To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.349
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.349
- Committer: Teddy Hogeborn
- Date: 2016-02-28 03:01:43 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 331.
- Revision ID: teddy@recompile.se-20160228030143-i6w90r7wzkvlx9kq
Stop using python-gnutls. Use GnuTLS 3.3 or later directly.
* INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on
Python-GnuTLS.
* debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to
"libgnutls28-dev" and
"gnutls-dev".
(Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls".
(Package: mandos/Depends): Remove "python-gnutls" and
"python2.7-gnutls", add "libgnutls28-dev
(>= 3.3.0) | libgnutls30 (>= 3.3.0)"
* mandos: Remove imports of "gnutls" and all submodules.
(GnuTLS, gnutls): New; simulate a "gnutls" module. Change all
callers to match new shorter names.
* INSTALL: Document dependency on GnuTLS 3.3 and remove dependency on
Python-GnuTLS.
* debian/control (Source: mandos/Build-Depends): Add (>= 3.3.0) to
"libgnutls28-dev" and
"gnutls-dev".
(Source: mandos/Build-Depends-Indep): Remove "python2.7-gnutls".
(Package: mandos/Depends): Remove "python-gnutls" and
"python2.7-gnutls", add "libgnutls28-dev
(>= 3.3.0) | libgnutls30 (>= 3.3.0)"
* mandos: Remove imports of "gnutls" and all submodules.
(GnuTLS, gnutls): New; simulate a "gnutls" module. Change all
callers to match new shorter names.
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
19
19
# the Free Software Foundation, either version 3 of the License, or
23
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
25
# GNU General Public License for more details.
26
#
26
#
27
27
# You should have received a copy of the GNU General Public License
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
#
30
#
31
31
# Contact the authors at <mandos@recompile.se>.
32
#
32
#
33
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
37
from future_builtins import *
41
38
42
39
try:
43
40
import SocketServer as socketserver
79
76
80
77
import dbus
81
78
import dbus.service
82
from gi.repository import GLib
79
try:
80
import gobject
81
except ImportError:
82
from gi.repository import GObject as gobject
83
import avahi
83
84
from dbus.mainloop.glib import DBusGMainLoop
84
85
import ctypes
85
86
import ctypes.util
86
87
import xml.dom.minidom
87
88
import inspect
88
89
89
# Try to find the value of SO_BINDTODEVICE:
90
90
try:
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
92
# newer, and it is also the most natural place for it:
93
91
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
94
92
except AttributeError:
95
93
try:
96
# This is where SO_BINDTODEVICE was up to and including Python
97
# 2.6, and also 3.2:
98
94
from IN import SO_BINDTODEVICE
99
95
except ImportError:
100
# In Python 2.7 it seems to have been removed entirely.
101
# Try running the C preprocessor:
102
try:
103
cc = subprocess.Popen(["cc", "--language=c", "-E",
104
"/dev/stdin"],
105
stdin=subprocess.PIPE,
106
stdout=subprocess.PIPE)
107
stdout = cc.communicate(
108
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
109
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
110
except (OSError, ValueError, IndexError):
111
# No value found
112
SO_BINDTODEVICE = None
96
SO_BINDTODEVICE = None
113
97
114
98
if sys.version_info.major == 2:
115
99
str = unicode
116
100
117
version = "1.7.14"
101
version = "1.7.1"
118
102
stored_state_file = "clients.pickle"
119
103
120
104
logger = logging.getLogger()
124
108
if_nametoindex = ctypes.cdll.LoadLibrary(
125
109
ctypes.util.find_library("c")).if_nametoindex
126
110
except (OSError, AttributeError):
127
111
128
112
def if_nametoindex(interface):
129
113
"Get an interface index the hard way, i.e. using fcntl()"
130
114
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
135
119
return interface_index
136
120
137
121
138
def copy_function(func):
139
"""Make a copy of a function"""
140
if sys.version_info.major == 2:
141
return types.FunctionType(func.func_code,
142
func.func_globals,
143
func.func_name,
144
func.func_defaults,
145
func.func_closure)
146
else:
147
return types.FunctionType(func.__code__,
148
func.__globals__,
149
func.__name__,
150
func.__defaults__,
151
func.__closure__)
152
153
154
122
def initlogger(debug, level=logging.WARNING):
155
123
"""init logger and add loglevel"""
156
124
157
125
global syslogger
158
126
syslogger = (logging.handlers.SysLogHandler(
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
address="/dev/log"))
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
161
129
syslogger.setFormatter(logging.Formatter
162
130
('Mandos [%(process)d]: %(levelname)s:'
163
131
' %(message)s'))
164
132
logger.addHandler(syslogger)
165
133
166
134
if debug:
167
135
console = logging.StreamHandler()
168
136
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
180
148
181
149
class PGPEngine(object):
182
150
"""A simple class for OpenPGP symmetric encryption & decryption"""
183
151
184
152
def __init__(self):
185
153
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
186
self.gpg = "gpg"
187
try:
188
output = subprocess.check_output(["gpgconf"])
189
for line in output.splitlines():
190
name, text, path = line.split(b":")
191
if name == "gpg":
192
self.gpg = path
193
break
194
except OSError as e:
195
if e.errno != errno.ENOENT:
196
raise
197
154
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
155
'--home', self.tempdir,
199
156
'--force-mdc',
200
'--quiet']
201
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
203
self.gnupgargs.append("--no-use-agent")
204
157
'--quiet',
158
'--no-use-agent']
159
205
160
def __enter__(self):
206
161
return self
207
162
208
163
def __exit__(self, exc_type, exc_value, traceback):
209
164
self._cleanup()
210
165
return False
211
166
212
167
def __del__(self):
213
168
self._cleanup()
214
169
215
170
def _cleanup(self):
216
171
if self.tempdir is not None:
217
172
# Delete contents of tempdir
218
173
for root, dirs, files in os.walk(self.tempdir,
219
topdown=False):
174
topdown = False):
220
175
for filename in files:
221
176
os.remove(os.path.join(root, filename))
222
177
for dirname in dirs:
224
179
# Remove tempdir
225
180
os.rmdir(self.tempdir)
226
181
self.tempdir = None
227
182
228
183
def password_encode(self, password):
229
184
# Passphrase can not be empty and can not contain newlines or
230
185
# NUL bytes. So we prefix it and hex encode it.
235
190
.replace(b"\n", b"\\n")
236
191
.replace(b"\0", b"\\x00"))
237
192
return encoded
238
193
239
194
def encrypt(self, data, password):
240
195
passphrase = self.password_encode(password)
241
196
with tempfile.NamedTemporaryFile(
242
197
dir=self.tempdir) as passfile:
243
198
passfile.write(passphrase)
244
199
passfile.flush()
245
proc = subprocess.Popen([self.gpg, '--symmetric',
200
proc = subprocess.Popen(['gpg', '--symmetric',
246
201
'--passphrase-file',
247
202
passfile.name]
248
203
+ self.gnupgargs,
249
stdin=subprocess.PIPE,
250
stdout=subprocess.PIPE,
251
stderr=subprocess.PIPE)
252
ciphertext, err = proc.communicate(input=data)
204
stdin = subprocess.PIPE,
205
stdout = subprocess.PIPE,
206
stderr = subprocess.PIPE)
207
ciphertext, err = proc.communicate(input = data)
253
208
if proc.returncode != 0:
254
209
raise PGPError(err)
255
210
return ciphertext
256
211
257
212
def decrypt(self, data, password):
258
213
passphrase = self.password_encode(password)
259
214
with tempfile.NamedTemporaryFile(
260
dir=self.tempdir) as passfile:
215
dir = self.tempdir) as passfile:
261
216
passfile.write(passphrase)
262
217
passfile.flush()
263
proc = subprocess.Popen([self.gpg, '--decrypt',
218
proc = subprocess.Popen(['gpg', '--decrypt',
264
219
'--passphrase-file',
265
220
passfile.name]
266
221
+ self.gnupgargs,
267
stdin=subprocess.PIPE,
268
stdout=subprocess.PIPE,
269
stderr=subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input=data)
222
stdin = subprocess.PIPE,
223
stdout = subprocess.PIPE,
224
stderr = subprocess.PIPE)
225
decrypted_plaintext, err = proc.communicate(input = data)
271
226
if proc.returncode != 0:
272
227
raise PGPError(err)
273
228
return decrypted_plaintext
274
229
275
230
276
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
def string_array_to_txt_array(self, t):
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
for s in t), signature="ay")
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
293
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
294
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
295
SERVER_INVALID = 0 # avahi-common/defs.h
296
SERVER_REGISTERING = 1 # avahi-common/defs.h
297
SERVER_RUNNING = 2 # avahi-common/defs.h
298
SERVER_COLLISION = 3 # avahi-common/defs.h
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
302
303
231
class AvahiError(Exception):
304
232
def __init__(self, value, *args, **kwargs):
305
233
self.value = value
317
245
318
246
class AvahiService(object):
319
247
"""An Avahi (Zeroconf) service.
320
248
321
249
Attributes:
322
250
interface: integer; avahi.IF_UNSPEC or an interface index.
323
251
Used to optionally bind to the specified interface.
335
263
server: D-Bus Server
336
264
bus: dbus.SystemBus()
337
265
"""
338
266
339
267
def __init__(self,
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
268
interface = avahi.IF_UNSPEC,
269
name = None,
270
servicetype = None,
271
port = None,
272
TXT = None,
273
domain = "",
274
host = "",
275
max_renames = 32768,
276
protocol = avahi.PROTO_UNSPEC,
277
bus = None):
350
278
self.interface = interface
351
279
self.name = name
352
280
self.type = servicetype
361
289
self.server = None
362
290
self.bus = bus
363
291
self.entry_group_state_changed_match = None
364
292
365
293
def rename(self, remove=True):
366
294
"""Derived from the Avahi example code"""
367
295
if self.rename_count >= self.max_renames:
387
315
logger.critical("D-Bus Exception", exc_info=error)
388
316
self.cleanup()
389
317
os._exit(1)
390
318
391
319
def remove(self):
392
320
"""Derived from the Avahi example code"""
393
321
if self.entry_group_state_changed_match is not None:
395
323
self.entry_group_state_changed_match = None
396
324
if self.group is not None:
397
325
self.group.Reset()
398
326
399
327
def add(self):
400
328
"""Derived from the Avahi example code"""
401
329
self.remove()
418
346
dbus.UInt16(self.port),
419
347
avahi.string_array_to_txt_array(self.TXT))
420
348
self.group.Commit()
421
349
422
350
def entry_group_state_changed(self, state, error):
423
351
"""Derived from the Avahi example code"""
424
352
logger.debug("Avahi entry group state change: %i", state)
425
353
426
354
if state == avahi.ENTRY_GROUP_ESTABLISHED:
427
355
logger.debug("Zeroconf service established.")
428
356
elif state == avahi.ENTRY_GROUP_COLLISION:
432
360
logger.critical("Avahi: Error in group state changed %s",
433
361
str(error))
434
362
raise AvahiGroupError("State changed: {!s}".format(error))
435
363
436
364
def cleanup(self):
437
365
"""Derived from the Avahi example code"""
438
366
if self.group is not None:
443
371
pass
444
372
self.group = None
445
373
self.remove()
446
374
447
375
def server_state_changed(self, state, error=None):
448
376
"""Derived from the Avahi example code"""
449
377
logger.debug("Avahi server state change: %i", state)
478
406
logger.debug("Unknown state: %r", state)
479
407
else:
480
408
logger.debug("Unknown state: %r: %r", state, error)
481
409
482
410
def activate(self):
483
411
"""Derived from the Avahi example code"""
484
412
if self.server is None:
501
429
.format(self.name)))
502
430
return ret
503
431
504
505
432
# Pretend that we have a GnuTLS module
506
433
class GnuTLS(object):
507
434
"""This isn't so much a class as it is a module-like namespace.
508
435
It is instantiated once, and simulates having a GnuTLS module."""
