To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.671
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.671
- Committer: Teddy Hogeborn
- Date: 2019-07-25 21:42:40 UTC
- mto: This revision was merged to the branch mainline in revision 384.
- Revision ID: teddy@recompile.se-20190725214240-31i9qehf60xb8yu4
Use hexadecimal unicode character references, not decimal
* mandos-options.xml (priority): Use "​" instead of "​"
to make it slightly more clear that ZERO WIDTH SPACE is intended.
* mandos-options.xml (priority): Use "​" instead of "​"
to make it slightly more clear that ZERO WIDTH SPACE is intended.
- files added:
- bugs.xml
- debian/tests
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
82
80
83
81
import dbus
84
82
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
83
from gi.repository import GLib
90
84
from dbus.mainloop.glib import DBusGMainLoop
91
85
import ctypes
92
86
import ctypes.util
93
87
import xml.dom.minidom
94
88
import inspect
95
89
90
# Try to find the value of SO_BINDTODEVICE:
96
91
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
97
94
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
95
except AttributeError:
99
96
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
100
99
from IN import SO_BINDTODEVICE
101
100
except ImportError:
102
SO_BINDTODEVICE = None
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
103
114
104
115
if sys.version_info.major == 2:
105
116
str = unicode
106
117
107
version = "1.6.9"
118
version = "1.8.4"
108
119
stored_state_file = "clients.pickle"
109
120
110
121
logger = logging.getLogger()
114
125
if_nametoindex = ctypes.cdll.LoadLibrary(
115
126
ctypes.util.find_library("c")).if_nametoindex
116
127
except (OSError, AttributeError):
117
128
118
129
def if_nametoindex(interface):
119
130
"Get an interface index the hard way, i.e. using fcntl()"
120
131
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
136
return interface_index
126
137
127
138
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
128
155
def initlogger(debug, level=logging.WARNING):
129
156
"""init logger and add loglevel"""
130
157
131
158
global syslogger
132
159
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
135
162
syslogger.setFormatter(logging.Formatter
136
163
('Mandos [%(process)d]: %(levelname)s:'
137
164
' %(message)s'))
138
165
logger.addHandler(syslogger)
139
166
140
167
if debug:
141
168
console = logging.StreamHandler()
142
169
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
154
181
155
182
class PGPEngine(object):
156
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
184
158
185
def __init__(self):
159
186
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
160
198
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
199
'--homedir', self.tempdir,
162
200
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
166
206
def __enter__(self):
167
207
return self
168
208
169
209
def __exit__(self, exc_type, exc_value, traceback):
170
210
self._cleanup()
171
211
return False
172
212
173
213
def __del__(self):
174
214
self._cleanup()
175
215
176
216
def _cleanup(self):
177
217
if self.tempdir is not None:
178
218
# Delete contents of tempdir
179
219
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
220
topdown=False):
181
221
for filename in files:
182
222
os.remove(os.path.join(root, filename))
183
223
for dirname in dirs:
185
225
# Remove tempdir
186
226
os.rmdir(self.tempdir)
187
227
self.tempdir = None
188
228
189
229
def password_encode(self, password):
190
230
# Passphrase can not be empty and can not contain newlines or
191
231
# NUL bytes. So we prefix it and hex encode it.
196
236
.replace(b"\n", b"\\n")
197
237
.replace(b"\0", b"\\x00"))
198
238
return encoded
199
239
200
240
def encrypt(self, data, password):
201
241
passphrase = self.password_encode(password)
202
242
with tempfile.NamedTemporaryFile(
203
243
dir=self.tempdir) as passfile:
204
244
passfile.write(passphrase)
205
245
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
246
proc = subprocess.Popen([self.gpg, '--symmetric',
207
247
'--passphrase-file',
208
248
passfile.name]
209
249
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
214
254
if proc.returncode != 0:
215
255
raise PGPError(err)
216
256
return ciphertext
217
257
218
258
def decrypt(self, data, password):
219
259
passphrase = self.password_encode(password)
220
260
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
261
dir=self.tempdir) as passfile:
222
262
passfile.write(passphrase)
223
263
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
264
proc = subprocess.Popen([self.gpg, '--decrypt',
225
265
'--passphrase-file',
226
266
passfile.name]
227
267
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
232
272
if proc.returncode != 0:
233
273
raise PGPError(err)
234
274
return decrypted_plaintext
235
275
236
276
277
# Pretend that we have an Avahi module
278
class avahi(object):
279
"""This isn't so much a class as it is a module-like namespace."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
@staticmethod
290
def string_array_to_txt_array(t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
302
237
303
class AvahiError(Exception):
238
304
def __init__(self, value, *args, **kwargs):
239
305
self.value = value
251
317
252
318
class AvahiService(object):
253
319
"""An Avahi (Zeroconf) service.
254
320
255
321
Attributes:
256
322
interface: integer; avahi.IF_UNSPEC or an interface index.
257
323
Used to optionally bind to the specified interface.
269
335
server: D-Bus Server
270
336
bus: dbus.SystemBus()
271
337
"""
272
338
273
339
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
284
350
self.interface = interface
285
351
self.name = name
286
352
self.type = servicetype
295
361
self.server = None
296
362
self.bus = bus
297
363
self.entry_group_state_changed_match = None
298
364
299
365
def rename(self, remove=True):
300
366
"""Derived from the Avahi example code"""
301
367
if self.rename_count >= self.max_renames:
321
387
logger.critical("D-Bus Exception", exc_info=error)
322
388
self.cleanup()
323
389
os._exit(1)
324
390
325
391
def remove(self):
326
392
"""Derived from the Avahi example code"""
327
393
if self.entry_group_state_changed_match is not None:
329
395
self.entry_group_state_changed_match = None
330
396
if self.group is not None:
331
397
self.group.Reset()
332
398
333
399
def add(self):
334
400
"""Derived from the Avahi example code"""
335
401
self.remove()
352
418
dbus.UInt16(self.port),
353
419
avahi.string_array_to_txt_array(self.TXT))
354
420
self.group.Commit()
355
421
356
422
def entry_group_state_changed(self, state, error):
357
423
"""Derived from the Avahi example code"""
358
424
logger.debug("Avahi entry group state change: %i", state)
359
425
360
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
427
logger.debug("Zeroconf service established.")
362
428
elif state == avahi.ENTRY_GROUP_COLLISION:
366
432
logger.critical("Avahi: Error in group state changed %s",
367
433
str(error))
368
434
raise AvahiGroupError("State changed: {!s}".format(error))
369
435
370
436
def cleanup(self):
371
437
"""Derived from the Avahi example code"""
372
438
if self.group is not None:
377
443
pass
378
444
self.group = None
379
445
self.remove()
380
446
381
447
def server_state_changed(self, state, error=None):
382
448
"""Derived from the Avahi example code"""
383
449
logger.debug("Avahi server state change: %i", state)
412
478
logger.debug("Unknown state: %r", state)
413
479
else:
414
480
logger.debug("Unknown state: %r: %r", state, error)
415
481
416
482
def activate(self):
417
483
"""Derived from the Avahi example code"""
418
484
if self.server is None:
429
495
class AvahiServiceToSyslog(AvahiService):
430
496
def rename(self, *args, **kwargs):
431
497
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
498
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
499
syslogger.setFormatter(logging.Formatter(
434
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
501
.format(self.name)))
436
502
return ret
437
503
504
505
# Pretend that we have a GnuTLS module
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
508
509
library = ctypes.util.find_library("gnutls")
510
if library is None:
511
library = ctypes.util.find_library("gnutls-deb0")
512
_library = ctypes.cdll.LoadLibrary(library)
513
del library
514
515
# Unless otherwise indicated, the constants and types below are
516
# all from the gnutls/gnutls.h C header file.
517
518
# Constants
519
E_SUCCESS = 0
520
E_INTERRUPTED = -52
521
E_AGAIN = -28
522
CRT_OPENPGP = 2
523
CRT_RAWPK = 3
524
CLIENT = 2
525
SHUT_RDWR = 0
526
CRD_CERTIFICATE = 1
527
E_NO_CERTIFICATE_FOUND = -49
528
X509_FMT_DER = 0
529
NO_TICKETS = 1<<10
530
ENABLE_RAWPK = 1<<18
531
CTYPE_PEERS = 3
532
KEYID_USE_SHA256 = 1 # gnutls/x509.h
533
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
534
535
# Types
536
class session_int(ctypes.Structure):
537
_fields_ = []
538
session_t = ctypes.POINTER(session_int)
539
540
class certificate_credentials_st(ctypes.Structure):
541
_fields_ = []
542
certificate_credentials_t = ctypes.POINTER(
543
certificate_credentials_st)
544
certificate_type_t = ctypes.c_int
545
546
class datum_t(ctypes.Structure):
547
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
548
('size', ctypes.c_uint)]
549
550
class openpgp_crt_int(ctypes.Structure):
551
_fields_ = []
552
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
553
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
554
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
555
credentials_type_t = ctypes.c_int
556
transport_ptr_t = ctypes.c_void_p
557
close_request_t = ctypes.c_int
558
559
# Exceptions
560
class Error(Exception):
561
def __init__(self, message=None, code=None, args=()):
562
# Default usage is by a message string, but if a return
563
# code is passed, convert it to a string with
564
# gnutls.strerror()
565
self.code = code
566
if message is None and code is not None:
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
569
message, *args)
570
571
class CertificateSecurityError(Error):
572
pass
573
574
# Classes
575
class Credentials(object):
576
def __init__(self):
577
self._c_object = gnutls.certificate_credentials_t()
578
gnutls.certificate_allocate_credentials(
579
ctypes.byref(self._c_object))
580
self.type = gnutls.CRD_CERTIFICATE
581
582
def __del__(self):
583
gnutls.certificate_free_credentials(self._c_object)
584
585
class ClientSession(object):
586
def __init__(self, socket, credentials=None):
587
self._c_object = gnutls.session_t()
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version("3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
591
if gnutls.has_rawpk:
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
del gnutls_flags
595
gnutls.set_default_priority(self._c_object)
596
gnutls.transport_set_ptr(self._c_object, socket.fileno())
597
gnutls.handshake_set_private_extensions(self._c_object,
598
True)
599
self.socket = socket
600
if credentials is None:
601
credentials = gnutls.Credentials()
602
gnutls.credentials_set(self._c_object, credentials.type,
603
ctypes.cast(credentials._c_object,
604
ctypes.c_void_p))
605
self.credentials = credentials
606
607
def __del__(self):
608
gnutls.deinit(self._c_object)
609
610
def handshake(self):
611
return gnutls.handshake(self._c_object)
612
613
def send(self, data):
614
data = bytes(data)
615
data_len = len(data)
616
while data_len > 0:
617
data_len -= gnutls.record_send(self._c_object,
618
data[-data_len:],
619
data_len)
620
621
def bye(self):
622
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
623
624
# Error handling functions
625
def _error_code(result):
626
"""A function to raise exceptions on errors, suitable
627
for the 'restype' attribute on ctypes functions"""
628
if result >= 0:
629
return result
630
if result == gnutls.E_NO_CERTIFICATE_FOUND:
631
raise gnutls.CertificateSecurityError(code=result)
632
raise gnutls.Error(code=result)
633
634
def _retry_on_error(result, func, arguments):
635
"""A function to retry on some errors, suitable
636
for the 'errcheck' attribute on ctypes functions"""
637
while result < 0:
638
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
639
return _error_code(result)
640
result = func(*arguments)
