To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.471
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.471
- Committer: Teddy Hogeborn
- Date: 2018-02-08 10:23:55 UTC
- mto: (237.7.594 trunk)
- mto: This revision was merged to the branch mainline in revision 362.
- Revision ID: teddy@recompile.se-20180208102355-3ent7sf87i9h9kka
Update copyright year to 2018
* DBUS-API: Update copyright year to 2018.
* debian/copyright: - '' -
* initramfs-unpack: - '' -
* intro.xml: - '' -
* mandos: - '' -
* mandos-clients.conf.xml: - '' -
* mandos-ctl: - '' -
* mandos-ctl.xml: - '' -
* mandos-keygen: - '' -
* mandos-keygen.xml: - '' -
* mandos-monitor: - '' -
* mandos-monitor.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* network-hooks.d/bridge: - '' -
* network-hooks.d/openvpn: - '' -
* network-hooks.d/wireless: - '' -
* plugin-helpers/mandos-client-iprouteadddel.c: - '' -
* plugin-runner.c: - '' -
* plugin-runner.xml: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/askpass-fifo.xml: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/mandos-client.xml: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/password-prompt.xml: - '' -
* plugins.d/plymouth.c: - '' -
* plugins.d/plymouth.xml: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/splashy.xml: - '' -
* plugins.d/usplash.c: - '' -
* plugins.d/usplash.xml: - '' -
* DBUS-API: Update copyright year to 2018.
* debian/copyright: - '' -
* initramfs-unpack: - '' -
* intro.xml: - '' -
* mandos: - '' -
* mandos-clients.conf.xml: - '' -
* mandos-ctl: - '' -
* mandos-ctl.xml: - '' -
* mandos-keygen: - '' -
* mandos-keygen.xml: - '' -
* mandos-monitor: - '' -
* mandos-monitor.xml: - '' -
* mandos.conf.xml: - '' -
* mandos.xml: - '' -
* network-hooks.d/bridge: - '' -
* network-hooks.d/openvpn: - '' -
* network-hooks.d/wireless: - '' -
* plugin-helpers/mandos-client-iprouteadddel.c: - '' -
* plugin-runner.c: - '' -
* plugin-runner.xml: - '' -
* plugins.d/askpass-fifo.c: - '' -
* plugins.d/askpass-fifo.xml: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/mandos-client.xml: - '' -
* plugins.d/password-prompt.c: - '' -
* plugins.d/password-prompt.xml: - '' -
* plugins.d/plymouth.c: - '' -
* plugins.d/plymouth.xml: - '' -
* plugins.d/splashy.c: - '' -
* plugins.d/splashy.xml: - '' -
* plugins.d/usplash.c: - '' -
* plugins.d/usplash.xml: - '' -
- files modified:
- DBUS-API
added
removed
mandos
1
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
86
87
import xml.dom.minidom
87
88
import inspect
88
89
90
# Try to find the value of SO_BINDTODEVICE:
89
91
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
90
94
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
91
95
except AttributeError:
92
96
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
93
99
from IN import SO_BINDTODEVICE
94
100
except ImportError:
95
SO_BINDTODEVICE = None
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
96
114
97
115
if sys.version_info.major == 2:
98
116
str = unicode
99
117
100
version = "1.7.7"
118
version = "1.7.16"
101
119
stored_state_file = "clients.pickle"
102
120
103
121
logger = logging.getLogger()
107
125
if_nametoindex = ctypes.cdll.LoadLibrary(
108
126
ctypes.util.find_library("c")).if_nametoindex
109
127
except (OSError, AttributeError):
110
128
111
129
def if_nametoindex(interface):
112
130
"Get an interface index the hard way, i.e. using fcntl()"
113
131
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
154
137
155
def initlogger(debug, level=logging.WARNING):
138
156
"""init logger and add loglevel"""
139
157
140
158
global syslogger
141
159
syslogger = (logging.handlers.SysLogHandler(
142
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
143
address = "/dev/log"))
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
144
162
syslogger.setFormatter(logging.Formatter
145
163
('Mandos [%(process)d]: %(levelname)s:'
146
164
' %(message)s'))
147
165
logger.addHandler(syslogger)
148
166
149
167
if debug:
150
168
console = logging.StreamHandler()
151
169
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
163
181
164
182
class PGPEngine(object):
165
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
166
184
167
185
def __init__(self):
168
186
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
169
187
self.gpg = "gpg"
184
202
# Only GPG version 1 has the --no-use-agent option.
185
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
186
204
self.gnupgargs.append("--no-use-agent")
187
205
188
206
def __enter__(self):
189
207
return self
190
208
191
209
def __exit__(self, exc_type, exc_value, traceback):
192
210
self._cleanup()
193
211
return False
194
212
195
213
def __del__(self):
196
214
self._cleanup()
197
215
198
216
def _cleanup(self):
199
217
if self.tempdir is not None:
200
218
# Delete contents of tempdir
201
219
for root, dirs, files in os.walk(self.tempdir,
202
topdown = False):
220
topdown=False):
203
221
for filename in files:
204
222
os.remove(os.path.join(root, filename))
205
223
for dirname in dirs:
207
225
# Remove tempdir
208
226
os.rmdir(self.tempdir)
209
227
self.tempdir = None
210
228
211
229
def password_encode(self, password):
212
230
# Passphrase can not be empty and can not contain newlines or
213
231
# NUL bytes. So we prefix it and hex encode it.
218
236
.replace(b"\n", b"\\n")
219
237
.replace(b"\0", b"\\x00"))
220
238
return encoded
221
239
222
240
def encrypt(self, data, password):
223
241
passphrase = self.password_encode(password)
224
242
with tempfile.NamedTemporaryFile(
229
247
'--passphrase-file',
230
248
passfile.name]
231
249
+ self.gnupgargs,
232
stdin = subprocess.PIPE,
233
stdout = subprocess.PIPE,
234
stderr = subprocess.PIPE)
235
ciphertext, err = proc.communicate(input = data)
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
236
254
if proc.returncode != 0:
237
255
raise PGPError(err)
238
256
return ciphertext
239
257
240
258
def decrypt(self, data, password):
241
259
passphrase = self.password_encode(password)
242
260
with tempfile.NamedTemporaryFile(
243
dir = self.tempdir) as passfile:
261
dir=self.tempdir) as passfile:
244
262
passfile.write(passphrase)
245
263
passfile.flush()
246
264
proc = subprocess.Popen([self.gpg, '--decrypt',
247
265
'--passphrase-file',
248
266
passfile.name]
249
267
+ self.gnupgargs,
250
stdin = subprocess.PIPE,
251
stdout = subprocess.PIPE,
252
stderr = subprocess.PIPE)
253
decrypted_plaintext, err = proc.communicate(input = data)
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
254
272
if proc.returncode != 0:
255
273
raise PGPError(err)
256
274
return decrypted_plaintext
257
275
276
258
277
# Pretend that we have an Avahi module
259
278
class Avahi(object):
260
279
"""This isn't so much a class as it is a module-like namespace.
261
280
It is instantiated once, and simulates having an Avahi module."""
262
IF_UNSPEC = -1 # avahi-common/address.h
263
PROTO_UNSPEC = -1 # avahi-common/address.h
264
PROTO_INET = 0 # avahi-common/address.h
265
PROTO_INET6 = 1 # avahi-common/address.h
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
266
285
DBUS_NAME = "org.freedesktop.Avahi"
267
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
268
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
269
288
DBUS_PATH_SERVER = "/"
289
270
290
def string_array_to_txt_array(self, t):
271
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
272
292
for s in t), signature="ay")
273
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
274
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
275
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
276
SERVER_INVALID = 0 # avahi-common/defs.h
277
SERVER_REGISTERING = 1 # avahi-common/defs.h
278
SERVER_RUNNING = 2 # avahi-common/defs.h
279
SERVER_COLLISION = 3 # avahi-common/defs.h
280
SERVER_FAILURE = 4 # avahi-common/defs.h
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
281
301
avahi = Avahi()
282
302
303
283
304
class AvahiError(Exception):
284
305
def __init__(self, value, *args, **kwargs):
285
306
self.value = value
297
318
298
319
class AvahiService(object):
299
320
"""An Avahi (Zeroconf) service.
300
321
301
322
Attributes:
302
323
interface: integer; avahi.IF_UNSPEC or an interface index.
303
324
Used to optionally bind to the specified interface.
315
336
server: D-Bus Server
316
337
bus: dbus.SystemBus()
317
338
"""
318
339
319
340
def __init__(self,
320
interface = avahi.IF_UNSPEC,
321
name = None,
322
servicetype = None,
323
port = None,
324
TXT = None,
325
domain = "",
326
host = "",
327
max_renames = 32768,
328
protocol = avahi.PROTO_UNSPEC,
329
bus = None):
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
330
351
self.interface = interface
331
352
self.name = name
332
353
self.type = servicetype
341
362
self.server = None
342
363
self.bus = bus
343
364
self.entry_group_state_changed_match = None
344
365
345
366
def rename(self, remove=True):
346
367
"""Derived from the Avahi example code"""
347
368
if self.rename_count >= self.max_renames:
367
388
logger.critical("D-Bus Exception", exc_info=error)
368
389
self.cleanup()
369
390
os._exit(1)
370
391
371
392
def remove(self):
372
393
"""Derived from the Avahi example code"""
373
394
if self.entry_group_state_changed_match is not None:
375
396
self.entry_group_state_changed_match = None
376
397
if self.group is not None:
377
398
self.group.Reset()
378
399
379
400
def add(self):
380
401
"""Derived from the Avahi example code"""
381
402
self.remove()
398
419
dbus.UInt16(self.port),
399
420
avahi.string_array_to_txt_array(self.TXT))
400
421
self.group.Commit()
401
422
402
423
def entry_group_state_changed(self, state, error):
403
424
"""Derived from the Avahi example code"""
404
425
logger.debug("Avahi entry group state change: %i", state)
405
426
406
427
if state == avahi.ENTRY_GROUP_ESTABLISHED:
407
428
logger.debug("Zeroconf service established.")
408
429
elif state == avahi.ENTRY_GROUP_COLLISION:
412
433
logger.critical("Avahi: Error in group state changed %s",
413
434
str(error))
414
435
raise AvahiGroupError("State changed: {!s}".format(error))
415
436
416
437
def cleanup(self):
417
438
"""Derived from the Avahi example code"""
418
439
if self.group is not None:
423
444
pass
424
445
self.group = None
425
446
self.remove()
426
447
427
448
def server_state_changed(self, state, error=None):
428
449
"""Derived from the Avahi example code"""
429
450
logger.debug("Avahi server state change: %i", state)
458
479
logger.debug("Unknown state: %r", state)
459
480
else:
460
481
logger.debug("Unknown state: %r: %r", state, error)
461
482
462
483
def activate(self):
463
484
"""Derived from the Avahi example code"""
464
485
if self.server is None:
475
496
class AvahiServiceToSyslog(AvahiService):
476
497
def rename(self, *args, **kwargs):
477
498
"""Add the new name to the syslog messages"""
478
ret = AvahiService.rename(self, *args, **kwargs)
499
ret = super(AvahiServiceToSyslog, self).rename(self, *args,
500
**kwargs)
479
501
syslogger.setFormatter(logging.Formatter(
480
502
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
481
503
.format(self.name)))
482
504
return ret
483
505
506
484
507
# Pretend that we have a GnuTLS module
485
508
class GnuTLS(object):
486
509
"""This isn't so much a class as it is a module-like namespace.
487
510
It is instantiated once, and simulates having a GnuTLS module."""
