To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1127
- compare with another revision
- download diff
- download tarball
- view history from revision 1127
- Committer: Teddy Hogeborn
- Date: 2019-07-27 10:11:45 UTC
- Revision ID: teddy@recompile.se-20190727101145-jnpbpf8220gldbcd
Add dracut(8) support
Add support for the dracut(8) system for generating initramfs image
files; dracut is an alternative to the "initramfs-tools" package.
* .bzrignore (dracut-module/password-agent): Ignore new binary file.
* dracut-module: New directory for the dracut module.
* INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an
alternative to
initramfs-tools,
and also add GLib.
* Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New.
(CPROGS): Add "dracut-module/password-agent".
(DOCS): Add "dracut-module/password-agent.8mandos".
(dracut-module/password-agent.8mandos): New.
(dracut-module/password-agent.8mandos.xhtml): - '' -
(dracut-module/password-agent): - '' -
(check): Add command to run tests of password-agent(8mandos).
(install-client-nokey): Also install the dracut module directory,
its files, and the password-agent(8mandos)
manual page.
(install-client): To update the initramfs image file, run
update-initramfs or dracut depending on what is
installed.
(uninstall-client): - '' - and also uninstall the the files in the
dracut module directory, that directory itself,
and the password-agent(8mandos) manual page.
* debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)".
(Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an
alternative dependency to
initramfs-tools.
(Package: mandos-client/Conflicts): New; set to
"dracut-config-generic".
(debian/mandos-client.README.Debian): Document alternative commands
to update the initramfs image
for when dracut is used.
* debian/mandos-client.postinst (update_initramfs): Use alternative
commands to update
the initramfs
image for when
dracut is used.
* debian/tests/control (password-agent, password-agent-suid): Add two
new tests.
* dracut-module/ask-password-mandos.path: New.
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/cmdline-mandos.sh: - '' -
* dracut-module/module-setup.sh: - '' -
* dracut-module/password-agent.c: - '' -
* dracut-module/password-agent.xml: - '' -
* initramfs-unpack: Use the dracut "skipcpio" command, if available.
Also be more flexible and try hard to detect where
compressed data starts.
* plugins.d/mandos-client.xml (SECURITY): Be more precise that the
mandos-client binary might
not always be setuid, but
that the program assumes
that it has been started
that way.
* plugins.d/password-prompt.c: Add new "--prompt" option.
(conflict_detection): First try to detect the new PID file of
plymouth.
(main): Define and use new "prompt" variable.
* plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option.
(DESCRIPTION): Describe new behavior of looking for plymouth PID
file.
(OPTIONS): Document new "--prompt" option.
(ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME
environment variables are not used if the --prompt
option is used. Remove unnecessarily specific
details about where the CRYPTTAB_SOURCE and
CRYPTTAB_NAME comes from, since this can now be
either initramfs-tools or dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference, and add commas
to separate the other references.
* plugins.d/plymouth.c: Add new "--prompt" and "--debug" options.
(debug): New global flag.
(fprintf_plus): New function, used for debug output.
(exec_and_wait): Add extra "const" to "argv" argument.
(main): Define and use new "prompt" variable. Add debug output.
(main/options, main/parse_opt): New; used to parse options.
* plugins.d/plymouth.xml (SYNOPSIS): Show new options.
(OPTIONS): Document new options.
(ENVIRONMENT): Clarify that the cryptsource and crypttarget
environment variables are not used if the --prompt
option is used. Remove unnecessarily specific
details about where the cryptsource and crypttarget
comes from, since this can now be either
initramfs-tools or dracut.
(EXAMPLE): Add an example using an option.
(SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource
and crypttarget environment
variables are not used if the
--prompt option is used.
Remove unnecessarily specific
details about where the
cryptsource and crypttarget
comes from, since this can now
be either initramfs-tools or
dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource
and crypttarget environment
variables are not used if the
--prompt option is used.
Remove unnecessarily specific
details about where the
cryptsource and crypttarget
comes from, since this can now
be either initramfs-tools or
dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference.
Add support for the dracut(8) system for generating initramfs image
files; dracut is an alternative to the "initramfs-tools" package.
* .bzrignore (dracut-module/password-agent): Ignore new binary file.
* dracut-module: New directory for the dracut module.
* INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an
alternative to
initramfs-tools,
and also add GLib.
* Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New.
(CPROGS): Add "dracut-module/password-agent".
(DOCS): Add "dracut-module/password-agent.8mandos".
(dracut-module/password-agent.8mandos): New.
(dracut-module/password-agent.8mandos.xhtml): - '' -
(dracut-module/password-agent): - '' -
(check): Add command to run tests of password-agent(8mandos).
(install-client-nokey): Also install the dracut module directory,
its files, and the password-agent(8mandos)
manual page.
(install-client): To update the initramfs image file, run
update-initramfs or dracut depending on what is
installed.
(uninstall-client): - '' - and also uninstall the the files in the
dracut module directory, that directory itself,
and the password-agent(8mandos) manual page.
* debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)".
(Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an
alternative dependency to
initramfs-tools.
(Package: mandos-client/Conflicts): New; set to
"dracut-config-generic".
(debian/mandos-client.README.Debian): Document alternative commands
to update the initramfs image
for when dracut is used.
* debian/mandos-client.postinst (update_initramfs): Use alternative
commands to update
the initramfs
image for when
dracut is used.
* debian/tests/control (password-agent, password-agent-suid): Add two
new tests.
* dracut-module/ask-password-mandos.path: New.
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/cmdline-mandos.sh: - '' -
* dracut-module/module-setup.sh: - '' -
* dracut-module/password-agent.c: - '' -
* dracut-module/password-agent.xml: - '' -
* initramfs-unpack: Use the dracut "skipcpio" command, if available.
Also be more flexible and try hard to detect where
compressed data starts.
* plugins.d/mandos-client.xml (SECURITY): Be more precise that the
mandos-client binary might
not always be setuid, but
that the program assumes
that it has been started
that way.
* plugins.d/password-prompt.c: Add new "--prompt" option.
(conflict_detection): First try to detect the new PID file of
plymouth.
(main): Define and use new "prompt" variable.
* plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option.
(DESCRIPTION): Describe new behavior of looking for plymouth PID
file.
(OPTIONS): Document new "--prompt" option.
(ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME
environment variables are not used if the --prompt
option is used. Remove unnecessarily specific
details about where the CRYPTTAB_SOURCE and
CRYPTTAB_NAME comes from, since this can now be
either initramfs-tools or dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference, and add commas
to separate the other references.
* plugins.d/plymouth.c: Add new "--prompt" and "--debug" options.
(debug): New global flag.
(fprintf_plus): New function, used for debug output.
(exec_and_wait): Add extra "const" to "argv" argument.
(main): Define and use new "prompt" variable. Add debug output.
(main/options, main/parse_opt): New; used to parse options.
* plugins.d/plymouth.xml (SYNOPSIS): Show new options.
(OPTIONS): Document new options.
(ENVIRONMENT): Clarify that the cryptsource and crypttarget
environment variables are not used if the --prompt
option is used. Remove unnecessarily specific
details about where the cryptsource and crypttarget
comes from, since this can now be either
initramfs-tools or dracut.
(EXAMPLE): Add an example using an option.
(SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource
and crypttarget environment
variables are not used if the
--prompt option is used.
Remove unnecessarily specific
details about where the
cryptsource and crypttarget
comes from, since this can now
be either initramfs-tools or
dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource
and crypttarget environment
variables are not used if the
--prompt option is used.
Remove unnecessarily specific
details about where the
cryptsource and crypttarget
comes from, since this can now
be either initramfs-tools or
dracut.
(SEE ALSO): Remove superfluous crypttab(5) reference.
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
76
80
77
81
import dbus
78
82
import dbus.service
79
try:
80
import gobject
81
except ImportError:
82
from gi.repository import GObject as gobject
83
import avahi
83
from gi.repository import GLib
84
84
from dbus.mainloop.glib import DBusGMainLoop
85
85
import ctypes
86
86
import ctypes.util
87
87
import xml.dom.minidom
88
88
import inspect
89
89
90
# Try to find the value of SO_BINDTODEVICE:
90
91
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
91
94
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
92
95
except AttributeError:
93
96
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
94
99
from IN import SO_BINDTODEVICE
95
100
except ImportError:
96
SO_BINDTODEVICE = None
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
97
114
98
115
if sys.version_info.major == 2:
99
116
str = unicode
100
117
101
version = "1.7.1"
118
version = "1.8.4"
102
119
stored_state_file = "clients.pickle"
103
120
104
121
logger = logging.getLogger()
108
125
if_nametoindex = ctypes.cdll.LoadLibrary(
109
126
ctypes.util.find_library("c")).if_nametoindex
110
127
except (OSError, AttributeError):
111
128
112
129
def if_nametoindex(interface):
113
130
"Get an interface index the hard way, i.e. using fcntl()"
114
131
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
119
136
return interface_index
120
137
121
138
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
122
155
def initlogger(debug, level=logging.WARNING):
123
156
"""init logger and add loglevel"""
124
157
125
158
global syslogger
126
159
syslogger = (logging.handlers.SysLogHandler(
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
129
162
syslogger.setFormatter(logging.Formatter
130
163
('Mandos [%(process)d]: %(levelname)s:'
131
164
' %(message)s'))
132
165
logger.addHandler(syslogger)
133
166
134
167
if debug:
135
168
console = logging.StreamHandler()
136
169
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
148
181
149
182
class PGPEngine(object):
150
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
151
184
152
185
def __init__(self):
153
186
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
154
198
self.gnupgargs = ['--batch',
155
'--home', self.tempdir,
199
'--homedir', self.tempdir,
156
200
'--force-mdc',
157
'--quiet',
158
'--no-use-agent']
159
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
160
206
def __enter__(self):
161
207
return self
162
208
163
209
def __exit__(self, exc_type, exc_value, traceback):
164
210
self._cleanup()
165
211
return False
166
212
167
213
def __del__(self):
168
214
self._cleanup()
169
215
170
216
def _cleanup(self):
171
217
if self.tempdir is not None:
172
218
# Delete contents of tempdir
173
219
for root, dirs, files in os.walk(self.tempdir,
174
topdown = False):
220
topdown=False):
175
221
for filename in files:
176
222
os.remove(os.path.join(root, filename))
177
223
for dirname in dirs:
179
225
# Remove tempdir
180
226
os.rmdir(self.tempdir)
181
227
self.tempdir = None
182
228
183
229
def password_encode(self, password):
184
230
# Passphrase can not be empty and can not contain newlines or
185
231
# NUL bytes. So we prefix it and hex encode it.
190
236
.replace(b"\n", b"\\n")
191
237
.replace(b"\0", b"\\x00"))
192
238
return encoded
193
239
194
240
def encrypt(self, data, password):
195
241
passphrase = self.password_encode(password)
196
242
with tempfile.NamedTemporaryFile(
197
243
dir=self.tempdir) as passfile:
198
244
passfile.write(passphrase)
199
245
passfile.flush()
200
proc = subprocess.Popen(['gpg', '--symmetric',
246
proc = subprocess.Popen([self.gpg, '--symmetric',
201
247
'--passphrase-file',
202
248
passfile.name]
203
249
+ self.gnupgargs,
204
stdin = subprocess.PIPE,
205
stdout = subprocess.PIPE,
206
stderr = subprocess.PIPE)
207
ciphertext, err = proc.communicate(input = data)
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
208
254
if proc.returncode != 0:
209
255
raise PGPError(err)
210
256
return ciphertext
211
257
212
258
def decrypt(self, data, password):
213
259
passphrase = self.password_encode(password)
214
260
with tempfile.NamedTemporaryFile(
215
dir = self.tempdir) as passfile:
261
dir=self.tempdir) as passfile:
216
262
passfile.write(passphrase)
217
263
passfile.flush()
218
proc = subprocess.Popen(['gpg', '--decrypt',
264
proc = subprocess.Popen([self.gpg, '--decrypt',
219
265
'--passphrase-file',
220
266
passfile.name]
221
267
+ self.gnupgargs,
222
stdin = subprocess.PIPE,
223
stdout = subprocess.PIPE,
224
stderr = subprocess.PIPE)
225
decrypted_plaintext, err = proc.communicate(input = data)
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
226
272
if proc.returncode != 0:
227
273
raise PGPError(err)
228
274
return decrypted_plaintext
229
275
230
276
277
# Pretend that we have an Avahi module
278
class avahi(object):
279
"""This isn't so much a class as it is a module-like namespace."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
@staticmethod
290
def string_array_to_txt_array(t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
302
231
303
class AvahiError(Exception):
232
304
def __init__(self, value, *args, **kwargs):
233
305
self.value = value
245
317
246
318
class AvahiService(object):
247
319
"""An Avahi (Zeroconf) service.
248
320
249
321
Attributes:
250
322
interface: integer; avahi.IF_UNSPEC or an interface index.
251
323
Used to optionally bind to the specified interface.
263
335
server: D-Bus Server
264
336
bus: dbus.SystemBus()
265
337
"""
266
338
267
339
def __init__(self,
268
interface = avahi.IF_UNSPEC,
269
name = None,
270
servicetype = None,
271
port = None,
272
TXT = None,
273
domain = "",
274
host = "",
275
max_renames = 32768,
276
protocol = avahi.PROTO_UNSPEC,
277
bus = None):
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
278
350
self.interface = interface
279
351
self.name = name
280
352
self.type = servicetype
289
361
self.server = None
290
362
self.bus = bus
291
363
self.entry_group_state_changed_match = None
292
364
293
365
def rename(self, remove=True):
294
366
"""Derived from the Avahi example code"""
295
367
if self.rename_count >= self.max_renames:
315
387
logger.critical("D-Bus Exception", exc_info=error)
316
388
self.cleanup()
317
389
os._exit(1)
318
390
319
391
def remove(self):
320
392
"""Derived from the Avahi example code"""
321
393
if self.entry_group_state_changed_match is not None:
323
395
self.entry_group_state_changed_match = None
324
396
if self.group is not None:
325
397
self.group.Reset()
326
398
327
399
def add(self):
328
400
"""Derived from the Avahi example code"""
329
401
self.remove()
346
418
dbus.UInt16(self.port),
347
419
avahi.string_array_to_txt_array(self.TXT))
348
420
self.group.Commit()
349
421
350
422
def entry_group_state_changed(self, state, error):
351
423
"""Derived from the Avahi example code"""
352
424
logger.debug("Avahi entry group state change: %i", state)
353
425
354
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
355
427
logger.debug("Zeroconf service established.")
