To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.748
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.748
- Committer: teddy at recompile
- Date: 2020-02-05 20:32:33 UTC
- mto: This revision was merged to the branch mainline in revision 396.
- Revision ID: teddy@recompile.se-20200205203233-450ojm36jseglq4m
Server: Stagger checker runs when creating clients
To avoid checkers for all clients all running at the same time
periodically, schedule every initially scheduled future checker to run
at a time in the future a random amount of the interval, from the
current time.
* mandos (Client.init_checker): Schedule the first scheduled future
run of a checker to be a randomly chosen amount of this client's
"interval" (instead of a full interval).
To avoid checkers for all clients all running at the same time
periodically, schedule every initially scheduled future checker to run
at a time in the future a random amount of the interval, from the
current time.
* mandos (Client.init_checker): Schedule the first scheduled future
run of a checker to be a randomly chosen amount of this client's
"interval" (instead of a full interval).
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
81
import random
82
82
83
83
import dbus
84
84
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
85
import gi
86
from gi.repository import GLib
90
87
from dbus.mainloop.glib import DBusGMainLoop
91
88
import ctypes
92
89
import ctypes.util
93
90
import xml.dom.minidom
94
91
import inspect
95
92
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
97
# Show warnings by default
98
if not sys.warnoptions:
99
import warnings
100
warnings.simplefilter("default")
101
102
# Try to find the value of SO_BINDTODEVICE:
96
103
try:
104
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
105
# newer, and it is also the most natural place for it:
97
106
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
107
except AttributeError:
99
108
try:
109
# This is where SO_BINDTODEVICE was up to and including Python
110
# 2.6, and also 3.2:
100
111
from IN import SO_BINDTODEVICE
101
112
except ImportError:
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.7.0"
113
# In Python 2.7 it seems to have been removed entirely.
114
# Try running the C preprocessor:
115
try:
116
cc = subprocess.Popen(["cc", "--language=c", "-E",
117
"/dev/stdin"],
118
stdin=subprocess.PIPE,
119
stdout=subprocess.PIPE)
120
stdout = cc.communicate(
121
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
122
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
123
except (OSError, ValueError, IndexError):
124
# No value found
125
SO_BINDTODEVICE = None
126
127
if sys.version_info < (3, 2):
128
configparser.Configparser = configparser.SafeConfigParser
129
130
version = "1.8.9"
108
131
stored_state_file = "clients.pickle"
109
132
110
133
logger = logging.getLogger()
134
logging.captureWarnings(True) # Show warnings via the logging system
111
135
syslogger = None
112
136
113
137
try:
114
138
if_nametoindex = ctypes.cdll.LoadLibrary(
115
139
ctypes.util.find_library("c")).if_nametoindex
116
140
except (OSError, AttributeError):
117
141
118
142
def if_nametoindex(interface):
119
143
"Get an interface index the hard way, i.e. using fcntl()"
120
144
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
149
return interface_index
126
150
127
151
152
def copy_function(func):
153
"""Make a copy of a function"""
154
if sys.version_info.major == 2:
155
return types.FunctionType(func.func_code,
156
func.func_globals,
157
func.func_name,
158
func.func_defaults,
159
func.func_closure)
160
else:
161
return types.FunctionType(func.__code__,
162
func.__globals__,
163
func.__name__,
164
func.__defaults__,
165
func.__closure__)
166
167
128
168
def initlogger(debug, level=logging.WARNING):
129
169
"""init logger and add loglevel"""
130
170
131
171
global syslogger
132
172
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
173
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
174
address="/dev/log"))
135
175
syslogger.setFormatter(logging.Formatter
136
176
('Mandos [%(process)d]: %(levelname)s:'
137
177
' %(message)s'))
138
178
logger.addHandler(syslogger)
139
179
140
180
if debug:
141
181
console = logging.StreamHandler()
142
182
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
192
pass
153
193
154
194
155
class PGPEngine(object):
195
class PGPEngine:
156
196
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
197
158
198
def __init__(self):
159
199
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
200
self.gpg = "gpg"
201
try:
202
output = subprocess.check_output(["gpgconf"])
203
for line in output.splitlines():
204
name, text, path = line.split(b":")
205
if name == b"gpg":
206
self.gpg = path
207
break
208
except OSError as e:
209
if e.errno != errno.ENOENT:
210
raise
160
211
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
212
'--homedir', self.tempdir,
162
213
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
214
'--quiet']
215
# Only GPG version 1 has the --no-use-agent option.
216
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
217
self.gnupgargs.append("--no-use-agent")
218
166
219
def __enter__(self):
167
220
return self
168
221
169
222
def __exit__(self, exc_type, exc_value, traceback):
170
223
self._cleanup()
171
224
return False
172
225
173
226
def __del__(self):
174
227
self._cleanup()
175
228
176
229
def _cleanup(self):
177
230
if self.tempdir is not None:
178
231
# Delete contents of tempdir
179
232
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
233
topdown=False):
181
234
for filename in files:
182
235
os.remove(os.path.join(root, filename))
183
236
for dirname in dirs:
185
238
# Remove tempdir
186
239
os.rmdir(self.tempdir)
187
240
self.tempdir = None
188
241
189
242
def password_encode(self, password):
190
243
# Passphrase can not be empty and can not contain newlines or
191
244
# NUL bytes. So we prefix it and hex encode it.
196
249
.replace(b"\n", b"\\n")
197
250
.replace(b"\0", b"\\x00"))
198
251
return encoded
199
252
200
253
def encrypt(self, data, password):
201
254
passphrase = self.password_encode(password)
202
255
with tempfile.NamedTemporaryFile(
203
256
dir=self.tempdir) as passfile:
204
257
passfile.write(passphrase)
205
258
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
259
proc = subprocess.Popen([self.gpg, '--symmetric',
207
260
'--passphrase-file',
208
261
passfile.name]
209
262
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
263
stdin=subprocess.PIPE,
264
stdout=subprocess.PIPE,
265
stderr=subprocess.PIPE)
266
ciphertext, err = proc.communicate(input=data)
214
267
if proc.returncode != 0:
215
268
raise PGPError(err)
216
269
return ciphertext
217
270
218
271
def decrypt(self, data, password):
219
272
passphrase = self.password_encode(password)
220
273
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
274
dir=self.tempdir) as passfile:
222
275
passfile.write(passphrase)
223
276
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
277
proc = subprocess.Popen([self.gpg, '--decrypt',
225
278
'--passphrase-file',
226
279
passfile.name]
227
280
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
281
stdin=subprocess.PIPE,
282
stdout=subprocess.PIPE,
283
stderr=subprocess.PIPE)
284
decrypted_plaintext, err = proc.communicate(input=data)
232
285
if proc.returncode != 0:
233
286
raise PGPError(err)
234
287
return decrypted_plaintext
235
288
236
289
290
# Pretend that we have an Avahi module
291
class avahi:
292
"""This isn't so much a class as it is a module-like namespace."""
293
IF_UNSPEC = -1 # avahi-common/address.h
294
PROTO_UNSPEC = -1 # avahi-common/address.h
295
PROTO_INET = 0 # avahi-common/address.h
296
PROTO_INET6 = 1 # avahi-common/address.h
297
DBUS_NAME = "org.freedesktop.Avahi"
298
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
299
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
300
DBUS_PATH_SERVER = "/"
301
302
@staticmethod
303
def string_array_to_txt_array(t):
304
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
305
for s in t), signature="ay")
306
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
307
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
308
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
309
SERVER_INVALID = 0 # avahi-common/defs.h
310
SERVER_REGISTERING = 1 # avahi-common/defs.h
311
SERVER_RUNNING = 2 # avahi-common/defs.h
312
SERVER_COLLISION = 3 # avahi-common/defs.h
313
SERVER_FAILURE = 4 # avahi-common/defs.h
314
315
237
316
class AvahiError(Exception):
238
317
def __init__(self, value, *args, **kwargs):
239
318
self.value = value
249
328
pass
250
329
251
330
252
class AvahiService(object):
331
class AvahiService:
253
332
"""An Avahi (Zeroconf) service.
254
333
255
334
Attributes:
256
335
interface: integer; avahi.IF_UNSPEC or an interface index.
257
336
Used to optionally bind to the specified interface.
269
348
server: D-Bus Server
270
349
bus: dbus.SystemBus()
271
350
"""
272
351
273
352
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
353
interface=avahi.IF_UNSPEC,
354
name=None,
355
servicetype=None,
356
port=None,
357
TXT=None,
358
domain="",
359
host="",
360
max_renames=32768,
361
protocol=avahi.PROTO_UNSPEC,
362
bus=None):
284
363
self.interface = interface
285
364
self.name = name
286
365
self.type = servicetype
295
374
self.server = None
296
375
self.bus = bus
297
376
self.entry_group_state_changed_match = None
298
377
299
378
def rename(self, remove=True):
300
379
"""Derived from the Avahi example code"""
301
380
if self.rename_count >= self.max_renames:
321
400
logger.critical("D-Bus Exception", exc_info=error)
322
401
self.cleanup()
323
402
os._exit(1)
324
403
325
404
def remove(self):
326
405
"""Derived from the Avahi example code"""
327
406
if self.entry_group_state_changed_match is not None:
329
408
self.entry_group_state_changed_match = None
330
409
if self.group is not None:
331
410
self.group.Reset()
332
411
333
412
def add(self):
334
413
"""Derived from the Avahi example code"""
335
414
self.remove()
352
431
dbus.UInt16(self.port),
353
432
avahi.string_array_to_txt_array(self.TXT))
354
433
self.group.Commit()
355
434
356
435
def entry_group_state_changed(self, state, error):
357
436
"""Derived from the Avahi example code"""
358
437
logger.debug("Avahi entry group state change: %i", state)
359
438
360
439
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
440
logger.debug("Zeroconf service established.")
362
441
elif state == avahi.ENTRY_GROUP_COLLISION:
366
445
logger.critical("Avahi: Error in group state changed %s",
367
446
str(error))
368
447
raise AvahiGroupError("State changed: {!s}".format(error))
369
448
370
449
def cleanup(self):
371
450
"""Derived from the Avahi example code"""
372
451
if self.group is not None:
377
456
pass
378
457
self.group = None
379
458
self.remove()
380
459
381
460
def server_state_changed(self, state, error=None):
382
461
"""Derived from the Avahi example code"""
383
462
logger.debug("Avahi server state change: %i", state)
412
491
logger.debug("Unknown state: %r", state)
413
492
else:
414
493
logger.debug("Unknown state: %r: %r", state, error)
415
494
416
495
def activate(self):
417
496
"""Derived from the Avahi example code"""
418
497
if self.server is None:
429
508
class AvahiServiceToSyslog(AvahiService):
430
509
def rename(self, *args, **kwargs):
431
510
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
511
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
512
syslogger.setFormatter(logging.Formatter(
434
513
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
514
.format(self.name)))
436
515
return ret
437
516
517
518
# Pretend that we have a GnuTLS module
519
class gnutls:
520
"""This isn't so much a class as it is a module-like namespace."""
