To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.7.751
- compare with another revision
- download diff
- download tarball
- view history from revision 237.7.751
- Committer: teddy at recompile
- Date: 2020-02-07 20:53:34 UTC
- mto: This revision was merged to the branch mainline in revision 396.
- Revision ID: teddy@recompile.se-20200207205334-dp41p8c8vw0ytik5
Allow users to more easily alter mandos.service
The sysvinit script uses /etc/default/mandos as an environment file,
and supports adding additional server options to a DAEMON_ARGS
environment variable. This should be supported by the systemd
service, too.
* mandos.service ([Service]/EnvironmentFile): New; set to
"/etc/default/mandos ".
([Service]/ExecStart): Append "$DAEMON_ARGS".
The sysvinit script uses /etc/default/mandos as an environment file,
and supports adding additional server options to a DAEMON_ARGS
environment variable. This should be supported by the systemd
service, too.
* mandos.service ([Service]/EnvironmentFile): New; set to
"/etc/default/mandos ".
([Service]/ExecStart): Append "$DAEMON_ARGS".
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
81
import random
82
82
83
83
import dbus
84
84
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
85
import gi
86
from gi.repository import GLib
90
87
from dbus.mainloop.glib import DBusGMainLoop
91
88
import ctypes
92
89
import ctypes.util
93
90
import xml.dom.minidom
94
91
import inspect
95
92
96
try:
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
97
# Add collections.abc.Callable if it does not exist
98
try:
99
collections.abc.Callable
100
except AttributeError:
101
class abc:
102
Callable = collections.Callable
103
collections.abc = abc
104
del abc
105
106
# Show warnings by default
107
if not sys.warnoptions:
108
import warnings
109
warnings.simplefilter("default")
110
111
# Try to find the value of SO_BINDTODEVICE:
112
try:
113
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
114
# newer, and it is also the most natural place for it:
97
115
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
116
except AttributeError:
99
117
try:
118
# This is where SO_BINDTODEVICE was up to and including Python
119
# 2.6, and also 3.2:
100
120
from IN import SO_BINDTODEVICE
101
121
except ImportError:
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.7.0"
122
# In Python 2.7 it seems to have been removed entirely.
123
# Try running the C preprocessor:
124
try:
125
cc = subprocess.Popen(["cc", "--language=c", "-E",
126
"/dev/stdin"],
127
stdin=subprocess.PIPE,
128
stdout=subprocess.PIPE)
129
stdout = cc.communicate(
130
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
131
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
132
except (OSError, ValueError, IndexError):
133
# No value found
134
SO_BINDTODEVICE = None
135
136
if sys.version_info < (3, 2):
137
configparser.Configparser = configparser.SafeConfigParser
138
139
version = "1.8.9"
108
140
stored_state_file = "clients.pickle"
109
141
110
142
logger = logging.getLogger()
143
logging.captureWarnings(True) # Show warnings via the logging system
111
144
syslogger = None
112
145
113
146
try:
114
147
if_nametoindex = ctypes.cdll.LoadLibrary(
115
148
ctypes.util.find_library("c")).if_nametoindex
116
149
except (OSError, AttributeError):
117
150
118
151
def if_nametoindex(interface):
119
152
"Get an interface index the hard way, i.e. using fcntl()"
120
153
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
158
return interface_index
126
159
127
160
161
def copy_function(func):
162
"""Make a copy of a function"""
163
if sys.version_info.major == 2:
164
return types.FunctionType(func.func_code,
165
func.func_globals,
166
func.func_name,
167
func.func_defaults,
168
func.func_closure)
169
else:
170
return types.FunctionType(func.__code__,
171
func.__globals__,
172
func.__name__,
173
func.__defaults__,
174
func.__closure__)
175
176
128
177
def initlogger(debug, level=logging.WARNING):
129
178
"""init logger and add loglevel"""
130
179
131
180
global syslogger
132
181
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
182
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
183
address="/dev/log"))
135
184
syslogger.setFormatter(logging.Formatter
136
185
('Mandos [%(process)d]: %(levelname)s:'
137
186
' %(message)s'))
138
187
logger.addHandler(syslogger)
139
188
140
189
if debug:
141
190
console = logging.StreamHandler()
142
191
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
201
pass
153
202
154
203
155
class PGPEngine(object):
204
class PGPEngine:
156
205
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
206
158
207
def __init__(self):
159
208
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
209
self.gpg = "gpg"
210
try:
211
output = subprocess.check_output(["gpgconf"])
212
for line in output.splitlines():
213
name, text, path = line.split(b":")
214
if name == b"gpg":
215
self.gpg = path
216
break
217
except OSError as e:
218
if e.errno != errno.ENOENT:
219
raise
160
220
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
221
'--homedir', self.tempdir,
162
222
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
223
'--quiet']
224
# Only GPG version 1 has the --no-use-agent option.
225
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
226
self.gnupgargs.append("--no-use-agent")
227
166
228
def __enter__(self):
167
229
return self
168
230
169
231
def __exit__(self, exc_type, exc_value, traceback):
170
232
self._cleanup()
171
233
return False
172
234
173
235
def __del__(self):
174
236
self._cleanup()
175
237
176
238
def _cleanup(self):
177
239
if self.tempdir is not None:
178
240
# Delete contents of tempdir
179
241
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
242
topdown=False):
181
243
for filename in files:
182
244
os.remove(os.path.join(root, filename))
183
245
for dirname in dirs:
185
247
# Remove tempdir
186
248
os.rmdir(self.tempdir)
187
249
self.tempdir = None
188
250
189
251
def password_encode(self, password):
190
252
# Passphrase can not be empty and can not contain newlines or
191
253
# NUL bytes. So we prefix it and hex encode it.
196
258
.replace(b"\n", b"\\n")
197
259
.replace(b"\0", b"\\x00"))
198
260
return encoded
199
261
200
262
def encrypt(self, data, password):
201
263
passphrase = self.password_encode(password)
202
264
with tempfile.NamedTemporaryFile(
203
265
dir=self.tempdir) as passfile:
204
266
passfile.write(passphrase)
205
267
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
268
proc = subprocess.Popen([self.gpg, '--symmetric',
207
269
'--passphrase-file',
208
270
passfile.name]
209
271
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
272
stdin=subprocess.PIPE,
273
stdout=subprocess.PIPE,
274
stderr=subprocess.PIPE)
275
ciphertext, err = proc.communicate(input=data)
214
276
if proc.returncode != 0:
215
277
raise PGPError(err)
216
278
return ciphertext
217
279
218
280
def decrypt(self, data, password):
219
281
passphrase = self.password_encode(password)
220
282
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
283
dir=self.tempdir) as passfile:
222
284
passfile.write(passphrase)
223
285
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
286
proc = subprocess.Popen([self.gpg, '--decrypt',
225
287
'--passphrase-file',
226
288
passfile.name]
227
289
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
290
stdin=subprocess.PIPE,
291
stdout=subprocess.PIPE,
292
stderr=subprocess.PIPE)
293
decrypted_plaintext, err = proc.communicate(input=data)
232
294
if proc.returncode != 0:
233
295
raise PGPError(err)
234
296
return decrypted_plaintext
235
297
236
298
299
# Pretend that we have an Avahi module
300
class avahi:
301
"""This isn't so much a class as it is a module-like namespace."""
302
IF_UNSPEC = -1 # avahi-common/address.h
303
PROTO_UNSPEC = -1 # avahi-common/address.h
304
PROTO_INET = 0 # avahi-common/address.h
305
PROTO_INET6 = 1 # avahi-common/address.h
306
DBUS_NAME = "org.freedesktop.Avahi"
307
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
308
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
309
DBUS_PATH_SERVER = "/"
310
311
@staticmethod
312
def string_array_to_txt_array(t):
313
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
314
for s in t), signature="ay")
315
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
316
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
317
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
318
SERVER_INVALID = 0 # avahi-common/defs.h
319
SERVER_REGISTERING = 1 # avahi-common/defs.h
320
SERVER_RUNNING = 2 # avahi-common/defs.h
321
SERVER_COLLISION = 3 # avahi-common/defs.h
322
SERVER_FAILURE = 4 # avahi-common/defs.h
323
324
237
325
class AvahiError(Exception):
238
326
def __init__(self, value, *args, **kwargs):
239
327
self.value = value
249
337
pass
250
338
251
339
252
class AvahiService(object):
340
class AvahiService:
253
341
"""An Avahi (Zeroconf) service.
254
342
255
343
Attributes:
256
344
interface: integer; avahi.IF_UNSPEC or an interface index.
257
345
Used to optionally bind to the specified interface.
269
357
server: D-Bus Server
270
358
bus: dbus.SystemBus()
271
359
"""
272
360
273
361
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
362
interface=avahi.IF_UNSPEC,
363
name=None,
364
servicetype=None,
365
port=None,
366
TXT=None,
367
domain="",
368
host="",
369
max_renames=32768,
370
protocol=avahi.PROTO_UNSPEC,
371
bus=None):
284
372
self.interface = interface
285
373
self.name = name
286
374
self.type = servicetype
295
383
self.server = None
296
384
self.bus = bus
297
385
self.entry_group_state_changed_match = None
298
386
299
387
def rename(self, remove=True):
300
388
"""Derived from the Avahi example code"""
301
389
if self.rename_count >= self.max_renames:
321
409
logger.critical("D-Bus Exception", exc_info=error)
322
410
self.cleanup()
323
411
os._exit(1)
324
412
325
413
def remove(self):
326
414
"""Derived from the Avahi example code"""
327
415
if self.entry_group_state_changed_match is not None:
329
417
self.entry_group_state_changed_match = None
330
418
if self.group is not None:
331
419
self.group.Reset()
332
420
333
421
def add(self):
334
422
"""Derived from the Avahi example code"""
335
423
self.remove()
352
440
dbus.UInt16(self.port),
353
441
avahi.string_array_to_txt_array(self.TXT))
354
442
self.group.Commit()
355
443
356
444
def entry_group_state_changed(self, state, error):
357
445
"""Derived from the Avahi example code"""
358
446
logger.debug("Avahi entry group state change: %i", state)
359
447
360
448
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
449
logger.debug("Zeroconf service established.")
362
450
elif state == avahi.ENTRY_GROUP_COLLISION:
366
454
logger.critical("Avahi: Error in group state changed %s",
367
455
str(error))
368
456
raise AvahiGroupError("State changed: {!s}".format(error))
369
457
370
458
def cleanup(self):
371
459
"""Derived from the Avahi example code"""
372
460
if self.group is not None:
377
465
pass
378
466
self.group = None
379
467
self.remove()
380
468
381
469
def server_state_changed(self, state, error=None):
382
470
"""Derived from the Avahi example code"""
383
471
logger.debug("Avahi server state change: %i", state)
412
500
logger.debug("Unknown state: %r", state)
413
501
else:
414
502
logger.debug("Unknown state: %r: %r", state, error)
415
503
416
504
def activate(self):
417
505
"""Derived from the Avahi example code"""
418
506
if self.server is None:
429
517
class AvahiServiceToSyslog(AvahiService):
430
518
def rename(self, *args, **kwargs):
431
519
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
520
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
521
syslogger.setFormatter(logging.Formatter(
434
522
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
523
.format(self.name)))
436
524
return ret
437
525
526
527
# Pretend that we have a GnuTLS module
528
class gnutls:
529
"""This isn't so much a class as it is a module-like namespace."""
