To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.432
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.432
- Committer: Teddy Hogeborn
- Date: 2016-10-29 13:44:49 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 356.
- Revision ID: teddy@recompile.se-20161029134449-imf8eidhzwfnax9w
mandos: Use "self" instead of class name "GnuTLS" in __init__.
* mandos (GnuTLS.__init__): Use "self" instead of class name "GnuTLS".
* mandos (GnuTLS.__init__): Use "self" instead of class name "GnuTLS".
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
19
19
# the Free Software Foundation, either version 3 of the License, or
23
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
25
# GNU General Public License for more details.
26
#
26
#
27
27
# You should have received a copy of the GNU General Public License
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
#
30
#
31
31
# Contact the authors at <mandos@recompile.se>.
32
#
32
#
33
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
from future_builtins import *
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
38
41
39
42
try:
40
43
import SocketServer as socketserver
44
47
import argparse
45
48
import datetime
46
49
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
50
try:
54
51
import ConfigParser as configparser
55
52
except ImportError:
82
79
83
80
import dbus
84
81
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
82
from gi.repository import GLib
90
83
from dbus.mainloop.glib import DBusGMainLoop
91
84
import ctypes
92
85
import ctypes.util
93
86
import xml.dom.minidom
94
87
import inspect
95
88
89
# Try to find the value of SO_BINDTODEVICE:
96
90
try:
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
92
# newer, and it is also the most natural place for it:
97
93
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
94
except AttributeError:
99
95
try:
96
# This is where SO_BINDTODEVICE was up to and including Python
97
# 2.6, and also 3.2:
100
98
from IN import SO_BINDTODEVICE
101
99
except ImportError:
102
SO_BINDTODEVICE = None
100
# In Python 2.7 it seems to have been removed entirely.
101
# Try running the C preprocessor:
102
try:
103
cc = subprocess.Popen(["cc", "--language=c", "-E",
104
"/dev/stdin"],
105
stdin=subprocess.PIPE,
106
stdout=subprocess.PIPE)
107
stdout = cc.communicate(
108
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
109
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
110
except (OSError, ValueError, IndexError):
111
# No value found
112
SO_BINDTODEVICE = None
103
113
104
114
if sys.version_info.major == 2:
105
115
str = unicode
106
116
107
version = "1.7.1"
117
version = "1.7.13"
108
118
stored_state_file = "clients.pickle"
109
119
110
120
logger = logging.getLogger()
114
124
if_nametoindex = ctypes.cdll.LoadLibrary(
115
125
ctypes.util.find_library("c")).if_nametoindex
116
126
except (OSError, AttributeError):
117
127
118
128
def if_nametoindex(interface):
119
129
"Get an interface index the hard way, i.e. using fcntl()"
120
130
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
135
return interface_index
126
136
127
137
138
def copy_function(func):
139
"""Make a copy of a function"""
140
if sys.version_info.major == 2:
141
return types.FunctionType(func.func_code,
142
func.func_globals,
143
func.func_name,
144
func.func_defaults,
145
func.func_closure)
146
else:
147
return types.FunctionType(func.__code__,
148
func.__globals__,
149
func.__name__,
150
func.__defaults__,
151
func.__closure__)
152
153
128
154
def initlogger(debug, level=logging.WARNING):
129
155
"""init logger and add loglevel"""
130
156
131
157
global syslogger
132
158
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
address="/dev/log"))
135
161
syslogger.setFormatter(logging.Formatter
136
162
('Mandos [%(process)d]: %(levelname)s:'
137
163
' %(message)s'))
138
164
logger.addHandler(syslogger)
139
165
140
166
if debug:
141
167
console = logging.StreamHandler()
142
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
154
180
155
181
class PGPEngine(object):
156
182
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
183
158
184
def __init__(self):
159
185
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
186
self.gpg = "gpg"
187
try:
188
output = subprocess.check_output(["gpgconf"])
189
for line in output.splitlines():
190
name, text, path = line.split(b":")
191
if name == "gpg":
192
self.gpg = path
193
break
194
except OSError as e:
195
if e.errno != errno.ENOENT:
196
raise
160
197
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
198
'--homedir', self.tempdir,
162
199
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
200
'--quiet']
201
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
203
self.gnupgargs.append("--no-use-agent")
204
166
205
def __enter__(self):
167
206
return self
168
207
169
208
def __exit__(self, exc_type, exc_value, traceback):
170
209
self._cleanup()
171
210
return False
172
211
173
212
def __del__(self):
174
213
self._cleanup()
175
214
176
215
def _cleanup(self):
177
216
if self.tempdir is not None:
178
217
# Delete contents of tempdir
179
218
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
219
topdown=False):
181
220
for filename in files:
182
221
os.remove(os.path.join(root, filename))
183
222
for dirname in dirs:
185
224
# Remove tempdir
186
225
os.rmdir(self.tempdir)
187
226
self.tempdir = None
188
227
189
228
def password_encode(self, password):
190
229
# Passphrase can not be empty and can not contain newlines or
191
230
# NUL bytes. So we prefix it and hex encode it.
196
235
.replace(b"\n", b"\\n")
197
236
.replace(b"\0", b"\\x00"))
198
237
return encoded
199
238
200
239
def encrypt(self, data, password):
201
240
passphrase = self.password_encode(password)
202
241
with tempfile.NamedTemporaryFile(
203
242
dir=self.tempdir) as passfile:
204
243
passfile.write(passphrase)
205
244
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
245
proc = subprocess.Popen([self.gpg, '--symmetric',
207
246
'--passphrase-file',
208
247
passfile.name]
209
248
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
249
stdin=subprocess.PIPE,
250
stdout=subprocess.PIPE,
251
stderr=subprocess.PIPE)
252
ciphertext, err = proc.communicate(input=data)
214
253
if proc.returncode != 0:
215
254
raise PGPError(err)
216
255
return ciphertext
217
256
218
257
def decrypt(self, data, password):
219
258
passphrase = self.password_encode(password)
220
259
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
260
dir=self.tempdir) as passfile:
222
261
passfile.write(passphrase)
223
262
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
263
proc = subprocess.Popen([self.gpg, '--decrypt',
225
264
'--passphrase-file',
226
265
passfile.name]
227
266
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
267
stdin=subprocess.PIPE,
268
stdout=subprocess.PIPE,
269
stderr=subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input=data)
232
271
if proc.returncode != 0:
233
272
raise PGPError(err)
234
273
return decrypted_plaintext
235
274
236
275
276
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
def string_array_to_txt_array(self, t):
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
for s in t), signature="ay")
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
293
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
294
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
295
SERVER_INVALID = 0 # avahi-common/defs.h
296
SERVER_REGISTERING = 1 # avahi-common/defs.h
297
SERVER_RUNNING = 2 # avahi-common/defs.h
298
SERVER_COLLISION = 3 # avahi-common/defs.h
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
302
237
303
class AvahiError(Exception):
238
304
def __init__(self, value, *args, **kwargs):
239
305
self.value = value
251
317
252
318
class AvahiService(object):
253
319
"""An Avahi (Zeroconf) service.
254
320
255
321
Attributes:
256
322
interface: integer; avahi.IF_UNSPEC or an interface index.
257
323
Used to optionally bind to the specified interface.
269
335
server: D-Bus Server
270
336
bus: dbus.SystemBus()
271
337
"""
272
338
273
339
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
284
350
self.interface = interface
285
351
self.name = name
286
352
self.type = servicetype
295
361
self.server = None
296
362
self.bus = bus
297
363
self.entry_group_state_changed_match = None
298
364
299
365
def rename(self, remove=True):
300
366
"""Derived from the Avahi example code"""
301
367
if self.rename_count >= self.max_renames:
321
387
logger.critical("D-Bus Exception", exc_info=error)
322
388
self.cleanup()
323
389
os._exit(1)
324
390
325
391
def remove(self):
326
392
"""Derived from the Avahi example code"""
327
393
if self.entry_group_state_changed_match is not None:
329
395
self.entry_group_state_changed_match = None
330
396
if self.group is not None:
331
397
self.group.Reset()
332
398
333
399
def add(self):
334
400
"""Derived from the Avahi example code"""
335
401
self.remove()
352
418
dbus.UInt16(self.port),
353
419
avahi.string_array_to_txt_array(self.TXT))
354
420
self.group.Commit()
355
421
356
422
def entry_group_state_changed(self, state, error):
357
423
"""Derived from the Avahi example code"""
358
424
logger.debug("Avahi entry group state change: %i", state)
359
425
360
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
427
logger.debug("Zeroconf service established.")
362
428
elif state == avahi.ENTRY_GROUP_COLLISION:
366
432
logger.critical("Avahi: Error in group state changed %s",
367
433
str(error))
368
434
raise AvahiGroupError("State changed: {!s}".format(error))
369
435
370
436
def cleanup(self):
371
437
"""Derived from the Avahi example code"""
372
438
if self.group is not None:
377
443
pass
378
444
self.group = None
379
445
self.remove()
380
446
381
447
def server_state_changed(self, state, error=None):
382
448
"""Derived from the Avahi example code"""
383
449
logger.debug("Avahi server state change: %i", state)
412
478
logger.debug("Unknown state: %r", state)
413
479
else:
414
480
logger.debug("Unknown state: %r: %r", state, error)
415
481
416
482
def activate(self):
417
483
"""Derived from the Avahi example code"""
418
484
if self.server is None:
435
501
.format(self.name)))
436
502
return ret
437
503
504
505
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
509
510
library = ctypes.util.find_library("gnutls")
511
if library is None:
512
library = ctypes.util.find_library("gnutls-deb0")
513
_library = ctypes.cdll.LoadLibrary(library)
