To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 394
- compare with another revision
- download diff
- download tarball
- view history from revision 394
- Committer: Teddy Hogeborn
- Date: 2019-09-04 21:12:32 UTC
- mfrom: (237.7.726 trunk)
- Revision ID: teddy@recompile.se-20190904211232-qwuiramck8i8wmhe
Merge from trunk
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -b
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
82
81
83
82
import dbus
84
83
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
84
import gi
85
from gi.repository import GLib
90
86
from dbus.mainloop.glib import DBusGMainLoop
91
87
import ctypes
92
88
import ctypes.util
93
89
import xml.dom.minidom
94
90
import inspect
95
91
92
if sys.version_info.major == 2:
93
__metaclass__ = type
94
95
# Show warnings by default
96
if not sys.warnoptions:
97
import warnings
98
warnings.simplefilter("default")
99
100
# Try to find the value of SO_BINDTODEVICE:
96
101
try:
102
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
103
# newer, and it is also the most natural place for it:
97
104
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
105
except AttributeError:
99
106
try:
107
# This is where SO_BINDTODEVICE was up to and including Python
108
# 2.6, and also 3.2:
100
109
from IN import SO_BINDTODEVICE
101
110
except ImportError:
102
SO_BINDTODEVICE = None
111
# In Python 2.7 it seems to have been removed entirely.
112
# Try running the C preprocessor:
113
try:
114
cc = subprocess.Popen(["cc", "--language=c", "-E",
115
"/dev/stdin"],
116
stdin=subprocess.PIPE,
117
stdout=subprocess.PIPE)
118
stdout = cc.communicate(
119
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
120
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
121
except (OSError, ValueError, IndexError):
122
# No value found
123
SO_BINDTODEVICE = None
103
124
104
125
if sys.version_info.major == 2:
105
126
str = unicode
106
127
107
version = "1.7.1"
128
if sys.version_info < (3, 2):
129
configparser.Configparser = configparser.SafeConfigParser
130
131
version = "1.8.9"
108
132
stored_state_file = "clients.pickle"
109
133
110
134
logger = logging.getLogger()
135
logging.captureWarnings(True) # Show warnings via the logging system
111
136
syslogger = None
112
137
113
138
try:
114
139
if_nametoindex = ctypes.cdll.LoadLibrary(
115
140
ctypes.util.find_library("c")).if_nametoindex
116
141
except (OSError, AttributeError):
117
142
118
143
def if_nametoindex(interface):
119
144
"Get an interface index the hard way, i.e. using fcntl()"
120
145
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
150
return interface_index
126
151
127
152
153
def copy_function(func):
154
"""Make a copy of a function"""
155
if sys.version_info.major == 2:
156
return types.FunctionType(func.func_code,
157
func.func_globals,
158
func.func_name,
159
func.func_defaults,
160
func.func_closure)
161
else:
162
return types.FunctionType(func.__code__,
163
func.__globals__,
164
func.__name__,
165
func.__defaults__,
166
func.__closure__)
167
168
128
169
def initlogger(debug, level=logging.WARNING):
129
170
"""init logger and add loglevel"""
130
171
131
172
global syslogger
132
173
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
174
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
175
address="/dev/log"))
135
176
syslogger.setFormatter(logging.Formatter
136
177
('Mandos [%(process)d]: %(levelname)s:'
137
178
' %(message)s'))
138
179
logger.addHandler(syslogger)
139
180
140
181
if debug:
141
182
console = logging.StreamHandler()
142
183
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
193
pass
153
194
154
195
155
class PGPEngine(object):
196
class PGPEngine:
156
197
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
198
158
199
def __init__(self):
159
200
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
201
self.gpg = "gpg"
202
try:
203
output = subprocess.check_output(["gpgconf"])
204
for line in output.splitlines():
205
name, text, path = line.split(b":")
206
if name == b"gpg":
207
self.gpg = path
208
break
209
except OSError as e:
210
if e.errno != errno.ENOENT:
211
raise
160
212
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
213
'--homedir', self.tempdir,
162
214
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
215
'--quiet']
216
# Only GPG version 1 has the --no-use-agent option.
217
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
218
self.gnupgargs.append("--no-use-agent")
219
166
220
def __enter__(self):
167
221
return self
168
222
169
223
def __exit__(self, exc_type, exc_value, traceback):
170
224
self._cleanup()
171
225
return False
172
226
173
227
def __del__(self):
174
228
self._cleanup()
175
229
176
230
def _cleanup(self):
177
231
if self.tempdir is not None:
178
232
# Delete contents of tempdir
179
233
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
234
topdown=False):
181
235
for filename in files:
182
236
os.remove(os.path.join(root, filename))
183
237
for dirname in dirs:
185
239
# Remove tempdir
186
240
os.rmdir(self.tempdir)
187
241
self.tempdir = None
188
242
189
243
def password_encode(self, password):
190
244
# Passphrase can not be empty and can not contain newlines or
191
245
# NUL bytes. So we prefix it and hex encode it.
196
250
.replace(b"\n", b"\\n")
197
251
.replace(b"\0", b"\\x00"))
198
252
return encoded
199
253
200
254
def encrypt(self, data, password):
201
255
passphrase = self.password_encode(password)
202
256
with tempfile.NamedTemporaryFile(
203
257
dir=self.tempdir) as passfile:
204
258
passfile.write(passphrase)
205
259
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
260
proc = subprocess.Popen([self.gpg, '--symmetric',
207
261
'--passphrase-file',
208
262
passfile.name]
209
263
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
264
stdin=subprocess.PIPE,
265
stdout=subprocess.PIPE,
266
stderr=subprocess.PIPE)
267
ciphertext, err = proc.communicate(input=data)
214
268
if proc.returncode != 0:
215
269
raise PGPError(err)
216
270
return ciphertext
217
271
218
272
def decrypt(self, data, password):
219
273
passphrase = self.password_encode(password)
220
274
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
275
dir=self.tempdir) as passfile:
222
276
passfile.write(passphrase)
223
277
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
278
proc = subprocess.Popen([self.gpg, '--decrypt',
225
279
'--passphrase-file',
226
280
passfile.name]
227
281
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
282
stdin=subprocess.PIPE,
283
stdout=subprocess.PIPE,
284
stderr=subprocess.PIPE)
285
decrypted_plaintext, err = proc.communicate(input=data)
232
286
if proc.returncode != 0:
233
287
raise PGPError(err)
234
288
return decrypted_plaintext
235
289
236
290
291
# Pretend that we have an Avahi module
292
class avahi:
293
"""This isn't so much a class as it is a module-like namespace."""
294
IF_UNSPEC = -1 # avahi-common/address.h
295
PROTO_UNSPEC = -1 # avahi-common/address.h
296
PROTO_INET = 0 # avahi-common/address.h
297
PROTO_INET6 = 1 # avahi-common/address.h
298
DBUS_NAME = "org.freedesktop.Avahi"
299
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
300
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
301
DBUS_PATH_SERVER = "/"
302
303
@staticmethod
304
def string_array_to_txt_array(t):
305
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
306
for s in t), signature="ay")
307
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
308
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
309
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
310
SERVER_INVALID = 0 # avahi-common/defs.h
311
SERVER_REGISTERING = 1 # avahi-common/defs.h
312
SERVER_RUNNING = 2 # avahi-common/defs.h
313
SERVER_COLLISION = 3 # avahi-common/defs.h
314
SERVER_FAILURE = 4 # avahi-common/defs.h
315
316
237
317
class AvahiError(Exception):
238
318
def __init__(self, value, *args, **kwargs):
239
319
self.value = value
249
329
pass
250
330
251
331
252
class AvahiService(object):
332
class AvahiService:
253
333
"""An Avahi (Zeroconf) service.
254
334
255
335
Attributes:
256
336
interface: integer; avahi.IF_UNSPEC or an interface index.
257
337
Used to optionally bind to the specified interface.
269
349
server: D-Bus Server
270
350
bus: dbus.SystemBus()
271
351
"""
272
352
273
353
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
354
interface=avahi.IF_UNSPEC,
355
name=None,
356
servicetype=None,
357
port=None,
358
TXT=None,
359
domain="",
360
host="",
361
max_renames=32768,
362
protocol=avahi.PROTO_UNSPEC,
363
bus=None):
284
364
self.interface = interface
285
365
self.name = name
286
366
self.type = servicetype
295
375
self.server = None
296
376
self.bus = bus
297
377
self.entry_group_state_changed_match = None
298
378
299
379
def rename(self, remove=True):
300
380
"""Derived from the Avahi example code"""
301
381
if self.rename_count >= self.max_renames:
321
401
logger.critical("D-Bus Exception", exc_info=error)
322
402
self.cleanup()
323
403
os._exit(1)
324
404
325
405
def remove(self):
326
406
"""Derived from the Avahi example code"""
327
407
if self.entry_group_state_changed_match is not None:
329
409
self.entry_group_state_changed_match = None
330
410
if self.group is not None:
331
411
self.group.Reset()
332
412
333
413
def add(self):
334
414
"""Derived from the Avahi example code"""
335
415
self.remove()
352
432
dbus.UInt16(self.port),
353
433
avahi.string_array_to_txt_array(self.TXT))
354
434
self.group.Commit()
355
435
356
436
def entry_group_state_changed(self, state, error):
357
437
"""Derived from the Avahi example code"""
358
438
logger.debug("Avahi entry group state change: %i", state)
359
439
360
440
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
441
logger.debug("Zeroconf service established.")
362
442
elif state == avahi.ENTRY_GROUP_COLLISION:
366
446
logger.critical("Avahi: Error in group state changed %s",
367
447
str(error))
368
448
raise AvahiGroupError("State changed: {!s}".format(error))
369
449
370
450
def cleanup(self):
371
451
"""Derived from the Avahi example code"""
372
452
if self.group is not None:
377
457
pass
378
458
self.group = None
379
459
self.remove()
380
460
381
461
def server_state_changed(self, state, error=None):
382
462
"""Derived from the Avahi example code"""
383
463
logger.debug("Avahi server state change: %i", state)
412
492
logger.debug("Unknown state: %r", state)
413
493
else:
414
494
logger.debug("Unknown state: %r: %r", state, error)
415
495
416
496
def activate(self):
417
497
"""Derived from the Avahi example code"""
418
498
if self.server is None:
429
509
class AvahiServiceToSyslog(AvahiService):
430
510
def rename(self, *args, **kwargs):
431
511
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
512
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
513
syslogger.setFormatter(logging.Formatter(
434
514
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
515
.format(self.name)))
436
516
return ret
437
517
518
519
# Pretend that we have a GnuTLS module
520
class gnutls:
521
"""This isn't so much a class as it is a module-like namespace."""
