To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1156
- compare with another revision
- download diff
- download tarball
- view history from revision 1156
- Committer: Teddy Hogeborn
- Date: 2019-08-16 19:32:47 UTC
- Revision ID: teddy@recompile.se-20190816193247-3swy47ofqe7cr1i0
From: Grégoire Scano <gregoire.scano@malloc.fr>
Add French debconf translation
* debian/po/fr.po: New.
Acked-by: Teddy Hogeborn <teddy@recompile.se>
Add French debconf translation
* debian/po/fr.po: New.
Acked-by: Teddy Hogeborn <teddy@recompile.se>
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
82
80
83
81
import dbus
84
82
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
83
import gi
84
from gi.repository import GLib
90
85
from dbus.mainloop.glib import DBusGMainLoop
91
86
import ctypes
92
87
import ctypes.util
93
88
import xml.dom.minidom
94
89
import inspect
95
90
91
if sys.version_info.major == 2:
92
__metaclass__ = type
93
94
# Try to find the value of SO_BINDTODEVICE:
96
95
try:
96
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
97
# newer, and it is also the most natural place for it:
97
98
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
99
except AttributeError:
99
100
try:
101
# This is where SO_BINDTODEVICE was up to and including Python
102
# 2.6, and also 3.2:
100
103
from IN import SO_BINDTODEVICE
101
104
except ImportError:
102
SO_BINDTODEVICE = None
105
# In Python 2.7 it seems to have been removed entirely.
106
# Try running the C preprocessor:
107
try:
108
cc = subprocess.Popen(["cc", "--language=c", "-E",
109
"/dev/stdin"],
110
stdin=subprocess.PIPE,
111
stdout=subprocess.PIPE)
112
stdout = cc.communicate(
113
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
114
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
115
except (OSError, ValueError, IndexError):
116
# No value found
117
SO_BINDTODEVICE = None
103
118
104
119
if sys.version_info.major == 2:
105
120
str = unicode
106
121
107
version = "1.7.0"
122
if sys.version_info < (3, 2):
123
configparser.Configparser = configparser.SafeConfigParser
124
125
version = "1.8.7"
108
126
stored_state_file = "clients.pickle"
109
127
110
128
logger = logging.getLogger()
114
132
if_nametoindex = ctypes.cdll.LoadLibrary(
115
133
ctypes.util.find_library("c")).if_nametoindex
116
134
except (OSError, AttributeError):
117
135
118
136
def if_nametoindex(interface):
119
137
"Get an interface index the hard way, i.e. using fcntl()"
120
138
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
143
return interface_index
126
144
127
145
146
def copy_function(func):
147
"""Make a copy of a function"""
148
if sys.version_info.major == 2:
149
return types.FunctionType(func.func_code,
150
func.func_globals,
151
func.func_name,
152
func.func_defaults,
153
func.func_closure)
154
else:
155
return types.FunctionType(func.__code__,
156
func.__globals__,
157
func.__name__,
158
func.__defaults__,
159
func.__closure__)
160
161
128
162
def initlogger(debug, level=logging.WARNING):
129
163
"""init logger and add loglevel"""
130
164
131
165
global syslogger
132
166
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
167
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
168
address="/dev/log"))
135
169
syslogger.setFormatter(logging.Formatter
136
170
('Mandos [%(process)d]: %(levelname)s:'
137
171
' %(message)s'))
138
172
logger.addHandler(syslogger)
139
173
140
174
if debug:
141
175
console = logging.StreamHandler()
142
176
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
186
pass
153
187
154
188
155
class PGPEngine(object):
189
class PGPEngine:
156
190
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
191
158
192
def __init__(self):
159
193
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
194
self.gpg = "gpg"
195
try:
196
output = subprocess.check_output(["gpgconf"])
197
for line in output.splitlines():
198
name, text, path = line.split(b":")
199
if name == "gpg":
200
self.gpg = path
201
break
202
except OSError as e:
203
if e.errno != errno.ENOENT:
204
raise
160
205
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
206
'--homedir', self.tempdir,
162
207
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
208
'--quiet']
209
# Only GPG version 1 has the --no-use-agent option.
210
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
211
self.gnupgargs.append("--no-use-agent")
212
166
213
def __enter__(self):
167
214
return self
168
215
169
216
def __exit__(self, exc_type, exc_value, traceback):
170
217
self._cleanup()
171
218
return False
172
219
173
220
def __del__(self):
174
221
self._cleanup()
175
222
176
223
def _cleanup(self):
177
224
if self.tempdir is not None:
178
225
# Delete contents of tempdir
179
226
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
227
topdown=False):
181
228
for filename in files:
182
229
os.remove(os.path.join(root, filename))
183
230
for dirname in dirs:
185
232
# Remove tempdir
186
233
os.rmdir(self.tempdir)
187
234
self.tempdir = None
188
235
189
236
def password_encode(self, password):
190
237
# Passphrase can not be empty and can not contain newlines or
191
238
# NUL bytes. So we prefix it and hex encode it.
196
243
.replace(b"\n", b"\\n")
197
244
.replace(b"\0", b"\\x00"))
198
245
return encoded
199
246
200
247
def encrypt(self, data, password):
201
248
passphrase = self.password_encode(password)
202
249
with tempfile.NamedTemporaryFile(
203
250
dir=self.tempdir) as passfile:
204
251
passfile.write(passphrase)
205
252
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
253
proc = subprocess.Popen([self.gpg, '--symmetric',
207
254
'--passphrase-file',
208
255
passfile.name]
209
256
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
257
stdin=subprocess.PIPE,
258
stdout=subprocess.PIPE,
259
stderr=subprocess.PIPE)
260
ciphertext, err = proc.communicate(input=data)
214
261
if proc.returncode != 0:
215
262
raise PGPError(err)
216
263
return ciphertext
217
264
218
265
def decrypt(self, data, password):
219
266
passphrase = self.password_encode(password)
220
267
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
268
dir=self.tempdir) as passfile:
222
269
passfile.write(passphrase)
223
270
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
271
proc = subprocess.Popen([self.gpg, '--decrypt',
225
272
'--passphrase-file',
226
273
passfile.name]
227
274
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
275
stdin=subprocess.PIPE,
276
stdout=subprocess.PIPE,
277
stderr=subprocess.PIPE)
278
decrypted_plaintext, err = proc.communicate(input=data)
232
279
if proc.returncode != 0:
233
280
raise PGPError(err)
234
281
return decrypted_plaintext
235
282
236
283
284
# Pretend that we have an Avahi module
285
class avahi:
286
"""This isn't so much a class as it is a module-like namespace."""
