1634
@dbus.service.method(_interface)
1999
1635
def StopChecker(self):
2000
1636
self.stop_checker()
2001
2002
# Properties
2003
1637
1638
## Properties
1639
2004
1640
# ApprovalPending - property
2005
1641
@dbus_service_property(_interface, signature="b", access="read")
2006
1642
def ApprovalPending_dbus_property(self):
2007
1643
return dbus.Boolean(bool(self.approvals_pending))
2008
1644
2009
1645
# ApprovedByDefault - property
2010
1646
@dbus_service_property(_interface,
2011
1647
signature="b",
2014
1650
if value is None: # get
2015
1651
return dbus.Boolean(self.approved_by_default)
2016
1652
self.approved_by_default = bool(value)
2017
1653
2018
1654
# ApprovalDelay - property
2019
1655
@dbus_service_property(_interface,
2020
1656
signature="t",
2024
1660
return dbus.UInt64(self.approval_delay.total_seconds()
2025
1661
* 1000)
2026
1662
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2027
1663
2028
1664
# ApprovalDuration - property
2029
1665
@dbus_service_property(_interface,
2030
1666
signature="t",
2034
1670
return dbus.UInt64(self.approval_duration.total_seconds()
2035
1671
* 1000)
2036
1672
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2037
1673
2038
1674
# Name - property
2039
1675
@dbus_annotations(
2040
1676
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2041
1677
@dbus_service_property(_interface, signature="s", access="read")
2042
1678
def Name_dbus_property(self):
2043
1679
return dbus.String(self.name)
2044
2045
# KeyID - property
2046
@dbus_annotations(
2047
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2048
@dbus_service_property(_interface, signature="s", access="read")
2049
def KeyID_dbus_property(self):
2050
return dbus.String(self.key_id)
2051
1680
2052
1681
# Fingerprint - property
2053
1682
@dbus_annotations(
2054
1683
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2055
1684
@dbus_service_property(_interface, signature="s", access="read")
2056
1685
def Fingerprint_dbus_property(self):
2057
1686
return dbus.String(self.fingerprint)
2058
1687
2059
1688
# Host - property
2060
1689
@dbus_service_property(_interface,
2061
1690
signature="s",
2064
1693
if value is None: # get
2065
1694
return dbus.String(self.host)
2066
1695
self.host = str(value)
2067
1696
2068
1697
# Created - property
2069
1698
@dbus_annotations(
2070
1699
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2071
1700
@dbus_service_property(_interface, signature="s", access="read")
2072
1701
def Created_dbus_property(self):
2073
1702
return datetime_to_dbus(self.created)
2074
1703
2075
1704
# LastEnabled - property
2076
1705
@dbus_service_property(_interface, signature="s", access="read")
2077
1706
def LastEnabled_dbus_property(self):
2078
1707
return datetime_to_dbus(self.last_enabled)
2079
1708
2080
1709
# Enabled - property
2081
1710
@dbus_service_property(_interface,
2082
1711
signature="b",
2088
1717
self.enable()
2089
1718
else:
2090
1719
self.disable()
2091
1720
2092
1721
# LastCheckedOK - property
2093
1722
@dbus_service_property(_interface,
2094
1723
signature="s",
2098
1727
self.checked_ok()
2099
1728
return
2100
1729
return datetime_to_dbus(self.last_checked_ok)
2101
1730
2102
1731
# LastCheckerStatus - property
2103
1732
@dbus_service_property(_interface, signature="n", access="read")
2104
1733
def LastCheckerStatus_dbus_property(self):
2105
1734
return dbus.Int16(self.last_checker_status)
2106
1735
2107
1736
# Expires - property
2108
1737
@dbus_service_property(_interface, signature="s", access="read")
2109
1738
def Expires_dbus_property(self):
2110
1739
return datetime_to_dbus(self.expires)
2111
1740
2112
1741
# LastApprovalRequest - property
2113
1742
@dbus_service_property(_interface, signature="s", access="read")
2114
1743
def LastApprovalRequest_dbus_property(self):
2115
1744
return datetime_to_dbus(self.last_approval_request)
2116
1745
2117
1746
# Timeout - property
2118
1747
@dbus_service_property(_interface,
2119
1748
signature="t",
2134
1763
if (getattr(self, "disable_initiator_tag", None)
2135
1764
is None):
2136
1765
return
2137
GLib.source_remove(self.disable_initiator_tag)
2138
self.disable_initiator_tag = GLib.timeout_add(
1766
gobject.source_remove(self.disable_initiator_tag)
1767
self.disable_initiator_tag = gobject.timeout_add(
2139
1768
int((self.expires - now).total_seconds() * 1000),
2140
1769
self.disable)
2141
1770
2142
1771
# ExtendedTimeout - property
2143
1772
@dbus_service_property(_interface,
2144
1773
signature="t",
2148
1777
return dbus.UInt64(self.extended_timeout.total_seconds()
2149
1778
* 1000)
2150
1779
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2151
1780
2152
1781
# Interval - property
2153
1782
@dbus_service_property(_interface,
2154
1783
signature="t",
2161
1790
return
2162
1791
if self.enabled:
2163
1792
# Reschedule checker run
2164
GLib.source_remove(self.checker_initiator_tag)
2165
self.checker_initiator_tag = GLib.timeout_add(
1793
gobject.source_remove(self.checker_initiator_tag)
1794
self.checker_initiator_tag = gobject.timeout_add(
2166
1795
value, self.start_checker)
2167
self.start_checker() # Start one now, too
2168
1796
self.start_checker() # Start one now, too
1797
2169
1798
# Checker - property
2170
1799
@dbus_service_property(_interface,
2171
1800
signature="s",
2174
1803
if value is None: # get
2175
1804
return dbus.String(self.checker_command)
2176
1805
self.checker_command = str(value)
2177
1806
2178
1807
# CheckerRunning - property
2179
1808
@dbus_service_property(_interface,
2180
1809
signature="b",
2186
1815
self.start_checker()
2187
1816
else:
2188
1817
self.stop_checker()
2189
1818
2190
1819
# ObjectPath - property
2191
1820
@dbus_annotations(
2192
1821
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2193
1822
"org.freedesktop.DBus.Deprecated": "true"})
2194
1823
@dbus_service_property(_interface, signature="o", access="read")
2195
1824
def ObjectPath_dbus_property(self):
2196
return self.dbus_object_path # is already a dbus.ObjectPath
2197
1825
return self.dbus_object_path # is already a dbus.ObjectPath
1826
2198
1827
# Secret = property
2199
1828
@dbus_annotations(
2200
1829
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2205
1834
byte_arrays=True)
2206
1835
def Secret_dbus_property(self, value):
2207
1836
self.secret = bytes(value)
2208
1837
2209
1838
del _interface
2210
1839
2211
1840
2212
1841
class ProxyClient(object):
2213
def __init__(self, child_pipe, key_id, fpr, address):
1842
def __init__(self, child_pipe, fpr, address):
2214
1843
self._pipe = child_pipe
2215
self._pipe.send(('init', key_id, fpr, address))
1844
self._pipe.send(('init', fpr, address))
2216
1845
if not self._pipe.recv():
2217
raise KeyError(key_id or fpr)
2218
1846
raise KeyError(fpr)
1847
2219
1848
def __getattribute__(self, name):
2220
1849
if name == '_pipe':
2221
1850
return super(ProxyClient, self).__getattribute__(name)
2224
1853
if data[0] == 'data':
2225
1854
return data[1]
2226
1855
if data[0] == 'function':
2227
1856
2228
1857
def func(*args, **kwargs):
2229
1858
self._pipe.send(('funcall', name, args, kwargs))
2230
1859
return self._pipe.recv()[1]
2231
1860
2232
1861
return func
2233
1862
2234
1863
def __setattr__(self, name, value):
2235
1864
if name == '_pipe':
2236
1865
return super(ProxyClient, self).__setattr__(name, value)
2239
1868
2240
1869
class ClientHandler(socketserver.BaseRequestHandler, object):
2241
1870
"""A class to handle client connections.