522
523
library = ctypes.util.find_library("gnutls")
524
if library is None:
525
library = ctypes.util.find_library("gnutls-deb0")
526
_library = ctypes.cdll.LoadLibrary(library)
527
del library
528
529
# Unless otherwise indicated, the constants and types below are
530
# all from the gnutls/gnutls.h C header file.
531
532
# Constants
533
E_SUCCESS = 0
534
E_INTERRUPTED = -52
535
E_AGAIN = -28
536
CRT_OPENPGP = 2
537
CRT_RAWPK = 3
538
CLIENT = 2
539
SHUT_RDWR = 0
540
CRD_CERTIFICATE = 1
541
E_NO_CERTIFICATE_FOUND = -49
542
X509_FMT_DER = 0
543
NO_TICKETS = 1<<10
544
ENABLE_RAWPK = 1<<18
545
CTYPE_PEERS = 3
546
KEYID_USE_SHA256 = 1 # gnutls/x509.h
547
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
548
549
# Types
550
class session_int(ctypes.Structure):
551
_fields_ = []
552
session_t = ctypes.POINTER(session_int)
553
554
class certificate_credentials_st(ctypes.Structure):
555
_fields_ = []
556
certificate_credentials_t = ctypes.POINTER(
557
certificate_credentials_st)
558
certificate_type_t = ctypes.c_int
559
560
class datum_t(ctypes.Structure):
561
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
562
('size', ctypes.c_uint)]
563
564
class openpgp_crt_int(ctypes.Structure):
565
_fields_ = []
566
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
567
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
568
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
569
credentials_type_t = ctypes.c_int
570
transport_ptr_t = ctypes.c_void_p
571
close_request_t = ctypes.c_int
572
573
# Exceptions
574
class Error(Exception):
575
def __init__(self, message=None, code=None, args=()):
576
# Default usage is by a message string, but if a return
577
# code is passed, convert it to a string with
578
# gnutls.strerror()
579
self.code = code
580
if message is None and code is not None:
581
message = gnutls.strerror(code)
582
return super(gnutls.Error, self).__init__(
583
message, *args)
584
585
class CertificateSecurityError(Error):
586
pass
587
588
# Classes
589
class Credentials:
590
def __init__(self):
591
self._c_object = gnutls.certificate_credentials_t()
592
gnutls.certificate_allocate_credentials(
593
ctypes.byref(self._c_object))
594
self.type = gnutls.CRD_CERTIFICATE
595
596
def __del__(self):
597
gnutls.certificate_free_credentials(self._c_object)
598
599
class ClientSession:
600
def __init__(self, socket, credentials=None):
601
self._c_object = gnutls.session_t()
602
gnutls_flags = gnutls.CLIENT
603
if gnutls.check_version(b"3.5.6"):
604
gnutls_flags |= gnutls.NO_TICKETS
605
if gnutls.has_rawpk:
606
gnutls_flags |= gnutls.ENABLE_RAWPK
607
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
608
del gnutls_flags
609
gnutls.set_default_priority(self._c_object)
610
gnutls.transport_set_ptr(self._c_object, socket.fileno())
611
gnutls.handshake_set_private_extensions(self._c_object,
612
True)
613
self.socket = socket
614
if credentials is None:
615
credentials = gnutls.Credentials()
616
gnutls.credentials_set(self._c_object, credentials.type,
617
ctypes.cast(credentials._c_object,
618
ctypes.c_void_p))
619
self.credentials = credentials
620
621
def __del__(self):
622
gnutls.deinit(self._c_object)
623
624
def handshake(self):
625
return gnutls.handshake(self._c_object)
626
627
def send(self, data):
628
data = bytes(data)
629
data_len = len(data)
630
while data_len > 0:
631
data_len -= gnutls.record_send(self._c_object,
632
data[-data_len:],
633
data_len)
634
635
def bye(self):
636
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
637
638
# Error handling functions
639
def _error_code(result):
640
"""A function to raise exceptions on errors, suitable
641
for the 'restype' attribute on ctypes functions"""
642
if result >= 0:
643
return result
644
if result == gnutls.E_NO_CERTIFICATE_FOUND:
645
raise gnutls.CertificateSecurityError(code=result)
646
raise gnutls.Error(code=result)
647
648
def _retry_on_error(result, func, arguments):
649
"""A function to retry on some errors, suitable
650
for the 'errcheck' attribute on ctypes functions"""
651
while result < 0:
652
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
653
return _error_code(result)
654
result = func(*arguments)
655
return result
656
657
# Unless otherwise indicated, the function declarations below are
658
# all from the gnutls/gnutls.h C header file.
659
660
# Functions
661
priority_set_direct = _library.gnutls_priority_set_direct
662
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
663
ctypes.POINTER(ctypes.c_char_p)]
664
priority_set_direct.restype = _error_code
665
666
init = _library.gnutls_init
667
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
668
init.restype = _error_code
669
670
set_default_priority = _library.gnutls_set_default_priority
671
set_default_priority.argtypes = [session_t]
672
set_default_priority.restype = _error_code
673
674
record_send = _library.gnutls_record_send
675
record_send.argtypes = [session_t, ctypes.c_void_p,
676
ctypes.c_size_t]
677
record_send.restype = ctypes.c_ssize_t
678
record_send.errcheck = _retry_on_error
679
680
certificate_allocate_credentials = (
681
_library.gnutls_certificate_allocate_credentials)
682
certificate_allocate_credentials.argtypes = [
683
ctypes.POINTER(certificate_credentials_t)]
684
certificate_allocate_credentials.restype = _error_code
685
686
certificate_free_credentials = (
687
_library.gnutls_certificate_free_credentials)
688
certificate_free_credentials.argtypes = [
689
certificate_credentials_t]
690
certificate_free_credentials.restype = None
691
692
handshake_set_private_extensions = (
693
_library.gnutls_handshake_set_private_extensions)
694
handshake_set_private_extensions.argtypes = [session_t,
695
ctypes.c_int]
696
handshake_set_private_extensions.restype = None
697
698
credentials_set = _library.gnutls_credentials_set
699
credentials_set.argtypes = [session_t, credentials_type_t,
700
ctypes.c_void_p]
701
credentials_set.restype = _error_code
702
703
strerror = _library.gnutls_strerror
704
strerror.argtypes = [ctypes.c_int]
705
strerror.restype = ctypes.c_char_p
706
707
certificate_type_get = _library.gnutls_certificate_type_get
708
certificate_type_get.argtypes = [session_t]
709
certificate_type_get.restype = _error_code
710
711
certificate_get_peers = _library.gnutls_certificate_get_peers
712
certificate_get_peers.argtypes = [session_t,
713
ctypes.POINTER(ctypes.c_uint)]
714
certificate_get_peers.restype = ctypes.POINTER(datum_t)
715
716
global_set_log_level = _library.gnutls_global_set_log_level
717
global_set_log_level.argtypes = [ctypes.c_int]
718
global_set_log_level.restype = None
719
720
global_set_log_function = _library.gnutls_global_set_log_function
721
global_set_log_function.argtypes = [log_func]
722
global_set_log_function.restype = None
723
724
deinit = _library.gnutls_deinit
725
deinit.argtypes = [session_t]
726
deinit.restype = None
727
728
handshake = _library.gnutls_handshake
729
handshake.argtypes = [session_t]
730
handshake.restype = _error_code
731
handshake.errcheck = _retry_on_error
732
733
transport_set_ptr = _library.gnutls_transport_set_ptr
734
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
735
transport_set_ptr.restype = None
736
737
bye = _library.gnutls_bye
738
bye.argtypes = [session_t, close_request_t]
739
bye.restype = _error_code
740
bye.errcheck = _retry_on_error
741
742
check_version = _library.gnutls_check_version
743
check_version.argtypes = [ctypes.c_char_p]
744
check_version.restype = ctypes.c_char_p
745
746
_need_version = b"3.3.0"
747
if check_version(_need_version) is None:
748
raise self.Error("Needs GnuTLS {} or later"
749
.format(_need_version))
750
751
_tls_rawpk_version = b"3.6.6"
752
has_rawpk = bool(check_version(_tls_rawpk_version))
753
754
if has_rawpk:
755
# Types
756
class pubkey_st(ctypes.Structure):
757
_fields = []
758
pubkey_t = ctypes.POINTER(pubkey_st)
759
760
x509_crt_fmt_t = ctypes.c_int
761
762
# All the function declarations below are from gnutls/abstract.h
763
pubkey_init = _library.gnutls_pubkey_init
764
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
765
pubkey_init.restype = _error_code
766
767
pubkey_import = _library.gnutls_pubkey_import
768
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
769
x509_crt_fmt_t]
770
pubkey_import.restype = _error_code
771
772
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
773
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
774
ctypes.POINTER(ctypes.c_ubyte),
775
ctypes.POINTER(ctypes.c_size_t)]
776
pubkey_get_key_id.restype = _error_code
777
778
pubkey_deinit = _library.gnutls_pubkey_deinit
779
pubkey_deinit.argtypes = [pubkey_t]
780
pubkey_deinit.restype = None
781
else:
782
# All the function declarations below are from gnutls/openpgp.h
783
784
openpgp_crt_init = _library.gnutls_openpgp_crt_init
785
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
786
openpgp_crt_init.restype = _error_code
787
788
openpgp_crt_import = _library.gnutls_openpgp_crt_import
789
openpgp_crt_import.argtypes = [openpgp_crt_t,
790
ctypes.POINTER(datum_t),
791
openpgp_crt_fmt_t]
792
openpgp_crt_import.restype = _error_code
793
794
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
795
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
796
ctypes.POINTER(ctypes.c_uint)]
797
openpgp_crt_verify_self.restype = _error_code
798
799
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
800
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
801
openpgp_crt_deinit.restype = None
802
803
openpgp_crt_get_fingerprint = (
804
_library.gnutls_openpgp_crt_get_fingerprint)
805
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
806
ctypes.c_void_p,
807
ctypes.POINTER(
808
ctypes.c_size_t)]
809
openpgp_crt_get_fingerprint.restype = _error_code
810
811
if check_version(b"3.6.4"):
812
certificate_type_get2 = _library.gnutls_certificate_type_get2
813
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
814
certificate_type_get2.restype = _error_code
815
816
# Remove non-public functions
817
del _error_code, _retry_on_error
818
819
438
820
def call_pipe(connection, # : multiprocessing.Connection
439
821
func, *args, **kwargs):
440
822
"""This function is meant to be called by multiprocessing.Process
441
823
442
824
This function runs func(*args, **kwargs), and writes the resulting
443
825
return value on the provided multiprocessing.Connection.
444
826
"""
445
827
connection.send(func(*args, **kwargs))
446
828
connection.close()
447
829
448
class Client(object):
830
831
class Client:
449
832
"""A representation of a client host served by this server.
450
833
451
834
Attributes:
452
835
approved: bool(); 'None' if not yet approved/disapproved
453
836
approval_delay: datetime.timedelta(); Time to wait for approval
454
837
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
838
checker: multiprocessing.Process(); a running checker process used
839
to see if the client lives. 'None' if no process is
840
running.
841
checker_callback_tag: a GLib event source tag, or None
459
842
checker_command: string; External command which is run to check
460
843
if client lives. %() expansions are done at
461
844
runtime with vars(self) as dict, so that for
462
845
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
846
checker_initiator_tag: a GLib event source tag, or None
464
847
created: datetime.datetime(); (UTC) object creation
465
848
client_structure: Object describing what attributes a client has
466
849
and is used for storing the client at exit
467
850
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
851
disable_initiator_tag: a GLib event source tag, or None
469
852
enabled: bool()
470
853
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
854
uniquely identify an OpenPGP client
855
key_id: string (64 hexadecimal digits); used to uniquely identify
856
a client using raw public keys
472
857
host: string; available for use by the checker command
473
858
interval: datetime.timedelta(); How often to start a new checker
474
859
last_approval_request: datetime.datetime(); (UTC) or None
490
875
disabled, or None
491
876
server_settings: The server_settings dict from main()
492
877
"""
493
878
494
879
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
880
"created", "enabled", "expires", "key_id",
496
881
"fingerprint", "host", "interval",
497
882
"last_approval_request", "last_checked_ok",
498
883
"last_enabled", "name", "timeout")
507
892
"approved_by_default": "True",
508
893
"enabled": "True",
509
894
}
510
895
511
896
@staticmethod
512
897
def config_parser(config):
513
898
"""Construct a new dict of client settings of this form:
520
905
for client_name in config.sections():
521
906
section = dict(config.items(client_name))
522
907
client = settings[client_name] = {}
523
908
524
909
client["host"] = section["host"]
525
910
# Reformat values from string types to Python types
526
911
client["approved_by_default"] = config.getboolean(
527
912
client_name, "approved_by_default")
528
913
client["enabled"] = config.getboolean(client_name,
529
914
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
915
916
# Uppercase and remove spaces from key_id and fingerprint
917
# for later comparison purposes with return value from the
918
# key_id() and fingerprint() functions
919
client["key_id"] = (section.get("key_id", "").upper()
920
.replace(" ", ""))
534
921
client["fingerprint"] = (section["fingerprint"].upper()
535
922
.replace(" ", ""))
536
923
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
924
client["secret"] = codecs.decode(section["secret"]
925
.encode("utf-8"),
926
"base64")
538
927
elif "secfile" in section:
539
928
with open(os.path.expanduser(os.path.expandvars
540
929
(section["secfile"])),
555
944
client["last_approval_request"] = None
556
945
client["last_checked_ok"] = None
557
946
client["last_checker_status"] = -2
558
947
559
948
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
949
950
def __init__(self, settings, name=None, server_settings=None):
562
951
self.name = name
563
952
if server_settings is None:
564
953
server_settings = {}
566
955
# adding all client settings
567
956
for setting, value in settings.items():
568
957
setattr(self, setting, value)
569
958
570
959
if self.enabled:
571
960
if not hasattr(self, "last_enabled"):
572
961
self.last_enabled = datetime.datetime.utcnow()
576
965
else:
577
966
self.last_enabled = None
578
967
self.expires = None
579
968
580
969
logger.debug("Creating client %r", self.name)
970
logger.debug(" Key ID: %s", self.key_id)
581
971
logger.debug(" Fingerprint: %s", self.fingerprint)
582
972
self.created = settings.get("created",
583
973
datetime.datetime.utcnow())
584
974
585
975
# attributes specific for this server instance
586
976
self.checker = None
587
977
self.checker_initiator_tag = None
593
983
self.changedstate = multiprocessing_manager.Condition(
594
984
multiprocessing_manager.Lock())
595
985
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
986
for attr in self.__dict__.keys()
597
987
if not attr.startswith("_")]
598
988
self.client_structure.append("client_structure")
599
989
600
990
for name, t in inspect.getmembers(
601
991
type(self), lambda obj: isinstance(obj, property)):
602
992
if not name.startswith("_"):
603
993
self.client_structure.append(name)
604
994
605
995
# Send notice to process children that client state has changed
606
996
def send_changedstate(self):
607
997
with self.changedstate:
608
998
self.changedstate.notify_all()
609
999
610
1000
def enable(self):
611
1001
"""Start this client's checker and timeout hooks"""
612
1002
if getattr(self, "enabled", False):
617
1007
self.last_enabled = datetime.datetime.utcnow()
618
1008
self.init_checker()
619
1009
self.send_changedstate()
620
1010
621
1011
def disable(self, quiet=True):
622
1012
"""Disable this client."""