521
522
library = ctypes.util.find_library("gnutls")
523
if library is None:
524
library = ctypes.util.find_library("gnutls-deb0")
525
_library = ctypes.cdll.LoadLibrary(library)
526
del library
527
528
# Unless otherwise indicated, the constants and types below are
529
# all from the gnutls/gnutls.h C header file.
530
531
# Constants
532
E_SUCCESS = 0
533
E_INTERRUPTED = -52
534
E_AGAIN = -28
535
CRT_OPENPGP = 2
536
CRT_RAWPK = 3
537
CLIENT = 2
538
SHUT_RDWR = 0
539
CRD_CERTIFICATE = 1
540
E_NO_CERTIFICATE_FOUND = -49
541
X509_FMT_DER = 0
542
NO_TICKETS = 1<<10
543
ENABLE_RAWPK = 1<<18
544
CTYPE_PEERS = 3
545
KEYID_USE_SHA256 = 1 # gnutls/x509.h
546
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
547
548
# Types
549
class session_int(ctypes.Structure):
550
_fields_ = []
551
session_t = ctypes.POINTER(session_int)
552
553
class certificate_credentials_st(ctypes.Structure):
554
_fields_ = []
555
certificate_credentials_t = ctypes.POINTER(
556
certificate_credentials_st)
557
certificate_type_t = ctypes.c_int
558
559
class datum_t(ctypes.Structure):
560
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
561
('size', ctypes.c_uint)]
562
563
class openpgp_crt_int(ctypes.Structure):
564
_fields_ = []
565
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
566
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
567
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
568
credentials_type_t = ctypes.c_int
569
transport_ptr_t = ctypes.c_void_p
570
close_request_t = ctypes.c_int
571
572
# Exceptions
573
class Error(Exception):
574
def __init__(self, message=None, code=None, args=()):
575
# Default usage is by a message string, but if a return
576
# code is passed, convert it to a string with
577
# gnutls.strerror()
578
self.code = code
579
if message is None and code is not None:
580
message = gnutls.strerror(code)
581
return super(gnutls.Error, self).__init__(
582
message, *args)
583
584
class CertificateSecurityError(Error):
585
pass
586
587
# Classes
588
class Credentials:
589
def __init__(self):
590
self._c_object = gnutls.certificate_credentials_t()
591
gnutls.certificate_allocate_credentials(
592
ctypes.byref(self._c_object))
593
self.type = gnutls.CRD_CERTIFICATE
594
595
def __del__(self):
596
gnutls.certificate_free_credentials(self._c_object)
597
598
class ClientSession:
599
def __init__(self, socket, credentials=None):
600
self._c_object = gnutls.session_t()
601
gnutls_flags = gnutls.CLIENT
602
if gnutls.check_version(b"3.5.6"):
603
gnutls_flags |= gnutls.NO_TICKETS
604
if gnutls.has_rawpk:
605
gnutls_flags |= gnutls.ENABLE_RAWPK
606
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
607
del gnutls_flags
608
gnutls.set_default_priority(self._c_object)
609
gnutls.transport_set_ptr(self._c_object, socket.fileno())
610
gnutls.handshake_set_private_extensions(self._c_object,
611
True)
612
self.socket = socket
613
if credentials is None:
614
credentials = gnutls.Credentials()
615
gnutls.credentials_set(self._c_object, credentials.type,
616
ctypes.cast(credentials._c_object,
617
ctypes.c_void_p))
618
self.credentials = credentials
619
620
def __del__(self):
621
gnutls.deinit(self._c_object)
622
623
def handshake(self):
624
return gnutls.handshake(self._c_object)
625
626
def send(self, data):
627
data = bytes(data)
628
data_len = len(data)
629
while data_len > 0:
630
data_len -= gnutls.record_send(self._c_object,
631
data[-data_len:],
632
data_len)
633
634
def bye(self):
635
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
636
637
# Error handling functions
638
def _error_code(result):
639
"""A function to raise exceptions on errors, suitable
640
for the 'restype' attribute on ctypes functions"""
641
if result >= 0:
642
return result
643
if result == gnutls.E_NO_CERTIFICATE_FOUND:
644
raise gnutls.CertificateSecurityError(code=result)
645
raise gnutls.Error(code=result)
646
647
def _retry_on_error(result, func, arguments):
648
"""A function to retry on some errors, suitable
649
for the 'errcheck' attribute on ctypes functions"""
650
while result < 0:
651
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
652
return _error_code(result)
653
result = func(*arguments)
654
return result
655
656
# Unless otherwise indicated, the function declarations below are
657
# all from the gnutls/gnutls.h C header file.
658
659
# Functions
660
priority_set_direct = _library.gnutls_priority_set_direct
661
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
662
ctypes.POINTER(ctypes.c_char_p)]
663
priority_set_direct.restype = _error_code
664
665
init = _library.gnutls_init
666
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
667
init.restype = _error_code
668
669
set_default_priority = _library.gnutls_set_default_priority
670
set_default_priority.argtypes = [session_t]
671
set_default_priority.restype = _error_code
672
673
record_send = _library.gnutls_record_send
674
record_send.argtypes = [session_t, ctypes.c_void_p,
675
ctypes.c_size_t]
676
record_send.restype = ctypes.c_ssize_t
677
record_send.errcheck = _retry_on_error
678
679
certificate_allocate_credentials = (
680
_library.gnutls_certificate_allocate_credentials)
681
certificate_allocate_credentials.argtypes = [
682
ctypes.POINTER(certificate_credentials_t)]
683
certificate_allocate_credentials.restype = _error_code
684
685
certificate_free_credentials = (
686
_library.gnutls_certificate_free_credentials)
687
certificate_free_credentials.argtypes = [
688
certificate_credentials_t]
689
certificate_free_credentials.restype = None
690
691
handshake_set_private_extensions = (
692
_library.gnutls_handshake_set_private_extensions)
693
handshake_set_private_extensions.argtypes = [session_t,
694
ctypes.c_int]
695
handshake_set_private_extensions.restype = None
696
697
credentials_set = _library.gnutls_credentials_set
698
credentials_set.argtypes = [session_t, credentials_type_t,
699
ctypes.c_void_p]
700
credentials_set.restype = _error_code
701
702
strerror = _library.gnutls_strerror
703
strerror.argtypes = [ctypes.c_int]
704
strerror.restype = ctypes.c_char_p
705
706
certificate_type_get = _library.gnutls_certificate_type_get
707
certificate_type_get.argtypes = [session_t]
708
certificate_type_get.restype = _error_code
709
710
certificate_get_peers = _library.gnutls_certificate_get_peers
711
certificate_get_peers.argtypes = [session_t,
712
ctypes.POINTER(ctypes.c_uint)]
713
certificate_get_peers.restype = ctypes.POINTER(datum_t)
714
715
global_set_log_level = _library.gnutls_global_set_log_level
716
global_set_log_level.argtypes = [ctypes.c_int]
717
global_set_log_level.restype = None
718
719
global_set_log_function = _library.gnutls_global_set_log_function
720
global_set_log_function.argtypes = [log_func]
721
global_set_log_function.restype = None
722
723
deinit = _library.gnutls_deinit
724
deinit.argtypes = [session_t]
725
deinit.restype = None
726
727
handshake = _library.gnutls_handshake
728
handshake.argtypes = [session_t]
729
handshake.restype = _error_code
730
handshake.errcheck = _retry_on_error
731
732
transport_set_ptr = _library.gnutls_transport_set_ptr
733
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
734
transport_set_ptr.restype = None
735
736
bye = _library.gnutls_bye
737
bye.argtypes = [session_t, close_request_t]
738
bye.restype = _error_code
739
bye.errcheck = _retry_on_error
740
741
check_version = _library.gnutls_check_version
742
check_version.argtypes = [ctypes.c_char_p]
743
check_version.restype = ctypes.c_char_p
744
745
_need_version = b"3.3.0"
746
if check_version(_need_version) is None:
747
raise self.Error("Needs GnuTLS {} or later"
748
.format(_need_version))
749
750
_tls_rawpk_version = b"3.6.6"
751
has_rawpk = bool(check_version(_tls_rawpk_version))
752
753
if has_rawpk:
754
# Types
755
class pubkey_st(ctypes.Structure):
756
_fields = []
757
pubkey_t = ctypes.POINTER(pubkey_st)
758
759
x509_crt_fmt_t = ctypes.c_int
760
761
# All the function declarations below are from gnutls/abstract.h
762
pubkey_init = _library.gnutls_pubkey_init
763
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
764
pubkey_init.restype = _error_code
765
766
pubkey_import = _library.gnutls_pubkey_import
767
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
768
x509_crt_fmt_t]
769
pubkey_import.restype = _error_code
770
771
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
772
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
773
ctypes.POINTER(ctypes.c_ubyte),
774
ctypes.POINTER(ctypes.c_size_t)]
775
pubkey_get_key_id.restype = _error_code
776
777
pubkey_deinit = _library.gnutls_pubkey_deinit
778
pubkey_deinit.argtypes = [pubkey_t]
779
pubkey_deinit.restype = None
780
else:
781
# All the function declarations below are from gnutls/openpgp.h
782
783
openpgp_crt_init = _library.gnutls_openpgp_crt_init
784
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
785
openpgp_crt_init.restype = _error_code
786
787
openpgp_crt_import = _library.gnutls_openpgp_crt_import
788
openpgp_crt_import.argtypes = [openpgp_crt_t,
789
ctypes.POINTER(datum_t),
790
openpgp_crt_fmt_t]
791
openpgp_crt_import.restype = _error_code
792
793
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
794
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
795
ctypes.POINTER(ctypes.c_uint)]
796
openpgp_crt_verify_self.restype = _error_code
797
798
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
799
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
800
openpgp_crt_deinit.restype = None
801
802
openpgp_crt_get_fingerprint = (
803
_library.gnutls_openpgp_crt_get_fingerprint)
804
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
805
ctypes.c_void_p,
806
ctypes.POINTER(
807
ctypes.c_size_t)]
808
openpgp_crt_get_fingerprint.restype = _error_code
809
810
if check_version(b"3.6.4"):
811
certificate_type_get2 = _library.gnutls_certificate_type_get2
812
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
813
certificate_type_get2.restype = _error_code
814
815
# Remove non-public functions
816
del _error_code, _retry_on_error
817
818
438
819
def call_pipe(connection, # : multiprocessing.Connection
439
820
func, *args, **kwargs):
440
821
"""This function is meant to be called by multiprocessing.Process
441
822
442
823
This function runs func(*args, **kwargs), and writes the resulting
443
824
return value on the provided multiprocessing.Connection.
444
825
"""
445
826
connection.send(func(*args, **kwargs))
446
827
connection.close()
447
828
448
class Client(object):
829
830
class Client:
449
831
"""A representation of a client host served by this server.
450
832
451
833
Attributes:
452
834
approved: bool(); 'None' if not yet approved/disapproved
453
835
approval_delay: datetime.timedelta(); Time to wait for approval
454
836
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
837
checker: multiprocessing.Process(); a running checker process used
838
to see if the client lives. 'None' if no process is
839
running.