488
489
_library = ctypes.cdll.LoadLibrary(
490
ctypes.util.find_library("gnutls"))
511
512
library = ctypes.util.find_library("gnutls")
513
if library is None:
514
library = ctypes.util.find_library("gnutls-deb0")
515
_library = ctypes.cdll.LoadLibrary(library)
516
del library
491
517
_need_version = b"3.3.0"
518
492
519
def __init__(self):
493
# Need to use class name "GnuTLS" here, since this method is
494
# called before the assignment to the "gnutls" global variable
495
# happens.
496
if GnuTLS.check_version(self._need_version) is None:
497
raise GnuTLS.Error("Needs GnuTLS {} or later"
498
.format(self._need_version))
499
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
525
500
526
# Unless otherwise indicated, the constants and types below are
501
527
# all from the gnutls/gnutls.h C header file.
502
528
503
529
# Constants
504
530
E_SUCCESS = 0
505
531
E_INTERRUPTED = -52
510
536
CRD_CERTIFICATE = 1
511
537
E_NO_CERTIFICATE_FOUND = -49
512
538
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
513
539
514
540
# Types
515
541
class session_int(ctypes.Structure):
516
542
_fields_ = []
517
543
session_t = ctypes.POINTER(session_int)
544
518
545
class certificate_credentials_st(ctypes.Structure):
519
546
_fields_ = []
520
547
certificate_credentials_t = ctypes.POINTER(
521
548
certificate_credentials_st)
522
549
certificate_type_t = ctypes.c_int
550
523
551
class datum_t(ctypes.Structure):
524
552
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
525
553
('size', ctypes.c_uint)]
554
526
555
class openpgp_crt_int(ctypes.Structure):
527
556
_fields_ = []
528
557
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
529
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
530
559
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
531
560
credentials_type_t = ctypes.c_int
532
561
transport_ptr_t = ctypes.c_void_p
533
562
close_request_t = ctypes.c_int
534
563
535
564
# Exceptions
536
565
class Error(Exception):
537
566
# We need to use the class name "GnuTLS" here, since this
538
567
# exception might be raised from within GnuTLS.__init__,
539
568
# which is called before the assignment to the "gnutls"
540
569
# global variable has happened.
541
def __init__(self, message = None, code = None, args=()):
570
def __init__(self, message=None, code=None, args=()):
542
571
# Default usage is by a message string, but if a return
543
572
# code is passed, convert it to a string with
544
573
# gnutls.strerror()
547
576
message = GnuTLS.strerror(code)
548
577
return super(GnuTLS.Error, self).__init__(
549
578
message, *args)
550
579
551
580
class CertificateSecurityError(Error):
552
581
pass
553
582
554
583
# Classes
555
584
class Credentials(object):
556
585
def __init__(self):
558
587
gnutls.certificate_allocate_credentials(
559
588
ctypes.byref(self._c_object))
560
589
self.type = gnutls.CRD_CERTIFICATE
561
590
562
591
def __del__(self):
563
592
gnutls.certificate_free_credentials(self._c_object)
564
593
565
594
class ClientSession(object):
566
def __init__(self, socket, credentials = None):
595
def __init__(self, socket, credentials=None):
567
596
self._c_object = gnutls.session_t()
568
597
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
569
598
gnutls.set_default_priority(self._c_object)
577
606
ctypes.cast(credentials._c_object,
578
607
ctypes.c_void_p))
579
608
self.credentials = credentials
580
609
581
610
def __del__(self):
582
611
gnutls.deinit(self._c_object)
583
612
584
613
def handshake(self):
585
614
return gnutls.handshake(self._c_object)
586
615
587
616
def send(self, data):
588
617
data = bytes(data)
589
618
data_len = len(data)
591
620
data_len -= gnutls.record_send(self._c_object,
592
621
data[-data_len:],
593
622
data_len)
594
623
595
624
def bye(self):
596
625
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
597
626
598
627
# Error handling functions
599
628
def _error_code(result):
600
629
"""A function to raise exceptions on errors, suitable
602
631
if result >= 0:
603
632
return result
604
633
if result == gnutls.E_NO_CERTIFICATE_FOUND:
605
raise gnutls.CertificateSecurityError(code = result)
606
raise gnutls.Error(code = result)
607
634
raise gnutls.CertificateSecurityError(code=result)
635
raise gnutls.Error(code=result)
636
608
637
def _retry_on_error(result, func, arguments):
609
638
"""A function to retry on some errors, suitable
610
639
for the 'errcheck' attribute on ctypes functions"""
613
642
return _error_code(result)
614
643
result = func(*arguments)
615
644
return result
616
645
617
646
# Unless otherwise indicated, the function declarations below are
618
647
# all from the gnutls/gnutls.h C header file.
619
648
620
649
# Functions
621
650
priority_set_direct = _library.gnutls_priority_set_direct
622
651
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
623
652
ctypes.POINTER(ctypes.c_char_p)]
624
653
priority_set_direct.restype = _error_code
625
654
626
655
init = _library.gnutls_init
627
656
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
628
657
init.restype = _error_code
629
658
630
659
set_default_priority = _library.gnutls_set_default_priority
631
660
set_default_priority.argtypes = [session_t]
632
661
set_default_priority.restype = _error_code
633
662
634
663
record_send = _library.gnutls_record_send
635
664
record_send.argtypes = [session_t, ctypes.c_void_p,
636
665
ctypes.c_size_t]
637
666
record_send.restype = ctypes.c_ssize_t
638
667
record_send.errcheck = _retry_on_error
639
668
640
669
certificate_allocate_credentials = (
641
670
_library.gnutls_certificate_allocate_credentials)
642
671
certificate_allocate_credentials.argtypes = [
643
672
ctypes.POINTER(certificate_credentials_t)]
644
673
certificate_allocate_credentials.restype = _error_code
645
674
646
675
certificate_free_credentials = (
647
676
_library.gnutls_certificate_free_credentials)
648
certificate_free_credentials.argtypes = [certificate_credentials_t]
677
certificate_free_credentials.argtypes = [
678
certificate_credentials_t]
649
679
certificate_free_credentials.restype = None
650
680
651
681
handshake_set_private_extensions = (
652
682
_library.gnutls_handshake_set_private_extensions)
653
683
handshake_set_private_extensions.argtypes = [session_t,
654
684
ctypes.c_int]
655
685
handshake_set_private_extensions.restype = None
656
686
657
687
credentials_set = _library.gnutls_credentials_set
658
688
credentials_set.argtypes = [session_t, credentials_type_t,
659
689
ctypes.c_void_p]
660
690
credentials_set.restype = _error_code
661
691
662
692
strerror = _library.gnutls_strerror
663
693
strerror.argtypes = [ctypes.c_int]
664
694
strerror.restype = ctypes.c_char_p
665
695
666
696
certificate_type_get = _library.gnutls_certificate_type_get
667
697
certificate_type_get.argtypes = [session_t]
668
698
certificate_type_get.restype = _error_code
669
699
670
700
certificate_get_peers = _library.gnutls_certificate_get_peers
671
701
certificate_get_peers.argtypes = [session_t,
672
702
ctypes.POINTER(ctypes.c_uint)]
673
703
certificate_get_peers.restype = ctypes.POINTER(datum_t)
674
704
675
705
global_set_log_level = _library.gnutls_global_set_log_level
676
706
global_set_log_level.argtypes = [ctypes.c_int]
677
707
global_set_log_level.restype = None
678
708
679
709
global_set_log_function = _library.gnutls_global_set_log_function
680
710
global_set_log_function.argtypes = [log_func]
681
711
global_set_log_function.restype = None
682
712
683
713
deinit = _library.gnutls_deinit
684
714
deinit.argtypes = [session_t]
685
715
deinit.restype = None
686
716
687
717
handshake = _library.gnutls_handshake
688
718
handshake.argtypes = [session_t]
689
719
handshake.restype = _error_code
690
720
handshake.errcheck = _retry_on_error
691
721
692
722
transport_set_ptr = _library.gnutls_transport_set_ptr
693
723
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
694
724
transport_set_ptr.restype = None
695
725
696
726
bye = _library.gnutls_bye
697
727
bye.argtypes = [session_t, close_request_t]
698
728
bye.restype = _error_code
699
729
bye.errcheck = _retry_on_error
700
730
701
731
check_version = _library.gnutls_check_version
702
732
check_version.argtypes = [ctypes.c_char_p]
703
733
check_version.restype = ctypes.c_char_p
704
734
705
735
# All the function declarations below are from gnutls/openpgp.h
706
736
707
737
openpgp_crt_init = _library.gnutls_openpgp_crt_init
708
738
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
709
739
openpgp_crt_init.restype = _error_code
710
740
711
741
openpgp_crt_import = _library.gnutls_openpgp_crt_import
712
742
openpgp_crt_import.argtypes = [openpgp_crt_t,
713
743
ctypes.POINTER(datum_t),
714
744
openpgp_crt_fmt_t]
715
745
openpgp_crt_import.restype = _error_code
716
746
717
747
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
718
748
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
719
749
ctypes.POINTER(ctypes.c_uint)]
720
750
openpgp_crt_verify_self.restype = _error_code
721
751
722
752
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
723
753
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
724
754
openpgp_crt_deinit.restype = None
725
755
726
756
openpgp_crt_get_fingerprint = (
727
757
_library.gnutls_openpgp_crt_get_fingerprint)
728
758
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
730
760
ctypes.POINTER(
731
761
ctypes.c_size_t)]
732
762
openpgp_crt_get_fingerprint.restype = _error_code
733
763
734
764
# Remove non-public functions
735
765
del _error_code, _retry_on_error
736
766
# Create the global "gnutls" object, simulating a module
737
767
gnutls = GnuTLS()
738
768
769
739
770
def call_pipe(connection, # : multiprocessing.Connection
740
771
func, *args, **kwargs):
741
772
"""This function is meant to be called by multiprocessing.Process
742
773
743
774
This function runs func(*args, **kwargs), and writes the resulting
744
775
return value on the provided multiprocessing.Connection.
745
776
"""
746
777
connection.send(func(*args, **kwargs))
747
778
connection.close()
748
779
780
749
781
class Client(object):
750
782
"""A representation of a client host served by this server.
751
783
752
784
Attributes:
753
785
approved: bool(); 'None' if not yet approved/disapproved
754
786
approval_delay: datetime.timedelta(); Time to wait for approval
791
823
disabled, or None
792
824
server_settings: The server_settings dict from main()
793
825
"""
794
826
795
827
runtime_expansions = ("approval_delay", "approval_duration",
796
828
"created", "enabled", "expires",
797
829
"fingerprint", "host", "interval",
808
840
"approved_by_default": "True",
809
841
"enabled": "True",
810
842
}
811
843
812
844
@staticmethod
813
845
def config_parser(config):
814
846
"""Construct a new dict of client settings of this form:
821
853
for client_name in config.sections():
822
854
section = dict(config.items(client_name))
823
855
client = settings[client_name] = {}
824
856
825
857
client["host"] = section["host"]
826
858
# Reformat values from string types to Python types
827
859
client["approved_by_default"] = config.getboolean(
828
860
client_name, "approved_by_default")
829
861
client["enabled"] = config.getboolean(client_name,
830
862
"enabled")
831
863
832
864
# Uppercase and remove spaces from fingerprint for later
833
865
# comparison purposes with return value from the
834
866
# fingerprint() function
858
890
client["last_approval_request"] = None
859
891
client["last_checked_ok"] = None
860
892
client["last_checker_status"] = -2
861
893
862
894
return settings
863
864
def __init__(self, settings, name = None, server_settings=None):
895
896
def __init__(self, settings, name=None, server_settings=None):
865
897
self.name = name
866
898
if server_settings is None:
867
899
server_settings = {}
869
901
# adding all client settings
870
902
for setting, value in settings.items():
871
903
setattr(self, setting, value)
872
904
873
905
if self.enabled:
874
906
if not hasattr(self, "last_enabled"):
875
907
self.last_enabled = datetime.datetime.utcnow()
879
911
else:
880
912
self.last_enabled = None
881
913
self.expires = None
882
914
883
915
logger.debug("Creating client %r", self.name)
884
916
logger.debug(" Fingerprint: %s", self.fingerprint)
885
917
self.created = settings.get("created",
886
918
datetime.datetime.utcnow())
887
919
888
920
# attributes specific for this server instance
889
921
self.checker = None
890
922
self.checker_initiator_tag = None
899
931
for attr in self.__dict__.keys()
900
932
if not attr.startswith("_")]
901
933
self.client_structure.append("client_structure")
902
934
903
935
for name, t in inspect.getmembers(
904
936
type(self), lambda obj: isinstance(obj, property)):
905
937
if not name.startswith("_"):
906
938
self.client_structure.append(name)
907
939
908
940
# Send notice to process children that client state has changed
909
941
def send_changedstate(self):
910
942
with self.changedstate:
911
943
self.changedstate.notify_all()
912
944
913
945
def enable(self):
914
946
"""Start this client's checker and timeout hooks"""
915
947
if getattr(self, "enabled", False):
920
952
self.last_enabled = datetime.datetime.utcnow()
921
953
self.init_checker()
922
954
self.send_changedstate()
923
955
924
956
def disable(self, quiet=True):
925
957
"""Disable this client."""
