To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1127
- compare with another revision
- download diff
- download tarball
- view history from revision 1127
- Committer: Teddy Hogeborn
- Date: 2019-07-27 10:11:45 UTC
- Revision ID: teddy@recompile.se-20190727101145-jnpbpf8220gldbcd
Add dracut(8) support
Add support for the dracut(8) system for generating initramfs image
files; dracut is an alternative to the "initramfs-tools" package.
* .bzrignore (dracut-module/password-agent): Ignore new binary file.
* dracut-module: New directory for the dracut module.
* INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an
alternative to
initramfs-tools,
and also add GLib.
* Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New.
(CPROGS): Add "dracut-module/password-agent".
(DOCS): Add "dracut-module/password-agent.8mandos".
(dracut-module/password-agent.8mandos): New.
(dracut-module/password-agent.8mandos.xhtml): - '' -
(dracut-module/password-agent): - '' -
(check): Add command to run tests of password-agent(8mandos).
(install-client-nokey): Also install the dracut module directory,
its files, and the password-agent(8mandos)
manual page.
(install-client): To update the initramfs image file, run
update-initramfs or dracut depending on what is
installed.
(uninstall-client): - '' - and also uninstall the the files in the
dracut module directory, that directory itself,
and the password-agent(8mandos) manual page.
* debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)".
(Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an
alternative dependency to
initramfs-tools.
(Package: mandos-client/Conflicts): New; set to
"dracut-config-generic".
(debian/mandos-client.README.Debian): Document alternative commands
to update the initramfs image
for when dracut is used.
* debian/mandos-client.postinst (update_initramfs): Use alternative
commands to update
the initramfs
image for when
dracut is used.
* debian/tests/control (password-agent, password-agent-suid): Add two
new tests.
* dracut-module/ask-password-mandos.path: New.
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/cmdline-mandos.sh: - '' -
* dracut-module/module-setup.sh: - '' -
* dracut-module/password-agent.c: - '' -
* dracut-module/password-agent.xml: - '' -
* initramfs-unpack: Use the dracut "skipcpio" command, if available.
Also be more flexible and try hard to detect where
compressed data starts.
* plugins.d/mandos-client.xml (SECURITY): Be more precise that the
mandos-client binary might
not always be setuid, but
that the program assumes
that it has been started
that way.
* plugins.d/password-prompt.c: Add new "--prompt" option.
(conflict_detection): First try to detect the new PID file of
plymouth.
(main): Define and use new "prompt" variable.
* plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option.
(DESCRIPTION): Describe new behavior of looking for plymouth PID
file.
(OPTIONS): Document new "--prompt" option.
(ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME
environment variables are not used if the --prompt
option is used. Remove unnecessarily specific
details about where the CRYPTTAB_SOURCE and
CRYPTTAB_NAME comes from, since this can now be
either initramfs-tools or dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference, and add commas
to separate the other references.
* plugins.d/plymouth.c: Add new "--prompt" and "--debug" options.
(debug): New global flag.
(fprintf_plus): New function, used for debug output.
(exec_and_wait): Add extra "const" to "argv" argument.
(main): Define and use new "prompt" variable. Add debug output.
(main/options, main/parse_opt): New; used to parse options.
* plugins.d/plymouth.xml (SYNOPSIS): Show new options.
(OPTIONS): Document new options.
(ENVIRONMENT): Clarify that the cryptsource and crypttarget
environment variables are not used if the --prompt
option is used. Remove unnecessarily specific
details about where the cryptsource and crypttarget
comes from, since this can now be either
initramfs-tools or dracut.
(EXAMPLE): Add an example using an option.
(SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource
and crypttarget environment
variables are not used if the
--prompt option is used.
Remove unnecessarily specific
details about where the
cryptsource and crypttarget
comes from, since this can now
be either initramfs-tools or
dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource
and crypttarget environment
variables are not used if the
--prompt option is used.
Remove unnecessarily specific
details about where the
cryptsource and crypttarget
comes from, since this can now
be either initramfs-tools or
dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference.
Add support for the dracut(8) system for generating initramfs image
files; dracut is an alternative to the "initramfs-tools" package.
* .bzrignore (dracut-module/password-agent): Ignore new binary file.
* dracut-module: New directory for the dracut module.
* INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an
alternative to
initramfs-tools,
and also add GLib.
* Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New.
(CPROGS): Add "dracut-module/password-agent".
(DOCS): Add "dracut-module/password-agent.8mandos".
(dracut-module/password-agent.8mandos): New.
(dracut-module/password-agent.8mandos.xhtml): - '' -
(dracut-module/password-agent): - '' -
(check): Add command to run tests of password-agent(8mandos).
(install-client-nokey): Also install the dracut module directory,
its files, and the password-agent(8mandos)
manual page.
(install-client): To update the initramfs image file, run
update-initramfs or dracut depending on what is
installed.
(uninstall-client): - '' - and also uninstall the the files in the
dracut module directory, that directory itself,
and the password-agent(8mandos) manual page.
* debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)".
(Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an
alternative dependency to
initramfs-tools.
(Package: mandos-client/Conflicts): New; set to
"dracut-config-generic".
(debian/mandos-client.README.Debian): Document alternative commands
to update the initramfs image
for when dracut is used.
* debian/mandos-client.postinst (update_initramfs): Use alternative
commands to update
the initramfs
image for when
dracut is used.
* debian/tests/control (password-agent, password-agent-suid): Add two
new tests.
* dracut-module/ask-password-mandos.path: New.
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/cmdline-mandos.sh: - '' -
* dracut-module/module-setup.sh: - '' -
* dracut-module/password-agent.c: - '' -
* dracut-module/password-agent.xml: - '' -
* initramfs-unpack: Use the dracut "skipcpio" command, if available.
Also be more flexible and try hard to detect where
compressed data starts.
* plugins.d/mandos-client.xml (SECURITY): Be more precise that the
mandos-client binary might
not always be setuid, but
that the program assumes
that it has been started
that way.
* plugins.d/password-prompt.c: Add new "--prompt" option.
(conflict_detection): First try to detect the new PID file of
plymouth.
(main): Define and use new "prompt" variable.
* plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option.
(DESCRIPTION): Describe new behavior of looking for plymouth PID
file.
(OPTIONS): Document new "--prompt" option.
(ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME
environment variables are not used if the --prompt
option is used. Remove unnecessarily specific
details about where the CRYPTTAB_SOURCE and
CRYPTTAB_NAME comes from, since this can now be
either initramfs-tools or dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference, and add commas
to separate the other references.
* plugins.d/plymouth.c: Add new "--prompt" and "--debug" options.
(debug): New global flag.
(fprintf_plus): New function, used for debug output.
(exec_and_wait): Add extra "const" to "argv" argument.
(main): Define and use new "prompt" variable. Add debug output.
(main/options, main/parse_opt): New; used to parse options.
* plugins.d/plymouth.xml (SYNOPSIS): Show new options.
(OPTIONS): Document new options.
(ENVIRONMENT): Clarify that the cryptsource and crypttarget
environment variables are not used if the --prompt
option is used. Remove unnecessarily specific
details about where the cryptsource and crypttarget
comes from, since this can now be either
initramfs-tools or dracut.
(EXAMPLE): Add an example using an option.
(SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource
and crypttarget environment
variables are not used if the
--prompt option is used.
Remove unnecessarily specific
details about where the
cryptsource and crypttarget
comes from, since this can now
be either initramfs-tools or
dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource
and crypttarget environment
variables are not used if the
--prompt option is used.
Remove unnecessarily specific
details about where the
cryptsource and crypttarget
comes from, since this can now
be either initramfs-tools or
dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference.
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
82
80
83
81
import dbus
84
82
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
83
from gi.repository import GLib
90
84
from dbus.mainloop.glib import DBusGMainLoop
91
85
import ctypes
92
86
import ctypes.util
93
87
import xml.dom.minidom
94
88
import inspect
95
89
90
# Try to find the value of SO_BINDTODEVICE:
96
91
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
97
94
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
95
except AttributeError:
99
96
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
100
99
from IN import SO_BINDTODEVICE
101
100
except ImportError:
102
SO_BINDTODEVICE = None
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
103
114
104
115
if sys.version_info.major == 2:
105
116
str = unicode
106
117
107
version = "1.7.1"
118
version = "1.8.4"
108
119
stored_state_file = "clients.pickle"
109
120
110
121
logger = logging.getLogger()
114
125
if_nametoindex = ctypes.cdll.LoadLibrary(
115
126
ctypes.util.find_library("c")).if_nametoindex
116
127
except (OSError, AttributeError):
117
128
118
129
def if_nametoindex(interface):
119
130
"Get an interface index the hard way, i.e. using fcntl()"
120
131
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
136
return interface_index
126
137
127
138
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
128
155
def initlogger(debug, level=logging.WARNING):
129
156
"""init logger and add loglevel"""
130
157
131
158
global syslogger
132
159
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
135
162
syslogger.setFormatter(logging.Formatter
136
163
('Mandos [%(process)d]: %(levelname)s:'
137
164
' %(message)s'))
138
165
logger.addHandler(syslogger)
139
166
140
167
if debug:
141
168
console = logging.StreamHandler()
142
169
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
154
181
155
182
class PGPEngine(object):
156
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
184
158
185
def __init__(self):
159
186
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
160
198
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
199
'--homedir', self.tempdir,
162
200
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
166
206
def __enter__(self):
167
207
return self
168
208
169
209
def __exit__(self, exc_type, exc_value, traceback):
170
210
self._cleanup()
171
211
return False
172
212
173
213
def __del__(self):
174
214
self._cleanup()
175
215
176
216
def _cleanup(self):
177
217
if self.tempdir is not None:
178
218
# Delete contents of tempdir
179
219
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
220
topdown=False):
181
221
for filename in files:
182
222
os.remove(os.path.join(root, filename))
183
223
for dirname in dirs:
185
225
# Remove tempdir
186
226
os.rmdir(self.tempdir)
187
227
self.tempdir = None
188
228
189
229
def password_encode(self, password):
190
230
# Passphrase can not be empty and can not contain newlines or
191
231
# NUL bytes. So we prefix it and hex encode it.
196
236
.replace(b"\n", b"\\n")
197
237
.replace(b"\0", b"\\x00"))
198
238
return encoded
199
239
200
240
def encrypt(self, data, password):
201
241
passphrase = self.password_encode(password)
202
242
with tempfile.NamedTemporaryFile(
203
243
dir=self.tempdir) as passfile:
204
244
passfile.write(passphrase)
205
245
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
246
proc = subprocess.Popen([self.gpg, '--symmetric',
207
247
'--passphrase-file',
208
248
passfile.name]
209
249
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
214
254
if proc.returncode != 0:
215
255
raise PGPError(err)
216
256
return ciphertext
217
257
218
258
def decrypt(self, data, password):
219
259
passphrase = self.password_encode(password)
220
260
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
261
dir=self.tempdir) as passfile:
222
262
passfile.write(passphrase)
223
263
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
264
proc = subprocess.Popen([self.gpg, '--decrypt',
225
265
'--passphrase-file',
226
266
passfile.name]
227
267
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
232
272
if proc.returncode != 0:
233
273
raise PGPError(err)
234
274
return decrypted_plaintext
235
275
236
276
277
# Pretend that we have an Avahi module
278
class avahi(object):
279
"""This isn't so much a class as it is a module-like namespace."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
@staticmethod
290
def string_array_to_txt_array(t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
302
237
303
class AvahiError(Exception):
238
304
def __init__(self, value, *args, **kwargs):
239
305
self.value = value
251
317
252
318
class AvahiService(object):
253
319
"""An Avahi (Zeroconf) service.
254
320
255
321
Attributes:
256
322
interface: integer; avahi.IF_UNSPEC or an interface index.
257
323
Used to optionally bind to the specified interface.
