To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1149
- compare with another revision
- download diff
- download tarball
- view history from revision 1149
- Committer: Teddy Hogeborn
- Date: 2019-08-05 14:31:51 UTC
- Revision ID: teddy@recompile.se-20190805143151-lt5d97wqif3t8250
Client: Debian package fix: Make uninstall when using dracut(8) work
Use the same logic to rebuild the initramfs image when uninstalling as
when installing the package.
* debian/mandos-client.postrm (update_initramfs): Use the same logic
as the update_initramfs function in debian/mandos-client.postinst.
Use the same logic to rebuild the initramfs image when uninstalling as
when installing the package.
* debian/mandos-client.postrm (update_initramfs): Use the same logic
as the update_initramfs function in debian/mandos-client.postinst.
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
82
80
83
81
import dbus
84
82
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
83
import gi
84
from gi.repository import GLib
90
85
from dbus.mainloop.glib import DBusGMainLoop
91
86
import ctypes
92
87
import ctypes.util
93
88
import xml.dom.minidom
94
89
import inspect
95
90
91
# Try to find the value of SO_BINDTODEVICE:
96
92
try:
93
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
94
# newer, and it is also the most natural place for it:
97
95
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
96
except AttributeError:
99
97
try:
98
# This is where SO_BINDTODEVICE was up to and including Python
99
# 2.6, and also 3.2:
100
100
from IN import SO_BINDTODEVICE
101
101
except ImportError:
102
SO_BINDTODEVICE = None
102
# In Python 2.7 it seems to have been removed entirely.
103
# Try running the C preprocessor:
104
try:
105
cc = subprocess.Popen(["cc", "--language=c", "-E",
106
"/dev/stdin"],
107
stdin=subprocess.PIPE,
108
stdout=subprocess.PIPE)
109
stdout = cc.communicate(
110
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
111
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
112
except (OSError, ValueError, IndexError):
113
# No value found
114
SO_BINDTODEVICE = None
103
115
104
116
if sys.version_info.major == 2:
105
117
str = unicode
106
118
107
version = "1.6.9"
119
if sys.version_info < (3, 2):
120
configparser.Configparser = configparser.SafeConfigParser
121
122
version = "1.8.6"
108
123
stored_state_file = "clients.pickle"
109
124
110
125
logger = logging.getLogger()
114
129
if_nametoindex = ctypes.cdll.LoadLibrary(
115
130
ctypes.util.find_library("c")).if_nametoindex
116
131
except (OSError, AttributeError):
117
132
118
133
def if_nametoindex(interface):
119
134
"Get an interface index the hard way, i.e. using fcntl()"
120
135
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
140
return interface_index
126
141
127
142
143
def copy_function(func):
144
"""Make a copy of a function"""
145
if sys.version_info.major == 2:
146
return types.FunctionType(func.func_code,
147
func.func_globals,
148
func.func_name,
149
func.func_defaults,
150
func.func_closure)
151
else:
152
return types.FunctionType(func.__code__,
153
func.__globals__,
154
func.__name__,
155
func.__defaults__,
156
func.__closure__)
157
158
128
159
def initlogger(debug, level=logging.WARNING):
129
160
"""init logger and add loglevel"""
130
161
131
162
global syslogger
132
163
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
164
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
165
address="/dev/log"))
135
166
syslogger.setFormatter(logging.Formatter
136
167
('Mandos [%(process)d]: %(levelname)s:'
137
168
' %(message)s'))
138
169
logger.addHandler(syslogger)
139
170
140
171
if debug:
141
172
console = logging.StreamHandler()
142
173
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
154
185
155
186
class PGPEngine(object):
156
187
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
188
158
189
def __init__(self):
159
190
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
191
self.gpg = "gpg"
192
try:
193
output = subprocess.check_output(["gpgconf"])
194
for line in output.splitlines():
195
name, text, path = line.split(b":")
196
if name == "gpg":
197
self.gpg = path
198
break
199
except OSError as e:
200
if e.errno != errno.ENOENT:
201
raise
160
202
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
203
'--homedir', self.tempdir,
162
204
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
205
'--quiet']
206
# Only GPG version 1 has the --no-use-agent option.
207
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
208
self.gnupgargs.append("--no-use-agent")
209
166
210
def __enter__(self):
167
211
return self
168
212
169
213
def __exit__(self, exc_type, exc_value, traceback):
170
214
self._cleanup()
171
215
return False
172
216
173
217
def __del__(self):
174
218
self._cleanup()
175
219
176
220
def _cleanup(self):
177
221
if self.tempdir is not None:
178
222
# Delete contents of tempdir
179
223
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
224
topdown=False):
181
225
for filename in files:
182
226
os.remove(os.path.join(root, filename))
183
227
for dirname in dirs:
185
229
# Remove tempdir
186
230
os.rmdir(self.tempdir)
187
231
self.tempdir = None
188
232
189
233
def password_encode(self, password):
190
234
# Passphrase can not be empty and can not contain newlines or
191
235
# NUL bytes. So we prefix it and hex encode it.
196
240
.replace(b"\n", b"\\n")
197
241
.replace(b"\0", b"\\x00"))
198
242
return encoded
199
243
200
244
def encrypt(self, data, password):
201
245
passphrase = self.password_encode(password)
202
246
with tempfile.NamedTemporaryFile(
203
247
dir=self.tempdir) as passfile:
204
248
passfile.write(passphrase)
205
249
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
250
proc = subprocess.Popen([self.gpg, '--symmetric',
207
251
'--passphrase-file',
208
252
passfile.name]
209
253
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
254
stdin=subprocess.PIPE,
255
stdout=subprocess.PIPE,
256
stderr=subprocess.PIPE)
257
ciphertext, err = proc.communicate(input=data)
214
258
if proc.returncode != 0:
215
259
raise PGPError(err)
216
260
return ciphertext
217
261
218
262
def decrypt(self, data, password):
219
263
passphrase = self.password_encode(password)
220
264
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
265
dir=self.tempdir) as passfile:
222
266
passfile.write(passphrase)
223
267
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
268
proc = subprocess.Popen([self.gpg, '--decrypt',
225
269
'--passphrase-file',
226
270
passfile.name]
227
271
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
272
stdin=subprocess.PIPE,
273
stdout=subprocess.PIPE,
274
stderr=subprocess.PIPE)
275
decrypted_plaintext, err = proc.communicate(input=data)
232
276
if proc.returncode != 0:
233
277
raise PGPError(err)
234
278
return decrypted_plaintext
235
279
236
280
281
# Pretend that we have an Avahi module
282
class avahi(object):
283
"""This isn't so much a class as it is a module-like namespace."""
284
IF_UNSPEC = -1 # avahi-common/address.h
285
PROTO_UNSPEC = -1 # avahi-common/address.h
286
PROTO_INET = 0 # avahi-common/address.h
287
PROTO_INET6 = 1 # avahi-common/address.h
288
DBUS_NAME = "org.freedesktop.Avahi"
289
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
290
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
291
DBUS_PATH_SERVER = "/"
292
293
@staticmethod
294
def string_array_to_txt_array(t):
295
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
296
for s in t), signature="ay")
297
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
299
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
300
SERVER_INVALID = 0 # avahi-common/defs.h
301
SERVER_REGISTERING = 1 # avahi-common/defs.h
302
SERVER_RUNNING = 2 # avahi-common/defs.h
303
SERVER_COLLISION = 3 # avahi-common/defs.h
304
SERVER_FAILURE = 4 # avahi-common/defs.h
305
306
237
307
class AvahiError(Exception):
238
308
def __init__(self, value, *args, **kwargs):
239
309
self.value = value
251
321
252
322
class AvahiService(object):
253
323
"""An Avahi (Zeroconf) service.
254
324
255
325
Attributes:
256
326
interface: integer; avahi.IF_UNSPEC or an interface index.
257
327
Used to optionally bind to the specified interface.
269
339
server: D-Bus Server
270
340
bus: dbus.SystemBus()
271
341
"""
272
342
273
343
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
344
interface=avahi.IF_UNSPEC,
345
name=None,
346
servicetype=None,
347
port=None,
348
TXT=None,
349
domain="",
350
host="",
351
max_renames=32768,
352
protocol=avahi.PROTO_UNSPEC,
353
bus=None):
284
354
self.interface = interface
285
355
self.name = name
286
356
self.type = servicetype
295
365
self.server = None
296
366
self.bus = bus
297
367
self.entry_group_state_changed_match = None
298
368
299
369
def rename(self, remove=True):
300
370
"""Derived from the Avahi example code"""
301
371
if self.rename_count >= self.max_renames:
321
391
logger.critical("D-Bus Exception", exc_info=error)
322
392
self.cleanup()
323
393
os._exit(1)
324
394
325
395
def remove(self):
326
396
"""Derived from the Avahi example code"""
327
397
if self.entry_group_state_changed_match is not None:
329
399
self.entry_group_state_changed_match = None
330
400
if self.group is not None:
331
401
self.group.Reset()
332
402
333
403
def add(self):
334
404
"""Derived from the Avahi example code"""
335
405
self.remove()
352
422
dbus.UInt16(self.port),
353
423
avahi.string_array_to_txt_array(self.TXT))
354
424
self.group.Commit()
355
425
356
426
def entry_group_state_changed(self, state, error):
357
427
"""Derived from the Avahi example code"""
358
428
logger.debug("Avahi entry group state change: %i", state)
359
429
360
430
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
431
logger.debug("Zeroconf service established.")
362
432
elif state == avahi.ENTRY_GROUP_COLLISION:
366
436
logger.critical("Avahi: Error in group state changed %s",
367
437
str(error))
368
438
raise AvahiGroupError("State changed: {!s}".format(error))
369
439
370
440
def cleanup(self):
371
441
"""Derived from the Avahi example code"""
372
442
if self.group is not None:
377
447
pass
378
448
self.group = None
379
449
self.remove()
380
450
381
451
def server_state_changed(self, state, error=None):
382
452
"""Derived from the Avahi example code"""
383
453
logger.debug("Avahi server state change: %i", state)
412
482
logger.debug("Unknown state: %r", state)
413
483
else:
414
484
logger.debug("Unknown state: %r: %r", state, error)
415
485
416
486
def activate(self):
417
487
"""Derived from the Avahi example code"""
418
488
if self.server is None:
429
499
class AvahiServiceToSyslog(AvahiService):
430
500
def rename(self, *args, **kwargs):
431
501
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
502
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
503
syslogger.setFormatter(logging.Formatter(
434
504
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
505
.format(self.name)))
436
506
return ret
437
507
508
509
# Pretend that we have a GnuTLS module
510
class gnutls(object):
511
"""This isn't so much a class as it is a module-like namespace."""