2242
1871
2243
1872
Instantiated once for each connection to handle it.
2244
1873
Note: This will run in its own forked process."""
2245
1874
2246
1875
def handle(self):
2247
1876
with contextlib.closing(self.server.child_pipe) as child_pipe:
2248
1877
logger.info("TCP connection from: %s",
2249
1878
str(self.client_address))
2250
1879
logger.debug("Pipe FD: %d",
2251
1880
self.server.child_pipe.fileno())
2252
2253
session = gnutls.ClientSession(self.request)
2254
2255
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2256
# "+AES-256-CBC", "+SHA1",
2257
# "+COMP-NULL", "+CTYPE-OPENPGP",
2258
# "+DHE-DSS"))
1881
1882
session = gnutls.connection.ClientSession(
1883
self.request, gnutls.connection.X509Credentials())
1884
1885
# Note: gnutls.connection.X509Credentials is really a
1886
# generic GnuTLS certificate credentials object so long as
1887
# no X.509 keys are added to it. Therefore, we can use it
1888
# here despite using OpenPGP certificates.
1889
1890
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1891
# "+AES-256-CBC", "+SHA1",
1892
# "+COMP-NULL", "+CTYPE-OPENPGP",
1893
# "+DHE-DSS"))
2259
1894
# Use a fallback default, since this MUST be set.
2260
1895
priority = self.server.gnutls_priority
2261
1896
if priority is None:
2262
1897
priority = "NORMAL"
2263
gnutls.priority_set_direct(session._c_object,
2264
priority.encode("utf-8"),
2265
None)
2266
1898
gnutls.library.functions.gnutls_priority_set_direct(
1899
session._c_object, priority, None)
1900
2267
1901
# Start communication using the Mandos protocol
2268
1902
# Get protocol number
2269
1903
line = self.request.makefile().readline()
2274
1908
except (ValueError, IndexError, RuntimeError) as error:
2275
1909
logger.error("Unknown protocol version: %s", error)
2276
1910
return
2277
1911
2278
1912
# Start GnuTLS connection
2279
1913
try:
2280
1914
session.handshake()
2281
except gnutls.Error as error:
1915
except gnutls.errors.GNUTLSError as error:
2282
1916
logger.warning("Handshake failed: %s", error)
2283
1917
# Do not run session.bye() here: the session is not
2284
1918
# established. Just abandon the request.
2285
1919
return
2286
1920
logger.debug("Handshake succeeded")
2287
1921
2288
1922
approval_required = False
2289
1923
try:
2290
if gnutls.has_rawpk:
2291
fpr = b""
2292
try:
2293
key_id = self.key_id(
2294
self.peer_certificate(session))
2295
except (TypeError, gnutls.Error) as error:
2296
logger.warning("Bad certificate: %s", error)
2297
return
2298
logger.debug("Key ID: %s", key_id)
2299
2300
else:
2301
key_id = b""
2302
try:
2303
fpr = self.fingerprint(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2307
return
2308
logger.debug("Fingerprint: %s", fpr)
2309
2310
try:
2311
client = ProxyClient(child_pipe, key_id, fpr,
1924
try:
1925
fpr = self.fingerprint(
1926
self.peer_certificate(session))
1927
except (TypeError,
1928
gnutls.errors.GNUTLSError) as error:
1929
logger.warning("Bad certificate: %s", error)
1930
return
1931
logger.debug("Fingerprint: %s", fpr)
1932
1933
try:
1934
client = ProxyClient(child_pipe, fpr,
2312
1935
self.client_address)
2313
1936
except KeyError:
2314
1937
return
2315
1938
2316
1939
if client.approval_delay:
2317
1940
delay = client.approval_delay
2318
1941
client.approvals_pending += 1
2319
1942
approval_required = True
2320
1943
2321
1944
while True:
2322
1945
if not client.enabled:
2323
1946
logger.info("Client %s is disabled",
2326
1949
# Emit D-Bus signal
2327
1950
client.Rejected("Disabled")
2328
1951
return
2329
1952
2330
1953
if client.approved or not client.approval_delay:
2331
# We are approved or approval is disabled
1954
#We are approved or approval is disabled
2332
1955
break
2333
1956
elif client.approved is None:
2334
1957
logger.info("Client %s needs approval",
2345
1968
# Emit D-Bus signal
2346
1969
client.Rejected("Denied")
2347
1970
return
2348
2349
# wait until timeout or approved
1971
1972
#wait until timeout or approved
2350
1973
time = datetime.datetime.now()
2351
1974
client.changedstate.acquire()
2352
1975
client.changedstate.wait(delay.total_seconds())
2365
1988
break
2366
1989
else:
2367
1990
delay -= time2 - time
2368
2369
try:
2370
session.send(client.secret)
2371
except gnutls.Error as error:
2372
logger.warning("gnutls send failed",
2373
exc_info=error)
2374
return
2375
1991
1992
sent_size = 0
1993
while sent_size < len(client.secret):
1994
try:
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
1998
exc_info=error)
1999
return
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2002
+ sent))
2003
sent_size += sent
2004
2376
2005
logger.info("Sending secret to %s", client.name)
2377
2006
# bump the timeout using extended_timeout
2378
2007
client.bump_timeout(client.extended_timeout)
2379
2008
if self.server.use_dbus:
2380
2009
# Emit D-Bus signal
2381
2010
client.GotSecret()
2382
2011
2383
2012
finally:
2384
2013
if approval_required:
2385
2014
client.approvals_pending -= 1
2386
2015
try:
2387
2016
session.bye()
2388
except gnutls.Error as error:
2017
except gnutls.errors.GNUTLSError as error:
2389
2018
logger.warning("GnuTLS bye failed",
2390
2019
exc_info=error)
2391
2020
2392
2021
@staticmethod
2393
2022
def peer_certificate(session):
2394
"Return the peer's certificate as a bytestring"
2395
try:
2396
cert_type = gnutls.certificate_type_get2(session._c_object,
2397
gnutls.CTYPE_PEERS)
2398
except AttributeError:
2399
cert_type = gnutls.certificate_type_get(session._c_object)
2400
if gnutls.has_rawpk:
2401
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2402
else:
2403
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2404
# If not a valid certificate type...
2405
if cert_type not in valid_cert_types:
2406
logger.info("Cert type %r not in %r", cert_type,
2407
valid_cert_types)
2408
# ...return invalid data
2409
return b""
2023
"Return the peer's OpenPGP certificate as a bytestring"
2024
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2026
session._c_object)
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2410
2030
list_size = ctypes.c_uint(1)
2411
cert_list = (gnutls.certificate_get_peers
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2412
2033
(session._c_object, ctypes.byref(list_size)))
2413
2034
if not bool(cert_list) and list_size.value != 0:
2414
raise gnutls.Error("error getting peer certificate")
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2036
" certificate")
2415
2037
if list_size.value == 0:
2416
2038
return None
2417
2039
cert = cert_list[0]
2418
2040
return ctypes.string_at(cert.data, cert.size)
2419
2420
@staticmethod
2421
def key_id(certificate):
2422
"Convert a certificate bytestring to a hexdigit key ID"
2423
# New GnuTLS "datum" with the public key
2424
datum = gnutls.datum_t(
2425
ctypes.cast(ctypes.c_char_p(certificate),
2426
ctypes.POINTER(ctypes.c_ubyte)),
2427
ctypes.c_uint(len(certificate)))
2428
# XXX all these need to be created in the gnutls "module"
2429
# New empty GnuTLS certificate
2430
pubkey = gnutls.pubkey_t()
2431
gnutls.pubkey_init(ctypes.byref(pubkey))
2432
# Import the raw public key into the certificate
2433
gnutls.pubkey_import(pubkey,
2434
ctypes.byref(datum),
2435
gnutls.X509_FMT_DER)
2436
# New buffer for the key ID
2437
buf = ctypes.create_string_buffer(32)
2438
buf_len = ctypes.c_size_t(len(buf))
2439
# Get the key ID from the raw public key into the buffer
2440
gnutls.pubkey_get_key_id(pubkey,
2441
gnutls.KEYID_USE_SHA256,
2442
ctypes.cast(ctypes.byref(buf),
2443
ctypes.POINTER(ctypes.c_ubyte)),
2444
ctypes.byref(buf_len))
2445
# Deinit the certificate
2446
gnutls.pubkey_deinit(pubkey)
2447
2448
# Convert the buffer to a Python bytestring
2449
key_id = ctypes.string_at(buf, buf_len.value)
2450
# Convert the bytestring to hexadecimal notation
2451
hex_key_id = binascii.hexlify(key_id).upper()
2452
return hex_key_id
2453
2041
2454
2042
@staticmethod
2455
2043
def fingerprint(openpgp):
2456
2044
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2457
2045
# New GnuTLS "datum" with the OpenPGP public key
2458
datum = gnutls.datum_t(
2046
datum = gnutls.library.types.gnutls_datum_t(
2459
2047
ctypes.cast(ctypes.c_char_p(openpgp),
2460
2048
ctypes.POINTER(ctypes.c_ubyte)),
2461
2049
ctypes.c_uint(len(openpgp)))
2462
2050
# New empty GnuTLS certificate
2463
crt = gnutls.openpgp_crt_t()
2464
gnutls.openpgp_crt_init(ctypes.byref(crt))
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2053
ctypes.byref(crt))
2465
2054
# Import the OpenPGP public key into the certificate
2466
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2467
gnutls.OPENPGP_FMT_RAW)
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2468
2058
# Verify the self signature in the key
2469
2059
crtverify = ctypes.c_uint()
2470
gnutls.openpgp_crt_verify_self(crt, 0,
2471
ctypes.byref(crtverify))
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2472
2062
if crtverify.value != 0:
2473
gnutls.openpgp_crt_deinit(crt)
2474
raise gnutls.CertificateSecurityError(code
2475
=crtverify.value)
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2065
"Verify failed")
2476
2066
# New buffer for the fingerprint
2477
2067
buf = ctypes.create_string_buffer(20)
2478
2068
buf_len = ctypes.c_size_t()
2479
2069
# Get the fingerprint from the certificate into the buffer
2480
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2481
ctypes.byref(buf_len))
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2482
2072
# Deinit the certificate
2483
gnutls.openpgp_crt_deinit(crt)
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2484
2074
# Convert the buffer to a Python bytestring
2485
2075
fpr = ctypes.string_at(buf, buf_len.value)
2486
2076
# Convert the bytestring to hexadecimal notation
2490
2080
2491
2081
class MultiprocessingMixIn(object):
2492
2082
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2493
2083
2494
2084
def sub_process_main(self, request, address):
2495
2085
try:
2496
2086
self.finish_request(request, address)
2497
2087
except Exception:
2498
2088
self.handle_error(request, address)
2499
2089
self.close_request(request)
2500
2090
2501
2091
def process_request(self, request, address):
2502
2092
"""Start a new process to process the request."""
2503
proc = multiprocessing.Process(target=self.sub_process_main,
2504
args=(request, address))
2093
proc = multiprocessing.Process(target = self.sub_process_main,
2094
args = (request, address))
2505
2095
proc.start()
2506
2096
return proc
2507
2097
2508
2098
2509
2099
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2510
2100
""" adds a pipe to the MixIn """
2511
2101
2512
2102
def process_request(self, request, client_address):
2513
2103
"""Overrides and wraps the original process_request().