514
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
523
524
# Unless otherwise indicated, the constants and types below are
525
# all from the gnutls/gnutls.h C header file.
526
527
# Constants
528
E_SUCCESS = 0
529
E_INTERRUPTED = -52
530
E_AGAIN = -28
531
CRT_OPENPGP = 2
532
CLIENT = 2
533
SHUT_RDWR = 0
534
CRD_CERTIFICATE = 1
535
E_NO_CERTIFICATE_FOUND = -49
536
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
537
538
# Types
539
class session_int(ctypes.Structure):
540
_fields_ = []
541
session_t = ctypes.POINTER(session_int)
542
543
class certificate_credentials_st(ctypes.Structure):
544
_fields_ = []
545
certificate_credentials_t = ctypes.POINTER(
546
certificate_credentials_st)
547
certificate_type_t = ctypes.c_int
548
549
class datum_t(ctypes.Structure):
550
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
551
('size', ctypes.c_uint)]
552
553
class openpgp_crt_int(ctypes.Structure):
554
_fields_ = []
555
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
556
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
557
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
558
credentials_type_t = ctypes.c_int
559
transport_ptr_t = ctypes.c_void_p
560
close_request_t = ctypes.c_int
561
562
# Exceptions
563
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
568
def __init__(self, message=None, code=None, args=()):
569
# Default usage is by a message string, but if a return
570
# code is passed, convert it to a string with
571
# gnutls.strerror()
572
self.code = code
573
if message is None and code is not None:
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
576
message, *args)
577
578
class CertificateSecurityError(Error):
579
pass
580
581
# Classes
582
class Credentials(object):
583
def __init__(self):
584
self._c_object = gnutls.certificate_credentials_t()
585
gnutls.certificate_allocate_credentials(
586
ctypes.byref(self._c_object))
587
self.type = gnutls.CRD_CERTIFICATE
588
589
def __del__(self):
590
gnutls.certificate_free_credentials(self._c_object)
591
592
class ClientSession(object):
593
def __init__(self, socket, credentials=None):
594
self._c_object = gnutls.session_t()
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
596
gnutls.set_default_priority(self._c_object)
597
gnutls.transport_set_ptr(self._c_object, socket.fileno())
598
gnutls.handshake_set_private_extensions(self._c_object,
599
True)
600
self.socket = socket
601
if credentials is None:
602
credentials = gnutls.Credentials()
603
gnutls.credentials_set(self._c_object, credentials.type,
604
ctypes.cast(credentials._c_object,
605
ctypes.c_void_p))
606
self.credentials = credentials
607
608
def __del__(self):
609
gnutls.deinit(self._c_object)
610
611
def handshake(self):
612
return gnutls.handshake(self._c_object)
613
614
def send(self, data):
615
data = bytes(data)
616
data_len = len(data)
617
while data_len > 0:
618
data_len -= gnutls.record_send(self._c_object,
619
data[-data_len:],
620
data_len)
621
622
def bye(self):
623
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
624
625
# Error handling functions
626
def _error_code(result):
627
"""A function to raise exceptions on errors, suitable
628
for the 'restype' attribute on ctypes functions"""
629
if result >= 0:
630
return result
631
if result == gnutls.E_NO_CERTIFICATE_FOUND:
632
raise gnutls.CertificateSecurityError(code=result)
633
raise gnutls.Error(code=result)
634
635
def _retry_on_error(result, func, arguments):
636
"""A function to retry on some errors, suitable
637
for the 'errcheck' attribute on ctypes functions"""
638
while result < 0:
639
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
640
return _error_code(result)
641
result = func(*arguments)
642
return result
643
644
# Unless otherwise indicated, the function declarations below are
645
# all from the gnutls/gnutls.h C header file.
646
647
# Functions
648
priority_set_direct = _library.gnutls_priority_set_direct
649
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
650
ctypes.POINTER(ctypes.c_char_p)]
651
priority_set_direct.restype = _error_code
652
653
init = _library.gnutls_init
654
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
655
init.restype = _error_code
656
657
set_default_priority = _library.gnutls_set_default_priority
658
set_default_priority.argtypes = [session_t]
659
set_default_priority.restype = _error_code
660
661
record_send = _library.gnutls_record_send
662
record_send.argtypes = [session_t, ctypes.c_void_p,
663
ctypes.c_size_t]
664
record_send.restype = ctypes.c_ssize_t
665
record_send.errcheck = _retry_on_error
666
667
certificate_allocate_credentials = (
668
_library.gnutls_certificate_allocate_credentials)
669
certificate_allocate_credentials.argtypes = [
670
ctypes.POINTER(certificate_credentials_t)]
671
certificate_allocate_credentials.restype = _error_code
672
673
certificate_free_credentials = (
674
_library.gnutls_certificate_free_credentials)
675
certificate_free_credentials.argtypes = [
676
certificate_credentials_t]
677
certificate_free_credentials.restype = None
678
679
handshake_set_private_extensions = (
680
_library.gnutls_handshake_set_private_extensions)
681
handshake_set_private_extensions.argtypes = [session_t,
682
ctypes.c_int]
683
handshake_set_private_extensions.restype = None
684
685
credentials_set = _library.gnutls_credentials_set
686
credentials_set.argtypes = [session_t, credentials_type_t,
687
ctypes.c_void_p]
688
credentials_set.restype = _error_code
689
690
strerror = _library.gnutls_strerror
691
strerror.argtypes = [ctypes.c_int]
692
strerror.restype = ctypes.c_char_p
693
694
certificate_type_get = _library.gnutls_certificate_type_get
695
certificate_type_get.argtypes = [session_t]
696
certificate_type_get.restype = _error_code
697
698
certificate_get_peers = _library.gnutls_certificate_get_peers
699
certificate_get_peers.argtypes = [session_t,
700
ctypes.POINTER(ctypes.c_uint)]
701
certificate_get_peers.restype = ctypes.POINTER(datum_t)
702
703
global_set_log_level = _library.gnutls_global_set_log_level
704
global_set_log_level.argtypes = [ctypes.c_int]
705
global_set_log_level.restype = None
706
707
global_set_log_function = _library.gnutls_global_set_log_function
708
global_set_log_function.argtypes = [log_func]
709
global_set_log_function.restype = None
710
711
deinit = _library.gnutls_deinit
712
deinit.argtypes = [session_t]
713
deinit.restype = None
714
715
handshake = _library.gnutls_handshake
716
handshake.argtypes = [session_t]
717
handshake.restype = _error_code
718
handshake.errcheck = _retry_on_error
719
720
transport_set_ptr = _library.gnutls_transport_set_ptr
721
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
722
transport_set_ptr.restype = None
723
724
bye = _library.gnutls_bye
725
bye.argtypes = [session_t, close_request_t]
726
bye.restype = _error_code
727
bye.errcheck = _retry_on_error
728
729
check_version = _library.gnutls_check_version
730
check_version.argtypes = [ctypes.c_char_p]
731
check_version.restype = ctypes.c_char_p
732
733
# All the function declarations below are from gnutls/openpgp.h
734
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
738
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
742
openpgp_crt_fmt_t]
743
openpgp_crt_import.restype = _error_code
744
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
749
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
753
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
757
ctypes.c_void_p,
758
ctypes.POINTER(
759
ctypes.c_size_t)]
760
openpgp_crt_get_fingerprint.restype = _error_code
761
762
# Remove non-public functions
763
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
765
gnutls = GnuTLS()
766
767
438
768
def call_pipe(connection, # : multiprocessing.Connection
439
769
func, *args, **kwargs):
440
770
"""This function is meant to be called by multiprocessing.Process
441
771
442
772
This function runs func(*args, **kwargs), and writes the resulting
443
773
return value on the provided multiprocessing.Connection.
444
774
"""
445
775
connection.send(func(*args, **kwargs))
446
776
connection.close()
447
777
778
448
779
class Client(object):
449
780
"""A representation of a client host served by this server.
450
781
451
782
Attributes:
452
783
approved: bool(); 'None' if not yet approved/disapproved
453
784
approval_delay: datetime.timedelta(); Time to wait for approval
455
786
checker: subprocess.Popen(); a running checker process used
456
787
to see if the client lives.
457
788
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
789
checker_callback_tag: a GLib event source tag, or None
459
790
checker_command: string; External command which is run to check
460
791
if client lives. %() expansions are done at
461
792
runtime with vars(self) as dict, so that for
462
793
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
794
checker_initiator_tag: a GLib event source tag, or None
464
795
created: datetime.datetime(); (UTC) object creation
465
796
client_structure: Object describing what attributes a client has
466
797
and is used for storing the client at exit
467
798
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
799
disable_initiator_tag: a GLib event source tag, or None
469
800
enabled: bool()
470
801
fingerprint: string (40 or 32 hexadecimal digits); used to
471
802
uniquely identify the client
490
821
disabled, or None
491
822
server_settings: The server_settings dict from main()
492
823
"""
493
824
494
825
runtime_expansions = ("approval_delay", "approval_duration",
495
826
"created", "enabled", "expires",
496
827
"fingerprint", "host", "interval",
507
838
"approved_by_default": "True",
508
839
"enabled": "True",
509
840
}
510
841
511
842
@staticmethod
512
843
def config_parser(config):
513
844
"""Construct a new dict of client settings of this form:
520
851
for client_name in config.sections():
521
852
section = dict(config.items(client_name))
522
853
client = settings[client_name] = {}
523
854
524
855
client["host"] = section["host"]
525
856
# Reformat values from string types to Python types
526
857
client["approved_by_default"] = config.getboolean(
527
858
client_name, "approved_by_default")
528
859
client["enabled"] = config.getboolean(client_name,
529
860
"enabled")
530
861
531
862
# Uppercase and remove spaces from fingerprint for later
532
863
# comparison purposes with return value from the
533
864
# fingerprint() function
534
865
client["fingerprint"] = (section["fingerprint"].upper()
535
866
.replace(" ", ""))
536
867
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
868
client["secret"] = codecs.decode(section["secret"]
869
.encode("utf-8"),
870
"base64")
538
871
elif "secfile" in section:
539
872
with open(os.path.expanduser(os.path.expandvars
540
873
(section["secfile"])),
555
888
client["last_approval_request"] = None
556
889
client["last_checked_ok"] = None
557
890
client["last_checker_status"] = -2
558
891
559
892
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
893
894
def __init__(self, settings, name=None, server_settings=None):
562
895
self.name = name
563
896
if server_settings is None:
564
897
server_settings = {}
566
899
# adding all client settings
567
900
for setting, value in settings.items():
568
901
setattr(self, setting, value)
569
902
570
903
if self.enabled:
571
904
if not hasattr(self, "last_enabled"):
572
905
self.last_enabled = datetime.datetime.utcnow()
576
909
else:
577
910
self.last_enabled = None
578
911
self.expires = None
579
912
580
913
logger.debug("Creating client %r", self.name)
581
914
logger.debug(" Fingerprint: %s", self.fingerprint)
582
915
self.created = settings.get("created",
583
916
datetime.datetime.utcnow())
584
917
585
918
# attributes specific for this server instance
586
919
self.checker = None
587
920
self.checker_initiator_tag = None
593
926
self.changedstate = multiprocessing_manager.Condition(
594
927
multiprocessing_manager.Lock())
595
928
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
929
for attr in self.__dict__.keys()
597
930
if not attr.startswith("_")]
598
931
self.client_structure.append("client_structure")
599
932
600
933
for name, t in inspect.getmembers(
601
934
type(self), lambda obj: isinstance(obj, property)):
602
935
if not name.startswith("_"):
603
936
self.client_structure.append(name)
604
937
605
938
# Send notice to process children that client state has changed
606
939
def send_changedstate(self):
607
940
with self.changedstate:
608
941
self.changedstate.notify_all()
609
942
610
943
def enable(self):
611
944
"""Start this client's checker and timeout hooks"""
612
945
if getattr(self, "enabled", False):
617
950
self.last_enabled = datetime.datetime.utcnow()
618
951
self.init_checker()
619
952
self.send_changedstate()
620
953
621
954
def disable(self, quiet=True):
622
955
"""Disable this client."""