512
513
library = ctypes.util.find_library("gnutls")
514
if library is None:
515
library = ctypes.util.find_library("gnutls-deb0")
516
_library = ctypes.cdll.LoadLibrary(library)
517
del library
518
519
# Unless otherwise indicated, the constants and types below are
520
# all from the gnutls/gnutls.h C header file.
521
522
# Constants
523
E_SUCCESS = 0
524
E_INTERRUPTED = -52
525
E_AGAIN = -28
526
CRT_OPENPGP = 2
527
CRT_RAWPK = 3
528
CLIENT = 2
529
SHUT_RDWR = 0
530
CRD_CERTIFICATE = 1
531
E_NO_CERTIFICATE_FOUND = -49
532
X509_FMT_DER = 0
533
NO_TICKETS = 1<<10
534
ENABLE_RAWPK = 1<<18
535
CTYPE_PEERS = 3
536
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
539
# Types
540
class session_int(ctypes.Structure):
541
_fields_ = []
542
session_t = ctypes.POINTER(session_int)
543
544
class certificate_credentials_st(ctypes.Structure):
545
_fields_ = []
546
certificate_credentials_t = ctypes.POINTER(
547
certificate_credentials_st)
548
certificate_type_t = ctypes.c_int
549
550
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
553
554
class openpgp_crt_int(ctypes.Structure):
555
_fields_ = []
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
560
transport_ptr_t = ctypes.c_void_p
561
close_request_t = ctypes.c_int
562
563
# Exceptions
564
class Error(Exception):
565
def __init__(self, message=None, code=None, args=()):
566
# Default usage is by a message string, but if a return
567
# code is passed, convert it to a string with
568
# gnutls.strerror()
569
self.code = code
570
if message is None and code is not None:
571
message = gnutls.strerror(code)
572
return super(gnutls.Error, self).__init__(
573
message, *args)
574
575
class CertificateSecurityError(Error):
576
pass
577
578
# Classes
579
class Credentials(object):
580
def __init__(self):
581
self._c_object = gnutls.certificate_credentials_t()
582
gnutls.certificate_allocate_credentials(
583
ctypes.byref(self._c_object))
584
self.type = gnutls.CRD_CERTIFICATE
585
586
def __del__(self):
587
gnutls.certificate_free_credentials(self._c_object)
588
589
class ClientSession(object):
590
def __init__(self, socket, credentials=None):
591
self._c_object = gnutls.session_t()
592
gnutls_flags = gnutls.CLIENT
593
if gnutls.check_version(b"3.5.6"):
594
gnutls_flags |= gnutls.NO_TICKETS
595
if gnutls.has_rawpk:
596
gnutls_flags |= gnutls.ENABLE_RAWPK
597
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
598
del gnutls_flags
599
gnutls.set_default_priority(self._c_object)
600
gnutls.transport_set_ptr(self._c_object, socket.fileno())
601
gnutls.handshake_set_private_extensions(self._c_object,
602
True)
603
self.socket = socket
604
if credentials is None:
605
credentials = gnutls.Credentials()
606
gnutls.credentials_set(self._c_object, credentials.type,
607
ctypes.cast(credentials._c_object,
608
ctypes.c_void_p))
609
self.credentials = credentials
610
611
def __del__(self):
612
gnutls.deinit(self._c_object)
613
614
def handshake(self):
615
return gnutls.handshake(self._c_object)
616
617
def send(self, data):
618
data = bytes(data)
619
data_len = len(data)
620
while data_len > 0:
621
data_len -= gnutls.record_send(self._c_object,
622
data[-data_len:],
623
data_len)
624
625
def bye(self):
626
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
627
628
# Error handling functions
629
def _error_code(result):
630
"""A function to raise exceptions on errors, suitable
631
for the 'restype' attribute on ctypes functions"""
632
if result >= 0:
633
return result
634
if result == gnutls.E_NO_CERTIFICATE_FOUND:
635
raise gnutls.CertificateSecurityError(code=result)
636
raise gnutls.Error(code=result)
637
638
def _retry_on_error(result, func, arguments):
639
"""A function to retry on some errors, suitable
640
for the 'errcheck' attribute on ctypes functions"""
641
while result < 0:
642
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
643
return _error_code(result)
644
result = func(*arguments)
645
return result
646
647
# Unless otherwise indicated, the function declarations below are
648
# all from the gnutls/gnutls.h C header file.
649
650
# Functions
651
priority_set_direct = _library.gnutls_priority_set_direct
652
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
653
ctypes.POINTER(ctypes.c_char_p)]
654
priority_set_direct.restype = _error_code
655
656
init = _library.gnutls_init
657
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
658
init.restype = _error_code
659
660
set_default_priority = _library.gnutls_set_default_priority
661
set_default_priority.argtypes = [session_t]
662
set_default_priority.restype = _error_code
663
664
record_send = _library.gnutls_record_send
665
record_send.argtypes = [session_t, ctypes.c_void_p,
666
ctypes.c_size_t]
667
record_send.restype = ctypes.c_ssize_t
668
record_send.errcheck = _retry_on_error
669
670
certificate_allocate_credentials = (
671
_library.gnutls_certificate_allocate_credentials)
672
certificate_allocate_credentials.argtypes = [
673
ctypes.POINTER(certificate_credentials_t)]
674
certificate_allocate_credentials.restype = _error_code
675
676
certificate_free_credentials = (
677
_library.gnutls_certificate_free_credentials)
678
certificate_free_credentials.argtypes = [
679
certificate_credentials_t]
680
certificate_free_credentials.restype = None
681
682
handshake_set_private_extensions = (
683
_library.gnutls_handshake_set_private_extensions)
684
handshake_set_private_extensions.argtypes = [session_t,
685
ctypes.c_int]
686
handshake_set_private_extensions.restype = None
687
688
credentials_set = _library.gnutls_credentials_set
689
credentials_set.argtypes = [session_t, credentials_type_t,
690
ctypes.c_void_p]
691
credentials_set.restype = _error_code
692
693
strerror = _library.gnutls_strerror
694
strerror.argtypes = [ctypes.c_int]
695
strerror.restype = ctypes.c_char_p
696
697
certificate_type_get = _library.gnutls_certificate_type_get
698
certificate_type_get.argtypes = [session_t]
699
certificate_type_get.restype = _error_code
700
701
certificate_get_peers = _library.gnutls_certificate_get_peers
702
certificate_get_peers.argtypes = [session_t,
703
ctypes.POINTER(ctypes.c_uint)]
704
certificate_get_peers.restype = ctypes.POINTER(datum_t)
705
706
global_set_log_level = _library.gnutls_global_set_log_level
707
global_set_log_level.argtypes = [ctypes.c_int]
708
global_set_log_level.restype = None
709
710
global_set_log_function = _library.gnutls_global_set_log_function
711
global_set_log_function.argtypes = [log_func]
712
global_set_log_function.restype = None
713
714
deinit = _library.gnutls_deinit
715
deinit.argtypes = [session_t]
716
deinit.restype = None
717
718
handshake = _library.gnutls_handshake
719
handshake.argtypes = [session_t]
720
handshake.restype = _error_code
721
handshake.errcheck = _retry_on_error
722
723
transport_set_ptr = _library.gnutls_transport_set_ptr
724
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
725
transport_set_ptr.restype = None
726
727
bye = _library.gnutls_bye
728
bye.argtypes = [session_t, close_request_t]
729
bye.restype = _error_code
730
bye.errcheck = _retry_on_error
731
732
check_version = _library.gnutls_check_version
733
check_version.argtypes = [ctypes.c_char_p]
734
check_version.restype = ctypes.c_char_p
735
736
_need_version = b"3.3.0"
737
if check_version(_need_version) is None:
738
raise self.Error("Needs GnuTLS {} or later"
739
.format(_need_version))
740
741
_tls_rawpk_version = b"3.6.6"
742
has_rawpk = bool(check_version(_tls_rawpk_version))
743
744
if has_rawpk:
745
# Types
746
class pubkey_st(ctypes.Structure):
747
_fields = []
748
pubkey_t = ctypes.POINTER(pubkey_st)
749
750
x509_crt_fmt_t = ctypes.c_int
751
752
# All the function declarations below are from gnutls/abstract.h
753
pubkey_init = _library.gnutls_pubkey_init
754
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
755
pubkey_init.restype = _error_code
756
757
pubkey_import = _library.gnutls_pubkey_import
758
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
759
x509_crt_fmt_t]
760
pubkey_import.restype = _error_code
761
762
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
763
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
764
ctypes.POINTER(ctypes.c_ubyte),
765
ctypes.POINTER(ctypes.c_size_t)]
766
pubkey_get_key_id.restype = _error_code
767
768
pubkey_deinit = _library.gnutls_pubkey_deinit
769
pubkey_deinit.argtypes = [pubkey_t]
770
pubkey_deinit.restype = None
771
else:
772
# All the function declarations below are from gnutls/openpgp.h
773
774
openpgp_crt_init = _library.gnutls_openpgp_crt_init
775
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
776
openpgp_crt_init.restype = _error_code
777
778
openpgp_crt_import = _library.gnutls_openpgp_crt_import
779
openpgp_crt_import.argtypes = [openpgp_crt_t,
780
ctypes.POINTER(datum_t),
781
openpgp_crt_fmt_t]
782
openpgp_crt_import.restype = _error_code
783
784
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
785
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
786
ctypes.POINTER(ctypes.c_uint)]
787
openpgp_crt_verify_self.restype = _error_code
788
789
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
790
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
791
openpgp_crt_deinit.restype = None
792
793
openpgp_crt_get_fingerprint = (
794
_library.gnutls_openpgp_crt_get_fingerprint)
795
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
796
ctypes.c_void_p,
797
ctypes.POINTER(
798
ctypes.c_size_t)]
799
openpgp_crt_get_fingerprint.restype = _error_code
800
801
if check_version(b"3.6.4"):
802
certificate_type_get2 = _library.gnutls_certificate_type_get2
803
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
804
certificate_type_get2.restype = _error_code
805
806
# Remove non-public functions
807
del _error_code, _retry_on_error
808
809
438
810
def call_pipe(connection, # : multiprocessing.Connection
439
811
func, *args, **kwargs):
440
812
"""This function is meant to be called by multiprocessing.Process
441
813
442
814
This function runs func(*args, **kwargs), and writes the resulting
443
815
return value on the provided multiprocessing.Connection.
444
816
"""
445
817
connection.send(func(*args, **kwargs))
446
818
connection.close()
447
819
820
448
821
class Client(object):
449
822
"""A representation of a client host served by this server.
450
823
451
824
Attributes:
452
825
approved: bool(); 'None' if not yet approved/disapproved
453
826
approval_delay: datetime.timedelta(); Time to wait for approval
454
827
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
828
checker: multiprocessing.Process(); a running checker process used
829
to see if the client lives. 'None' if no process is
830
running.
831
checker_callback_tag: a GLib event source tag, or None
459
832
checker_command: string; External command which is run to check
460
833
if client lives. %() expansions are done at
461
834
runtime with vars(self) as dict, so that for
462
835
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
836
checker_initiator_tag: a GLib event source tag, or None
464
837
created: datetime.datetime(); (UTC) object creation
465
838
client_structure: Object describing what attributes a client has
466
839
and is used for storing the client at exit
467
840
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
841
disable_initiator_tag: a GLib event source tag, or None
469
842
enabled: bool()
470
843
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
844
uniquely identify an OpenPGP client
845
key_id: string (64 hexadecimal digits); used to uniquely identify
846
a client using raw public keys
472
847
host: string; available for use by the checker command
473
848
interval: datetime.timedelta(); How often to start a new checker
474
849
last_approval_request: datetime.datetime(); (UTC) or None
490
865
disabled, or None
491
866
server_settings: The server_settings dict from main()
492
867
"""
493
868
494
869
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
870
"created", "enabled", "expires", "key_id",
496
871
"fingerprint", "host", "interval",
497
872
"last_approval_request", "last_checked_ok",
498
873
"last_enabled", "name", "timeout")
507
882
"approved_by_default": "True",
508
883
"enabled": "True",
509
884
}
510
885
511
886
@staticmethod
512
887
def config_parser(config):
513
888
"""Construct a new dict of client settings of this form:
520
895
for client_name in config.sections():
521
896
section = dict(config.items(client_name))
522
897
client = settings[client_name] = {}
523
898
524
899
client["host"] = section["host"]
525
900
# Reformat values from string types to Python types
526
901
client["approved_by_default"] = config.getboolean(
527
902
client_name, "approved_by_default")
528
903
client["enabled"] = config.getboolean(client_name,
529
904
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
905
906
# Uppercase and remove spaces from key_id and fingerprint
907
# for later comparison purposes with return value from the
908
# key_id() and fingerprint() functions
909
client["key_id"] = (section.get("key_id", "").upper()
910
.replace(" ", ""))
534
911
client["fingerprint"] = (section["fingerprint"].upper()
535
912
.replace(" ", ""))
536
913
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
914
client["secret"] = codecs.decode(section["secret"]
915
.encode("utf-8"),
916
"base64")
538
917
elif "secfile" in section:
539
918
with open(os.path.expanduser(os.path.expandvars
540
919
(section["secfile"])),
555
934
client["last_approval_request"] = None
556
935
client["last_checked_ok"] = None
557
936
client["last_checker_status"] = -2
558
937
559
938
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
939
940
def __init__(self, settings, name=None, server_settings=None):
562
941
self.name = name
563
942
if server_settings is None:
564
943
server_settings = {}
566
945
# adding all client settings
567
946
for setting, value in settings.items():
568
947
setattr(self, setting, value)
569
948
570
949
if self.enabled:
571
950
if not hasattr(self, "last_enabled"):
572
951
self.last_enabled = datetime.datetime.utcnow()
576
955
else:
577
956
self.last_enabled = None
578
957
self.expires = None
579
958
580
959
logger.debug("Creating client %r", self.name)
960
logger.debug(" Key ID: %s", self.key_id)
581
961
logger.debug(" Fingerprint: %s", self.fingerprint)
582
962
self.created = settings.get("created",
583
963
datetime.datetime.utcnow())
584
964
585
965
# attributes specific for this server instance
586
966
self.checker = None
587
967
self.checker_initiator_tag = None
593
973
self.changedstate = multiprocessing_manager.Condition(
594
974
multiprocessing_manager.Lock())
595
975
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
976
for attr in self.__dict__.keys()
597
977
if not attr.startswith("_")]
598
978
self.client_structure.append("client_structure")
599
979
600
980
for name, t in inspect.getmembers(
601
981
type(self), lambda obj: isinstance(obj, property)):
602
982
if not name.startswith("_"):
603
983
self.client_structure.append(name)
604
984
605
985
# Send notice to process children that client state has changed
606
986
def send_changedstate(self):
607
987
with self.changedstate:
608
988
self.changedstate.notify_all()
609
989
610
990
def enable(self):
611
991
"""Start this client's checker and timeout hooks"""
612
992
if getattr(self, "enabled", False):
617
997
self.last_enabled = datetime.datetime.utcnow()
618
998
self.init_checker()
619
999
self.send_changedstate()
620
1000
621
1001
def disable(self, quiet=True):
622
1002
"""Disable this client."""
