To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.433
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.433
- Committer: Teddy Hogeborn
- Date: 2016-10-29 14:22:26 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 356.
- Revision ID: teddy@recompile.se-20161029142226-n4s9d70tuk615pg1
Makefile: Clarify message when running client.
* Makefile (run-client): Clarify message.
* Makefile (run-client): Clarify message.
added
removed
mandos
1
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
14
# Copyright © 2008-2016 Teddy Hogeborn
15
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
19
19
# the Free Software Foundation, either version 3 of the License, or
23
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
25
# GNU General Public License for more details.
26
#
26
#
27
27
# You should have received a copy of the GNU General Public License
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
#
30
#
31
31
# Contact the authors at <mandos@recompile.se>.
32
#
32
#
33
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
from future_builtins import *
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
38
41
39
42
try:
40
43
import SocketServer as socketserver
76
79
77
80
import dbus
78
81
import dbus.service
79
try:
80
import gobject
81
except ImportError:
82
from gi.repository import GObject as gobject
83
import avahi
82
from gi.repository import GLib
84
83
from dbus.mainloop.glib import DBusGMainLoop
85
84
import ctypes
86
85
import ctypes.util
87
86
import xml.dom.minidom
88
87
import inspect
89
88
89
# Try to find the value of SO_BINDTODEVICE:
90
90
try:
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
92
# newer, and it is also the most natural place for it:
91
93
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
92
94
except AttributeError:
93
95
try:
96
# This is where SO_BINDTODEVICE was up to and including Python
97
# 2.6, and also 3.2:
94
98
from IN import SO_BINDTODEVICE
95
99
except ImportError:
96
SO_BINDTODEVICE = None
100
# In Python 2.7 it seems to have been removed entirely.
101
# Try running the C preprocessor:
102
try:
103
cc = subprocess.Popen(["cc", "--language=c", "-E",
104
"/dev/stdin"],
105
stdin=subprocess.PIPE,
106
stdout=subprocess.PIPE)
107
stdout = cc.communicate(
108
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
109
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
110
except (OSError, ValueError, IndexError):
111
# No value found
112
SO_BINDTODEVICE = None
97
113
98
114
if sys.version_info.major == 2:
99
115
str = unicode
100
116
101
version = "1.7.3"
117
version = "1.7.13"
102
118
stored_state_file = "clients.pickle"
103
119
104
120
logger = logging.getLogger()
108
124
if_nametoindex = ctypes.cdll.LoadLibrary(
109
125
ctypes.util.find_library("c")).if_nametoindex
110
126
except (OSError, AttributeError):
111
127
112
128
def if_nametoindex(interface):
113
129
"Get an interface index the hard way, i.e. using fcntl()"
114
130
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
119
135
return interface_index
120
136
121
137
138
def copy_function(func):
139
"""Make a copy of a function"""
140
if sys.version_info.major == 2:
141
return types.FunctionType(func.func_code,
142
func.func_globals,
143
func.func_name,
144
func.func_defaults,
145
func.func_closure)
146
else:
147
return types.FunctionType(func.__code__,
148
func.__globals__,
149
func.__name__,
150
func.__defaults__,
151
func.__closure__)
152
153
122
154
def initlogger(debug, level=logging.WARNING):
123
155
"""init logger and add loglevel"""
124
156
125
157
global syslogger
126
158
syslogger = (logging.handlers.SysLogHandler(
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
address="/dev/log"))
129
161
syslogger.setFormatter(logging.Formatter
130
162
('Mandos [%(process)d]: %(levelname)s:'
131
163
' %(message)s'))
132
164
logger.addHandler(syslogger)
133
165
134
166
if debug:
135
167
console = logging.StreamHandler()
136
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
148
180
149
181
class PGPEngine(object):
150
182
"""A simple class for OpenPGP symmetric encryption & decryption"""
151
183
152
184
def __init__(self):
153
185
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
154
186
self.gpg = "gpg"
155
187
try:
156
188
output = subprocess.check_output(["gpgconf"])
157
189
for line in output.splitlines():
158
name, text, path = line.split(":")
190
name, text, path = line.split(b":")
159
191
if name == "gpg":
160
192
self.gpg = path
161
193
break
165
197
self.gnupgargs = ['--batch',
166
198
'--homedir', self.tempdir,
167
199
'--force-mdc',
168
'--quiet',
169
'--no-use-agent']
170
200
'--quiet']
201
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
203
self.gnupgargs.append("--no-use-agent")
204
171
205
def __enter__(self):
172
206
return self
173
207
174
208
def __exit__(self, exc_type, exc_value, traceback):
175
209
self._cleanup()
176
210
return False
177
211
178
212
def __del__(self):
179
213
self._cleanup()
180
214
181
215
def _cleanup(self):
182
216
if self.tempdir is not None:
183
217
# Delete contents of tempdir
184
218
for root, dirs, files in os.walk(self.tempdir,
185
topdown = False):
219
topdown=False):
186
220
for filename in files:
187
221
os.remove(os.path.join(root, filename))
188
222
for dirname in dirs:
190
224
# Remove tempdir
191
225
os.rmdir(self.tempdir)
192
226
self.tempdir = None
193
227
194
228
def password_encode(self, password):
195
229
# Passphrase can not be empty and can not contain newlines or
196
230
# NUL bytes. So we prefix it and hex encode it.
201
235
.replace(b"\n", b"\\n")
202
236
.replace(b"\0", b"\\x00"))
203
237
return encoded
204
238
205
239
def encrypt(self, data, password):
206
240
passphrase = self.password_encode(password)
207
241
with tempfile.NamedTemporaryFile(
212
246
'--passphrase-file',
213
247
passfile.name]
214
248
+ self.gnupgargs,
215
stdin = subprocess.PIPE,
216
stdout = subprocess.PIPE,
217
stderr = subprocess.PIPE)
218
ciphertext, err = proc.communicate(input = data)
249
stdin=subprocess.PIPE,
250
stdout=subprocess.PIPE,
251
stderr=subprocess.PIPE)
252
ciphertext, err = proc.communicate(input=data)
219
253
if proc.returncode != 0:
220
254
raise PGPError(err)
221
255
return ciphertext
222
256
223
257
def decrypt(self, data, password):
224
258
passphrase = self.password_encode(password)
225
259
with tempfile.NamedTemporaryFile(
226
dir = self.tempdir) as passfile:
260
dir=self.tempdir) as passfile:
227
261
passfile.write(passphrase)
228
262
passfile.flush()
229
263
proc = subprocess.Popen([self.gpg, '--decrypt',
230
264
'--passphrase-file',
231
265
passfile.name]
232
266
+ self.gnupgargs,
233
stdin = subprocess.PIPE,
234
stdout = subprocess.PIPE,
235
stderr = subprocess.PIPE)
236
decrypted_plaintext, err = proc.communicate(input = data)
267
stdin=subprocess.PIPE,
268
stdout=subprocess.PIPE,
269
stderr=subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input=data)
237
271
if proc.returncode != 0:
238
272
raise PGPError(err)
239
273
return decrypted_plaintext
240
274
241
275
276
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
def string_array_to_txt_array(self, t):
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
for s in t), signature="ay")
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
293
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
294
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
295
SERVER_INVALID = 0 # avahi-common/defs.h
296
SERVER_REGISTERING = 1 # avahi-common/defs.h
297
SERVER_RUNNING = 2 # avahi-common/defs.h
298
SERVER_COLLISION = 3 # avahi-common/defs.h
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
302
242
303
class AvahiError(Exception):
243
304
def __init__(self, value, *args, **kwargs):
244
305
self.value = value
256
317
257
318
class AvahiService(object):
258
319
"""An Avahi (Zeroconf) service.
259
320
260
321
Attributes:
261
322
interface: integer; avahi.IF_UNSPEC or an interface index.
262
323
Used to optionally bind to the specified interface.
274
335
server: D-Bus Server
275
336
bus: dbus.SystemBus()
276
337
"""
277
338
278
339
def __init__(self,
279
interface = avahi.IF_UNSPEC,
280
name = None,
281
servicetype = None,
282
port = None,
283
TXT = None,
284
domain = "",
285
host = "",
286
max_renames = 32768,
287
protocol = avahi.PROTO_UNSPEC,
288
bus = None):
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
289
350
self.interface = interface
290
351
self.name = name
291
352
self.type = servicetype
300
361
self.server = None
301
362
self.bus = bus
302
363
self.entry_group_state_changed_match = None
303
364
304
365
def rename(self, remove=True):
305
366
"""Derived from the Avahi example code"""
306
367
if self.rename_count >= self.max_renames:
326
387
logger.critical("D-Bus Exception", exc_info=error)
327
388
self.cleanup()
328
389
os._exit(1)
329
390
330
391
def remove(self):
331
392
"""Derived from the Avahi example code"""
332
393
if self.entry_group_state_changed_match is not None:
334
395
self.entry_group_state_changed_match = None
335
396
if self.group is not None:
336
397
self.group.Reset()
337
398
338
399
def add(self):
339
400
"""Derived from the Avahi example code"""
340
401
self.remove()
357
418
dbus.UInt16(self.port),
358
419
avahi.string_array_to_txt_array(self.TXT))
359
420
self.group.Commit()
360
421
361
422
def entry_group_state_changed(self, state, error):
362
423
"""Derived from the Avahi example code"""
363
424
logger.debug("Avahi entry group state change: %i", state)
364
425
365
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
366
427
logger.debug("Zeroconf service established.")
367
428
elif state == avahi.ENTRY_GROUP_COLLISION:
371
432
logger.critical("Avahi: Error in group state changed %s",
372
433
str(error))
373
434
raise AvahiGroupError("State changed: {!s}".format(error))
374
435
375
436
def cleanup(self):
376
437
"""Derived from the Avahi example code"""
377
438
if self.group is not None:
382
443
pass
383
444
self.group = None
384
445
self.remove()
385
446
386
447
def server_state_changed(self, state, error=None):
387
448
"""Derived from the Avahi example code"""
388
449
logger.debug("Avahi server state change: %i", state)
417
478
logger.debug("Unknown state: %r", state)
418
479
else:
419
480
logger.debug("Unknown state: %r: %r", state, error)
420
481
421
482
def activate(self):
422
483
"""Derived from the Avahi example code"""
423
484
if self.server is None:
440
501
.format(self.name)))
441
502
return ret
442
503
504
443
505
# Pretend that we have a GnuTLS module
444
506
class GnuTLS(object):
445
507
"""This isn't so much a class as it is a module-like namespace.
446
508
It is instantiated once, and simulates having a GnuTLS module."""
447
448
_library = ctypes.cdll.LoadLibrary(
449
ctypes.util.find_library("gnutls"))
450
_need_version = "3.3.0"
509
510
library = ctypes.util.find_library("gnutls")
511
if library is None:
512
library = ctypes.util.find_library("gnutls-deb0")
513
_library = ctypes.cdll.LoadLibrary(library)
514
del library
515
_need_version = b"3.3.0"
516
451
517
def __init__(self):
452
# Need to use class name "GnuTLS" here, since this method is
453
# called before the assignment to the "gnutls" global variable
454
# happens.
455
if GnuTLS.check_version(self._need_version) is None:
456
raise GnuTLS.Error("Needs GnuTLS {} or later"
457
.format(self._need_version))
458
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
523
459
524
# Unless otherwise indicated, the constants and types below are
460
525
# all from the gnutls/gnutls.h C header file.
461
526
462
527
# Constants
463
528
E_SUCCESS = 0
464
529
E_INTERRUPTED = -52
469
534
CRD_CERTIFICATE = 1
470
535
E_NO_CERTIFICATE_FOUND = -49
471
536
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
472
537
473
538
# Types
474
539
class session_int(ctypes.Structure):
475
540
_fields_ = []
476
541
session_t = ctypes.POINTER(session_int)
542
477
543
class certificate_credentials_st(ctypes.Structure):
478
544
_fields_ = []
479
545
certificate_credentials_t = ctypes.POINTER(
480
546
certificate_credentials_st)
481
547
certificate_type_t = ctypes.c_int
548
482
549
class datum_t(ctypes.Structure):
483
550
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
484
551
('size', ctypes.c_uint)]
552
485
553
class openpgp_crt_int(ctypes.Structure):
486
554
_fields_ = []
487
555
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
488
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
556
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
489
557
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
490
credentials_type_t = ctypes.c_int #
558
credentials_type_t = ctypes.c_int
491
559
transport_ptr_t = ctypes.c_void_p
492
560
close_request_t = ctypes.c_int
493
561
494
562
# Exceptions
495
563
class Error(Exception):
