To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.349
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.349
- Committer: Teddy Hogeborn
- Date: 2016-02-28 03:01:43 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 331.
- Revision ID: teddy@recompile.se-20160228030143-i6w90r7wzkvlx9kq
Stop using python-gnutls. Use GnuTLS 3.3 or later directly.
* INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on
Python-GnuTLS.
* debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to
"libgnutls28-dev" and
"gnutls-dev".
(Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls".
(Package: mandos/Depends): Remove "python-gnutls" and
"python2.7-gnutls", add "libgnutls28-dev
(>= 3.3.0) | libgnutls30 (>= 3.3.0)"
* mandos: Remove imports of "gnutls" and all submodules.
(GnuTLS, gnutls): New; simulate a "gnutls" module. Change all
callers to match new shorter names.
* INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on
Python-GnuTLS.
* debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to
"libgnutls28-dev" and
"gnutls-dev".
(Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls".
(Package: mandos/Depends): Remove "python-gnutls" and
"python2.7-gnutls", add "libgnutls28-dev
(>= 3.3.0) | libgnutls30 (>= 3.3.0)"
* mandos: Remove imports of "gnutls" and all submodules.
(GnuTLS, gnutls): New; simulate a "gnutls" module. Change all
callers to match new shorter names.
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
80
76
81
77
import dbus
82
78
import dbus.service
83
from gi.repository import GLib
79
try:
80
import gobject
81
except ImportError:
82
from gi.repository import GObject as gobject
83
import avahi
84
84
from dbus.mainloop.glib import DBusGMainLoop
85
85
import ctypes
86
86
import ctypes.util
87
87
import xml.dom.minidom
88
88
import inspect
89
89
90
# Try to find the value of SO_BINDTODEVICE:
91
90
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
91
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
92
except AttributeError:
96
93
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
94
from IN import SO_BINDTODEVICE
100
95
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
96
SO_BINDTODEVICE = None
114
97
115
98
if sys.version_info.major == 2:
116
99
str = unicode
117
100
118
version = "1.7.18"
101
version = "1.7.1"
119
102
stored_state_file = "clients.pickle"
120
103
121
104
logger = logging.getLogger()
125
108
if_nametoindex = ctypes.cdll.LoadLibrary(
126
109
ctypes.util.find_library("c")).if_nametoindex
127
110
except (OSError, AttributeError):
128
111
129
112
def if_nametoindex(interface):
130
113
"Get an interface index the hard way, i.e. using fcntl()"
131
114
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
119
return interface_index
137
120
138
121
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
155
122
def initlogger(debug, level=logging.WARNING):
156
123
"""init logger and add loglevel"""
157
124
158
125
global syslogger
159
126
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
162
129
syslogger.setFormatter(logging.Formatter
163
130
('Mandos [%(process)d]: %(levelname)s:'
164
131
' %(message)s'))
165
132
logger.addHandler(syslogger)
166
133
167
134
if debug:
168
135
console = logging.StreamHandler()
169
136
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
148
182
149
class PGPEngine(object):
183
150
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
151
185
152
def __init__(self):
186
153
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
198
154
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
155
'--home', self.tempdir,
200
156
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
157
'--quiet',
158
'--no-use-agent']
159
206
160
def __enter__(self):
207
161
return self
208
162
209
163
def __exit__(self, exc_type, exc_value, traceback):
210
164
self._cleanup()
211
165
return False
212
166
213
167
def __del__(self):
214
168
self._cleanup()
215
169
216
170
def _cleanup(self):
217
171
if self.tempdir is not None:
218
172
# Delete contents of tempdir
219
173
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
174
topdown = False):
221
175
for filename in files:
222
176
os.remove(os.path.join(root, filename))
223
177
for dirname in dirs:
225
179
# Remove tempdir
226
180
os.rmdir(self.tempdir)
227
181
self.tempdir = None
228
182
229
183
def password_encode(self, password):
230
184
# Passphrase can not be empty and can not contain newlines or
231
185
# NUL bytes. So we prefix it and hex encode it.
236
190
.replace(b"\n", b"\\n")
237
191
.replace(b"\0", b"\\x00"))
238
192
return encoded
239
193
240
194
def encrypt(self, data, password):
241
195
passphrase = self.password_encode(password)
242
196
with tempfile.NamedTemporaryFile(
243
197
dir=self.tempdir) as passfile:
244
198
passfile.write(passphrase)
245
199
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
200
proc = subprocess.Popen(['gpg', '--symmetric',
247
201
'--passphrase-file',
248
202
passfile.name]
249
203
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
204
stdin = subprocess.PIPE,
205
stdout = subprocess.PIPE,
206
stderr = subprocess.PIPE)
207
ciphertext, err = proc.communicate(input = data)
254
208
if proc.returncode != 0:
255
209
raise PGPError(err)
256
210
return ciphertext
257
211
258
212
def decrypt(self, data, password):
259
213
passphrase = self.password_encode(password)
260
214
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
215
dir = self.tempdir) as passfile:
262
216
passfile.write(passphrase)
263
217
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
218
proc = subprocess.Popen(['gpg', '--decrypt',
265
219
'--passphrase-file',
266
220
passfile.name]
267
221
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
222
stdin = subprocess.PIPE,
223
stdout = subprocess.PIPE,
224
stderr = subprocess.PIPE)
225
decrypted_plaintext, err = proc.communicate(input = data)
272
226
if proc.returncode != 0:
273
227
raise PGPError(err)
274
228
return decrypted_plaintext
275
229
276
230
277
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
289
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
303
304
231
class AvahiError(Exception):
305
232
def __init__(self, value, *args, **kwargs):
306
233
self.value = value
318
245
319
246
class AvahiService(object):
320
247
"""An Avahi (Zeroconf) service.
321
248
322
249
Attributes:
323
250
interface: integer; avahi.IF_UNSPEC or an interface index.
324
251
Used to optionally bind to the specified interface.
336
263
server: D-Bus Server
337
264
bus: dbus.SystemBus()
338
265
"""
339
266
340
267
def __init__(self,
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
268
interface = avahi.IF_UNSPEC,
269
name = None,
270
servicetype = None,
271
port = None,
272
TXT = None,
273
domain = "",
274
host = "",
275
max_renames = 32768,
276
protocol = avahi.PROTO_UNSPEC,
277
bus = None):
351
278
self.interface = interface
352
279
self.name = name
353
280
self.type = servicetype
362
289
self.server = None
363
290
self.bus = bus
364
291
self.entry_group_state_changed_match = None
365
292
366
293
def rename(self, remove=True):
367
294
"""Derived from the Avahi example code"""
368
295
if self.rename_count >= self.max_renames:
388
315
logger.critical("D-Bus Exception", exc_info=error)
389
316
self.cleanup()
390
317
os._exit(1)
391
318
392
319
def remove(self):
393
320
"""Derived from the Avahi example code"""
394
321
if self.entry_group_state_changed_match is not None:
396
323
self.entry_group_state_changed_match = None
397
324
if self.group is not None:
398
325
self.group.Reset()
399
326
400
327
def add(self):
401
328
"""Derived from the Avahi example code"""
402
329
self.remove()
419
346
dbus.UInt16(self.port),
420
347
avahi.string_array_to_txt_array(self.TXT))
421
348
self.group.Commit()
422
349
423
350
def entry_group_state_changed(self, state, error):
424
351
"""Derived from the Avahi example code"""
425
352
logger.debug("Avahi entry group state change: %i", state)
426
353
427
354
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
355
logger.debug("Zeroconf service established.")
429
356
elif state == avahi.ENTRY_GROUP_COLLISION:
433
360
logger.critical("Avahi: Error in group state changed %s",
434
361
str(error))
435
362
raise AvahiGroupError("State changed: {!s}".format(error))
436
363
437
364
def cleanup(self):
438
365
"""Derived from the Avahi example code"""
439
366
if self.group is not None:
444
371
pass
445
372
self.group = None
446
373
self.remove()
447
374
448
375
def server_state_changed(self, state, error=None):
449
376
"""Derived from the Avahi example code"""
450
377
logger.debug("Avahi server state change: %i", state)
479
406
logger.debug("Unknown state: %r", state)
480
407
else:
481
408
logger.debug("Unknown state: %r: %r", state, error)
482
409
483
410
def activate(self):
484
411
"""Derived from the Avahi example code"""
485
412
if self.server is None:
496
423
class AvahiServiceToSyslog(AvahiService):
497
424
def rename(self, *args, **kwargs):
498
425
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
426
ret = AvahiService.rename(self, *args, **kwargs)
500
427
syslogger.setFormatter(logging.Formatter(
501
428
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
429
.format(self.name)))
503
430
return ret
504
431
505
506
432
# Pretend that we have a GnuTLS module
507
433
class GnuTLS(object):
508
434
"""This isn't so much a class as it is a module-like namespace.
509
435
It is instantiated once, and simulates having a GnuTLS module."""
510
511
library = ctypes.util.find_library("gnutls")
512
if library is None:
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
515
del library
516
_need_version = b"3.3.0"
517
436
437
_library = ctypes.cdll.LoadLibrary(
438
ctypes.util.find_library("gnutls"))
439
_need_version = "3.3.0"
518
440
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
524
441
# Need to use class name "GnuTLS" here, since this method is
442
# called before the assignment to the "gnutls" global variable
443
# happens.
444
if GnuTLS.check_version(self._need_version) is None:
445
raise GnuTLS.Error("Needs GnuTLS {} or later"
446
.format(self._need_version))
447
525
448
# Unless otherwise indicated, the constants and types below are
526
449
# all from the gnutls/gnutls.h C header file.
527
450
528
451
# Constants
529
452
E_SUCCESS = 0
530
E_INTERRUPTED = -52
531
E_AGAIN = -28
532
453
CRT_OPENPGP = 2
533
454
CLIENT = 2
534
455
SHUT_RDWR = 0
535
456
CRD_CERTIFICATE = 1
536
457
E_NO_CERTIFICATE_FOUND = -49
537
458
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
459
539
460
# Types
540
461
class session_int(ctypes.Structure):
541
462
_fields_ = []
542
463
session_t = ctypes.POINTER(session_int)
543
544
464
class certificate_credentials_st(ctypes.Structure):
545
465
_fields_ = []
546
466
certificate_credentials_t = ctypes.POINTER(
547
467
certificate_credentials_st)
548
468
certificate_type_t = ctypes.c_int
549
550
469
class datum_t(ctypes.Structure):
551
470
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
471
('size', ctypes.c_uint)]
553
554
472
class openpgp_crt_int(ctypes.Structure):
555
473
_fields_ = []
556
474
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
475
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
476
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
477
credentials_type_t = ctypes.c_int #
560
478
transport_ptr_t = ctypes.c_void_p
561
479
close_request_t = ctypes.c_int
562
480
563
481
# Exceptions
564
482
class Error(Exception):
565
483
# We need to use the class name "GnuTLS" here, since this
566
484
# exception might be raised from within GnuTLS.__init__,
567
485
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
def __init__(self, message=None, code=None, args=()):
486
# global variable happens.
487
def __init__(self, message = None, code = None, args=()):
570
488
# Default usage is by a message string, but if a return
571
489
# code is passed, convert it to a string with
572
490
# gnutls.strerror()
573
self.code = code
574
491
if message is None and code is not None:
575
492
message = GnuTLS.strerror(code)
576
493
return super(GnuTLS.Error, self).__init__(
577
494
message, *args)
578
495
579
496
class CertificateSecurityError(Error):
580
497
pass
581
498
582
499
# Classes
583
500
class Credentials(object):
584
501
def __init__(self):
586
503
gnutls.certificate_allocate_credentials(
587
504
ctypes.byref(self._c_object))
588
505
self.type = gnutls.CRD_CERTIFICATE
589
506
590
507
def __del__(self):
591
508
gnutls.certificate_free_credentials(self._c_object)
592
509
593
510
class ClientSession(object):
594
def __init__(self, socket, credentials=None):
511
def __init__(self, socket, credentials = None):
595
512
self._c_object = gnutls.session_t()
596
513
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
514
gnutls.set_default_priority(self._c_object)
605
522
ctypes.cast(credentials._c_object,
606
523
ctypes.c_void_p))
607
524
self.credentials = credentials
608
525
609
526
def __del__(self):
610
527
gnutls.deinit(self._c_object)
611
528
612
529
def handshake(self):
613
530
return gnutls.handshake(self._c_object)
614
531
615
532
def send(self, data):
616
533
data = bytes(data)
617
data_len = len(data)
618
while data_len > 0:
619
data_len -= gnutls.record_send(self._c_object,
620
data[-data_len:],
621
data_len)
622
534
if not data:
535
return 0
536
return gnutls.record_send(self._c_object, data, len(data))
537
623
538
def bye(self):
624
539
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
625
626
# Error handling functions
540
541
# Error handling function
627
542
def _error_code(result):
628
543
"""A function to raise exceptions on errors, suitable
629
544
for the 'restype' attribute on ctypes functions"""
630
545
if result >= 0:
631
546
return result
632
547
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
raise gnutls.CertificateSecurityError(code=result)
634
raise gnutls.Error(code=result)
635
636
def _retry_on_error(result, func, arguments):
637
"""A function to retry on some errors, suitable
638
for the 'errcheck' attribute on ctypes functions"""
639
while result < 0:
640
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
641
return _error_code(result)
642
result = func(*arguments)
643
return result
644
548
raise gnutls.CertificateSecurityError(code = result)
549
raise gnutls.Error(code = result)
