To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1024
- compare with another revision
- download diff
- download tarball
- view history from revision 1024
- Committer: Teddy Hogeborn
- Date: 2019-03-05 21:39:15 UTC
- Revision ID: teddy@recompile.se-20190305213915-xm1vw00jyy3a5tfn
mandos-ctl: Add more tests, including tests for all commands
* mandos-ctl (Test_string_to_delta.test_handles_basic_rfc3339): Add a
few more test cases.
(TestCmd.setUp.MockClient.Set, TestCmd.setUp.MockClient.Get): Don't
append to self.calls, since nobody should use it to check for Set()
or Get() calls; instead, the return value of Get() should be
inspected, and the MockClient.attributes dict should be inspected
after (implicitly) calling Set().
(Unique): New; stand-in for unittest.mock.sentinel.
(TestPropertyCmd): New; abstract class testing PropertyCmd classes.
(TestBumpTimeoutCmd, TestStartCheckerCmd, TestStopCheckerCmd,
TestApproveByDefaultCmd, TestDenyByDefaultCmd): New.
(TestValueArgumentPropertyCmd): New; abstract class for testing
those PropertyCmd classes which also
inherit from ValueArgumentMixIn.
(TestSetCheckerCmd, TestSetHostCmd, TestSetSecretCmd,
TestSetTimeoutCmd, TestSetExtendedTimeoutCmd, TestSetIntervalCmd,
TestSetApprovalDelayCmd, TestSetApprovalDurationCmd): New.
* mandos-ctl (Test_string_to_delta.test_handles_basic_rfc3339): Add a
few more test cases.
(TestCmd.setUp.MockClient.Set, TestCmd.setUp.MockClient.Get): Don't
append to self.calls, since nobody should use it to check for Set()
or Get() calls; instead, the return value of Get() should be
inspected, and the MockClient.attributes dict should be inspected
after (implicitly) calling Set().
(Unique): New; stand-in for unittest.mock.sentinel.
(TestPropertyCmd): New; abstract class testing PropertyCmd classes.
(TestBumpTimeoutCmd, TestStartCheckerCmd, TestStopCheckerCmd,
TestApproveByDefaultCmd, TestDenyByDefaultCmd): New.
(TestValueArgumentPropertyCmd): New; abstract class for testing
those PropertyCmd classes which also
inherit from ValueArgumentMixIn.
(TestSetCheckerCmd, TestSetHostCmd, TestSetSecretCmd,
TestSetTimeoutCmd, TestSetExtendedTimeoutCmd, TestSetIntervalCmd,
TestSetApprovalDelayCmd, TestSetApprovalDurationCmd): New.
- files added:
- bugs.xml
- files removed:
- initramfs-tools-hook-conf
- files modified:
- DBUS-API
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
82
80
83
81
import dbus
84
82
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
83
from gi.repository import GLib
90
84
from dbus.mainloop.glib import DBusGMainLoop
91
85
import ctypes
92
86
import ctypes.util
93
87
import xml.dom.minidom
94
88
import inspect
95
89
90
# Try to find the value of SO_BINDTODEVICE:
96
91
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
97
94
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
95
except AttributeError:
99
96
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
100
99
from IN import SO_BINDTODEVICE
101
100
except ImportError:
102
SO_BINDTODEVICE = None
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
103
114
104
115
if sys.version_info.major == 2:
105
116
str = unicode
106
117
107
version = "1.7.0"
118
version = "1.8.3"
108
119
stored_state_file = "clients.pickle"
109
120
110
121
logger = logging.getLogger()
114
125
if_nametoindex = ctypes.cdll.LoadLibrary(
115
126
ctypes.util.find_library("c")).if_nametoindex
116
127
except (OSError, AttributeError):
117
128
118
129
def if_nametoindex(interface):
119
130
"Get an interface index the hard way, i.e. using fcntl()"
120
131
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
136
return interface_index
126
137
127
138
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
128
155
def initlogger(debug, level=logging.WARNING):
129
156
"""init logger and add loglevel"""
130
157
131
158
global syslogger
132
159
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
135
162
syslogger.setFormatter(logging.Formatter
136
163
('Mandos [%(process)d]: %(levelname)s:'
137
164
' %(message)s'))
138
165
logger.addHandler(syslogger)
139
166
140
167
if debug:
141
168
console = logging.StreamHandler()
142
169
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
154
181
155
182
class PGPEngine(object):
156
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
184
158
185
def __init__(self):
159
186
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
160
198
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
199
'--homedir', self.tempdir,
162
200
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
166
206
def __enter__(self):
167
207
return self
168
208
169
209
def __exit__(self, exc_type, exc_value, traceback):
170
210
self._cleanup()
171
211
return False
172
212
173
213
def __del__(self):
174
214
self._cleanup()
175
215
176
216
def _cleanup(self):
177
217
if self.tempdir is not None:
178
218
# Delete contents of tempdir
179
219
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
220
topdown=False):
181
221
for filename in files:
182
222
os.remove(os.path.join(root, filename))
183
223
for dirname in dirs:
185
225
# Remove tempdir
186
226
os.rmdir(self.tempdir)
187
227
self.tempdir = None
188
228
189
229
def password_encode(self, password):
190
230
# Passphrase can not be empty and can not contain newlines or
191
231
# NUL bytes. So we prefix it and hex encode it.
196
236
.replace(b"\n", b"\\n")
197
237
.replace(b"\0", b"\\x00"))
198
238
return encoded
199
239
200
240
def encrypt(self, data, password):
201
241
passphrase = self.password_encode(password)
202
242
with tempfile.NamedTemporaryFile(
203
243
dir=self.tempdir) as passfile:
204
244
passfile.write(passphrase)
205
245
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
246
proc = subprocess.Popen([self.gpg, '--symmetric',
207
247
'--passphrase-file',
208
248
passfile.name]
209
249
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
214
254
if proc.returncode != 0:
215
255
raise PGPError(err)
216
256
return ciphertext
217
257
218
258
def decrypt(self, data, password):
219
259
passphrase = self.password_encode(password)
220
260
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
261
dir=self.tempdir) as passfile:
222
262
passfile.write(passphrase)
223
263
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
264
proc = subprocess.Popen([self.gpg, '--decrypt',
225
265
'--passphrase-file',
226
266
passfile.name]
227
267
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
232
272
if proc.returncode != 0:
233
273
raise PGPError(err)
234
274
return decrypted_plaintext
235
275
236
276
277
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
289
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
303
237
304
class AvahiError(Exception):
238
305
def __init__(self, value, *args, **kwargs):
239
306
self.value = value
251
318
252
319
class AvahiService(object):
253
320
"""An Avahi (Zeroconf) service.
254
321
255
322
Attributes:
256
323
interface: integer; avahi.IF_UNSPEC or an interface index.
257
324
Used to optionally bind to the specified interface.
269
336
server: D-Bus Server
270
337
bus: dbus.SystemBus()
271
338
"""
272
339
273
340
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
284
351
self.interface = interface
285
352
self.name = name
286
353
self.type = servicetype
295
362
self.server = None
296
363
self.bus = bus
297
364
self.entry_group_state_changed_match = None
298
365
299
366
def rename(self, remove=True):
300
367
"""Derived from the Avahi example code"""
301
368
if self.rename_count >= self.max_renames:
321
388
logger.critical("D-Bus Exception", exc_info=error)
322
389
self.cleanup()
323
390
os._exit(1)
324
391
325
392
def remove(self):
326
393
"""Derived from the Avahi example code"""
327
394
if self.entry_group_state_changed_match is not None:
329
396
self.entry_group_state_changed_match = None
330
397
if self.group is not None:
331
398
self.group.Reset()
332
399
333
400
def add(self):
334
401
"""Derived from the Avahi example code"""
335
402
self.remove()
352
419
dbus.UInt16(self.port),
353
420
avahi.string_array_to_txt_array(self.TXT))
354
421
self.group.Commit()
355
422
356
423
def entry_group_state_changed(self, state, error):
357
424
"""Derived from the Avahi example code"""
358
425
logger.debug("Avahi entry group state change: %i", state)
359
426
360
427
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
428
logger.debug("Zeroconf service established.")
362
429
elif state == avahi.ENTRY_GROUP_COLLISION:
366
433
logger.critical("Avahi: Error in group state changed %s",
367
434
str(error))
368
435
raise AvahiGroupError("State changed: {!s}".format(error))
369
436
370
437
def cleanup(self):
371
438
"""Derived from the Avahi example code"""
372
439
if self.group is not None:
377
444
pass
378
445
self.group = None
379
446
self.remove()
380
447
381
448
def server_state_changed(self, state, error=None):
382
449
"""Derived from the Avahi example code"""
383
450
logger.debug("Avahi server state change: %i", state)
412
479
logger.debug("Unknown state: %r", state)
413
480
else:
414
481
logger.debug("Unknown state: %r: %r", state, error)
415
482
416
483
def activate(self):
417
484
"""Derived from the Avahi example code"""
418
485
if self.server is None:
429
496
class AvahiServiceToSyslog(AvahiService):
430
497
def rename(self, *args, **kwargs):
431
498
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
500
syslogger.setFormatter(logging.Formatter(
434
501
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
502
.format(self.name)))
436
503
return ret
437
504
505
506
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
510
511
library = ctypes.util.find_library("gnutls")
512
if library is None:
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
515
del library
516
_need_version = b"3.3.0"
517
_tls_rawpk_version = b"3.6.6"
518
519
def __init__(self):
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
525
526
# Unless otherwise indicated, the constants and types below are
527
# all from the gnutls/gnutls.h C header file.
528
529
# Constants
530
E_SUCCESS = 0
531
E_INTERRUPTED = -52
532
E_AGAIN = -28
533
CRT_OPENPGP = 2
534
CRT_RAWPK = 3
535
CLIENT = 2
536
SHUT_RDWR = 0
537
CRD_CERTIFICATE = 1
538
E_NO_CERTIFICATE_FOUND = -49
539
X509_FMT_DER = 0
540
NO_TICKETS = 1<<10
541
ENABLE_RAWPK = 1<<18
542
CTYPE_PEERS = 3
543
KEYID_USE_SHA256 = 1 # gnutls/x509.h
544
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
545
546
# Types
547
class session_int(ctypes.Structure):
548
_fields_ = []
549
session_t = ctypes.POINTER(session_int)
550
551
class certificate_credentials_st(ctypes.Structure):
552
_fields_ = []
553
certificate_credentials_t = ctypes.POINTER(
554
certificate_credentials_st)
555
certificate_type_t = ctypes.c_int
556
557
class datum_t(ctypes.Structure):
558
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
559
('size', ctypes.c_uint)]
560
561
class openpgp_crt_int(ctypes.Structure):
562
_fields_ = []
563
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
564
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
565
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
566
credentials_type_t = ctypes.c_int
567
transport_ptr_t = ctypes.c_void_p
568
close_request_t = ctypes.c_int
569
570
# Exceptions
571
class Error(Exception):