509
510
library = ctypes.util.find_library("gnutls")
511
if library is None:
512
library = ctypes.util.find_library("gnutls-deb0")
513
_library = ctypes.cdll.LoadLibrary(library)
514
del library
515
_need_version = b"3.3.0"
516
436
437
_library = ctypes.cdll.LoadLibrary(
438
ctypes.util.find_library("gnutls"))
439
_need_version = "3.3.0"
517
440
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
523
441
# Need to use class name "GnuTLS" here, since this method is
442
# called before the assignment to the "gnutls" global variable
443
# happens.
444
if GnuTLS.check_version(self._need_version) is None:
445
raise GnuTLS.Error("Needs GnuTLS {} or later"
446
.format(self._need_version))
447
524
448
# Unless otherwise indicated, the constants and types below are
525
449
# all from the gnutls/gnutls.h C header file.
526
450
527
451
# Constants
528
452
E_SUCCESS = 0
529
E_INTERRUPTED = -52
530
E_AGAIN = -28
531
453
CRT_OPENPGP = 2
532
454
CLIENT = 2
533
455
SHUT_RDWR = 0
534
456
CRD_CERTIFICATE = 1
535
457
E_NO_CERTIFICATE_FOUND = -49
536
458
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
537
459
538
460
# Types
539
461
class session_int(ctypes.Structure):
540
462
_fields_ = []
541
463
session_t = ctypes.POINTER(session_int)
542
543
464
class certificate_credentials_st(ctypes.Structure):
544
465
_fields_ = []
545
466
certificate_credentials_t = ctypes.POINTER(
546
467
certificate_credentials_st)
547
468
certificate_type_t = ctypes.c_int
548
549
469
class datum_t(ctypes.Structure):
550
470
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
551
471
('size', ctypes.c_uint)]
552
553
472
class openpgp_crt_int(ctypes.Structure):
554
473
_fields_ = []
555
474
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
556
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
475
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
557
476
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
558
credentials_type_t = ctypes.c_int
477
credentials_type_t = ctypes.c_int #
559
478
transport_ptr_t = ctypes.c_void_p
560
479
close_request_t = ctypes.c_int
561
480
562
481
# Exceptions
563
482
class Error(Exception):
564
483
# We need to use the class name "GnuTLS" here, since this
565
484
# exception might be raised from within GnuTLS.__init__,
566
485
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
568
def __init__(self, message=None, code=None, args=()):
486
# global variable happens.
487
def __init__(self, message = None, code = None, args=()):
569
488
# Default usage is by a message string, but if a return
570
489
# code is passed, convert it to a string with
571
490
# gnutls.strerror()
572
self.code = code
573
491
if message is None and code is not None:
574
492
message = GnuTLS.strerror(code)
575
493
return super(GnuTLS.Error, self).__init__(
576
494
message, *args)
577
495
578
496
class CertificateSecurityError(Error):
579
497
pass
580
498
581
499
# Classes
582
500
class Credentials(object):
583
501
def __init__(self):
585
503
gnutls.certificate_allocate_credentials(
586
504
ctypes.byref(self._c_object))
587
505
self.type = gnutls.CRD_CERTIFICATE
588
506
589
507
def __del__(self):
590
508
gnutls.certificate_free_credentials(self._c_object)
591
509
592
510
class ClientSession(object):
593
def __init__(self, socket, credentials=None):
511
def __init__(self, socket, credentials = None):
594
512
self._c_object = gnutls.session_t()
595
513
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
596
514
gnutls.set_default_priority(self._c_object)
604
522
ctypes.cast(credentials._c_object,
605
523
ctypes.c_void_p))
606
524
self.credentials = credentials
607
525
608
526
def __del__(self):
609
527
gnutls.deinit(self._c_object)
610
528
611
529
def handshake(self):
612
530
return gnutls.handshake(self._c_object)
613
531
614
532
def send(self, data):
615
533
data = bytes(data)
616
data_len = len(data)
617
while data_len > 0:
618
data_len -= gnutls.record_send(self._c_object,
619
data[-data_len:],
620
data_len)
621
534
if not data:
535
return 0
536
return gnutls.record_send(self._c_object, data, len(data))
537
622
538
def bye(self):
623
539
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
624
625
# Error handling functions
540
541
# Error handling function
626
542
def _error_code(result):
627
543
"""A function to raise exceptions on errors, suitable
628
544
for the 'restype' attribute on ctypes functions"""
629
545
if result >= 0:
630
546
return result
631
547
if result == gnutls.E_NO_CERTIFICATE_FOUND:
632
raise gnutls.CertificateSecurityError(code=result)
633
raise gnutls.Error(code=result)
634
635
def _retry_on_error(result, func, arguments):
636
"""A function to retry on some errors, suitable
637
for the 'errcheck' attribute on ctypes functions"""
638
while result < 0:
639
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
640
return _error_code(result)
641
result = func(*arguments)
642
return result
643
548
raise gnutls.CertificateSecurityError(code = result)
549
raise gnutls.Error(code = result)
550
644
551
# Unless otherwise indicated, the function declarations below are
645
552
# all from the gnutls/gnutls.h C header file.
646
553
647
554
# Functions
648
555
priority_set_direct = _library.gnutls_priority_set_direct
649
556
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
650
557
ctypes.POINTER(ctypes.c_char_p)]
651
558
priority_set_direct.restype = _error_code
652
559
653
560
init = _library.gnutls_init
654
561
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
655
562
init.restype = _error_code
656
563
657
564
set_default_priority = _library.gnutls_set_default_priority
658
565
set_default_priority.argtypes = [session_t]
659
566
set_default_priority.restype = _error_code
660
567
661
568
record_send = _library.gnutls_record_send
662
569
record_send.argtypes = [session_t, ctypes.c_void_p,
663
570
ctypes.c_size_t]
664
571
record_send.restype = ctypes.c_ssize_t
665
record_send.errcheck = _retry_on_error
666
572
667
573
certificate_allocate_credentials = (
668
574
_library.gnutls_certificate_allocate_credentials)
669
575
certificate_allocate_credentials.argtypes = [
670
576
ctypes.POINTER(certificate_credentials_t)]
671
577
certificate_allocate_credentials.restype = _error_code
672
578
673
579
certificate_free_credentials = (
674
580
_library.gnutls_certificate_free_credentials)
675
certificate_free_credentials.argtypes = [
676
certificate_credentials_t]
581
certificate_free_credentials.argtypes = [certificate_credentials_t]
677
582
certificate_free_credentials.restype = None
678
583
679
584
handshake_set_private_extensions = (
680
585
_library.gnutls_handshake_set_private_extensions)
681
586
handshake_set_private_extensions.argtypes = [session_t,
682
587
ctypes.c_int]
683
588
handshake_set_private_extensions.restype = None
684
589
685
590
credentials_set = _library.gnutls_credentials_set
686
591
credentials_set.argtypes = [session_t, credentials_type_t,
687
592
ctypes.c_void_p]
688
593
credentials_set.restype = _error_code
689
594
690
595
strerror = _library.gnutls_strerror
691
596
strerror.argtypes = [ctypes.c_int]
692
597
strerror.restype = ctypes.c_char_p
693
598
694
599
certificate_type_get = _library.gnutls_certificate_type_get
695
600
certificate_type_get.argtypes = [session_t]
696
601
certificate_type_get.restype = _error_code
697
602
698
603
certificate_get_peers = _library.gnutls_certificate_get_peers
699
604
certificate_get_peers.argtypes = [session_t,
700
605
ctypes.POINTER(ctypes.c_uint)]
701
606
certificate_get_peers.restype = ctypes.POINTER(datum_t)
702
607
703
608
global_set_log_level = _library.gnutls_global_set_log_level
704
609
global_set_log_level.argtypes = [ctypes.c_int]
705
610
global_set_log_level.restype = None
706
611
707
612
global_set_log_function = _library.gnutls_global_set_log_function
708
613
global_set_log_function.argtypes = [log_func]
709
614
global_set_log_function.restype = None
710
615
711
616
deinit = _library.gnutls_deinit
712
617
deinit.argtypes = [session_t]
713
618
deinit.restype = None
714
619
715
620
handshake = _library.gnutls_handshake
716
621
handshake.argtypes = [session_t]
717
622
handshake.restype = _error_code
718
handshake.errcheck = _retry_on_error
719
623
720
624
transport_set_ptr = _library.gnutls_transport_set_ptr
721
625
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
722
626
transport_set_ptr.restype = None
723
627
724
628
bye = _library.gnutls_bye
725
629
bye.argtypes = [session_t, close_request_t]
726
630
bye.restype = _error_code
727
bye.errcheck = _retry_on_error
728
631
729
632
check_version = _library.gnutls_check_version
730
633
check_version.argtypes = [ctypes.c_char_p]
731
634
check_version.restype = ctypes.c_char_p
732
635
733
636
# All the function declarations below are from gnutls/openpgp.h
734
637
735
638
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
639
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
640
openpgp_crt_init.restype = _error_code
738
641
739
642
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
643
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
644
ctypes.POINTER(datum_t),
742
645
openpgp_crt_fmt_t]
743
646
openpgp_crt_import.restype = _error_code
744
647
745
648
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
649
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
650
ctypes.POINTER(ctypes.c_uint)]
748
651
openpgp_crt_verify_self.restype = _error_code
749
652
750
653
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
654
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
655
openpgp_crt_deinit.restype = None
753
656
754
657
openpgp_crt_get_fingerprint = (
755
658
_library.gnutls_openpgp_crt_get_fingerprint)
756
659
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
661
ctypes.POINTER(
759
662
ctypes.c_size_t)]
760
663
openpgp_crt_get_fingerprint.restype = _error_code
761
762
# Remove non-public functions
763
del _error_code, _retry_on_error
664
665
# Remove non-public function
666
del _error_code
764
667
# Create the global "gnutls" object, simulating a module
765
668
gnutls = GnuTLS()
766
669
767
768
670
def call_pipe(connection, # : multiprocessing.Connection
769
671
func, *args, **kwargs):
770
672
"""This function is meant to be called by multiprocessing.Process
771
673
772
674
This function runs func(*args, **kwargs), and writes the resulting
773
675
return value on the provided multiprocessing.Connection.
774
676
"""
775
677
connection.send(func(*args, **kwargs))
776
678
connection.close()
777
679
778
779
680
class Client(object):
780
681
"""A representation of a client host served by this server.
781
682
782
683
Attributes:
783
684
approved: bool(); 'None' if not yet approved/disapproved
784
685
approval_delay: datetime.timedelta(); Time to wait for approval
786
687
checker: subprocess.Popen(); a running checker process used
787
688
to see if the client lives.
788
689
'None' if no process is running.
789
checker_callback_tag: a GLib event source tag, or None
690
checker_callback_tag: a gobject event source tag, or None
790
691
checker_command: string; External command which is run to check
791
692
if client lives. %() expansions are done at
792
693
runtime with vars(self) as dict, so that for
793
694
instance %(name)s can be used in the command.
794
checker_initiator_tag: a GLib event source tag, or None
695
checker_initiator_tag: a gobject event source tag, or None
795
696
created: datetime.datetime(); (UTC) object creation
796
697
client_structure: Object describing what attributes a client has
797
698
and is used for storing the client at exit
798
699
current_checker_command: string; current running checker_command
799
disable_initiator_tag: a GLib event source tag, or None
700
disable_initiator_tag: a gobject event source tag, or None
800
701
enabled: bool()
801
702
fingerprint: string (40 or 32 hexadecimal digits); used to
802
703
uniquely identify the client
821
722
disabled, or None
822
723
server_settings: The server_settings dict from main()
823
724
"""
824
725
825
726
runtime_expansions = ("approval_delay", "approval_duration",
826
727
"created", "enabled", "expires",
827
728
"fingerprint", "host", "interval",
838
739
"approved_by_default": "True",
839
740
"enabled": "True",
840
741
}
841
742
842
743
@staticmethod
843
744
def config_parser(config):
844
745
"""Construct a new dict of client settings of this form:
851
752
for client_name in config.sections():
852
753
section = dict(config.items(client_name))
853
754
client = settings[client_name] = {}
854
755
855
756
client["host"] = section["host"]
856
757
# Reformat values from string types to Python types
857
758
client["approved_by_default"] = config.getboolean(
858
759
client_name, "approved_by_default")
859
760
client["enabled"] = config.getboolean(client_name,
860
761
"enabled")
861
762
862
763
# Uppercase and remove spaces from fingerprint for later
863
764
# comparison purposes with return value from the
864
765
# fingerprint() function
865
766
client["fingerprint"] = (section["fingerprint"].upper()
866
767
.replace(" ", ""))
867
768
if "secret" in section:
868
client["secret"] = codecs.decode(section["secret"]
869
.encode("utf-8"),
870
"base64")
769
client["secret"] = section["secret"].decode("base64")
871
770
elif "secfile" in section:
872
771
with open(os.path.expanduser(os.path.expandvars
873
772
(section["secfile"])),
888
787
client["last_approval_request"] = None
889
788
client["last_checked_ok"] = None
890
789
client["last_checker_status"] = -2
891
790
892
791
return settings
893
894
def __init__(self, settings, name=None, server_settings=None):
792
793
def __init__(self, settings, name = None, server_settings=None):
895
794
self.name = name
896
795
if server_settings is None:
897
796
server_settings = {}
899
798
# adding all client settings
900
799
for setting, value in settings.items():
901
800
setattr(self, setting, value)
902
801
903
802
if self.enabled:
904
803
if not hasattr(self, "last_enabled"):
905
804
self.last_enabled = datetime.datetime.utcnow()
909
808
else:
910
809
self.last_enabled = None
911
810
self.expires = None
912
811
913
812
logger.debug("Creating client %r", self.name)
914
813
logger.debug(" Fingerprint: %s", self.fingerprint)
915
814
self.created = settings.get("created",
916
815
datetime.datetime.utcnow())
917
816
918
817
# attributes specific for this server instance
919
818
self.checker = None
920
819
self.checker_initiator_tag = None
926
825
self.changedstate = multiprocessing_manager.Condition(
927
826
multiprocessing_manager.Lock())
928
827
self.client_structure = [attr
929
for attr in self.__dict__.keys()
828
for attr in self.__dict__.iterkeys()
930
829
if not attr.startswith("_")]
931
830
self.client_structure.append("client_structure")
932
831
933
832
for name, t in inspect.getmembers(
934
833
type(self), lambda obj: isinstance(obj, property)):
935
834
if not name.startswith("_"):
936
835
self.client_structure.append(name)
937
836
938
837
# Send notice to process children that client state has changed
939
838
def send_changedstate(self):
940
839
with self.changedstate:
941
840
self.changedstate.notify_all()
942
841
943
842
def enable(self):
944
843
"""Start this client's checker and timeout hooks"""
945
844
if getattr(self, "enabled", False):
950
849
self.last_enabled = datetime.datetime.utcnow()
951
850
self.init_checker()
952
851
self.send_changedstate()
953
852
954
853
def disable(self, quiet=True):
955
854
"""Disable this client."""