641
return result
642
643
# Unless otherwise indicated, the function declarations below are
644
# all from the gnutls/gnutls.h C header file.
645
646
# Functions
647
priority_set_direct = _library.gnutls_priority_set_direct
648
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
649
ctypes.POINTER(ctypes.c_char_p)]
650
priority_set_direct.restype = _error_code
651
652
init = _library.gnutls_init
653
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
654
init.restype = _error_code
655
656
set_default_priority = _library.gnutls_set_default_priority
657
set_default_priority.argtypes = [session_t]
658
set_default_priority.restype = _error_code
659
660
record_send = _library.gnutls_record_send
661
record_send.argtypes = [session_t, ctypes.c_void_p,
662
ctypes.c_size_t]
663
record_send.restype = ctypes.c_ssize_t
664
record_send.errcheck = _retry_on_error
665
666
certificate_allocate_credentials = (
667
_library.gnutls_certificate_allocate_credentials)
668
certificate_allocate_credentials.argtypes = [
669
ctypes.POINTER(certificate_credentials_t)]
670
certificate_allocate_credentials.restype = _error_code
671
672
certificate_free_credentials = (
673
_library.gnutls_certificate_free_credentials)
674
certificate_free_credentials.argtypes = [
675
certificate_credentials_t]
676
certificate_free_credentials.restype = None
677
678
handshake_set_private_extensions = (
679
_library.gnutls_handshake_set_private_extensions)
680
handshake_set_private_extensions.argtypes = [session_t,
681
ctypes.c_int]
682
handshake_set_private_extensions.restype = None
683
684
credentials_set = _library.gnutls_credentials_set
685
credentials_set.argtypes = [session_t, credentials_type_t,
686
ctypes.c_void_p]
687
credentials_set.restype = _error_code
688
689
strerror = _library.gnutls_strerror
690
strerror.argtypes = [ctypes.c_int]
691
strerror.restype = ctypes.c_char_p
692
693
certificate_type_get = _library.gnutls_certificate_type_get
694
certificate_type_get.argtypes = [session_t]
695
certificate_type_get.restype = _error_code
696
697
certificate_get_peers = _library.gnutls_certificate_get_peers
698
certificate_get_peers.argtypes = [session_t,
699
ctypes.POINTER(ctypes.c_uint)]
700
certificate_get_peers.restype = ctypes.POINTER(datum_t)
701
702
global_set_log_level = _library.gnutls_global_set_log_level
703
global_set_log_level.argtypes = [ctypes.c_int]
704
global_set_log_level.restype = None
705
706
global_set_log_function = _library.gnutls_global_set_log_function
707
global_set_log_function.argtypes = [log_func]
708
global_set_log_function.restype = None
709
710
deinit = _library.gnutls_deinit
711
deinit.argtypes = [session_t]
712
deinit.restype = None
713
714
handshake = _library.gnutls_handshake
715
handshake.argtypes = [session_t]
716
handshake.restype = _error_code
717
handshake.errcheck = _retry_on_error
718
719
transport_set_ptr = _library.gnutls_transport_set_ptr
720
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
721
transport_set_ptr.restype = None
722
723
bye = _library.gnutls_bye
724
bye.argtypes = [session_t, close_request_t]
725
bye.restype = _error_code
726
bye.errcheck = _retry_on_error
727
728
check_version = _library.gnutls_check_version
729
check_version.argtypes = [ctypes.c_char_p]
730
check_version.restype = ctypes.c_char_p
731
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
736
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
739
740
if has_rawpk:
741
# Types
742
class pubkey_st(ctypes.Structure):
743
_fields = []
744
pubkey_t = ctypes.POINTER(pubkey_st)
745
746
x509_crt_fmt_t = ctypes.c_int
747
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
752
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
x509_crt_fmt_t]
756
pubkey_import.restype = _error_code
757
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
763
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
767
else:
768
# All the function declarations below are from gnutls/openpgp.h
769
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
773
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
777
openpgp_crt_fmt_t]
778
openpgp_crt_import.restype = _error_code
779
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
784
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
788
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
ctypes.c_void_p,
793
ctypes.POINTER(
794
ctypes.c_size_t)]
795
openpgp_crt_get_fingerprint.restype = _error_code
796
797
if check_version("3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
801
802
# Remove non-public functions
803
del _error_code, _retry_on_error
804
805
438
806
def call_pipe(connection, # : multiprocessing.Connection
439
807
func, *args, **kwargs):
440
808
"""This function is meant to be called by multiprocessing.Process
441
809
442
810
This function runs func(*args, **kwargs), and writes the resulting
443
811
return value on the provided multiprocessing.Connection.
444
812
"""
445
813
connection.send(func(*args, **kwargs))
446
814
connection.close()
447
815
816
448
817
class Client(object):
449
818
"""A representation of a client host served by this server.
450
819
451
820
Attributes:
452
821
approved: bool(); 'None' if not yet approved/disapproved
453
822
approval_delay: datetime.timedelta(); Time to wait for approval
455
824
checker: subprocess.Popen(); a running checker process used
456
825
to see if the client lives.
457
826
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
827
checker_callback_tag: a GLib event source tag, or None
459
828
checker_command: string; External command which is run to check
460
829
if client lives. %() expansions are done at
461
830
runtime with vars(self) as dict, so that for
462
831
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
832
checker_initiator_tag: a GLib event source tag, or None
464
833
created: datetime.datetime(); (UTC) object creation
465
834
client_structure: Object describing what attributes a client has
466
835
and is used for storing the client at exit
467
836
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
837
disable_initiator_tag: a GLib event source tag, or None
469
838
enabled: bool()
470
839
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
840
uniquely identify an OpenPGP client
841
key_id: string (64 hexadecimal digits); used to uniquely identify
842
a client using raw public keys
472
843
host: string; available for use by the checker command
473
844
interval: datetime.timedelta(); How often to start a new checker
474
845
last_approval_request: datetime.datetime(); (UTC) or None
490
861
disabled, or None
491
862
server_settings: The server_settings dict from main()
492
863
"""
493
864
494
865
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
866
"created", "enabled", "expires", "key_id",
496
867
"fingerprint", "host", "interval",
497
868
"last_approval_request", "last_checked_ok",
498
869
"last_enabled", "name", "timeout")
507
878
"approved_by_default": "True",
508
879
"enabled": "True",
509
880
}
510
881
511
882
@staticmethod
512
883
def config_parser(config):
513
884
"""Construct a new dict of client settings of this form:
520
891
for client_name in config.sections():
521
892
section = dict(config.items(client_name))
522
893
client = settings[client_name] = {}
523
894
524
895
client["host"] = section["host"]
525
896
# Reformat values from string types to Python types
526
897
client["approved_by_default"] = config.getboolean(
527
898
client_name, "approved_by_default")
528
899
client["enabled"] = config.getboolean(client_name,
529
900
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
901
902
# Uppercase and remove spaces from key_id and fingerprint
903
# for later comparison purposes with return value from the
904
# key_id() and fingerprint() functions
905
client["key_id"] = (section.get("key_id", "").upper()
906
.replace(" ", ""))
534
907
client["fingerprint"] = (section["fingerprint"].upper()
535
908
.replace(" ", ""))
536
909
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
910
client["secret"] = codecs.decode(section["secret"]
911
.encode("utf-8"),
912
"base64")
538
913
elif "secfile" in section:
539
914
with open(os.path.expanduser(os.path.expandvars
540
915
(section["secfile"])),
555
930
client["last_approval_request"] = None
556
931
client["last_checked_ok"] = None
557
932
client["last_checker_status"] = -2
558
933
559
934
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
935
936
def __init__(self, settings, name=None, server_settings=None):
562
937
self.name = name
563
938
if server_settings is None:
564
939
server_settings = {}
566
941
# adding all client settings
567
942
for setting, value in settings.items():
568
943
setattr(self, setting, value)
569
944
570
945
if self.enabled:
571
946
if not hasattr(self, "last_enabled"):
572
947
self.last_enabled = datetime.datetime.utcnow()
576
951
else:
577
952
self.last_enabled = None
578
953
self.expires = None
579
954
580
955
logger.debug("Creating client %r", self.name)
956
logger.debug(" Key ID: %s", self.key_id)
581
957
logger.debug(" Fingerprint: %s", self.fingerprint)
582
958
self.created = settings.get("created",
583
959
datetime.datetime.utcnow())
584
960
585
961
# attributes specific for this server instance
586
962
self.checker = None
587
963
self.checker_initiator_tag = None
593
969
self.changedstate = multiprocessing_manager.Condition(
594
970
multiprocessing_manager.Lock())
595
971
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
972
for attr in self.__dict__.keys()
597
973
if not attr.startswith("_")]
598
974
self.client_structure.append("client_structure")
599
975
600
976
for name, t in inspect.getmembers(
601
977
type(self), lambda obj: isinstance(obj, property)):
602
978
if not name.startswith("_"):
603
979
self.client_structure.append(name)
604
980
605
981
# Send notice to process children that client state has changed
606
982
def send_changedstate(self):
607
983
with self.changedstate:
608
984
self.changedstate.notify_all()
609
985
610
986
def enable(self):
611
987
"""Start this client's checker and timeout hooks"""
612
988
if getattr(self, "enabled", False):
617
993
self.last_enabled = datetime.datetime.utcnow()
618
994
self.init_checker()
619
995
self.send_changedstate()
620
996
621
997
def disable(self, quiet=True):
622
998
"""Disable this client."""
623
999
if not getattr(self, "enabled", False):
625
1001
if not quiet:
626
1002
logger.info("Disabling client %s", self.name)
627
1003
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1004
GLib.source_remove(self.disable_initiator_tag)
629
1005
self.disable_initiator_tag = None
630
1006
self.expires = None
631
1007
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1008
GLib.source_remove(self.checker_initiator_tag)
633
1009
self.checker_initiator_tag = None
634
1010
self.stop_checker()
635
1011
self.enabled = False
636
1012
if not quiet:
637
1013
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1014
# Do not run this again if called by a GLib.timeout_add
639
1015
return False
640
1016
641
1017
def __del__(self):
642
1018
self.disable()
643
1019
644
1020
def init_checker(self):
645
1021
# Schedule a new checker to be started an 'interval' from now,
646
1022
# and every interval from then on.
647
1023
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1024
GLib.source_remove(self.checker_initiator_tag)
1025
self.checker_initiator_tag = GLib.timeout_add(
650
1026
int(self.interval.total_seconds() * 1000),
651
1027
self.start_checker)
652
1028
# Schedule a disable() when 'timeout' has passed
653
1029
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1030
GLib.source_remove(self.disable_initiator_tag)
1031
self.disable_initiator_tag = GLib.timeout_add(
656
1032
int(self.timeout.total_seconds() * 1000), self.disable)
657
1033
# Also start a new checker *right now*.
658
1034
self.start_checker()
659
1035
660
1036
def checker_callback(self, source, condition, connection,
661
1037
command):
662
1038
"""The checker has completed, so take appropriate actions."""
665
1041
# Read return code from connection (see call_pipe)
666
1042
returncode = connection.recv()
667
1043
connection.close()
668
1044
669
1045
if returncode >= 0:
670
1046
self.last_checker_status = returncode
671
1047
self.last_checker_signal = None
681
1057
logger.warning("Checker for %(name)s crashed?",
682
1058
vars(self))
683
1059
return False
684
1060
685
1061
def checked_ok(self):
686
1062
"""Assert that the client has been seen, alive and well."""
687
1063
self.last_checked_ok = datetime.datetime.utcnow()
688
1064
self.last_checker_status = 0
689
1065
self.last_checker_signal = None
690
1066
self.bump_timeout()
691
1067
692
1068
def bump_timeout(self, timeout=None):
693
1069
"""Bump up the timeout for this client."""
694
1070
if timeout is None:
695
1071
timeout = self.timeout
696
1072
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1073
GLib.source_remove(self.disable_initiator_tag)
698
1074
self.disable_initiator_tag = None
699
1075
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1076
self.disable_initiator_tag = GLib.timeout_add(
701
1077
int(timeout.total_seconds() * 1000), self.disable)
702
1078
self.expires = datetime.datetime.utcnow() + timeout
703
1079
704
1080
def need_approval(self):
705
1081
self.last_approval_request = datetime.datetime.utcnow()
706
1082
707
1083
def start_checker(self):
708
1084
"""Start a new checker subprocess if one is not running.
709
1085
710
1086
If a checker already exists, leave it running and do
711
1087
nothing."""
712
1088
# The reason for not killing a running checker is that if we
717
1093
# checkers alone, the checker would have to take more time
718
1094
# than 'timeout' for the client to be disabled, which is as it
719
1095
# should be.
720
1096
721
1097
if self.checker is not None and not self.checker.is_alive():
722
1098
logger.warning("Checker was not alive; joining")
723
1099
self.checker.join()
727
1103
# Escape attributes for the shell
728
1104
escaped_attrs = {
729
1105
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1106
for attr in self.runtime_expansions}
731
1107
try:
732
1108
command = self.checker_command % escaped_attrs
733
1109
except TypeError as error:
745
1121
# The exception is when not debugging but nevertheless
746
1122
# running in the foreground; use the previously
747
1123
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1124
popen_args = {"close_fds": True,
1125
"shell": True,
1126
"cwd": "/"}
751
1127
if (not self.server_settings["debug"]
752
1128
and self.server_settings["foreground"]):
753
1129
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1130
"stderr": wnull})
1131
pipe = multiprocessing.Pipe(duplex=False)
756
1132
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1133
target=call_pipe,
1134
args=(pipe[1], subprocess.call, command),
1135
kwargs=popen_args)
760
1136
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1137
self.checker_callback_tag = GLib.io_add_watch(
1138
pipe[0].fileno(), GLib.IO_IN,
763
1139
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1140
# Re-run this periodically if run by GLib.timeout_add
765
1141
return True
766
1142
767
1143
def stop_checker(self):
768
1144
"""Force the checker process, if any, to stop."""
769
1145
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1146
GLib.source_remove(self.checker_callback_tag)
771
1147
self.checker_callback_tag = None
772
1148
if getattr(self, "checker", None) is None:
773
1149
return
782
1158
byte_arrays=False):
783
1159
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1160
become properties on the D-Bus.