2514
2104
2515
2105
This function creates a new pipe in self.pipe
2516
2106
"""
2517
2107
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2518
2108
2519
2109
proc = MultiprocessingMixIn.process_request(self, request,
2520
2110
client_address)
2521
2111
self.child_pipe.close()
2522
2112
self.add_pipe(parent_pipe, proc)
2523
2113
2524
2114
def add_pipe(self, parent_pipe, proc):
2525
2115
"""Dummy function; override as necessary"""
2526
2116
raise NotImplementedError()
2529
2119
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2530
2120
socketserver.TCPServer, object):
2531
2121
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2532
2122
2533
2123
Attributes:
2534
2124
enabled: Boolean; whether this server is activated yet
2535
2125
interface: None or a network interface name (string)
2536
2126
use_ipv6: Boolean; to use IPv6 or not
2537
2127
"""
2538
2128
2539
2129
def __init__(self, server_address, RequestHandlerClass,
2540
2130
interface=None,
2541
2131
use_ipv6=True,
2551
2141
self.socketfd = socketfd
2552
2142
# Save the original socket.socket() function
2553
2143
self.socket_socket = socket.socket
2554
2555
2144
# To implement --socket, we monkey patch socket.socket.
2556
#
2145
#
2557
2146
# (When socketserver.TCPServer is a new-style class, we
2558
2147
# could make self.socket into a property instead of monkey
2559
2148
# patching socket.socket.)
2560
#
2149
#
2561
2150
# Create a one-time-only replacement for socket.socket()
2562
2151
@functools.wraps(socket.socket)
2563
2152
def socket_wrapper(*args, **kwargs):
2575
2164
# socket_wrapper(), if socketfd was set.
2576
2165
socketserver.TCPServer.__init__(self, server_address,
2577
2166
RequestHandlerClass)
2578
2167
2579
2168
def server_bind(self):
2580
2169
"""This overrides the normal server_bind() function
2581
2170
to bind to an interface if one was specified, and also NOT to
2582
2171
bind to an address or port if they were not specified."""
2583
global SO_BINDTODEVICE
2584
2172
if self.interface is not None:
2585
2173
if SO_BINDTODEVICE is None:
2586
# Fall back to a hard-coded value which seems to be
2587
# common enough.
2588
logger.warning("SO_BINDTODEVICE not found, trying 25")
2589
SO_BINDTODEVICE = 25
2590
try:
2591
self.socket.setsockopt(
2592
socket.SOL_SOCKET, SO_BINDTODEVICE,
2593
(self.interface + "\0").encode("utf-8"))
2594
except socket.error as error:
2595
if error.errno == errno.EPERM:
2596
logger.error("No permission to bind to"
2597
" interface %s", self.interface)
2598
elif error.errno == errno.ENOPROTOOPT:
2599
logger.error("SO_BINDTODEVICE not available;"
2600
" cannot bind to interface %s",
2601
self.interface)
2602
elif error.errno == errno.ENODEV:
2603
logger.error("Interface %s does not exist,"
2604
" cannot bind", self.interface)
2605
else:
2606
raise
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2176
self.interface)
2177
else:
2178
try:
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2189
self.interface)
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2193
else:
2194
raise
2607
2195
# Only bind(2) the socket if we really need to.
2608
2196
if self.server_address[0] or self.server_address[1]:
2609
if self.server_address[1]:
2610
self.allow_reuse_address = True
2611
2197
if not self.server_address[0]:
2612
2198
if self.address_family == socket.AF_INET6:
2613
any_address = "::" # in6addr_any
2199
any_address = "::" # in6addr_any
2614
2200
else:
2615
any_address = "0.0.0.0" # INADDR_ANY
2201
any_address = "0.0.0.0" # INADDR_ANY
2616
2202
self.server_address = (any_address,
2617
2203
self.server_address[1])
2618
2204
elif not self.server_address[1]:
2628
2214
2629
2215
class MandosServer(IPv6_TCPServer):
2630
2216
"""Mandos server.
2631
2217
2632
2218
Attributes:
2633
2219
clients: set of Client objects
2634
2220
gnutls_priority GnuTLS priority string
2635
2221
use_dbus: Boolean; to emit D-Bus signals or not
2636
2637
Assumes a GLib.MainLoop event loop.
2222
2223
Assumes a gobject.MainLoop event loop.
2638
2224
"""
2639
2225
2640
2226
def __init__(self, server_address, RequestHandlerClass,
2641
2227
interface=None,
2642
2228
use_ipv6=True,
2652
2238
self.gnutls_priority = gnutls_priority
2653
2239
IPv6_TCPServer.__init__(self, server_address,
2654
2240
RequestHandlerClass,
2655
interface=interface,
2656
use_ipv6=use_ipv6,
2657
socketfd=socketfd)
2658
2241
interface = interface,
2242
use_ipv6 = use_ipv6,
2243
socketfd = socketfd)
2244
2659
2245
def server_activate(self):
2660
2246
if self.enabled:
2661
2247
return socketserver.TCPServer.server_activate(self)
2662
2248
2663
2249
def enable(self):
2664
2250
self.enabled = True
2665
2251
2666
2252
def add_pipe(self, parent_pipe, proc):
2667
2253
# Call "handle_ipc" for both data and EOF events
2668
GLib.io_add_watch(
2254
gobject.io_add_watch(
2669
2255
parent_pipe.fileno(),
2670
GLib.IO_IN | GLib.IO_HUP,
2256
gobject.IO_IN | gobject.IO_HUP,
2671
2257
functools.partial(self.handle_ipc,
2672
parent_pipe=parent_pipe,
2673
proc=proc))
2674
2258
parent_pipe = parent_pipe,
2259
proc = proc))
2260
2675
2261
def handle_ipc(self, source, condition,
2676
2262
parent_pipe=None,
2677
proc=None,
2263
proc = None,
2678
2264
client_object=None):
2679
2265
# error, or the other end of multiprocessing.Pipe has closed
2680
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2681
2267
# Wait for other process to exit
2682
2268
proc.join()
2683
2269
return False
2684
2270
2685
2271
# Read a request from the child
2686
2272
request = parent_pipe.recv()
2687
2273
command = request[0]
2688
2274
2689
2275
if command == 'init':
2690
key_id = request[1].decode("ascii")
2691
fpr = request[2].decode("ascii")
2692
address = request[3]
2693
2694
for c in self.clients.values():
2695
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2696
continue
2697
if key_id and c.key_id == key_id:
2698
client = c
2699
break
2700
if fpr and c.fingerprint == fpr:
2276
fpr = request[1]
2277
address = request[2]
2278
2279
for c in self.clients.itervalues():
2280
if c.fingerprint == fpr:
2701
2281
client = c
2702
2282
break
2703
2283
else:
2704
logger.info("Client not found for key ID: %s, address"
2705
": %s", key_id or fpr, address)
2284
logger.info("Client not found for fingerprint: %s, ad"
2285
"dress: %s", fpr, address)
2706
2286
if self.use_dbus:
2707
2287
# Emit D-Bus signal
2708
mandos_dbus_service.ClientNotFound(key_id or fpr,
2288
mandos_dbus_service.ClientNotFound(fpr,
2709
2289
address[0])
2710
2290
parent_pipe.send(False)
2711
2291
return False