287
IF_UNSPEC = -1 # avahi-common/address.h
288
PROTO_UNSPEC = -1 # avahi-common/address.h
289
PROTO_INET = 0 # avahi-common/address.h
290
PROTO_INET6 = 1 # avahi-common/address.h
291
DBUS_NAME = "org.freedesktop.Avahi"
292
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
293
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
294
DBUS_PATH_SERVER = "/"
295
296
@staticmethod
297
def string_array_to_txt_array(t):
298
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
299
for s in t), signature="ay")
300
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
301
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
302
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
303
SERVER_INVALID = 0 # avahi-common/defs.h
304
SERVER_REGISTERING = 1 # avahi-common/defs.h
305
SERVER_RUNNING = 2 # avahi-common/defs.h
306
SERVER_COLLISION = 3 # avahi-common/defs.h
307
SERVER_FAILURE = 4 # avahi-common/defs.h
308
309
237
310
class AvahiError(Exception):
238
311
def __init__(self, value, *args, **kwargs):
239
312
self.value = value
249
322
pass
250
323
251
324
252
class AvahiService(object):
325
class AvahiService:
253
326
"""An Avahi (Zeroconf) service.
254
327
255
328
Attributes:
256
329
interface: integer; avahi.IF_UNSPEC or an interface index.
257
330
Used to optionally bind to the specified interface.
269
342
server: D-Bus Server
270
343
bus: dbus.SystemBus()
271
344
"""
272
345
273
346
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
347
interface=avahi.IF_UNSPEC,
348
name=None,
349
servicetype=None,
350
port=None,
351
TXT=None,
352
domain="",
353
host="",
354
max_renames=32768,
355
protocol=avahi.PROTO_UNSPEC,
356
bus=None):
284
357
self.interface = interface
285
358
self.name = name
286
359
self.type = servicetype
295
368
self.server = None
296
369
self.bus = bus
297
370
self.entry_group_state_changed_match = None
298
371
299
372
def rename(self, remove=True):
300
373
"""Derived from the Avahi example code"""
301
374
if self.rename_count >= self.max_renames:
321
394
logger.critical("D-Bus Exception", exc_info=error)
322
395
self.cleanup()
323
396
os._exit(1)
324
397
325
398
def remove(self):
326
399
"""Derived from the Avahi example code"""
327
400
if self.entry_group_state_changed_match is not None:
329
402
self.entry_group_state_changed_match = None
330
403
if self.group is not None:
331
404
self.group.Reset()
332
405
333
406
def add(self):
334
407
"""Derived from the Avahi example code"""
335
408
self.remove()
352
425
dbus.UInt16(self.port),
353
426
avahi.string_array_to_txt_array(self.TXT))
354
427
self.group.Commit()
355
428
356
429
def entry_group_state_changed(self, state, error):
357
430
"""Derived from the Avahi example code"""
358
431
logger.debug("Avahi entry group state change: %i", state)
359
432
360
433
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
434
logger.debug("Zeroconf service established.")
362
435
elif state == avahi.ENTRY_GROUP_COLLISION:
366
439
logger.critical("Avahi: Error in group state changed %s",
367
440
str(error))
368
441
raise AvahiGroupError("State changed: {!s}".format(error))
369
442
370
443
def cleanup(self):
371
444
"""Derived from the Avahi example code"""
372
445
if self.group is not None:
377
450
pass
378
451
self.group = None
379
452
self.remove()
380
453
381
454
def server_state_changed(self, state, error=None):
382
455
"""Derived from the Avahi example code"""
383
456
logger.debug("Avahi server state change: %i", state)
412
485
logger.debug("Unknown state: %r", state)
413
486
else:
414
487
logger.debug("Unknown state: %r: %r", state, error)
415
488
416
489
def activate(self):
417
490
"""Derived from the Avahi example code"""
418
491
if self.server is None:
429
502
class AvahiServiceToSyslog(AvahiService):
430
503
def rename(self, *args, **kwargs):
431
504
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
505
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
506
syslogger.setFormatter(logging.Formatter(
434
507
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
508
.format(self.name)))
436
509
return ret
437
510
511
512
# Pretend that we have a GnuTLS module
513
class gnutls:
514
"""This isn't so much a class as it is a module-like namespace."""