623
1003
if not getattr(self, "enabled", False):
625
1005
if not quiet:
626
1006
logger.info("Disabling client %s", self.name)
627
1007
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1008
GLib.source_remove(self.disable_initiator_tag)
629
1009
self.disable_initiator_tag = None
630
1010
self.expires = None
631
1011
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1012
GLib.source_remove(self.checker_initiator_tag)
633
1013
self.checker_initiator_tag = None
634
1014
self.stop_checker()
635
1015
self.enabled = False
636
1016
if not quiet:
637
1017
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1018
# Do not run this again if called by a GLib.timeout_add
639
1019
return False
640
1020
641
1021
def __del__(self):
642
1022
self.disable()
643
1023
644
1024
def init_checker(self):
645
1025
# Schedule a new checker to be started an 'interval' from now,
646
1026
# and every interval from then on.
647
1027
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1028
GLib.source_remove(self.checker_initiator_tag)
1029
self.checker_initiator_tag = GLib.timeout_add(
650
1030
int(self.interval.total_seconds() * 1000),
651
1031
self.start_checker)
652
1032
# Schedule a disable() when 'timeout' has passed
653
1033
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1034
GLib.source_remove(self.disable_initiator_tag)
1035
self.disable_initiator_tag = GLib.timeout_add(
656
1036
int(self.timeout.total_seconds() * 1000), self.disable)
657
1037
# Also start a new checker *right now*.
658
1038
self.start_checker()
659
1039
660
1040
def checker_callback(self, source, condition, connection,
661
1041
command):
662
1042
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1043
# Read return code from connection (see call_pipe)
666
1044
returncode = connection.recv()
667
1045
connection.close()
668
1046
self.checker.join()
1047
self.checker_callback_tag = None
1048
self.checker = None
1049
669
1050
if returncode >= 0:
670
1051
self.last_checker_status = returncode
671
1052
self.last_checker_signal = None
681
1062
logger.warning("Checker for %(name)s crashed?",
682
1063
vars(self))
683
1064
return False
684
1065
685
1066
def checked_ok(self):
686
1067
"""Assert that the client has been seen, alive and well."""
687
1068
self.last_checked_ok = datetime.datetime.utcnow()
688
1069
self.last_checker_status = 0
689
1070
self.last_checker_signal = None
690
1071
self.bump_timeout()
691
1072
692
1073
def bump_timeout(self, timeout=None):
693
1074
"""Bump up the timeout for this client."""
694
1075
if timeout is None:
695
1076
timeout = self.timeout
696
1077
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1078
GLib.source_remove(self.disable_initiator_tag)
698
1079
self.disable_initiator_tag = None
699
1080
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1081
self.disable_initiator_tag = GLib.timeout_add(
701
1082
int(timeout.total_seconds() * 1000), self.disable)
702
1083
self.expires = datetime.datetime.utcnow() + timeout
703
1084
704
1085
def need_approval(self):
705
1086
self.last_approval_request = datetime.datetime.utcnow()
706
1087
707
1088
def start_checker(self):
708
1089
"""Start a new checker subprocess if one is not running.
709
1090
710
1091
If a checker already exists, leave it running and do
711
1092
nothing."""
712
1093
# The reason for not killing a running checker is that if we
717
1098
# checkers alone, the checker would have to take more time
718
1099
# than 'timeout' for the client to be disabled, which is as it
719
1100
# should be.
720
1101
721
1102
if self.checker is not None and not self.checker.is_alive():
722
1103
logger.warning("Checker was not alive; joining")
723
1104
self.checker.join()
727
1108
# Escape attributes for the shell
728
1109
escaped_attrs = {
729
1110
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1111
for attr in self.runtime_expansions}
731
1112
try:
732
1113
command = self.checker_command % escaped_attrs
733
1114
except TypeError as error:
745
1126
# The exception is when not debugging but nevertheless
746
1127
# running in the foreground; use the previously
747
1128
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1129
popen_args = {"close_fds": True,
1130
"shell": True,
1131
"cwd": "/"}
751
1132
if (not self.server_settings["debug"]
752
1133
and self.server_settings["foreground"]):
753
1134
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1135
"stderr": wnull})
1136
pipe = multiprocessing.Pipe(duplex=False)
756
1137
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1138
target=call_pipe,
1139
args=(pipe[1], subprocess.call, command),
1140
kwargs=popen_args)
760
1141
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1142
self.checker_callback_tag = GLib.io_add_watch(
1143
pipe[0].fileno(), GLib.IO_IN,
763
1144
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1145
# Re-run this periodically if run by GLib.timeout_add
765
1146
return True
766
1147
767
1148
def stop_checker(self):
768
1149
"""Force the checker process, if any, to stop."""
769
1150
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1151
GLib.source_remove(self.checker_callback_tag)
771
1152
self.checker_callback_tag = None
772
1153
if getattr(self, "checker", None) is None:
773
1154
return
782
1163
byte_arrays=False):
783
1164
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1165
become properties on the D-Bus.
785
1166
786
1167
The decorated method will be called with no arguments by "Get"
787
1168
and with one argument by "Set".
788
1169
789
1170
The parameters, where they are supported, are the same as
790
1171
dbus.service.method, except there is only "signature", since the
791
1172
type from Get() and the type sent to Set() is the same.
795
1176
if byte_arrays and signature != "ay":
796
1177
raise ValueError("Byte arrays not supported for non-'ay'"
797
1178
" signature {!r}".format(signature))
798
1179
799
1180
def decorator(func):
800
1181
func._dbus_is_property = True
801
1182
func._dbus_interface = dbus_interface
804
1185
func._dbus_name = func.__name__
805
1186
if func._dbus_name.endswith("_dbus_property"):
806
1187
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1188
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1189
return func
809
1190
810
1191
return decorator
811
1192
812
1193
813
1194
def dbus_interface_annotations(dbus_interface):
814
1195
"""Decorator for marking functions returning interface annotations
815
1196
816
1197
Usage:
817
1198
818
1199
@dbus_interface_annotations("org.example.Interface")
819
1200
def _foo(self): # Function name does not matter
820
1201
return {"org.freedesktop.DBus.Deprecated": "true",
821
1202
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1203
"false"}
823
1204
"""
824
1205
825
1206
def decorator(func):
826
1207
func._dbus_is_interface = True
827
1208
func._dbus_interface = dbus_interface
828
1209
func._dbus_name = dbus_interface
829
1210
return func
830
1211
831
1212
return decorator
832
1213
833
1214
834
1215
def dbus_annotations(annotations):
835
1216
"""Decorator to annotate D-Bus methods, signals or properties
836
1217
Usage:
837
1218
838
1219
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1220
"org.freedesktop.DBus.Property."
840
1221
"EmitsChangedSignal": "false"})
842
1223
access="r")
843
1224
def Property_dbus_property(self):
844
1225
return dbus.Boolean(False)
845
1226
846
1227
See also the DBusObjectWithAnnotations class.
847
1228
"""
848
1229
849
1230
def decorator(func):
850
1231
func._dbus_annotations = annotations
851
1232
return func
852
1233
853
1234
return decorator
854
1235
855
1236
873
1254
874
1255
class DBusObjectWithAnnotations(dbus.service.Object):
875
1256
"""A D-Bus object with annotations.
876
1257
877
1258
Classes inheriting from this can use the dbus_annotations
878
1259
decorator to add annotations to methods or signals.
879
1260
"""
880
1261
881
1262
@staticmethod
882
1263
def _is_dbus_thing(thing):
883
1264
"""Returns a function testing if an attribute is a D-Bus thing
884
1265
885
1266
If called like _is_dbus_thing("method") it returns a function
886
1267
suitable for use as predicate to inspect.getmembers().
887
1268
"""
888
1269
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1270
False)
890
1271
891
1272
def _get_all_dbus_things(self, thing):
892
1273
"""Returns a generator of (name, attribute) pairs
893
1274
"""
896
1277
for cls in self.__class__.__mro__
897
1278
for name, athing in
898
1279
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1280
900
1281
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1282
out_signature="s",
1283
path_keyword='object_path',
1284
connection_keyword='connection')
904
1285
def Introspect(self, object_path, connection):
905
1286
"""Overloading of standard D-Bus method.
906
1287
907
1288
Inserts annotation tags on methods and signals.
908
1289
"""
909
1290
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1291
connection)
911
1292
try:
912
1293
document = xml.dom.minidom.parseString(xmlstring)
913
1294
914
1295
for if_tag in document.getElementsByTagName("interface"):
915
1296
# Add annotation tags
916
1297
for typ in ("method", "signal"):
943
1324
if_tag.appendChild(ann_tag)
944
1325
# Fix argument name for the Introspect method itself
945
1326
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1327
== dbus.INTROSPECTABLE_IFACE):
947
1328
for cn in if_tag.getElementsByTagName("method"):
948
1329
if cn.getAttribute("name") == "Introspect":
949
1330
for arg in cn.getElementsByTagName("arg"):
962
1343
963
1344
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1345
"""A D-Bus object with properties.
965
1346
966
1347
Classes inheriting from this can use the dbus_service_property
967
1348
decorator to expose methods as D-Bus properties. It exposes the
968
1349
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1350
"""
970
1351
971
1352
def _get_dbus_property(self, interface_name, property_name):
972
1353
"""Returns a bound method if one exists which is a D-Bus
973
1354
property with the specified name and interface.