2712
2713
GLib.io_add_watch(
2292
2293
gobject.io_add_watch(
2714
2294
parent_pipe.fileno(),
2715
GLib.IO_IN | GLib.IO_HUP,
2295
gobject.IO_IN | gobject.IO_HUP,
2716
2296
functools.partial(self.handle_ipc,
2717
parent_pipe=parent_pipe,
2718
proc=proc,
2719
client_object=client))
2297
parent_pipe = parent_pipe,
2298
proc = proc,
2299
client_object = client))
2720
2300
parent_pipe.send(True)
2721
2301
# remove the old hook in favor of the new above hook on
2722
2302
# same fileno
2725
2305
funcname = request[1]
2726
2306
args = request[2]
2727
2307
kwargs = request[3]
2728
2308
2729
2309
parent_pipe.send(('data', getattr(client_object,
2730
2310
funcname)(*args,
2731
2311
**kwargs)))
2732
2312
2733
2313
if command == 'getattr':
2734
2314
attrname = request[1]
2735
2315
if isinstance(client_object.__getattribute__(attrname),
2738
2318
else:
2739
2319
parent_pipe.send((
2740
2320
'data', client_object.__getattribute__(attrname)))
2741
2321
2742
2322
if command == 'setattr':
2743
2323
attrname = request[1]
2744
2324
value = request[2]
2745
2325
setattr(client_object, attrname, value)
2746
2326
2747
2327
return True
2748
2328
2749
2329
2750
2330
def rfc3339_duration_to_delta(duration):
2751
2331
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2752
2332
2753
2333
>>> rfc3339_duration_to_delta("P7D")
2754
2334
datetime.timedelta(7)
2755
2335
>>> rfc3339_duration_to_delta("PT60S")
2765
2345
>>> rfc3339_duration_to_delta("P1DT3M20S")
2766
2346
datetime.timedelta(1, 200)
2767
2347
"""
2768
2348
2769
2349
# Parsing an RFC 3339 duration with regular expressions is not
2770
2350
# possible - there would have to be multiple places for the same
2771
2351
# values, like seconds. The current code, while more esoteric, is
2772
2352
# cleaner without depending on a parsing library. If Python had a
2773
2353
# built-in library for parsing we would use it, but we'd like to
2774
2354
# avoid excessive use of external libraries.
2775
2355
2776
2356
# New type for defining tokens, syntax, and semantics all-in-one
2777
2357
Token = collections.namedtuple("Token", (
2778
2358
"regexp", # To match token; if "value" is not None, must have
2811
2391
frozenset((token_year, token_month,
2812
2392
token_day, token_time,
2813
2393
token_week)))
2814
# Define starting values:
2815
# Value so far
2816
value = datetime.timedelta()
2394
# Define starting values
2395
value = datetime.timedelta() # Value so far
2817
2396
found_token = None
2818
# Following valid tokens
2819
followers = frozenset((token_duration, ))
2820
# String left to parse
2821
s = duration
2397
followers = frozenset((token_duration, )) # Following valid tokens
2398
s = duration # String left to parse
2822
2399
# Loop until end token is found
2823
2400
while found_token is not token_end:
2824
2401
# Search for any currently valid tokens
2848
2425
2849
2426
def string_to_delta(interval):
2850
2427
"""Parse a string and return a datetime.timedelta
2851
2428
2852
2429
>>> string_to_delta('7d')
2853
2430
datetime.timedelta(7)
2854
2431
>>> string_to_delta('60s')
2862
2439
>>> string_to_delta('5m 30s')
2863
2440
datetime.timedelta(0, 330)
2864
2441
"""
2865
2442
2866
2443
try:
2867
2444
return rfc3339_duration_to_delta(interval)
2868
2445
except ValueError:
2869
2446
pass
2870
2447
2871
2448
timevalue = datetime.timedelta(0)
2872
2449
for s in interval.split():
2873
2450
try:
2891
2468
return timevalue
2892
2469
2893
2470
2894
def daemon(nochdir=False, noclose=False):
2471
def daemon(nochdir = False, noclose = False):
2895
2472
"""See daemon(3). Standard BSD Unix function.
2896
2473
2897
2474
This should really exist as os.daemon, but it doesn't (yet)."""
2898
2475
if os.fork():
2899
2476
sys.exit()
2917
2494
2918
2495
2919
2496
def main():
2920
2497
2921
2498
##################################################################
2922
2499
# Parsing of options, both command line and config file
2923
2500
2924
2501
parser = argparse.ArgumentParser()
2925
2502
parser.add_argument("-v", "--version", action="version",
2926
version="%(prog)s {}".format(version),
2503
version = "%(prog)s {}".format(version),
2927
2504
help="show version number and exit")
2928
2505
parser.add_argument("-i", "--interface", metavar="IF",
2929
2506
help="Bind to interface IF")
2965
2542
parser.add_argument("--no-zeroconf", action="store_false",
2966
2543
dest="zeroconf", help="Do not use Zeroconf",
2967
2544
default=None)
2968
2545
2969
2546
options = parser.parse_args()
2970
2547
2971
2548
if options.check:
2972
2549
import doctest
2973
2550
fail_count, test_count = doctest.testmod()
2974
2551
sys.exit(os.EX_OK if fail_count == 0 else 1)
2975
2552
2976
2553
# Default values for config file for server-global settings
2977
if gnutls.has_rawpk:
2978
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2979
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2980
else:
2981
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2982
":+SIGN-DSA-SHA256")
2983
server_defaults = {"interface": "",
2984
"address": "",
2985
"port": "",
2986
"debug": "False",
2987
"priority": priority,
2988
"servicename": "Mandos",
2989
"use_dbus": "True",
2990
"use_ipv6": "True",
2991
"debuglevel": "",
2992
"restore": "True",
2993
"socket": "",
2994
"statedir": "/var/lib/mandos",
2995
"foreground": "False",
2996
"zeroconf": "True",
2997
}
2998
del priority
2999
2554
server_defaults = { "interface": "",
2555
"address": "",
2556
"port": "",
2557
"debug": "False",
2558
"priority":
2559
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2560
":+SIGN-DSA-SHA256",
2561
"servicename": "Mandos",
2562
"use_dbus": "True",
2563
"use_ipv6": "True",
2564
"debuglevel": "",
2565
"restore": "True",
2566
"socket": "",
2567
"statedir": "/var/lib/mandos",
2568
"foreground": "False",
2569
"zeroconf": "True",
2570
}
2571
3000
2572
# Parse config file for server-global settings
3001
2573
server_config = configparser.SafeConfigParser(server_defaults)
3002
2574
del server_defaults
3004
2576
# Convert the SafeConfigParser object to a dict
3005
2577
server_settings = server_config.defaults()
3006
2578
# Use the appropriate methods on the non-string config options
3007
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3008
"foreground", "zeroconf"):
2579
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3009
2580
server_settings[option] = server_config.getboolean("DEFAULT",
3010
2581
option)
3011
2582
if server_settings["port"]:
3021
2592
server_settings["socket"] = os.dup(server_settings
3022
2593
["socket"])