269
335
server: D-Bus Server
270
336
bus: dbus.SystemBus()
271
337
"""
272
338
273
339
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
284
350
self.interface = interface
285
351
self.name = name
286
352
self.type = servicetype
295
361
self.server = None
296
362
self.bus = bus
297
363
self.entry_group_state_changed_match = None
298
364
299
365
def rename(self, remove=True):
300
366
"""Derived from the Avahi example code"""
301
367
if self.rename_count >= self.max_renames:
321
387
logger.critical("D-Bus Exception", exc_info=error)
322
388
self.cleanup()
323
389
os._exit(1)
324
390
325
391
def remove(self):
326
392
"""Derived from the Avahi example code"""
327
393
if self.entry_group_state_changed_match is not None:
329
395
self.entry_group_state_changed_match = None
330
396
if self.group is not None:
331
397
self.group.Reset()
332
398
333
399
def add(self):
334
400
"""Derived from the Avahi example code"""
335
401
self.remove()
352
418
dbus.UInt16(self.port),
353
419
avahi.string_array_to_txt_array(self.TXT))
354
420
self.group.Commit()
355
421
356
422
def entry_group_state_changed(self, state, error):
357
423
"""Derived from the Avahi example code"""
358
424
logger.debug("Avahi entry group state change: %i", state)
359
425
360
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
427
logger.debug("Zeroconf service established.")
362
428
elif state == avahi.ENTRY_GROUP_COLLISION:
366
432
logger.critical("Avahi: Error in group state changed %s",
367
433
str(error))
368
434
raise AvahiGroupError("State changed: {!s}".format(error))
369
435
370
436
def cleanup(self):
371
437
"""Derived from the Avahi example code"""
372
438
if self.group is not None:
377
443
pass
378
444
self.group = None
379
445
self.remove()
380
446
381
447
def server_state_changed(self, state, error=None):
382
448
"""Derived from the Avahi example code"""
383
449
logger.debug("Avahi server state change: %i", state)
412
478
logger.debug("Unknown state: %r", state)
413
479
else:
414
480
logger.debug("Unknown state: %r: %r", state, error)
415
481
416
482
def activate(self):
417
483
"""Derived from the Avahi example code"""
418
484
if self.server is None:
429
495
class AvahiServiceToSyslog(AvahiService):
430
496
def rename(self, *args, **kwargs):
431
497
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
498
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
499
syslogger.setFormatter(logging.Formatter(
434
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
501
.format(self.name)))
436
502
return ret
437
503
504
505
# Pretend that we have a GnuTLS module
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
508
509
library = ctypes.util.find_library("gnutls")
510
if library is None:
511
library = ctypes.util.find_library("gnutls-deb0")
512
_library = ctypes.cdll.LoadLibrary(library)
513
del library
514
515
# Unless otherwise indicated, the constants and types below are
516
# all from the gnutls/gnutls.h C header file.
517
518
# Constants
519
E_SUCCESS = 0
520
E_INTERRUPTED = -52
521
E_AGAIN = -28
522
CRT_OPENPGP = 2
523
CRT_RAWPK = 3
524
CLIENT = 2
525
SHUT_RDWR = 0
526
CRD_CERTIFICATE = 1
527
E_NO_CERTIFICATE_FOUND = -49
528
X509_FMT_DER = 0
529
NO_TICKETS = 1<<10
530
ENABLE_RAWPK = 1<<18
531
CTYPE_PEERS = 3
532
KEYID_USE_SHA256 = 1 # gnutls/x509.h
533
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
534
535
# Types
536
class session_int(ctypes.Structure):
537
_fields_ = []
538
session_t = ctypes.POINTER(session_int)
539
540
class certificate_credentials_st(ctypes.Structure):
541
_fields_ = []
542
certificate_credentials_t = ctypes.POINTER(
543
certificate_credentials_st)
544
certificate_type_t = ctypes.c_int
545
546
class datum_t(ctypes.Structure):
547
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
548
('size', ctypes.c_uint)]
549
550
class openpgp_crt_int(ctypes.Structure):
551
_fields_ = []
552
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
553
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
554
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
555
credentials_type_t = ctypes.c_int
556
transport_ptr_t = ctypes.c_void_p
557
close_request_t = ctypes.c_int
558
559
# Exceptions
560
class Error(Exception):
561
def __init__(self, message=None, code=None, args=()):
562
# Default usage is by a message string, but if a return
563
# code is passed, convert it to a string with
564
# gnutls.strerror()
565
self.code = code
566
if message is None and code is not None:
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
569
message, *args)
570
571
class CertificateSecurityError(Error):
572
pass
573
574
# Classes
575
class Credentials(object):
576
def __init__(self):
577
self._c_object = gnutls.certificate_credentials_t()
578
gnutls.certificate_allocate_credentials(
579
ctypes.byref(self._c_object))
580
self.type = gnutls.CRD_CERTIFICATE
581
582
def __del__(self):
583
gnutls.certificate_free_credentials(self._c_object)
584
585
class ClientSession(object):
586
def __init__(self, socket, credentials=None):
587
self._c_object = gnutls.session_t()
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version("3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
591
if gnutls.has_rawpk:
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
del gnutls_flags
595
gnutls.set_default_priority(self._c_object)
596
gnutls.transport_set_ptr(self._c_object, socket.fileno())
597
gnutls.handshake_set_private_extensions(self._c_object,
598
True)
599
self.socket = socket
600
if credentials is None:
601
credentials = gnutls.Credentials()
602
gnutls.credentials_set(self._c_object, credentials.type,
603
ctypes.cast(credentials._c_object,
604
ctypes.c_void_p))
605
self.credentials = credentials
606
607
def __del__(self):
608
gnutls.deinit(self._c_object)
609
610
def handshake(self):
611
return gnutls.handshake(self._c_object)
612
613
def send(self, data):
614
data = bytes(data)
615
data_len = len(data)
616
while data_len > 0:
617
data_len -= gnutls.record_send(self._c_object,
618
data[-data_len:],
619
data_len)
620
621
def bye(self):
622
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
623
624
# Error handling functions
625
def _error_code(result):
626
"""A function to raise exceptions on errors, suitable
627
for the 'restype' attribute on ctypes functions"""
628
if result >= 0:
629
return result
630
if result == gnutls.E_NO_CERTIFICATE_FOUND:
631
raise gnutls.CertificateSecurityError(code=result)
632
raise gnutls.Error(code=result)
633
634
def _retry_on_error(result, func, arguments):
635
"""A function to retry on some errors, suitable
636
for the 'errcheck' attribute on ctypes functions"""
637
while result < 0:
638
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
639
return _error_code(result)
640
result = func(*arguments)
641
return result
642
643
# Unless otherwise indicated, the function declarations below are
644
# all from the gnutls/gnutls.h C header file.
645
646
# Functions
647
priority_set_direct = _library.gnutls_priority_set_direct
648
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
649
ctypes.POINTER(ctypes.c_char_p)]
650
priority_set_direct.restype = _error_code
651
652
init = _library.gnutls_init
653
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
654
init.restype = _error_code
655
656
set_default_priority = _library.gnutls_set_default_priority
657
set_default_priority.argtypes = [session_t]
658
set_default_priority.restype = _error_code
659
660
record_send = _library.gnutls_record_send
661
record_send.argtypes = [session_t, ctypes.c_void_p,
662
ctypes.c_size_t]
663
record_send.restype = ctypes.c_ssize_t
664
record_send.errcheck = _retry_on_error
665
666
certificate_allocate_credentials = (
667
_library.gnutls_certificate_allocate_credentials)
668
certificate_allocate_credentials.argtypes = [
669
ctypes.POINTER(certificate_credentials_t)]
670
certificate_allocate_credentials.restype = _error_code
671
672
certificate_free_credentials = (
673
_library.gnutls_certificate_free_credentials)
674
certificate_free_credentials.argtypes = [
675
certificate_credentials_t]
676
certificate_free_credentials.restype = None
677
678
handshake_set_private_extensions = (
679
_library.gnutls_handshake_set_private_extensions)
680
handshake_set_private_extensions.argtypes = [session_t,
681
ctypes.c_int]
682
handshake_set_private_extensions.restype = None
683
684
credentials_set = _library.gnutls_credentials_set
685
credentials_set.argtypes = [session_t, credentials_type_t,
686
ctypes.c_void_p]
687
credentials_set.restype = _error_code
688
689
strerror = _library.gnutls_strerror
690
strerror.argtypes = [ctypes.c_int]
691
strerror.restype = ctypes.c_char_p
692
693
certificate_type_get = _library.gnutls_certificate_type_get
694
certificate_type_get.argtypes = [session_t]
695
certificate_type_get.restype = _error_code
696
697
certificate_get_peers = _library.gnutls_certificate_get_peers
698
certificate_get_peers.argtypes = [session_t,
699
ctypes.POINTER(ctypes.c_uint)]
700
certificate_get_peers.restype = ctypes.POINTER(datum_t)
701
702
global_set_log_level = _library.gnutls_global_set_log_level
703
global_set_log_level.argtypes = [ctypes.c_int]
704
global_set_log_level.restype = None
705
706
global_set_log_function = _library.gnutls_global_set_log_function
707
global_set_log_function.argtypes = [log_func]
708
global_set_log_function.restype = None
709
710
deinit = _library.gnutls_deinit
711
deinit.argtypes = [session_t]
712
deinit.restype = None
713
714
handshake = _library.gnutls_handshake
715
handshake.argtypes = [session_t]
716
handshake.restype = _error_code
717
handshake.errcheck = _retry_on_error
718
719
transport_set_ptr = _library.gnutls_transport_set_ptr
720
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
721
transport_set_ptr.restype = None
722
723
bye = _library.gnutls_bye
724
bye.argtypes = [session_t, close_request_t]
725
bye.restype = _error_code
726
bye.errcheck = _retry_on_error
727
728
check_version = _library.gnutls_check_version
729
check_version.argtypes = [ctypes.c_char_p]
730
check_version.restype = ctypes.c_char_p
731
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
736
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
739
740
if has_rawpk:
741
# Types
742
class pubkey_st(ctypes.Structure):
743
_fields = []
744
pubkey_t = ctypes.POINTER(pubkey_st)
745
746
x509_crt_fmt_t = ctypes.c_int
747
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
752
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
x509_crt_fmt_t]
756
pubkey_import.restype = _error_code
757
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
763
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
767
else:
768
# All the function declarations below are from gnutls/openpgp.h
769
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
773
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
777
openpgp_crt_fmt_t]
778
openpgp_crt_import.restype = _error_code
779
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
784
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
788
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
ctypes.c_void_p,
793
ctypes.POINTER(
794
ctypes.c_size_t)]
795
openpgp_crt_get_fingerprint.restype = _error_code
796
797
if check_version("3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
801
802
# Remove non-public functions
803
del _error_code, _retry_on_error
804
805
438
806
def call_pipe(connection, # : multiprocessing.Connection
439
807
func, *args, **kwargs):
440
808
"""This function is meant to be called by multiprocessing.Process
441
809
442
810
This function runs func(*args, **kwargs), and writes the resulting
443
811
return value on the provided multiprocessing.Connection.
444
812
"""
445
813
connection.send(func(*args, **kwargs))
446
814
connection.close()
447
815
816
448
817
class Client(object):
449
818
"""A representation of a client host served by this server.
450
819
451
820
Attributes:
452
821
approved: bool(); 'None' if not yet approved/disapproved
453
822
approval_delay: datetime.timedelta(); Time to wait for approval
455
824
checker: subprocess.Popen(); a running checker process used
456
825
to see if the client lives.