840
checker_callback_tag: a GLib event source tag, or None
459
841
checker_command: string; External command which is run to check
460
842
if client lives. %() expansions are done at
461
843
runtime with vars(self) as dict, so that for
462
844
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
845
checker_initiator_tag: a GLib event source tag, or None
464
846
created: datetime.datetime(); (UTC) object creation
465
847
client_structure: Object describing what attributes a client has
466
848
and is used for storing the client at exit
467
849
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
850
disable_initiator_tag: a GLib event source tag, or None
469
851
enabled: bool()
470
852
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
853
uniquely identify an OpenPGP client
854
key_id: string (64 hexadecimal digits); used to uniquely identify
855
a client using raw public keys
472
856
host: string; available for use by the checker command
473
857
interval: datetime.timedelta(); How often to start a new checker
474
858
last_approval_request: datetime.datetime(); (UTC) or None
490
874
disabled, or None
491
875
server_settings: The server_settings dict from main()
492
876
"""
493
877
494
878
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
879
"created", "enabled", "expires", "key_id",
496
880
"fingerprint", "host", "interval",
497
881
"last_approval_request", "last_checked_ok",
498
882
"last_enabled", "name", "timeout")
507
891
"approved_by_default": "True",
508
892
"enabled": "True",
509
893
}
510
894
511
895
@staticmethod
512
896
def config_parser(config):
513
897
"""Construct a new dict of client settings of this form:
520
904
for client_name in config.sections():
521
905
section = dict(config.items(client_name))
522
906
client = settings[client_name] = {}
523
907
524
908
client["host"] = section["host"]
525
909
# Reformat values from string types to Python types
526
910
client["approved_by_default"] = config.getboolean(
527
911
client_name, "approved_by_default")
528
912
client["enabled"] = config.getboolean(client_name,
529
913
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
914
915
# Uppercase and remove spaces from key_id and fingerprint
916
# for later comparison purposes with return value from the
917
# key_id() and fingerprint() functions
918
client["key_id"] = (section.get("key_id", "").upper()
919
.replace(" ", ""))
534
920
client["fingerprint"] = (section["fingerprint"].upper()
535
921
.replace(" ", ""))
536
922
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
923
client["secret"] = codecs.decode(section["secret"]
924
.encode("utf-8"),
925
"base64")
538
926
elif "secfile" in section:
539
927
with open(os.path.expanduser(os.path.expandvars
540
928
(section["secfile"])),
555
943
client["last_approval_request"] = None
556
944
client["last_checked_ok"] = None
557
945
client["last_checker_status"] = -2
558
946
559
947
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
948
949
def __init__(self, settings, name=None, server_settings=None):
562
950
self.name = name
563
951
if server_settings is None:
564
952
server_settings = {}
566
954
# adding all client settings
567
955
for setting, value in settings.items():
568
956
setattr(self, setting, value)
569
957
570
958
if self.enabled:
571
959
if not hasattr(self, "last_enabled"):
572
960
self.last_enabled = datetime.datetime.utcnow()
576
964
else:
577
965
self.last_enabled = None
578
966
self.expires = None
579
967
580
968
logger.debug("Creating client %r", self.name)
969
logger.debug(" Key ID: %s", self.key_id)
581
970
logger.debug(" Fingerprint: %s", self.fingerprint)
582
971
self.created = settings.get("created",
583
972
datetime.datetime.utcnow())
584
973
585
974
# attributes specific for this server instance
586
975
self.checker = None
587
976
self.checker_initiator_tag = None
593
982
self.changedstate = multiprocessing_manager.Condition(
594
983
multiprocessing_manager.Lock())
595
984
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
985
for attr in self.__dict__.keys()
597
986
if not attr.startswith("_")]
598
987
self.client_structure.append("client_structure")
599
988
600
989
for name, t in inspect.getmembers(
601
990
type(self), lambda obj: isinstance(obj, property)):
602
991
if not name.startswith("_"):
603
992
self.client_structure.append(name)
604
993
605
994
# Send notice to process children that client state has changed
606
995
def send_changedstate(self):
607
996
with self.changedstate:
608
997
self.changedstate.notify_all()
609
998
610
999
def enable(self):
611
1000
"""Start this client's checker and timeout hooks"""
612
1001
if getattr(self, "enabled", False):
617
1006
self.last_enabled = datetime.datetime.utcnow()
618
1007
self.init_checker()
619
1008
self.send_changedstate()
620
1009
621
1010
def disable(self, quiet=True):
622
1011
"""Disable this client."""
623
1012
if not getattr(self, "enabled", False):
625
1014
if not quiet:
626
1015
logger.info("Disabling client %s", self.name)
627
1016
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1017
GLib.source_remove(self.disable_initiator_tag)
629
1018
self.disable_initiator_tag = None
630
1019
self.expires = None
631
1020
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1021
GLib.source_remove(self.checker_initiator_tag)
633
1022
self.checker_initiator_tag = None
634
1023
self.stop_checker()
635
1024
self.enabled = False
636
1025
if not quiet:
637
1026
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1027
# Do not run this again if called by a GLib.timeout_add
639
1028
return False
640
1029
641
1030
def __del__(self):
642
1031
self.disable()
643
1032
644
1033
def init_checker(self):
645
1034
# Schedule a new checker to be started an 'interval' from now,
646
1035
# and every interval from then on.
647
1036
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1037
GLib.source_remove(self.checker_initiator_tag)
1038
self.checker_initiator_tag = GLib.timeout_add(
1039
random.randrange(int(self.interval.total_seconds() * 1000
1040
+ 1)),
651
1041
self.start_checker)
652
1042
# Schedule a disable() when 'timeout' has passed
653
1043
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1044
GLib.source_remove(self.disable_initiator_tag)
1045
self.disable_initiator_tag = GLib.timeout_add(
656
1046
int(self.timeout.total_seconds() * 1000), self.disable)
657
1047
# Also start a new checker *right now*.
658
1048
self.start_checker()
659
1049
660
1050
def checker_callback(self, source, condition, connection,
661
1051
command):
662
1052
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1053
# Read return code from connection (see call_pipe)
666
1054
returncode = connection.recv()
667
1055
connection.close()
668
1056
if self.checker is not None:
1057
self.checker.join()
1058
self.checker_callback_tag = None
1059
self.checker = None
1060
669
1061
if returncode >= 0:
670
1062
self.last_checker_status = returncode
671
1063
self.last_checker_signal = None
681
1073
logger.warning("Checker for %(name)s crashed?",
682
1074
vars(self))
683
1075
return False
684
1076
685
1077
def checked_ok(self):
686
1078
"""Assert that the client has been seen, alive and well."""
687
1079
self.last_checked_ok = datetime.datetime.utcnow()
688
1080
self.last_checker_status = 0
689
1081
self.last_checker_signal = None
690
1082
self.bump_timeout()
691
1083
692
1084
def bump_timeout(self, timeout=None):
693
1085
"""Bump up the timeout for this client."""
694
1086
if timeout is None:
695
1087
timeout = self.timeout
696
1088
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1089
GLib.source_remove(self.disable_initiator_tag)
698
1090
self.disable_initiator_tag = None
699
1091
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1092
self.disable_initiator_tag = GLib.timeout_add(
701
1093
int(timeout.total_seconds() * 1000), self.disable)
702
1094
self.expires = datetime.datetime.utcnow() + timeout
703
1095
704
1096
def need_approval(self):
705
1097
self.last_approval_request = datetime.datetime.utcnow()
706
1098
707
1099
def start_checker(self):
708
1100
"""Start a new checker subprocess if one is not running.
709
1101
710
1102
If a checker already exists, leave it running and do
711
1103
nothing."""
712
1104
# The reason for not killing a running checker is that if we
717
1109
# checkers alone, the checker would have to take more time
718
1110
# than 'timeout' for the client to be disabled, which is as it
719
1111
# should be.
720
1112
721
1113
if self.checker is not None and not self.checker.is_alive():
722
1114
logger.warning("Checker was not alive; joining")
723
1115
self.checker.join()
727
1119
# Escape attributes for the shell
728
1120
escaped_attrs = {
729
1121
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1122
for attr in self.runtime_expansions}
731
1123
try:
732
1124
command = self.checker_command % escaped_attrs
733
1125
except TypeError as error:
745
1137
# The exception is when not debugging but nevertheless
746
1138
# running in the foreground; use the previously
747
1139
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1140
popen_args = {"close_fds": True,
1141
"shell": True,
1142
"cwd": "/"}
751
1143
if (not self.server_settings["debug"]
752
1144
and self.server_settings["foreground"]):
753
1145
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1146
"stderr": wnull})
1147
pipe = multiprocessing.Pipe(duplex=False)
756
1148
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1149
target=call_pipe,
1150
args=(pipe[1], subprocess.call, command),
1151
kwargs=popen_args)
760
1152
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1153
self.checker_callback_tag = GLib.io_add_watch(
1154
GLib.IOChannel.unix_new(pipe[0].fileno()),
1155
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
763
1156
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1157
# Re-run this periodically if run by GLib.timeout_add
765
1158
return True
766
1159
767
1160
def stop_checker(self):
768
1161
"""Force the checker process, if any, to stop."""
769
1162
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1163
GLib.source_remove(self.checker_callback_tag)
771
1164
self.checker_callback_tag = None
772
1165
if getattr(self, "checker", None) is None:
773
1166
return
782
1175
byte_arrays=False):
783
1176
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1177
become properties on the D-Bus.
785
1178
786
1179
The decorated method will be called with no arguments by "Get"
787
1180
and with one argument by "Set".
788
1181
789
1182
The parameters, where they are supported, are the same as
790
1183
dbus.service.method, except there is only "signature", since the
791
1184
type from Get() and the type sent to Set() is the same.
795
1188
if byte_arrays and signature != "ay":
796
1189
raise ValueError("Byte arrays not supported for non-'ay'"
797
1190
" signature {!r}".format(signature))
798
1191
799
1192
def decorator(func):
800
1193
func._dbus_is_property = True
801
1194
func._dbus_interface = dbus_interface
804
1197
func._dbus_name = func.__name__
805
1198
if func._dbus_name.endswith("_dbus_property"):
806
1199
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1200
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1201
return func
809
1202
810
1203
return decorator
811
1204
812
1205
813
1206
def dbus_interface_annotations(dbus_interface):
814
1207
"""Decorator for marking functions returning interface annotations
815
1208
816
1209
Usage:
817
1210
818
1211
@dbus_interface_annotations("org.example.Interface")
819
1212
def _foo(self): # Function name does not matter
820
1213
return {"org.freedesktop.DBus.Deprecated": "true",
821
1214
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1215
"false"}
823
1216
"""
824
1217
825
1218
def decorator(func):
826
1219
func._dbus_is_interface = True
827
1220
func._dbus_interface = dbus_interface
828
1221
func._dbus_name = dbus_interface
829
1222
return func
830
1223
831
1224
return decorator
832
1225
833
1226
834
1227
def dbus_annotations(annotations):
835
1228
"""Decorator to annotate D-Bus methods, signals or properties
836
1229
Usage:
837
1230
838
1231
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1232
"org.freedesktop.DBus.Property."
840
1233
"EmitsChangedSignal": "false"})
842
1235
access="r")
843
1236
def Property_dbus_property(self):
844
1237
return dbus.Boolean(False)
845
1238
846
1239
See also the DBusObjectWithAnnotations class.
847
1240
"""
848
1241
849
1242
def decorator(func):
850
1243
func._dbus_annotations = annotations
851
1244
return func
852
1245
853
1246
return decorator
854
1247
855
1248
873
1266
874
1267
class DBusObjectWithAnnotations(dbus.service.Object):
875
1268
"""A D-Bus object with annotations.
876
1269
877
1270
Classes inheriting from this can use the dbus_annotations
878
1271
decorator to add annotations to methods or signals.
879
1272
"""
880
1273
881
1274
@staticmethod
882
1275
def _is_dbus_thing(thing):
883
1276
"""Returns a function testing if an attribute is a D-Bus thing
884
1277
885
1278
If called like _is_dbus_thing("method") it returns a function
886
1279
suitable for use as predicate to inspect.getmembers().
887
1280
"""
888
1281
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1282
False)
890
1283
891
1284
def _get_all_dbus_things(self, thing):
892
1285
"""Returns a generator of (name, attribute) pairs
893
1286
"""
896
1289
for cls in self.__class__.__mro__
897
1290
for name, athing in
898
1291
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1292
900
1293
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1294
out_signature="s",
1295
path_keyword='object_path',
1296
connection_keyword='connection')
904
1297
def Introspect(self, object_path, connection):
905
1298
"""Overloading of standard D-Bus method.
906
1299
907
1300
Inserts annotation tags on methods and signals.
908
1301
"""
909
1302
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1303
connection)
911
1304
try:
912
1305
document = xml.dom.minidom.parseString(xmlstring)
913
1306
914
1307
for if_tag in document.getElementsByTagName("interface"):
915
1308
# Add annotation tags
916
1309
for typ in ("method", "signal"):
943
1336
if_tag.appendChild(ann_tag)
944
1337
# Fix argument name for the Introspect method itself
945
1338
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1339
== dbus.INTROSPECTABLE_IFACE):
947
1340
for cn in if_tag.getElementsByTagName("method"):
948
1341
if cn.getAttribute("name") == "Introspect":
949
1342
for arg in cn.getElementsByTagName("arg"):
962
1355
963
1356
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1357
"""A D-Bus object with properties.
965
1358
966
1359
Classes inheriting from this can use the dbus_service_property
967
1360
decorator to expose methods as D-Bus properties. It exposes the
968
1361
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1362
"""
970
1363
971
1364
def _get_dbus_property(self, interface_name, property_name):
972
1365
"""Returns a bound method if one exists which is a D-Bus
973
1366
property with the specified name and interface.
978
1371
if (value._dbus_name == property_name
979
1372
and value._dbus_interface == interface_name):
980
1373
return value.__get__(self)
981
1374
982
1375
# No such property
983
1376
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1377
self.dbus_object_path, interface_name, property_name))
985
1378
986
1379
@classmethod
987
1380
def _get_all_interface_names(cls):
988
1381
"""Get a sequence of all interfaces supported by an object"""
991
1384
for x in (inspect.getmro(cls))
992
1385
for attr in dir(x))
993
1386
if name is not None)
994
1387
995
1388
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1389
in_signature="ss",
997
1390
out_signature="v")
1005
1398
if not hasattr(value, "variant_level"):
1006
1399
return value
1007
1400
return type(value)(value, variant_level=value.variant_level+1)
1008
1401
1009
1402
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1403
def Set(self, interface_name, property_name, value):
1011
1404
"""Standard D-Bus property Set() method, see D-Bus standard.