550
645
551
# Unless otherwise indicated, the function declarations below are
646
552
# all from the gnutls/gnutls.h C header file.
647
553
648
554
# Functions
649
555
priority_set_direct = _library.gnutls_priority_set_direct
650
556
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
651
557
ctypes.POINTER(ctypes.c_char_p)]
652
558
priority_set_direct.restype = _error_code
653
559
654
560
init = _library.gnutls_init
655
561
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
656
562
init.restype = _error_code
657
563
658
564
set_default_priority = _library.gnutls_set_default_priority
659
565
set_default_priority.argtypes = [session_t]
660
566
set_default_priority.restype = _error_code
661
567
662
568
record_send = _library.gnutls_record_send
663
569
record_send.argtypes = [session_t, ctypes.c_void_p,
664
570
ctypes.c_size_t]
665
571
record_send.restype = ctypes.c_ssize_t
666
record_send.errcheck = _retry_on_error
667
572
668
573
certificate_allocate_credentials = (
669
574
_library.gnutls_certificate_allocate_credentials)
670
575
certificate_allocate_credentials.argtypes = [
671
576
ctypes.POINTER(certificate_credentials_t)]
672
577
certificate_allocate_credentials.restype = _error_code
673
578
674
579
certificate_free_credentials = (
675
580
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
581
certificate_free_credentials.argtypes = [certificate_credentials_t]
678
582
certificate_free_credentials.restype = None
679
583
680
584
handshake_set_private_extensions = (
681
585
_library.gnutls_handshake_set_private_extensions)
682
586
handshake_set_private_extensions.argtypes = [session_t,
683
587
ctypes.c_int]
684
588
handshake_set_private_extensions.restype = None
685
589
686
590
credentials_set = _library.gnutls_credentials_set
687
591
credentials_set.argtypes = [session_t, credentials_type_t,
688
592
ctypes.c_void_p]
689
593
credentials_set.restype = _error_code
690
594
691
595
strerror = _library.gnutls_strerror
692
596
strerror.argtypes = [ctypes.c_int]
693
597
strerror.restype = ctypes.c_char_p
694
598
695
599
certificate_type_get = _library.gnutls_certificate_type_get
696
600
certificate_type_get.argtypes = [session_t]
697
601
certificate_type_get.restype = _error_code
698
602
699
603
certificate_get_peers = _library.gnutls_certificate_get_peers
700
604
certificate_get_peers.argtypes = [session_t,
701
605
ctypes.POINTER(ctypes.c_uint)]
702
606
certificate_get_peers.restype = ctypes.POINTER(datum_t)
703
607
704
608
global_set_log_level = _library.gnutls_global_set_log_level
705
609
global_set_log_level.argtypes = [ctypes.c_int]
706
610
global_set_log_level.restype = None
707
611
708
612
global_set_log_function = _library.gnutls_global_set_log_function
709
613
global_set_log_function.argtypes = [log_func]
710
614
global_set_log_function.restype = None
711
615
712
616
deinit = _library.gnutls_deinit
713
617
deinit.argtypes = [session_t]
714
618
deinit.restype = None
715
619
716
620
handshake = _library.gnutls_handshake
717
621
handshake.argtypes = [session_t]
718
622
handshake.restype = _error_code
719
handshake.errcheck = _retry_on_error
720
623
721
624
transport_set_ptr = _library.gnutls_transport_set_ptr
722
625
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
723
626
transport_set_ptr.restype = None
724
627
725
628
bye = _library.gnutls_bye
726
629
bye.argtypes = [session_t, close_request_t]
727
630
bye.restype = _error_code
728
bye.errcheck = _retry_on_error
729
631
730
632
check_version = _library.gnutls_check_version
731
633
check_version.argtypes = [ctypes.c_char_p]
732
634
check_version.restype = ctypes.c_char_p
733
635
734
636
# All the function declarations below are from gnutls/openpgp.h
735
637
736
638
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
639
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
640
openpgp_crt_init.restype = _error_code
739
641
740
642
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
643
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
644
ctypes.POINTER(datum_t),
743
645
openpgp_crt_fmt_t]
744
646
openpgp_crt_import.restype = _error_code
745
647
746
648
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
649
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
650
ctypes.POINTER(ctypes.c_uint)]
749
651
openpgp_crt_verify_self.restype = _error_code
750
652
751
653
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
654
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
655
openpgp_crt_deinit.restype = None
754
656
755
657
openpgp_crt_get_fingerprint = (
756
658
_library.gnutls_openpgp_crt_get_fingerprint)
757
659
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
759
661
ctypes.POINTER(
760
662
ctypes.c_size_t)]
761
663
openpgp_crt_get_fingerprint.restype = _error_code
762
763
# Remove non-public functions
764
del _error_code, _retry_on_error
664
665
# Remove non-public function
666
del _error_code
765
667
# Create the global "gnutls" object, simulating a module
766
668
gnutls = GnuTLS()
767
669
768
769
670
def call_pipe(connection, # : multiprocessing.Connection
770
671
func, *args, **kwargs):
771
672
"""This function is meant to be called by multiprocessing.Process
772
673
773
674
This function runs func(*args, **kwargs), and writes the resulting
774
675
return value on the provided multiprocessing.Connection.
775
676
"""
776
677
connection.send(func(*args, **kwargs))
777
678
connection.close()
778
679
779
780
680
class Client(object):
781
681
"""A representation of a client host served by this server.
782
682
783
683
Attributes:
784
684
approved: bool(); 'None' if not yet approved/disapproved
785
685
approval_delay: datetime.timedelta(); Time to wait for approval
787
687
checker: subprocess.Popen(); a running checker process used
788
688
to see if the client lives.
789
689
'None' if no process is running.
790
checker_callback_tag: a GLib event source tag, or None
690
checker_callback_tag: a gobject event source tag, or None
791
691
checker_command: string; External command which is run to check
792
692
if client lives. %() expansions are done at
793
693
runtime with vars(self) as dict, so that for
794
694
instance %(name)s can be used in the command.
795
checker_initiator_tag: a GLib event source tag, or None
695
checker_initiator_tag: a gobject event source tag, or None
796
696
created: datetime.datetime(); (UTC) object creation
797
697
client_structure: Object describing what attributes a client has
798
698
and is used for storing the client at exit
799
699
current_checker_command: string; current running checker_command
800
disable_initiator_tag: a GLib event source tag, or None
700
disable_initiator_tag: a gobject event source tag, or None
801
701
enabled: bool()
802
702
fingerprint: string (40 or 32 hexadecimal digits); used to
803
703
uniquely identify the client
822
722
disabled, or None
823
723
server_settings: The server_settings dict from main()
824
724
"""
825
725
826
726
runtime_expansions = ("approval_delay", "approval_duration",
827
727
"created", "enabled", "expires",
828
728
"fingerprint", "host", "interval",
839
739
"approved_by_default": "True",
840
740
"enabled": "True",
841
741
}
842
742
843
743
@staticmethod
844
744
def config_parser(config):
845
745
"""Construct a new dict of client settings of this form:
852
752
for client_name in config.sections():
853
753
section = dict(config.items(client_name))
854
754
client = settings[client_name] = {}
855
755
856
756
client["host"] = section["host"]
857
757
# Reformat values from string types to Python types
858
758
client["approved_by_default"] = config.getboolean(
859
759
client_name, "approved_by_default")
860
760
client["enabled"] = config.getboolean(client_name,
861
761
"enabled")
862
762
863
763
# Uppercase and remove spaces from fingerprint for later
864
764
# comparison purposes with return value from the
865
765
# fingerprint() function
866
766
client["fingerprint"] = (section["fingerprint"].upper()
867
767
.replace(" ", ""))
868
768
if "secret" in section:
869
client["secret"] = codecs.decode(section["secret"]
870
.encode("utf-8"),
871
"base64")
769
client["secret"] = section["secret"].decode("base64")
872
770
elif "secfile" in section:
873
771
with open(os.path.expanduser(os.path.expandvars
874
772
(section["secfile"])),
889
787
client["last_approval_request"] = None
890
788
client["last_checked_ok"] = None
891
789
client["last_checker_status"] = -2
892
790
893
791
return settings
894
895
def __init__(self, settings, name=None, server_settings=None):
792
793
def __init__(self, settings, name = None, server_settings=None):
896
794
self.name = name
897
795
if server_settings is None:
898
796
server_settings = {}
900
798
# adding all client settings
901
799
for setting, value in settings.items():
902
800
setattr(self, setting, value)
903
801
904
802
if self.enabled:
905
803
if not hasattr(self, "last_enabled"):
906
804
self.last_enabled = datetime.datetime.utcnow()
910
808
else:
911
809
self.last_enabled = None
912
810
self.expires = None
913
811
914
812
logger.debug("Creating client %r", self.name)
915
813
logger.debug(" Fingerprint: %s", self.fingerprint)
916
814
self.created = settings.get("created",
917
815
datetime.datetime.utcnow())
918
816
919
817
# attributes specific for this server instance
920
818
self.checker = None
921
819
self.checker_initiator_tag = None
927
825
self.changedstate = multiprocessing_manager.Condition(
928
826
multiprocessing_manager.Lock())
929
827
self.client_structure = [attr
930
for attr in self.__dict__.keys()
828
for attr in self.__dict__.iterkeys()
931
829
if not attr.startswith("_")]
932
830
self.client_structure.append("client_structure")
933
831
934
832
for name, t in inspect.getmembers(
935
833
type(self), lambda obj: isinstance(obj, property)):
936
834
if not name.startswith("_"):
937
835
self.client_structure.append(name)
938
836
939
837
# Send notice to process children that client state has changed
940
838
def send_changedstate(self):
941
839
with self.changedstate:
942
840
self.changedstate.notify_all()
943
841
944
842
def enable(self):
945
843
"""Start this client's checker and timeout hooks"""
946
844
if getattr(self, "enabled", False):
951
849
self.last_enabled = datetime.datetime.utcnow()
952
850
self.init_checker()
953
851
self.send_changedstate()
954
852
955
853
def disable(self, quiet=True):
956
854
"""Disable this client."""
957
855
if not getattr(self, "enabled", False):
959
857
if not quiet:
960
858
logger.info("Disabling client %s", self.name)
961
859
if getattr(self, "disable_initiator_tag", None) is not None:
962
GLib.source_remove(self.disable_initiator_tag)
860
gobject.source_remove(self.disable_initiator_tag)
963
861
self.disable_initiator_tag = None
964
862
self.expires = None
965
863
if getattr(self, "checker_initiator_tag", None) is not None:
966
GLib.source_remove(self.checker_initiator_tag)
864
gobject.source_remove(self.checker_initiator_tag)
967
865
self.checker_initiator_tag = None
968
866
self.stop_checker()
969
867
self.enabled = False
970
868
if not quiet:
971
869
self.send_changedstate()
972
# Do not run this again if called by a GLib.timeout_add
870
# Do not run this again if called by a gobject.timeout_add
973
871
return False
974
872
975
873
def __del__(self):
976
874
self.disable()
977
875
978
876
def init_checker(self):
979
877
# Schedule a new checker to be started an 'interval' from now,
980
878
# and every interval from then on.
981
879
if self.checker_initiator_tag is not None:
982
GLib.source_remove(self.checker_initiator_tag)
983
self.checker_initiator_tag = GLib.timeout_add(
880
gobject.source_remove(self.checker_initiator_tag)
881
self.checker_initiator_tag = gobject.timeout_add(
984
882
int(self.interval.total_seconds() * 1000),
985
883
self.start_checker)
986
884
# Schedule a disable() when 'timeout' has passed
987
885
if self.disable_initiator_tag is not None:
988
GLib.source_remove(self.disable_initiator_tag)
989
self.disable_initiator_tag = GLib.timeout_add(
886
gobject.source_remove(self.disable_initiator_tag)
887
self.disable_initiator_tag = gobject.timeout_add(
990
888
int(self.timeout.total_seconds() * 1000), self.disable)
991
889
# Also start a new checker *right now*.
992
890
self.start_checker()
993
891
994
892
def checker_callback(self, source, condition, connection,
995
893
command):
996
894
"""The checker has completed, so take appropriate actions."""