356
428
elif state == avahi.ENTRY_GROUP_COLLISION:
360
432
logger.critical("Avahi: Error in group state changed %s",
361
433
str(error))
362
434
raise AvahiGroupError("State changed: {!s}".format(error))
363
435
364
436
def cleanup(self):
365
437
"""Derived from the Avahi example code"""
366
438
if self.group is not None:
371
443
pass
372
444
self.group = None
373
445
self.remove()
374
446
375
447
def server_state_changed(self, state, error=None):
376
448
"""Derived from the Avahi example code"""
377
449
logger.debug("Avahi server state change: %i", state)
406
478
logger.debug("Unknown state: %r", state)
407
479
else:
408
480
logger.debug("Unknown state: %r: %r", state, error)
409
481
410
482
def activate(self):
411
483
"""Derived from the Avahi example code"""
412
484
if self.server is None:
423
495
class AvahiServiceToSyslog(AvahiService):
424
496
def rename(self, *args, **kwargs):
425
497
"""Add the new name to the syslog messages"""
426
ret = AvahiService.rename(self, *args, **kwargs)
498
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
427
499
syslogger.setFormatter(logging.Formatter(
428
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
429
501
.format(self.name)))
430
502
return ret
431
503
504
432
505
# Pretend that we have a GnuTLS module
433
class GnuTLS(object):
434
"""This isn't so much a class as it is a module-like namespace.
435
It is instantiated once, and simulates having a GnuTLS module."""
436
437
_library = ctypes.cdll.LoadLibrary(
438
ctypes.util.find_library("gnutls"))
439
_need_version = "3.3.0"
440
def __init__(self):
441
# Need to use class name "GnuTLS" here, since this method is
442
# called before the assignment to the "gnutls" global variable
443
# happens.
444
if GnuTLS.check_version(self._need_version) is None:
445
raise GnuTLS.Error("Needs GnuTLS {} or later"
446
.format(self._need_version))
447
506
class gnutls(object):
507
"""This isn't so much a class as it is a module-like namespace."""
508
509
library = ctypes.util.find_library("gnutls")
510
if library is None:
511
library = ctypes.util.find_library("gnutls-deb0")
512
_library = ctypes.cdll.LoadLibrary(library)
513
del library
514
448
515
# Unless otherwise indicated, the constants and types below are
449
516
# all from the gnutls/gnutls.h C header file.
450
517
451
518
# Constants
452
519
E_SUCCESS = 0
453
520
E_INTERRUPTED = -52
454
521
E_AGAIN = -28
455
522
CRT_OPENPGP = 2
523
CRT_RAWPK = 3
456
524
CLIENT = 2
457
525
SHUT_RDWR = 0
458
526
CRD_CERTIFICATE = 1
459
527
E_NO_CERTIFICATE_FOUND = -49
528
X509_FMT_DER = 0
529
NO_TICKETS = 1<<10
530
ENABLE_RAWPK = 1<<18
531
CTYPE_PEERS = 3
532
KEYID_USE_SHA256 = 1 # gnutls/x509.h
460
533
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
461
534
462
535
# Types
463
536
class session_int(ctypes.Structure):
464
537
_fields_ = []
465
538
session_t = ctypes.POINTER(session_int)
539
466
540
class certificate_credentials_st(ctypes.Structure):
467
541
_fields_ = []
468
542
certificate_credentials_t = ctypes.POINTER(
469
543
certificate_credentials_st)
470
544
certificate_type_t = ctypes.c_int
545
471
546
class datum_t(ctypes.Structure):
472
547
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
473
548
('size', ctypes.c_uint)]
549
474
550
class openpgp_crt_int(ctypes.Structure):
475
551
_fields_ = []
476
552
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
477
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
553
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
478
554
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
479
credentials_type_t = ctypes.c_int #
555
credentials_type_t = ctypes.c_int
480
556
transport_ptr_t = ctypes.c_void_p
481
557
close_request_t = ctypes.c_int
482
558
483
559
# Exceptions
484
560
class Error(Exception):
485
# We need to use the class name "GnuTLS" here, since this
486
# exception might be raised from within GnuTLS.__init__,
487
# which is called before the assignment to the "gnutls"
488
# global variable has happened.
489
def __init__(self, message = None, code = None, args=()):
561
def __init__(self, message=None, code=None, args=()):
490
562
# Default usage is by a message string, but if a return
491
563
# code is passed, convert it to a string with
492
564
# gnutls.strerror()
493
565
self.code = code
494
566
if message is None and code is not None:
495
message = GnuTLS.strerror(code)
496
return super(GnuTLS.Error, self).__init__(
567
message = gnutls.strerror(code)
568
return super(gnutls.Error, self).__init__(
497
569
message, *args)
498
570
499
571
class CertificateSecurityError(Error):
500
572
pass
501
573
502
574
# Classes
503
575
class Credentials(object):
504
576
def __init__(self):
506
578
gnutls.certificate_allocate_credentials(
507
579
ctypes.byref(self._c_object))
508
580
self.type = gnutls.CRD_CERTIFICATE
509
581
510
582
def __del__(self):
511
583
gnutls.certificate_free_credentials(self._c_object)
512
584
513
585
class ClientSession(object):
514
def __init__(self, socket, credentials = None):
586
def __init__(self, socket, credentials=None):
515
587
self._c_object = gnutls.session_t()
516
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
588
gnutls_flags = gnutls.CLIENT
589
if gnutls.check_version("3.5.6"):
590
gnutls_flags |= gnutls.NO_TICKETS
591
if gnutls.has_rawpk:
592
gnutls_flags |= gnutls.ENABLE_RAWPK
593
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
594
del gnutls_flags
517
595
gnutls.set_default_priority(self._c_object)
518
596
gnutls.transport_set_ptr(self._c_object, socket.fileno())
519
597
gnutls.handshake_set_private_extensions(self._c_object,
525
603
ctypes.cast(credentials._c_object,
526
604
ctypes.c_void_p))
527
605
self.credentials = credentials
528
606
529
607
def __del__(self):
530
608
gnutls.deinit(self._c_object)
531
609
532
610
def handshake(self):
533
611
return gnutls.handshake(self._c_object)
534
612
535
613
def send(self, data):
536
614
data = bytes(data)
537
615
data_len = len(data)
539
617
data_len -= gnutls.record_send(self._c_object,
540
618
data[-data_len:],
541
619
data_len)
542
620
543
621
def bye(self):
544
622
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
545
623
546
624
# Error handling functions
547
625
def _error_code(result):
548
626
"""A function to raise exceptions on errors, suitable
550
628
if result >= 0:
551
629
return result
552
630
if result == gnutls.E_NO_CERTIFICATE_FOUND:
553
raise gnutls.CertificateSecurityError(code = result)
554
raise gnutls.Error(code = result)
555
631
raise gnutls.CertificateSecurityError(code=result)
632
raise gnutls.Error(code=result)
633
556
634
def _retry_on_error(result, func, arguments):
557
635
"""A function to retry on some errors, suitable
558
636
for the 'errcheck' attribute on ctypes functions"""
561
639
return _error_code(result)
562
640
result = func(*arguments)
563
641
return result
564
642
565
643
# Unless otherwise indicated, the function declarations below are
566
644
# all from the gnutls/gnutls.h C header file.
567
645
568
646
# Functions
569
647
priority_set_direct = _library.gnutls_priority_set_direct
570
648
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
571
649
ctypes.POINTER(ctypes.c_char_p)]
572
650
priority_set_direct.restype = _error_code
573
651
574
652
init = _library.gnutls_init
575
653
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
576
654
init.restype = _error_code
577
655
578
656
set_default_priority = _library.gnutls_set_default_priority
579
657
set_default_priority.argtypes = [session_t]
580
658
set_default_priority.restype = _error_code
581
659
582
660
record_send = _library.gnutls_record_send
583
661
record_send.argtypes = [session_t, ctypes.c_void_p,
584
662
ctypes.c_size_t]
585
663
record_send.restype = ctypes.c_ssize_t
586
664
record_send.errcheck = _retry_on_error
587
665
588
666
certificate_allocate_credentials = (
589
667
_library.gnutls_certificate_allocate_credentials)
590
668
certificate_allocate_credentials.argtypes = [
591
669
ctypes.POINTER(certificate_credentials_t)]
592
670
certificate_allocate_credentials.restype = _error_code
593
671
594
672
certificate_free_credentials = (
595
673
_library.gnutls_certificate_free_credentials)
596
certificate_free_credentials.argtypes = [certificate_credentials_t]
674
certificate_free_credentials.argtypes = [
675
certificate_credentials_t]
597
676
certificate_free_credentials.restype = None
598
677
599
678
handshake_set_private_extensions = (
600
679
_library.gnutls_handshake_set_private_extensions)
601
680
handshake_set_private_extensions.argtypes = [session_t,
602
681
ctypes.c_int]
603
682
handshake_set_private_extensions.restype = None
604
683
605
684
credentials_set = _library.gnutls_credentials_set
606
685
credentials_set.argtypes = [session_t, credentials_type_t,
607
686
ctypes.c_void_p]
608
687
credentials_set.restype = _error_code
609
688
610
689
strerror = _library.gnutls_strerror
611
690
strerror.argtypes = [ctypes.c_int]
612
691
strerror.restype = ctypes.c_char_p
613
692
614
693
certificate_type_get = _library.gnutls_certificate_type_get
615
694
certificate_type_get.argtypes = [session_t]
616
695
certificate_type_get.restype = _error_code
617
696
618
697
certificate_get_peers = _library.gnutls_certificate_get_peers
619
698
certificate_get_peers.argtypes = [session_t,
620
699
ctypes.POINTER(ctypes.c_uint)]
621
700
certificate_get_peers.restype = ctypes.POINTER(datum_t)
622
701
623
702
global_set_log_level = _library.gnutls_global_set_log_level
624
703
global_set_log_level.argtypes = [ctypes.c_int]
625
704
global_set_log_level.restype = None
626
705
627
706
global_set_log_function = _library.gnutls_global_set_log_function
628
707
global_set_log_function.argtypes = [log_func]
629
708
global_set_log_function.restype = None
630
709
631
710
deinit = _library.gnutls_deinit
632
711
deinit.argtypes = [session_t]
633
712
deinit.restype = None
634
713
635
714
handshake = _library.gnutls_handshake
636
715
handshake.argtypes = [session_t]
637
716
handshake.restype = _error_code
638
717
handshake.errcheck = _retry_on_error
639
718
640
719
transport_set_ptr = _library.gnutls_transport_set_ptr
641
720
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
642
721
transport_set_ptr.restype = None
643
722
644
723
bye = _library.gnutls_bye
645
724
bye.argtypes = [session_t, close_request_t]
646
725
bye.restype = _error_code
647
726
bye.errcheck = _retry_on_error
648
727
649
728
check_version = _library.gnutls_check_version
650
729
check_version.argtypes = [ctypes.c_char_p]
651
730
check_version.restype = ctypes.c_char_p
652
653
# All the function declarations below are from gnutls/openpgp.h
654
655
openpgp_crt_init = _library.gnutls_openpgp_crt_init
656
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
657
openpgp_crt_init.restype = _error_code
658
659
openpgp_crt_import = _library.gnutls_openpgp_crt_import
660
openpgp_crt_import.argtypes = [openpgp_crt_t,
661
ctypes.POINTER(datum_t),
662
openpgp_crt_fmt_t]
663
openpgp_crt_import.restype = _error_code
664
665
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
666
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
667
ctypes.POINTER(ctypes.c_uint)]
668
openpgp_crt_verify_self.restype = _error_code
669
670
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
671
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
672
openpgp_crt_deinit.restype = None
673
674
openpgp_crt_get_fingerprint = (
675
_library.gnutls_openpgp_crt_get_fingerprint)
676
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
677
ctypes.c_void_p,
678
ctypes.POINTER(
679
ctypes.c_size_t)]
680
openpgp_crt_get_fingerprint.restype = _error_code
681
731
732
_need_version = b"3.3.0"
733
if check_version(_need_version) is None:
734
raise self.Error("Needs GnuTLS {} or later"
735
.format(_need_version))
736
737
_tls_rawpk_version = b"3.6.6"
738
has_rawpk = bool(check_version(_tls_rawpk_version))
739
740
if has_rawpk:
741
# Types
742
class pubkey_st(ctypes.Structure):
743
_fields = []
744
pubkey_t = ctypes.POINTER(pubkey_st)
745
746
x509_crt_fmt_t = ctypes.c_int
747
748
# All the function declarations below are from gnutls/abstract.h
749
pubkey_init = _library.gnutls_pubkey_init
750
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
751
pubkey_init.restype = _error_code
752
753
pubkey_import = _library.gnutls_pubkey_import
754
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
755
x509_crt_fmt_t]
756
pubkey_import.restype = _error_code
757
758
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
759
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
760
ctypes.POINTER(ctypes.c_ubyte),
761
ctypes.POINTER(ctypes.c_size_t)]
762
pubkey_get_key_id.restype = _error_code
763
764
pubkey_deinit = _library.gnutls_pubkey_deinit
765
pubkey_deinit.argtypes = [pubkey_t]
766
pubkey_deinit.restype = None
767
else:
768
# All the function declarations below are from gnutls/openpgp.h
769
770
openpgp_crt_init = _library.gnutls_openpgp_crt_init
771
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
772
openpgp_crt_init.restype = _error_code
773
774
openpgp_crt_import = _library.gnutls_openpgp_crt_import
775
openpgp_crt_import.argtypes = [openpgp_crt_t,
776
ctypes.POINTER(datum_t),
777
openpgp_crt_fmt_t]
778
openpgp_crt_import.restype = _error_code
779
780
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
781
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
782
ctypes.POINTER(ctypes.c_uint)]
783
openpgp_crt_verify_self.restype = _error_code
784
785
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
786
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
787
openpgp_crt_deinit.restype = None
788
789
openpgp_crt_get_fingerprint = (
790
_library.gnutls_openpgp_crt_get_fingerprint)
791
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
792
ctypes.c_void_p,
793
ctypes.POINTER(
794
ctypes.c_size_t)]
795
openpgp_crt_get_fingerprint.restype = _error_code
796
797
if check_version("3.6.4"):
798
certificate_type_get2 = _library.gnutls_certificate_type_get2
799
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
800
certificate_type_get2.restype = _error_code
801
682
802
# Remove non-public functions
683
803
del _error_code, _retry_on_error
684
# Create the global "gnutls" object, simulating a module
685
gnutls = GnuTLS()
804
686
805
687
806
def call_pipe(connection, # : multiprocessing.Connection
688
807
func, *args, **kwargs):
689
808
"""This function is meant to be called by multiprocessing.Process
690
809
691
810
This function runs func(*args, **kwargs), and writes the resulting
692
811
return value on the provided multiprocessing.Connection.
693
812
"""
694
813
connection.send(func(*args, **kwargs))
695
814
connection.close()
696
815
816
697
817
class Client(object):
698
818
"""A representation of a client host served by this server.
699
819
700
820
Attributes:
701
821
approved: bool(); 'None' if not yet approved/disapproved
702
822
approval_delay: datetime.timedelta(); Time to wait for approval
704
824
checker: subprocess.Popen(); a running checker process used
705
825
to see if the client lives.