530
531
library = ctypes.util.find_library("gnutls")
532
if library is None:
533
library = ctypes.util.find_library("gnutls-deb0")
534
_library = ctypes.cdll.LoadLibrary(library)
535
del library
536
537
# Unless otherwise indicated, the constants and types below are
538
# all from the gnutls/gnutls.h C header file.
539
540
# Constants
541
E_SUCCESS = 0
542
E_INTERRUPTED = -52
543
E_AGAIN = -28
544
CRT_OPENPGP = 2
545
CRT_RAWPK = 3
546
CLIENT = 2
547
SHUT_RDWR = 0
548
CRD_CERTIFICATE = 1
549
E_NO_CERTIFICATE_FOUND = -49
550
X509_FMT_DER = 0
551
NO_TICKETS = 1<<10
552
ENABLE_RAWPK = 1<<18
553
CTYPE_PEERS = 3
554
KEYID_USE_SHA256 = 1 # gnutls/x509.h
555
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
556
557
# Types
558
class session_int(ctypes.Structure):
559
_fields_ = []
560
session_t = ctypes.POINTER(session_int)
561
562
class certificate_credentials_st(ctypes.Structure):
563
_fields_ = []
564
certificate_credentials_t = ctypes.POINTER(
565
certificate_credentials_st)
566
certificate_type_t = ctypes.c_int
567
568
class datum_t(ctypes.Structure):
569
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
570
('size', ctypes.c_uint)]
571
572
class openpgp_crt_int(ctypes.Structure):
573
_fields_ = []
574
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
575
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
576
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
577
credentials_type_t = ctypes.c_int
578
transport_ptr_t = ctypes.c_void_p
579
close_request_t = ctypes.c_int
580
581
# Exceptions
582
class Error(Exception):
583
def __init__(self, message=None, code=None, args=()):
584
# Default usage is by a message string, but if a return
585
# code is passed, convert it to a string with
586
# gnutls.strerror()
587
self.code = code
588
if message is None and code is not None:
589
message = gnutls.strerror(code)
590
return super(gnutls.Error, self).__init__(
591
message, *args)
592
593
class CertificateSecurityError(Error):
594
pass
595
596
# Classes
597
class Credentials:
598
def __init__(self):
599
self._c_object = gnutls.certificate_credentials_t()
600
gnutls.certificate_allocate_credentials(
601
ctypes.byref(self._c_object))
602
self.type = gnutls.CRD_CERTIFICATE
603
604
def __del__(self):
605
gnutls.certificate_free_credentials(self._c_object)
606
607
class ClientSession:
608
def __init__(self, socket, credentials=None):
609
self._c_object = gnutls.session_t()
610
gnutls_flags = gnutls.CLIENT
611
if gnutls.check_version(b"3.5.6"):
612
gnutls_flags |= gnutls.NO_TICKETS
613
if gnutls.has_rawpk:
614
gnutls_flags |= gnutls.ENABLE_RAWPK
615
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
616
del gnutls_flags
617
gnutls.set_default_priority(self._c_object)
618
gnutls.transport_set_ptr(self._c_object, socket.fileno())
619
gnutls.handshake_set_private_extensions(self._c_object,
620
True)
621
self.socket = socket
622
if credentials is None:
623
credentials = gnutls.Credentials()
624
gnutls.credentials_set(self._c_object, credentials.type,
625
ctypes.cast(credentials._c_object,
626
ctypes.c_void_p))
627
self.credentials = credentials
628
629
def __del__(self):
630
gnutls.deinit(self._c_object)
631
632
def handshake(self):
633
return gnutls.handshake(self._c_object)
634
635
def send(self, data):
636
data = bytes(data)
637
data_len = len(data)
638
while data_len > 0:
639
data_len -= gnutls.record_send(self._c_object,
640
data[-data_len:],
641
data_len)
642
643
def bye(self):
644
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
645
646
# Error handling functions
647
def _error_code(result):
648
"""A function to raise exceptions on errors, suitable
649
for the 'restype' attribute on ctypes functions"""
650
if result >= 0:
651
return result
652
if result == gnutls.E_NO_CERTIFICATE_FOUND:
653
raise gnutls.CertificateSecurityError(code=result)
654
raise gnutls.Error(code=result)
655
656
def _retry_on_error(result, func, arguments):
657
"""A function to retry on some errors, suitable
658
for the 'errcheck' attribute on ctypes functions"""
659
while result < 0:
660
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
661
return _error_code(result)
662
result = func(*arguments)
663
return result
664
665
# Unless otherwise indicated, the function declarations below are
666
# all from the gnutls/gnutls.h C header file.
667
668
# Functions
669
priority_set_direct = _library.gnutls_priority_set_direct
670
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
671
ctypes.POINTER(ctypes.c_char_p)]
672
priority_set_direct.restype = _error_code
673
674
init = _library.gnutls_init
675
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
676
init.restype = _error_code
677
678
set_default_priority = _library.gnutls_set_default_priority
679
set_default_priority.argtypes = [session_t]
680
set_default_priority.restype = _error_code
681
682
record_send = _library.gnutls_record_send
683
record_send.argtypes = [session_t, ctypes.c_void_p,
684
ctypes.c_size_t]
685
record_send.restype = ctypes.c_ssize_t
686
record_send.errcheck = _retry_on_error
687
688
certificate_allocate_credentials = (
689
_library.gnutls_certificate_allocate_credentials)
690
certificate_allocate_credentials.argtypes = [
691
ctypes.POINTER(certificate_credentials_t)]
692
certificate_allocate_credentials.restype = _error_code
693
694
certificate_free_credentials = (
695
_library.gnutls_certificate_free_credentials)
696
certificate_free_credentials.argtypes = [
697
certificate_credentials_t]
698
certificate_free_credentials.restype = None
699
700
handshake_set_private_extensions = (
701
_library.gnutls_handshake_set_private_extensions)
702
handshake_set_private_extensions.argtypes = [session_t,
703
ctypes.c_int]
704
handshake_set_private_extensions.restype = None
705
706
credentials_set = _library.gnutls_credentials_set
707
credentials_set.argtypes = [session_t, credentials_type_t,
708
ctypes.c_void_p]
709
credentials_set.restype = _error_code
710
711
strerror = _library.gnutls_strerror
712
strerror.argtypes = [ctypes.c_int]
713
strerror.restype = ctypes.c_char_p
714
715
certificate_type_get = _library.gnutls_certificate_type_get
716
certificate_type_get.argtypes = [session_t]
717
certificate_type_get.restype = _error_code
718
719
certificate_get_peers = _library.gnutls_certificate_get_peers
720
certificate_get_peers.argtypes = [session_t,
721
ctypes.POINTER(ctypes.c_uint)]
722
certificate_get_peers.restype = ctypes.POINTER(datum_t)
723
724
global_set_log_level = _library.gnutls_global_set_log_level
725
global_set_log_level.argtypes = [ctypes.c_int]
726
global_set_log_level.restype = None
727
728
global_set_log_function = _library.gnutls_global_set_log_function
729
global_set_log_function.argtypes = [log_func]
730
global_set_log_function.restype = None
731
732
deinit = _library.gnutls_deinit
733
deinit.argtypes = [session_t]
734
deinit.restype = None
735
736
handshake = _library.gnutls_handshake
737
handshake.argtypes = [session_t]
738
handshake.restype = _error_code
739
handshake.errcheck = _retry_on_error
740
741
transport_set_ptr = _library.gnutls_transport_set_ptr
742
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
743
transport_set_ptr.restype = None
744
745
bye = _library.gnutls_bye
746
bye.argtypes = [session_t, close_request_t]
747
bye.restype = _error_code
748
bye.errcheck = _retry_on_error
749
750
check_version = _library.gnutls_check_version
751
check_version.argtypes = [ctypes.c_char_p]
752
check_version.restype = ctypes.c_char_p
753
754
_need_version = b"3.3.0"
755
if check_version(_need_version) is None:
756
raise self.Error("Needs GnuTLS {} or later"
757
.format(_need_version))
758
759
_tls_rawpk_version = b"3.6.6"
760
has_rawpk = bool(check_version(_tls_rawpk_version))
761
762
if has_rawpk:
763
# Types
764
class pubkey_st(ctypes.Structure):
765
_fields = []
766
pubkey_t = ctypes.POINTER(pubkey_st)
767
768
x509_crt_fmt_t = ctypes.c_int
769
770
# All the function declarations below are from gnutls/abstract.h
771
pubkey_init = _library.gnutls_pubkey_init
772
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
773
pubkey_init.restype = _error_code
774
775
pubkey_import = _library.gnutls_pubkey_import
776
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
777
x509_crt_fmt_t]
778
pubkey_import.restype = _error_code
779
780
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
781
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
782
ctypes.POINTER(ctypes.c_ubyte),
783
ctypes.POINTER(ctypes.c_size_t)]
784
pubkey_get_key_id.restype = _error_code
785
786
pubkey_deinit = _library.gnutls_pubkey_deinit
787
pubkey_deinit.argtypes = [pubkey_t]
788
pubkey_deinit.restype = None
789
else:
790
# All the function declarations below are from gnutls/openpgp.h
791
792
openpgp_crt_init = _library.gnutls_openpgp_crt_init
793
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
794
openpgp_crt_init.restype = _error_code
795
796
openpgp_crt_import = _library.gnutls_openpgp_crt_import
797
openpgp_crt_import.argtypes = [openpgp_crt_t,
798
ctypes.POINTER(datum_t),
799
openpgp_crt_fmt_t]
800
openpgp_crt_import.restype = _error_code
801
802
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
803
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
804
ctypes.POINTER(ctypes.c_uint)]
805
openpgp_crt_verify_self.restype = _error_code
806
807
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
808
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
809
openpgp_crt_deinit.restype = None
810
811
openpgp_crt_get_fingerprint = (
812
_library.gnutls_openpgp_crt_get_fingerprint)
813
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
814
ctypes.c_void_p,
815
ctypes.POINTER(
816
ctypes.c_size_t)]
817
openpgp_crt_get_fingerprint.restype = _error_code
818
819
if check_version(b"3.6.4"):
820
certificate_type_get2 = _library.gnutls_certificate_type_get2
821
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
822
certificate_type_get2.restype = _error_code
823
824
# Remove non-public functions
825
del _error_code, _retry_on_error
826
827
438
828
def call_pipe(connection, # : multiprocessing.Connection
439
829
func, *args, **kwargs):
440
830
"""This function is meant to be called by multiprocessing.Process
441
831
442
832
This function runs func(*args, **kwargs), and writes the resulting
443
833
return value on the provided multiprocessing.Connection.
444
834
"""
445
835
connection.send(func(*args, **kwargs))
446
836
connection.close()
447
837
448
class Client(object):
838
839
class Client:
449
840
"""A representation of a client host served by this server.
450
841
451
842
Attributes:
452
843
approved: bool(); 'None' if not yet approved/disapproved
453
844
approval_delay: datetime.timedelta(); Time to wait for approval
454
845
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
846
checker: multiprocessing.Process(); a running checker process used
847
to see if the client lives. 'None' if no process is
848
running.