1020
1413
raise ValueError("Byte arrays not supported for non-"
1021
1414
"'ay' signature {!r}"
1022
1415
.format(prop._dbus_signature))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1416
value = dbus.ByteArray(bytes(value))
1025
1417
prop(value)
1026
1418
1027
1419
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1420
in_signature="s",
1029
1421
out_signature="a{sv}")
1030
1422
def GetAll(self, interface_name):
1031
1423
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1424
standard.
1033
1425
1034
1426
Note: Will not include properties with access="write".
1035
1427
"""
1036
1428
properties = {}
1047
1439
properties[name] = value
1048
1440
continue
1049
1441
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1442
value, variant_level=value.variant_level + 1)
1051
1443
return dbus.Dictionary(properties, signature="sv")
1052
1444
1053
1445
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1446
def PropertiesChanged(self, interface_name, changed_properties,
1055
1447
invalidated_properties):
1057
1449
standard.
1058
1450
"""
1059
1451
pass
1060
1452
1061
1453
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1454
out_signature="s",
1063
1455
path_keyword='object_path',
1064
1456
connection_keyword='connection')
1065
1457
def Introspect(self, object_path, connection):
1066
1458
"""Overloading of standard D-Bus method.
1067
1459
1068
1460
Inserts property tags and interface annotation tags.
1069
1461
"""
1070
1462
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1464
connection)
1073
1465
try:
1074
1466
document = xml.dom.minidom.parseString(xmlstring)
1075
1467
1076
1468
def make_tag(document, name, prop):
1077
1469
e = document.createElement("property")
1078
1470
e.setAttribute("name", name)
1079
1471
e.setAttribute("type", prop._dbus_signature)
1080
1472
e.setAttribute("access", prop._dbus_access)
1081
1473
return e
1082
1474
1083
1475
for if_tag in document.getElementsByTagName("interface"):
1084
1476
# Add property tags
1085
1477
for tag in (make_tag(document, name, prop)
1127
1519
exc_info=error)
1128
1520
return xmlstring
1129
1521
1522
1130
1523
try:
1131
1524
dbus.OBJECT_MANAGER_IFACE
1132
1525
except AttributeError:
1133
1526
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1527
1528
1135
1529
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1530
"""A D-Bus object with an ObjectManager.
1137
1531
1138
1532
Classes inheriting from this exposes the standard
1139
1533
GetManagedObjects call and the InterfacesAdded and
1140
1534
InterfacesRemoved signals on the standard
1141
1535
"org.freedesktop.DBus.ObjectManager" interface.
1142
1536
1143
1537
Note: No signals are sent automatically; they must be sent
1144
1538
manually.
1145
1539
"""
1146
1540
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1541
out_signature="a{oa{sa{sv}}}")
1148
1542
def GetManagedObjects(self):
1149
1543
"""This function must be overridden"""
1150
1544
raise NotImplementedError()
1151
1545
1152
1546
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1547
signature="oa{sa{sv}}")
1154
1548
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1549
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1550
1551
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1552
def InterfacesRemoved(self, object_path, interfaces):
1159
1553
pass
1160
1554
1161
1555
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1556
out_signature="s",
1557
path_keyword='object_path',
1558
connection_keyword='connection')
1165
1559
def Introspect(self, object_path, connection):
1166
1560
"""Overloading of standard D-Bus method.
1167
1561
1168
1562
Override return argument name of GetManagedObjects to be
1169
1563
"objpath_interfaces_and_properties"
1170
1564
"""
1173
1567
connection)
1174
1568
try:
1175
1569
document = xml.dom.minidom.parseString(xmlstring)
1176
1570
1177
1571
for if_tag in document.getElementsByTagName("interface"):
1178
1572
# Fix argument name for the GetManagedObjects method
1179
1573
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1574
== dbus.OBJECT_MANAGER_IFACE):
1181
1575
for cn in if_tag.getElementsByTagName("method"):
1182
1576
if (cn.getAttribute("name")
1183
1577
== "GetManagedObjects"):
1193
1587
except (AttributeError, xml.dom.DOMException,
1194
1588
xml.parsers.expat.ExpatError) as error:
1195
1589
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1590
exc_info=error)
1197
1591
return xmlstring
1198
1592
1593
1199
1594
def datetime_to_dbus(dt, variant_level=0):
1200
1595
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1596
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1597
return dbus.String("", variant_level=variant_level)
1203
1598
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1599
1205
1600
1208
1603
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1604
interface names according to the "alt_interface_names" mapping.
1210
1605
Usage:
1211
1606
1212
1607
@alternate_dbus_interfaces({"org.example.Interface":
1213
1608
"net.example.AlternateInterface"})
1214
1609
class SampleDBusObject(dbus.service.Object):
1215
1610
@dbus.service.method("org.example.Interface")
1216
1611
def SampleDBusMethod():
1217
1612
pass
1218
1613
1219
1614
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1615
reachable via two interfaces: "org.example.Interface" and
1221
1616
"net.example.AlternateInterface", the latter of which will have
1222
1617
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1618
"true", unless "deprecate" is passed with a False value.
1224
1619
1225
1620
This works for methods and signals, and also for D-Bus properties
1226
1621
(from DBusObjectWithProperties) and interfaces (from the
1227
1622
dbus_interface_annotations decorator).
1228
1623
"""
1229
1624
1230
1625
def wrapper(cls):
1231
1626
for orig_interface_name, alt_interface_name in (
1232
1627
alt_interface_names.items()):
1247
1642
interface_names.add(alt_interface)
1248
1643
# Is this a D-Bus signal?
1249
1644
if getattr(attribute, "_dbus_is_signal", False):
1645
# Extract the original non-method undecorated
1646
# function by black magic
1250
1647
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1648
nonmethod_func = (dict(
1254
1649
zip(attribute.func_code.co_freevars,
1255
1650
attribute.__closure__))
1256
1651
["func"].cell_contents)
1257
1652
else:
1258
nonmethod_func = attribute
1653
nonmethod_func = (dict(
1654
zip(attribute.__code__.co_freevars,
1655
attribute.__closure__))
1656
["func"].cell_contents)
1259
1657
# Create a new, but exactly alike, function
1260
1658
# object, and decorate it to be a new D-Bus signal
1261
1659
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1660
new_function = copy_function(nonmethod_func)
1276
1661
new_function = (dbus.service.signal(
1277
1662
alt_interface,
1278
1663
attribute._dbus_signature)(new_function))
1282
1667
attribute._dbus_annotations)
1283
1668
except AttributeError:
1284
1669
pass
1670
1285
1671
# Define a creator of a function to call both the
1286
1672
# original and alternate functions, so both the
1287
1673
# original and alternate signals gets sent when
1290
1676
"""This function is a scope container to pass
1291
1677
func1 and func2 to the "call_both" function
1292
1678
outside of its arguments"""
1293
1679
1294
1680
@functools.wraps(func2)
1295
1681
def call_both(*args, **kwargs):
1296
1682
"""This function will emit two D-Bus
1297
1683
signals by calling func1 and func2"""
1298
1684
func1(*args, **kwargs)
1299
1685
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1686
# Make wrapper function look like a D-Bus
1687
# signal
1301
1688
for name, attr in inspect.getmembers(func2):
1302
1689
if name.startswith("_dbus_"):
1303
1690
setattr(call_both, name, attr)
1304
1691
1305
1692
return call_both
1306
1693
# Create the "call_both" function and add it to
1307
1694
# the class
1317
1704
alt_interface,
1318
1705
attribute._dbus_in_signature,
1319
1706
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1707
(copy_function(attribute)))
1325
1708
# Copy annotations, if any
1326
1709
try:
1327
1710
attr[attrname]._dbus_annotations = dict(
1339
1722
attribute._dbus_access,
1340
1723
attribute._dbus_get_args_options
1341
1724
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1725
(copy_function(attribute)))
1348
1726
# Copy annotations, if any
1349
1727
try:
1350
1728
attr[attrname]._dbus_annotations = dict(
1359
1737
# to the class.
1360
1738
attr[attrname] = (
1361
1739
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1740
(copy_function(attribute)))
1367
1741
if deprecate:
1368
1742
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1743
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1744
for interface_name in interface_names:
1371
1745
1372
1746
@dbus_interface_annotations(interface_name)
1373
1747
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1748
return {"org.freedesktop.DBus.Deprecated":
1749
"true"}
1376
1750
# Find an unused name
1377
1751
for aname in (iname.format(i)
1378
1752
for i in itertools.count()):
1382
1756
if interface_names:
1383
1757
# Replace the class with a new subclass of it with
1384
1758
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1759
if sys.version_info.major == 2:
1760
cls = type(b"{}Alternate".format(cls.__name__),
1761
(cls, ), attr)
1762
else:
1763
cls = type("{}Alternate".format(cls.__name__),
1764
(cls, ), attr)
1387
1765
return cls
1388
1766
1389
1767
return wrapper
1390
1768
1391
1769
1393
1771
"se.bsnet.fukt.Mandos"})
1394
1772
class ClientDBus(Client, DBusObjectWithProperties):
1395
1773
"""A Client class using D-Bus
1396
1774
1397
1775
Attributes:
1398
1776
dbus_object_path: dbus.ObjectPath
1399
1777
bus: dbus.SystemBus()
1400
1778
"""
1401
1779
1402
1780
runtime_expansions = (Client.runtime_expansions
1403
1781
+ ("dbus_object_path", ))
1404
1782
1405
1783
_interface = "se.recompile.Mandos.Client"
1406
1784
1407
1785
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1786
1787
def __init__(self, bus=None, *args, **kwargs):
1410
1788
self.bus = bus
1411
1789
Client.__init__(self, *args, **kwargs)
1412
1790
# Only now, when this client is initialized, can it show up on
1418
1796
"/clients/" + client_object_name)
1419
1797
DBusObjectWithProperties.__init__(self, self.bus,
1420
1798
self.dbus_object_path)
1421
1799
1422
1800
def notifychangeproperty(transform_func, dbus_name,
1423
1801
type_func=lambda x: x,
1424
1802
variant_level=1,
1426
1804
_interface=_interface):
1427
1805
""" Modify a variable so that it's a property which announces
1428
1806
its changes to DBus.
1429
1807
1430
1808
transform_fun: Function that takes a value and a variant_level
1431
1809
and transforms it to a D-Bus type.