623
1013
if not getattr(self, "enabled", False):
625
1015
if not quiet:
626
1016
logger.info("Disabling client %s", self.name)
627
1017
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1018
GLib.source_remove(self.disable_initiator_tag)
629
1019
self.disable_initiator_tag = None
630
1020
self.expires = None
631
1021
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1022
GLib.source_remove(self.checker_initiator_tag)
633
1023
self.checker_initiator_tag = None
634
1024
self.stop_checker()
635
1025
self.enabled = False
636
1026
if not quiet:
637
1027
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1028
# Do not run this again if called by a GLib.timeout_add
639
1029
return False
640
1030
641
1031
def __del__(self):
642
1032
self.disable()
643
1033
644
1034
def init_checker(self):
645
1035
# Schedule a new checker to be started an 'interval' from now,
646
1036
# and every interval from then on.
647
1037
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1038
GLib.source_remove(self.checker_initiator_tag)
1039
self.checker_initiator_tag = GLib.timeout_add(
650
1040
int(self.interval.total_seconds() * 1000),
651
1041
self.start_checker)
652
1042
# Schedule a disable() when 'timeout' has passed
653
1043
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1044
GLib.source_remove(self.disable_initiator_tag)
1045
self.disable_initiator_tag = GLib.timeout_add(
656
1046
int(self.timeout.total_seconds() * 1000), self.disable)
657
1047
# Also start a new checker *right now*.
658
1048
self.start_checker()
659
1049
660
1050
def checker_callback(self, source, condition, connection,
661
1051
command):
662
1052
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1053
# Read return code from connection (see call_pipe)
666
1054
returncode = connection.recv()
667
1055
connection.close()
668
1056
if self.checker is not None:
1057
self.checker.join()
1058
self.checker_callback_tag = None
1059
self.checker = None
1060
669
1061
if returncode >= 0:
670
1062
self.last_checker_status = returncode
671
1063
self.last_checker_signal = None
681
1073
logger.warning("Checker for %(name)s crashed?",
682
1074
vars(self))
683
1075
return False
684
1076
685
1077
def checked_ok(self):
686
1078
"""Assert that the client has been seen, alive and well."""
687
1079
self.last_checked_ok = datetime.datetime.utcnow()
688
1080
self.last_checker_status = 0
689
1081
self.last_checker_signal = None
690
1082
self.bump_timeout()
691
1083
692
1084
def bump_timeout(self, timeout=None):
693
1085
"""Bump up the timeout for this client."""
694
1086
if timeout is None:
695
1087
timeout = self.timeout
696
1088
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1089
GLib.source_remove(self.disable_initiator_tag)
698
1090
self.disable_initiator_tag = None
699
1091
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1092
self.disable_initiator_tag = GLib.timeout_add(
701
1093
int(timeout.total_seconds() * 1000), self.disable)
702
1094
self.expires = datetime.datetime.utcnow() + timeout
703
1095
704
1096
def need_approval(self):
705
1097
self.last_approval_request = datetime.datetime.utcnow()
706
1098
707
1099
def start_checker(self):
708
1100
"""Start a new checker subprocess if one is not running.
709
1101
710
1102
If a checker already exists, leave it running and do
711
1103
nothing."""
712
1104
# The reason for not killing a running checker is that if we
717
1109
# checkers alone, the checker would have to take more time
718
1110
# than 'timeout' for the client to be disabled, which is as it
719
1111
# should be.
720
1112
721
1113
if self.checker is not None and not self.checker.is_alive():
722
1114
logger.warning("Checker was not alive; joining")
723
1115
self.checker.join()
727
1119
# Escape attributes for the shell
728
1120
escaped_attrs = {
729
1121
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1122
for attr in self.runtime_expansions}
731
1123
try:
732
1124
command = self.checker_command % escaped_attrs
733
1125
except TypeError as error:
745
1137
# The exception is when not debugging but nevertheless
746
1138
# running in the foreground; use the previously
747
1139
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1140
popen_args = {"close_fds": True,
1141
"shell": True,
1142
"cwd": "/"}
751
1143
if (not self.server_settings["debug"]
752
1144
and self.server_settings["foreground"]):
753
1145
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1146
"stderr": wnull})
1147
pipe = multiprocessing.Pipe(duplex=False)
756
1148
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1149
target=call_pipe,
1150
args=(pipe[1], subprocess.call, command),
1151
kwargs=popen_args)
760
1152
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1153
self.checker_callback_tag = GLib.io_add_watch(
1154
GLib.IOChannel.unix_new(pipe[0].fileno()),
1155
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
763
1156
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1157
# Re-run this periodically if run by GLib.timeout_add
765
1158
return True
766
1159
767
1160
def stop_checker(self):
768
1161
"""Force the checker process, if any, to stop."""
769
1162
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1163
GLib.source_remove(self.checker_callback_tag)
771
1164
self.checker_callback_tag = None
772
1165
if getattr(self, "checker", None) is None:
773
1166
return
782
1175
byte_arrays=False):
783
1176
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1177
become properties on the D-Bus.
785
1178
786
1179
The decorated method will be called with no arguments by "Get"
787
1180
and with one argument by "Set".
788
1181
789
1182
The parameters, where they are supported, are the same as
790
1183
dbus.service.method, except there is only "signature", since the
791
1184
type from Get() and the type sent to Set() is the same.
795
1188
if byte_arrays and signature != "ay":
796
1189
raise ValueError("Byte arrays not supported for non-'ay'"
797
1190
" signature {!r}".format(signature))
798
1191
799
1192
def decorator(func):
800
1193
func._dbus_is_property = True
801
1194
func._dbus_interface = dbus_interface
804
1197
func._dbus_name = func.__name__
805
1198
if func._dbus_name.endswith("_dbus_property"):
806
1199
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1200
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1201
return func
809
1202
810
1203
return decorator
811
1204
812
1205
813
1206
def dbus_interface_annotations(dbus_interface):
814
1207
"""Decorator for marking functions returning interface annotations
815
1208
816
1209
Usage:
817
1210
818
1211
@dbus_interface_annotations("org.example.Interface")
819
1212
def _foo(self): # Function name does not matter
820
1213
return {"org.freedesktop.DBus.Deprecated": "true",
821
1214
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1215
"false"}
823
1216
"""
824
1217
825
1218
def decorator(func):
826
1219
func._dbus_is_interface = True
827
1220
func._dbus_interface = dbus_interface
828
1221
func._dbus_name = dbus_interface
829
1222
return func
830
1223
831
1224
return decorator
832
1225
833
1226
834
1227
def dbus_annotations(annotations):
835
1228
"""Decorator to annotate D-Bus methods, signals or properties
836
1229
Usage:
837
1230
838
1231
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1232
"org.freedesktop.DBus.Property."
840
1233
"EmitsChangedSignal": "false"})
842
1235
access="r")
843
1236
def Property_dbus_property(self):
844
1237
return dbus.Boolean(False)
845
1238
846
1239
See also the DBusObjectWithAnnotations class.
847
1240
"""
848
1241
849
1242
def decorator(func):
850
1243
func._dbus_annotations = annotations
851
1244
return func
852
1245
853
1246
return decorator
854
1247
855
1248
873
1266
874
1267
class DBusObjectWithAnnotations(dbus.service.Object):
875
1268
"""A D-Bus object with annotations.
876
1269
877
1270
Classes inheriting from this can use the dbus_annotations
878
1271
decorator to add annotations to methods or signals.
879
1272
"""
880
1273
881
1274
@staticmethod
882
1275
def _is_dbus_thing(thing):
883
1276
"""Returns a function testing if an attribute is a D-Bus thing
884
1277
885
1278
If called like _is_dbus_thing("method") it returns a function
886
1279
suitable for use as predicate to inspect.getmembers().
887
1280
"""
888
1281
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1282
False)
890
1283
891
1284
def _get_all_dbus_things(self, thing):
892
1285
"""Returns a generator of (name, attribute) pairs
893
1286
"""
896
1289
for cls in self.__class__.__mro__
897
1290
for name, athing in
898
1291
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1292
900
1293
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1294
out_signature="s",
1295
path_keyword='object_path',
1296
connection_keyword='connection')
904
1297
def Introspect(self, object_path, connection):
905
1298
"""Overloading of standard D-Bus method.
906
1299
907
1300
Inserts annotation tags on methods and signals.
908
1301
"""
909
1302
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1303
connection)
911
1304
try:
912
1305
document = xml.dom.minidom.parseString(xmlstring)
913
1306
914
1307
for if_tag in document.getElementsByTagName("interface"):
915
1308
# Add annotation tags
916
1309
for typ in ("method", "signal"):
943
1336
if_tag.appendChild(ann_tag)
944
1337
# Fix argument name for the Introspect method itself
945
1338
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1339
== dbus.INTROSPECTABLE_IFACE):
947
1340
for cn in if_tag.getElementsByTagName("method"):
948
1341
if cn.getAttribute("name") == "Introspect":
949
1342
for arg in cn.getElementsByTagName("arg"):
962
1355
963
1356
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1357
"""A D-Bus object with properties.
965
1358
966
1359
Classes inheriting from this can use the dbus_service_property
967
1360
decorator to expose methods as D-Bus properties. It exposes the
968
1361
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1362
"""
970
1363
971
1364
def _get_dbus_property(self, interface_name, property_name):
972
1365
"""Returns a bound method if one exists which is a D-Bus
973
1366
property with the specified name and interface.
978
1371
if (value._dbus_name == property_name
979
1372
and value._dbus_interface == interface_name):
980
1373
return value.__get__(self)
981
1374
982
1375
# No such property
983
1376
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1377
self.dbus_object_path, interface_name, property_name))
985
1378
986
1379
@classmethod
987
1380
def _get_all_interface_names(cls):
988
1381
"""Get a sequence of all interfaces supported by an object"""
991
1384
for x in (inspect.getmro(cls))
992
1385
for attr in dir(x))
993
1386
if name is not None)
994
1387
995
1388
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1389
in_signature="ss",
997
1390
out_signature="v")
1005
1398
if not hasattr(value, "variant_level"):
1006
1399
return value
1007
1400
return type(value)(value, variant_level=value.variant_level+1)
1008
1401
1009
1402
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1403
def Set(self, interface_name, property_name, value):
1011
1404
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1416
value = dbus.ByteArray(b''.join(chr(byte)
1024
1417
for byte in value))
1025
1418
prop(value)
1026
1419
1027
1420
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1421
in_signature="s",
1029
1422
out_signature="a{sv}")
1030
1423
def GetAll(self, interface_name):
1031
1424
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1425
standard.