623
956
if not getattr(self, "enabled", False):
625
958
if not quiet:
626
959
logger.info("Disabling client %s", self.name)
627
960
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
961
GLib.source_remove(self.disable_initiator_tag)
629
962
self.disable_initiator_tag = None
630
963
self.expires = None
631
964
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
965
GLib.source_remove(self.checker_initiator_tag)
633
966
self.checker_initiator_tag = None
634
967
self.stop_checker()
635
968
self.enabled = False
636
969
if not quiet:
637
970
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
971
# Do not run this again if called by a GLib.timeout_add
639
972
return False
640
973
641
974
def __del__(self):
642
975
self.disable()
643
976
644
977
def init_checker(self):
645
978
# Schedule a new checker to be started an 'interval' from now,
646
979
# and every interval from then on.
647
980
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
981
GLib.source_remove(self.checker_initiator_tag)
982
self.checker_initiator_tag = GLib.timeout_add(
650
983
int(self.interval.total_seconds() * 1000),
651
984
self.start_checker)
652
985
# Schedule a disable() when 'timeout' has passed
653
986
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
987
GLib.source_remove(self.disable_initiator_tag)
988
self.disable_initiator_tag = GLib.timeout_add(
656
989
int(self.timeout.total_seconds() * 1000), self.disable)
657
990
# Also start a new checker *right now*.
658
991
self.start_checker()
659
992
660
993
def checker_callback(self, source, condition, connection,
661
994
command):
662
995
"""The checker has completed, so take appropriate actions."""
665
998
# Read return code from connection (see call_pipe)
666
999
returncode = connection.recv()
667
1000
connection.close()
668
1001
669
1002
if returncode >= 0:
670
1003
self.last_checker_status = returncode
671
1004
self.last_checker_signal = None
681
1014
logger.warning("Checker for %(name)s crashed?",
682
1015
vars(self))
683
1016
return False
684
1017
685
1018
def checked_ok(self):
686
1019
"""Assert that the client has been seen, alive and well."""
687
1020
self.last_checked_ok = datetime.datetime.utcnow()
688
1021
self.last_checker_status = 0
689
1022
self.last_checker_signal = None
690
1023
self.bump_timeout()
691
1024
692
1025
def bump_timeout(self, timeout=None):
693
1026
"""Bump up the timeout for this client."""
694
1027
if timeout is None:
695
1028
timeout = self.timeout
696
1029
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1030
GLib.source_remove(self.disable_initiator_tag)
698
1031
self.disable_initiator_tag = None
699
1032
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1033
self.disable_initiator_tag = GLib.timeout_add(
701
1034
int(timeout.total_seconds() * 1000), self.disable)
702
1035
self.expires = datetime.datetime.utcnow() + timeout
703
1036
704
1037
def need_approval(self):
705
1038
self.last_approval_request = datetime.datetime.utcnow()
706
1039
707
1040
def start_checker(self):
708
1041
"""Start a new checker subprocess if one is not running.
709
1042
710
1043
If a checker already exists, leave it running and do
711
1044
nothing."""
712
1045
# The reason for not killing a running checker is that if we
717
1050
# checkers alone, the checker would have to take more time
718
1051
# than 'timeout' for the client to be disabled, which is as it
719
1052
# should be.
720
1053
721
1054
if self.checker is not None and not self.checker.is_alive():
722
1055
logger.warning("Checker was not alive; joining")
723
1056
self.checker.join()
727
1060
# Escape attributes for the shell
728
1061
escaped_attrs = {
729
1062
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1063
for attr in self.runtime_expansions}
731
1064
try:
732
1065
command = self.checker_command % escaped_attrs
733
1066
except TypeError as error:
745
1078
# The exception is when not debugging but nevertheless
746
1079
# running in the foreground; use the previously
747
1080
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1081
popen_args = {"close_fds": True,
1082
"shell": True,
1083
"cwd": "/"}
751
1084
if (not self.server_settings["debug"]
752
1085
and self.server_settings["foreground"]):
753
1086
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1087
"stderr": wnull})
1088
pipe = multiprocessing.Pipe(duplex=False)
756
1089
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1090
target=call_pipe,
1091
args=(pipe[1], subprocess.call, command),
1092
kwargs=popen_args)
760
1093
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1094
self.checker_callback_tag = GLib.io_add_watch(
1095
pipe[0].fileno(), GLib.IO_IN,
763
1096
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1097
# Re-run this periodically if run by GLib.timeout_add
765
1098
return True
766
1099
767
1100
def stop_checker(self):
768
1101
"""Force the checker process, if any, to stop."""
769
1102
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1103
GLib.source_remove(self.checker_callback_tag)
771
1104
self.checker_callback_tag = None
772
1105
if getattr(self, "checker", None) is None:
773
1106
return
782
1115
byte_arrays=False):
783
1116
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1117
become properties on the D-Bus.
785
1118
786
1119
The decorated method will be called with no arguments by "Get"
787
1120
and with one argument by "Set".
788
1121
789
1122
The parameters, where they are supported, are the same as
790
1123
dbus.service.method, except there is only "signature", since the
791
1124
type from Get() and the type sent to Set() is the same.
795
1128
if byte_arrays and signature != "ay":
796
1129
raise ValueError("Byte arrays not supported for non-'ay'"
797
1130
" signature {!r}".format(signature))
798
1131
799
1132
def decorator(func):
800
1133
func._dbus_is_property = True
801
1134
func._dbus_interface = dbus_interface
804
1137
func._dbus_name = func.__name__
805
1138
if func._dbus_name.endswith("_dbus_property"):
806
1139
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1140
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1141
return func
809
1142
810
1143
return decorator
811
1144
812
1145
813
1146
def dbus_interface_annotations(dbus_interface):
814
1147
"""Decorator for marking functions returning interface annotations
815
1148
816
1149
Usage:
817
1150
818
1151
@dbus_interface_annotations("org.example.Interface")
819
1152
def _foo(self): # Function name does not matter
820
1153
return {"org.freedesktop.DBus.Deprecated": "true",
821
1154
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1155
"false"}
823
1156
"""
824
1157
825
1158
def decorator(func):
826
1159
func._dbus_is_interface = True
827
1160
func._dbus_interface = dbus_interface
828
1161
func._dbus_name = dbus_interface
829
1162
return func
830
1163
831
1164
return decorator
832
1165
833
1166
834
1167
def dbus_annotations(annotations):
835
1168
"""Decorator to annotate D-Bus methods, signals or properties
836
1169
Usage:
837
1170
838
1171
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1172
"org.freedesktop.DBus.Property."
840
1173
"EmitsChangedSignal": "false"})
842
1175
access="r")
843
1176
def Property_dbus_property(self):
844
1177
return dbus.Boolean(False)
845
1178
846
1179
See also the DBusObjectWithAnnotations class.
847
1180
"""
848
1181
849
1182
def decorator(func):
850
1183
func._dbus_annotations = annotations
851
1184
return func
852
1185
853
1186
return decorator
854
1187
855
1188
873
1206
874
1207
class DBusObjectWithAnnotations(dbus.service.Object):
875
1208
"""A D-Bus object with annotations.
876
1209
877
1210
Classes inheriting from this can use the dbus_annotations
878
1211
decorator to add annotations to methods or signals.
879
1212
"""
880
1213
881
1214
@staticmethod
882
1215
def _is_dbus_thing(thing):
883
1216
"""Returns a function testing if an attribute is a D-Bus thing
884
1217
885
1218
If called like _is_dbus_thing("method") it returns a function
886
1219
suitable for use as predicate to inspect.getmembers().
887
1220
"""
888
1221
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1222
False)
890
1223
891
1224
def _get_all_dbus_things(self, thing):
892
1225
"""Returns a generator of (name, attribute) pairs
893
1226
"""
896
1229
for cls in self.__class__.__mro__
897
1230
for name, athing in
898
1231
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1232
900
1233
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1234
out_signature="s",
1235
path_keyword='object_path',
1236
connection_keyword='connection')
904
1237
def Introspect(self, object_path, connection):
905
1238
"""Overloading of standard D-Bus method.
906
1239
907
1240
Inserts annotation tags on methods and signals.
908
1241
"""
909
1242
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1243
connection)
911
1244
try:
912
1245
document = xml.dom.minidom.parseString(xmlstring)
913
1246
914
1247
for if_tag in document.getElementsByTagName("interface"):
915
1248
# Add annotation tags
916
1249
for typ in ("method", "signal"):
943
1276
if_tag.appendChild(ann_tag)
944
1277
# Fix argument name for the Introspect method itself
945
1278
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1279
== dbus.INTROSPECTABLE_IFACE):
947
1280
for cn in if_tag.getElementsByTagName("method"):
948
1281
if cn.getAttribute("name") == "Introspect":
949
1282
for arg in cn.getElementsByTagName("arg"):
962
1295
963
1296
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1297
"""A D-Bus object with properties.
965
1298
966
1299
Classes inheriting from this can use the dbus_service_property
967
1300
decorator to expose methods as D-Bus properties. It exposes the
968
1301
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1302
"""
970
1303
971
1304
def _get_dbus_property(self, interface_name, property_name):
972
1305
"""Returns a bound method if one exists which is a D-Bus
973
1306
property with the specified name and interface.
978
1311
if (value._dbus_name == property_name
979
1312
and value._dbus_interface == interface_name):
980
1313
return value.__get__(self)
981
1314
982
1315
# No such property
983
1316
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1317
self.dbus_object_path, interface_name, property_name))
985
1318
986
1319
@classmethod
987
1320
def _get_all_interface_names(cls):
988
1321
"""Get a sequence of all interfaces supported by an object"""
991
1324
for x in (inspect.getmro(cls))
992
1325
for attr in dir(x))
993
1326
if name is not None)
994
1327
995
1328
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1329
in_signature="ss",
997
1330
out_signature="v")
1005
1338
if not hasattr(value, "variant_level"):
1006
1339
return value
1007
1340
return type(value)(value, variant_level=value.variant_level+1)
1008
1341
1009
1342
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1343
def Set(self, interface_name, property_name, value):
1011
1344
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1356
value = dbus.ByteArray(b''.join(chr(byte)
1024
1357
for byte in value))
1025
1358
prop(value)
1026
1359
1027
1360
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1361
in_signature="s",
1029
1362
out_signature="a{sv}")
1030
1363
def GetAll(self, interface_name):
1031
1364
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1365
standard.
1033
1366
1034
1367
Note: Will not include properties with access="write".
1035
1368
"""
1036
1369
properties = {}
1047
1380
properties[name] = value
1048
1381
continue
1049
1382
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1383
value, variant_level=value.variant_level + 1)
1051
1384
return dbus.Dictionary(properties, signature="sv")
1052
1385
1053
1386
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1387
def PropertiesChanged(self, interface_name, changed_properties,
1055
1388
invalidated_properties):
1057
1390
standard.
1058
1391
"""
1059
1392
pass
1060
1393
1061
1394
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1395
out_signature="s",
1063
1396
path_keyword='object_path',
1064
1397
connection_keyword='connection')
1065
1398
def Introspect(self, object_path, connection):
1066
1399
"""Overloading of standard D-Bus method.