978
1359
if (value._dbus_name == property_name
979
1360
and value._dbus_interface == interface_name):
980
1361
return value.__get__(self)
981
1362
982
1363
# No such property
983
1364
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1365
self.dbus_object_path, interface_name, property_name))
985
1366
986
1367
@classmethod
987
1368
def _get_all_interface_names(cls):
988
1369
"""Get a sequence of all interfaces supported by an object"""
991
1372
for x in (inspect.getmro(cls))
992
1373
for attr in dir(x))
993
1374
if name is not None)
994
1375
995
1376
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1377
in_signature="ss",
997
1378
out_signature="v")
1005
1386
if not hasattr(value, "variant_level"):
1006
1387
return value
1007
1388
return type(value)(value, variant_level=value.variant_level+1)
1008
1389
1009
1390
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1391
def Set(self, interface_name, property_name, value):
1011
1392
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1404
value = dbus.ByteArray(b''.join(chr(byte)
1024
1405
for byte in value))
1025
1406
prop(value)
1026
1407
1027
1408
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1409
in_signature="s",
1029
1410
out_signature="a{sv}")
1030
1411
def GetAll(self, interface_name):
1031
1412
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1413
standard.
1033
1414
1034
1415
Note: Will not include properties with access="write".
1035
1416
"""
1036
1417
properties = {}
1047
1428
properties[name] = value
1048
1429
continue
1049
1430
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1431
value, variant_level=value.variant_level + 1)
1051
1432
return dbus.Dictionary(properties, signature="sv")
1052
1433
1053
1434
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1435
def PropertiesChanged(self, interface_name, changed_properties,
1055
1436
invalidated_properties):
1057
1438
standard.
1058
1439
"""
1059
1440
pass
1060
1441
1061
1442
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1443
out_signature="s",
1063
1444
path_keyword='object_path',
1064
1445
connection_keyword='connection')
1065
1446
def Introspect(self, object_path, connection):
1066
1447
"""Overloading of standard D-Bus method.
1067
1448
1068
1449
Inserts property tags and interface annotation tags.
1069
1450
"""
1070
1451
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1453
connection)
1073
1454
try:
1074
1455
document = xml.dom.minidom.parseString(xmlstring)
1075
1456
1076
1457
def make_tag(document, name, prop):
1077
1458
e = document.createElement("property")
1078
1459
e.setAttribute("name", name)
1079
1460
e.setAttribute("type", prop._dbus_signature)
1080
1461
e.setAttribute("access", prop._dbus_access)
1081
1462
return e
1082
1463
1083
1464
for if_tag in document.getElementsByTagName("interface"):
1084
1465
# Add property tags
1085
1466
for tag in (make_tag(document, name, prop)
1127
1508
exc_info=error)
1128
1509
return xmlstring
1129
1510
1511
1130
1512
try:
1131
1513
dbus.OBJECT_MANAGER_IFACE
1132
1514
except AttributeError:
1133
1515
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1516
1517
1135
1518
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1519
"""A D-Bus object with an ObjectManager.
1137
1520
1138
1521
Classes inheriting from this exposes the standard
1139
1522
GetManagedObjects call and the InterfacesAdded and
1140
1523
InterfacesRemoved signals on the standard
1141
1524
"org.freedesktop.DBus.ObjectManager" interface.
1142
1525
1143
1526
Note: No signals are sent automatically; they must be sent
1144
1527
manually.
1145
1528
"""
1146
1529
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1530
out_signature="a{oa{sa{sv}}}")
1148
1531
def GetManagedObjects(self):
1149
1532
"""This function must be overridden"""
1150
1533
raise NotImplementedError()
1151
1534
1152
1535
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1536
signature="oa{sa{sv}}")
1154
1537
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1538
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1539
1540
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1541
def InterfacesRemoved(self, object_path, interfaces):
1159
1542
pass
1160
1543
1161
1544
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1545
out_signature="s",
1546
path_keyword='object_path',
1547
connection_keyword='connection')
1165
1548
def Introspect(self, object_path, connection):
1166
1549
"""Overloading of standard D-Bus method.
1167
1550
1168
1551
Override return argument name of GetManagedObjects to be
1169
1552
"objpath_interfaces_and_properties"
1170
1553
"""
1173
1556
connection)
1174
1557
try:
1175
1558
document = xml.dom.minidom.parseString(xmlstring)
1176
1559
1177
1560
for if_tag in document.getElementsByTagName("interface"):
1178
1561
# Fix argument name for the GetManagedObjects method
1179
1562
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1563
== dbus.OBJECT_MANAGER_IFACE):
1181
1564
for cn in if_tag.getElementsByTagName("method"):
1182
1565
if (cn.getAttribute("name")
1183
1566
== "GetManagedObjects"):
1193
1576
except (AttributeError, xml.dom.DOMException,
1194
1577
xml.parsers.expat.ExpatError) as error:
1195
1578
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1579
exc_info=error)
1197
1580
return xmlstring
1198
1581
1582
1199
1583
def datetime_to_dbus(dt, variant_level=0):
1200
1584
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1585
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1586
return dbus.String("", variant_level=variant_level)
1203
1587
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1588
1205
1589
1208
1592
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1593
interface names according to the "alt_interface_names" mapping.
1210
1594
Usage:
1211
1595
1212
1596
@alternate_dbus_interfaces({"org.example.Interface":
1213
1597
"net.example.AlternateInterface"})
1214
1598
class SampleDBusObject(dbus.service.Object):
1215
1599
@dbus.service.method("org.example.Interface")
1216
1600
def SampleDBusMethod():
1217
1601
pass
1218
1602
1219
1603
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1604
reachable via two interfaces: "org.example.Interface" and
1221
1605
"net.example.AlternateInterface", the latter of which will have
1222
1606
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1607
"true", unless "deprecate" is passed with a False value.
1224
1608
1225
1609
This works for methods and signals, and also for D-Bus properties
1226
1610
(from DBusObjectWithProperties) and interfaces (from the
1227
1611
dbus_interface_annotations decorator).
1228
1612
"""
1229
1613
1230
1614
def wrapper(cls):
1231
1615
for orig_interface_name, alt_interface_name in (
1232
1616
alt_interface_names.items()):
1247
1631
interface_names.add(alt_interface)
1248
1632
# Is this a D-Bus signal?
1249
1633
if getattr(attribute, "_dbus_is_signal", False):
1634
# Extract the original non-method undecorated
1635
# function by black magic
1250
1636
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1637
nonmethod_func = (dict(
1254
1638
zip(attribute.func_code.co_freevars,
1255
1639
attribute.__closure__))
1256
1640
["func"].cell_contents)
1257
1641
else:
1258
nonmethod_func = attribute
1642
nonmethod_func = (dict(
1643
zip(attribute.__code__.co_freevars,
1644
attribute.__closure__))
1645
["func"].cell_contents)
1259
1646
# Create a new, but exactly alike, function
1260
1647
# object, and decorate it to be a new D-Bus signal
1261
1648
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1649
new_function = copy_function(nonmethod_func)
1276
1650
new_function = (dbus.service.signal(
1277
1651
alt_interface,
1278
1652
attribute._dbus_signature)(new_function))
1282
1656
attribute._dbus_annotations)
1283
1657
except AttributeError:
1284
1658
pass
1659
1285
1660
# Define a creator of a function to call both the
1286
1661
# original and alternate functions, so both the
1287
1662
# original and alternate signals gets sent when
1290
1665
"""This function is a scope container to pass
1291
1666
func1 and func2 to the "call_both" function
1292
1667
outside of its arguments"""
1293
1668
1294
1669
@functools.wraps(func2)
1295
1670
def call_both(*args, **kwargs):
1296
1671
"""This function will emit two D-Bus
1297
1672
signals by calling func1 and func2"""
1298
1673
func1(*args, **kwargs)
1299
1674
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1675
# Make wrapper function look like a D-Bus
1676
# signal
1301
1677
for name, attr in inspect.getmembers(func2):
1302
1678
if name.startswith("_dbus_"):
1303
1679
setattr(call_both, name, attr)
1304
1680
1305
1681
return call_both
1306
1682
# Create the "call_both" function and add it to
1307
1683
# the class
1317
1693
alt_interface,
1318
1694
attribute._dbus_in_signature,
1319
1695
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1696
(copy_function(attribute)))
1325
1697
# Copy annotations, if any
1326
1698
try:
1327
1699
attr[attrname]._dbus_annotations = dict(
1339
1711
attribute._dbus_access,
1340
1712
attribute._dbus_get_args_options
1341
1713
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1714
(copy_function(attribute)))
1348
1715
# Copy annotations, if any
1349
1716
try:
1350
1717
attr[attrname]._dbus_annotations = dict(
1359
1726
# to the class.
1360
1727
attr[attrname] = (
1361
1728
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1729
(copy_function(attribute)))
1367
1730
if deprecate:
1368
1731
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1732
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1733
for interface_name in interface_names:
1371
1734
1372
1735
@dbus_interface_annotations(interface_name)
1373
1736
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1737
return {"org.freedesktop.DBus.Deprecated":
1738
"true"}
1376
1739
# Find an unused name
1377
1740
for aname in (iname.format(i)
1378
1741
for i in itertools.count()):
1382
1745
if interface_names:
1383
1746
# Replace the class with a new subclass of it with
1384
1747
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1748
if sys.version_info.major == 2:
1749
cls = type(b"{}Alternate".format(cls.__name__),
1750
(cls, ), attr)
1751
else:
1752
cls = type("{}Alternate".format(cls.__name__),
1753
(cls, ), attr)
1387
1754
return cls
1388
1755
1389
1756
return wrapper
1390
1757
1391
1758
1393
1760
"se.bsnet.fukt.Mandos"})
1394
1761
class ClientDBus(Client, DBusObjectWithProperties):
1395
1762
"""A Client class using D-Bus
1396
1763
1397
1764
Attributes:
1398
1765
dbus_object_path: dbus.ObjectPath
1399
1766
bus: dbus.SystemBus()
1400
1767
"""
1401
1768
1402
1769
runtime_expansions = (Client.runtime_expansions
1403
1770
+ ("dbus_object_path", ))
1404
1771
1405
1772
_interface = "se.recompile.Mandos.Client"
1406
1773
1407
1774
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1775
1776
def __init__(self, bus=None, *args, **kwargs):
1410
1777
self.bus = bus
1411
1778
Client.__init__(self, *args, **kwargs)
1412
1779
# Only now, when this client is initialized, can it show up on
1418
1785
"/clients/" + client_object_name)
1419
1786
DBusObjectWithProperties.__init__(self, self.bus,
1420
1787
self.dbus_object_path)
1421
1788
1422
1789
def notifychangeproperty(transform_func, dbus_name,
1423
1790
type_func=lambda x: x,
1424
1791
variant_level=1,
1426
1793
_interface=_interface):
1427
1794
""" Modify a variable so that it's a property which announces
1428
1795
its changes to DBus.
1429
1796
1430
1797
transform_fun: Function that takes a value and a variant_level
1431
1798
and transforms it to a D-Bus type.