999
897
# Read return code from connection (see call_pipe)
1000
898
returncode = connection.recv()
1001
899
connection.close()
1002
900
1003
901
if returncode >= 0:
1004
902
self.last_checker_status = returncode
1005
903
self.last_checker_signal = None
1015
913
logger.warning("Checker for %(name)s crashed?",
1016
914
vars(self))
1017
915
return False
1018
916
1019
917
def checked_ok(self):
1020
918
"""Assert that the client has been seen, alive and well."""
1021
919
self.last_checked_ok = datetime.datetime.utcnow()
1022
920
self.last_checker_status = 0
1023
921
self.last_checker_signal = None
1024
922
self.bump_timeout()
1025
923
1026
924
def bump_timeout(self, timeout=None):
1027
925
"""Bump up the timeout for this client."""
1028
926
if timeout is None:
1029
927
timeout = self.timeout
1030
928
if self.disable_initiator_tag is not None:
1031
GLib.source_remove(self.disable_initiator_tag)
929
gobject.source_remove(self.disable_initiator_tag)
1032
930
self.disable_initiator_tag = None
1033
931
if getattr(self, "enabled", False):
1034
self.disable_initiator_tag = GLib.timeout_add(
932
self.disable_initiator_tag = gobject.timeout_add(
1035
933
int(timeout.total_seconds() * 1000), self.disable)
1036
934
self.expires = datetime.datetime.utcnow() + timeout
1037
935
1038
936
def need_approval(self):
1039
937
self.last_approval_request = datetime.datetime.utcnow()
1040
938
1041
939
def start_checker(self):
1042
940
"""Start a new checker subprocess if one is not running.
1043
941
1044
942
If a checker already exists, leave it running and do
1045
943
nothing."""
1046
944
# The reason for not killing a running checker is that if we
1051
949
# checkers alone, the checker would have to take more time
1052
950
# than 'timeout' for the client to be disabled, which is as it
1053
951
# should be.
1054
952
1055
953
if self.checker is not None and not self.checker.is_alive():
1056
954
logger.warning("Checker was not alive; joining")
1057
955
self.checker.join()
1061
959
# Escape attributes for the shell
1062
960
escaped_attrs = {
1063
961
attr: re.escape(str(getattr(self, attr)))
1064
for attr in self.runtime_expansions}
962
for attr in self.runtime_expansions }
1065
963
try:
1066
964
command = self.checker_command % escaped_attrs
1067
965
except TypeError as error:
1079
977
# The exception is when not debugging but nevertheless
1080
978
# running in the foreground; use the previously
1081
979
# created wnull.
1082
popen_args = {"close_fds": True,
1083
"shell": True,
1084
"cwd": "/"}
980
popen_args = { "close_fds": True,
981
"shell": True,
982
"cwd": "/" }
1085
983
if (not self.server_settings["debug"]
1086
984
and self.server_settings["foreground"]):
1087
985
popen_args.update({"stdout": wnull,
1088
"stderr": wnull})
1089
pipe = multiprocessing.Pipe(duplex=False)
986
"stderr": wnull })
987
pipe = multiprocessing.Pipe(duplex = False)
1090
988
self.checker = multiprocessing.Process(
1091
target=call_pipe,
1092
args=(pipe[1], subprocess.call, command),
1093
kwargs=popen_args)
989
target = call_pipe,
990
args = (pipe[1], subprocess.call, command),
991
kwargs = popen_args)
1094
992
self.checker.start()
1095
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
993
self.checker_callback_tag = gobject.io_add_watch(
994
pipe[0].fileno(), gobject.IO_IN,
1097
995
self.checker_callback, pipe[0], command)
1098
# Re-run this periodically if run by GLib.timeout_add
996
# Re-run this periodically if run by gobject.timeout_add
1099
997
return True
1100
998
1101
999
def stop_checker(self):
1102
1000
"""Force the checker process, if any, to stop."""
1103
1001
if self.checker_callback_tag:
1104
GLib.source_remove(self.checker_callback_tag)
1002
gobject.source_remove(self.checker_callback_tag)
1105
1003
self.checker_callback_tag = None
1106
1004
if getattr(self, "checker", None) is None:
1107
1005
return
1116
1014
byte_arrays=False):
1117
1015
"""Decorators for marking methods of a DBusObjectWithProperties to
1118
1016
become properties on the D-Bus.
1119
1017
1120
1018
The decorated method will be called with no arguments by "Get"
1121
1019
and with one argument by "Set".
1122
1020
1123
1021
The parameters, where they are supported, are the same as
1124
1022
dbus.service.method, except there is only "signature", since the
1125
1023
type from Get() and the type sent to Set() is the same.
1129
1027
if byte_arrays and signature != "ay":
1130
1028
raise ValueError("Byte arrays not supported for non-'ay'"
1131
1029
" signature {!r}".format(signature))
1132
1030
1133
1031
def decorator(func):
1134
1032
func._dbus_is_property = True
1135
1033
func._dbus_interface = dbus_interface
1138
1036
func._dbus_name = func.__name__
1139
1037
if func._dbus_name.endswith("_dbus_property"):
1140
1038
func._dbus_name = func._dbus_name[:-14]
1141
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1039
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1142
1040
return func
1143
1041
1144
1042
return decorator
1145
1043
1146
1044
1147
1045
def dbus_interface_annotations(dbus_interface):
1148
1046
"""Decorator for marking functions returning interface annotations
1149
1047
1150
1048
Usage:
1151
1049
1152
1050
@dbus_interface_annotations("org.example.Interface")
1153
1051
def _foo(self): # Function name does not matter
1154
1052
return {"org.freedesktop.DBus.Deprecated": "true",
1155
1053
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1156
1054
"false"}
1157
1055
"""
1158
1056
1159
1057
def decorator(func):
1160
1058
func._dbus_is_interface = True
1161
1059
func._dbus_interface = dbus_interface
1162
1060
func._dbus_name = dbus_interface
1163
1061
return func
1164
1062
1165
1063
return decorator
1166
1064
1167
1065
1168
1066
def dbus_annotations(annotations):
1169
1067
"""Decorator to annotate D-Bus methods, signals or properties
1170
1068
Usage:
1171
1069
1172
1070
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1173
1071
"org.freedesktop.DBus.Property."
1174
1072
"EmitsChangedSignal": "false"})
1176
1074
access="r")
1177
1075
def Property_dbus_property(self):
1178
1076
return dbus.Boolean(False)
1179
1077
1180
1078
See also the DBusObjectWithAnnotations class.
1181
1079
"""
1182
1080
1183
1081
def decorator(func):
1184
1082
func._dbus_annotations = annotations
1185
1083
return func
1186
1084
1187
1085
return decorator
1188
1086
1189
1087
1207
1105
1208
1106
class DBusObjectWithAnnotations(dbus.service.Object):
1209
1107
"""A D-Bus object with annotations.
1210
1108
1211
1109
Classes inheriting from this can use the dbus_annotations
1212
1110
decorator to add annotations to methods or signals.
1213
1111
"""
1214
1112
1215
1113
@staticmethod
1216
1114
def _is_dbus_thing(thing):
1217
1115
"""Returns a function testing if an attribute is a D-Bus thing
1218
1116
1219
1117
If called like _is_dbus_thing("method") it returns a function
1220
1118
suitable for use as predicate to inspect.getmembers().
1221
1119
"""
1222
1120
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1223
1121
False)
1224
1122
1225
1123
def _get_all_dbus_things(self, thing):
1226
1124
"""Returns a generator of (name, attribute) pairs
1227
1125
"""
1230
1128
for cls in self.__class__.__mro__
1231
1129
for name, athing in
1232
1130
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1233
1131
1234
1132
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1235
out_signature="s",
1236
path_keyword='object_path',
1237
connection_keyword='connection')
1133
out_signature = "s",
1134
path_keyword = 'object_path',
1135
connection_keyword = 'connection')
1238
1136
def Introspect(self, object_path, connection):
1239
1137
"""Overloading of standard D-Bus method.
1240
1138
1241
1139
Inserts annotation tags on methods and signals.
1242
1140
"""
1243
1141
xmlstring = dbus.service.Object.Introspect(self, object_path,
1244
1142
connection)
1245
1143
try:
1246
1144
document = xml.dom.minidom.parseString(xmlstring)
1247
1145
1248
1146
for if_tag in document.getElementsByTagName("interface"):
1249
1147
# Add annotation tags
1250
1148
for typ in ("method", "signal"):
1277
1175
if_tag.appendChild(ann_tag)
1278
1176
# Fix argument name for the Introspect method itself
1279
1177
if (if_tag.getAttribute("name")
1280
== dbus.INTROSPECTABLE_IFACE):
1178
== dbus.INTROSPECTABLE_IFACE):
1281
1179
for cn in if_tag.getElementsByTagName("method"):
1282
1180
if cn.getAttribute("name") == "Introspect":
1283
1181
for arg in cn.getElementsByTagName("arg"):
1296
1194
1297
1195
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1298
1196
"""A D-Bus object with properties.
1299
1197
1300
1198
Classes inheriting from this can use the dbus_service_property
1301
1199
decorator to expose methods as D-Bus properties. It exposes the
1302
1200
standard Get(), Set(), and GetAll() methods on the D-Bus.
1303
1201
"""
1304
1202
1305
1203
def _get_dbus_property(self, interface_name, property_name):
1306
1204
"""Returns a bound method if one exists which is a D-Bus
1307
1205
property with the specified name and interface.
1312
1210
if (value._dbus_name == property_name
1313
1211
and value._dbus_interface == interface_name):
1314
1212
return value.__get__(self)
1315
1213
1316
1214
# No such property
1317
1215
raise DBusPropertyNotFound("{}:{}.{}".format(
1318
1216
self.dbus_object_path, interface_name, property_name))
1319
1217
1320
1218
@classmethod
1321
1219
def _get_all_interface_names(cls):
1322
1220
"""Get a sequence of all interfaces supported by an object"""
1325
1223
for x in (inspect.getmro(cls))
1326
1224
for attr in dir(x))
1327
1225
if name is not None)
1328
1226
1329
1227
@dbus.service.method(dbus.PROPERTIES_IFACE,
1330
1228
in_signature="ss",
1331
1229
out_signature="v")
1339
1237
if not hasattr(value, "variant_level"):
1340
1238
return value
1341
1239
return type(value)(value, variant_level=value.variant_level+1)
1342
1240
1343
1241
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1344
1242
def Set(self, interface_name, property_name, value):
1345
1243
"""Standard D-Bus property Set() method, see D-Bus standard.
1357
1255
value = dbus.ByteArray(b''.join(chr(byte)
1358
1256
for byte in value))
1359
1257
prop(value)
1360
1258
1361
1259
@dbus.service.method(dbus.PROPERTIES_IFACE,
1362
1260
in_signature="s",
1363
1261
out_signature="a{sv}")
1364
1262
def GetAll(self, interface_name):
1365
1263
"""Standard D-Bus property GetAll() method, see D-Bus
1366
1264
standard.
1367
1265
1368
1266
Note: Will not include properties with access="write".
1369
1267
"""
1370
1268
properties = {}
1381
1279
properties[name] = value
1382
1280
continue
1383
1281
properties[name] = type(value)(
1384
value, variant_level=value.variant_level + 1)
1282
value, variant_level = value.variant_level + 1)
1385
1283
return dbus.Dictionary(properties, signature="sv")
1386
1284
1387
1285
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1388
1286
def PropertiesChanged(self, interface_name, changed_properties,
1389
1287
invalidated_properties):
1391
1289
standard.
1392
1290
"""
1393
1291
pass
1394
1292
1395
1293
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1396
1294
out_signature="s",
1397
1295
path_keyword='object_path',
1398
1296
connection_keyword='connection')
1399
1297
def Introspect(self, object_path, connection):
1400
1298
"""Overloading of standard D-Bus method.
1401
1299
1402
1300
Inserts property tags and interface annotation tags.
1403
1301
"""
1404
1302
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1406
1304
connection)
1407
1305
try:
1408
1306
document = xml.dom.minidom.parseString(xmlstring)
1409
1307
1410
1308
def make_tag(document, name, prop):
1411
1309
e = document.createElement("property")
1412
1310
e.setAttribute("name", name)
1413
1311
e.setAttribute("type", prop._dbus_signature)
1414
1312
e.setAttribute("access", prop._dbus_access)
1415
1313
return e
1416
1314
1417
1315
for if_tag in document.getElementsByTagName("interface"):
1418
1316
# Add property tags
1419
1317
for tag in (make_tag(document, name, prop)
1461
1359
exc_info=error)
1462
1360
return xmlstring
1463
1361
1464
1465
1362
try:
1466
1363
dbus.OBJECT_MANAGER_IFACE
1467
1364
except AttributeError:
1468
1365
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1469
1366
1470
1471
1367
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1472
1368
"""A D-Bus object with an ObjectManager.