496
564
# We need to use the class name "GnuTLS" here, since this
497
565
# exception might be raised from within GnuTLS.__init__,
498
566
# which is called before the assignment to the "gnutls"
499
567
# global variable has happened.
500
def __init__(self, message = None, code = None, args=()):
568
def __init__(self, message=None, code=None, args=()):
501
569
# Default usage is by a message string, but if a return
502
570
# code is passed, convert it to a string with
503
571
# gnutls.strerror()
506
574
message = GnuTLS.strerror(code)
507
575
return super(GnuTLS.Error, self).__init__(
508
576
message, *args)
509
577
510
578
class CertificateSecurityError(Error):
511
579
pass
512
580
513
581
# Classes
514
582
class Credentials(object):
515
583
def __init__(self):
517
585
gnutls.certificate_allocate_credentials(
518
586
ctypes.byref(self._c_object))
519
587
self.type = gnutls.CRD_CERTIFICATE
520
588
521
589
def __del__(self):
522
590
gnutls.certificate_free_credentials(self._c_object)
523
591
524
592
class ClientSession(object):
525
def __init__(self, socket, credentials = None):
593
def __init__(self, socket, credentials=None):
526
594
self._c_object = gnutls.session_t()
527
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
528
596
gnutls.set_default_priority(self._c_object)
536
604
ctypes.cast(credentials._c_object,
537
605
ctypes.c_void_p))
538
606
self.credentials = credentials
539
607
540
608
def __del__(self):
541
609
gnutls.deinit(self._c_object)
542
610
543
611
def handshake(self):
544
612
return gnutls.handshake(self._c_object)
545
613
546
614
def send(self, data):
547
615
data = bytes(data)
548
616
data_len = len(data)
550
618
data_len -= gnutls.record_send(self._c_object,
551
619
data[-data_len:],
552
620
data_len)
553
621
554
622
def bye(self):
555
623
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
556
624
557
625
# Error handling functions
558
626
def _error_code(result):
559
627
"""A function to raise exceptions on errors, suitable
561
629
if result >= 0:
562
630
return result
563
631
if result == gnutls.E_NO_CERTIFICATE_FOUND:
564
raise gnutls.CertificateSecurityError(code = result)
565
raise gnutls.Error(code = result)
566
632
raise gnutls.CertificateSecurityError(code=result)
633
raise gnutls.Error(code=result)
634
567
635
def _retry_on_error(result, func, arguments):
568
636
"""A function to retry on some errors, suitable
569
637
for the 'errcheck' attribute on ctypes functions"""
572
640
return _error_code(result)
573
641
result = func(*arguments)
574
642
return result
575
643
576
644
# Unless otherwise indicated, the function declarations below are
577
645
# all from the gnutls/gnutls.h C header file.
578
646
579
647
# Functions
580
648
priority_set_direct = _library.gnutls_priority_set_direct
581
649
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
582
650
ctypes.POINTER(ctypes.c_char_p)]
583
651
priority_set_direct.restype = _error_code
584
652
585
653
init = _library.gnutls_init
586
654
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
587
655
init.restype = _error_code
588
656
589
657
set_default_priority = _library.gnutls_set_default_priority
590
658
set_default_priority.argtypes = [session_t]
591
659
set_default_priority.restype = _error_code
592
660
593
661
record_send = _library.gnutls_record_send
594
662
record_send.argtypes = [session_t, ctypes.c_void_p,
595
663
ctypes.c_size_t]
596
664
record_send.restype = ctypes.c_ssize_t
597
665
record_send.errcheck = _retry_on_error
598
666
599
667
certificate_allocate_credentials = (
600
668
_library.gnutls_certificate_allocate_credentials)
601
669
certificate_allocate_credentials.argtypes = [
602
670
ctypes.POINTER(certificate_credentials_t)]
603
671
certificate_allocate_credentials.restype = _error_code
604
672
605
673
certificate_free_credentials = (
606
674
_library.gnutls_certificate_free_credentials)
607
certificate_free_credentials.argtypes = [certificate_credentials_t]
675
certificate_free_credentials.argtypes = [
676
certificate_credentials_t]
608
677
certificate_free_credentials.restype = None
609
678
610
679
handshake_set_private_extensions = (
611
680
_library.gnutls_handshake_set_private_extensions)
612
681
handshake_set_private_extensions.argtypes = [session_t,
613
682
ctypes.c_int]
614
683
handshake_set_private_extensions.restype = None
615
684
616
685
credentials_set = _library.gnutls_credentials_set
617
686
credentials_set.argtypes = [session_t, credentials_type_t,
618
687
ctypes.c_void_p]
619
688
credentials_set.restype = _error_code
620
689
621
690
strerror = _library.gnutls_strerror
622
691
strerror.argtypes = [ctypes.c_int]
623
692
strerror.restype = ctypes.c_char_p
624
693
625
694
certificate_type_get = _library.gnutls_certificate_type_get
626
695
certificate_type_get.argtypes = [session_t]
627
696
certificate_type_get.restype = _error_code
628
697
629
698
certificate_get_peers = _library.gnutls_certificate_get_peers
630
699
certificate_get_peers.argtypes = [session_t,
631
700
ctypes.POINTER(ctypes.c_uint)]
632
701
certificate_get_peers.restype = ctypes.POINTER(datum_t)
633
702
634
703
global_set_log_level = _library.gnutls_global_set_log_level
635
704
global_set_log_level.argtypes = [ctypes.c_int]
636
705
global_set_log_level.restype = None
637
706
638
707
global_set_log_function = _library.gnutls_global_set_log_function
639
708
global_set_log_function.argtypes = [log_func]
640
709
global_set_log_function.restype = None
641
710
642
711
deinit = _library.gnutls_deinit
643
712
deinit.argtypes = [session_t]
644
713
deinit.restype = None
645
714
646
715
handshake = _library.gnutls_handshake
647
716
handshake.argtypes = [session_t]
648
717
handshake.restype = _error_code
649
718
handshake.errcheck = _retry_on_error
650
719
651
720
transport_set_ptr = _library.gnutls_transport_set_ptr
652
721
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
653
722
transport_set_ptr.restype = None
654
723
655
724
bye = _library.gnutls_bye
656
725
bye.argtypes = [session_t, close_request_t]
657
726
bye.restype = _error_code
658
727
bye.errcheck = _retry_on_error
659
728
660
729
check_version = _library.gnutls_check_version
661
730
check_version.argtypes = [ctypes.c_char_p]
662
731
check_version.restype = ctypes.c_char_p
663
732
664
733
# All the function declarations below are from gnutls/openpgp.h
665
734
666
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
667
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
668
737
openpgp_crt_init.restype = _error_code
669
738
670
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
671
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
672
741
ctypes.POINTER(datum_t),
673
742
openpgp_crt_fmt_t]
674
743
openpgp_crt_import.restype = _error_code
675
744
676
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
677
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
678
747
ctypes.POINTER(ctypes.c_uint)]
679
748
openpgp_crt_verify_self.restype = _error_code
680
749
681
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
682
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
683
752
openpgp_crt_deinit.restype = None
684
753
685
754
openpgp_crt_get_fingerprint = (
686
755
_library.gnutls_openpgp_crt_get_fingerprint)
687
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
689
758
ctypes.POINTER(
690
759
ctypes.c_size_t)]
691
760
openpgp_crt_get_fingerprint.restype = _error_code
692
761
693
762
# Remove non-public functions
694
763
del _error_code, _retry_on_error
695
764
# Create the global "gnutls" object, simulating a module
696
765
gnutls = GnuTLS()
697
766
767
698
768
def call_pipe(connection, # : multiprocessing.Connection
699
769
func, *args, **kwargs):
700
770
"""This function is meant to be called by multiprocessing.Process
701
771
702
772
This function runs func(*args, **kwargs), and writes the resulting
703
773
return value on the provided multiprocessing.Connection.
704
774
"""
705
775
connection.send(func(*args, **kwargs))
706
776
connection.close()
707
777
778
708
779
class Client(object):
709
780
"""A representation of a client host served by this server.
710
781
711
782
Attributes:
712
783
approved: bool(); 'None' if not yet approved/disapproved
713
784
approval_delay: datetime.timedelta(); Time to wait for approval
715
786
checker: subprocess.Popen(); a running checker process used
716
787
to see if the client lives.
717
788
'None' if no process is running.
718
checker_callback_tag: a gobject event source tag, or None
789
checker_callback_tag: a GLib event source tag, or None
719
790
checker_command: string; External command which is run to check
720
791
if client lives. %() expansions are done at
721
792
runtime with vars(self) as dict, so that for
722
793
instance %(name)s can be used in the command.
723
checker_initiator_tag: a gobject event source tag, or None
794
checker_initiator_tag: a GLib event source tag, or None
724
795
created: datetime.datetime(); (UTC) object creation
725
796
client_structure: Object describing what attributes a client has
726
797
and is used for storing the client at exit
727
798
current_checker_command: string; current running checker_command
728
disable_initiator_tag: a gobject event source tag, or None
799
disable_initiator_tag: a GLib event source tag, or None
729
800
enabled: bool()
730
801
fingerprint: string (40 or 32 hexadecimal digits); used to
731
802
uniquely identify the client
750
821
disabled, or None
751
822
server_settings: The server_settings dict from main()
752
823
"""
753
824
754
825
runtime_expansions = ("approval_delay", "approval_duration",
755
826
"created", "enabled", "expires",
756
827
"fingerprint", "host", "interval",
767
838
"approved_by_default": "True",
768
839
"enabled": "True",
769
840
}
770
841
771
842
@staticmethod
772
843
def config_parser(config):
773
844
"""Construct a new dict of client settings of this form:
780
851
for client_name in config.sections():
781
852
section = dict(config.items(client_name))
782
853
client = settings[client_name] = {}
783
854
784
855
client["host"] = section["host"]
785
856
# Reformat values from string types to Python types
786
857
client["approved_by_default"] = config.getboolean(
787
858
client_name, "approved_by_default")
788
859
client["enabled"] = config.getboolean(client_name,
789
860
"enabled")
790
861
791
862
# Uppercase and remove spaces from fingerprint for later
792
863
# comparison purposes with return value from the
793
864
# fingerprint() function
794
865
client["fingerprint"] = (section["fingerprint"].upper()
795
866
.replace(" ", ""))
796
867
if "secret" in section:
797
client["secret"] = section["secret"].decode("base64")
868
client["secret"] = codecs.decode(section["secret"]
869
.encode("utf-8"),
870
"base64")
798
871
elif "secfile" in section:
799
872
with open(os.path.expanduser(os.path.expandvars
800
873
(section["secfile"])),
815
888
client["last_approval_request"] = None
816
889
client["last_checked_ok"] = None
817
890
client["last_checker_status"] = -2
818
891
819
892
return settings
820
821
def __init__(self, settings, name = None, server_settings=None):
893
894
def __init__(self, settings, name=None, server_settings=None):
822
895
self.name = name
823
896
if server_settings is None:
824
897
server_settings = {}
826
899
# adding all client settings
827
900
for setting, value in settings.items():
828
901
setattr(self, setting, value)
829
902
830
903
if self.enabled:
831
904
if not hasattr(self, "last_enabled"):
832
905
self.last_enabled = datetime.datetime.utcnow()
836
909
else:
837
910
self.last_enabled = None
838
911
self.expires = None
839
912
840
913
logger.debug("Creating client %r", self.name)
841
914
logger.debug(" Fingerprint: %s", self.fingerprint)
842
915
self.created = settings.get("created",
843
916
datetime.datetime.utcnow())
844
917
845
918
# attributes specific for this server instance
846
919
self.checker = None
847
920
self.checker_initiator_tag = None
853
926
self.changedstate = multiprocessing_manager.Condition(
854
927
multiprocessing_manager.Lock())
855
928
self.client_structure = [attr
856
for attr in self.__dict__.iterkeys()
929
for attr in self.__dict__.keys()
857
930
if not attr.startswith("_")]
858
931
self.client_structure.append("client_structure")
859
932
860
933
for name, t in inspect.getmembers(
861
934
type(self), lambda obj: isinstance(obj, property)):
862
935
if not name.startswith("_"):
863
936
self.client_structure.append(name)
864
937
865
938
# Send notice to process children that client state has changed
866
939
def send_changedstate(self):
867
940
with self.changedstate:
868
941
self.changedstate.notify_all()
869
942
870
943
def enable(self):
871
944
"""Start this client's checker and timeout hooks"""
872
945
if getattr(self, "enabled", False):
877
950
self.last_enabled = datetime.datetime.utcnow()
878
951
self.init_checker()
879
952
self.send_changedstate()
880
953
881
954
def disable(self, quiet=True):
882
955
"""Disable this client."""