572
# We need to use the class name "GnuTLS" here, since this
573
# exception might be raised from within GnuTLS.__init__,
574
# which is called before the assignment to the "gnutls"
575
# global variable has happened.
576
def __init__(self, message=None, code=None, args=()):
577
# Default usage is by a message string, but if a return
578
# code is passed, convert it to a string with
579
# gnutls.strerror()
580
self.code = code
581
if message is None and code is not None:
582
message = GnuTLS.strerror(code)
583
return super(GnuTLS.Error, self).__init__(
584
message, *args)
585
586
class CertificateSecurityError(Error):
587
pass
588
589
# Classes
590
class Credentials(object):
591
def __init__(self):
592
self._c_object = gnutls.certificate_credentials_t()
593
gnutls.certificate_allocate_credentials(
594
ctypes.byref(self._c_object))
595
self.type = gnutls.CRD_CERTIFICATE
596
597
def __del__(self):
598
gnutls.certificate_free_credentials(self._c_object)
599
600
class ClientSession(object):
601
def __init__(self, socket, credentials=None):
602
self._c_object = gnutls.session_t()
603
gnutls_flags = gnutls.CLIENT
604
if gnutls.check_version("3.5.6"):
605
gnutls_flags |= gnutls.NO_TICKETS
606
if gnutls.has_rawpk:
607
gnutls_flags |= gnutls.ENABLE_RAWPK
608
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
609
del gnutls_flags
610
gnutls.set_default_priority(self._c_object)
611
gnutls.transport_set_ptr(self._c_object, socket.fileno())
612
gnutls.handshake_set_private_extensions(self._c_object,
613
True)
614
self.socket = socket
615
if credentials is None:
616
credentials = gnutls.Credentials()
617
gnutls.credentials_set(self._c_object, credentials.type,
618
ctypes.cast(credentials._c_object,
619
ctypes.c_void_p))
620
self.credentials = credentials
621
622
def __del__(self):
623
gnutls.deinit(self._c_object)
624
625
def handshake(self):
626
return gnutls.handshake(self._c_object)
627
628
def send(self, data):
629
data = bytes(data)
630
data_len = len(data)
631
while data_len > 0:
632
data_len -= gnutls.record_send(self._c_object,
633
data[-data_len:],
634
data_len)
635
636
def bye(self):
637
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
638
639
# Error handling functions
640
def _error_code(result):
641
"""A function to raise exceptions on errors, suitable
642
for the 'restype' attribute on ctypes functions"""
643
if result >= 0:
644
return result
645
if result == gnutls.E_NO_CERTIFICATE_FOUND:
646
raise gnutls.CertificateSecurityError(code=result)
647
raise gnutls.Error(code=result)
648
649
def _retry_on_error(result, func, arguments):
650
"""A function to retry on some errors, suitable
651
for the 'errcheck' attribute on ctypes functions"""
652
while result < 0:
653
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
654
return _error_code(result)
655
result = func(*arguments)
656
return result
657
658
# Unless otherwise indicated, the function declarations below are
659
# all from the gnutls/gnutls.h C header file.
660
661
# Functions
662
priority_set_direct = _library.gnutls_priority_set_direct
663
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
664
ctypes.POINTER(ctypes.c_char_p)]
665
priority_set_direct.restype = _error_code
666
667
init = _library.gnutls_init
668
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
669
init.restype = _error_code
670
671
set_default_priority = _library.gnutls_set_default_priority
672
set_default_priority.argtypes = [session_t]
673
set_default_priority.restype = _error_code
674
675
record_send = _library.gnutls_record_send
676
record_send.argtypes = [session_t, ctypes.c_void_p,
677
ctypes.c_size_t]
678
record_send.restype = ctypes.c_ssize_t
679
record_send.errcheck = _retry_on_error
680
681
certificate_allocate_credentials = (
682
_library.gnutls_certificate_allocate_credentials)
683
certificate_allocate_credentials.argtypes = [
684
ctypes.POINTER(certificate_credentials_t)]
685
certificate_allocate_credentials.restype = _error_code
686
687
certificate_free_credentials = (
688
_library.gnutls_certificate_free_credentials)
689
certificate_free_credentials.argtypes = [
690
certificate_credentials_t]
691
certificate_free_credentials.restype = None
692
693
handshake_set_private_extensions = (
694
_library.gnutls_handshake_set_private_extensions)
695
handshake_set_private_extensions.argtypes = [session_t,
696
ctypes.c_int]
697
handshake_set_private_extensions.restype = None
698
699
credentials_set = _library.gnutls_credentials_set
700
credentials_set.argtypes = [session_t, credentials_type_t,
701
ctypes.c_void_p]
702
credentials_set.restype = _error_code
703
704
strerror = _library.gnutls_strerror
705
strerror.argtypes = [ctypes.c_int]
706
strerror.restype = ctypes.c_char_p
707
708
certificate_type_get = _library.gnutls_certificate_type_get
709
certificate_type_get.argtypes = [session_t]
710
certificate_type_get.restype = _error_code
711
712
certificate_get_peers = _library.gnutls_certificate_get_peers
713
certificate_get_peers.argtypes = [session_t,
714
ctypes.POINTER(ctypes.c_uint)]
715
certificate_get_peers.restype = ctypes.POINTER(datum_t)
716
717
global_set_log_level = _library.gnutls_global_set_log_level
718
global_set_log_level.argtypes = [ctypes.c_int]
719
global_set_log_level.restype = None
720
721
global_set_log_function = _library.gnutls_global_set_log_function
722
global_set_log_function.argtypes = [log_func]
723
global_set_log_function.restype = None
724
725
deinit = _library.gnutls_deinit
726
deinit.argtypes = [session_t]
727
deinit.restype = None
728
729
handshake = _library.gnutls_handshake
730
handshake.argtypes = [session_t]
731
handshake.restype = _error_code
732
handshake.errcheck = _retry_on_error
733
734
transport_set_ptr = _library.gnutls_transport_set_ptr
735
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
736
transport_set_ptr.restype = None
737
738
bye = _library.gnutls_bye
739
bye.argtypes = [session_t, close_request_t]
740
bye.restype = _error_code
741
bye.errcheck = _retry_on_error
742
743
check_version = _library.gnutls_check_version
744
check_version.argtypes = [ctypes.c_char_p]
745
check_version.restype = ctypes.c_char_p
746
747
has_rawpk = bool(check_version(_tls_rawpk_version))
748
749
if has_rawpk:
750
# Types
751
class pubkey_st(ctypes.Structure):
752
_fields = []
753
pubkey_t = ctypes.POINTER(pubkey_st)
754
755
x509_crt_fmt_t = ctypes.c_int
756
757
# All the function declarations below are from gnutls/abstract.h
758
pubkey_init = _library.gnutls_pubkey_init
759
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
760
pubkey_init.restype = _error_code
761
762
pubkey_import = _library.gnutls_pubkey_import
763
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
764
x509_crt_fmt_t]
765
pubkey_import.restype = _error_code
766
767
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
768
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
769
ctypes.POINTER(ctypes.c_ubyte),
770
ctypes.POINTER(ctypes.c_size_t)]
771
pubkey_get_key_id.restype = _error_code
772
773
pubkey_deinit = _library.gnutls_pubkey_deinit
774
pubkey_deinit.argtypes = [pubkey_t]
775
pubkey_deinit.restype = None
776
else:
777
# All the function declarations below are from gnutls/openpgp.h
778
779
openpgp_crt_init = _library.gnutls_openpgp_crt_init
780
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
781
openpgp_crt_init.restype = _error_code
782
783
openpgp_crt_import = _library.gnutls_openpgp_crt_import
784
openpgp_crt_import.argtypes = [openpgp_crt_t,
785
ctypes.POINTER(datum_t),
786
openpgp_crt_fmt_t]
787
openpgp_crt_import.restype = _error_code
788
789
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
790
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
791
ctypes.POINTER(ctypes.c_uint)]
792
openpgp_crt_verify_self.restype = _error_code
793
794
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
795
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
796
openpgp_crt_deinit.restype = None
797
798
openpgp_crt_get_fingerprint = (
799
_library.gnutls_openpgp_crt_get_fingerprint)
800
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
801
ctypes.c_void_p,
802
ctypes.POINTER(
803
ctypes.c_size_t)]
804
openpgp_crt_get_fingerprint.restype = _error_code
805
806
if check_version("3.6.4"):
807
certificate_type_get2 = _library.gnutls_certificate_type_get2
808
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
809
certificate_type_get2.restype = _error_code
810
811
# Remove non-public functions
812
del _error_code, _retry_on_error
813
# Create the global "gnutls" object, simulating a module
814
gnutls = GnuTLS()
815
816
438
817
def call_pipe(connection, # : multiprocessing.Connection
439
818
func, *args, **kwargs):
440
819
"""This function is meant to be called by multiprocessing.Process
441
820
442
821
This function runs func(*args, **kwargs), and writes the resulting
443
822
return value on the provided multiprocessing.Connection.
444
823
"""
445
824
connection.send(func(*args, **kwargs))
446
825
connection.close()
447
826
827
448
828
class Client(object):
449
829
"""A representation of a client host served by this server.
450
830
451
831
Attributes:
452
832
approved: bool(); 'None' if not yet approved/disapproved
453
833
approval_delay: datetime.timedelta(); Time to wait for approval
455
835
checker: subprocess.Popen(); a running checker process used
456
836
to see if the client lives.
457
837
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
838
checker_callback_tag: a GLib event source tag, or None
459
839
checker_command: string; External command which is run to check
460
840
if client lives. %() expansions are done at
461
841
runtime with vars(self) as dict, so that for
462
842
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
843
checker_initiator_tag: a GLib event source tag, or None
464
844
created: datetime.datetime(); (UTC) object creation
465
845
client_structure: Object describing what attributes a client has
466
846
and is used for storing the client at exit
467
847
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
848
disable_initiator_tag: a GLib event source tag, or None
469
849
enabled: bool()
470
850
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
851
uniquely identify an OpenPGP client
852
key_id: string (64 hexadecimal digits); used to uniquely identify
853
a client using raw public keys
472
854
host: string; available for use by the checker command
473
855
interval: datetime.timedelta(); How often to start a new checker
474
856
last_approval_request: datetime.datetime(); (UTC) or None
490
872
disabled, or None
491
873
server_settings: The server_settings dict from main()
492
874
"""
493
875
494
876
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
877
"created", "enabled", "expires", "key_id",
496
878
"fingerprint", "host", "interval",
497
879
"last_approval_request", "last_checked_ok",
498
880
"last_enabled", "name", "timeout")
507
889
"approved_by_default": "True",
508
890
"enabled": "True",
509
891
}
510
892
511
893
@staticmethod
512
894
def config_parser(config):
513
895
"""Construct a new dict of client settings of this form:
520
902
for client_name in config.sections():
521
903
section = dict(config.items(client_name))
522
904
client = settings[client_name] = {}
523
905
524
906
client["host"] = section["host"]
525
907
# Reformat values from string types to Python types
526
908
client["approved_by_default"] = config.getboolean(
527
909
client_name, "approved_by_default")
528
910
client["enabled"] = config.getboolean(client_name,
529
911
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
912
913
# Uppercase and remove spaces from key_id and fingerprint
914
# for later comparison purposes with return value from the
915
# key_id() and fingerprint() functions
916
client["key_id"] = (section.get("key_id", "").upper()
917
.replace(" ", ""))
534
918
client["fingerprint"] = (section["fingerprint"].upper()
535
919
.replace(" ", ""))
536
920
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
921
client["secret"] = codecs.decode(section["secret"]
922
.encode("utf-8"),
923
"base64")
538
924
elif "secfile" in section:
539
925
with open(os.path.expanduser(os.path.expandvars
540
926
(section["secfile"])),
555
941
client["last_approval_request"] = None
556
942
client["last_checked_ok"] = None
557
943
client["last_checker_status"] = -2
558
944
559
945
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
946
947
def __init__(self, settings, name=None, server_settings=None):
562
948
self.name = name
563
949
if server_settings is None:
564
950
server_settings = {}
566
952
# adding all client settings
567
953
for setting, value in settings.items():
568
954
setattr(self, setting, value)
569
955
570
956
if self.enabled:
571
957
if not hasattr(self, "last_enabled"):
572
958
self.last_enabled = datetime.datetime.utcnow()
576
962
else:
577
963
self.last_enabled = None
578
964
self.expires = None
579
965
580
966
logger.debug("Creating client %r", self.name)
967
logger.debug(" Key ID: %s", self.key_id)
581
968
logger.debug(" Fingerprint: %s", self.fingerprint)
582
969
self.created = settings.get("created",
583
970
datetime.datetime.utcnow())
584
971
585
972
# attributes specific for this server instance
586
973
self.checker = None
587
974
self.checker_initiator_tag = None
593
980
self.changedstate = multiprocessing_manager.Condition(
594
981
multiprocessing_manager.Lock())
595
982
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
983
for attr in self.__dict__.keys()
597
984
if not attr.startswith("_")]
598
985
self.client_structure.append("client_structure")
599
986
600
987
for name, t in inspect.getmembers(
601
988
type(self), lambda obj: isinstance(obj, property)):
602
989
if not name.startswith("_"):
603
990
self.client_structure.append(name)
604
991
605
992
# Send notice to process children that client state has changed
606
993
def send_changedstate(self):
607
994
with self.changedstate:
608
995
self.changedstate.notify_all()
609
996
610
997
def enable(self):
611
998
"""Start this client's checker and timeout hooks"""
612
999
if getattr(self, "enabled", False):
617
1004
self.last_enabled = datetime.datetime.utcnow()
618
1005
self.init_checker()
619
1006
self.send_changedstate()
620
1007
621
1008
def disable(self, quiet=True):
622
1009
"""Disable this client."""