1033
1426
1034
1427
Note: Will not include properties with access="write".
1035
1428
"""
1036
1429
properties = {}
1047
1440
properties[name] = value
1048
1441
continue
1049
1442
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1443
value, variant_level=value.variant_level + 1)
1051
1444
return dbus.Dictionary(properties, signature="sv")
1052
1445
1053
1446
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1447
def PropertiesChanged(self, interface_name, changed_properties,
1055
1448
invalidated_properties):
1057
1450
standard.
1058
1451
"""
1059
1452
pass
1060
1453
1061
1454
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1455
out_signature="s",
1063
1456
path_keyword='object_path',
1064
1457
connection_keyword='connection')
1065
1458
def Introspect(self, object_path, connection):
1066
1459
"""Overloading of standard D-Bus method.
1067
1460
1068
1461
Inserts property tags and interface annotation tags.
1069
1462
"""
1070
1463
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1465
connection)
1073
1466
try:
1074
1467
document = xml.dom.minidom.parseString(xmlstring)
1075
1468
1076
1469
def make_tag(document, name, prop):
1077
1470
e = document.createElement("property")
1078
1471
e.setAttribute("name", name)
1079
1472
e.setAttribute("type", prop._dbus_signature)
1080
1473
e.setAttribute("access", prop._dbus_access)
1081
1474
return e
1082
1475
1083
1476
for if_tag in document.getElementsByTagName("interface"):
1084
1477
# Add property tags
1085
1478
for tag in (make_tag(document, name, prop)
1127
1520
exc_info=error)
1128
1521
return xmlstring
1129
1522
1523
1130
1524
try:
1131
1525
dbus.OBJECT_MANAGER_IFACE
1132
1526
except AttributeError:
1133
1527
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1528
1529
1135
1530
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1531
"""A D-Bus object with an ObjectManager.
1137
1532
1138
1533
Classes inheriting from this exposes the standard
1139
1534
GetManagedObjects call and the InterfacesAdded and
1140
1535
InterfacesRemoved signals on the standard
1141
1536
"org.freedesktop.DBus.ObjectManager" interface.
1142
1537
1143
1538
Note: No signals are sent automatically; they must be sent
1144
1539
manually.
1145
1540
"""
1146
1541
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1542
out_signature="a{oa{sa{sv}}}")
1148
1543
def GetManagedObjects(self):
1149
1544
"""This function must be overridden"""
1150
1545
raise NotImplementedError()
1151
1546
1152
1547
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1548
signature="oa{sa{sv}}")
1154
1549
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1550
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1551
1552
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1553
def InterfacesRemoved(self, object_path, interfaces):
1159
1554
pass
1160
1555
1161
1556
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1557
out_signature="s",
1558
path_keyword='object_path',
1559
connection_keyword='connection')
1165
1560
def Introspect(self, object_path, connection):
1166
1561
"""Overloading of standard D-Bus method.
1167
1562
1168
1563
Override return argument name of GetManagedObjects to be
1169
1564
"objpath_interfaces_and_properties"
1170
1565
"""
1173
1568
connection)
1174
1569
try:
1175
1570
document = xml.dom.minidom.parseString(xmlstring)
1176
1571
1177
1572
for if_tag in document.getElementsByTagName("interface"):
1178
1573
# Fix argument name for the GetManagedObjects method
1179
1574
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1575
== dbus.OBJECT_MANAGER_IFACE):
1181
1576
for cn in if_tag.getElementsByTagName("method"):
1182
1577
if (cn.getAttribute("name")
1183
1578
== "GetManagedObjects"):
1193
1588
except (AttributeError, xml.dom.DOMException,
1194
1589
xml.parsers.expat.ExpatError) as error:
1195
1590
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1591
exc_info=error)
1197
1592
return xmlstring
1198
1593
1594
1199
1595
def datetime_to_dbus(dt, variant_level=0):
1200
1596
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1597
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1598
return dbus.String("", variant_level=variant_level)
1203
1599
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1600
1205
1601
1208
1604
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1605
interface names according to the "alt_interface_names" mapping.
1210
1606
Usage:
1211
1607
1212
1608
@alternate_dbus_interfaces({"org.example.Interface":
1213
1609
"net.example.AlternateInterface"})
1214
1610
class SampleDBusObject(dbus.service.Object):
1215
1611
@dbus.service.method("org.example.Interface")
1216
1612
def SampleDBusMethod():
1217
1613
pass
1218
1614
1219
1615
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1616
reachable via two interfaces: "org.example.Interface" and
1221
1617
"net.example.AlternateInterface", the latter of which will have
1222
1618
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1619
"true", unless "deprecate" is passed with a False value.
1224
1620
1225
1621
This works for methods and signals, and also for D-Bus properties
1226
1622
(from DBusObjectWithProperties) and interfaces (from the
1227
1623
dbus_interface_annotations decorator).
1228
1624
"""
1229
1625
1230
1626
def wrapper(cls):
1231
1627
for orig_interface_name, alt_interface_name in (
1232
1628
alt_interface_names.items()):
1247
1643
interface_names.add(alt_interface)
1248
1644
# Is this a D-Bus signal?
1249
1645
if getattr(attribute, "_dbus_is_signal", False):
1646
# Extract the original non-method undecorated
1647
# function by black magic
1250
1648
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1649
nonmethod_func = (dict(
1254
1650
zip(attribute.func_code.co_freevars,
1255
1651
attribute.__closure__))
1256
1652
["func"].cell_contents)
1257
1653
else:
1258
nonmethod_func = attribute
1654
nonmethod_func = (dict(
1655
zip(attribute.__code__.co_freevars,
1656
attribute.__closure__))
1657
["func"].cell_contents)
1259
1658
# Create a new, but exactly alike, function
1260
1659
# object, and decorate it to be a new D-Bus signal
1261
1660
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1661
new_function = copy_function(nonmethod_func)
1276
1662
new_function = (dbus.service.signal(
1277
1663
alt_interface,
1278
1664
attribute._dbus_signature)(new_function))
1282
1668
attribute._dbus_annotations)
1283
1669
except AttributeError:
1284
1670
pass
1671
1285
1672
# Define a creator of a function to call both the
1286
1673
# original and alternate functions, so both the
1287
1674
# original and alternate signals gets sent when
1290
1677
"""This function is a scope container to pass
1291
1678
func1 and func2 to the "call_both" function
1292
1679
outside of its arguments"""
1293
1680
1294
1681
@functools.wraps(func2)
1295
1682
def call_both(*args, **kwargs):
1296
1683
"""This function will emit two D-Bus
1297
1684
signals by calling func1 and func2"""
1298
1685
func1(*args, **kwargs)
1299
1686
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1687
# Make wrapper function look like a D-Bus
1688
# signal
1301
1689
for name, attr in inspect.getmembers(func2):
1302
1690
if name.startswith("_dbus_"):
1303
1691
setattr(call_both, name, attr)
1304
1692
1305
1693
return call_both
1306
1694
# Create the "call_both" function and add it to
1307
1695
# the class
1317
1705
alt_interface,
1318
1706
attribute._dbus_in_signature,
1319
1707
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1708
(copy_function(attribute)))
1325
1709
# Copy annotations, if any
1326
1710
try:
1327
1711
attr[attrname]._dbus_annotations = dict(
1339
1723
attribute._dbus_access,
1340
1724
attribute._dbus_get_args_options
1341
1725
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1726
(copy_function(attribute)))
1348
1727
# Copy annotations, if any
1349
1728
try:
1350
1729
attr[attrname]._dbus_annotations = dict(
1359
1738
# to the class.
1360
1739
attr[attrname] = (
1361
1740
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1741
(copy_function(attribute)))
1367
1742
if deprecate:
1368
1743
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1744
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1745
for interface_name in interface_names:
1371
1746
1372
1747
@dbus_interface_annotations(interface_name)
1373
1748
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1749
return {"org.freedesktop.DBus.Deprecated":
1750
"true"}
1376
1751
# Find an unused name
1377
1752
for aname in (iname.format(i)
1378
1753
for i in itertools.count()):
1382
1757
if interface_names:
1383
1758
# Replace the class with a new subclass of it with
1384
1759
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1760
if sys.version_info.major == 2:
1761
cls = type(b"{}Alternate".format(cls.__name__),
1762
(cls, ), attr)
1763
else:
1764
cls = type("{}Alternate".format(cls.__name__),
1765
(cls, ), attr)
1387
1766
return cls
1388
1767
1389
1768
return wrapper
1390
1769
1391
1770
1393
1772
"se.bsnet.fukt.Mandos"})
1394
1773
class ClientDBus(Client, DBusObjectWithProperties):
1395
1774
"""A Client class using D-Bus
1396
1775
1397
1776
Attributes:
1398
1777
dbus_object_path: dbus.ObjectPath
1399
1778
bus: dbus.SystemBus()
1400
1779
"""
1401
1780
1402
1781
runtime_expansions = (Client.runtime_expansions
1403
1782
+ ("dbus_object_path", ))
1404
1783
1405
1784
_interface = "se.recompile.Mandos.Client"
1406
1785
1407
1786
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1787
1788
def __init__(self, bus=None, *args, **kwargs):
1410
1789
self.bus = bus
1411
1790
Client.__init__(self, *args, **kwargs)
1412
1791
# Only now, when this client is initialized, can it show up on
1418
1797
"/clients/" + client_object_name)
1419
1798
DBusObjectWithProperties.__init__(self, self.bus,
1420
1799
self.dbus_object_path)
1421
1800
1422
1801
def notifychangeproperty(transform_func, dbus_name,
1423
1802
type_func=lambda x: x,
1424
1803
variant_level=1,
1426
1805
_interface=_interface):
1427
1806
""" Modify a variable so that it's a property which announces
1428
1807
its changes to DBus.
1429
1808
1430
1809
transform_fun: Function that takes a value and a variant_level
1431
1810
and transforms it to a D-Bus type.