883
956
if not getattr(self, "enabled", False):
885
958
if not quiet:
886
959
logger.info("Disabling client %s", self.name)
887
960
if getattr(self, "disable_initiator_tag", None) is not None:
888
gobject.source_remove(self.disable_initiator_tag)
961
GLib.source_remove(self.disable_initiator_tag)
889
962
self.disable_initiator_tag = None
890
963
self.expires = None
891
964
if getattr(self, "checker_initiator_tag", None) is not None:
892
gobject.source_remove(self.checker_initiator_tag)
965
GLib.source_remove(self.checker_initiator_tag)
893
966
self.checker_initiator_tag = None
894
967
self.stop_checker()
895
968
self.enabled = False
896
969
if not quiet:
897
970
self.send_changedstate()
898
# Do not run this again if called by a gobject.timeout_add
971
# Do not run this again if called by a GLib.timeout_add
899
972
return False
900
973
901
974
def __del__(self):
902
975
self.disable()
903
976
904
977
def init_checker(self):
905
978
# Schedule a new checker to be started an 'interval' from now,
906
979
# and every interval from then on.
907
980
if self.checker_initiator_tag is not None:
908
gobject.source_remove(self.checker_initiator_tag)
909
self.checker_initiator_tag = gobject.timeout_add(
981
GLib.source_remove(self.checker_initiator_tag)
982
self.checker_initiator_tag = GLib.timeout_add(
910
983
int(self.interval.total_seconds() * 1000),
911
984
self.start_checker)
912
985
# Schedule a disable() when 'timeout' has passed
913
986
if self.disable_initiator_tag is not None:
914
gobject.source_remove(self.disable_initiator_tag)
915
self.disable_initiator_tag = gobject.timeout_add(
987
GLib.source_remove(self.disable_initiator_tag)
988
self.disable_initiator_tag = GLib.timeout_add(
916
989
int(self.timeout.total_seconds() * 1000), self.disable)
917
990
# Also start a new checker *right now*.
918
991
self.start_checker()
919
992
920
993
def checker_callback(self, source, condition, connection,
921
994
command):
922
995
"""The checker has completed, so take appropriate actions."""
925
998
# Read return code from connection (see call_pipe)
926
999
returncode = connection.recv()
927
1000
connection.close()
928
1001
929
1002
if returncode >= 0:
930
1003
self.last_checker_status = returncode
931
1004
self.last_checker_signal = None
941
1014
logger.warning("Checker for %(name)s crashed?",
942
1015
vars(self))
943
1016
return False
944
1017
945
1018
def checked_ok(self):
946
1019
"""Assert that the client has been seen, alive and well."""
947
1020
self.last_checked_ok = datetime.datetime.utcnow()
948
1021
self.last_checker_status = 0
949
1022
self.last_checker_signal = None
950
1023
self.bump_timeout()
951
1024
952
1025
def bump_timeout(self, timeout=None):
953
1026
"""Bump up the timeout for this client."""
954
1027
if timeout is None:
955
1028
timeout = self.timeout
956
1029
if self.disable_initiator_tag is not None:
957
gobject.source_remove(self.disable_initiator_tag)
1030
GLib.source_remove(self.disable_initiator_tag)
958
1031
self.disable_initiator_tag = None
959
1032
if getattr(self, "enabled", False):
960
self.disable_initiator_tag = gobject.timeout_add(
1033
self.disable_initiator_tag = GLib.timeout_add(
961
1034
int(timeout.total_seconds() * 1000), self.disable)
962
1035
self.expires = datetime.datetime.utcnow() + timeout
963
1036
964
1037
def need_approval(self):
965
1038
self.last_approval_request = datetime.datetime.utcnow()
966
1039
967
1040
def start_checker(self):
968
1041
"""Start a new checker subprocess if one is not running.
969
1042
970
1043
If a checker already exists, leave it running and do
971
1044
nothing."""
972
1045
# The reason for not killing a running checker is that if we
977
1050
# checkers alone, the checker would have to take more time
978
1051
# than 'timeout' for the client to be disabled, which is as it
979
1052
# should be.
980
1053
981
1054
if self.checker is not None and not self.checker.is_alive():
982
1055
logger.warning("Checker was not alive; joining")
983
1056
self.checker.join()
987
1060
# Escape attributes for the shell
988
1061
escaped_attrs = {
989
1062
attr: re.escape(str(getattr(self, attr)))
990
for attr in self.runtime_expansions }
1063
for attr in self.runtime_expansions}
991
1064
try:
992
1065
command = self.checker_command % escaped_attrs
993
1066
except TypeError as error:
1005
1078
# The exception is when not debugging but nevertheless
1006
1079
# running in the foreground; use the previously
1007
1080
# created wnull.
1008
popen_args = { "close_fds": True,
1009
"shell": True,
1010
"cwd": "/" }
1081
popen_args = {"close_fds": True,
1082
"shell": True,
1083
"cwd": "/"}
1011
1084
if (not self.server_settings["debug"]
1012
1085
and self.server_settings["foreground"]):
1013
1086
popen_args.update({"stdout": wnull,
1014
"stderr": wnull })
1015
pipe = multiprocessing.Pipe(duplex = False)
1087
"stderr": wnull})
1088
pipe = multiprocessing.Pipe(duplex=False)
1016
1089
self.checker = multiprocessing.Process(
1017
target = call_pipe,
1018
args = (pipe[1], subprocess.call, command),
1019
kwargs = popen_args)
1090
target=call_pipe,
1091
args=(pipe[1], subprocess.call, command),
1092
kwargs=popen_args)
1020
1093
self.checker.start()
1021
self.checker_callback_tag = gobject.io_add_watch(
1022
pipe[0].fileno(), gobject.IO_IN,
1094
self.checker_callback_tag = GLib.io_add_watch(
1095
pipe[0].fileno(), GLib.IO_IN,
1023
1096
self.checker_callback, pipe[0], command)
1024
# Re-run this periodically if run by gobject.timeout_add
1097
# Re-run this periodically if run by GLib.timeout_add
1025
1098
return True
1026
1099
1027
1100
def stop_checker(self):
1028
1101
"""Force the checker process, if any, to stop."""
1029
1102
if self.checker_callback_tag:
1030
gobject.source_remove(self.checker_callback_tag)
1103
GLib.source_remove(self.checker_callback_tag)
1031
1104
self.checker_callback_tag = None
1032
1105
if getattr(self, "checker", None) is None:
1033
1106
return
1042
1115
byte_arrays=False):
1043
1116
"""Decorators for marking methods of a DBusObjectWithProperties to
1044
1117
become properties on the D-Bus.
1045
1118
1046
1119
The decorated method will be called with no arguments by "Get"
1047
1120
and with one argument by "Set".
1048
1121
1049
1122
The parameters, where they are supported, are the same as
1050
1123
dbus.service.method, except there is only "signature", since the
1051
1124
type from Get() and the type sent to Set() is the same.
1055
1128
if byte_arrays and signature != "ay":
1056
1129
raise ValueError("Byte arrays not supported for non-'ay'"
1057
1130
" signature {!r}".format(signature))
1058
1131
1059
1132
def decorator(func):
1060
1133
func._dbus_is_property = True
1061
1134
func._dbus_interface = dbus_interface
1064
1137
func._dbus_name = func.__name__
1065
1138
if func._dbus_name.endswith("_dbus_property"):
1066
1139
func._dbus_name = func._dbus_name[:-14]
1067
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1140
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1068
1141
return func
1069
1142
1070
1143
return decorator
1071
1144
1072
1145
1073
1146
def dbus_interface_annotations(dbus_interface):
1074
1147
"""Decorator for marking functions returning interface annotations
1075
1148
1076
1149
Usage:
1077
1150
1078
1151
@dbus_interface_annotations("org.example.Interface")
1079
1152
def _foo(self): # Function name does not matter
1080
1153
return {"org.freedesktop.DBus.Deprecated": "true",
1081
1154
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1082
1155
"false"}
1083
1156
"""
1084
1157
1085
1158
def decorator(func):
1086
1159
func._dbus_is_interface = True
1087
1160
func._dbus_interface = dbus_interface
1088
1161
func._dbus_name = dbus_interface
1089
1162
return func
1090
1163
1091
1164
return decorator
1092
1165
1093
1166
1094
1167
def dbus_annotations(annotations):
1095
1168
"""Decorator to annotate D-Bus methods, signals or properties
1096
1169
Usage:
1097
1170
1098
1171
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1099
1172
"org.freedesktop.DBus.Property."
1100
1173
"EmitsChangedSignal": "false"})
1102
1175
access="r")
1103
1176
def Property_dbus_property(self):
1104
1177
return dbus.Boolean(False)
1105
1178
1106
1179
See also the DBusObjectWithAnnotations class.
1107
1180
"""
1108
1181
1109
1182
def decorator(func):
1110
1183
func._dbus_annotations = annotations
1111
1184
return func
1112
1185
1113
1186
return decorator
1114
1187
1115
1188
1133
1206
1134
1207
class DBusObjectWithAnnotations(dbus.service.Object):
1135
1208
"""A D-Bus object with annotations.
1136
1209
1137
1210
Classes inheriting from this can use the dbus_annotations
1138
1211
decorator to add annotations to methods or signals.
1139
1212
"""
1140
1213
1141
1214
@staticmethod
1142
1215
def _is_dbus_thing(thing):
1143
1216
"""Returns a function testing if an attribute is a D-Bus thing
1144
1217
1145
1218
If called like _is_dbus_thing("method") it returns a function
1146
1219
suitable for use as predicate to inspect.getmembers().
1147
1220
"""
1148
1221
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1149
1222
False)
1150
1223
1151
1224
def _get_all_dbus_things(self, thing):
1152
1225
"""Returns a generator of (name, attribute) pairs
1153
1226
"""
1156
1229
for cls in self.__class__.__mro__
1157
1230
for name, athing in
1158
1231
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1159
1232
1160
1233
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1234
out_signature="s",
1235
path_keyword='object_path',
1236
connection_keyword='connection')
1164
1237
def Introspect(self, object_path, connection):
1165
1238
"""Overloading of standard D-Bus method.
1166
1239
1167
1240
Inserts annotation tags on methods and signals.
1168
1241
"""
1169
1242
xmlstring = dbus.service.Object.Introspect(self, object_path,
1170
1243
connection)
1171
1244
try:
1172
1245
document = xml.dom.minidom.parseString(xmlstring)
1173
1246
1174
1247
for if_tag in document.getElementsByTagName("interface"):
1175
1248
# Add annotation tags
1176
1249
for typ in ("method", "signal"):
1203
1276
if_tag.appendChild(ann_tag)
1204
1277
# Fix argument name for the Introspect method itself
1205
1278
if (if_tag.getAttribute("name")
1206
== dbus.INTROSPECTABLE_IFACE):
1279
== dbus.INTROSPECTABLE_IFACE):
1207
1280
for cn in if_tag.getElementsByTagName("method"):
1208
1281
if cn.getAttribute("name") == "Introspect":
1209
1282
for arg in cn.getElementsByTagName("arg"):
1222
1295
1223
1296
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1224
1297
"""A D-Bus object with properties.
1225
1298
1226
1299
Classes inheriting from this can use the dbus_service_property
1227
1300
decorator to expose methods as D-Bus properties. It exposes the
1228
1301
standard Get(), Set(), and GetAll() methods on the D-Bus.
1229
1302
"""
1230
1303
1231
1304
def _get_dbus_property(self, interface_name, property_name):
1232
1305
"""Returns a bound method if one exists which is a D-Bus
1233
1306
property with the specified name and interface.
1238
1311
if (value._dbus_name == property_name
1239
1312
and value._dbus_interface == interface_name):
1240
1313
return value.__get__(self)
1241
1314
1242
1315
# No such property
1243
1316
raise DBusPropertyNotFound("{}:{}.{}".format(
1244
1317
self.dbus_object_path, interface_name, property_name))
1245
1318
1246
1319
@classmethod
1247
1320
def _get_all_interface_names(cls):
1248
1321
"""Get a sequence of all interfaces supported by an object"""
1251
1324
for x in (inspect.getmro(cls))
1252
1325
for attr in dir(x))
1253
1326
if name is not None)
1254
1327
1255
1328
@dbus.service.method(dbus.PROPERTIES_IFACE,
1256
1329
in_signature="ss",
1257
1330
out_signature="v")
1265
1338
if not hasattr(value, "variant_level"):
1266
1339
return value
1267
1340
return type(value)(value, variant_level=value.variant_level+1)
1268
1341
1269
1342
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1270
1343
def Set(self, interface_name, property_name, value):
1271
1344
"""Standard D-Bus property Set() method, see D-Bus standard.
1283
1356
value = dbus.ByteArray(b''.join(chr(byte)
1284
1357
for byte in value))
1285
1358
prop(value)
1286
1359
1287
1360
@dbus.service.method(dbus.PROPERTIES_IFACE,
1288
1361
in_signature="s",
1289
1362
out_signature="a{sv}")
1290
1363
def GetAll(self, interface_name):
1291
1364
"""Standard D-Bus property GetAll() method, see D-Bus
1292
1365
standard.
1293
1366
1294
1367
Note: Will not include properties with access="write".
1295
1368
"""
1296
1369
properties = {}
1307
1380
properties[name] = value
1308
1381
continue
1309
1382
properties[name] = type(value)(
1310
value, variant_level = value.variant_level + 1)
1383
value, variant_level=value.variant_level + 1)
1311
1384
return dbus.Dictionary(properties, signature="sv")
1312
1385
1313
1386
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1314
1387
def PropertiesChanged(self, interface_name, changed_properties,
1315
1388
invalidated_properties):
1317
1390
standard.