1432
1799
dbus_name: D-Bus name of the variable
1435
1802
variant_level: D-Bus variant level. Default: 1
1436
1803
"""
1437
1804
attrname = "_{}".format(dbus_name)
1438
1805
1439
1806
def setter(self, value):
1440
1807
if hasattr(self, "dbus_object_path"):
1441
1808
if (not hasattr(self, attrname) or
1448
1815
else:
1449
1816
dbus_value = transform_func(
1450
1817
type_func(value),
1451
variant_level = variant_level)
1818
variant_level=variant_level)
1452
1819
self.PropertyChanged(dbus.String(dbus_name),
1453
1820
dbus_value)
1454
1821
self.PropertiesChanged(
1455
1822
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1823
dbus.Dictionary({dbus.String(dbus_name):
1824
dbus_value}),
1458
1825
dbus.Array())
1459
1826
setattr(self, attrname, value)
1460
1827
1461
1828
return property(lambda self: getattr(self, attrname), setter)
1462
1829
1463
1830
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1831
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1832
"ApprovalPending",
1466
type_func = bool)
1833
type_func=bool)
1467
1834
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1835
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1836
"LastEnabled")
1470
1837
checker = notifychangeproperty(
1471
1838
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1839
type_func=lambda checker: checker is not None)
1473
1840
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1841
"LastCheckedOK")
1475
1842
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1847
"ApprovedByDefault")
1481
1848
approval_delay = notifychangeproperty(
1482
1849
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1850
type_func=lambda td: td.total_seconds() * 1000)
1484
1851
approval_duration = notifychangeproperty(
1485
1852
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1853
type_func=lambda td: td.total_seconds() * 1000)
1487
1854
host = notifychangeproperty(dbus.String, "Host")
1488
1855
timeout = notifychangeproperty(
1489
1856
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1857
type_func=lambda td: td.total_seconds() * 1000)
1491
1858
extended_timeout = notifychangeproperty(
1492
1859
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1860
type_func=lambda td: td.total_seconds() * 1000)
1494
1861
interval = notifychangeproperty(
1495
1862
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1863
type_func=lambda td: td.total_seconds() * 1000)
1497
1864
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1865
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1866
invalidate_only=True)
1500
1867
1501
1868
del notifychangeproperty
1502
1869
1503
1870
def __del__(self, *args, **kwargs):
1504
1871
try:
1505
1872
self.remove_from_connection()
1508
1875
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1876
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1877
Client.__del__(self, *args, **kwargs)
1511
1878
1512
1879
def checker_callback(self, source, condition,
1513
1880
connection, command, *args, **kwargs):
1514
1881
ret = Client.checker_callback(self, source, condition,
1530
1897
| self.last_checker_signal),
1531
1898
dbus.String(command))
1532
1899
return ret
1533
1900
1534
1901
def start_checker(self, *args, **kwargs):
1535
1902
old_checker_pid = getattr(self.checker, "pid", None)
1536
1903
r = Client.start_checker(self, *args, **kwargs)
1540
1907
# Emit D-Bus signal
1541
1908
self.CheckerStarted(self.current_checker_command)
1542
1909
return r
1543
1910
1544
1911
def _reset_approved(self):
1545
1912
self.approved = None
1546
1913
return False
1547
1914
1548
1915
def approve(self, value=True):
1549
1916
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1917
GLib.timeout_add(int(self.approval_duration.total_seconds()
1918
* 1000), self._reset_approved)
1552
1919
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1920
1921
# D-Bus methods, signals & properties
1922
1923
# Interfaces
1924
1925
# Signals
1926
1560
1927
# CheckerCompleted - signal
1561
1928
@dbus.service.signal(_interface, signature="nxs")
1562
1929
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1930
"D-Bus signal"
1564
1931
pass
1565
1932
1566
1933
# CheckerStarted - signal
1567
1934
@dbus.service.signal(_interface, signature="s")
1568
1935
def CheckerStarted(self, command):
1569
1936
"D-Bus signal"
1570
1937
pass
1571
1938
1572
1939
# PropertyChanged - signal
1573
1940
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1941
@dbus.service.signal(_interface, signature="sv")
1575
1942
def PropertyChanged(self, property, value):
1576
1943
"D-Bus signal"
1577
1944
pass
1578
1945
1579
1946
# GotSecret - signal
1580
1947
@dbus.service.signal(_interface)
1581
1948
def GotSecret(self):
1584
1951
server to mandos-client
1585
1952
"""
1586
1953
pass
1587
1954
1588
1955
# Rejected - signal
1589
1956
@dbus.service.signal(_interface, signature="s")
1590
1957
def Rejected(self, reason):
1591
1958
"D-Bus signal"
1592
1959
pass
1593
1960
1594
1961
# NeedApproval - signal
1595
1962
@dbus.service.signal(_interface, signature="tb")
1596
1963
def NeedApproval(self, timeout, default):
1597
1964
"D-Bus signal"
1598
1965
return self.need_approval()
1599
1600
## Methods
1601
1966
1967
# Methods
1968
1602
1969
# Approve - method
1603
1970
@dbus.service.method(_interface, in_signature="b")
1604
1971
def Approve(self, value):
1605
1972
self.approve(value)
1606
1973
1607
1974
# CheckedOK - method
1608
1975
@dbus.service.method(_interface)
1609
1976
def CheckedOK(self):
1610
1977
self.checked_ok()
1611
1978
1612
1979
# Enable - method
1613
1980
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1981
@dbus.service.method(_interface)
1615
1982
def Enable(self):
1616
1983
"D-Bus method"
1617
1984
self.enable()
1618
1985
1619
1986
# StartChecker - method
1620
1987
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1988
@dbus.service.method(_interface)
1622
1989
def StartChecker(self):
1623
1990
"D-Bus method"
1624
1991
self.start_checker()
1625
1992
1626
1993
# Disable - method
1627
1994
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
1995
@dbus.service.method(_interface)
1629
1996
def Disable(self):
1630
1997
"D-Bus method"
1631
1998
self.disable()
1632
1999
1633
2000
# StopChecker - method
1634
2001
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2002
@dbus.service.method(_interface)
1636
2003
def StopChecker(self):
1637
2004
self.stop_checker()
1638
1639
## Properties
1640
2005
2006
# Properties
2007
1641
2008
# ApprovalPending - property
1642
2009
@dbus_service_property(_interface, signature="b", access="read")
1643
2010
def ApprovalPending_dbus_property(self):
1644
2011
return dbus.Boolean(bool(self.approvals_pending))
1645
2012
1646
2013
# ApprovedByDefault - property
1647
2014
@dbus_service_property(_interface,
1648
2015
signature="b",
1651
2018
if value is None: # get
1652
2019
return dbus.Boolean(self.approved_by_default)
1653
2020
self.approved_by_default = bool(value)
1654
2021
1655
2022
# ApprovalDelay - property
1656
2023
@dbus_service_property(_interface,
1657
2024
signature="t",
1661
2028
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2029
* 1000)
1663
2030
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2031
1665
2032
# ApprovalDuration - property
1666
2033
@dbus_service_property(_interface,
1667
2034
signature="t",
1671
2038
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2039
* 1000)
1673
2040
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2041
1675
2042
# Name - property
1676
2043
@dbus_annotations(
1677
2044
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2045
@dbus_service_property(_interface, signature="s", access="read")
1679
2046
def Name_dbus_property(self):
1680
2047
return dbus.String(self.name)
1681
2048
2049
# KeyID - property
2050
@dbus_annotations(
2051
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2052
@dbus_service_property(_interface, signature="s", access="read")
2053
def KeyID_dbus_property(self):
2054
return dbus.String(self.key_id)
2055
1682
2056
# Fingerprint - property
1683
2057
@dbus_annotations(
1684
2058
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2059
@dbus_service_property(_interface, signature="s", access="read")
1686
2060
def Fingerprint_dbus_property(self):
1687
2061
return dbus.String(self.fingerprint)
1688
2062
1689
2063
# Host - property
1690
2064
@dbus_service_property(_interface,
1691
2065
signature="s",
1694
2068
if value is None: # get
1695
2069
return dbus.String(self.host)
1696
2070
self.host = str(value)
1697
2071
1698
2072
# Created - property
1699
2073
@dbus_annotations(
1700
2074
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2075
@dbus_service_property(_interface, signature="s", access="read")
1702
2076
def Created_dbus_property(self):
1703
2077
return datetime_to_dbus(self.created)
1704
2078
1705
2079
# LastEnabled - property
1706
2080
@dbus_service_property(_interface, signature="s", access="read")
1707
2081
def LastEnabled_dbus_property(self):
1708
2082
return datetime_to_dbus(self.last_enabled)
1709
2083
1710
2084
# Enabled - property
1711
2085
@dbus_service_property(_interface,
1712
2086
signature="b",
1718
2092
self.enable()
1719
2093
else:
1720
2094
self.disable()
1721
2095
1722
2096
# LastCheckedOK - property
1723
2097
@dbus_service_property(_interface,
1724
2098
signature="s",
1728
2102
self.checked_ok()
1729
2103
return
1730
2104
return datetime_to_dbus(self.last_checked_ok)
1731
2105
1732
2106
# LastCheckerStatus - property
1733
2107
@dbus_service_property(_interface, signature="n", access="read")
1734
2108
def LastCheckerStatus_dbus_property(self):
1735
2109
return dbus.Int16(self.last_checker_status)
1736
2110
1737
2111
# Expires - property
1738
2112
@dbus_service_property(_interface, signature="s", access="read")
1739
2113
def Expires_dbus_property(self):
1740
2114
return datetime_to_dbus(self.expires)
1741
2115
1742
2116
# LastApprovalRequest - property
1743
2117
@dbus_service_property(_interface, signature="s", access="read")
1744
2118
def LastApprovalRequest_dbus_property(self):
1745
2119
return datetime_to_dbus(self.last_approval_request)
1746
2120
1747
2121
# Timeout - property
1748
2122
@dbus_service_property(_interface,
1749
2123
signature="t",
1764
2138
if (getattr(self, "disable_initiator_tag", None)
1765
2139
is None):
1766
2140
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2141
GLib.source_remove(self.disable_initiator_tag)
2142
self.disable_initiator_tag = GLib.timeout_add(
1769
2143
int((self.expires - now).total_seconds() * 1000),
1770
2144
self.disable)
1771
2145
1772
2146
# ExtendedTimeout - property
1773
2147
@dbus_service_property(_interface,
1774
2148
signature="t",
1778
2152
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2153
* 1000)
1780
2154
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2155
1782
2156
# Interval - property
1783
2157
@dbus_service_property(_interface,
1784
2158
signature="t",
1791
2165
return
1792
2166
if self.enabled:
1793
2167
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2168
GLib.source_remove(self.checker_initiator_tag)
2169
self.checker_initiator_tag = GLib.timeout_add(
1796
2170
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2171
self.start_checker() # Start one now, too
2172
1799
2173
# Checker - property
1800
2174
@dbus_service_property(_interface,
1801
2175
signature="s",
1804
2178
if value is None: # get
1805
2179
return dbus.String(self.checker_command)
1806
2180
self.checker_command = str(value)
1807
2181
1808
2182
# CheckerRunning - property
1809
2183
@dbus_service_property(_interface,
1810
2184
signature="b",
1816
2190
self.start_checker()
1817
2191
else:
1818
2192
self.stop_checker()
1819
2193
1820
2194
# ObjectPath - property
1821
2195
@dbus_annotations(
1822
2196
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2197
"org.freedesktop.DBus.Deprecated": "true"})
1824
2198
@dbus_service_property(_interface, signature="o", access="read")
1825
2199
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2200
return self.dbus_object_path # is already a dbus.ObjectPath
2201
1828
2202
# Secret = property
1829
2203
@dbus_annotations(
1830
2204
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2209
byte_arrays=True)
1836
2210
def Secret_dbus_property(self, value):
1837
2211
self.secret = bytes(value)
1838
2212
1839
2213
del _interface
1840
2214
1841
2215
1842
2216
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2217
def __init__(self, child_pipe, key_id, fpr, address):
1844
2218
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2219
self._pipe.send(('init', key_id, fpr, address))
1846
2220
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2221
raise KeyError(key_id or fpr)
2222
1849
2223
def __getattribute__(self, name):
1850
2224
if name == '_pipe':
1851
2225
return super(ProxyClient, self).__getattribute__(name)
1854
2228
if data[0] == 'data':
1855
2229
return data[1]
1856
2230
if data[0] == 'function':
1857
2231
1858
2232
def func(*args, **kwargs):
1859
2233
self._pipe.send(('funcall', name, args, kwargs))
1860
2234
return self._pipe.recv()[1]
1861
2235
1862
2236
return func
1863
2237
1864
2238
def __setattr__(self, name, value):
1865
2239
if name == '_pipe':
1866
2240
return super(ProxyClient, self).__setattr__(name, value)
1869
2243
1870
2244
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2245
"""A class to handle client connections.
1872
2246
1873
2247
Instantiated once for each connection to handle it.
1874
2248
Note: This will run in its own forked process."""