515
516
library = ctypes.util.find_library("gnutls")
517
if library is None:
518
library = ctypes.util.find_library("gnutls-deb0")
519
_library = ctypes.cdll.LoadLibrary(library)
520
del library
521
522
# Unless otherwise indicated, the constants and types below are
523
# all from the gnutls/gnutls.h C header file.
524
525
# Constants
526
E_SUCCESS = 0
527
E_INTERRUPTED = -52
528
E_AGAIN = -28
529
CRT_OPENPGP = 2
530
CRT_RAWPK = 3
531
CLIENT = 2
532
SHUT_RDWR = 0
533
CRD_CERTIFICATE = 1
534
E_NO_CERTIFICATE_FOUND = -49
535
X509_FMT_DER = 0
536
NO_TICKETS = 1<<10
537
ENABLE_RAWPK = 1<<18
538
CTYPE_PEERS = 3
539
KEYID_USE_SHA256 = 1 # gnutls/x509.h
540
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
541
542
# Types
543
class session_int(ctypes.Structure):
544
_fields_ = []
545
session_t = ctypes.POINTER(session_int)
546
547
class certificate_credentials_st(ctypes.Structure):
548
_fields_ = []
549
certificate_credentials_t = ctypes.POINTER(
550
certificate_credentials_st)
551
certificate_type_t = ctypes.c_int
552
553
class datum_t(ctypes.Structure):
554
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
555
('size', ctypes.c_uint)]
556
557
class openpgp_crt_int(ctypes.Structure):
558
_fields_ = []
559
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
560
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
561
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
562
credentials_type_t = ctypes.c_int
563
transport_ptr_t = ctypes.c_void_p
564
close_request_t = ctypes.c_int
565
566
# Exceptions
567
class Error(Exception):
568
def __init__(self, message=None, code=None, args=()):
569
# Default usage is by a message string, but if a return
570
# code is passed, convert it to a string with
571
# gnutls.strerror()
572
self.code = code
573
if message is None and code is not None:
574
message = gnutls.strerror(code)
575
return super(gnutls.Error, self).__init__(
576
message, *args)
577
578
class CertificateSecurityError(Error):
579
pass
580
581
# Classes
582
class Credentials:
583
def __init__(self):
584
self._c_object = gnutls.certificate_credentials_t()
585
gnutls.certificate_allocate_credentials(
586
ctypes.byref(self._c_object))
587
self.type = gnutls.CRD_CERTIFICATE
588
589
def __del__(self):
590
gnutls.certificate_free_credentials(self._c_object)
591
592
class ClientSession:
593
def __init__(self, socket, credentials=None):
594
self._c_object = gnutls.session_t()
595
gnutls_flags = gnutls.CLIENT
596
if gnutls.check_version(b"3.5.6"):
597
gnutls_flags |= gnutls.NO_TICKETS
598
if gnutls.has_rawpk:
599
gnutls_flags |= gnutls.ENABLE_RAWPK
600
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
601
del gnutls_flags
602
gnutls.set_default_priority(self._c_object)
603
gnutls.transport_set_ptr(self._c_object, socket.fileno())
604
gnutls.handshake_set_private_extensions(self._c_object,
605
True)
606
self.socket = socket
607
if credentials is None:
608
credentials = gnutls.Credentials()
609
gnutls.credentials_set(self._c_object, credentials.type,
610
ctypes.cast(credentials._c_object,
611
ctypes.c_void_p))
612
self.credentials = credentials
613
614
def __del__(self):
615
gnutls.deinit(self._c_object)
616
617
def handshake(self):
618
return gnutls.handshake(self._c_object)
619
620
def send(self, data):
621
data = bytes(data)
622
data_len = len(data)
623
while data_len > 0:
624
data_len -= gnutls.record_send(self._c_object,
625
data[-data_len:],
626
data_len)
627
628
def bye(self):
629
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
630
631
# Error handling functions
632
def _error_code(result):
633
"""A function to raise exceptions on errors, suitable
634
for the 'restype' attribute on ctypes functions"""
635
if result >= 0:
636
return result
637
if result == gnutls.E_NO_CERTIFICATE_FOUND:
638
raise gnutls.CertificateSecurityError(code=result)
639
raise gnutls.Error(code=result)
640
641
def _retry_on_error(result, func, arguments):
642
"""A function to retry on some errors, suitable
643
for the 'errcheck' attribute on ctypes functions"""
644
while result < 0:
645
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
646
return _error_code(result)
647
result = func(*arguments)
648
return result
649
650
# Unless otherwise indicated, the function declarations below are
651
# all from the gnutls/gnutls.h C header file.
652
653
# Functions
654
priority_set_direct = _library.gnutls_priority_set_direct
655
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
656
ctypes.POINTER(ctypes.c_char_p)]
657
priority_set_direct.restype = _error_code
658
659
init = _library.gnutls_init
660
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
661
init.restype = _error_code
662
663
set_default_priority = _library.gnutls_set_default_priority
664
set_default_priority.argtypes = [session_t]
665
set_default_priority.restype = _error_code
666
667
record_send = _library.gnutls_record_send
668
record_send.argtypes = [session_t, ctypes.c_void_p,
669
ctypes.c_size_t]
670
record_send.restype = ctypes.c_ssize_t
671
record_send.errcheck = _retry_on_error
672
673
certificate_allocate_credentials = (
674
_library.gnutls_certificate_allocate_credentials)
675
certificate_allocate_credentials.argtypes = [
676
ctypes.POINTER(certificate_credentials_t)]
677
certificate_allocate_credentials.restype = _error_code
678
679
certificate_free_credentials = (
680
_library.gnutls_certificate_free_credentials)
681
certificate_free_credentials.argtypes = [
682
certificate_credentials_t]