849
checker_callback_tag: a GLib event source tag, or None
459
850
checker_command: string; External command which is run to check
460
851
if client lives. %() expansions are done at
461
852
runtime with vars(self) as dict, so that for
462
853
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
854
checker_initiator_tag: a GLib event source tag, or None
464
855
created: datetime.datetime(); (UTC) object creation
465
856
client_structure: Object describing what attributes a client has
466
857
and is used for storing the client at exit
467
858
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
859
disable_initiator_tag: a GLib event source tag, or None
469
860
enabled: bool()
470
861
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
862
uniquely identify an OpenPGP client
863
key_id: string (64 hexadecimal digits); used to uniquely identify
864
a client using raw public keys
472
865
host: string; available for use by the checker command
473
866
interval: datetime.timedelta(); How often to start a new checker
474
867
last_approval_request: datetime.datetime(); (UTC) or None
490
883
disabled, or None
491
884
server_settings: The server_settings dict from main()
492
885
"""
493
886
494
887
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
888
"created", "enabled", "expires", "key_id",
496
889
"fingerprint", "host", "interval",
497
890
"last_approval_request", "last_checked_ok",
498
891
"last_enabled", "name", "timeout")
507
900
"approved_by_default": "True",
508
901
"enabled": "True",
509
902
}
510
903
511
904
@staticmethod
512
905
def config_parser(config):
513
906
"""Construct a new dict of client settings of this form:
520
913
for client_name in config.sections():
521
914
section = dict(config.items(client_name))
522
915
client = settings[client_name] = {}
523
916
524
917
client["host"] = section["host"]
525
918
# Reformat values from string types to Python types
526
919
client["approved_by_default"] = config.getboolean(
527
920
client_name, "approved_by_default")
528
921
client["enabled"] = config.getboolean(client_name,
529
922
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
923
924
# Uppercase and remove spaces from key_id and fingerprint
925
# for later comparison purposes with return value from the
926
# key_id() and fingerprint() functions
927
client["key_id"] = (section.get("key_id", "").upper()
928
.replace(" ", ""))
534
929
client["fingerprint"] = (section["fingerprint"].upper()
535
930
.replace(" ", ""))
536
931
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
932
client["secret"] = codecs.decode(section["secret"]
933
.encode("utf-8"),
934
"base64")
538
935
elif "secfile" in section:
539
936
with open(os.path.expanduser(os.path.expandvars
540
937
(section["secfile"])),
555
952
client["last_approval_request"] = None
556
953
client["last_checked_ok"] = None
557
954
client["last_checker_status"] = -2
558
955
559
956
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
957
958
def __init__(self, settings, name=None, server_settings=None):
562
959
self.name = name
563
960
if server_settings is None:
564
961
server_settings = {}
566
963
# adding all client settings
567
964
for setting, value in settings.items():
568
965
setattr(self, setting, value)
569
966
570
967
if self.enabled:
571
968
if not hasattr(self, "last_enabled"):
572
969
self.last_enabled = datetime.datetime.utcnow()
576
973
else:
577
974
self.last_enabled = None
578
975
self.expires = None
579
976
580
977
logger.debug("Creating client %r", self.name)
978
logger.debug(" Key ID: %s", self.key_id)
581
979
logger.debug(" Fingerprint: %s", self.fingerprint)
582
980
self.created = settings.get("created",
583
981
datetime.datetime.utcnow())
584
982
585
983
# attributes specific for this server instance
586
984
self.checker = None
587
985
self.checker_initiator_tag = None
593
991
self.changedstate = multiprocessing_manager.Condition(
594
992
multiprocessing_manager.Lock())
595
993
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
994
for attr in self.__dict__.keys()
597
995
if not attr.startswith("_")]
598
996
self.client_structure.append("client_structure")
599
997
600
998
for name, t in inspect.getmembers(
601
999
type(self), lambda obj: isinstance(obj, property)):
602
1000
if not name.startswith("_"):
603
1001
self.client_structure.append(name)
604
1002
605
1003
# Send notice to process children that client state has changed
606
1004
def send_changedstate(self):
607
1005
with self.changedstate:
608
1006
self.changedstate.notify_all()
609
1007
610
1008
def enable(self):
611
1009
"""Start this client's checker and timeout hooks"""
612
1010
if getattr(self, "enabled", False):
617
1015
self.last_enabled = datetime.datetime.utcnow()
618
1016
self.init_checker()
619
1017
self.send_changedstate()
620
1018
621
1019
def disable(self, quiet=True):
622
1020
"""Disable this client."""
623
1021
if not getattr(self, "enabled", False):
625
1023
if not quiet:
626
1024
logger.info("Disabling client %s", self.name)
627
1025
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1026
GLib.source_remove(self.disable_initiator_tag)
629
1027
self.disable_initiator_tag = None
630
1028
self.expires = None
631
1029
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1030
GLib.source_remove(self.checker_initiator_tag)
633
1031
self.checker_initiator_tag = None
634
1032
self.stop_checker()
635
1033
self.enabled = False
636
1034
if not quiet:
637
1035
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1036
# Do not run this again if called by a GLib.timeout_add
639
1037
return False
640
1038
641
1039
def __del__(self):
642
1040
self.disable()
643
1041
644
1042
def init_checker(self):
645
1043
# Schedule a new checker to be started an 'interval' from now,
646
1044
# and every interval from then on.
647
1045
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1046
GLib.source_remove(self.checker_initiator_tag)
1047
self.checker_initiator_tag = GLib.timeout_add(
1048
random.randrange(int(self.interval.total_seconds() * 1000
1049
+ 1)),
651
1050
self.start_checker)
652
1051
# Schedule a disable() when 'timeout' has passed
653
1052
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1053
GLib.source_remove(self.disable_initiator_tag)
1054
self.disable_initiator_tag = GLib.timeout_add(
656
1055
int(self.timeout.total_seconds() * 1000), self.disable)
657
1056
# Also start a new checker *right now*.
658
1057
self.start_checker()
659
1058
660
1059
def checker_callback(self, source, condition, connection,
661
1060
command):
662
1061
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1062
# Read return code from connection (see call_pipe)
666
1063
returncode = connection.recv()
667
1064
connection.close()
668
1065
if self.checker is not None:
1066
self.checker.join()
1067
self.checker_callback_tag = None
1068
self.checker = None
1069
669
1070
if returncode >= 0:
670
1071
self.last_checker_status = returncode
671
1072
self.last_checker_signal = None
681
1082
logger.warning("Checker for %(name)s crashed?",
682
1083
vars(self))
683
1084
return False
684
1085
685
1086
def checked_ok(self):
686
1087
"""Assert that the client has been seen, alive and well."""
687
1088
self.last_checked_ok = datetime.datetime.utcnow()
688
1089
self.last_checker_status = 0
689
1090
self.last_checker_signal = None
690
1091
self.bump_timeout()
691
1092
692
1093
def bump_timeout(self, timeout=None):
693
1094
"""Bump up the timeout for this client."""
694
1095
if timeout is None:
695
1096
timeout = self.timeout
696
1097
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1098
GLib.source_remove(self.disable_initiator_tag)
698
1099
self.disable_initiator_tag = None
699
1100
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1101
self.disable_initiator_tag = GLib.timeout_add(
701
1102
int(timeout.total_seconds() * 1000), self.disable)
702
1103
self.expires = datetime.datetime.utcnow() + timeout
703
1104
704
1105
def need_approval(self):
705
1106
self.last_approval_request = datetime.datetime.utcnow()
706
1107
707
1108
def start_checker(self):
708
1109
"""Start a new checker subprocess if one is not running.
709
1110
710
1111
If a checker already exists, leave it running and do
711
1112
nothing."""
712
1113
# The reason for not killing a running checker is that if we
717
1118
# checkers alone, the checker would have to take more time
718
1119
# than 'timeout' for the client to be disabled, which is as it
719
1120
# should be.
720
1121
721
1122
if self.checker is not None and not self.checker.is_alive():
722
1123
logger.warning("Checker was not alive; joining")
723
1124
self.checker.join()
727
1128
# Escape attributes for the shell
728
1129
escaped_attrs = {
729
1130
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1131
for attr in self.runtime_expansions}
731
1132
try:
732
1133
command = self.checker_command % escaped_attrs
733
1134
except TypeError as error:
745
1146
# The exception is when not debugging but nevertheless
746
1147
# running in the foreground; use the previously
747
1148
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1149
popen_args = {"close_fds": True,
1150
"shell": True,
1151
"cwd": "/"}
751
1152
if (not self.server_settings["debug"]
752
1153
and self.server_settings["foreground"]):
753
1154
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1155
"stderr": wnull})
1156
pipe = multiprocessing.Pipe(duplex=False)
756
1157
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1158
target=call_pipe,
1159
args=(pipe[1], subprocess.call, command),
1160
kwargs=popen_args)
760
1161
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1162
self.checker_callback_tag = GLib.io_add_watch(
1163
GLib.IOChannel.unix_new(pipe[0].fileno()),
1164
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
763
1165
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1166
# Re-run this periodically if run by GLib.timeout_add
765
1167
return True
766
1168
767
1169
def stop_checker(self):
768
1170
"""Force the checker process, if any, to stop."""
769
1171
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1172
GLib.source_remove(self.checker_callback_tag)
771
1173
self.checker_callback_tag = None
772
1174
if getattr(self, "checker", None) is None:
773
1175
return
782
1184
byte_arrays=False):
783
1185
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1186
become properties on the D-Bus.
785
1187
786
1188
The decorated method will be called with no arguments by "Get"
787
1189
and with one argument by "Set".
788
1190
789
1191
The parameters, where they are supported, are the same as
790
1192
dbus.service.method, except there is only "signature", since the
791
1193
type from Get() and the type sent to Set() is the same.
795
1197
if byte_arrays and signature != "ay":
796
1198
raise ValueError("Byte arrays not supported for non-'ay'"
797
1199
" signature {!r}".format(signature))
798
1200
799
1201
def decorator(func):
800
1202
func._dbus_is_property = True
801
1203
func._dbus_interface = dbus_interface
804
1206
func._dbus_name = func.__name__
805
1207
if func._dbus_name.endswith("_dbus_property"):
806
1208
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1209
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1210
return func
809
1211
810
1212
return decorator
811
1213
812
1214
813
1215
def dbus_interface_annotations(dbus_interface):
814
1216
"""Decorator for marking functions returning interface annotations
815
1217
816
1218
Usage:
817
1219
818
1220
@dbus_interface_annotations("org.example.Interface")
819
1221
def _foo(self): # Function name does not matter
820
1222
return {"org.freedesktop.DBus.Deprecated": "true",
821
1223
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1224
"false"}
823
1225
"""
824
1226
825
1227
def decorator(func):
826
1228
func._dbus_is_interface = True
827
1229
func._dbus_interface = dbus_interface
828
1230
func._dbus_name = dbus_interface
829
1231
return func
830
1232
831
1233
return decorator
832
1234
833
1235
834
1236
def dbus_annotations(annotations):
835
1237
"""Decorator to annotate D-Bus methods, signals or properties
836
1238
Usage:
837
1239
838
1240
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1241
"org.freedesktop.DBus.Property."
840
1242
"EmitsChangedSignal": "false"})
842
1244
access="r")
843
1245
def Property_dbus_property(self):
844
1246
return dbus.Boolean(False)
845
1247
846
1248
See also the DBusObjectWithAnnotations class.
847
1249
"""
848
1250
849
1251
def decorator(func):
850
1252
func._dbus_annotations = annotations
851
1253
return func
852
1254
853
1255
return decorator
854
1256
855
1257
873
1275
874
1276
class DBusObjectWithAnnotations(dbus.service.Object):
875
1277
"""A D-Bus object with annotations.
876
1278
877
1279
Classes inheriting from this can use the dbus_annotations
878
1280
decorator to add annotations to methods or signals.
879
1281
"""
880
1282
881
1283
@staticmethod
882
1284
def _is_dbus_thing(thing):
883
1285
"""Returns a function testing if an attribute is a D-Bus thing
884
1286
885
1287
If called like _is_dbus_thing("method") it returns a function
886
1288
suitable for use as predicate to inspect.getmembers().
887
1289
"""
888
1290
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1291
False)
890
1292
891
1293
def _get_all_dbus_things(self, thing):
892
1294
"""Returns a generator of (name, attribute) pairs
893
1295
"""
896
1298
for cls in self.__class__.__mro__
897
1299
for name, athing in
898
1300
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1301
900
1302
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1303
out_signature="s",
1304
path_keyword='object_path',
1305
connection_keyword='connection')
904
1306
def Introspect(self, object_path, connection):
905
1307
"""Overloading of standard D-Bus method.
906
1308
907
1309
Inserts annotation tags on methods and signals.
908
1310
"""
909
1311
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1312
connection)
911
1313
try:
912
1314
document = xml.dom.minidom.parseString(xmlstring)
913
1315
914
1316
for if_tag in document.getElementsByTagName("interface"):
915
1317
# Add annotation tags
916
1318
for typ in ("method", "signal"):
943
1345
if_tag.appendChild(ann_tag)
944
1346
# Fix argument name for the Introspect method itself
945
1347
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1348
== dbus.INTROSPECTABLE_IFACE):
947
1349
for cn in if_tag.getElementsByTagName("method"):
948
1350
if cn.getAttribute("name") == "Introspect":
949
1351
for arg in cn.getElementsByTagName("arg"):
962
1364
963
1365
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1366
"""A D-Bus object with properties.
965
1367
966
1368
Classes inheriting from this can use the dbus_service_property
967
1369
decorator to expose methods as D-Bus properties. It exposes the
968
1370
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1371
"""
970
1372
971
1373
def _get_dbus_property(self, interface_name, property_name):
972
1374
"""Returns a bound method if one exists which is a D-Bus
973
1375
property with the specified name and interface.