1318
1391
"""
1319
1392
pass
1320
1393
1321
1394
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1322
1395
out_signature="s",
1323
1396
path_keyword='object_path',
1324
1397
connection_keyword='connection')
1325
1398
def Introspect(self, object_path, connection):
1326
1399
"""Overloading of standard D-Bus method.
1327
1400
1328
1401
Inserts property tags and interface annotation tags.
1329
1402
"""
1330
1403
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1332
1405
connection)
1333
1406
try:
1334
1407
document = xml.dom.minidom.parseString(xmlstring)
1335
1408
1336
1409
def make_tag(document, name, prop):
1337
1410
e = document.createElement("property")
1338
1411
e.setAttribute("name", name)
1339
1412
e.setAttribute("type", prop._dbus_signature)
1340
1413
e.setAttribute("access", prop._dbus_access)
1341
1414
return e
1342
1415
1343
1416
for if_tag in document.getElementsByTagName("interface"):
1344
1417
# Add property tags
1345
1418
for tag in (make_tag(document, name, prop)
1392
1465
except AttributeError:
1393
1466
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1394
1467
1468
1395
1469
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1396
1470
"""A D-Bus object with an ObjectManager.
1397
1471
1398
1472
Classes inheriting from this exposes the standard
1399
1473
GetManagedObjects call and the InterfacesAdded and
1400
1474
InterfacesRemoved signals on the standard
1401
1475
"org.freedesktop.DBus.ObjectManager" interface.
1402
1476
1403
1477
Note: No signals are sent automatically; they must be sent
1404
1478
manually.
1405
1479
"""
1406
1480
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1407
out_signature = "a{oa{sa{sv}}}")
1481
out_signature="a{oa{sa{sv}}}")
1408
1482
def GetManagedObjects(self):
1409
1483
"""This function must be overridden"""
1410
1484
raise NotImplementedError()
1411
1485
1412
1486
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1413
signature = "oa{sa{sv}}")
1487
signature="oa{sa{sv}}")
1414
1488
def InterfacesAdded(self, object_path, interfaces_and_properties):
1415
1489
pass
1416
1417
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1490
1491
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1418
1492
def InterfacesRemoved(self, object_path, interfaces):
1419
1493
pass
1420
1494
1421
1495
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1422
out_signature = "s",
1423
path_keyword = 'object_path',
1424
connection_keyword = 'connection')
1496
out_signature="s",
1497
path_keyword='object_path',
1498
connection_keyword='connection')
1425
1499
def Introspect(self, object_path, connection):
1426
1500
"""Overloading of standard D-Bus method.
1427
1501
1428
1502
Override return argument name of GetManagedObjects to be
1429
1503
"objpath_interfaces_and_properties"
1430
1504
"""
1433
1507
connection)
1434
1508
try:
1435
1509
document = xml.dom.minidom.parseString(xmlstring)
1436
1510
1437
1511
for if_tag in document.getElementsByTagName("interface"):
1438
1512
# Fix argument name for the GetManagedObjects method
1439
1513
if (if_tag.getAttribute("name")
1440
== dbus.OBJECT_MANAGER_IFACE):
1514
== dbus.OBJECT_MANAGER_IFACE):
1441
1515
for cn in if_tag.getElementsByTagName("method"):
1442
1516
if (cn.getAttribute("name")
1443
1517
== "GetManagedObjects"):
1453
1527
except (AttributeError, xml.dom.DOMException,
1454
1528
xml.parsers.expat.ExpatError) as error:
1455
1529
logger.error("Failed to override Introspection method",
1456
exc_info = error)
1530
exc_info=error)
1457
1531
return xmlstring
1458
1532
1533
1459
1534
def datetime_to_dbus(dt, variant_level=0):
1460
1535
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1461
1536
if dt is None:
1462
return dbus.String("", variant_level = variant_level)
1537
return dbus.String("", variant_level=variant_level)
1463
1538
return dbus.String(dt.isoformat(), variant_level=variant_level)
1464
1539
1465
1540
1468
1543
dbus.service.Object, it will add alternate D-Bus attributes with
1469
1544
interface names according to the "alt_interface_names" mapping.
1470
1545
Usage:
1471
1546
1472
1547
@alternate_dbus_interfaces({"org.example.Interface":
1473
1548
"net.example.AlternateInterface"})
1474
1549
class SampleDBusObject(dbus.service.Object):
1475
1550
@dbus.service.method("org.example.Interface")
1476
1551
def SampleDBusMethod():
1477
1552
pass
1478
1553
1479
1554
The above "SampleDBusMethod" on "SampleDBusObject" will be
1480
1555
reachable via two interfaces: "org.example.Interface" and
1481
1556
"net.example.AlternateInterface", the latter of which will have
1482
1557
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1483
1558
"true", unless "deprecate" is passed with a False value.
1484
1559
1485
1560
This works for methods and signals, and also for D-Bus properties
1486
1561
(from DBusObjectWithProperties) and interfaces (from the
1487
1562
dbus_interface_annotations decorator).
1488
1563
"""
1489
1564
1490
1565
def wrapper(cls):
1491
1566
for orig_interface_name, alt_interface_name in (
1492
1567
alt_interface_names.items()):
1507
1582
interface_names.add(alt_interface)
1508
1583
# Is this a D-Bus signal?
1509
1584
if getattr(attribute, "_dbus_is_signal", False):
1585
# Extract the original non-method undecorated
1586
# function by black magic
1510
1587
if sys.version_info.major == 2:
1511
# Extract the original non-method undecorated
1512
# function by black magic
1513
1588
nonmethod_func = (dict(
1514
1589
zip(attribute.func_code.co_freevars,
1515
1590
attribute.__closure__))
1516
1591
["func"].cell_contents)
1517
1592
else:
1518
nonmethod_func = attribute
1593
nonmethod_func = (dict(
1594
zip(attribute.__code__.co_freevars,
1595
attribute.__closure__))
1596
["func"].cell_contents)
1519
1597
# Create a new, but exactly alike, function
1520
1598
# object, and decorate it to be a new D-Bus signal
1521
1599
# with the alternate D-Bus interface name
1522
if sys.version_info.major == 2:
1523
new_function = types.FunctionType(
1524
nonmethod_func.func_code,
1525
nonmethod_func.func_globals,
1526
nonmethod_func.func_name,
1527
nonmethod_func.func_defaults,
1528
nonmethod_func.func_closure)
1529
else:
1530
new_function = types.FunctionType(
1531
nonmethod_func.__code__,
1532
nonmethod_func.__globals__,
1533
nonmethod_func.__name__,
1534
nonmethod_func.__defaults__,
1535
nonmethod_func.__closure__)
1600
new_function = copy_function(nonmethod_func)
1536
1601
new_function = (dbus.service.signal(
1537
1602
alt_interface,
1538
1603
attribute._dbus_signature)(new_function))
1542
1607
attribute._dbus_annotations)
1543
1608
except AttributeError:
1544
1609
pass
1610
1545
1611
# Define a creator of a function to call both the
1546
1612
# original and alternate functions, so both the
1547
1613
# original and alternate signals gets sent when
1550
1616
"""This function is a scope container to pass
1551
1617
func1 and func2 to the "call_both" function
1552
1618
outside of its arguments"""
1553
1619
1554
1620
@functools.wraps(func2)
1555
1621
def call_both(*args, **kwargs):
1556
1622
"""This function will emit two D-Bus
1557
1623
signals by calling func1 and func2"""
1558
1624
func1(*args, **kwargs)
1559
1625
func2(*args, **kwargs)
1560
# Make wrapper function look like a D-Bus signal
1626
# Make wrapper function look like a D-Bus
1627
# signal
1561
1628
for name, attr in inspect.getmembers(func2):
1562
1629
if name.startswith("_dbus_"):
1563
1630
setattr(call_both, name, attr)
1564
1631
1565
1632
return call_both
1566
1633
# Create the "call_both" function and add it to
1567
1634
# the class
1577
1644
alt_interface,
1578
1645
attribute._dbus_in_signature,
1579
1646
attribute._dbus_out_signature)
1580
(types.FunctionType(attribute.func_code,
1581
attribute.func_globals,
1582
attribute.func_name,
1583
attribute.func_defaults,
1584
attribute.func_closure)))
1647
(copy_function(attribute)))
1585
1648
# Copy annotations, if any
1586
1649
try:
1587
1650
attr[attrname]._dbus_annotations = dict(
1599
1662
attribute._dbus_access,
1600
1663
attribute._dbus_get_args_options
1601
1664
["byte_arrays"])
1602
(types.FunctionType(
1603
attribute.func_code,
1604
attribute.func_globals,
1605
attribute.func_name,
1606
attribute.func_defaults,
1607
attribute.func_closure)))
1665
(copy_function(attribute)))
1608
1666
# Copy annotations, if any
1609
1667
try:
1610
1668
attr[attrname]._dbus_annotations = dict(
1619
1677
# to the class.
1620
1678
attr[attrname] = (
1621
1679
dbus_interface_annotations(alt_interface)
1622
(types.FunctionType(attribute.func_code,
1623
attribute.func_globals,
1624
attribute.func_name,
1625
attribute.func_defaults,
1626
attribute.func_closure)))
1680
(copy_function(attribute)))
1627
1681
if deprecate:
1628
1682
# Deprecate all alternate interfaces
1629
iname="_AlternateDBusNames_interface_annotation{}"
1683
iname = "_AlternateDBusNames_interface_annotation{}"
1630
1684
for interface_name in interface_names:
1631
1685
1632
1686
@dbus_interface_annotations(interface_name)
1633
1687
def func(self):
1634
return { "org.freedesktop.DBus.Deprecated":
1635
"true" }
1688
return {"org.freedesktop.DBus.Deprecated":
1689
"true"}
1636
1690
# Find an unused name
1637
1691
for aname in (iname.format(i)
1638
1692
for i in itertools.count()):
1642
1696
if interface_names:
1643
1697
# Replace the class with a new subclass of it with
1644
1698
# methods, signals, etc. as created above.
1645
cls = type(b"{}Alternate".format(cls.__name__),
1646
(cls, ), attr)
1699
if sys.version_info.major == 2:
1700
cls = type(b"{}Alternate".format(cls.__name__),
1701
(cls, ), attr)
1702
else:
1703
cls = type("{}Alternate".format(cls.__name__),
1704
(cls, ), attr)
1647
1705
return cls
1648
1706
1649
1707
return wrapper
1650
1708
1651
1709
1653
1711
"se.bsnet.fukt.Mandos"})
1654
1712
class ClientDBus(Client, DBusObjectWithProperties):
1655
1713
"""A Client class using D-Bus
1656
1714
1657
1715
Attributes:
1658
1716
dbus_object_path: dbus.ObjectPath
1659
1717
bus: dbus.SystemBus()
1660
1718
"""
1661
1719
1662
1720
runtime_expansions = (Client.runtime_expansions
1663
1721
+ ("dbus_object_path", ))
1664
1722
1665
1723
_interface = "se.recompile.Mandos.Client"
1666
1724
1667
1725
# dbus.service.Object doesn't use super(), so we can't either.
1668
1669
def __init__(self, bus = None, *args, **kwargs):
1726
1727
def __init__(self, bus=None, *args, **kwargs):
1670
1728
self.bus = bus
1671
1729
Client.__init__(self, *args, **kwargs)
1672
1730
# Only now, when this client is initialized, can it show up on
1678
1736
"/clients/" + client_object_name)
1679
1737
DBusObjectWithProperties.__init__(self, self.bus,
1680
1738
self.dbus_object_path)
1681
1739
1682
1740
def notifychangeproperty(transform_func, dbus_name,
1683
1741
type_func=lambda x: x,
1684
1742
variant_level=1,
1686
1744
_interface=_interface):
1687
1745
""" Modify a variable so that it's a property which announces
1688
1746
its changes to DBus.
1689
1747
1690
1748
transform_fun: Function that takes a value and a variant_level
1691
1749
and transforms it to a D-Bus type.