785
1161
786
1162
The decorated method will be called with no arguments by "Get"
787
1163
and with one argument by "Set".
788
1164
789
1165
The parameters, where they are supported, are the same as
790
1166
dbus.service.method, except there is only "signature", since the
791
1167
type from Get() and the type sent to Set() is the same.
795
1171
if byte_arrays and signature != "ay":
796
1172
raise ValueError("Byte arrays not supported for non-'ay'"
797
1173
" signature {!r}".format(signature))
798
1174
799
1175
def decorator(func):
800
1176
func._dbus_is_property = True
801
1177
func._dbus_interface = dbus_interface
804
1180
func._dbus_name = func.__name__
805
1181
if func._dbus_name.endswith("_dbus_property"):
806
1182
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1183
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1184
return func
809
1185
810
1186
return decorator
811
1187
812
1188
813
1189
def dbus_interface_annotations(dbus_interface):
814
1190
"""Decorator for marking functions returning interface annotations
815
1191
816
1192
Usage:
817
1193
818
1194
@dbus_interface_annotations("org.example.Interface")
819
1195
def _foo(self): # Function name does not matter
820
1196
return {"org.freedesktop.DBus.Deprecated": "true",
821
1197
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1198
"false"}
823
1199
"""
824
1200
825
1201
def decorator(func):
826
1202
func._dbus_is_interface = True
827
1203
func._dbus_interface = dbus_interface
828
1204
func._dbus_name = dbus_interface
829
1205
return func
830
1206
831
1207
return decorator
832
1208
833
1209
834
1210
def dbus_annotations(annotations):
835
1211
"""Decorator to annotate D-Bus methods, signals or properties
836
1212
Usage:
837
1213
838
1214
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1215
"org.freedesktop.DBus.Property."
840
1216
"EmitsChangedSignal": "false"})
842
1218
access="r")
843
1219
def Property_dbus_property(self):
844
1220
return dbus.Boolean(False)
845
1221
846
1222
See also the DBusObjectWithAnnotations class.
847
1223
"""
848
1224
849
1225
def decorator(func):
850
1226
func._dbus_annotations = annotations
851
1227
return func
852
1228
853
1229
return decorator
854
1230
855
1231
873
1249
874
1250
class DBusObjectWithAnnotations(dbus.service.Object):
875
1251
"""A D-Bus object with annotations.
876
1252
877
1253
Classes inheriting from this can use the dbus_annotations
878
1254
decorator to add annotations to methods or signals.
879
1255
"""
880
1256
881
1257
@staticmethod
882
1258
def _is_dbus_thing(thing):
883
1259
"""Returns a function testing if an attribute is a D-Bus thing
884
1260
885
1261
If called like _is_dbus_thing("method") it returns a function
886
1262
suitable for use as predicate to inspect.getmembers().
887
1263
"""
888
1264
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1265
False)
890
1266
891
1267
def _get_all_dbus_things(self, thing):
892
1268
"""Returns a generator of (name, attribute) pairs
893
1269
"""
896
1272
for cls in self.__class__.__mro__
897
1273
for name, athing in
898
1274
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1275
900
1276
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1277
out_signature="s",
1278
path_keyword='object_path',
1279
connection_keyword='connection')
904
1280
def Introspect(self, object_path, connection):
905
1281
"""Overloading of standard D-Bus method.
906
1282
907
1283
Inserts annotation tags on methods and signals.
908
1284
"""
909
1285
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1286
connection)
911
1287
try:
912
1288
document = xml.dom.minidom.parseString(xmlstring)
913
1289
914
1290
for if_tag in document.getElementsByTagName("interface"):
915
1291
# Add annotation tags
916
1292
for typ in ("method", "signal"):
943
1319
if_tag.appendChild(ann_tag)
944
1320
# Fix argument name for the Introspect method itself
945
1321
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1322
== dbus.INTROSPECTABLE_IFACE):
947
1323
for cn in if_tag.getElementsByTagName("method"):
948
1324
if cn.getAttribute("name") == "Introspect":
949
1325
for arg in cn.getElementsByTagName("arg"):
962
1338
963
1339
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1340
"""A D-Bus object with properties.
965
1341
966
1342
Classes inheriting from this can use the dbus_service_property
967
1343
decorator to expose methods as D-Bus properties. It exposes the
968
1344
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1345
"""
970
1346
971
1347
def _get_dbus_property(self, interface_name, property_name):
972
1348
"""Returns a bound method if one exists which is a D-Bus
973
1349
property with the specified name and interface.
978
1354
if (value._dbus_name == property_name
979
1355
and value._dbus_interface == interface_name):
980
1356
return value.__get__(self)
981
1357
982
1358
# No such property
983
1359
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1360
self.dbus_object_path, interface_name, property_name))
985
1361
986
1362
@classmethod
987
1363
def _get_all_interface_names(cls):
988
1364
"""Get a sequence of all interfaces supported by an object"""
991
1367
for x in (inspect.getmro(cls))
992
1368
for attr in dir(x))
993
1369
if name is not None)
994
1370
995
1371
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1372
in_signature="ss",
997
1373
out_signature="v")
1005
1381
if not hasattr(value, "variant_level"):
1006
1382
return value
1007
1383
return type(value)(value, variant_level=value.variant_level+1)
1008
1384
1009
1385
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1386
def Set(self, interface_name, property_name, value):
1011
1387
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1399
value = dbus.ByteArray(b''.join(chr(byte)
1024
1400
for byte in value))
1025
1401
prop(value)
1026
1402
1027
1403
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1404
in_signature="s",
1029
1405
out_signature="a{sv}")
1030
1406
def GetAll(self, interface_name):
1031
1407
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1408
standard.
1033
1409
1034
1410
Note: Will not include properties with access="write".
1035
1411
"""
1036
1412
properties = {}
1047
1423
properties[name] = value
1048
1424
continue
1049
1425
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1426
value, variant_level=value.variant_level + 1)
1051
1427
return dbus.Dictionary(properties, signature="sv")
1052
1428
1053
1429
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1430
def PropertiesChanged(self, interface_name, changed_properties,
1055
1431
invalidated_properties):
1057
1433
standard.
1058
1434
"""
1059
1435
pass
1060
1436
1061
1437
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1438
out_signature="s",
1063
1439
path_keyword='object_path',
1064
1440
connection_keyword='connection')
1065
1441
def Introspect(self, object_path, connection):
1066
1442
"""Overloading of standard D-Bus method.
1067
1443
1068
1444
Inserts property tags and interface annotation tags.
1069
1445
"""
1070
1446
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1448
connection)
1073
1449
try:
1074
1450
document = xml.dom.minidom.parseString(xmlstring)
1075
1451
1076
1452
def make_tag(document, name, prop):
1077
1453
e = document.createElement("property")
1078
1454
e.setAttribute("name", name)
1079
1455
e.setAttribute("type", prop._dbus_signature)
1080
1456
e.setAttribute("access", prop._dbus_access)
1081
1457
return e
1082
1458
1083
1459
for if_tag in document.getElementsByTagName("interface"):
1084
1460
# Add property tags
1085
1461
for tag in (make_tag(document, name, prop)
1127
1503
exc_info=error)
1128
1504
return xmlstring
1129
1505
1506
1130
1507
try:
1131
1508
dbus.OBJECT_MANAGER_IFACE
1132
1509
except AttributeError:
1133
1510
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1511
1512
1135
1513
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1514
"""A D-Bus object with an ObjectManager.
1137
1515
1138
1516
Classes inheriting from this exposes the standard
1139
1517
GetManagedObjects call and the InterfacesAdded and
1140
1518
InterfacesRemoved signals on the standard
1141
1519
"org.freedesktop.DBus.ObjectManager" interface.
1142
1520
1143
1521
Note: No signals are sent automatically; they must be sent
1144
1522
manually.
1145
1523
"""
1146
1524
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1525
out_signature="a{oa{sa{sv}}}")
1148
1526
def GetManagedObjects(self):
1149
1527
"""This function must be overridden"""
1150
1528
raise NotImplementedError()
1151
1529
1152
1530
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1531
signature="oa{sa{sv}}")
1154
1532
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1533
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1158
signature = "oas")
1534
1535
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1159
1536
def InterfacesRemoved(self, object_path, interfaces):
1160
1537
pass
1161
1538
1162
1539
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1163
out_signature = "s",
1164
path_keyword = 'object_path',
1165
connection_keyword = 'connection')
1540
out_signature="s",
1541
path_keyword='object_path',
1542
connection_keyword='connection')
1166
1543
def Introspect(self, object_path, connection):
1167
1544
"""Overloading of standard D-Bus method.
1168
1545
1169
1546
Override return argument name of GetManagedObjects to be
1170
1547
"objpath_interfaces_and_properties"
1171
1548
"""
1172
xmlstring = DBusObjectWithAnnotations(self, object_path,
1173
connection)
1549
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1550
object_path,
1551
connection)
1174
1552
try:
1175
1553
document = xml.dom.minidom.parseString(xmlstring)
1176
1554
1177
1555
for if_tag in document.getElementsByTagName("interface"):
1178
1556
# Fix argument name for the GetManagedObjects method
1179
1557
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1558
== dbus.OBJECT_MANAGER_IFACE):
1181
1559
for cn in if_tag.getElementsByTagName("method"):
1182
1560
if (cn.getAttribute("name")
1183
1561
== "GetManagedObjects"):
1193
1571
except (AttributeError, xml.dom.DOMException,
1194
1572
xml.parsers.expat.ExpatError) as error:
1195
1573
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1574
exc_info=error)
1197
1575
return xmlstring
1198
1576
1577
1199
1578
def datetime_to_dbus(dt, variant_level=0):
1200
1579
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1580
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1581
return dbus.String("", variant_level=variant_level)
1203
1582
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1583
1205
1584
1208
1587
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1588
interface names according to the "alt_interface_names" mapping.
1210
1589
Usage:
1211
1590
1212
1591
@alternate_dbus_interfaces({"org.example.Interface":
1213
1592
"net.example.AlternateInterface"})
1214
1593
class SampleDBusObject(dbus.service.Object):
1215
1594
@dbus.service.method("org.example.Interface")
1216
1595
def SampleDBusMethod():
1217
1596
pass
1218
1597
1219
1598
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1599
reachable via two interfaces: "org.example.Interface" and
1221
1600
"net.example.AlternateInterface", the latter of which will have
1222
1601
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1602
"true", unless "deprecate" is passed with a False value.
1224
1603
1225
1604
This works for methods and signals, and also for D-Bus properties
1226
1605
(from DBusObjectWithProperties) and interfaces (from the
1227
1606
dbus_interface_annotations decorator).
1228
1607
"""
1229
1608
1230
1609
def wrapper(cls):
1231
1610
for orig_interface_name, alt_interface_name in (
1232
1611
alt_interface_names.items()):
1247
1626
interface_names.add(alt_interface)
1248
1627
# Is this a D-Bus signal?
1249
1628
if getattr(attribute, "_dbus_is_signal", False):
1629
# Extract the original non-method undecorated
1630
# function by black magic
1250
1631
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1632
nonmethod_func = (dict(
1254
1633
zip(attribute.func_code.co_freevars,
1255
1634
attribute.__closure__))
1256
1635
["func"].cell_contents)
1257
1636
else:
1258
nonmethod_func = attribute
1637
nonmethod_func = (dict(
1638
zip(attribute.__code__.co_freevars,
1639
attribute.__closure__))
1640
["func"].cell_contents)
1259
1641
# Create a new, but exactly alike, function
1260
1642
# object, and decorate it to be a new D-Bus signal
1261
1643
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1644
new_function = copy_function(nonmethod_func)
1276
1645
new_function = (dbus.service.signal(
1277
1646
alt_interface,
1278
1647
attribute._dbus_signature)(new_function))
1282
1651
attribute._dbus_annotations)
1283
1652
except AttributeError:
1284
1653
pass
1654
1285
1655
# Define a creator of a function to call both the
1286
1656
# original and alternate functions, so both the
1287
1657
# original and alternate signals gets sent when
1290
1660
"""This function is a scope container to pass
1291
1661
func1 and func2 to the "call_both" function
1292
1662
outside of its arguments"""
1293
1663
1664
@functools.wraps(func2)
1294
1665
def call_both(*args, **kwargs):
1295
1666
"""This function will emit two D-Bus
1296
1667
signals by calling func1 and func2"""
1297
1668
func1(*args, **kwargs)
1298
1669
func2(*args, **kwargs)
1299
1670
# Make wrapper function look like a D-Bus
1671
# signal
1672
for name, attr in inspect.getmembers(func2):
1673
if name.startswith("_dbus_"):
1674
setattr(call_both, name, attr)
1675
1300
1676
return call_both
1301
1677
# Create the "call_both" function and add it to
1302
1678
# the class
1312
1688
alt_interface,
1313
1689
attribute._dbus_in_signature,
1314
1690
attribute._dbus_out_signature)
1315
(types.FunctionType(attribute.func_code,
1316
attribute.func_globals,
1317
attribute.func_name,
1318
attribute.func_defaults,
1319
attribute.func_closure)))
1691
(copy_function(attribute)))
1320
1692
# Copy annotations, if any
1321
1693
try:
1322
1694
attr[attrname]._dbus_annotations = dict(
1334
1706
attribute._dbus_access,
1335
1707
attribute._dbus_get_args_options
1336
1708
["byte_arrays"])
1337
(types.FunctionType(
1338
attribute.func_code,
1339
attribute.func_globals,
1340
attribute.func_name,
1341
attribute.func_defaults,
1342
attribute.func_closure)))
1709
(copy_function(attribute)))
1343
1710
# Copy annotations, if any
1344
1711
try:
1345
1712
attr[attrname]._dbus_annotations = dict(
1354
1721
# to the class.
1355
1722
attr[attrname] = (
1356
1723
dbus_interface_annotations(alt_interface)
1357
(types.FunctionType(attribute.func_code,
1358
attribute.func_globals,
1359
attribute.func_name,
1360
attribute.func_defaults,
1361
attribute.func_closure)))
1724
(copy_function(attribute)))
1362
1725
if deprecate:
1363
1726
# Deprecate all alternate interfaces
1364
iname="_AlternateDBusNames_interface_annotation{}"
1727
iname = "_AlternateDBusNames_interface_annotation{}"
1365
1728
for interface_name in interface_names:
1366
1729
1367
1730
@dbus_interface_annotations(interface_name)
1368
1731
def func(self):
1369
return { "org.freedesktop.DBus.Deprecated":
1370
"true" }
1732
return {"org.freedesktop.DBus.Deprecated":
1733
"true"}
1371
1734
# Find an unused name
1372
1735
for aname in (iname.format(i)
1373
1736
for i in itertools.count()):
1377
1740
if interface_names:
1378
1741
# Replace the class with a new subclass of it with
1379
1742
# methods, signals, etc. as created above.
1380
cls = type(b"{}Alternate".format(cls.__name__),
1381
(cls, ), attr)
1743
if sys.version_info.major == 2:
1744
cls = type(b"{}Alternate".format(cls.__name__),
1745
(cls, ), attr)
1746
else:
1747
cls = type("{}Alternate".format(cls.__name__),
1748
(cls, ), attr)
1382
1749
return cls
1383
1750
1384
1751
return wrapper
1385
1752
1386
1753
1388
1755
"se.bsnet.fukt.Mandos"})
1389
1756
class ClientDBus(Client, DBusObjectWithProperties):
1390
1757
"""A Client class using D-Bus
1391
1758
1392
1759
Attributes:
1393
1760
dbus_object_path: dbus.ObjectPath
1394
1761
bus: dbus.SystemBus()
1395
1762
"""
1396
1763
1397
1764
runtime_expansions = (Client.runtime_expansions
1398
1765
+ ("dbus_object_path", ))
1399
1766
1400
1767
_interface = "se.recompile.Mandos.Client"
1401
1768
1402
1769
# dbus.service.Object doesn't use super(), so we can't either.
1403
1404
def __init__(self, bus = None, *args, **kwargs):
1770
1771
def __init__(self, bus=None, *args, **kwargs):
1405
1772
self.bus = bus
1406
1773
Client.__init__(self, *args, **kwargs)
1407
1774
# Only now, when this client is initialized, can it show up on
1413
1780
"/clients/" + client_object_name)
1414
1781
DBusObjectWithProperties.__init__(self, self.bus,
1415
1782
self.dbus_object_path)
1416
1783
1417
1784
def notifychangeproperty(transform_func, dbus_name,
1418
1785
type_func=lambda x: x,
1419
1786
variant_level=1,
1421
1788
_interface=_interface):
1422
1789
""" Modify a variable so that it's a property which announces
1423
1790
its changes to DBus.
1424
1791
1425
1792
transform_fun: Function that takes a value and a variant_level
1426
1793
and transforms it to a D-Bus type.
1427
1794
dbus_name: D-Bus name of the variable
1430
1797
variant_level: D-Bus variant level. Default: 1
1431
1798
"""
1432
1799
attrname = "_{}".format(dbus_name)
1433
1800
1434
1801
def setter(self, value):
1435
1802
if hasattr(self, "dbus_object_path"):
1436
1803
if (not hasattr(self, attrname) or
1443
1810
else:
1444
1811
dbus_value = transform_func(
1445
1812
type_func(value),
1446
variant_level = variant_level)
1813
variant_level=variant_level)
1447
1814
self.PropertyChanged(dbus.String(dbus_name),
1448
1815
dbus_value)
1449
1816
self.PropertiesChanged(
1450
1817
_interface,
1451
dbus.Dictionary({ dbus.String(dbus_name):
1452
dbus_value }),
1818
dbus.Dictionary({dbus.String(dbus_name):
1819
dbus_value}),
1453
1820
dbus.Array())
1454
1821
setattr(self, attrname, value)
1455
1822
1456
1823
return property(lambda self: getattr(self, attrname), setter)
1457
1824
1458
1825
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1459
1826
approvals_pending = notifychangeproperty(dbus.Boolean,
1460
1827
"ApprovalPending",
1461
type_func = bool)
1828
type_func=bool)
1462
1829
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1463
1830
last_enabled = notifychangeproperty(datetime_to_dbus,
1464
1831
"LastEnabled")
1465
1832
checker = notifychangeproperty(
1466
1833
dbus.Boolean, "CheckerRunning",
1467
type_func = lambda checker: checker is not None)
1834
type_func=lambda checker: checker is not None)
1468
1835
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1469
1836
"LastCheckedOK")
1470
1837
last_checker_status = notifychangeproperty(dbus.Int16,
1475
1842
"ApprovedByDefault")
1476
1843
approval_delay = notifychangeproperty(
1477
1844
dbus.UInt64, "ApprovalDelay",
1478
type_func = lambda td: td.total_seconds() * 1000)
1845
type_func=lambda td: td.total_seconds() * 1000)
1479
1846
approval_duration = notifychangeproperty(
1480
1847
dbus.UInt64, "ApprovalDuration",
1481
type_func = lambda td: td.total_seconds() * 1000)
1848
type_func=lambda td: td.total_seconds() * 1000)
1482
1849
host = notifychangeproperty(dbus.String, "Host")
1483
1850
timeout = notifychangeproperty(
1484
1851
dbus.UInt64, "Timeout",
1485
type_func = lambda td: td.total_seconds() * 1000)
1852
type_func=lambda td: td.total_seconds() * 1000)
1486
1853
extended_timeout = notifychangeproperty(
1487
1854
dbus.UInt64, "ExtendedTimeout",
1488
type_func = lambda td: td.total_seconds() * 1000)
1855
type_func=lambda td: td.total_seconds() * 1000)
1489
1856
interval = notifychangeproperty(
1490
1857
dbus.UInt64, "Interval",
1491
type_func = lambda td: td.total_seconds() * 1000)
1858
type_func=lambda td: td.total_seconds() * 1000)
1492
1859
checker_command = notifychangeproperty(dbus.String, "Checker")
1493
1860
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1494
1861
invalidate_only=True)
1495
1862
1496
1863
del notifychangeproperty
1497
1864
1498
1865
def __del__(self, *args, **kwargs):
1499
1866
try:
1500
1867
self.remove_from_connection()
1503
1870
if hasattr(DBusObjectWithProperties, "__del__"):
1504
1871
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1505
1872
Client.__del__(self, *args, **kwargs)
1506
1873
1507
1874
def checker_callback(self, source, condition,
1508
1875
connection, command, *args, **kwargs):
1509
1876
ret = Client.checker_callback(self, source, condition,
1525
1892
| self.last_checker_signal),
1526
1893
dbus.String(command))
1527
1894
return ret
1528
1895
1529
1896
def start_checker(self, *args, **kwargs):
1530
1897
old_checker_pid = getattr(self.checker, "pid", None)
1531
1898
r = Client.start_checker(self, *args, **kwargs)
1535
1902
# Emit D-Bus signal
1536
1903
self.CheckerStarted(self.current_checker_command)
1537
1904
return r
1538
1905
1539
1906
def _reset_approved(self):
1540
1907
self.approved = None
1541
1908
return False
1542
1909
1543
1910
def approve(self, value=True):
1544
1911
self.approved = value
1545
gobject.timeout_add(int(self.approval_duration.total_seconds()
1546
* 1000), self._reset_approved)
1912
GLib.timeout_add(int(self.approval_duration.total_seconds()
1913
* 1000), self._reset_approved)
1547
1914
self.send_changedstate()
1548
1549
## D-Bus methods, signals & properties
1550
1551
## Interfaces
1552
1553
## Signals
1554
1915
1916
# D-Bus methods, signals & properties
1917
1918
# Interfaces
1919
1920
# Signals
1921
1555
1922
# CheckerCompleted - signal
1556
1923
@dbus.service.signal(_interface, signature="nxs")
1557
1924
def CheckerCompleted(self, exitcode, waitstatus, command):
1558
1925
"D-Bus signal"
1559
1926
pass
1560
1927
1561
1928
# CheckerStarted - signal
1562
1929
@dbus.service.signal(_interface, signature="s")
1563
1930
def CheckerStarted(self, command):
1564
1931
"D-Bus signal"
1565
1932
pass
1566
1933
1567
1934
# PropertyChanged - signal
1568
1935
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1569
1936
@dbus.service.signal(_interface, signature="sv")
1570
1937
def PropertyChanged(self, property, value):
1571
1938
"D-Bus signal"
1572
1939
pass
1573
1940
1574
1941
# GotSecret - signal
1575
1942
@dbus.service.signal(_interface)
1576
1943
def GotSecret(self):
1579
1946
server to mandos-client
1580
1947
"""
1581
1948
pass
1582
1949
1583
1950
# Rejected - signal
1584
1951
@dbus.service.signal(_interface, signature="s")
1585
1952
def Rejected(self, reason):
1586
1953
"D-Bus signal"
1587
1954
pass
1588
1955
1589
1956
# NeedApproval - signal
1590
1957
@dbus.service.signal(_interface, signature="tb")
1591
1958
def NeedApproval(self, timeout, default):
1592
1959
"D-Bus signal"
1593
1960
return self.need_approval()
1594
1595
## Methods
1596
1961
1962
# Methods
1963
1597
1964
# Approve - method
1598
1965
@dbus.service.method(_interface, in_signature="b")
1599
1966
def Approve(self, value):
1600
1967
self.approve(value)
1601
1968
1602
1969
# CheckedOK - method
1603
1970
@dbus.service.method(_interface)
1604
1971
def CheckedOK(self):
1605
1972
self.checked_ok()
1606
1973
1607
1974
# Enable - method
1608
1975
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1609
1976
@dbus.service.method(_interface)
1610
1977
def Enable(self):
1611
1978
"D-Bus method"
1612
1979
self.enable()
1613
1980
1614
1981
# StartChecker - method
1615
1982
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1616
1983
@dbus.service.method(_interface)
1617
1984
def StartChecker(self):
1618
1985
"D-Bus method"
1619
1986
self.start_checker()
1620
1987
1621
1988
# Disable - method
1622
1989
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1623
1990
@dbus.service.method(_interface)
1624
1991
def Disable(self):
1625
1992
"D-Bus method"
1626
1993
self.disable()
1627
1994
1628
1995
# StopChecker - method
1629
1996
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1630
1997
@dbus.service.method(_interface)
1631
1998
def StopChecker(self):
1632
1999
self.stop_checker()
1633
1634
## Properties
1635
2000
2001
# Properties
2002
1636
2003
# ApprovalPending - property
1637
2004
@dbus_service_property(_interface, signature="b", access="read")
1638
2005
def ApprovalPending_dbus_property(self):
1639
2006
return dbus.Boolean(bool(self.approvals_pending))
1640
2007
1641
2008
# ApprovedByDefault - property
1642
2009
@dbus_service_property(_interface,
1643
2010
signature="b",
1646
2013
if value is None: # get
1647
2014
return dbus.Boolean(self.approved_by_default)
1648
2015
self.approved_by_default = bool(value)
1649
2016
1650
2017
# ApprovalDelay - property
1651
2018
@dbus_service_property(_interface,
1652
2019
signature="t",
1656
2023
return dbus.UInt64(self.approval_delay.total_seconds()
1657
2024
* 1000)
1658
2025
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1659
2026
1660
2027
# ApprovalDuration - property
1661
2028
@dbus_service_property(_interface,
1662
2029
signature="t",
1666
2033
return dbus.UInt64(self.approval_duration.total_seconds()
1667
2034
* 1000)
1668
2035
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1669
2036
1670
2037
# Name - property
1671
2038
@dbus_annotations(
1672
2039
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1673
2040
@dbus_service_property(_interface, signature="s", access="read")
1674
2041
def Name_dbus_property(self):
1675
2042
return dbus.String(self.name)
1676
2043
2044
# KeyID - property
2045
@dbus_annotations(
2046
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2047
@dbus_service_property(_interface, signature="s", access="read")
2048
def KeyID_dbus_property(self):
2049
return dbus.String(self.key_id)
2050
1677
2051
# Fingerprint - property
1678
2052
@dbus_annotations(
1679
2053
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1680
2054