1067
1400
1068
1401
Inserts property tags and interface annotation tags.
1069
1402
"""
1070
1403
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1405
connection)
1073
1406
try:
1074
1407
document = xml.dom.minidom.parseString(xmlstring)
1075
1408
1076
1409
def make_tag(document, name, prop):
1077
1410
e = document.createElement("property")
1078
1411
e.setAttribute("name", name)
1079
1412
e.setAttribute("type", prop._dbus_signature)
1080
1413
e.setAttribute("access", prop._dbus_access)
1081
1414
return e
1082
1415
1083
1416
for if_tag in document.getElementsByTagName("interface"):
1084
1417
# Add property tags
1085
1418
for tag in (make_tag(document, name, prop)
1132
1465
except AttributeError:
1133
1466
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1467
1468
1135
1469
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1470
"""A D-Bus object with an ObjectManager.
1137
1471
1138
1472
Classes inheriting from this exposes the standard
1139
1473
GetManagedObjects call and the InterfacesAdded and
1140
1474
InterfacesRemoved signals on the standard
1141
1475
"org.freedesktop.DBus.ObjectManager" interface.
1142
1476
1143
1477
Note: No signals are sent automatically; they must be sent
1144
1478
manually.
1145
1479
"""
1146
1480
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1481
out_signature="a{oa{sa{sv}}}")
1148
1482
def GetManagedObjects(self):
1149
1483
"""This function must be overridden"""
1150
1484
raise NotImplementedError()
1151
1485
1152
1486
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1487
signature="oa{sa{sv}}")
1154
1488
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1489
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1490
1491
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1492
def InterfacesRemoved(self, object_path, interfaces):
1159
1493
pass
1160
1494
1161
1495
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1496
out_signature="s",
1497
path_keyword='object_path',
1498
connection_keyword='connection')
1165
1499
def Introspect(self, object_path, connection):
1166
1500
"""Overloading of standard D-Bus method.
1167
1501
1168
1502
Override return argument name of GetManagedObjects to be
1169
1503
"objpath_interfaces_and_properties"
1170
1504
"""
1173
1507
connection)
1174
1508
try:
1175
1509
document = xml.dom.minidom.parseString(xmlstring)
1176
1510
1177
1511
for if_tag in document.getElementsByTagName("interface"):
1178
1512
# Fix argument name for the GetManagedObjects method
1179
1513
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1514
== dbus.OBJECT_MANAGER_IFACE):
1181
1515
for cn in if_tag.getElementsByTagName("method"):
1182
1516
if (cn.getAttribute("name")
1183
1517
== "GetManagedObjects"):
1193
1527
except (AttributeError, xml.dom.DOMException,
1194
1528
xml.parsers.expat.ExpatError) as error:
1195
1529
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1530
exc_info=error)
1197
1531
return xmlstring
1198
1532
1533
1199
1534
def datetime_to_dbus(dt, variant_level=0):
1200
1535
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1536
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1537
return dbus.String("", variant_level=variant_level)
1203
1538
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1539
1205
1540
1208
1543
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1544
interface names according to the "alt_interface_names" mapping.
1210
1545
Usage:
1211
1546
1212
1547
@alternate_dbus_interfaces({"org.example.Interface":
1213
1548
"net.example.AlternateInterface"})
1214
1549
class SampleDBusObject(dbus.service.Object):
1215
1550
@dbus.service.method("org.example.Interface")
1216
1551
def SampleDBusMethod():
1217
1552
pass
1218
1553
1219
1554
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1555
reachable via two interfaces: "org.example.Interface" and
1221
1556
"net.example.AlternateInterface", the latter of which will have
1222
1557
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1558
"true", unless "deprecate" is passed with a False value.
1224
1559
1225
1560
This works for methods and signals, and also for D-Bus properties
1226
1561
(from DBusObjectWithProperties) and interfaces (from the
1227
1562
dbus_interface_annotations decorator).
1228
1563
"""
1229
1564
1230
1565
def wrapper(cls):
1231
1566
for orig_interface_name, alt_interface_name in (
1232
1567
alt_interface_names.items()):
1247
1582
interface_names.add(alt_interface)
1248
1583
# Is this a D-Bus signal?
1249
1584
if getattr(attribute, "_dbus_is_signal", False):
1585
# Extract the original non-method undecorated
1586
# function by black magic
1250
1587
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1588
nonmethod_func = (dict(
1254
1589
zip(attribute.func_code.co_freevars,
1255
1590
attribute.__closure__))
1256
1591
["func"].cell_contents)
1257
1592
else:
1258
nonmethod_func = attribute
1593
nonmethod_func = (dict(
1594
zip(attribute.__code__.co_freevars,
1595
attribute.__closure__))
1596
["func"].cell_contents)
1259
1597
# Create a new, but exactly alike, function
1260
1598
# object, and decorate it to be a new D-Bus signal
1261
1599
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1600
new_function = copy_function(nonmethod_func)
1276
1601
new_function = (dbus.service.signal(
1277
1602
alt_interface,
1278
1603
attribute._dbus_signature)(new_function))
1282
1607
attribute._dbus_annotations)
1283
1608
except AttributeError:
1284
1609
pass
1610
1285
1611
# Define a creator of a function to call both the
1286
1612
# original and alternate functions, so both the
1287
1613
# original and alternate signals gets sent when
1290
1616
"""This function is a scope container to pass
1291
1617
func1 and func2 to the "call_both" function
1292
1618
outside of its arguments"""
1293
1619
1294
1620
@functools.wraps(func2)
1295
1621
def call_both(*args, **kwargs):
1296
1622
"""This function will emit two D-Bus
1297
1623
signals by calling func1 and func2"""
1298
1624
func1(*args, **kwargs)
1299
1625
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1626
# Make wrapper function look like a D-Bus
1627
# signal
1301
1628
for name, attr in inspect.getmembers(func2):
1302
1629
if name.startswith("_dbus_"):
1303
1630
setattr(call_both, name, attr)
1304
1631
1305
1632
return call_both
1306
1633
# Create the "call_both" function and add it to
1307
1634
# the class
1317
1644
alt_interface,
1318
1645
attribute._dbus_in_signature,
1319
1646
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1647
(copy_function(attribute)))
1325
1648
# Copy annotations, if any
1326
1649
try:
1327
1650
attr[attrname]._dbus_annotations = dict(
1339
1662
attribute._dbus_access,
1340
1663
attribute._dbus_get_args_options
1341
1664
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1665
(copy_function(attribute)))
1348
1666
# Copy annotations, if any
1349
1667
try:
1350
1668
attr[attrname]._dbus_annotations = dict(
1359
1677
# to the class.
1360
1678
attr[attrname] = (
1361
1679
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1680
(copy_function(attribute)))
1367
1681
if deprecate:
1368
1682
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1683
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1684
for interface_name in interface_names:
1371
1685
1372
1686
@dbus_interface_annotations(interface_name)
1373
1687
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1688
return {"org.freedesktop.DBus.Deprecated":
1689
"true"}
1376
1690
# Find an unused name
1377
1691
for aname in (iname.format(i)
1378
1692
for i in itertools.count()):
1382
1696
if interface_names:
1383
1697
# Replace the class with a new subclass of it with
1384
1698
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1699
if sys.version_info.major == 2:
1700
cls = type(b"{}Alternate".format(cls.__name__),
1701
(cls, ), attr)
1702
else:
1703
cls = type("{}Alternate".format(cls.__name__),
1704
(cls, ), attr)
1387
1705
return cls
1388
1706
1389
1707
return wrapper
1390
1708
1391
1709
1393
1711
"se.bsnet.fukt.Mandos"})
1394
1712
class ClientDBus(Client, DBusObjectWithProperties):
1395
1713
"""A Client class using D-Bus
1396
1714
1397
1715
Attributes:
1398
1716
dbus_object_path: dbus.ObjectPath
1399
1717
bus: dbus.SystemBus()
1400
1718
"""
1401
1719
1402
1720
runtime_expansions = (Client.runtime_expansions
1403
1721
+ ("dbus_object_path", ))
1404
1722
1405
1723
_interface = "se.recompile.Mandos.Client"
1406
1724
1407
1725
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1726
1727
def __init__(self, bus=None, *args, **kwargs):
1410
1728
self.bus = bus
1411
1729
Client.__init__(self, *args, **kwargs)
1412
1730
# Only now, when this client is initialized, can it show up on
1418
1736
"/clients/" + client_object_name)
1419
1737
DBusObjectWithProperties.__init__(self, self.bus,
1420
1738
self.dbus_object_path)
1421
1739
1422
1740
def notifychangeproperty(transform_func, dbus_name,
1423
1741
type_func=lambda x: x,
1424
1742
variant_level=1,
1426
1744
_interface=_interface):
1427
1745
""" Modify a variable so that it's a property which announces
1428
1746
its changes to DBus.
1429
1747
1430
1748
transform_fun: Function that takes a value and a variant_level
1431
1749
and transforms it to a D-Bus type.