623
1010
if not getattr(self, "enabled", False):
625
1012
if not quiet:
626
1013
logger.info("Disabling client %s", self.name)
627
1014
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1015
GLib.source_remove(self.disable_initiator_tag)
629
1016
self.disable_initiator_tag = None
630
1017
self.expires = None
631
1018
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1019
GLib.source_remove(self.checker_initiator_tag)
633
1020
self.checker_initiator_tag = None
634
1021
self.stop_checker()
635
1022
self.enabled = False
636
1023
if not quiet:
637
1024
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1025
# Do not run this again if called by a GLib.timeout_add
639
1026
return False
640
1027
641
1028
def __del__(self):
642
1029
self.disable()
643
1030
644
1031
def init_checker(self):
645
1032
# Schedule a new checker to be started an 'interval' from now,
646
1033
# and every interval from then on.
647
1034
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1035
GLib.source_remove(self.checker_initiator_tag)
1036
self.checker_initiator_tag = GLib.timeout_add(
650
1037
int(self.interval.total_seconds() * 1000),
651
1038
self.start_checker)
652
1039
# Schedule a disable() when 'timeout' has passed
653
1040
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1041
GLib.source_remove(self.disable_initiator_tag)
1042
self.disable_initiator_tag = GLib.timeout_add(
656
1043
int(self.timeout.total_seconds() * 1000), self.disable)
657
1044
# Also start a new checker *right now*.
658
1045
self.start_checker()
659
1046
660
1047
def checker_callback(self, source, condition, connection,
661
1048
command):
662
1049
"""The checker has completed, so take appropriate actions."""
665
1052
# Read return code from connection (see call_pipe)
666
1053
returncode = connection.recv()
667
1054
connection.close()
668
1055
669
1056
if returncode >= 0:
670
1057
self.last_checker_status = returncode
671
1058
self.last_checker_signal = None
681
1068
logger.warning("Checker for %(name)s crashed?",
682
1069
vars(self))
683
1070
return False
684
1071
685
1072
def checked_ok(self):
686
1073
"""Assert that the client has been seen, alive and well."""
687
1074
self.last_checked_ok = datetime.datetime.utcnow()
688
1075
self.last_checker_status = 0
689
1076
self.last_checker_signal = None
690
1077
self.bump_timeout()
691
1078
692
1079
def bump_timeout(self, timeout=None):
693
1080
"""Bump up the timeout for this client."""
694
1081
if timeout is None:
695
1082
timeout = self.timeout
696
1083
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1084
GLib.source_remove(self.disable_initiator_tag)
698
1085
self.disable_initiator_tag = None
699
1086
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1087
self.disable_initiator_tag = GLib.timeout_add(
701
1088
int(timeout.total_seconds() * 1000), self.disable)
702
1089
self.expires = datetime.datetime.utcnow() + timeout
703
1090
704
1091
def need_approval(self):
705
1092
self.last_approval_request = datetime.datetime.utcnow()
706
1093
707
1094
def start_checker(self):
708
1095
"""Start a new checker subprocess if one is not running.
709
1096
710
1097
If a checker already exists, leave it running and do
711
1098
nothing."""
712
1099
# The reason for not killing a running checker is that if we
717
1104
# checkers alone, the checker would have to take more time
718
1105
# than 'timeout' for the client to be disabled, which is as it
719
1106
# should be.
720
1107
721
1108
if self.checker is not None and not self.checker.is_alive():
722
1109
logger.warning("Checker was not alive; joining")
723
1110
self.checker.join()
727
1114
# Escape attributes for the shell
728
1115
escaped_attrs = {
729
1116
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1117
for attr in self.runtime_expansions}
731
1118
try:
732
1119
command = self.checker_command % escaped_attrs
733
1120
except TypeError as error:
745
1132
# The exception is when not debugging but nevertheless
746
1133
# running in the foreground; use the previously
747
1134
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1135
popen_args = {"close_fds": True,
1136
"shell": True,
1137
"cwd": "/"}
751
1138
if (not self.server_settings["debug"]
752
1139
and self.server_settings["foreground"]):
753
1140
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1141
"stderr": wnull})
1142
pipe = multiprocessing.Pipe(duplex=False)
756
1143
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1144
target=call_pipe,
1145
args=(pipe[1], subprocess.call, command),
1146
kwargs=popen_args)
760
1147
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1148
self.checker_callback_tag = GLib.io_add_watch(
1149
pipe[0].fileno(), GLib.IO_IN,
763
1150
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1151
# Re-run this periodically if run by GLib.timeout_add
765
1152
return True
766
1153
767
1154
def stop_checker(self):
768
1155
"""Force the checker process, if any, to stop."""
769
1156
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1157
GLib.source_remove(self.checker_callback_tag)
771
1158
self.checker_callback_tag = None
772
1159
if getattr(self, "checker", None) is None:
773
1160
return
782
1169
byte_arrays=False):
783
1170
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1171
become properties on the D-Bus.
785
1172
786
1173
The decorated method will be called with no arguments by "Get"
787
1174
and with one argument by "Set".
788
1175
789
1176
The parameters, where they are supported, are the same as
790
1177
dbus.service.method, except there is only "signature", since the
791
1178
type from Get() and the type sent to Set() is the same.
795
1182
if byte_arrays and signature != "ay":
796
1183
raise ValueError("Byte arrays not supported for non-'ay'"
797
1184
" signature {!r}".format(signature))
798
1185
799
1186
def decorator(func):
800
1187
func._dbus_is_property = True
801
1188
func._dbus_interface = dbus_interface
804
1191
func._dbus_name = func.__name__
805
1192
if func._dbus_name.endswith("_dbus_property"):
806
1193
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1194
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1195
return func
809
1196
810
1197
return decorator
811
1198
812
1199
813
1200
def dbus_interface_annotations(dbus_interface):
814
1201
"""Decorator for marking functions returning interface annotations
815
1202
816
1203
Usage:
817
1204
818
1205
@dbus_interface_annotations("org.example.Interface")
819
1206
def _foo(self): # Function name does not matter
820
1207
return {"org.freedesktop.DBus.Deprecated": "true",
821
1208
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1209
"false"}
823
1210
"""
824
1211
825
1212
def decorator(func):
826
1213
func._dbus_is_interface = True
827
1214
func._dbus_interface = dbus_interface
828
1215
func._dbus_name = dbus_interface
829
1216
return func
830
1217
831
1218
return decorator
832
1219
833
1220
834
1221
def dbus_annotations(annotations):
835
1222
"""Decorator to annotate D-Bus methods, signals or properties
836
1223
Usage:
837
1224
838
1225
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1226
"org.freedesktop.DBus.Property."
840
1227
"EmitsChangedSignal": "false"})
842
1229
access="r")
843
1230
def Property_dbus_property(self):
844
1231
return dbus.Boolean(False)
845
1232
846
1233
See also the DBusObjectWithAnnotations class.
847
1234
"""
848
1235
849
1236
def decorator(func):
850
1237
func._dbus_annotations = annotations
851
1238
return func
852
1239
853
1240
return decorator
854
1241
855
1242
873
1260
874
1261
class DBusObjectWithAnnotations(dbus.service.Object):
875
1262
"""A D-Bus object with annotations.
876
1263
877
1264
Classes inheriting from this can use the dbus_annotations
878
1265
decorator to add annotations to methods or signals.
879
1266
"""
880
1267
881
1268
@staticmethod
882
1269
def _is_dbus_thing(thing):
883
1270
"""Returns a function testing if an attribute is a D-Bus thing
884
1271
885
1272
If called like _is_dbus_thing("method") it returns a function
886
1273
suitable for use as predicate to inspect.getmembers().
887
1274
"""
888
1275
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1276
False)
890
1277
891
1278
def _get_all_dbus_things(self, thing):
892
1279
"""Returns a generator of (name, attribute) pairs
893
1280
"""
896
1283
for cls in self.__class__.__mro__
897
1284
for name, athing in
898
1285
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1286
900
1287
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1288
out_signature="s",
1289
path_keyword='object_path',
1290
connection_keyword='connection')
904
1291
def Introspect(self, object_path, connection):
905
1292
"""Overloading of standard D-Bus method.
906
1293
907
1294
Inserts annotation tags on methods and signals.
908
1295
"""
909
1296
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1297
connection)
911
1298
try:
912
1299
document = xml.dom.minidom.parseString(xmlstring)
913
1300
914
1301
for if_tag in document.getElementsByTagName("interface"):
915
1302
# Add annotation tags
916
1303
for typ in ("method", "signal"):
943
1330
if_tag.appendChild(ann_tag)
944
1331
# Fix argument name for the Introspect method itself
945
1332
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1333
== dbus.INTROSPECTABLE_IFACE):
947
1334
for cn in if_tag.getElementsByTagName("method"):
948
1335
if cn.getAttribute("name") == "Introspect":
949
1336
for arg in cn.getElementsByTagName("arg"):
962
1349
963
1350
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1351
"""A D-Bus object with properties.
965
1352
966
1353
Classes inheriting from this can use the dbus_service_property
967
1354
decorator to expose methods as D-Bus properties. It exposes the
968
1355
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1356
"""
970
1357
971
1358
def _get_dbus_property(self, interface_name, property_name):
972
1359
"""Returns a bound method if one exists which is a D-Bus
973
1360
property with the specified name and interface.
978
1365
if (value._dbus_name == property_name
979
1366
and value._dbus_interface == interface_name):
980
1367
return value.__get__(self)
981
1368
982
1369
# No such property
983
1370
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1371
self.dbus_object_path, interface_name, property_name))
985
1372
986
1373
@classmethod
987
1374
def _get_all_interface_names(cls):
988
1375
"""Get a sequence of all interfaces supported by an object"""
991
1378
for x in (inspect.getmro(cls))
992
1379
for attr in dir(x))
993
1380
if name is not None)
994
1381
995
1382
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1383
in_signature="ss",
997
1384
out_signature="v")
1005
1392
if not hasattr(value, "variant_level"):
1006
1393
return value
1007
1394
return type(value)(value, variant_level=value.variant_level+1)
1008
1395
1009
1396
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1397
def Set(self, interface_name, property_name, value):
1011
1398
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1410
value = dbus.ByteArray(b''.join(chr(byte)
1024
1411
for byte in value))
1025
1412
prop(value)
1026
1413
1027
1414
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1415
in_signature="s",
1029
1416
out_signature="a{sv}")
1030
1417
def GetAll(self, interface_name):
1031
1418
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1419
standard.
1033
1420
1034
1421
Note: Will not include properties with access="write".