706
826
'None' if no process is running.
707
checker_callback_tag: a gobject event source tag, or None
827
checker_callback_tag: a GLib event source tag, or None
708
828
checker_command: string; External command which is run to check
709
829
if client lives. %() expansions are done at
710
830
runtime with vars(self) as dict, so that for
711
831
instance %(name)s can be used in the command.
712
checker_initiator_tag: a gobject event source tag, or None
832
checker_initiator_tag: a GLib event source tag, or None
713
833
created: datetime.datetime(); (UTC) object creation
714
834
client_structure: Object describing what attributes a client has
715
835
and is used for storing the client at exit
716
836
current_checker_command: string; current running checker_command
717
disable_initiator_tag: a gobject event source tag, or None
837
disable_initiator_tag: a GLib event source tag, or None
718
838
enabled: bool()
719
839
fingerprint: string (40 or 32 hexadecimal digits); used to
720
uniquely identify the client
840
uniquely identify an OpenPGP client
841
key_id: string (64 hexadecimal digits); used to uniquely identify
842
a client using raw public keys
721
843
host: string; available for use by the checker command
722
844
interval: datetime.timedelta(); How often to start a new checker
723
845
last_approval_request: datetime.datetime(); (UTC) or None
739
861
disabled, or None
740
862
server_settings: The server_settings dict from main()
741
863
"""
742
864
743
865
runtime_expansions = ("approval_delay", "approval_duration",
744
"created", "enabled", "expires",
866
"created", "enabled", "expires", "key_id",
745
867
"fingerprint", "host", "interval",
746
868
"last_approval_request", "last_checked_ok",
747
869
"last_enabled", "name", "timeout")
756
878
"approved_by_default": "True",
757
879
"enabled": "True",
758
880
}
759
881
760
882
@staticmethod
761
883
def config_parser(config):
762
884
"""Construct a new dict of client settings of this form:
769
891
for client_name in config.sections():
770
892
section = dict(config.items(client_name))
771
893
client = settings[client_name] = {}
772
894
773
895
client["host"] = section["host"]
774
896
# Reformat values from string types to Python types
775
897
client["approved_by_default"] = config.getboolean(
776
898
client_name, "approved_by_default")
777
899
client["enabled"] = config.getboolean(client_name,
778
900
"enabled")
779
780
# Uppercase and remove spaces from fingerprint for later
781
# comparison purposes with return value from the
782
# fingerprint() function
901
902
# Uppercase and remove spaces from key_id and fingerprint
903
# for later comparison purposes with return value from the
904
# key_id() and fingerprint() functions
905
client["key_id"] = (section.get("key_id", "").upper()
906
.replace(" ", ""))
783
907
client["fingerprint"] = (section["fingerprint"].upper()
784
908
.replace(" ", ""))
785
909
if "secret" in section:
786
client["secret"] = section["secret"].decode("base64")
910
client["secret"] = codecs.decode(section["secret"]
911
.encode("utf-8"),
912
"base64")
787
913
elif "secfile" in section:
788
914
with open(os.path.expanduser(os.path.expandvars
789
915
(section["secfile"])),
804
930
client["last_approval_request"] = None
805
931
client["last_checked_ok"] = None
806
932
client["last_checker_status"] = -2
807
933
808
934
return settings
809
810
def __init__(self, settings, name = None, server_settings=None):
935
936
def __init__(self, settings, name=None, server_settings=None):
811
937
self.name = name
812
938
if server_settings is None:
813
939
server_settings = {}
815
941
# adding all client settings
816
942
for setting, value in settings.items():
817
943
setattr(self, setting, value)
818
944
819
945
if self.enabled:
820
946
if not hasattr(self, "last_enabled"):
821
947
self.last_enabled = datetime.datetime.utcnow()
825
951
else:
826
952
self.last_enabled = None
827
953
self.expires = None
828
954
829
955
logger.debug("Creating client %r", self.name)
956
logger.debug(" Key ID: %s", self.key_id)
830
957
logger.debug(" Fingerprint: %s", self.fingerprint)
831
958
self.created = settings.get("created",
832
959
datetime.datetime.utcnow())
833
960
834
961
# attributes specific for this server instance
835
962
self.checker = None
836
963
self.checker_initiator_tag = None
842
969
self.changedstate = multiprocessing_manager.Condition(
843
970
multiprocessing_manager.Lock())
844
971
self.client_structure = [attr
845
for attr in self.__dict__.iterkeys()
972
for attr in self.__dict__.keys()
846
973
if not attr.startswith("_")]
847
974
self.client_structure.append("client_structure")
848
975
849
976
for name, t in inspect.getmembers(
850
977
type(self), lambda obj: isinstance(obj, property)):
851
978
if not name.startswith("_"):
852
979
self.client_structure.append(name)
853
980
854
981
# Send notice to process children that client state has changed
855
982
def send_changedstate(self):
856
983
with self.changedstate:
857
984
self.changedstate.notify_all()
858
985
859
986
def enable(self):
860
987
"""Start this client's checker and timeout hooks"""
861
988
if getattr(self, "enabled", False):
866
993
self.last_enabled = datetime.datetime.utcnow()
867
994
self.init_checker()
868
995
self.send_changedstate()
869
996
870
997
def disable(self, quiet=True):
871
998
"""Disable this client."""
872
999
if not getattr(self, "enabled", False):
874
1001
if not quiet:
875
1002
logger.info("Disabling client %s", self.name)
876
1003
if getattr(self, "disable_initiator_tag", None) is not None:
877
gobject.source_remove(self.disable_initiator_tag)
1004
GLib.source_remove(self.disable_initiator_tag)
878
1005
self.disable_initiator_tag = None
879
1006
self.expires = None
880
1007
if getattr(self, "checker_initiator_tag", None) is not None:
881
gobject.source_remove(self.checker_initiator_tag)
1008
GLib.source_remove(self.checker_initiator_tag)
882
1009
self.checker_initiator_tag = None
883
1010
self.stop_checker()
884
1011
self.enabled = False
885
1012
if not quiet:
886
1013
self.send_changedstate()
887
# Do not run this again if called by a gobject.timeout_add
1014
# Do not run this again if called by a GLib.timeout_add
888
1015
return False
889
1016
890
1017
def __del__(self):
891
1018
self.disable()
892
1019
893
1020
def init_checker(self):
894
1021
# Schedule a new checker to be started an 'interval' from now,
895
1022
# and every interval from then on.
896
1023
if self.checker_initiator_tag is not None:
897
gobject.source_remove(self.checker_initiator_tag)
898
self.checker_initiator_tag = gobject.timeout_add(
1024
GLib.source_remove(self.checker_initiator_tag)
1025
self.checker_initiator_tag = GLib.timeout_add(
899
1026
int(self.interval.total_seconds() * 1000),
900
1027
self.start_checker)
901
1028
# Schedule a disable() when 'timeout' has passed
902
1029
if self.disable_initiator_tag is not None:
903
gobject.source_remove(self.disable_initiator_tag)
904
self.disable_initiator_tag = gobject.timeout_add(
1030
GLib.source_remove(self.disable_initiator_tag)
1031
self.disable_initiator_tag = GLib.timeout_add(
905
1032
int(self.timeout.total_seconds() * 1000), self.disable)
906
1033
# Also start a new checker *right now*.
907
1034
self.start_checker()
908
1035
909
1036
def checker_callback(self, source, condition, connection,
910
1037
command):
911
1038
"""The checker has completed, so take appropriate actions."""
914
1041
# Read return code from connection (see call_pipe)
915
1042
returncode = connection.recv()
916
1043
connection.close()
917
1044
918
1045
if returncode >= 0:
919
1046
self.last_checker_status = returncode
920
1047
self.last_checker_signal = None
930
1057
logger.warning("Checker for %(name)s crashed?",
931
1058
vars(self))
932
1059
return False
933
1060
934
1061
def checked_ok(self):
935
1062
"""Assert that the client has been seen, alive and well."""
936
1063
self.last_checked_ok = datetime.datetime.utcnow()
937
1064
self.last_checker_status = 0
938
1065
self.last_checker_signal = None
939
1066
self.bump_timeout()
940
1067
941
1068
def bump_timeout(self, timeout=None):
942
1069
"""Bump up the timeout for this client."""
943
1070
if timeout is None:
944
1071
timeout = self.timeout
945
1072
if self.disable_initiator_tag is not None:
946
gobject.source_remove(self.disable_initiator_tag)
1073
GLib.source_remove(self.disable_initiator_tag)
947
1074
self.disable_initiator_tag = None
948
1075
if getattr(self, "enabled", False):
949
self.disable_initiator_tag = gobject.timeout_add(
1076
self.disable_initiator_tag = GLib.timeout_add(
950
1077
int(timeout.total_seconds() * 1000), self.disable)
951
1078
self.expires = datetime.datetime.utcnow() + timeout
952
1079
953
1080
def need_approval(self):
954
1081
self.last_approval_request = datetime.datetime.utcnow()
955
1082
956
1083
def start_checker(self):
957
1084
"""Start a new checker subprocess if one is not running.
958
1085
959
1086
If a checker already exists, leave it running and do
960
1087
nothing."""
961
1088
# The reason for not killing a running checker is that if we
966
1093
# checkers alone, the checker would have to take more time
967
1094
# than 'timeout' for the client to be disabled, which is as it
968
1095
# should be.
969
1096
970
1097
if self.checker is not None and not self.checker.is_alive():
971
1098
logger.warning("Checker was not alive; joining")
972
1099
self.checker.join()
976
1103
# Escape attributes for the shell
977
1104
escaped_attrs = {
978
1105
attr: re.escape(str(getattr(self, attr)))
979
for attr in self.runtime_expansions }
1106
for attr in self.runtime_expansions}
980
1107
try:
981
1108
command = self.checker_command % escaped_attrs
982
1109
except TypeError as error:
994
1121
# The exception is when not debugging but nevertheless
995
1122
# running in the foreground; use the previously
996
1123
# created wnull.
997
popen_args = { "close_fds": True,
998
"shell": True,
999
"cwd": "/" }
1124
popen_args = {"close_fds": True,
1125
"shell": True,
1126
"cwd": "/"}
1000
1127
if (not self.server_settings["debug"]
1001
1128
and self.server_settings["foreground"]):
1002
1129
popen_args.update({"stdout": wnull,
1003
"stderr": wnull })
1004
pipe = multiprocessing.Pipe(duplex = False)
1130
"stderr": wnull})
1131
pipe = multiprocessing.Pipe(duplex=False)
1005
1132
self.checker = multiprocessing.Process(
1006
target = call_pipe,
1007
args = (pipe[1], subprocess.call, command),
1008
kwargs = popen_args)
1133
target=call_pipe,
1134
args=(pipe[1], subprocess.call, command),
1135
kwargs=popen_args)
1009
1136
self.checker.start()
1010
self.checker_callback_tag = gobject.io_add_watch(
1011
pipe[0].fileno(), gobject.IO_IN,
1137
self.checker_callback_tag = GLib.io_add_watch(
1138
pipe[0].fileno(), GLib.IO_IN,
1012
1139
self.checker_callback, pipe[0], command)
1013
# Re-run this periodically if run by gobject.timeout_add
1140
# Re-run this periodically if run by GLib.timeout_add
1014
1141
return True
1015
1142
1016
1143
def stop_checker(self):
1017
1144
"""Force the checker process, if any, to stop."""
1018
1145
if self.checker_callback_tag:
1019
gobject.source_remove(self.checker_callback_tag)
1146
GLib.source_remove(self.checker_callback_tag)
1020
1147
self.checker_callback_tag = None
1021
1148
if getattr(self, "checker", None) is None:
1022
1149
return
1031
1158
byte_arrays=False):
1032
1159
"""Decorators for marking methods of a DBusObjectWithProperties to
1033
1160
become properties on the D-Bus.
1034
1161
1035
1162
The decorated method will be called with no arguments by "Get"
1036
1163
and with one argument by "Set".
1037
1164
1038
1165
The parameters, where they are supported, are the same as
1039
1166
dbus.service.method, except there is only "signature", since the
1040
1167
type from Get() and the type sent to Set() is the same.
1044
1171
if byte_arrays and signature != "ay":
1045
1172
raise ValueError("Byte arrays not supported for non-'ay'"
1046
1173
" signature {!r}".format(signature))
1047
1174
1048
1175
def decorator(func):
1049
1176
func._dbus_is_property = True
1050
1177
func._dbus_interface = dbus_interface
1053
1180
func._dbus_name = func.__name__
1054
1181
if func._dbus_name.endswith("_dbus_property"):
1055
1182
func._dbus_name = func._dbus_name[:-14]
1056
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1183
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1057
1184
return func
1058
1185
1059
1186
return decorator
1060
1187
1061
1188
1062
1189
def dbus_interface_annotations(dbus_interface):
1063
1190
"""Decorator for marking functions returning interface annotations
1064
1191
1065
1192
Usage:
1066
1193
1067
1194
@dbus_interface_annotations("org.example.Interface")
1068
1195
def _foo(self): # Function name does not matter
1069
1196
return {"org.freedesktop.DBus.Deprecated": "true",
1070
1197
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1071
1198
"false"}
1072
1199
"""
1073
1200
1074
1201
def decorator(func):
1075
1202
func._dbus_is_interface = True
1076
1203
func._dbus_interface = dbus_interface
1077
1204
func._dbus_name = dbus_interface
1078
1205
return func
1079
1206
1080
1207
return decorator
1081
1208
1082
1209
1083
1210
def dbus_annotations(annotations):
1084
1211
"""Decorator to annotate D-Bus methods, signals or properties
1085
1212
Usage:
1086
1213
1087
1214
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1088
1215
"org.freedesktop.DBus.Property."
1089
1216
"EmitsChangedSignal": "false"})
1091
1218
access="r")
1092
1219
def Property_dbus_property(self):
1093
1220
return dbus.Boolean(False)
1094
1221
1095
1222
See also the DBusObjectWithAnnotations class.
1096
1223
"""
1097
1224
1098
1225
def decorator(func):
1099
1226
func._dbus_annotations = annotations
1100
1227
return func
1101
1228
1102
1229
return decorator
1103
1230
1104
1231
1122
1249
1123
1250
class DBusObjectWithAnnotations(dbus.service.Object):
1124
1251
"""A D-Bus object with annotations.
1125
1252
1126
1253
Classes inheriting from this can use the dbus_annotations
1127
1254
decorator to add annotations to methods or signals.
1128
1255
"""
1129
1256
1130
1257
@staticmethod
1131
1258
def _is_dbus_thing(thing):
1132
1259
"""Returns a function testing if an attribute is a D-Bus thing
1133
1260
1134
1261
If called like _is_dbus_thing("method") it returns a function
1135
1262
suitable for use as predicate to inspect.getmembers().