457
826
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
827
checker_callback_tag: a GLib event source tag, or None
459
828
checker_command: string; External command which is run to check
460
829
if client lives. %() expansions are done at
461
830
runtime with vars(self) as dict, so that for
462
831
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
832
checker_initiator_tag: a GLib event source tag, or None
464
833
created: datetime.datetime(); (UTC) object creation
465
834
client_structure: Object describing what attributes a client has
466
835
and is used for storing the client at exit
467
836
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
837
disable_initiator_tag: a GLib event source tag, or None
469
838
enabled: bool()
470
839
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
840
uniquely identify an OpenPGP client
841
key_id: string (64 hexadecimal digits); used to uniquely identify
842
a client using raw public keys
472
843
host: string; available for use by the checker command
473
844
interval: datetime.timedelta(); How often to start a new checker
474
845
last_approval_request: datetime.datetime(); (UTC) or None
490
861
disabled, or None
491
862
server_settings: The server_settings dict from main()
492
863
"""
493
864
494
865
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
866
"created", "enabled", "expires", "key_id",
496
867
"fingerprint", "host", "interval",
497
868
"last_approval_request", "last_checked_ok",
498
869
"last_enabled", "name", "timeout")
507
878
"approved_by_default": "True",
508
879
"enabled": "True",
509
880
}
510
881
511
882
@staticmethod
512
883
def config_parser(config):
513
884
"""Construct a new dict of client settings of this form:
520
891
for client_name in config.sections():
521
892
section = dict(config.items(client_name))
522
893
client = settings[client_name] = {}
523
894
524
895
client["host"] = section["host"]
525
896
# Reformat values from string types to Python types
526
897
client["approved_by_default"] = config.getboolean(
527
898
client_name, "approved_by_default")
528
899
client["enabled"] = config.getboolean(client_name,
529
900
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
901
902
# Uppercase and remove spaces from key_id and fingerprint
903
# for later comparison purposes with return value from the
904
# key_id() and fingerprint() functions
905
client["key_id"] = (section.get("key_id", "").upper()
906
.replace(" ", ""))
534
907
client["fingerprint"] = (section["fingerprint"].upper()
535
908
.replace(" ", ""))
536
909
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
910
client["secret"] = codecs.decode(section["secret"]
911
.encode("utf-8"),
912
"base64")
538
913
elif "secfile" in section:
539
914
with open(os.path.expanduser(os.path.expandvars
540
915
(section["secfile"])),
555
930
client["last_approval_request"] = None
556
931
client["last_checked_ok"] = None
557
932
client["last_checker_status"] = -2
558
933
559
934
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
935
936
def __init__(self, settings, name=None, server_settings=None):
562
937
self.name = name
563
938
if server_settings is None:
564
939
server_settings = {}
566
941
# adding all client settings
567
942
for setting, value in settings.items():
568
943
setattr(self, setting, value)
569
944
570
945
if self.enabled:
571
946
if not hasattr(self, "last_enabled"):
572
947
self.last_enabled = datetime.datetime.utcnow()
576
951
else:
577
952
self.last_enabled = None
578
953
self.expires = None
579
954
580
955
logger.debug("Creating client %r", self.name)
956
logger.debug(" Key ID: %s", self.key_id)
581
957
logger.debug(" Fingerprint: %s", self.fingerprint)
582
958
self.created = settings.get("created",
583
959
datetime.datetime.utcnow())
584
960
585
961
# attributes specific for this server instance
586
962
self.checker = None
587
963
self.checker_initiator_tag = None
593
969
self.changedstate = multiprocessing_manager.Condition(
594
970
multiprocessing_manager.Lock())
595
971
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
972
for attr in self.__dict__.keys()
597
973
if not attr.startswith("_")]
598
974
self.client_structure.append("client_structure")
599
975
600
976
for name, t in inspect.getmembers(
601
977
type(self), lambda obj: isinstance(obj, property)):
602
978
if not name.startswith("_"):
603
979
self.client_structure.append(name)
604
980
605
981
# Send notice to process children that client state has changed
606
982
def send_changedstate(self):
607
983
with self.changedstate:
608
984
self.changedstate.notify_all()
609
985
610
986
def enable(self):
611
987
"""Start this client's checker and timeout hooks"""
612
988
if getattr(self, "enabled", False):
617
993
self.last_enabled = datetime.datetime.utcnow()
618
994
self.init_checker()
619
995
self.send_changedstate()
620
996
621
997
def disable(self, quiet=True):
622
998
"""Disable this client."""
623
999
if not getattr(self, "enabled", False):
625
1001
if not quiet:
626
1002
logger.info("Disabling client %s", self.name)
627
1003
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1004
GLib.source_remove(self.disable_initiator_tag)
629
1005
self.disable_initiator_tag = None
630
1006
self.expires = None
631
1007
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1008
GLib.source_remove(self.checker_initiator_tag)
633
1009
self.checker_initiator_tag = None
634
1010
self.stop_checker()
635
1011
self.enabled = False
636
1012
if not quiet:
637
1013
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1014
# Do not run this again if called by a GLib.timeout_add
639
1015
return False
640
1016
641
1017
def __del__(self):
642
1018
self.disable()
643
1019
644
1020
def init_checker(self):
645
1021
# Schedule a new checker to be started an 'interval' from now,
646
1022
# and every interval from then on.
647
1023
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1024
GLib.source_remove(self.checker_initiator_tag)
1025
self.checker_initiator_tag = GLib.timeout_add(
650
1026
int(self.interval.total_seconds() * 1000),
651
1027
self.start_checker)
652
1028
# Schedule a disable() when 'timeout' has passed
653
1029
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1030
GLib.source_remove(self.disable_initiator_tag)
1031
self.disable_initiator_tag = GLib.timeout_add(
656
1032
int(self.timeout.total_seconds() * 1000), self.disable)
657
1033
# Also start a new checker *right now*.
658
1034
self.start_checker()
659
1035
660
1036
def checker_callback(self, source, condition, connection,
661
1037
command):
662
1038
"""The checker has completed, so take appropriate actions."""
665
1041
# Read return code from connection (see call_pipe)
666
1042
returncode = connection.recv()
667
1043
connection.close()
668
1044
669
1045
if returncode >= 0:
670
1046
self.last_checker_status = returncode
671
1047
self.last_checker_signal = None
681
1057
logger.warning("Checker for %(name)s crashed?",
682
1058
vars(self))
683
1059
return False
684
1060
685
1061
def checked_ok(self):
686
1062
"""Assert that the client has been seen, alive and well."""
687
1063
self.last_checked_ok = datetime.datetime.utcnow()
688
1064
self.last_checker_status = 0
689
1065
self.last_checker_signal = None
690
1066
self.bump_timeout()
691
1067
692
1068
def bump_timeout(self, timeout=None):
693
1069
"""Bump up the timeout for this client."""
694
1070
if timeout is None:
695
1071
timeout = self.timeout
696
1072
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1073
GLib.source_remove(self.disable_initiator_tag)
698
1074
self.disable_initiator_tag = None
699
1075
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1076
self.disable_initiator_tag = GLib.timeout_add(
701
1077
int(timeout.total_seconds() * 1000), self.disable)
702
1078
self.expires = datetime.datetime.utcnow() + timeout
703
1079
704
1080
def need_approval(self):
705
1081
self.last_approval_request = datetime.datetime.utcnow()
706
1082
707
1083
def start_checker(self):
708
1084
"""Start a new checker subprocess if one is not running.
709
1085
710
1086
If a checker already exists, leave it running and do
711
1087
nothing."""
712
1088
# The reason for not killing a running checker is that if we
717
1093
# checkers alone, the checker would have to take more time
718
1094
# than 'timeout' for the client to be disabled, which is as it
719
1095
# should be.
720
1096
721
1097
if self.checker is not None and not self.checker.is_alive():
722
1098
logger.warning("Checker was not alive; joining")
723
1099
self.checker.join()
727
1103
# Escape attributes for the shell
728
1104
escaped_attrs = {
729
1105
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1106
for attr in self.runtime_expansions}
731
1107
try:
732
1108
command = self.checker_command % escaped_attrs
733
1109
except TypeError as error:
745
1121
# The exception is when not debugging but nevertheless
746
1122
# running in the foreground; use the previously
747
1123
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1124
popen_args = {"close_fds": True,
1125
"shell": True,
1126
"cwd": "/"}
751
1127
if (not self.server_settings["debug"]
752
1128
and self.server_settings["foreground"]):
753
1129
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1130
"stderr": wnull})
1131
pipe = multiprocessing.Pipe(duplex=False)
756
1132
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1133
target=call_pipe,
1134
args=(pipe[1], subprocess.call, command),
1135
kwargs=popen_args)
760
1136
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1137
self.checker_callback_tag = GLib.io_add_watch(
1138
pipe[0].fileno(), GLib.IO_IN,
763
1139
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1140
# Re-run this periodically if run by GLib.timeout_add
765
1141
return True
766
1142
767
1143
def stop_checker(self):
768
1144
"""Force the checker process, if any, to stop."""
769
1145
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1146
GLib.source_remove(self.checker_callback_tag)
771
1147
self.checker_callback_tag = None
772
1148
if getattr(self, "checker", None) is None:
773
1149
return
782
1158
byte_arrays=False):
783
1159
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1160
become properties on the D-Bus.
785
1161
786
1162
The decorated method will be called with no arguments by "Get"
787
1163
and with one argument by "Set".
788
1164
789
1165
The parameters, where they are supported, are the same as
790
1166
dbus.service.method, except there is only "signature", since the
791
1167
type from Get() and the type sent to Set() is the same.
795
1171
if byte_arrays and signature != "ay":
796
1172
raise ValueError("Byte arrays not supported for non-'ay'"
797
1173
" signature {!r}".format(signature))
798
1174
799
1175
def decorator(func):
800
1176
func._dbus_is_property = True
801
1177
func._dbus_interface = dbus_interface
804
1180
func._dbus_name = func.__name__
805
1181
if func._dbus_name.endswith("_dbus_property"):
806
1182
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1183
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1184
return func
809
1185
810
1186
return decorator
811
1187
812
1188
813
1189
def dbus_interface_annotations(dbus_interface):
814
1190
"""Decorator for marking functions returning interface annotations
815
1191
816
1192
Usage:
817
1193
818
1194
@dbus_interface_annotations("org.example.Interface")
819
1195
def _foo(self): # Function name does not matter
820
1196
return {"org.freedesktop.DBus.Deprecated": "true",
821
1197
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1198
"false"}
823
1199
"""
824
1200
825
1201
def decorator(func):
826
1202
func._dbus_is_interface = True
827
1203
func._dbus_interface = dbus_interface
828
1204
func._dbus_name = dbus_interface
829
1205
return func
830
1206
831
1207
return decorator
832
1208
833
1209
834
1210
def dbus_annotations(annotations):
835
1211
"""Decorator to annotate D-Bus methods, signals or properties
836
1212
Usage:
837
1213
838
1214
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1215
"org.freedesktop.DBus.Property."
840
1216
"EmitsChangedSignal": "false"})
842
1218
access="r")
843
1219
def Property_dbus_property(self):
844
1220
return dbus.Boolean(False)
845
1221
846
1222
See also the DBusObjectWithAnnotations class.
847
1223
"""
848
1224
849
1225
def decorator(func):
850
1226
func._dbus_annotations = annotations
851
1227
return func
852
1228
853
1229
return decorator
854
1230
855
1231
873
1249
874
1250
class DBusObjectWithAnnotations(dbus.service.Object):
875
1251
"""A D-Bus object with annotations.
876
1252
877
1253
Classes inheriting from this can use the dbus_annotations
878
1254
decorator to add annotations to methods or signals.
879
1255
"""
880
1256
881
1257
@staticmethod
882
1258
def _is_dbus_thing(thing):
883
1259
"""Returns a function testing if an attribute is a D-Bus thing
884
1260
885
1261
If called like _is_dbus_thing("method") it returns a function
886
1262
suitable for use as predicate to inspect.getmembers().
887
1263
"""
888
1264
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1265
False)
890
1266
891
1267
def _get_all_dbus_things(self, thing):
892
1268
"""Returns a generator of (name, attribute) pairs
893
1269
"""
896
1272
for cls in self.__class__.__mro__
897
1273
for name, athing in
898
1274
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1275
900
1276
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1277
out_signature="s",
1278
path_keyword='object_path',
1279
connection_keyword='connection')
904
1280
def Introspect(self, object_path, connection):
905
1281
"""Overloading of standard D-Bus method.
906
1282
907
1283
Inserts annotation tags on methods and signals.
908
1284
"""
909
1285
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1286
connection)
911
1287
try:
912
1288
document = xml.dom.minidom.parseString(xmlstring)
913
1289
914
1290
for if_tag in document.getElementsByTagName("interface"):
915
1291
# Add annotation tags
916
1292
for typ in ("method", "signal"):
943
1319
if_tag.appendChild(ann_tag)
944
1320
# Fix argument name for the Introspect method itself
945
1321
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1322
== dbus.INTROSPECTABLE_IFACE):
947
1323
for cn in if_tag.getElementsByTagName("method"):
948
1324
if cn.getAttribute("name") == "Introspect":
949
1325
for arg in cn.getElementsByTagName("arg"):
962
1338
963
1339
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1340
"""A D-Bus object with properties.