1035
1422
"""
1036
1423
properties = {}
1047
1434
properties[name] = value
1048
1435
continue
1049
1436
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1437
value, variant_level=value.variant_level + 1)
1051
1438
return dbus.Dictionary(properties, signature="sv")
1052
1439
1053
1440
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1441
def PropertiesChanged(self, interface_name, changed_properties,
1055
1442
invalidated_properties):
1057
1444
standard.
1058
1445
"""
1059
1446
pass
1060
1447
1061
1448
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1449
out_signature="s",
1063
1450
path_keyword='object_path',
1064
1451
connection_keyword='connection')
1065
1452
def Introspect(self, object_path, connection):
1066
1453
"""Overloading of standard D-Bus method.
1067
1454
1068
1455
Inserts property tags and interface annotation tags.
1069
1456
"""
1070
1457
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1459
connection)
1073
1460
try:
1074
1461
document = xml.dom.minidom.parseString(xmlstring)
1075
1462
1076
1463
def make_tag(document, name, prop):
1077
1464
e = document.createElement("property")
1078
1465
e.setAttribute("name", name)
1079
1466
e.setAttribute("type", prop._dbus_signature)
1080
1467
e.setAttribute("access", prop._dbus_access)
1081
1468
return e
1082
1469
1083
1470
for if_tag in document.getElementsByTagName("interface"):
1084
1471
# Add property tags
1085
1472
for tag in (make_tag(document, name, prop)
1127
1514
exc_info=error)
1128
1515
return xmlstring
1129
1516
1517
1130
1518
try:
1131
1519
dbus.OBJECT_MANAGER_IFACE
1132
1520
except AttributeError:
1133
1521
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1522
1523
1135
1524
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1525
"""A D-Bus object with an ObjectManager.
1137
1526
1138
1527
Classes inheriting from this exposes the standard
1139
1528
GetManagedObjects call and the InterfacesAdded and
1140
1529
InterfacesRemoved signals on the standard
1141
1530
"org.freedesktop.DBus.ObjectManager" interface.
1142
1531
1143
1532
Note: No signals are sent automatically; they must be sent
1144
1533
manually.
1145
1534
"""
1146
1535
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1536
out_signature="a{oa{sa{sv}}}")
1148
1537
def GetManagedObjects(self):
1149
1538
"""This function must be overridden"""
1150
1539
raise NotImplementedError()
1151
1540
1152
1541
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1542
signature="oa{sa{sv}}")
1154
1543
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1544
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1545
1546
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1547
def InterfacesRemoved(self, object_path, interfaces):
1159
1548
pass
1160
1549
1161
1550
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1551
out_signature="s",
1552
path_keyword='object_path',
1553
connection_keyword='connection')
1165
1554
def Introspect(self, object_path, connection):
1166
1555
"""Overloading of standard D-Bus method.
1167
1556
1168
1557
Override return argument name of GetManagedObjects to be
1169
1558
"objpath_interfaces_and_properties"
1170
1559
"""
1173
1562
connection)
1174
1563
try:
1175
1564
document = xml.dom.minidom.parseString(xmlstring)
1176
1565
1177
1566
for if_tag in document.getElementsByTagName("interface"):
1178
1567
# Fix argument name for the GetManagedObjects method
1179
1568
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1569
== dbus.OBJECT_MANAGER_IFACE):
1181
1570
for cn in if_tag.getElementsByTagName("method"):
1182
1571
if (cn.getAttribute("name")
1183
1572
== "GetManagedObjects"):
1193
1582
except (AttributeError, xml.dom.DOMException,
1194
1583
xml.parsers.expat.ExpatError) as error:
1195
1584
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1585
exc_info=error)
1197
1586
return xmlstring
1198
1587
1588
1199
1589
def datetime_to_dbus(dt, variant_level=0):
1200
1590
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1591
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1592
return dbus.String("", variant_level=variant_level)
1203
1593
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1594
1205
1595
1208
1598
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1599
interface names according to the "alt_interface_names" mapping.
1210
1600
Usage:
1211
1601
1212
1602
@alternate_dbus_interfaces({"org.example.Interface":
1213
1603
"net.example.AlternateInterface"})
1214
1604
class SampleDBusObject(dbus.service.Object):
1215
1605
@dbus.service.method("org.example.Interface")
1216
1606
def SampleDBusMethod():
1217
1607
pass
1218
1608
1219
1609
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1610
reachable via two interfaces: "org.example.Interface" and
1221
1611
"net.example.AlternateInterface", the latter of which will have
1222
1612
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1613
"true", unless "deprecate" is passed with a False value.
1224
1614
1225
1615
This works for methods and signals, and also for D-Bus properties
1226
1616
(from DBusObjectWithProperties) and interfaces (from the
1227
1617
dbus_interface_annotations decorator).
1228
1618
"""
1229
1619
1230
1620
def wrapper(cls):
1231
1621
for orig_interface_name, alt_interface_name in (
1232
1622
alt_interface_names.items()):
1247
1637
interface_names.add(alt_interface)
1248
1638
# Is this a D-Bus signal?
1249
1639
if getattr(attribute, "_dbus_is_signal", False):
1640
# Extract the original non-method undecorated
1641
# function by black magic
1250
1642
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1643
nonmethod_func = (dict(
1254
1644
zip(attribute.func_code.co_freevars,
1255
1645
attribute.__closure__))
1256
1646
["func"].cell_contents)
1257
1647
else:
1258
nonmethod_func = attribute
1648
nonmethod_func = (dict(
1649
zip(attribute.__code__.co_freevars,
1650
attribute.__closure__))
1651
["func"].cell_contents)
1259
1652
# Create a new, but exactly alike, function
1260
1653
# object, and decorate it to be a new D-Bus signal
1261
1654
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1655
new_function = copy_function(nonmethod_func)
1276
1656
new_function = (dbus.service.signal(
1277
1657
alt_interface,
1278
1658
attribute._dbus_signature)(new_function))
1282
1662
attribute._dbus_annotations)
1283
1663
except AttributeError:
1284
1664
pass
1665
1285
1666
# Define a creator of a function to call both the
1286
1667
# original and alternate functions, so both the
1287
1668
# original and alternate signals gets sent when
1290
1671
"""This function is a scope container to pass
1291
1672
func1 and func2 to the "call_both" function
1292
1673
outside of its arguments"""
1293
1674
1294
1675
@functools.wraps(func2)
1295
1676
def call_both(*args, **kwargs):
1296
1677
"""This function will emit two D-Bus
1297
1678
signals by calling func1 and func2"""
1298
1679
func1(*args, **kwargs)
1299
1680
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1681
# Make wrapper function look like a D-Bus
1682
# signal
1301
1683
for name, attr in inspect.getmembers(func2):
1302
1684
if name.startswith("_dbus_"):
1303
1685
setattr(call_both, name, attr)
1304
1686
1305
1687
return call_both
1306
1688
# Create the "call_both" function and add it to
1307
1689
# the class
1317
1699
alt_interface,
1318
1700
attribute._dbus_in_signature,
1319
1701
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1702
(copy_function(attribute)))
1325
1703
# Copy annotations, if any
1326
1704
try:
1327
1705
attr[attrname]._dbus_annotations = dict(
1339
1717
attribute._dbus_access,
1340
1718
attribute._dbus_get_args_options
1341
1719
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1720
(copy_function(attribute)))
1348
1721
# Copy annotations, if any
1349
1722
try:
1350
1723
attr[attrname]._dbus_annotations = dict(
1359
1732
# to the class.
1360
1733
attr[attrname] = (
1361
1734
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1735
(copy_function(attribute)))
1367
1736
if deprecate:
1368
1737
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1738
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1739
for interface_name in interface_names:
1371
1740
1372
1741
@dbus_interface_annotations(interface_name)
1373
1742
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1743
return {"org.freedesktop.DBus.Deprecated":
1744
"true"}
1376
1745
# Find an unused name
1377
1746
for aname in (iname.format(i)
1378
1747
for i in itertools.count()):
1382
1751
if interface_names:
1383
1752
# Replace the class with a new subclass of it with
1384
1753
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1754
if sys.version_info.major == 2:
1755
cls = type(b"{}Alternate".format(cls.__name__),
1756
(cls, ), attr)
1757
else:
1758
cls = type("{}Alternate".format(cls.__name__),
1759
(cls, ), attr)
1387
1760
return cls
1388
1761
1389
1762
return wrapper
1390
1763
1391
1764
1393
1766
"se.bsnet.fukt.Mandos"})
1394
1767
class ClientDBus(Client, DBusObjectWithProperties):
1395
1768
"""A Client class using D-Bus
1396
1769
1397
1770
Attributes:
1398
1771
dbus_object_path: dbus.ObjectPath
1399
1772
bus: dbus.SystemBus()
1400
1773
"""
1401
1774
1402
1775
runtime_expansions = (Client.runtime_expansions
1403
1776
+ ("dbus_object_path", ))
1404
1777
1405
1778
_interface = "se.recompile.Mandos.Client"
1406
1779
1407
1780
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1781
1782
def __init__(self, bus=None, *args, **kwargs):
1410
1783
self.bus = bus
1411
1784
Client.__init__(self, *args, **kwargs)
1412
1785
# Only now, when this client is initialized, can it show up on
1418
1791
"/clients/" + client_object_name)
1419
1792
DBusObjectWithProperties.__init__(self, self.bus,
1420
1793
self.dbus_object_path)
1421
1794
1422
1795
def notifychangeproperty(transform_func, dbus_name,
1423
1796
type_func=lambda x: x,
1424
1797
variant_level=1,
1426
1799
_interface=_interface):
1427
1800
""" Modify a variable so that it's a property which announces
1428
1801
its changes to DBus.
1429
1802
1430
1803
transform_fun: Function that takes a value and a variant_level
1431
1804
and transforms it to a D-Bus type.