1473
1369
1474
1370
Classes inheriting from this exposes the standard
1475
1371
GetManagedObjects call and the InterfacesAdded and
1476
1372
InterfacesRemoved signals on the standard
1477
1373
"org.freedesktop.DBus.ObjectManager" interface.
1478
1374
1479
1375
Note: No signals are sent automatically; they must be sent
1480
1376
manually.
1481
1377
"""
1482
1378
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1483
out_signature="a{oa{sa{sv}}}")
1379
out_signature = "a{oa{sa{sv}}}")
1484
1380
def GetManagedObjects(self):
1485
1381
"""This function must be overridden"""
1486
1382
raise NotImplementedError()
1487
1383
1488
1384
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1489
signature="oa{sa{sv}}")
1385
signature = "oa{sa{sv}}")
1490
1386
def InterfacesAdded(self, object_path, interfaces_and_properties):
1491
1387
pass
1492
1493
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1388
1389
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1494
1390
def InterfacesRemoved(self, object_path, interfaces):
1495
1391
pass
1496
1392
1497
1393
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1498
out_signature="s",
1499
path_keyword='object_path',
1500
connection_keyword='connection')
1394
out_signature = "s",
1395
path_keyword = 'object_path',
1396
connection_keyword = 'connection')
1501
1397
def Introspect(self, object_path, connection):
1502
1398
"""Overloading of standard D-Bus method.
1503
1399
1504
1400
Override return argument name of GetManagedObjects to be
1505
1401
"objpath_interfaces_and_properties"
1506
1402
"""
1509
1405
connection)
1510
1406
try:
1511
1407
document = xml.dom.minidom.parseString(xmlstring)
1512
1408
1513
1409
for if_tag in document.getElementsByTagName("interface"):
1514
1410
# Fix argument name for the GetManagedObjects method
1515
1411
if (if_tag.getAttribute("name")
1516
== dbus.OBJECT_MANAGER_IFACE):
1412
== dbus.OBJECT_MANAGER_IFACE):
1517
1413
for cn in if_tag.getElementsByTagName("method"):
1518
1414
if (cn.getAttribute("name")
1519
1415
== "GetManagedObjects"):
1529
1425
except (AttributeError, xml.dom.DOMException,
1530
1426
xml.parsers.expat.ExpatError) as error:
1531
1427
logger.error("Failed to override Introspection method",
1532
exc_info=error)
1428
exc_info = error)
1533
1429
return xmlstring
1534
1430
1535
1536
1431
def datetime_to_dbus(dt, variant_level=0):
1537
1432
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1538
1433
if dt is None:
1539
return dbus.String("", variant_level=variant_level)
1434
return dbus.String("", variant_level = variant_level)
1540
1435
return dbus.String(dt.isoformat(), variant_level=variant_level)
1541
1436
1542
1437
1545
1440
dbus.service.Object, it will add alternate D-Bus attributes with
1546
1441
interface names according to the "alt_interface_names" mapping.
1547
1442
Usage:
1548
1443
1549
1444
@alternate_dbus_interfaces({"org.example.Interface":
1550
1445
"net.example.AlternateInterface"})
1551
1446
class SampleDBusObject(dbus.service.Object):
1552
1447
@dbus.service.method("org.example.Interface")
1553
1448
def SampleDBusMethod():
1554
1449
pass
1555
1450
1556
1451
The above "SampleDBusMethod" on "SampleDBusObject" will be
1557
1452
reachable via two interfaces: "org.example.Interface" and
1558
1453
"net.example.AlternateInterface", the latter of which will have
1559
1454
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1560
1455
"true", unless "deprecate" is passed with a False value.
1561
1456
1562
1457
This works for methods and signals, and also for D-Bus properties
1563
1458
(from DBusObjectWithProperties) and interfaces (from the
1564
1459
dbus_interface_annotations decorator).
1565
1460
"""
1566
1461
1567
1462
def wrapper(cls):
1568
1463
for orig_interface_name, alt_interface_name in (
1569
1464
alt_interface_names.items()):
1584
1479
interface_names.add(alt_interface)
1585
1480
# Is this a D-Bus signal?
1586
1481
if getattr(attribute, "_dbus_is_signal", False):
1587
# Extract the original non-method undecorated
1588
# function by black magic
1589
1482
if sys.version_info.major == 2:
1483
# Extract the original non-method undecorated
1484
# function by black magic
1590
1485
nonmethod_func = (dict(
1591
1486
zip(attribute.func_code.co_freevars,
1592
1487
attribute.__closure__))
1593
1488
["func"].cell_contents)
1594
1489
else:
1595
nonmethod_func = (dict(
1596
zip(attribute.__code__.co_freevars,
1597
attribute.__closure__))
1598
["func"].cell_contents)
1490
nonmethod_func = attribute
1599
1491
# Create a new, but exactly alike, function
1600
1492
# object, and decorate it to be a new D-Bus signal
1601
1493
# with the alternate D-Bus interface name
1602
new_function = copy_function(nonmethod_func)
1494
if sys.version_info.major == 2:
1495
new_function = types.FunctionType(
1496
nonmethod_func.func_code,
1497
nonmethod_func.func_globals,
1498
nonmethod_func.func_name,
1499
nonmethod_func.func_defaults,
1500
nonmethod_func.func_closure)
1501
else:
1502
new_function = types.FunctionType(
1503
nonmethod_func.__code__,
1504
nonmethod_func.__globals__,
1505
nonmethod_func.__name__,
1506
nonmethod_func.__defaults__,
1507
nonmethod_func.__closure__)
1603
1508
new_function = (dbus.service.signal(
1604
1509
alt_interface,
1605
1510
attribute._dbus_signature)(new_function))
1609
1514
attribute._dbus_annotations)
1610
1515
except AttributeError:
1611
1516
pass
1612
1613
1517
# Define a creator of a function to call both the
1614
1518
# original and alternate functions, so both the
1615
1519
# original and alternate signals gets sent when
1618
1522
"""This function is a scope container to pass
1619
1523
func1 and func2 to the "call_both" function
1620
1524
outside of its arguments"""
1621
1525
1622
1526
@functools.wraps(func2)
1623
1527
def call_both(*args, **kwargs):
1624
1528
"""This function will emit two D-Bus
1625
1529
signals by calling func1 and func2"""
1626
1530
func1(*args, **kwargs)
1627
1531
func2(*args, **kwargs)
1628
# Make wrapper function look like a D-Bus
1629
# signal
1532
# Make wrapper function look like a D-Bus signal
1630
1533
for name, attr in inspect.getmembers(func2):
1631
1534
if name.startswith("_dbus_"):
1632
1535
setattr(call_both, name, attr)
1633
1536
1634
1537
return call_both
1635
1538
# Create the "call_both" function and add it to
1636
1539
# the class
1646
1549
alt_interface,
1647
1550
attribute._dbus_in_signature,
1648
1551
attribute._dbus_out_signature)
1649
(copy_function(attribute)))
1552
(types.FunctionType(attribute.func_code,
1553
attribute.func_globals,
1554
attribute.func_name,
1555
attribute.func_defaults,
1556
attribute.func_closure)))
1650
1557
# Copy annotations, if any
1651
1558
try:
1652
1559
attr[attrname]._dbus_annotations = dict(
1664
1571
attribute._dbus_access,
1665
1572
attribute._dbus_get_args_options
1666
1573
["byte_arrays"])
1667
(copy_function(attribute)))
1574
(types.FunctionType(
1575
attribute.func_code,
1576
attribute.func_globals,
1577
attribute.func_name,
1578
attribute.func_defaults,
1579
attribute.func_closure)))
1668
1580
# Copy annotations, if any
1669
1581
try:
1670
1582
attr[attrname]._dbus_annotations = dict(
1679
1591
# to the class.
1680
1592
attr[attrname] = (
1681
1593
dbus_interface_annotations(alt_interface)
1682
(copy_function(attribute)))
1594
(types.FunctionType(attribute.func_code,
1595
attribute.func_globals,
1596
attribute.func_name,
1597
attribute.func_defaults,
1598
attribute.func_closure)))
1683
1599
if deprecate:
1684
1600
# Deprecate all alternate interfaces
1685
iname = "_AlternateDBusNames_interface_annotation{}"
1601
iname="_AlternateDBusNames_interface_annotation{}"
1686
1602
for interface_name in interface_names:
1687
1603
1688
1604
@dbus_interface_annotations(interface_name)
1689
1605
def func(self):
1690
return {"org.freedesktop.DBus.Deprecated":
1691
"true"}
1606
return { "org.freedesktop.DBus.Deprecated":
1607
"true" }
1692
1608
# Find an unused name
1693
1609
for aname in (iname.format(i)
1694
1610
for i in itertools.count()):
1698
1614
if interface_names:
1699
1615
# Replace the class with a new subclass of it with
1700
1616
# methods, signals, etc. as created above.
1701
if sys.version_info.major == 2:
1702
cls = type(b"{}Alternate".format(cls.__name__),
1703
(cls, ), attr)
1704
else:
1705
cls = type("{}Alternate".format(cls.__name__),
1706
(cls, ), attr)
1617
cls = type(b"{}Alternate".format(cls.__name__),
1618
(cls, ), attr)
1707
1619
return cls
1708
1620
1709
1621
return wrapper
1710
1622
1711
1623
1713
1625
"se.bsnet.fukt.Mandos"})
1714
1626
class ClientDBus(Client, DBusObjectWithProperties):
1715
1627
"""A Client class using D-Bus
1716
1628
1717
1629
Attributes:
1718
1630
dbus_object_path: dbus.ObjectPath
1719
1631
bus: dbus.SystemBus()
1720
1632
"""
1721
1633
1722
1634
runtime_expansions = (Client.runtime_expansions
1723
1635
+ ("dbus_object_path", ))
1724
1636
1725
1637
_interface = "se.recompile.Mandos.Client"
1726
1638
1727
1639
# dbus.service.Object doesn't use super(), so we can't either.
1728
1729
def __init__(self, bus=None, *args, **kwargs):
1640
1641
def __init__(self, bus = None, *args, **kwargs):
1730
1642
self.bus = bus
1731
1643
Client.__init__(self, *args, **kwargs)
1732
1644
# Only now, when this client is initialized, can it show up on
1738
1650
"/clients/" + client_object_name)
1739
1651
DBusObjectWithProperties.__init__(self, self.bus,
1740
1652
self.dbus_object_path)
1741
1653
1742
1654
def notifychangeproperty(transform_func, dbus_name,
1743
1655
type_func=lambda x: x,
1744
1656
variant_level=1,
1746
1658
_interface=_interface):
1747
1659
""" Modify a variable so that it's a property which announces
1748
1660
its changes to DBus.
1749
1661
1750
1662
transform_fun: Function that takes a value and a variant_level
1751
1663
and transforms it to a D-Bus type.