1692
1750
dbus_name: D-Bus name of the variable
1695
1753
variant_level: D-Bus variant level. Default: 1
1696
1754
"""
1697
1755
attrname = "_{}".format(dbus_name)
1698
1756
1699
1757
def setter(self, value):
1700
1758
if hasattr(self, "dbus_object_path"):
1701
1759
if (not hasattr(self, attrname) or
1708
1766
else:
1709
1767
dbus_value = transform_func(
1710
1768
type_func(value),
1711
variant_level = variant_level)
1769
variant_level=variant_level)
1712
1770
self.PropertyChanged(dbus.String(dbus_name),
1713
1771
dbus_value)
1714
1772
self.PropertiesChanged(
1715
1773
_interface,
1716
dbus.Dictionary({ dbus.String(dbus_name):
1717
dbus_value }),
1774
dbus.Dictionary({dbus.String(dbus_name):
1775
dbus_value}),
1718
1776
dbus.Array())
1719
1777
setattr(self, attrname, value)
1720
1778
1721
1779
return property(lambda self: getattr(self, attrname), setter)
1722
1780
1723
1781
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1724
1782
approvals_pending = notifychangeproperty(dbus.Boolean,
1725
1783
"ApprovalPending",
1726
type_func = bool)
1784
type_func=bool)
1727
1785
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1728
1786
last_enabled = notifychangeproperty(datetime_to_dbus,
1729
1787
"LastEnabled")
1730
1788
checker = notifychangeproperty(
1731
1789
dbus.Boolean, "CheckerRunning",
1732
type_func = lambda checker: checker is not None)
1790
type_func=lambda checker: checker is not None)
1733
1791
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1734
1792
"LastCheckedOK")
1735
1793
last_checker_status = notifychangeproperty(dbus.Int16,
1740
1798
"ApprovedByDefault")
1741
1799
approval_delay = notifychangeproperty(
1742
1800
dbus.UInt64, "ApprovalDelay",
1743
type_func = lambda td: td.total_seconds() * 1000)
1801
type_func=lambda td: td.total_seconds() * 1000)
1744
1802
approval_duration = notifychangeproperty(
1745
1803
dbus.UInt64, "ApprovalDuration",
1746
type_func = lambda td: td.total_seconds() * 1000)
1804
type_func=lambda td: td.total_seconds() * 1000)
1747
1805
host = notifychangeproperty(dbus.String, "Host")
1748
1806
timeout = notifychangeproperty(
1749
1807
dbus.UInt64, "Timeout",
1750
type_func = lambda td: td.total_seconds() * 1000)
1808
type_func=lambda td: td.total_seconds() * 1000)
1751
1809
extended_timeout = notifychangeproperty(
1752
1810
dbus.UInt64, "ExtendedTimeout",
1753
type_func = lambda td: td.total_seconds() * 1000)
1811
type_func=lambda td: td.total_seconds() * 1000)
1754
1812
interval = notifychangeproperty(
1755
1813
dbus.UInt64, "Interval",
1756
type_func = lambda td: td.total_seconds() * 1000)
1814
type_func=lambda td: td.total_seconds() * 1000)
1757
1815
checker_command = notifychangeproperty(dbus.String, "Checker")
1758
1816
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1759
1817
invalidate_only=True)
1760
1818
1761
1819
del notifychangeproperty
1762
1820
1763
1821
def __del__(self, *args, **kwargs):
1764
1822
try:
1765
1823
self.remove_from_connection()
1768
1826
if hasattr(DBusObjectWithProperties, "__del__"):
1769
1827
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1770
1828
Client.__del__(self, *args, **kwargs)
1771
1829
1772
1830
def checker_callback(self, source, condition,
1773
1831
connection, command, *args, **kwargs):
1774
1832
ret = Client.checker_callback(self, source, condition,
1790
1848
| self.last_checker_signal),
1791
1849
dbus.String(command))
1792
1850
return ret
1793
1851
1794
1852
def start_checker(self, *args, **kwargs):
1795
1853
old_checker_pid = getattr(self.checker, "pid", None)
1796
1854
r = Client.start_checker(self, *args, **kwargs)
1800
1858
# Emit D-Bus signal
1801
1859
self.CheckerStarted(self.current_checker_command)
1802
1860
return r
1803
1861
1804
1862
def _reset_approved(self):
1805
1863
self.approved = None
1806
1864
return False
1807
1865
1808
1866
def approve(self, value=True):
1809
1867
self.approved = value
1810
gobject.timeout_add(int(self.approval_duration.total_seconds()
1811
* 1000), self._reset_approved)
1868
GLib.timeout_add(int(self.approval_duration.total_seconds()
1869
* 1000), self._reset_approved)
1812
1870
self.send_changedstate()
1813
1814
## D-Bus methods, signals & properties
1815
1816
## Interfaces
1817
1818
## Signals
1819
1871
1872
# D-Bus methods, signals & properties
1873
1874
# Interfaces
1875
1876
# Signals
1877
1820
1878
# CheckerCompleted - signal
1821
1879
@dbus.service.signal(_interface, signature="nxs")
1822
1880
def CheckerCompleted(self, exitcode, waitstatus, command):
1823
1881
"D-Bus signal"
1824
1882
pass
1825
1883
1826
1884
# CheckerStarted - signal
1827
1885
@dbus.service.signal(_interface, signature="s")
1828
1886
def CheckerStarted(self, command):
1829
1887
"D-Bus signal"
1830
1888
pass
1831
1889
1832
1890
# PropertyChanged - signal
1833
1891
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1834
1892
@dbus.service.signal(_interface, signature="sv")
1835
1893
def PropertyChanged(self, property, value):
1836
1894
"D-Bus signal"
1837
1895
pass
1838
1896
1839
1897
# GotSecret - signal
1840
1898
@dbus.service.signal(_interface)
1841
1899
def GotSecret(self):
1844
1902
server to mandos-client
1845
1903
"""
1846
1904
pass
1847
1905
1848
1906
# Rejected - signal
1849
1907
@dbus.service.signal(_interface, signature="s")
1850
1908
def Rejected(self, reason):
1851
1909
"D-Bus signal"
1852
1910
pass
1853
1911
1854
1912
# NeedApproval - signal
1855
1913
@dbus.service.signal(_interface, signature="tb")
1856
1914
def NeedApproval(self, timeout, default):
1857
1915
"D-Bus signal"
1858
1916
return self.need_approval()
1859
1860
## Methods
1861
1917
1918
# Methods
1919
1862
1920
# Approve - method
1863
1921
@dbus.service.method(_interface, in_signature="b")
1864
1922
def Approve(self, value):
1865
1923
self.approve(value)
1866
1924
1867
1925
# CheckedOK - method
1868
1926
@dbus.service.method(_interface)
1869
1927
def CheckedOK(self):
1870
1928
self.checked_ok()
1871
1929
1872
1930
# Enable - method
1873
1931
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1874
1932
@dbus.service.method(_interface)
1875
1933
def Enable(self):
1876
1934
"D-Bus method"
1877
1935
self.enable()
1878
1936
1879
1937
# StartChecker - method
1880
1938
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1881
1939
@dbus.service.method(_interface)
1882
1940
def StartChecker(self):
1883
1941
"D-Bus method"
1884
1942
self.start_checker()
1885
1943
1886
1944
# Disable - method
1887
1945
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1888
1946
@dbus.service.method(_interface)
1889
1947
def Disable(self):
1890
1948
"D-Bus method"
1891
1949
self.disable()
1892
1950
1893
1951
# StopChecker - method
1894
1952
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1895
1953
@dbus.service.method(_interface)
1896
1954
def StopChecker(self):
1897
1955
self.stop_checker()
1898
1899
## Properties
1900
1956
1957
# Properties
1958
1901
1959
# ApprovalPending - property
1902
1960
@dbus_service_property(_interface, signature="b", access="read")
1903
1961
def ApprovalPending_dbus_property(self):
1904
1962
return dbus.Boolean(bool(self.approvals_pending))
1905
1963
1906
1964
# ApprovedByDefault - property
1907
1965
@dbus_service_property(_interface,
1908
1966
signature="b",
1911
1969
if value is None: # get
1912
1970
return dbus.Boolean(self.approved_by_default)
1913
1971
self.approved_by_default = bool(value)
1914
1972
1915
1973
# ApprovalDelay - property
1916
1974
@dbus_service_property(_interface,
1917
1975
signature="t",
1921
1979
return dbus.UInt64(self.approval_delay.total_seconds()
1922
1980
* 1000)
1923
1981
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1924
1982
1925
1983
# ApprovalDuration - property
1926
1984
@dbus_service_property(_interface,
1927
1985
signature="t",
1931
1989
return dbus.UInt64(self.approval_duration.total_seconds()
1932
1990
* 1000)
1933
1991
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1934
1992
1935
1993
# Name - property
1936
1994
@dbus_annotations(
1937
1995
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1938
1996
@dbus_service_property(_interface, signature="s", access="read")
1939
1997
def Name_dbus_property(self):
1940
1998
return dbus.String(self.name)
1941
1999
1942
2000
# Fingerprint - property
1943
2001
@dbus_annotations(
1944
2002
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1945
2003
@dbus_service_property(_interface, signature="s", access="read")
1946
2004
def Fingerprint_dbus_property(self):
1947
2005
return dbus.String(self.fingerprint)
1948
2006
1949
2007
# Host - property
1950
2008
@dbus_service_property(_interface,
1951
2009
signature="s",
1954
2012
if value is None: # get
1955
2013
return dbus.String(self.host)
1956
2014
self.host = str(value)
1957
2015
1958
2016
# Created - property
1959
2017
@dbus_annotations(
1960
2018
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1961
2019
@dbus_service_property(_interface, signature="s", access="read")
1962
2020
def Created_dbus_property(self):
1963
2021
return datetime_to_dbus(self.created)
1964
2022
1965
2023
# LastEnabled - property
1966
2024
@dbus_service_property(_interface, signature="s", access="read")
1967
2025
def LastEnabled_dbus_property(self):
1968
2026
return datetime_to_dbus(self.last_enabled)
1969
2027
1970
2028
# Enabled - property
1971
2029
@dbus_service_property(_interface,
1972
2030
signature="b",
1978
2036
self.enable()
1979
2037
else:
1980
2038
self.disable()
1981
2039
1982
2040
# LastCheckedOK - property
1983
2041
@dbus_service_property(_interface,
1984
2042
signature="s",
1988
2046
self.checked_ok()
1989
2047
return
1990
2048
return datetime_to_dbus(self.last_checked_ok)
1991
2049
1992
2050
# LastCheckerStatus - property
1993
2051
@dbus_service_property(_interface, signature="n", access="read")
1994
2052
def LastCheckerStatus_dbus_property(self):
1995
2053
return dbus.Int16(self.last_checker_status)
1996
2054
1997
2055
# Expires - property
1998
2056
@dbus_service_property(_interface, signature="s", access="read")
1999
2057
def Expires_dbus_property(self):
2000
2058
return datetime_to_dbus(self.expires)
2001
2059
2002
2060
# LastApprovalRequest - property
2003
2061
@dbus_service_property(_interface, signature="s", access="read")
2004
2062
def LastApprovalRequest_dbus_property(self):
2005
2063
return datetime_to_dbus(self.last_approval_request)
2006
2064
2007
2065
# Timeout - property
2008
2066
@dbus_service_property(_interface,
2009
2067
signature="t",
2024
2082
if (getattr(self, "disable_initiator_tag", None)
2025
2083
is None):
2026
2084
return
2027
gobject.source_remove(self.disable_initiator_tag)
2028
self.disable_initiator_tag = gobject.timeout_add(
2085
GLib.source_remove(self.disable_initiator_tag)
2086
self.disable_initiator_tag = GLib.timeout_add(
2029
2087
int((self.expires - now).total_seconds() * 1000),
2030
2088
self.disable)
2031
2089
2032
2090
# ExtendedTimeout - property
2033
2091
@dbus_service_property(_interface,
2034
2092
signature="t",
2038
2096
return dbus.UInt64(self.extended_timeout.total_seconds()
2039
2097
* 1000)
2040
2098
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2041
2099
2042
2100
# Interval - property
2043
2101
@dbus_service_property(_interface,
2044
2102
signature="t",
2051
2109
return
2052
2110
if self.enabled:
2053
2111
# Reschedule checker run
2054
gobject.source_remove(self.checker_initiator_tag)
2055
self.checker_initiator_tag = gobject.timeout_add(
2112
GLib.source_remove(self.checker_initiator_tag)
2113
self.checker_initiator_tag = GLib.timeout_add(
2056
2114
value, self.start_checker)
2057
self.start_checker() # Start one now, too
2058
2115
self.start_checker() # Start one now, too
2116
2059
2117
# Checker - property
2060
2118
@dbus_service_property(_interface,
2061
2119
signature="s",
2064
2122
if value is None: # get
2065
2123
return dbus.String(self.checker_command)
2066
2124
self.checker_command = str(value)
2067
2125
2068
2126
# CheckerRunning - property
2069
2127
@dbus_service_property(_interface,
2070
2128
signature="b",
2076
2134
self.start_checker()
2077
2135
else:
2078
2136
self.stop_checker()
2079
2137
2080
2138
# ObjectPath - property
2081
2139
@dbus_annotations(
2082
2140
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2083
2141
"org.freedesktop.DBus.Deprecated": "true"})
2084
2142
@dbus_service_property(_interface, signature="o", access="read")
2085
2143
def ObjectPath_dbus_property(self):
2086
return self.dbus_object_path # is already a dbus.ObjectPath
2087
2144
return self.dbus_object_path # is already a dbus.ObjectPath
2145
2088
2146
# Secret = property
2089
2147
@dbus_annotations(
2090
2148
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2095
2153
byte_arrays=True)
2096
2154
def Secret_dbus_property(self, value):
2097
2155
self.secret = bytes(value)
2098
2156
2099
2157
del _interface
2100
2158
2101
2159
2105
2163
self._pipe.send(('init', fpr, address))
2106
2164
if not self._pipe.recv():
2107
2165
raise KeyError(fpr)
2108
2166
2109
2167
def __getattribute__(self, name):
2110
2168
if name == '_pipe':
2111
2169
return super(ProxyClient, self).__getattribute__(name)
2114
2172
if data[0] == 'data':
2115
2173
return data[1]
2116
2174
if data[0] == 'function':
2117
2175
2118
2176
def func(*args, **kwargs):
2119
2177
self._pipe.send(('funcall', name, args, kwargs))
2120
2178
return self._pipe.recv()[1]
2121
2179
2122
2180
return func
2123
2181
2124
2182
def __setattr__(self, name, value):
2125
2183
if name == '_pipe':
2126
2184
return super(ProxyClient, self).__setattr__(name, value)
2129
2187
2130
2188
class ClientHandler(socketserver.BaseRequestHandler, object):
2131
2189
"""A class to handle client connections.