1432
1805
dbus_name: D-Bus name of the variable
1435
1808
variant_level: D-Bus variant level. Default: 1
1436
1809
"""
1437
1810
attrname = "_{}".format(dbus_name)
1438
1811
1439
1812
def setter(self, value):
1440
1813
if hasattr(self, "dbus_object_path"):
1441
1814
if (not hasattr(self, attrname) or
1448
1821
else:
1449
1822
dbus_value = transform_func(
1450
1823
type_func(value),
1451
variant_level = variant_level)
1824
variant_level=variant_level)
1452
1825
self.PropertyChanged(dbus.String(dbus_name),
1453
1826
dbus_value)
1454
1827
self.PropertiesChanged(
1455
1828
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1829
dbus.Dictionary({dbus.String(dbus_name):
1830
dbus_value}),
1458
1831
dbus.Array())
1459
1832
setattr(self, attrname, value)
1460
1833
1461
1834
return property(lambda self: getattr(self, attrname), setter)
1462
1835
1463
1836
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1837
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1838
"ApprovalPending",
1466
type_func = bool)
1839
type_func=bool)
1467
1840
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1841
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1842
"LastEnabled")
1470
1843
checker = notifychangeproperty(
1471
1844
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1845
type_func=lambda checker: checker is not None)
1473
1846
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1847
"LastCheckedOK")
1475
1848
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1853
"ApprovedByDefault")
1481
1854
approval_delay = notifychangeproperty(
1482
1855
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1856
type_func=lambda td: td.total_seconds() * 1000)
1484
1857
approval_duration = notifychangeproperty(
1485
1858
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1859
type_func=lambda td: td.total_seconds() * 1000)
1487
1860
host = notifychangeproperty(dbus.String, "Host")
1488
1861
timeout = notifychangeproperty(
1489
1862
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1863
type_func=lambda td: td.total_seconds() * 1000)
1491
1864
extended_timeout = notifychangeproperty(
1492
1865
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1866
type_func=lambda td: td.total_seconds() * 1000)
1494
1867
interval = notifychangeproperty(
1495
1868
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1869
type_func=lambda td: td.total_seconds() * 1000)
1497
1870
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1871
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1872
invalidate_only=True)
1500
1873
1501
1874
del notifychangeproperty
1502
1875
1503
1876
def __del__(self, *args, **kwargs):
1504
1877
try:
1505
1878
self.remove_from_connection()
1508
1881
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1882
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1883
Client.__del__(self, *args, **kwargs)
1511
1884
1512
1885
def checker_callback(self, source, condition,
1513
1886
connection, command, *args, **kwargs):
1514
1887
ret = Client.checker_callback(self, source, condition,
1530
1903
| self.last_checker_signal),
1531
1904
dbus.String(command))
1532
1905
return ret
1533
1906
1534
1907
def start_checker(self, *args, **kwargs):
1535
1908
old_checker_pid = getattr(self.checker, "pid", None)
1536
1909
r = Client.start_checker(self, *args, **kwargs)
1540
1913
# Emit D-Bus signal
1541
1914
self.CheckerStarted(self.current_checker_command)
1542
1915
return r
1543
1916
1544
1917
def _reset_approved(self):
1545
1918
self.approved = None
1546
1919
return False
1547
1920
1548
1921
def approve(self, value=True):
1549
1922
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1923
GLib.timeout_add(int(self.approval_duration.total_seconds()
1924
* 1000), self._reset_approved)
1552
1925
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1926
1927
# D-Bus methods, signals & properties
1928
1929
# Interfaces
1930
1931
# Signals
1932
1560
1933
# CheckerCompleted - signal
1561
1934
@dbus.service.signal(_interface, signature="nxs")
1562
1935
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1936
"D-Bus signal"
1564
1937
pass
1565
1938
1566
1939
# CheckerStarted - signal
1567
1940
@dbus.service.signal(_interface, signature="s")
1568
1941
def CheckerStarted(self, command):
1569
1942
"D-Bus signal"
1570
1943
pass
1571
1944
1572
1945
# PropertyChanged - signal
1573
1946
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1947
@dbus.service.signal(_interface, signature="sv")
1575
1948
def PropertyChanged(self, property, value):
1576
1949
"D-Bus signal"
1577
1950
pass
1578
1951
1579
1952
# GotSecret - signal
1580
1953
@dbus.service.signal(_interface)
1581
1954
def GotSecret(self):
1584
1957
server to mandos-client
1585
1958
"""
1586
1959
pass
1587
1960
1588
1961
# Rejected - signal
1589
1962
@dbus.service.signal(_interface, signature="s")
1590
1963
def Rejected(self, reason):
1591
1964
"D-Bus signal"
1592
1965
pass
1593
1966
1594
1967
# NeedApproval - signal
1595
1968
@dbus.service.signal(_interface, signature="tb")
1596
1969
def NeedApproval(self, timeout, default):
1597
1970
"D-Bus signal"
1598
1971
return self.need_approval()
1599
1600
## Methods
1601
1972
1973
# Methods
1974
1602
1975
# Approve - method
1603
1976
@dbus.service.method(_interface, in_signature="b")
1604
1977
def Approve(self, value):
1605
1978
self.approve(value)
1606
1979
1607
1980
# CheckedOK - method
1608
1981
@dbus.service.method(_interface)
1609
1982
def CheckedOK(self):
1610
1983
self.checked_ok()
1611
1984
1612
1985
# Enable - method
1613
1986
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1987
@dbus.service.method(_interface)
1615
1988
def Enable(self):
1616
1989
"D-Bus method"
1617
1990
self.enable()
1618
1991
1619
1992
# StartChecker - method
1620
1993
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1994
@dbus.service.method(_interface)
1622
1995
def StartChecker(self):
1623
1996
"D-Bus method"
1624
1997
self.start_checker()
1625
1998
1626
1999
# Disable - method
1627
2000
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
2001
@dbus.service.method(_interface)
1629
2002
def Disable(self):
1630
2003
"D-Bus method"
1631
2004
self.disable()
1632
2005
1633
2006
# StopChecker - method
1634
2007
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2008
@dbus.service.method(_interface)
1636
2009
def StopChecker(self):
1637
2010
self.stop_checker()
1638
1639
## Properties
1640
2011
2012
# Properties
2013
1641
2014
# ApprovalPending - property
1642
2015
@dbus_service_property(_interface, signature="b", access="read")
1643
2016
def ApprovalPending_dbus_property(self):
1644
2017
return dbus.Boolean(bool(self.approvals_pending))
1645
2018
1646
2019
# ApprovedByDefault - property
1647
2020
@dbus_service_property(_interface,
1648
2021
signature="b",
1651
2024
if value is None: # get
1652
2025
return dbus.Boolean(self.approved_by_default)
1653
2026
self.approved_by_default = bool(value)
1654
2027
1655
2028
# ApprovalDelay - property
1656
2029
@dbus_service_property(_interface,
1657
2030
signature="t",
1661
2034
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2035
* 1000)
1663
2036
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2037
1665
2038
# ApprovalDuration - property
1666
2039
@dbus_service_property(_interface,
1667
2040
signature="t",
1671
2044
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2045
* 1000)
1673
2046
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2047
1675
2048
# Name - property
1676
2049
@dbus_annotations(
1677
2050
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2051
@dbus_service_property(_interface, signature="s", access="read")
1679
2052
def Name_dbus_property(self):
1680
2053
return dbus.String(self.name)
1681
2054
2055
# KeyID - property
2056
@dbus_annotations(
2057
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2058
@dbus_service_property(_interface, signature="s", access="read")
2059
def KeyID_dbus_property(self):
2060
return dbus.String(self.key_id)
2061
1682
2062
# Fingerprint - property
1683
2063
@dbus_annotations(
1684
2064
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2065
@dbus_service_property(_interface, signature="s", access="read")
1686
2066
def Fingerprint_dbus_property(self):
1687
2067
return dbus.String(self.fingerprint)
1688
2068
1689
2069
# Host - property
1690
2070
@dbus_service_property(_interface,
1691
2071
signature="s",
1694
2074
if value is None: # get
1695
2075
return dbus.String(self.host)
1696
2076
self.host = str(value)
1697
2077
1698
2078
# Created - property
1699
2079
@dbus_annotations(
1700
2080
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2081
@dbus_service_property(_interface, signature="s", access="read")
1702
2082
def Created_dbus_property(self):
1703
2083
return datetime_to_dbus(self.created)
1704
2084
1705
2085
# LastEnabled - property
1706
2086
@dbus_service_property(_interface, signature="s", access="read")
1707
2087
def LastEnabled_dbus_property(self):
1708
2088
return datetime_to_dbus(self.last_enabled)
1709
2089
1710
2090
# Enabled - property
1711
2091
@dbus_service_property(_interface,
1712
2092
signature="b",
1718
2098
self.enable()
1719
2099
else:
1720
2100
self.disable()
1721
2101
1722
2102
# LastCheckedOK - property
1723
2103
@dbus_service_property(_interface,
1724
2104
signature="s",
1728
2108
self.checked_ok()
1729
2109
return
1730
2110
return datetime_to_dbus(self.last_checked_ok)
1731
2111
1732
2112
# LastCheckerStatus - property
1733
2113
@dbus_service_property(_interface, signature="n", access="read")
1734
2114
def LastCheckerStatus_dbus_property(self):
1735
2115
return dbus.Int16(self.last_checker_status)
1736
2116
1737
2117
# Expires - property
1738
2118
@dbus_service_property(_interface, signature="s", access="read")
1739
2119
def Expires_dbus_property(self):
1740
2120
return datetime_to_dbus(self.expires)
1741
2121
1742
2122
# LastApprovalRequest - property
1743
2123
@dbus_service_property(_interface, signature="s", access="read")
1744
2124
def LastApprovalRequest_dbus_property(self):
1745
2125
return datetime_to_dbus(self.last_approval_request)
1746
2126
1747
2127
# Timeout - property
1748
2128
@dbus_service_property(_interface,
1749
2129
signature="t",
1764
2144
if (getattr(self, "disable_initiator_tag", None)
1765
2145
is None):
1766
2146
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2147
GLib.source_remove(self.disable_initiator_tag)
2148
self.disable_initiator_tag = GLib.timeout_add(
1769
2149
int((self.expires - now).total_seconds() * 1000),
1770
2150
self.disable)
1771
2151
1772
2152
# ExtendedTimeout - property
1773
2153
@dbus_service_property(_interface,
1774
2154
signature="t",
1778
2158
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2159
* 1000)
1780
2160
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2161
1782
2162
# Interval - property
1783
2163
@dbus_service_property(_interface,
1784
2164
signature="t",
1791
2171
return
1792
2172
if self.enabled:
1793
2173
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2174
GLib.source_remove(self.checker_initiator_tag)
2175
self.checker_initiator_tag = GLib.timeout_add(
1796
2176
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2177
self.start_checker() # Start one now, too
2178
1799
2179
# Checker - property
1800
2180
@dbus_service_property(_interface,
1801
2181
signature="s",
1804
2184
if value is None: # get
1805
2185
return dbus.String(self.checker_command)
1806
2186
self.checker_command = str(value)
1807
2187
1808
2188
# CheckerRunning - property
1809
2189
@dbus_service_property(_interface,
1810
2190
signature="b",
1816
2196
self.start_checker()
1817
2197
else:
1818
2198
self.stop_checker()
1819
2199
1820
2200
# ObjectPath - property
1821
2201
@dbus_annotations(
1822
2202
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2203
"org.freedesktop.DBus.Deprecated": "true"})
1824
2204
@dbus_service_property(_interface, signature="o", access="read")
1825
2205
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2206
return self.dbus_object_path # is already a dbus.ObjectPath
2207
1828
2208
# Secret = property
1829
2209
@dbus_annotations(
1830
2210
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2215
byte_arrays=True)
1836
2216
def Secret_dbus_property(self, value):
1837
2217
self.secret = bytes(value)
1838
2218
1839
2219
del _interface
1840
2220
1841
2221
1842
2222
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2223
def __init__(self, child_pipe, key_id, fpr, address):
1844
2224
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2225
self._pipe.send(('init', key_id, fpr, address))
1846
2226
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2227
raise KeyError(key_id or fpr)
2228
1849
2229
def __getattribute__(self, name):
1850
2230
if name == '_pipe':
1851
2231
return super(ProxyClient, self).__getattribute__(name)
1854
2234
if data[0] == 'data':
1855
2235
return data[1]
1856
2236
if data[0] == 'function':
1857
2237
1858
2238
def func(*args, **kwargs):
1859
2239
self._pipe.send(('funcall', name, args, kwargs))
1860
2240
return self._pipe.recv()[1]
1861
2241
1862
2242
return func
1863
2243
1864
2244
def __setattr__(self, name, value):
1865
2245
if name == '_pipe':
1866
2246
return super(ProxyClient, self).__setattr__(name, value)
1869
2249
1870
2250
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2251
"""A class to handle client connections.
1872
2252
1873
2253
Instantiated once for each connection to handle it.
1874
2254
Note: This will run in its own forked process."""