1136
1263
"""
1137
1264
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1138
1265
False)
1139
1266
1140
1267
def _get_all_dbus_things(self, thing):
1141
1268
"""Returns a generator of (name, attribute) pairs
1142
1269
"""
1145
1272
for cls in self.__class__.__mro__
1146
1273
for name, athing in
1147
1274
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1148
1275
1149
1276
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1150
out_signature = "s",
1151
path_keyword = 'object_path',
1152
connection_keyword = 'connection')
1277
out_signature="s",
1278
path_keyword='object_path',
1279
connection_keyword='connection')
1153
1280
def Introspect(self, object_path, connection):
1154
1281
"""Overloading of standard D-Bus method.
1155
1282
1156
1283
Inserts annotation tags on methods and signals.
1157
1284
"""
1158
1285
xmlstring = dbus.service.Object.Introspect(self, object_path,
1159
1286
connection)
1160
1287
try:
1161
1288
document = xml.dom.minidom.parseString(xmlstring)
1162
1289
1163
1290
for if_tag in document.getElementsByTagName("interface"):
1164
1291
# Add annotation tags
1165
1292
for typ in ("method", "signal"):
1192
1319
if_tag.appendChild(ann_tag)
1193
1320
# Fix argument name for the Introspect method itself
1194
1321
if (if_tag.getAttribute("name")
1195
== dbus.INTROSPECTABLE_IFACE):
1322
== dbus.INTROSPECTABLE_IFACE):
1196
1323
for cn in if_tag.getElementsByTagName("method"):
1197
1324
if cn.getAttribute("name") == "Introspect":
1198
1325
for arg in cn.getElementsByTagName("arg"):
1211
1338
1212
1339
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1213
1340
"""A D-Bus object with properties.
1214
1341
1215
1342
Classes inheriting from this can use the dbus_service_property
1216
1343
decorator to expose methods as D-Bus properties. It exposes the
1217
1344
standard Get(), Set(), and GetAll() methods on the D-Bus.
1218
1345
"""
1219
1346
1220
1347
def _get_dbus_property(self, interface_name, property_name):
1221
1348
"""Returns a bound method if one exists which is a D-Bus
1222
1349
property with the specified name and interface.
1227
1354
if (value._dbus_name == property_name
1228
1355
and value._dbus_interface == interface_name):
1229
1356
return value.__get__(self)
1230
1357
1231
1358
# No such property
1232
1359
raise DBusPropertyNotFound("{}:{}.{}".format(
1233
1360
self.dbus_object_path, interface_name, property_name))
1234
1361
1235
1362
@classmethod
1236
1363
def _get_all_interface_names(cls):
1237
1364
"""Get a sequence of all interfaces supported by an object"""
1240
1367
for x in (inspect.getmro(cls))
1241
1368
for attr in dir(x))
1242
1369
if name is not None)
1243
1370
1244
1371
@dbus.service.method(dbus.PROPERTIES_IFACE,
1245
1372
in_signature="ss",
1246
1373
out_signature="v")
1254
1381
if not hasattr(value, "variant_level"):
1255
1382
return value
1256
1383
return type(value)(value, variant_level=value.variant_level+1)
1257
1384
1258
1385
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1259
1386
def Set(self, interface_name, property_name, value):
1260
1387
"""Standard D-Bus property Set() method, see D-Bus standard.
1272
1399
value = dbus.ByteArray(b''.join(chr(byte)
1273
1400
for byte in value))
1274
1401
prop(value)
1275
1402
1276
1403
@dbus.service.method(dbus.PROPERTIES_IFACE,
1277
1404
in_signature="s",
1278
1405
out_signature="a{sv}")
1279
1406
def GetAll(self, interface_name):
1280
1407
"""Standard D-Bus property GetAll() method, see D-Bus
1281
1408
standard.
1282
1409
1283
1410
Note: Will not include properties with access="write".
1284
1411
"""
1285
1412
properties = {}
1296
1423
properties[name] = value
1297
1424
continue
1298
1425
properties[name] = type(value)(
1299
value, variant_level = value.variant_level + 1)
1426
value, variant_level=value.variant_level + 1)
1300
1427
return dbus.Dictionary(properties, signature="sv")
1301
1428
1302
1429
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1303
1430
def PropertiesChanged(self, interface_name, changed_properties,
1304
1431
invalidated_properties):
1306
1433
standard.
1307
1434
"""
1308
1435
pass
1309
1436
1310
1437
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1311
1438
out_signature="s",
1312
1439
path_keyword='object_path',
1313
1440
connection_keyword='connection')
1314
1441
def Introspect(self, object_path, connection):
1315
1442
"""Overloading of standard D-Bus method.
1316
1443
1317
1444
Inserts property tags and interface annotation tags.
1318
1445
"""
1319
1446
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1321
1448
connection)
1322
1449
try:
1323
1450
document = xml.dom.minidom.parseString(xmlstring)
1324
1451
1325
1452
def make_tag(document, name, prop):
1326
1453
e = document.createElement("property")
1327
1454
e.setAttribute("name", name)
1328
1455
e.setAttribute("type", prop._dbus_signature)
1329
1456
e.setAttribute("access", prop._dbus_access)
1330
1457
return e
1331
1458
1332
1459
for if_tag in document.getElementsByTagName("interface"):
1333
1460
# Add property tags
1334
1461
for tag in (make_tag(document, name, prop)
1376
1503
exc_info=error)
1377
1504
return xmlstring
1378
1505
1506
1379
1507
try:
1380
1508
dbus.OBJECT_MANAGER_IFACE
1381
1509
except AttributeError:
1382
1510
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1383
1511
1512
1384
1513
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1385
1514
"""A D-Bus object with an ObjectManager.
1386
1515
1387
1516
Classes inheriting from this exposes the standard
1388
1517
GetManagedObjects call and the InterfacesAdded and
1389
1518
InterfacesRemoved signals on the standard
1390
1519
"org.freedesktop.DBus.ObjectManager" interface.
1391
1520
1392
1521
Note: No signals are sent automatically; they must be sent
1393
1522
manually.
1394
1523
"""
1395
1524
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1396
out_signature = "a{oa{sa{sv}}}")
1525
out_signature="a{oa{sa{sv}}}")
1397
1526
def GetManagedObjects(self):
1398
1527
"""This function must be overridden"""
1399
1528
raise NotImplementedError()
1400
1529
1401
1530
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1402
signature = "oa{sa{sv}}")
1531
signature="oa{sa{sv}}")
1403
1532
def InterfacesAdded(self, object_path, interfaces_and_properties):
1404
1533
pass
1405
1406
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1534
1535
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1407
1536
def InterfacesRemoved(self, object_path, interfaces):
1408
1537
pass
1409
1538
1410
1539
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1411
out_signature = "s",
1412
path_keyword = 'object_path',
1413
connection_keyword = 'connection')
1540
out_signature="s",
1541
path_keyword='object_path',
1542
connection_keyword='connection')
1414
1543
def Introspect(self, object_path, connection):
1415
1544
"""Overloading of standard D-Bus method.
1416
1545
1417
1546
Override return argument name of GetManagedObjects to be
1418
1547
"objpath_interfaces_and_properties"
1419
1548
"""
1422
1551
connection)
1423
1552
try:
1424
1553
document = xml.dom.minidom.parseString(xmlstring)
1425
1554
1426
1555
for if_tag in document.getElementsByTagName("interface"):
1427
1556
# Fix argument name for the GetManagedObjects method
1428
1557
if (if_tag.getAttribute("name")
1429
== dbus.OBJECT_MANAGER_IFACE):
1558
== dbus.OBJECT_MANAGER_IFACE):
1430
1559
for cn in if_tag.getElementsByTagName("method"):
1431
1560
if (cn.getAttribute("name")
1432
1561
== "GetManagedObjects"):
1442
1571
except (AttributeError, xml.dom.DOMException,
1443
1572
xml.parsers.expat.ExpatError) as error:
1444
1573
logger.error("Failed to override Introspection method",
1445
exc_info = error)
1574
exc_info=error)
1446
1575
return xmlstring
1447
1576
1577
1448
1578
def datetime_to_dbus(dt, variant_level=0):
1449
1579
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1450
1580
if dt is None:
1451
return dbus.String("", variant_level = variant_level)
1581
return dbus.String("", variant_level=variant_level)
1452
1582
return dbus.String(dt.isoformat(), variant_level=variant_level)
1453
1583
1454
1584
1457
1587
dbus.service.Object, it will add alternate D-Bus attributes with
1458
1588
interface names according to the "alt_interface_names" mapping.
1459
1589
Usage:
1460
1590
1461
1591
@alternate_dbus_interfaces({"org.example.Interface":
1462
1592
"net.example.AlternateInterface"})
1463
1593
class SampleDBusObject(dbus.service.Object):
1464
1594
@dbus.service.method("org.example.Interface")
1465
1595
def SampleDBusMethod():
1466
1596
pass
1467
1597
1468
1598
The above "SampleDBusMethod" on "SampleDBusObject" will be
1469
1599
reachable via two interfaces: "org.example.Interface" and
1470
1600
"net.example.AlternateInterface", the latter of which will have
1471
1601
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1472
1602
"true", unless "deprecate" is passed with a False value.
1473
1603
1474
1604
This works for methods and signals, and also for D-Bus properties
1475
1605
(from DBusObjectWithProperties) and interfaces (from the
1476
1606
dbus_interface_annotations decorator).
1477
1607
"""
1478
1608
1479
1609
def wrapper(cls):
1480
1610
for orig_interface_name, alt_interface_name in (
1481
1611
alt_interface_names.items()):
1496
1626
interface_names.add(alt_interface)
1497
1627
# Is this a D-Bus signal?
1498
1628
if getattr(attribute, "_dbus_is_signal", False):
1629
# Extract the original non-method undecorated
1630
# function by black magic
1499
1631
if sys.version_info.major == 2:
1500
# Extract the original non-method undecorated
1501
# function by black magic
1502
1632
nonmethod_func = (dict(
1503
1633
zip(attribute.func_code.co_freevars,
1504
1634
attribute.__closure__))
1505
1635
["func"].cell_contents)
1506
1636
else:
1507
nonmethod_func = attribute
1637
nonmethod_func = (dict(
1638
zip(attribute.__code__.co_freevars,
1639
attribute.__closure__))
1640
["func"].cell_contents)
1508
1641
# Create a new, but exactly alike, function
1509
1642
# object, and decorate it to be a new D-Bus signal
1510
1643
# with the alternate D-Bus interface name
1511
if sys.version_info.major == 2:
1512
new_function = types.FunctionType(
1513
nonmethod_func.func_code,
1514
nonmethod_func.func_globals,
1515
nonmethod_func.func_name,
1516
nonmethod_func.func_defaults,
1517
nonmethod_func.func_closure)
1518
else:
1519
new_function = types.FunctionType(
1520
nonmethod_func.__code__,
1521
nonmethod_func.__globals__,
1522
nonmethod_func.__name__,
1523
nonmethod_func.__defaults__,
1524
nonmethod_func.__closure__)
1644
new_function = copy_function(nonmethod_func)
1525
1645
new_function = (dbus.service.signal(
1526
1646
alt_interface,
1527
1647
attribute._dbus_signature)(new_function))
1531
1651
attribute._dbus_annotations)
1532
1652
except AttributeError:
1533
1653
pass
1654
1534
1655
# Define a creator of a function to call both the
1535
1656
# original and alternate functions, so both the
1536
1657
# original and alternate signals gets sent when
1539
1660
"""This function is a scope container to pass
1540
1661
func1 and func2 to the "call_both" function
1541
1662
outside of its arguments"""
1542
1663
1543
1664
@functools.wraps(func2)
1544
1665
def call_both(*args, **kwargs):
1545
1666
"""This function will emit two D-Bus
1546
1667
signals by calling func1 and func2"""
1547
1668
func1(*args, **kwargs)
1548
1669
func2(*args, **kwargs)
1549
# Make wrapper function look like a D-Bus signal
1670
# Make wrapper function look like a D-Bus
1671
# signal
1550
1672
for name, attr in inspect.getmembers(func2):
1551
1673
if name.startswith("_dbus_"):
1552
1674
setattr(call_both, name, attr)
1553
1675
1554
1676
return call_both
1555
1677
# Create the "call_both" function and add it to
1556
1678
# the class
1566
1688
alt_interface,
1567
1689
attribute._dbus_in_signature,
1568
1690
attribute._dbus_out_signature)
1569
(types.FunctionType(attribute.func_code,
1570
attribute.func_globals,
1571
attribute.func_name,
1572
attribute.func_defaults,
1573
attribute.func_closure)))
1691
(copy_function(attribute)))
1574
1692
# Copy annotations, if any
1575
1693
try:
1576
1694
attr[attrname]._dbus_annotations = dict(
1588
1706
attribute._dbus_access,
1589
1707
attribute._dbus_get_args_options
1590
1708
["byte_arrays"])
1591
(types.FunctionType(
1592
attribute.func_code,
1593
attribute.func_globals,
1594
attribute.func_name,
1595
attribute.func_defaults,
1596
attribute.func_closure)))
1709
(copy_function(attribute)))
1597
1710
# Copy annotations, if any
1598
1711
try:
1599
1712
attr[attrname]._dbus_annotations = dict(
1608
1721
# to the class.
1609
1722
attr[attrname] = (
1610
1723
dbus_interface_annotations(alt_interface)
1611
(types.FunctionType(attribute.func_code,
1612
attribute.func_globals,
1613
attribute.func_name,
1614
attribute.func_defaults,
1615
attribute.func_closure)))
1724
(copy_function(attribute)))
1616
1725
if deprecate:
1617
1726
# Deprecate all alternate interfaces
1618
iname="_AlternateDBusNames_interface_annotation{}"
1727
iname = "_AlternateDBusNames_interface_annotation{}"
1619
1728
for interface_name in interface_names:
1620
1729
1621
1730
@dbus_interface_annotations(interface_name)
1622
1731
def func(self):
1623
return { "org.freedesktop.DBus.Deprecated":
1624
"true" }
1732
return {"org.freedesktop.DBus.Deprecated":
1733
"true"}
1625
1734
# Find an unused name
1626
1735
for aname in (iname.format(i)
1627
1736
for i in itertools.count()):
1631
1740
if interface_names:
1632
1741
# Replace the class with a new subclass of it with
1633
1742
# methods, signals, etc. as created above.
1634
cls = type(b"{}Alternate".format(cls.__name__),
1635
(cls, ), attr)
1743
if sys.version_info.major == 2:
1744
cls = type(b"{}Alternate".format(cls.__name__),
1745
(cls, ), attr)
1746
else:
1747
cls = type("{}Alternate".format(cls.__name__),
1748
(cls, ), attr)
1636
1749
return cls
1637
1750
1638
1751
return wrapper
1639
1752
1640
1753
1642
1755
"se.bsnet.fukt.Mandos"})
1643
1756
class ClientDBus(Client, DBusObjectWithProperties):
1644
1757
"""A Client class using D-Bus
1645
1758
1646
1759
Attributes:
1647
1760
dbus_object_path: dbus.ObjectPath
1648
1761
bus: dbus.SystemBus()
1649
1762
"""
1650
1763
1651
1764
runtime_expansions = (Client.runtime_expansions
1652
1765
+ ("dbus_object_path", ))
1653
1766
1654
1767
_interface = "se.recompile.Mandos.Client"
1655
1768
1656
1769
# dbus.service.Object doesn't use super(), so we can't either.
1657
1658
def __init__(self, bus = None, *args, **kwargs):
1770
1771
def __init__(self, bus=None, *args, **kwargs):
1659
1772
self.bus = bus
1660
1773
Client.__init__(self, *args, **kwargs)
1661
1774
# Only now, when this client is initialized, can it show up on
1667
1780
"/clients/" + client_object_name)
1668
1781
DBusObjectWithProperties.__init__(self, self.bus,
1669
1782
self.dbus_object_path)
1670
1783
1671
1784
def notifychangeproperty(transform_func, dbus_name,
1672
1785
type_func=lambda x: x,
1673
1786
variant_level=1,
1675
1788
_interface=_interface):
1676
1789
""" Modify a variable so that it's a property which announces
1677
1790
its changes to DBus.