2132
2190
2133
2191
Instantiated once for each connection to handle it.
2134
2192
Note: This will run in its own forked process."""
2135
2193
2136
2194
def handle(self):
2137
2195
with contextlib.closing(self.server.child_pipe) as child_pipe:
2138
2196
logger.info("TCP connection from: %s",
2139
2197
str(self.client_address))
2140
2198
logger.debug("Pipe FD: %d",
2141
2199
self.server.child_pipe.fileno())
2142
2200
2143
2201
session = gnutls.ClientSession(self.request)
2144
2145
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2146
# "+AES-256-CBC", "+SHA1",
2147
# "+COMP-NULL", "+CTYPE-OPENPGP",
2148
# "+DHE-DSS"))
2202
2203
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2204
# "+AES-256-CBC", "+SHA1",
2205
# "+COMP-NULL", "+CTYPE-OPENPGP",
2206
# "+DHE-DSS"))
2149
2207
# Use a fallback default, since this MUST be set.
2150
2208
priority = self.server.gnutls_priority
2151
2209
if priority is None:
2152
2210
priority = "NORMAL"
2153
gnutls.priority_set_direct(session._c_object, priority,
2211
gnutls.priority_set_direct(session._c_object,
2212
priority.encode("utf-8"),
2154
2213
None)
2155
2214
2156
2215
# Start communication using the Mandos protocol
2157
2216
# Get protocol number
2158
2217
line = self.request.makefile().readline()
2163
2222
except (ValueError, IndexError, RuntimeError) as error:
2164
2223
logger.error("Unknown protocol version: %s", error)
2165
2224
return
2166
2225
2167
2226
# Start GnuTLS connection
2168
2227
try:
2169
2228
session.handshake()
2173
2232
# established. Just abandon the request.
2174
2233
return
2175
2234
logger.debug("Handshake succeeded")
2176
2235
2177
2236
approval_required = False
2178
2237
try:
2179
2238
try:
2183
2242
logger.warning("Bad certificate: %s", error)
2184
2243
return
2185
2244
logger.debug("Fingerprint: %s", fpr)
2186
2245
2187
2246
try:
2188
2247
client = ProxyClient(child_pipe, fpr,
2189
2248
self.client_address)
2190
2249
except KeyError:
2191
2250
return
2192
2251
2193
2252
if client.approval_delay:
2194
2253
delay = client.approval_delay
2195
2254
client.approvals_pending += 1
2196
2255
approval_required = True
2197
2256
2198
2257
while True:
2199
2258
if not client.enabled:
2200
2259
logger.info("Client %s is disabled",
2203
2262
# Emit D-Bus signal
2204
2263
client.Rejected("Disabled")
2205
2264
return
2206
2265
2207
2266
if client.approved or not client.approval_delay:
2208
#We are approved or approval is disabled
2267
# We are approved or approval is disabled
2209
2268
break
2210
2269
elif client.approved is None:
2211
2270
logger.info("Client %s needs approval",
2222
2281
# Emit D-Bus signal
2223
2282
client.Rejected("Denied")
2224
2283
return
2225
2226
#wait until timeout or approved
2284
2285
# wait until timeout or approved
2227
2286
time = datetime.datetime.now()
2228
2287
client.changedstate.acquire()
2229
2288
client.changedstate.wait(delay.total_seconds())
2242
2301
break
2243
2302
else:
2244
2303
delay -= time2 - time
2245
2304
2246
2305
try:
2247
2306
session.send(client.secret)
2248
2307
except gnutls.Error as error:
2249
2308
logger.warning("gnutls send failed",
2250
exc_info = error)
2309
exc_info=error)
2251
2310
return
2252
2311
2253
2312
logger.info("Sending secret to %s", client.name)
2254
2313
# bump the timeout using extended_timeout
2255
2314
client.bump_timeout(client.extended_timeout)
2256
2315
if self.server.use_dbus:
2257
2316
# Emit D-Bus signal
2258
2317
client.GotSecret()
2259
2318
2260
2319
finally:
2261
2320
if approval_required:
2262
2321
client.approvals_pending -= 1
2265
2324
except gnutls.Error as error:
2266
2325
logger.warning("GnuTLS bye failed",
2267
2326
exc_info=error)
2268
2327
2269
2328
@staticmethod
2270
2329
def peer_certificate(session):
2271
2330
"Return the peer's OpenPGP certificate as a bytestring"
2283
2342
return None
2284
2343
cert = cert_list[0]
2285
2344
return ctypes.string_at(cert.data, cert.size)
2286
2345
2287
2346
@staticmethod
2288
2347
def fingerprint(openpgp):
2289
2348
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2322
2381
2323
2382
class MultiprocessingMixIn(object):
2324
2383
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2325
2384
2326
2385
def sub_process_main(self, request, address):
2327
2386
try:
2328
2387
self.finish_request(request, address)
2329
2388
except Exception:
2330
2389
self.handle_error(request, address)
2331
2390
self.close_request(request)
2332
2391
2333
2392
def process_request(self, request, address):
2334
2393
"""Start a new process to process the request."""
2335
proc = multiprocessing.Process(target = self.sub_process_main,
2336
args = (request, address))
2394
proc = multiprocessing.Process(target=self.sub_process_main,
2395
args=(request, address))
2337
2396
proc.start()
2338
2397
return proc
2339
2398
2340
2399
2341
2400
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2342
2401
""" adds a pipe to the MixIn """
2343
2402
2344
2403
def process_request(self, request, client_address):
2345
2404
"""Overrides and wraps the original process_request().
2346
2405
2347
2406
This function creates a new pipe in self.pipe
2348
2407
"""
2349
2408
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2350
2409
2351
2410
proc = MultiprocessingMixIn.process_request(self, request,
2352
2411
client_address)
2353
2412
self.child_pipe.close()
2354
2413
self.add_pipe(parent_pipe, proc)
2355
2414
2356
2415
def add_pipe(self, parent_pipe, proc):
2357
2416
"""Dummy function; override as necessary"""
2358
2417
raise NotImplementedError()
2361
2420
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2362
2421
socketserver.TCPServer, object):
2363
2422
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2364
2423
2365
2424
Attributes:
2366
2425
enabled: Boolean; whether this server is activated yet
2367
2426
interface: None or a network interface name (string)
2368
2427
use_ipv6: Boolean; to use IPv6 or not
2369
2428
"""
2370
2429
2371
2430
def __init__(self, server_address, RequestHandlerClass,
2372
2431
interface=None,
2373
2432
use_ipv6=True,
2383
2442
self.socketfd = socketfd
2384
2443
# Save the original socket.socket() function
2385
2444
self.socket_socket = socket.socket
2445
2386
2446
# To implement --socket, we monkey patch socket.socket.
2387
#
2447
#
2388
2448
# (When socketserver.TCPServer is a new-style class, we
2389
2449
# could make self.socket into a property instead of monkey
2390
2450
# patching socket.socket.)
2391
#
2451
#
2392
2452
# Create a one-time-only replacement for socket.socket()
2393
2453
@functools.wraps(socket.socket)
2394
2454
def socket_wrapper(*args, **kwargs):
2406
2466
# socket_wrapper(), if socketfd was set.
2407
2467
socketserver.TCPServer.__init__(self, server_address,
2408
2468
RequestHandlerClass)
2409
2469
2410
2470
def server_bind(self):
2411
2471
"""This overrides the normal server_bind() function
2412
2472
to bind to an interface if one was specified, and also NOT to
2413
2473
bind to an address or port if they were not specified."""
2474
global SO_BINDTODEVICE
2414
2475
if self.interface is not None:
2415
2476
if SO_BINDTODEVICE is None:
2416
logger.error("SO_BINDTODEVICE does not exist;"
2417
" cannot bind to interface %s",
2418
self.interface)
2419
else:
2420
try:
2421
self.socket.setsockopt(
2422
socket.SOL_SOCKET, SO_BINDTODEVICE,
2423
(self.interface + "\0").encode("utf-8"))
2424
except socket.error as error:
2425
if error.errno == errno.EPERM:
2426
logger.error("No permission to bind to"
2427
" interface %s", self.interface)
2428
elif error.errno == errno.ENOPROTOOPT:
2429
logger.error("SO_BINDTODEVICE not available;"
2430
" cannot bind to interface %s",
2431
self.interface)
2432
elif error.errno == errno.ENODEV:
2433
logger.error("Interface %s does not exist,"
2434
" cannot bind", self.interface)
2435
else:
2436
raise
2477
# Fall back to a hard-coded value which seems to be
2478
# common enough.
2479
logger.warning("SO_BINDTODEVICE not found, trying 25")
2480
SO_BINDTODEVICE = 25
2481
try:
2482
self.socket.setsockopt(
2483
socket.SOL_SOCKET, SO_BINDTODEVICE,
2484
(self.interface + "\0").encode("utf-8"))
2485
except socket.error as error:
2486
if error.errno == errno.EPERM:
2487
logger.error("No permission to bind to"
2488
" interface %s", self.interface)
2489
elif error.errno == errno.ENOPROTOOPT:
2490
logger.error("SO_BINDTODEVICE not available;"
2491
" cannot bind to interface %s",
2492
self.interface)
2493
elif error.errno == errno.ENODEV:
2494
logger.error("Interface %s does not exist,"
2495
" cannot bind", self.interface)
2496
else:
2497
raise
2437
2498
# Only bind(2) the socket if we really need to.
2438
2499
if self.server_address[0] or self.server_address[1]:
2439
2500
if not self.server_address[0]:
2440
2501
if self.address_family == socket.AF_INET6:
2441
any_address = "::" # in6addr_any
2502
any_address = "::" # in6addr_any
2442
2503
else:
2443
any_address = "0.0.0.0" # INADDR_ANY
2504
any_address = "0.0.0.0" # INADDR_ANY
2444
2505
self.server_address = (any_address,
2445
2506
self.server_address[1])
2446
2507
elif not self.server_address[1]:
2456
2517
2457
2518
class MandosServer(IPv6_TCPServer):
2458
2519
"""Mandos server.
2459
2520
2460
2521
Attributes:
2461
2522
clients: set of Client objects
2462
2523
gnutls_priority GnuTLS priority string
2463
2524
use_dbus: Boolean; to emit D-Bus signals or not
2464
2465
Assumes a gobject.MainLoop event loop.
2525
2526
Assumes a GLib.MainLoop event loop.