3023
2594
del server_config
3024
2595
3025
2596
# Override the settings from the config file with command line
3026
2597
# options, if set.
3027
2598
for option in ("interface", "address", "port", "debug",
3045
2616
if server_settings["debug"]:
3046
2617
server_settings["foreground"] = True
3047
2618
# Now we have our good server settings in "server_settings"
3048
2619
3049
2620
##################################################################
3050
2621
3051
2622
if (not server_settings["zeroconf"]
3052
2623
and not (server_settings["port"]
3053
2624
or server_settings["socket"] != "")):
3054
2625
parser.error("Needs port or socket to work without Zeroconf")
3055
2626
3056
2627
# For convenience
3057
2628
debug = server_settings["debug"]
3058
2629
debuglevel = server_settings["debuglevel"]
3062
2633
stored_state_file)
3063
2634
foreground = server_settings["foreground"]
3064
2635
zeroconf = server_settings["zeroconf"]
3065
2636
3066
2637
if debug:
3067
2638
initlogger(debug, logging.DEBUG)
3068
2639
else:
3071
2642
else:
3072
2643
level = getattr(logging, debuglevel.upper())
3073
2644
initlogger(debug, level)
3074
2645
3075
2646
if server_settings["servicename"] != "Mandos":
3076
2647
syslogger.setFormatter(
3077
2648
logging.Formatter('Mandos ({}) [%(process)d]:'
3078
2649
' %(levelname)s: %(message)s'.format(
3079
2650
server_settings["servicename"])))
3080
2651
3081
2652
# Parse config file with clients
3082
2653
client_config = configparser.SafeConfigParser(Client
3083
2654
.client_defaults)
3084
2655
client_config.read(os.path.join(server_settings["configdir"],
3085
2656
"clients.conf"))
3086
2657
3087
2658
global mandos_dbus_service
3088
2659
mandos_dbus_service = None
3089
2660
3090
2661
socketfd = None
3091
2662
if server_settings["socket"] != "":
3092
2663
socketfd = server_settings["socket"]
3108
2679
except IOError as e:
3109
2680
logger.error("Could not open file %r", pidfilename,
3110
2681
exc_info=e)
3111
3112
for name, group in (("_mandos", "_mandos"),
3113
("mandos", "mandos"),
3114
("nobody", "nogroup")):
2682
2683
for name in ("_mandos", "mandos", "nobody"):
3115
2684
try:
3116
2685
uid = pwd.getpwnam(name).pw_uid
3117
gid = pwd.getpwnam(group).pw_gid
2686
gid = pwd.getpwnam(name).pw_gid
3118
2687
break
3119
2688
except KeyError:
3120
2689
continue
3124
2693
try:
3125
2694
os.setgid(gid)
3126
2695
os.setuid(uid)
3127
if debug:
3128
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3129
gid))
3130
2696
except OSError as error:
3131
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3132
.format(uid, gid, os.strerror(error.errno)))
3133
2697
if error.errno != errno.EPERM:
3134
2698
raise
3135
2699
3136
2700
if debug:
3137
2701
# Enable all possible GnuTLS debugging
3138
2702
3139
2703
# "Use a log level over 10 to enable all debugging options."
3140
2704
# - GnuTLS manual
3141
gnutls.global_set_log_level(11)
3142
3143
@gnutls.log_func
2705
gnutls.library.functions.gnutls_global_set_log_level(11)
2706
2707
@gnutls.library.types.gnutls_log_func
3144
2708
def debug_gnutls(level, string):
3145
2709
logger.debug("GnuTLS: %s", string[:-1])
3146
3147
gnutls.global_set_log_function(debug_gnutls)
3148
2710
2711
gnutls.library.functions.gnutls_global_set_log_function(
2712
debug_gnutls)
2713
3149
2714
# Redirect stdin so all checkers get /dev/null
3150
2715
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3151
2716
os.dup2(null, sys.stdin.fileno())
3152
2717
if null > 2:
3153
2718
os.close(null)
3154
2719
3155
2720
# Need to fork before connecting to D-Bus
3156
2721
if not foreground:
3157
2722
# Close all input and output, do double fork, etc.
3158
2723
daemon()
3159
3160
# multiprocessing will use threads, so before we use GLib we need
3161
# to inform GLib that threads will be used.
3162
GLib.threads_init()
3163
2724
2725
# multiprocessing will use threads, so before we use gobject we
2726
# need to inform gobject that threads will be used.
2727
gobject.threads_init()
2728
3164
2729
global main_loop
3165
2730
# From the Avahi example code
3166
2731
DBusGMainLoop(set_as_default=True)
3167
main_loop = GLib.MainLoop()
2732
main_loop = gobject.MainLoop()
3168
2733
bus = dbus.SystemBus()
3169
2734
# End of Avahi example code
3170
2735
if use_dbus:
3183
2748
if zeroconf:
3184
2749
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3185
2750
service = AvahiServiceToSyslog(
3186
name=server_settings["servicename"],
3187
servicetype="_mandos._tcp",
3188
protocol=protocol,
3189
bus=bus)
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
2754
bus = bus)
3190
2755
if server_settings["interface"]:
3191
2756
service.interface = if_nametoindex(
3192
2757
server_settings["interface"].encode("utf-8"))
3193
2758
3194
2759
global multiprocessing_manager
3195
2760
multiprocessing_manager = multiprocessing.Manager()
3196
2761
3197
2762
client_class = Client
3198
2763
if use_dbus:
3199
client_class = functools.partial(ClientDBus, bus=bus)
3200
2764
client_class = functools.partial(ClientDBus, bus = bus)
2765
3201
2766
client_settings = Client.config_parser(client_config)
3202
2767
old_client_settings = {}
3203
2768
clients_data = {}
3204
2769
3205
2770
# This is used to redirect stdout and stderr for checker processes
3206
2771
global wnull
3207
wnull = open(os.devnull, "w") # A writable /dev/null
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3208
2773
# Only used if server is running in foreground but not in debug
3209
2774
# mode
3210
2775
if debug or not foreground:
3211
2776
wnull.close()