965
1341
966
1342
Classes inheriting from this can use the dbus_service_property
967
1343
decorator to expose methods as D-Bus properties. It exposes the
968
1344
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1345
"""
970
1346
971
1347
def _get_dbus_property(self, interface_name, property_name):
972
1348
"""Returns a bound method if one exists which is a D-Bus
973
1349
property with the specified name and interface.
978
1354
if (value._dbus_name == property_name
979
1355
and value._dbus_interface == interface_name):
980
1356
return value.__get__(self)
981
1357
982
1358
# No such property
983
1359
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1360
self.dbus_object_path, interface_name, property_name))
985
1361
986
1362
@classmethod
987
1363
def _get_all_interface_names(cls):
988
1364
"""Get a sequence of all interfaces supported by an object"""
991
1367
for x in (inspect.getmro(cls))
992
1368
for attr in dir(x))
993
1369
if name is not None)
994
1370
995
1371
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1372
in_signature="ss",
997
1373
out_signature="v")
1005
1381
if not hasattr(value, "variant_level"):
1006
1382
return value
1007
1383
return type(value)(value, variant_level=value.variant_level+1)
1008
1384
1009
1385
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1386
def Set(self, interface_name, property_name, value):
1011
1387
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1399
value = dbus.ByteArray(b''.join(chr(byte)
1024
1400
for byte in value))
1025
1401
prop(value)
1026
1402
1027
1403
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1404
in_signature="s",
1029
1405
out_signature="a{sv}")
1030
1406
def GetAll(self, interface_name):
1031
1407
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1408
standard.
1033
1409
1034
1410
Note: Will not include properties with access="write".
1035
1411
"""
1036
1412
properties = {}
1047
1423
properties[name] = value
1048
1424
continue
1049
1425
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1426
value, variant_level=value.variant_level + 1)
1051
1427
return dbus.Dictionary(properties, signature="sv")
1052
1428
1053
1429
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1430
def PropertiesChanged(self, interface_name, changed_properties,
1055
1431
invalidated_properties):
1057
1433
standard.
1058
1434
"""
1059
1435
pass
1060
1436
1061
1437
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1438
out_signature="s",
1063
1439
path_keyword='object_path',
1064
1440
connection_keyword='connection')
1065
1441
def Introspect(self, object_path, connection):
1066
1442
"""Overloading of standard D-Bus method.
1067
1443
1068
1444
Inserts property tags and interface annotation tags.
1069
1445
"""
1070
1446
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1448
connection)
1073
1449
try:
1074
1450
document = xml.dom.minidom.parseString(xmlstring)
1075
1451
1076
1452
def make_tag(document, name, prop):
1077
1453
e = document.createElement("property")
1078
1454
e.setAttribute("name", name)
1079
1455
e.setAttribute("type", prop._dbus_signature)
1080
1456
e.setAttribute("access", prop._dbus_access)
1081
1457
return e
1082
1458
1083
1459
for if_tag in document.getElementsByTagName("interface"):
1084
1460
# Add property tags
1085
1461
for tag in (make_tag(document, name, prop)
1127
1503
exc_info=error)
1128
1504
return xmlstring
1129
1505
1506
1130
1507
try:
1131
1508
dbus.OBJECT_MANAGER_IFACE
1132
1509
except AttributeError:
1133
1510
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1511
1512
1135
1513
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1514
"""A D-Bus object with an ObjectManager.
1137
1515
1138
1516
Classes inheriting from this exposes the standard
1139
1517
GetManagedObjects call and the InterfacesAdded and
1140
1518
InterfacesRemoved signals on the standard
1141
1519
"org.freedesktop.DBus.ObjectManager" interface.
1142
1520
1143
1521
Note: No signals are sent automatically; they must be sent
1144
1522
manually.
1145
1523
"""
1146
1524
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1525
out_signature="a{oa{sa{sv}}}")
1148
1526
def GetManagedObjects(self):
1149
1527
"""This function must be overridden"""
1150
1528
raise NotImplementedError()
1151
1529
1152
1530
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1531
signature="oa{sa{sv}}")
1154
1532
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1533
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1534
1535
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1536
def InterfacesRemoved(self, object_path, interfaces):
1159
1537
pass
1160
1538
1161
1539
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1540
out_signature="s",
1541
path_keyword='object_path',
1542
connection_keyword='connection')
1165
1543
def Introspect(self, object_path, connection):
1166
1544
"""Overloading of standard D-Bus method.
1167
1545
1168
1546
Override return argument name of GetManagedObjects to be
1169
1547
"objpath_interfaces_and_properties"
1170
1548
"""
1173
1551
connection)
1174
1552
try:
1175
1553
document = xml.dom.minidom.parseString(xmlstring)
1176
1554
1177
1555
for if_tag in document.getElementsByTagName("interface"):
1178
1556
# Fix argument name for the GetManagedObjects method
1179
1557
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1558
== dbus.OBJECT_MANAGER_IFACE):
1181
1559
for cn in if_tag.getElementsByTagName("method"):
1182
1560
if (cn.getAttribute("name")
1183
1561
== "GetManagedObjects"):
1193
1571
except (AttributeError, xml.dom.DOMException,
1194
1572
xml.parsers.expat.ExpatError) as error:
1195
1573
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1574
exc_info=error)
1197
1575
return xmlstring
1198
1576
1577
1199
1578
def datetime_to_dbus(dt, variant_level=0):
1200
1579
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1580
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1581
return dbus.String("", variant_level=variant_level)
1203
1582
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1583
1205
1584
1208
1587
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1588
interface names according to the "alt_interface_names" mapping.
1210
1589
Usage:
1211
1590
1212
1591
@alternate_dbus_interfaces({"org.example.Interface":
1213
1592
"net.example.AlternateInterface"})
1214
1593
class SampleDBusObject(dbus.service.Object):
1215
1594
@dbus.service.method("org.example.Interface")
1216
1595
def SampleDBusMethod():
1217
1596
pass
1218
1597
1219
1598
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1599
reachable via two interfaces: "org.example.Interface" and
1221
1600
"net.example.AlternateInterface", the latter of which will have
1222
1601
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1602
"true", unless "deprecate" is passed with a False value.
1224
1603
1225
1604
This works for methods and signals, and also for D-Bus properties
1226
1605
(from DBusObjectWithProperties) and interfaces (from the
1227
1606
dbus_interface_annotations decorator).
1228
1607
"""
1229
1608
1230
1609
def wrapper(cls):
1231
1610
for orig_interface_name, alt_interface_name in (
1232
1611
alt_interface_names.items()):
1247
1626
interface_names.add(alt_interface)
1248
1627
# Is this a D-Bus signal?
1249
1628
if getattr(attribute, "_dbus_is_signal", False):
1629
# Extract the original non-method undecorated
1630
# function by black magic
1250
1631
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1632
nonmethod_func = (dict(
1254
1633
zip(attribute.func_code.co_freevars,
1255
1634
attribute.__closure__))
1256
1635
["func"].cell_contents)
1257
1636
else:
1258
nonmethod_func = attribute
1637
nonmethod_func = (dict(
1638
zip(attribute.__code__.co_freevars,
1639
attribute.__closure__))
1640
["func"].cell_contents)
1259
1641
# Create a new, but exactly alike, function
1260
1642
# object, and decorate it to be a new D-Bus signal
1261
1643
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1644
new_function = copy_function(nonmethod_func)
1276
1645
new_function = (dbus.service.signal(
1277
1646
alt_interface,
1278
1647
attribute._dbus_signature)(new_function))
1282
1651
attribute._dbus_annotations)
1283
1652
except AttributeError:
1284
1653
pass
1654
1285
1655
# Define a creator of a function to call both the
1286
1656
# original and alternate functions, so both the
1287
1657
# original and alternate signals gets sent when
1290
1660
"""This function is a scope container to pass
1291
1661
func1 and func2 to the "call_both" function
1292
1662
outside of its arguments"""
1293
1663
1294
1664
@functools.wraps(func2)
1295
1665
def call_both(*args, **kwargs):
1296
1666
"""This function will emit two D-Bus
1297
1667
signals by calling func1 and func2"""
1298
1668
func1(*args, **kwargs)
1299
1669
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1670
# Make wrapper function look like a D-Bus
1671
# signal
1301
1672
for name, attr in inspect.getmembers(func2):
1302
1673
if name.startswith("_dbus_"):
1303
1674
setattr(call_both, name, attr)
1304
1675
1305
1676
return call_both
1306
1677
# Create the "call_both" function and add it to
1307
1678
# the class
1317
1688
alt_interface,
1318
1689
attribute._dbus_in_signature,
1319
1690
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1691
(copy_function(attribute)))
1325
1692
# Copy annotations, if any
1326
1693
try:
1327
1694
attr[attrname]._dbus_annotations = dict(
1339
1706
attribute._dbus_access,
1340
1707
attribute._dbus_get_args_options
1341
1708
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1709
(copy_function(attribute)))
1348
1710
# Copy annotations, if any
1349
1711
try:
1350
1712
attr[attrname]._dbus_annotations = dict(
1359
1721
# to the class.
1360
1722
attr[attrname] = (
1361
1723
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1724
(copy_function(attribute)))
1367
1725
if deprecate:
1368
1726
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1727
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1728
for interface_name in interface_names:
1371
1729
1372
1730
@dbus_interface_annotations(interface_name)
1373
1731
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1732
return {"org.freedesktop.DBus.Deprecated":
1733
"true"}
1376
1734
# Find an unused name
1377
1735
for aname in (iname.format(i)
1378
1736
for i in itertools.count()):
1382
1740
if interface_names:
1383
1741
# Replace the class with a new subclass of it with
1384
1742
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1743
if sys.version_info.major == 2:
1744
cls = type(b"{}Alternate".format(cls.__name__),
1745
(cls, ), attr)
1746
else:
1747
cls = type("{}Alternate".format(cls.__name__),
1748
(cls, ), attr)
1387
1749
return cls
1388
1750
1389
1751
return wrapper
1390
1752
1391
1753
1393
1755
"se.bsnet.fukt.Mandos"})
1394
1756
class ClientDBus(Client, DBusObjectWithProperties):
1395
1757
"""A Client class using D-Bus
1396
1758
1397
1759
Attributes:
1398
1760
dbus_object_path: dbus.ObjectPath
1399
1761
bus: dbus.SystemBus()
1400
1762
"""
1401
1763
1402
1764
runtime_expansions = (Client.runtime_expansions
1403
1765
+ ("dbus_object_path", ))
1404
1766
1405
1767
_interface = "se.recompile.Mandos.Client"
1406
1768
1407
1769
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1770
1771
def __init__(self, bus=None, *args, **kwargs):
1410
1772
self.bus = bus
1411
1773
Client.__init__(self, *args, **kwargs)
1412
1774
# Only now, when this client is initialized, can it show up on
1418
1780
"/clients/" + client_object_name)
1419
1781
DBusObjectWithProperties.__init__(self, self.bus,
1420
1782
self.dbus_object_path)
1421
1783
1422
1784
def notifychangeproperty(transform_func, dbus_name,
1423
1785
type_func=lambda x: x,
1424
1786
variant_level=1,
1426
1788
_interface=_interface):
1427
1789
""" Modify a variable so that it's a property which announces
1428
1790
its changes to DBus.
1429
1791
1430
1792
transform_fun: Function that takes a value and a variant_level
1431
1793
and transforms it to a D-Bus type.