2466
2527
"""
2467
2528
2468
2529
def __init__(self, server_address, RequestHandlerClass,
2469
2530
interface=None,
2470
2531
use_ipv6=True,
2480
2541
self.gnutls_priority = gnutls_priority
2481
2542
IPv6_TCPServer.__init__(self, server_address,
2482
2543
RequestHandlerClass,
2483
interface = interface,
2484
use_ipv6 = use_ipv6,
2485
socketfd = socketfd)
2486
2544
interface=interface,
2545
use_ipv6=use_ipv6,
2546
socketfd=socketfd)
2547
2487
2548
def server_activate(self):
2488
2549
if self.enabled:
2489
2550
return socketserver.TCPServer.server_activate(self)
2490
2551
2491
2552
def enable(self):
2492
2553
self.enabled = True
2493
2554
2494
2555
def add_pipe(self, parent_pipe, proc):
2495
2556
# Call "handle_ipc" for both data and EOF events
2496
gobject.io_add_watch(
2557
GLib.io_add_watch(
2497
2558
parent_pipe.fileno(),
2498
gobject.IO_IN | gobject.IO_HUP,
2559
GLib.IO_IN | GLib.IO_HUP,
2499
2560
functools.partial(self.handle_ipc,
2500
parent_pipe = parent_pipe,
2501
proc = proc))
2502
2561
parent_pipe=parent_pipe,
2562
proc=proc))
2563
2503
2564
def handle_ipc(self, source, condition,
2504
2565
parent_pipe=None,
2505
proc = None,
2566
proc=None,
2506
2567
client_object=None):
2507
2568
# error, or the other end of multiprocessing.Pipe has closed
2508
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2569
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2509
2570
# Wait for other process to exit
2510
2571
proc.join()
2511
2572
return False
2512
2573
2513
2574
# Read a request from the child
2514
2575
request = parent_pipe.recv()
2515
2576
command = request[0]
2516
2577
2517
2578
if command == 'init':
2518
2579
fpr = request[1]
2519
2580
address = request[2]
2520
2521
for c in self.clients.itervalues():
2581
2582
for c in self.clients.values():
2522
2583
if c.fingerprint == fpr:
2523
2584
client = c
2524
2585
break
2531
2592
address[0])
2532
2593
parent_pipe.send(False)
2533
2594
return False
2534
2535
gobject.io_add_watch(
2595
2596
GLib.io_add_watch(
2536
2597
parent_pipe.fileno(),
2537
gobject.IO_IN | gobject.IO_HUP,
2598
GLib.IO_IN | GLib.IO_HUP,
2538
2599
functools.partial(self.handle_ipc,
2539
parent_pipe = parent_pipe,
2540
proc = proc,
2541
client_object = client))
2600
parent_pipe=parent_pipe,
2601
proc=proc,
2602
client_object=client))
2542
2603
parent_pipe.send(True)
2543
2604
# remove the old hook in favor of the new above hook on
2544
2605
# same fileno
2547
2608
funcname = request[1]
2548
2609
args = request[2]
2549
2610
kwargs = request[3]
2550
2611
2551
2612
parent_pipe.send(('data', getattr(client_object,
2552
2613
funcname)(*args,
2553
2614
**kwargs)))
2554
2615
2555
2616
if command == 'getattr':
2556
2617
attrname = request[1]
2557
2618
if isinstance(client_object.__getattribute__(attrname),
2560
2621
else:
2561
2622
parent_pipe.send((
2562
2623
'data', client_object.__getattribute__(attrname)))
2563
2624
2564
2625
if command == 'setattr':
2565
2626
attrname = request[1]
2566
2627
value = request[2]
2567
2628
setattr(client_object, attrname, value)
2568
2629
2569
2630
return True
2570
2631
2571
2632
2572
2633
def rfc3339_duration_to_delta(duration):
2573
2634
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2574
2635
2575
2636
>>> rfc3339_duration_to_delta("P7D")
2576
2637
datetime.timedelta(7)
2577
2638
>>> rfc3339_duration_to_delta("PT60S")
2587
2648
>>> rfc3339_duration_to_delta("P1DT3M20S")
2588
2649
datetime.timedelta(1, 200)
2589
2650
"""
2590
2651
2591
2652
# Parsing an RFC 3339 duration with regular expressions is not
2592
2653
# possible - there would have to be multiple places for the same
2593
2654
# values, like seconds. The current code, while more esoteric, is
2594
2655
# cleaner without depending on a parsing library. If Python had a
2595
2656
# built-in library for parsing we would use it, but we'd like to
2596
2657
# avoid excessive use of external libraries.
2597
2658
2598
2659
# New type for defining tokens, syntax, and semantics all-in-one
2599
2660
Token = collections.namedtuple("Token", (
2600
2661
"regexp", # To match token; if "value" is not None, must have
2633
2694
frozenset((token_year, token_month,
2634
2695
token_day, token_time,
2635
2696
token_week)))
2636
# Define starting values
2637
value = datetime.timedelta() # Value so far
2697
# Define starting values:
2698
# Value so far
2699
value = datetime.timedelta()
2638
2700
found_token = None
2639
followers = frozenset((token_duration, )) # Following valid tokens
2640
s = duration # String left to parse
2701
# Following valid tokens
2702
followers = frozenset((token_duration, ))
2703
# String left to parse
2704
s = duration
2641
2705
# Loop until end token is found
2642
2706
while found_token is not token_end:
2643
2707
# Search for any currently valid tokens
2667
2731
2668
2732
def string_to_delta(interval):
2669
2733
"""Parse a string and return a datetime.timedelta
2670
2734
2671
2735
>>> string_to_delta('7d')
2672
2736
datetime.timedelta(7)
2673
2737
>>> string_to_delta('60s')
2681
2745
>>> string_to_delta('5m 30s')
2682
2746
datetime.timedelta(0, 330)
2683
2747
"""
2684
2748
2685
2749
try:
2686
2750
return rfc3339_duration_to_delta(interval)
2687
2751
except ValueError:
2688
2752
pass
2689
2753
2690
2754
timevalue = datetime.timedelta(0)
2691
2755
for s in interval.split():
2692
2756
try:
2710
2774
return timevalue
2711
2775
2712
2776
2713
def daemon(nochdir = False, noclose = False):
2777
def daemon(nochdir=False, noclose=False):
2714
2778
"""See daemon(3). Standard BSD Unix function.
2715
2779
2716
2780
This should really exist as os.daemon, but it doesn't (yet)."""
2717
2781
if os.fork():
2718
2782
sys.exit()
2736
2800
2737
2801
2738
2802
def main():
2739
2803
2740
2804
##################################################################
2741
2805
# Parsing of options, both command line and config file
2742
2806
2743
2807
parser = argparse.ArgumentParser()
2744
2808
parser.add_argument("-v", "--version", action="version",
2745
version = "%(prog)s {}".format(version),
2809
version="%(prog)s {}".format(version),
2746
2810
help="show version number and exit")
2747
2811
parser.add_argument("-i", "--interface", metavar="IF",
2748
2812
help="Bind to interface IF")
2784
2848
parser.add_argument("--no-zeroconf", action="store_false",
2785
2849
dest="zeroconf", help="Do not use Zeroconf",
2786
2850
default=None)
2787
2851
2788
2852
options = parser.parse_args()
2789
2853
2790
2854
if options.check:
2791
2855
import doctest
2792
2856
fail_count, test_count = doctest.testmod()
2793
2857
sys.exit(os.EX_OK if fail_count == 0 else 1)
2794
2858
2795
2859
# Default values for config file for server-global settings
2796
server_defaults = { "interface": "",
2797
"address": "",
2798
"port": "",
2799
"debug": "False",
2800
"priority":
2801
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2802
":+SIGN-DSA-SHA256",
2803
"servicename": "Mandos",
2804
"use_dbus": "True",
2805
"use_ipv6": "True",
2806
"debuglevel": "",
2807
"restore": "True",
2808
"socket": "",
2809
"statedir": "/var/lib/mandos",
2810
"foreground": "False",
2811
"zeroconf": "True",
2812
}
2813
2860
server_defaults = {"interface": "",
2861
"address": "",
2862
"port": "",
2863
"debug": "False",
2864
"priority":
2865
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2866
":+SIGN-DSA-SHA256",
2867
"servicename": "Mandos",
2868
"use_dbus": "True",
2869
"use_ipv6": "True",
2870
"debuglevel": "",
2871
"restore": "True",
2872
"socket": "",
2873
"statedir": "/var/lib/mandos",
2874
"foreground": "False",
2875
"zeroconf": "True",
2876
}
2877
2814
2878
# Parse config file for server-global settings
2815
2879
server_config = configparser.SafeConfigParser(server_defaults)
2816
2880
del server_defaults
2834
2898
server_settings["socket"] = os.dup(server_settings
2835
2899
["socket"])
2836
2900
del server_config
2837
2901
2838
2902
# Override the settings from the config file with command line
2839
2903
# options, if set.
2840
2904
for option in ("interface", "address", "port", "debug",
2858
2922
if server_settings["debug"]:
2859
2923
server_settings["foreground"] = True
2860
2924
# Now we have our good server settings in "server_settings"
2861
2925
2862
2926
##################################################################
2863
2927
2864
2928
if (not server_settings["zeroconf"]
2865
2929
and not (server_settings["port"]
2866
2930
or server_settings["socket"] != "")):
2867
2931
parser.error("Needs port or socket to work without Zeroconf")
2868
2932
2869
2933
# For convenience
2870
2934
debug = server_settings["debug"]
2871
2935
debuglevel = server_settings["debuglevel"]
2875
2939
stored_state_file)
2876
2940
foreground = server_settings["foreground"]
2877
2941
zeroconf = server_settings["zeroconf"]
2878
2942
2879
2943
if debug:
2880
2944
initlogger(debug, logging.DEBUG)
2881
2945
else:
2884
2948
else:
2885
2949
level = getattr(logging, debuglevel.upper())
2886
2950
initlogger(debug, level)
2887
2951
2888
2952
if server_settings["servicename"] != "Mandos":
2889
2953
syslogger.setFormatter(
2890
2954
logging.Formatter('Mandos ({}) [%(process)d]:'
2891
2955
' %(levelname)s: %(message)s'.format(
2892
2956
server_settings["servicename"])))
2893
2957
2894
2958
# Parse config file with clients
2895
2959
client_config = configparser.SafeConfigParser(Client
2896
2960
.client_defaults)
2897
2961
client_config.read(os.path.join(server_settings["configdir"],
2898
2962
"clients.conf"))
2899
2963
2900
2964
global mandos_dbus_service
2901
2965
mandos_dbus_service = None
2902
2966
2903
2967
socketfd = None
2904
2968
if server_settings["socket"] != "":
2905
2969
socketfd = server_settings["socket"]
2921
2985
except IOError as e:
2922
2986
logger.error("Could not open file %r", pidfilename,
2923
2987
exc_info=e)
2924
2988
2925
2989
for name, group in (("_mandos", "_mandos"),
2926
2990
("mandos", "mandos"),
2927
2991
("nobody", "nogroup")):
2937
3001
try:
2938
3002
os.setgid(gid)
2939
3003
os.setuid(uid)
3004
if debug:
3005
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3006
gid))
2940
3007
except OSError as error:
3008
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3009
.format(uid, gid, os.strerror(error.errno)))
2941
3010
if error.errno != errno.EPERM:
2942
3011
raise
2943
3012
2944
3013
if debug:
2945
3014
# Enable all possible GnuTLS debugging
2946
3015
2947
3016
# "Use a log level over 10 to enable all debugging options."
2948
3017
# - GnuTLS manual
2949
3018
gnutls.global_set_log_level(11)
2950
3019
2951
3020
@gnutls.log_func
2952
3021
def debug_gnutls(level, string):
2953
3022
logger.debug("GnuTLS: %s", string[:-1])
2954
3023
2955
3024
gnutls.global_set_log_function(debug_gnutls)
2956
3025
2957
3026
# Redirect stdin so all checkers get /dev/null
2958
3027
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2959
3028
os.dup2(null, sys.stdin.fileno())
2960
3029
if null > 2:
2961
3030
os.close(null)
2962
3031
2963
3032
# Need to fork before connecting to D-Bus
2964
3033
if not foreground:
2965
3034
# Close all input and output, do double fork, etc.
2966
3035
daemon()
2967
2968
# multiprocessing will use threads, so before we use gobject we
2969
# need to inform gobject that threads will be used.
2970
gobject.threads_init()
2971
3036
3037
# multiprocessing will use threads, so before we use GLib we need
3038
# to inform GLib that threads will be used.
3039
GLib.threads_init()
3040
2972
3041
global main_loop
2973
3042
# From the Avahi example code
2974
3043
DBusGMainLoop(set_as_default=True)
2975
main_loop = gobject.MainLoop()
3044
main_loop = GLib.MainLoop()
2976
3045
bus = dbus.SystemBus()
2977
3046
# End of Avahi example code
2978
3047
if use_dbus:
2991
3060
if zeroconf:
2992
3061
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2993
3062
service = AvahiServiceToSyslog(
2994
name = server_settings["servicename"],
2995
servicetype = "_mandos._tcp",
2996
protocol = protocol,
2997
bus = bus)
3063
name=server_settings["servicename"],
3064
servicetype="_mandos._tcp",
3065
protocol=protocol,
3066
bus=bus)
2998
3067
if server_settings["interface"]:
2999
3068
service.interface = if_nametoindex(
3000
3069
server_settings["interface"].encode("utf-8"))
3001
3070
3002
3071
global multiprocessing_manager
3003
3072
multiprocessing_manager = multiprocessing.Manager()
3004
3073
3005
3074
client_class = Client
3006
3075
if use_dbus:
3007
client_class = functools.partial(ClientDBus, bus = bus)
3008
3076
client_class = functools.partial(ClientDBus, bus=bus)
3077
3009
3078
client_settings = Client.config_parser(client_config)
3010
3079
old_client_settings = {}
3011
3080
clients_data = {}
3012
3081
3013
3082
# This is used to redirect stdout and stderr for checker processes
3014
3083
global wnull
3015
wnull = open(os.devnull, "w") # A writable /dev/null
3084
wnull = open(os.devnull, "w") # A writable /dev/null
3016
3085
# Only used if server is running in foreground but not in debug
3017
3086
# mode
3018
3087
if debug or not foreground:
3019
3088
wnull.close()