1875
2255
1876
2256
def handle(self):
1877
2257
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2258
logger.info("TCP connection from: %s",
1879
2259
str(self.client_address))
1880
2260
logger.debug("Pipe FD: %d",
1881
2261
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2262
2263
session = gnutls.ClientSession(self.request)
2264
2265
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2266
# "+AES-256-CBC", "+SHA1",
2267
# "+COMP-NULL", "+CTYPE-OPENPGP",
2268
# "+DHE-DSS"))
1895
2269
# Use a fallback default, since this MUST be set.
1896
2270
priority = self.server.gnutls_priority
1897
2271
if priority is None:
1898
2272
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2273
gnutls.priority_set_direct(session._c_object,
2274
priority.encode("utf-8"),
2275
None)
2276
1902
2277
# Start communication using the Mandos protocol
1903
2278
# Get protocol number
1904
2279
line = self.request.makefile().readline()
1909
2284
except (ValueError, IndexError, RuntimeError) as error:
1910
2285
logger.error("Unknown protocol version: %s", error)
1911
2286
return
1912
2287
1913
2288
# Start GnuTLS connection
1914
2289
try:
1915
2290
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2291
except gnutls.Error as error:
1917
2292
logger.warning("Handshake failed: %s", error)
1918
2293
# Do not run session.bye() here: the session is not
1919
2294
# established. Just abandon the request.
1920
2295
return
1921
2296
logger.debug("Handshake succeeded")
1922
2297
1923
2298
approval_required = False
1924
2299
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2300
if gnutls.has_rawpk:
2301
fpr = ""
2302
try:
2303
key_id = self.key_id(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2307
return
2308
logger.debug("Key ID: %s", key_id)
2309
2310
else:
2311
key_id = ""
2312
try:
2313
fpr = self.fingerprint(
2314
self.peer_certificate(session))
2315
except (TypeError, gnutls.Error) as error:
2316
logger.warning("Bad certificate: %s", error)
2317
return
2318
logger.debug("Fingerprint: %s", fpr)
2319
2320
try:
2321
client = ProxyClient(child_pipe, key_id, fpr,
1936
2322
self.client_address)
1937
2323
except KeyError:
1938
2324
return
1939
2325
1940
2326
if client.approval_delay:
1941
2327
delay = client.approval_delay
1942
2328
client.approvals_pending += 1
1943
2329
approval_required = True
1944
2330
1945
2331
while True:
1946
2332
if not client.enabled:
1947
2333
logger.info("Client %s is disabled",
1950
2336
# Emit D-Bus signal
1951
2337
client.Rejected("Disabled")
1952
2338
return
1953
2339
1954
2340
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2341
# We are approved or approval is disabled
1956
2342
break
1957
2343
elif client.approved is None:
1958
2344
logger.info("Client %s needs approval",
1969
2355
# Emit D-Bus signal
1970
2356
client.Rejected("Denied")
1971
2357
return
1972
1973
#wait until timeout or approved
2358
2359
# wait until timeout or approved
1974
2360
time = datetime.datetime.now()
1975
2361
client.changedstate.acquire()
1976
2362
client.changedstate.wait(delay.total_seconds())
1989
2375
break
1990
2376
else:
1991
2377
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2378
2379
try:
2380
session.send(client.secret)
2381
except gnutls.Error as error:
2382
logger.warning("gnutls send failed",
2383
exc_info=error)
2384
return
2385
2006
2386
logger.info("Sending secret to %s", client.name)
2007
2387
# bump the timeout using extended_timeout
2008
2388
client.bump_timeout(client.extended_timeout)
2009
2389
if self.server.use_dbus:
2010
2390
# Emit D-Bus signal
2011
2391
client.GotSecret()
2012
2392
2013
2393
finally:
2014
2394
if approval_required:
2015
2395
client.approvals_pending -= 1
2016
2396
try:
2017
2397
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2398
except gnutls.Error as error:
2019
2399
logger.warning("GnuTLS bye failed",
2020
2400
exc_info=error)
2021
2401
2022
2402
@staticmethod
2023
2403
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2404
"Return the peer's certificate as a bytestring"
2405
try:
2406
cert_type = gnutls.certificate_type_get2(session._c_object,
2407
gnutls.CTYPE_PEERS)
2408
except AttributeError:
2409
cert_type = gnutls.certificate_type_get(session._c_object)
2410
if gnutls.has_rawpk:
2411
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2412
else:
2413
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2414
# If not a valid certificate type...
2415
if cert_type not in valid_cert_types:
2416
logger.info("Cert type %r not in %r", cert_type,
2417
valid_cert_types)
2418
# ...return invalid data
2419
return b""
2031
2420
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2421
cert_list = (gnutls.certificate_get_peers
2034
2422
(session._c_object, ctypes.byref(list_size)))
2035
2423
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2424
raise gnutls.Error("error getting peer certificate")
2038
2425
if list_size.value == 0:
2039
2426
return None
2040
2427
cert = cert_list[0]
2041
2428
return ctypes.string_at(cert.data, cert.size)
2042
2429
2430
@staticmethod
2431
def key_id(certificate):
2432
"Convert a certificate bytestring to a hexdigit key ID"
2433
# New GnuTLS "datum" with the public key
2434
datum = gnutls.datum_t(
2435
ctypes.cast(ctypes.c_char_p(certificate),
2436
ctypes.POINTER(ctypes.c_ubyte)),
2437
ctypes.c_uint(len(certificate)))
2438
# XXX all these need to be created in the gnutls "module"
2439
# New empty GnuTLS certificate
2440
pubkey = gnutls.pubkey_t()
2441
gnutls.pubkey_init(ctypes.byref(pubkey))
2442
# Import the raw public key into the certificate
2443
gnutls.pubkey_import(pubkey,
2444
ctypes.byref(datum),
2445
gnutls.X509_FMT_DER)
2446
# New buffer for the key ID
2447
buf = ctypes.create_string_buffer(32)
2448
buf_len = ctypes.c_size_t(len(buf))
2449
# Get the key ID from the raw public key into the buffer
2450
gnutls.pubkey_get_key_id(pubkey,
2451
gnutls.KEYID_USE_SHA256,
2452
ctypes.cast(ctypes.byref(buf),
2453
ctypes.POINTER(ctypes.c_ubyte)),
2454
ctypes.byref(buf_len))
2455
# Deinit the certificate
2456
gnutls.pubkey_deinit(pubkey)
2457
2458
# Convert the buffer to a Python bytestring
2459
key_id = ctypes.string_at(buf, buf_len.value)
2460
# Convert the bytestring to hexadecimal notation
2461
hex_key_id = binascii.hexlify(key_id).upper()
2462
return hex_key_id
2463
2043
2464
@staticmethod
2044
2465
def fingerprint(openpgp):
2045
2466
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2467
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2468
datum = gnutls.datum_t(
2048
2469
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2470
ctypes.POINTER(ctypes.c_ubyte)),
2050
2471
ctypes.c_uint(len(openpgp)))
2051
2472
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2473
crt = gnutls.openpgp_crt_t()
2474
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2475
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2476
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2477
gnutls.OPENPGP_FMT_RAW)
2059
2478
# Verify the self signature in the key
2060
2479
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2480
gnutls.openpgp_crt_verify_self(crt, 0,
2481
ctypes.byref(crtverify))
2063
2482
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2483
gnutls.openpgp_crt_deinit(crt)
2484
raise gnutls.CertificateSecurityError(code
2485
=crtverify.value)
2067
2486
# New buffer for the fingerprint
2068
2487
buf = ctypes.create_string_buffer(20)
2069
2488
buf_len = ctypes.c_size_t()
2070
2489
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2490
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2491
ctypes.byref(buf_len))
2073
2492
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2493
gnutls.openpgp_crt_deinit(crt)
2075
2494
# Convert the buffer to a Python bytestring
2076
2495
fpr = ctypes.string_at(buf, buf_len.value)
2077
2496
# Convert the bytestring to hexadecimal notation
2081
2500
2082
2501
class MultiprocessingMixIn(object):
2083
2502
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2503
2085
2504
def sub_process_main(self, request, address):
2086
2505
try:
2087
2506
self.finish_request(request, address)
2088
2507
except Exception:
2089
2508
self.handle_error(request, address)
2090
2509
self.close_request(request)
2091
2510
2092
2511
def process_request(self, request, address):
2093
2512
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2513
proc = multiprocessing.Process(target=self.sub_process_main,
2514
args=(request, address))
2096
2515
proc.start()
2097
2516
return proc
2098
2517
2099
2518
2100
2519
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2101
2520
""" adds a pipe to the MixIn """
2102
2521
2103
2522
def process_request(self, request, client_address):
2104
2523
"""Overrides and wraps the original process_request().
2105
2524
2106
2525
This function creates a new pipe in self.pipe
2107
2526
"""
2108
2527
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2528
2110
2529
proc = MultiprocessingMixIn.process_request(self, request,
2111
2530
client_address)
2112
2531
self.child_pipe.close()
2113
2532
self.add_pipe(parent_pipe, proc)
2114
2533
2115
2534
def add_pipe(self, parent_pipe, proc):
2116
2535
"""Dummy function; override as necessary"""
2117
2536
raise NotImplementedError()
2120
2539
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
2540
socketserver.TCPServer, object):
2122
2541
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2542
2124
2543
Attributes:
2125
2544
enabled: Boolean; whether this server is activated yet
2126
2545
interface: None or a network interface name (string)
2127
2546
use_ipv6: Boolean; to use IPv6 or not
2128
2547
"""
2129
2548
2130
2549
def __init__(self, server_address, RequestHandlerClass,
2131
2550
interface=None,
2132
2551
use_ipv6=True,
2142
2561
self.socketfd = socketfd
2143
2562
# Save the original socket.socket() function
2144
2563
self.socket_socket = socket.socket
2564
2145
2565
# To implement --socket, we monkey patch socket.socket.
2146
#
2566
#
2147
2567
# (When socketserver.TCPServer is a new-style class, we
2148
2568
# could make self.socket into a property instead of monkey
2149
2569
# patching socket.socket.)
2150
#
2570
#
2151
2571
# Create a one-time-only replacement for socket.socket()
2152
2572
@functools.wraps(socket.socket)
2153
2573
def socket_wrapper(*args, **kwargs):
2165
2585
# socket_wrapper(), if socketfd was set.
2166
2586
socketserver.TCPServer.__init__(self, server_address,
2167
2587
RequestHandlerClass)
2168
2588
2169
2589
def server_bind(self):
2170
2590
"""This overrides the normal server_bind() function
2171
2591
to bind to an interface if one was specified, and also NOT to
2172
2592
bind to an address or port if they were not specified."""
2593
global SO_BINDTODEVICE
2173
2594
if self.interface is not None:
2174
2595
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2596
# Fall back to a hard-coded value which seems to be
2597
# common enough.
2598
logger.warning("SO_BINDTODEVICE not found, trying 25")
2599
SO_BINDTODEVICE = 25
2600
try:
2601
self.socket.setsockopt(
2602
socket.SOL_SOCKET, SO_BINDTODEVICE,
2603
(self.interface + "\0").encode("utf-8"))
2604
except socket.error as error:
2605
if error.errno == errno.EPERM:
2606
logger.error("No permission to bind to"
2607
" interface %s", self.interface)
2608
elif error.errno == errno.ENOPROTOOPT:
2609
logger.error("SO_BINDTODEVICE not available;"
2610
" cannot bind to interface %s",
2611
self.interface)
2612
elif error.errno == errno.ENODEV:
2613
logger.error("Interface %s does not exist,"
2614
" cannot bind", self.interface)
2615
else:
2616
raise
2196
2617
# Only bind(2) the socket if we really need to.
2197
2618
if self.server_address[0] or self.server_address[1]:
2198
2619
if not self.server_address[0]:
2199
2620
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2621
any_address = "::" # in6addr_any
2201
2622
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2623
any_address = "0.0.0.0" # INADDR_ANY
2203
2624
self.server_address = (any_address,
2204
2625
self.server_address[1])
2205
2626
elif not self.server_address[1]:
2215
2636
2216
2637
class MandosServer(IPv6_TCPServer):
2217
2638
"""Mandos server.
2218
2639
2219
2640
Attributes:
2220
2641
clients: set of Client objects
2221
2642
gnutls_priority GnuTLS priority string
2222
2643
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2644
2645
Assumes a GLib.MainLoop event loop.