978
1380
if (value._dbus_name == property_name
979
1381
and value._dbus_interface == interface_name):
980
1382
return value.__get__(self)
981
1383
982
1384
# No such property
983
1385
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1386
self.dbus_object_path, interface_name, property_name))
985
1387
986
1388
@classmethod
987
1389
def _get_all_interface_names(cls):
988
1390
"""Get a sequence of all interfaces supported by an object"""
991
1393
for x in (inspect.getmro(cls))
992
1394
for attr in dir(x))
993
1395
if name is not None)
994
1396
995
1397
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1398
in_signature="ss",
997
1399
out_signature="v")
1005
1407
if not hasattr(value, "variant_level"):
1006
1408
return value
1007
1409
return type(value)(value, variant_level=value.variant_level+1)
1008
1410
1009
1411
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1412
def Set(self, interface_name, property_name, value):
1011
1413
"""Standard D-Bus property Set() method, see D-Bus standard.
1020
1422
raise ValueError("Byte arrays not supported for non-"
1021
1423
"'ay' signature {!r}"
1022
1424
.format(prop._dbus_signature))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1425
value = dbus.ByteArray(bytes(value))
1025
1426
prop(value)
1026
1427
1027
1428
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1429
in_signature="s",
1029
1430
out_signature="a{sv}")
1030
1431
def GetAll(self, interface_name):
1031
1432
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1433
standard.
1033
1434
1034
1435
Note: Will not include properties with access="write".
1035
1436
"""
1036
1437
properties = {}
1047
1448
properties[name] = value
1048
1449
continue
1049
1450
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1451
value, variant_level=value.variant_level + 1)
1051
1452
return dbus.Dictionary(properties, signature="sv")
1052
1453
1053
1454
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1455
def PropertiesChanged(self, interface_name, changed_properties,
1055
1456
invalidated_properties):
1057
1458
standard.
1058
1459
"""
1059
1460
pass
1060
1461
1061
1462
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1463
out_signature="s",
1063
1464
path_keyword='object_path',
1064
1465
connection_keyword='connection')
1065
1466
def Introspect(self, object_path, connection):
1066
1467
"""Overloading of standard D-Bus method.
1067
1468
1068
1469
Inserts property tags and interface annotation tags.
1069
1470
"""
1070
1471
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1473
connection)
1073
1474
try:
1074
1475
document = xml.dom.minidom.parseString(xmlstring)
1075
1476
1076
1477
def make_tag(document, name, prop):
1077
1478
e = document.createElement("property")
1078
1479
e.setAttribute("name", name)
1079
1480
e.setAttribute("type", prop._dbus_signature)
1080
1481
e.setAttribute("access", prop._dbus_access)
1081
1482
return e
1082
1483
1083
1484
for if_tag in document.getElementsByTagName("interface"):
1084
1485
# Add property tags
1085
1486
for tag in (make_tag(document, name, prop)
1127
1528
exc_info=error)
1128
1529
return xmlstring
1129
1530
1531
1130
1532
try:
1131
1533
dbus.OBJECT_MANAGER_IFACE
1132
1534
except AttributeError:
1133
1535
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1536
1537
1135
1538
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1539
"""A D-Bus object with an ObjectManager.
1137
1540
1138
1541
Classes inheriting from this exposes the standard
1139
1542
GetManagedObjects call and the InterfacesAdded and
1140
1543
InterfacesRemoved signals on the standard
1141
1544
"org.freedesktop.DBus.ObjectManager" interface.
1142
1545
1143
1546
Note: No signals are sent automatically; they must be sent
1144
1547
manually.
1145
1548
"""
1146
1549
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1550
out_signature="a{oa{sa{sv}}}")
1148
1551
def GetManagedObjects(self):
1149
1552
"""This function must be overridden"""
1150
1553
raise NotImplementedError()
1151
1554
1152
1555
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1556
signature="oa{sa{sv}}")
1154
1557
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1558
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1559
1560
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1561
def InterfacesRemoved(self, object_path, interfaces):
1159
1562
pass
1160
1563
1161
1564
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1565
out_signature="s",
1566
path_keyword='object_path',
1567
connection_keyword='connection')
1165
1568
def Introspect(self, object_path, connection):
1166
1569
"""Overloading of standard D-Bus method.
1167
1570
1168
1571
Override return argument name of GetManagedObjects to be
1169
1572
"objpath_interfaces_and_properties"
1170
1573
"""
1173
1576
connection)
1174
1577
try:
1175
1578
document = xml.dom.minidom.parseString(xmlstring)
1176
1579
1177
1580
for if_tag in document.getElementsByTagName("interface"):
1178
1581
# Fix argument name for the GetManagedObjects method
1179
1582
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1583
== dbus.OBJECT_MANAGER_IFACE):
1181
1584
for cn in if_tag.getElementsByTagName("method"):
1182
1585
if (cn.getAttribute("name")
1183
1586
== "GetManagedObjects"):
1193
1596
except (AttributeError, xml.dom.DOMException,
1194
1597
xml.parsers.expat.ExpatError) as error:
1195
1598
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1599
exc_info=error)
1197
1600
return xmlstring
1198
1601
1602
1199
1603
def datetime_to_dbus(dt, variant_level=0):
1200
1604
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1605
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1606
return dbus.String("", variant_level=variant_level)
1203
1607
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1608
1205
1609
1208
1612
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1613
interface names according to the "alt_interface_names" mapping.
1210
1614
Usage:
1211
1615
1212
1616
@alternate_dbus_interfaces({"org.example.Interface":
1213
1617
"net.example.AlternateInterface"})
1214
1618
class SampleDBusObject(dbus.service.Object):
1215
1619
@dbus.service.method("org.example.Interface")
1216
1620
def SampleDBusMethod():
1217
1621
pass
1218
1622
1219
1623
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1624
reachable via two interfaces: "org.example.Interface" and
1221
1625
"net.example.AlternateInterface", the latter of which will have
1222
1626
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1627
"true", unless "deprecate" is passed with a False value.
1224
1628
1225
1629
This works for methods and signals, and also for D-Bus properties
1226
1630
(from DBusObjectWithProperties) and interfaces (from the
1227
1631
dbus_interface_annotations decorator).
1228
1632
"""
1229
1633
1230
1634
def wrapper(cls):
1231
1635
for orig_interface_name, alt_interface_name in (
1232
1636
alt_interface_names.items()):
1247
1651
interface_names.add(alt_interface)
1248
1652
# Is this a D-Bus signal?
1249
1653
if getattr(attribute, "_dbus_is_signal", False):
1654
# Extract the original non-method undecorated
1655
# function by black magic
1250
1656
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1657
nonmethod_func = (dict(
1254
1658
zip(attribute.func_code.co_freevars,
1255
1659
attribute.__closure__))
1256
1660
["func"].cell_contents)
1257
1661
else:
1258
nonmethod_func = attribute
1662
nonmethod_func = (dict(
1663
zip(attribute.__code__.co_freevars,
1664
attribute.__closure__))
1665
["func"].cell_contents)
1259
1666
# Create a new, but exactly alike, function
1260
1667
# object, and decorate it to be a new D-Bus signal
1261
1668
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1669
new_function = copy_function(nonmethod_func)
1276
1670
new_function = (dbus.service.signal(
1277
1671
alt_interface,
1278
1672
attribute._dbus_signature)(new_function))
1282
1676
attribute._dbus_annotations)
1283
1677
except AttributeError:
1284
1678
pass
1679
1285
1680
# Define a creator of a function to call both the
1286
1681
# original and alternate functions, so both the
1287
1682
# original and alternate signals gets sent when
1290
1685
"""This function is a scope container to pass
1291
1686
func1 and func2 to the "call_both" function
1292
1687
outside of its arguments"""
1293
1688
1294
1689
@functools.wraps(func2)
1295
1690
def call_both(*args, **kwargs):
1296
1691
"""This function will emit two D-Bus
1297
1692
signals by calling func1 and func2"""
1298
1693
func1(*args, **kwargs)
1299
1694
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1695
# Make wrapper function look like a D-Bus
1696
# signal
1301
1697
for name, attr in inspect.getmembers(func2):
1302
1698
if name.startswith("_dbus_"):
1303
1699
setattr(call_both, name, attr)
1304
1700
1305
1701
return call_both
1306
1702
# Create the "call_both" function and add it to
1307
1703
# the class
1317
1713
alt_interface,
1318
1714
attribute._dbus_in_signature,
1319
1715
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1716
(copy_function(attribute)))
1325
1717
# Copy annotations, if any
1326
1718
try:
1327
1719
attr[attrname]._dbus_annotations = dict(
1339
1731
attribute._dbus_access,
1340
1732
attribute._dbus_get_args_options
1341
1733
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1734
(copy_function(attribute)))
1348
1735
# Copy annotations, if any
1349
1736
try:
1350
1737
attr[attrname]._dbus_annotations = dict(
1359
1746
# to the class.
1360
1747
attr[attrname] = (
1361
1748
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1749
(copy_function(attribute)))
1367
1750
if deprecate:
1368
1751
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1752
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1753
for interface_name in interface_names:
1371
1754
1372
1755
@dbus_interface_annotations(interface_name)
1373
1756
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1757
return {"org.freedesktop.DBus.Deprecated":
1758
"true"}
1376
1759
# Find an unused name
1377
1760
for aname in (iname.format(i)
1378
1761
for i in itertools.count()):
1382
1765
if interface_names:
1383
1766
# Replace the class with a new subclass of it with
1384
1767
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1768
if sys.version_info.major == 2:
1769
cls = type(b"{}Alternate".format(cls.__name__),
1770
(cls, ), attr)
1771
else:
1772
cls = type("{}Alternate".format(cls.__name__),
1773
(cls, ), attr)
1387
1774
return cls
1388
1775
1389
1776
return wrapper
1390
1777
1391
1778
1393
1780
"se.bsnet.fukt.Mandos"})
1394
1781
class ClientDBus(Client, DBusObjectWithProperties):
1395
1782
"""A Client class using D-Bus
1396
1783
1397
1784
Attributes:
1398
1785
dbus_object_path: dbus.ObjectPath
1399
1786
bus: dbus.SystemBus()
1400
1787
"""
1401
1788
1402
1789
runtime_expansions = (Client.runtime_expansions
1403
1790
+ ("dbus_object_path", ))
1404
1791
1405
1792
_interface = "se.recompile.Mandos.Client"
1406
1793
1407
1794
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1795
1796
def __init__(self, bus=None, *args, **kwargs):
1410
1797
self.bus = bus
1411
1798
Client.__init__(self, *args, **kwargs)
1412
1799
# Only now, when this client is initialized, can it show up on
1418
1805
"/clients/" + client_object_name)
1419
1806
DBusObjectWithProperties.__init__(self, self.bus,
1420
1807
self.dbus_object_path)
1421
1808
1422
1809
def notifychangeproperty(transform_func, dbus_name,
1423
1810
type_func=lambda x: x,
1424
1811
variant_level=1,
1426
1813
_interface=_interface):
1427
1814
""" Modify a variable so that it's a property which announces
1428
1815
its changes to DBus.
1429
1816
1430
1817
transform_fun: Function that takes a value and a variant_level
1431
1818
and transforms it to a D-Bus type.