926
958
if not getattr(self, "enabled", False):
940
972
self.send_changedstate()
941
973
# Do not run this again if called by a GLib.timeout_add
942
974
return False
943
975
944
976
def __del__(self):
945
977
self.disable()
946
978
947
979
def init_checker(self):
948
980
# Schedule a new checker to be started an 'interval' from now,
949
981
# and every interval from then on.
959
991
int(self.timeout.total_seconds() * 1000), self.disable)
960
992
# Also start a new checker *right now*.
961
993
self.start_checker()
962
994
963
995
def checker_callback(self, source, condition, connection,
964
996
command):
965
997
"""The checker has completed, so take appropriate actions."""
968
1000
# Read return code from connection (see call_pipe)
969
1001
returncode = connection.recv()
970
1002
connection.close()
971
1003
972
1004
if returncode >= 0:
973
1005
self.last_checker_status = returncode
974
1006
self.last_checker_signal = None
984
1016
logger.warning("Checker for %(name)s crashed?",
985
1017
vars(self))
986
1018
return False
987
1019
988
1020
def checked_ok(self):
989
1021
"""Assert that the client has been seen, alive and well."""
990
1022
self.last_checked_ok = datetime.datetime.utcnow()
991
1023
self.last_checker_status = 0
992
1024
self.last_checker_signal = None
993
1025
self.bump_timeout()
994
1026
995
1027
def bump_timeout(self, timeout=None):
996
1028
"""Bump up the timeout for this client."""
997
1029
if timeout is None:
1003
1035
self.disable_initiator_tag = GLib.timeout_add(
1004
1036
int(timeout.total_seconds() * 1000), self.disable)
1005
1037
self.expires = datetime.datetime.utcnow() + timeout
1006
1038
1007
1039
def need_approval(self):
1008
1040
self.last_approval_request = datetime.datetime.utcnow()
1009
1041
1010
1042
def start_checker(self):
1011
1043
"""Start a new checker subprocess if one is not running.
1012
1044
1013
1045
If a checker already exists, leave it running and do
1014
1046
nothing."""
1015
1047
# The reason for not killing a running checker is that if we
1020
1052
# checkers alone, the checker would have to take more time
1021
1053
# than 'timeout' for the client to be disabled, which is as it
1022
1054
# should be.
1023
1055
1024
1056
if self.checker is not None and not self.checker.is_alive():
1025
1057
logger.warning("Checker was not alive; joining")
1026
1058
self.checker.join()
1030
1062
# Escape attributes for the shell
1031
1063
escaped_attrs = {
1032
1064
attr: re.escape(str(getattr(self, attr)))
1033
for attr in self.runtime_expansions }
1065
for attr in self.runtime_expansions}
1034
1066
try:
1035
1067
command = self.checker_command % escaped_attrs
1036
1068
except TypeError as error:
1048
1080
# The exception is when not debugging but nevertheless
1049
1081
# running in the foreground; use the previously
1050
1082
# created wnull.
1051
popen_args = { "close_fds": True,
1052
"shell": True,
1053
"cwd": "/" }
1083
popen_args = {"close_fds": True,
1084
"shell": True,
1085
"cwd": "/"}
1054
1086
if (not self.server_settings["debug"]
1055
1087
and self.server_settings["foreground"]):
1056
1088
popen_args.update({"stdout": wnull,
1057
"stderr": wnull })
1058
pipe = multiprocessing.Pipe(duplex = False)
1089
"stderr": wnull})
1090
pipe = multiprocessing.Pipe(duplex=False)
1059
1091
self.checker = multiprocessing.Process(
1060
target = call_pipe,
1061
args = (pipe[1], subprocess.call, command),
1062
kwargs = popen_args)
1092
target=call_pipe,
1093
args=(pipe[1], subprocess.call, command),
1094
kwargs=popen_args)
1063
1095
self.checker.start()
1064
1096
self.checker_callback_tag = GLib.io_add_watch(
1065
1097
pipe[0].fileno(), GLib.IO_IN,
1066
1098
self.checker_callback, pipe[0], command)
1067
1099
# Re-run this periodically if run by GLib.timeout_add
1068
1100
return True
1069
1101
1070
1102
def stop_checker(self):
1071
1103
"""Force the checker process, if any, to stop."""
1072
1104
if self.checker_callback_tag:
1085
1117
byte_arrays=False):
1086
1118
"""Decorators for marking methods of a DBusObjectWithProperties to
1087
1119
become properties on the D-Bus.
1088
1120
1089
1121
The decorated method will be called with no arguments by "Get"
1090
1122
and with one argument by "Set".
1091
1123
1092
1124
The parameters, where they are supported, are the same as
1093
1125
dbus.service.method, except there is only "signature", since the
1094
1126
type from Get() and the type sent to Set() is the same.
1098
1130
if byte_arrays and signature != "ay":
1099
1131
raise ValueError("Byte arrays not supported for non-'ay'"
1100
1132
" signature {!r}".format(signature))
1101
1133
1102
1134
def decorator(func):
1103
1135
func._dbus_is_property = True
1104
1136
func._dbus_interface = dbus_interface
1107
1139
func._dbus_name = func.__name__
1108
1140
if func._dbus_name.endswith("_dbus_property"):
1109
1141
func._dbus_name = func._dbus_name[:-14]
1110
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1142
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1111
1143
return func
1112
1144
1113
1145
return decorator
1114
1146
1115
1147
1116
1148
def dbus_interface_annotations(dbus_interface):
1117
1149
"""Decorator for marking functions returning interface annotations
1118
1150
1119
1151
Usage:
1120
1152
1121
1153
@dbus_interface_annotations("org.example.Interface")
1122
1154
def _foo(self): # Function name does not matter
1123
1155
return {"org.freedesktop.DBus.Deprecated": "true",
1124
1156
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1125
1157
"false"}
1126
1158
"""
1127
1159
1128
1160
def decorator(func):
1129
1161
func._dbus_is_interface = True
1130
1162
func._dbus_interface = dbus_interface
1131
1163
func._dbus_name = dbus_interface
1132
1164
return func
1133
1165
1134
1166
return decorator
1135
1167
1136
1168
1137
1169
def dbus_annotations(annotations):
1138
1170
"""Decorator to annotate D-Bus methods, signals or properties
1139
1171
Usage:
1140
1172
1141
1173
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1142
1174
"org.freedesktop.DBus.Property."
1143
1175
"EmitsChangedSignal": "false"})
1145
1177
access="r")
1146
1178
def Property_dbus_property(self):
1147
1179
return dbus.Boolean(False)
1148
1180
1149
1181
See also the DBusObjectWithAnnotations class.
1150
1182
"""
1151
1183
1152
1184
def decorator(func):
1153
1185
func._dbus_annotations = annotations
1154
1186
return func
1155
1187
1156
1188
return decorator
1157
1189
1158
1190
1176
1208
1177
1209
class DBusObjectWithAnnotations(dbus.service.Object):
1178
1210
"""A D-Bus object with annotations.
1179
1211
1180
1212
Classes inheriting from this can use the dbus_annotations
1181
1213
decorator to add annotations to methods or signals.
1182
1214
"""
1183
1215
1184
1216
@staticmethod
1185
1217
def _is_dbus_thing(thing):
1186
1218
"""Returns a function testing if an attribute is a D-Bus thing
1187
1219
1188
1220
If called like _is_dbus_thing("method") it returns a function
1189
1221
suitable for use as predicate to inspect.getmembers().
1190
1222
"""
1191
1223
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1192
1224
False)
1193
1225
1194
1226
def _get_all_dbus_things(self, thing):
1195
1227
"""Returns a generator of (name, attribute) pairs
1196
1228
"""
1199
1231
for cls in self.__class__.__mro__
1200
1232
for name, athing in
1201
1233
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1202
1234
1203
1235
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1204
out_signature = "s",
1205
path_keyword = 'object_path',
1206
connection_keyword = 'connection')
1236
out_signature="s",
1237
path_keyword='object_path',
1238
connection_keyword='connection')
1207
1239
def Introspect(self, object_path, connection):
1208
1240
"""Overloading of standard D-Bus method.
1209
1241
1210
1242
Inserts annotation tags on methods and signals.
1211
1243
"""
1212
1244
xmlstring = dbus.service.Object.Introspect(self, object_path,
1213
1245
connection)
1214
1246
try:
1215
1247
document = xml.dom.minidom.parseString(xmlstring)
1216
1248
1217
1249
for if_tag in document.getElementsByTagName("interface"):
1218
1250
# Add annotation tags
1219
1251
for typ in ("method", "signal"):
1246
1278
if_tag.appendChild(ann_tag)
1247
1279
# Fix argument name for the Introspect method itself
1248
1280
if (if_tag.getAttribute("name")
1249
== dbus.INTROSPECTABLE_IFACE):
1281
== dbus.INTROSPECTABLE_IFACE):
1250
1282
for cn in if_tag.getElementsByTagName("method"):
1251
1283
if cn.getAttribute("name") == "Introspect":
1252
1284
for arg in cn.getElementsByTagName("arg"):
1265
1297
1266
1298
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1267
1299
"""A D-Bus object with properties.
1268
1300
1269
1301
Classes inheriting from this can use the dbus_service_property
1270
1302
decorator to expose methods as D-Bus properties. It exposes the
1271
1303
standard Get(), Set(), and GetAll() methods on the D-Bus.
1272
1304
"""
1273
1305
1274
1306
def _get_dbus_property(self, interface_name, property_name):
1275
1307
"""Returns a bound method if one exists which is a D-Bus
1276
1308
property with the specified name and interface.
1281
1313
if (value._dbus_name == property_name
1282
1314
and value._dbus_interface == interface_name):
1283
1315
return value.__get__(self)
1284
1316
1285
1317
# No such property
1286
1318
raise DBusPropertyNotFound("{}:{}.{}".format(
1287
1319
self.dbus_object_path, interface_name, property_name))
1288
1320
1289
1321
@classmethod
1290
1322
def _get_all_interface_names(cls):
1291
1323
"""Get a sequence of all interfaces supported by an object"""
1294
1326
for x in (inspect.getmro(cls))
1295
1327
for attr in dir(x))
1296
1328
if name is not None)
1297
1329
1298
1330
@dbus.service.method(dbus.PROPERTIES_IFACE,
1299
1331
in_signature="ss",
1300
1332
out_signature="v")
1308
1340
if not hasattr(value, "variant_level"):
1309
1341
return value
1310
1342
return type(value)(value, variant_level=value.variant_level+1)
1311
1343
1312
1344
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1313
1345
def Set(self, interface_name, property_name, value):
1314
1346
"""Standard D-Bus property Set() method, see D-Bus standard.
1326
1358
value = dbus.ByteArray(b''.join(chr(byte)
1327
1359
for byte in value))
1328
1360
prop(value)
1329
1361
1330
1362
@dbus.service.method(dbus.PROPERTIES_IFACE,
1331
1363
in_signature="s",
1332
1364
out_signature="a{sv}")
1333
1365
def GetAll(self, interface_name):
1334
1366
"""Standard D-Bus property GetAll() method, see D-Bus
1335
1367
standard.
1336
1368
1337
1369
Note: Will not include properties with access="write".