683
certificate_free_credentials.restype = None
684
685
handshake_set_private_extensions = (
686
_library.gnutls_handshake_set_private_extensions)
687
handshake_set_private_extensions.argtypes = [session_t,
688
ctypes.c_int]
689
handshake_set_private_extensions.restype = None
690
691
credentials_set = _library.gnutls_credentials_set
692
credentials_set.argtypes = [session_t, credentials_type_t,
693
ctypes.c_void_p]
694
credentials_set.restype = _error_code
695
696
strerror = _library.gnutls_strerror
697
strerror.argtypes = [ctypes.c_int]
698
strerror.restype = ctypes.c_char_p
699
700
certificate_type_get = _library.gnutls_certificate_type_get
701
certificate_type_get.argtypes = [session_t]
702
certificate_type_get.restype = _error_code
703
704
certificate_get_peers = _library.gnutls_certificate_get_peers
705
certificate_get_peers.argtypes = [session_t,
706
ctypes.POINTER(ctypes.c_uint)]
707
certificate_get_peers.restype = ctypes.POINTER(datum_t)
708
709
global_set_log_level = _library.gnutls_global_set_log_level
710
global_set_log_level.argtypes = [ctypes.c_int]
711
global_set_log_level.restype = None
712
713
global_set_log_function = _library.gnutls_global_set_log_function
714
global_set_log_function.argtypes = [log_func]
715
global_set_log_function.restype = None
716
717
deinit = _library.gnutls_deinit
718
deinit.argtypes = [session_t]
719
deinit.restype = None
720
721
handshake = _library.gnutls_handshake
722
handshake.argtypes = [session_t]
723
handshake.restype = _error_code
724
handshake.errcheck = _retry_on_error
725
726
transport_set_ptr = _library.gnutls_transport_set_ptr
727
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
728
transport_set_ptr.restype = None
729
730
bye = _library.gnutls_bye
731
bye.argtypes = [session_t, close_request_t]
732
bye.restype = _error_code
733
bye.errcheck = _retry_on_error
734
735
check_version = _library.gnutls_check_version
736
check_version.argtypes = [ctypes.c_char_p]
737
check_version.restype = ctypes.c_char_p
738
739
_need_version = b"3.3.0"
740
if check_version(_need_version) is None:
741
raise self.Error("Needs GnuTLS {} or later"
742
.format(_need_version))
743
744
_tls_rawpk_version = b"3.6.6"
745
has_rawpk = bool(check_version(_tls_rawpk_version))
746
747
if has_rawpk:
748
# Types
749
class pubkey_st(ctypes.Structure):
750
_fields = []
751
pubkey_t = ctypes.POINTER(pubkey_st)
752
753
x509_crt_fmt_t = ctypes.c_int
754
755
# All the function declarations below are from gnutls/abstract.h
756
pubkey_init = _library.gnutls_pubkey_init
757
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
758
pubkey_init.restype = _error_code
759
760
pubkey_import = _library.gnutls_pubkey_import
761
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
762
x509_crt_fmt_t]
763
pubkey_import.restype = _error_code
764
765
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
766
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
767
ctypes.POINTER(ctypes.c_ubyte),
768
ctypes.POINTER(ctypes.c_size_t)]
769
pubkey_get_key_id.restype = _error_code
770
771
pubkey_deinit = _library.gnutls_pubkey_deinit
772
pubkey_deinit.argtypes = [pubkey_t]
773
pubkey_deinit.restype = None
774
else:
775
# All the function declarations below are from gnutls/openpgp.h
776
777
openpgp_crt_init = _library.gnutls_openpgp_crt_init
778
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
779
openpgp_crt_init.restype = _error_code
780
781
openpgp_crt_import = _library.gnutls_openpgp_crt_import
782
openpgp_crt_import.argtypes = [openpgp_crt_t,
783
ctypes.POINTER(datum_t),
784
openpgp_crt_fmt_t]
785
openpgp_crt_import.restype = _error_code
786
787
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
788
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
789
ctypes.POINTER(ctypes.c_uint)]
790
openpgp_crt_verify_self.restype = _error_code
791
792
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
793
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
794
openpgp_crt_deinit.restype = None
795
796
openpgp_crt_get_fingerprint = (
797
_library.gnutls_openpgp_crt_get_fingerprint)
798
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
799
ctypes.c_void_p,
800
ctypes.POINTER(
801
ctypes.c_size_t)]
802
openpgp_crt_get_fingerprint.restype = _error_code
803
804
if check_version(b"3.6.4"):
805
certificate_type_get2 = _library.gnutls_certificate_type_get2
806
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
807
certificate_type_get2.restype = _error_code
808
809
# Remove non-public functions
810
del _error_code, _retry_on_error
811
812
438
813
def call_pipe(connection, # : multiprocessing.Connection
439
814
func, *args, **kwargs):
440
815
"""This function is meant to be called by multiprocessing.Process
441
816
442
817
This function runs func(*args, **kwargs), and writes the resulting
443
818
return value on the provided multiprocessing.Connection.
444
819
"""
445
820
connection.send(func(*args, **kwargs))
446
821
connection.close()
447
822
448
class Client(object):
823
824
class Client:
449
825
"""A representation of a client host served by this server.
450
826
451
827
Attributes:
452
828
approved: bool(); 'None' if not yet approved/disapproved
453
829
approval_delay: datetime.timedelta(); Time to wait for approval
454
830
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
831
checker: multiprocessing.Process(); a running checker process used
832
to see if the client lives. 'None' if no process is
833
running.