1432
1750
dbus_name: D-Bus name of the variable
1435
1753
variant_level: D-Bus variant level. Default: 1
1436
1754
"""
1437
1755
attrname = "_{}".format(dbus_name)
1438
1756
1439
1757
def setter(self, value):
1440
1758
if hasattr(self, "dbus_object_path"):
1441
1759
if (not hasattr(self, attrname) or
1448
1766
else:
1449
1767
dbus_value = transform_func(
1450
1768
type_func(value),
1451
variant_level = variant_level)
1769
variant_level=variant_level)
1452
1770
self.PropertyChanged(dbus.String(dbus_name),
1453
1771
dbus_value)
1454
1772
self.PropertiesChanged(
1455
1773
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1774
dbus.Dictionary({dbus.String(dbus_name):
1775
dbus_value}),
1458
1776
dbus.Array())
1459
1777
setattr(self, attrname, value)
1460
1778
1461
1779
return property(lambda self: getattr(self, attrname), setter)
1462
1780
1463
1781
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1782
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1783
"ApprovalPending",
1466
type_func = bool)
1784
type_func=bool)
1467
1785
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1786
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1787
"LastEnabled")
1470
1788
checker = notifychangeproperty(
1471
1789
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1790
type_func=lambda checker: checker is not None)
1473
1791
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1792
"LastCheckedOK")
1475
1793
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1798
"ApprovedByDefault")
1481
1799
approval_delay = notifychangeproperty(
1482
1800
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1801
type_func=lambda td: td.total_seconds() * 1000)
1484
1802
approval_duration = notifychangeproperty(
1485
1803
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1804
type_func=lambda td: td.total_seconds() * 1000)
1487
1805
host = notifychangeproperty(dbus.String, "Host")
1488
1806
timeout = notifychangeproperty(
1489
1807
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1808
type_func=lambda td: td.total_seconds() * 1000)
1491
1809
extended_timeout = notifychangeproperty(
1492
1810
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1811
type_func=lambda td: td.total_seconds() * 1000)
1494
1812
interval = notifychangeproperty(
1495
1813
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1814
type_func=lambda td: td.total_seconds() * 1000)
1497
1815
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1816
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1817
invalidate_only=True)
1500
1818
1501
1819
del notifychangeproperty
1502
1820
1503
1821
def __del__(self, *args, **kwargs):
1504
1822
try:
1505
1823
self.remove_from_connection()
1508
1826
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1827
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1828
Client.__del__(self, *args, **kwargs)
1511
1829
1512
1830
def checker_callback(self, source, condition,
1513
1831
connection, command, *args, **kwargs):
1514
1832
ret = Client.checker_callback(self, source, condition,
1530
1848
| self.last_checker_signal),
1531
1849
dbus.String(command))
1532
1850
return ret
1533
1851
1534
1852
def start_checker(self, *args, **kwargs):
1535
1853
old_checker_pid = getattr(self.checker, "pid", None)
1536
1854
r = Client.start_checker(self, *args, **kwargs)
1540
1858
# Emit D-Bus signal
1541
1859
self.CheckerStarted(self.current_checker_command)
1542
1860
return r
1543
1861
1544
1862
def _reset_approved(self):
1545
1863
self.approved = None
1546
1864
return False
1547
1865
1548
1866
def approve(self, value=True):
1549
1867
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1868
GLib.timeout_add(int(self.approval_duration.total_seconds()
1869
* 1000), self._reset_approved)
1552
1870
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1871
1872
# D-Bus methods, signals & properties
1873
1874
# Interfaces
1875
1876
# Signals
1877
1560
1878
# CheckerCompleted - signal
1561
1879
@dbus.service.signal(_interface, signature="nxs")
1562
1880
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1881
"D-Bus signal"
1564
1882
pass
1565
1883
1566
1884
# CheckerStarted - signal
1567
1885
@dbus.service.signal(_interface, signature="s")
1568
1886
def CheckerStarted(self, command):
1569
1887
"D-Bus signal"
1570
1888
pass
1571
1889
1572
1890
# PropertyChanged - signal
1573
1891
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1892
@dbus.service.signal(_interface, signature="sv")
1575
1893
def PropertyChanged(self, property, value):
1576
1894
"D-Bus signal"
1577
1895
pass
1578
1896
1579
1897
# GotSecret - signal
1580
1898
@dbus.service.signal(_interface)
1581
1899
def GotSecret(self):
1584
1902
server to mandos-client
1585
1903
"""
1586
1904
pass
1587
1905
1588
1906
# Rejected - signal
1589
1907
@dbus.service.signal(_interface, signature="s")
1590
1908
def Rejected(self, reason):
1591
1909
"D-Bus signal"
1592
1910
pass
1593
1911
1594
1912
# NeedApproval - signal
1595
1913
@dbus.service.signal(_interface, signature="tb")
1596
1914
def NeedApproval(self, timeout, default):
1597
1915
"D-Bus signal"
1598
1916
return self.need_approval()
1599
1600
## Methods
1601
1917
1918
# Methods
1919
1602
1920
# Approve - method
1603
1921
@dbus.service.method(_interface, in_signature="b")
1604
1922
def Approve(self, value):
1605
1923
self.approve(value)
1606
1924
1607
1925
# CheckedOK - method
1608
1926
@dbus.service.method(_interface)
1609
1927
def CheckedOK(self):
1610
1928
self.checked_ok()
1611
1929
1612
1930
# Enable - method
1613
1931
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1932
@dbus.service.method(_interface)
1615
1933
def Enable(self):
1616
1934
"D-Bus method"
1617
1935
self.enable()
1618
1936
1619
1937
# StartChecker - method
1620
1938
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1939
@dbus.service.method(_interface)
1622
1940
def StartChecker(self):
1623
1941
"D-Bus method"
1624
1942
self.start_checker()
1625
1943
1626
1944
# Disable - method
1627
1945
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
1946
@dbus.service.method(_interface)
1629
1947
def Disable(self):
1630
1948
"D-Bus method"
1631
1949
self.disable()
1632
1950
1633
1951
# StopChecker - method
1634
1952
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
1953
@dbus.service.method(_interface)
1636
1954
def StopChecker(self):
1637
1955
self.stop_checker()
1638
1639
## Properties
1640
1956
1957
# Properties
1958
1641
1959
# ApprovalPending - property
1642
1960
@dbus_service_property(_interface, signature="b", access="read")
1643
1961
def ApprovalPending_dbus_property(self):
1644
1962
return dbus.Boolean(bool(self.approvals_pending))
1645
1963
1646
1964
# ApprovedByDefault - property
1647
1965
@dbus_service_property(_interface,
1648
1966
signature="b",
1651
1969
if value is None: # get
1652
1970
return dbus.Boolean(self.approved_by_default)
1653
1971
self.approved_by_default = bool(value)
1654
1972
1655
1973
# ApprovalDelay - property
1656
1974
@dbus_service_property(_interface,
1657
1975
signature="t",
1661
1979
return dbus.UInt64(self.approval_delay.total_seconds()
1662
1980
* 1000)
1663
1981
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
1982
1665
1983
# ApprovalDuration - property
1666
1984
@dbus_service_property(_interface,
1667
1985
signature="t",
1671
1989
return dbus.UInt64(self.approval_duration.total_seconds()
1672
1990
* 1000)
1673
1991
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
1992
1675
1993
# Name - property
1676
1994
@dbus_annotations(
1677
1995
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
1996
@dbus_service_property(_interface, signature="s", access="read")
1679
1997
def Name_dbus_property(self):
1680
1998
return dbus.String(self.name)
1681
1999
1682
2000
# Fingerprint - property
1683
2001
@dbus_annotations(
1684
2002
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2003
@dbus_service_property(_interface, signature="s", access="read")
1686
2004
def Fingerprint_dbus_property(self):
1687
2005
return dbus.String(self.fingerprint)
1688
2006
1689
2007
# Host - property
1690
2008
@dbus_service_property(_interface,
1691
2009
signature="s",
1694
2012
if value is None: # get
1695
2013
return dbus.String(self.host)
1696
2014
self.host = str(value)
1697
2015
1698
2016
# Created - property
1699
2017
@dbus_annotations(
1700
2018
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2019
@dbus_service_property(_interface, signature="s", access="read")
1702
2020
def Created_dbus_property(self):
1703
2021
return datetime_to_dbus(self.created)
1704
2022
1705
2023
# LastEnabled - property
1706
2024
@dbus_service_property(_interface, signature="s", access="read")
1707
2025
def LastEnabled_dbus_property(self):
1708
2026
return datetime_to_dbus(self.last_enabled)
1709
2027
1710
2028
# Enabled - property
1711
2029
@dbus_service_property(_interface,
1712
2030
signature="b",
1718
2036
self.enable()
1719
2037
else:
1720
2038
self.disable()
1721
2039
1722
2040
# LastCheckedOK - property
1723
2041
@dbus_service_property(_interface,
1724
2042
signature="s",
1728
2046
self.checked_ok()
1729
2047
return
1730
2048
return datetime_to_dbus(self.last_checked_ok)
1731
2049
1732
2050
# LastCheckerStatus - property
1733
2051
@dbus_service_property(_interface, signature="n", access="read")
1734
2052
def LastCheckerStatus_dbus_property(self):
1735
2053
return dbus.Int16(self.last_checker_status)
1736
2054
1737
2055
# Expires - property
1738
2056
@dbus_service_property(_interface, signature="s", access="read")
1739
2057
def Expires_dbus_property(self):
1740
2058
return datetime_to_dbus(self.expires)
1741
2059
1742
2060
# LastApprovalRequest - property
1743
2061
@dbus_service_property(_interface, signature="s", access="read")
1744
2062
def LastApprovalRequest_dbus_property(self):
1745
2063
return datetime_to_dbus(self.last_approval_request)
1746
2064
1747
2065
# Timeout - property
1748
2066
@dbus_service_property(_interface,
1749
2067
signature="t",
1764
2082
if (getattr(self, "disable_initiator_tag", None)
1765
2083
is None):
1766
2084
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2085
GLib.source_remove(self.disable_initiator_tag)
2086
self.disable_initiator_tag = GLib.timeout_add(
1769
2087
int((self.expires - now).total_seconds() * 1000),
1770
2088
self.disable)
1771
2089
1772
2090
# ExtendedTimeout - property
1773
2091
@dbus_service_property(_interface,
1774
2092
signature="t",
1778
2096
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2097
* 1000)
1780
2098
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2099
1782
2100
# Interval - property
1783
2101
@dbus_service_property(_interface,
1784
2102
signature="t",
1791
2109
return
1792
2110
if self.enabled:
1793
2111
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2112
GLib.source_remove(self.checker_initiator_tag)
2113
self.checker_initiator_tag = GLib.timeout_add(
1796
2114
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2115
self.start_checker() # Start one now, too
2116
1799
2117
# Checker - property
1800
2118
@dbus_service_property(_interface,
1801
2119
signature="s",
1804
2122
if value is None: # get
1805
2123
return dbus.String(self.checker_command)
1806
2124
self.checker_command = str(value)
1807
2125
1808
2126
# CheckerRunning - property
1809
2127
@dbus_service_property(_interface,
1810
2128
signature="b",
1816
2134
self.start_checker()
1817
2135
else:
1818
2136
self.stop_checker()
1819
2137
1820
2138
# ObjectPath - property
1821
2139
@dbus_annotations(
1822
2140
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2141
"org.freedesktop.DBus.Deprecated": "true"})
1824
2142
@dbus_service_property(_interface, signature="o", access="read")
1825
2143
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2144
return self.dbus_object_path # is already a dbus.ObjectPath
2145
1828
2146
# Secret = property
1829
2147
@dbus_annotations(
1830
2148
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2153
byte_arrays=True)
1836
2154
def Secret_dbus_property(self, value):
1837
2155
self.secret = bytes(value)
1838
2156
1839
2157
del _interface
1840
2158
1841
2159
1845
2163
self._pipe.send(('init', fpr, address))
1846
2164
if not self._pipe.recv():
1847
2165
raise KeyError(fpr)
1848
2166
1849
2167
def __getattribute__(self, name):
1850
2168
if name == '_pipe':
1851
2169
return super(ProxyClient, self).__getattribute__(name)
1854
2172
if data[0] == 'data':
1855
2173
return data[1]
1856
2174
if data[0] == 'function':
1857
2175
1858
2176
def func(*args, **kwargs):
1859
2177
self._pipe.send(('funcall', name, args, kwargs))
1860
2178
return self._pipe.recv()[1]
1861
2179
1862
2180
return func
1863
2181
1864
2182
def __setattr__(self, name, value):
1865
2183
if name == '_pipe':
1866
2184
return super(ProxyClient, self).__setattr__(name, value)
1869
2187
1870
2188
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2189
"""A class to handle client connections.
1872
2190
1873
2191
Instantiated once for each connection to handle it.
1874
2192
Note: This will run in its own forked process."""