1338
1370
"""
1339
1371
properties = {}
1350
1382
properties[name] = value
1351
1383
continue
1352
1384
properties[name] = type(value)(
1353
value, variant_level = value.variant_level + 1)
1385
value, variant_level=value.variant_level + 1)
1354
1386
return dbus.Dictionary(properties, signature="sv")
1355
1387
1356
1388
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1357
1389
def PropertiesChanged(self, interface_name, changed_properties,
1358
1390
invalidated_properties):
1360
1392
standard.
1361
1393
"""
1362
1394
pass
1363
1395
1364
1396
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1365
1397
out_signature="s",
1366
1398
path_keyword='object_path',
1367
1399
connection_keyword='connection')
1368
1400
def Introspect(self, object_path, connection):
1369
1401
"""Overloading of standard D-Bus method.
1370
1402
1371
1403
Inserts property tags and interface annotation tags.
1372
1404
"""
1373
1405
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1375
1407
connection)
1376
1408
try:
1377
1409
document = xml.dom.minidom.parseString(xmlstring)
1378
1410
1379
1411
def make_tag(document, name, prop):
1380
1412
e = document.createElement("property")
1381
1413
e.setAttribute("name", name)
1382
1414
e.setAttribute("type", prop._dbus_signature)
1383
1415
e.setAttribute("access", prop._dbus_access)
1384
1416
return e
1385
1417
1386
1418
for if_tag in document.getElementsByTagName("interface"):
1387
1419
# Add property tags
1388
1420
for tag in (make_tag(document, name, prop)
1430
1462
exc_info=error)
1431
1463
return xmlstring
1432
1464
1465
1433
1466
try:
1434
1467
dbus.OBJECT_MANAGER_IFACE
1435
1468
except AttributeError:
1436
1469
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1437
1470
1471
1438
1472
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1439
1473
"""A D-Bus object with an ObjectManager.
1440
1474
1441
1475
Classes inheriting from this exposes the standard
1442
1476
GetManagedObjects call and the InterfacesAdded and
1443
1477
InterfacesRemoved signals on the standard
1444
1478
"org.freedesktop.DBus.ObjectManager" interface.
1445
1479
1446
1480
Note: No signals are sent automatically; they must be sent
1447
1481
manually.
1448
1482
"""
1449
1483
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1450
out_signature = "a{oa{sa{sv}}}")
1484
out_signature="a{oa{sa{sv}}}")
1451
1485
def GetManagedObjects(self):
1452
1486
"""This function must be overridden"""
1453
1487
raise NotImplementedError()
1454
1488
1455
1489
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1456
signature = "oa{sa{sv}}")
1490
signature="oa{sa{sv}}")
1457
1491
def InterfacesAdded(self, object_path, interfaces_and_properties):
1458
1492
pass
1459
1460
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1493
1494
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1461
1495
def InterfacesRemoved(self, object_path, interfaces):
1462
1496
pass
1463
1497
1464
1498
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1465
out_signature = "s",
1466
path_keyword = 'object_path',
1467
connection_keyword = 'connection')
1499
out_signature="s",
1500
path_keyword='object_path',
1501
connection_keyword='connection')
1468
1502
def Introspect(self, object_path, connection):
1469
1503
"""Overloading of standard D-Bus method.
1470
1504
1471
1505
Override return argument name of GetManagedObjects to be
1472
1506
"objpath_interfaces_and_properties"
1473
1507
"""
1476
1510
connection)
1477
1511
try:
1478
1512
document = xml.dom.minidom.parseString(xmlstring)
1479
1513
1480
1514
for if_tag in document.getElementsByTagName("interface"):
1481
1515
# Fix argument name for the GetManagedObjects method
1482
1516
if (if_tag.getAttribute("name")
1483
== dbus.OBJECT_MANAGER_IFACE):
1517
== dbus.OBJECT_MANAGER_IFACE):
1484
1518
for cn in if_tag.getElementsByTagName("method"):
1485
1519
if (cn.getAttribute("name")
1486
1520
== "GetManagedObjects"):
1496
1530
except (AttributeError, xml.dom.DOMException,
1497
1531
xml.parsers.expat.ExpatError) as error:
1498
1532
logger.error("Failed to override Introspection method",
1499
exc_info = error)
1533
exc_info=error)
1500
1534
return xmlstring
1501
1535
1536
1502
1537
def datetime_to_dbus(dt, variant_level=0):
1503
1538
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1504
1539
if dt is None:
1505
return dbus.String("", variant_level = variant_level)
1540
return dbus.String("", variant_level=variant_level)
1506
1541
return dbus.String(dt.isoformat(), variant_level=variant_level)
1507
1542
1508
1543
1511
1546
dbus.service.Object, it will add alternate D-Bus attributes with
1512
1547
interface names according to the "alt_interface_names" mapping.
1513
1548
Usage:
1514
1549
1515
1550
@alternate_dbus_interfaces({"org.example.Interface":
1516
1551
"net.example.AlternateInterface"})
1517
1552
class SampleDBusObject(dbus.service.Object):
1518
1553
@dbus.service.method("org.example.Interface")
1519
1554
def SampleDBusMethod():
1520
1555
pass
1521
1556
1522
1557
The above "SampleDBusMethod" on "SampleDBusObject" will be
1523
1558
reachable via two interfaces: "org.example.Interface" and
1524
1559
"net.example.AlternateInterface", the latter of which will have
1525
1560
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1526
1561
"true", unless "deprecate" is passed with a False value.
1527
1562
1528
1563
This works for methods and signals, and also for D-Bus properties
1529
1564
(from DBusObjectWithProperties) and interfaces (from the
1530
1565
dbus_interface_annotations decorator).
1531
1566
"""
1532
1567
1533
1568
def wrapper(cls):
1534
1569
for orig_interface_name, alt_interface_name in (
1535
1570
alt_interface_names.items()):
1575
1610
attribute._dbus_annotations)
1576
1611
except AttributeError:
1577
1612
pass
1613
1578
1614
# Define a creator of a function to call both the
1579
1615
# original and alternate functions, so both the
1580
1616
# original and alternate signals gets sent when
1583
1619
"""This function is a scope container to pass
1584
1620
func1 and func2 to the "call_both" function
1585
1621
outside of its arguments"""
1586
1622
1587
1623
@functools.wraps(func2)
1588
1624
def call_both(*args, **kwargs):
1589
1625
"""This function will emit two D-Bus
1590
1626
signals by calling func1 and func2"""
1591
1627
func1(*args, **kwargs)
1592
1628
func2(*args, **kwargs)
1593
# Make wrapper function look like a D-Bus signal
1629
# Make wrapper function look like a D-Bus
1630
# signal
1594
1631
for name, attr in inspect.getmembers(func2):
1595
1632
if name.startswith("_dbus_"):
1596
1633
setattr(call_both, name, attr)
1597
1634
1598
1635
return call_both
1599
1636
# Create the "call_both" function and add it to
1600
1637
# the class
1646
1683
(copy_function(attribute)))
1647
1684
if deprecate:
1648
1685
# Deprecate all alternate interfaces
1649
iname="_AlternateDBusNames_interface_annotation{}"
1686
iname = "_AlternateDBusNames_interface_annotation{}"
1650
1687
for interface_name in interface_names:
1651
1688
1652
1689
@dbus_interface_annotations(interface_name)
1653
1690
def func(self):
1654
return { "org.freedesktop.DBus.Deprecated":
1655
"true" }
1691
return {"org.freedesktop.DBus.Deprecated":
1692
"true"}
1656
1693
# Find an unused name
1657
1694
for aname in (iname.format(i)
1658
1695
for i in itertools.count()):
1669
1706
cls = type("{}Alternate".format(cls.__name__),
1670
1707
(cls, ), attr)
1671
1708
return cls
1672
1709
1673
1710
return wrapper
1674
1711
1675
1712
1677
1714
"se.bsnet.fukt.Mandos"})
1678
1715
class ClientDBus(Client, DBusObjectWithProperties):
1679
1716
"""A Client class using D-Bus
1680
1717
1681
1718
Attributes:
1682
1719
dbus_object_path: dbus.ObjectPath
1683
1720
bus: dbus.SystemBus()
1684
1721
"""
1685
1722
1686
1723
runtime_expansions = (Client.runtime_expansions
1687
1724
+ ("dbus_object_path", ))
1688
1725
1689
1726
_interface = "se.recompile.Mandos.Client"
1690
1727
1691
1728
# dbus.service.Object doesn't use super(), so we can't either.
1692
1693
def __init__(self, bus = None, *args, **kwargs):
1729
1730
def __init__(self, bus=None, *args, **kwargs):
1694
1731
self.bus = bus
1695
1732
Client.__init__(self, *args, **kwargs)
1696
1733
# Only now, when this client is initialized, can it show up on
1702
1739
"/clients/" + client_object_name)
1703
1740
DBusObjectWithProperties.__init__(self, self.bus,
1704
1741
self.dbus_object_path)
1705
1742
1706
1743
def notifychangeproperty(transform_func, dbus_name,
1707
1744
type_func=lambda x: x,
1708
1745
variant_level=1,
1710
1747
_interface=_interface):
1711
1748
""" Modify a variable so that it's a property which announces
1712
1749
its changes to DBus.
1713
1750
1714
1751
transform_fun: Function that takes a value and a variant_level
1715
1752
and transforms it to a D-Bus type.