1432
1811
dbus_name: D-Bus name of the variable
1435
1814
variant_level: D-Bus variant level. Default: 1
1436
1815
"""
1437
1816
attrname = "_{}".format(dbus_name)
1438
1817
1439
1818
def setter(self, value):
1440
1819
if hasattr(self, "dbus_object_path"):
1441
1820
if (not hasattr(self, attrname) or
1448
1827
else:
1449
1828
dbus_value = transform_func(
1450
1829
type_func(value),
1451
variant_level = variant_level)
1830
variant_level=variant_level)
1452
1831
self.PropertyChanged(dbus.String(dbus_name),
1453
1832
dbus_value)
1454
1833
self.PropertiesChanged(
1455
1834
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1835
dbus.Dictionary({dbus.String(dbus_name):
1836
dbus_value}),
1458
1837
dbus.Array())
1459
1838
setattr(self, attrname, value)
1460
1839
1461
1840
return property(lambda self: getattr(self, attrname), setter)
1462
1841
1463
1842
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1843
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1844
"ApprovalPending",
1466
type_func = bool)
1845
type_func=bool)
1467
1846
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1847
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1848
"LastEnabled")
1470
1849
checker = notifychangeproperty(
1471
1850
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1851
type_func=lambda checker: checker is not None)
1473
1852
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1853
"LastCheckedOK")
1475
1854
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1859
"ApprovedByDefault")
1481
1860
approval_delay = notifychangeproperty(
1482
1861
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1862
type_func=lambda td: td.total_seconds() * 1000)
1484
1863
approval_duration = notifychangeproperty(
1485
1864
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1865
type_func=lambda td: td.total_seconds() * 1000)
1487
1866
host = notifychangeproperty(dbus.String, "Host")
1488
1867
timeout = notifychangeproperty(
1489
1868
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1869
type_func=lambda td: td.total_seconds() * 1000)
1491
1870
extended_timeout = notifychangeproperty(
1492
1871
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1872
type_func=lambda td: td.total_seconds() * 1000)
1494
1873
interval = notifychangeproperty(
1495
1874
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1875
type_func=lambda td: td.total_seconds() * 1000)
1497
1876
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1877
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1878
invalidate_only=True)
1500
1879
1501
1880
del notifychangeproperty
1502
1881
1503
1882
def __del__(self, *args, **kwargs):
1504
1883
try:
1505
1884
self.remove_from_connection()
1508
1887
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1888
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1889
Client.__del__(self, *args, **kwargs)
1511
1890
1512
1891
def checker_callback(self, source, condition,
1513
1892
connection, command, *args, **kwargs):
1514
1893
ret = Client.checker_callback(self, source, condition,
1530
1909
| self.last_checker_signal),
1531
1910
dbus.String(command))
1532
1911
return ret
1533
1912
1534
1913
def start_checker(self, *args, **kwargs):
1535
1914
old_checker_pid = getattr(self.checker, "pid", None)
1536
1915
r = Client.start_checker(self, *args, **kwargs)
1540
1919
# Emit D-Bus signal
1541
1920
self.CheckerStarted(self.current_checker_command)
1542
1921
return r
1543
1922
1544
1923
def _reset_approved(self):
1545
1924
self.approved = None
1546
1925
return False
1547
1926
1548
1927
def approve(self, value=True):
1549
1928
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1929
GLib.timeout_add(int(self.approval_duration.total_seconds()
1930
* 1000), self._reset_approved)
1552
1931
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1932
1933
# D-Bus methods, signals & properties
1934
1935
# Interfaces
1936
1937
# Signals
1938
1560
1939
# CheckerCompleted - signal
1561
1940
@dbus.service.signal(_interface, signature="nxs")
1562
1941
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1942
"D-Bus signal"
1564
1943
pass
1565
1944
1566
1945
# CheckerStarted - signal
1567
1946
@dbus.service.signal(_interface, signature="s")
1568
1947
def CheckerStarted(self, command):
1569
1948
"D-Bus signal"
1570
1949
pass
1571
1950
1572
1951
# PropertyChanged - signal
1573
1952
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1953
@dbus.service.signal(_interface, signature="sv")
1575
1954
def PropertyChanged(self, property, value):
1576
1955
"D-Bus signal"
1577
1956
pass
1578
1957
1579
1958
# GotSecret - signal
1580
1959
@dbus.service.signal(_interface)
1581
1960
def GotSecret(self):
1584
1963
server to mandos-client
1585
1964
"""
1586
1965
pass
1587
1966
1588
1967
# Rejected - signal
1589
1968
@dbus.service.signal(_interface, signature="s")
1590
1969
def Rejected(self, reason):
1591
1970
"D-Bus signal"
1592
1971
pass
1593
1972
1594
1973
# NeedApproval - signal
1595
1974
@dbus.service.signal(_interface, signature="tb")
1596
1975
def NeedApproval(self, timeout, default):
1597
1976
"D-Bus signal"
1598
1977
return self.need_approval()
1599
1600
## Methods
1601
1978
1979
# Methods
1980
1602
1981
# Approve - method
1603
1982
@dbus.service.method(_interface, in_signature="b")
1604
1983
def Approve(self, value):
1605
1984
self.approve(value)
1606
1985
1607
1986
# CheckedOK - method
1608
1987
@dbus.service.method(_interface)
1609
1988
def CheckedOK(self):
1610
1989
self.checked_ok()
1611
1990
1612
1991
# Enable - method
1613
1992
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1993
@dbus.service.method(_interface)
1615
1994
def Enable(self):
1616
1995
"D-Bus method"
1617
1996
self.enable()
1618
1997
1619
1998
# StartChecker - method
1620
1999
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
2000
@dbus.service.method(_interface)
1622
2001
def StartChecker(self):
1623
2002
"D-Bus method"
1624
2003
self.start_checker()
1625
2004
1626
2005
# Disable - method
1627
2006
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
2007
@dbus.service.method(_interface)
1629
2008
def Disable(self):
1630
2009
"D-Bus method"
1631
2010
self.disable()
1632
2011
1633
2012
# StopChecker - method
1634
2013
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2014
@dbus.service.method(_interface)
1636
2015
def StopChecker(self):
1637
2016
self.stop_checker()
1638
1639
## Properties
1640
2017
2018
# Properties
2019
1641
2020
# ApprovalPending - property
1642
2021
@dbus_service_property(_interface, signature="b", access="read")
1643
2022
def ApprovalPending_dbus_property(self):
1644
2023
return dbus.Boolean(bool(self.approvals_pending))
1645
2024
1646
2025
# ApprovedByDefault - property
1647
2026
@dbus_service_property(_interface,
1648
2027
signature="b",
1651
2030
if value is None: # get
1652
2031
return dbus.Boolean(self.approved_by_default)
1653
2032
self.approved_by_default = bool(value)
1654
2033
1655
2034
# ApprovalDelay - property
1656
2035
@dbus_service_property(_interface,
1657
2036
signature="t",
1661
2040
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2041
* 1000)
1663
2042
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2043
1665
2044
# ApprovalDuration - property
1666
2045
@dbus_service_property(_interface,
1667
2046
signature="t",
1671
2050
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2051
* 1000)
1673
2052
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2053
1675
2054
# Name - property
1676
2055
@dbus_annotations(
1677
2056
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2057
@dbus_service_property(_interface, signature="s", access="read")
1679
2058
def Name_dbus_property(self):
1680
2059
return dbus.String(self.name)
1681
2060
2061
# KeyID - property
2062
@dbus_annotations(
2063
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2064
@dbus_service_property(_interface, signature="s", access="read")
2065
def KeyID_dbus_property(self):
2066
return dbus.String(self.key_id)
2067
1682
2068
# Fingerprint - property
1683
2069
@dbus_annotations(
1684
2070
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2071
@dbus_service_property(_interface, signature="s", access="read")
1686
2072
def Fingerprint_dbus_property(self):
1687
2073
return dbus.String(self.fingerprint)
1688
2074
1689
2075
# Host - property
1690
2076
@dbus_service_property(_interface,
1691
2077
signature="s",
1694
2080
if value is None: # get
1695
2081
return dbus.String(self.host)
1696
2082
self.host = str(value)
1697
2083
1698
2084
# Created - property
1699
2085
@dbus_annotations(
1700
2086
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2087
@dbus_service_property(_interface, signature="s", access="read")
1702
2088
def Created_dbus_property(self):
1703
2089
return datetime_to_dbus(self.created)
1704
2090
1705
2091
# LastEnabled - property
1706
2092
@dbus_service_property(_interface, signature="s", access="read")
1707
2093
def LastEnabled_dbus_property(self):
1708
2094
return datetime_to_dbus(self.last_enabled)
1709
2095
1710
2096
# Enabled - property
1711
2097
@dbus_service_property(_interface,
1712
2098
signature="b",
1718
2104
self.enable()
1719
2105
else:
1720
2106
self.disable()
1721
2107
1722
2108
# LastCheckedOK - property
1723
2109
@dbus_service_property(_interface,
1724
2110
signature="s",
1728
2114
self.checked_ok()
1729
2115
return
1730
2116
return datetime_to_dbus(self.last_checked_ok)
1731
2117
1732
2118
# LastCheckerStatus - property
1733
2119
@dbus_service_property(_interface, signature="n", access="read")
1734
2120
def LastCheckerStatus_dbus_property(self):
1735
2121
return dbus.Int16(self.last_checker_status)
1736
2122
1737
2123
# Expires - property
1738
2124
@dbus_service_property(_interface, signature="s", access="read")
1739
2125
def Expires_dbus_property(self):
1740
2126
return datetime_to_dbus(self.expires)
1741
2127
1742
2128
# LastApprovalRequest - property
1743
2129
@dbus_service_property(_interface, signature="s", access="read")
1744
2130
def LastApprovalRequest_dbus_property(self):
1745
2131
return datetime_to_dbus(self.last_approval_request)
1746
2132
1747
2133
# Timeout - property
1748
2134
@dbus_service_property(_interface,
1749
2135
signature="t",
1764
2150
if (getattr(self, "disable_initiator_tag", None)
1765
2151
is None):
1766
2152
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2153
GLib.source_remove(self.disable_initiator_tag)
2154
self.disable_initiator_tag = GLib.timeout_add(
1769
2155
int((self.expires - now).total_seconds() * 1000),
1770
2156
self.disable)
1771
2157
1772
2158
# ExtendedTimeout - property
1773
2159
@dbus_service_property(_interface,
1774
2160
signature="t",
1778
2164
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2165
* 1000)
1780
2166
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2167
1782
2168
# Interval - property
1783
2169
@dbus_service_property(_interface,
1784
2170
signature="t",
1791
2177
return
1792
2178
if self.enabled:
1793
2179
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2180
GLib.source_remove(self.checker_initiator_tag)
2181
self.checker_initiator_tag = GLib.timeout_add(
1796
2182
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2183
self.start_checker() # Start one now, too
2184
1799
2185
# Checker - property
1800
2186
@dbus_service_property(_interface,
1801
2187
signature="s",
1804
2190
if value is None: # get
1805
2191
return dbus.String(self.checker_command)
1806
2192
self.checker_command = str(value)
1807
2193
1808
2194
# CheckerRunning - property
1809
2195
@dbus_service_property(_interface,
1810
2196
signature="b",
1816
2202
self.start_checker()
1817
2203
else:
1818
2204
self.stop_checker()
1819
2205
1820
2206
# ObjectPath - property
1821
2207
@dbus_annotations(
1822
2208
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2209
"org.freedesktop.DBus.Deprecated": "true"})
1824
2210
@dbus_service_property(_interface, signature="o", access="read")
1825
2211
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2212
return self.dbus_object_path # is already a dbus.ObjectPath
2213
1828
2214
# Secret = property
1829
2215
@dbus_annotations(
1830
2216
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2221
byte_arrays=True)
1836
2222
def Secret_dbus_property(self, value):
1837
2223
self.secret = bytes(value)
1838
2224
1839
2225
del _interface
1840
2226
1841
2227
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2228
class ProxyClient:
2229
def __init__(self, child_pipe, key_id, fpr, address):
1844
2230
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2231
self._pipe.send(('init', key_id, fpr, address))
1846
2232
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2233
raise KeyError(key_id or fpr)
2234
1849
2235
def __getattribute__(self, name):
1850
2236
if name == '_pipe':
1851
2237
return super(ProxyClient, self).__getattribute__(name)
1854
2240
if data[0] == 'data':
1855
2241
return data[1]
1856
2242
if data[0] == 'function':
1857
2243
1858
2244
def func(*args, **kwargs):
1859
2245
self._pipe.send(('funcall', name, args, kwargs))
1860
2246
return self._pipe.recv()[1]
1861
2247
1862
2248
return func
1863
2249
1864
2250
def __setattr__(self, name, value):
1865
2251
if name == '_pipe':
1866
2252
return super(ProxyClient, self).__setattr__(name, value)
1869
2255
1870
2256
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2257
"""A class to handle client connections.
1872
2258
1873
2259
Instantiated once for each connection to handle it.
1874
2260
Note: This will run in its own forked process."""