1432
1794
dbus_name: D-Bus name of the variable
1435
1797
variant_level: D-Bus variant level. Default: 1
1436
1798
"""
1437
1799
attrname = "_{}".format(dbus_name)
1438
1800
1439
1801
def setter(self, value):
1440
1802
if hasattr(self, "dbus_object_path"):
1441
1803
if (not hasattr(self, attrname) or
1448
1810
else:
1449
1811
dbus_value = transform_func(
1450
1812
type_func(value),
1451
variant_level = variant_level)
1813
variant_level=variant_level)
1452
1814
self.PropertyChanged(dbus.String(dbus_name),
1453
1815
dbus_value)
1454
1816
self.PropertiesChanged(
1455
1817
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1818
dbus.Dictionary({dbus.String(dbus_name):
1819
dbus_value}),
1458
1820
dbus.Array())
1459
1821
setattr(self, attrname, value)
1460
1822
1461
1823
return property(lambda self: getattr(self, attrname), setter)
1462
1824
1463
1825
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1826
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1827
"ApprovalPending",
1466
type_func = bool)
1828
type_func=bool)
1467
1829
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1830
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1831
"LastEnabled")
1470
1832
checker = notifychangeproperty(
1471
1833
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1834
type_func=lambda checker: checker is not None)
1473
1835
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1836
"LastCheckedOK")
1475
1837
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1842
"ApprovedByDefault")
1481
1843
approval_delay = notifychangeproperty(
1482
1844
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1845
type_func=lambda td: td.total_seconds() * 1000)
1484
1846
approval_duration = notifychangeproperty(
1485
1847
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1848
type_func=lambda td: td.total_seconds() * 1000)
1487
1849
host = notifychangeproperty(dbus.String, "Host")
1488
1850
timeout = notifychangeproperty(
1489
1851
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1852
type_func=lambda td: td.total_seconds() * 1000)
1491
1853
extended_timeout = notifychangeproperty(
1492
1854
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1855
type_func=lambda td: td.total_seconds() * 1000)
1494
1856
interval = notifychangeproperty(
1495
1857
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1858
type_func=lambda td: td.total_seconds() * 1000)
1497
1859
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1860
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1861
invalidate_only=True)
1500
1862
1501
1863
del notifychangeproperty
1502
1864
1503
1865
def __del__(self, *args, **kwargs):
1504
1866
try:
1505
1867
self.remove_from_connection()
1508
1870
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1871
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1872
Client.__del__(self, *args, **kwargs)
1511
1873
1512
1874
def checker_callback(self, source, condition,
1513
1875
connection, command, *args, **kwargs):
1514
1876
ret = Client.checker_callback(self, source, condition,
1530
1892
| self.last_checker_signal),
1531
1893
dbus.String(command))
1532
1894
return ret
1533
1895
1534
1896
def start_checker(self, *args, **kwargs):
1535
1897
old_checker_pid = getattr(self.checker, "pid", None)
1536
1898
r = Client.start_checker(self, *args, **kwargs)
1540
1902
# Emit D-Bus signal
1541
1903
self.CheckerStarted(self.current_checker_command)
1542
1904
return r
1543
1905
1544
1906
def _reset_approved(self):
1545
1907
self.approved = None
1546
1908
return False
1547
1909
1548
1910
def approve(self, value=True):
1549
1911
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1912
GLib.timeout_add(int(self.approval_duration.total_seconds()
1913
* 1000), self._reset_approved)
1552
1914
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1915
1916
# D-Bus methods, signals & properties
1917
1918
# Interfaces
1919
1920
# Signals
1921
1560
1922
# CheckerCompleted - signal
1561
1923
@dbus.service.signal(_interface, signature="nxs")
1562
1924
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1925
"D-Bus signal"
1564
1926
pass
1565
1927
1566
1928
# CheckerStarted - signal
1567
1929
@dbus.service.signal(_interface, signature="s")
1568
1930
def CheckerStarted(self, command):
1569
1931
"D-Bus signal"
1570
1932
pass
1571
1933
1572
1934
# PropertyChanged - signal
1573
1935
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1936
@dbus.service.signal(_interface, signature="sv")
1575
1937
def PropertyChanged(self, property, value):
1576
1938
"D-Bus signal"
1577
1939
pass
1578
1940
1579
1941
# GotSecret - signal
1580
1942
@dbus.service.signal(_interface)
1581
1943
def GotSecret(self):
1584
1946
server to mandos-client
1585
1947
"""
1586
1948
pass
1587
1949
1588
1950
# Rejected - signal
1589
1951
@dbus.service.signal(_interface, signature="s")
1590
1952
def Rejected(self, reason):
1591
1953
"D-Bus signal"
1592
1954
pass
1593
1955
1594
1956
# NeedApproval - signal
1595
1957
@dbus.service.signal(_interface, signature="tb")
1596
1958
def NeedApproval(self, timeout, default):
1597
1959
"D-Bus signal"
1598
1960
return self.need_approval()
1599
1600
## Methods
1601
1961
1962
# Methods
1963
1602
1964
# Approve - method
1603
1965
@dbus.service.method(_interface, in_signature="b")
1604
1966
def Approve(self, value):
1605
1967
self.approve(value)
1606
1968
1607
1969
# CheckedOK - method
1608
1970
@dbus.service.method(_interface)
1609
1971
def CheckedOK(self):
1610
1972
self.checked_ok()
1611
1973
1612
1974
# Enable - method
1613
1975
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1976
@dbus.service.method(_interface)
1615
1977
def Enable(self):
1616
1978
"D-Bus method"
1617
1979
self.enable()
1618
1980
1619
1981
# StartChecker - method
1620
1982
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1983
@dbus.service.method(_interface)
1622
1984
def StartChecker(self):
1623
1985
"D-Bus method"
1624
1986
self.start_checker()
1625
1987
1626
1988
# Disable - method
1627
1989
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
1990
@dbus.service.method(_interface)
1629
1991
def Disable(self):
1630
1992
"D-Bus method"
1631
1993
self.disable()
1632
1994
1633
1995
# StopChecker - method
1634
1996
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
1997
@dbus.service.method(_interface)
1636
1998
def StopChecker(self):
1637
1999
self.stop_checker()
1638
1639
## Properties
1640
2000
2001
# Properties
2002
1641
2003
# ApprovalPending - property
1642
2004
@dbus_service_property(_interface, signature="b", access="read")
1643
2005
def ApprovalPending_dbus_property(self):
1644
2006
return dbus.Boolean(bool(self.approvals_pending))
1645
2007
1646
2008
# ApprovedByDefault - property
1647
2009
@dbus_service_property(_interface,
1648
2010
signature="b",
1651
2013
if value is None: # get
1652
2014
return dbus.Boolean(self.approved_by_default)
1653
2015
self.approved_by_default = bool(value)
1654
2016
1655
2017
# ApprovalDelay - property
1656
2018
@dbus_service_property(_interface,
1657
2019
signature="t",
1661
2023
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2024
* 1000)
1663
2025
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2026
1665
2027
# ApprovalDuration - property
1666
2028
@dbus_service_property(_interface,
1667
2029
signature="t",
1671
2033
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2034
* 1000)
1673
2035
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2036
1675
2037
# Name - property
1676
2038
@dbus_annotations(
1677
2039
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2040
@dbus_service_property(_interface, signature="s", access="read")
1679
2041
def Name_dbus_property(self):
1680
2042
return dbus.String(self.name)
1681
2043
2044
# KeyID - property
2045
@dbus_annotations(
2046
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2047
@dbus_service_property(_interface, signature="s", access="read")
2048
def KeyID_dbus_property(self):
2049
return dbus.String(self.key_id)
2050
1682
2051
# Fingerprint - property
1683
2052
@dbus_annotations(
1684
2053
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2054
@dbus_service_property(_interface, signature="s", access="read")
1686
2055
def Fingerprint_dbus_property(self):
1687
2056
return dbus.String(self.fingerprint)
1688
2057
1689
2058
# Host - property
1690
2059
@dbus_service_property(_interface,
1691
2060
signature="s",
1694
2063
if value is None: # get
1695
2064
return dbus.String(self.host)
1696
2065
self.host = str(value)
1697
2066
1698
2067
# Created - property
1699
2068
@dbus_annotations(
1700
2069
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2070
@dbus_service_property(_interface, signature="s", access="read")
1702
2071
def Created_dbus_property(self):
1703
2072
return datetime_to_dbus(self.created)
1704
2073
1705
2074
# LastEnabled - property
1706
2075
@dbus_service_property(_interface, signature="s", access="read")
1707
2076
def LastEnabled_dbus_property(self):
1708
2077
return datetime_to_dbus(self.last_enabled)
1709
2078
1710
2079
# Enabled - property
1711
2080
@dbus_service_property(_interface,
1712
2081
signature="b",
1718
2087
self.enable()
1719
2088
else:
1720
2089
self.disable()
1721
2090
1722
2091
# LastCheckedOK - property
1723
2092
@dbus_service_property(_interface,
1724
2093
signature="s",
1728
2097
self.checked_ok()
1729
2098
return
1730
2099
return datetime_to_dbus(self.last_checked_ok)
1731
2100
1732
2101
# LastCheckerStatus - property
1733
2102
@dbus_service_property(_interface, signature="n", access="read")
1734
2103
def LastCheckerStatus_dbus_property(self):
1735
2104
return dbus.Int16(self.last_checker_status)
1736
2105
1737
2106
# Expires - property
1738
2107
@dbus_service_property(_interface, signature="s", access="read")
1739
2108
def Expires_dbus_property(self):
1740
2109
return datetime_to_dbus(self.expires)
1741
2110
1742
2111
# LastApprovalRequest - property
1743
2112
@dbus_service_property(_interface, signature="s", access="read")
1744
2113
def LastApprovalRequest_dbus_property(self):
1745
2114
return datetime_to_dbus(self.last_approval_request)
1746
2115
1747
2116
# Timeout - property
1748
2117
@dbus_service_property(_interface,
1749
2118
signature="t",
1764
2133
if (getattr(self, "disable_initiator_tag", None)
1765
2134
is None):
1766
2135
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2136
GLib.source_remove(self.disable_initiator_tag)
2137
self.disable_initiator_tag = GLib.timeout_add(
1769
2138
int((self.expires - now).total_seconds() * 1000),
1770
2139
self.disable)
1771
2140
1772
2141
# ExtendedTimeout - property
1773
2142
@dbus_service_property(_interface,
1774
2143
signature="t",
1778
2147
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2148
* 1000)
1780
2149
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2150
1782
2151
# Interval - property
1783
2152
@dbus_service_property(_interface,
1784
2153
signature="t",
1791
2160
return
1792
2161
if self.enabled:
1793
2162
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2163
GLib.source_remove(self.checker_initiator_tag)
2164
self.checker_initiator_tag = GLib.timeout_add(
1796
2165
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2166
self.start_checker() # Start one now, too
2167
1799
2168
# Checker - property
1800
2169
@dbus_service_property(_interface,
1801
2170
signature="s",
1804
2173
if value is None: # get
1805
2174
return dbus.String(self.checker_command)
1806
2175
self.checker_command = str(value)
1807
2176
1808
2177
# CheckerRunning - property
1809
2178
@dbus_service_property(_interface,
1810
2179
signature="b",
1816
2185
self.start_checker()
1817
2186
else:
1818
2187
self.stop_checker()
1819
2188
1820
2189
# ObjectPath - property
1821
2190
@dbus_annotations(
1822
2191
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2192
"org.freedesktop.DBus.Deprecated": "true"})
1824
2193
@dbus_service_property(_interface, signature="o", access="read")
1825
2194
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2195
return self.dbus_object_path # is already a dbus.ObjectPath
2196
1828
2197
# Secret = property
1829
2198
@dbus_annotations(
1830
2199
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2204
byte_arrays=True)
1836
2205
def Secret_dbus_property(self, value):
1837
2206
self.secret = bytes(value)
1838
2207
1839
2208
del _interface
1840
2209
1841
2210
1842
2211
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2212
def __init__(self, child_pipe, key_id, fpr, address):
1844
2213
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2214
self._pipe.send(('init', key_id, fpr, address))
1846
2215
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2216
raise KeyError(key_id or fpr)
2217
1849
2218
def __getattribute__(self, name):
1850
2219
if name == '_pipe':
1851
2220
return super(ProxyClient, self).__getattribute__(name)
1854
2223
if data[0] == 'data':
1855
2224
return data[1]
1856
2225
if data[0] == 'function':
1857
2226
1858
2227
def func(*args, **kwargs):
1859
2228
self._pipe.send(('funcall', name, args, kwargs))
1860
2229
return self._pipe.recv()[1]
1861
2230
1862
2231
return func
1863
2232
1864
2233
def __setattr__(self, name, value):
1865
2234
if name == '_pipe':
1866
2235
return super(ProxyClient, self).__setattr__(name, value)
1869
2238
1870
2239
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2240
"""A class to handle client connections.