1432
1810
dbus_name: D-Bus name of the variable
1435
1813
variant_level: D-Bus variant level. Default: 1
1436
1814
"""
1437
1815
attrname = "_{}".format(dbus_name)
1438
1816
1439
1817
def setter(self, value):
1440
1818
if hasattr(self, "dbus_object_path"):
1441
1819
if (not hasattr(self, attrname) or
1448
1826
else:
1449
1827
dbus_value = transform_func(
1450
1828
type_func(value),
1451
variant_level = variant_level)
1829
variant_level=variant_level)
1452
1830
self.PropertyChanged(dbus.String(dbus_name),
1453
1831
dbus_value)
1454
1832
self.PropertiesChanged(
1455
1833
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1834
dbus.Dictionary({dbus.String(dbus_name):
1835
dbus_value}),
1458
1836
dbus.Array())
1459
1837
setattr(self, attrname, value)
1460
1838
1461
1839
return property(lambda self: getattr(self, attrname), setter)
1462
1840
1463
1841
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1842
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1843
"ApprovalPending",
1466
type_func = bool)
1844
type_func=bool)
1467
1845
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1846
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1847
"LastEnabled")
1470
1848
checker = notifychangeproperty(
1471
1849
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1850
type_func=lambda checker: checker is not None)
1473
1851
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1852
"LastCheckedOK")
1475
1853
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1858
"ApprovedByDefault")
1481
1859
approval_delay = notifychangeproperty(
1482
1860
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1861
type_func=lambda td: td.total_seconds() * 1000)
1484
1862
approval_duration = notifychangeproperty(
1485
1863
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1864
type_func=lambda td: td.total_seconds() * 1000)
1487
1865
host = notifychangeproperty(dbus.String, "Host")
1488
1866
timeout = notifychangeproperty(
1489
1867
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1868
type_func=lambda td: td.total_seconds() * 1000)
1491
1869
extended_timeout = notifychangeproperty(
1492
1870
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1871
type_func=lambda td: td.total_seconds() * 1000)
1494
1872
interval = notifychangeproperty(
1495
1873
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1874
type_func=lambda td: td.total_seconds() * 1000)
1497
1875
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1876
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1877
invalidate_only=True)
1500
1878
1501
1879
del notifychangeproperty
1502
1880
1503
1881
def __del__(self, *args, **kwargs):
1504
1882
try:
1505
1883
self.remove_from_connection()
1508
1886
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1887
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1888
Client.__del__(self, *args, **kwargs)
1511
1889
1512
1890
def checker_callback(self, source, condition,
1513
1891
connection, command, *args, **kwargs):
1514
1892
ret = Client.checker_callback(self, source, condition,
1530
1908
| self.last_checker_signal),
1531
1909
dbus.String(command))
1532
1910
return ret
1533
1911
1534
1912
def start_checker(self, *args, **kwargs):
1535
1913
old_checker_pid = getattr(self.checker, "pid", None)
1536
1914
r = Client.start_checker(self, *args, **kwargs)
1540
1918
# Emit D-Bus signal
1541
1919
self.CheckerStarted(self.current_checker_command)
1542
1920
return r
1543
1921
1544
1922
def _reset_approved(self):
1545
1923
self.approved = None
1546
1924
return False
1547
1925
1548
1926
def approve(self, value=True):
1549
1927
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1928
GLib.timeout_add(int(self.approval_duration.total_seconds()
1929
* 1000), self._reset_approved)
1552
1930
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1931
1932
# D-Bus methods, signals & properties
1933
1934
# Interfaces
1935
1936
# Signals
1937
1560
1938
# CheckerCompleted - signal
1561
1939
@dbus.service.signal(_interface, signature="nxs")
1562
1940
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1941
"D-Bus signal"
1564
1942
pass
1565
1943
1566
1944
# CheckerStarted - signal
1567
1945
@dbus.service.signal(_interface, signature="s")
1568
1946
def CheckerStarted(self, command):
1569
1947
"D-Bus signal"
1570
1948
pass
1571
1949
1572
1950
# PropertyChanged - signal
1573
1951
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1952
@dbus.service.signal(_interface, signature="sv")
1575
1953
def PropertyChanged(self, property, value):
1576
1954
"D-Bus signal"
1577
1955
pass
1578
1956
1579
1957
# GotSecret - signal
1580
1958
@dbus.service.signal(_interface)
1581
1959
def GotSecret(self):
1584
1962
server to mandos-client
1585
1963
"""
1586
1964
pass
1587
1965
1588
1966
# Rejected - signal
1589
1967
@dbus.service.signal(_interface, signature="s")
1590
1968
def Rejected(self, reason):
1591
1969
"D-Bus signal"
1592
1970
pass
1593
1971
1594
1972
# NeedApproval - signal
1595
1973
@dbus.service.signal(_interface, signature="tb")
1596
1974
def NeedApproval(self, timeout, default):
1597
1975
"D-Bus signal"
1598
1976
return self.need_approval()
1599
1600
## Methods
1601
1977
1978
# Methods
1979
1602
1980
# Approve - method
1603
1981
@dbus.service.method(_interface, in_signature="b")
1604
1982
def Approve(self, value):
1605
1983
self.approve(value)
1606
1984
1607
1985
# CheckedOK - method
1608
1986
@dbus.service.method(_interface)
1609
1987
def CheckedOK(self):
1610
1988
self.checked_ok()
1611
1989
1612
1990
# Enable - method
1613
1991
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1992
@dbus.service.method(_interface)
1615
1993
def Enable(self):
1616
1994
"D-Bus method"
1617
1995
self.enable()
1618
1996
1619
1997
# StartChecker - method
1620
1998
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1999
@dbus.service.method(_interface)
1622
2000
def StartChecker(self):
1623
2001
"D-Bus method"
1624
2002
self.start_checker()
1625
2003
1626
2004
# Disable - method
1627
2005
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
2006
@dbus.service.method(_interface)
1629
2007
def Disable(self):
1630
2008
"D-Bus method"
1631
2009
self.disable()
1632
2010
1633
2011
# StopChecker - method
1634
2012
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2013
@dbus.service.method(_interface)
1636
2014
def StopChecker(self):
1637
2015
self.stop_checker()
1638
1639
## Properties
1640
2016
2017
# Properties
2018
1641
2019
# ApprovalPending - property
1642
2020
@dbus_service_property(_interface, signature="b", access="read")
1643
2021
def ApprovalPending_dbus_property(self):
1644
2022
return dbus.Boolean(bool(self.approvals_pending))
1645
2023
1646
2024
# ApprovedByDefault - property
1647
2025
@dbus_service_property(_interface,
1648
2026
signature="b",
1651
2029
if value is None: # get
1652
2030
return dbus.Boolean(self.approved_by_default)
1653
2031
self.approved_by_default = bool(value)
1654
2032
1655
2033
# ApprovalDelay - property
1656
2034
@dbus_service_property(_interface,
1657
2035
signature="t",
1661
2039
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2040
* 1000)
1663
2041
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2042
1665
2043
# ApprovalDuration - property
1666
2044
@dbus_service_property(_interface,
1667
2045
signature="t",
1671
2049
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2050
* 1000)
1673
2051
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2052
1675
2053
# Name - property
1676
2054
@dbus_annotations(
1677
2055
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2056
@dbus_service_property(_interface, signature="s", access="read")
1679
2057
def Name_dbus_property(self):
1680
2058
return dbus.String(self.name)
1681
2059
2060
# KeyID - property
2061
@dbus_annotations(
2062
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2063
@dbus_service_property(_interface, signature="s", access="read")
2064
def KeyID_dbus_property(self):
2065
return dbus.String(self.key_id)
2066
1682
2067
# Fingerprint - property
1683
2068
@dbus_annotations(
1684
2069
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2070
@dbus_service_property(_interface, signature="s", access="read")
1686
2071
def Fingerprint_dbus_property(self):
1687
2072
return dbus.String(self.fingerprint)
1688
2073
1689
2074
# Host - property
1690
2075
@dbus_service_property(_interface,
1691
2076
signature="s",
1694
2079
if value is None: # get
1695
2080
return dbus.String(self.host)
1696
2081
self.host = str(value)
1697
2082
1698
2083
# Created - property
1699
2084
@dbus_annotations(
1700
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2086
@dbus_service_property(_interface, signature="s", access="read")
1702
2087
def Created_dbus_property(self):
1703
2088
return datetime_to_dbus(self.created)
1704
2089
1705
2090
# LastEnabled - property
1706
2091
@dbus_service_property(_interface, signature="s", access="read")
1707
2092
def LastEnabled_dbus_property(self):
1708
2093
return datetime_to_dbus(self.last_enabled)
1709
2094
1710
2095
# Enabled - property
1711
2096
@dbus_service_property(_interface,
1712
2097
signature="b",
1718
2103
self.enable()
1719
2104
else:
1720
2105
self.disable()
1721
2106
1722
2107
# LastCheckedOK - property
1723
2108
@dbus_service_property(_interface,
1724
2109
signature="s",
1728
2113
self.checked_ok()
1729
2114
return
1730
2115
return datetime_to_dbus(self.last_checked_ok)
1731
2116
1732
2117
# LastCheckerStatus - property
1733
2118
@dbus_service_property(_interface, signature="n", access="read")
1734
2119
def LastCheckerStatus_dbus_property(self):
1735
2120
return dbus.Int16(self.last_checker_status)
1736
2121
1737
2122
# Expires - property
1738
2123
@dbus_service_property(_interface, signature="s", access="read")
1739
2124
def Expires_dbus_property(self):
1740
2125
return datetime_to_dbus(self.expires)
1741
2126
1742
2127
# LastApprovalRequest - property
1743
2128
@dbus_service_property(_interface, signature="s", access="read")
1744
2129
def LastApprovalRequest_dbus_property(self):
1745
2130
return datetime_to_dbus(self.last_approval_request)
1746
2131
1747
2132
# Timeout - property
1748
2133
@dbus_service_property(_interface,
1749
2134
signature="t",
1764
2149
if (getattr(self, "disable_initiator_tag", None)
1765
2150
is None):
1766
2151
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2152
GLib.source_remove(self.disable_initiator_tag)
2153
self.disable_initiator_tag = GLib.timeout_add(
1769
2154
int((self.expires - now).total_seconds() * 1000),
1770
2155
self.disable)
1771
2156
1772
2157
# ExtendedTimeout - property
1773
2158
@dbus_service_property(_interface,
1774
2159
signature="t",
1778
2163
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2164
* 1000)
1780
2165
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2166
1782
2167
# Interval - property
1783
2168
@dbus_service_property(_interface,
1784
2169
signature="t",
1791
2176
return
1792
2177
if self.enabled:
1793
2178
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2179
GLib.source_remove(self.checker_initiator_tag)
2180
self.checker_initiator_tag = GLib.timeout_add(
1796
2181
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2182
self.start_checker() # Start one now, too
2183
1799
2184
# Checker - property
1800
2185
@dbus_service_property(_interface,
1801
2186
signature="s",
1804
2189
if value is None: # get
1805
2190
return dbus.String(self.checker_command)
1806
2191
self.checker_command = str(value)
1807
2192
1808
2193
# CheckerRunning - property
1809
2194
@dbus_service_property(_interface,
1810
2195
signature="b",
1816
2201
self.start_checker()
1817
2202
else:
1818
2203
self.stop_checker()
1819
2204
1820
2205
# ObjectPath - property
1821
2206
@dbus_annotations(
1822
2207
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2208
"org.freedesktop.DBus.Deprecated": "true"})
1824
2209
@dbus_service_property(_interface, signature="o", access="read")
1825
2210
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2211
return self.dbus_object_path # is already a dbus.ObjectPath
2212
1828
2213
# Secret = property
1829
2214
@dbus_annotations(
1830
2215
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2220
byte_arrays=True)
1836
2221
def Secret_dbus_property(self, value):
1837
2222
self.secret = bytes(value)
1838
2223
1839
2224
del _interface
1840
2225
1841
2226
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2227
class ProxyClient:
2228
def __init__(self, child_pipe, key_id, fpr, address):
1844
2229
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2230
self._pipe.send(('init', key_id, fpr, address))
1846
2231
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2232
raise KeyError(key_id or fpr)
2233
1849
2234
def __getattribute__(self, name):
1850
2235
if name == '_pipe':
1851
2236
return super(ProxyClient, self).__getattribute__(name)
1854
2239
if data[0] == 'data':
1855
2240
return data[1]
1856
2241
if data[0] == 'function':
1857
2242
1858
2243
def func(*args, **kwargs):
1859
2244
self._pipe.send(('funcall', name, args, kwargs))
1860
2245
return self._pipe.recv()[1]
1861
2246
1862
2247
return func
1863
2248
1864
2249
def __setattr__(self, name, value):
1865
2250
if name == '_pipe':
1866
2251
return super(ProxyClient, self).__setattr__(name, value)
1869
2254
1870
2255
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2256
"""A class to handle client connections.
1872
2257
1873
2258
Instantiated once for each connection to handle it.
1874
2259
Note: This will run in its own forked process."""