1875
2261
1876
2262
def handle(self):
1877
2263
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2264
logger.info("TCP connection from: %s",
1879
2265
str(self.client_address))
1880
2266
logger.debug("Pipe FD: %d",
1881
2267
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2268
2269
session = gnutls.ClientSession(self.request)
2270
2271
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2272
# "+AES-256-CBC", "+SHA1",
2273
# "+COMP-NULL", "+CTYPE-OPENPGP",
2274
# "+DHE-DSS"))
1895
2275
# Use a fallback default, since this MUST be set.
1896
2276
priority = self.server.gnutls_priority
1897
2277
if priority is None:
1898
2278
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2279
gnutls.priority_set_direct(session._c_object,
2280
priority.encode("utf-8"),
2281
None)
2282
1902
2283
# Start communication using the Mandos protocol
1903
2284
# Get protocol number
1904
2285
line = self.request.makefile().readline()
1909
2290
except (ValueError, IndexError, RuntimeError) as error:
1910
2291
logger.error("Unknown protocol version: %s", error)
1911
2292
return
1912
2293
1913
2294
# Start GnuTLS connection
1914
2295
try:
1915
2296
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2297
except gnutls.Error as error:
1917
2298
logger.warning("Handshake failed: %s", error)
1918
2299
# Do not run session.bye() here: the session is not
1919
2300
# established. Just abandon the request.
1920
2301
return
1921
2302
logger.debug("Handshake succeeded")
1922
2303
1923
2304
approval_required = False
1924
2305
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2306
if gnutls.has_rawpk:
2307
fpr = b""
2308
try:
2309
key_id = self.key_id(
2310
self.peer_certificate(session))
2311
except (TypeError, gnutls.Error) as error:
2312
logger.warning("Bad certificate: %s", error)
2313
return
2314
logger.debug("Key ID: %s", key_id)
2315
2316
else:
2317
key_id = b""
2318
try:
2319
fpr = self.fingerprint(
2320
self.peer_certificate(session))
2321
except (TypeError, gnutls.Error) as error:
2322
logger.warning("Bad certificate: %s", error)
2323
return
2324
logger.debug("Fingerprint: %s", fpr)
2325
2326
try:
2327
client = ProxyClient(child_pipe, key_id, fpr,
1936
2328
self.client_address)
1937
2329
except KeyError:
1938
2330
return
1939
2331
1940
2332
if client.approval_delay:
1941
2333
delay = client.approval_delay
1942
2334
client.approvals_pending += 1
1943
2335
approval_required = True
1944
2336
1945
2337
while True:
1946
2338
if not client.enabled:
1947
2339
logger.info("Client %s is disabled",
1950
2342
# Emit D-Bus signal
1951
2343
client.Rejected("Disabled")
1952
2344
return
1953
2345
1954
2346
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2347
# We are approved or approval is disabled
1956
2348
break
1957
2349
elif client.approved is None:
1958
2350
logger.info("Client %s needs approval",
1969
2361
# Emit D-Bus signal
1970
2362
client.Rejected("Denied")
1971
2363
return
1972
1973
#wait until timeout or approved
2364
2365
# wait until timeout or approved
1974
2366
time = datetime.datetime.now()
1975
2367
client.changedstate.acquire()
1976
2368
client.changedstate.wait(delay.total_seconds())
1989
2381
break
1990
2382
else:
1991
2383
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2384
2385
try:
2386
session.send(client.secret)
2387
except gnutls.Error as error:
2388
logger.warning("gnutls send failed",
2389
exc_info=error)
2390
return
2391
2006
2392
logger.info("Sending secret to %s", client.name)
2007
2393
# bump the timeout using extended_timeout
2008
2394
client.bump_timeout(client.extended_timeout)
2009
2395
if self.server.use_dbus:
2010
2396
# Emit D-Bus signal
2011
2397
client.GotSecret()
2012
2398
2013
2399
finally:
2014
2400
if approval_required:
2015
2401
client.approvals_pending -= 1
2016
2402
try:
2017
2403
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2404
except gnutls.Error as error:
2019
2405
logger.warning("GnuTLS bye failed",
2020
2406
exc_info=error)
2021
2407
2022
2408
@staticmethod
2023
2409
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2410
"Return the peer's certificate as a bytestring"
2411
try:
2412
cert_type = gnutls.certificate_type_get2(session._c_object,
2413
gnutls.CTYPE_PEERS)
2414
except AttributeError:
2415
cert_type = gnutls.certificate_type_get(session._c_object)
2416
if gnutls.has_rawpk:
2417
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2418
else:
2419
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2420
# If not a valid certificate type...
2421
if cert_type not in valid_cert_types:
2422
logger.info("Cert type %r not in %r", cert_type,
2423
valid_cert_types)
2424
# ...return invalid data
2425
return b""
2031
2426
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2427
cert_list = (gnutls.certificate_get_peers
2034
2428
(session._c_object, ctypes.byref(list_size)))
2035
2429
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2430
raise gnutls.Error("error getting peer certificate")
2038
2431
if list_size.value == 0:
2039
2432
return None
2040
2433
cert = cert_list[0]
2041
2434
return ctypes.string_at(cert.data, cert.size)
2042
2435
2436
@staticmethod
2437
def key_id(certificate):
2438
"Convert a certificate bytestring to a hexdigit key ID"
2439
# New GnuTLS "datum" with the public key
2440
datum = gnutls.datum_t(
2441
ctypes.cast(ctypes.c_char_p(certificate),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.c_uint(len(certificate)))
2444
# XXX all these need to be created in the gnutls "module"
2445
# New empty GnuTLS certificate
2446
pubkey = gnutls.pubkey_t()
2447
gnutls.pubkey_init(ctypes.byref(pubkey))
2448
# Import the raw public key into the certificate
2449
gnutls.pubkey_import(pubkey,
2450
ctypes.byref(datum),
2451
gnutls.X509_FMT_DER)
2452
# New buffer for the key ID
2453
buf = ctypes.create_string_buffer(32)
2454
buf_len = ctypes.c_size_t(len(buf))
2455
# Get the key ID from the raw public key into the buffer
2456
gnutls.pubkey_get_key_id(pubkey,
2457
gnutls.KEYID_USE_SHA256,
2458
ctypes.cast(ctypes.byref(buf),
2459
ctypes.POINTER(ctypes.c_ubyte)),
2460
ctypes.byref(buf_len))
2461
# Deinit the certificate
2462
gnutls.pubkey_deinit(pubkey)
2463
2464
# Convert the buffer to a Python bytestring
2465
key_id = ctypes.string_at(buf, buf_len.value)
2466
# Convert the bytestring to hexadecimal notation
2467
hex_key_id = binascii.hexlify(key_id).upper()
2468
return hex_key_id
2469
2043
2470
@staticmethod
2044
2471
def fingerprint(openpgp):
2045
2472
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2473
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2474
datum = gnutls.datum_t(
2048
2475
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2476
ctypes.POINTER(ctypes.c_ubyte)),
2050
2477
ctypes.c_uint(len(openpgp)))
2051
2478
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2479
crt = gnutls.openpgp_crt_t()
2480
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2481
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2482
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2483
gnutls.OPENPGP_FMT_RAW)
2059
2484
# Verify the self signature in the key
2060
2485
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2486
gnutls.openpgp_crt_verify_self(crt, 0,
2487
ctypes.byref(crtverify))
2063
2488
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2489
gnutls.openpgp_crt_deinit(crt)
2490
raise gnutls.CertificateSecurityError(code
2491
=crtverify.value)
2067
2492
# New buffer for the fingerprint
2068
2493
buf = ctypes.create_string_buffer(20)
2069
2494
buf_len = ctypes.c_size_t()
2070
2495
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2496
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2497
ctypes.byref(buf_len))
2073
2498
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2499
gnutls.openpgp_crt_deinit(crt)
2075
2500
# Convert the buffer to a Python bytestring
2076
2501
fpr = ctypes.string_at(buf, buf_len.value)
2077
2502
# Convert the bytestring to hexadecimal notation
2079
2504
return hex_fpr
2080
2505
2081
2506
2082
class MultiprocessingMixIn(object):
2507
class MultiprocessingMixIn:
2083
2508
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2509
2085
2510
def sub_process_main(self, request, address):
2086
2511
try:
2087
2512
self.finish_request(request, address)
2088
2513
except Exception:
2089
2514
self.handle_error(request, address)
2090
2515
self.close_request(request)
2091
2516
2092
2517
def process_request(self, request, address):
2093
2518
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2519
proc = multiprocessing.Process(target=self.sub_process_main,
2520
args=(request, address))
2096
2521
proc.start()
2097
2522
return proc
2098
2523
2099
2524
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2525
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2101
2526
""" adds a pipe to the MixIn """
2102
2527
2103
2528
def process_request(self, request, client_address):
2104
2529
"""Overrides and wraps the original process_request().
2105
2530
2106
2531
This function creates a new pipe in self.pipe
2107
2532
"""
2108
2533
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2534
2110
2535
proc = MultiprocessingMixIn.process_request(self, request,
2111
2536
client_address)
2112
2537
self.child_pipe.close()
2113
2538
self.add_pipe(parent_pipe, proc)
2114
2539
2115
2540
def add_pipe(self, parent_pipe, proc):
2116
2541
"""Dummy function; override as necessary"""
2117
2542
raise NotImplementedError()
2118
2543
2119
2544
2120
2545
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
socketserver.TCPServer, object):
2546
socketserver.TCPServer):
2122
2547
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2548
2124
2549
Attributes:
2125
2550
enabled: Boolean; whether this server is activated yet
2126
2551
interface: None or a network interface name (string)
2127
2552
use_ipv6: Boolean; to use IPv6 or not
2128
2553
"""
2129
2554
2130
2555
def __init__(self, server_address, RequestHandlerClass,
2131
2556
interface=None,
2132
2557
use_ipv6=True,
2142
2567
self.socketfd = socketfd
2143
2568
# Save the original socket.socket() function
2144
2569
self.socket_socket = socket.socket
2570
2145
2571
# To implement --socket, we monkey patch socket.socket.
2146
#
2572
#
2147
2573
# (When socketserver.TCPServer is a new-style class, we
2148
2574
# could make self.socket into a property instead of monkey
2149
2575
# patching socket.socket.)
2150
#
2576
#
2151
2577
# Create a one-time-only replacement for socket.socket()
2152
2578
@functools.wraps(socket.socket)
2153
2579
def socket_wrapper(*args, **kwargs):
2165
2591
# socket_wrapper(), if socketfd was set.
2166
2592
socketserver.TCPServer.__init__(self, server_address,
2167
2593
RequestHandlerClass)
2168
2594
2169
2595
def server_bind(self):
2170
2596
"""This overrides the normal server_bind() function
2171
2597
to bind to an interface if one was specified, and also NOT to
2172
2598
bind to an address or port if they were not specified."""
2599
global SO_BINDTODEVICE
2173
2600
if self.interface is not None:
2174
2601
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2602
# Fall back to a hard-coded value which seems to be
2603
# common enough.
2604
logger.warning("SO_BINDTODEVICE not found, trying 25")
2605
SO_BINDTODEVICE = 25
2606
try:
2607
self.socket.setsockopt(
2608
socket.SOL_SOCKET, SO_BINDTODEVICE,
2609
(self.interface + "\0").encode("utf-8"))
2610
except socket.error as error:
2611
if error.errno == errno.EPERM:
2612
logger.error("No permission to bind to"
2613
" interface %s", self.interface)
2614
elif error.errno == errno.ENOPROTOOPT:
2615
logger.error("SO_BINDTODEVICE not available;"
2616
" cannot bind to interface %s",
2617
self.interface)
2618
elif error.errno == errno.ENODEV:
2619
logger.error("Interface %s does not exist,"
2620
" cannot bind", self.interface)
2621
else:
2622
raise
2196
2623
# Only bind(2) the socket if we really need to.
2197
2624
if self.server_address[0] or self.server_address[1]:
2625
if self.server_address[1]:
2626
self.allow_reuse_address = True
2198
2627
if not self.server_address[0]:
2199
2628
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2629
any_address = "::" # in6addr_any
2201
2630
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2631
any_address = "0.0.0.0" # INADDR_ANY
2203
2632
self.server_address = (any_address,
2204
2633
self.server_address[1])
2205
2634
elif not self.server_address[1]:
2215
2644
2216
2645
class MandosServer(IPv6_TCPServer):
2217
2646
"""Mandos server.
2218
2647
2219
2648
Attributes:
2220
2649
clients: set of Client objects
2221
2650
gnutls_priority GnuTLS priority string
2222
2651
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2652
2653
Assumes a GLib.MainLoop event loop.