1872
2241
1873
2242
Instantiated once for each connection to handle it.
1874
2243
Note: This will run in its own forked process."""
1875
2244
1876
2245
def handle(self):
1877
2246
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2247
logger.info("TCP connection from: %s",
1879
2248
str(self.client_address))
1880
2249
logger.debug("Pipe FD: %d",
1881
2250
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2251
2252
session = gnutls.ClientSession(self.request)
2253
2254
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2255
# "+AES-256-CBC", "+SHA1",
2256
# "+COMP-NULL", "+CTYPE-OPENPGP",
2257
# "+DHE-DSS"))
1895
2258
# Use a fallback default, since this MUST be set.
1896
2259
priority = self.server.gnutls_priority
1897
2260
if priority is None:
1898
2261
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2262
gnutls.priority_set_direct(session._c_object,
2263
priority.encode("utf-8"),
2264
None)
2265
1902
2266
# Start communication using the Mandos protocol
1903
2267
# Get protocol number
1904
2268
line = self.request.makefile().readline()
1909
2273
except (ValueError, IndexError, RuntimeError) as error:
1910
2274
logger.error("Unknown protocol version: %s", error)
1911
2275
return
1912
2276
1913
2277
# Start GnuTLS connection
1914
2278
try:
1915
2279
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2280
except gnutls.Error as error:
1917
2281
logger.warning("Handshake failed: %s", error)
1918
2282
# Do not run session.bye() here: the session is not
1919
2283
# established. Just abandon the request.
1920
2284
return
1921
2285
logger.debug("Handshake succeeded")
1922
2286
1923
2287
approval_required = False
1924
2288
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2289
if gnutls.has_rawpk:
2290
fpr = ""
2291
try:
2292
key_id = self.key_id(
2293
self.peer_certificate(session))
2294
except (TypeError, gnutls.Error) as error:
2295
logger.warning("Bad certificate: %s", error)
2296
return
2297
logger.debug("Key ID: %s", key_id)
2298
2299
else:
2300
key_id = ""
2301
try:
2302
fpr = self.fingerprint(
2303
self.peer_certificate(session))
2304
except (TypeError, gnutls.Error) as error:
2305
logger.warning("Bad certificate: %s", error)
2306
return
2307
logger.debug("Fingerprint: %s", fpr)
2308
2309
try:
2310
client = ProxyClient(child_pipe, key_id, fpr,
1936
2311
self.client_address)
1937
2312
except KeyError:
1938
2313
return
1939
2314
1940
2315
if client.approval_delay:
1941
2316
delay = client.approval_delay
1942
2317
client.approvals_pending += 1
1943
2318
approval_required = True
1944
2319
1945
2320
while True:
1946
2321
if not client.enabled:
1947
2322
logger.info("Client %s is disabled",
1950
2325
# Emit D-Bus signal
1951
2326
client.Rejected("Disabled")
1952
2327
return
1953
2328
1954
2329
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2330
# We are approved or approval is disabled
1956
2331
break
1957
2332
elif client.approved is None:
1958
2333
logger.info("Client %s needs approval",
1969
2344
# Emit D-Bus signal
1970
2345
client.Rejected("Denied")
1971
2346
return
1972
1973
#wait until timeout or approved
2347
2348
# wait until timeout or approved
1974
2349
time = datetime.datetime.now()
1975
2350
client.changedstate.acquire()
1976
2351
client.changedstate.wait(delay.total_seconds())
1989
2364
break
1990
2365
else:
1991
2366
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2367
2368
try:
2369
session.send(client.secret)
2370
except gnutls.Error as error:
2371
logger.warning("gnutls send failed",
2372
exc_info=error)
2373
return
2374
2006
2375
logger.info("Sending secret to %s", client.name)
2007
2376
# bump the timeout using extended_timeout
2008
2377
client.bump_timeout(client.extended_timeout)
2009
2378
if self.server.use_dbus:
2010
2379
# Emit D-Bus signal
2011
2380
client.GotSecret()
2012
2381
2013
2382
finally:
2014
2383
if approval_required:
2015
2384
client.approvals_pending -= 1
2016
2385
try:
2017
2386
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2387
except gnutls.Error as error:
2019
2388
logger.warning("GnuTLS bye failed",
2020
2389
exc_info=error)
2021
2390
2022
2391
@staticmethod
2023
2392
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2393
"Return the peer's certificate as a bytestring"
2394
try:
2395
cert_type = gnutls.certificate_type_get2(session._c_object,
2396
gnutls.CTYPE_PEERS)
2397
except AttributeError:
2398
cert_type = gnutls.certificate_type_get(session._c_object)
2399
if gnutls.has_rawpk:
2400
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2401
else:
2402
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2403
# If not a valid certificate type...
2404
if cert_type not in valid_cert_types:
2405
logger.info("Cert type %r not in %r", cert_type,
2406
valid_cert_types)
2407
# ...return invalid data
2408
return b""
2031
2409
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2410
cert_list = (gnutls.certificate_get_peers
2034
2411
(session._c_object, ctypes.byref(list_size)))
2035
2412
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2413
raise gnutls.Error("error getting peer certificate")
2038
2414
if list_size.value == 0:
2039
2415
return None
2040
2416
cert = cert_list[0]
2041
2417
return ctypes.string_at(cert.data, cert.size)
2042
2418
2419
@staticmethod
2420
def key_id(certificate):
2421
"Convert a certificate bytestring to a hexdigit key ID"
2422
# New GnuTLS "datum" with the public key
2423
datum = gnutls.datum_t(
2424
ctypes.cast(ctypes.c_char_p(certificate),
2425
ctypes.POINTER(ctypes.c_ubyte)),
2426
ctypes.c_uint(len(certificate)))
2427
# XXX all these need to be created in the gnutls "module"
2428
# New empty GnuTLS certificate
2429
pubkey = gnutls.pubkey_t()
2430
gnutls.pubkey_init(ctypes.byref(pubkey))
2431
# Import the raw public key into the certificate
2432
gnutls.pubkey_import(pubkey,
2433
ctypes.byref(datum),
2434
gnutls.X509_FMT_DER)
2435
# New buffer for the key ID
2436
buf = ctypes.create_string_buffer(32)
2437
buf_len = ctypes.c_size_t(len(buf))
2438
# Get the key ID from the raw public key into the buffer
2439
gnutls.pubkey_get_key_id(pubkey,
2440
gnutls.KEYID_USE_SHA256,
2441
ctypes.cast(ctypes.byref(buf),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.byref(buf_len))
2444
# Deinit the certificate
2445
gnutls.pubkey_deinit(pubkey)
2446
2447
# Convert the buffer to a Python bytestring
2448
key_id = ctypes.string_at(buf, buf_len.value)
2449
# Convert the bytestring to hexadecimal notation
2450
hex_key_id = binascii.hexlify(key_id).upper()
2451
return hex_key_id
2452
2043
2453
@staticmethod
2044
2454
def fingerprint(openpgp):
2045
2455
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2456
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2457
datum = gnutls.datum_t(
2048
2458
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2459
ctypes.POINTER(ctypes.c_ubyte)),
2050
2460
ctypes.c_uint(len(openpgp)))
2051
2461
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2462
crt = gnutls.openpgp_crt_t()
2463
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2464
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2465
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2466
gnutls.OPENPGP_FMT_RAW)
2059
2467
# Verify the self signature in the key
2060
2468
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2469
gnutls.openpgp_crt_verify_self(crt, 0,
2470
ctypes.byref(crtverify))
2063
2471
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2472
gnutls.openpgp_crt_deinit(crt)
2473
raise gnutls.CertificateSecurityError(code
2474
=crtverify.value)
2067
2475
# New buffer for the fingerprint
2068
2476
buf = ctypes.create_string_buffer(20)
2069
2477
buf_len = ctypes.c_size_t()
2070
2478
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2479
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2480
ctypes.byref(buf_len))
2073
2481
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2482
gnutls.openpgp_crt_deinit(crt)
2075
2483
# Convert the buffer to a Python bytestring
2076
2484
fpr = ctypes.string_at(buf, buf_len.value)
2077
2485
# Convert the bytestring to hexadecimal notation
2081
2489
2082
2490
class MultiprocessingMixIn(object):
2083
2491
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2492
2085
2493
def sub_process_main(self, request, address):
2086
2494
try:
2087
2495
self.finish_request(request, address)
2088
2496
except Exception:
2089
2497
self.handle_error(request, address)
2090
2498
self.close_request(request)
2091
2499
2092
2500
def process_request(self, request, address):
2093
2501
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2502
proc = multiprocessing.Process(target=self.sub_process_main,
2503
args=(request, address))
2096
2504
proc.start()
2097
2505
return proc
2098
2506
2099
2507
2100
2508
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2101
2509
""" adds a pipe to the MixIn """
2102
2510
2103
2511
def process_request(self, request, client_address):
2104
2512
"""Overrides and wraps the original process_request().
2105
2513
2106
2514
This function creates a new pipe in self.pipe
2107
2515
"""
2108
2516
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2517
2110
2518
proc = MultiprocessingMixIn.process_request(self, request,
2111
2519
client_address)
2112
2520
self.child_pipe.close()
2113
2521
self.add_pipe(parent_pipe, proc)
2114
2522
2115
2523
def add_pipe(self, parent_pipe, proc):
2116
2524
"""Dummy function; override as necessary"""
2117
2525
raise NotImplementedError()
2120
2528
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
2529
socketserver.TCPServer, object):
2122
2530
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2531
2124
2532
Attributes:
2125
2533
enabled: Boolean; whether this server is activated yet
2126
2534
interface: None or a network interface name (string)
2127
2535
use_ipv6: Boolean; to use IPv6 or not
2128
2536
"""
2129
2537
2130
2538
def __init__(self, server_address, RequestHandlerClass,
2131
2539
interface=None,
2132
2540
use_ipv6=True,
2142
2550
self.socketfd = socketfd
2143
2551
# Save the original socket.socket() function
2144
2552
self.socket_socket = socket.socket
2553
2145
2554
# To implement --socket, we monkey patch socket.socket.
2146
#
2555
#
2147
2556
# (When socketserver.TCPServer is a new-style class, we
2148
2557
# could make self.socket into a property instead of monkey
2149
2558
# patching socket.socket.)
2150
#
2559
#
2151
2560
# Create a one-time-only replacement for socket.socket()
2152
2561
@functools.wraps(socket.socket)
2153
2562
def socket_wrapper(*args, **kwargs):
2165
2574
# socket_wrapper(), if socketfd was set.
2166
2575
socketserver.TCPServer.__init__(self, server_address,
2167
2576
RequestHandlerClass)
2168
2577
2169
2578
def server_bind(self):
2170
2579
"""This overrides the normal server_bind() function
2171
2580
to bind to an interface if one was specified, and also NOT to
2172
2581
bind to an address or port if they were not specified."""
2582
global SO_BINDTODEVICE
2173
2583
if self.interface is not None:
2174
2584
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2585
# Fall back to a hard-coded value which seems to be
2586
# common enough.
2587
logger.warning("SO_BINDTODEVICE not found, trying 25")
2588
SO_BINDTODEVICE = 25
2589
try:
2590
self.socket.setsockopt(
2591
socket.SOL_SOCKET, SO_BINDTODEVICE,
2592
(self.interface + "\0").encode("utf-8"))
2593
except socket.error as error:
2594
if error.errno == errno.EPERM:
2595
logger.error("No permission to bind to"
2596
" interface %s", self.interface)
2597
elif error.errno == errno.ENOPROTOOPT:
2598
logger.error("SO_BINDTODEVICE not available;"
2599
" cannot bind to interface %s",
2600
self.interface)
2601
elif error.errno == errno.ENODEV:
2602
logger.error("Interface %s does not exist,"
2603
" cannot bind", self.interface)
2604
else:
2605
raise
2196
2606
# Only bind(2) the socket if we really need to.
2197
2607
if self.server_address[0] or self.server_address[1]:
2608
if self.server_address[1]:
2609
self.allow_reuse_address = True
2198
2610
if not self.server_address[0]:
2199
2611
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2612
any_address = "::" # in6addr_any
2201
2613
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2614
any_address = "0.0.0.0" # INADDR_ANY
2203
2615
self.server_address = (any_address,
2204
2616
self.server_address[1])
2205
2617
elif not self.server_address[1]:
2215
2627
2216
2628
class MandosServer(IPv6_TCPServer):
2217
2629
"""Mandos server.