956
855
if not getattr(self, "enabled", False):
958
857
if not quiet:
959
858
logger.info("Disabling client %s", self.name)
960
859
if getattr(self, "disable_initiator_tag", None) is not None:
961
GLib.source_remove(self.disable_initiator_tag)
860
gobject.source_remove(self.disable_initiator_tag)
962
861
self.disable_initiator_tag = None
963
862
self.expires = None
964
863
if getattr(self, "checker_initiator_tag", None) is not None:
965
GLib.source_remove(self.checker_initiator_tag)
864
gobject.source_remove(self.checker_initiator_tag)
966
865
self.checker_initiator_tag = None
967
866
self.stop_checker()
968
867
self.enabled = False
969
868
if not quiet:
970
869
self.send_changedstate()
971
# Do not run this again if called by a GLib.timeout_add
870
# Do not run this again if called by a gobject.timeout_add
972
871
return False
973
872
974
873
def __del__(self):
975
874
self.disable()
976
875
977
876
def init_checker(self):
978
877
# Schedule a new checker to be started an 'interval' from now,
979
878
# and every interval from then on.
980
879
if self.checker_initiator_tag is not None:
981
GLib.source_remove(self.checker_initiator_tag)
982
self.checker_initiator_tag = GLib.timeout_add(
880
gobject.source_remove(self.checker_initiator_tag)
881
self.checker_initiator_tag = gobject.timeout_add(
983
882
int(self.interval.total_seconds() * 1000),
984
883
self.start_checker)
985
884
# Schedule a disable() when 'timeout' has passed
986
885
if self.disable_initiator_tag is not None:
987
GLib.source_remove(self.disable_initiator_tag)
988
self.disable_initiator_tag = GLib.timeout_add(
886
gobject.source_remove(self.disable_initiator_tag)
887
self.disable_initiator_tag = gobject.timeout_add(
989
888
int(self.timeout.total_seconds() * 1000), self.disable)
990
889
# Also start a new checker *right now*.
991
890
self.start_checker()
992
891
993
892
def checker_callback(self, source, condition, connection,
994
893
command):
995
894
"""The checker has completed, so take appropriate actions."""
998
897
# Read return code from connection (see call_pipe)
999
898
returncode = connection.recv()
1000
899
connection.close()
1001
900
1002
901
if returncode >= 0:
1003
902
self.last_checker_status = returncode
1004
903
self.last_checker_signal = None
1014
913
logger.warning("Checker for %(name)s crashed?",
1015
914
vars(self))
1016
915
return False
1017
916
1018
917
def checked_ok(self):
1019
918
"""Assert that the client has been seen, alive and well."""
1020
919
self.last_checked_ok = datetime.datetime.utcnow()
1021
920
self.last_checker_status = 0
1022
921
self.last_checker_signal = None
1023
922
self.bump_timeout()
1024
923
1025
924
def bump_timeout(self, timeout=None):
1026
925
"""Bump up the timeout for this client."""
1027
926
if timeout is None:
1028
927
timeout = self.timeout
1029
928
if self.disable_initiator_tag is not None:
1030
GLib.source_remove(self.disable_initiator_tag)
929
gobject.source_remove(self.disable_initiator_tag)
1031
930
self.disable_initiator_tag = None
1032
931
if getattr(self, "enabled", False):
1033
self.disable_initiator_tag = GLib.timeout_add(
932
self.disable_initiator_tag = gobject.timeout_add(
1034
933
int(timeout.total_seconds() * 1000), self.disable)
1035
934
self.expires = datetime.datetime.utcnow() + timeout
1036
935
1037
936
def need_approval(self):
1038
937
self.last_approval_request = datetime.datetime.utcnow()
1039
938
1040
939
def start_checker(self):
1041
940
"""Start a new checker subprocess if one is not running.
1042
941
1043
942
If a checker already exists, leave it running and do
1044
943
nothing."""
1045
944
# The reason for not killing a running checker is that if we
1050
949
# checkers alone, the checker would have to take more time
1051
950
# than 'timeout' for the client to be disabled, which is as it
1052
951
# should be.
1053
952
1054
953
if self.checker is not None and not self.checker.is_alive():
1055
954
logger.warning("Checker was not alive; joining")
1056
955
self.checker.join()
1060
959
# Escape attributes for the shell
1061
960
escaped_attrs = {
1062
961
attr: re.escape(str(getattr(self, attr)))
1063
for attr in self.runtime_expansions}
962
for attr in self.runtime_expansions }
1064
963
try:
1065
964
command = self.checker_command % escaped_attrs
1066
965
except TypeError as error:
1078
977
# The exception is when not debugging but nevertheless
1079
978
# running in the foreground; use the previously
1080
979
# created wnull.
1081
popen_args = {"close_fds": True,
1082
"shell": True,
1083
"cwd": "/"}
980
popen_args = { "close_fds": True,
981
"shell": True,
982
"cwd": "/" }
1084
983
if (not self.server_settings["debug"]
1085
984
and self.server_settings["foreground"]):
1086
985
popen_args.update({"stdout": wnull,
1087
"stderr": wnull})
1088
pipe = multiprocessing.Pipe(duplex=False)
986
"stderr": wnull })
987
pipe = multiprocessing.Pipe(duplex = False)
1089
988
self.checker = multiprocessing.Process(
1090
target=call_pipe,
1091
args=(pipe[1], subprocess.call, command),
1092
kwargs=popen_args)
989
target = call_pipe,
990
args = (pipe[1], subprocess.call, command),
991
kwargs = popen_args)
1093
992
self.checker.start()
1094
self.checker_callback_tag = GLib.io_add_watch(
1095
pipe[0].fileno(), GLib.IO_IN,
993
self.checker_callback_tag = gobject.io_add_watch(
994
pipe[0].fileno(), gobject.IO_IN,
1096
995
self.checker_callback, pipe[0], command)
1097
# Re-run this periodically if run by GLib.timeout_add
996
# Re-run this periodically if run by gobject.timeout_add
1098
997
return True
1099
998
1100
999
def stop_checker(self):
1101
1000
"""Force the checker process, if any, to stop."""
1102
1001
if self.checker_callback_tag:
1103
GLib.source_remove(self.checker_callback_tag)
1002
gobject.source_remove(self.checker_callback_tag)
1104
1003
self.checker_callback_tag = None
1105
1004
if getattr(self, "checker", None) is None:
1106
1005
return
1115
1014
byte_arrays=False):
1116
1015
"""Decorators for marking methods of a DBusObjectWithProperties to
1117
1016
become properties on the D-Bus.
1118
1017
1119
1018
The decorated method will be called with no arguments by "Get"
1120
1019
and with one argument by "Set".
1121
1020
1122
1021
The parameters, where they are supported, are the same as
1123
1022
dbus.service.method, except there is only "signature", since the
1124
1023
type from Get() and the type sent to Set() is the same.
1128
1027
if byte_arrays and signature != "ay":
1129
1028
raise ValueError("Byte arrays not supported for non-'ay'"
1130
1029
" signature {!r}".format(signature))
1131
1030
1132
1031
def decorator(func):
1133
1032
func._dbus_is_property = True
1134
1033
func._dbus_interface = dbus_interface
1137
1036
func._dbus_name = func.__name__
1138
1037
if func._dbus_name.endswith("_dbus_property"):
1139
1038
func._dbus_name = func._dbus_name[:-14]
1140
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1039
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1141
1040
return func
1142
1041
1143
1042
return decorator
1144
1043
1145
1044
1146
1045
def dbus_interface_annotations(dbus_interface):
1147
1046
"""Decorator for marking functions returning interface annotations
1148
1047
1149
1048
Usage:
1150
1049
1151
1050
@dbus_interface_annotations("org.example.Interface")
1152
1051
def _foo(self): # Function name does not matter
1153
1052
return {"org.freedesktop.DBus.Deprecated": "true",
1154
1053
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1155
1054
"false"}
1156
1055
"""
1157
1056
1158
1057
def decorator(func):
1159
1058
func._dbus_is_interface = True
1160
1059
func._dbus_interface = dbus_interface
1161
1060
func._dbus_name = dbus_interface
1162
1061
return func
1163
1062
1164
1063
return decorator
1165
1064
1166
1065
1167
1066
def dbus_annotations(annotations):
1168
1067
"""Decorator to annotate D-Bus methods, signals or properties
1169
1068
Usage:
1170
1069
1171
1070
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1172
1071
"org.freedesktop.DBus.Property."
1173
1072
"EmitsChangedSignal": "false"})
1175
1074
access="r")
1176
1075
def Property_dbus_property(self):
1177
1076
return dbus.Boolean(False)
1178
1077
1179
1078
See also the DBusObjectWithAnnotations class.
1180
1079
"""
1181
1080
1182
1081
def decorator(func):
1183
1082
func._dbus_annotations = annotations
1184
1083
return func
1185
1084
1186
1085
return decorator
1187
1086
1188
1087
1206
1105
1207
1106
class DBusObjectWithAnnotations(dbus.service.Object):
1208
1107
"""A D-Bus object with annotations.
1209
1108
1210
1109
Classes inheriting from this can use the dbus_annotations
1211
1110
decorator to add annotations to methods or signals.
1212
1111
"""
1213
1112
1214
1113
@staticmethod
1215
1114
def _is_dbus_thing(thing):
1216
1115
"""Returns a function testing if an attribute is a D-Bus thing
1217
1116
1218
1117
If called like _is_dbus_thing("method") it returns a function
1219
1118
suitable for use as predicate to inspect.getmembers().
1220
1119
"""
1221
1120
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1222
1121
False)
1223
1122
1224
1123
def _get_all_dbus_things(self, thing):
1225
1124
"""Returns a generator of (name, attribute) pairs
1226
1125
"""
1229
1128
for cls in self.__class__.__mro__
1230
1129
for name, athing in
1231
1130
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1232
1131
1233
1132
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1234
out_signature="s",
1235
path_keyword='object_path',
1236
connection_keyword='connection')
1133
out_signature = "s",
1134
path_keyword = 'object_path',
1135
connection_keyword = 'connection')
1237
1136
def Introspect(self, object_path, connection):
1238
1137
"""Overloading of standard D-Bus method.
1239
1138
1240
1139
Inserts annotation tags on methods and signals.
1241
1140
"""
1242
1141
xmlstring = dbus.service.Object.Introspect(self, object_path,
1243
1142
connection)
1244
1143
try:
1245
1144
document = xml.dom.minidom.parseString(xmlstring)
1246
1145
1247
1146
for if_tag in document.getElementsByTagName("interface"):
1248
1147
# Add annotation tags
1249
1148
for typ in ("method", "signal"):
1276
1175
if_tag.appendChild(ann_tag)
1277
1176
# Fix argument name for the Introspect method itself
1278
1177
if (if_tag.getAttribute("name")
1279
== dbus.INTROSPECTABLE_IFACE):
1178
== dbus.INTROSPECTABLE_IFACE):
1280
1179
for cn in if_tag.getElementsByTagName("method"):
1281
1180
if cn.getAttribute("name") == "Introspect":
1282
1181
for arg in cn.getElementsByTagName("arg"):
1295
1194
1296
1195
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1297
1196
"""A D-Bus object with properties.
1298
1197
1299
1198
Classes inheriting from this can use the dbus_service_property
1300
1199
decorator to expose methods as D-Bus properties. It exposes the
1301
1200
standard Get(), Set(), and GetAll() methods on the D-Bus.
1302
1201
"""
1303
1202
1304
1203
def _get_dbus_property(self, interface_name, property_name):
1305
1204
"""Returns a bound method if one exists which is a D-Bus
1306
1205
property with the specified name and interface.
1311
1210
if (value._dbus_name == property_name
1312
1211
and value._dbus_interface == interface_name):
1313
1212
return value.__get__(self)
1314
1213
1315
1214
# No such property
1316
1215
raise DBusPropertyNotFound("{}:{}.{}".format(
1317
1216
self.dbus_object_path, interface_name, property_name))
1318
1217
1319
1218
@classmethod
1320
1219
def _get_all_interface_names(cls):
1321
1220
"""Get a sequence of all interfaces supported by an object"""
1324
1223
for x in (inspect.getmro(cls))
1325
1224
for attr in dir(x))
1326
1225
if name is not None)
1327
1226
1328
1227
@dbus.service.method(dbus.PROPERTIES_IFACE,
1329
1228
in_signature="ss",
1330
1229
out_signature="v")
1338
1237
if not hasattr(value, "variant_level"):
1339
1238
return value
1340
1239
return type(value)(value, variant_level=value.variant_level+1)
1341
1240
1342
1241
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1343
1242
def Set(self, interface_name, property_name, value):
1344
1243
"""Standard D-Bus property Set() method, see D-Bus standard.