1678
1791
1679
1792
transform_fun: Function that takes a value and a variant_level
1680
1793
and transforms it to a D-Bus type.
1681
1794
dbus_name: D-Bus name of the variable
1684
1797
variant_level: D-Bus variant level. Default: 1
1685
1798
"""
1686
1799
attrname = "_{}".format(dbus_name)
1687
1800
1688
1801
def setter(self, value):
1689
1802
if hasattr(self, "dbus_object_path"):
1690
1803
if (not hasattr(self, attrname) or
1697
1810
else:
1698
1811
dbus_value = transform_func(
1699
1812
type_func(value),
1700
variant_level = variant_level)
1813
variant_level=variant_level)
1701
1814
self.PropertyChanged(dbus.String(dbus_name),
1702
1815
dbus_value)
1703
1816
self.PropertiesChanged(
1704
1817
_interface,
1705
dbus.Dictionary({ dbus.String(dbus_name):
1706
dbus_value }),
1818
dbus.Dictionary({dbus.String(dbus_name):
1819
dbus_value}),
1707
1820
dbus.Array())
1708
1821
setattr(self, attrname, value)
1709
1822
1710
1823
return property(lambda self: getattr(self, attrname), setter)
1711
1824
1712
1825
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1713
1826
approvals_pending = notifychangeproperty(dbus.Boolean,
1714
1827
"ApprovalPending",
1715
type_func = bool)
1828
type_func=bool)
1716
1829
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1717
1830
last_enabled = notifychangeproperty(datetime_to_dbus,
1718
1831
"LastEnabled")
1719
1832
checker = notifychangeproperty(
1720
1833
dbus.Boolean, "CheckerRunning",
1721
type_func = lambda checker: checker is not None)
1834
type_func=lambda checker: checker is not None)
1722
1835
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1723
1836
"LastCheckedOK")
1724
1837
last_checker_status = notifychangeproperty(dbus.Int16,
1729
1842
"ApprovedByDefault")
1730
1843
approval_delay = notifychangeproperty(
1731
1844
dbus.UInt64, "ApprovalDelay",
1732
type_func = lambda td: td.total_seconds() * 1000)
1845
type_func=lambda td: td.total_seconds() * 1000)
1733
1846
approval_duration = notifychangeproperty(
1734
1847
dbus.UInt64, "ApprovalDuration",
1735
type_func = lambda td: td.total_seconds() * 1000)
1848
type_func=lambda td: td.total_seconds() * 1000)
1736
1849
host = notifychangeproperty(dbus.String, "Host")
1737
1850
timeout = notifychangeproperty(
1738
1851
dbus.UInt64, "Timeout",
1739
type_func = lambda td: td.total_seconds() * 1000)
1852
type_func=lambda td: td.total_seconds() * 1000)
1740
1853
extended_timeout = notifychangeproperty(
1741
1854
dbus.UInt64, "ExtendedTimeout",
1742
type_func = lambda td: td.total_seconds() * 1000)
1855
type_func=lambda td: td.total_seconds() * 1000)
1743
1856
interval = notifychangeproperty(
1744
1857
dbus.UInt64, "Interval",
1745
type_func = lambda td: td.total_seconds() * 1000)
1858
type_func=lambda td: td.total_seconds() * 1000)
1746
1859
checker_command = notifychangeproperty(dbus.String, "Checker")
1747
1860
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1748
1861
invalidate_only=True)
1749
1862
1750
1863
del notifychangeproperty
1751
1864
1752
1865
def __del__(self, *args, **kwargs):
1753
1866
try:
1754
1867
self.remove_from_connection()
1757
1870
if hasattr(DBusObjectWithProperties, "__del__"):
1758
1871
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1759
1872
Client.__del__(self, *args, **kwargs)
1760
1873
1761
1874
def checker_callback(self, source, condition,
1762
1875
connection, command, *args, **kwargs):
1763
1876
ret = Client.checker_callback(self, source, condition,
1779
1892
| self.last_checker_signal),
1780
1893
dbus.String(command))
1781
1894
return ret
1782
1895
1783
1896
def start_checker(self, *args, **kwargs):
1784
1897
old_checker_pid = getattr(self.checker, "pid", None)
1785
1898
r = Client.start_checker(self, *args, **kwargs)
1789
1902
# Emit D-Bus signal
1790
1903
self.CheckerStarted(self.current_checker_command)
1791
1904
return r
1792
1905
1793
1906
def _reset_approved(self):
1794
1907
self.approved = None
1795
1908
return False
1796
1909
1797
1910
def approve(self, value=True):
1798
1911
self.approved = value
1799
gobject.timeout_add(int(self.approval_duration.total_seconds()
1800
* 1000), self._reset_approved)
1912
GLib.timeout_add(int(self.approval_duration.total_seconds()
1913
* 1000), self._reset_approved)
1801
1914
self.send_changedstate()
1802
1803
## D-Bus methods, signals & properties
1804
1805
## Interfaces
1806
1807
## Signals
1808
1915
1916
# D-Bus methods, signals & properties
1917
1918
# Interfaces
1919
1920
# Signals
1921
1809
1922
# CheckerCompleted - signal
1810
1923
@dbus.service.signal(_interface, signature="nxs")
1811
1924
def CheckerCompleted(self, exitcode, waitstatus, command):
1812
1925
"D-Bus signal"
1813
1926
pass
1814
1927
1815
1928
# CheckerStarted - signal
1816
1929
@dbus.service.signal(_interface, signature="s")
1817
1930
def CheckerStarted(self, command):
1818
1931
"D-Bus signal"
1819
1932
pass
1820
1933
1821
1934
# PropertyChanged - signal
1822
1935
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1823
1936
@dbus.service.signal(_interface, signature="sv")
1824
1937
def PropertyChanged(self, property, value):
1825
1938
"D-Bus signal"
1826
1939
pass
1827
1940
1828
1941
# GotSecret - signal
1829
1942
@dbus.service.signal(_interface)
1830
1943
def GotSecret(self):
1833
1946
server to mandos-client
1834
1947
"""
1835
1948
pass
1836
1949
1837
1950
# Rejected - signal
1838
1951
@dbus.service.signal(_interface, signature="s")
1839
1952
def Rejected(self, reason):
1840
1953
"D-Bus signal"
1841
1954
pass
1842
1955
1843
1956
# NeedApproval - signal
1844
1957
@dbus.service.signal(_interface, signature="tb")
1845
1958
def NeedApproval(self, timeout, default):
1846
1959
"D-Bus signal"
1847
1960
return self.need_approval()
1848
1849
## Methods
1850
1961
1962
# Methods
1963
1851
1964
# Approve - method
1852
1965
@dbus.service.method(_interface, in_signature="b")
1853
1966
def Approve(self, value):
1854
1967
self.approve(value)
1855
1968
1856
1969
# CheckedOK - method
1857
1970
@dbus.service.method(_interface)
1858
1971
def CheckedOK(self):
1859
1972
self.checked_ok()
1860
1973
1861
1974
# Enable - method
1862
1975
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1863
1976
@dbus.service.method(_interface)
1864
1977
def Enable(self):
1865
1978
"D-Bus method"
1866
1979
self.enable()
1867
1980
1868
1981
# StartChecker - method
1869
1982
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1870
1983
@dbus.service.method(_interface)
1871
1984
def StartChecker(self):
1872
1985
"D-Bus method"
1873
1986
self.start_checker()
1874
1987
1875
1988
# Disable - method
1876
1989
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1877
1990
@dbus.service.method(_interface)
1878
1991
def Disable(self):
1879
1992
"D-Bus method"
1880
1993
self.disable()
1881
1994
1882
1995
# StopChecker - method
1883
1996
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1884
1997
@dbus.service.method(_interface)
1885
1998
def StopChecker(self):
1886
1999
self.stop_checker()
1887
1888
## Properties
1889
2000
2001
# Properties
2002
1890
2003
# ApprovalPending - property
1891
2004
@dbus_service_property(_interface, signature="b", access="read")
1892
2005
def ApprovalPending_dbus_property(self):
1893
2006
return dbus.Boolean(bool(self.approvals_pending))
1894
2007
1895
2008
# ApprovedByDefault - property
1896
2009
@dbus_service_property(_interface,
1897
2010
signature="b",
1900
2013
if value is None: # get
1901
2014
return dbus.Boolean(self.approved_by_default)
1902
2015
self.approved_by_default = bool(value)
1903
2016
1904
2017
# ApprovalDelay - property
1905
2018
@dbus_service_property(_interface,
1906
2019
signature="t",
1910
2023
return dbus.UInt64(self.approval_delay.total_seconds()
1911
2024
* 1000)
1912
2025
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1913
2026
1914
2027
# ApprovalDuration - property
1915
2028
@dbus_service_property(_interface,
1916
2029
signature="t",
1920
2033
return dbus.UInt64(self.approval_duration.total_seconds()
1921
2034
* 1000)
1922
2035
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1923
2036
1924
2037
# Name - property
1925
2038
@dbus_annotations(
1926
2039
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1927
2040
@dbus_service_property(_interface, signature="s", access="read")
1928
2041
def Name_dbus_property(self):
1929
2042
return dbus.String(self.name)
1930
2043
2044
# KeyID - property
2045
@dbus_annotations(
2046
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2047
@dbus_service_property(_interface, signature="s", access="read")
2048
def KeyID_dbus_property(self):
2049
return dbus.String(self.key_id)
2050
1931
2051
# Fingerprint - property
1932
2052
@dbus_annotations(
1933
2053
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1934
2054
@dbus_service_property(_interface, signature="s", access="read")
1935
2055
def Fingerprint_dbus_property(self):
1936
2056
return dbus.String(self.fingerprint)
1937
2057
1938
2058
# Host - property
1939
2059
@dbus_service_property(_interface,
1940
2060
signature="s",
1943
2063
if value is None: # get
1944
2064
return dbus.String(self.host)
1945
2065
self.host = str(value)
1946
2066
1947
2067
# Created - property
1948
2068
@dbus_annotations(
1949
2069
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1950
2070
@dbus_service_property(_interface, signature="s", access="read")
1951
2071
def Created_dbus_property(self):
1952
2072
return datetime_to_dbus(self.created)
1953
2073
1954
2074
# LastEnabled - property
1955
2075
@dbus_service_property(_interface, signature="s", access="read")
1956
2076
def LastEnabled_dbus_property(self):
1957
2077
return datetime_to_dbus(self.last_enabled)
1958
2078
1959
2079
# Enabled - property
1960
2080
@dbus_service_property(_interface,
1961
2081
signature="b",
1967
2087
self.enable()
1968
2088
else:
1969
2089
self.disable()
1970
2090
1971
2091
# LastCheckedOK - property
1972
2092
@dbus_service_property(_interface,
1973
2093
signature="s",
1977
2097
self.checked_ok()
1978
2098
return
1979
2099
return datetime_to_dbus(self.last_checked_ok)
1980
2100
1981
2101
# LastCheckerStatus - property
1982
2102
@dbus_service_property(_interface, signature="n", access="read")
1983
2103
def LastCheckerStatus_dbus_property(self):
1984
2104
return dbus.Int16(self.last_checker_status)
1985
2105
1986
2106
# Expires - property
1987
2107
@dbus_service_property(_interface, signature="s", access="read")
1988
2108
def Expires_dbus_property(self):
1989
2109
return datetime_to_dbus(self.expires)
1990
2110
1991
2111
# LastApprovalRequest - property
1992
2112
@dbus_service_property(_interface, signature="s", access="read")
1993
2113
def LastApprovalRequest_dbus_property(self):
1994
2114
return datetime_to_dbus(self.last_approval_request)
1995
2115
1996
2116
# Timeout - property
1997
2117
@dbus_service_property(_interface,
1998
2118
signature="t",
2013
2133
if (getattr(self, "disable_initiator_tag", None)
2014
2134
is None):
2015
2135
return
2016
gobject.source_remove(self.disable_initiator_tag)
2017
self.disable_initiator_tag = gobject.timeout_add(
2136
GLib.source_remove(self.disable_initiator_tag)
2137
self.disable_initiator_tag = GLib.timeout_add(
2018
2138
int((self.expires - now).total_seconds() * 1000),
2019
2139
self.disable)
2020
2140
2021
2141
# ExtendedTimeout - property
2022
2142
@dbus_service_property(_interface,
2023
2143
signature="t",
2027
2147
return dbus.UInt64(self.extended_timeout.total_seconds()
2028
2148
* 1000)
2029
2149
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2030
2150
2031
2151
# Interval - property
2032
2152
@dbus_service_property(_interface,
2033
2153
signature="t",
2040
2160
return
2041
2161
if self.enabled:
2042
2162
# Reschedule checker run
2043
gobject.source_remove(self.checker_initiator_tag)
2044
self.checker_initiator_tag = gobject.timeout_add(
2163
GLib.source_remove(self.checker_initiator_tag)
2164
self.checker_initiator_tag = GLib.timeout_add(
2045
2165
value, self.start_checker)
2046
self.start_checker() # Start one now, too
2047
2166
self.start_checker() # Start one now, too
2167
2048
2168
# Checker - property
2049
2169
@dbus_service_property(_interface,
2050
2170
signature="s",
2053
2173
if value is None: # get
2054
2174
return dbus.String(self.checker_command)
2055
2175
self.checker_command = str(value)
2056
2176
2057
2177
# CheckerRunning - property
2058
2178
@dbus_service_property(_interface,
2059
2179
signature="b",
2065
2185
self.start_checker()
2066
2186
else:
2067
2187
self.stop_checker()
2068
2188
2069
2189
# ObjectPath - property
2070
2190
@dbus_annotations(
2071
2191
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2072
2192
"org.freedesktop.DBus.Deprecated": "true"})
2073
2193
@dbus_service_property(_interface, signature="o", access="read")
2074
2194
def ObjectPath_dbus_property(self):
2075
return self.dbus_object_path # is already a dbus.ObjectPath
2076
2195
return self.dbus_object_path # is already a dbus.ObjectPath
2196
2077
2197
# Secret = property
2078
2198
@dbus_annotations(
2079
2199
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2084
2204
byte_arrays=True)
2085
2205
def Secret_dbus_property(self, value):
2086
2206
self.secret = bytes(value)
2087
2207
2088
2208
del _interface
2089
2209
2090
2210
2091
2211
class ProxyClient(object):
2092
def __init__(self, child_pipe, fpr, address):
2212
def __init__(self, child_pipe, key_id, fpr, address):
2093
2213
self._pipe = child_pipe
2094
self._pipe.send(('init', fpr, address))
2214
self._pipe.send(('init', key_id, fpr, address))
2095
2215
if not self._pipe.recv():
2096
raise KeyError(fpr)
2097
2216
raise KeyError(key_id or fpr)
2217
2098
2218
def __getattribute__(self, name):
2099
2219
if name == '_pipe':
2100
2220
return super(ProxyClient, self).__getattribute__(name)
2103
2223
if data[0] == 'data':
2104
2224
return data[1]
2105
2225
if data[0] == 'function':
2106
2226
2107
2227
def func(*args, **kwargs):
2108
2228
self._pipe.send(('funcall', name, args, kwargs))
2109
2229
return self._pipe.recv()[1]
2110
2230
2111
2231
return func
2112
2232
2113
2233
def __setattr__(self, name, value):
2114
2234
if name == '_pipe':
2115
2235
return super(ProxyClient, self).__setattr__(name, value)
2118
2238
2119
2239
class ClientHandler(socketserver.BaseRequestHandler, object):
2120
2240
"""A class to handle client connections.