1875
2193
1876
2194
def handle(self):
1877
2195
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2196
logger.info("TCP connection from: %s",
1879
2197
str(self.client_address))
1880
2198
logger.debug("Pipe FD: %d",
1881
2199
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2200
2201
session = gnutls.ClientSession(self.request)
2202
2203
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2204
# "+AES-256-CBC", "+SHA1",
2205
# "+COMP-NULL", "+CTYPE-OPENPGP",
2206
# "+DHE-DSS"))
1895
2207
# Use a fallback default, since this MUST be set.
1896
2208
priority = self.server.gnutls_priority
1897
2209
if priority is None:
1898
2210
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2211
gnutls.priority_set_direct(session._c_object,
2212
priority.encode("utf-8"),
2213
None)
2214
1902
2215
# Start communication using the Mandos protocol
1903
2216
# Get protocol number
1904
2217
line = self.request.makefile().readline()
1909
2222
except (ValueError, IndexError, RuntimeError) as error:
1910
2223
logger.error("Unknown protocol version: %s", error)
1911
2224
return
1912
2225
1913
2226
# Start GnuTLS connection
1914
2227
try:
1915
2228
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2229
except gnutls.Error as error:
1917
2230
logger.warning("Handshake failed: %s", error)
1918
2231
# Do not run session.bye() here: the session is not
1919
2232
# established. Just abandon the request.
1920
2233
return
1921
2234
logger.debug("Handshake succeeded")
1922
2235
1923
2236
approval_required = False
1924
2237
try:
1925
2238
try:
1926
2239
fpr = self.fingerprint(
1927
2240
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
2241
except (TypeError, gnutls.Error) as error:
1930
2242
logger.warning("Bad certificate: %s", error)
1931
2243
return
1932
2244
logger.debug("Fingerprint: %s", fpr)
1933
2245
1934
2246
try:
1935
2247
client = ProxyClient(child_pipe, fpr,
1936
2248
self.client_address)
1937
2249
except KeyError:
1938
2250
return
1939
2251
1940
2252
if client.approval_delay:
1941
2253
delay = client.approval_delay
1942
2254
client.approvals_pending += 1
1943
2255
approval_required = True
1944
2256
1945
2257
while True:
1946
2258
if not client.enabled:
1947
2259
logger.info("Client %s is disabled",
1950
2262
# Emit D-Bus signal
1951
2263
client.Rejected("Disabled")
1952
2264
return
1953
2265
1954
2266
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2267
# We are approved or approval is disabled
1956
2268
break
1957
2269
elif client.approved is None:
1958
2270
logger.info("Client %s needs approval",
1969
2281
# Emit D-Bus signal
1970
2282
client.Rejected("Denied")
1971
2283
return
1972
1973
#wait until timeout or approved
2284
2285
# wait until timeout or approved
1974
2286
time = datetime.datetime.now()
1975
2287
client.changedstate.acquire()
1976
2288
client.changedstate.wait(delay.total_seconds())
1989
2301
break
1990
2302
else:
1991
2303
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2304
2305
try:
2306
session.send(client.secret)
2307
except gnutls.Error as error:
2308
logger.warning("gnutls send failed",
2309
exc_info=error)
2310
return
2311
2006
2312
logger.info("Sending secret to %s", client.name)
2007
2313
# bump the timeout using extended_timeout
2008
2314
client.bump_timeout(client.extended_timeout)
2009
2315
if self.server.use_dbus:
2010
2316
# Emit D-Bus signal
2011
2317
client.GotSecret()
2012
2318
2013
2319
finally:
2014
2320
if approval_required:
2015
2321
client.approvals_pending -= 1
2016
2322
try:
2017
2323
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2324
except gnutls.Error as error:
2019
2325
logger.warning("GnuTLS bye failed",
2020
2326
exc_info=error)
2021
2327
2022
2328
@staticmethod
2023
2329
def peer_certificate(session):
2024
2330
"Return the peer's OpenPGP certificate as a bytestring"
2025
2331
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2332
if (gnutls.certificate_type_get(session._c_object)
2333
!= gnutls.CRT_OPENPGP):
2334
# ...return invalid data
2335
return b""
2031
2336
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2337
cert_list = (gnutls.certificate_get_peers
2034
2338
(session._c_object, ctypes.byref(list_size)))
2035
2339
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2340
raise gnutls.Error("error getting peer certificate")
2038
2341
if list_size.value == 0:
2039
2342
return None
2040
2343
cert = cert_list[0]
2041
2344
return ctypes.string_at(cert.data, cert.size)
2042
2345
2043
2346
@staticmethod
2044
2347
def fingerprint(openpgp):
2045
2348
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2349
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2350
datum = gnutls.datum_t(
2048
2351
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2352
ctypes.POINTER(ctypes.c_ubyte)),
2050
2353
ctypes.c_uint(len(openpgp)))
2051
2354
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2355
crt = gnutls.openpgp_crt_t()
2356
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2357
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2358
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2359
gnutls.OPENPGP_FMT_RAW)
2059
2360
# Verify the self signature in the key
2060
2361
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2362
gnutls.openpgp_crt_verify_self(crt, 0,
2363
ctypes.byref(crtverify))
2063
2364
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2365
gnutls.openpgp_crt_deinit(crt)
2366
raise gnutls.CertificateSecurityError("Verify failed")
2067
2367
# New buffer for the fingerprint
2068
2368
buf = ctypes.create_string_buffer(20)
2069
2369
buf_len = ctypes.c_size_t()
2070
2370
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2371
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2372
ctypes.byref(buf_len))
2073
2373
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2374
gnutls.openpgp_crt_deinit(crt)
2075
2375
# Convert the buffer to a Python bytestring
2076
2376
fpr = ctypes.string_at(buf, buf_len.value)
2077
2377
# Convert the bytestring to hexadecimal notation
2081
2381
2082
2382
class MultiprocessingMixIn(object):
2083
2383
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2384
2085
2385
def sub_process_main(self, request, address):
2086
2386
try:
2087
2387
self.finish_request(request, address)
2088
2388
except Exception:
2089
2389
self.handle_error(request, address)
2090
2390
self.close_request(request)
2091
2391
2092
2392
def process_request(self, request, address):
2093
2393
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2394
proc = multiprocessing.Process(target=self.sub_process_main,
2395
args=(request, address))
2096
2396
proc.start()
2097
2397
return proc
2098
2398
2099
2399
2100
2400
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2101
2401
""" adds a pipe to the MixIn """
2102
2402
2103
2403
def process_request(self, request, client_address):
2104
2404
"""Overrides and wraps the original process_request().
2105
2405
2106
2406
This function creates a new pipe in self.pipe
2107
2407
"""
2108
2408
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2409
2110
2410
proc = MultiprocessingMixIn.process_request(self, request,
2111
2411
client_address)
2112
2412
self.child_pipe.close()
2113
2413
self.add_pipe(parent_pipe, proc)
2114
2414
2115
2415
def add_pipe(self, parent_pipe, proc):
2116
2416
"""Dummy function; override as necessary"""
2117
2417
raise NotImplementedError()
2120
2420
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
2421
socketserver.TCPServer, object):
2122
2422
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2423
2124
2424
Attributes:
2125
2425
enabled: Boolean; whether this server is activated yet
2126
2426
interface: None or a network interface name (string)
2127
2427
use_ipv6: Boolean; to use IPv6 or not
2128
2428
"""
2129
2429
2130
2430
def __init__(self, server_address, RequestHandlerClass,
2131
2431
interface=None,
2132
2432
use_ipv6=True,
2142
2442
self.socketfd = socketfd
2143
2443
# Save the original socket.socket() function
2144
2444
self.socket_socket = socket.socket
2445
2145
2446
# To implement --socket, we monkey patch socket.socket.
2146
#
2447
#
2147
2448
# (When socketserver.TCPServer is a new-style class, we
2148
2449
# could make self.socket into a property instead of monkey
2149
2450
# patching socket.socket.)
2150
#
2451
#
2151
2452
# Create a one-time-only replacement for socket.socket()
2152
2453
@functools.wraps(socket.socket)
2153
2454
def socket_wrapper(*args, **kwargs):
2165
2466
# socket_wrapper(), if socketfd was set.
2166
2467
socketserver.TCPServer.__init__(self, server_address,
2167
2468
RequestHandlerClass)
2168
2469
2169
2470
def server_bind(self):
2170
2471
"""This overrides the normal server_bind() function
2171
2472
to bind to an interface if one was specified, and also NOT to
2172
2473
bind to an address or port if they were not specified."""
2474
global SO_BINDTODEVICE
2173
2475
if self.interface is not None:
2174
2476
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2477
# Fall back to a hard-coded value which seems to be
2478
# common enough.
2479
logger.warning("SO_BINDTODEVICE not found, trying 25")
2480
SO_BINDTODEVICE = 25
2481
try:
2482
self.socket.setsockopt(
2483
socket.SOL_SOCKET, SO_BINDTODEVICE,
2484
(self.interface + "\0").encode("utf-8"))
2485
except socket.error as error:
2486
if error.errno == errno.EPERM:
2487
logger.error("No permission to bind to"
2488
" interface %s", self.interface)
2489
elif error.errno == errno.ENOPROTOOPT:
2490
logger.error("SO_BINDTODEVICE not available;"
2491
" cannot bind to interface %s",
2492
self.interface)
2493
elif error.errno == errno.ENODEV:
2494
logger.error("Interface %s does not exist,"
2495
" cannot bind", self.interface)
2496
else:
2497
raise
2196
2498
# Only bind(2) the socket if we really need to.
2197
2499
if self.server_address[0] or self.server_address[1]:
2198
2500
if not self.server_address[0]:
2199
2501
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2502
any_address = "::" # in6addr_any
2201
2503
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2504
any_address = "0.0.0.0" # INADDR_ANY
2203
2505
self.server_address = (any_address,
2204
2506
self.server_address[1])
2205
2507
elif not self.server_address[1]:
2215
2517
2216
2518
class MandosServer(IPv6_TCPServer):
2217
2519
"""Mandos server.
2218
2520
2219
2521
Attributes:
2220
2522
clients: set of Client objects
2221
2523
gnutls_priority GnuTLS priority string
2222
2524
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2525
2526
Assumes a GLib.MainLoop event loop.