2225
2654
"""
2226
2655
2227
2656
def __init__(self, server_address, RequestHandlerClass,
2228
2657
interface=None,
2229
2658
use_ipv6=True,
2239
2668
self.gnutls_priority = gnutls_priority
2240
2669
IPv6_TCPServer.__init__(self, server_address,
2241
2670
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2671
interface=interface,
2672
use_ipv6=use_ipv6,
2673
socketfd=socketfd)
2674
2246
2675
def server_activate(self):
2247
2676
if self.enabled:
2248
2677
return socketserver.TCPServer.server_activate(self)
2249
2678
2250
2679
def enable(self):
2251
2680
self.enabled = True
2252
2681
2253
2682
def add_pipe(self, parent_pipe, proc):
2254
2683
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2684
GLib.io_add_watch(
2685
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2686
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2258
2687
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2688
parent_pipe=parent_pipe,
2689
proc=proc))
2690
2262
2691
def handle_ipc(self, source, condition,
2263
2692
parent_pipe=None,
2264
proc = None,
2693
proc=None,
2265
2694
client_object=None):
2266
2695
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2696
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2697
# Wait for other process to exit
2269
2698
proc.join()
2270
2699
return False
2271
2700
2272
2701
# Read a request from the child
2273
2702
request = parent_pipe.recv()
2274
2703
command = request[0]
2275
2704
2276
2705
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2706
key_id = request[1].decode("ascii")
2707
fpr = request[2].decode("ascii")
2708
address = request[3]
2709
2710
for c in self.clients.values():
2711
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2712
continue
2713
if key_id and c.key_id == key_id:
2714
client = c
2715
break
2716
if fpr and c.fingerprint == fpr:
2282
2717
client = c
2283
2718
break
2284
2719
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2720
logger.info("Client not found for key ID: %s, address"
2721
": %s", key_id or fpr, address)
2287
2722
if self.use_dbus:
2288
2723
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2724
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2725
address[0])
2291
2726
parent_pipe.send(False)
2292
2727
return False
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2728
2729
GLib.io_add_watch(
2730
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2731
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2297
2732
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2733
parent_pipe=parent_pipe,
2734
proc=proc,
2735
client_object=client))
2301
2736
parent_pipe.send(True)
2302
2737
# remove the old hook in favor of the new above hook on
2303
2738
# same fileno
2306
2741
funcname = request[1]
2307
2742
args = request[2]
2308
2743
kwargs = request[3]
2309
2744
2310
2745
parent_pipe.send(('data', getattr(client_object,
2311
2746
funcname)(*args,
2312
2747
**kwargs)))
2313
2748
2314
2749
if command == 'getattr':
2315
2750
attrname = request[1]
2316
2751
if isinstance(client_object.__getattribute__(attrname),
2319
2754
else:
2320
2755
parent_pipe.send((
2321
2756
'data', client_object.__getattribute__(attrname)))
2322
2757
2323
2758
if command == 'setattr':
2324
2759
attrname = request[1]
2325
2760
value = request[2]
2326
2761
setattr(client_object, attrname, value)
2327
2762
2328
2763
return True
2329
2764
2330
2765
2331
2766
def rfc3339_duration_to_delta(duration):
2332
2767
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2768
2769
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2770
True
2771
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2772
True
2773
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2774
True
2775
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2776
True
2777
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2778
True
2779
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2780
True
2781
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2782
True
2348
2783
"""
2349
2784
2350
2785
# Parsing an RFC 3339 duration with regular expressions is not
2351
2786
# possible - there would have to be multiple places for the same
2352
2787
# values, like seconds. The current code, while more esoteric, is
2353
2788
# cleaner without depending on a parsing library. If Python had a
2354
2789
# built-in library for parsing we would use it, but we'd like to
2355
2790
# avoid excessive use of external libraries.
2356
2791
2357
2792
# New type for defining tokens, syntax, and semantics all-in-one
2358
2793
Token = collections.namedtuple("Token", (
2359
2794
"regexp", # To match token; if "value" is not None, must have
2392
2827
frozenset((token_year, token_month,
2393
2828
token_day, token_time,
2394
2829
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2830
# Define starting values:
2831
# Value so far
2832
value = datetime.timedelta()
2397
2833
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2834
# Following valid tokens
2835
followers = frozenset((token_duration, ))
2836
# String left to parse
2837
s = duration
2400
2838
# Loop until end token is found
2401
2839
while found_token is not token_end:
2402
2840
# Search for any currently valid tokens
2426
2864
2427
2865
def string_to_delta(interval):
2428
2866
"""Parse a string and return a datetime.timedelta
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2867
2868
>>> string_to_delta('7d') == datetime.timedelta(7)
2869
True
2870
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2871
True
2872
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2873
True
2874
>>> string_to_delta('24h') == datetime.timedelta(1)
2875
True
2876
>>> string_to_delta('1w') == datetime.timedelta(7)
2877
True
2878
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2879
True
2442
2880
"""
2443
2881
2444
2882
try:
2445
2883
return rfc3339_duration_to_delta(interval)
2446
2884
except ValueError:
2447
2885
pass
2448
2886
2449
2887
timevalue = datetime.timedelta(0)
2450
2888
for s in interval.split():
2451
2889
try:
2469
2907
return timevalue
2470
2908
2471
2909
2472
def daemon(nochdir = False, noclose = False):
2910
def daemon(nochdir=False, noclose=False):
2473
2911
"""See daemon(3). Standard BSD Unix function.
2474
2912
2475
2913
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2914
if os.fork():
2477
2915
sys.exit()
2495
2933
2496
2934
2497
2935
def main():
2498
2936
2499
2937
##################################################################
2500
2938
# Parsing of options, both command line and config file
2501
2939
2502
2940
parser = argparse.ArgumentParser()
2503
2941
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2942
version="%(prog)s {}".format(version),
2505
2943
help="show version number and exit")
2506
2944
parser.add_argument("-i", "--interface", metavar="IF",
2507
2945
help="Bind to interface IF")
2543
2981
parser.add_argument("--no-zeroconf", action="store_false",
2544
2982
dest="zeroconf", help="Do not use Zeroconf",
2545
2983
default=None)
2546
2984
2547
2985
options = parser.parse_args()
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2986
2554
2987
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2988
if gnutls.has_rawpk:
2989
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2990
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2991
else:
2992
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2993
":+SIGN-DSA-SHA256")
2994
server_defaults = {"interface": "",
2995
"address": "",
2996
"port": "",
2997
"debug": "False",
2998
"priority": priority,
2999
"servicename": "Mandos",
3000
"use_dbus": "True",
3001
"use_ipv6": "True",
3002
"debuglevel": "",
3003
"restore": "True",
3004
"socket": "",
3005
"statedir": "/var/lib/mandos",
3006
"foreground": "False",
3007
"zeroconf": "True",
3008
}
3009
del priority
3010
2573
3011
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3012
server_config = configparser.ConfigParser(server_defaults)
2575
3013
del server_defaults
2576
3014
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3015
# Convert the ConfigParser object to a dict
2578
3016
server_settings = server_config.defaults()
2579
3017
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3018
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3019
"foreground", "zeroconf"):
2581
3020
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3021
option)
2583
3022
if server_settings["port"]:
2593
3032
server_settings["socket"] = os.dup(server_settings
2594
3033
["socket"])
2595
3034
del server_config
2596
3035
2597
3036
# Override the settings from the config file with command line
2598
3037
# options, if set.
2599
3038
for option in ("interface", "address", "port", "debug",
2617
3056
if server_settings["debug"]:
2618
3057
server_settings["foreground"] = True
2619
3058
# Now we have our good server settings in "server_settings"
2620
3059
2621
3060
##################################################################
2622
3061
2623
3062
if (not server_settings["zeroconf"]
2624
3063
and not (server_settings["port"]
2625
3064
or server_settings["socket"] != "")):
2626
3065
parser.error("Needs port or socket to work without Zeroconf")
2627
3066
2628
3067
# For convenience
2629
3068
debug = server_settings["debug"]
2630
3069
debuglevel = server_settings["debuglevel"]
2634
3073
stored_state_file)
2635
3074
foreground = server_settings["foreground"]
2636
3075
zeroconf = server_settings["zeroconf"]
2637
3076
2638
3077
if debug:
2639
3078
initlogger(debug, logging.DEBUG)
2640
3079
else:
2643
3082
else:
2644
3083
level = getattr(logging, debuglevel.upper())
2645
3084
initlogger(debug, level)
2646
3085
2647
3086
if server_settings["servicename"] != "Mandos":
2648
3087
syslogger.setFormatter(
2649
3088
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3089
' %(levelname)s: %(message)s'.format(
2651
3090
server_settings["servicename"])))
2652
3091
2653
3092
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3093
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3094
client_config.read(os.path.join(server_settings["configdir"],
2657
3095
"clients.conf"))
2658
3096
2659
3097
global mandos_dbus_service
2660
3098
mandos_dbus_service = None
2661
3099
2662
3100
socketfd = None
2663
3101
if server_settings["socket"] != "":
2664
3102
socketfd = server_settings["socket"]
2680
3118
except IOError as e:
2681
3119
logger.error("Could not open file %r", pidfilename,
2682
3120
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3121
3122
for name, group in (("_mandos", "_mandos"),
3123
("mandos", "mandos"),
3124
("nobody", "nogroup")):
2685
3125
try:
2686
3126
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3127
gid = pwd.getpwnam(group).pw_gid
2688
3128
break
2689
3129
except KeyError:
2690
3130
continue
2694
3134
try:
2695
3135
os.setgid(gid)
2696
3136
os.setuid(uid)
3137
if debug:
3138
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3139
gid))
2697
3140
except OSError as error:
3141
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3142
.format(uid, gid, os.strerror(error.errno)))
2698
3143
if error.errno != errno.EPERM:
2699
3144
raise
2700
3145
2701
3146
if debug:
2702
3147
# Enable all possible GnuTLS debugging
2703
3148
2704
3149
# "Use a log level over 10 to enable all debugging options."
2705
3150
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3151
gnutls.global_set_log_level(11)
3152
3153
@gnutls.log_func
2709
3154
def debug_gnutls(level, string):
2710
3155
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3156
3157
gnutls.global_set_log_function(debug_gnutls)
3158
2715
3159
# Redirect stdin so all checkers get /dev/null
2716
3160
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3161
os.dup2(null, sys.stdin.fileno())
2718
3162
if null > 2:
2719
3163
os.close(null)
2720
3164
2721
3165
# Need to fork before connecting to D-Bus
2722
3166
if not foreground:
2723
3167
# Close all input and output, do double fork, etc.
2724
3168
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3169
3170
if gi.version_info < (3, 10, 2):
3171
# multiprocessing will use threads, so before we use GLib we
3172
# need to inform GLib that threads will be used.
3173
GLib.threads_init()
3174
2730
3175
global main_loop
2731
3176
# From the Avahi example code
2732
3177
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3178
main_loop = GLib.MainLoop()
2734
3179
bus = dbus.SystemBus()
2735
3180
# End of Avahi example code
2736
3181
if use_dbus:
2749
3194
if zeroconf:
2750
3195
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3196
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3197
name=server_settings["servicename"],
3198
servicetype="_mandos._tcp",
3199
protocol=protocol,
3200
bus=bus)
2756
3201
if server_settings["interface"]:
2757
3202
service.interface = if_nametoindex(
2758
3203
server_settings["interface"].encode("utf-8"))
2759
3204
2760
3205
global multiprocessing_manager
2761
3206
multiprocessing_manager = multiprocessing.Manager()
2762
3207
2763
3208
client_class = Client
2764
3209
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3210
client_class = functools.partial(ClientDBus, bus=bus)
3211
2767
3212
client_settings = Client.config_parser(client_config)
2768
3213
old_client_settings = {}
2769
3214
clients_data = {}
2770
3215
2771
3216
# This is used to redirect stdout and stderr for checker processes
2772
3217
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3218
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3219
# Only used if server is running in foreground but not in debug
2775
3220
# mode
2776
3221
if debug or not foreground:
2777
3222
wnull.close()