1356
1255
value = dbus.ByteArray(b''.join(chr(byte)
1357
1256
for byte in value))
1358
1257
prop(value)
1359
1258
1360
1259
@dbus.service.method(dbus.PROPERTIES_IFACE,
1361
1260
in_signature="s",
1362
1261
out_signature="a{sv}")
1363
1262
def GetAll(self, interface_name):
1364
1263
"""Standard D-Bus property GetAll() method, see D-Bus
1365
1264
standard.
1366
1265
1367
1266
Note: Will not include properties with access="write".
1368
1267
"""
1369
1268
properties = {}
1380
1279
properties[name] = value
1381
1280
continue
1382
1281
properties[name] = type(value)(
1383
value, variant_level=value.variant_level + 1)
1282
value, variant_level = value.variant_level + 1)
1384
1283
return dbus.Dictionary(properties, signature="sv")
1385
1284
1386
1285
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1387
1286
def PropertiesChanged(self, interface_name, changed_properties,
1388
1287
invalidated_properties):
1390
1289
standard.
1391
1290
"""
1392
1291
pass
1393
1292
1394
1293
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1395
1294
out_signature="s",
1396
1295
path_keyword='object_path',
1397
1296
connection_keyword='connection')
1398
1297
def Introspect(self, object_path, connection):
1399
1298
"""Overloading of standard D-Bus method.
1400
1299
1401
1300
Inserts property tags and interface annotation tags.
1402
1301
"""
1403
1302
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1405
1304
connection)
1406
1305
try:
1407
1306
document = xml.dom.minidom.parseString(xmlstring)
1408
1307
1409
1308
def make_tag(document, name, prop):
1410
1309
e = document.createElement("property")
1411
1310
e.setAttribute("name", name)
1412
1311
e.setAttribute("type", prop._dbus_signature)
1413
1312
e.setAttribute("access", prop._dbus_access)
1414
1313
return e
1415
1314
1416
1315
for if_tag in document.getElementsByTagName("interface"):
1417
1316
# Add property tags
1418
1317
for tag in (make_tag(document, name, prop)
1460
1359
exc_info=error)
1461
1360
return xmlstring
1462
1361
1463
1464
1362
try:
1465
1363
dbus.OBJECT_MANAGER_IFACE
1466
1364
except AttributeError:
1467
1365
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1468
1366
1469
1470
1367
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1471
1368
"""A D-Bus object with an ObjectManager.
1472
1369
1473
1370
Classes inheriting from this exposes the standard
1474
1371
GetManagedObjects call and the InterfacesAdded and
1475
1372
InterfacesRemoved signals on the standard
1476
1373
"org.freedesktop.DBus.ObjectManager" interface.
1477
1374
1478
1375
Note: No signals are sent automatically; they must be sent
1479
1376
manually.
1480
1377
"""
1481
1378
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1482
out_signature="a{oa{sa{sv}}}")
1379
out_signature = "a{oa{sa{sv}}}")
1483
1380
def GetManagedObjects(self):
1484
1381
"""This function must be overridden"""
1485
1382
raise NotImplementedError()
1486
1383
1487
1384
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1488
signature="oa{sa{sv}}")
1385
signature = "oa{sa{sv}}")
1489
1386
def InterfacesAdded(self, object_path, interfaces_and_properties):
1490
1387
pass
1491
1492
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1388
1389
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1493
1390
def InterfacesRemoved(self, object_path, interfaces):
1494
1391
pass
1495
1392
1496
1393
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1497
out_signature="s",
1498
path_keyword='object_path',
1499
connection_keyword='connection')
1394
out_signature = "s",
1395
path_keyword = 'object_path',
1396
connection_keyword = 'connection')
1500
1397
def Introspect(self, object_path, connection):
1501
1398
"""Overloading of standard D-Bus method.
1502
1399
1503
1400
Override return argument name of GetManagedObjects to be
1504
1401
"objpath_interfaces_and_properties"
1505
1402
"""
1508
1405
connection)
1509
1406
try:
1510
1407
document = xml.dom.minidom.parseString(xmlstring)
1511
1408
1512
1409
for if_tag in document.getElementsByTagName("interface"):
1513
1410
# Fix argument name for the GetManagedObjects method
1514
1411
if (if_tag.getAttribute("name")
1515
== dbus.OBJECT_MANAGER_IFACE):
1412
== dbus.OBJECT_MANAGER_IFACE):
1516
1413
for cn in if_tag.getElementsByTagName("method"):
1517
1414
if (cn.getAttribute("name")
1518
1415
== "GetManagedObjects"):
1528
1425
except (AttributeError, xml.dom.DOMException,
1529
1426
xml.parsers.expat.ExpatError) as error:
1530
1427
logger.error("Failed to override Introspection method",
1531
exc_info=error)
1428
exc_info = error)
1532
1429
return xmlstring
1533
1430
1534
1535
1431
def datetime_to_dbus(dt, variant_level=0):
1536
1432
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1537
1433
if dt is None:
1538
return dbus.String("", variant_level=variant_level)
1434
return dbus.String("", variant_level = variant_level)
1539
1435
return dbus.String(dt.isoformat(), variant_level=variant_level)
1540
1436
1541
1437
1544
1440
dbus.service.Object, it will add alternate D-Bus attributes with
1545
1441
interface names according to the "alt_interface_names" mapping.
1546
1442
Usage:
1547
1443
1548
1444
@alternate_dbus_interfaces({"org.example.Interface":
1549
1445
"net.example.AlternateInterface"})
1550
1446
class SampleDBusObject(dbus.service.Object):
1551
1447
@dbus.service.method("org.example.Interface")
1552
1448
def SampleDBusMethod():
1553
1449
pass
1554
1450
1555
1451
The above "SampleDBusMethod" on "SampleDBusObject" will be
1556
1452
reachable via two interfaces: "org.example.Interface" and
1557
1453
"net.example.AlternateInterface", the latter of which will have
1558
1454
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1559
1455
"true", unless "deprecate" is passed with a False value.
1560
1456
1561
1457
This works for methods and signals, and also for D-Bus properties
1562
1458
(from DBusObjectWithProperties) and interfaces (from the
1563
1459
dbus_interface_annotations decorator).
1564
1460
"""
1565
1461
1566
1462
def wrapper(cls):
1567
1463
for orig_interface_name, alt_interface_name in (
1568
1464
alt_interface_names.items()):
1583
1479
interface_names.add(alt_interface)
1584
1480
# Is this a D-Bus signal?
1585
1481
if getattr(attribute, "_dbus_is_signal", False):
1586
# Extract the original non-method undecorated
1587
# function by black magic
1588
1482
if sys.version_info.major == 2:
1483
# Extract the original non-method undecorated
1484
# function by black magic
1589
1485
nonmethod_func = (dict(
1590
1486
zip(attribute.func_code.co_freevars,
1591
1487
attribute.__closure__))
1592
1488
["func"].cell_contents)
1593
1489
else:
1594
nonmethod_func = (dict(
1595
zip(attribute.__code__.co_freevars,
1596
attribute.__closure__))
1597
["func"].cell_contents)
1490
nonmethod_func = attribute
1598
1491
# Create a new, but exactly alike, function
1599
1492
# object, and decorate it to be a new D-Bus signal
1600
1493
# with the alternate D-Bus interface name
1601
new_function = copy_function(nonmethod_func)
1494
if sys.version_info.major == 2:
1495
new_function = types.FunctionType(
1496
nonmethod_func.func_code,
1497
nonmethod_func.func_globals,
1498
nonmethod_func.func_name,
1499
nonmethod_func.func_defaults,
1500
nonmethod_func.func_closure)
1501
else:
1502
new_function = types.FunctionType(
1503
nonmethod_func.__code__,
1504
nonmethod_func.__globals__,
1505
nonmethod_func.__name__,
1506
nonmethod_func.__defaults__,
1507
nonmethod_func.__closure__)
1602
1508
new_function = (dbus.service.signal(
1603
1509
alt_interface,
1604
1510
attribute._dbus_signature)(new_function))
1608
1514
attribute._dbus_annotations)
1609
1515
except AttributeError:
1610
1516
pass
1611
1612
1517
# Define a creator of a function to call both the
1613
1518
# original and alternate functions, so both the
1614
1519
# original and alternate signals gets sent when
1617
1522
"""This function is a scope container to pass
1618
1523
func1 and func2 to the "call_both" function
1619
1524
outside of its arguments"""
1620
1525
1621
1526
@functools.wraps(func2)
1622
1527
def call_both(*args, **kwargs):
1623
1528
"""This function will emit two D-Bus
1624
1529
signals by calling func1 and func2"""
1625
1530
func1(*args, **kwargs)
1626
1531
func2(*args, **kwargs)
1627
# Make wrapper function look like a D-Bus
1628
# signal
1532
# Make wrapper function look like a D-Bus signal
1629
1533
for name, attr in inspect.getmembers(func2):
1630
1534
if name.startswith("_dbus_"):
1631
1535
setattr(call_both, name, attr)
1632
1536
1633
1537
return call_both
1634
1538
# Create the "call_both" function and add it to
1635
1539
# the class
1645
1549
alt_interface,
1646
1550
attribute._dbus_in_signature,
1647
1551
attribute._dbus_out_signature)
1648
(copy_function(attribute)))
1552
(types.FunctionType(attribute.func_code,
1553
attribute.func_globals,
1554
attribute.func_name,
1555
attribute.func_defaults,
1556
attribute.func_closure)))
1649
1557
# Copy annotations, if any
1650
1558
try:
1651
1559
attr[attrname]._dbus_annotations = dict(
1663
1571
attribute._dbus_access,
1664
1572
attribute._dbus_get_args_options
1665
1573
["byte_arrays"])
1666
(copy_function(attribute)))
1574
(types.FunctionType(
1575
attribute.func_code,
1576
attribute.func_globals,
1577
attribute.func_name,
1578
attribute.func_defaults,
1579
attribute.func_closure)))
1667
1580
# Copy annotations, if any
1668
1581
try:
1669
1582
attr[attrname]._dbus_annotations = dict(
1678
1591
# to the class.
1679
1592
attr[attrname] = (
1680
1593
dbus_interface_annotations(alt_interface)
1681
(copy_function(attribute)))
1594
(types.FunctionType(attribute.func_code,
1595
attribute.func_globals,
1596
attribute.func_name,
1597
attribute.func_defaults,
1598
attribute.func_closure)))
1682
1599
if deprecate:
1683
1600
# Deprecate all alternate interfaces
1684
iname = "_AlternateDBusNames_interface_annotation{}"
1601
iname="_AlternateDBusNames_interface_annotation{}"
1685
1602
for interface_name in interface_names:
1686
1603
1687
1604
@dbus_interface_annotations(interface_name)
1688
1605
def func(self):
1689
return {"org.freedesktop.DBus.Deprecated":
1690
"true"}
1606
return { "org.freedesktop.DBus.Deprecated":
1607
"true" }
1691
1608
# Find an unused name
1692
1609
for aname in (iname.format(i)
1693
1610
for i in itertools.count()):
1697
1614
if interface_names:
1698
1615
# Replace the class with a new subclass of it with
1699
1616
# methods, signals, etc. as created above.
1700
if sys.version_info.major == 2:
1701
cls = type(b"{}Alternate".format(cls.__name__),
1702
(cls, ), attr)
1703
else:
1704
cls = type("{}Alternate".format(cls.__name__),
1705
(cls, ), attr)
1617
cls = type(b"{}Alternate".format(cls.__name__),
1618
(cls, ), attr)
1706
1619
return cls
1707
1620
1708
1621
return wrapper
1709
1622
1710
1623
1712
1625
"se.bsnet.fukt.Mandos"})
1713
1626
class ClientDBus(Client, DBusObjectWithProperties):
1714
1627
"""A Client class using D-Bus
1715
1628
1716
1629
Attributes:
1717
1630
dbus_object_path: dbus.ObjectPath
1718
1631
bus: dbus.SystemBus()
1719
1632
"""
1720
1633
1721
1634
runtime_expansions = (Client.runtime_expansions
1722
1635
+ ("dbus_object_path", ))
1723
1636
1724
1637
_interface = "se.recompile.Mandos.Client"
1725
1638
1726
1639
# dbus.service.Object doesn't use super(), so we can't either.
1727
1728
def __init__(self, bus=None, *args, **kwargs):
1640
1641
def __init__(self, bus = None, *args, **kwargs):
1729
1642
self.bus = bus
1730
1643
Client.__init__(self, *args, **kwargs)
1731
1644
# Only now, when this client is initialized, can it show up on
1737
1650
"/clients/" + client_object_name)
1738
1651
DBusObjectWithProperties.__init__(self, self.bus,
1739
1652
self.dbus_object_path)
1740
1653
1741
1654
def notifychangeproperty(transform_func, dbus_name,
1742
1655
type_func=lambda x: x,
1743
1656
variant_level=1,
1745
1658
_interface=_interface):
1746
1659
""" Modify a variable so that it's a property which announces
1747
1660
its changes to DBus.