1432
1819
dbus_name: D-Bus name of the variable
1435
1822
variant_level: D-Bus variant level. Default: 1
1436
1823
"""
1437
1824
attrname = "_{}".format(dbus_name)
1438
1825
1439
1826
def setter(self, value):
1440
1827
if hasattr(self, "dbus_object_path"):
1441
1828
if (not hasattr(self, attrname) or
1448
1835
else:
1449
1836
dbus_value = transform_func(
1450
1837
type_func(value),
1451
variant_level = variant_level)
1838
variant_level=variant_level)
1452
1839
self.PropertyChanged(dbus.String(dbus_name),
1453
1840
dbus_value)
1454
1841
self.PropertiesChanged(
1455
1842
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1843
dbus.Dictionary({dbus.String(dbus_name):
1844
dbus_value}),
1458
1845
dbus.Array())
1459
1846
setattr(self, attrname, value)
1460
1847
1461
1848
return property(lambda self: getattr(self, attrname), setter)
1462
1849
1463
1850
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1851
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1852
"ApprovalPending",
1466
type_func = bool)
1853
type_func=bool)
1467
1854
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1855
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1856
"LastEnabled")
1470
1857
checker = notifychangeproperty(
1471
1858
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1859
type_func=lambda checker: checker is not None)
1473
1860
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1861
"LastCheckedOK")
1475
1862
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1867
"ApprovedByDefault")
1481
1868
approval_delay = notifychangeproperty(
1482
1869
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1870
type_func=lambda td: td.total_seconds() * 1000)
1484
1871
approval_duration = notifychangeproperty(
1485
1872
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1873
type_func=lambda td: td.total_seconds() * 1000)
1487
1874
host = notifychangeproperty(dbus.String, "Host")
1488
1875
timeout = notifychangeproperty(
1489
1876
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1877
type_func=lambda td: td.total_seconds() * 1000)
1491
1878
extended_timeout = notifychangeproperty(
1492
1879
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1880
type_func=lambda td: td.total_seconds() * 1000)
1494
1881
interval = notifychangeproperty(
1495
1882
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1883
type_func=lambda td: td.total_seconds() * 1000)
1497
1884
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1885
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1886
invalidate_only=True)
1500
1887
1501
1888
del notifychangeproperty
1502
1889
1503
1890
def __del__(self, *args, **kwargs):
1504
1891
try:
1505
1892
self.remove_from_connection()
1508
1895
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1896
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1897
Client.__del__(self, *args, **kwargs)
1511
1898
1512
1899
def checker_callback(self, source, condition,
1513
1900
connection, command, *args, **kwargs):
1514
1901
ret = Client.checker_callback(self, source, condition,
1530
1917
| self.last_checker_signal),
1531
1918
dbus.String(command))
1532
1919
return ret
1533
1920
1534
1921
def start_checker(self, *args, **kwargs):
1535
1922
old_checker_pid = getattr(self.checker, "pid", None)
1536
1923
r = Client.start_checker(self, *args, **kwargs)
1540
1927
# Emit D-Bus signal
1541
1928
self.CheckerStarted(self.current_checker_command)
1542
1929
return r
1543
1930
1544
1931
def _reset_approved(self):
1545
1932
self.approved = None
1546
1933
return False
1547
1934
1548
1935
def approve(self, value=True):
1549
1936
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1937
GLib.timeout_add(int(self.approval_duration.total_seconds()
1938
* 1000), self._reset_approved)
1552
1939
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1940
1941
# D-Bus methods, signals & properties
1942
1943
# Interfaces
1944
1945
# Signals
1946
1560
1947
# CheckerCompleted - signal
1561
1948
@dbus.service.signal(_interface, signature="nxs")
1562
1949
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1950
"D-Bus signal"
1564
1951
pass
1565
1952
1566
1953
# CheckerStarted - signal
1567
1954
@dbus.service.signal(_interface, signature="s")
1568
1955
def CheckerStarted(self, command):
1569
1956
"D-Bus signal"
1570
1957
pass
1571
1958
1572
1959
# PropertyChanged - signal
1573
1960
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1961
@dbus.service.signal(_interface, signature="sv")
1575
1962
def PropertyChanged(self, property, value):
1576
1963
"D-Bus signal"
1577
1964
pass
1578
1965
1579
1966
# GotSecret - signal
1580
1967
@dbus.service.signal(_interface)
1581
1968
def GotSecret(self):
1584
1971
server to mandos-client
1585
1972
"""
1586
1973
pass
1587
1974
1588
1975
# Rejected - signal
1589
1976
@dbus.service.signal(_interface, signature="s")
1590
1977
def Rejected(self, reason):
1591
1978
"D-Bus signal"
1592
1979
pass
1593
1980
1594
1981
# NeedApproval - signal
1595
1982
@dbus.service.signal(_interface, signature="tb")
1596
1983
def NeedApproval(self, timeout, default):
1597
1984
"D-Bus signal"
1598
1985
return self.need_approval()
1599
1600
## Methods
1601
1986
1987
# Methods
1988
1602
1989
# Approve - method
1603
1990
@dbus.service.method(_interface, in_signature="b")
1604
1991
def Approve(self, value):
1605
1992
self.approve(value)
1606
1993
1607
1994
# CheckedOK - method
1608
1995
@dbus.service.method(_interface)
1609
1996
def CheckedOK(self):
1610
1997
self.checked_ok()
1611
1998
1612
1999
# Enable - method
1613
2000
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
2001
@dbus.service.method(_interface)
1615
2002
def Enable(self):
1616
2003
"D-Bus method"
1617
2004
self.enable()
1618
2005
1619
2006
# StartChecker - method
1620
2007
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
2008
@dbus.service.method(_interface)
1622
2009
def StartChecker(self):
1623
2010
"D-Bus method"
1624
2011
self.start_checker()
1625
2012
1626
2013
# Disable - method
1627
2014
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
2015
@dbus.service.method(_interface)
1629
2016
def Disable(self):
1630
2017
"D-Bus method"
1631
2018
self.disable()
1632
2019
1633
2020
# StopChecker - method
1634
2021
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2022
@dbus.service.method(_interface)
1636
2023
def StopChecker(self):
1637
2024
self.stop_checker()
1638
1639
## Properties
1640
2025
2026
# Properties
2027
1641
2028
# ApprovalPending - property
1642
2029
@dbus_service_property(_interface, signature="b", access="read")
1643
2030
def ApprovalPending_dbus_property(self):
1644
2031
return dbus.Boolean(bool(self.approvals_pending))
1645
2032
1646
2033
# ApprovedByDefault - property
1647
2034
@dbus_service_property(_interface,
1648
2035
signature="b",
1651
2038
if value is None: # get
1652
2039
return dbus.Boolean(self.approved_by_default)
1653
2040
self.approved_by_default = bool(value)
1654
2041
1655
2042
# ApprovalDelay - property
1656
2043
@dbus_service_property(_interface,
1657
2044
signature="t",
1661
2048
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2049
* 1000)
1663
2050
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2051
1665
2052
# ApprovalDuration - property
1666
2053
@dbus_service_property(_interface,
1667
2054
signature="t",
1671
2058
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2059
* 1000)
1673
2060
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2061
1675
2062
# Name - property
1676
2063
@dbus_annotations(
1677
2064
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2065
@dbus_service_property(_interface, signature="s", access="read")
1679
2066
def Name_dbus_property(self):
1680
2067
return dbus.String(self.name)
1681
2068
2069
# KeyID - property
2070
@dbus_annotations(
2071
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2072
@dbus_service_property(_interface, signature="s", access="read")
2073
def KeyID_dbus_property(self):
2074
return dbus.String(self.key_id)
2075
1682
2076
# Fingerprint - property
1683
2077
@dbus_annotations(
1684
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2079
@dbus_service_property(_interface, signature="s", access="read")
1686
2080
def Fingerprint_dbus_property(self):
1687
2081
return dbus.String(self.fingerprint)
1688
2082
1689
2083
# Host - property
1690
2084
@dbus_service_property(_interface,
1691
2085
signature="s",
1694
2088
if value is None: # get
1695
2089
return dbus.String(self.host)
1696
2090
self.host = str(value)
1697
2091
1698
2092
# Created - property
1699
2093
@dbus_annotations(
1700
2094
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2095
@dbus_service_property(_interface, signature="s", access="read")
1702
2096
def Created_dbus_property(self):
1703
2097
return datetime_to_dbus(self.created)
1704
2098
1705
2099
# LastEnabled - property
1706
2100
@dbus_service_property(_interface, signature="s", access="read")
1707
2101
def LastEnabled_dbus_property(self):
1708
2102
return datetime_to_dbus(self.last_enabled)
1709
2103
1710
2104
# Enabled - property
1711
2105
@dbus_service_property(_interface,
1712
2106
signature="b",
1718
2112
self.enable()
1719
2113
else:
1720
2114
self.disable()
1721
2115
1722
2116
# LastCheckedOK - property
1723
2117
@dbus_service_property(_interface,
1724
2118
signature="s",
1728
2122
self.checked_ok()
1729
2123
return
1730
2124
return datetime_to_dbus(self.last_checked_ok)
1731
2125
1732
2126
# LastCheckerStatus - property
1733
2127
@dbus_service_property(_interface, signature="n", access="read")
1734
2128
def LastCheckerStatus_dbus_property(self):
1735
2129
return dbus.Int16(self.last_checker_status)
1736
2130
1737
2131
# Expires - property
1738
2132
@dbus_service_property(_interface, signature="s", access="read")
1739
2133
def Expires_dbus_property(self):
1740
2134
return datetime_to_dbus(self.expires)
1741
2135
1742
2136
# LastApprovalRequest - property
1743
2137
@dbus_service_property(_interface, signature="s", access="read")
1744
2138
def LastApprovalRequest_dbus_property(self):
1745
2139
return datetime_to_dbus(self.last_approval_request)
1746
2140
1747
2141
# Timeout - property
1748
2142
@dbus_service_property(_interface,
1749
2143
signature="t",
1764
2158
if (getattr(self, "disable_initiator_tag", None)
1765
2159
is None):
1766
2160
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2161
GLib.source_remove(self.disable_initiator_tag)
2162
self.disable_initiator_tag = GLib.timeout_add(
1769
2163
int((self.expires - now).total_seconds() * 1000),
1770
2164
self.disable)
1771
2165
1772
2166
# ExtendedTimeout - property
1773
2167
@dbus_service_property(_interface,
1774
2168
signature="t",
1778
2172
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2173
* 1000)
1780
2174
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2175
1782
2176
# Interval - property
1783
2177
@dbus_service_property(_interface,
1784
2178
signature="t",
1791
2185
return
1792
2186
if self.enabled:
1793
2187
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2188
GLib.source_remove(self.checker_initiator_tag)
2189
self.checker_initiator_tag = GLib.timeout_add(
1796
2190
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2191
self.start_checker() # Start one now, too
2192
1799
2193
# Checker - property
1800
2194
@dbus_service_property(_interface,
1801
2195
signature="s",
1804
2198
if value is None: # get
1805
2199
return dbus.String(self.checker_command)
1806
2200
self.checker_command = str(value)
1807
2201
1808
2202
# CheckerRunning - property
1809
2203
@dbus_service_property(_interface,
1810
2204
signature="b",
1816
2210
self.start_checker()
1817
2211
else:
1818
2212
self.stop_checker()
1819
2213
1820
2214
# ObjectPath - property
1821
2215
@dbus_annotations(
1822
2216
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2217
"org.freedesktop.DBus.Deprecated": "true"})
1824
2218
@dbus_service_property(_interface, signature="o", access="read")
1825
2219
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2220
return self.dbus_object_path # is already a dbus.ObjectPath
2221
1828
2222
# Secret = property
1829
2223
@dbus_annotations(
1830
2224
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2229
byte_arrays=True)
1836
2230
def Secret_dbus_property(self, value):
1837
2231
self.secret = bytes(value)
1838
2232
1839
2233
del _interface
1840
2234
1841
2235
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2236
class ProxyClient:
2237
def __init__(self, child_pipe, key_id, fpr, address):
1844
2238
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2239
self._pipe.send(('init', key_id, fpr, address))
1846
2240
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2241
raise KeyError(key_id or fpr)
2242
1849
2243
def __getattribute__(self, name):
1850
2244
if name == '_pipe':
1851
2245
return super(ProxyClient, self).__getattribute__(name)
1854
2248
if data[0] == 'data':
1855
2249
return data[1]
1856
2250
if data[0] == 'function':
1857
2251
1858
2252
def func(*args, **kwargs):
1859
2253
self._pipe.send(('funcall', name, args, kwargs))
1860
2254
return self._pipe.recv()[1]
1861
2255
1862
2256
return func
1863
2257
1864
2258
def __setattr__(self, name, value):
1865
2259
if name == '_pipe':
1866
2260
return super(ProxyClient, self).__setattr__(name, value)
1869
2263
1870
2264
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2265
"""A class to handle client connections.
1872
2266
1873
2267
Instantiated once for each connection to handle it.
1874
2268
Note: This will run in its own forked process."""