2121
2241
2122
2242
Instantiated once for each connection to handle it.
2123
2243
Note: This will run in its own forked process."""
2124
2244
2125
2245
def handle(self):
2126
2246
with contextlib.closing(self.server.child_pipe) as child_pipe:
2127
2247
logger.info("TCP connection from: %s",
2128
2248
str(self.client_address))
2129
2249
logger.debug("Pipe FD: %d",
2130
2250
self.server.child_pipe.fileno())
2131
2251
2132
2252
session = gnutls.ClientSession(self.request)
2133
2134
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2135
# "+AES-256-CBC", "+SHA1",
2136
# "+COMP-NULL", "+CTYPE-OPENPGP",
2137
# "+DHE-DSS"))
2253
2254
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2255
# "+AES-256-CBC", "+SHA1",
2256
# "+COMP-NULL", "+CTYPE-OPENPGP",
2257
# "+DHE-DSS"))
2138
2258
# Use a fallback default, since this MUST be set.
2139
2259
priority = self.server.gnutls_priority
2140
2260
if priority is None:
2141
2261
priority = "NORMAL"
2142
gnutls.priority_set_direct(session._c_object, priority,
2262
gnutls.priority_set_direct(session._c_object,
2263
priority.encode("utf-8"),
2143
2264
None)
2144
2265
2145
2266
# Start communication using the Mandos protocol
2146
2267
# Get protocol number
2147
2268
line = self.request.makefile().readline()
2152
2273
except (ValueError, IndexError, RuntimeError) as error:
2153
2274
logger.error("Unknown protocol version: %s", error)
2154
2275
return
2155
2276
2156
2277
# Start GnuTLS connection
2157
2278
try:
2158
2279
session.handshake()
2162
2283
# established. Just abandon the request.
2163
2284
return
2164
2285
logger.debug("Handshake succeeded")
2165
2286
2166
2287
approval_required = False
2167
2288
try:
2168
try:
2169
fpr = self.fingerprint(
2170
self.peer_certificate(session))
2171
except (TypeError, gnutls.Error) as error:
2172
logger.warning("Bad certificate: %s", error)
2173
return
2174
logger.debug("Fingerprint: %s", fpr)
2175
2176
try:
2177
client = ProxyClient(child_pipe, fpr,
2289
if gnutls.has_rawpk:
2290
fpr = ""
2291
try:
2292
key_id = self.key_id(
2293
self.peer_certificate(session))
2294
except (TypeError, gnutls.Error) as error:
2295
logger.warning("Bad certificate: %s", error)
2296
return
2297
logger.debug("Key ID: %s", key_id)
2298
2299
else:
2300
key_id = ""
2301
try:
2302
fpr = self.fingerprint(
2303
self.peer_certificate(session))
2304
except (TypeError, gnutls.Error) as error:
2305
logger.warning("Bad certificate: %s", error)
2306
return
2307
logger.debug("Fingerprint: %s", fpr)
2308
2309
try:
2310
client = ProxyClient(child_pipe, key_id, fpr,
2178
2311
self.client_address)
2179
2312
except KeyError:
2180
2313
return
2181
2314
2182
2315
if client.approval_delay:
2183
2316
delay = client.approval_delay
2184
2317
client.approvals_pending += 1
2185
2318
approval_required = True
2186
2319
2187
2320
while True:
2188
2321
if not client.enabled:
2189
2322
logger.info("Client %s is disabled",
2192
2325
# Emit D-Bus signal
2193
2326
client.Rejected("Disabled")
2194
2327
return
2195
2328
2196
2329
if client.approved or not client.approval_delay:
2197
#We are approved or approval is disabled
2330
# We are approved or approval is disabled
2198
2331
break
2199
2332
elif client.approved is None:
2200
2333
logger.info("Client %s needs approval",
2211
2344
# Emit D-Bus signal
2212
2345
client.Rejected("Denied")
2213
2346
return
2214
2215
#wait until timeout or approved
2347
2348
# wait until timeout or approved
2216
2349
time = datetime.datetime.now()
2217
2350
client.changedstate.acquire()
2218
2351
client.changedstate.wait(delay.total_seconds())
2231
2364
break
2232
2365
else:
2233
2366
delay -= time2 - time
2234
2367
2235
2368
try:
2236
2369
session.send(client.secret)
2237
2370
except gnutls.Error as error:
2238
2371
logger.warning("gnutls send failed",
2239
exc_info = error)
2372
exc_info=error)
2240
2373
return
2241
2374
2242
2375
logger.info("Sending secret to %s", client.name)
2243
2376
# bump the timeout using extended_timeout
2244
2377
client.bump_timeout(client.extended_timeout)
2245
2378
if self.server.use_dbus:
2246
2379
# Emit D-Bus signal
2247
2380
client.GotSecret()
2248
2381
2249
2382
finally:
2250
2383
if approval_required:
2251
2384
client.approvals_pending -= 1
2254
2387
except gnutls.Error as error:
2255
2388
logger.warning("GnuTLS bye failed",
2256
2389
exc_info=error)
2257
2390
2258
2391
@staticmethod
2259
2392
def peer_certificate(session):
2260
"Return the peer's OpenPGP certificate as a bytestring"
2261
# If not an OpenPGP certificate...
2262
if (gnutls.certificate_type_get(session._c_object)
2263
!= gnutls.CRT_OPENPGP):
2393
"Return the peer's certificate as a bytestring"
2394
try:
2395
cert_type = gnutls.certificate_type_get2(session._c_object,
2396
gnutls.CTYPE_PEERS)
2397
except AttributeError:
2398
cert_type = gnutls.certificate_type_get(session._c_object)
2399
if gnutls.has_rawpk:
2400
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2401
else:
2402
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2403
# If not a valid certificate type...
2404
if cert_type not in valid_cert_types:
2405
logger.info("Cert type %r not in %r", cert_type,
2406
valid_cert_types)
2264
2407
# ...return invalid data
2265
2408
return b""
2266
2409
list_size = ctypes.c_uint(1)
2272
2415
return None
2273
2416
cert = cert_list[0]
2274
2417
return ctypes.string_at(cert.data, cert.size)
2275
2418
2419
@staticmethod
2420
def key_id(certificate):
2421
"Convert a certificate bytestring to a hexdigit key ID"
2422
# New GnuTLS "datum" with the public key
2423
datum = gnutls.datum_t(
2424
ctypes.cast(ctypes.c_char_p(certificate),
2425
ctypes.POINTER(ctypes.c_ubyte)),
2426
ctypes.c_uint(len(certificate)))
2427
# XXX all these need to be created in the gnutls "module"
2428
# New empty GnuTLS certificate
2429
pubkey = gnutls.pubkey_t()
2430
gnutls.pubkey_init(ctypes.byref(pubkey))
2431
# Import the raw public key into the certificate
2432
gnutls.pubkey_import(pubkey,
2433
ctypes.byref(datum),
2434
gnutls.X509_FMT_DER)
2435
# New buffer for the key ID
2436
buf = ctypes.create_string_buffer(32)
2437
buf_len = ctypes.c_size_t(len(buf))
2438
# Get the key ID from the raw public key into the buffer
2439
gnutls.pubkey_get_key_id(pubkey,
2440
gnutls.KEYID_USE_SHA256,
2441
ctypes.cast(ctypes.byref(buf),
2442
ctypes.POINTER(ctypes.c_ubyte)),
2443
ctypes.byref(buf_len))
2444
# Deinit the certificate
2445
gnutls.pubkey_deinit(pubkey)
2446
2447
# Convert the buffer to a Python bytestring
2448
key_id = ctypes.string_at(buf, buf_len.value)
2449
# Convert the bytestring to hexadecimal notation
2450
hex_key_id = binascii.hexlify(key_id).upper()
2451
return hex_key_id
2452
2276
2453
@staticmethod
2277
2454
def fingerprint(openpgp):
2278
2455
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2293
2470
ctypes.byref(crtverify))
2294
2471
if crtverify.value != 0:
2295
2472
gnutls.openpgp_crt_deinit(crt)
2296
raise gnutls.CertificateSecurityError("Verify failed")
2473
raise gnutls.CertificateSecurityError(code
2474
=crtverify.value)
2297
2475
# New buffer for the fingerprint
2298
2476
buf = ctypes.create_string_buffer(20)
2299
2477
buf_len = ctypes.c_size_t()
2311
2489
2312
2490
class MultiprocessingMixIn(object):
2313
2491
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2314
2492
2315
2493
def sub_process_main(self, request, address):
2316
2494
try:
2317
2495
self.finish_request(request, address)
2318
2496
except Exception:
2319
2497
self.handle_error(request, address)
2320
2498
self.close_request(request)
2321
2499
2322
2500
def process_request(self, request, address):
2323
2501
"""Start a new process to process the request."""
2324
proc = multiprocessing.Process(target = self.sub_process_main,
2325
args = (request, address))
2502
proc = multiprocessing.Process(target=self.sub_process_main,
2503
args=(request, address))
2326
2504
proc.start()
2327
2505
return proc
2328
2506
2329
2507
2330
2508
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2331
2509
""" adds a pipe to the MixIn """
2332
2510
2333
2511
def process_request(self, request, client_address):
2334
2512
"""Overrides and wraps the original process_request().
2335
2513
2336
2514
This function creates a new pipe in self.pipe
2337
2515
"""
2338
2516
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2339
2517
2340
2518
proc = MultiprocessingMixIn.process_request(self, request,
2341
2519
client_address)
2342
2520
self.child_pipe.close()
2343
2521
self.add_pipe(parent_pipe, proc)
2344
2522
2345
2523
def add_pipe(self, parent_pipe, proc):
2346
2524
"""Dummy function; override as necessary"""
2347
2525
raise NotImplementedError()
2350
2528
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2351
2529
socketserver.TCPServer, object):
2352
2530
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2353
2531
2354
2532
Attributes:
2355
2533
enabled: Boolean; whether this server is activated yet
2356
2534
interface: None or a network interface name (string)
2357
2535
use_ipv6: Boolean; to use IPv6 or not
2358
2536
"""
2359
2537
2360
2538
def __init__(self, server_address, RequestHandlerClass,
2361
2539
interface=None,
2362
2540
use_ipv6=True,
2372
2550
self.socketfd = socketfd
2373
2551
# Save the original socket.socket() function
2374
2552
self.socket_socket = socket.socket
2553
2375
2554
# To implement --socket, we monkey patch socket.socket.
2376
#
2555
#
2377
2556
# (When socketserver.TCPServer is a new-style class, we
2378
2557
# could make self.socket into a property instead of monkey
2379
2558
# patching socket.socket.)
2380
#
2559
#
2381
2560
# Create a one-time-only replacement for socket.socket()
2382
2561
@functools.wraps(socket.socket)
2383
2562
def socket_wrapper(*args, **kwargs):
2395
2574
# socket_wrapper(), if socketfd was set.
2396
2575
socketserver.TCPServer.__init__(self, server_address,
2397
2576
RequestHandlerClass)
2398
2577
2399
2578
def server_bind(self):
2400
2579
"""This overrides the normal server_bind() function
2401
2580
to bind to an interface if one was specified, and also NOT to
2402
2581
bind to an address or port if they were not specified."""
2582
global SO_BINDTODEVICE
2403
2583
if self.interface is not None:
2404
2584
if SO_BINDTODEVICE is None:
2405
logger.error("SO_BINDTODEVICE does not exist;"
2406
" cannot bind to interface %s",
2407
self.interface)
2408
else:
2409
try:
2410
self.socket.setsockopt(
2411
socket.SOL_SOCKET, SO_BINDTODEVICE,
2412
(self.interface + "\0").encode("utf-8"))
2413
except socket.error as error:
2414
if error.errno == errno.EPERM:
2415
logger.error("No permission to bind to"
2416
" interface %s", self.interface)
2417
elif error.errno == errno.ENOPROTOOPT:
2418
logger.error("SO_BINDTODEVICE not available;"
2419
" cannot bind to interface %s",
2420
self.interface)
2421
elif error.errno == errno.ENODEV:
2422
logger.error("Interface %s does not exist,"
2423
" cannot bind", self.interface)
2424
else:
2425
raise
2585
# Fall back to a hard-coded value which seems to be
2586
# common enough.
2587
logger.warning("SO_BINDTODEVICE not found, trying 25")
2588
SO_BINDTODEVICE = 25
2589
try:
2590
self.socket.setsockopt(
2591
socket.SOL_SOCKET, SO_BINDTODEVICE,
2592
(self.interface + "\0").encode("utf-8"))
2593
except socket.error as error:
2594
if error.errno == errno.EPERM:
2595
logger.error("No permission to bind to"
2596
" interface %s", self.interface)
2597
elif error.errno == errno.ENOPROTOOPT:
2598
logger.error("SO_BINDTODEVICE not available;"
2599
" cannot bind to interface %s",
2600
self.interface)
2601
elif error.errno == errno.ENODEV:
2602
logger.error("Interface %s does not exist,"
2603
" cannot bind", self.interface)
2604
else:
2605
raise
2426
2606
# Only bind(2) the socket if we really need to.
2427
2607
if self.server_address[0] or self.server_address[1]:
2608
if self.server_address[1]:
2609
self.allow_reuse_address = True
2428
2610
if not self.server_address[0]:
2429
2611
if self.address_family == socket.AF_INET6:
2430
any_address = "::" # in6addr_any
2612
any_address = "::" # in6addr_any
2431
2613
else:
2432
any_address = "0.0.0.0" # INADDR_ANY
2614
any_address = "0.0.0.0" # INADDR_ANY
2433
2615
self.server_address = (any_address,
2434
2616
self.server_address[1])
2435
2617
elif not self.server_address[1]:
2445
2627
2446
2628
class MandosServer(IPv6_TCPServer):
2447
2629
"""Mandos server.