2218
2630
2219
2631
Attributes:
2220
2632
clients: set of Client objects
2221
2633
gnutls_priority GnuTLS priority string
2222
2634
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2635
2636
Assumes a GLib.MainLoop event loop.
2225
2637
"""
2226
2638
2227
2639
def __init__(self, server_address, RequestHandlerClass,
2228
2640
interface=None,
2229
2641
use_ipv6=True,
2239
2651
self.gnutls_priority = gnutls_priority
2240
2652
IPv6_TCPServer.__init__(self, server_address,
2241
2653
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2654
interface=interface,
2655
use_ipv6=use_ipv6,
2656
socketfd=socketfd)
2657
2246
2658
def server_activate(self):
2247
2659
if self.enabled:
2248
2660
return socketserver.TCPServer.server_activate(self)
2249
2661
2250
2662
def enable(self):
2251
2663
self.enabled = True
2252
2664
2253
2665
def add_pipe(self, parent_pipe, proc):
2254
2666
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2667
GLib.io_add_watch(
2256
2668
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2669
GLib.IO_IN | GLib.IO_HUP,
2258
2670
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2671
parent_pipe=parent_pipe,
2672
proc=proc))
2673
2262
2674
def handle_ipc(self, source, condition,
2263
2675
parent_pipe=None,
2264
proc = None,
2676
proc=None,
2265
2677
client_object=None):
2266
2678
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2679
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2680
# Wait for other process to exit
2269
2681
proc.join()
2270
2682
return False
2271
2683
2272
2684
# Read a request from the child
2273
2685
request = parent_pipe.recv()
2274
2686
command = request[0]
2275
2687
2276
2688
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2689
key_id = request[1].decode("ascii")
2690
fpr = request[2].decode("ascii")
2691
address = request[3]
2692
2693
for c in self.clients.values():
2694
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2695
continue
2696
if key_id and c.key_id == key_id:
2697
client = c
2698
break
2699
if fpr and c.fingerprint == fpr:
2282
2700
client = c
2283
2701
break
2284
2702
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2703
logger.info("Client not found for key ID: %s, address"
2704
": %s", key_id or fpr, address)
2287
2705
if self.use_dbus:
2288
2706
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2707
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2708
address[0])
2291
2709
parent_pipe.send(False)
2292
2710
return False
2293
2294
gobject.io_add_watch(
2711
2712
GLib.io_add_watch(
2295
2713
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2714
GLib.IO_IN | GLib.IO_HUP,
2297
2715
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2716
parent_pipe=parent_pipe,
2717
proc=proc,
2718
client_object=client))
2301
2719
parent_pipe.send(True)
2302
2720
# remove the old hook in favor of the new above hook on
2303
2721
# same fileno
2306
2724
funcname = request[1]
2307
2725
args = request[2]
2308
2726
kwargs = request[3]
2309
2727
2310
2728
parent_pipe.send(('data', getattr(client_object,
2311
2729
funcname)(*args,
2312
2730
**kwargs)))
2313
2731
2314
2732
if command == 'getattr':
2315
2733
attrname = request[1]
2316
2734
if isinstance(client_object.__getattribute__(attrname),
2319
2737
else:
2320
2738
parent_pipe.send((
2321
2739
'data', client_object.__getattribute__(attrname)))
2322
2740
2323
2741
if command == 'setattr':
2324
2742
attrname = request[1]
2325
2743
value = request[2]
2326
2744
setattr(client_object, attrname, value)
2327
2745
2328
2746
return True
2329
2747
2330
2748
2331
2749
def rfc3339_duration_to_delta(duration):
2332
2750
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2751
2334
2752
>>> rfc3339_duration_to_delta("P7D")
2335
2753
datetime.timedelta(7)
2336
2754
>>> rfc3339_duration_to_delta("PT60S")
2346
2764
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
2765
datetime.timedelta(1, 200)
2348
2766
"""
2349
2767
2350
2768
# Parsing an RFC 3339 duration with regular expressions is not
2351
2769
# possible - there would have to be multiple places for the same
2352
2770
# values, like seconds. The current code, while more esoteric, is
2353
2771
# cleaner without depending on a parsing library. If Python had a
2354
2772
# built-in library for parsing we would use it, but we'd like to
2355
2773
# avoid excessive use of external libraries.
2356
2774
2357
2775
# New type for defining tokens, syntax, and semantics all-in-one
2358
2776
Token = collections.namedtuple("Token", (
2359
2777
"regexp", # To match token; if "value" is not None, must have
2392
2810
frozenset((token_year, token_month,
2393
2811
token_day, token_time,
2394
2812
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2813
# Define starting values:
2814
# Value so far
2815
value = datetime.timedelta()
2397
2816
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2817
# Following valid tokens
2818
followers = frozenset((token_duration, ))
2819
# String left to parse
2820
s = duration
2400
2821
# Loop until end token is found
2401
2822
while found_token is not token_end:
2402
2823
# Search for any currently valid tokens
2426
2847
2427
2848
def string_to_delta(interval):
2428
2849
"""Parse a string and return a datetime.timedelta
2429
2850
2430
2851
>>> string_to_delta('7d')
2431
2852
datetime.timedelta(7)
2432
2853
>>> string_to_delta('60s')
2440
2861
>>> string_to_delta('5m 30s')
2441
2862
datetime.timedelta(0, 330)
2442
2863
"""
2443
2864
2444
2865
try:
2445
2866
return rfc3339_duration_to_delta(interval)
2446
2867
except ValueError:
2447
2868
pass
2448
2869
2449
2870
timevalue = datetime.timedelta(0)
2450
2871
for s in interval.split():
2451
2872
try:
2469
2890
return timevalue
2470
2891
2471
2892
2472
def daemon(nochdir = False, noclose = False):
2893
def daemon(nochdir=False, noclose=False):
2473
2894
"""See daemon(3). Standard BSD Unix function.
2474
2895
2475
2896
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2897
if os.fork():
2477
2898
sys.exit()
2495
2916
2496
2917
2497
2918
def main():
2498
2919
2499
2920
##################################################################
2500
2921
# Parsing of options, both command line and config file
2501
2922
2502
2923
parser = argparse.ArgumentParser()
2503
2924
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2925
version="%(prog)s {}".format(version),
2505
2926
help="show version number and exit")
2506
2927
parser.add_argument("-i", "--interface", metavar="IF",
2507
2928
help="Bind to interface IF")
2543
2964
parser.add_argument("--no-zeroconf", action="store_false",
2544
2965
dest="zeroconf", help="Do not use Zeroconf",
2545
2966
default=None)
2546
2967
2547
2968
options = parser.parse_args()
2548
2969
2549
2970
if options.check:
2550
2971
import doctest
2551
2972
fail_count, test_count = doctest.testmod()
2552
2973
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2974
2554
2975
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2976
if gnutls.has_rawpk:
2977
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2978
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2979
else:
2980
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2981
":+SIGN-DSA-SHA256")
2982
server_defaults = {"interface": "",
2983
"address": "",
2984
"port": "",
2985
"debug": "False",
2986
"priority": priority,
2987
"servicename": "Mandos",
2988
"use_dbus": "True",
2989
"use_ipv6": "True",
2990
"debuglevel": "",
2991
"restore": "True",
2992
"socket": "",
2993
"statedir": "/var/lib/mandos",
2994
"foreground": "False",
2995
"zeroconf": "True",
2996
}
2997
del priority
2998
2573
2999
# Parse config file for server-global settings
2574
3000
server_config = configparser.SafeConfigParser(server_defaults)
2575
3001
del server_defaults
2577
3003
# Convert the SafeConfigParser object to a dict
2578
3004
server_settings = server_config.defaults()
2579
3005
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3006
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3007
"foreground", "zeroconf"):
2581
3008
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3009
option)
2583
3010
if server_settings["port"]:
2593
3020
server_settings["socket"] = os.dup(server_settings
2594
3021
["socket"])
2595
3022
del server_config
2596
3023
2597
3024
# Override the settings from the config file with command line
2598
3025
# options, if set.
2599
3026
for option in ("interface", "address", "port", "debug",
2617
3044
if server_settings["debug"]:
2618
3045
server_settings["foreground"] = True
2619
3046
# Now we have our good server settings in "server_settings"
2620
3047
2621
3048
##################################################################
2622
3049
2623
3050
if (not server_settings["zeroconf"]
2624
3051
and not (server_settings["port"]
2625
3052
or server_settings["socket"] != "")):
2626
3053
parser.error("Needs port or socket to work without Zeroconf")
2627
3054
2628
3055
# For convenience
2629
3056
debug = server_settings["debug"]
2630
3057
debuglevel = server_settings["debuglevel"]
2634
3061
stored_state_file)
2635
3062
foreground = server_settings["foreground"]
2636
3063
zeroconf = server_settings["zeroconf"]
2637
3064
2638
3065
if debug:
2639
3066
initlogger(debug, logging.DEBUG)
2640
3067
else:
2643
3070
else:
2644
3071
level = getattr(logging, debuglevel.upper())
2645
3072
initlogger(debug, level)
2646
3073
2647
3074
if server_settings["servicename"] != "Mandos":
2648
3075
syslogger.setFormatter(
2649
3076
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3077
' %(levelname)s: %(message)s'.format(
2651
3078
server_settings["servicename"])))
2652
3079
2653
3080
# Parse config file with clients
2654
3081
client_config = configparser.SafeConfigParser(Client
2655
3082
.client_defaults)
2656
3083
client_config.read(os.path.join(server_settings["configdir"],
2657
3084
"clients.conf"))
2658
3085
2659
3086
global mandos_dbus_service
2660
3087
mandos_dbus_service = None
2661
3088
2662
3089
socketfd = None
2663
3090
if server_settings["socket"] != "":
2664
3091
socketfd = server_settings["socket"]
2680
3107
except IOError as e:
2681
3108
logger.error("Could not open file %r", pidfilename,
2682
3109
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3110
3111
for name, group in (("_mandos", "_mandos"),
3112
("mandos", "mandos"),
3113
("nobody", "nogroup")):
2685
3114
try:
2686
3115
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3116
gid = pwd.getpwnam(group).pw_gid
2688
3117
break
2689
3118
except KeyError:
2690
3119
continue
2694
3123
try:
2695
3124
os.setgid(gid)
2696
3125
os.setuid(uid)
3126
if debug:
3127
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3128
gid))
2697
3129
except OSError as error:
3130
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3131
.format(uid, gid, os.strerror(error.errno)))
2698
3132
if error.errno != errno.EPERM:
2699
3133
raise
2700
3134
2701
3135
if debug:
2702
3136
# Enable all possible GnuTLS debugging
2703
3137
2704
3138
# "Use a log level over 10 to enable all debugging options."
2705
3139
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3140
gnutls.global_set_log_level(11)
3141
3142
@gnutls.log_func
2709
3143
def debug_gnutls(level, string):
2710
3144
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3145
3146
gnutls.global_set_log_function(debug_gnutls)
3147
2715
3148
# Redirect stdin so all checkers get /dev/null
2716
3149
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3150
os.dup2(null, sys.stdin.fileno())
2718
3151
if null > 2:
2719
3152
os.close(null)
2720
3153
2721
3154
# Need to fork before connecting to D-Bus
2722
3155
if not foreground:
2723
3156
# Close all input and output, do double fork, etc.
2724
3157
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3158
3159
# multiprocessing will use threads, so before we use GLib we need
3160
# to inform GLib that threads will be used.
3161
GLib.threads_init()
3162
2730
3163
global main_loop
2731
3164
# From the Avahi example code
2732
3165
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3166
main_loop = GLib.MainLoop()
2734
3167
bus = dbus.SystemBus()
2735
3168
# End of Avahi example code
2736
3169
if use_dbus:
2749
3182
if zeroconf:
2750
3183
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3184
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3185
name=server_settings["servicename"],
3186
servicetype="_mandos._tcp",
3187
protocol=protocol,
3188
bus=bus)
2756
3189
if server_settings["interface"]:
2757
3190
service.interface = if_nametoindex(
2758
3191
server_settings["interface"].encode("utf-8"))
2759
3192
2760
3193
global multiprocessing_manager
2761
3194
multiprocessing_manager = multiprocessing.Manager()
2762
3195
2763
3196
client_class = Client
2764
3197
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3198
client_class = functools.partial(ClientDBus, bus=bus)
3199
2767
3200
client_settings = Client.config_parser(client_config)
2768
3201
old_client_settings = {}
2769
3202
clients_data = {}
2770
3203
2771
3204
# This is used to redirect stdout and stderr for checker processes
2772
3205
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3206
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3207
# Only used if server is running in foreground but not in debug
2775
3208
# mode
2776
3209
if debug or not foreground:
2777
3210
wnull.close()
2778
3211
2779
3212
# Get client data and settings from last running state.
2780
3213
if server_settings["restore"]:
2781
3214
try:
2782
3215
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3216
if sys.version_info.major == 2:
3217
clients_data, old_client_settings = pickle.load(
3218
stored_state)
3219
else:
3220
bytes_clients_data, bytes_old_client_settings = (
3221
pickle.load(stored_state, encoding="bytes"))
3222
# Fix bytes to strings
3223
# clients_data
3224
# .keys()
3225
clients_data = {(key.decode("utf-8")
3226
if isinstance(key, bytes)
3227
else key): value
3228
for key, value in
3229
bytes_clients_data.items()}
3230
del bytes_clients_data
3231
for key in clients_data:
3232
value = {(k.decode("utf-8")
3233
if isinstance(k, bytes) else k): v
3234
for k, v in
3235
clients_data[key].items()}
3236
clients_data[key] = value
3237
# .client_structure
3238
value["client_structure"] = [
3239
(s.decode("utf-8")
3240
if isinstance(s, bytes)
3241
else s) for s in
3242
value["client_structure"]]
3243
# .name & .host
3244
for k in ("name", "host"):
3245
if isinstance(value[k], bytes):
3246
value[k] = value[k].decode("utf-8")
3247
if not value.has_key("key_id"):
3248
value["key_id"] = ""
3249
elif not value.has_key("fingerprint"):
3250
value["fingerprint"] = ""
3251
# old_client_settings
3252
# .keys()
3253
old_client_settings = {
3254
(key.decode("utf-8")
3255
if isinstance(key, bytes)
3256
else key): value
3257
for key, value in
3258
bytes_old_client_settings.items()}
3259
del bytes_old_client_settings
3260
# .host
3261
for value in old_client_settings.values():
3262
if isinstance(value["host"], bytes):
3263
value["host"] = (value["host"]
3264
.decode("utf-8"))
2785
3265
os.remove(stored_state_path)
2786
3266
except IOError as e:
2787
3267
if e.errno == errno.ENOENT:
2795
3275
logger.warning("Could not load persistent state: "
2796
3276
"EOFError:",
2797
3277
exc_info=e)
2798
3278
2799
3279
with PGPEngine() as pgp:
2800
3280
for client_name, client in clients_data.items():
2801
3281
# Skip removed clients
2802
3282
if client_name not in client_settings:
2803
3283
continue
2804
3284
2805
3285
# Decide which value to use after restoring saved state.
2806
3286
# We have three different values: Old config file,
2807
3287
# new config file, and saved state.
2818
3298
client[name] = value
2819
3299
except KeyError:
2820
3300
pass
2821
3301
2822
3302
# Clients who has passed its expire date can still be
2823
3303
# enabled if its last checker was successful. A Client
2824
3304
# whose checker succeeded before we stored its state is
2857
3337
client_name))
2858
3338
client["secret"] = (client_settings[client_name]
2859
3339
["secret"])
2860
3340
2861
3341
# Add/remove clients based on new changes made to config
2862
3342
for client_name in (set(old_client_settings)
2863
3343
- set(client_settings)):
2865
3345
for client_name in (set(client_settings)
2866
3346
- set(old_client_settings)):
2867
3347
clients_data[client_name] = client_settings[client_name]
2868
3348
2869
3349
# Create all client objects
2870
3350
for client_name, client in clients_data.items():
2871
3351
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3352
name=client_name,
3353
settings=client,
3354
server_settings=server_settings)
3355
2876
3356
if not tcp_server.clients:
2877
3357
logger.warning("No clients defined")
2878
3358
2879
3359
if not foreground:
2880
3360
if pidfile is not None:
2881
3361
pid = os.getpid()
2887
3367
pidfilename, pid)
2888
3368
del pidfile
2889
3369
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3370
3371
for termsig in (signal.SIGHUP, signal.SIGTERM):
3372
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3373
lambda: main_loop.quit() and False)
3374
2894
3375
if use_dbus:
2895
3376
2896
3377
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3378
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3379
class MandosDBusService(DBusObjectWithObjectManager):
2899
3380
"""A D-Bus proxy object"""
2900
3381
2901
3382
def __init__(self):
2902
3383
dbus.service.Object.__init__(self, bus, "/")
2903
3384
2904
3385
_interface = "se.recompile.Mandos"
2905
3386
2906
3387
@dbus.service.signal(_interface, signature="o")
2907
3388
def ClientAdded(self, objpath):
2908
3389
"D-Bus signal"
2909
3390
pass
2910
3391
2911
3392
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3393
def ClientNotFound(self, key_id, address):
2913
3394
"D-Bus signal"
2914
3395
pass
2915
3396
2916
3397
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3398
"true"})
2918
3399
@dbus.service.signal(_interface, signature="os")
2919
3400
def ClientRemoved(self, objpath, name):
2920
3401
"D-Bus signal"
2921
3402
pass
2922
3403
2923
3404
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3405
"true"})
2925
3406
@dbus.service.method(_interface, out_signature="ao")
2926
3407
def GetAllClients(self):
2927
3408
"D-Bus method"
2928
3409
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3410
tcp_server.clients.values())
3411
2931
3412
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3413
"true"})
2933
3414
@dbus.service.method(_interface,
2935
3416
def GetAllClientsWithProperties(self):
2936
3417
"D-Bus method"
2937
3418
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3419
{c.dbus_object_path: c.GetAll(
2939
3420
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3421
for c in tcp_server.clients.values()},
2941
3422
signature="oa{sv}")
2942
3423
2943
3424
@dbus.service.method(_interface, in_signature="o")
2944
3425
def RemoveClient(self, object_path):
2945
3426
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3427
for c in tcp_server.clients.values():
2947
3428
if c.dbus_object_path == object_path:
2948
3429
del tcp_server.clients[c.name]
2949
3430
c.remove_from_connection()
2953
3434
self.client_removed_signal(c)
2954
3435
return
2955
3436
raise KeyError(object_path)
2956
3437
2957
3438
del _interface
2958
3439
2959
3440
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3441
out_signature="a{oa{sa{sv}}}")
2961
3442
def GetManagedObjects(self):
2962
3443
"""D-Bus method"""
2963
3444
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3445
{client.dbus_object_path:
3446
dbus.Dictionary(
3447
{interface: client.GetAll(interface)
3448
for interface in
3449
client._get_all_interface_names()})
3450
for client in tcp_server.clients.values()})
3451
2971
3452
def client_added_signal(self, client):
2972
3453
"""Send the new standard signal and the old signal"""
2973
3454
if use_dbus:
2975
3456
self.InterfacesAdded(
2976
3457
client.dbus_object_path,
2977
3458
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3459
{interface: client.GetAll(interface)
3460
for interface in
3461
client._get_all_interface_names()}))
2981
3462
# Old signal
2982
3463
self.ClientAdded(client.dbus_object_path)
2983
3464
2984
3465
def client_removed_signal(self, client):
2985
3466
"""Send the new standard signal and the old signal"""
2986
3467
if use_dbus:
2991
3472
# Old signal
2992
3473
self.ClientRemoved(client.dbus_object_path,
2993
3474
client.name)
2994
3475
2995
3476
mandos_dbus_service = MandosDBusService()
2996
3477
3478
# Save modules to variables to exempt the modules from being
3479
# unloaded before the function registered with atexit() is run.
3480
mp = multiprocessing
3481
wn = wnull
3482
2997
3483
def cleanup():
2998
3484
"Cleanup function; run on exit"
2999
3485
if zeroconf:
3000
3486
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3487
3488
mp.active_children()
3489
wn.close()
3004
3490
if not (tcp_server.clients or client_settings):
3005
3491
return
3006
3492
3007
3493
# Store client before exiting. Secrets are encrypted with key
3008
3494
# based on what config file has. If config file is
3009
3495
# removed/edited, old secret will thus be unrecovable.
3010
3496
clients = {}
3011
3497
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3498
for client in tcp_server.clients.values():
3013
3499
key = client_settings[client.name]["secret"]
3014
3500
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3501
key)
3016
3502
client_dict = {}
3017
3503
3018
3504
# A list of attributes that can not be pickled
3019
3505
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3506
exclude = {"bus", "changedstate", "secret",
3507
"checker", "server_settings"}
3022
3508
for name, typ in inspect.getmembers(dbus.service
3023
3509
.Object):
3024
3510
exclude.add(name)
3025
3511
3026
3512
client_dict["encrypted_secret"] = (client
3027
3513
.encrypted_secret)
3028
3514
for attr in client.client_structure:
3029
3515
if attr not in exclude:
3030
3516
client_dict[attr] = getattr(client, attr)
3031
3517
3032
3518
clients[client.name] = client_dict
3033
3519
del client_settings[client.name]["secret"]
3034
3520
3035
3521
try:
3036
3522
with tempfile.NamedTemporaryFile(
3037
3523
mode='wb',
3039
3525
prefix='clients-',
3040
3526
dir=os.path.dirname(stored_state_path),
3041
3527
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3528
pickle.dump((clients, client_settings), stored_state,
3529
protocol=2)
3043
3530
tempname = stored_state.name
3044
3531
os.rename(tempname, stored_state_path)
3045
3532
except (IOError, OSError) as e:
3055
3542
logger.warning("Could not save persistent state:",
3056
3543
exc_info=e)
3057
3544
raise
3058
3545
3059
3546
# Delete all clients, and settings from config
3060
3547
while tcp_server.clients:
3061
3548
name, client = tcp_server.clients.popitem()
3064
3551
# Don't signal the disabling
3065
3552
client.disable(quiet=True)
3066
3553
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3554
if use_dbus:
3555
mandos_dbus_service.client_removed_signal(client)
3068
3556
client_settings.clear()
3069
3557
3070
3558
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3559
3560
for client in tcp_server.clients.values():
3073
3561
if use_dbus:
3074
3562
# Emit D-Bus signal for adding
3075
3563
mandos_dbus_service.client_added_signal(client)
3076
3564
# Need to initiate checking of clients
3077
3565
if client.enabled:
3078
3566
client.init_checker()
3079
3567
3080
3568
tcp_server.enable()
3081
3569
tcp_server.server_activate()
3082
3570
3083
3571
# Find out what port we got
3084
3572
if zeroconf:
3085
3573
service.port = tcp_server.socket.getsockname()[1]
3090
3578
else: # IPv4
3091
3579
logger.info("Now listening on address %r, port %d",
3092
3580
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3581
3582
# service.interface = tcp_server.socket.getsockname()[3]
3583
3096
3584
try:
3097
3585
if zeroconf:
3098
3586
# From the Avahi example code
3103
3591
cleanup()
3104
3592
sys.exit(1)
3105
3593
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3594
3595
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3596
lambda *args, **kwargs:
3597
(tcp_server.handle_request
3598
(*args[2:], **kwargs) or True))
3599
3112
3600
logger.debug("Starting main loop")
3113
3601
main_loop.run()
3114
3602
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0