1875
2269
1876
2270
def handle(self):
1877
2271
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2272
logger.info("TCP connection from: %s",
1879
2273
str(self.client_address))
1880
2274
logger.debug("Pipe FD: %d",
1881
2275
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2276
2277
session = gnutls.ClientSession(self.request)
2278
2279
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2280
# "+AES-256-CBC", "+SHA1",
2281
# "+COMP-NULL", "+CTYPE-OPENPGP",
2282
# "+DHE-DSS"))
1895
2283
# Use a fallback default, since this MUST be set.
1896
2284
priority = self.server.gnutls_priority
1897
2285
if priority is None:
1898
2286
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2287
gnutls.priority_set_direct(session._c_object,
2288
priority.encode("utf-8"),
2289
None)
2290
1902
2291
# Start communication using the Mandos protocol
1903
2292
# Get protocol number
1904
2293
line = self.request.makefile().readline()
1909
2298
except (ValueError, IndexError, RuntimeError) as error:
1910
2299
logger.error("Unknown protocol version: %s", error)
1911
2300
return
1912
2301
1913
2302
# Start GnuTLS connection
1914
2303
try:
1915
2304
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2305
except gnutls.Error as error:
1917
2306
logger.warning("Handshake failed: %s", error)
1918
2307
# Do not run session.bye() here: the session is not
1919
2308
# established. Just abandon the request.
1920
2309
return
1921
2310
logger.debug("Handshake succeeded")
1922
2311
1923
2312
approval_required = False
1924
2313
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2314
if gnutls.has_rawpk:
2315
fpr = b""
2316
try:
2317
key_id = self.key_id(
2318
self.peer_certificate(session))
2319
except (TypeError, gnutls.Error) as error:
2320
logger.warning("Bad certificate: %s", error)
2321
return
2322
logger.debug("Key ID: %s", key_id)
2323
2324
else:
2325
key_id = b""
2326
try:
2327
fpr = self.fingerprint(
2328
self.peer_certificate(session))
2329
except (TypeError, gnutls.Error) as error:
2330
logger.warning("Bad certificate: %s", error)
2331
return
2332
logger.debug("Fingerprint: %s", fpr)
2333
2334
try:
2335
client = ProxyClient(child_pipe, key_id, fpr,
1936
2336
self.client_address)
1937
2337
except KeyError:
1938
2338
return
1939
2339
1940
2340
if client.approval_delay:
1941
2341
delay = client.approval_delay
1942
2342
client.approvals_pending += 1
1943
2343
approval_required = True
1944
2344
1945
2345
while True:
1946
2346
if not client.enabled:
1947
2347
logger.info("Client %s is disabled",
1950
2350
# Emit D-Bus signal
1951
2351
client.Rejected("Disabled")
1952
2352
return
1953
2353
1954
2354
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2355
# We are approved or approval is disabled
1956
2356
break
1957
2357
elif client.approved is None:
1958
2358
logger.info("Client %s needs approval",
1969
2369
# Emit D-Bus signal
1970
2370
client.Rejected("Denied")
1971
2371
return
1972
1973
#wait until timeout or approved
2372
2373
# wait until timeout or approved
1974
2374
time = datetime.datetime.now()
1975
2375
client.changedstate.acquire()
1976
2376
client.changedstate.wait(delay.total_seconds())
1989
2389
break
1990
2390
else:
1991
2391
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2392
2393
try:
2394
session.send(client.secret)
2395
except gnutls.Error as error:
2396
logger.warning("gnutls send failed",
2397
exc_info=error)
2398
return
2399
2006
2400
logger.info("Sending secret to %s", client.name)
2007
2401
# bump the timeout using extended_timeout
2008
2402
client.bump_timeout(client.extended_timeout)
2009
2403
if self.server.use_dbus:
2010
2404
# Emit D-Bus signal
2011
2405
client.GotSecret()
2012
2406
2013
2407
finally:
2014
2408
if approval_required:
2015
2409
client.approvals_pending -= 1
2016
2410
try:
2017
2411
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2412
except gnutls.Error as error:
2019
2413
logger.warning("GnuTLS bye failed",
2020
2414
exc_info=error)
2021
2415
2022
2416
@staticmethod
2023
2417
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2418
"Return the peer's certificate as a bytestring"
2419
try:
2420
cert_type = gnutls.certificate_type_get2(session._c_object,
2421
gnutls.CTYPE_PEERS)
2422
except AttributeError:
2423
cert_type = gnutls.certificate_type_get(session._c_object)
2424
if gnutls.has_rawpk:
2425
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2426
else:
2427
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2428
# If not a valid certificate type...
2429
if cert_type not in valid_cert_types:
2430
logger.info("Cert type %r not in %r", cert_type,
2431
valid_cert_types)
2432
# ...return invalid data
2433
return b""
2031
2434
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2435
cert_list = (gnutls.certificate_get_peers
2034
2436
(session._c_object, ctypes.byref(list_size)))
2035
2437
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2438
raise gnutls.Error("error getting peer certificate")
2038
2439
if list_size.value == 0:
2039
2440
return None
2040
2441
cert = cert_list[0]
2041
2442
return ctypes.string_at(cert.data, cert.size)
2042
2443
2444
@staticmethod
2445
def key_id(certificate):
2446
"Convert a certificate bytestring to a hexdigit key ID"
2447
# New GnuTLS "datum" with the public key
2448
datum = gnutls.datum_t(
2449
ctypes.cast(ctypes.c_char_p(certificate),
2450
ctypes.POINTER(ctypes.c_ubyte)),
2451
ctypes.c_uint(len(certificate)))
2452
# XXX all these need to be created in the gnutls "module"
2453
# New empty GnuTLS certificate
2454
pubkey = gnutls.pubkey_t()
2455
gnutls.pubkey_init(ctypes.byref(pubkey))
2456
# Import the raw public key into the certificate
2457
gnutls.pubkey_import(pubkey,
2458
ctypes.byref(datum),
2459
gnutls.X509_FMT_DER)
2460
# New buffer for the key ID
2461
buf = ctypes.create_string_buffer(32)
2462
buf_len = ctypes.c_size_t(len(buf))
2463
# Get the key ID from the raw public key into the buffer
2464
gnutls.pubkey_get_key_id(pubkey,
2465
gnutls.KEYID_USE_SHA256,
2466
ctypes.cast(ctypes.byref(buf),
2467
ctypes.POINTER(ctypes.c_ubyte)),
2468
ctypes.byref(buf_len))
2469
# Deinit the certificate
2470
gnutls.pubkey_deinit(pubkey)
2471
2472
# Convert the buffer to a Python bytestring
2473
key_id = ctypes.string_at(buf, buf_len.value)
2474
# Convert the bytestring to hexadecimal notation
2475
hex_key_id = binascii.hexlify(key_id).upper()
2476
return hex_key_id
2477
2043
2478
@staticmethod
2044
2479
def fingerprint(openpgp):
2045
2480
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2481
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2482
datum = gnutls.datum_t(
2048
2483
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2484
ctypes.POINTER(ctypes.c_ubyte)),
2050
2485
ctypes.c_uint(len(openpgp)))
2051
2486
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2487
crt = gnutls.openpgp_crt_t()
2488
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2489
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2490
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2491
gnutls.OPENPGP_FMT_RAW)
2059
2492
# Verify the self signature in the key
2060
2493
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2494
gnutls.openpgp_crt_verify_self(crt, 0,
2495
ctypes.byref(crtverify))
2063
2496
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2497
gnutls.openpgp_crt_deinit(crt)
2498
raise gnutls.CertificateSecurityError(code
2499
=crtverify.value)
2067
2500
# New buffer for the fingerprint
2068
2501
buf = ctypes.create_string_buffer(20)
2069
2502
buf_len = ctypes.c_size_t()
2070
2503
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2504
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2505
ctypes.byref(buf_len))
2073
2506
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2507
gnutls.openpgp_crt_deinit(crt)
2075
2508
# Convert the buffer to a Python bytestring
2076
2509
fpr = ctypes.string_at(buf, buf_len.value)
2077
2510
# Convert the bytestring to hexadecimal notation
2079
2512
return hex_fpr
2080
2513
2081
2514
2082
class MultiprocessingMixIn(object):
2515
class MultiprocessingMixIn:
2083
2516
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2517
2085
2518
def sub_process_main(self, request, address):
2086
2519
try:
2087
2520
self.finish_request(request, address)
2088
2521
except Exception:
2089
2522
self.handle_error(request, address)
2090
2523
self.close_request(request)
2091
2524
2092
2525
def process_request(self, request, address):
2093
2526
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2527
proc = multiprocessing.Process(target=self.sub_process_main,
2528
args=(request, address))
2096
2529
proc.start()
2097
2530
return proc
2098
2531
2099
2532
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2533
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2101
2534
""" adds a pipe to the MixIn """
2102
2535
2103
2536
def process_request(self, request, client_address):
2104
2537
"""Overrides and wraps the original process_request().
2105
2538
2106
2539
This function creates a new pipe in self.pipe
2107
2540
"""
2108
2541
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2542
2110
2543
proc = MultiprocessingMixIn.process_request(self, request,
2111
2544
client_address)
2112
2545
self.child_pipe.close()
2113
2546
self.add_pipe(parent_pipe, proc)
2114
2547
2115
2548
def add_pipe(self, parent_pipe, proc):
2116
2549
"""Dummy function; override as necessary"""
2117
2550
raise NotImplementedError()
2118
2551
2119
2552
2120
2553
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
socketserver.TCPServer, object):
2554
socketserver.TCPServer):
2122
2555
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2556
2124
2557
Attributes:
2125
2558
enabled: Boolean; whether this server is activated yet
2126
2559
interface: None or a network interface name (string)
2127
2560
use_ipv6: Boolean; to use IPv6 or not
2128
2561
"""
2129
2562
2130
2563
def __init__(self, server_address, RequestHandlerClass,
2131
2564
interface=None,
2132
2565
use_ipv6=True,
2142
2575
self.socketfd = socketfd
2143
2576
# Save the original socket.socket() function
2144
2577
self.socket_socket = socket.socket
2578
2145
2579
# To implement --socket, we monkey patch socket.socket.
2146
#
2580
#
2147
2581
# (When socketserver.TCPServer is a new-style class, we
2148
2582
# could make self.socket into a property instead of monkey
2149
2583
# patching socket.socket.)
2150
#
2584
#
2151
2585
# Create a one-time-only replacement for socket.socket()
2152
2586
@functools.wraps(socket.socket)
2153
2587
def socket_wrapper(*args, **kwargs):
2165
2599
# socket_wrapper(), if socketfd was set.
2166
2600
socketserver.TCPServer.__init__(self, server_address,
2167
2601
RequestHandlerClass)
2168
2602
2169
2603
def server_bind(self):
2170
2604
"""This overrides the normal server_bind() function
2171
2605
to bind to an interface if one was specified, and also NOT to
2172
2606
bind to an address or port if they were not specified."""
2607
global SO_BINDTODEVICE
2173
2608
if self.interface is not None:
2174
2609
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2610
# Fall back to a hard-coded value which seems to be
2611
# common enough.
2612
logger.warning("SO_BINDTODEVICE not found, trying 25")
2613
SO_BINDTODEVICE = 25
2614
try:
2615
self.socket.setsockopt(
2616
socket.SOL_SOCKET, SO_BINDTODEVICE,
2617
(self.interface + "\0").encode("utf-8"))
2618
except socket.error as error:
2619
if error.errno == errno.EPERM:
2620
logger.error("No permission to bind to"
2621
" interface %s", self.interface)
2622
elif error.errno == errno.ENOPROTOOPT:
2623
logger.error("SO_BINDTODEVICE not available;"
2624
" cannot bind to interface %s",
2625
self.interface)
2626
elif error.errno == errno.ENODEV:
2627
logger.error("Interface %s does not exist,"
2628
" cannot bind", self.interface)
2629
else:
2630
raise
2196
2631
# Only bind(2) the socket if we really need to.
2197
2632
if self.server_address[0] or self.server_address[1]:
2633
if self.server_address[1]:
2634
self.allow_reuse_address = True
2198
2635
if not self.server_address[0]:
2199
2636
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2637
any_address = "::" # in6addr_any
2201
2638
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2639
any_address = "0.0.0.0" # INADDR_ANY
2203
2640
self.server_address = (any_address,
2204
2641
self.server_address[1])
2205
2642
elif not self.server_address[1]:
2215
2652
2216
2653
class MandosServer(IPv6_TCPServer):
2217
2654
"""Mandos server.