2448
2630
2449
2631
Attributes:
2450
2632
clients: set of Client objects
2451
2633
gnutls_priority GnuTLS priority string
2452
2634
use_dbus: Boolean; to emit D-Bus signals or not
2453
2454
Assumes a gobject.MainLoop event loop.
2635
2636
Assumes a GLib.MainLoop event loop.
2455
2637
"""
2456
2638
2457
2639
def __init__(self, server_address, RequestHandlerClass,
2458
2640
interface=None,
2459
2641
use_ipv6=True,
2469
2651
self.gnutls_priority = gnutls_priority
2470
2652
IPv6_TCPServer.__init__(self, server_address,
2471
2653
RequestHandlerClass,
2472
interface = interface,
2473
use_ipv6 = use_ipv6,
2474
socketfd = socketfd)
2475
2654
interface=interface,
2655
use_ipv6=use_ipv6,
2656
socketfd=socketfd)
2657
2476
2658
def server_activate(self):
2477
2659
if self.enabled:
2478
2660
return socketserver.TCPServer.server_activate(self)
2479
2661
2480
2662
def enable(self):
2481
2663
self.enabled = True
2482
2664
2483
2665
def add_pipe(self, parent_pipe, proc):
2484
2666
# Call "handle_ipc" for both data and EOF events
2485
gobject.io_add_watch(
2667
GLib.io_add_watch(
2486
2668
parent_pipe.fileno(),
2487
gobject.IO_IN | gobject.IO_HUP,
2669
GLib.IO_IN | GLib.IO_HUP,
2488
2670
functools.partial(self.handle_ipc,
2489
parent_pipe = parent_pipe,
2490
proc = proc))
2491
2671
parent_pipe=parent_pipe,
2672
proc=proc))
2673
2492
2674
def handle_ipc(self, source, condition,
2493
2675
parent_pipe=None,
2494
proc = None,
2676
proc=None,
2495
2677
client_object=None):
2496
2678
# error, or the other end of multiprocessing.Pipe has closed
2497
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2679
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2498
2680
# Wait for other process to exit
2499
2681
proc.join()
2500
2682
return False
2501
2683
2502
2684
# Read a request from the child
2503
2685
request = parent_pipe.recv()
2504
2686
command = request[0]
2505
2687
2506
2688
if command == 'init':
2507
fpr = request[1]
2508
address = request[2]
2509
2510
for c in self.clients.itervalues():
2511
if c.fingerprint == fpr:
2689
key_id = request[1].decode("ascii")
2690
fpr = request[2].decode("ascii")
2691
address = request[3]
2692
2693
for c in self.clients.values():
2694
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2695
continue
2696
if key_id and c.key_id == key_id:
2697
client = c
2698
break
2699
if fpr and c.fingerprint == fpr:
2512
2700
client = c
2513
2701
break
2514
2702
else:
2515
logger.info("Client not found for fingerprint: %s, ad"
2516
"dress: %s", fpr, address)
2703
logger.info("Client not found for key ID: %s, address"
2704
": %s", key_id or fpr, address)
2517
2705
if self.use_dbus:
2518
2706
# Emit D-Bus signal
2519
mandos_dbus_service.ClientNotFound(fpr,
2707
mandos_dbus_service.ClientNotFound(key_id or fpr,
2520
2708
address[0])
2521
2709
parent_pipe.send(False)
2522
2710
return False
2523
2524
gobject.io_add_watch(
2711
2712
GLib.io_add_watch(
2525
2713
parent_pipe.fileno(),
2526
gobject.IO_IN | gobject.IO_HUP,
2714
GLib.IO_IN | GLib.IO_HUP,
2527
2715
functools.partial(self.handle_ipc,
2528
parent_pipe = parent_pipe,
2529
proc = proc,
2530
client_object = client))
2716
parent_pipe=parent_pipe,
2717
proc=proc,
2718
client_object=client))
2531
2719
parent_pipe.send(True)
2532
2720
# remove the old hook in favor of the new above hook on
2533
2721
# same fileno
2536
2724
funcname = request[1]
2537
2725
args = request[2]
2538
2726
kwargs = request[3]
2539
2727
2540
2728
parent_pipe.send(('data', getattr(client_object,
2541
2729
funcname)(*args,
2542
2730
**kwargs)))
2543
2731
2544
2732
if command == 'getattr':
2545
2733
attrname = request[1]
2546
2734
if isinstance(client_object.__getattribute__(attrname),
2549
2737
else:
2550
2738
parent_pipe.send((
2551
2739
'data', client_object.__getattribute__(attrname)))
2552
2740
2553
2741
if command == 'setattr':
2554
2742
attrname = request[1]
2555
2743
value = request[2]
2556
2744
setattr(client_object, attrname, value)
2557
2745
2558
2746
return True
2559
2747
2560
2748
2561
2749
def rfc3339_duration_to_delta(duration):
2562
2750
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2563
2751
2564
2752
>>> rfc3339_duration_to_delta("P7D")
2565
2753
datetime.timedelta(7)
2566
2754
>>> rfc3339_duration_to_delta("PT60S")
2576
2764
>>> rfc3339_duration_to_delta("P1DT3M20S")
2577
2765
datetime.timedelta(1, 200)
2578
2766
"""
2579
2767
2580
2768
# Parsing an RFC 3339 duration with regular expressions is not
2581
2769
# possible - there would have to be multiple places for the same
2582
2770
# values, like seconds. The current code, while more esoteric, is
2583
2771
# cleaner without depending on a parsing library. If Python had a
2584
2772
# built-in library for parsing we would use it, but we'd like to
2585
2773
# avoid excessive use of external libraries.
2586
2774
2587
2775
# New type for defining tokens, syntax, and semantics all-in-one
2588
2776
Token = collections.namedtuple("Token", (
2589
2777
"regexp", # To match token; if "value" is not None, must have
2622
2810
frozenset((token_year, token_month,
2623
2811
token_day, token_time,
2624
2812
token_week)))
2625
# Define starting values
2626
value = datetime.timedelta() # Value so far
2813
# Define starting values:
2814
# Value so far
2815
value = datetime.timedelta()
2627
2816
found_token = None
2628
followers = frozenset((token_duration, )) # Following valid tokens
2629
s = duration # String left to parse
2817
# Following valid tokens
2818
followers = frozenset((token_duration, ))
2819
# String left to parse
2820
s = duration
2630
2821
# Loop until end token is found
2631
2822
while found_token is not token_end:
2632
2823
# Search for any currently valid tokens
2656
2847
2657
2848
def string_to_delta(interval):
2658
2849
"""Parse a string and return a datetime.timedelta
2659
2850
2660
2851
>>> string_to_delta('7d')
2661
2852
datetime.timedelta(7)
2662
2853
>>> string_to_delta('60s')
2670
2861
>>> string_to_delta('5m 30s')
2671
2862
datetime.timedelta(0, 330)
2672
2863
"""
2673
2864
2674
2865
try:
2675
2866
return rfc3339_duration_to_delta(interval)
2676
2867
except ValueError:
2677
2868
pass
2678
2869
2679
2870
timevalue = datetime.timedelta(0)
2680
2871
for s in interval.split():
2681
2872
try:
2699
2890
return timevalue
2700
2891
2701
2892
2702
def daemon(nochdir = False, noclose = False):
2893
def daemon(nochdir=False, noclose=False):
2703
2894
"""See daemon(3). Standard BSD Unix function.
2704
2895
2705
2896
This should really exist as os.daemon, but it doesn't (yet)."""
2706
2897
if os.fork():
2707
2898
sys.exit()
2725
2916
2726
2917
2727
2918
def main():
2728
2919
2729
2920
##################################################################
2730
2921
# Parsing of options, both command line and config file
2731
2922
2732
2923
parser = argparse.ArgumentParser()
2733
2924
parser.add_argument("-v", "--version", action="version",
2734
version = "%(prog)s {}".format(version),
2925
version="%(prog)s {}".format(version),
2735
2926
help="show version number and exit")
2736
2927
parser.add_argument("-i", "--interface", metavar="IF",
2737
2928
help="Bind to interface IF")
2773
2964
parser.add_argument("--no-zeroconf", action="store_false",
2774
2965
dest="zeroconf", help="Do not use Zeroconf",
2775
2966
default=None)
2776
2967
2777
2968
options = parser.parse_args()
2778
2969
2779
2970
if options.check:
2780
2971
import doctest
2781
2972
fail_count, test_count = doctest.testmod()
2782
2973
sys.exit(os.EX_OK if fail_count == 0 else 1)
2783
2974
2784
2975
# Default values for config file for server-global settings
2785
server_defaults = { "interface": "",
2786
"address": "",
2787
"port": "",
2788
"debug": "False",
2789
"priority":
2790
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2791
":+SIGN-DSA-SHA256",
2792
"servicename": "Mandos",
2793
"use_dbus": "True",
2794
"use_ipv6": "True",
2795
"debuglevel": "",
2796
"restore": "True",
2797
"socket": "",
2798
"statedir": "/var/lib/mandos",
2799
"foreground": "False",
2800
"zeroconf": "True",
2801
}
2802
2976
if gnutls.has_rawpk:
2977
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2978
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2979
else:
2980
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2981
":+SIGN-DSA-SHA256")
2982
server_defaults = {"interface": "",
2983
"address": "",
2984
"port": "",
2985
"debug": "False",
2986
"priority": priority,
2987
"servicename": "Mandos",
2988
"use_dbus": "True",
2989
"use_ipv6": "True",
2990
"debuglevel": "",
2991
"restore": "True",
2992
"socket": "",
2993
"statedir": "/var/lib/mandos",
2994
"foreground": "False",
2995
"zeroconf": "True",
2996
}
2997
del priority
2998
2803
2999
# Parse config file for server-global settings
2804
3000
server_config = configparser.SafeConfigParser(server_defaults)
2805
3001
del server_defaults
2807
3003
# Convert the SafeConfigParser object to a dict
2808
3004
server_settings = server_config.defaults()
2809
3005
# Use the appropriate methods on the non-string config options
2810
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3006
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3007
"foreground", "zeroconf"):
2811
3008
server_settings[option] = server_config.getboolean("DEFAULT",
2812
3009
option)
2813
3010
if server_settings["port"]:
2823
3020
server_settings["socket"] = os.dup(server_settings
2824
3021
["socket"])
2825
3022
del server_config
2826
3023
2827
3024
# Override the settings from the config file with command line
2828
3025
# options, if set.
2829
3026
for option in ("interface", "address", "port", "debug",
2847
3044
if server_settings["debug"]:
2848
3045
server_settings["foreground"] = True
2849
3046
# Now we have our good server settings in "server_settings"
2850
3047
2851
3048
##################################################################
2852
3049
2853
3050
if (not server_settings["zeroconf"]
2854
3051
and not (server_settings["port"]
2855
3052
or server_settings["socket"] != "")):
2856
3053
parser.error("Needs port or socket to work without Zeroconf")
2857
3054
2858
3055
# For convenience
2859
3056
debug = server_settings["debug"]
2860
3057
debuglevel = server_settings["debuglevel"]
2864
3061
stored_state_file)
2865
3062
foreground = server_settings["foreground"]
2866
3063
zeroconf = server_settings["zeroconf"]
2867
3064
2868
3065
if debug:
2869
3066
initlogger(debug, logging.DEBUG)
2870
3067
else:
2873
3070
else:
2874
3071
level = getattr(logging, debuglevel.upper())
2875
3072
initlogger(debug, level)
2876
3073
2877
3074
if server_settings["servicename"] != "Mandos":
2878
3075
syslogger.setFormatter(
2879
3076
logging.Formatter('Mandos ({}) [%(process)d]:'
2880
3077
' %(levelname)s: %(message)s'.format(
2881
3078
server_settings["servicename"])))
2882
3079
2883
3080
# Parse config file with clients
2884
3081
client_config = configparser.SafeConfigParser(Client
2885
3082
.client_defaults)
2886
3083
client_config.read(os.path.join(server_settings["configdir"],
2887
3084
"clients.conf"))
2888
3085
2889
3086
global mandos_dbus_service
2890
3087
mandos_dbus_service = None
2891
3088
2892
3089
socketfd = None
2893
3090
if server_settings["socket"] != "":
2894
3091
socketfd = server_settings["socket"]
2910
3107
except IOError as e:
2911
3108
logger.error("Could not open file %r", pidfilename,
2912
3109
exc_info=e)
2913
2914
for name in ("_mandos", "mandos", "nobody"):
3110
3111
for name, group in (("_mandos", "_mandos"),
3112
("mandos", "mandos"),
3113
("nobody", "nogroup")):
2915
3114
try:
2916
3115
uid = pwd.getpwnam(name).pw_uid
2917
gid = pwd.getpwnam(name).pw_gid
3116
gid = pwd.getpwnam(group).pw_gid
2918
3117
break
2919
3118
except KeyError:
2920
3119
continue
2924
3123
try:
2925
3124
os.setgid(gid)
2926
3125
os.setuid(uid)
3126
if debug:
3127
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3128
gid))
2927
3129
except OSError as error:
3130
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3131
.format(uid, gid, os.strerror(error.errno)))
2928
3132
if error.errno != errno.EPERM:
2929
3133
raise
2930
3134
2931
3135
if debug:
2932
3136
# Enable all possible GnuTLS debugging
2933
3137
2934
3138
# "Use a log level over 10 to enable all debugging options."
2935
3139
# - GnuTLS manual
2936
3140
gnutls.global_set_log_level(11)
2937
3141
2938
3142
@gnutls.log_func
2939
3143
def debug_gnutls(level, string):
2940
3144
logger.debug("GnuTLS: %s", string[:-1])
2941
3145
2942
3146
gnutls.global_set_log_function(debug_gnutls)
2943
3147
2944
3148
# Redirect stdin so all checkers get /dev/null
2945
3149
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2946
3150
os.dup2(null, sys.stdin.fileno())
2947
3151
if null > 2:
2948
3152
os.close(null)
2949
3153
2950
3154
# Need to fork before connecting to D-Bus
2951
3155
if not foreground:
2952
3156
# Close all input and output, do double fork, etc.
2953
3157
daemon()