3020
3089
3021
3090
# Get client data and settings from last running state.
3022
3091
if server_settings["restore"]:
3023
3092
try:
3024
3093
with open(stored_state_path, "rb") as stored_state:
3025
clients_data, old_client_settings = pickle.load(
3026
stored_state)
3094
if sys.version_info.major == 2:
3095
clients_data, old_client_settings = pickle.load(
3096
stored_state)
3097
else:
3098
bytes_clients_data, bytes_old_client_settings = (
3099
pickle.load(stored_state, encoding="bytes"))
3100
# Fix bytes to strings
3101
# clients_data
3102
# .keys()
3103
clients_data = {(key.decode("utf-8")
3104
if isinstance(key, bytes)
3105
else key): value
3106
for key, value in
3107
bytes_clients_data.items()}
3108
del bytes_clients_data
3109
for key in clients_data:
3110
value = {(k.decode("utf-8")
3111
if isinstance(k, bytes) else k): v
3112
for k, v in
3113
clients_data[key].items()}
3114
clients_data[key] = value
3115
# .client_structure
3116
value["client_structure"] = [
3117
(s.decode("utf-8")
3118
if isinstance(s, bytes)
3119
else s) for s in
3120
value["client_structure"]]
3121
# .name & .host
3122
for k in ("name", "host"):
3123
if isinstance(value[k], bytes):
3124
value[k] = value[k].decode("utf-8")
3125
# old_client_settings
3126
# .keys()
3127
old_client_settings = {
3128
(key.decode("utf-8")
3129
if isinstance(key, bytes)
3130
else key): value
3131
for key, value in
3132
bytes_old_client_settings.items()}
3133
del bytes_old_client_settings
3134
# .host
3135
for value in old_client_settings.values():
3136
if isinstance(value["host"], bytes):
3137
value["host"] = (value["host"]
3138
.decode("utf-8"))
3027
3139
os.remove(stored_state_path)
3028
3140
except IOError as e:
3029
3141
if e.errno == errno.ENOENT:
3037
3149
logger.warning("Could not load persistent state: "
3038
3150
"EOFError:",
3039
3151
exc_info=e)
3040
3152
3041
3153
with PGPEngine() as pgp:
3042
3154
for client_name, client in clients_data.items():
3043
3155
# Skip removed clients
3044
3156
if client_name not in client_settings:
3045
3157
continue
3046
3158
3047
3159
# Decide which value to use after restoring saved state.
3048
3160
# We have three different values: Old config file,
3049
3161
# new config file, and saved state.
3060
3172
client[name] = value
3061
3173
except KeyError:
3062
3174
pass
3063
3175
3064
3176
# Clients who has passed its expire date can still be
3065
3177
# enabled if its last checker was successful. A Client
3066
3178
# whose checker succeeded before we stored its state is
3099
3211
client_name))
3100
3212
client["secret"] = (client_settings[client_name]
3101
3213
["secret"])
3102
3214
3103
3215
# Add/remove clients based on new changes made to config
3104
3216
for client_name in (set(old_client_settings)
3105
3217
- set(client_settings)):
3107
3219
for client_name in (set(client_settings)
3108
3220
- set(old_client_settings)):
3109
3221
clients_data[client_name] = client_settings[client_name]
3110
3222
3111
3223
# Create all client objects
3112
3224
for client_name, client in clients_data.items():
3113
3225
tcp_server.clients[client_name] = client_class(
3114
name = client_name,
3115
settings = client,
3116
server_settings = server_settings)
3117
3226
name=client_name,
3227
settings=client,
3228
server_settings=server_settings)
3229
3118
3230
if not tcp_server.clients:
3119
3231
logger.warning("No clients defined")
3120
3232
3121
3233
if not foreground:
3122
3234
if pidfile is not None:
3123
3235
pid = os.getpid()
3129
3241
pidfilename, pid)
3130
3242
del pidfile
3131
3243
del pidfilename
3132
3133
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3134
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3135
3244
3245
for termsig in (signal.SIGHUP, signal.SIGTERM):
3246
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3247
lambda: main_loop.quit() and False)
3248
3136
3249
if use_dbus:
3137
3250
3138
3251
@alternate_dbus_interfaces(
3139
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3252
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3140
3253
class MandosDBusService(DBusObjectWithObjectManager):
3141
3254
"""A D-Bus proxy object"""
3142
3255
3143
3256
def __init__(self):
3144
3257
dbus.service.Object.__init__(self, bus, "/")
3145
3258
3146
3259
_interface = "se.recompile.Mandos"
3147
3260
3148
3261
@dbus.service.signal(_interface, signature="o")
3149
3262
def ClientAdded(self, objpath):
3150
3263
"D-Bus signal"
3151
3264
pass
3152
3265
3153
3266
@dbus.service.signal(_interface, signature="ss")
3154
3267
def ClientNotFound(self, fingerprint, address):
3155
3268
"D-Bus signal"
3156
3269
pass
3157
3270
3158
3271
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3159
3272
"true"})
3160
3273
@dbus.service.signal(_interface, signature="os")
3161
3274
def ClientRemoved(self, objpath, name):
3162
3275
"D-Bus signal"
3163
3276
pass
3164
3277
3165
3278
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3166
3279
"true"})
3167
3280
@dbus.service.method(_interface, out_signature="ao")
3168
3281
def GetAllClients(self):
3169
3282
"D-Bus method"
3170
3283
return dbus.Array(c.dbus_object_path for c in
3171
tcp_server.clients.itervalues())
3172
3284
tcp_server.clients.values())
3285
3173
3286
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3174
3287
"true"})
3175
3288
@dbus.service.method(_interface,
3177
3290
def GetAllClientsWithProperties(self):
3178
3291
"D-Bus method"
3179
3292
return dbus.Dictionary(
3180
{ c.dbus_object_path: c.GetAll(
3293
{c.dbus_object_path: c.GetAll(
3181
3294
"se.recompile.Mandos.Client")
3182
for c in tcp_server.clients.itervalues() },
3295
for c in tcp_server.clients.values()},
3183
3296
signature="oa{sv}")
3184
3297
3185
3298
@dbus.service.method(_interface, in_signature="o")
3186
3299
def RemoveClient(self, object_path):
3187
3300
"D-Bus method"
3188
for c in tcp_server.clients.itervalues():
3301
for c in tcp_server.clients.values():
3189
3302
if c.dbus_object_path == object_path:
3190
3303
del tcp_server.clients[c.name]
3191
3304
c.remove_from_connection()
3195
3308
self.client_removed_signal(c)
3196
3309
return
3197
3310
raise KeyError(object_path)
3198
3311
3199
3312
del _interface
3200
3313
3201
3314
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3202
out_signature = "a{oa{sa{sv}}}")
3315
out_signature="a{oa{sa{sv}}}")
3203
3316
def GetManagedObjects(self):
3204
3317
"""D-Bus method"""
3205
3318
return dbus.Dictionary(
3206
{ client.dbus_object_path:
3207
dbus.Dictionary(
3208
{ interface: client.GetAll(interface)
3209
for interface in
3210
client._get_all_interface_names()})
3211
for client in tcp_server.clients.values()})
3212
3319
{client.dbus_object_path:
3320
dbus.Dictionary(
3321
{interface: client.GetAll(interface)
3322
for interface in
3323
client._get_all_interface_names()})
3324
for client in tcp_server.clients.values()})
3325
3213
3326
def client_added_signal(self, client):
3214
3327
"""Send the new standard signal and the old signal"""
3215
3328
if use_dbus:
3217
3330
self.InterfacesAdded(
3218
3331
client.dbus_object_path,
3219
3332
dbus.Dictionary(
3220
{ interface: client.GetAll(interface)
3221
for interface in
3222
client._get_all_interface_names()}))
3333
{interface: client.GetAll(interface)
3334
for interface in
3335
client._get_all_interface_names()}))
3223
3336
# Old signal
3224
3337
self.ClientAdded(client.dbus_object_path)
3225
3338
3226
3339
def client_removed_signal(self, client):
3227
3340
"""Send the new standard signal and the old signal"""
3228
3341
if use_dbus:
3233
3346
# Old signal
3234
3347
self.ClientRemoved(client.dbus_object_path,
3235
3348
client.name)
3236
3349
3237
3350
mandos_dbus_service = MandosDBusService()
3238
3351
3352
# Save modules to variables to exempt the modules from being
3353
# unloaded before the function registered with atexit() is run.
3354
mp = multiprocessing
3355
wn = wnull
3356
3239
3357
def cleanup():
3240
3358
"Cleanup function; run on exit"
3241
3359
if zeroconf:
3242
3360
service.cleanup()
3243
3244
multiprocessing.active_children()
3245
wnull.close()
3361
3362
mp.active_children()
3363
wn.close()
3246
3364
if not (tcp_server.clients or client_settings):
3247
3365
return
3248
3366
3249
3367
# Store client before exiting. Secrets are encrypted with key
3250
3368
# based on what config file has. If config file is
3251
3369
# removed/edited, old secret will thus be unrecovable.
3252
3370
clients = {}
3253
3371
with PGPEngine() as pgp:
3254
for client in tcp_server.clients.itervalues():
3372
for client in tcp_server.clients.values():
3255
3373
key = client_settings[client.name]["secret"]
3256
3374
client.encrypted_secret = pgp.encrypt(client.secret,
3257
3375
key)
3258
3376
client_dict = {}
3259
3377
3260
3378
# A list of attributes that can not be pickled
3261
3379
# + secret.
3262
exclude = { "bus", "changedstate", "secret",
3263
"checker", "server_settings" }
3380
exclude = {"bus", "changedstate", "secret",
3381
"checker", "server_settings"}
3264
3382
for name, typ in inspect.getmembers(dbus.service
3265
3383
.Object):
3266
3384
exclude.add(name)
3267
3385
3268
3386
client_dict["encrypted_secret"] = (client
3269
3387
.encrypted_secret)
3270
3388
for attr in client.client_structure:
3271
3389
if attr not in exclude:
3272
3390
client_dict[attr] = getattr(client, attr)
3273
3391
3274
3392
clients[client.name] = client_dict
3275
3393
del client_settings[client.name]["secret"]
3276
3394
3277
3395
try:
3278
3396
with tempfile.NamedTemporaryFile(
3279
3397
mode='wb',
3281
3399
prefix='clients-',
3282
3400
dir=os.path.dirname(stored_state_path),
3283
3401
delete=False) as stored_state:
3284
pickle.dump((clients, client_settings), stored_state)
3402
pickle.dump((clients, client_settings), stored_state,
3403
protocol=2)
3285
3404
tempname = stored_state.name
3286
3405
os.rename(tempname, stored_state_path)
3287
3406
except (IOError, OSError) as e:
3297
3416
logger.warning("Could not save persistent state:",
3298
3417
exc_info=e)
3299
3418
raise
3300
3419
3301
3420
# Delete all clients, and settings from config
3302
3421
while tcp_server.clients:
3303
3422
name, client = tcp_server.clients.popitem()
3309
3428
if use_dbus:
3310
3429
mandos_dbus_service.client_removed_signal(client)
3311
3430
client_settings.clear()
3312
3431
3313
3432
atexit.register(cleanup)
3314
3315
for client in tcp_server.clients.itervalues():
3433
3434
for client in tcp_server.clients.values():
3316
3435
if use_dbus:
3317
3436
# Emit D-Bus signal for adding
3318
3437
mandos_dbus_service.client_added_signal(client)
3319
3438
# Need to initiate checking of clients
3320
3439
if client.enabled:
3321
3440
client.init_checker()
3322
3441
3323
3442
tcp_server.enable()
3324
3443
tcp_server.server_activate()
3325
3444
3326
3445
# Find out what port we got
3327
3446
if zeroconf:
3328
3447
service.port = tcp_server.socket.getsockname()[1]
3333
3452
else: # IPv4
3334
3453
logger.info("Now listening on address %r, port %d",
3335
3454
*tcp_server.socket.getsockname())
3336
3337
#service.interface = tcp_server.socket.getsockname()[3]
3338
3455
3456
# service.interface = tcp_server.socket.getsockname()[3]
3457
3339
3458
try:
3340
3459
if zeroconf:
3341
3460
# From the Avahi example code
3346
3465
cleanup()
3347
3466
sys.exit(1)
3348
3467
# End of Avahi example code
3349
3350
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3351
lambda *args, **kwargs:
3352
(tcp_server.handle_request
3353
(*args[2:], **kwargs) or True))
3354
3468
3469
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3470
lambda *args, **kwargs:
3471
(tcp_server.handle_request
3472
(*args[2:], **kwargs) or True))
3473
3355
3474
logger.debug("Starting main loop")
3356
3475
main_loop.run()
3357
3476
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0