1875
2260
1876
2261
def handle(self):
1877
2262
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2263
logger.info("TCP connection from: %s",
1879
2264
str(self.client_address))
1880
2265
logger.debug("Pipe FD: %d",
1881
2266
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2267
2268
session = gnutls.ClientSession(self.request)
2269
2270
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2271
# "+AES-256-CBC", "+SHA1",
2272
# "+COMP-NULL", "+CTYPE-OPENPGP",
2273
# "+DHE-DSS"))
1895
2274
# Use a fallback default, since this MUST be set.
1896
2275
priority = self.server.gnutls_priority
1897
2276
if priority is None:
1898
2277
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2278
gnutls.priority_set_direct(session._c_object,
2279
priority.encode("utf-8"),
2280
None)
2281
1902
2282
# Start communication using the Mandos protocol
1903
2283
# Get protocol number
1904
2284
line = self.request.makefile().readline()
1909
2289
except (ValueError, IndexError, RuntimeError) as error:
1910
2290
logger.error("Unknown protocol version: %s", error)
1911
2291
return
1912
2292
1913
2293
# Start GnuTLS connection
1914
2294
try:
1915
2295
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2296
except gnutls.Error as error:
1917
2297
logger.warning("Handshake failed: %s", error)
1918
2298
# Do not run session.bye() here: the session is not
1919
2299
# established. Just abandon the request.
1920
2300
return
1921
2301
logger.debug("Handshake succeeded")
1922
2302
1923
2303
approval_required = False
1924
2304
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2305
if gnutls.has_rawpk:
2306
fpr = b""
2307
try:
2308
key_id = self.key_id(
2309
self.peer_certificate(session))
2310
except (TypeError, gnutls.Error) as error:
2311
logger.warning("Bad certificate: %s", error)
2312
return
2313
logger.debug("Key ID: %s", key_id)
2314
2315
else:
2316
key_id = b""
2317
try:
2318
fpr = self.fingerprint(
2319
self.peer_certificate(session))
2320
except (TypeError, gnutls.Error) as error:
2321
logger.warning("Bad certificate: %s", error)
2322
return
2323
logger.debug("Fingerprint: %s", fpr)
2324
2325
try:
2326
client = ProxyClient(child_pipe, key_id, fpr,
1936
2327
self.client_address)
1937
2328
except KeyError:
1938
2329
return
1939
2330
1940
2331
if client.approval_delay:
1941
2332
delay = client.approval_delay
1942
2333
client.approvals_pending += 1
1943
2334
approval_required = True
1944
2335
1945
2336
while True:
1946
2337
if not client.enabled:
1947
2338
logger.info("Client %s is disabled",
1950
2341
# Emit D-Bus signal
1951
2342
client.Rejected("Disabled")
1952
2343
return
1953
2344
1954
2345
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2346
# We are approved or approval is disabled
1956
2347
break
1957
2348
elif client.approved is None:
1958
2349
logger.info("Client %s needs approval",
1969
2360
# Emit D-Bus signal
1970
2361
client.Rejected("Denied")
1971
2362
return
1972
1973
#wait until timeout or approved
2363
2364
# wait until timeout or approved
1974
2365
time = datetime.datetime.now()
1975
2366
client.changedstate.acquire()
1976
2367
client.changedstate.wait(delay.total_seconds())
1989
2380
break
1990
2381
else:
1991
2382
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2383
2384
try:
2385
session.send(client.secret)
2386
except gnutls.Error as error:
2387
logger.warning("gnutls send failed",
2388
exc_info=error)
2389
return
2390
2006
2391
logger.info("Sending secret to %s", client.name)
2007
2392
# bump the timeout using extended_timeout
2008
2393
client.bump_timeout(client.extended_timeout)
2009
2394
if self.server.use_dbus:
2010
2395
# Emit D-Bus signal
2011
2396
client.GotSecret()
2012
2397
2013
2398
finally:
2014
2399
if approval_required:
2015
2400
client.approvals_pending -= 1
2016
2401
try:
2017
2402
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2403
except gnutls.Error as error:
2019
2404
logger.warning("GnuTLS bye failed",
2020
2405
exc_info=error)
2021
2406
2022
2407
@staticmethod
2023
2408
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2409
"Return the peer's certificate as a bytestring"
2410
try:
2411
cert_type = gnutls.certificate_type_get2(session._c_object,
2412
gnutls.CTYPE_PEERS)
2413
except AttributeError:
2414
cert_type = gnutls.certificate_type_get(session._c_object)
2415
if gnutls.has_rawpk:
2416
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2417
else:
2418
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2419
# If not a valid certificate type...
2420
if cert_type not in valid_cert_types:
2421
logger.info("Cert type %r not in %r", cert_type,
2422
valid_cert_types)
2423
# ...return invalid data
2424
return b""
2031
2425
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2426
cert_list = (gnutls.certificate_get_peers
2034
2427
(session._c_object, ctypes.byref(list_size)))
2035
2428
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2429
raise gnutls.Error("error getting peer certificate")
2038
2430
if list_size.value == 0:
2039
2431
return None
2040
2432
cert = cert_list[0]
2041
2433
return ctypes.string_at(cert.data, cert.size)
2042
2434
2435
@staticmethod
2436
def key_id(certificate):
2437
"Convert a certificate bytestring to a hexdigit key ID"
2438
# New GnuTLS "datum" with the public key
2439
datum = gnutls.datum_t(
2440
ctypes.cast(ctypes.c_char_p(certificate),
2441
ctypes.POINTER(ctypes.c_ubyte)),
2442
ctypes.c_uint(len(certificate)))
2443
# XXX all these need to be created in the gnutls "module"
2444
# New empty GnuTLS certificate
2445
pubkey = gnutls.pubkey_t()
2446
gnutls.pubkey_init(ctypes.byref(pubkey))
2447
# Import the raw public key into the certificate
2448
gnutls.pubkey_import(pubkey,
2449
ctypes.byref(datum),
2450
gnutls.X509_FMT_DER)
2451
# New buffer for the key ID
2452
buf = ctypes.create_string_buffer(32)
2453
buf_len = ctypes.c_size_t(len(buf))
2454
# Get the key ID from the raw public key into the buffer
2455
gnutls.pubkey_get_key_id(pubkey,
2456
gnutls.KEYID_USE_SHA256,
2457
ctypes.cast(ctypes.byref(buf),
2458
ctypes.POINTER(ctypes.c_ubyte)),
2459
ctypes.byref(buf_len))
2460
# Deinit the certificate
2461
gnutls.pubkey_deinit(pubkey)
2462
2463
# Convert the buffer to a Python bytestring
2464
key_id = ctypes.string_at(buf, buf_len.value)
2465
# Convert the bytestring to hexadecimal notation
2466
hex_key_id = binascii.hexlify(key_id).upper()
2467
return hex_key_id
2468
2043
2469
@staticmethod
2044
2470
def fingerprint(openpgp):
2045
2471
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2472
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2473
datum = gnutls.datum_t(
2048
2474
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2475
ctypes.POINTER(ctypes.c_ubyte)),
2050
2476
ctypes.c_uint(len(openpgp)))
2051
2477
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2478
crt = gnutls.openpgp_crt_t()
2479
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2480
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2481
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2482
gnutls.OPENPGP_FMT_RAW)
2059
2483
# Verify the self signature in the key
2060
2484
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2485
gnutls.openpgp_crt_verify_self(crt, 0,
2486
ctypes.byref(crtverify))
2063
2487
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2488
gnutls.openpgp_crt_deinit(crt)
2489
raise gnutls.CertificateSecurityError(code
2490
=crtverify.value)
2067
2491
# New buffer for the fingerprint
2068
2492
buf = ctypes.create_string_buffer(20)
2069
2493
buf_len = ctypes.c_size_t()
2070
2494
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2495
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2496
ctypes.byref(buf_len))
2073
2497
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2498
gnutls.openpgp_crt_deinit(crt)
2075
2499
# Convert the buffer to a Python bytestring
2076
2500
fpr = ctypes.string_at(buf, buf_len.value)
2077
2501
# Convert the bytestring to hexadecimal notation
2079
2503
return hex_fpr
2080
2504
2081
2505
2082
class MultiprocessingMixIn(object):
2506
class MultiprocessingMixIn:
2083
2507
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2508
2085
2509
def sub_process_main(self, request, address):
2086
2510
try:
2087
2511
self.finish_request(request, address)
2088
2512
except Exception:
2089
2513
self.handle_error(request, address)
2090
2514
self.close_request(request)
2091
2515
2092
2516
def process_request(self, request, address):
2093
2517
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2518
proc = multiprocessing.Process(target=self.sub_process_main,
2519
args=(request, address))
2096
2520
proc.start()
2097
2521
return proc
2098
2522
2099
2523
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2524
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2101
2525
""" adds a pipe to the MixIn """
2102
2526
2103
2527
def process_request(self, request, client_address):
2104
2528
"""Overrides and wraps the original process_request().
2105
2529
2106
2530
This function creates a new pipe in self.pipe
2107
2531
"""
2108
2532
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2533
2110
2534
proc = MultiprocessingMixIn.process_request(self, request,
2111
2535
client_address)
2112
2536
self.child_pipe.close()
2113
2537
self.add_pipe(parent_pipe, proc)
2114
2538
2115
2539
def add_pipe(self, parent_pipe, proc):
2116
2540
"""Dummy function; override as necessary"""
2117
2541
raise NotImplementedError()
2118
2542
2119
2543
2120
2544
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
socketserver.TCPServer, object):
2545
socketserver.TCPServer):
2122
2546
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2547
2124
2548
Attributes:
2125
2549
enabled: Boolean; whether this server is activated yet
2126
2550
interface: None or a network interface name (string)
2127
2551
use_ipv6: Boolean; to use IPv6 or not
2128
2552
"""
2129
2553
2130
2554
def __init__(self, server_address, RequestHandlerClass,
2131
2555
interface=None,
2132
2556
use_ipv6=True,
2142
2566
self.socketfd = socketfd
2143
2567
# Save the original socket.socket() function
2144
2568
self.socket_socket = socket.socket
2569
2145
2570
# To implement --socket, we monkey patch socket.socket.
2146
#
2571
#
2147
2572
# (When socketserver.TCPServer is a new-style class, we
2148
2573
# could make self.socket into a property instead of monkey
2149
2574
# patching socket.socket.)
2150
#
2575
#
2151
2576
# Create a one-time-only replacement for socket.socket()
2152
2577
@functools.wraps(socket.socket)
2153
2578
def socket_wrapper(*args, **kwargs):
2165
2590
# socket_wrapper(), if socketfd was set.
2166
2591
socketserver.TCPServer.__init__(self, server_address,
2167
2592
RequestHandlerClass)
2168
2593
2169
2594
def server_bind(self):
2170
2595
"""This overrides the normal server_bind() function
2171
2596
to bind to an interface if one was specified, and also NOT to
2172
2597
bind to an address or port if they were not specified."""
2598
global SO_BINDTODEVICE
2173
2599
if self.interface is not None:
2174
2600
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2601
# Fall back to a hard-coded value which seems to be
2602
# common enough.
2603
logger.warning("SO_BINDTODEVICE not found, trying 25")
2604
SO_BINDTODEVICE = 25
2605
try:
2606
self.socket.setsockopt(
2607
socket.SOL_SOCKET, SO_BINDTODEVICE,
2608
(self.interface + "\0").encode("utf-8"))
2609
except socket.error as error:
2610
if error.errno == errno.EPERM:
2611
logger.error("No permission to bind to"
2612
" interface %s", self.interface)
2613
elif error.errno == errno.ENOPROTOOPT:
2614
logger.error("SO_BINDTODEVICE not available;"
2615
" cannot bind to interface %s",
2616
self.interface)
2617
elif error.errno == errno.ENODEV:
2618
logger.error("Interface %s does not exist,"
2619
" cannot bind", self.interface)
2620
else:
2621
raise
2196
2622
# Only bind(2) the socket if we really need to.
2197
2623
if self.server_address[0] or self.server_address[1]:
2624
if self.server_address[1]:
2625
self.allow_reuse_address = True
2198
2626
if not self.server_address[0]:
2199
2627
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2628
any_address = "::" # in6addr_any
2201
2629
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2630
any_address = "0.0.0.0" # INADDR_ANY
2203
2631
self.server_address = (any_address,
2204
2632
self.server_address[1])
2205
2633
elif not self.server_address[1]:
2215
2643
2216
2644
class MandosServer(IPv6_TCPServer):
2217
2645
"""Mandos server.