2954
2955
# multiprocessing will use threads, so before we use gobject we
2956
# need to inform gobject that threads will be used.
2957
gobject.threads_init()
2958
3158
3159
# multiprocessing will use threads, so before we use GLib we need
3160
# to inform GLib that threads will be used.
3161
GLib.threads_init()
3162
2959
3163
global main_loop
2960
3164
# From the Avahi example code
2961
3165
DBusGMainLoop(set_as_default=True)
2962
main_loop = gobject.MainLoop()
3166
main_loop = GLib.MainLoop()
2963
3167
bus = dbus.SystemBus()
2964
3168
# End of Avahi example code
2965
3169
if use_dbus:
2978
3182
if zeroconf:
2979
3183
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2980
3184
service = AvahiServiceToSyslog(
2981
name = server_settings["servicename"],
2982
servicetype = "_mandos._tcp",
2983
protocol = protocol,
2984
bus = bus)
3185
name=server_settings["servicename"],
3186
servicetype="_mandos._tcp",
3187
protocol=protocol,
3188
bus=bus)
2985
3189
if server_settings["interface"]:
2986
3190
service.interface = if_nametoindex(
2987
3191
server_settings["interface"].encode("utf-8"))
2988
3192
2989
3193
global multiprocessing_manager
2990
3194
multiprocessing_manager = multiprocessing.Manager()
2991
3195
2992
3196
client_class = Client
2993
3197
if use_dbus:
2994
client_class = functools.partial(ClientDBus, bus = bus)
2995
3198
client_class = functools.partial(ClientDBus, bus=bus)
3199
2996
3200
client_settings = Client.config_parser(client_config)
2997
3201
old_client_settings = {}
2998
3202
clients_data = {}
2999
3203
3000
3204
# This is used to redirect stdout and stderr for checker processes
3001
3205
global wnull
3002
wnull = open(os.devnull, "w") # A writable /dev/null
3206
wnull = open(os.devnull, "w") # A writable /dev/null
3003
3207
# Only used if server is running in foreground but not in debug
3004
3208
# mode
3005
3209
if debug or not foreground:
3006
3210
wnull.close()
3007
3211
3008
3212
# Get client data and settings from last running state.
3009
3213
if server_settings["restore"]:
3010
3214
try:
3011
3215
with open(stored_state_path, "rb") as stored_state:
3012
clients_data, old_client_settings = pickle.load(
3013
stored_state)
3216
if sys.version_info.major == 2:
3217
clients_data, old_client_settings = pickle.load(
3218
stored_state)
3219
else:
3220
bytes_clients_data, bytes_old_client_settings = (
3221
pickle.load(stored_state, encoding="bytes"))
3222
# Fix bytes to strings
3223
# clients_data
3224
# .keys()
3225
clients_data = {(key.decode("utf-8")
3226
if isinstance(key, bytes)
3227
else key): value
3228
for key, value in
3229
bytes_clients_data.items()}
3230
del bytes_clients_data
3231
for key in clients_data:
3232
value = {(k.decode("utf-8")
3233
if isinstance(k, bytes) else k): v
3234
for k, v in
3235
clients_data[key].items()}
3236
clients_data[key] = value
3237
# .client_structure
3238
value["client_structure"] = [
3239
(s.decode("utf-8")
3240
if isinstance(s, bytes)
3241
else s) for s in
3242
value["client_structure"]]
3243
# .name & .host
3244
for k in ("name", "host"):
3245
if isinstance(value[k], bytes):
3246
value[k] = value[k].decode("utf-8")
3247
if not value.has_key("key_id"):
3248
value["key_id"] = ""
3249
elif not value.has_key("fingerprint"):
3250
value["fingerprint"] = ""
3251
# old_client_settings
3252
# .keys()
3253
old_client_settings = {
3254
(key.decode("utf-8")
3255
if isinstance(key, bytes)
3256
else key): value
3257
for key, value in
3258
bytes_old_client_settings.items()}
3259
del bytes_old_client_settings
3260
# .host
3261
for value in old_client_settings.values():
3262
if isinstance(value["host"], bytes):
3263
value["host"] = (value["host"]
3264
.decode("utf-8"))
3014
3265
os.remove(stored_state_path)
3015
3266
except IOError as e:
3016
3267
if e.errno == errno.ENOENT:
3024
3275
logger.warning("Could not load persistent state: "
3025
3276
"EOFError:",
3026
3277
exc_info=e)
3027
3278
3028
3279
with PGPEngine() as pgp:
3029
3280
for client_name, client in clients_data.items():
3030
3281
# Skip removed clients
3031
3282
if client_name not in client_settings:
3032
3283
continue
3033
3284
3034
3285
# Decide which value to use after restoring saved state.
3035
3286
# We have three different values: Old config file,
3036
3287
# new config file, and saved state.
3047
3298
client[name] = value
3048
3299
except KeyError:
3049
3300
pass
3050
3301
3051
3302
# Clients who has passed its expire date can still be
3052
3303
# enabled if its last checker was successful. A Client
3053
3304
# whose checker succeeded before we stored its state is
3086
3337
client_name))
3087
3338
client["secret"] = (client_settings[client_name]
3088
3339
["secret"])
3089
3340
3090
3341
# Add/remove clients based on new changes made to config
3091
3342
for client_name in (set(old_client_settings)
3092
3343
- set(client_settings)):
3094
3345
for client_name in (set(client_settings)
3095
3346
- set(old_client_settings)):
3096
3347
clients_data[client_name] = client_settings[client_name]
3097
3348
3098
3349
# Create all client objects
3099
3350
for client_name, client in clients_data.items():
3100
3351
tcp_server.clients[client_name] = client_class(
3101
name = client_name,
3102
settings = client,
3103
server_settings = server_settings)
3104
3352
name=client_name,
3353
settings=client,
3354
server_settings=server_settings)
3355
3105
3356
if not tcp_server.clients:
3106
3357
logger.warning("No clients defined")
3107
3358
3108
3359
if not foreground:
3109
3360
if pidfile is not None:
3110
3361
pid = os.getpid()
3116
3367
pidfilename, pid)
3117
3368
del pidfile
3118
3369
del pidfilename
3119
3120
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3121
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3122
3370
3371
for termsig in (signal.SIGHUP, signal.SIGTERM):
3372
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3373
lambda: main_loop.quit() and False)
3374
3123
3375
if use_dbus:
3124
3376
3125
3377
@alternate_dbus_interfaces(
3126
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3378
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3127
3379
class MandosDBusService(DBusObjectWithObjectManager):
3128
3380
"""A D-Bus proxy object"""
3129
3381
3130
3382
def __init__(self):
3131
3383
dbus.service.Object.__init__(self, bus, "/")
3132
3384
3133
3385
_interface = "se.recompile.Mandos"
3134
3386
3135
3387
@dbus.service.signal(_interface, signature="o")
3136
3388
def ClientAdded(self, objpath):
3137
3389
"D-Bus signal"
3138
3390
pass
3139
3391
3140
3392
@dbus.service.signal(_interface, signature="ss")
3141
def ClientNotFound(self, fingerprint, address):
3393
def ClientNotFound(self, key_id, address):
3142
3394
"D-Bus signal"
3143
3395
pass
3144
3396
3145
3397
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3146
3398
"true"})
3147
3399
@dbus.service.signal(_interface, signature="os")
3148
3400
def ClientRemoved(self, objpath, name):
3149
3401
"D-Bus signal"
3150
3402
pass
3151
3403
3152
3404
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3153
3405
"true"})
3154
3406
@dbus.service.method(_interface, out_signature="ao")
3155
3407
def GetAllClients(self):
3156
3408
"D-Bus method"
3157
3409
return dbus.Array(c.dbus_object_path for c in
3158
tcp_server.clients.itervalues())
3159
3410
tcp_server.clients.values())
3411
3160
3412
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3161
3413
"true"})
3162
3414
@dbus.service.method(_interface,
3164
3416
def GetAllClientsWithProperties(self):
3165
3417
"D-Bus method"
3166
3418
return dbus.Dictionary(
3167
{ c.dbus_object_path: c.GetAll(
3419
{c.dbus_object_path: c.GetAll(
3168
3420
"se.recompile.Mandos.Client")
3169
for c in tcp_server.clients.itervalues() },
3421
for c in tcp_server.clients.values()},
3170
3422
signature="oa{sv}")
3171
3423
3172
3424
@dbus.service.method(_interface, in_signature="o")
3173
3425
def RemoveClient(self, object_path):
3174
3426
"D-Bus method"
3175
for c in tcp_server.clients.itervalues():
3427
for c in tcp_server.clients.values():
3176
3428
if c.dbus_object_path == object_path:
3177
3429
del tcp_server.clients[c.name]
3178
3430
c.remove_from_connection()
3182
3434
self.client_removed_signal(c)
3183
3435
return
3184
3436
raise KeyError(object_path)
3185
3437
3186
3438
del _interface
3187
3439
3188
3440
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3189
out_signature = "a{oa{sa{sv}}}")
3441
out_signature="a{oa{sa{sv}}}")
3190
3442
def GetManagedObjects(self):
3191
3443
"""D-Bus method"""
3192
3444
return dbus.Dictionary(
3193
{ client.dbus_object_path:
3194
dbus.Dictionary(
3195
{ interface: client.GetAll(interface)
3196
for interface in
3197
client._get_all_interface_names()})
3198
for client in tcp_server.clients.values()})
3199
3445
{client.dbus_object_path:
3446
dbus.Dictionary(
3447
{interface: client.GetAll(interface)
3448
for interface in
3449
client._get_all_interface_names()})
3450
for client in tcp_server.clients.values()})
3451
3200
3452
def client_added_signal(self, client):
3201
3453
"""Send the new standard signal and the old signal"""
3202
3454
if use_dbus:
3204
3456
self.InterfacesAdded(
3205
3457
client.dbus_object_path,
3206
3458
dbus.Dictionary(
3207
{ interface: client.GetAll(interface)
3208
for interface in
3209
client._get_all_interface_names()}))
3459
{interface: client.GetAll(interface)
3460
for interface in
3461
client._get_all_interface_names()}))
3210
3462
# Old signal
3211
3463
self.ClientAdded(client.dbus_object_path)
3212
3464
3213
3465
def client_removed_signal(self, client):
3214
3466
"""Send the new standard signal and the old signal"""
3215
3467
if use_dbus:
3220
3472
# Old signal
3221
3473
self.ClientRemoved(client.dbus_object_path,
3222
3474
client.name)
3223
3475
3224
3476
mandos_dbus_service = MandosDBusService()
3225
3477
3478
# Save modules to variables to exempt the modules from being
3479
# unloaded before the function registered with atexit() is run.
3480
mp = multiprocessing
3481
wn = wnull
3482
3226
3483
def cleanup():
3227
3484
"Cleanup function; run on exit"
3228
3485
if zeroconf:
3229
3486
service.cleanup()
3230
3231
multiprocessing.active_children()
3232
wnull.close()
3487
3488
mp.active_children()
3489
wn.close()
3233
3490
if not (tcp_server.clients or client_settings):
3234
3491
return
3235
3492
3236
3493
# Store client before exiting. Secrets are encrypted with key
3237
3494
# based on what config file has. If config file is
3238
3495
# removed/edited, old secret will thus be unrecovable.
3239
3496
clients = {}
3240
3497
with PGPEngine() as pgp:
3241
for client in tcp_server.clients.itervalues():
3498
for client in tcp_server.clients.values():
3242
3499
key = client_settings[client.name]["secret"]
3243
3500
client.encrypted_secret = pgp.encrypt(client.secret,
3244
3501
key)
3245
3502
client_dict = {}
3246
3503
3247
3504
# A list of attributes that can not be pickled
3248
3505
# + secret.
3249
exclude = { "bus", "changedstate", "secret",
3250
"checker", "server_settings" }
3506
exclude = {"bus", "changedstate", "secret",
3507
"checker", "server_settings"}
3251
3508
for name, typ in inspect.getmembers(dbus.service
3252
3509
.Object):
3253
3510
exclude.add(name)
3254
3511
3255
3512
client_dict["encrypted_secret"] = (client
3256
3513
.encrypted_secret)
3257
3514
for attr in client.client_structure:
3258
3515
if attr not in exclude:
3259
3516
client_dict[attr] = getattr(client, attr)
3260
3517
3261
3518
clients[client.name] = client_dict
3262
3519
del client_settings[client.name]["secret"]
3263
3520
3264
3521
try:
3265
3522
with tempfile.NamedTemporaryFile(
3266
3523
mode='wb',
3268
3525
prefix='clients-',
3269
3526
dir=os.path.dirname(stored_state_path),
3270
3527
delete=False) as stored_state:
3271
pickle.dump((clients, client_settings), stored_state)
3528
pickle.dump((clients, client_settings), stored_state,
3529
protocol=2)
3272
3530
tempname = stored_state.name
3273
3531
os.rename(tempname, stored_state_path)
3274
3532
except (IOError, OSError) as e:
3284
3542
logger.warning("Could not save persistent state:",
3285
3543
exc_info=e)
3286
3544
raise
3287
3545
3288
3546
# Delete all clients, and settings from config
3289
3547
while tcp_server.clients:
3290
3548
name, client = tcp_server.clients.popitem()
3296
3554
if use_dbus:
3297
3555
mandos_dbus_service.client_removed_signal(client)
3298
3556
client_settings.clear()
3299
3557
3300
3558
atexit.register(cleanup)
3301
3302
for client in tcp_server.clients.itervalues():
3559
3560
for client in tcp_server.clients.values():
3303
3561
if use_dbus:
3304
3562
# Emit D-Bus signal for adding
3305
3563
mandos_dbus_service.client_added_signal(client)
3306
3564
# Need to initiate checking of clients
3307
3565
if client.enabled:
3308
3566
client.init_checker()
3309
3567
3310
3568
tcp_server.enable()
3311
3569
tcp_server.server_activate()
3312
3570
3313
3571
# Find out what port we got
3314
3572
if zeroconf:
3315
3573
service.port = tcp_server.socket.getsockname()[1]
3320
3578
else: # IPv4
3321
3579
logger.info("Now listening on address %r, port %d",
3322
3580
*tcp_server.socket.getsockname())
3323
3324
#service.interface = tcp_server.socket.getsockname()[3]
3325
3581
3582
# service.interface = tcp_server.socket.getsockname()[3]
3583
3326
3584
try:
3327
3585
if zeroconf:
3328
3586
# From the Avahi example code
3333
3591
cleanup()
3334
3592
sys.exit(1)
3335
3593
# End of Avahi example code
3336
3337
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3338
lambda *args, **kwargs:
3339
(tcp_server.handle_request
3340
(*args[2:], **kwargs) or True))
3341
3594
3595
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3596
lambda *args, **kwargs:
3597
(tcp_server.handle_request
3598
(*args[2:], **kwargs) or True))
3599
3342
3600
logger.debug("Starting main loop")
3343
3601
main_loop.run()
3344
3602
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0