834
checker_callback_tag: a GLib event source tag, or None
459
835
checker_command: string; External command which is run to check
460
836
if client lives. %() expansions are done at
461
837
runtime with vars(self) as dict, so that for
462
838
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
839
checker_initiator_tag: a GLib event source tag, or None
464
840
created: datetime.datetime(); (UTC) object creation
465
841
client_structure: Object describing what attributes a client has
466
842
and is used for storing the client at exit
467
843
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
844
disable_initiator_tag: a GLib event source tag, or None
469
845
enabled: bool()
470
846
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
847
uniquely identify an OpenPGP client
848
key_id: string (64 hexadecimal digits); used to uniquely identify
849
a client using raw public keys
472
850
host: string; available for use by the checker command
473
851
interval: datetime.timedelta(); How often to start a new checker
474
852
last_approval_request: datetime.datetime(); (UTC) or None
490
868
disabled, or None
491
869
server_settings: The server_settings dict from main()
492
870
"""
493
871
494
872
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
873
"created", "enabled", "expires", "key_id",
496
874
"fingerprint", "host", "interval",
497
875
"last_approval_request", "last_checked_ok",
498
876
"last_enabled", "name", "timeout")
507
885
"approved_by_default": "True",
508
886
"enabled": "True",
509
887
}
510
888
511
889
@staticmethod
512
890
def config_parser(config):
513
891
"""Construct a new dict of client settings of this form:
520
898
for client_name in config.sections():
521
899
section = dict(config.items(client_name))
522
900
client = settings[client_name] = {}
523
901
524
902
client["host"] = section["host"]
525
903
# Reformat values from string types to Python types
526
904
client["approved_by_default"] = config.getboolean(
527
905
client_name, "approved_by_default")
528
906
client["enabled"] = config.getboolean(client_name,
529
907
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
908
909
# Uppercase and remove spaces from key_id and fingerprint
910
# for later comparison purposes with return value from the
911
# key_id() and fingerprint() functions
912
client["key_id"] = (section.get("key_id", "").upper()
913
.replace(" ", ""))
534
914
client["fingerprint"] = (section["fingerprint"].upper()
535
915
.replace(" ", ""))
536
916
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
917
client["secret"] = codecs.decode(section["secret"]
918
.encode("utf-8"),
919
"base64")
538
920
elif "secfile" in section:
539
921
with open(os.path.expanduser(os.path.expandvars
540
922
(section["secfile"])),
555
937
client["last_approval_request"] = None
556
938
client["last_checked_ok"] = None
557
939
client["last_checker_status"] = -2
558
940
559
941
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
942
943
def __init__(self, settings, name=None, server_settings=None):
562
944
self.name = name
563
945
if server_settings is None:
564
946
server_settings = {}
566
948
# adding all client settings
567
949
for setting, value in settings.items():
568
950
setattr(self, setting, value)
569
951
570
952
if self.enabled:
571
953
if not hasattr(self, "last_enabled"):
572
954
self.last_enabled = datetime.datetime.utcnow()
576
958
else:
577
959
self.last_enabled = None
578
960
self.expires = None
579
961
580
962
logger.debug("Creating client %r", self.name)
963
logger.debug(" Key ID: %s", self.key_id)
581
964
logger.debug(" Fingerprint: %s", self.fingerprint)
582
965
self.created = settings.get("created",
583
966
datetime.datetime.utcnow())
584
967
585
968
# attributes specific for this server instance
586
969
self.checker = None
587
970
self.checker_initiator_tag = None
593
976
self.changedstate = multiprocessing_manager.Condition(
594
977
multiprocessing_manager.Lock())
595
978
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
979
for attr in self.__dict__.keys()
597
980
if not attr.startswith("_")]
598
981
self.client_structure.append("client_structure")
599
982
600
983
for name, t in inspect.getmembers(
601
984
type(self), lambda obj: isinstance(obj, property)):
602
985
if not name.startswith("_"):
603
986
self.client_structure.append(name)
604
987
605
988
# Send notice to process children that client state has changed
606
989
def send_changedstate(self):
607
990
with self.changedstate:
608
991
self.changedstate.notify_all()
609
992
610
993
def enable(self):
611
994
"""Start this client's checker and timeout hooks"""
612
995
if getattr(self, "enabled", False):
617
1000
self.last_enabled = datetime.datetime.utcnow()
618
1001
self.init_checker()
619
1002
self.send_changedstate()
620
1003
621
1004
def disable(self, quiet=True):
622
1005
"""Disable this client."""
623
1006
if not getattr(self, "enabled", False):
625
1008
if not quiet:
626
1009
logger.info("Disabling client %s", self.name)
627
1010
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1011
GLib.source_remove(self.disable_initiator_tag)
629
1012
self.disable_initiator_tag = None
630
1013
self.expires = None
631
1014
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1015
GLib.source_remove(self.checker_initiator_tag)
633
1016
self.checker_initiator_tag = None
634
1017
self.stop_checker()
635
1018
self.enabled = False
636
1019
if not quiet:
637
1020
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1021
# Do not run this again if called by a GLib.timeout_add
639
1022
return False
640
1023
641
1024
def __del__(self):
642
1025
self.disable()
643
1026
644
1027
def init_checker(self):
645
1028
# Schedule a new checker to be started an 'interval' from now,
646
1029
# and every interval from then on.
647
1030
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1031
GLib.source_remove(self.checker_initiator_tag)
1032
self.checker_initiator_tag = GLib.timeout_add(
650
1033
int(self.interval.total_seconds() * 1000),
651
1034
self.start_checker)
652
1035
# Schedule a disable() when 'timeout' has passed
653
1036
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1037
GLib.source_remove(self.disable_initiator_tag)
1038
self.disable_initiator_tag = GLib.timeout_add(
656
1039
int(self.timeout.total_seconds() * 1000), self.disable)
657
1040
# Also start a new checker *right now*.
658
1041
self.start_checker()
659
1042
660
1043
def checker_callback(self, source, condition, connection,
661
1044
command):
662
1045
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1046
# Read return code from connection (see call_pipe)
666
1047
returncode = connection.recv()
667
1048
connection.close()
668
1049
self.checker.join()
1050
self.checker_callback_tag = None
1051
self.checker = None
1052
669
1053
if returncode >= 0:
670
1054
self.last_checker_status = returncode
671
1055
self.last_checker_signal = None
681
1065
logger.warning("Checker for %(name)s crashed?",
682
1066
vars(self))
683
1067
return False
684
1068
685
1069
def checked_ok(self):
686
1070
"""Assert that the client has been seen, alive and well."""
687
1071
self.last_checked_ok = datetime.datetime.utcnow()
688
1072
self.last_checker_status = 0
689
1073
self.last_checker_signal = None
690
1074
self.bump_timeout()
691
1075
692
1076
def bump_timeout(self, timeout=None):
693
1077
"""Bump up the timeout for this client."""