1716
1753
dbus_name: D-Bus name of the variable
1719
1756
variant_level: D-Bus variant level. Default: 1
1720
1757
"""
1721
1758
attrname = "_{}".format(dbus_name)
1722
1759
1723
1760
def setter(self, value):
1724
1761
if hasattr(self, "dbus_object_path"):
1725
1762
if (not hasattr(self, attrname) or
1732
1769
else:
1733
1770
dbus_value = transform_func(
1734
1771
type_func(value),
1735
variant_level = variant_level)
1772
variant_level=variant_level)
1736
1773
self.PropertyChanged(dbus.String(dbus_name),
1737
1774
dbus_value)
1738
1775
self.PropertiesChanged(
1739
1776
_interface,
1740
dbus.Dictionary({ dbus.String(dbus_name):
1741
dbus_value }),
1777
dbus.Dictionary({dbus.String(dbus_name):
1778
dbus_value}),
1742
1779
dbus.Array())
1743
1780
setattr(self, attrname, value)
1744
1781
1745
1782
return property(lambda self: getattr(self, attrname), setter)
1746
1783
1747
1784
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1748
1785
approvals_pending = notifychangeproperty(dbus.Boolean,
1749
1786
"ApprovalPending",
1750
type_func = bool)
1787
type_func=bool)
1751
1788
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1752
1789
last_enabled = notifychangeproperty(datetime_to_dbus,
1753
1790
"LastEnabled")
1754
1791
checker = notifychangeproperty(
1755
1792
dbus.Boolean, "CheckerRunning",
1756
type_func = lambda checker: checker is not None)
1793
type_func=lambda checker: checker is not None)
1757
1794
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1758
1795
"LastCheckedOK")
1759
1796
last_checker_status = notifychangeproperty(dbus.Int16,
1764
1801
"ApprovedByDefault")
1765
1802
approval_delay = notifychangeproperty(
1766
1803
dbus.UInt64, "ApprovalDelay",
1767
type_func = lambda td: td.total_seconds() * 1000)
1804
type_func=lambda td: td.total_seconds() * 1000)
1768
1805
approval_duration = notifychangeproperty(
1769
1806
dbus.UInt64, "ApprovalDuration",
1770
type_func = lambda td: td.total_seconds() * 1000)
1807
type_func=lambda td: td.total_seconds() * 1000)
1771
1808
host = notifychangeproperty(dbus.String, "Host")
1772
1809
timeout = notifychangeproperty(
1773
1810
dbus.UInt64, "Timeout",
1774
type_func = lambda td: td.total_seconds() * 1000)
1811
type_func=lambda td: td.total_seconds() * 1000)
1775
1812
extended_timeout = notifychangeproperty(
1776
1813
dbus.UInt64, "ExtendedTimeout",
1777
type_func = lambda td: td.total_seconds() * 1000)
1814
type_func=lambda td: td.total_seconds() * 1000)
1778
1815
interval = notifychangeproperty(
1779
1816
dbus.UInt64, "Interval",
1780
type_func = lambda td: td.total_seconds() * 1000)
1817
type_func=lambda td: td.total_seconds() * 1000)
1781
1818
checker_command = notifychangeproperty(dbus.String, "Checker")
1782
1819
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1783
1820
invalidate_only=True)
1784
1821
1785
1822
del notifychangeproperty
1786
1823
1787
1824
def __del__(self, *args, **kwargs):
1788
1825
try:
1789
1826
self.remove_from_connection()
1792
1829
if hasattr(DBusObjectWithProperties, "__del__"):
1793
1830
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1794
1831
Client.__del__(self, *args, **kwargs)
1795
1832
1796
1833
def checker_callback(self, source, condition,
1797
1834
connection, command, *args, **kwargs):
1798
1835
ret = Client.checker_callback(self, source, condition,
1814
1851
| self.last_checker_signal),
1815
1852
dbus.String(command))
1816
1853
return ret
1817
1854
1818
1855
def start_checker(self, *args, **kwargs):
1819
1856
old_checker_pid = getattr(self.checker, "pid", None)
1820
1857
r = Client.start_checker(self, *args, **kwargs)
1824
1861
# Emit D-Bus signal
1825
1862
self.CheckerStarted(self.current_checker_command)
1826
1863
return r
1827
1864
1828
1865
def _reset_approved(self):
1829
1866
self.approved = None
1830
1867
return False
1831
1868
1832
1869
def approve(self, value=True):
1833
1870
self.approved = value
1834
1871
GLib.timeout_add(int(self.approval_duration.total_seconds()
1835
1872
* 1000), self._reset_approved)
1836
1873
self.send_changedstate()
1837
1838
## D-Bus methods, signals & properties
1839
1840
## Interfaces
1841
1842
## Signals
1843
1874
1875
# D-Bus methods, signals & properties
1876
1877
# Interfaces
1878
1879
# Signals
1880
1844
1881
# CheckerCompleted - signal
1845
1882
@dbus.service.signal(_interface, signature="nxs")
1846
1883
def CheckerCompleted(self, exitcode, waitstatus, command):
1847
1884
"D-Bus signal"
1848
1885
pass
1849
1886
1850
1887
# CheckerStarted - signal
1851
1888
@dbus.service.signal(_interface, signature="s")
1852
1889
def CheckerStarted(self, command):
1853
1890
"D-Bus signal"
1854
1891
pass
1855
1892
1856
1893
# PropertyChanged - signal
1857
1894
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1858
1895
@dbus.service.signal(_interface, signature="sv")
1859
1896
def PropertyChanged(self, property, value):
1860
1897
"D-Bus signal"
1861
1898
pass
1862
1899
1863
1900
# GotSecret - signal
1864
1901
@dbus.service.signal(_interface)
1865
1902
def GotSecret(self):
1868
1905
server to mandos-client
1869
1906
"""
1870
1907
pass
1871
1908
1872
1909
# Rejected - signal
1873
1910
@dbus.service.signal(_interface, signature="s")
1874
1911
def Rejected(self, reason):
1875
1912
"D-Bus signal"
1876
1913
pass
1877
1914
1878
1915
# NeedApproval - signal
1879
1916
@dbus.service.signal(_interface, signature="tb")
1880
1917
def NeedApproval(self, timeout, default):
1881
1918
"D-Bus signal"
1882
1919
return self.need_approval()
1883
1884
## Methods
1885
1920
1921
# Methods
1922
1886
1923
# Approve - method
1887
1924
@dbus.service.method(_interface, in_signature="b")
1888
1925
def Approve(self, value):
1889
1926
self.approve(value)
1890
1927
1891
1928
# CheckedOK - method
1892
1929
@dbus.service.method(_interface)
1893
1930
def CheckedOK(self):
1894
1931
self.checked_ok()
1895
1932
1896
1933
# Enable - method
1897
1934
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1898
1935
@dbus.service.method(_interface)
1899
1936
def Enable(self):
1900
1937
"D-Bus method"
1901
1938
self.enable()
1902
1939
1903
1940
# StartChecker - method
1904
1941
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1905
1942
@dbus.service.method(_interface)
1906
1943
def StartChecker(self):
1907
1944
"D-Bus method"
1908
1945
self.start_checker()
1909
1946
1910
1947
# Disable - method
1911
1948
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1912
1949
@dbus.service.method(_interface)
1913
1950
def Disable(self):
1914
1951
"D-Bus method"
1915
1952
self.disable()
1916
1953
1917
1954
# StopChecker - method
1918
1955
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1919
1956
@dbus.service.method(_interface)
1920
1957
def StopChecker(self):
1921
1958
self.stop_checker()
1922
1923
## Properties
1924
1959
1960
# Properties
1961
1925
1962
# ApprovalPending - property
1926
1963
@dbus_service_property(_interface, signature="b", access="read")
1927
1964
def ApprovalPending_dbus_property(self):
1928
1965
return dbus.Boolean(bool(self.approvals_pending))
1929
1966
1930
1967
# ApprovedByDefault - property
1931
1968
@dbus_service_property(_interface,
1932
1969
signature="b",
1935
1972
if value is None: # get
1936
1973
return dbus.Boolean(self.approved_by_default)
1937
1974
self.approved_by_default = bool(value)
1938
1975
1939
1976
# ApprovalDelay - property
1940
1977
@dbus_service_property(_interface,
1941
1978
signature="t",
1945
1982
return dbus.UInt64(self.approval_delay.total_seconds()
1946
1983
* 1000)
1947
1984
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1948
1985
1949
1986
# ApprovalDuration - property
1950
1987
@dbus_service_property(_interface,
1951
1988
signature="t",
1955
1992
return dbus.UInt64(self.approval_duration.total_seconds()
1956
1993
* 1000)
1957
1994
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1958
1995
1959
1996
# Name - property
1960
1997
@dbus_annotations(
1961
1998
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1962
1999
@dbus_service_property(_interface, signature="s", access="read")
1963
2000
def Name_dbus_property(self):
1964
2001
return dbus.String(self.name)
1965
2002
1966
2003
# Fingerprint - property
1967
2004
@dbus_annotations(
1968
2005
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1969
2006
@dbus_service_property(_interface, signature="s", access="read")
1970
2007
def Fingerprint_dbus_property(self):
1971
2008
return dbus.String(self.fingerprint)
1972
2009
1973
2010
# Host - property
1974
2011
@dbus_service_property(_interface,
1975
2012
signature="s",
1978
2015
if value is None: # get
1979
2016
return dbus.String(self.host)
1980
2017
self.host = str(value)
1981
2018
1982
2019
# Created - property
1983
2020
@dbus_annotations(
1984
2021
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1985
2022
@dbus_service_property(_interface, signature="s", access="read")
1986
2023
def Created_dbus_property(self):
1987
2024
return datetime_to_dbus(self.created)
1988
2025
1989
2026
# LastEnabled - property
1990
2027
@dbus_service_property(_interface, signature="s", access="read")
1991
2028
def LastEnabled_dbus_property(self):
1992
2029
return datetime_to_dbus(self.last_enabled)
1993
2030
1994
2031
# Enabled - property
1995
2032
@dbus_service_property(_interface,
1996
2033
signature="b",
2002
2039
self.enable()
2003
2040
else:
2004
2041
self.disable()
2005
2042
2006
2043
# LastCheckedOK - property
2007
2044
@dbus_service_property(_interface,
2008
2045
signature="s",
2012
2049
self.checked_ok()
2013
2050
return
2014
2051
return datetime_to_dbus(self.last_checked_ok)
2015
2052
2016
2053
# LastCheckerStatus - property
2017
2054
@dbus_service_property(_interface, signature="n", access="read")
2018
2055
def LastCheckerStatus_dbus_property(self):
2019
2056
return dbus.Int16(self.last_checker_status)
2020
2057
2021
2058
# Expires - property
2022
2059
@dbus_service_property(_interface, signature="s", access="read")
2023
2060
def Expires_dbus_property(self):
2024
2061
return datetime_to_dbus(self.expires)
2025
2062
2026
2063
# LastApprovalRequest - property
2027
2064
@dbus_service_property(_interface, signature="s", access="read")
2028
2065
def LastApprovalRequest_dbus_property(self):
2029
2066
return datetime_to_dbus(self.last_approval_request)
2030
2067
2031
2068
# Timeout - property
2032
2069
@dbus_service_property(_interface,
2033
2070
signature="t",
2052
2089
self.disable_initiator_tag = GLib.timeout_add(
2053
2090
int((self.expires - now).total_seconds() * 1000),
2054
2091
self.disable)
2055
2092
2056
2093
# ExtendedTimeout - property
2057
2094
@dbus_service_property(_interface,
2058
2095
signature="t",
2062
2099
return dbus.UInt64(self.extended_timeout.total_seconds()
2063
2100
* 1000)
2064
2101
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2065
2102
2066
2103
# Interval - property
2067
2104
@dbus_service_property(_interface,
2068
2105
signature="t",
2078
2115
GLib.source_remove(self.checker_initiator_tag)
2079
2116
self.checker_initiator_tag = GLib.timeout_add(
2080
2117
value, self.start_checker)
2081
self.start_checker() # Start one now, too
2082
2118
self.start_checker() # Start one now, too
2119
2083
2120
# Checker - property
2084
2121
@dbus_service_property(_interface,
2085
2122
signature="s",
2088
2125
if value is None: # get
2089
2126
return dbus.String(self.checker_command)
2090
2127
self.checker_command = str(value)
2091
2128
2092
2129
# CheckerRunning - property
2093
2130
@dbus_service_property(_interface,
2094
2131
signature="b",
2100
2137
self.start_checker()
2101
2138
else:
2102
2139
self.stop_checker()
2103
2140
2104
2141
# ObjectPath - property
2105
2142
@dbus_annotations(
2106
2143
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2107
2144
"org.freedesktop.DBus.Deprecated": "true"})
2108
2145
@dbus_service_property(_interface, signature="o", access="read")
2109
2146
def ObjectPath_dbus_property(self):
2110
return self.dbus_object_path # is already a dbus.ObjectPath
2111
2147
return self.dbus_object_path # is already a dbus.ObjectPath
2148
2112
2149
# Secret = property
2113
2150
@dbus_annotations(
2114
2151
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2119
2156
byte_arrays=True)
2120
2157
def Secret_dbus_property(self, value):
2121
2158
self.secret = bytes(value)
2122
2159
2123
2160
del _interface
2124
2161
2125
2162
2129
2166
self._pipe.send(('init', fpr, address))
2130
2167
if not self._pipe.recv():
2131
2168
raise KeyError(fpr)
2132
2169
2133
2170
def __getattribute__(self, name):
2134
2171
if name == '_pipe':
2135
2172
return super(ProxyClient, self).__getattribute__(name)
2138
2175
if data[0] == 'data':
2139
2176
return data[1]
2140
2177
if data[0] == 'function':
2141
2178
2142
2179
def func(*args, **kwargs):
2143
2180
self._pipe.send(('funcall', name, args, kwargs))
2144
2181
return self._pipe.recv()[1]
2145
2182
2146
2183
return func
2147
2184
2148
2185
def __setattr__(self, name, value):
2149
2186
if name == '_pipe':
2150
2187
return super(ProxyClient, self).__setattr__(name, value)
2153
2190
2154
2191
class ClientHandler(socketserver.BaseRequestHandler, object):
2155
2192
"""A class to handle client connections.
2156
2193
2157
2194
Instantiated once for each connection to handle it.
2158
2195
Note: This will run in its own forked process."""