1875
2249
1876
2250
def handle(self):
1877
2251
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2252
logger.info("TCP connection from: %s",
1879
2253
str(self.client_address))
1880
2254
logger.debug("Pipe FD: %d",
1881
2255
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2256
2257
session = gnutls.ClientSession(self.request)
2258
2259
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2260
# "+AES-256-CBC", "+SHA1",
2261
# "+COMP-NULL", "+CTYPE-OPENPGP",
2262
# "+DHE-DSS"))
1895
2263
# Use a fallback default, since this MUST be set.
1896
2264
priority = self.server.gnutls_priority
1897
2265
if priority is None:
1898
2266
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2267
gnutls.priority_set_direct(session._c_object,
2268
priority.encode("utf-8"),
2269
None)
2270
1902
2271
# Start communication using the Mandos protocol
1903
2272
# Get protocol number
1904
2273
line = self.request.makefile().readline()
1909
2278
except (ValueError, IndexError, RuntimeError) as error:
1910
2279
logger.error("Unknown protocol version: %s", error)
1911
2280
return
1912
2281
1913
2282
# Start GnuTLS connection
1914
2283
try:
1915
2284
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2285
except gnutls.Error as error:
1917
2286
logger.warning("Handshake failed: %s", error)
1918
2287
# Do not run session.bye() here: the session is not
1919
2288
# established. Just abandon the request.
1920
2289
return
1921
2290
logger.debug("Handshake succeeded")
1922
2291
1923
2292
approval_required = False
1924
2293
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2294
if gnutls.has_rawpk:
2295
fpr = b""
2296
try:
2297
key_id = self.key_id(
2298
self.peer_certificate(session))
2299
except (TypeError, gnutls.Error) as error:
2300
logger.warning("Bad certificate: %s", error)
2301
return
2302
logger.debug("Key ID: %s", key_id)
2303
2304
else:
2305
key_id = b""
2306
try:
2307
fpr = self.fingerprint(
2308
self.peer_certificate(session))
2309
except (TypeError, gnutls.Error) as error:
2310
logger.warning("Bad certificate: %s", error)
2311
return
2312
logger.debug("Fingerprint: %s", fpr)
2313
2314
try:
2315
client = ProxyClient(child_pipe, key_id, fpr,
1936
2316
self.client_address)
1937
2317
except KeyError:
1938
2318
return
1939
2319
1940
2320
if client.approval_delay:
1941
2321
delay = client.approval_delay
1942
2322
client.approvals_pending += 1
1943
2323
approval_required = True
1944
2324
1945
2325
while True:
1946
2326
if not client.enabled:
1947
2327
logger.info("Client %s is disabled",
1950
2330
# Emit D-Bus signal
1951
2331
client.Rejected("Disabled")
1952
2332
return
1953
2333
1954
2334
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2335
# We are approved or approval is disabled
1956
2336
break
1957
2337
elif client.approved is None:
1958
2338
logger.info("Client %s needs approval",
1969
2349
# Emit D-Bus signal
1970
2350
client.Rejected("Denied")
1971
2351
return
1972
1973
#wait until timeout or approved
2352
2353
# wait until timeout or approved
1974
2354
time = datetime.datetime.now()
1975
2355
client.changedstate.acquire()
1976
2356
client.changedstate.wait(delay.total_seconds())
1989
2369
break
1990
2370
else:
1991
2371
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2372
2373
try:
2374
session.send(client.secret)
2375
except gnutls.Error as error:
2376
logger.warning("gnutls send failed",
2377
exc_info=error)
2378
return
2379
2006
2380
logger.info("Sending secret to %s", client.name)
2007
2381
# bump the timeout using extended_timeout
2008
2382
client.bump_timeout(client.extended_timeout)
2009
2383
if self.server.use_dbus:
2010
2384
# Emit D-Bus signal
2011
2385
client.GotSecret()
2012
2386
2013
2387
finally:
2014
2388
if approval_required:
2015
2389
client.approvals_pending -= 1
2016
2390
try:
2017
2391
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2392
except gnutls.Error as error:
2019
2393
logger.warning("GnuTLS bye failed",
2020
2394
exc_info=error)
2021
2395
2022
2396
@staticmethod
2023
2397
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2398
"Return the peer's certificate as a bytestring"
2399
try:
2400
cert_type = gnutls.certificate_type_get2(session._c_object,
2401
gnutls.CTYPE_PEERS)
2402
except AttributeError:
2403
cert_type = gnutls.certificate_type_get(session._c_object)
2404
if gnutls.has_rawpk:
2405
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2406
else:
2407
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2408
# If not a valid certificate type...
2409
if cert_type not in valid_cert_types:
2410
logger.info("Cert type %r not in %r", cert_type,
2411
valid_cert_types)
2412
# ...return invalid data
2413
return b""
2031
2414
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2415
cert_list = (gnutls.certificate_get_peers
2034
2416
(session._c_object, ctypes.byref(list_size)))
2035
2417
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2418
raise gnutls.Error("error getting peer certificate")
2038
2419
if list_size.value == 0:
2039
2420
return None
2040
2421
cert = cert_list[0]
2041
2422
return ctypes.string_at(cert.data, cert.size)
2042
2423
2424
@staticmethod
2425
def key_id(certificate):
2426
"Convert a certificate bytestring to a hexdigit key ID"
2427
# New GnuTLS "datum" with the public key
2428
datum = gnutls.datum_t(
2429
ctypes.cast(ctypes.c_char_p(certificate),
2430
ctypes.POINTER(ctypes.c_ubyte)),
2431
ctypes.c_uint(len(certificate)))
2432
# XXX all these need to be created in the gnutls "module"
2433
# New empty GnuTLS certificate
2434
pubkey = gnutls.pubkey_t()
2435
gnutls.pubkey_init(ctypes.byref(pubkey))
2436
# Import the raw public key into the certificate
2437
gnutls.pubkey_import(pubkey,
2438
ctypes.byref(datum),
2439
gnutls.X509_FMT_DER)
2440
# New buffer for the key ID
2441
buf = ctypes.create_string_buffer(32)
2442
buf_len = ctypes.c_size_t(len(buf))
2443
# Get the key ID from the raw public key into the buffer
2444
gnutls.pubkey_get_key_id(pubkey,
2445
gnutls.KEYID_USE_SHA256,
2446
ctypes.cast(ctypes.byref(buf),
2447
ctypes.POINTER(ctypes.c_ubyte)),
2448
ctypes.byref(buf_len))
2449
# Deinit the certificate
2450
gnutls.pubkey_deinit(pubkey)
2451
2452
# Convert the buffer to a Python bytestring
2453
key_id = ctypes.string_at(buf, buf_len.value)
2454
# Convert the bytestring to hexadecimal notation
2455
hex_key_id = binascii.hexlify(key_id).upper()
2456
return hex_key_id
2457
2043
2458
@staticmethod
2044
2459
def fingerprint(openpgp):
2045
2460
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2461
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2462
datum = gnutls.datum_t(
2048
2463
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2464
ctypes.POINTER(ctypes.c_ubyte)),
2050
2465
ctypes.c_uint(len(openpgp)))
2051
2466
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2467
crt = gnutls.openpgp_crt_t()
2468
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2469
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2470
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2471
gnutls.OPENPGP_FMT_RAW)
2059
2472
# Verify the self signature in the key
2060
2473
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2474
gnutls.openpgp_crt_verify_self(crt, 0,
2475
ctypes.byref(crtverify))
2063
2476
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2477
gnutls.openpgp_crt_deinit(crt)
2478
raise gnutls.CertificateSecurityError(code
2479
=crtverify.value)
2067
2480
# New buffer for the fingerprint
2068
2481
buf = ctypes.create_string_buffer(20)
2069
2482
buf_len = ctypes.c_size_t()
2070
2483
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2484
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2485
ctypes.byref(buf_len))
2073
2486
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2487
gnutls.openpgp_crt_deinit(crt)
2075
2488
# Convert the buffer to a Python bytestring
2076
2489
fpr = ctypes.string_at(buf, buf_len.value)
2077
2490
# Convert the bytestring to hexadecimal notation
2081
2494
2082
2495
class MultiprocessingMixIn(object):
2083
2496
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2497
2085
2498
def sub_process_main(self, request, address):
2086
2499
try:
2087
2500
self.finish_request(request, address)
2088
2501
except Exception:
2089
2502
self.handle_error(request, address)
2090
2503
self.close_request(request)
2091
2504
2092
2505
def process_request(self, request, address):
2093
2506
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2507
proc = multiprocessing.Process(target=self.sub_process_main,
2508
args=(request, address))
2096
2509
proc.start()
2097
2510
return proc
2098
2511
2099
2512
2100
2513
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2101
2514
""" adds a pipe to the MixIn """
2102
2515
2103
2516
def process_request(self, request, client_address):
2104
2517
"""Overrides and wraps the original process_request().
2105
2518
2106
2519
This function creates a new pipe in self.pipe
2107
2520
"""
2108
2521
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2522
2110
2523
proc = MultiprocessingMixIn.process_request(self, request,
2111
2524
client_address)
2112
2525
self.child_pipe.close()
2113
2526
self.add_pipe(parent_pipe, proc)
2114
2527
2115
2528
def add_pipe(self, parent_pipe, proc):
2116
2529
"""Dummy function; override as necessary"""
2117
2530
raise NotImplementedError()
2120
2533
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
2534
socketserver.TCPServer, object):
2122
2535
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2536
2124
2537
Attributes:
2125
2538
enabled: Boolean; whether this server is activated yet
2126
2539
interface: None or a network interface name (string)
2127
2540
use_ipv6: Boolean; to use IPv6 or not
2128
2541
"""
2129
2542
2130
2543
def __init__(self, server_address, RequestHandlerClass,
2131
2544
interface=None,
2132
2545
use_ipv6=True,
2142
2555
self.socketfd = socketfd
2143
2556
# Save the original socket.socket() function
2144
2557
self.socket_socket = socket.socket
2558
2145
2559
# To implement --socket, we monkey patch socket.socket.
2146
#
2560
#
2147
2561
# (When socketserver.TCPServer is a new-style class, we
2148
2562
# could make self.socket into a property instead of monkey
2149
2563
# patching socket.socket.)
2150
#
2564
#
2151
2565
# Create a one-time-only replacement for socket.socket()
2152
2566
@functools.wraps(socket.socket)
2153
2567
def socket_wrapper(*args, **kwargs):
2165
2579
# socket_wrapper(), if socketfd was set.
2166
2580
socketserver.TCPServer.__init__(self, server_address,
2167
2581
RequestHandlerClass)
2168
2582
2169
2583
def server_bind(self):
2170
2584
"""This overrides the normal server_bind() function
2171
2585
to bind to an interface if one was specified, and also NOT to
2172
2586
bind to an address or port if they were not specified."""
2587
global SO_BINDTODEVICE
2173
2588
if self.interface is not None:
2174
2589
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2590
# Fall back to a hard-coded value which seems to be
2591
# common enough.
2592
logger.warning("SO_BINDTODEVICE not found, trying 25")
2593
SO_BINDTODEVICE = 25
2594
try:
2595
self.socket.setsockopt(
2596
socket.SOL_SOCKET, SO_BINDTODEVICE,
2597
(self.interface + "\0").encode("utf-8"))
2598
except socket.error as error:
2599
if error.errno == errno.EPERM:
2600
logger.error("No permission to bind to"
2601
" interface %s", self.interface)
2602
elif error.errno == errno.ENOPROTOOPT:
2603
logger.error("SO_BINDTODEVICE not available;"
2604
" cannot bind to interface %s",
2605
self.interface)
2606
elif error.errno == errno.ENODEV:
2607
logger.error("Interface %s does not exist,"
2608
" cannot bind", self.interface)
2609
else:
2610
raise
2196
2611
# Only bind(2) the socket if we really need to.
2197
2612
if self.server_address[0] or self.server_address[1]:
2613
if self.server_address[1]:
2614
self.allow_reuse_address = True
2198
2615
if not self.server_address[0]:
2199
2616
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2617
any_address = "::" # in6addr_any
2201
2618
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2619
any_address = "0.0.0.0" # INADDR_ANY
2203
2620
self.server_address = (any_address,
2204
2621
self.server_address[1])
2205
2622
elif not self.server_address[1]:
2215
2632
2216
2633
class MandosServer(IPv6_TCPServer):
2217
2634
"""Mandos server.