2218
2655
2219
2656
Attributes:
2220
2657
clients: set of Client objects
2221
2658
gnutls_priority GnuTLS priority string
2222
2659
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2660
2661
Assumes a GLib.MainLoop event loop.
2225
2662
"""
2226
2663
2227
2664
def __init__(self, server_address, RequestHandlerClass,
2228
2665
interface=None,
2229
2666
use_ipv6=True,
2239
2676
self.gnutls_priority = gnutls_priority
2240
2677
IPv6_TCPServer.__init__(self, server_address,
2241
2678
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2679
interface=interface,
2680
use_ipv6=use_ipv6,
2681
socketfd=socketfd)
2682
2246
2683
def server_activate(self):
2247
2684
if self.enabled:
2248
2685
return socketserver.TCPServer.server_activate(self)
2249
2686
2250
2687
def enable(self):
2251
2688
self.enabled = True
2252
2689
2253
2690
def add_pipe(self, parent_pipe, proc):
2254
2691
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2692
GLib.io_add_watch(
2693
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2694
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2258
2695
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2696
parent_pipe=parent_pipe,
2697
proc=proc))
2698
2262
2699
def handle_ipc(self, source, condition,
2263
2700
parent_pipe=None,
2264
proc = None,
2701
proc=None,
2265
2702
client_object=None):
2266
2703
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2704
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2705
# Wait for other process to exit
2269
2706
proc.join()
2270
2707
return False
2271
2708
2272
2709
# Read a request from the child
2273
2710
request = parent_pipe.recv()
2274
2711
command = request[0]
2275
2712
2276
2713
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2714
key_id = request[1].decode("ascii")
2715
fpr = request[2].decode("ascii")
2716
address = request[3]
2717
2718
for c in self.clients.values():
2719
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2720
continue
2721
if key_id and c.key_id == key_id:
2722
client = c
2723
break
2724
if fpr and c.fingerprint == fpr:
2282
2725
client = c
2283
2726
break
2284
2727
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2728
logger.info("Client not found for key ID: %s, address"
2729
": %s", key_id or fpr, address)
2287
2730
if self.use_dbus:
2288
2731
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2732
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2733
address[0])
2291
2734
parent_pipe.send(False)
2292
2735
return False
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2736
2737
GLib.io_add_watch(
2738
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2739
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2297
2740
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2741
parent_pipe=parent_pipe,
2742
proc=proc,
2743
client_object=client))
2301
2744
parent_pipe.send(True)
2302
2745
# remove the old hook in favor of the new above hook on
2303
2746
# same fileno
2306
2749
funcname = request[1]
2307
2750
args = request[2]
2308
2751
kwargs = request[3]
2309
2752
2310
2753
parent_pipe.send(('data', getattr(client_object,
2311
2754
funcname)(*args,
2312
2755
**kwargs)))
2313
2756
2314
2757
if command == 'getattr':
2315
2758
attrname = request[1]
2316
2759
if isinstance(client_object.__getattribute__(attrname),
2317
collections.Callable):
2760
collections.abc.Callable):
2318
2761
parent_pipe.send(('function', ))
2319
2762
else:
2320
2763
parent_pipe.send((
2321
2764
'data', client_object.__getattribute__(attrname)))
2322
2765
2323
2766
if command == 'setattr':
2324
2767
attrname = request[1]
2325
2768
value = request[2]
2326
2769
setattr(client_object, attrname, value)
2327
2770
2328
2771
return True
2329
2772
2330
2773
2331
2774
def rfc3339_duration_to_delta(duration):
2332
2775
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2776
2777
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2778
True
2779
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2780
True
2781
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2782
True
2783
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2784
True
2785
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2786
True
2787
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2788
True
2789
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2790
True
2348
2791
"""
2349
2792
2350
2793
# Parsing an RFC 3339 duration with regular expressions is not
2351
2794
# possible - there would have to be multiple places for the same
2352
2795
# values, like seconds. The current code, while more esoteric, is
2353
2796
# cleaner without depending on a parsing library. If Python had a
2354
2797
# built-in library for parsing we would use it, but we'd like to
2355
2798
# avoid excessive use of external libraries.
2356
2799
2357
2800
# New type for defining tokens, syntax, and semantics all-in-one
2358
2801
Token = collections.namedtuple("Token", (
2359
2802
"regexp", # To match token; if "value" is not None, must have
2392
2835
frozenset((token_year, token_month,
2393
2836
token_day, token_time,
2394
2837
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2838
# Define starting values:
2839
# Value so far
2840
value = datetime.timedelta()
2397
2841
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2842
# Following valid tokens
2843
followers = frozenset((token_duration, ))
2844
# String left to parse
2845
s = duration
2400
2846
# Loop until end token is found
2401
2847
while found_token is not token_end:
2402
2848
# Search for any currently valid tokens
2426
2872
2427
2873
def string_to_delta(interval):
2428
2874
"""Parse a string and return a datetime.timedelta
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2875
2876
>>> string_to_delta('7d') == datetime.timedelta(7)
2877
True
2878
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2879
True
2880
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2881
True
2882
>>> string_to_delta('24h') == datetime.timedelta(1)
2883
True
2884
>>> string_to_delta('1w') == datetime.timedelta(7)
2885
True
2886
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2887
True
2442
2888
"""
2443
2889
2444
2890
try:
2445
2891
return rfc3339_duration_to_delta(interval)
2446
2892
except ValueError:
2447
2893
pass
2448
2894
2449
2895
timevalue = datetime.timedelta(0)
2450
2896
for s in interval.split():
2451
2897
try:
2469
2915
return timevalue
2470
2916
2471
2917
2472
def daemon(nochdir = False, noclose = False):
2918
def daemon(nochdir=False, noclose=False):
2473
2919
"""See daemon(3). Standard BSD Unix function.
2474
2920
2475
2921
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2922
if os.fork():
2477
2923
sys.exit()
2495
2941
2496
2942
2497
2943
def main():
2498
2944
2499
2945
##################################################################
2500
2946
# Parsing of options, both command line and config file
2501
2947
2502
2948
parser = argparse.ArgumentParser()
2503
2949
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2950
version="%(prog)s {}".format(version),
2505
2951
help="show version number and exit")
2506
2952
parser.add_argument("-i", "--interface", metavar="IF",
2507
2953
help="Bind to interface IF")
2543
2989
parser.add_argument("--no-zeroconf", action="store_false",
2544
2990
dest="zeroconf", help="Do not use Zeroconf",
2545
2991
default=None)
2546
2992
2547
2993
options = parser.parse_args()
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2994
2554
2995
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2996
if gnutls.has_rawpk:
2997
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2998
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2999
else:
3000
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3001
":+SIGN-DSA-SHA256")
3002
server_defaults = {"interface": "",
3003
"address": "",
3004
"port": "",
3005
"debug": "False",
3006
"priority": priority,
3007
"servicename": "Mandos",
3008
"use_dbus": "True",
3009
"use_ipv6": "True",
3010
"debuglevel": "",
3011
"restore": "True",
3012
"socket": "",
3013
"statedir": "/var/lib/mandos",
3014
"foreground": "False",
3015
"zeroconf": "True",
3016
}
3017
del priority
3018
2573
3019
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3020
server_config = configparser.ConfigParser(server_defaults)
2575
3021
del server_defaults
2576
3022
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3023
# Convert the ConfigParser object to a dict
2578
3024
server_settings = server_config.defaults()
2579
3025
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3026
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3027
"foreground", "zeroconf"):
2581
3028
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3029
option)
2583
3030
if server_settings["port"]:
2593
3040
server_settings["socket"] = os.dup(server_settings
2594
3041
["socket"])
2595
3042
del server_config
2596
3043
2597
3044
# Override the settings from the config file with command line
2598
3045
# options, if set.
2599
3046
for option in ("interface", "address", "port", "debug",
2617
3064
if server_settings["debug"]:
2618
3065
server_settings["foreground"] = True
2619
3066
# Now we have our good server settings in "server_settings"
2620
3067
2621
3068
##################################################################
2622
3069
2623
3070
if (not server_settings["zeroconf"]
2624
3071
and not (server_settings["port"]
2625
3072
or server_settings["socket"] != "")):
2626
3073
parser.error("Needs port or socket to work without Zeroconf")
2627
3074
2628
3075
# For convenience
2629
3076
debug = server_settings["debug"]
2630
3077
debuglevel = server_settings["debuglevel"]
2634
3081
stored_state_file)
2635
3082
foreground = server_settings["foreground"]
2636
3083
zeroconf = server_settings["zeroconf"]
2637
3084
2638
3085
if debug:
2639
3086
initlogger(debug, logging.DEBUG)
2640
3087
else:
2643
3090
else:
2644
3091
level = getattr(logging, debuglevel.upper())
2645
3092
initlogger(debug, level)
2646
3093
2647
3094
if server_settings["servicename"] != "Mandos":
2648
3095
syslogger.setFormatter(
2649
3096
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3097
' %(levelname)s: %(message)s'.format(
2651
3098
server_settings["servicename"])))
2652
3099
2653
3100
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3101
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3102
client_config.read(os.path.join(server_settings["configdir"],
2657
3103
"clients.conf"))
2658
3104
2659
3105
global mandos_dbus_service
2660
3106
mandos_dbus_service = None
2661
3107
2662
3108
socketfd = None
2663
3109
if server_settings["socket"] != "":
2664
3110
socketfd = server_settings["socket"]
2680
3126
except IOError as e:
2681
3127
logger.error("Could not open file %r", pidfilename,
2682
3128
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3129
3130
for name, group in (("_mandos", "_mandos"),
3131
("mandos", "mandos"),
3132
("nobody", "nogroup")):
2685
3133
try:
2686
3134
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3135
gid = pwd.getpwnam(group).pw_gid
2688
3136
break
2689
3137
except KeyError:
2690
3138
continue
2694
3142
try:
2695
3143
os.setgid(gid)
2696
3144
os.setuid(uid)
3145
if debug:
3146
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3147
gid))
2697
3148
except OSError as error:
3149
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3150
.format(uid, gid, os.strerror(error.errno)))
2698
3151
if error.errno != errno.EPERM:
2699
3152
raise
2700
3153
2701
3154
if debug:
2702
3155
# Enable all possible GnuTLS debugging
2703
3156
2704
3157
# "Use a log level over 10 to enable all debugging options."
2705
3158
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3159
gnutls.global_set_log_level(11)
3160
3161
@gnutls.log_func
2709
3162
def debug_gnutls(level, string):
2710
3163
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3164
3165
gnutls.global_set_log_function(debug_gnutls)
3166
2715
3167
# Redirect stdin so all checkers get /dev/null
2716
3168
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3169
os.dup2(null, sys.stdin.fileno())
2718
3170
if null > 2:
2719
3171
os.close(null)
2720
3172
2721
3173
# Need to fork before connecting to D-Bus
2722
3174
if not foreground:
2723
3175
# Close all input and output, do double fork, etc.
2724
3176
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3177
3178
if gi.version_info < (3, 10, 2):
3179
# multiprocessing will use threads, so before we use GLib we
3180
# need to inform GLib that threads will be used.
3181
GLib.threads_init()
3182
2730
3183
global main_loop
2731
3184
# From the Avahi example code
2732
3185
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3186
main_loop = GLib.MainLoop()
2734
3187
bus = dbus.SystemBus()
2735
3188
# End of Avahi example code
2736
3189
if use_dbus:
2749
3202
if zeroconf:
2750
3203
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3204
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3205
name=server_settings["servicename"],
3206
servicetype="_mandos._tcp",
3207
protocol=protocol,
3208
bus=bus)
2756
3209
if server_settings["interface"]:
2757
3210
service.interface = if_nametoindex(
2758
3211
server_settings["interface"].encode("utf-8"))
2759
3212
2760
3213
global multiprocessing_manager
2761
3214
multiprocessing_manager = multiprocessing.Manager()
2762
3215
2763
3216
client_class = Client
2764
3217
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3218
client_class = functools.partial(ClientDBus, bus=bus)
3219
2767
3220
client_settings = Client.config_parser(client_config)
2768
3221
old_client_settings = {}
2769
3222
clients_data = {}
2770
3223
2771
3224
# This is used to redirect stdout and stderr for checker processes
2772
3225
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3226
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3227
# Only used if server is running in foreground but not in debug
2775
3228
# mode
2776
3229
if debug or not foreground:
2777
3230
wnull.close()