2159
2196
2160
2197
def handle(self):
2161
2198
with contextlib.closing(self.server.child_pipe) as child_pipe:
2162
2199
logger.info("TCP connection from: %s",
2163
2200
str(self.client_address))
2164
2201
logger.debug("Pipe FD: %d",
2165
2202
self.server.child_pipe.fileno())
2166
2203
2167
2204
session = gnutls.ClientSession(self.request)
2168
2169
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2170
# "+AES-256-CBC", "+SHA1",
2171
# "+COMP-NULL", "+CTYPE-OPENPGP",
2172
# "+DHE-DSS"))
2205
2206
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2207
# "+AES-256-CBC", "+SHA1",
2208
# "+COMP-NULL", "+CTYPE-OPENPGP",
2209
# "+DHE-DSS"))
2173
2210
# Use a fallback default, since this MUST be set.
2174
2211
priority = self.server.gnutls_priority
2175
2212
if priority is None:
2177
2214
gnutls.priority_set_direct(session._c_object,
2178
2215
priority.encode("utf-8"),
2179
2216
None)
2180
2217
2181
2218
# Start communication using the Mandos protocol
2182
2219
# Get protocol number
2183
2220
line = self.request.makefile().readline()
2188
2225
except (ValueError, IndexError, RuntimeError) as error:
2189
2226
logger.error("Unknown protocol version: %s", error)
2190
2227
return
2191
2228
2192
2229
# Start GnuTLS connection
2193
2230
try:
2194
2231
session.handshake()
2198
2235
# established. Just abandon the request.
2199
2236
return
2200
2237
logger.debug("Handshake succeeded")
2201
2238
2202
2239
approval_required = False
2203
2240
try:
2204
2241
try:
2208
2245
logger.warning("Bad certificate: %s", error)
2209
2246
return
2210
2247
logger.debug("Fingerprint: %s", fpr)
2211
2248
2212
2249
try:
2213
2250
client = ProxyClient(child_pipe, fpr,
2214
2251
self.client_address)
2215
2252
except KeyError:
2216
2253
return
2217
2254
2218
2255
if client.approval_delay:
2219
2256
delay = client.approval_delay
2220
2257
client.approvals_pending += 1
2221
2258
approval_required = True
2222
2259
2223
2260
while True:
2224
2261
if not client.enabled:
2225
2262
logger.info("Client %s is disabled",
2228
2265
# Emit D-Bus signal
2229
2266
client.Rejected("Disabled")
2230
2267
return
2231
2268
2232
2269
if client.approved or not client.approval_delay:
2233
#We are approved or approval is disabled
2270
# We are approved or approval is disabled
2234
2271
break
2235
2272
elif client.approved is None:
2236
2273
logger.info("Client %s needs approval",
2247
2284
# Emit D-Bus signal
2248
2285
client.Rejected("Denied")
2249
2286
return
2250
2251
#wait until timeout or approved
2287
2288
# wait until timeout or approved
2252
2289
time = datetime.datetime.now()
2253
2290
client.changedstate.acquire()
2254
2291
client.changedstate.wait(delay.total_seconds())
2267
2304
break
2268
2305
else:
2269
2306
delay -= time2 - time
2270
2307
2271
2308
try:
2272
2309
session.send(client.secret)
2273
2310
except gnutls.Error as error:
2274
2311
logger.warning("gnutls send failed",
2275
exc_info = error)
2312
exc_info=error)
2276
2313
return
2277
2314
2278
2315
logger.info("Sending secret to %s", client.name)
2279
2316
# bump the timeout using extended_timeout
2280
2317
client.bump_timeout(client.extended_timeout)
2281
2318
if self.server.use_dbus:
2282
2319
# Emit D-Bus signal
2283
2320
client.GotSecret()
2284
2321
2285
2322
finally:
2286
2323
if approval_required:
2287
2324
client.approvals_pending -= 1
2290
2327
except gnutls.Error as error:
2291
2328
logger.warning("GnuTLS bye failed",
2292
2329
exc_info=error)
2293
2330
2294
2331
@staticmethod
2295
2332
def peer_certificate(session):
2296
2333
"Return the peer's OpenPGP certificate as a bytestring"
2308
2345
return None
2309
2346
cert = cert_list[0]
2310
2347
return ctypes.string_at(cert.data, cert.size)
2311
2348
2312
2349
@staticmethod
2313
2350
def fingerprint(openpgp):
2314
2351
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2347
2384
2348
2385
class MultiprocessingMixIn(object):
2349
2386
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2350
2387
2351
2388
def sub_process_main(self, request, address):
2352
2389
try:
2353
2390
self.finish_request(request, address)
2354
2391
except Exception:
2355
2392
self.handle_error(request, address)
2356
2393
self.close_request(request)
2357
2394
2358
2395
def process_request(self, request, address):
2359
2396
"""Start a new process to process the request."""
2360
proc = multiprocessing.Process(target = self.sub_process_main,
2361
args = (request, address))
2397
proc = multiprocessing.Process(target=self.sub_process_main,
2398
args=(request, address))
2362
2399
proc.start()
2363
2400
return proc
2364
2401
2365
2402
2366
2403
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2367
2404
""" adds a pipe to the MixIn """
2368
2405
2369
2406
def process_request(self, request, client_address):
2370
2407
"""Overrides and wraps the original process_request().
2371
2408
2372
2409
This function creates a new pipe in self.pipe
2373
2410
"""
2374
2411
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2375
2412
2376
2413
proc = MultiprocessingMixIn.process_request(self, request,
2377
2414
client_address)
2378
2415
self.child_pipe.close()
2379
2416
self.add_pipe(parent_pipe, proc)
2380
2417
2381
2418
def add_pipe(self, parent_pipe, proc):
2382
2419
"""Dummy function; override as necessary"""
2383
2420
raise NotImplementedError()
2386
2423
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2387
2424
socketserver.TCPServer, object):
2388
2425
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2389
2426
2390
2427
Attributes:
2391
2428
enabled: Boolean; whether this server is activated yet
2392
2429
interface: None or a network interface name (string)
2393
2430
use_ipv6: Boolean; to use IPv6 or not
2394
2431
"""
2395
2432
2396
2433
def __init__(self, server_address, RequestHandlerClass,
2397
2434
interface=None,
2398
2435
use_ipv6=True,
2408
2445
self.socketfd = socketfd
2409
2446
# Save the original socket.socket() function
2410
2447
self.socket_socket = socket.socket
2448
2411
2449
# To implement --socket, we monkey patch socket.socket.
2412
#
2450
#
2413
2451
# (When socketserver.TCPServer is a new-style class, we
2414
2452
# could make self.socket into a property instead of monkey
2415
2453
# patching socket.socket.)
2416
#
2454
#
2417
2455
# Create a one-time-only replacement for socket.socket()
2418
2456
@functools.wraps(socket.socket)
2419
2457
def socket_wrapper(*args, **kwargs):
2431
2469
# socket_wrapper(), if socketfd was set.
2432
2470
socketserver.TCPServer.__init__(self, server_address,
2433
2471
RequestHandlerClass)
2434
2472
2435
2473
def server_bind(self):
2436
2474
"""This overrides the normal server_bind() function
2437
2475
to bind to an interface if one was specified, and also NOT to
2438
2476
bind to an address or port if they were not specified."""
2477
global SO_BINDTODEVICE
2439
2478
if self.interface is not None:
2440
2479
if SO_BINDTODEVICE is None:
2441
logger.error("SO_BINDTODEVICE does not exist;"
2442
" cannot bind to interface %s",
2443
self.interface)
2444
else:
2445
try:
2446
self.socket.setsockopt(
2447
socket.SOL_SOCKET, SO_BINDTODEVICE,
2448
(self.interface + "\0").encode("utf-8"))
2449
except socket.error as error:
2450
if error.errno == errno.EPERM:
2451
logger.error("No permission to bind to"
2452
" interface %s", self.interface)
2453
elif error.errno == errno.ENOPROTOOPT:
2454
logger.error("SO_BINDTODEVICE not available;"
2455
" cannot bind to interface %s",
2456
self.interface)
2457
elif error.errno == errno.ENODEV:
2458
logger.error("Interface %s does not exist,"
2459
" cannot bind", self.interface)
2460
else:
2461
raise
2480
# Fall back to a hard-coded value which seems to be
2481
# common enough.
2482
logger.warning("SO_BINDTODEVICE not found, trying 25")
2483
SO_BINDTODEVICE = 25
2484
try:
2485
self.socket.setsockopt(
2486
socket.SOL_SOCKET, SO_BINDTODEVICE,
2487
(self.interface + "\0").encode("utf-8"))
2488
except socket.error as error:
2489
if error.errno == errno.EPERM:
2490
logger.error("No permission to bind to"
2491
" interface %s", self.interface)
2492
elif error.errno == errno.ENOPROTOOPT:
2493
logger.error("SO_BINDTODEVICE not available;"
2494
" cannot bind to interface %s",
2495
self.interface)
2496
elif error.errno == errno.ENODEV:
2497
logger.error("Interface %s does not exist,"
2498
" cannot bind", self.interface)
2499
else:
2500
raise
2462
2501
# Only bind(2) the socket if we really need to.
2463
2502
if self.server_address[0] or self.server_address[1]:
2464
2503
if not self.server_address[0]:
2465
2504
if self.address_family == socket.AF_INET6:
2466
any_address = "::" # in6addr_any
2505
any_address = "::" # in6addr_any
2467
2506
else:
2468
any_address = "0.0.0.0" # INADDR_ANY
2507
any_address = "0.0.0.0" # INADDR_ANY
2469
2508
self.server_address = (any_address,
2470
2509
self.server_address[1])
2471
2510
elif not self.server_address[1]:
2481
2520
2482
2521
class MandosServer(IPv6_TCPServer):
2483
2522
"""Mandos server.
2484
2523
2485
2524
Attributes:
2486
2525
clients: set of Client objects
2487
2526
gnutls_priority GnuTLS priority string
2488
2527
use_dbus: Boolean; to emit D-Bus signals or not
2489
2528
2490
2529
Assumes a GLib.MainLoop event loop.
2491
2530
"""
2492
2531
2493
2532
def __init__(self, server_address, RequestHandlerClass,
2494
2533
interface=None,
2495
2534
use_ipv6=True,
2505
2544
self.gnutls_priority = gnutls_priority
2506
2545
IPv6_TCPServer.__init__(self, server_address,
2507
2546
RequestHandlerClass,
2508
interface = interface,
2509
use_ipv6 = use_ipv6,
2510
socketfd = socketfd)
2511
2547
interface=interface,
2548
use_ipv6=use_ipv6,
2549
socketfd=socketfd)
2550
2512
2551
def server_activate(self):
2513
2552
if self.enabled:
2514
2553
return socketserver.TCPServer.server_activate(self)
2515
2554
2516
2555
def enable(self):
2517
2556
self.enabled = True
2518
2557
2519
2558
def add_pipe(self, parent_pipe, proc):
2520
2559
# Call "handle_ipc" for both data and EOF events
2521
2560
GLib.io_add_watch(
2522
2561
parent_pipe.fileno(),
2523
2562
GLib.IO_IN | GLib.IO_HUP,
2524
2563
functools.partial(self.handle_ipc,
2525
parent_pipe = parent_pipe,
2526
proc = proc))
2527
2564
parent_pipe=parent_pipe,
2565
proc=proc))
2566
2528
2567
def handle_ipc(self, source, condition,
2529
2568
parent_pipe=None,
2530
proc = None,
2569
proc=None,
2531
2570
client_object=None):
2532
2571
# error, or the other end of multiprocessing.Pipe has closed
2533
2572
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2534
2573
# Wait for other process to exit
2535
2574
proc.join()
2536
2575
return False
2537
2576
2538
2577
# Read a request from the child
2539
2578
request = parent_pipe.recv()
2540
2579
command = request[0]
2541
2580
2542
2581
if command == 'init':
2543
fpr = request[1]
2582
fpr = request[1].decode("ascii")
2544
2583
address = request[2]
2545
2584
2546
2585
for c in self.clients.values():
2547
2586
if c.fingerprint == fpr:
2548
2587
client = c
2556
2595
address[0])
2557
2596
parent_pipe.send(False)
2558
2597
return False
2559
2598
2560
2599
GLib.io_add_watch(
2561
2600
parent_pipe.fileno(),
2562
2601
GLib.IO_IN | GLib.IO_HUP,
2563
2602
functools.partial(self.handle_ipc,
2564
parent_pipe = parent_pipe,
2565
proc = proc,
2566
client_object = client))
2603
parent_pipe=parent_pipe,
2604
proc=proc,
2605
client_object=client))
2567
2606
parent_pipe.send(True)
2568
2607
# remove the old hook in favor of the new above hook on
2569
2608
# same fileno
2572
2611
funcname = request[1]
2573
2612
args = request[2]
2574
2613
kwargs = request[3]
2575
2614
2576
2615
parent_pipe.send(('data', getattr(client_object,
2577
2616
funcname)(*args,
2578
2617
**kwargs)))
2579
2618
2580
2619
if command == 'getattr':
2581
2620
attrname = request[1]
2582
2621
if isinstance(client_object.__getattribute__(attrname),
2585
2624
else:
2586
2625
parent_pipe.send((
2587
2626
'data', client_object.__getattribute__(attrname)))
2588
2627
2589
2628
if command == 'setattr':
2590
2629
attrname = request[1]
2591
2630
value = request[2]
2592
2631
setattr(client_object, attrname, value)
2593
2632
2594
2633
return True
2595
2634
2596
2635
2597
2636
def rfc3339_duration_to_delta(duration):
2598
2637
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2599
2638
2600
2639
>>> rfc3339_duration_to_delta("P7D")
2601
2640
datetime.timedelta(7)
2602
2641
>>> rfc3339_duration_to_delta("PT60S")
2612
2651
>>> rfc3339_duration_to_delta("P1DT3M20S")
2613
2652
datetime.timedelta(1, 200)
2614
2653
"""