2218
2635
2219
2636
Attributes:
2220
2637
clients: set of Client objects
2221
2638
gnutls_priority GnuTLS priority string
2222
2639
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2640
2641
Assumes a GLib.MainLoop event loop.
2225
2642
"""
2226
2643
2227
2644
def __init__(self, server_address, RequestHandlerClass,
2228
2645
interface=None,
2229
2646
use_ipv6=True,
2239
2656
self.gnutls_priority = gnutls_priority
2240
2657
IPv6_TCPServer.__init__(self, server_address,
2241
2658
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2659
interface=interface,
2660
use_ipv6=use_ipv6,
2661
socketfd=socketfd)
2662
2246
2663
def server_activate(self):
2247
2664
if self.enabled:
2248
2665
return socketserver.TCPServer.server_activate(self)
2249
2666
2250
2667
def enable(self):
2251
2668
self.enabled = True
2252
2669
2253
2670
def add_pipe(self, parent_pipe, proc):
2254
2671
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2672
GLib.io_add_watch(
2256
2673
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2674
GLib.IO_IN | GLib.IO_HUP,
2258
2675
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2676
parent_pipe=parent_pipe,
2677
proc=proc))
2678
2262
2679
def handle_ipc(self, source, condition,
2263
2680
parent_pipe=None,
2264
proc = None,
2681
proc=None,
2265
2682
client_object=None):
2266
2683
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2684
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2685
# Wait for other process to exit
2269
2686
proc.join()
2270
2687
return False
2271
2688
2272
2689
# Read a request from the child
2273
2690
request = parent_pipe.recv()
2274
2691
command = request[0]
2275
2692
2276
2693
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2694
key_id = request[1].decode("ascii")
2695
fpr = request[2].decode("ascii")
2696
address = request[3]
2697
2698
for c in self.clients.values():
2699
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2700
continue
2701
if key_id and c.key_id == key_id:
2702
client = c
2703
break
2704
if fpr and c.fingerprint == fpr:
2282
2705
client = c
2283
2706
break
2284
2707
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2708
logger.info("Client not found for key ID: %s, address"
2709
": %s", key_id or fpr, address)
2287
2710
if self.use_dbus:
2288
2711
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2712
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2713
address[0])
2291
2714
parent_pipe.send(False)
2292
2715
return False
2293
2294
gobject.io_add_watch(
2716
2717
GLib.io_add_watch(
2295
2718
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2719
GLib.IO_IN | GLib.IO_HUP,
2297
2720
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2721
parent_pipe=parent_pipe,
2722
proc=proc,
2723
client_object=client))
2301
2724
parent_pipe.send(True)
2302
2725
# remove the old hook in favor of the new above hook on
2303
2726
# same fileno
2306
2729
funcname = request[1]
2307
2730
args = request[2]
2308
2731
kwargs = request[3]
2309
2732
2310
2733
parent_pipe.send(('data', getattr(client_object,
2311
2734
funcname)(*args,
2312
2735
**kwargs)))
2313
2736
2314
2737
if command == 'getattr':
2315
2738
attrname = request[1]
2316
2739
if isinstance(client_object.__getattribute__(attrname),
2319
2742
else:
2320
2743
parent_pipe.send((
2321
2744
'data', client_object.__getattribute__(attrname)))
2322
2745
2323
2746
if command == 'setattr':
2324
2747
attrname = request[1]
2325
2748
value = request[2]
2326
2749
setattr(client_object, attrname, value)
2327
2750
2328
2751
return True
2329
2752
2330
2753
2331
2754
def rfc3339_duration_to_delta(duration):
2332
2755
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2756
2334
2757
>>> rfc3339_duration_to_delta("P7D")
2335
2758
datetime.timedelta(7)
2336
2759
>>> rfc3339_duration_to_delta("PT60S")
2346
2769
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
2770
datetime.timedelta(1, 200)
2348
2771
"""
2349
2772
2350
2773
# Parsing an RFC 3339 duration with regular expressions is not
2351
2774
# possible - there would have to be multiple places for the same
2352
2775
# values, like seconds. The current code, while more esoteric, is
2353
2776
# cleaner without depending on a parsing library. If Python had a
2354
2777
# built-in library for parsing we would use it, but we'd like to
2355
2778
# avoid excessive use of external libraries.
2356
2779
2357
2780
# New type for defining tokens, syntax, and semantics all-in-one
2358
2781
Token = collections.namedtuple("Token", (
2359
2782
"regexp", # To match token; if "value" is not None, must have
2392
2815
frozenset((token_year, token_month,
2393
2816
token_day, token_time,
2394
2817
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2818
# Define starting values:
2819
# Value so far
2820
value = datetime.timedelta()
2397
2821
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2822
# Following valid tokens
2823
followers = frozenset((token_duration, ))
2824
# String left to parse
2825
s = duration
2400
2826
# Loop until end token is found
2401
2827
while found_token is not token_end:
2402
2828
# Search for any currently valid tokens
2426
2852
2427
2853
def string_to_delta(interval):
2428
2854
"""Parse a string and return a datetime.timedelta
2429
2855
2430
2856
>>> string_to_delta('7d')
2431
2857
datetime.timedelta(7)
2432
2858
>>> string_to_delta('60s')
2440
2866
>>> string_to_delta('5m 30s')
2441
2867
datetime.timedelta(0, 330)
2442
2868
"""
2443
2869
2444
2870
try:
2445
2871
return rfc3339_duration_to_delta(interval)
2446
2872
except ValueError:
2447
2873
pass
2448
2874
2449
2875
timevalue = datetime.timedelta(0)
2450
2876
for s in interval.split():
2451
2877
try:
2469
2895
return timevalue
2470
2896
2471
2897
2472
def daemon(nochdir = False, noclose = False):
2898
def daemon(nochdir=False, noclose=False):
2473
2899
"""See daemon(3). Standard BSD Unix function.
2474
2900
2475
2901
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2902
if os.fork():
2477
2903
sys.exit()
2495
2921
2496
2922
2497
2923
def main():
2498
2924
2499
2925
##################################################################
2500
2926
# Parsing of options, both command line and config file
2501
2927
2502
2928
parser = argparse.ArgumentParser()
2503
2929
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2930
version="%(prog)s {}".format(version),
2505
2931
help="show version number and exit")
2506
2932
parser.add_argument("-i", "--interface", metavar="IF",
2507
2933
help="Bind to interface IF")
2543
2969
parser.add_argument("--no-zeroconf", action="store_false",
2544
2970
dest="zeroconf", help="Do not use Zeroconf",
2545
2971
default=None)
2546
2972
2547
2973
options = parser.parse_args()
2548
2974
2549
2975
if options.check:
2550
2976
import doctest
2551
2977
fail_count, test_count = doctest.testmod()
2552
2978
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2979
2554
2980
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2981
if gnutls.has_rawpk:
2982
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2983
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2984
else:
2985
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2986
":+SIGN-DSA-SHA256")
2987
server_defaults = {"interface": "",
2988
"address": "",
2989
"port": "",
2990
"debug": "False",
2991
"priority": priority,
2992
"servicename": "Mandos",
2993
"use_dbus": "True",
2994
"use_ipv6": "True",
2995
"debuglevel": "",
2996
"restore": "True",
2997
"socket": "",
2998
"statedir": "/var/lib/mandos",
2999
"foreground": "False",
3000
"zeroconf": "True",
3001
}
3002
del priority
3003
2573
3004
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3005
server_config = configparser.ConfigParser(server_defaults)
2575
3006
del server_defaults
2576
3007
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3008
# Convert the ConfigParser object to a dict
2578
3009
server_settings = server_config.defaults()
2579
3010
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3011
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3012
"foreground", "zeroconf"):
2581
3013
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3014
option)
2583
3015
if server_settings["port"]:
2593
3025
server_settings["socket"] = os.dup(server_settings
2594
3026
["socket"])
2595
3027
del server_config
2596
3028
2597
3029
# Override the settings from the config file with command line
2598
3030
# options, if set.
2599
3031
for option in ("interface", "address", "port", "debug",
2617
3049
if server_settings["debug"]:
2618
3050
server_settings["foreground"] = True
2619
3051
# Now we have our good server settings in "server_settings"
2620
3052
2621
3053
##################################################################
2622
3054
2623
3055
if (not server_settings["zeroconf"]
2624
3056
and not (server_settings["port"]
2625
3057
or server_settings["socket"] != "")):
2626
3058
parser.error("Needs port or socket to work without Zeroconf")
2627
3059
2628
3060
# For convenience
2629
3061
debug = server_settings["debug"]
2630
3062
debuglevel = server_settings["debuglevel"]
2634
3066
stored_state_file)
2635
3067
foreground = server_settings["foreground"]
2636
3068
zeroconf = server_settings["zeroconf"]
2637
3069
2638
3070
if debug:
2639
3071
initlogger(debug, logging.DEBUG)
2640
3072
else:
2643
3075
else:
2644
3076
level = getattr(logging, debuglevel.upper())
2645
3077
initlogger(debug, level)
2646
3078
2647
3079
if server_settings["servicename"] != "Mandos":
2648
3080
syslogger.setFormatter(
2649
3081
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3082
' %(levelname)s: %(message)s'.format(
2651
3083
server_settings["servicename"])))
2652
3084
2653
3085
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3086
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3087
client_config.read(os.path.join(server_settings["configdir"],
2657
3088
"clients.conf"))
2658
3089
2659
3090
global mandos_dbus_service
2660
3091
mandos_dbus_service = None
2661
3092
2662
3093
socketfd = None
2663
3094
if server_settings["socket"] != "":
2664
3095
socketfd = server_settings["socket"]
2680
3111
except IOError as e:
2681
3112
logger.error("Could not open file %r", pidfilename,
2682
3113
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3114
3115
for name, group in (("_mandos", "_mandos"),
3116
("mandos", "mandos"),
3117
("nobody", "nogroup")):
2685
3118
try:
2686
3119
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3120
gid = pwd.getpwnam(group).pw_gid
2688
3121
break
2689
3122
except KeyError:
2690
3123
continue
2694
3127
try:
2695
3128
os.setgid(gid)
2696
3129
os.setuid(uid)
3130
if debug:
3131
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3132
gid))
2697
3133
except OSError as error:
3134
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3135
.format(uid, gid, os.strerror(error.errno)))
2698
3136
if error.errno != errno.EPERM:
2699
3137
raise
2700
3138
2701
3139
if debug:
2702
3140
# Enable all possible GnuTLS debugging
2703
3141
2704
3142
# "Use a log level over 10 to enable all debugging options."
2705
3143
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3144
gnutls.global_set_log_level(11)
3145
3146
@gnutls.log_func
2709
3147
def debug_gnutls(level, string):
2710
3148
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3149
3150
gnutls.global_set_log_function(debug_gnutls)
3151
2715
3152
# Redirect stdin so all checkers get /dev/null
2716
3153
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3154
os.dup2(null, sys.stdin.fileno())
2718
3155
if null > 2:
2719
3156
os.close(null)
2720
3157
2721
3158
# Need to fork before connecting to D-Bus
2722
3159
if not foreground:
2723
3160
# Close all input and output, do double fork, etc.
2724
3161
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3162
3163
if gi.version_info < (3, 10, 2):