2225
2527
"""
2226
2528
2227
2529
def __init__(self, server_address, RequestHandlerClass,
2228
2530
interface=None,
2229
2531
use_ipv6=True,
2239
2541
self.gnutls_priority = gnutls_priority
2240
2542
IPv6_TCPServer.__init__(self, server_address,
2241
2543
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2544
interface=interface,
2545
use_ipv6=use_ipv6,
2546
socketfd=socketfd)
2547
2246
2548
def server_activate(self):
2247
2549
if self.enabled:
2248
2550
return socketserver.TCPServer.server_activate(self)
2249
2551
2250
2552
def enable(self):
2251
2553
self.enabled = True
2252
2554
2253
2555
def add_pipe(self, parent_pipe, proc):
2254
2556
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2557
GLib.io_add_watch(
2256
2558
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2559
GLib.IO_IN | GLib.IO_HUP,
2258
2560
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2561
parent_pipe=parent_pipe,
2562
proc=proc))
2563
2262
2564
def handle_ipc(self, source, condition,
2263
2565
parent_pipe=None,
2264
proc = None,
2566
proc=None,
2265
2567
client_object=None):
2266
2568
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2569
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2570
# Wait for other process to exit
2269
2571
proc.join()
2270
2572
return False
2271
2573
2272
2574
# Read a request from the child
2273
2575
request = parent_pipe.recv()
2274
2576
command = request[0]
2275
2577
2276
2578
if command == 'init':
2277
2579
fpr = request[1]
2278
2580
address = request[2]
2279
2280
for c in self.clients.itervalues():
2581
2582
for c in self.clients.values():
2281
2583
if c.fingerprint == fpr:
2282
2584
client = c
2283
2585
break
2290
2592
address[0])
2291
2593
parent_pipe.send(False)
2292
2594
return False
2293
2294
gobject.io_add_watch(
2595
2596
GLib.io_add_watch(
2295
2597
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2598
GLib.IO_IN | GLib.IO_HUP,
2297
2599
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2600
parent_pipe=parent_pipe,
2601
proc=proc,
2602
client_object=client))
2301
2603
parent_pipe.send(True)
2302
2604
# remove the old hook in favor of the new above hook on
2303
2605
# same fileno
2306
2608
funcname = request[1]
2307
2609
args = request[2]
2308
2610
kwargs = request[3]
2309
2611
2310
2612
parent_pipe.send(('data', getattr(client_object,
2311
2613
funcname)(*args,
2312
2614
**kwargs)))
2313
2615
2314
2616
if command == 'getattr':
2315
2617
attrname = request[1]
2316
2618
if isinstance(client_object.__getattribute__(attrname),
2319
2621
else:
2320
2622
parent_pipe.send((
2321
2623
'data', client_object.__getattribute__(attrname)))
2322
2624
2323
2625
if command == 'setattr':
2324
2626
attrname = request[1]
2325
2627
value = request[2]
2326
2628
setattr(client_object, attrname, value)
2327
2629
2328
2630
return True
2329
2631
2330
2632
2331
2633
def rfc3339_duration_to_delta(duration):
2332
2634
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2635
2334
2636
>>> rfc3339_duration_to_delta("P7D")
2335
2637
datetime.timedelta(7)
2336
2638
>>> rfc3339_duration_to_delta("PT60S")
2346
2648
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
2649
datetime.timedelta(1, 200)
2348
2650
"""
2349
2651
2350
2652
# Parsing an RFC 3339 duration with regular expressions is not
2351
2653
# possible - there would have to be multiple places for the same
2352
2654
# values, like seconds. The current code, while more esoteric, is
2353
2655
# cleaner without depending on a parsing library. If Python had a
2354
2656
# built-in library for parsing we would use it, but we'd like to
2355
2657
# avoid excessive use of external libraries.
2356
2658
2357
2659
# New type for defining tokens, syntax, and semantics all-in-one
2358
2660
Token = collections.namedtuple("Token", (
2359
2661
"regexp", # To match token; if "value" is not None, must have
2392
2694
frozenset((token_year, token_month,
2393
2695
token_day, token_time,
2394
2696
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2697
# Define starting values:
2698
# Value so far
2699
value = datetime.timedelta()
2397
2700
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2701
# Following valid tokens
2702
followers = frozenset((token_duration, ))
2703
# String left to parse
2704
s = duration
2400
2705
# Loop until end token is found
2401
2706
while found_token is not token_end:
2402
2707
# Search for any currently valid tokens
2426
2731
2427
2732
def string_to_delta(interval):
2428
2733
"""Parse a string and return a datetime.timedelta
2429
2734
2430
2735
>>> string_to_delta('7d')
2431
2736
datetime.timedelta(7)
2432
2737
>>> string_to_delta('60s')
2440
2745
>>> string_to_delta('5m 30s')
2441
2746
datetime.timedelta(0, 330)
2442
2747
"""
2443
2748
2444
2749
try:
2445
2750
return rfc3339_duration_to_delta(interval)
2446
2751
except ValueError:
2447
2752
pass
2448
2753
2449
2754
timevalue = datetime.timedelta(0)
2450
2755
for s in interval.split():
2451
2756
try:
2469
2774
return timevalue
2470
2775
2471
2776
2472
def daemon(nochdir = False, noclose = False):
2777
def daemon(nochdir=False, noclose=False):
2473
2778
"""See daemon(3). Standard BSD Unix function.
2474
2779
2475
2780
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2781
if os.fork():
2477
2782
sys.exit()
2495
2800
2496
2801
2497
2802
def main():
2498
2803
2499
2804
##################################################################
2500
2805
# Parsing of options, both command line and config file
2501
2806
2502
2807
parser = argparse.ArgumentParser()
2503
2808
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2809
version="%(prog)s {}".format(version),
2505
2810
help="show version number and exit")
2506
2811
parser.add_argument("-i", "--interface", metavar="IF",
2507
2812
help="Bind to interface IF")
2543
2848
parser.add_argument("--no-zeroconf", action="store_false",
2544
2849
dest="zeroconf", help="Do not use Zeroconf",
2545
2850
default=None)
2546
2851
2547
2852
options = parser.parse_args()
2548
2853
2549
2854
if options.check:
2550
2855
import doctest
2551
2856
fail_count, test_count = doctest.testmod()
2552
2857
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2858
2554
2859
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2860
server_defaults = {"interface": "",
2861
"address": "",
2862
"port": "",
2863
"debug": "False",
2864
"priority":
2865
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2866
":+SIGN-DSA-SHA256",
2867
"servicename": "Mandos",
2868
"use_dbus": "True",
2869
"use_ipv6": "True",
2870
"debuglevel": "",
2871
"restore": "True",
2872
"socket": "",
2873
"statedir": "/var/lib/mandos",
2874
"foreground": "False",
2875
"zeroconf": "True",
2876
}
2877
2573
2878
# Parse config file for server-global settings
2574
2879
server_config = configparser.SafeConfigParser(server_defaults)
2575
2880
del server_defaults
2593
2898
server_settings["socket"] = os.dup(server_settings
2594
2899
["socket"])
2595
2900
del server_config
2596
2901
2597
2902
# Override the settings from the config file with command line
2598
2903
# options, if set.
2599
2904
for option in ("interface", "address", "port", "debug",
2617
2922
if server_settings["debug"]:
2618
2923
server_settings["foreground"] = True
2619
2924
# Now we have our good server settings in "server_settings"
2620
2925
2621
2926
##################################################################
2622
2927
2623
2928
if (not server_settings["zeroconf"]
2624
2929
and not (server_settings["port"]
2625
2930
or server_settings["socket"] != "")):
2626
2931
parser.error("Needs port or socket to work without Zeroconf")
2627
2932
2628
2933
# For convenience
2629
2934
debug = server_settings["debug"]
2630
2935
debuglevel = server_settings["debuglevel"]
2634
2939
stored_state_file)
2635
2940
foreground = server_settings["foreground"]
2636
2941
zeroconf = server_settings["zeroconf"]
2637
2942
2638
2943
if debug:
2639
2944
initlogger(debug, logging.DEBUG)
2640
2945
else:
2643
2948
else:
2644
2949
level = getattr(logging, debuglevel.upper())
2645
2950
initlogger(debug, level)
2646
2951
2647
2952
if server_settings["servicename"] != "Mandos":
2648
2953
syslogger.setFormatter(
2649
2954
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
2955
' %(levelname)s: %(message)s'.format(
2651
2956
server_settings["servicename"])))
2652
2957
2653
2958
# Parse config file with clients
2654
2959
client_config = configparser.SafeConfigParser(Client
2655
2960
.client_defaults)
2656
2961
client_config.read(os.path.join(server_settings["configdir"],
2657
2962
"clients.conf"))
2658
2963
2659
2964
global mandos_dbus_service
2660
2965
mandos_dbus_service = None
2661
2966
2662
2967
socketfd = None
2663
2968
if server_settings["socket"] != "":
2664
2969
socketfd = server_settings["socket"]
2680
2985
except IOError as e:
2681
2986
logger.error("Could not open file %r", pidfilename,
2682
2987
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
2988
2989
for name, group in (("_mandos", "_mandos"),
2990
("mandos", "mandos"),
2991
("nobody", "nogroup")):
2685
2992
try:
2686
2993
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
2994
gid = pwd.getpwnam(group).pw_gid
2688
2995
break
2689
2996
except KeyError:
2690
2997
continue
2694
3001
try:
2695
3002
os.setgid(gid)
2696
3003
os.setuid(uid)
3004
if debug:
3005
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3006
gid))
2697
3007
except OSError as error:
3008
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3009
.format(uid, gid, os.strerror(error.errno)))
2698
3010
if error.errno != errno.EPERM:
2699
3011
raise
2700
3012
2701
3013
if debug:
2702
3014
# Enable all possible GnuTLS debugging
2703
3015
2704
3016
# "Use a log level over 10 to enable all debugging options."
2705
3017
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3018
gnutls.global_set_log_level(11)
3019
3020
@gnutls.log_func
2709
3021
def debug_gnutls(level, string):
2710
3022
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3023
3024
gnutls.global_set_log_function(debug_gnutls)
3025
2715
3026
# Redirect stdin so all checkers get /dev/null
2716
3027
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3028
os.dup2(null, sys.stdin.fileno())
2718
3029
if null > 2:
2719
3030
os.close(null)
2720
3031
2721
3032
# Need to fork before connecting to D-Bus
2722
3033
if not foreground:
2723
3034
# Close all input and output, do double fork, etc.
2724
3035
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3036
3037
# multiprocessing will use threads, so before we use GLib we need
3038
# to inform GLib that threads will be used.
3039
GLib.threads_init()
3040
2730
3041
global main_loop
2731
3042
# From the Avahi example code
2732
3043
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3044
main_loop = GLib.MainLoop()
2734
3045
bus = dbus.SystemBus()
2735
3046
# End of Avahi example code
2736
3047
if use_dbus:
2749
3060
if zeroconf:
2750
3061
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3062
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3063
name=server_settings["servicename"],
3064
servicetype="_mandos._tcp",
3065
protocol=protocol,
3066
bus=bus)
2756
3067
if server_settings["interface"]:
2757
3068
service.interface = if_nametoindex(
2758
3069
server_settings["interface"].encode("utf-8"))
2759
3070
2760
3071
global multiprocessing_manager
2761
3072
multiprocessing_manager = multiprocessing.Manager()
2762
3073
2763
3074
client_class = Client
2764
3075
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3076
client_class = functools.partial(ClientDBus, bus=bus)
3077
2767
3078
client_settings = Client.config_parser(client_config)
2768
3079
old_client_settings = {}
2769
3080
clients_data = {}
2770
3081
2771
3082
# This is used to redirect stdout and stderr for checker processes
2772
3083
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3084
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3085
# Only used if server is running in foreground but not in debug
2775
3086
# mode
2776
3087
if debug or not foreground:
2777
3088
wnull.close()