2218
2646
2219
2647
Attributes:
2220
2648
clients: set of Client objects
2221
2649
gnutls_priority GnuTLS priority string
2222
2650
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2651
2652
Assumes a GLib.MainLoop event loop.
2225
2653
"""
2226
2654
2227
2655
def __init__(self, server_address, RequestHandlerClass,
2228
2656
interface=None,
2229
2657
use_ipv6=True,
2239
2667
self.gnutls_priority = gnutls_priority
2240
2668
IPv6_TCPServer.__init__(self, server_address,
2241
2669
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2670
interface=interface,
2671
use_ipv6=use_ipv6,
2672
socketfd=socketfd)
2673
2246
2674
def server_activate(self):
2247
2675
if self.enabled:
2248
2676
return socketserver.TCPServer.server_activate(self)
2249
2677
2250
2678
def enable(self):
2251
2679
self.enabled = True
2252
2680
2253
2681
def add_pipe(self, parent_pipe, proc):
2254
2682
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2683
GLib.io_add_watch(
2684
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2685
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2258
2686
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2687
parent_pipe=parent_pipe,
2688
proc=proc))
2689
2262
2690
def handle_ipc(self, source, condition,
2263
2691
parent_pipe=None,
2264
proc = None,
2692
proc=None,
2265
2693
client_object=None):
2266
2694
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2695
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2696
# Wait for other process to exit
2269
2697
proc.join()
2270
2698
return False
2271
2699
2272
2700
# Read a request from the child
2273
2701
request = parent_pipe.recv()
2274
2702
command = request[0]
2275
2703
2276
2704
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2705
key_id = request[1].decode("ascii")
2706
fpr = request[2].decode("ascii")
2707
address = request[3]
2708
2709
for c in self.clients.values():
2710
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2711
continue
2712
if key_id and c.key_id == key_id:
2713
client = c
2714
break
2715
if fpr and c.fingerprint == fpr:
2282
2716
client = c
2283
2717
break
2284
2718
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2719
logger.info("Client not found for key ID: %s, address"
2720
": %s", key_id or fpr, address)
2287
2721
if self.use_dbus:
2288
2722
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2723
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2724
address[0])
2291
2725
parent_pipe.send(False)
2292
2726
return False
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2727
2728
GLib.io_add_watch(
2729
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2730
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2297
2731
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2732
parent_pipe=parent_pipe,
2733
proc=proc,
2734
client_object=client))
2301
2735
parent_pipe.send(True)
2302
2736
# remove the old hook in favor of the new above hook on
2303
2737
# same fileno
2306
2740
funcname = request[1]
2307
2741
args = request[2]
2308
2742
kwargs = request[3]
2309
2743
2310
2744
parent_pipe.send(('data', getattr(client_object,
2311
2745
funcname)(*args,
2312
2746
**kwargs)))
2313
2747
2314
2748
if command == 'getattr':
2315
2749
attrname = request[1]
2316
2750
if isinstance(client_object.__getattribute__(attrname),
2319
2753
else:
2320
2754
parent_pipe.send((
2321
2755
'data', client_object.__getattribute__(attrname)))
2322
2756
2323
2757
if command == 'setattr':
2324
2758
attrname = request[1]
2325
2759
value = request[2]
2326
2760
setattr(client_object, attrname, value)
2327
2761
2328
2762
return True
2329
2763
2330
2764
2331
2765
def rfc3339_duration_to_delta(duration):
2332
2766
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2767
2768
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2769
True
2770
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2771
True
2772
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2773
True
2774
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2775
True
2776
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2777
True
2778
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2779
True
2780
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2781
True
2348
2782
"""
2349
2783
2350
2784
# Parsing an RFC 3339 duration with regular expressions is not
2351
2785
# possible - there would have to be multiple places for the same
2352
2786
# values, like seconds. The current code, while more esoteric, is
2353
2787
# cleaner without depending on a parsing library. If Python had a
2354
2788
# built-in library for parsing we would use it, but we'd like to
2355
2789
# avoid excessive use of external libraries.
2356
2790
2357
2791
# New type for defining tokens, syntax, and semantics all-in-one
2358
2792
Token = collections.namedtuple("Token", (
2359
2793
"regexp", # To match token; if "value" is not None, must have
2392
2826
frozenset((token_year, token_month,
2393
2827
token_day, token_time,
2394
2828
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2829
# Define starting values:
2830
# Value so far
2831
value = datetime.timedelta()
2397
2832
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2833
# Following valid tokens
2834
followers = frozenset((token_duration, ))
2835
# String left to parse
2836
s = duration
2400
2837
# Loop until end token is found
2401
2838
while found_token is not token_end:
2402
2839
# Search for any currently valid tokens
2426
2863
2427
2864
def string_to_delta(interval):
2428
2865
"""Parse a string and return a datetime.timedelta
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2866
2867
>>> string_to_delta('7d') == datetime.timedelta(7)
2868
True
2869
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2870
True
2871
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2872
True
2873
>>> string_to_delta('24h') == datetime.timedelta(1)
2874
True
2875
>>> string_to_delta('1w') == datetime.timedelta(7)
2876
True
2877
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2878
True
2442
2879
"""
2443
2880
2444
2881
try:
2445
2882
return rfc3339_duration_to_delta(interval)
2446
2883
except ValueError:
2447
2884
pass
2448
2885
2449
2886
timevalue = datetime.timedelta(0)
2450
2887
for s in interval.split():
2451
2888
try:
2469
2906
return timevalue
2470
2907
2471
2908
2472
def daemon(nochdir = False, noclose = False):
2909
def daemon(nochdir=False, noclose=False):
2473
2910
"""See daemon(3). Standard BSD Unix function.
2474
2911
2475
2912
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2913
if os.fork():
2477
2914
sys.exit()
2495
2932
2496
2933
2497
2934
def main():
2498
2935
2499
2936
##################################################################
2500
2937
# Parsing of options, both command line and config file
2501
2938
2502
2939
parser = argparse.ArgumentParser()
2503
2940
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2941
version="%(prog)s {}".format(version),
2505
2942
help="show version number and exit")
2506
2943
parser.add_argument("-i", "--interface", metavar="IF",
2507
2944
help="Bind to interface IF")
2543
2980
parser.add_argument("--no-zeroconf", action="store_false",
2544
2981
dest="zeroconf", help="Do not use Zeroconf",
2545
2982
default=None)
2546
2983
2547
2984
options = parser.parse_args()
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2985
2554
2986
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2987
if gnutls.has_rawpk:
2988
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2989
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2990
else:
2991
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2992
":+SIGN-DSA-SHA256")
2993
server_defaults = {"interface": "",
2994
"address": "",
2995
"port": "",
2996
"debug": "False",
2997
"priority": priority,
2998
"servicename": "Mandos",
2999
"use_dbus": "True",
3000
"use_ipv6": "True",
3001
"debuglevel": "",
3002
"restore": "True",
3003
"socket": "",
3004
"statedir": "/var/lib/mandos",
3005
"foreground": "False",
3006
"zeroconf": "True",
3007
}
3008
del priority
3009
2573
3010
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3011
server_config = configparser.ConfigParser(server_defaults)
2575
3012
del server_defaults
2576
3013
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3014
# Convert the ConfigParser object to a dict
2578
3015
server_settings = server_config.defaults()
2579
3016
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3017
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3018
"foreground", "zeroconf"):
2581
3019
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3020
option)
2583
3021
if server_settings["port"]:
2593
3031
server_settings["socket"] = os.dup(server_settings
2594
3032
["socket"])
2595
3033
del server_config
2596
3034
2597
3035
# Override the settings from the config file with command line
2598
3036
# options, if set.
2599
3037
for option in ("interface", "address", "port", "debug",
2617
3055
if server_settings["debug"]:
2618
3056
server_settings["foreground"] = True
2619
3057
# Now we have our good server settings in "server_settings"
2620
3058
2621
3059
##################################################################
2622
3060
2623
3061
if (not server_settings["zeroconf"]
2624
3062
and not (server_settings["port"]
2625
3063
or server_settings["socket"] != "")):
2626
3064
parser.error("Needs port or socket to work without Zeroconf")
2627
3065
2628
3066
# For convenience
2629
3067
debug = server_settings["debug"]
2630
3068
debuglevel = server_settings["debuglevel"]
2634
3072
stored_state_file)
2635
3073
foreground = server_settings["foreground"]
2636
3074
zeroconf = server_settings["zeroconf"]
2637
3075
2638
3076
if debug:
2639
3077
initlogger(debug, logging.DEBUG)
2640
3078
else:
2643
3081
else:
2644
3082
level = getattr(logging, debuglevel.upper())
2645
3083
initlogger(debug, level)
2646
3084
2647
3085
if server_settings["servicename"] != "Mandos":
2648
3086
syslogger.setFormatter(
2649
3087
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3088
' %(levelname)s: %(message)s'.format(
2651
3089
server_settings["servicename"])))
2652
3090
2653
3091
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3092
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3093
client_config.read(os.path.join(server_settings["configdir"],
2657
3094
"clients.conf"))
2658
3095
2659
3096
global mandos_dbus_service
2660
3097
mandos_dbus_service = None
2661
3098
2662
3099
socketfd = None
2663
3100
if server_settings["socket"] != "":
2664
3101
socketfd = server_settings["socket"]
2680
3117
except IOError as e:
2681
3118
logger.error("Could not open file %r", pidfilename,
2682
3119
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3120
3121
for name, group in (("_mandos", "_mandos"),
3122
("mandos", "mandos"),
3123
("nobody", "nogroup")):
2685
3124
try:
2686
3125
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3126
gid = pwd.getpwnam(group).pw_gid
2688
3127
break
2689
3128
except KeyError:
2690
3129
continue
2694
3133
try:
2695
3134
os.setgid(gid)
2696
3135
os.setuid(uid)
3136
if debug:
3137
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3138
gid))
2697
3139
except OSError as error:
3140
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3141
.format(uid, gid, os.strerror(error.errno)))
2698
3142
if error.errno != errno.EPERM:
2699
3143
raise
2700
3144
2701
3145
if debug:
2702
3146
# Enable all possible GnuTLS debugging
2703
3147
2704
3148
# "Use a log level over 10 to enable all debugging options."
2705
3149
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3150
gnutls.global_set_log_level(11)
3151
3152
@gnutls.log_func
2709
3153
def debug_gnutls(level, string):
2710
3154
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3155
3156
gnutls.global_set_log_function(debug_gnutls)
3157
2715
3158
# Redirect stdin so all checkers get /dev/null
2716
3159
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3160
os.dup2(null, sys.stdin.fileno())
2718
3161
if null > 2:
2719
3162
os.close(null)
2720
3163
2721
3164
# Need to fork before connecting to D-Bus
2722
3165
if not foreground:
2723
3166
# Close all input and output, do double fork, etc.
2724
3167
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3168
3169
if gi.version_info < (3, 10, 2):
3170
# multiprocessing will use threads, so before we use GLib we
3171
# need to inform GLib that threads will be used.
3172
GLib.threads_init()
3173
2730
3174
global main_loop
2731
3175
# From the Avahi example code
2732
3176
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3177
main_loop = GLib.MainLoop()
2734
3178
bus = dbus.SystemBus()
2735
3179
# End of Avahi example code
2736
3180
if use_dbus:
2749
3193
if zeroconf:
2750
3194
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3195
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3196
name=server_settings["servicename"],
3197
servicetype="_mandos._tcp",
3198
protocol=protocol,
3199
bus=bus)
2756
3200
if server_settings["interface"]:
2757
3201
service.interface = if_nametoindex(
2758
3202
server_settings["interface"].encode("utf-8"))
2759
3203
2760
3204
global multiprocessing_manager
2761
3205
multiprocessing_manager = multiprocessing.Manager()
2762
3206
2763
3207
client_class = Client
2764
3208
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3209
client_class = functools.partial(ClientDBus, bus=bus)
3210
2767
3211
client_settings = Client.config_parser(client_config)
2768
3212
old_client_settings = {}
2769
3213
clients_data = {}
2770
3214
2771
3215
# This is used to redirect stdout and stderr for checker processes
2772
3216
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3217
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3218
# Only used if server is running in foreground but not in debug
2775
3219
# mode
2776
3220
if debug or not foreground:
2777
3221
wnull.close()