2615
2654
2616
2655
# Parsing an RFC 3339 duration with regular expressions is not
2617
2656
# possible - there would have to be multiple places for the same
2618
2657
# values, like seconds. The current code, while more esoteric, is
2619
2658
# cleaner without depending on a parsing library. If Python had a
2620
2659
# built-in library for parsing we would use it, but we'd like to
2621
2660
# avoid excessive use of external libraries.
2622
2661
2623
2662
# New type for defining tokens, syntax, and semantics all-in-one
2624
2663
Token = collections.namedtuple("Token", (
2625
2664
"regexp", # To match token; if "value" is not None, must have
2658
2697
frozenset((token_year, token_month,
2659
2698
token_day, token_time,
2660
2699
token_week)))
2661
# Define starting values
2662
value = datetime.timedelta() # Value so far
2700
# Define starting values:
2701
# Value so far
2702
value = datetime.timedelta()
2663
2703
found_token = None
2664
followers = frozenset((token_duration, )) # Following valid tokens
2665
s = duration # String left to parse
2704
# Following valid tokens
2705
followers = frozenset((token_duration, ))
2706
# String left to parse
2707
s = duration
2666
2708
# Loop until end token is found
2667
2709
while found_token is not token_end:
2668
2710
# Search for any currently valid tokens
2692
2734
2693
2735
def string_to_delta(interval):
2694
2736
"""Parse a string and return a datetime.timedelta
2695
2737
2696
2738
>>> string_to_delta('7d')
2697
2739
datetime.timedelta(7)
2698
2740
>>> string_to_delta('60s')
2706
2748
>>> string_to_delta('5m 30s')
2707
2749
datetime.timedelta(0, 330)
2708
2750
"""
2709
2751
2710
2752
try:
2711
2753
return rfc3339_duration_to_delta(interval)
2712
2754
except ValueError:
2713
2755
pass
2714
2756
2715
2757
timevalue = datetime.timedelta(0)
2716
2758
for s in interval.split():
2717
2759
try:
2735
2777
return timevalue
2736
2778
2737
2779
2738
def daemon(nochdir = False, noclose = False):
2780
def daemon(nochdir=False, noclose=False):
2739
2781
"""See daemon(3). Standard BSD Unix function.
2740
2782
2741
2783
This should really exist as os.daemon, but it doesn't (yet)."""
2742
2784
if os.fork():
2743
2785
sys.exit()
2761
2803
2762
2804
2763
2805
def main():
2764
2806
2765
2807
##################################################################
2766
2808
# Parsing of options, both command line and config file
2767
2809
2768
2810
parser = argparse.ArgumentParser()
2769
2811
parser.add_argument("-v", "--version", action="version",
2770
version = "%(prog)s {}".format(version),
2812
version="%(prog)s {}".format(version),
2771
2813
help="show version number and exit")
2772
2814
parser.add_argument("-i", "--interface", metavar="IF",
2773
2815
help="Bind to interface IF")
2809
2851
parser.add_argument("--no-zeroconf", action="store_false",
2810
2852
dest="zeroconf", help="Do not use Zeroconf",
2811
2853
default=None)
2812
2854
2813
2855
options = parser.parse_args()
2814
2856
2815
2857
if options.check:
2816
2858
import doctest
2817
2859
fail_count, test_count = doctest.testmod()
2818
2860
sys.exit(os.EX_OK if fail_count == 0 else 1)
2819
2861
2820
2862
# Default values for config file for server-global settings
2821
server_defaults = { "interface": "",
2822
"address": "",
2823
"port": "",
2824
"debug": "False",
2825
"priority":
2826
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2827
":+SIGN-DSA-SHA256",
2828
"servicename": "Mandos",
2829
"use_dbus": "True",
2830
"use_ipv6": "True",
2831
"debuglevel": "",
2832
"restore": "True",
2833
"socket": "",
2834
"statedir": "/var/lib/mandos",
2835
"foreground": "False",
2836
"zeroconf": "True",
2837
}
2838
2863
server_defaults = {"interface": "",
2864
"address": "",
2865
"port": "",
2866
"debug": "False",
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2870
"servicename": "Mandos",
2871
"use_dbus": "True",
2872
"use_ipv6": "True",
2873
"debuglevel": "",
2874
"restore": "True",
2875
"socket": "",
2876
"statedir": "/var/lib/mandos",
2877
"foreground": "False",
2878
"zeroconf": "True",
2879
}
2880
2839
2881
# Parse config file for server-global settings
2840
2882
server_config = configparser.SafeConfigParser(server_defaults)
2841
2883
del server_defaults
2843
2885
# Convert the SafeConfigParser object to a dict
2844
2886
server_settings = server_config.defaults()
2845
2887
# Use the appropriate methods on the non-string config options
2846
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2888
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2889
"foreground", "zeroconf"):
2847
2890
server_settings[option] = server_config.getboolean("DEFAULT",
2848
2891
option)
2849
2892
if server_settings["port"]:
2859
2902
server_settings["socket"] = os.dup(server_settings
2860
2903
["socket"])
2861
2904
del server_config
2862
2905
2863
2906
# Override the settings from the config file with command line
2864
2907
# options, if set.
2865
2908
for option in ("interface", "address", "port", "debug",
2883
2926
if server_settings["debug"]:
2884
2927
server_settings["foreground"] = True
2885
2928
# Now we have our good server settings in "server_settings"
2886
2929
2887
2930
##################################################################
2888
2931
2889
2932
if (not server_settings["zeroconf"]
2890
2933
and not (server_settings["port"]
2891
2934
or server_settings["socket"] != "")):
2892
2935
parser.error("Needs port or socket to work without Zeroconf")
2893
2936
2894
2937
# For convenience
2895
2938
debug = server_settings["debug"]
2896
2939
debuglevel = server_settings["debuglevel"]
2900
2943
stored_state_file)
2901
2944
foreground = server_settings["foreground"]
2902
2945
zeroconf = server_settings["zeroconf"]
2903
2946
2904
2947
if debug:
2905
2948
initlogger(debug, logging.DEBUG)
2906
2949
else:
2909
2952
else:
2910
2953
level = getattr(logging, debuglevel.upper())
2911
2954
initlogger(debug, level)
2912
2955
2913
2956
if server_settings["servicename"] != "Mandos":
2914
2957
syslogger.setFormatter(
2915
2958
logging.Formatter('Mandos ({}) [%(process)d]:'
2916
2959
' %(levelname)s: %(message)s'.format(
2917
2960
server_settings["servicename"])))
2918
2961
2919
2962
# Parse config file with clients
2920
2963
client_config = configparser.SafeConfigParser(Client
2921
2964
.client_defaults)
2922
2965
client_config.read(os.path.join(server_settings["configdir"],
2923
2966
"clients.conf"))
2924
2967
2925
2968
global mandos_dbus_service
2926
2969
mandos_dbus_service = None
2927
2970
2928
2971
socketfd = None
2929
2972
if server_settings["socket"] != "":
2930
2973
socketfd = server_settings["socket"]
2946
2989
except IOError as e:
2947
2990
logger.error("Could not open file %r", pidfilename,
2948
2991
exc_info=e)
2949
2992
2950
2993
for name, group in (("_mandos", "_mandos"),
2951
2994
("mandos", "mandos"),
2952
2995
("nobody", "nogroup")):
2970
3013
.format(uid, gid, os.strerror(error.errno)))
2971
3014
if error.errno != errno.EPERM:
2972
3015
raise
2973
3016
2974
3017
if debug:
2975
3018
# Enable all possible GnuTLS debugging
2976
3019
2977
3020
# "Use a log level over 10 to enable all debugging options."
2978
3021
# - GnuTLS manual
2979
3022
gnutls.global_set_log_level(11)
2980
3023
2981
3024
@gnutls.log_func
2982
3025
def debug_gnutls(level, string):
2983
3026
logger.debug("GnuTLS: %s", string[:-1])
2984
3027
2985
3028
gnutls.global_set_log_function(debug_gnutls)
2986
3029
2987
3030
# Redirect stdin so all checkers get /dev/null
2988
3031
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2989
3032
os.dup2(null, sys.stdin.fileno())
2990
3033
if null > 2:
2991
3034
os.close(null)
2992
3035
2993
3036
# Need to fork before connecting to D-Bus
2994
3037
if not foreground:
2995
3038
# Close all input and output, do double fork, etc.
2996
3039
daemon()
2997
3040
2998
3041
# multiprocessing will use threads, so before we use GLib we need
2999
3042
# to inform GLib that threads will be used.
3000
3043
GLib.threads_init()
3001
3044
3002
3045
global main_loop
3003
3046
# From the Avahi example code
3004
3047
DBusGMainLoop(set_as_default=True)
3021
3064
if zeroconf:
3022
3065
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3023
3066
service = AvahiServiceToSyslog(
3024
name = server_settings["servicename"],
3025
servicetype = "_mandos._tcp",
3026
protocol = protocol,
3027
bus = bus)
3067
name=server_settings["servicename"],
3068
servicetype="_mandos._tcp",
3069
protocol=protocol,
3070
bus=bus)
3028
3071
if server_settings["interface"]:
3029
3072
service.interface = if_nametoindex(
3030
3073
server_settings["interface"].encode("utf-8"))
3031
3074
3032
3075
global multiprocessing_manager
3033
3076
multiprocessing_manager = multiprocessing.Manager()
3034
3077
3035
3078
client_class = Client
3036
3079
if use_dbus:
3037
client_class = functools.partial(ClientDBus, bus = bus)
3038
3080
client_class = functools.partial(ClientDBus, bus=bus)
3081
3039
3082
client_settings = Client.config_parser(client_config)
3040
3083
old_client_settings = {}
3041
3084
clients_data = {}
3042
3085
3043
3086
# This is used to redirect stdout and stderr for checker processes
3044
3087
global wnull
3045
wnull = open(os.devnull, "w") # A writable /dev/null
3088
wnull = open(os.devnull, "w") # A writable /dev/null
3046
3089
# Only used if server is running in foreground but not in debug
3047
3090
# mode
3048
3091
if debug or not foreground:
3049
3092
wnull.close()