1752
1664
dbus_name: D-Bus name of the variable
1755
1667
variant_level: D-Bus variant level. Default: 1
1756
1668
"""
1757
1669
attrname = "_{}".format(dbus_name)
1758
1670
1759
1671
def setter(self, value):
1760
1672
if hasattr(self, "dbus_object_path"):
1761
1673
if (not hasattr(self, attrname) or
1768
1680
else:
1769
1681
dbus_value = transform_func(
1770
1682
type_func(value),
1771
variant_level=variant_level)
1683
variant_level = variant_level)
1772
1684
self.PropertyChanged(dbus.String(dbus_name),
1773
1685
dbus_value)
1774
1686
self.PropertiesChanged(
1775
1687
_interface,
1776
dbus.Dictionary({dbus.String(dbus_name):
1777
dbus_value}),
1688
dbus.Dictionary({ dbus.String(dbus_name):
1689
dbus_value }),
1778
1690
dbus.Array())
1779
1691
setattr(self, attrname, value)
1780
1692
1781
1693
return property(lambda self: getattr(self, attrname), setter)
1782
1694
1783
1695
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1784
1696
approvals_pending = notifychangeproperty(dbus.Boolean,
1785
1697
"ApprovalPending",
1786
type_func=bool)
1698
type_func = bool)
1787
1699
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1788
1700
last_enabled = notifychangeproperty(datetime_to_dbus,
1789
1701
"LastEnabled")
1790
1702
checker = notifychangeproperty(
1791
1703
dbus.Boolean, "CheckerRunning",
1792
type_func=lambda checker: checker is not None)
1704
type_func = lambda checker: checker is not None)
1793
1705
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1794
1706
"LastCheckedOK")
1795
1707
last_checker_status = notifychangeproperty(dbus.Int16,
1800
1712
"ApprovedByDefault")
1801
1713
approval_delay = notifychangeproperty(
1802
1714
dbus.UInt64, "ApprovalDelay",
1803
type_func=lambda td: td.total_seconds() * 1000)
1715
type_func = lambda td: td.total_seconds() * 1000)
1804
1716
approval_duration = notifychangeproperty(
1805
1717
dbus.UInt64, "ApprovalDuration",
1806
type_func=lambda td: td.total_seconds() * 1000)
1718
type_func = lambda td: td.total_seconds() * 1000)
1807
1719
host = notifychangeproperty(dbus.String, "Host")
1808
1720
timeout = notifychangeproperty(
1809
1721
dbus.UInt64, "Timeout",
1810
type_func=lambda td: td.total_seconds() * 1000)
1722
type_func = lambda td: td.total_seconds() * 1000)
1811
1723
extended_timeout = notifychangeproperty(
1812
1724
dbus.UInt64, "ExtendedTimeout",
1813
type_func=lambda td: td.total_seconds() * 1000)
1725
type_func = lambda td: td.total_seconds() * 1000)
1814
1726
interval = notifychangeproperty(
1815
1727
dbus.UInt64, "Interval",
1816
type_func=lambda td: td.total_seconds() * 1000)
1728
type_func = lambda td: td.total_seconds() * 1000)
1817
1729
checker_command = notifychangeproperty(dbus.String, "Checker")
1818
1730
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1819
1731
invalidate_only=True)
1820
1732
1821
1733
del notifychangeproperty
1822
1734
1823
1735
def __del__(self, *args, **kwargs):
1824
1736
try:
1825
1737
self.remove_from_connection()
1828
1740
if hasattr(DBusObjectWithProperties, "__del__"):
1829
1741
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1830
1742
Client.__del__(self, *args, **kwargs)
1831
1743
1832
1744
def checker_callback(self, source, condition,
1833
1745
connection, command, *args, **kwargs):
1834
1746
ret = Client.checker_callback(self, source, condition,
1850
1762
| self.last_checker_signal),
1851
1763
dbus.String(command))
1852
1764
return ret
1853
1765
1854
1766
def start_checker(self, *args, **kwargs):
1855
1767
old_checker_pid = getattr(self.checker, "pid", None)
1856
1768
r = Client.start_checker(self, *args, **kwargs)
1860
1772
# Emit D-Bus signal
1861
1773
self.CheckerStarted(self.current_checker_command)
1862
1774
return r
1863
1775
1864
1776
def _reset_approved(self):
1865
1777
self.approved = None
1866
1778
return False
1867
1779
1868
1780
def approve(self, value=True):
1869
1781
self.approved = value
1870
GLib.timeout_add(int(self.approval_duration.total_seconds()
1871
* 1000), self._reset_approved)
1782
gobject.timeout_add(int(self.approval_duration.total_seconds()
1783
* 1000), self._reset_approved)
1872
1784
self.send_changedstate()
1873
1874
# D-Bus methods, signals & properties
1875
1876
# Interfaces
1877
1878
# Signals
1879
1785
1786
## D-Bus methods, signals & properties
1787
1788
## Interfaces
1789
1790
## Signals
1791
1880
1792
# CheckerCompleted - signal
1881
1793
@dbus.service.signal(_interface, signature="nxs")
1882
1794
def CheckerCompleted(self, exitcode, waitstatus, command):
1883
1795
"D-Bus signal"
1884
1796
pass
1885
1797
1886
1798
# CheckerStarted - signal
1887
1799
@dbus.service.signal(_interface, signature="s")
1888
1800
def CheckerStarted(self, command):
1889
1801
"D-Bus signal"
1890
1802
pass
1891
1803
1892
1804
# PropertyChanged - signal
1893
1805
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1894
1806
@dbus.service.signal(_interface, signature="sv")
1895
1807
def PropertyChanged(self, property, value):
1896
1808
"D-Bus signal"
1897
1809
pass
1898
1810
1899
1811
# GotSecret - signal
1900
1812
@dbus.service.signal(_interface)
1901
1813
def GotSecret(self):
1904
1816
server to mandos-client
1905
1817
"""
1906
1818
pass
1907
1819
1908
1820
# Rejected - signal
1909
1821
@dbus.service.signal(_interface, signature="s")
1910
1822
def Rejected(self, reason):
1911
1823
"D-Bus signal"
1912
1824
pass
1913
1825
1914
1826
# NeedApproval - signal
1915
1827
@dbus.service.signal(_interface, signature="tb")
1916
1828
def NeedApproval(self, timeout, default):
1917
1829
"D-Bus signal"
1918
1830
return self.need_approval()
1919
1920
# Methods
1921
1831
1832
## Methods
1833
1922
1834
# Approve - method
1923
1835
@dbus.service.method(_interface, in_signature="b")
1924
1836
def Approve(self, value):
1925
1837
self.approve(value)
1926
1838
1927
1839
# CheckedOK - method
1928
1840
@dbus.service.method(_interface)
1929
1841
def CheckedOK(self):
1930
1842
self.checked_ok()
1931
1843
1932
1844
# Enable - method
1933
1845
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1934
1846
@dbus.service.method(_interface)
1935
1847
def Enable(self):
1936
1848
"D-Bus method"
1937
1849
self.enable()
1938
1850
1939
1851
# StartChecker - method
1940
1852
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1941
1853
@dbus.service.method(_interface)
1942
1854
def StartChecker(self):
1943
1855
"D-Bus method"
1944
1856
self.start_checker()
1945
1857
1946
1858
# Disable - method
1947
1859
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1948
1860
@dbus.service.method(_interface)
1949
1861
def Disable(self):
1950
1862
"D-Bus method"
1951
1863
self.disable()
1952
1864
1953
1865
# StopChecker - method
1954
1866
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1955
1867
@dbus.service.method(_interface)
1956
1868
def StopChecker(self):
1957
1869
self.stop_checker()
1958
1959
# Properties
1960
1870
1871
## Properties
1872
1961
1873
# ApprovalPending - property
1962
1874
@dbus_service_property(_interface, signature="b", access="read")
1963
1875
def ApprovalPending_dbus_property(self):
1964
1876
return dbus.Boolean(bool(self.approvals_pending))
1965
1877
1966
1878
# ApprovedByDefault - property
1967
1879
@dbus_service_property(_interface,
1968
1880
signature="b",
1971
1883
if value is None: # get
1972
1884
return dbus.Boolean(self.approved_by_default)
1973
1885
self.approved_by_default = bool(value)
1974
1886
1975
1887
# ApprovalDelay - property
1976
1888
@dbus_service_property(_interface,
1977
1889
signature="t",
1981
1893
return dbus.UInt64(self.approval_delay.total_seconds()
1982
1894
* 1000)
1983
1895
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1984
1896
1985
1897
# ApprovalDuration - property
1986
1898
@dbus_service_property(_interface,
1987
1899
signature="t",
1991
1903
return dbus.UInt64(self.approval_duration.total_seconds()
1992
1904
* 1000)
1993
1905
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1994
1906
1995
1907
# Name - property
1996
1908
@dbus_annotations(
1997
1909
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1998
1910
@dbus_service_property(_interface, signature="s", access="read")
1999
1911
def Name_dbus_property(self):
2000
1912
return dbus.String(self.name)
2001
1913
2002
1914
# Fingerprint - property
2003
1915
@dbus_annotations(
2004
1916
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2005
1917
@dbus_service_property(_interface, signature="s", access="read")
2006
1918
def Fingerprint_dbus_property(self):
2007
1919
return dbus.String(self.fingerprint)
2008
1920
2009
1921
# Host - property
2010
1922
@dbus_service_property(_interface,
2011
1923
signature="s",
2014
1926
if value is None: # get
2015
1927
return dbus.String(self.host)
2016
1928
self.host = str(value)
2017
1929
2018
1930
# Created - property
2019
1931
@dbus_annotations(
2020
1932
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2021
1933
@dbus_service_property(_interface, signature="s", access="read")
2022
1934
def Created_dbus_property(self):
2023
1935
return datetime_to_dbus(self.created)
2024
1936
2025
1937
# LastEnabled - property
2026
1938
@dbus_service_property(_interface, signature="s", access="read")
2027
1939
def LastEnabled_dbus_property(self):
2028
1940
return datetime_to_dbus(self.last_enabled)
2029
1941
2030
1942
# Enabled - property
2031
1943
@dbus_service_property(_interface,
2032
1944
signature="b",
2038
1950
self.enable()
2039
1951
else:
2040
1952
self.disable()
2041
1953
2042
1954
# LastCheckedOK - property
2043
1955
@dbus_service_property(_interface,
2044
1956
signature="s",
2048
1960
self.checked_ok()
2049
1961
return
2050
1962
return datetime_to_dbus(self.last_checked_ok)
2051
1963
2052
1964
# LastCheckerStatus - property
2053
1965
@dbus_service_property(_interface, signature="n", access="read")
2054
1966
def LastCheckerStatus_dbus_property(self):
2055
1967
return dbus.Int16(self.last_checker_status)
2056
1968
2057
1969
# Expires - property
2058
1970
@dbus_service_property(_interface, signature="s", access="read")
2059
1971
def Expires_dbus_property(self):
2060
1972
return datetime_to_dbus(self.expires)
2061
1973
2062
1974
# LastApprovalRequest - property
2063
1975
@dbus_service_property(_interface, signature="s", access="read")
2064
1976
def LastApprovalRequest_dbus_property(self):
2065
1977
return datetime_to_dbus(self.last_approval_request)
2066
1978
2067
1979
# Timeout - property
2068
1980
@dbus_service_property(_interface,
2069
1981
signature="t",
2084
1996
if (getattr(self, "disable_initiator_tag", None)
2085
1997
is None):
2086
1998
return
2087
GLib.source_remove(self.disable_initiator_tag)
2088
self.disable_initiator_tag = GLib.timeout_add(
1999
gobject.source_remove(self.disable_initiator_tag)
2000
self.disable_initiator_tag = gobject.timeout_add(
2089
2001
int((self.expires - now).total_seconds() * 1000),
2090
2002
self.disable)
2091
2003
2092
2004
# ExtendedTimeout - property
2093
2005
@dbus_service_property(_interface,
2094
2006
signature="t",
2098
2010
return dbus.UInt64(self.extended_timeout.total_seconds()
2099
2011
* 1000)
2100
2012
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2101
2013
2102
2014
# Interval - property
2103
2015
@dbus_service_property(_interface,
2104
2016
signature="t",
2111
2023
return
2112
2024
if self.enabled:
2113
2025
# Reschedule checker run
2114
GLib.source_remove(self.checker_initiator_tag)
2115
self.checker_initiator_tag = GLib.timeout_add(
2026
gobject.source_remove(self.checker_initiator_tag)
2027
self.checker_initiator_tag = gobject.timeout_add(
2116
2028
value, self.start_checker)
2117
self.start_checker() # Start one now, too
2118
2029
self.start_checker() # Start one now, too
2030
2119
2031
# Checker - property
2120
2032
@dbus_service_property(_interface,
2121
2033
signature="s",
2124
2036
if value is None: # get
2125
2037
return dbus.String(self.checker_command)
2126
2038
self.checker_command = str(value)
2127
2039
2128
2040
# CheckerRunning - property
2129
2041
@dbus_service_property(_interface,
2130
2042
signature="b",
2136
2048
self.start_checker()
2137
2049
else:
2138
2050
self.stop_checker()
2139
2051
2140
2052
# ObjectPath - property
2141
2053
@dbus_annotations(
2142
2054
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2143
2055
"org.freedesktop.DBus.Deprecated": "true"})
2144
2056
@dbus_service_property(_interface, signature="o", access="read")
2145
2057
def ObjectPath_dbus_property(self):
2146
return self.dbus_object_path # is already a dbus.ObjectPath
2147
2058
return self.dbus_object_path # is already a dbus.ObjectPath
2059
2148
2060
# Secret = property
2149
2061
@dbus_annotations(
2150
2062
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2155
2067
byte_arrays=True)
2156
2068
def Secret_dbus_property(self, value):
2157
2069
self.secret = bytes(value)
2158
2070
2159
2071
del _interface
2160
2072
2161
2073
2165
2077
self._pipe.send(('init', fpr, address))
2166
2078
if not self._pipe.recv():
2167
2079
raise KeyError(fpr)
2168
2080
2169
2081
def __getattribute__(self, name):
2170
2082
if name == '_pipe':
2171
2083
return super(ProxyClient, self).__getattribute__(name)
2174
2086
if data[0] == 'data':
2175
2087
return data[1]
2176
2088
if data[0] == 'function':
2177
2089
2178
2090
def func(*args, **kwargs):
2179
2091
self._pipe.send(('funcall', name, args, kwargs))
2180
2092
return self._pipe.recv()[1]
2181
2093
2182
2094
return func
2183
2095
2184
2096
def __setattr__(self, name, value):
2185
2097
if name == '_pipe':
2186
2098
return super(ProxyClient, self).__setattr__(name, value)
2189
2101
2190
2102
class ClientHandler(socketserver.BaseRequestHandler, object):
2191
2103
"""A class to handle client connections.