694
1078
if timeout is None:
695
1079
timeout = self.timeout
696
1080
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1081
GLib.source_remove(self.disable_initiator_tag)
698
1082
self.disable_initiator_tag = None
699
1083
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1084
self.disable_initiator_tag = GLib.timeout_add(
701
1085
int(timeout.total_seconds() * 1000), self.disable)
702
1086
self.expires = datetime.datetime.utcnow() + timeout
703
1087
704
1088
def need_approval(self):
705
1089
self.last_approval_request = datetime.datetime.utcnow()
706
1090
707
1091
def start_checker(self):
708
1092
"""Start a new checker subprocess if one is not running.
709
1093
710
1094
If a checker already exists, leave it running and do
711
1095
nothing."""
712
1096
# The reason for not killing a running checker is that if we
717
1101
# checkers alone, the checker would have to take more time
718
1102
# than 'timeout' for the client to be disabled, which is as it
719
1103
# should be.
720
1104
721
1105
if self.checker is not None and not self.checker.is_alive():
722
1106
logger.warning("Checker was not alive; joining")
723
1107
self.checker.join()
727
1111
# Escape attributes for the shell
728
1112
escaped_attrs = {
729
1113
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1114
for attr in self.runtime_expansions}
731
1115
try:
732
1116
command = self.checker_command % escaped_attrs
733
1117
except TypeError as error:
745
1129
# The exception is when not debugging but nevertheless
746
1130
# running in the foreground; use the previously
747
1131
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1132
popen_args = {"close_fds": True,
1133
"shell": True,
1134
"cwd": "/"}
751
1135
if (not self.server_settings["debug"]
752
1136
and self.server_settings["foreground"]):
753
1137
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1138
"stderr": wnull})
1139
pipe = multiprocessing.Pipe(duplex=False)
756
1140
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1141
target=call_pipe,
1142
args=(pipe[1], subprocess.call, command),
1143
kwargs=popen_args)
760
1144
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1145
self.checker_callback_tag = GLib.io_add_watch(
1146
pipe[0].fileno(), GLib.IO_IN,
763
1147
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1148
# Re-run this periodically if run by GLib.timeout_add
765
1149
return True
766
1150
767
1151
def stop_checker(self):
768
1152
"""Force the checker process, if any, to stop."""
769
1153
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1154
GLib.source_remove(self.checker_callback_tag)
771
1155
self.checker_callback_tag = None
772
1156
if getattr(self, "checker", None) is None:
773
1157
return
782
1166
byte_arrays=False):
783
1167
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1168
become properties on the D-Bus.
785
1169
786
1170
The decorated method will be called with no arguments by "Get"
787
1171
and with one argument by "Set".
788
1172
789
1173
The parameters, where they are supported, are the same as
790
1174
dbus.service.method, except there is only "signature", since the
791
1175
type from Get() and the type sent to Set() is the same.
795
1179
if byte_arrays and signature != "ay":
796
1180
raise ValueError("Byte arrays not supported for non-'ay'"
797
1181
" signature {!r}".format(signature))
798
1182
799
1183
def decorator(func):
800
1184
func._dbus_is_property = True
801
1185
func._dbus_interface = dbus_interface
804
1188
func._dbus_name = func.__name__
805
1189
if func._dbus_name.endswith("_dbus_property"):
806
1190
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1191
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1192
return func
809
1193
810
1194
return decorator
811
1195
812
1196
813
1197
def dbus_interface_annotations(dbus_interface):
814
1198
"""Decorator for marking functions returning interface annotations
815
1199
816
1200
Usage:
817
1201
818
1202
@dbus_interface_annotations("org.example.Interface")
819
1203
def _foo(self): # Function name does not matter
820
1204
return {"org.freedesktop.DBus.Deprecated": "true",
821
1205
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1206
"false"}
823
1207
"""
824
1208
825
1209
def decorator(func):
826
1210
func._dbus_is_interface = True
827
1211
func._dbus_interface = dbus_interface
828
1212
func._dbus_name = dbus_interface
829
1213
return func
830
1214
831
1215
return decorator
832
1216
833
1217
834
1218
def dbus_annotations(annotations):
835
1219
"""Decorator to annotate D-Bus methods, signals or properties
836
1220
Usage:
837
1221
838
1222
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1223
"org.freedesktop.DBus.Property."
840
1224
"EmitsChangedSignal": "false"})
842
1226
access="r")
843
1227
def Property_dbus_property(self):
844
1228
return dbus.Boolean(False)
845
1229
846
1230
See also the DBusObjectWithAnnotations class.
847
1231
"""
848
1232
849
1233
def decorator(func):
850
1234
func._dbus_annotations = annotations
851
1235
return func
852
1236
853
1237
return decorator
854
1238
855
1239
873
1257
874
1258
class DBusObjectWithAnnotations(dbus.service.Object):
875
1259
"""A D-Bus object with annotations.
876
1260
877
1261
Classes inheriting from this can use the dbus_annotations
878
1262
decorator to add annotations to methods or signals.
879
1263
"""
880
1264
881
1265
@staticmethod
882
1266
def _is_dbus_thing(thing):
883
1267
"""Returns a function testing if an attribute is a D-Bus thing
884
1268
885
1269
If called like _is_dbus_thing("method") it returns a function
886
1270
suitable for use as predicate to inspect.getmembers().
887
1271
"""
888
1272
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1273
False)
890
1274
891
1275
def _get_all_dbus_things(self, thing):
892
1276
"""Returns a generator of (name, attribute) pairs
893
1277
"""
896
1280
for cls in self.__class__.__mro__
897
1281
for name, athing in
898
1282
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1283
900
1284
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1285
out_signature="s",
1286
path_keyword='object_path',
1287
connection_keyword='connection')
904
1288
def Introspect(self, object_path, connection):
905
1289
"""Overloading of standard D-Bus method.
906
1290
907
1291
Inserts annotation tags on methods and signals.