1748
1661
1749
1662
transform_fun: Function that takes a value and a variant_level
1750
1663
and transforms it to a D-Bus type.
1751
1664
dbus_name: D-Bus name of the variable
1754
1667
variant_level: D-Bus variant level. Default: 1
1755
1668
"""
1756
1669
attrname = "_{}".format(dbus_name)
1757
1670
1758
1671
def setter(self, value):
1759
1672
if hasattr(self, "dbus_object_path"):
1760
1673
if (not hasattr(self, attrname) or
1767
1680
else:
1768
1681
dbus_value = transform_func(
1769
1682
type_func(value),
1770
variant_level=variant_level)
1683
variant_level = variant_level)
1771
1684
self.PropertyChanged(dbus.String(dbus_name),
1772
1685
dbus_value)
1773
1686
self.PropertiesChanged(
1774
1687
_interface,
1775
dbus.Dictionary({dbus.String(dbus_name):
1776
dbus_value}),
1688
dbus.Dictionary({ dbus.String(dbus_name):
1689
dbus_value }),
1777
1690
dbus.Array())
1778
1691
setattr(self, attrname, value)
1779
1692
1780
1693
return property(lambda self: getattr(self, attrname), setter)
1781
1694
1782
1695
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1783
1696
approvals_pending = notifychangeproperty(dbus.Boolean,
1784
1697
"ApprovalPending",
1785
type_func=bool)
1698
type_func = bool)
1786
1699
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1787
1700
last_enabled = notifychangeproperty(datetime_to_dbus,
1788
1701
"LastEnabled")
1789
1702
checker = notifychangeproperty(
1790
1703
dbus.Boolean, "CheckerRunning",
1791
type_func=lambda checker: checker is not None)
1704
type_func = lambda checker: checker is not None)
1792
1705
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1793
1706
"LastCheckedOK")
1794
1707
last_checker_status = notifychangeproperty(dbus.Int16,
1799
1712
"ApprovedByDefault")
1800
1713
approval_delay = notifychangeproperty(
1801
1714
dbus.UInt64, "ApprovalDelay",
1802
type_func=lambda td: td.total_seconds() * 1000)
1715
type_func = lambda td: td.total_seconds() * 1000)
1803
1716
approval_duration = notifychangeproperty(
1804
1717
dbus.UInt64, "ApprovalDuration",
1805
type_func=lambda td: td.total_seconds() * 1000)
1718
type_func = lambda td: td.total_seconds() * 1000)
1806
1719
host = notifychangeproperty(dbus.String, "Host")
1807
1720
timeout = notifychangeproperty(
1808
1721
dbus.UInt64, "Timeout",
1809
type_func=lambda td: td.total_seconds() * 1000)
1722
type_func = lambda td: td.total_seconds() * 1000)
1810
1723
extended_timeout = notifychangeproperty(
1811
1724
dbus.UInt64, "ExtendedTimeout",
1812
type_func=lambda td: td.total_seconds() * 1000)
1725
type_func = lambda td: td.total_seconds() * 1000)
1813
1726
interval = notifychangeproperty(
1814
1727
dbus.UInt64, "Interval",
1815
type_func=lambda td: td.total_seconds() * 1000)
1728
type_func = lambda td: td.total_seconds() * 1000)
1816
1729
checker_command = notifychangeproperty(dbus.String, "Checker")
1817
1730
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1818
1731
invalidate_only=True)
1819
1732
1820
1733
del notifychangeproperty
1821
1734
1822
1735
def __del__(self, *args, **kwargs):
1823
1736
try:
1824
1737
self.remove_from_connection()
1827
1740
if hasattr(DBusObjectWithProperties, "__del__"):
1828
1741
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1829
1742
Client.__del__(self, *args, **kwargs)
1830
1743
1831
1744
def checker_callback(self, source, condition,
1832
1745
connection, command, *args, **kwargs):
1833
1746
ret = Client.checker_callback(self, source, condition,
1849
1762
| self.last_checker_signal),
1850
1763
dbus.String(command))
1851
1764
return ret
1852
1765
1853
1766
def start_checker(self, *args, **kwargs):
1854
1767
old_checker_pid = getattr(self.checker, "pid", None)
1855
1768
r = Client.start_checker(self, *args, **kwargs)
1859
1772
# Emit D-Bus signal
1860
1773
self.CheckerStarted(self.current_checker_command)
1861
1774
return r
1862
1775
1863
1776
def _reset_approved(self):
1864
1777
self.approved = None
1865
1778
return False
1866
1779
1867
1780
def approve(self, value=True):
1868
1781
self.approved = value
1869
GLib.timeout_add(int(self.approval_duration.total_seconds()
1870
* 1000), self._reset_approved)
1782
gobject.timeout_add(int(self.approval_duration.total_seconds()
1783
* 1000), self._reset_approved)
1871
1784
self.send_changedstate()
1872
1873
# D-Bus methods, signals & properties
1874
1875
# Interfaces
1876
1877
# Signals
1878
1785
1786
## D-Bus methods, signals & properties
1787
1788
## Interfaces
1789
1790
## Signals
1791
1879
1792
# CheckerCompleted - signal
1880
1793
@dbus.service.signal(_interface, signature="nxs")
1881
1794
def CheckerCompleted(self, exitcode, waitstatus, command):
1882
1795
"D-Bus signal"
1883
1796
pass
1884
1797
1885
1798
# CheckerStarted - signal
1886
1799
@dbus.service.signal(_interface, signature="s")
1887
1800
def CheckerStarted(self, command):
1888
1801
"D-Bus signal"
1889
1802
pass
1890
1803
1891
1804
# PropertyChanged - signal
1892
1805
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1893
1806
@dbus.service.signal(_interface, signature="sv")
1894
1807
def PropertyChanged(self, property, value):
1895
1808
"D-Bus signal"
1896
1809
pass
1897
1810
1898
1811
# GotSecret - signal
1899
1812
@dbus.service.signal(_interface)
1900
1813
def GotSecret(self):
1903
1816
server to mandos-client
1904
1817
"""
1905
1818
pass
1906
1819
1907
1820
# Rejected - signal
1908
1821
@dbus.service.signal(_interface, signature="s")
1909
1822
def Rejected(self, reason):
1910
1823
"D-Bus signal"
1911
1824
pass
1912
1825
1913
1826
# NeedApproval - signal
1914
1827
@dbus.service.signal(_interface, signature="tb")
1915
1828
def NeedApproval(self, timeout, default):
1916
1829
"D-Bus signal"
1917
1830
return self.need_approval()
1918
1919
# Methods
1920
1831
1832
## Methods
1833
1921
1834
# Approve - method
1922
1835
@dbus.service.method(_interface, in_signature="b")
1923
1836
def Approve(self, value):
1924
1837
self.approve(value)
1925
1838
1926
1839
# CheckedOK - method
1927
1840
@dbus.service.method(_interface)
1928
1841
def CheckedOK(self):
1929
1842
self.checked_ok()
1930
1843
1931
1844
# Enable - method
1932
1845
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1933
1846
@dbus.service.method(_interface)
1934
1847
def Enable(self):
1935
1848
"D-Bus method"
1936
1849
self.enable()
1937
1850
1938
1851
# StartChecker - method
1939
1852
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1940
1853
@dbus.service.method(_interface)
1941
1854
def StartChecker(self):
1942
1855
"D-Bus method"
1943
1856
self.start_checker()
1944
1857
1945
1858
# Disable - method
1946
1859
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1947
1860
@dbus.service.method(_interface)
1948
1861
def Disable(self):
1949
1862
"D-Bus method"
1950
1863
self.disable()
1951
1864
1952
1865
# StopChecker - method
1953
1866
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1954
1867
@dbus.service.method(_interface)
1955
1868
def StopChecker(self):
1956
1869
self.stop_checker()
1957
1958
# Properties
1959
1870
1871
## Properties
1872
1960
1873
# ApprovalPending - property
1961
1874
@dbus_service_property(_interface, signature="b", access="read")
1962
1875
def ApprovalPending_dbus_property(self):
1963
1876
return dbus.Boolean(bool(self.approvals_pending))
1964
1877
1965
1878
# ApprovedByDefault - property
1966
1879
@dbus_service_property(_interface,
1967
1880
signature="b",
1970
1883
if value is None: # get
1971
1884
return dbus.Boolean(self.approved_by_default)
1972
1885
self.approved_by_default = bool(value)
1973
1886
1974
1887
# ApprovalDelay - property
1975
1888
@dbus_service_property(_interface,
1976
1889
signature="t",
1980
1893
return dbus.UInt64(self.approval_delay.total_seconds()
1981
1894
* 1000)
1982
1895
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1983
1896
1984
1897
# ApprovalDuration - property
1985
1898
@dbus_service_property(_interface,
1986
1899
signature="t",
1990
1903
return dbus.UInt64(self.approval_duration.total_seconds()
1991
1904
* 1000)
1992
1905
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1993
1906
1994
1907
# Name - property
1995
1908
@dbus_annotations(
1996
1909
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1997
1910
@dbus_service_property(_interface, signature="s", access="read")
1998
1911
def Name_dbus_property(self):
1999
1912
return dbus.String(self.name)
2000
1913
2001
1914
# Fingerprint - property
2002
1915
@dbus_annotations(
2003
1916
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2004
1917
@dbus_service_property(_interface, signature="s", access="read")
2005
1918
def Fingerprint_dbus_property(self):
2006
1919
return dbus.String(self.fingerprint)
2007
1920
2008
1921
# Host - property
2009
1922
@dbus_service_property(_interface,
2010
1923
signature="s",
2013
1926
if value is None: # get
2014
1927
return dbus.String(self.host)
2015
1928
self.host = str(value)
2016
1929
2017
1930
# Created - property
2018
1931
@dbus_annotations(
2019
1932
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2020
1933
@dbus_service_property(_interface, signature="s", access="read")
2021
1934
def Created_dbus_property(self):
2022
1935
return datetime_to_dbus(self.created)
2023
1936
2024
1937
# LastEnabled - property
2025
1938
@dbus_service_property(_interface, signature="s", access="read")
2026
1939
def LastEnabled_dbus_property(self):
2027
1940
return datetime_to_dbus(self.last_enabled)
2028
1941
2029
1942
# Enabled - property
2030
1943
@dbus_service_property(_interface,
2031
1944
signature="b",
2037
1950
self.enable()
2038
1951
else:
2039
1952
self.disable()
2040
1953
2041
1954
# LastCheckedOK - property
2042
1955
@dbus_service_property(_interface,
2043
1956
signature="s",
2047
1960
self.checked_ok()
2048
1961
return
2049
1962
return datetime_to_dbus(self.last_checked_ok)
2050
1963
2051
1964
# LastCheckerStatus - property
2052
1965
@dbus_service_property(_interface, signature="n", access="read")
2053
1966
def LastCheckerStatus_dbus_property(self):
2054
1967
return dbus.Int16(self.last_checker_status)
2055
1968
2056
1969
# Expires - property
2057
1970
@dbus_service_property(_interface, signature="s", access="read")
2058
1971
def Expires_dbus_property(self):
2059
1972
return datetime_to_dbus(self.expires)
2060
1973
2061
1974
# LastApprovalRequest - property
2062
1975
@dbus_service_property(_interface, signature="s", access="read")
2063
1976
def LastApprovalRequest_dbus_property(self):
2064
1977
return datetime_to_dbus(self.last_approval_request)
2065
1978
2066
1979
# Timeout - property
2067
1980
@dbus_service_property(_interface,
2068
1981
signature="t",
2083
1996
if (getattr(self, "disable_initiator_tag", None)
2084
1997
is None):
2085
1998
return
2086
GLib.source_remove(self.disable_initiator_tag)
2087
self.disable_initiator_tag = GLib.timeout_add(
1999
gobject.source_remove(self.disable_initiator_tag)
2000
self.disable_initiator_tag = gobject.timeout_add(
2088
2001
int((self.expires - now).total_seconds() * 1000),
2089
2002
self.disable)
2090
2003
2091
2004
# ExtendedTimeout - property
2092
2005
@dbus_service_property(_interface,
2093
2006
signature="t",
2097
2010
return dbus.UInt64(self.extended_timeout.total_seconds()
2098
2011
* 1000)
2099
2012
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2100
2013
2101
2014
# Interval - property
2102
2015
@dbus_service_property(_interface,
2103
2016
signature="t",
2110
2023
return
2111
2024
if self.enabled:
2112
2025
# Reschedule checker run
2113
GLib.source_remove(self.checker_initiator_tag)
2114
self.checker_initiator_tag = GLib.timeout_add(
2026
gobject.source_remove(self.checker_initiator_tag)
2027
self.checker_initiator_tag = gobject.timeout_add(
2115
2028
value, self.start_checker)
2116
self.start_checker() # Start one now, too
2117
2029
self.start_checker() # Start one now, too
2030
2118
2031
# Checker - property
2119
2032
@dbus_service_property(_interface,
2120
2033
signature="s",
2123
2036
if value is None: # get
2124
2037
return dbus.String(self.checker_command)
2125
2038
self.checker_command = str(value)
2126
2039
2127
2040
# CheckerRunning - property
2128
2041
@dbus_service_property(_interface,
2129
2042
signature="b",
2135
2048
self.start_checker()
2136
2049
else:
2137
2050
self.stop_checker()
2138
2051
2139
2052
# ObjectPath - property
2140
2053
@dbus_annotations(
2141
2054
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2142
2055
"org.freedesktop.DBus.Deprecated": "true"})
2143
2056
@dbus_service_property(_interface, signature="o", access="read")
2144
2057
def ObjectPath_dbus_property(self):
2145
return self.dbus_object_path # is already a dbus.ObjectPath
2146
2058
return self.dbus_object_path # is already a dbus.ObjectPath
2059
2147
2060
# Secret = property
2148
2061
@dbus_annotations(
2149
2062
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2154
2067
byte_arrays=True)
2155
2068
def Secret_dbus_property(self, value):
2156
2069
self.secret = bytes(value)
2157
2070
2158
2071
del _interface
2159
2072
2160
2073
2164
2077
self._pipe.send(('init', fpr, address))
2165
2078
if not self._pipe.recv():
2166
2079
raise KeyError(fpr)
2167
2080
2168
2081
def __getattribute__(self, name):
2169
2082
if name == '_pipe':
2170
2083
return super(ProxyClient, self).__getattribute__(name)
2173
2086
if data[0] == 'data':
2174
2087
return data[1]
2175
2088
if data[0] == 'function':
2176
2089
2177
2090
def func(*args, **kwargs):
2178
2091
self._pipe.send(('funcall', name, args, kwargs))
2179
2092
return self._pipe.recv()[1]
2180
2093
2181
2094
return func
2182
2095
2183
2096
def __setattr__(self, name, value):
2184
2097
if name == '_pipe':
2185
2098
return super(ProxyClient, self).__setattr__(name, value)
2188
2101
2189
2102
class ClientHandler(socketserver.BaseRequestHandler, object):
2190
2103
"""A class to handle client connections.