2192
2104
2193
2105
Instantiated once for each connection to handle it.
2194
2106
Note: This will run in its own forked process."""
2195
2107
2196
2108
def handle(self):
2197
2109
with contextlib.closing(self.server.child_pipe) as child_pipe:
2198
2110
logger.info("TCP connection from: %s",
2199
2111
str(self.client_address))
2200
2112
logger.debug("Pipe FD: %d",
2201
2113
self.server.child_pipe.fileno())
2202
2114
2203
2115
session = gnutls.ClientSession(self.request)
2204
2205
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2206
# "+AES-256-CBC", "+SHA1",
2207
# "+COMP-NULL", "+CTYPE-OPENPGP",
2208
# "+DHE-DSS"))
2116
2117
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2118
# "+AES-256-CBC", "+SHA1",
2119
# "+COMP-NULL", "+CTYPE-OPENPGP",
2120
# "+DHE-DSS"))
2209
2121
# Use a fallback default, since this MUST be set.
2210
2122
priority = self.server.gnutls_priority
2211
2123
if priority is None:
2212
2124
priority = "NORMAL"
2213
gnutls.priority_set_direct(session._c_object,
2214
priority.encode("utf-8"),
2125
gnutls.priority_set_direct(session._c_object, priority,
2215
2126
None)
2216
2127
2217
2128
# Start communication using the Mandos protocol
2218
2129
# Get protocol number
2219
2130
line = self.request.makefile().readline()
2224
2135
except (ValueError, IndexError, RuntimeError) as error:
2225
2136
logger.error("Unknown protocol version: %s", error)
2226
2137
return
2227
2138
2228
2139
# Start GnuTLS connection
2229
2140
try:
2230
2141
session.handshake()
2234
2145
# established. Just abandon the request.
2235
2146
return
2236
2147
logger.debug("Handshake succeeded")
2237
2148
2238
2149
approval_required = False
2239
2150
try:
2240
2151
try:
2244
2155
logger.warning("Bad certificate: %s", error)
2245
2156
return
2246
2157
logger.debug("Fingerprint: %s", fpr)
2247
2158
2248
2159
try:
2249
2160
client = ProxyClient(child_pipe, fpr,
2250
2161
self.client_address)
2251
2162
except KeyError:
2252
2163
return
2253
2164
2254
2165
if client.approval_delay:
2255
2166
delay = client.approval_delay
2256
2167
client.approvals_pending += 1
2257
2168
approval_required = True
2258
2169
2259
2170
while True:
2260
2171
if not client.enabled:
2261
2172
logger.info("Client %s is disabled",
2264
2175
# Emit D-Bus signal
2265
2176
client.Rejected("Disabled")
2266
2177
return
2267
2178
2268
2179
if client.approved or not client.approval_delay:
2269
# We are approved or approval is disabled
2180
#We are approved or approval is disabled
2270
2181
break
2271
2182
elif client.approved is None:
2272
2183
logger.info("Client %s needs approval",
2283
2194
# Emit D-Bus signal
2284
2195
client.Rejected("Denied")
2285
2196
return
2286
2287
# wait until timeout or approved
2197
2198
#wait until timeout or approved
2288
2199
time = datetime.datetime.now()
2289
2200
client.changedstate.acquire()
2290
2201
client.changedstate.wait(delay.total_seconds())
2303
2214
break
2304
2215
else:
2305
2216
delay -= time2 - time
2306
2307
try:
2308
session.send(client.secret)
2309
except gnutls.Error as error:
2310
logger.warning("gnutls send failed",
2311
exc_info=error)
2312
return
2313
2217
2218
sent_size = 0
2219
while sent_size < len(client.secret):
2220
try:
2221
sent = session.send(client.secret[sent_size:])
2222
except gnutls.Error as error:
2223
logger.warning("gnutls send failed",
2224
exc_info=error)
2225
return
2226
logger.debug("Sent: %d, remaining: %d", sent,
2227
len(client.secret) - (sent_size
2228
+ sent))
2229
sent_size += sent
2230
2314
2231
logger.info("Sending secret to %s", client.name)
2315
2232
# bump the timeout using extended_timeout
2316
2233
client.bump_timeout(client.extended_timeout)
2317
2234
if self.server.use_dbus:
2318
2235
# Emit D-Bus signal
2319
2236
client.GotSecret()
2320
2237
2321
2238
finally:
2322
2239
if approval_required:
2323
2240
client.approvals_pending -= 1
2326
2243
except gnutls.Error as error:
2327
2244
logger.warning("GnuTLS bye failed",
2328
2245
exc_info=error)
2329
2246
2330
2247
@staticmethod
2331
2248
def peer_certificate(session):
2332
2249
"Return the peer's OpenPGP certificate as a bytestring"
2344
2261
return None
2345
2262
cert = cert_list[0]
2346
2263
return ctypes.string_at(cert.data, cert.size)
2347
2264
2348
2265
@staticmethod
2349
2266
def fingerprint(openpgp):
2350
2267
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2383
2300
2384
2301
class MultiprocessingMixIn(object):
2385
2302
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2386
2303
2387
2304
def sub_process_main(self, request, address):
2388
2305
try:
2389
2306
self.finish_request(request, address)
2390
2307
except Exception:
2391
2308
self.handle_error(request, address)
2392
2309
self.close_request(request)
2393
2310
2394
2311
def process_request(self, request, address):
2395
2312
"""Start a new process to process the request."""
2396
proc = multiprocessing.Process(target=self.sub_process_main,
2397
args=(request, address))
2313
proc = multiprocessing.Process(target = self.sub_process_main,
2314
args = (request, address))
2398
2315
proc.start()
2399
2316
return proc
2400
2317
2401
2318
2402
2319
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2403
2320
""" adds a pipe to the MixIn """
2404
2321
2405
2322
def process_request(self, request, client_address):
2406
2323
"""Overrides and wraps the original process_request().
2407
2324
2408
2325
This function creates a new pipe in self.pipe
2409
2326
"""
2410
2327
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2411
2328
2412
2329
proc = MultiprocessingMixIn.process_request(self, request,
2413
2330
client_address)
2414
2331
self.child_pipe.close()
2415
2332
self.add_pipe(parent_pipe, proc)
2416
2333
2417
2334
def add_pipe(self, parent_pipe, proc):
2418
2335
"""Dummy function; override as necessary"""
2419
2336
raise NotImplementedError()
2422
2339
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2423
2340
socketserver.TCPServer, object):
2424
2341
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2425
2342
2426
2343
Attributes:
2427
2344
enabled: Boolean; whether this server is activated yet
2428
2345
interface: None or a network interface name (string)
2429
2346
use_ipv6: Boolean; to use IPv6 or not
2430
2347
"""
2431
2348
2432
2349
def __init__(self, server_address, RequestHandlerClass,
2433
2350
interface=None,
2434
2351
use_ipv6=True,
2444
2361
self.socketfd = socketfd
2445
2362
# Save the original socket.socket() function
2446
2363
self.socket_socket = socket.socket
2447
2448
2364
# To implement --socket, we monkey patch socket.socket.
2449
#
2365
#
2450
2366
# (When socketserver.TCPServer is a new-style class, we
2451
2367
# could make self.socket into a property instead of monkey
2452
2368
# patching socket.socket.)
2453
#
2369
#
2454
2370
# Create a one-time-only replacement for socket.socket()
2455
2371
@functools.wraps(socket.socket)
2456
2372
def socket_wrapper(*args, **kwargs):
2468
2384
# socket_wrapper(), if socketfd was set.
2469
2385
socketserver.TCPServer.__init__(self, server_address,
2470
2386
RequestHandlerClass)
2471
2387
2472
2388
def server_bind(self):
2473
2389
"""This overrides the normal server_bind() function
2474
2390
to bind to an interface if one was specified, and also NOT to
2475
2391
bind to an address or port if they were not specified."""
2476
global SO_BINDTODEVICE
2477
2392
if self.interface is not None:
2478
2393
if SO_BINDTODEVICE is None:
2479
# Fall back to a hard-coded value which seems to be
2480
# common enough.
2481
logger.warning("SO_BINDTODEVICE not found, trying 25")
2482
SO_BINDTODEVICE = 25
2483
try:
2484
self.socket.setsockopt(
2485
socket.SOL_SOCKET, SO_BINDTODEVICE,
2486
(self.interface + "\0").encode("utf-8"))
2487
except socket.error as error:
2488
if error.errno == errno.EPERM:
2489
logger.error("No permission to bind to"
2490
" interface %s", self.interface)
2491
elif error.errno == errno.ENOPROTOOPT:
2492
logger.error("SO_BINDTODEVICE not available;"
2493
" cannot bind to interface %s",
2494
self.interface)
2495
elif error.errno == errno.ENODEV:
2496
logger.error("Interface %s does not exist,"
2497
" cannot bind", self.interface)
2498
else:
2499
raise
2394
logger.error("SO_BINDTODEVICE does not exist;"
2395
" cannot bind to interface %s",
2396
self.interface)
2397
else:
2398
try:
2399
self.socket.setsockopt(
2400
socket.SOL_SOCKET, SO_BINDTODEVICE,
2401
(self.interface + "\0").encode("utf-8"))
2402
except socket.error as error:
2403
if error.errno == errno.EPERM:
2404
logger.error("No permission to bind to"
2405
" interface %s", self.interface)
2406
elif error.errno == errno.ENOPROTOOPT:
2407
logger.error("SO_BINDTODEVICE not available;"
2408
" cannot bind to interface %s",
2409
self.interface)
2410
elif error.errno == errno.ENODEV:
2411
logger.error("Interface %s does not exist,"
2412
" cannot bind", self.interface)
2413
else:
2414
raise
2500
2415
# Only bind(2) the socket if we really need to.
2501
2416
if self.server_address[0] or self.server_address[1]:
2502
2417
if not self.server_address[0]:
2503
2418
if self.address_family == socket.AF_INET6:
2504
any_address = "::" # in6addr_any
2419
any_address = "::" # in6addr_any
2505
2420
else:
2506
any_address = "0.0.0.0" # INADDR_ANY
2421
any_address = "0.0.0.0" # INADDR_ANY
2507
2422
self.server_address = (any_address,
2508
2423
self.server_address[1])
2509
2424
elif not self.server_address[1]:
2519
2434
2520
2435
class MandosServer(IPv6_TCPServer):
2521
2436
"""Mandos server.
2522
2437
2523
2438
Attributes:
2524
2439
clients: set of Client objects
2525
2440
gnutls_priority GnuTLS priority string
2526
2441
use_dbus: Boolean; to emit D-Bus signals or not
2527
2528
Assumes a GLib.MainLoop event loop.
2442
2443
Assumes a gobject.MainLoop event loop.