3050
3093
3051
3094
# Get client data and settings from last running state.
3052
3095
if server_settings["restore"]:
3053
3096
try:
3054
3097
with open(stored_state_path, "rb") as stored_state:
3055
if sys.version_info.major == 2:
3098
if sys.version_info.major == 2:
3056
3099
clients_data, old_client_settings = pickle.load(
3057
3100
stored_state)
3058
3101
else:
3059
3102
bytes_clients_data, bytes_old_client_settings = (
3060
pickle.load(stored_state, encoding = "bytes"))
3061
### Fix bytes to strings
3062
## clients_data
3103
pickle.load(stored_state, encoding="bytes"))
3104
# Fix bytes to strings
3105
# clients_data
3063
3106
# .keys()
3064
clients_data = { (key.decode("utf-8")
3065
if isinstance(key, bytes)
3066
else key): value
3067
for key, value in
3068
bytes_clients_data.items() }
3107
clients_data = {(key.decode("utf-8")
3108
if isinstance(key, bytes)
3109
else key): value
3110
for key, value in
3111
bytes_clients_data.items()}
3069
3112
del bytes_clients_data
3070
3113
for key in clients_data:
3071
value = { (k.decode("utf-8")
3072
if isinstance(k, bytes) else k): v
3073
for k, v in
3074
clients_data[key].items() }
3114
value = {(k.decode("utf-8")
3115
if isinstance(k, bytes) else k): v
3116
for k, v in
3117
clients_data[key].items()}
3075
3118
clients_data[key] = value
3076
3119
# .client_structure
3077
3120
value["client_structure"] = [
3078
3121
(s.decode("utf-8")
3079
3122
if isinstance(s, bytes)
3080
3123
else s) for s in
3081
value["client_structure"] ]
3124
value["client_structure"]]
3082
3125
# .name & .host
3083
3126
for k in ("name", "host"):
3084
3127
if isinstance(value[k], bytes):
3085
3128
value[k] = value[k].decode("utf-8")
3086
## old_client_settings
3129
# old_client_settings
3087
3130
# .keys()
3088
3131
old_client_settings = {
3089
3132
(key.decode("utf-8")
3090
3133
if isinstance(key, bytes)
3091
3134
else key): value
3092
3135
for key, value in
3093
bytes_old_client_settings.items() }
3136
bytes_old_client_settings.items()}
3094
3137
del bytes_old_client_settings
3095
3138
# .host
3096
3139
for value in old_client_settings.values():
3110
3153
logger.warning("Could not load persistent state: "
3111
3154
"EOFError:",
3112
3155
exc_info=e)
3113
3156
3114
3157
with PGPEngine() as pgp:
3115
3158
for client_name, client in clients_data.items():
3116
3159
# Skip removed clients
3117
3160
if client_name not in client_settings:
3118
3161
continue
3119
3162
3120
3163
# Decide which value to use after restoring saved state.
3121
3164
# We have three different values: Old config file,
3122
3165
# new config file, and saved state.
3133
3176
client[name] = value
3134
3177
except KeyError:
3135
3178
pass
3136
3179
3137
3180
# Clients who has passed its expire date can still be
3138
3181
# enabled if its last checker was successful. A Client
3139
3182
# whose checker succeeded before we stored its state is
3172
3215
client_name))
3173
3216
client["secret"] = (client_settings[client_name]
3174
3217
["secret"])
3175
3218
3176
3219
# Add/remove clients based on new changes made to config
3177
3220
for client_name in (set(old_client_settings)
3178
3221
- set(client_settings)):
3180
3223
for client_name in (set(client_settings)
3181
3224
- set(old_client_settings)):
3182
3225
clients_data[client_name] = client_settings[client_name]
3183
3226
3184
3227
# Create all client objects
3185
3228
for client_name, client in clients_data.items():
3186
3229
tcp_server.clients[client_name] = client_class(
3187
name = client_name,
3188
settings = client,
3189
server_settings = server_settings)
3190
3230
name=client_name,
3231
settings=client,
3232
server_settings=server_settings)
3233
3191
3234
if not tcp_server.clients:
3192
3235
logger.warning("No clients defined")
3193
3236
3194
3237
if not foreground:
3195
3238
if pidfile is not None:
3196
3239
pid = os.getpid()
3202
3245
pidfilename, pid)
3203
3246
del pidfile
3204
3247
del pidfilename
3205
3248
3206
3249
for termsig in (signal.SIGHUP, signal.SIGTERM):
3207
3250
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3208
3251
lambda: main_loop.quit() and False)
3209
3252
3210
3253
if use_dbus:
3211
3254
3212
3255
@alternate_dbus_interfaces(
3213
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3256
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3214
3257
class MandosDBusService(DBusObjectWithObjectManager):
3215
3258
"""A D-Bus proxy object"""
3216
3259
3217
3260
def __init__(self):
3218
3261
dbus.service.Object.__init__(self, bus, "/")
3219
3262
3220
3263
_interface = "se.recompile.Mandos"
3221
3264
3222
3265
@dbus.service.signal(_interface, signature="o")
3223
3266
def ClientAdded(self, objpath):
3224
3267
"D-Bus signal"
3225
3268
pass
3226
3269
3227
3270
@dbus.service.signal(_interface, signature="ss")
3228
3271
def ClientNotFound(self, fingerprint, address):
3229
3272
"D-Bus signal"
3230
3273
pass
3231
3274
3232
3275
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3233
3276
"true"})
3234
3277
@dbus.service.signal(_interface, signature="os")
3235
3278
def ClientRemoved(self, objpath, name):
3236
3279
"D-Bus signal"
3237
3280
pass
3238
3281
3239
3282
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3240
3283
"true"})
3241
3284
@dbus.service.method(_interface, out_signature="ao")
3243
3286
"D-Bus method"
3244
3287
return dbus.Array(c.dbus_object_path for c in
3245
3288
tcp_server.clients.values())
3246
3289
3247
3290
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3248
3291
"true"})
3249
3292
@dbus.service.method(_interface,
3251
3294
def GetAllClientsWithProperties(self):
3252
3295
"D-Bus method"
3253
3296
return dbus.Dictionary(
3254
{ c.dbus_object_path: c.GetAll(
3297
{c.dbus_object_path: c.GetAll(
3255
3298
"se.recompile.Mandos.Client")
3256
for c in tcp_server.clients.values() },
3299
for c in tcp_server.clients.values()},
3257
3300
signature="oa{sv}")
3258
3301
3259
3302
@dbus.service.method(_interface, in_signature="o")
3260
3303
def RemoveClient(self, object_path):
3261
3304
"D-Bus method"
3269
3312
self.client_removed_signal(c)
3270
3313
return
3271
3314
raise KeyError(object_path)
3272
3315
3273
3316
del _interface
3274
3317
3275
3318
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3276
out_signature = "a{oa{sa{sv}}}")
3319
out_signature="a{oa{sa{sv}}}")
3277
3320
def GetManagedObjects(self):
3278
3321
"""D-Bus method"""
3279
3322
return dbus.Dictionary(
3280
{ client.dbus_object_path:
3281
dbus.Dictionary(
3282
{ interface: client.GetAll(interface)
3283
for interface in
3284
client._get_all_interface_names()})
3285
for client in tcp_server.clients.values()})
3286
3323
{client.dbus_object_path:
3324
dbus.Dictionary(
3325
{interface: client.GetAll(interface)
3326
for interface in
3327
client._get_all_interface_names()})
3328
for client in tcp_server.clients.values()})
3329
3287
3330
def client_added_signal(self, client):
3288
3331
"""Send the new standard signal and the old signal"""
3289
3332
if use_dbus:
3291
3334
self.InterfacesAdded(
3292
3335
client.dbus_object_path,
3293
3336
dbus.Dictionary(
3294
{ interface: client.GetAll(interface)
3295
for interface in
3296
client._get_all_interface_names()}))
3337
{interface: client.GetAll(interface)
3338
for interface in
3339
client._get_all_interface_names()}))
3297
3340
# Old signal
3298
3341
self.ClientAdded(client.dbus_object_path)
3299
3342
3300
3343
def client_removed_signal(self, client):
3301
3344
"""Send the new standard signal and the old signal"""
3302
3345
if use_dbus:
3307
3350
# Old signal
3308
3351
self.ClientRemoved(client.dbus_object_path,
3309
3352
client.name)
3310
3353
3311
3354
mandos_dbus_service = MandosDBusService()
3312
3355
3313
3356
# Save modules to variables to exempt the modules from being
3314
3357
# unloaded before the function registered with atexit() is run.
3315
3358
mp = multiprocessing
3316
3359
wn = wnull
3360
3317
3361
def cleanup():
3318
3362
"Cleanup function; run on exit"
3319
3363
if zeroconf:
3320
3364
service.cleanup()
3321
3365
3322
3366
mp.active_children()
3323
3367
wn.close()
3324
3368
if not (tcp_server.clients or client_settings):
3325
3369
return
3326
3370
3327
3371
# Store client before exiting. Secrets are encrypted with key
3328
3372
# based on what config file has. If config file is
3329
3373
# removed/edited, old secret will thus be unrecovable.
3334
3378
client.encrypted_secret = pgp.encrypt(client.secret,
3335
3379
key)
3336
3380
client_dict = {}
3337
3381
3338
3382
# A list of attributes that can not be pickled
3339
3383
# + secret.
3340
exclude = { "bus", "changedstate", "secret",
3341
"checker", "server_settings" }
3384
exclude = {"bus", "changedstate", "secret",
3385
"checker", "server_settings"}
3342
3386
for name, typ in inspect.getmembers(dbus.service
3343
3387
.Object):
3344
3388
exclude.add(name)
3345
3389
3346
3390
client_dict["encrypted_secret"] = (client
3347
3391
.encrypted_secret)
3348
3392
for attr in client.client_structure:
3349
3393
if attr not in exclude:
3350
3394
client_dict[attr] = getattr(client, attr)
3351
3395
3352
3396
clients[client.name] = client_dict
3353
3397
del client_settings[client.name]["secret"]
3354
3398
3355
3399
try:
3356
3400
with tempfile.NamedTemporaryFile(
3357
3401
mode='wb',
3360
3404
dir=os.path.dirname(stored_state_path),
3361
3405
delete=False) as stored_state:
3362
3406
pickle.dump((clients, client_settings), stored_state,
3363
protocol = 2)
3407
protocol=2)
3364
3408
tempname = stored_state.name
3365
3409
os.rename(tempname, stored_state_path)
3366
3410
except (IOError, OSError) as e:
3376
3420
logger.warning("Could not save persistent state:",
3377
3421
exc_info=e)
3378
3422
raise
3379
3423
3380
3424
# Delete all clients, and settings from config
3381
3425
while tcp_server.clients:
3382
3426
name, client = tcp_server.clients.popitem()
3388
3432
if use_dbus:
3389
3433
mandos_dbus_service.client_removed_signal(client)
3390
3434
client_settings.clear()
3391
3435
3392
3436
atexit.register(cleanup)
3393
3437
3394
3438
for client in tcp_server.clients.values():
3395
3439
if use_dbus:
3396
3440
# Emit D-Bus signal for adding
3398
3442
# Need to initiate checking of clients
3399
3443
if client.enabled:
3400
3444
client.init_checker()
3401
3445
3402
3446
tcp_server.enable()
3403
3447
tcp_server.server_activate()
3404
3448
3405
3449
# Find out what port we got
3406
3450
if zeroconf:
3407
3451
service.port = tcp_server.socket.getsockname()[1]
3412
3456
else: # IPv4
3413
3457
logger.info("Now listening on address %r, port %d",
3414
3458
*tcp_server.socket.getsockname())
3415
3416
#service.interface = tcp_server.socket.getsockname()[3]
3417
3459
3460
# service.interface = tcp_server.socket.getsockname()[3]
3461
3418
3462
try:
3419
3463
if zeroconf:
3420
3464
# From the Avahi example code
3425
3469
cleanup()
3426
3470
sys.exit(1)
3427
3471
# End of Avahi example code
3428
3472
3429
3473
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3430
3474
lambda *args, **kwargs:
3431
3475
(tcp_server.handle_request
3432
3476
(*args[2:], **kwargs) or True))
3433
3477
3434
3478
logger.debug("Starting main loop")
3435
3479
main_loop.run()
3436
3480
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0