@dbus_service_property(_interface, signature="s", access="read")
1681
2055
def Fingerprint_dbus_property(self):
1682
2056
return dbus.String(self.fingerprint)
1683
2057
1684
2058
# Host - property
1685
2059
@dbus_service_property(_interface,
1686
2060
signature="s",
1689
2063
if value is None: # get
1690
2064
return dbus.String(self.host)
1691
2065
self.host = str(value)
1692
2066
1693
2067
# Created - property
1694
2068
@dbus_annotations(
1695
2069
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1696
2070
@dbus_service_property(_interface, signature="s", access="read")
1697
2071
def Created_dbus_property(self):
1698
2072
return datetime_to_dbus(self.created)
1699
2073
1700
2074
# LastEnabled - property
1701
2075
@dbus_service_property(_interface, signature="s", access="read")
1702
2076
def LastEnabled_dbus_property(self):
1703
2077
return datetime_to_dbus(self.last_enabled)
1704
2078
1705
2079
# Enabled - property
1706
2080
@dbus_service_property(_interface,
1707
2081
signature="b",
1713
2087
self.enable()
1714
2088
else:
1715
2089
self.disable()
1716
2090
1717
2091
# LastCheckedOK - property
1718
2092
@dbus_service_property(_interface,
1719
2093
signature="s",
1723
2097
self.checked_ok()
1724
2098
return
1725
2099
return datetime_to_dbus(self.last_checked_ok)
1726
2100
1727
2101
# LastCheckerStatus - property
1728
2102
@dbus_service_property(_interface, signature="n", access="read")
1729
2103
def LastCheckerStatus_dbus_property(self):
1730
2104
return dbus.Int16(self.last_checker_status)
1731
2105
1732
2106
# Expires - property
1733
2107
@dbus_service_property(_interface, signature="s", access="read")
1734
2108
def Expires_dbus_property(self):
1735
2109
return datetime_to_dbus(self.expires)
1736
2110
1737
2111
# LastApprovalRequest - property
1738
2112
@dbus_service_property(_interface, signature="s", access="read")
1739
2113
def LastApprovalRequest_dbus_property(self):
1740
2114
return datetime_to_dbus(self.last_approval_request)
1741
2115
1742
2116
# Timeout - property
1743
2117
@dbus_service_property(_interface,
1744
2118
signature="t",
1759
2133
if (getattr(self, "disable_initiator_tag", None)
1760
2134
is None):
1761
2135
return
1762
gobject.source_remove(self.disable_initiator_tag)
1763
self.disable_initiator_tag = gobject.timeout_add(
2136
GLib.source_remove(self.disable_initiator_tag)
2137
self.disable_initiator_tag = GLib.timeout_add(
1764
2138
int((self.expires - now).total_seconds() * 1000),
1765
2139
self.disable)
1766
2140
1767
2141
# ExtendedTimeout - property
1768
2142
@dbus_service_property(_interface,
1769
2143
signature="t",
1773
2147
return dbus.UInt64(self.extended_timeout.total_seconds()
1774
2148
* 1000)
1775
2149
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1776
2150
1777
2151
# Interval - property
1778
2152
@dbus_service_property(_interface,
1779
2153
signature="t",
1786
2160
return
1787
2161
if self.enabled:
1788
2162
# Reschedule checker run
1789
gobject.source_remove(self.checker_initiator_tag)
1790
self.checker_initiator_tag = gobject.timeout_add(
2163
GLib.source_remove(self.checker_initiator_tag)
2164
self.checker_initiator_tag = GLib.timeout_add(
1791
2165
value, self.start_checker)
1792
self.start_checker() # Start one now, too
1793
2166
self.start_checker() # Start one now, too
2167
1794
2168
# Checker - property
1795
2169
@dbus_service_property(_interface,
1796
2170
signature="s",
1799
2173
if value is None: # get
1800
2174
return dbus.String(self.checker_command)
1801
2175
self.checker_command = str(value)
1802
2176
1803
2177
# CheckerRunning - property
1804
2178
@dbus_service_property(_interface,
1805
2179
signature="b",
1811
2185
self.start_checker()
1812
2186
else:
1813
2187
self.stop_checker()
1814
2188
1815
2189
# ObjectPath - property
1816
2190
@dbus_annotations(
1817
2191
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1818
2192
"org.freedesktop.DBus.Deprecated": "true"})
1819
2193
@dbus_service_property(_interface, signature="o", access="read")
1820
2194
def ObjectPath_dbus_property(self):
1821
return self.dbus_object_path # is already a dbus.ObjectPath
1822
2195
return self.dbus_object_path # is already a dbus.ObjectPath
2196
1823
2197
# Secret = property
1824
2198
@dbus_annotations(
1825
2199
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1830
2204
byte_arrays=True)
1831
2205
def Secret_dbus_property(self, value):
1832
2206
self.secret = bytes(value)
1833
2207
1834
2208
del _interface
1835
2209
1836
2210
1837
2211
class ProxyClient(object):
1838
def __init__(self, child_pipe, fpr, address):
2212
def __init__(self, child_pipe, key_id, fpr, address):
1839
2213
self._pipe = child_pipe
1840
self._pipe.send(('init', fpr, address))
2214
self._pipe.send(('init', key_id, fpr, address))
1841
2215
if not self._pipe.recv():
1842
raise KeyError(fpr)
1843
2216
raise KeyError(key_id or fpr)
2217
1844
2218
def __getattribute__(self, name):
1845
2219
if name == '_pipe':
1846
2220
return super(ProxyClient, self).__getattribute__(name)
1849
2223
if data[0] == 'data':
1850
2224
return data[1]
1851
2225
if data[0] == 'function':
1852
2226
1853
2227
def func(*args, **kwargs):
1854
2228
self._pipe.send(('funcall', name, args, kwargs))
1855
2229
return self._pipe.recv()[1]
1856
2230
1857
2231
return func
1858
2232
1859
2233
def __setattr__(self, name, value):
1860
2234
if name == '_pipe':
1861
2235
return super(ProxyClient, self).__setattr__(name, value)
1864
2238
1865
2239
class ClientHandler(socketserver.BaseRequestHandler, object):
1866
2240
"""A class to handle client connections.
1867
2241
1868
2242
Instantiated once for each connection to handle it.
1869
2243
Note: This will run in its own forked process."""
1870
2244
1871
2245
def handle(self):
1872
2246
with contextlib.closing(self.server.child_pipe) as child_pipe:
1873
2247
logger.info("TCP connection from: %s",
1874
2248
str(self.client_address))
1875
2249
logger.debug("Pipe FD: %d",
1876
2250
self.server.child_pipe.fileno())
1877
1878
session = gnutls.connection.ClientSession(
1879
self.request, gnutls.connection .X509Credentials())
1880
1881
# Note: gnutls.connection.X509Credentials is really a
1882
# generic GnuTLS certificate credentials object so long as
1883
# no X.509 keys are added to it. Therefore, we can use it
1884
# here despite using OpenPGP certificates.
1885
1886
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1887
# "+AES-256-CBC", "+SHA1",
1888
# "+COMP-NULL", "+CTYPE-OPENPGP",
1889
# "+DHE-DSS"))
2251
2252
session = gnutls.ClientSession(self.request)
2253
2254
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2255
# "+AES-256-CBC", "+SHA1",
2256
# "+COMP-NULL", "+CTYPE-OPENPGP",
2257
# "+DHE-DSS"))
1890
2258
# Use a fallback default, since this MUST be set.
1891
2259
priority = self.server.gnutls_priority
1892
2260
if priority is None:
1893
2261
priority = "NORMAL"
1894
gnutls.library.functions.gnutls_priority_set_direct(
1895
session._c_object, priority, None)
1896
2262
gnutls.priority_set_direct(session._c_object,
2263
priority.encode("utf-8"),
2264
None)
2265
1897
2266
# Start communication using the Mandos protocol
1898
2267
# Get protocol number
1899
2268
line = self.request.makefile().readline()
1904
2273
except (ValueError, IndexError, RuntimeError) as error:
1905
2274
logger.error("Unknown protocol version: %s", error)
1906
2275
return
1907
2276
1908
2277
# Start GnuTLS connection
1909
2278
try:
1910
2279
session.handshake()
1911
except gnutls.errors.GNUTLSError as error:
2280
except gnutls.Error as error:
1912
2281
logger.warning("Handshake failed: %s", error)
1913
2282
# Do not run session.bye() here: the session is not
1914
2283
# established. Just abandon the request.
1915
2284
return
1916
2285
logger.debug("Handshake succeeded")
1917
2286
1918
2287
approval_required = False
1919
2288
try:
1920
try:
1921
fpr = self.fingerprint(
1922
self.peer_certificate(session))
1923
except (TypeError,
1924
gnutls.errors.GNUTLSError) as error:
1925
logger.warning("Bad certificate: %s", error)
1926
return
1927
logger.debug("Fingerprint: %s", fpr)
1928
1929
try:
1930
client = ProxyClient(child_pipe, fpr,
2289
if gnutls.has_rawpk:
2290
fpr = ""
2291
try:
2292
key_id = self.key_id(
2293
self.peer_certificate(session))
2294
except (TypeError, gnutls.Error) as error:
2295
logger.warning("Bad certificate: %s", error)
2296
return
2297
logger.debug("Key ID: %s", key_id)
2298
2299
else:
2300
key_id = ""
2301
try:
2302
fpr = self.fingerprint(
2303
self.peer_certificate(session))
2304
except (TypeError, gnutls.Error) as error:
2305
logger.warning("Bad certificate: %s", error)
2306
return
2307
logger.debug("Fingerprint: %s", fpr)
2308
2309
try:
2310
client = ProxyClient(child_pipe, key_id, fpr,
1931
2311
self.client_address)
1932
2312
except KeyError:
1933
2313
return
1934
2314
1935
2315
if client.approval_delay:
1936
2316
delay = client.approval_delay
1937
2317
client.approvals_pending += 1
1938
2318
approval_required = True
1939
2319
1940
2320
while True:
1941
2321
if not client.enabled:
1942
2322
logger.info("Client %s is disabled",
1945
2325
# Emit D-Bus signal
1946
2326
client.Rejected("Disabled")
1947
2327
return
1948
2328
1949
2329
if client.approved or not client.approval_delay:
1950
#We are approved or approval is disabled
2330
# We are approved or approval is disabled
1951
2331
break
1952
2332
elif client.approved is None:
1953
2333
logger.info("Client %s needs approval",
1964
2344
# Emit D-Bus signal
1965
2345
client.Rejected("Denied")
1966
2346
return
1967
1968
#wait until timeout or approved
2347
2348
# wait until timeout or approved
1969
2349
time = datetime.datetime.now()
1970
2350
client.changedstate.acquire()
1971
2351
client.changedstate.wait(delay.total_seconds())
1984
2364
break
1985
2365
else:
1986
2366
delay -= time2 - time
1987
1988
sent_size = 0
1989
while sent_size < len(client.secret):
1990
try:
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1994
exc_info=error)
1995
return
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
1998
+ sent))
1999
sent_size += sent
2000
2367
2368
try:
2369
session.send(client.secret)
2370
except gnutls.Error as error:
2371
logger.warning("gnutls send failed",
2372
exc_info=error)
2373
return
2374
2001
2375
logger.info("Sending secret to %s", client.name)
2002
2376
# bump the timeout using extended_timeout
2003
2377
client.bump_timeout(client.extended_timeout)
2004
2378
if self.server.use_dbus:
2005
2379
# Emit D-Bus signal
2006
2380
client.GotSecret()
2007
2381
2008
2382
finally:
2009
2383
if approval_required:
2010
2384
client.approvals_pending -= 1
2011
2385
try:
2012
2386
session.bye()
2013
except gnutls.errors.GNUTLSError as error:
2387
except gnutls.Error as error:
2014
2388
logger.warning("GnuTLS bye failed",
2015
2389
exc_info=error)
2016
2390
2017
2391
@staticmethod
2018
2392
def peer_certificate(session):
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2022
session._c_object)
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2393
"Return the peer's certificate as a bytestring"
2394
try:
2395
cert_type = gnutls.certificate_type_get2(session._c_object,
2396
gnutls.CTYPE_PEERS)
2397
except AttributeError:
2398
cert_type = gnutls.certificate_type_get(session._c_object)
2399
if gnutls.has_rawpk:
2400
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2401
else:
2402
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2403
# If not a valid certificate type...
2404
if cert_type not in valid_cert_types:
2405
logger.info("Cert type %r not in %r", cert_type,
2406
valid_cert_types)
2407
# ...return invalid data
2408
return b""
2026
2409
list_size = ctypes.c_uint(1)
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2410
cert_list = (gnutls.certificate_get_peers
2029
2411
(session._c_object, ctypes.byref(list_size)))
2030
2412
if not bool(cert_list) and list_size.value != 0:
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2032
" certificate")
2413
raise gnutls.Error("error getting peer certificate")
2033
2414
if list_size.value == 0:
2034
2415
return None
2035
2416
cert = cert_list[0]
2036
2417
return ctypes.string_at(cert.data, cert.size)
2037
2418
2419
@staticmethod
2420
def key_id(certificate):
2421
"Convert a certificate bytestring to a hexdigit key ID"
2422
# New GnuTLS "datum" with the public key
2423
datum = gnutls.datum_t(
2424
ctypes.cast(ctypes.c_char_p(certificate),
2425
ctypes.POINTER(ctypes.c_ubyte)),
2426
ctypes.c_uint(len(certificate)))
2427
# XXX all these need to be created in the gnutls "module"
2428
# New empty GnuTLS certificate
2429
pubkey = gnutls.pubkey_t()
2430
gnutls.pubkey_init(ctypes.byref(pubkey))
2431
# Import the raw public key into the certificate
2432
gnutls.pubkey_import(pubkey,
2433
ctypes.byref(datum),
2434
gnutls.X509_FMT_DER)
2435
# New buffer for the key ID
2436
buf = ctypes.create_string_buffer(32)
2437
buf_len = ctypes.c_size_t(len(buf))
2438
# Get the key ID from the raw public key into the buffer
2439
gnutls.pubkey_get_key_id(pubkey,
2440
gnutls.KEYID_USE_SHA256,
2441
ctypes.cast(ctypes.byref(buf),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.byref(buf_len))
2444
# Deinit the certificate
2445
gnutls.pubkey_deinit(pubkey)
2446
2447
# Convert the buffer to a Python bytestring
2448
key_id = ctypes.string_at(buf, buf_len.value)
2449
# Convert the bytestring to hexadecimal notation
2450
hex_key_id = binascii.hexlify(key_id).upper()
2451
return hex_key_id
2452
2038
2453
@staticmethod
2039
2454
def fingerprint(openpgp):
2040
2455
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2041
2456
# New GnuTLS "datum" with the OpenPGP public key
2042
datum = gnutls.library.types.gnutls_datum_t(
2457
datum = gnutls.datum_t(
2043
2458
ctypes.cast(ctypes.c_char_p(openpgp),
2044
2459
ctypes.POINTER(ctypes.c_ubyte)),
2045
2460
ctypes.c_uint(len(openpgp)))
2046
2461
# New empty GnuTLS certificate
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2049
ctypes.byref(crt))
2462
crt = gnutls.openpgp_crt_t()
2463
gnutls.openpgp_crt_init(ctypes.byref(crt))
2050
2464
# Import the OpenPGP public key into the certificate
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2465
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2466
gnutls.OPENPGP_FMT_RAW)
2054
2467
# Verify the self signature in the key
2055
2468
crtverify = ctypes.c_uint()
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2469
gnutls.openpgp_crt_verify_self(crt, 0,
2470
ctypes.byref(crtverify))
2058
2471
if crtverify.value != 0:
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2061
"Verify failed")
2472
gnutls.openpgp_crt_deinit(crt)
2473
raise gnutls.CertificateSecurityError(code
2474
=crtverify.value)
2062
2475
# New buffer for the fingerprint
2063
2476
buf = ctypes.create_string_buffer(20)
2064
2477
buf_len = ctypes.c_size_t()
2065
2478
# Get the fingerprint from the certificate into the buffer
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2479
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2480
ctypes.byref(buf_len))
2068
2481
# Deinit the certificate
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2482
gnutls.openpgp_crt_deinit(crt)
2070
2483
# Convert the buffer to a Python bytestring
2071
2484
fpr = ctypes.string_at(buf, buf_len.value)
2072
2485
# Convert the bytestring to hexadecimal notation
2076
2489
2077
2490
class MultiprocessingMixIn(object):
2078
2491
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2079
2492
2080
2493
def sub_process_main(self, request, address):
2081
2494
try:
2082
2495
self.finish_request(request, address)
2083
2496
except Exception:
2084
2497
self.handle_error(request, address)
2085
2498
self.close_request(request)
2086
2499
2087
2500
def process_request(self, request, address):
2088
2501
"""Start a new process to process the request."""
2089
proc = multiprocessing.Process(target = self.sub_process_main,
2090
args = (request, address))
2502
proc = multiprocessing.Process(target=self.sub_process_main,
2503
args=(request, address))
2091
2504
proc.start()
2092
2505
return proc
2093
2506
2094
2507
2095
2508
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2096
2509
""" adds a pipe to the MixIn """
2097
2510
2098
2511
def process_request(self, request, client_address):
2099
2512
"""Overrides and wraps the original process_request().
2100
2513
2101
2514
This function creates a new pipe in self.pipe
2102
2515
"""
2103
2516
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2104
2517
2105
2518
proc = MultiprocessingMixIn.process_request(self, request,
2106
2519
client_address)
2107
2520
self.child_pipe.close()
2108
2521
self.add_pipe(parent_pipe, proc)
2109
2522
2110
2523
def add_pipe(self, parent_pipe, proc):
2111
2524
"""Dummy function; override as necessary"""
2112
2525
raise NotImplementedError()
2115
2528
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2116
2529
socketserver.TCPServer, object):
2117
2530
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2118
2531
2119
2532
Attributes:
2120
2533
enabled: Boolean; whether this server is activated yet
2121
2534
interface: None or a network interface name (string)
2122
2535
use_ipv6: Boolean; to use IPv6 or not
2123
2536
"""
2124
2537
2125
2538
def __init__(self, server_address, RequestHandlerClass,
2126
2539
interface=None,
2127
2540
use_ipv6=True,
2137
2550
self.socketfd = socketfd
2138
2551
# Save the original socket.socket() function
2139
2552
self.socket_socket = socket.socket
2553
2140
2554
# To implement --socket, we monkey patch socket.socket.
2141
#
2555
#
2142
2556
# (When socketserver.TCPServer is a new-style class, we
2143
2557
# could make self.socket into a property instead of monkey
2144
2558
# patching socket.socket.)
2145
#
2559
#
2146
2560
# Create a one-time-only replacement for socket.socket()
2147
2561
@functools.wraps(socket.socket)
2148
2562
def socket_wrapper(*args, **kwargs):
2160
2574
# socket_wrapper(), if socketfd was set.
2161
2575
socketserver.TCPServer.__init__(self, server_address,
2162
2576
RequestHandlerClass)
2163
2577
2164
2578
def server_bind(self):
2165
2579
"""This overrides the normal server_bind() function
2166
2580
to bind to an interface if one was specified, and also NOT to
2167
2581
bind to an address or port if they were not specified."""
2582
global SO_BINDTODEVICE
2168
2583
if self.interface is not None:
2169
2584
if SO_BINDTODEVICE is None:
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2172
self.interface)
2173
else:
2174
try:
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2185
self.interface)
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2189
else:
2190
raise
2585
# Fall back to a hard-coded value which seems to be
2586
# common enough.
2587
logger.warning("SO_BINDTODEVICE not found, trying 25")
2588
SO_BINDTODEVICE = 25
2589
try:
2590
self.socket.setsockopt(
2591
socket.SOL_SOCKET, SO_BINDTODEVICE,
2592
(self.interface + "\0").encode("utf-8"))
2593
except socket.error as error:
2594
if error.errno == errno.EPERM:
2595
logger.error("No permission to bind to"
2596
" interface %s", self.interface)
2597
elif error.errno == errno.ENOPROTOOPT:
2598
logger.error("SO_BINDTODEVICE not available;"
2599
" cannot bind to interface %s",
2600
self.interface)
2601
elif error.errno == errno.ENODEV:
2602
logger.error("Interface %s does not exist,"
2603
" cannot bind", self.interface)
2604
else:
2605
raise
2191
2606
# Only bind(2) the socket if we really need to.
2192
2607
if self.server_address[0] or self.server_address[1]:
2608
if self.server_address[1]:
2609
self.allow_reuse_address = True
2193
2610
if not self.server_address[0]:
2194
2611
if self.address_family == socket.AF_INET6:
2195
any_address = "::" # in6addr_any
2612
any_address = "::" # in6addr_any
2196
2613
else:
2197
any_address = "0.0.0.0" # INADDR_ANY
2614
any_address = "0.0.0.0" # INADDR_ANY
2198
2615
self.server_address = (any_address,
2199
2616
self.server_address[1])
2200
2617
elif not self.server_address[1]:
2210
2627
2211
2628
class MandosServer(IPv6_TCPServer):
2212
2629
"""Mandos server.
2213
2630
2214
2631
Attributes:
2215
2632
clients: set of Client objects
2216
2633
gnutls_priority GnuTLS priority string
2217
2634
use_dbus: Boolean; to emit D-Bus signals or not
2218
2219
Assumes a gobject.MainLoop event loop.
2635
2636
Assumes a GLib.MainLoop event loop.
2220
2637
"""
2221
2638
2222
2639
def __init__(self, server_address, RequestHandlerClass,
2223
2640
interface=None,
2224
2641
use_ipv6=True,
2234
2651
self.gnutls_priority = gnutls_priority
2235
2652
IPv6_TCPServer.__init__(self, server_address,
2236
2653
RequestHandlerClass,
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2240
2654
interface=interface,
2655
use_ipv6=use_ipv6,
2656
socketfd=socketfd)
2657
2241
2658
def server_activate(self):
2242
2659
if self.enabled:
2243
2660
return socketserver.TCPServer.server_activate(self)
2244
2661
2245
2662
def enable(self):
2246
2663
self.enabled = True
2247
2664
2248
2665
def add_pipe(self, parent_pipe, proc):
2249
2666
# Call "handle_ipc" for both data and EOF events
2250
gobject.io_add_watch(
2667
GLib.io_add_watch(
2251
2668
parent_pipe.fileno(),
2252
gobject.IO_IN | gobject.IO_HUP,
2669
GLib.IO_IN | GLib.IO_HUP,
2253
2670
functools.partial(self.handle_ipc,
2254
parent_pipe = parent_pipe,
2255
proc = proc))
2256
2671
parent_pipe=parent_pipe,
2672
proc=proc))
2673
2257
2674
def handle_ipc(self, source, condition,
2258
2675
parent_pipe=None,
2259
proc = None,
2676
proc=None,
2260
2677
client_object=None):
2261
2678
# error, or the other end of multiprocessing.Pipe has closed
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2679
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2263
2680
# Wait for other process to exit
2264
2681
proc.join()
2265
2682
return False
2266
2683
2267
2684
# Read a request from the child
2268
2685
request = parent_pipe.recv()
2269
2686
command = request[0]
2270
2687
2271
2688
if command == 'init':
2272
fpr = request[1]
2273
address = request[2]
2274
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2689
key_id = request[1].decode("ascii")
2690
fpr = request[2].decode("ascii")
2691
address = request[3]
2692
2693
for c in self.clients.values():
2694
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2695
continue
2696
if key_id and c.key_id == key_id:
2697
client = c
2698
break
2699
if fpr and c.fingerprint == fpr:
2277
2700
client = c
2278
2701
break
2279
2702
else:
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2703
logger.info("Client not found for key ID: %s, address"
2704
": %s", key_id or fpr, address)
2282
2705
if self.use_dbus:
2283
2706
# Emit D-Bus signal
2284
mandos_dbus_service.ClientNotFound(fpr,
2707
mandos_dbus_service.ClientNotFound(key_id or fpr,
2285
2708
address[0])
2286
2709
parent_pipe.send(False)
2287
2710
return False
2288
2289
gobject.io_add_watch(
2711
2712
GLib.io_add_watch(
2290
2713
parent_pipe.fileno(),
2291
gobject.IO_IN | gobject.IO_HUP,
2714
GLib.IO_IN | GLib.IO_HUP,
2292
2715
functools.partial(self.handle_ipc,
2293
parent_pipe = parent_pipe,
2294
proc = proc,
2295
client_object = client))
2716
parent_pipe=parent_pipe,
2717
proc=proc,
2718
client_object=client))
2296
2719
parent_pipe.send(True)
2297
2720
# remove the old hook in favor of the new above hook on
2298
2721
# same fileno
2301
2724
funcname = request[1]
2302
2725
args = request[2]
2303
2726
kwargs = request[3]
2304
2727
2305
2728
parent_pipe.send(('data', getattr(client_object,
2306
2729
funcname)(*args,
2307
2730
**kwargs)))
2308
2731
2309
2732
if command == 'getattr':
2310
2733
attrname = request[1]
2311
2734
if isinstance(client_object.__getattribute__(attrname),
2314
2737
else:
2315
2738
parent_pipe.send((
2316
2739
'data', client_object.__getattribute__(attrname)))
2317
2740
2318
2741
if command == 'setattr':
2319
2742
attrname = request[1]
2320
2743
value = request[2]
2321
2744
setattr(client_object, attrname, value)
2322
2745
2323
2746
return True
2324
2747
2325
2748
2326
2749
def rfc3339_duration_to_delta(duration):
2327
2750
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2328
2751
2329
2752
>>> rfc3339_duration_to_delta("P7D")
2330
2753
datetime.timedelta(7)
2331
2754
>>> rfc3339_duration_to_delta("PT60S")
2341
2764
>>> rfc3339_duration_to_delta("P1DT3M20S")
2342
2765
datetime.timedelta(1, 200)
2343
2766
"""