2529
2444
"""
2530
2445
2531
2446
def __init__(self, server_address, RequestHandlerClass,
2532
2447
interface=None,
2533
2448
use_ipv6=True,
2543
2458
self.gnutls_priority = gnutls_priority
2544
2459
IPv6_TCPServer.__init__(self, server_address,
2545
2460
RequestHandlerClass,
2546
interface=interface,
2547
use_ipv6=use_ipv6,
2548
socketfd=socketfd)
2549
2461
interface = interface,
2462
use_ipv6 = use_ipv6,
2463
socketfd = socketfd)
2464
2550
2465
def server_activate(self):
2551
2466
if self.enabled:
2552
2467
return socketserver.TCPServer.server_activate(self)
2553
2468
2554
2469
def enable(self):
2555
2470
self.enabled = True
2556
2471
2557
2472
def add_pipe(self, parent_pipe, proc):
2558
2473
# Call "handle_ipc" for both data and EOF events
2559
GLib.io_add_watch(
2474
gobject.io_add_watch(
2560
2475
parent_pipe.fileno(),
2561
GLib.IO_IN | GLib.IO_HUP,
2476
gobject.IO_IN | gobject.IO_HUP,
2562
2477
functools.partial(self.handle_ipc,
2563
parent_pipe=parent_pipe,
2564
proc=proc))
2565
2478
parent_pipe = parent_pipe,
2479
proc = proc))
2480
2566
2481
def handle_ipc(self, source, condition,
2567
2482
parent_pipe=None,
2568
proc=None,
2483
proc = None,
2569
2484
client_object=None):
2570
2485
# error, or the other end of multiprocessing.Pipe has closed
2571
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2486
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2572
2487
# Wait for other process to exit
2573
2488
proc.join()
2574
2489
return False
2575
2490
2576
2491
# Read a request from the child
2577
2492
request = parent_pipe.recv()
2578
2493
command = request[0]
2579
2494
2580
2495
if command == 'init':
2581
fpr = request[1].decode("ascii")
2496
fpr = request[1]
2582
2497
address = request[2]
2583
2584
for c in self.clients.values():
2498
2499
for c in self.clients.itervalues():
2585
2500
if c.fingerprint == fpr:
2586
2501
client = c
2587
2502
break
2594
2509
address[0])
2595
2510
parent_pipe.send(False)
2596
2511
return False
2597
2598
GLib.io_add_watch(
2512
2513
gobject.io_add_watch(
2599
2514
parent_pipe.fileno(),
2600
GLib.IO_IN | GLib.IO_HUP,
2515
gobject.IO_IN | gobject.IO_HUP,
2601
2516
functools.partial(self.handle_ipc,
2602
parent_pipe=parent_pipe,
2603
proc=proc,
2604
client_object=client))
2517
parent_pipe = parent_pipe,
2518
proc = proc,
2519
client_object = client))
2605
2520
parent_pipe.send(True)
2606
2521
# remove the old hook in favor of the new above hook on
2607
2522
# same fileno
2610
2525
funcname = request[1]
2611
2526
args = request[2]
2612
2527
kwargs = request[3]
2613
2528
2614
2529
parent_pipe.send(('data', getattr(client_object,
2615
2530
funcname)(*args,
2616
2531
**kwargs)))
2617
2532
2618
2533
if command == 'getattr':
2619
2534
attrname = request[1]
2620
2535
if isinstance(client_object.__getattribute__(attrname),
2623
2538
else:
2624
2539
parent_pipe.send((
2625
2540
'data', client_object.__getattribute__(attrname)))
2626
2541
2627
2542
if command == 'setattr':
2628
2543
attrname = request[1]
2629
2544
value = request[2]
2630
2545
setattr(client_object, attrname, value)
2631
2546
2632
2547
return True
2633
2548
2634
2549
2635
2550
def rfc3339_duration_to_delta(duration):
2636
2551
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2637
2552
2638
2553
>>> rfc3339_duration_to_delta("P7D")
2639
2554
datetime.timedelta(7)
2640
2555
>>> rfc3339_duration_to_delta("PT60S")
2650
2565
>>> rfc3339_duration_to_delta("P1DT3M20S")
2651
2566
datetime.timedelta(1, 200)
2652
2567
"""
2653
2568
2654
2569
# Parsing an RFC 3339 duration with regular expressions is not
2655
2570
# possible - there would have to be multiple places for the same
2656
2571
# values, like seconds. The current code, while more esoteric, is
2657
2572
# cleaner without depending on a parsing library. If Python had a
2658
2573
# built-in library for parsing we would use it, but we'd like to
2659
2574
# avoid excessive use of external libraries.
2660
2575
2661
2576
# New type for defining tokens, syntax, and semantics all-in-one
2662
2577
Token = collections.namedtuple("Token", (
2663
2578
"regexp", # To match token; if "value" is not None, must have
2696
2611
frozenset((token_year, token_month,
2697
2612
token_day, token_time,
2698
2613
token_week)))
2699
# Define starting values:
2700
# Value so far
2701
value = datetime.timedelta()
2614
# Define starting values
2615
value = datetime.timedelta() # Value so far
2702
2616
found_token = None
2703
# Following valid tokens
2704
followers = frozenset((token_duration, ))
2705
# String left to parse
2706
s = duration
2617
followers = frozenset((token_duration, )) # Following valid tokens
2618
s = duration # String left to parse
2707
2619
# Loop until end token is found
2708
2620
while found_token is not token_end:
2709
2621
# Search for any currently valid tokens
2733
2645
2734
2646
def string_to_delta(interval):
2735
2647
"""Parse a string and return a datetime.timedelta
2736
2648
2737
2649
>>> string_to_delta('7d')
2738
2650
datetime.timedelta(7)
2739
2651
>>> string_to_delta('60s')
2747
2659
>>> string_to_delta('5m 30s')
2748
2660
datetime.timedelta(0, 330)
2749
2661
"""
2750
2662
2751
2663
try:
2752
2664
return rfc3339_duration_to_delta(interval)
2753
2665
except ValueError:
2754
2666
pass
2755
2667
2756
2668
timevalue = datetime.timedelta(0)
2757
2669
for s in interval.split():
2758
2670
try:
2776
2688
return timevalue
2777
2689
2778
2690
2779
def daemon(nochdir=False, noclose=False):
2691
def daemon(nochdir = False, noclose = False):
2780
2692
"""See daemon(3). Standard BSD Unix function.
2781
2693
2782
2694
This should really exist as os.daemon, but it doesn't (yet)."""
2783
2695
if os.fork():
2784
2696
sys.exit()
2802
2714
2803
2715
2804
2716
def main():
2805
2717
2806
2718
##################################################################
2807
2719
# Parsing of options, both command line and config file
2808
2720
2809
2721
parser = argparse.ArgumentParser()
2810
2722
parser.add_argument("-v", "--version", action="version",
2811
version="%(prog)s {}".format(version),
2723
version = "%(prog)s {}".format(version),
2812
2724
help="show version number and exit")
2813
2725
parser.add_argument("-i", "--interface", metavar="IF",
2814
2726
help="Bind to interface IF")
2850
2762
parser.add_argument("--no-zeroconf", action="store_false",
2851
2763
dest="zeroconf", help="Do not use Zeroconf",
2852
2764
default=None)
2853
2765
2854
2766
options = parser.parse_args()
2855
2767
2856
2768
if options.check:
2857
2769
import doctest
2858
2770
fail_count, test_count = doctest.testmod()
2859
2771
sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2772
2861
2773
# Default values for config file for server-global settings
2862
server_defaults = {"interface": "",
2863
"address": "",
2864
"port": "",
2865
"debug": "False",
2866
"priority":
2867
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
":+SIGN-DSA-SHA256",
2869
"servicename": "Mandos",
2870
"use_dbus": "True",
2871
"use_ipv6": "True",
2872
"debuglevel": "",
2873
"restore": "True",
2874
"socket": "",
2875
"statedir": "/var/lib/mandos",
2876
"foreground": "False",
2877
"zeroconf": "True",
2878
}
2879
2774
server_defaults = { "interface": "",
2775
"address": "",
2776
"port": "",
2777
"debug": "False",
2778
"priority":
2779
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2780
":+SIGN-DSA-SHA256",
2781
"servicename": "Mandos",
2782
"use_dbus": "True",
2783
"use_ipv6": "True",
2784
"debuglevel": "",
2785
"restore": "True",
2786
"socket": "",
2787
"statedir": "/var/lib/mandos",
2788
"foreground": "False",
2789
"zeroconf": "True",
2790
}
2791
2880
2792
# Parse config file for server-global settings
2881
2793
server_config = configparser.SafeConfigParser(server_defaults)
2882
2794
del server_defaults
2884
2796
# Convert the SafeConfigParser object to a dict
2885
2797
server_settings = server_config.defaults()
2886
2798
# Use the appropriate methods on the non-string config options
2887
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2888
"foreground", "zeroconf"):
2799
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2889
2800
server_settings[option] = server_config.getboolean("DEFAULT",
2890
2801
option)
2891
2802
if server_settings["port"]:
2901
2812
server_settings["socket"] = os.dup(server_settings
2902
2813
["socket"])
2903
2814
del server_config
2904
2815
2905
2816
# Override the settings from the config file with command line
2906
2817
# options, if set.
2907
2818
for option in ("interface", "address", "port", "debug",
2925
2836
if server_settings["debug"]:
2926
2837
server_settings["foreground"] = True
2927
2838
# Now we have our good server settings in "server_settings"
2928
2839
2929
2840
##################################################################
2930
2841
2931
2842
if (not server_settings["zeroconf"]
2932
2843
and not (server_settings["port"]
2933
2844
or server_settings["socket"] != "")):
2934
2845
parser.error("Needs port or socket to work without Zeroconf")
2935
2846
2936
2847
# For convenience
2937
2848
debug = server_settings["debug"]
2938
2849
debuglevel = server_settings["debuglevel"]
2942
2853
stored_state_file)
2943
2854
foreground = server_settings["foreground"]
2944
2855
zeroconf = server_settings["zeroconf"]
2945
2856
2946
2857
if debug:
2947
2858
initlogger(debug, logging.DEBUG)
2948
2859
else:
2951
2862
else:
2952
2863
level = getattr(logging, debuglevel.upper())
2953
2864
initlogger(debug, level)
2954
2865
2955
2866
if server_settings["servicename"] != "Mandos":
2956
2867
syslogger.setFormatter(
2957
2868
logging.Formatter('Mandos ({}) [%(process)d]:'
2958
2869
' %(levelname)s: %(message)s'.format(
2959
2870
server_settings["servicename"])))
2960
2871
2961
2872
# Parse config file with clients
2962
2873
client_config = configparser.SafeConfigParser(Client
2963
2874
.client_defaults)
2964
2875
client_config.read(os.path.join(server_settings["configdir"],
2965
2876
"clients.conf"))
2966
2877
2967
2878
global mandos_dbus_service
2968
2879
mandos_dbus_service = None
2969
2880
2970
2881
socketfd = None
2971
2882
if server_settings["socket"] != "":
2972
2883
socketfd = server_settings["socket"]
2988
2899
except IOError as e:
2989
2900
logger.error("Could not open file %r", pidfilename,
2990
2901
exc_info=e)
2991
2992
for name, group in (("_mandos", "_mandos"),
2993
("mandos", "mandos"),
2994
("nobody", "nogroup")):
2902
2903
for name in ("_mandos", "mandos", "nobody"):
2995
2904
try:
2996
2905
uid = pwd.getpwnam(name).pw_uid
2997
gid = pwd.getpwnam(group).pw_gid
2906
gid = pwd.getpwnam(name).pw_gid
2998
2907
break
2999
2908
except KeyError:
3000
2909
continue
3004
2913
try:
3005
2914
os.setgid(gid)
3006
2915
os.setuid(uid)
3007
if debug:
3008
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3009
gid))
3010
2916
except OSError as error:
3011
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3012
.format(uid, gid, os.strerror(error.errno)))
3013
2917
if error.errno != errno.EPERM:
3014
2918
raise
3015
2919
3016
2920
if debug:
3017
2921
# Enable all possible GnuTLS debugging
3018
2922
3019
2923
# "Use a log level over 10 to enable all debugging options."
3020
2924
# - GnuTLS manual
3021
2925
gnutls.global_set_log_level(11)
3022
2926
3023
2927
@gnutls.log_func
3024
2928
def debug_gnutls(level, string):
3025
2929
logger.debug("GnuTLS: %s", string[:-1])
3026
2930
3027
2931
gnutls.global_set_log_function(debug_gnutls)
3028
2932
3029
2933
# Redirect stdin so all checkers get /dev/null
3030
2934
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3031
2935
os.dup2(null, sys.stdin.fileno())
3032
2936
if null > 2:
3033
2937
os.close(null)
3034
2938
3035
2939
# Need to fork before connecting to D-Bus
3036
2940
if not foreground:
3037
2941
# Close all input and output, do double fork, etc.
3038
2942
daemon()
3039
3040
# multiprocessing will use threads, so before we use GLib we need
3041
# to inform GLib that threads will be used.
3042
GLib.threads_init()
3043
2943
2944
# multiprocessing will use threads, so before we use gobject we
2945
# need to inform gobject that threads will be used.
2946
gobject.threads_init()
2947
3044
2948
global main_loop
3045
2949
# From the Avahi example code
3046
2950
DBusGMainLoop(set_as_default=True)
3047
main_loop = GLib.MainLoop()
2951
main_loop = gobject.MainLoop()
3048
2952
bus = dbus.SystemBus()
3049
2953
# End of Avahi example code
3050
2954
if use_dbus:
3063
2967
if zeroconf:
3064
2968
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3065
2969
service = AvahiServiceToSyslog(
3066
name=server_settings["servicename"],
3067
servicetype="_mandos._tcp",
3068
protocol=protocol,
3069
bus=bus)
2970
name = server_settings["servicename"],
2971
servicetype = "_mandos._tcp",
2972
protocol = protocol,
2973
bus = bus)
3070
2974
if server_settings["interface"]:
3071
2975
service.interface = if_nametoindex(
3072
2976
server_settings["interface"].encode("utf-8"))
3073
2977
3074
2978
global multiprocessing_manager
3075
2979
multiprocessing_manager = multiprocessing.Manager()
3076
2980
3077
2981
client_class = Client
3078
2982
if use_dbus:
3079
client_class = functools.partial(ClientDBus, bus=bus)
3080
2983
client_class = functools.partial(ClientDBus, bus = bus)
2984
3081
2985
client_settings = Client.config_parser(client_config)
3082
2986
old_client_settings = {}
3083
2987
clients_data = {}
3084
2988
3085
2989
# This is used to redirect stdout and stderr for checker processes
3086
2990
global wnull
3087
wnull = open(os.devnull, "w") # A writable /dev/null
2991
wnull = open(os.devnull, "w") # A writable /dev/null
3088
2992
# Only used if server is running in foreground but not in debug
3089
2993
# mode
3090
2994
if debug or not foreground:
3091
2995
wnull.close()