2225
2646
"""
2226
2647
2227
2648
def __init__(self, server_address, RequestHandlerClass,
2228
2649
interface=None,
2229
2650
use_ipv6=True,
2239
2660
self.gnutls_priority = gnutls_priority
2240
2661
IPv6_TCPServer.__init__(self, server_address,
2241
2662
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2663
interface=interface,
2664
use_ipv6=use_ipv6,
2665
socketfd=socketfd)
2666
2246
2667
def server_activate(self):
2247
2668
if self.enabled:
2248
2669
return socketserver.TCPServer.server_activate(self)
2249
2670
2250
2671
def enable(self):
2251
2672
self.enabled = True
2252
2673
2253
2674
def add_pipe(self, parent_pipe, proc):
2254
2675
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2676
GLib.io_add_watch(
2256
2677
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2678
GLib.IO_IN | GLib.IO_HUP,
2258
2679
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2680
parent_pipe=parent_pipe,
2681
proc=proc))
2682
2262
2683
def handle_ipc(self, source, condition,
2263
2684
parent_pipe=None,
2264
proc = None,
2685
proc=None,
2265
2686
client_object=None):
2266
2687
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2688
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2689
# Wait for other process to exit
2269
2690
proc.join()
2270
2691
return False
2271
2692
2272
2693
# Read a request from the child
2273
2694
request = parent_pipe.recv()
2274
2695
command = request[0]
2275
2696
2276
2697
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2698
key_id = request[1].decode("ascii")
2699
fpr = request[2].decode("ascii")
2700
address = request[3]
2701
2702
for c in self.clients.values():
2703
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2704
continue
2705
if key_id and c.key_id == key_id:
2706
client = c
2707
break
2708
if fpr and c.fingerprint == fpr:
2282
2709
client = c
2283
2710
break
2284
2711
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2712
logger.info("Client not found for key ID: %s, address"
2713
": %s", key_id or fpr, address)
2287
2714
if self.use_dbus:
2288
2715
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2716
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2717
address[0])
2291
2718
parent_pipe.send(False)
2292
2719
return False
2293
2294
gobject.io_add_watch(
2720
2721
GLib.io_add_watch(
2295
2722
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2723
GLib.IO_IN | GLib.IO_HUP,
2297
2724
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2725
parent_pipe=parent_pipe,
2726
proc=proc,
2727
client_object=client))
2301
2728
parent_pipe.send(True)
2302
2729
# remove the old hook in favor of the new above hook on
2303
2730
# same fileno
2306
2733
funcname = request[1]
2307
2734
args = request[2]
2308
2735
kwargs = request[3]
2309
2736
2310
2737
parent_pipe.send(('data', getattr(client_object,
2311
2738
funcname)(*args,
2312
2739
**kwargs)))
2313
2740
2314
2741
if command == 'getattr':
2315
2742
attrname = request[1]
2316
2743
if isinstance(client_object.__getattribute__(attrname),
2319
2746
else:
2320
2747
parent_pipe.send((
2321
2748
'data', client_object.__getattribute__(attrname)))
2322
2749
2323
2750
if command == 'setattr':
2324
2751
attrname = request[1]
2325
2752
value = request[2]
2326
2753
setattr(client_object, attrname, value)
2327
2754
2328
2755
return True
2329
2756
2330
2757
2331
2758
def rfc3339_duration_to_delta(duration):
2332
2759
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2760
2334
2761
>>> rfc3339_duration_to_delta("P7D")
2335
2762
datetime.timedelta(7)
2336
2763
>>> rfc3339_duration_to_delta("PT60S")
2346
2773
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
2774
datetime.timedelta(1, 200)
2348
2775
"""
2349
2776
2350
2777
# Parsing an RFC 3339 duration with regular expressions is not
2351
2778
# possible - there would have to be multiple places for the same
2352
2779
# values, like seconds. The current code, while more esoteric, is
2353
2780
# cleaner without depending on a parsing library. If Python had a
2354
2781
# built-in library for parsing we would use it, but we'd like to
2355
2782
# avoid excessive use of external libraries.
2356
2783
2357
2784
# New type for defining tokens, syntax, and semantics all-in-one
2358
2785
Token = collections.namedtuple("Token", (
2359
2786
"regexp", # To match token; if "value" is not None, must have
2392
2819
frozenset((token_year, token_month,
2393
2820
token_day, token_time,
2394
2821
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2822
# Define starting values:
2823
# Value so far
2824
value = datetime.timedelta()
2397
2825
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2826
# Following valid tokens
2827
followers = frozenset((token_duration, ))
2828
# String left to parse
2829
s = duration
2400
2830
# Loop until end token is found
2401
2831
while found_token is not token_end:
2402
2832
# Search for any currently valid tokens
2426
2856
2427
2857
def string_to_delta(interval):
2428
2858
"""Parse a string and return a datetime.timedelta
2429
2859
2430
2860
>>> string_to_delta('7d')
2431
2861
datetime.timedelta(7)
2432
2862
>>> string_to_delta('60s')
2440
2870
>>> string_to_delta('5m 30s')
2441
2871
datetime.timedelta(0, 330)
2442
2872
"""
2443
2873
2444
2874
try:
2445
2875
return rfc3339_duration_to_delta(interval)
2446
2876
except ValueError:
2447
2877
pass
2448
2878
2449
2879
timevalue = datetime.timedelta(0)
2450
2880
for s in interval.split():
2451
2881
try:
2469
2899
return timevalue
2470
2900
2471
2901
2472
def daemon(nochdir = False, noclose = False):
2902
def daemon(nochdir=False, noclose=False):
2473
2903
"""See daemon(3). Standard BSD Unix function.
2474
2904
2475
2905
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2906
if os.fork():
2477
2907
sys.exit()
2495
2925
2496
2926
2497
2927
def main():
2498
2928
2499
2929
##################################################################
2500
2930
# Parsing of options, both command line and config file
2501
2931
2502
2932
parser = argparse.ArgumentParser()
2503
2933
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2934
version="%(prog)s {}".format(version),
2505
2935
help="show version number and exit")
2506
2936
parser.add_argument("-i", "--interface", metavar="IF",
2507
2937
help="Bind to interface IF")
2543
2973
parser.add_argument("--no-zeroconf", action="store_false",
2544
2974
dest="zeroconf", help="Do not use Zeroconf",
2545
2975
default=None)
2546
2976
2547
2977
options = parser.parse_args()
2548
2978
2549
2979
if options.check:
2550
2980
import doctest
2551
2981
fail_count, test_count = doctest.testmod()
2552
2982
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2983
2554
2984
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2985
if gnutls.has_rawpk:
2986
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2987
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2988
else:
2989
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2990
":+SIGN-DSA-SHA256")
2991
server_defaults = {"interface": "",
2992
"address": "",
2993
"port": "",
2994
"debug": "False",
2995
"priority": priority,
2996
"servicename": "Mandos",
2997
"use_dbus": "True",
2998
"use_ipv6": "True",
2999
"debuglevel": "",
3000
"restore": "True",
3001
"socket": "",
3002
"statedir": "/var/lib/mandos",
3003
"foreground": "False",
3004
"zeroconf": "True",
3005
}
3006
del priority
3007
2573
3008
# Parse config file for server-global settings
2574
3009
server_config = configparser.SafeConfigParser(server_defaults)
2575
3010
del server_defaults
2577
3012
# Convert the SafeConfigParser object to a dict
2578
3013
server_settings = server_config.defaults()
2579
3014
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3015
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3016
"foreground", "zeroconf"):
2581
3017
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3018
option)
2583
3019
if server_settings["port"]:
2593
3029
server_settings["socket"] = os.dup(server_settings
2594
3030
["socket"])
2595
3031
del server_config
2596
3032
2597
3033
# Override the settings from the config file with command line
2598
3034
# options, if set.
2599
3035
for option in ("interface", "address", "port", "debug",
2617
3053
if server_settings["debug"]:
2618
3054
server_settings["foreground"] = True
2619
3055
# Now we have our good server settings in "server_settings"
2620
3056
2621
3057
##################################################################
2622
3058
2623
3059
if (not server_settings["zeroconf"]
2624
3060
and not (server_settings["port"]
2625
3061
or server_settings["socket"] != "")):
2626
3062
parser.error("Needs port or socket to work without Zeroconf")
2627
3063
2628
3064
# For convenience
2629
3065
debug = server_settings["debug"]
2630
3066
debuglevel = server_settings["debuglevel"]
2634
3070
stored_state_file)
2635
3071
foreground = server_settings["foreground"]
2636
3072
zeroconf = server_settings["zeroconf"]
2637
3073
2638
3074
if debug:
2639
3075
initlogger(debug, logging.DEBUG)
2640
3076
else:
2643
3079
else:
2644
3080
level = getattr(logging, debuglevel.upper())
2645
3081
initlogger(debug, level)
2646
3082
2647
3083
if server_settings["servicename"] != "Mandos":
2648
3084
syslogger.setFormatter(
2649
3085
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3086
' %(levelname)s: %(message)s'.format(
2651
3087
server_settings["servicename"])))
2652
3088
2653
3089
# Parse config file with clients
2654
3090
client_config = configparser.SafeConfigParser(Client
2655
3091
.client_defaults)
2656
3092
client_config.read(os.path.join(server_settings["configdir"],
2657
3093
"clients.conf"))
2658
3094
2659
3095
global mandos_dbus_service
2660
3096
mandos_dbus_service = None
2661
3097
2662
3098
socketfd = None
2663
3099
if server_settings["socket"] != "":
2664
3100
socketfd = server_settings["socket"]
2680
3116
except IOError as e:
2681
3117
logger.error("Could not open file %r", pidfilename,
2682
3118
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3119
3120
for name, group in (("_mandos", "_mandos"),
3121
("mandos", "mandos"),
3122
("nobody", "nogroup")):
2685
3123
try:
2686
3124
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3125
gid = pwd.getpwnam(group).pw_gid
2688
3126
break
2689
3127
except KeyError:
2690
3128
continue
2694
3132
try:
2695
3133
os.setgid(gid)
2696
3134
os.setuid(uid)
3135
if debug:
3136
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3137
gid))
2697
3138
except OSError as error:
3139
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3140
.format(uid, gid, os.strerror(error.errno)))
2698
3141
if error.errno != errno.EPERM:
2699
3142
raise
2700
3143
2701
3144
if debug:
2702
3145
# Enable all possible GnuTLS debugging
2703
3146
2704
3147
# "Use a log level over 10 to enable all debugging options."
2705
3148
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3149
gnutls.global_set_log_level(11)
3150
3151
@gnutls.log_func
2709
3152
def debug_gnutls(level, string):
2710
3153
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3154
3155
gnutls.global_set_log_function(debug_gnutls)
3156
2715
3157
# Redirect stdin so all checkers get /dev/null
2716
3158
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3159
os.dup2(null, sys.stdin.fileno())
2718
3160
if null > 2:
2719
3161
os.close(null)
2720
3162
2721
3163
# Need to fork before connecting to D-Bus
2722
3164
if not foreground:
2723
3165
# Close all input and output, do double fork, etc.
2724
3166
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3167
3168
# multiprocessing will use threads, so before we use GLib we need
3169
# to inform GLib that threads will be used.
3170
GLib.threads_init()
3171
2730
3172
global main_loop
2731
3173
# From the Avahi example code
2732
3174
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3175
main_loop = GLib.MainLoop()
2734
3176
bus = dbus.SystemBus()
2735
3177
# End of Avahi example code
2736
3178
if use_dbus:
2749
3191
if zeroconf:
2750
3192
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3193
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3194
name=server_settings["servicename"],
3195
servicetype="_mandos._tcp",
3196
protocol=protocol,
3197
bus=bus)
2756
3198
if server_settings["interface"]:
2757
3199
service.interface = if_nametoindex(
2758
3200
server_settings["interface"].encode("utf-8"))
2759
3201
2760
3202
global multiprocessing_manager
2761
3203
multiprocessing_manager = multiprocessing.Manager()
2762
3204
2763
3205
client_class = Client
2764
3206
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3207
client_class = functools.partial(ClientDBus, bus=bus)
3208
2767
3209
client_settings = Client.config_parser(client_config)
2768
3210
old_client_settings = {}
2769
3211
clients_data = {}
2770
3212
2771
3213
# This is used to redirect stdout and stderr for checker processes
2772
3214
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3215
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3216
# Only used if server is running in foreground but not in debug
2775
3217
# mode
2776
3218
if debug or not foreground:
2777
3219
wnull.close()
2778
3220
2779
3221
# Get client data and settings from last running state.
2780
3222
if server_settings["restore"]:
2781
3223
try:
2782
3224
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3225
if sys.version_info.major == 2:
3226
clients_data, old_client_settings = pickle.load(
3227
stored_state)
3228
else:
3229
bytes_clients_data, bytes_old_client_settings = (
3230
pickle.load(stored_state, encoding="bytes"))
3231
# Fix bytes to strings
3232
# clients_data
3233
# .keys()
3234
clients_data = {(key.decode("utf-8")
3235
if isinstance(key, bytes)
3236
else key): value
3237
for key, value in
3238
bytes_clients_data.items()}
3239
del bytes_clients_data
3240
for key in clients_data:
3241
value = {(k.decode("utf-8")
3242
if isinstance(k, bytes) else k): v
3243
for k, v in
3244
clients_data[key].items()}
3245
clients_data[key] = value
3246
# .client_structure
3247
value["client_structure"] = [
3248
(s.decode("utf-8")
3249
if isinstance(s, bytes)
3250
else s) for s in
3251
value["client_structure"]]
3252
# .name & .host
3253
for k in ("name", "host"):
3254
if isinstance(value[k], bytes):
3255
value[k] = value[k].decode("utf-8")
3256
if not value.has_key("key_id"):
3257
value["key_id"] = ""
3258
elif not value.has_key("fingerprint"):
3259
value["fingerprint"] = ""
3260
# old_client_settings
3261
# .keys()
3262
old_client_settings = {
3263
(key.decode("utf-8")
3264
if isinstance(key, bytes)
3265
else key): value
3266
for key, value in
3267
bytes_old_client_settings.items()}
3268
del bytes_old_client_settings
3269
# .host
3270
for value in old_client_settings.values():
3271
if isinstance(value["host"], bytes):
3272
value["host"] = (value["host"]
3273
.decode("utf-8"))
2785
3274
os.remove(stored_state_path)
2786
3275
except IOError as e:
2787
3276
if e.errno == errno.ENOENT:
2795
3284
logger.warning("Could not load persistent state: "
2796
3285
"EOFError:",
2797
3286
exc_info=e)
2798
3287
2799
3288
with PGPEngine() as pgp:
2800
3289
for client_name, client in clients_data.items():
2801
3290
# Skip removed clients
2802
3291
if client_name not in client_settings:
2803
3292
continue
2804
3293
2805
3294
# Decide which value to use after restoring saved state.
2806
3295
# We have three different values: Old config file,
2807
3296
# new config file, and saved state.
2818
3307
client[name] = value
2819
3308
except KeyError:
2820
3309
pass
2821
3310
2822
3311
# Clients who has passed its expire date can still be
2823
3312
# enabled if its last checker was successful. A Client
2824
3313
# whose checker succeeded before we stored its state is
2857
3346
client_name))
2858
3347
client["secret"] = (client_settings[client_name]
2859
3348
["secret"])
2860
3349
2861
3350
# Add/remove clients based on new changes made to config
2862
3351
for client_name in (set(old_client_settings)
2863
3352
- set(client_settings)):
2865
3354
for client_name in (set(client_settings)
2866
3355
- set(old_client_settings)):
2867
3356
clients_data[client_name] = client_settings[client_name]
2868
3357
2869
3358
# Create all client objects
2870
3359
for client_name, client in clients_data.items():
2871
3360
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3361
name=client_name,
3362
settings=client,
3363
server_settings=server_settings)
3364
2876
3365
if not tcp_server.clients:
2877
3366
logger.warning("No clients defined")
2878
3367
2879
3368
if not foreground:
2880
3369
if pidfile is not None:
2881
3370
pid = os.getpid()
2887
3376
pidfilename, pid)
2888
3377
del pidfile
2889
3378
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3379
3380
for termsig in (signal.SIGHUP, signal.SIGTERM):
3381
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3382
lambda: main_loop.quit() and False)
3383
2894
3384
if use_dbus:
2895
3385
2896
3386
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3387
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3388
class MandosDBusService(DBusObjectWithObjectManager):
2899
3389
"""A D-Bus proxy object"""
2900
3390
2901
3391
def __init__(self):
2902
3392
dbus.service.Object.__init__(self, bus, "/")
2903
3393
2904
3394
_interface = "se.recompile.Mandos"
2905
3395
2906
3396
@dbus.service.signal(_interface, signature="o")
2907
3397
def ClientAdded(self, objpath):
2908
3398
"D-Bus signal"
2909
3399
pass
2910
3400
2911
3401
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3402
def ClientNotFound(self, key_id, address):
2913
3403
"D-Bus signal"
2914
3404
pass
2915
3405
2916
3406
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3407
"true"})
2918
3408
@dbus.service.signal(_interface, signature="os")
2919
3409
def ClientRemoved(self, objpath, name):
2920
3410
"D-Bus signal"
2921
3411
pass
2922
3412
2923
3413
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3414
"true"})
2925
3415
@dbus.service.method(_interface, out_signature="ao")
2926
3416
def GetAllClients(self):
2927
3417
"D-Bus method"
2928
3418
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3419
tcp_server.clients.values())
3420
2931
3421
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3422
"true"})
2933
3423
@dbus.service.method(_interface,
2935
3425
def GetAllClientsWithProperties(self):
2936
3426
"D-Bus method"
2937
3427
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3428
{c.dbus_object_path: c.GetAll(
2939
3429
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3430
for c in tcp_server.clients.values()},
2941
3431
signature="oa{sv}")
2942
3432
2943
3433
@dbus.service.method(_interface, in_signature="o")
2944
3434
def RemoveClient(self, object_path):
2945
3435
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3436
for c in tcp_server.clients.values():
2947
3437
if c.dbus_object_path == object_path:
2948
3438
del tcp_server.clients[c.name]
2949
3439
c.remove_from_connection()
2953
3443
self.client_removed_signal(c)
2954
3444
return
2955
3445
raise KeyError(object_path)
2956
3446
2957
3447
del _interface
2958
3448
2959
3449
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3450
out_signature="a{oa{sa{sv}}}")
2961
3451
def GetManagedObjects(self):
2962
3452
"""D-Bus method"""
2963
3453
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3454
{client.dbus_object_path:
3455
dbus.Dictionary(
3456
{interface: client.GetAll(interface)
3457
for interface in
3458
client._get_all_interface_names()})
3459
for client in tcp_server.clients.values()})
3460
2971
3461
def client_added_signal(self, client):
2972
3462
"""Send the new standard signal and the old signal"""
2973
3463
if use_dbus:
2975
3465
self.InterfacesAdded(
2976
3466
client.dbus_object_path,
2977
3467
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3468
{interface: client.GetAll(interface)
3469
for interface in
3470
client._get_all_interface_names()}))
2981
3471
# Old signal
2982
3472
self.ClientAdded(client.dbus_object_path)
2983
3473
2984
3474
def client_removed_signal(self, client):
2985
3475
"""Send the new standard signal and the old signal"""
2986
3476
if use_dbus:
2991
3481
# Old signal
2992
3482
self.ClientRemoved(client.dbus_object_path,
2993
3483
client.name)
2994
3484
2995
3485
mandos_dbus_service = MandosDBusService()
2996
3486
3487
# Save modules to variables to exempt the modules from being
3488
# unloaded before the function registered with atexit() is run.
3489
mp = multiprocessing
3490
wn = wnull
3491
2997
3492
def cleanup():
2998
3493
"Cleanup function; run on exit"
2999
3494
if zeroconf:
3000
3495
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3496
3497
mp.active_children()
3498
wn.close()
3004
3499
if not (tcp_server.clients or client_settings):
3005
3500
return
3006
3501
3007
3502
# Store client before exiting. Secrets are encrypted with key
3008
3503
# based on what config file has. If config file is
3009
3504
# removed/edited, old secret will thus be unrecovable.
3010
3505
clients = {}
3011
3506
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3507
for client in tcp_server.clients.values():
3013
3508
key = client_settings[client.name]["secret"]
3014
3509
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3510
key)
3016
3511
client_dict = {}
3017
3512
3018
3513
# A list of attributes that can not be pickled
3019
3514
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3515
exclude = {"bus", "changedstate", "secret",
3516
"checker", "server_settings"}
3022
3517
for name, typ in inspect.getmembers(dbus.service
3023
3518
.Object):
3024
3519
exclude.add(name)
3025
3520
3026
3521
client_dict["encrypted_secret"] = (client
3027
3522
.encrypted_secret)
3028
3523
for attr in client.client_structure:
3029
3524
if attr not in exclude:
3030
3525
client_dict[attr] = getattr(client, attr)
3031
3526
3032
3527
clients[client.name] = client_dict
3033
3528
del client_settings[client.name]["secret"]
3034
3529
3035
3530
try:
3036
3531
with tempfile.NamedTemporaryFile(
3037
3532
mode='wb',
3039
3534
prefix='clients-',
3040
3535
dir=os.path.dirname(stored_state_path),
3041
3536
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3537
pickle.dump((clients, client_settings), stored_state,
3538
protocol=2)
3043
3539
tempname = stored_state.name
3044
3540
os.rename(tempname, stored_state_path)
3045
3541
except (IOError, OSError) as e:
3055
3551
logger.warning("Could not save persistent state:",
3056
3552
exc_info=e)
3057
3553
raise
3058
3554
3059
3555
# Delete all clients, and settings from config
3060
3556
while tcp_server.clients:
3061
3557
name, client = tcp_server.clients.popitem()
3064
3560
# Don't signal the disabling
3065
3561
client.disable(quiet=True)
3066
3562
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3563
if use_dbus:
3564
mandos_dbus_service.client_removed_signal(client)
3068
3565
client_settings.clear()
3069
3566
3070
3567
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3568
3569
for client in tcp_server.clients.values():
3073
3570
if use_dbus:
3074
3571
# Emit D-Bus signal for adding
3075
3572
mandos_dbus_service.client_added_signal(client)
3076
3573
# Need to initiate checking of clients
3077
3574
if client.enabled:
3078
3575
client.init_checker()
3079
3576
3080
3577
tcp_server.enable()
3081
3578
tcp_server.server_activate()
3082
3579
3083
3580
# Find out what port we got
3084
3581
if zeroconf:
3085
3582
service.port = tcp_server.socket.getsockname()[1]
3090
3587
else: # IPv4
3091
3588
logger.info("Now listening on address %r, port %d",
3092
3589
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3590
3591
# service.interface = tcp_server.socket.getsockname()[3]
3592
3096
3593
try:
3097
3594
if zeroconf:
3098
3595
# From the Avahi example code
3103
3600
cleanup()
3104
3601
sys.exit(1)
3105
3602
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3603
3604
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3605
lambda *args, **kwargs:
3606
(tcp_server.handle_request
3607
(*args[2:], **kwargs) or True))
3608
3112
3609
logger.debug("Starting main loop")
3113
3610
main_loop.run()
3114
3611
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0