2778
3222
2779
3223
# Get client data and settings from last running state.
2780
3224
if server_settings["restore"]:
2781
3225
try:
2782
3226
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3227
if sys.version_info.major == 2:
3228
clients_data, old_client_settings = pickle.load(
3229
stored_state)
3230
else:
3231
bytes_clients_data, bytes_old_client_settings = (
3232
pickle.load(stored_state, encoding="bytes"))
3233
# Fix bytes to strings
3234
# clients_data
3235
# .keys()
3236
clients_data = {(key.decode("utf-8")
3237
if isinstance(key, bytes)
3238
else key): value
3239
for key, value in
3240
bytes_clients_data.items()}
3241
del bytes_clients_data
3242
for key in clients_data:
3243
value = {(k.decode("utf-8")
3244
if isinstance(k, bytes) else k): v
3245
for k, v in
3246
clients_data[key].items()}
3247
clients_data[key] = value
3248
# .client_structure
3249
value["client_structure"] = [
3250
(s.decode("utf-8")
3251
if isinstance(s, bytes)
3252
else s) for s in
3253
value["client_structure"]]
3254
# .name, .host, and .checker_command
3255
for k in ("name", "host", "checker_command"):
3256
if isinstance(value[k], bytes):
3257
value[k] = value[k].decode("utf-8")
3258
if "key_id" not in value:
3259
value["key_id"] = ""
3260
elif "fingerprint" not in value:
3261
value["fingerprint"] = ""
3262
# old_client_settings
3263
# .keys()
3264
old_client_settings = {
3265
(key.decode("utf-8")
3266
if isinstance(key, bytes)
3267
else key): value
3268
for key, value in
3269
bytes_old_client_settings.items()}
3270
del bytes_old_client_settings
3271
# .host and .checker_command
3272
for value in old_client_settings.values():
3273
for attribute in ("host", "checker_command"):
3274
if isinstance(value[attribute], bytes):
3275
value[attribute] = (value[attribute]
3276
.decode("utf-8"))
2785
3277
os.remove(stored_state_path)
2786
3278
except IOError as e:
2787
3279
if e.errno == errno.ENOENT:
2795
3287
logger.warning("Could not load persistent state: "
2796
3288
"EOFError:",
2797
3289
exc_info=e)
2798
3290
2799
3291
with PGPEngine() as pgp:
2800
3292
for client_name, client in clients_data.items():
2801
3293
# Skip removed clients
2802
3294
if client_name not in client_settings:
2803
3295
continue
2804
3296
2805
3297
# Decide which value to use after restoring saved state.
2806
3298
# We have three different values: Old config file,
2807
3299
# new config file, and saved state.
2818
3310
client[name] = value
2819
3311
except KeyError:
2820
3312
pass
2821
3313
2822
3314
# Clients who has passed its expire date can still be
2823
3315
# enabled if its last checker was successful. A Client
2824
3316
# whose checker succeeded before we stored its state is
2857
3349
client_name))
2858
3350
client["secret"] = (client_settings[client_name]
2859
3351
["secret"])
2860
3352
2861
3353
# Add/remove clients based on new changes made to config
2862
3354
for client_name in (set(old_client_settings)
2863
3355
- set(client_settings)):
2865
3357
for client_name in (set(client_settings)
2866
3358
- set(old_client_settings)):
2867
3359
clients_data[client_name] = client_settings[client_name]
2868
3360
2869
3361
# Create all client objects
2870
3362
for client_name, client in clients_data.items():
2871
3363
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3364
name=client_name,
3365
settings=client,
3366
server_settings=server_settings)
3367
2876
3368
if not tcp_server.clients:
2877
3369
logger.warning("No clients defined")
2878
3370
2879
3371
if not foreground:
2880
3372
if pidfile is not None:
2881
3373
pid = os.getpid()
2887
3379
pidfilename, pid)
2888
3380
del pidfile
2889
3381
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3382
3383
for termsig in (signal.SIGHUP, signal.SIGTERM):
3384
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3385
lambda: main_loop.quit() and False)
3386
2894
3387
if use_dbus:
2895
3388
2896
3389
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3390
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3391
class MandosDBusService(DBusObjectWithObjectManager):
2899
3392
"""A D-Bus proxy object"""
2900
3393
2901
3394
def __init__(self):
2902
3395
dbus.service.Object.__init__(self, bus, "/")
2903
3396
2904
3397
_interface = "se.recompile.Mandos"
2905
3398
2906
3399
@dbus.service.signal(_interface, signature="o")
2907
3400
def ClientAdded(self, objpath):
2908
3401
"D-Bus signal"
2909
3402
pass
2910
3403
2911
3404
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3405
def ClientNotFound(self, key_id, address):
2913
3406
"D-Bus signal"
2914
3407
pass
2915
3408
2916
3409
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3410
"true"})
2918
3411
@dbus.service.signal(_interface, signature="os")
2919
3412
def ClientRemoved(self, objpath, name):
2920
3413
"D-Bus signal"
2921
3414
pass
2922
3415
2923
3416
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3417
"true"})
2925
3418
@dbus.service.method(_interface, out_signature="ao")
2926
3419
def GetAllClients(self):
2927
3420
"D-Bus method"
2928
3421
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3422
tcp_server.clients.values())
3423
2931
3424
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3425
"true"})
2933
3426
@dbus.service.method(_interface,
2935
3428
def GetAllClientsWithProperties(self):
2936
3429
"D-Bus method"
2937
3430
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3431
{c.dbus_object_path: c.GetAll(
2939
3432
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3433
for c in tcp_server.clients.values()},
2941
3434
signature="oa{sv}")
2942
3435
2943
3436
@dbus.service.method(_interface, in_signature="o")
2944
3437
def RemoveClient(self, object_path):
2945
3438
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3439
for c in tcp_server.clients.values():
2947
3440
if c.dbus_object_path == object_path:
2948
3441
del tcp_server.clients[c.name]
2949
3442
c.remove_from_connection()
2953
3446
self.client_removed_signal(c)
2954
3447
return
2955
3448
raise KeyError(object_path)
2956
3449
2957
3450
del _interface
2958
3451
2959
3452
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3453
out_signature="a{oa{sa{sv}}}")
2961
3454
def GetManagedObjects(self):
2962
3455
"""D-Bus method"""
2963
3456
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3457
{client.dbus_object_path:
3458
dbus.Dictionary(
3459
{interface: client.GetAll(interface)
3460
for interface in
3461
client._get_all_interface_names()})
3462
for client in tcp_server.clients.values()})
3463
2971
3464
def client_added_signal(self, client):
2972
3465
"""Send the new standard signal and the old signal"""
2973
3466
if use_dbus:
2975
3468
self.InterfacesAdded(
2976
3469
client.dbus_object_path,
2977
3470
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3471
{interface: client.GetAll(interface)
3472
for interface in
3473
client._get_all_interface_names()}))
2981
3474
# Old signal
2982
3475
self.ClientAdded(client.dbus_object_path)
2983
3476
2984
3477
def client_removed_signal(self, client):
2985
3478
"""Send the new standard signal and the old signal"""
2986
3479
if use_dbus:
2991
3484
# Old signal
2992
3485
self.ClientRemoved(client.dbus_object_path,
2993
3486
client.name)
2994
3487
2995
3488
mandos_dbus_service = MandosDBusService()
2996
3489
3490
# Save modules to variables to exempt the modules from being
3491
# unloaded before the function registered with atexit() is run.
3492
mp = multiprocessing
3493
wn = wnull
3494
2997
3495
def cleanup():
2998
3496
"Cleanup function; run on exit"
2999
3497
if zeroconf:
3000
3498
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3499
3500
mp.active_children()
3501
wn.close()
3004
3502
if not (tcp_server.clients or client_settings):
3005
3503
return
3006
3504
3007
3505
# Store client before exiting. Secrets are encrypted with key
3008
3506
# based on what config file has. If config file is
3009
3507
# removed/edited, old secret will thus be unrecovable.
3010
3508
clients = {}
3011
3509
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3510
for client in tcp_server.clients.values():
3013
3511
key = client_settings[client.name]["secret"]
3014
3512
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3513
key)
3016
3514
client_dict = {}
3017
3515
3018
3516
# A list of attributes that can not be pickled
3019
3517
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3518
exclude = {"bus", "changedstate", "secret",
3519
"checker", "server_settings"}
3022
3520
for name, typ in inspect.getmembers(dbus.service
3023
3521
.Object):
3024
3522
exclude.add(name)
3025
3523
3026
3524
client_dict["encrypted_secret"] = (client
3027
3525
.encrypted_secret)
3028
3526
for attr in client.client_structure:
3029
3527
if attr not in exclude:
3030
3528
client_dict[attr] = getattr(client, attr)
3031
3529
3032
3530
clients[client.name] = client_dict
3033
3531
del client_settings[client.name]["secret"]
3034
3532
3035
3533
try:
3036
3534
with tempfile.NamedTemporaryFile(
3037
3535
mode='wb',
3039
3537
prefix='clients-',
3040
3538
dir=os.path.dirname(stored_state_path),
3041
3539
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3540
pickle.dump((clients, client_settings), stored_state,
3541
protocol=2)
3043
3542
tempname = stored_state.name
3044
3543
os.rename(tempname, stored_state_path)
3045
3544
except (IOError, OSError) as e:
3055
3554
logger.warning("Could not save persistent state:",
3056
3555
exc_info=e)
3057
3556
raise
3058
3557
3059
3558
# Delete all clients, and settings from config
3060
3559
while tcp_server.clients:
3061
3560
name, client = tcp_server.clients.popitem()
3064
3563
# Don't signal the disabling
3065
3564
client.disable(quiet=True)
3066
3565
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3566
if use_dbus:
3567
mandos_dbus_service.client_removed_signal(client)
3068
3568
client_settings.clear()
3069
3569
3070
3570
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3571
3572
for client in tcp_server.clients.values():
3073
3573
if use_dbus:
3074
3574
# Emit D-Bus signal for adding
3075
3575
mandos_dbus_service.client_added_signal(client)
3076
3576
# Need to initiate checking of clients
3077
3577
if client.enabled:
3078
3578
client.init_checker()
3079
3579
3080
3580
tcp_server.enable()
3081
3581
tcp_server.server_activate()
3082
3582
3083
3583
# Find out what port we got
3084
3584
if zeroconf:
3085
3585
service.port = tcp_server.socket.getsockname()[1]
3090
3590
else: # IPv4
3091
3591
logger.info("Now listening on address %r, port %d",
3092
3592
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3593
3594
# service.interface = tcp_server.socket.getsockname()[3]
3595
3096
3596
try:
3097
3597
if zeroconf:
3098
3598
# From the Avahi example code
3103
3603
cleanup()
3104
3604
sys.exit(1)
3105
3605
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3606
3607
GLib.io_add_watch(
3608
GLib.IOChannel.unix_new(tcp_server.fileno()),
3609
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3610
lambda *args, **kwargs: (tcp_server.handle_request
3611
(*args[2:], **kwargs) or True))
3612
3112
3613
logger.debug("Starting main loop")
3113
3614
main_loop.run()
3114
3615
except AvahiError as error:
3123
3624
# Must run before the D-Bus bus name gets deregistered
3124
3625
cleanup()
3125
3626
3627
3628
def should_only_run_tests():
3629
parser = argparse.ArgumentParser(add_help=False)
3630
parser.add_argument("--check", action='store_true')
3631
args, unknown_args = parser.parse_known_args()
3632
run_tests = args.check
3633
if run_tests:
3634
# Remove --check argument from sys.argv
3635
sys.argv[1:] = unknown_args
3636
return run_tests
3637
3638
# Add all tests from doctest strings
3639
def load_tests(loader, tests, none):
3640
import doctest
3641
tests.addTests(doctest.DocTestSuite())
3642
return tests
3126
3643
3127
3644
if __name__ == '__main__':
3128
main()
3645
try:
3646
if should_only_run_tests():
3647
# Call using ./mandos --check [--verbose]
3648
unittest.main()
3649
else:
3650
main()
3651
finally:
3652
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0