2344
2767
2345
2768
# Parsing an RFC 3339 duration with regular expressions is not
2346
2769
# possible - there would have to be multiple places for the same
2347
2770
# values, like seconds. The current code, while more esoteric, is
2348
2771
# cleaner without depending on a parsing library. If Python had a
2349
2772
# built-in library for parsing we would use it, but we'd like to
2350
2773
# avoid excessive use of external libraries.
2351
2774
2352
2775
# New type for defining tokens, syntax, and semantics all-in-one
2353
2776
Token = collections.namedtuple("Token", (
2354
2777
"regexp", # To match token; if "value" is not None, must have
2387
2810
frozenset((token_year, token_month,
2388
2811
token_day, token_time,
2389
2812
token_week)))
2390
# Define starting values
2391
value = datetime.timedelta() # Value so far
2813
# Define starting values:
2814
# Value so far
2815
value = datetime.timedelta()
2392
2816
found_token = None
2393
followers = frozenset((token_duration, )) # Following valid tokens
2394
s = duration # String left to parse
2817
# Following valid tokens
2818
followers = frozenset((token_duration, ))
2819
# String left to parse
2820
s = duration
2395
2821
# Loop until end token is found
2396
2822
while found_token is not token_end:
2397
2823
# Search for any currently valid tokens
2421
2847
2422
2848
def string_to_delta(interval):
2423
2849
"""Parse a string and return a datetime.timedelta
2424
2850
2425
2851
>>> string_to_delta('7d')
2426
2852
datetime.timedelta(7)
2427
2853
>>> string_to_delta('60s')
2435
2861
>>> string_to_delta('5m 30s')
2436
2862
datetime.timedelta(0, 330)
2437
2863
"""
2438
2864
2439
2865
try:
2440
2866
return rfc3339_duration_to_delta(interval)
2441
2867
except ValueError:
2442
2868
pass
2443
2869
2444
2870
timevalue = datetime.timedelta(0)
2445
2871
for s in interval.split():
2446
2872
try:
2464
2890
return timevalue
2465
2891
2466
2892
2467
def daemon(nochdir = False, noclose = False):
2893
def daemon(nochdir=False, noclose=False):
2468
2894
"""See daemon(3). Standard BSD Unix function.
2469
2895
2470
2896
This should really exist as os.daemon, but it doesn't (yet)."""
2471
2897
if os.fork():
2472
2898
sys.exit()
2490
2916
2491
2917
2492
2918
def main():
2493
2919
2494
2920
##################################################################
2495
2921
# Parsing of options, both command line and config file
2496
2922
2497
2923
parser = argparse.ArgumentParser()
2498
2924
parser.add_argument("-v", "--version", action="version",
2499
version = "%(prog)s {}".format(version),
2925
version="%(prog)s {}".format(version),
2500
2926
help="show version number and exit")
2501
2927
parser.add_argument("-i", "--interface", metavar="IF",
2502
2928
help="Bind to interface IF")
2538
2964
parser.add_argument("--no-zeroconf", action="store_false",
2539
2965
dest="zeroconf", help="Do not use Zeroconf",
2540
2966
default=None)
2541
2967
2542
2968
options = parser.parse_args()
2543
2969
2544
2970
if options.check:
2545
2971
import doctest
2546
2972
fail_count, test_count = doctest.testmod()
2547
2973
sys.exit(os.EX_OK if fail_count == 0 else 1)
2548
2974
2549
2975
# Default values for config file for server-global settings
2550
server_defaults = { "interface": "",
2551
"address": "",
2552
"port": "",
2553
"debug": "False",
2554
"priority":
2555
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2556
":+SIGN-DSA-SHA256",
2557
"servicename": "Mandos",
2558
"use_dbus": "True",
2559
"use_ipv6": "True",
2560
"debuglevel": "",
2561
"restore": "True",
2562
"socket": "",
2563
"statedir": "/var/lib/mandos",
2564
"foreground": "False",
2565
"zeroconf": "True",
2566
}
2567
2976
if gnutls.has_rawpk:
2977
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2978
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2979
else:
2980
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2981
":+SIGN-DSA-SHA256")
2982
server_defaults = {"interface": "",
2983
"address": "",
2984
"port": "",
2985
"debug": "False",
2986
"priority": priority,
2987
"servicename": "Mandos",
2988
"use_dbus": "True",
2989
"use_ipv6": "True",
2990
"debuglevel": "",
2991
"restore": "True",
2992
"socket": "",
2993
"statedir": "/var/lib/mandos",
2994
"foreground": "False",
2995
"zeroconf": "True",
2996
}
2997
del priority
2998
2568
2999
# Parse config file for server-global settings
2569
3000
server_config = configparser.SafeConfigParser(server_defaults)
2570
3001
del server_defaults
2572
3003
# Convert the SafeConfigParser object to a dict
2573
3004
server_settings = server_config.defaults()
2574
3005
# Use the appropriate methods on the non-string config options
2575
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3006
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3007
"foreground", "zeroconf"):
2576
3008
server_settings[option] = server_config.getboolean("DEFAULT",
2577
3009
option)
2578
3010
if server_settings["port"]:
2588
3020
server_settings["socket"] = os.dup(server_settings
2589
3021
["socket"])
2590
3022
del server_config
2591
3023
2592
3024
# Override the settings from the config file with command line
2593
3025
# options, if set.
2594
3026
for option in ("interface", "address", "port", "debug",
2612
3044
if server_settings["debug"]:
2613
3045
server_settings["foreground"] = True
2614
3046
# Now we have our good server settings in "server_settings"
2615
3047
2616
3048
##################################################################
2617
3049
2618
3050
if (not server_settings["zeroconf"]
2619
3051
and not (server_settings["port"]
2620
3052
or server_settings["socket"] != "")):
2621
3053
parser.error("Needs port or socket to work without Zeroconf")
2622
3054
2623
3055
# For convenience
2624
3056
debug = server_settings["debug"]
2625
3057
debuglevel = server_settings["debuglevel"]
2629
3061
stored_state_file)
2630
3062
foreground = server_settings["foreground"]
2631
3063
zeroconf = server_settings["zeroconf"]
2632
3064
2633
3065
if debug:
2634
3066
initlogger(debug, logging.DEBUG)
2635
3067
else:
2638
3070
else:
2639
3071
level = getattr(logging, debuglevel.upper())
2640
3072
initlogger(debug, level)
2641
3073
2642
3074
if server_settings["servicename"] != "Mandos":
2643
3075
syslogger.setFormatter(
2644
3076
logging.Formatter('Mandos ({}) [%(process)d]:'
2645
3077
' %(levelname)s: %(message)s'.format(
2646
3078
server_settings["servicename"])))
2647
3079
2648
3080
# Parse config file with clients
2649
3081
client_config = configparser.SafeConfigParser(Client
2650
3082
.client_defaults)
2651
3083
client_config.read(os.path.join(server_settings["configdir"],
2652
3084
"clients.conf"))
2653
3085
2654
3086
global mandos_dbus_service
2655
3087
mandos_dbus_service = None
2656
3088
2657
3089
socketfd = None
2658
3090
if server_settings["socket"] != "":
2659
3091
socketfd = server_settings["socket"]
2675
3107
except IOError as e:
2676
3108
logger.error("Could not open file %r", pidfilename,
2677
3109
exc_info=e)
2678
2679
for name in ("_mandos", "mandos", "nobody"):
3110
3111
for name, group in (("_mandos", "_mandos"),
3112
("mandos", "mandos"),
3113
("nobody", "nogroup")):
2680
3114
try:
2681
3115
uid = pwd.getpwnam(name).pw_uid
2682
gid = pwd.getpwnam(name).pw_gid
3116
gid = pwd.getpwnam(group).pw_gid
2683
3117
break
2684
3118
except KeyError:
2685
3119
continue
2689
3123
try:
2690
3124
os.setgid(gid)
2691
3125
os.setuid(uid)
3126
if debug:
3127
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3128
gid))
2692
3129
except OSError as error:
3130
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3131
.format(uid, gid, os.strerror(error.errno)))
2693
3132
if error.errno != errno.EPERM:
2694
3133
raise
2695
3134
2696
3135
if debug:
2697
3136
# Enable all possible GnuTLS debugging
2698
3137
2699
3138
# "Use a log level over 10 to enable all debugging options."
2700
3139
# - GnuTLS manual
2701
gnutls.library.functions.gnutls_global_set_log_level(11)
2702
2703
@gnutls.library.types.gnutls_log_func
3140
gnutls.global_set_log_level(11)
3141
3142
@gnutls.log_func
2704
3143
def debug_gnutls(level, string):
2705
3144
logger.debug("GnuTLS: %s", string[:-1])
2706
2707
gnutls.library.functions.gnutls_global_set_log_function(
2708
debug_gnutls)
2709
3145
3146
gnutls.global_set_log_function(debug_gnutls)
3147
2710
3148
# Redirect stdin so all checkers get /dev/null
2711
3149
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2712
3150
os.dup2(null, sys.stdin.fileno())
2713
3151
if null > 2:
2714
3152
os.close(null)
2715
3153
2716
3154
# Need to fork before connecting to D-Bus
2717
3155
if not foreground:
2718
3156
# Close all input and output, do double fork, etc.
2719
3157
daemon()
2720
2721
# multiprocessing will use threads, so before we use gobject we
2722
# need to inform gobject that threads will be used.
2723
gobject.threads_init()
2724
3158
3159
# multiprocessing will use threads, so before we use GLib we need
3160
# to inform GLib that threads will be used.
3161
GLib.threads_init()
3162
2725
3163
global main_loop
2726
3164
# From the Avahi example code
2727
3165
DBusGMainLoop(set_as_default=True)
2728
main_loop = gobject.MainLoop()
3166
main_loop = GLib.MainLoop()
2729
3167
bus = dbus.SystemBus()
2730
3168
# End of Avahi example code
2731
3169
if use_dbus:
2744
3182
if zeroconf:
2745
3183
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2746
3184
service = AvahiServiceToSyslog(
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
2750
bus = bus)
3185
name=server_settings["servicename"],
3186
servicetype="_mandos._tcp",
3187
protocol=protocol,
3188
bus=bus)
2751
3189
if server_settings["interface"]:
2752
3190
service.interface = if_nametoindex(
2753
3191
server_settings["interface"].encode("utf-8"))
2754
3192
2755
3193
global multiprocessing_manager
2756
3194
multiprocessing_manager = multiprocessing.Manager()
2757
3195
2758
3196
client_class = Client
2759
3197
if use_dbus:
2760
client_class = functools.partial(ClientDBus, bus = bus)
2761
3198
client_class = functools.partial(ClientDBus, bus=bus)
3199
2762
3200
client_settings = Client.config_parser(client_config)
2763
3201
old_client_settings = {}
2764
3202
clients_data = {}
2765
3203
2766
3204
# This is used to redirect stdout and stderr for checker processes
2767
3205
global wnull
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3206
wnull = open(os.devnull, "w") # A writable /dev/null
2769
3207
# Only used if server is running in foreground but not in debug
2770
3208
# mode
2771
3209
if debug or not foreground:
2772
3210
wnull.close()