3092
2996
3093
2997
# Get client data and settings from last running state.
3094
2998
if server_settings["restore"]:
3095
2999
try:
3096
3000
with open(stored_state_path, "rb") as stored_state:
3097
if sys.version_info.major == 2:
3098
clients_data, old_client_settings = pickle.load(
3099
stored_state)
3100
else:
3101
bytes_clients_data, bytes_old_client_settings = (
3102
pickle.load(stored_state, encoding="bytes"))
3103
# Fix bytes to strings
3104
# clients_data
3105
# .keys()
3106
clients_data = {(key.decode("utf-8")
3107
if isinstance(key, bytes)
3108
else key): value
3109
for key, value in
3110
bytes_clients_data.items()}
3111
del bytes_clients_data
3112
for key in clients_data:
3113
value = {(k.decode("utf-8")
3114
if isinstance(k, bytes) else k): v
3115
for k, v in
3116
clients_data[key].items()}
3117
clients_data[key] = value
3118
# .client_structure
3119
value["client_structure"] = [
3120
(s.decode("utf-8")
3121
if isinstance(s, bytes)
3122
else s) for s in
3123
value["client_structure"]]
3124
# .name & .host
3125
for k in ("name", "host"):
3126
if isinstance(value[k], bytes):
3127
value[k] = value[k].decode("utf-8")
3128
# old_client_settings
3129
# .keys()
3130
old_client_settings = {
3131
(key.decode("utf-8")
3132
if isinstance(key, bytes)
3133
else key): value
3134
for key, value in
3135
bytes_old_client_settings.items()}
3136
del bytes_old_client_settings
3137
# .host
3138
for value in old_client_settings.values():
3139
if isinstance(value["host"], bytes):
3140
value["host"] = (value["host"]
3141
.decode("utf-8"))
3001
clients_data, old_client_settings = pickle.load(
3002
stored_state)
3142
3003
os.remove(stored_state_path)
3143
3004
except IOError as e:
3144
3005
if e.errno == errno.ENOENT:
3152
3013
logger.warning("Could not load persistent state: "
3153
3014
"EOFError:",
3154
3015
exc_info=e)
3155
3016
3156
3017
with PGPEngine() as pgp:
3157
3018
for client_name, client in clients_data.items():
3158
3019
# Skip removed clients
3159
3020
if client_name not in client_settings:
3160
3021
continue
3161
3022
3162
3023
# Decide which value to use after restoring saved state.
3163
3024
# We have three different values: Old config file,
3164
3025
# new config file, and saved state.
3175
3036
client[name] = value
3176
3037
except KeyError:
3177
3038
pass
3178
3039
3179
3040
# Clients who has passed its expire date can still be
3180
3041
# enabled if its last checker was successful. A Client
3181
3042
# whose checker succeeded before we stored its state is
3214
3075
client_name))
3215
3076
client["secret"] = (client_settings[client_name]
3216
3077
["secret"])
3217
3078
3218
3079
# Add/remove clients based on new changes made to config
3219
3080
for client_name in (set(old_client_settings)
3220
3081
- set(client_settings)):
3222
3083
for client_name in (set(client_settings)
3223
3084
- set(old_client_settings)):
3224
3085
clients_data[client_name] = client_settings[client_name]
3225
3086
3226
3087
# Create all client objects
3227
3088
for client_name, client in clients_data.items():
3228
3089
tcp_server.clients[client_name] = client_class(
3229
name=client_name,
3230
settings=client,
3231
server_settings=server_settings)
3232
3090
name = client_name,
3091
settings = client,
3092
server_settings = server_settings)
3093
3233
3094
if not tcp_server.clients:
3234
3095
logger.warning("No clients defined")
3235
3096
3236
3097
if not foreground:
3237
3098
if pidfile is not None:
3238
3099
pid = os.getpid()
3244
3105
pidfilename, pid)
3245
3106
del pidfile
3246
3107
del pidfilename
3247
3248
for termsig in (signal.SIGHUP, signal.SIGTERM):
3249
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3250
lambda: main_loop.quit() and False)
3251
3108
3109
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3110
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3111
3252
3112
if use_dbus:
3253
3113
3254
3114
@alternate_dbus_interfaces(
3255
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3115
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3256
3116
class MandosDBusService(DBusObjectWithObjectManager):
3257
3117
"""A D-Bus proxy object"""
3258
3118
3259
3119
def __init__(self):
3260
3120
dbus.service.Object.__init__(self, bus, "/")
3261
3121
3262
3122
_interface = "se.recompile.Mandos"
3263
3123
3264
3124
@dbus.service.signal(_interface, signature="o")
3265
3125
def ClientAdded(self, objpath):
3266
3126
"D-Bus signal"
3267
3127
pass
3268
3128
3269
3129
@dbus.service.signal(_interface, signature="ss")
3270
3130
def ClientNotFound(self, fingerprint, address):
3271
3131
"D-Bus signal"
3272
3132
pass
3273
3133
3274
3134
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3275
3135
"true"})
3276
3136
@dbus.service.signal(_interface, signature="os")
3277
3137
def ClientRemoved(self, objpath, name):
3278
3138
"D-Bus signal"
3279
3139
pass
3280
3140
3281
3141
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3282
3142
"true"})
3283
3143
@dbus.service.method(_interface, out_signature="ao")
3284
3144
def GetAllClients(self):
3285
3145
"D-Bus method"
3286
3146
return dbus.Array(c.dbus_object_path for c in
3287
tcp_server.clients.values())
3288
3147
tcp_server.clients.itervalues())
3148
3289
3149
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3290
3150
"true"})
3291
3151
@dbus.service.method(_interface,
3293
3153
def GetAllClientsWithProperties(self):
3294
3154
"D-Bus method"
3295
3155
return dbus.Dictionary(
3296
{c.dbus_object_path: c.GetAll(
3156
{ c.dbus_object_path: c.GetAll(
3297
3157
"se.recompile.Mandos.Client")
3298
for c in tcp_server.clients.values()},
3158
for c in tcp_server.clients.itervalues() },
3299
3159
signature="oa{sv}")
3300
3160
3301
3161
@dbus.service.method(_interface, in_signature="o")
3302
3162
def RemoveClient(self, object_path):
3303
3163
"D-Bus method"
3304
for c in tcp_server.clients.values():
3164
for c in tcp_server.clients.itervalues():
3305
3165
if c.dbus_object_path == object_path:
3306
3166
del tcp_server.clients[c.name]
3307
3167
c.remove_from_connection()
3311
3171
self.client_removed_signal(c)
3312
3172
return
3313
3173
raise KeyError(object_path)
3314
3174
3315
3175
del _interface
3316
3176
3317
3177
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3318
out_signature="a{oa{sa{sv}}}")
3178
out_signature = "a{oa{sa{sv}}}")
3319
3179
def GetManagedObjects(self):
3320
3180
"""D-Bus method"""
3321
3181
return dbus.Dictionary(
3322
{client.dbus_object_path:
3323
dbus.Dictionary(
3324
{interface: client.GetAll(interface)
3325
for interface in
3326
client._get_all_interface_names()})
3327
for client in tcp_server.clients.values()})
3328
3182
{ client.dbus_object_path:
3183
dbus.Dictionary(
3184
{ interface: client.GetAll(interface)
3185
for interface in
3186
client._get_all_interface_names()})
3187
for client in tcp_server.clients.values()})
3188
3329
3189
def client_added_signal(self, client):
3330
3190
"""Send the new standard signal and the old signal"""
3331
3191
if use_dbus:
3333
3193
self.InterfacesAdded(
3334
3194
client.dbus_object_path,
3335
3195
dbus.Dictionary(
3336
{interface: client.GetAll(interface)
3337
for interface in
3338
client._get_all_interface_names()}))
3196
{ interface: client.GetAll(interface)
3197
for interface in
3198
client._get_all_interface_names()}))
3339
3199
# Old signal
3340
3200
self.ClientAdded(client.dbus_object_path)
3341
3201
3342
3202
def client_removed_signal(self, client):
3343
3203
"""Send the new standard signal and the old signal"""
3344
3204
if use_dbus:
3349
3209
# Old signal
3350
3210
self.ClientRemoved(client.dbus_object_path,
3351
3211
client.name)
3352
3212
3353
3213
mandos_dbus_service = MandosDBusService()
3354
3355
# Save modules to variables to exempt the modules from being
3356
# unloaded before the function registered with atexit() is run.
3357
mp = multiprocessing
3358
wn = wnull
3359
3214
3360
3215
def cleanup():
3361
3216
"Cleanup function; run on exit"
3362
3217
if zeroconf:
3363
3218
service.cleanup()
3364
3365
mp.active_children()
3366
wn.close()
3219
3220
multiprocessing.active_children()
3221
wnull.close()
3367
3222
if not (tcp_server.clients or client_settings):
3368
3223
return
3369
3224
3370
3225
# Store client before exiting. Secrets are encrypted with key
3371
3226
# based on what config file has. If config file is
3372
3227
# removed/edited, old secret will thus be unrecovable.
3373
3228
clients = {}
3374
3229
with PGPEngine() as pgp:
3375
for client in tcp_server.clients.values():
3230
for client in tcp_server.clients.itervalues():
3376
3231
key = client_settings[client.name]["secret"]
3377
3232
client.encrypted_secret = pgp.encrypt(client.secret,
3378
3233
key)
3379
3234
client_dict = {}
3380
3235
3381
3236
# A list of attributes that can not be pickled
3382
3237
# + secret.
3383
exclude = {"bus", "changedstate", "secret",
3384
"checker", "server_settings"}
3238
exclude = { "bus", "changedstate", "secret",
3239
"checker", "server_settings" }
3385
3240
for name, typ in inspect.getmembers(dbus.service
3386
3241
.Object):
3387
3242
exclude.add(name)
3388
3243
3389
3244
client_dict["encrypted_secret"] = (client
3390
3245
.encrypted_secret)
3391
3246
for attr in client.client_structure:
3392
3247
if attr not in exclude:
3393
3248
client_dict[attr] = getattr(client, attr)
3394
3249
3395
3250
clients[client.name] = client_dict
3396
3251
del client_settings[client.name]["secret"]
3397
3252
3398
3253
try:
3399
3254
with tempfile.NamedTemporaryFile(
3400
3255
mode='wb',
3402
3257
prefix='clients-',
3403
3258
dir=os.path.dirname(stored_state_path),
3404
3259
delete=False) as stored_state:
3405
pickle.dump((clients, client_settings), stored_state,
3406
protocol=2)
3260
pickle.dump((clients, client_settings), stored_state)
3407
3261
tempname = stored_state.name
3408
3262
os.rename(tempname, stored_state_path)
3409
3263
except (IOError, OSError) as e:
3419
3273
logger.warning("Could not save persistent state:",
3420
3274
exc_info=e)
3421
3275
raise
3422
3276
3423
3277
# Delete all clients, and settings from config
3424
3278
while tcp_server.clients:
3425
3279
name, client = tcp_server.clients.popitem()
3431
3285
if use_dbus:
3432
3286
mandos_dbus_service.client_removed_signal(client)
3433
3287
client_settings.clear()
3434
3288
3435
3289
atexit.register(cleanup)
3436
3437
for client in tcp_server.clients.values():
3290
3291
for client in tcp_server.clients.itervalues():
3438
3292
if use_dbus:
3439
3293
# Emit D-Bus signal for adding
3440
3294
mandos_dbus_service.client_added_signal(client)
3441
3295
# Need to initiate checking of clients
3442
3296
if client.enabled:
3443
3297
client.init_checker()
3444
3298
3445
3299
tcp_server.enable()
3446
3300
tcp_server.server_activate()
3447
3301
3448
3302
# Find out what port we got
3449
3303
if zeroconf:
3450
3304
service.port = tcp_server.socket.getsockname()[1]
3455
3309
else: # IPv4
3456
3310
logger.info("Now listening on address %r, port %d",
3457
3311
*tcp_server.socket.getsockname())
3458
3459
# service.interface = tcp_server.socket.getsockname()[3]
3460
3312
3313
#service.interface = tcp_server.socket.getsockname()[3]
3314
3461
3315
try:
3462
3316
if zeroconf:
3463
3317
# From the Avahi example code
3468
3322
cleanup()
3469
3323
sys.exit(1)
3470
3324
# End of Avahi example code
3471
3472
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3473
lambda *args, **kwargs:
3474
(tcp_server.handle_request
3475
(*args[2:], **kwargs) or True))
3476
3325
3326
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3327
lambda *args, **kwargs:
3328
(tcp_server.handle_request
3329
(*args[2:], **kwargs) or True))
3330
3477
3331
logger.debug("Starting main loop")
3478
3332
main_loop.run()
3479
3333
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0