908
1292
"""
909
1293
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1294
connection)
911
1295
try:
912
1296
document = xml.dom.minidom.parseString(xmlstring)
913
1297
914
1298
for if_tag in document.getElementsByTagName("interface"):
915
1299
# Add annotation tags
916
1300
for typ in ("method", "signal"):
943
1327
if_tag.appendChild(ann_tag)
944
1328
# Fix argument name for the Introspect method itself
945
1329
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1330
== dbus.INTROSPECTABLE_IFACE):
947
1331
for cn in if_tag.getElementsByTagName("method"):
948
1332
if cn.getAttribute("name") == "Introspect":
949
1333
for arg in cn.getElementsByTagName("arg"):
962
1346
963
1347
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1348
"""A D-Bus object with properties.
965
1349
966
1350
Classes inheriting from this can use the dbus_service_property
967
1351
decorator to expose methods as D-Bus properties. It exposes the
968
1352
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1353
"""
970
1354
971
1355
def _get_dbus_property(self, interface_name, property_name):
972
1356
"""Returns a bound method if one exists which is a D-Bus
973
1357
property with the specified name and interface.
978
1362
if (value._dbus_name == property_name
979
1363
and value._dbus_interface == interface_name):
980
1364
return value.__get__(self)
981
1365
982
1366
# No such property
983
1367
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1368
self.dbus_object_path, interface_name, property_name))
985
1369
986
1370
@classmethod
987
1371
def _get_all_interface_names(cls):
988
1372
"""Get a sequence of all interfaces supported by an object"""
991
1375
for x in (inspect.getmro(cls))
992
1376
for attr in dir(x))
993
1377
if name is not None)
994
1378
995
1379
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1380
in_signature="ss",
997
1381
out_signature="v")
1005
1389
if not hasattr(value, "variant_level"):
1006
1390
return value
1007
1391
return type(value)(value, variant_level=value.variant_level+1)
1008
1392
1009
1393
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1394
def Set(self, interface_name, property_name, value):
1011
1395
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1407
value = dbus.ByteArray(b''.join(chr(byte)
1024
1408
for byte in value))
1025
1409
prop(value)
1026
1410
1027
1411
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1412
in_signature="s",
1029
1413
out_signature="a{sv}")
1030
1414
def GetAll(self, interface_name):
1031
1415
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1416
standard.
1033
1417
1034
1418
Note: Will not include properties with access="write".
1035
1419
"""
1036
1420
properties = {}
1047
1431
properties[name] = value
1048
1432
continue
1049
1433
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1434
value, variant_level=value.variant_level + 1)
1051
1435
return dbus.Dictionary(properties, signature="sv")
1052
1436
1053
1437
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1438
def PropertiesChanged(self, interface_name, changed_properties,
1055
1439
invalidated_properties):
1057
1441
standard.
1058
1442
"""
1059
1443
pass
1060
1444
1061
1445
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1446
out_signature="s",
1063
1447
path_keyword='object_path',
1064
1448
connection_keyword='connection')
1065
1449
def Introspect(self, object_path, connection):
1066
1450
"""Overloading of standard D-Bus method.
1067
1451
1068
1452
Inserts property tags and interface annotation tags.
1069
1453
"""
1070
1454
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1456
connection)
1073
1457
try:
1074
1458
document = xml.dom.minidom.parseString(xmlstring)
1075
1459
1076
1460
def make_tag(document, name, prop):
1077
1461
e = document.createElement("property")
1078
1462
e.setAttribute("name", name)
1079
1463
e.setAttribute("type", prop._dbus_signature)
1080
1464
e.setAttribute("access", prop._dbus_access)
1081
1465
return e
1082
1466
1083
1467
for if_tag in document.getElementsByTagName("interface"):
1084
1468
# Add property tags
1085
1469
for tag in (make_tag(document, name, prop)
1127
1511
exc_info=error)
1128
1512
return xmlstring
1129
1513
1514
1130
1515
try:
1131
1516
dbus.OBJECT_MANAGER_IFACE
1132
1517
except AttributeError:
1133
1518
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1519
1520
1135
1521
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1522
"""A D-Bus object with an ObjectManager.
1137
1523
1138
1524
Classes inheriting from this exposes the standard
1139
1525
GetManagedObjects call and the InterfacesAdded and
1140
1526
InterfacesRemoved signals on the standard
1141
1527
"org.freedesktop.DBus.ObjectManager" interface.
1142
1528
1143
1529
Note: No signals are sent automatically; they must be sent
1144
1530
manually.
1145
1531
"""
1146
1532
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1533
out_signature="a{oa{sa{sv}}}")
1148
1534
def GetManagedObjects(self):
1149
1535
"""This function must be overridden"""
1150
1536
raise NotImplementedError()
1151
1537
1152
1538
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1539
signature="oa{sa{sv}}")
1154
1540
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1541
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1542
1543
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1544
def InterfacesRemoved(self, object_path, interfaces):
1159
1545
pass
1160
1546
1161
1547
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1548
out_signature="s",
1549
path_keyword='object_path',
1550
connection_keyword='connection')
1165
1551
def Introspect(self, object_path, connection):
1166
1552
"""Overloading of standard D-Bus method.
1167
1553
1168
1554
Override return argument name of GetManagedObjects to be
1169
1555
"objpath_interfaces_and_properties"
1170
1556
"""
1173
1559
connection)
1174
1560
try:
1175
1561
document = xml.dom.minidom.parseString(xmlstring)
1176
1562
1177
1563
for if_tag in document.getElementsByTagName("interface"):
1178
1564
# Fix argument name for the GetManagedObjects method
1179
1565
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1566
== dbus.OBJECT_MANAGER_IFACE):
1181
1567
for cn in if_tag.getElementsByTagName("method"):
1182
1568
if (cn.getAttribute("name")
1183
1569
== "GetManagedObjects"):
1193
1579
except (AttributeError, xml.dom.DOMException,
1194
1580
xml.parsers.expat.ExpatError) as error:
1195
1581
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1582
exc_info=error)
1197
1583
return xmlstring
1198
1584
1585
1199
1586
def datetime_to_dbus(dt, variant_level=0):
1200
1587
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1588
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1589
return dbus.String("", variant_level=variant_level)
1203
1590
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1591
1205
1592
1208
1595
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1596
interface names according to the "alt_interface_names" mapping.