2191
2104
2192
2105
Instantiated once for each connection to handle it.
2193
2106
Note: This will run in its own forked process."""
2194
2107
2195
2108
def handle(self):
2196
2109
with contextlib.closing(self.server.child_pipe) as child_pipe:
2197
2110
logger.info("TCP connection from: %s",
2198
2111
str(self.client_address))
2199
2112
logger.debug("Pipe FD: %d",
2200
2113
self.server.child_pipe.fileno())
2201
2114
2202
2115
session = gnutls.ClientSession(self.request)
2203
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2205
# "+AES-256-CBC", "+SHA1",
2206
# "+COMP-NULL", "+CTYPE-OPENPGP",
2207
# "+DHE-DSS"))
2116
2117
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2118
# "+AES-256-CBC", "+SHA1",
2119
# "+COMP-NULL", "+CTYPE-OPENPGP",
2120
# "+DHE-DSS"))
2208
2121
# Use a fallback default, since this MUST be set.
2209
2122
priority = self.server.gnutls_priority
2210
2123
if priority is None:
2211
2124
priority = "NORMAL"
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2125
gnutls.priority_set_direct(session._c_object, priority,
2214
2126
None)
2215
2127
2216
2128
# Start communication using the Mandos protocol
2217
2129
# Get protocol number
2218
2130
line = self.request.makefile().readline()
2223
2135
except (ValueError, IndexError, RuntimeError) as error:
2224
2136
logger.error("Unknown protocol version: %s", error)
2225
2137
return
2226
2138
2227
2139
# Start GnuTLS connection
2228
2140
try:
2229
2141
session.handshake()
2233
2145
# established. Just abandon the request.
2234
2146
return
2235
2147
logger.debug("Handshake succeeded")
2236
2148
2237
2149
approval_required = False
2238
2150
try:
2239
2151
try:
2243
2155
logger.warning("Bad certificate: %s", error)
2244
2156
return
2245
2157
logger.debug("Fingerprint: %s", fpr)
2246
2158
2247
2159
try:
2248
2160
client = ProxyClient(child_pipe, fpr,
2249
2161
self.client_address)
2250
2162
except KeyError:
2251
2163
return
2252
2164
2253
2165
if client.approval_delay:
2254
2166
delay = client.approval_delay
2255
2167
client.approvals_pending += 1
2256
2168
approval_required = True
2257
2169
2258
2170
while True:
2259
2171
if not client.enabled:
2260
2172
logger.info("Client %s is disabled",
2263
2175
# Emit D-Bus signal
2264
2176
client.Rejected("Disabled")
2265
2177
return
2266
2178
2267
2179
if client.approved or not client.approval_delay:
2268
# We are approved or approval is disabled
2180
#We are approved or approval is disabled
2269
2181
break
2270
2182
elif client.approved is None:
2271
2183
logger.info("Client %s needs approval",
2282
2194
# Emit D-Bus signal
2283
2195
client.Rejected("Denied")
2284
2196
return
2285
2286
# wait until timeout or approved
2197
2198
#wait until timeout or approved
2287
2199
time = datetime.datetime.now()
2288
2200
client.changedstate.acquire()
2289
2201
client.changedstate.wait(delay.total_seconds())
2302
2214
break
2303
2215
else:
2304
2216
delay -= time2 - time
2305
2306
try:
2307
session.send(client.secret)
2308
except gnutls.Error as error:
2309
logger.warning("gnutls send failed",
2310
exc_info=error)
2311
return
2312
2217
2218
sent_size = 0
2219
while sent_size < len(client.secret):
2220
try:
2221
sent = session.send(client.secret[sent_size:])
2222
except gnutls.Error as error:
2223
logger.warning("gnutls send failed",
2224
exc_info=error)
2225
return
2226
logger.debug("Sent: %d, remaining: %d", sent,
2227
len(client.secret) - (sent_size
2228
+ sent))
2229
sent_size += sent
2230
2313
2231
logger.info("Sending secret to %s", client.name)
2314
2232
# bump the timeout using extended_timeout
2315
2233
client.bump_timeout(client.extended_timeout)
2316
2234
if self.server.use_dbus:
2317
2235
# Emit D-Bus signal
2318
2236
client.GotSecret()
2319
2237
2320
2238
finally:
2321
2239
if approval_required:
2322
2240
client.approvals_pending -= 1
2325
2243
except gnutls.Error as error:
2326
2244
logger.warning("GnuTLS bye failed",
2327
2245
exc_info=error)
2328
2246
2329
2247
@staticmethod
2330
2248
def peer_certificate(session):
2331
2249
"Return the peer's OpenPGP certificate as a bytestring"
2343
2261
return None
2344
2262
cert = cert_list[0]
2345
2263
return ctypes.string_at(cert.data, cert.size)
2346
2264
2347
2265
@staticmethod
2348
2266
def fingerprint(openpgp):
2349
2267
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2382
2300
2383
2301
class MultiprocessingMixIn(object):
2384
2302
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2385
2303
2386
2304
def sub_process_main(self, request, address):
2387
2305
try:
2388
2306
self.finish_request(request, address)
2389
2307
except Exception:
2390
2308
self.handle_error(request, address)
2391
2309
self.close_request(request)
2392
2310
2393
2311
def process_request(self, request, address):
2394
2312
"""Start a new process to process the request."""
2395
proc = multiprocessing.Process(target=self.sub_process_main,
2396
args=(request, address))
2313
proc = multiprocessing.Process(target = self.sub_process_main,
2314
args = (request, address))
2397
2315
proc.start()
2398
2316
return proc
2399
2317
2400
2318
2401
2319
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2402
2320
""" adds a pipe to the MixIn """
2403
2321
2404
2322
def process_request(self, request, client_address):
2405
2323
"""Overrides and wraps the original process_request().
2406
2324
2407
2325
This function creates a new pipe in self.pipe
2408
2326
"""
2409
2327
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2410
2328
2411
2329
proc = MultiprocessingMixIn.process_request(self, request,
2412
2330
client_address)
2413
2331
self.child_pipe.close()
2414
2332
self.add_pipe(parent_pipe, proc)
2415
2333
2416
2334
def add_pipe(self, parent_pipe, proc):
2417
2335
"""Dummy function; override as necessary"""
2418
2336
raise NotImplementedError()
2421
2339
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2422
2340
socketserver.TCPServer, object):
2423
2341
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2424
2342
2425
2343
Attributes:
2426
2344
enabled: Boolean; whether this server is activated yet
2427
2345
interface: None or a network interface name (string)
2428
2346
use_ipv6: Boolean; to use IPv6 or not
2429
2347
"""
2430
2348
2431
2349
def __init__(self, server_address, RequestHandlerClass,
2432
2350
interface=None,
2433
2351
use_ipv6=True,
2443
2361
self.socketfd = socketfd
2444
2362
# Save the original socket.socket() function
2445
2363
self.socket_socket = socket.socket
2446
2447
2364
# To implement --socket, we monkey patch socket.socket.
2448
#
2365
#
2449
2366
# (When socketserver.TCPServer is a new-style class, we
2450
2367
# could make self.socket into a property instead of monkey
2451
2368
# patching socket.socket.)
2452
#
2369
#
2453
2370
# Create a one-time-only replacement for socket.socket()
2454
2371
@functools.wraps(socket.socket)
2455
2372
def socket_wrapper(*args, **kwargs):
2467
2384
# socket_wrapper(), if socketfd was set.
2468
2385
socketserver.TCPServer.__init__(self, server_address,
2469
2386
RequestHandlerClass)
2470
2387
2471
2388
def server_bind(self):
2472
2389
"""This overrides the normal server_bind() function
2473
2390
to bind to an interface if one was specified, and also NOT to
2474
2391
bind to an address or port if they were not specified."""
2475
global SO_BINDTODEVICE
2476
2392
if self.interface is not None:
2477
2393
if SO_BINDTODEVICE is None:
2478
# Fall back to a hard-coded value which seems to be
2479
# common enough.
2480
logger.warning("SO_BINDTODEVICE not found, trying 25")
2481
SO_BINDTODEVICE = 25
2482
try:
2483
self.socket.setsockopt(
2484
socket.SOL_SOCKET, SO_BINDTODEVICE,
2485
(self.interface + "\0").encode("utf-8"))
2486
except socket.error as error:
2487
if error.errno == errno.EPERM:
2488
logger.error("No permission to bind to"
2489
" interface %s", self.interface)
2490
elif error.errno == errno.ENOPROTOOPT:
2491
logger.error("SO_BINDTODEVICE not available;"
2492
" cannot bind to interface %s",
2493
self.interface)
2494
elif error.errno == errno.ENODEV:
2495
logger.error("Interface %s does not exist,"
2496
" cannot bind", self.interface)
2497
else:
2498
raise
2394
logger.error("SO_BINDTODEVICE does not exist;"
2395
" cannot bind to interface %s",
2396
self.interface)
2397
else:
2398
try:
2399
self.socket.setsockopt(
2400
socket.SOL_SOCKET, SO_BINDTODEVICE,
2401
(self.interface + "\0").encode("utf-8"))
2402
except socket.error as error:
2403
if error.errno == errno.EPERM:
2404
logger.error("No permission to bind to"
2405
" interface %s", self.interface)
2406
elif error.errno == errno.ENOPROTOOPT:
2407
logger.error("SO_BINDTODEVICE not available;"
2408
" cannot bind to interface %s",
2409
self.interface)
2410
elif error.errno == errno.ENODEV:
2411
logger.error("Interface %s does not exist,"
2412
" cannot bind", self.interface)
2413
else:
2414
raise
2499
2415
# Only bind(2) the socket if we really need to.
2500
2416
if self.server_address[0] or self.server_address[1]:
2501
2417
if not self.server_address[0]:
2502
2418
if self.address_family == socket.AF_INET6:
2503
any_address = "::" # in6addr_any
2419
any_address = "::" # in6addr_any
2504
2420
else:
2505
any_address = "0.0.0.0" # INADDR_ANY
2421
any_address = "0.0.0.0" # INADDR_ANY
2506
2422
self.server_address = (any_address,
2507
2423
self.server_address[1])
2508
2424
elif not self.server_address[1]:
2518
2434
2519
2435
class MandosServer(IPv6_TCPServer):
2520
2436
"""Mandos server.
2521
2437
2522
2438
Attributes:
2523
2439
clients: set of Client objects
2524
2440
gnutls_priority GnuTLS priority string
2525
2441
use_dbus: Boolean; to emit D-Bus signals or not
2526
2527
Assumes a GLib.MainLoop event loop.
2442
2443
Assumes a gobject.MainLoop event loop.