3212
2777
3213
2778
# Get client data and settings from last running state.
3214
2779
if server_settings["restore"]:
3215
2780
try:
3216
2781
with open(stored_state_path, "rb") as stored_state:
3217
if sys.version_info.major == 2:
3218
clients_data, old_client_settings = pickle.load(
3219
stored_state)
3220
else:
3221
bytes_clients_data, bytes_old_client_settings = (
3222
pickle.load(stored_state, encoding="bytes"))
3223
# Fix bytes to strings
3224
# clients_data
3225
# .keys()
3226
clients_data = {(key.decode("utf-8")
3227
if isinstance(key, bytes)
3228
else key): value
3229
for key, value in
3230
bytes_clients_data.items()}
3231
del bytes_clients_data
3232
for key in clients_data:
3233
value = {(k.decode("utf-8")
3234
if isinstance(k, bytes) else k): v
3235
for k, v in
3236
clients_data[key].items()}
3237
clients_data[key] = value
3238
# .client_structure
3239
value["client_structure"] = [
3240
(s.decode("utf-8")
3241
if isinstance(s, bytes)
3242
else s) for s in
3243
value["client_structure"]]
3244
# .name & .host
3245
for k in ("name", "host"):
3246
if isinstance(value[k], bytes):
3247
value[k] = value[k].decode("utf-8")
3248
if "key_id" not in value:
3249
value["key_id"] = ""
3250
elif "fingerprint" not in value:
3251
value["fingerprint"] = ""
3252
# old_client_settings
3253
# .keys()
3254
old_client_settings = {
3255
(key.decode("utf-8")
3256
if isinstance(key, bytes)
3257
else key): value
3258
for key, value in
3259
bytes_old_client_settings.items()}
3260
del bytes_old_client_settings
3261
# .host
3262
for value in old_client_settings.values():
3263
if isinstance(value["host"], bytes):
3264
value["host"] = (value["host"]
3265
.decode("utf-8"))
2782
clients_data, old_client_settings = pickle.load(
2783
stored_state)
3266
2784
os.remove(stored_state_path)
3267
2785
except IOError as e:
3268
2786
if e.errno == errno.ENOENT:
3276
2794
logger.warning("Could not load persistent state: "
3277
2795
"EOFError:",
3278
2796
exc_info=e)
3279
2797
3280
2798
with PGPEngine() as pgp:
3281
2799
for client_name, client in clients_data.items():
3282
2800
# Skip removed clients
3283
2801
if client_name not in client_settings:
3284
2802
continue
3285
2803
3286
2804
# Decide which value to use after restoring saved state.
3287
2805
# We have three different values: Old config file,
3288
2806
# new config file, and saved state.
3299
2817
client[name] = value
3300
2818
except KeyError:
3301
2819
pass
3302
2820
3303
2821
# Clients who has passed its expire date can still be
3304
2822
# enabled if its last checker was successful. A Client
3305
2823
# whose checker succeeded before we stored its state is
3338
2856
client_name))
3339
2857
client["secret"] = (client_settings[client_name]
3340
2858
["secret"])
3341
2859
3342
2860
# Add/remove clients based on new changes made to config
3343
2861
for client_name in (set(old_client_settings)
3344
2862
- set(client_settings)):
3346
2864
for client_name in (set(client_settings)
3347
2865
- set(old_client_settings)):
3348
2866
clients_data[client_name] = client_settings[client_name]
3349
2867
3350
2868
# Create all client objects
3351
2869
for client_name, client in clients_data.items():
3352
2870
tcp_server.clients[client_name] = client_class(
3353
name=client_name,
3354
settings=client,
3355
server_settings=server_settings)
3356
2871
name = client_name,
2872
settings = client,
2873
server_settings = server_settings)
2874
3357
2875
if not tcp_server.clients:
3358
2876
logger.warning("No clients defined")
3359
2877
3360
2878
if not foreground:
3361
2879
if pidfile is not None:
3362
2880
pid = os.getpid()
3368
2886
pidfilename, pid)
3369
2887
del pidfile
3370
2888
del pidfilename
3371
3372
for termsig in (signal.SIGHUP, signal.SIGTERM):
3373
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3374
lambda: main_loop.quit() and False)
3375
2889
2890
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2891
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2892
3376
2893
if use_dbus:
3377
2894
3378
2895
@alternate_dbus_interfaces(
3379
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2896
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3380
2897
class MandosDBusService(DBusObjectWithObjectManager):
3381
2898
"""A D-Bus proxy object"""
3382
2899
3383
2900
def __init__(self):
3384
2901
dbus.service.Object.__init__(self, bus, "/")
3385
2902
3386
2903
_interface = "se.recompile.Mandos"
3387
2904
3388
2905
@dbus.service.signal(_interface, signature="o")
3389
2906
def ClientAdded(self, objpath):
3390
2907
"D-Bus signal"
3391
2908
pass
3392
2909
3393
2910
@dbus.service.signal(_interface, signature="ss")
3394
def ClientNotFound(self, key_id, address):
2911
def ClientNotFound(self, fingerprint, address):
3395
2912
"D-Bus signal"
3396
2913
pass
3397
2914
3398
2915
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3399
2916
"true"})
3400
2917
@dbus.service.signal(_interface, signature="os")
3401
2918
def ClientRemoved(self, objpath, name):
3402
2919
"D-Bus signal"
3403
2920
pass
3404
2921
3405
2922
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3406
2923
"true"})
3407
2924
@dbus.service.method(_interface, out_signature="ao")
3408
2925
def GetAllClients(self):
3409
2926
"D-Bus method"
3410
2927
return dbus.Array(c.dbus_object_path for c in
3411
tcp_server.clients.values())
3412
2928
tcp_server.clients.itervalues())
2929
3413
2930
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3414
2931
"true"})
3415
2932
@dbus.service.method(_interface,
3417
2934
def GetAllClientsWithProperties(self):
3418
2935
"D-Bus method"
3419
2936
return dbus.Dictionary(
3420
{c.dbus_object_path: c.GetAll(
2937
{ c.dbus_object_path: c.GetAll(
3421
2938
"se.recompile.Mandos.Client")
3422
for c in tcp_server.clients.values()},
2939
for c in tcp_server.clients.itervalues() },
3423
2940
signature="oa{sv}")
3424
2941
3425
2942