2778
3231
2779
3232
# Get client data and settings from last running state.
2780
3233
if server_settings["restore"]:
2781
3234
try:
2782
3235
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3236
if sys.version_info.major == 2:
3237
clients_data, old_client_settings = pickle.load(
3238
stored_state)
3239
else:
3240
bytes_clients_data, bytes_old_client_settings = (
3241
pickle.load(stored_state, encoding="bytes"))
3242
# Fix bytes to strings
3243
# clients_data
3244
# .keys()
3245
clients_data = {(key.decode("utf-8")
3246
if isinstance(key, bytes)
3247
else key): value
3248
for key, value in
3249
bytes_clients_data.items()}
3250
del bytes_clients_data
3251
for key in clients_data:
3252
value = {(k.decode("utf-8")
3253
if isinstance(k, bytes) else k): v
3254
for k, v in
3255
clients_data[key].items()}
3256
clients_data[key] = value
3257
# .client_structure
3258
value["client_structure"] = [
3259
(s.decode("utf-8")
3260
if isinstance(s, bytes)
3261
else s) for s in
3262
value["client_structure"]]
3263
# .name, .host, and .checker_command
3264
for k in ("name", "host", "checker_command"):
3265
if isinstance(value[k], bytes):
3266
value[k] = value[k].decode("utf-8")
3267
if "key_id" not in value:
3268
value["key_id"] = ""
3269
elif "fingerprint" not in value:
3270
value["fingerprint"] = ""
3271
# old_client_settings
3272
# .keys()
3273
old_client_settings = {
3274
(key.decode("utf-8")
3275
if isinstance(key, bytes)
3276
else key): value
3277
for key, value in
3278
bytes_old_client_settings.items()}
3279
del bytes_old_client_settings
3280
# .host and .checker_command
3281
for value in old_client_settings.values():
3282
for attribute in ("host", "checker_command"):
3283
if isinstance(value[attribute], bytes):
3284
value[attribute] = (value[attribute]
3285
.decode("utf-8"))
2785
3286
os.remove(stored_state_path)
2786
3287
except IOError as e:
2787
3288
if e.errno == errno.ENOENT:
2795
3296
logger.warning("Could not load persistent state: "
2796
3297
"EOFError:",
2797
3298
exc_info=e)
2798
3299
2799
3300
with PGPEngine() as pgp:
2800
3301
for client_name, client in clients_data.items():
2801
3302
# Skip removed clients
2802
3303
if client_name not in client_settings:
2803
3304
continue
2804
3305
2805
3306
# Decide which value to use after restoring saved state.
2806
3307
# We have three different values: Old config file,
2807
3308
# new config file, and saved state.
2818
3319
client[name] = value
2819
3320
except KeyError:
2820
3321
pass
2821
3322
2822
3323
# Clients who has passed its expire date can still be
2823
3324
# enabled if its last checker was successful. A Client
2824
3325
# whose checker succeeded before we stored its state is
2857
3358
client_name))
2858
3359
client["secret"] = (client_settings[client_name]
2859
3360
["secret"])
2860
3361
2861
3362
# Add/remove clients based on new changes made to config
2862
3363
for client_name in (set(old_client_settings)
2863
3364
- set(client_settings)):
2865
3366
for client_name in (set(client_settings)
2866
3367
- set(old_client_settings)):
2867
3368
clients_data[client_name] = client_settings[client_name]
2868
3369
2869
3370
# Create all client objects
2870
3371
for client_name, client in clients_data.items():
2871
3372
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3373
name=client_name,
3374
settings=client,
3375
server_settings=server_settings)
3376
2876
3377
if not tcp_server.clients:
2877
3378
logger.warning("No clients defined")
2878
3379
2879
3380
if not foreground:
2880
3381
if pidfile is not None:
2881
3382
pid = os.getpid()
2887
3388
pidfilename, pid)
2888
3389
del pidfile
2889
3390
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3391
3392
for termsig in (signal.SIGHUP, signal.SIGTERM):
3393
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3394
lambda: main_loop.quit() and False)
3395
2894
3396
if use_dbus:
2895
3397
2896
3398
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3399
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3400
class MandosDBusService(DBusObjectWithObjectManager):
2899
3401
"""A D-Bus proxy object"""
2900
3402
2901
3403
def __init__(self):
2902
3404
dbus.service.Object.__init__(self, bus, "/")
2903
3405
2904
3406
_interface = "se.recompile.Mandos"
2905
3407
2906
3408
@dbus.service.signal(_interface, signature="o")
2907
3409
def ClientAdded(self, objpath):
2908
3410
"D-Bus signal"
2909
3411
pass
2910
3412
2911
3413
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3414
def ClientNotFound(self, key_id, address):
2913
3415
"D-Bus signal"
2914
3416
pass
2915
3417
2916
3418
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3419
"true"})
2918
3420
@dbus.service.signal(_interface, signature="os")
2919
3421
def ClientRemoved(self, objpath, name):
2920
3422
"D-Bus signal"
2921
3423
pass
2922
3424
2923
3425
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3426
"true"})
2925
3427
@dbus.service.method(_interface, out_signature="ao")
2926
3428
def GetAllClients(self):
2927
3429
"D-Bus method"
2928
3430
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3431
tcp_server.clients.values())
3432
2931
3433
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3434
"true"})
2933
3435
@dbus.service.method(_interface,
2935
3437
def GetAllClientsWithProperties(self):
2936
3438
"D-Bus method"
2937
3439
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3440
{c.dbus_object_path: c.GetAll(
2939
3441
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3442
for c in tcp_server.clients.values()},
2941
3443
signature="oa{sv}")
2942
3444
2943
3445
@dbus.service.method(_interface, in_signature="o")
2944
3446
def RemoveClient(self, object_path):
2945
3447
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3448
for c in tcp_server.clients.values():
2947
3449
if c.dbus_object_path == object_path:
2948
3450
del tcp_server.clients[c.name]
2949
3451
c.remove_from_connection()
2953
3455
self.client_removed_signal(c)
2954
3456
return
2955
3457
raise KeyError(object_path)
2956
3458
2957
3459
del _interface
2958
3460
2959
3461
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3462
out_signature="a{oa{sa{sv}}}")
2961
3463
def GetManagedObjects(self):
2962
3464
"""D-Bus method"""
2963
3465
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3466
{client.dbus_object_path:
3467
dbus.Dictionary(
3468
{interface: client.GetAll(interface)
3469
for interface in
3470
client._get_all_interface_names()})
3471
for client in tcp_server.clients.values()})
3472
2971
3473
def client_added_signal(self, client):
2972
3474
"""Send the new standard signal and the old signal"""
2973
3475
if use_dbus:
2975
3477
self.InterfacesAdded(
2976
3478
client.dbus_object_path,
2977
3479
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3480
{interface: client.GetAll(interface)
3481
for interface in
3482
client._get_all_interface_names()}))
2981
3483
# Old signal
2982
3484
self.ClientAdded(client.dbus_object_path)
2983
3485
2984
3486
def client_removed_signal(self, client):
2985
3487
"""Send the new standard signal and the old signal"""
2986
3488
if use_dbus:
2991
3493
# Old signal
2992
3494
self.ClientRemoved(client.dbus_object_path,
2993
3495
client.name)
2994
3496
2995
3497
mandos_dbus_service = MandosDBusService()
2996
3498
3499
# Save modules to variables to exempt the modules from being
3500
# unloaded before the function registered with atexit() is run.
3501
mp = multiprocessing
3502
wn = wnull
3503
2997
3504
def cleanup():
2998
3505
"Cleanup function; run on exit"
2999
3506
if zeroconf:
3000
3507
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3508
3509
mp.active_children()
3510
wn.close()
3004
3511
if not (tcp_server.clients or client_settings):
3005
3512
return
3006
3513
3007
3514
# Store client before exiting. Secrets are encrypted with key
3008
3515
# based on what config file has. If config file is
3009
3516
# removed/edited, old secret will thus be unrecovable.
3010
3517
clients = {}
3011
3518
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3519
for client in tcp_server.clients.values():
3013
3520
key = client_settings[client.name]["secret"]
3014
3521
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3522
key)
3016
3523
client_dict = {}
3017
3524
3018
3525
# A list of attributes that can not be pickled
3019
3526
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3527
exclude = {"bus", "changedstate", "secret",
3528
"checker", "server_settings"}
3022
3529
for name, typ in inspect.getmembers(dbus.service
3023
3530
.Object):
3024
3531
exclude.add(name)
3025
3532
3026
3533
client_dict["encrypted_secret"] = (client
3027
3534
.encrypted_secret)
3028
3535
for attr in client.client_structure:
3029
3536
if attr not in exclude:
3030
3537
client_dict[attr] = getattr(client, attr)
3031
3538
3032
3539
clients[client.name] = client_dict
3033
3540
del client_settings[client.name]["secret"]
3034
3541
3035
3542
try:
3036
3543
with tempfile.NamedTemporaryFile(
3037
3544
mode='wb',
3039
3546
prefix='clients-',
3040
3547
dir=os.path.dirname(stored_state_path),
3041
3548
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3549
pickle.dump((clients, client_settings), stored_state,
3550
protocol=2)
3043
3551
tempname = stored_state.name
3044
3552
os.rename(tempname, stored_state_path)
3045
3553
except (IOError, OSError) as e:
3055
3563
logger.warning("Could not save persistent state:",
3056
3564
exc_info=e)
3057
3565
raise
3058
3566
3059
3567
# Delete all clients, and settings from config
3060
3568
while tcp_server.clients:
3061
3569
name, client = tcp_server.clients.popitem()
3064
3572
# Don't signal the disabling
3065
3573
client.disable(quiet=True)
3066
3574
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3575
if use_dbus:
3576
mandos_dbus_service.client_removed_signal(client)
3068
3577
client_settings.clear()
3069
3578
3070
3579
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3580
3581
for client in tcp_server.clients.values():
3073
3582
if use_dbus:
3074
3583
# Emit D-Bus signal for adding
3075
3584
mandos_dbus_service.client_added_signal(client)
3076
3585
# Need to initiate checking of clients
3077
3586
if client.enabled:
3078
3587
client.init_checker()
3079
3588
3080
3589
tcp_server.enable()
3081
3590
tcp_server.server_activate()
3082
3591
3083
3592
# Find out what port we got
3084
3593
if zeroconf:
3085
3594
service.port = tcp_server.socket.getsockname()[1]
3090
3599
else: # IPv4
3091
3600
logger.info("Now listening on address %r, port %d",
3092
3601
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3602
3603
# service.interface = tcp_server.socket.getsockname()[3]
3604
3096
3605
try:
3097
3606
if zeroconf:
3098
3607
# From the Avahi example code
3103
3612
cleanup()
3104
3613
sys.exit(1)
3105
3614
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3615
3616
GLib.io_add_watch(
3617
GLib.IOChannel.unix_new(tcp_server.fileno()),
3618
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3619
lambda *args, **kwargs: (tcp_server.handle_request
3620
(*args[2:], **kwargs) or True))
3621
3112
3622
logger.debug("Starting main loop")
3113
3623
main_loop.run()
3114
3624
except AvahiError as error:
3123
3633
# Must run before the D-Bus bus name gets deregistered
3124
3634
cleanup()
3125
3635
3636
3637
def should_only_run_tests():
3638
parser = argparse.ArgumentParser(add_help=False)
3639
parser.add_argument("--check", action='store_true')
3640
args, unknown_args = parser.parse_known_args()
3641
run_tests = args.check
3642
if run_tests:
3643
# Remove --check argument from sys.argv
3644
sys.argv[1:] = unknown_args
3645
return run_tests
3646
3647
# Add all tests from doctest strings
3648
def load_tests(loader, tests, none):
3649
import doctest
3650
tests.addTests(doctest.DocTestSuite())
3651
return tests
3126
3652
3127
3653
if __name__ == '__main__':
3128
main()
3654
try:
3655
if should_only_run_tests():
3656
# Call using ./mandos --check [--verbose]
3657
unittest.main()
3658
else:
3659
main()
3660
finally:
3661
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0