2778
3223
2779
3224
# Get client data and settings from last running state.
2780
3225
if server_settings["restore"]:
2781
3226
try:
2782
3227
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3228
if sys.version_info.major == 2:
3229
clients_data, old_client_settings = pickle.load(
3230
stored_state)
3231
else:
3232
bytes_clients_data, bytes_old_client_settings = (
3233
pickle.load(stored_state, encoding="bytes"))
3234
# Fix bytes to strings
3235
# clients_data
3236
# .keys()
3237
clients_data = {(key.decode("utf-8")
3238
if isinstance(key, bytes)
3239
else key): value
3240
for key, value in
3241
bytes_clients_data.items()}
3242
del bytes_clients_data
3243
for key in clients_data:
3244
value = {(k.decode("utf-8")
3245
if isinstance(k, bytes) else k): v
3246
for k, v in
3247
clients_data[key].items()}
3248
clients_data[key] = value
3249
# .client_structure
3250
value["client_structure"] = [
3251
(s.decode("utf-8")
3252
if isinstance(s, bytes)
3253
else s) for s in
3254
value["client_structure"]]
3255
# .name, .host, and .checker_command
3256
for k in ("name", "host", "checker_command"):
3257
if isinstance(value[k], bytes):
3258
value[k] = value[k].decode("utf-8")
3259
if "key_id" not in value:
3260
value["key_id"] = ""
3261
elif "fingerprint" not in value:
3262
value["fingerprint"] = ""
3263
# old_client_settings
3264
# .keys()
3265
old_client_settings = {
3266
(key.decode("utf-8")
3267
if isinstance(key, bytes)
3268
else key): value
3269
for key, value in
3270
bytes_old_client_settings.items()}
3271
del bytes_old_client_settings
3272
# .host and .checker_command
3273
for value in old_client_settings.values():
3274
for attribute in ("host", "checker_command"):
3275
if isinstance(value[attribute], bytes):
3276
value[attribute] = (value[attribute]
3277
.decode("utf-8"))
2785
3278
os.remove(stored_state_path)
2786
3279
except IOError as e:
2787
3280
if e.errno == errno.ENOENT:
2795
3288
logger.warning("Could not load persistent state: "
2796
3289
"EOFError:",
2797
3290
exc_info=e)
2798
3291
2799
3292
with PGPEngine() as pgp:
2800
3293
for client_name, client in clients_data.items():
2801
3294
# Skip removed clients
2802
3295
if client_name not in client_settings:
2803
3296
continue
2804
3297
2805
3298
# Decide which value to use after restoring saved state.
2806
3299
# We have three different values: Old config file,
2807
3300
# new config file, and saved state.
2818
3311
client[name] = value
2819
3312
except KeyError:
2820
3313
pass
2821
3314
2822
3315
# Clients who has passed its expire date can still be
2823
3316
# enabled if its last checker was successful. A Client
2824
3317
# whose checker succeeded before we stored its state is
2857
3350
client_name))
2858
3351
client["secret"] = (client_settings[client_name]
2859
3352
["secret"])
2860
3353
2861
3354
# Add/remove clients based on new changes made to config
2862
3355
for client_name in (set(old_client_settings)
2863
3356
- set(client_settings)):
2865
3358
for client_name in (set(client_settings)
2866
3359
- set(old_client_settings)):
2867
3360
clients_data[client_name] = client_settings[client_name]
2868
3361
2869
3362
# Create all client objects
2870
3363
for client_name, client in clients_data.items():
2871
3364
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3365
name=client_name,
3366
settings=client,
3367
server_settings=server_settings)
3368
2876
3369
if not tcp_server.clients:
2877
3370
logger.warning("No clients defined")
2878
3371
2879
3372
if not foreground:
2880
3373
if pidfile is not None:
2881
3374
pid = os.getpid()
2887
3380
pidfilename, pid)
2888
3381
del pidfile
2889
3382
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3383
3384
for termsig in (signal.SIGHUP, signal.SIGTERM):
3385
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3386
lambda: main_loop.quit() and False)
3387
2894
3388
if use_dbus:
2895
3389
2896
3390
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3391
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3392
class MandosDBusService(DBusObjectWithObjectManager):
2899
3393
"""A D-Bus proxy object"""
2900
3394
2901
3395
def __init__(self):
2902
3396
dbus.service.Object.__init__(self, bus, "/")
2903
3397
2904
3398
_interface = "se.recompile.Mandos"
2905
3399
2906
3400
@dbus.service.signal(_interface, signature="o")
2907
3401
def ClientAdded(self, objpath):
2908
3402
"D-Bus signal"
2909
3403
pass
2910
3404
2911
3405
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3406
def ClientNotFound(self, key_id, address):
2913
3407
"D-Bus signal"
2914
3408
pass
2915
3409
2916
3410
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3411
"true"})
2918
3412
@dbus.service.signal(_interface, signature="os")
2919
3413
def ClientRemoved(self, objpath, name):
2920
3414
"D-Bus signal"
2921
3415
pass
2922
3416
2923
3417
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3418
"true"})
2925
3419
@dbus.service.method(_interface, out_signature="ao")
2926
3420
def GetAllClients(self):
2927
3421
"D-Bus method"
2928
3422
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3423
tcp_server.clients.values())
3424
2931
3425
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3426
"true"})
2933
3427
@dbus.service.method(_interface,
2935
3429
def GetAllClientsWithProperties(self):
2936
3430
"D-Bus method"
2937
3431
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3432
{c.dbus_object_path: c.GetAll(
2939
3433
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3434
for c in tcp_server.clients.values()},
2941
3435
signature="oa{sv}")
2942
3436
2943
3437
@dbus.service.method(_interface, in_signature="o")
2944
3438
def RemoveClient(self, object_path):
2945
3439
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3440
for c in tcp_server.clients.values():
2947
3441
if c.dbus_object_path == object_path:
2948
3442
del tcp_server.clients[c.name]
2949
3443
c.remove_from_connection()
2953
3447
self.client_removed_signal(c)
2954
3448
return
2955
3449
raise KeyError(object_path)
2956
3450
2957
3451
del _interface
2958
3452
2959
3453
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3454
out_signature="a{oa{sa{sv}}}")
2961
3455
def GetManagedObjects(self):
2962
3456
"""D-Bus method"""
2963
3457
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3458
{client.dbus_object_path:
3459
dbus.Dictionary(
3460
{interface: client.GetAll(interface)
3461
for interface in
3462
client._get_all_interface_names()})
3463
for client in tcp_server.clients.values()})
3464
2971
3465
def client_added_signal(self, client):
2972
3466
"""Send the new standard signal and the old signal"""
2973
3467
if use_dbus:
2975
3469
self.InterfacesAdded(
2976
3470
client.dbus_object_path,
2977
3471
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3472
{interface: client.GetAll(interface)
3473
for interface in
3474
client._get_all_interface_names()}))
2981
3475
# Old signal
2982
3476
self.ClientAdded(client.dbus_object_path)
2983
3477
2984
3478
def client_removed_signal(self, client):
2985
3479
"""Send the new standard signal and the old signal"""
2986
3480
if use_dbus:
2991
3485
# Old signal
2992
3486
self.ClientRemoved(client.dbus_object_path,
2993
3487
client.name)
2994
3488
2995
3489
mandos_dbus_service = MandosDBusService()
2996
3490
3491
# Save modules to variables to exempt the modules from being
3492
# unloaded before the function registered with atexit() is run.
3493
mp = multiprocessing
3494
wn = wnull
3495
2997
3496
def cleanup():
2998
3497
"Cleanup function; run on exit"
2999
3498
if zeroconf:
3000
3499
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3500
3501
mp.active_children()
3502
wn.close()
3004
3503
if not (tcp_server.clients or client_settings):
3005
3504
return
3006
3505
3007
3506
# Store client before exiting. Secrets are encrypted with key
3008
3507
# based on what config file has. If config file is
3009
3508
# removed/edited, old secret will thus be unrecovable.
3010
3509
clients = {}
3011
3510
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3511
for client in tcp_server.clients.values():
3013
3512
key = client_settings[client.name]["secret"]
3014
3513
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3514
key)
3016
3515
client_dict = {}
3017
3516
3018
3517
# A list of attributes that can not be pickled
3019
3518
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3519
exclude = {"bus", "changedstate", "secret",
3520
"checker", "server_settings"}
3022
3521
for name, typ in inspect.getmembers(dbus.service
3023
3522
.Object):
3024
3523
exclude.add(name)
3025
3524
3026
3525
client_dict["encrypted_secret"] = (client
3027
3526
.encrypted_secret)
3028
3527
for attr in client.client_structure:
3029
3528
if attr not in exclude:
3030
3529
client_dict[attr] = getattr(client, attr)
3031
3530
3032
3531
clients[client.name] = client_dict
3033
3532
del client_settings[client.name]["secret"]
3034
3533
3035
3534
try:
3036
3535
with tempfile.NamedTemporaryFile(
3037
3536
mode='wb',
3039
3538
prefix='clients-',
3040
3539
dir=os.path.dirname(stored_state_path),
3041
3540
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3541
pickle.dump((clients, client_settings), stored_state,
3542
protocol=2)
3043
3543
tempname = stored_state.name
3044
3544
os.rename(tempname, stored_state_path)
3045
3545
except (IOError, OSError) as e:
3055
3555
logger.warning("Could not save persistent state:",
3056
3556
exc_info=e)
3057
3557
raise
3058
3558
3059
3559
# Delete all clients, and settings from config
3060
3560
while tcp_server.clients:
3061
3561
name, client = tcp_server.clients.popitem()
3067
3567
if use_dbus:
3068
3568
mandos_dbus_service.client_removed_signal(client)
3069
3569
client_settings.clear()
3070
3570
3071
3571
atexit.register(cleanup)
3072
3073
for client in tcp_server.clients.itervalues():
3572
3573
for client in tcp_server.clients.values():
3074
3574
if use_dbus:
3075
3575
# Emit D-Bus signal for adding
3076
3576
mandos_dbus_service.client_added_signal(client)
3077
3577
# Need to initiate checking of clients
3078
3578
if client.enabled:
3079
3579
client.init_checker()
3080
3580
3081
3581
tcp_server.enable()
3082
3582
tcp_server.server_activate()
3083
3583
3084
3584
# Find out what port we got
3085
3585
if zeroconf:
3086
3586
service.port = tcp_server.socket.getsockname()[1]
3091
3591
else: # IPv4
3092
3592
logger.info("Now listening on address %r, port %d",
3093
3593
*tcp_server.socket.getsockname())
3094
3095
#service.interface = tcp_server.socket.getsockname()[3]
3096
3594
3595
# service.interface = tcp_server.socket.getsockname()[3]
3596
3097
3597
try:
3098
3598
if zeroconf:
3099
3599
# From the Avahi example code
3104
3604
cleanup()
3105
3605
sys.exit(1)
3106
3606
# End of Avahi example code
3107
3108
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3109
lambda *args, **kwargs:
3110
(tcp_server.handle_request
3111
(*args[2:], **kwargs) or True))
3112
3607
3608
GLib.io_add_watch(
3609
GLib.IOChannel.unix_new(tcp_server.fileno()),
3610
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3611
lambda *args, **kwargs: (tcp_server.handle_request
3612
(*args[2:], **kwargs) or True))
3613
3113
3614
logger.debug("Starting main loop")
3114
3615
main_loop.run()
3115
3616
except AvahiError as error:
3124
3625
# Must run before the D-Bus bus name gets deregistered
3125
3626
cleanup()
3126
3627
3628
3629
def should_only_run_tests():
3630
parser = argparse.ArgumentParser(add_help=False)
3631
parser.add_argument("--check", action='store_true')
3632
args, unknown_args = parser.parse_known_args()
3633
run_tests = args.check
3634
if run_tests:
3635
# Remove --check argument from sys.argv
3636
sys.argv[1:] = unknown_args
3637
return run_tests
3638
3639
# Add all tests from doctest strings
3640
def load_tests(loader, tests, none):
3641
import doctest
3642
tests.addTests(doctest.DocTestSuite())
3643
return tests
3127
3644
3128
3645
if __name__ == '__main__':
3129
main()
3646
try:
3647
if should_only_run_tests():
3648
# Call using ./mandos --check [--verbose]
3649
unittest.main()
3650
else:
3651
main()
3652
finally:
3653
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0