2528
2444
"""
2529
2445
2530
2446
def __init__(self, server_address, RequestHandlerClass,
2531
2447
interface=None,
2532
2448
use_ipv6=True,
2542
2458
self.gnutls_priority = gnutls_priority
2543
2459
IPv6_TCPServer.__init__(self, server_address,
2544
2460
RequestHandlerClass,
2545
interface=interface,
2546
use_ipv6=use_ipv6,
2547
socketfd=socketfd)
2548
2461
interface = interface,
2462
use_ipv6 = use_ipv6,
2463
socketfd = socketfd)
2464
2549
2465
def server_activate(self):
2550
2466
if self.enabled:
2551
2467
return socketserver.TCPServer.server_activate(self)
2552
2468
2553
2469
def enable(self):
2554
2470
self.enabled = True
2555
2471
2556
2472
def add_pipe(self, parent_pipe, proc):
2557
2473
# Call "handle_ipc" for both data and EOF events
2558
GLib.io_add_watch(
2474
gobject.io_add_watch(
2559
2475
parent_pipe.fileno(),
2560
GLib.IO_IN | GLib.IO_HUP,
2476
gobject.IO_IN | gobject.IO_HUP,
2561
2477
functools.partial(self.handle_ipc,
2562
parent_pipe=parent_pipe,
2563
proc=proc))
2564
2478
parent_pipe = parent_pipe,
2479
proc = proc))
2480
2565
2481
def handle_ipc(self, source, condition,
2566
2482
parent_pipe=None,
2567
proc=None,
2483
proc = None,
2568
2484
client_object=None):
2569
2485
# error, or the other end of multiprocessing.Pipe has closed
2570
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2486
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2571
2487
# Wait for other process to exit
2572
2488
proc.join()
2573
2489
return False
2574
2490
2575
2491
# Read a request from the child
2576
2492
request = parent_pipe.recv()
2577
2493
command = request[0]
2578
2494
2579
2495
if command == 'init':
2580
2496
fpr = request[1]
2581
2497
address = request[2]
2582
2583
for c in self.clients.values():
2498
2499
for c in self.clients.itervalues():
2584
2500
if c.fingerprint == fpr:
2585
2501
client = c
2586
2502
break
2593
2509
address[0])
2594
2510
parent_pipe.send(False)
2595
2511
return False
2596
2597
GLib.io_add_watch(
2512
2513
gobject.io_add_watch(
2598
2514
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2515
gobject.IO_IN | gobject.IO_HUP,
2600
2516
functools.partial(self.handle_ipc,
2601
parent_pipe=parent_pipe,
2602
proc=proc,
2603
client_object=client))
2517
parent_pipe = parent_pipe,
2518
proc = proc,
2519
client_object = client))
2604
2520
parent_pipe.send(True)
2605
2521
# remove the old hook in favor of the new above hook on
2606
2522
# same fileno
2609
2525
funcname = request[1]
2610
2526
args = request[2]
2611
2527
kwargs = request[3]
2612
2528
2613
2529
parent_pipe.send(('data', getattr(client_object,
2614
2530
funcname)(*args,
2615
2531
**kwargs)))
2616
2532
2617
2533
if command == 'getattr':
2618
2534
attrname = request[1]
2619
2535
if isinstance(client_object.__getattribute__(attrname),
2622
2538
else:
2623
2539
parent_pipe.send((
2624
2540
'data', client_object.__getattribute__(attrname)))
2625
2541
2626
2542
if command == 'setattr':
2627
2543
attrname = request[1]
2628
2544
value = request[2]
2629
2545
setattr(client_object, attrname, value)
2630
2546
2631
2547
return True
2632
2548
2633
2549
2634
2550
def rfc3339_duration_to_delta(duration):
2635
2551
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2636
2552
2637
2553
>>> rfc3339_duration_to_delta("P7D")
2638
2554
datetime.timedelta(7)
2639
2555
>>> rfc3339_duration_to_delta("PT60S")
2649
2565
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
2566
datetime.timedelta(1, 200)
2651
2567
"""
2652
2568
2653
2569
# Parsing an RFC 3339 duration with regular expressions is not
2654
2570
# possible - there would have to be multiple places for the same
2655
2571
# values, like seconds. The current code, while more esoteric, is
2656
2572
# cleaner without depending on a parsing library. If Python had a
2657
2573
# built-in library for parsing we would use it, but we'd like to
2658
2574
# avoid excessive use of external libraries.
2659
2575
2660
2576
# New type for defining tokens, syntax, and semantics all-in-one
2661
2577
Token = collections.namedtuple("Token", (
2662
2578
"regexp", # To match token; if "value" is not None, must have
2695
2611
frozenset((token_year, token_month,
2696
2612
token_day, token_time,
2697
2613
token_week)))
2698
# Define starting values:
2699
# Value so far
2700
value = datetime.timedelta()
2614
# Define starting values
2615
value = datetime.timedelta() # Value so far
2701
2616
found_token = None
2702
# Following valid tokens
2703
followers = frozenset((token_duration, ))
2704
# String left to parse
2705
s = duration
2617
followers = frozenset((token_duration, )) # Following valid tokens
2618
s = duration # String left to parse
2706
2619
# Loop until end token is found
2707
2620
while found_token is not token_end:
2708
2621
# Search for any currently valid tokens
2732
2645
2733
2646
def string_to_delta(interval):
2734
2647
"""Parse a string and return a datetime.timedelta
2735
2648
2736
2649
>>> string_to_delta('7d')
2737
2650
datetime.timedelta(7)
2738
2651
>>> string_to_delta('60s')
2746
2659
>>> string_to_delta('5m 30s')
2747
2660
datetime.timedelta(0, 330)
2748
2661
"""
2749
2662
2750
2663
try:
2751
2664
return rfc3339_duration_to_delta(interval)
2752
2665
except ValueError:
2753
2666
pass
2754
2667
2755
2668
timevalue = datetime.timedelta(0)
2756
2669
for s in interval.split():
2757
2670
try:
2775
2688
return timevalue
2776
2689
2777
2690
2778
def daemon(nochdir=False, noclose=False):
2691
def daemon(nochdir = False, noclose = False):
2779
2692
"""See daemon(3). Standard BSD Unix function.
2780
2693
2781
2694
This should really exist as os.daemon, but it doesn't (yet)."""
2782
2695
if os.fork():
2783
2696
sys.exit()
2801
2714
2802
2715
2803
2716
def main():
2804
2717
2805
2718
##################################################################
2806
2719
# Parsing of options, both command line and config file
2807
2720
2808
2721
parser = argparse.ArgumentParser()
2809
2722
parser.add_argument("-v", "--version", action="version",
2810
version="%(prog)s {}".format(version),
2723
version = "%(prog)s {}".format(version),
2811
2724
help="show version number and exit")
2812
2725
parser.add_argument("-i", "--interface", metavar="IF",
2813
2726
help="Bind to interface IF")
2849
2762
parser.add_argument("--no-zeroconf", action="store_false",
2850
2763
dest="zeroconf", help="Do not use Zeroconf",
2851
2764
default=None)
2852
2765
2853
2766
options = parser.parse_args()
2854
2767
2855
2768
if options.check:
2856
2769
import doctest
2857
2770
fail_count, test_count = doctest.testmod()
2858
2771
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
2772
2860
2773
# Default values for config file for server-global settings
2861
server_defaults = {"interface": "",
2862
"address": "",
2863
"port": "",
2864
"debug": "False",
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
2868
"servicename": "Mandos",
2869
"use_dbus": "True",
2870
"use_ipv6": "True",
2871
"debuglevel": "",
2872
"restore": "True",
2873
"socket": "",
2874
"statedir": "/var/lib/mandos",
2875
"foreground": "False",
2876
"zeroconf": "True",
2877
}
2878
2774
server_defaults = { "interface": "",
2775
"address": "",
2776
"port": "",
2777
"debug": "False",
2778
"priority":
2779
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2780
":+SIGN-DSA-SHA256",
2781
"servicename": "Mandos",
2782
"use_dbus": "True",
2783
"use_ipv6": "True",
2784
"debuglevel": "",
2785
"restore": "True",
2786
"socket": "",
2787
"statedir": "/var/lib/mandos",
2788
"foreground": "False",
2789
"zeroconf": "True",
2790
}
2791
2879
2792
# Parse config file for server-global settings
2880
2793
server_config = configparser.SafeConfigParser(server_defaults)
2881
2794
del server_defaults
2899
2812
server_settings["socket"] = os.dup(server_settings
2900
2813
["socket"])
2901
2814
del server_config
2902
2815
2903
2816
# Override the settings from the config file with command line
2904
2817
# options, if set.
2905
2818
for option in ("interface", "address", "port", "debug",
2923
2836
if server_settings["debug"]:
2924
2837
server_settings["foreground"] = True
2925
2838
# Now we have our good server settings in "server_settings"
2926
2839
2927
2840
##################################################################
2928
2841
2929
2842
if (not server_settings["zeroconf"]
2930
2843
and not (server_settings["port"]
2931
2844
or server_settings["socket"] != "")):
2932
2845
parser.error("Needs port or socket to work without Zeroconf")
2933
2846
2934
2847
# For convenience
2935
2848
debug = server_settings["debug"]
2936
2849
debuglevel = server_settings["debuglevel"]
2940
2853
stored_state_file)
2941
2854
foreground = server_settings["foreground"]
2942
2855
zeroconf = server_settings["zeroconf"]
2943
2856
2944
2857
if debug:
2945
2858
initlogger(debug, logging.DEBUG)
2946
2859
else:
2949
2862
else:
2950
2863
level = getattr(logging, debuglevel.upper())
2951
2864
initlogger(debug, level)
2952
2865
2953
2866
if server_settings["servicename"] != "Mandos":
2954
2867
syslogger.setFormatter(
2955
2868
logging.Formatter('Mandos ({}) [%(process)d]:'
2956
2869
' %(levelname)s: %(message)s'.format(
2957
2870
server_settings["servicename"])))
2958
2871
2959
2872
# Parse config file with clients
2960
2873
client_config = configparser.SafeConfigParser(Client
2961
2874
.client_defaults)
2962
2875
client_config.read(os.path.join(server_settings["configdir"],
2963
2876
"clients.conf"))
2964
2877
2965
2878
global mandos_dbus_service
2966
2879
mandos_dbus_service = None
2967
2880
2968
2881
socketfd = None
2969
2882
if server_settings["socket"] != "":
2970
2883
socketfd = server_settings["socket"]
2986
2899
except IOError as e:
2987
2900
logger.error("Could not open file %r", pidfilename,
2988
2901
exc_info=e)
2989
2990
for name, group in (("_mandos", "_mandos"),
2991
("mandos", "mandos"),
2992
("nobody", "nogroup")):
2902
2903
for name in ("_mandos", "mandos", "nobody"):
2993
2904
try:
2994
2905
uid = pwd.getpwnam(name).pw_uid
2995
gid = pwd.getpwnam(group).pw_gid
2906
gid = pwd.getpwnam(name).pw_gid
2996
2907
break
2997
2908
except KeyError:
2998
2909
continue
3002
2913
try:
3003
2914
os.setgid(gid)
3004
2915
os.setuid(uid)
3005
if debug:
3006
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3007
gid))
3008
2916
except OSError as error:
3009
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3010
.format(uid, gid, os.strerror(error.errno)))
3011
2917
if error.errno != errno.EPERM:
3012
2918
raise
3013
2919
3014
2920
if debug:
3015
2921
# Enable all possible GnuTLS debugging
3016
2922
3017
2923
# "Use a log level over 10 to enable all debugging options."
3018
2924
# - GnuTLS manual
3019
2925
gnutls.global_set_log_level(11)
3020
2926
3021
2927
@gnutls.log_func
3022
2928
def debug_gnutls(level, string):
3023
2929
logger.debug("GnuTLS: %s", string[:-1])
3024
2930
3025
2931
gnutls.global_set_log_function(debug_gnutls)
3026
2932
3027
2933
# Redirect stdin so all checkers get /dev/null
3028
2934
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3029
2935
os.dup2(null, sys.stdin.fileno())
3030
2936
if null > 2:
3031
2937
os.close(null)
3032
2938
3033
2939
# Need to fork before connecting to D-Bus
3034
2940
if not foreground:
3035
2941
# Close all input and output, do double fork, etc.
3036
2942
daemon()
3037
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
3040
GLib.threads_init()
3041
2943
2944
# multiprocessing will use threads, so before we use gobject we
2945
# need to inform gobject that threads will be used.
2946
gobject.threads_init()
2947
3042
2948
global main_loop
3043
2949
# From the Avahi example code
3044
2950
DBusGMainLoop(set_as_default=True)
3045
main_loop = GLib.MainLoop()
2951
main_loop = gobject.MainLoop()
3046
2952
bus = dbus.SystemBus()
3047
2953
# End of Avahi example code
3048
2954
if use_dbus:
3061
2967
if zeroconf:
3062
2968
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3063
2969
service = AvahiServiceToSyslog(
3064
name=server_settings["servicename"],
3065
servicetype="_mandos._tcp",
3066
protocol=protocol,
3067
bus=bus)
2970
name = server_settings["servicename"],
2971
servicetype = "_mandos._tcp",
2972
protocol = protocol,
2973
bus = bus)
3068
2974
if server_settings["interface"]:
3069
2975
service.interface = if_nametoindex(
3070
2976
server_settings["interface"].encode("utf-8"))
3071
2977
3072
2978
global multiprocessing_manager
3073
2979
multiprocessing_manager = multiprocessing.Manager()
3074
2980
3075
2981
client_class = Client
3076
2982
if use_dbus:
3077
client_class = functools.partial(ClientDBus, bus=bus)
3078
2983
client_class = functools.partial(ClientDBus, bus = bus)
2984
3079
2985
client_settings = Client.config_parser(client_config)
3080
2986
old_client_settings = {}
3081
2987
clients_data = {}
3082
2988
3083
2989
# This is used to redirect stdout and stderr for checker processes
3084
2990
global wnull
3085
wnull = open(os.devnull, "w") # A writable /dev/null
2991
wnull = open(os.devnull, "w") # A writable /dev/null
3086
2992
# Only used if server is running in foreground but not in debug
3087
2993
# mode
3088
2994
if debug or not foreground:
3089
2995
wnull.close()