@dbus.service.method(_interface, in_signature="o")
3426
2943
def RemoveClient(self, object_path):
3427
2944
"D-Bus method"
3428
for c in tcp_server.clients.values():
2945
for c in tcp_server.clients.itervalues():
3429
2946
if c.dbus_object_path == object_path:
3430
2947
del tcp_server.clients[c.name]
3431
2948
c.remove_from_connection()
3435
2952
self.client_removed_signal(c)
3436
2953
return
3437
2954
raise KeyError(object_path)
3438
2955
3439
2956
del _interface
3440
2957
3441
2958
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3442
out_signature="a{oa{sa{sv}}}")
2959
out_signature = "a{oa{sa{sv}}}")
3443
2960
def GetManagedObjects(self):
3444
2961
"""D-Bus method"""
3445
2962
return dbus.Dictionary(
3446
{client.dbus_object_path:
3447
dbus.Dictionary(
3448
{interface: client.GetAll(interface)
3449
for interface in
3450
client._get_all_interface_names()})
3451
for client in tcp_server.clients.values()})
3452
2963
{ client.dbus_object_path:
2964
dbus.Dictionary(
2965
{ interface: client.GetAll(interface)
2966
for interface in
2967
client._get_all_interface_names()})
2968
for client in tcp_server.clients.values()})
2969
3453
2970
def client_added_signal(self, client):
3454
2971
"""Send the new standard signal and the old signal"""
3455
2972
if use_dbus:
3457
2974
self.InterfacesAdded(
3458
2975
client.dbus_object_path,
3459
2976
dbus.Dictionary(
3460
{interface: client.GetAll(interface)
3461
for interface in
3462
client._get_all_interface_names()}))
2977
{ interface: client.GetAll(interface)
2978
for interface in
2979
client._get_all_interface_names()}))
3463
2980
# Old signal
3464
2981
self.ClientAdded(client.dbus_object_path)
3465
2982
3466
2983
def client_removed_signal(self, client):
3467
2984
"""Send the new standard signal and the old signal"""
3468
2985
if use_dbus:
3473
2990
# Old signal
3474
2991
self.ClientRemoved(client.dbus_object_path,
3475
2992
client.name)
3476
2993
3477
2994
mandos_dbus_service = MandosDBusService()
3478
3479
# Save modules to variables to exempt the modules from being
3480
# unloaded before the function registered with atexit() is run.
3481
mp = multiprocessing
3482
wn = wnull
3483
2995
3484
2996
def cleanup():
3485
2997
"Cleanup function; run on exit"
3486
2998
if zeroconf:
3487
2999
service.cleanup()
3488
3489
mp.active_children()
3490
wn.close()
3000
3001
multiprocessing.active_children()
3002
wnull.close()
3491
3003
if not (tcp_server.clients or client_settings):
3492
3004
return
3493
3005
3494
3006
# Store client before exiting. Secrets are encrypted with key
3495
3007
# based on what config file has. If config file is
3496
3008
# removed/edited, old secret will thus be unrecovable.
3497
3009
clients = {}
3498
3010
with PGPEngine() as pgp:
3499
for client in tcp_server.clients.values():
3011
for client in tcp_server.clients.itervalues():
3500
3012
key = client_settings[client.name]["secret"]
3501
3013
client.encrypted_secret = pgp.encrypt(client.secret,
3502
3014
key)
3503
3015
client_dict = {}
3504
3016
3505
3017
# A list of attributes that can not be pickled
3506
3018
# + secret.
3507
exclude = {"bus", "changedstate", "secret",
3508
"checker", "server_settings"}
3019
exclude = { "bus", "changedstate", "secret",
3020
"checker", "server_settings" }
3509
3021
for name, typ in inspect.getmembers(dbus.service
3510
3022
.Object):
3511
3023
exclude.add(name)
3512
3024
3513
3025
client_dict["encrypted_secret"] = (client
3514
3026
.encrypted_secret)
3515
3027
for attr in client.client_structure:
3516
3028
if attr not in exclude:
3517
3029
client_dict[attr] = getattr(client, attr)
3518
3030
3519
3031
clients[client.name] = client_dict
3520
3032
del client_settings[client.name]["secret"]
3521
3033
3522
3034
try:
3523
3035
with tempfile.NamedTemporaryFile(
3524
3036
mode='wb',
3526
3038
prefix='clients-',
3527
3039
dir=os.path.dirname(stored_state_path),
3528
3040
delete=False) as stored_state:
3529
pickle.dump((clients, client_settings), stored_state,
3530
protocol=2)
3041
pickle.dump((clients, client_settings), stored_state)
3531
3042
tempname = stored_state.name
3532
3043
os.rename(tempname, stored_state_path)
3533
3044
except (IOError, OSError) as e:
3543
3054
logger.warning("Could not save persistent state:",
3544
3055
exc_info=e)
3545
3056
raise
3546
3057
3547
3058
# Delete all clients, and settings from config
3548
3059
while tcp_server.clients:
3549
3060
name, client = tcp_server.clients.popitem()
3555
3066
if use_dbus:
3556
3067
mandos_dbus_service.client_removed_signal(client)
3557
3068
client_settings.clear()
3558
3069
3559
3070
atexit.register(cleanup)
3560
3561
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3562
3073
if use_dbus:
3563
3074
# Emit D-Bus signal for adding
3564
3075
mandos_dbus_service.client_added_signal(client)
3565
3076
# Need to initiate checking of clients
3566
3077
if client.enabled:
3567
3078
client.init_checker()
3568
3079
3569
3080
tcp_server.enable()
3570
3081
tcp_server.server_activate()
3571
3082
3572
3083
# Find out what port we got
3573
3084
if zeroconf:
3574
3085
service.port = tcp_server.socket.getsockname()[1]
3579
3090
else: # IPv4
3580
3091
logger.info("Now listening on address %r, port %d",
3581
3092
*tcp_server.socket.getsockname())
3582
3583
# service.interface = tcp_server.socket.getsockname()[3]
3584
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3585
3096
try:
3586
3097
if zeroconf:
3587
3098
# From the Avahi example code
3592
3103
cleanup()
3593
3104
sys.exit(1)
3594
3105
# End of Avahi example code
3595
3596
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3597
lambda *args, **kwargs:
3598
(tcp_server.handle_request
3599
(*args[2:], **kwargs) or True))
3600
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3601
3112
logger.debug("Starting main loop")
3602
3113
main_loop.run()
3603
3114
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0