2778
3089
2779
3090
# Get client data and settings from last running state.
2780
3091
if server_settings["restore"]:
2781
3092
try:
2782
3093
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3094
if sys.version_info.major == 2:
3095
clients_data, old_client_settings = pickle.load(
3096
stored_state)
3097
else:
3098
bytes_clients_data, bytes_old_client_settings = (
3099
pickle.load(stored_state, encoding="bytes"))
3100
# Fix bytes to strings
3101
# clients_data
3102
# .keys()
3103
clients_data = {(key.decode("utf-8")
3104
if isinstance(key, bytes)
3105
else key): value
3106
for key, value in
3107
bytes_clients_data.items()}
3108
del bytes_clients_data
3109
for key in clients_data:
3110
value = {(k.decode("utf-8")
3111
if isinstance(k, bytes) else k): v
3112
for k, v in
3113
clients_data[key].items()}
3114
clients_data[key] = value
3115
# .client_structure
3116
value["client_structure"] = [
3117
(s.decode("utf-8")
3118
if isinstance(s, bytes)
3119
else s) for s in
3120
value["client_structure"]]
3121
# .name & .host
3122
for k in ("name", "host"):
3123
if isinstance(value[k], bytes):
3124
value[k] = value[k].decode("utf-8")
3125
# old_client_settings
3126
# .keys()
3127
old_client_settings = {
3128
(key.decode("utf-8")
3129
if isinstance(key, bytes)
3130
else key): value
3131
for key, value in
3132
bytes_old_client_settings.items()}
3133
del bytes_old_client_settings
3134
# .host
3135
for value in old_client_settings.values():
3136
if isinstance(value["host"], bytes):
3137
value["host"] = (value["host"]
3138
.decode("utf-8"))
2785
3139
os.remove(stored_state_path)
2786
3140
except IOError as e:
2787
3141
if e.errno == errno.ENOENT:
2795
3149
logger.warning("Could not load persistent state: "
2796
3150
"EOFError:",
2797
3151
exc_info=e)
2798
3152
2799
3153
with PGPEngine() as pgp:
2800
3154
for client_name, client in clients_data.items():
2801
3155
# Skip removed clients
2802
3156
if client_name not in client_settings:
2803
3157
continue
2804
3158
2805
3159
# Decide which value to use after restoring saved state.
2806
3160
# We have three different values: Old config file,
2807
3161
# new config file, and saved state.
2818
3172
client[name] = value
2819
3173
except KeyError:
2820
3174
pass
2821
3175
2822
3176
# Clients who has passed its expire date can still be
2823
3177
# enabled if its last checker was successful. A Client
2824
3178
# whose checker succeeded before we stored its state is
2857
3211
client_name))
2858
3212
client["secret"] = (client_settings[client_name]
2859
3213
["secret"])
2860
3214
2861
3215
# Add/remove clients based on new changes made to config
2862
3216
for client_name in (set(old_client_settings)
2863
3217
- set(client_settings)):
2865
3219
for client_name in (set(client_settings)
2866
3220
- set(old_client_settings)):
2867
3221
clients_data[client_name] = client_settings[client_name]
2868
3222
2869
3223
# Create all client objects
2870
3224
for client_name, client in clients_data.items():
2871
3225
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3226
name=client_name,
3227
settings=client,
3228
server_settings=server_settings)
3229
2876
3230
if not tcp_server.clients:
2877
3231
logger.warning("No clients defined")
2878
3232
2879
3233
if not foreground:
2880
3234
if pidfile is not None:
2881
3235
pid = os.getpid()
2887
3241
pidfilename, pid)
2888
3242
del pidfile
2889
3243
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3244
3245
for termsig in (signal.SIGHUP, signal.SIGTERM):
3246
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3247
lambda: main_loop.quit() and False)
3248
2894
3249
if use_dbus:
2895
3250
2896
3251
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3252
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3253
class MandosDBusService(DBusObjectWithObjectManager):
2899
3254
"""A D-Bus proxy object"""
2900
3255
2901
3256
def __init__(self):
2902
3257
dbus.service.Object.__init__(self, bus, "/")
2903
3258
2904
3259
_interface = "se.recompile.Mandos"
2905
3260
2906
3261
@dbus.service.signal(_interface, signature="o")
2907
3262
def ClientAdded(self, objpath):
2908
3263
"D-Bus signal"
2909
3264
pass
2910
3265
2911
3266
@dbus.service.signal(_interface, signature="ss")
2912
3267
def ClientNotFound(self, fingerprint, address):
2913
3268
"D-Bus signal"
2914
3269
pass
2915
3270
2916
3271
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3272
"true"})
2918
3273
@dbus.service.signal(_interface, signature="os")
2919
3274
def ClientRemoved(self, objpath, name):
2920
3275
"D-Bus signal"
2921
3276
pass
2922
3277
2923
3278
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3279
"true"})
2925
3280
@dbus.service.method(_interface, out_signature="ao")
2926
3281
def GetAllClients(self):
2927
3282
"D-Bus method"
2928
3283
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3284
tcp_server.clients.values())
3285
2931
3286
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3287
"true"})
2933
3288
@dbus.service.method(_interface,
2935
3290
def GetAllClientsWithProperties(self):
2936
3291
"D-Bus method"
2937
3292
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3293
{c.dbus_object_path: c.GetAll(
2939
3294
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3295
for c in tcp_server.clients.values()},
2941
3296
signature="oa{sv}")
2942
3297
2943
3298
@dbus.service.method(_interface, in_signature="o")
2944
3299
def RemoveClient(self, object_path):
2945
3300
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3301
for c in tcp_server.clients.values():
2947
3302
if c.dbus_object_path == object_path:
2948
3303
del tcp_server.clients[c.name]
2949
3304
c.remove_from_connection()
2953
3308
self.client_removed_signal(c)
2954
3309
return
2955
3310
raise KeyError(object_path)
2956
3311
2957
3312
del _interface
2958
3313
2959
3314
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3315
out_signature="a{oa{sa{sv}}}")
2961
3316
def GetManagedObjects(self):
2962
3317
"""D-Bus method"""
2963
3318
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3319
{client.dbus_object_path:
3320
dbus.Dictionary(
3321
{interface: client.GetAll(interface)
3322
for interface in
3323
client._get_all_interface_names()})
3324
for client in tcp_server.clients.values()})
3325
2971
3326
def client_added_signal(self, client):
2972
3327
"""Send the new standard signal and the old signal"""
2973
3328
if use_dbus:
2975
3330
self.InterfacesAdded(
2976
3331
client.dbus_object_path,
2977
3332
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3333
{interface: client.GetAll(interface)
3334
for interface in
3335
client._get_all_interface_names()}))
2981
3336
# Old signal
2982
3337
self.ClientAdded(client.dbus_object_path)
2983
3338
2984
3339
def client_removed_signal(self, client):
2985
3340
"""Send the new standard signal and the old signal"""
2986
3341
if use_dbus:
2991
3346
# Old signal
2992
3347
self.ClientRemoved(client.dbus_object_path,
2993
3348
client.name)
2994
3349
2995
3350
mandos_dbus_service = MandosDBusService()
2996
3351
3352
# Save modules to variables to exempt the modules from being
3353
# unloaded before the function registered with atexit() is run.
3354
mp = multiprocessing
3355
wn = wnull
3356
2997
3357
def cleanup():
2998
3358
"Cleanup function; run on exit"
2999
3359
if zeroconf:
3000
3360
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3361
3362
mp.active_children()
3363
wn.close()
3004
3364
if not (tcp_server.clients or client_settings):
3005
3365
return
3006
3366
3007
3367
# Store client before exiting. Secrets are encrypted with key
3008
3368
# based on what config file has. If config file is
3009
3369
# removed/edited, old secret will thus be unrecovable.
3010
3370
clients = {}
3011
3371
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3372
for client in tcp_server.clients.values():
3013
3373
key = client_settings[client.name]["secret"]
3014
3374
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3375
key)
3016
3376
client_dict = {}
3017
3377
3018
3378
# A list of attributes that can not be pickled
3019
3379
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3380
exclude = {"bus", "changedstate", "secret",
3381
"checker", "server_settings"}
3022
3382
for name, typ in inspect.getmembers(dbus.service
3023
3383
.Object):
3024
3384
exclude.add(name)
3025
3385
3026
3386
client_dict["encrypted_secret"] = (client
3027
3387
.encrypted_secret)
3028
3388
for attr in client.client_structure:
3029
3389
if attr not in exclude:
3030
3390
client_dict[attr] = getattr(client, attr)
3031
3391
3032
3392
clients[client.name] = client_dict
3033
3393
del client_settings[client.name]["secret"]
3034
3394
3035
3395
try:
3036
3396
with tempfile.NamedTemporaryFile(
3037
3397
mode='wb',
3039
3399
prefix='clients-',
3040
3400
dir=os.path.dirname(stored_state_path),
3041
3401
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3402
pickle.dump((clients, client_settings), stored_state,
3403
protocol=2)
3043
3404
tempname = stored_state.name
3044
3405
os.rename(tempname, stored_state_path)
3045
3406
except (IOError, OSError) as e:
3055
3416
logger.warning("Could not save persistent state:",
3056
3417
exc_info=e)
3057
3418
raise
3058
3419
3059
3420
# Delete all clients, and settings from config
3060
3421
while tcp_server.clients:
3061
3422
name, client = tcp_server.clients.popitem()
3064
3425
# Don't signal the disabling
3065
3426
client.disable(quiet=True)
3066
3427
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3428
if use_dbus:
3429
mandos_dbus_service.client_removed_signal(client)
3068
3430
client_settings.clear()
3069
3431
3070
3432
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3433
3434
for client in tcp_server.clients.values():
3073
3435
if use_dbus:
3074
3436
# Emit D-Bus signal for adding
3075
3437
mandos_dbus_service.client_added_signal(client)
3076
3438
# Need to initiate checking of clients
3077
3439
if client.enabled:
3078
3440
client.init_checker()
3079
3441
3080
3442
tcp_server.enable()
3081
3443
tcp_server.server_activate()
3082
3444
3083
3445
# Find out what port we got
3084
3446
if zeroconf:
3085
3447
service.port = tcp_server.socket.getsockname()[1]
3090
3452
else: # IPv4
3091
3453
logger.info("Now listening on address %r, port %d",
3092
3454
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3455
3456
# service.interface = tcp_server.socket.getsockname()[3]
3457
3096
3458
try:
3097
3459
if zeroconf:
3098
3460
# From the Avahi example code
3103
3465
cleanup()
3104
3466
sys.exit(1)
3105
3467
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3468
3469
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3470
lambda *args, **kwargs:
3471
(tcp_server.handle_request
3472
(*args[2:], **kwargs) or True))
3473
3112
3474
logger.debug("Starting main loop")
3113
3475
main_loop.run()
3114
3476
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0