3164
# multiprocessing will use threads, so before we use GLib we
3165
# need to inform GLib that threads will be used.
3166
GLib.threads_init()
3167
2730
3168
global main_loop
2731
3169
# From the Avahi example code
2732
3170
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3171
main_loop = GLib.MainLoop()
2734
3172
bus = dbus.SystemBus()
2735
3173
# End of Avahi example code
2736
3174
if use_dbus:
2749
3187
if zeroconf:
2750
3188
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3189
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3190
name=server_settings["servicename"],
3191
servicetype="_mandos._tcp",
3192
protocol=protocol,
3193
bus=bus)
2756
3194
if server_settings["interface"]:
2757
3195
service.interface = if_nametoindex(
2758
3196
server_settings["interface"].encode("utf-8"))
2759
3197
2760
3198
global multiprocessing_manager
2761
3199
multiprocessing_manager = multiprocessing.Manager()
2762
3200
2763
3201
client_class = Client
2764
3202
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3203
client_class = functools.partial(ClientDBus, bus=bus)
3204
2767
3205
client_settings = Client.config_parser(client_config)
2768
3206
old_client_settings = {}
2769
3207
clients_data = {}
2770
3208
2771
3209
# This is used to redirect stdout and stderr for checker processes
2772
3210
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3211
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3212
# Only used if server is running in foreground but not in debug
2775
3213
# mode
2776
3214
if debug or not foreground:
2777
3215
wnull.close()
2778
3216
2779
3217
# Get client data and settings from last running state.
2780
3218
if server_settings["restore"]:
2781
3219
try:
2782
3220
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3221
if sys.version_info.major == 2:
3222
clients_data, old_client_settings = pickle.load(
3223
stored_state)
3224
else:
3225
bytes_clients_data, bytes_old_client_settings = (
3226
pickle.load(stored_state, encoding="bytes"))
3227
# Fix bytes to strings
3228
# clients_data
3229
# .keys()
3230
clients_data = {(key.decode("utf-8")
3231
if isinstance(key, bytes)
3232
else key): value
3233
for key, value in
3234
bytes_clients_data.items()}
3235
del bytes_clients_data
3236
for key in clients_data:
3237
value = {(k.decode("utf-8")
3238
if isinstance(k, bytes) else k): v
3239
for k, v in
3240
clients_data[key].items()}
3241
clients_data[key] = value
3242
# .client_structure
3243
value["client_structure"] = [
3244
(s.decode("utf-8")
3245
if isinstance(s, bytes)
3246
else s) for s in
3247
value["client_structure"]]
3248
# .name & .host
3249
for k in ("name", "host"):
3250
if isinstance(value[k], bytes):
3251
value[k] = value[k].decode("utf-8")
3252
if "key_id" not in value:
3253
value["key_id"] = ""
3254
elif "fingerprint" not in value:
3255
value["fingerprint"] = ""
3256
# old_client_settings
3257
# .keys()
3258
old_client_settings = {
3259
(key.decode("utf-8")
3260
if isinstance(key, bytes)
3261
else key): value
3262
for key, value in
3263
bytes_old_client_settings.items()}
3264
del bytes_old_client_settings
3265
# .host
3266
for value in old_client_settings.values():
3267
if isinstance(value["host"], bytes):
3268
value["host"] = (value["host"]
3269
.decode("utf-8"))
2785
3270
os.remove(stored_state_path)
2786
3271
except IOError as e:
2787
3272
if e.errno == errno.ENOENT:
2795
3280
logger.warning("Could not load persistent state: "
2796
3281
"EOFError:",
2797
3282
exc_info=e)
2798
3283
2799
3284
with PGPEngine() as pgp:
2800
3285
for client_name, client in clients_data.items():
2801
3286
# Skip removed clients
2802
3287
if client_name not in client_settings:
2803
3288
continue
2804
3289
2805
3290
# Decide which value to use after restoring saved state.
2806
3291
# We have three different values: Old config file,
2807
3292
# new config file, and saved state.
2818
3303
client[name] = value
2819
3304
except KeyError:
2820
3305
pass
2821
3306
2822
3307
# Clients who has passed its expire date can still be
2823
3308
# enabled if its last checker was successful. A Client
2824
3309
# whose checker succeeded before we stored its state is
2857
3342
client_name))
2858
3343
client["secret"] = (client_settings[client_name]
2859
3344
["secret"])
2860
3345
2861
3346
# Add/remove clients based on new changes made to config
2862
3347
for client_name in (set(old_client_settings)
2863
3348
- set(client_settings)):
2865
3350
for client_name in (set(client_settings)
2866
3351
- set(old_client_settings)):
2867
3352
clients_data[client_name] = client_settings[client_name]
2868
3353
2869
3354
# Create all client objects
2870
3355
for client_name, client in clients_data.items():
2871
3356
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3357
name=client_name,
3358
settings=client,
3359
server_settings=server_settings)
3360
2876
3361
if not tcp_server.clients:
2877
3362
logger.warning("No clients defined")
2878
3363
2879
3364
if not foreground:
2880
3365
if pidfile is not None:
2881
3366
pid = os.getpid()
2887
3372
pidfilename, pid)
2888
3373
del pidfile
2889
3374
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3375
3376
for termsig in (signal.SIGHUP, signal.SIGTERM):
3377
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3378
lambda: main_loop.quit() and False)
3379
2894
3380
if use_dbus:
2895
3381
2896
3382
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3383
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3384
class MandosDBusService(DBusObjectWithObjectManager):
2899
3385
"""A D-Bus proxy object"""
2900
3386
2901
3387
def __init__(self):
2902
3388
dbus.service.Object.__init__(self, bus, "/")
2903
3389
2904
3390
_interface = "se.recompile.Mandos"
2905
3391
2906
3392
@dbus.service.signal(_interface, signature="o")
2907
3393
def ClientAdded(self, objpath):
2908
3394
"D-Bus signal"
2909
3395
pass
2910
3396
2911
3397
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3398
def ClientNotFound(self, key_id, address):
2913
3399
"D-Bus signal"
2914
3400
pass
2915
3401
2916
3402
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3403
"true"})
2918
3404
@dbus.service.signal(_interface, signature="os")
2919
3405
def ClientRemoved(self, objpath, name):
2920
3406
"D-Bus signal"
2921
3407
pass
2922
3408
2923
3409
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3410
"true"})
2925
3411
@dbus.service.method(_interface, out_signature="ao")
2926
3412
def GetAllClients(self):
2927
3413
"D-Bus method"
2928
3414
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3415
tcp_server.clients.values())
3416
2931
3417
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3418
"true"})
2933
3419
@dbus.service.method(_interface,
2935
3421
def GetAllClientsWithProperties(self):
2936
3422
"D-Bus method"
2937
3423
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3424
{c.dbus_object_path: c.GetAll(
2939
3425
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3426
for c in tcp_server.clients.values()},
2941
3427
signature="oa{sv}")
2942
3428
2943
3429
@dbus.service.method(_interface, in_signature="o")
2944
3430
def RemoveClient(self, object_path):
2945
3431
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3432
for c in tcp_server.clients.values():
2947
3433
if c.dbus_object_path == object_path:
2948
3434
del tcp_server.clients[c.name]
2949
3435
c.remove_from_connection()
2953
3439
self.client_removed_signal(c)
2954
3440
return
2955
3441
raise KeyError(object_path)
2956
3442
2957
3443
del _interface
2958
3444
2959
3445
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3446
out_signature="a{oa{sa{sv}}}")
2961
3447
def GetManagedObjects(self):
2962
3448
"""D-Bus method"""
2963
3449
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3450
{client.dbus_object_path:
3451
dbus.Dictionary(
3452
{interface: client.GetAll(interface)
3453
for interface in
3454
client._get_all_interface_names()})
3455
for client in tcp_server.clients.values()})
3456
2971
3457
def client_added_signal(self, client):
2972
3458
"""Send the new standard signal and the old signal"""
2973
3459
if use_dbus:
2975
3461
self.InterfacesAdded(
2976
3462
client.dbus_object_path,
2977
3463
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3464
{interface: client.GetAll(interface)
3465
for interface in
3466
client._get_all_interface_names()}))
2981
3467
# Old signal
2982
3468
self.ClientAdded(client.dbus_object_path)
2983
3469
2984
3470
def client_removed_signal(self, client):
2985
3471
"""Send the new standard signal and the old signal"""
2986
3472
if use_dbus:
2991
3477
# Old signal
2992
3478
self.ClientRemoved(client.dbus_object_path,
2993
3479
client.name)
2994
3480
2995
3481
mandos_dbus_service = MandosDBusService()
2996
3482
3483
# Save modules to variables to exempt the modules from being
3484
# unloaded before the function registered with atexit() is run.
3485
mp = multiprocessing
3486
wn = wnull
3487
2997
3488
def cleanup():
2998
3489
"Cleanup function; run on exit"
2999
3490
if zeroconf:
3000
3491
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3492
3493
mp.active_children()
3494
wn.close()
3004
3495
if not (tcp_server.clients or client_settings):
3005
3496
return
3006
3497
3007
3498
# Store client before exiting. Secrets are encrypted with key
3008
3499
# based on what config file has. If config file is
3009
3500
# removed/edited, old secret will thus be unrecovable.
3010
3501
clients = {}
3011
3502
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3503
for client in tcp_server.clients.values():
3013
3504
key = client_settings[client.name]["secret"]
3014
3505
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3506
key)
3016
3507
client_dict = {}
3017
3508
3018
3509
# A list of attributes that can not be pickled
3019
3510
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3511
exclude = {"bus", "changedstate", "secret",
3512
"checker", "server_settings"}
3022
3513
for name, typ in inspect.getmembers(dbus.service
3023
3514
.Object):
3024
3515
exclude.add(name)
3025
3516
3026
3517
client_dict["encrypted_secret"] = (client
3027
3518
.encrypted_secret)
3028
3519
for attr in client.client_structure:
3029
3520
if attr not in exclude:
3030
3521
client_dict[attr] = getattr(client, attr)
3031
3522
3032
3523
clients[client.name] = client_dict
3033
3524
del client_settings[client.name]["secret"]
3034
3525
3035
3526
try:
3036
3527
with tempfile.NamedTemporaryFile(
3037
3528
mode='wb',
3039
3530
prefix='clients-',
3040
3531
dir=os.path.dirname(stored_state_path),
3041
3532
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3533
pickle.dump((clients, client_settings), stored_state,
3534
protocol=2)
3043
3535
tempname = stored_state.name
3044
3536
os.rename(tempname, stored_state_path)
3045
3537
except (IOError, OSError) as e:
3055
3547
logger.warning("Could not save persistent state:",
3056
3548
exc_info=e)
3057
3549
raise
3058
3550
3059
3551
# Delete all clients, and settings from config
3060
3552
while tcp_server.clients:
3061
3553
name, client = tcp_server.clients.popitem()
3064
3556
# Don't signal the disabling
3065
3557
client.disable(quiet=True)
3066
3558
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3559
if use_dbus:
3560
mandos_dbus_service.client_removed_signal(client)
3068
3561
client_settings.clear()
3069
3562
3070
3563
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3564
3565
for client in tcp_server.clients.values():
3073
3566
if use_dbus:
3074
3567
# Emit D-Bus signal for adding
3075
3568
mandos_dbus_service.client_added_signal(client)
3076
3569
# Need to initiate checking of clients
3077
3570
if client.enabled:
3078
3571
client.init_checker()
3079
3572
3080
3573
tcp_server.enable()
3081
3574
tcp_server.server_activate()
3082
3575
3083
3576
# Find out what port we got
3084
3577
if zeroconf:
3085
3578
service.port = tcp_server.socket.getsockname()[1]
3090
3583
else: # IPv4
3091
3584
logger.info("Now listening on address %r, port %d",
3092
3585
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3586
3587
# service.interface = tcp_server.socket.getsockname()[3]
3588
3096
3589
try:
3097
3590
if zeroconf:
3098
3591
# From the Avahi example code
3103
3596
cleanup()
3104
3597
sys.exit(1)
3105
3598
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3599
3600
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3601
lambda *args, **kwargs:
3602
(tcp_server.handle_request
3603
(*args[2:], **kwargs) or True))
3604
3112
3605
logger.debug("Starting main loop")
3113
3606
main_loop.run()
3114
3607
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0