2773
3211
2774
3212
# Get client data and settings from last running state.
2775
3213
if server_settings["restore"]:
2776
3214
try:
2777
3215
with open(stored_state_path, "rb") as stored_state:
2778
clients_data, old_client_settings = pickle.load(
2779
stored_state)
3216
if sys.version_info.major == 2:
3217
clients_data, old_client_settings = pickle.load(
3218
stored_state)
3219
else:
3220
bytes_clients_data, bytes_old_client_settings = (
3221
pickle.load(stored_state, encoding="bytes"))
3222
# Fix bytes to strings
3223
# clients_data
3224
# .keys()
3225
clients_data = {(key.decode("utf-8")
3226
if isinstance(key, bytes)
3227
else key): value
3228
for key, value in
3229
bytes_clients_data.items()}
3230
del bytes_clients_data
3231
for key in clients_data:
3232
value = {(k.decode("utf-8")
3233
if isinstance(k, bytes) else k): v
3234
for k, v in
3235
clients_data[key].items()}
3236
clients_data[key] = value
3237
# .client_structure
3238
value["client_structure"] = [
3239
(s.decode("utf-8")
3240
if isinstance(s, bytes)
3241
else s) for s in
3242
value["client_structure"]]
3243
# .name & .host
3244
for k in ("name", "host"):
3245
if isinstance(value[k], bytes):
3246
value[k] = value[k].decode("utf-8")
3247
if not value.has_key("key_id"):
3248
value["key_id"] = ""
3249
elif not value.has_key("fingerprint"):
3250
value["fingerprint"] = ""
3251
# old_client_settings
3252
# .keys()
3253
old_client_settings = {
3254
(key.decode("utf-8")
3255
if isinstance(key, bytes)
3256
else key): value
3257
for key, value in
3258
bytes_old_client_settings.items()}
3259
del bytes_old_client_settings
3260
# .host
3261
for value in old_client_settings.values():
3262
if isinstance(value["host"], bytes):
3263
value["host"] = (value["host"]
3264
.decode("utf-8"))
2780
3265
os.remove(stored_state_path)
2781
3266
except IOError as e:
2782
3267
if e.errno == errno.ENOENT:
2790
3275
logger.warning("Could not load persistent state: "
2791
3276
"EOFError:",
2792
3277
exc_info=e)
2793
3278
2794
3279
with PGPEngine() as pgp:
2795
3280
for client_name, client in clients_data.items():
2796
3281
# Skip removed clients
2797
3282
if client_name not in client_settings:
2798
3283
continue
2799
3284
2800
3285
# Decide which value to use after restoring saved state.
2801
3286
# We have three different values: Old config file,
2802
3287
# new config file, and saved state.
2813
3298
client[name] = value
2814
3299
except KeyError:
2815
3300
pass
2816
3301
2817
3302
# Clients who has passed its expire date can still be
2818
3303
# enabled if its last checker was successful. A Client
2819
3304
# whose checker succeeded before we stored its state is
2852
3337
client_name))
2853
3338
client["secret"] = (client_settings[client_name]
2854
3339
["secret"])
2855
3340
2856
3341
# Add/remove clients based on new changes made to config
2857
3342
for client_name in (set(old_client_settings)
2858
3343
- set(client_settings)):
2860
3345
for client_name in (set(client_settings)
2861
3346
- set(old_client_settings)):
2862
3347
clients_data[client_name] = client_settings[client_name]
2863
3348
2864
3349
# Create all client objects
2865
3350
for client_name, client in clients_data.items():
2866
3351
tcp_server.clients[client_name] = client_class(
2867
name = client_name,
2868
settings = client,
2869
server_settings = server_settings)
2870
3352
name=client_name,
3353
settings=client,
3354
server_settings=server_settings)
3355
2871
3356
if not tcp_server.clients:
2872
3357
logger.warning("No clients defined")
2873
3358
2874
3359
if not foreground:
2875
3360
if pidfile is not None:
2876
3361
pid = os.getpid()
2882
3367
pidfilename, pid)
2883
3368
del pidfile
2884
3369
del pidfilename
2885
2886
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2887
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2888
3370
3371
for termsig in (signal.SIGHUP, signal.SIGTERM):
3372
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3373
lambda: main_loop.quit() and False)
3374
2889
3375
if use_dbus:
2890
3376
2891
3377
@alternate_dbus_interfaces(
2892
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3378
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2893
3379
class MandosDBusService(DBusObjectWithObjectManager):
2894
3380
"""A D-Bus proxy object"""
2895
3381
2896
3382
def __init__(self):
2897
3383
dbus.service.Object.__init__(self, bus, "/")
2898
3384
2899
3385
_interface = "se.recompile.Mandos"
2900
3386
2901
3387
@dbus.service.signal(_interface, signature="o")
2902
3388
def ClientAdded(self, objpath):
2903
3389
"D-Bus signal"
2904
3390
pass
2905
3391
2906
3392
@dbus.service.signal(_interface, signature="ss")
2907
def ClientNotFound(self, fingerprint, address):
3393
def ClientNotFound(self, key_id, address):
2908
3394
"D-Bus signal"
2909
3395
pass
2910
3396
2911
3397
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2912
3398
"true"})
2913
3399
@dbus.service.signal(_interface, signature="os")
2914
3400
def ClientRemoved(self, objpath, name):
2915
3401
"D-Bus signal"
2916
3402
pass
2917
3403
2918
3404
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2919
3405
"true"})
2920
3406
@dbus.service.method(_interface, out_signature="ao")
2921
3407
def GetAllClients(self):
2922
3408
"D-Bus method"
2923
3409
return dbus.Array(c.dbus_object_path for c in
2924
tcp_server.clients.itervalues())
2925
3410
tcp_server.clients.values())
3411
2926
3412
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2927
3413
"true"})
2928
3414
@dbus.service.method(_interface,
2930
3416
def GetAllClientsWithProperties(self):
2931
3417
"D-Bus method"
2932
3418
return dbus.Dictionary(
2933
{ c.dbus_object_path: c.GetAll(
3419
{c.dbus_object_path: c.GetAll(
2934
3420
"se.recompile.Mandos.Client")
2935
for c in tcp_server.clients.itervalues() },
3421
for c in tcp_server.clients.values()},
2936
3422
signature="oa{sv}")
2937
3423
2938
3424
@dbus.service.method(_interface, in_signature="o")
2939
3425
def RemoveClient(self, object_path):
2940
3426
"D-Bus method"
2941
for c in tcp_server.clients.itervalues():
3427
for c in tcp_server.clients.values():
2942
3428
if c.dbus_object_path == object_path:
2943
3429
del tcp_server.clients[c.name]
2944
3430
c.remove_from_connection()
2948
3434
self.client_removed_signal(c)
2949
3435
return
2950
3436
raise KeyError(object_path)
2951
3437
2952
3438
del _interface
2953
3439
2954
3440
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2955
out_signature = "a{oa{sa{sv}}}")
3441
out_signature="a{oa{sa{sv}}}")
2956
3442
def GetManagedObjects(self):
2957
3443
"""D-Bus method"""
2958
3444
return dbus.Dictionary(
2959
{ client.dbus_object_path:
2960
dbus.Dictionary(
2961
{ interface: client.GetAll(interface)
2962
for interface in
2963
client._get_all_interface_names()})
2964
for client in tcp_server.clients.values()})
2965
3445
{client.dbus_object_path:
3446
dbus.Dictionary(
3447
{interface: client.GetAll(interface)
3448
for interface in
3449
client._get_all_interface_names()})
3450
for client in tcp_server.clients.values()})
3451
2966
3452
def client_added_signal(self, client):
2967
3453
"""Send the new standard signal and the old signal"""
2968
3454
if use_dbus:
2970
3456
self.InterfacesAdded(
2971
3457
client.dbus_object_path,
2972
3458
dbus.Dictionary(
2973
{ interface: client.GetAll(interface)
2974
for interface in
2975
client._get_all_interface_names()}))
3459
{interface: client.GetAll(interface)
3460
for interface in
3461
client._get_all_interface_names()}))
2976
3462
# Old signal
2977
3463
self.ClientAdded(client.dbus_object_path)
2978
3464
2979
3465
def client_removed_signal(self, client):
2980
3466
"""Send the new standard signal and the old signal"""
2981
3467
if use_dbus:
2986
3472
# Old signal
2987
3473
self.ClientRemoved(client.dbus_object_path,
2988
3474
client.name)
2989
3475
2990
3476
mandos_dbus_service = MandosDBusService()
2991
3477
3478
# Save modules to variables to exempt the modules from being
3479
# unloaded before the function registered with atexit() is run.
3480
mp = multiprocessing
3481
wn = wnull
3482
2992
3483
def cleanup():
2993
3484
"Cleanup function; run on exit"
2994
3485
if zeroconf:
2995
3486
service.cleanup()
2996
2997
multiprocessing.active_children()
2998
wnull.close()
3487
3488
mp.active_children()
3489
wn.close()
2999
3490
if not (tcp_server.clients or client_settings):
3000
3491
return
3001
3492
3002
3493
# Store client before exiting. Secrets are encrypted with key
3003
3494
# based on what config file has. If config file is
3004
3495
# removed/edited, old secret will thus be unrecovable.
3005
3496
clients = {}
3006
3497
with PGPEngine() as pgp:
3007
for client in tcp_server.clients.itervalues():
3498
for client in tcp_server.clients.values():
3008
3499
key = client_settings[client.name]["secret"]
3009
3500
client.encrypted_secret = pgp.encrypt(client.secret,
3010
3501
key)
3011
3502
client_dict = {}
3012
3503
3013
3504
# A list of attributes that can not be pickled
3014
3505
# + secret.
3015
exclude = { "bus", "changedstate", "secret",
3016
"checker", "server_settings" }
3506
exclude = {"bus", "changedstate", "secret",
3507
"checker", "server_settings"}
3017
3508
for name, typ in inspect.getmembers(dbus.service
3018
3509
.Object):
3019
3510
exclude.add(name)
3020
3511
3021
3512
client_dict["encrypted_secret"] = (client
3022
3513
.encrypted_secret)
3023
3514
for attr in client.client_structure:
3024
3515
if attr not in exclude:
3025
3516
client_dict[attr] = getattr(client, attr)
3026
3517
3027
3518
clients[client.name] = client_dict
3028
3519
del client_settings[client.name]["secret"]
3029
3520
3030
3521
try:
3031
3522
with tempfile.NamedTemporaryFile(
3032
3523
mode='wb',
3034
3525
prefix='clients-',
3035
3526
dir=os.path.dirname(stored_state_path),
3036
3527
delete=False) as stored_state:
3037
pickle.dump((clients, client_settings), stored_state)
3528
pickle.dump((clients, client_settings), stored_state,
3529
protocol=2)
3038
3530
tempname = stored_state.name
3039
3531
os.rename(tempname, stored_state_path)
3040
3532
except (IOError, OSError) as e:
3050
3542
logger.warning("Could not save persistent state:",
3051
3543
exc_info=e)
3052
3544
raise
3053
3545
3054
3546
# Delete all clients, and settings from config
3055
3547
while tcp_server.clients:
3056
3548
name, client = tcp_server.clients.popitem()
3059
3551
# Don't signal the disabling
3060
3552
client.disable(quiet=True)
3061
3553
# Emit D-Bus signal for removal
3062
mandos_dbus_service.client_removed_signal(client)
3554
if use_dbus:
3555
mandos_dbus_service.client_removed_signal(client)
3063
3556
client_settings.clear()
3064
3557
3065
3558
atexit.register(cleanup)
3066
3067
for client in tcp_server.clients.itervalues():
3559
3560
for client in tcp_server.clients.values():
3068
3561
if use_dbus:
3069
3562
# Emit D-Bus signal for adding
3070
3563
mandos_dbus_service.client_added_signal(client)
3071
3564
# Need to initiate checking of clients
3072
3565
if client.enabled:
3073
3566
client.init_checker()
3074
3567
3075
3568
tcp_server.enable()
3076
3569
tcp_server.server_activate()
3077
3570
3078
3571
# Find out what port we got
3079
3572
if zeroconf:
3080
3573
service.port = tcp_server.socket.getsockname()[1]
3085
3578
else: # IPv4
3086
3579
logger.info("Now listening on address %r, port %d",
3087
3580
*tcp_server.socket.getsockname())
3088
3089
#service.interface = tcp_server.socket.getsockname()[3]
3090
3581
3582
# service.interface = tcp_server.socket.getsockname()[3]
3583
3091
3584
try:
3092
3585
if zeroconf:
3093
3586
# From the Avahi example code
3098
3591
cleanup()
3099
3592
sys.exit(1)
3100
3593
# End of Avahi example code
3101
3102
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3103
lambda *args, **kwargs:
3104
(tcp_server.handle_request
3105
(*args[2:], **kwargs) or True))
3106
3594
3595
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3596
lambda *args, **kwargs:
3597
(tcp_server.handle_request
3598
(*args[2:], **kwargs) or True))
3599
3107
3600
logger.debug("Starting main loop")
3108
3601
main_loop.run()
3109
3602
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0