3090
2996
3091
2997
# Get client data and settings from last running state.
3092
2998
if server_settings["restore"]:
3093
2999
try:
3094
3000
with open(stored_state_path, "rb") as stored_state:
3095
if sys.version_info.major == 2:
3096
clients_data, old_client_settings = pickle.load(
3097
stored_state)
3098
else:
3099
bytes_clients_data, bytes_old_client_settings = (
3100
pickle.load(stored_state, encoding="bytes"))
3101
# Fix bytes to strings
3102
# clients_data
3103
# .keys()
3104
clients_data = {(key.decode("utf-8")
3105
if isinstance(key, bytes)
3106
else key): value
3107
for key, value in
3108
bytes_clients_data.items()}
3109
del bytes_clients_data
3110
for key in clients_data:
3111
value = {(k.decode("utf-8")
3112
if isinstance(k, bytes) else k): v
3113
for k, v in
3114
clients_data[key].items()}
3115
clients_data[key] = value
3116
# .client_structure
3117
value["client_structure"] = [
3118
(s.decode("utf-8")
3119
if isinstance(s, bytes)
3120
else s) for s in
3121
value["client_structure"]]
3122
# .name & .host
3123
for k in ("name", "host"):
3124
if isinstance(value[k], bytes):
3125
value[k] = value[k].decode("utf-8")
3126
# old_client_settings
3127
# .keys()
3128
old_client_settings = {
3129
(key.decode("utf-8")
3130
if isinstance(key, bytes)
3131
else key): value
3132
for key, value in
3133
bytes_old_client_settings.items()}
3134
del bytes_old_client_settings
3135
# .host
3136
for value in old_client_settings.values():
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3139
.decode("utf-8"))
3001
clients_data, old_client_settings = pickle.load(
3002
stored_state)
3140
3003
os.remove(stored_state_path)
3141
3004
except IOError as e:
3142
3005
if e.errno == errno.ENOENT:
3150
3013
logger.warning("Could not load persistent state: "
3151
3014
"EOFError:",
3152
3015
exc_info=e)
3153
3016
3154
3017
with PGPEngine() as pgp:
3155
3018
for client_name, client in clients_data.items():
3156
3019
# Skip removed clients
3157
3020
if client_name not in client_settings:
3158
3021
continue
3159
3022
3160
3023
# Decide which value to use after restoring saved state.
3161
3024
# We have three different values: Old config file,
3162
3025
# new config file, and saved state.
3173
3036
client[name] = value
3174
3037
except KeyError:
3175
3038
pass
3176
3039
3177
3040
# Clients who has passed its expire date can still be
3178
3041
# enabled if its last checker was successful. A Client
3179
3042
# whose checker succeeded before we stored its state is
3212
3075
client_name))
3213
3076
client["secret"] = (client_settings[client_name]
3214
3077
["secret"])
3215
3078
3216
3079
# Add/remove clients based on new changes made to config
3217
3080
for client_name in (set(old_client_settings)
3218
3081
- set(client_settings)):
3220
3083
for client_name in (set(client_settings)
3221
3084
- set(old_client_settings)):
3222
3085
clients_data[client_name] = client_settings[client_name]
3223
3086
3224
3087
# Create all client objects
3225
3088
for client_name, client in clients_data.items():
3226
3089
tcp_server.clients[client_name] = client_class(
3227
name=client_name,
3228
settings=client,
3229
server_settings=server_settings)
3230
3090
name = client_name,
3091
settings = client,
3092
server_settings = server_settings)
3093
3231
3094
if not tcp_server.clients:
3232
3095
logger.warning("No clients defined")
3233
3096
3234
3097
if not foreground:
3235
3098
if pidfile is not None:
3236
3099
pid = os.getpid()
3242
3105
pidfilename, pid)
3243
3106
del pidfile
3244
3107
del pidfilename
3245
3246
for termsig in (signal.SIGHUP, signal.SIGTERM):
3247
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3248
lambda: main_loop.quit() and False)
3249
3108
3109
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3110
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3111
3250
3112
if use_dbus:
3251
3113
3252
3114
@alternate_dbus_interfaces(
3253
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3115
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3254
3116
class MandosDBusService(DBusObjectWithObjectManager):
3255
3117
"""A D-Bus proxy object"""
3256
3118
3257
3119
def __init__(self):
3258
3120
dbus.service.Object.__init__(self, bus, "/")
3259
3121
3260
3122
_interface = "se.recompile.Mandos"
3261
3123
3262
3124
@dbus.service.signal(_interface, signature="o")
3263
3125
def ClientAdded(self, objpath):
3264
3126
"D-Bus signal"
3265
3127
pass
3266
3128
3267
3129
@dbus.service.signal(_interface, signature="ss")
3268
3130
def ClientNotFound(self, fingerprint, address):
3269
3131
"D-Bus signal"
3270
3132
pass
3271
3133
3272
3134
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3273
3135
"true"})
3274
3136
@dbus.service.signal(_interface, signature="os")
3275
3137
def ClientRemoved(self, objpath, name):
3276
3138
"D-Bus signal"
3277
3139
pass
3278
3140
3279
3141
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3280
3142
"true"})
3281
3143
@dbus.service.method(_interface, out_signature="ao")
3282
3144
def GetAllClients(self):
3283
3145
"D-Bus method"
3284
3146
return dbus.Array(c.dbus_object_path for c in
3285
tcp_server.clients.values())
3286
3147
tcp_server.clients.itervalues())
3148
3287
3149
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3288
3150
"true"})
3289
3151
@dbus.service.method(_interface,
3291
3153
def GetAllClientsWithProperties(self):
3292
3154
"D-Bus method"
3293
3155
return dbus.Dictionary(
3294
{c.dbus_object_path: c.GetAll(
3156
{ c.dbus_object_path: c.GetAll(
3295
3157
"se.recompile.Mandos.Client")
3296
for c in tcp_server.clients.values()},
3158
for c in tcp_server.clients.itervalues() },
3297
3159
signature="oa{sv}")
3298
3160
3299
3161
@dbus.service.method(_interface, in_signature="o")
3300
3162
def RemoveClient(self, object_path):
3301
3163
"D-Bus method"
3302
for c in tcp_server.clients.values():
3164
for c in tcp_server.clients.itervalues():
3303
3165
if c.dbus_object_path == object_path:
3304
3166
del tcp_server.clients[c.name]
3305
3167
c.remove_from_connection()
3309
3171
self.client_removed_signal(c)
3310
3172
return
3311
3173
raise KeyError(object_path)
3312
3174
3313
3175
del _interface
3314
3176
3315
3177
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3316
out_signature="a{oa{sa{sv}}}")
3178
out_signature = "a{oa{sa{sv}}}")
3317
3179
def GetManagedObjects(self):
3318
3180
"""D-Bus method"""
3319
3181
return dbus.Dictionary(
3320
{client.dbus_object_path:
3321
dbus.Dictionary(
3322
{interface: client.GetAll(interface)
3323
for interface in
3324
client._get_all_interface_names()})
3325
for client in tcp_server.clients.values()})
3326
3182
{ client.dbus_object_path:
3183
dbus.Dictionary(
3184
{ interface: client.GetAll(interface)
3185
for interface in
3186
client._get_all_interface_names()})
3187
for client in tcp_server.clients.values()})
3188
3327
3189
def client_added_signal(self, client):
3328
3190
"""Send the new standard signal and the old signal"""
3329
3191
if use_dbus:
3331
3193
self.InterfacesAdded(
3332
3194
client.dbus_object_path,
3333
3195
dbus.Dictionary(
3334
{interface: client.GetAll(interface)
3335
for interface in
3336
client._get_all_interface_names()}))
3196
{ interface: client.GetAll(interface)
3197
for interface in
3198
client._get_all_interface_names()}))
3337
3199
# Old signal
3338
3200
self.ClientAdded(client.dbus_object_path)
3339
3201
3340
3202
def client_removed_signal(self, client):
3341
3203
"""Send the new standard signal and the old signal"""
3342
3204
if use_dbus:
3347
3209
# Old signal
3348
3210
self.ClientRemoved(client.dbus_object_path,
3349
3211
client.name)
3350
3212
3351
3213
mandos_dbus_service = MandosDBusService()
3352
3353
# Save modules to variables to exempt the modules from being
3354
# unloaded before the function registered with atexit() is run.
3355
mp = multiprocessing
3356
wn = wnull
3357
3214
3358
3215
def cleanup():
3359
3216
"Cleanup function; run on exit"
3360
3217
if zeroconf:
3361
3218
service.cleanup()
3362
3363
mp.active_children()
3364
wn.close()
3219
3220
multiprocessing.active_children()
3221
wnull.close()
3365
3222
if not (tcp_server.clients or client_settings):
3366
3223
return
3367
3224
3368
3225
# Store client before exiting. Secrets are encrypted with key
3369
3226
# based on what config file has. If config file is
3370
3227
# removed/edited, old secret will thus be unrecovable.
3371
3228
clients = {}
3372
3229
with PGPEngine() as pgp:
3373
for client in tcp_server.clients.values():
3230
for client in tcp_server.clients.itervalues():
3374
3231
key = client_settings[client.name]["secret"]
3375
3232
client.encrypted_secret = pgp.encrypt(client.secret,
3376
3233
key)
3377
3234
client_dict = {}
3378
3235
3379
3236
# A list of attributes that can not be pickled
3380
3237
# + secret.
3381
exclude = {"bus", "changedstate", "secret",
3382
"checker", "server_settings"}
3238
exclude = { "bus", "changedstate", "secret",
3239
"checker", "server_settings" }
3383
3240
for name, typ in inspect.getmembers(dbus.service
3384
3241
.Object):
3385
3242
exclude.add(name)
3386
3243
3387
3244
client_dict["encrypted_secret"] = (client
3388
3245
.encrypted_secret)
3389
3246
for attr in client.client_structure:
3390
3247
if attr not in exclude:
3391
3248
client_dict[attr] = getattr(client, attr)
3392
3249
3393
3250
clients[client.name] = client_dict
3394
3251
del client_settings[client.name]["secret"]
3395
3252
3396
3253
try:
3397
3254
with tempfile.NamedTemporaryFile(
3398
3255
mode='wb',
3400
3257
prefix='clients-',
3401
3258
dir=os.path.dirname(stored_state_path),
3402
3259
delete=False) as stored_state:
3403
pickle.dump((clients, client_settings), stored_state,
3404
protocol=2)
3260
pickle.dump((clients, client_settings), stored_state)
3405
3261
tempname = stored_state.name
3406
3262
os.rename(tempname, stored_state_path)
3407
3263
except (IOError, OSError) as e:
3417
3273
logger.warning("Could not save persistent state:",
3418
3274
exc_info=e)
3419
3275
raise
3420
3276
3421
3277
# Delete all clients, and settings from config
3422
3278
while tcp_server.clients:
3423
3279
name, client = tcp_server.clients.popitem()
3429
3285
if use_dbus:
3430
3286
mandos_dbus_service.client_removed_signal(client)
3431
3287
client_settings.clear()
3432
3288
3433
3289
atexit.register(cleanup)
3434
3435
for client in tcp_server.clients.values():
3290
3291
for client in tcp_server.clients.itervalues():
3436
3292
if use_dbus:
3437
3293
# Emit D-Bus signal for adding
3438
3294
mandos_dbus_service.client_added_signal(client)
3439
3295
# Need to initiate checking of clients
3440
3296
if client.enabled:
3441
3297
client.init_checker()
3442
3298
3443
3299
tcp_server.enable()
3444
3300
tcp_server.server_activate()
3445
3301
3446
3302
# Find out what port we got
3447
3303
if zeroconf:
3448
3304
service.port = tcp_server.socket.getsockname()[1]
3453
3309
else: # IPv4
3454
3310
logger.info("Now listening on address %r, port %d",
3455
3311
*tcp_server.socket.getsockname())
3456
3457
# service.interface = tcp_server.socket.getsockname()[3]
3458
3312
3313
#service.interface = tcp_server.socket.getsockname()[3]
3314
3459
3315
try:
3460
3316
if zeroconf:
3461
3317
# From the Avahi example code
3466
3322
cleanup()
3467
3323
sys.exit(1)
3468
3324
# End of Avahi example code
3469
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3474
3325
3326
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3327
lambda *args, **kwargs:
3328
(tcp_server.handle_request
3329
(*args[2:], **kwargs) or True))
3330
3475
3331
logger.debug("Starting main loop")
3476
3332
main_loop.run()
3477
3333
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0