1210
1597
Usage:
1211
1598
1212
1599
@alternate_dbus_interfaces({"org.example.Interface":
1213
1600
"net.example.AlternateInterface"})
1214
1601
class SampleDBusObject(dbus.service.Object):
1215
1602
@dbus.service.method("org.example.Interface")
1216
1603
def SampleDBusMethod():
1217
1604
pass
1218
1605
1219
1606
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1607
reachable via two interfaces: "org.example.Interface" and
1221
1608
"net.example.AlternateInterface", the latter of which will have
1222
1609
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1610
"true", unless "deprecate" is passed with a False value.
1224
1611
1225
1612
This works for methods and signals, and also for D-Bus properties
1226
1613
(from DBusObjectWithProperties) and interfaces (from the
1227
1614
dbus_interface_annotations decorator).
1228
1615
"""
1229
1616
1230
1617
def wrapper(cls):
1231
1618
for orig_interface_name, alt_interface_name in (
1232
1619
alt_interface_names.items()):
1247
1634
interface_names.add(alt_interface)
1248
1635
# Is this a D-Bus signal?
1249
1636
if getattr(attribute, "_dbus_is_signal", False):
1637
# Extract the original non-method undecorated
1638
# function by black magic
1250
1639
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1640
nonmethod_func = (dict(
1254
1641
zip(attribute.func_code.co_freevars,
1255
1642
attribute.__closure__))
1256
1643
["func"].cell_contents)
1257
1644
else:
1258
nonmethod_func = attribute
1645
nonmethod_func = (dict(
1646
zip(attribute.__code__.co_freevars,
1647
attribute.__closure__))
1648
["func"].cell_contents)
1259
1649
# Create a new, but exactly alike, function
1260
1650
# object, and decorate it to be a new D-Bus signal
1261
1651
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1652
new_function = copy_function(nonmethod_func)
1276
1653
new_function = (dbus.service.signal(
1277
1654
alt_interface,
1278
1655
attribute._dbus_signature)(new_function))
1282
1659
attribute._dbus_annotations)
1283
1660
except AttributeError:
1284
1661
pass
1662
1285
1663
# Define a creator of a function to call both the
1286
1664
# original and alternate functions, so both the
1287
1665
# original and alternate signals gets sent when
1290
1668
"""This function is a scope container to pass
1291
1669
func1 and func2 to the "call_both" function
1292
1670
outside of its arguments"""
1293
1671
1294
1672
@functools.wraps(func2)
1295
1673
def call_both(*args, **kwargs):
1296
1674
"""This function will emit two D-Bus
1297
1675
signals by calling func1 and func2"""
1298
1676
func1(*args, **kwargs)
1299
1677
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1678
# Make wrapper function look like a D-Bus
1679
# signal
1301
1680
for name, attr in inspect.getmembers(func2):
1302
1681
if name.startswith("_dbus_"):
1303
1682
setattr(call_both, name, attr)
1304
1683
1305
1684
return call_both
1306
1685
# Create the "call_both" function and add it to
1307
1686
# the class
1317
1696
alt_interface,
1318
1697
attribute._dbus_in_signature,
1319
1698
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1699
(copy_function(attribute)))
1325
1700
# Copy annotations, if any
1326
1701
try:
1327
1702
attr[attrname]._dbus_annotations = dict(
1339
1714
attribute._dbus_access,
1340
1715
attribute._dbus_get_args_options
1341
1716
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1717
(copy_function(attribute)))
1348
1718
# Copy annotations, if any
1349
1719
try:
1350
1720
attr[attrname]._dbus_annotations = dict(
1359
1729
# to the class.
1360
1730
attr[attrname] = (
1361
1731
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1732
(copy_function(attribute)))
1367
1733
if deprecate:
1368
1734
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1735
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1736
for interface_name in interface_names:
1371
1737
1372
1738
@dbus_interface_annotations(interface_name)
1373
1739
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1740
return {"org.freedesktop.DBus.Deprecated":
1741
"true"}
1376
1742
# Find an unused name
1377
1743
for aname in (iname.format(i)
1378
1744
for i in itertools.count()):
1382
1748
if interface_names:
1383
1749
# Replace the class with a new subclass of it with
1384
1750
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1751
if sys.version_info.major == 2:
1752
cls = type(b"{}Alternate".format(cls.__name__),
1753
(cls, ), attr)
1754
else:
1755
cls = type("{}Alternate".format(cls.__name__),
1756
(cls, ), attr)
1387
1757
return cls
1388
1758
1389
1759
return wrapper
1390
1760
1391
1761
1393
1763
"se.bsnet.fukt.Mandos"})
1394
1764
class ClientDBus(Client, DBusObjectWithProperties):
1395
1765
"""A Client class using D-Bus
1396
1766
1397
1767
Attributes:
1398
1768
dbus_object_path: dbus.ObjectPath
1399
1769
bus: dbus.SystemBus()
1400
1770
"""
1401
1771
1402
1772
runtime_expansions = (Client.runtime_expansions
1403
1773
+ ("dbus_object_path", ))
1404
1774
1405
1775
_interface = "se.recompile.Mandos.Client"
1406
1776
1407
1777
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1778
1779
def __init__(self, bus=None, *args, **kwargs):
1410
1780
self.bus = bus
1411
1781
Client.__init__(self, *args, **kwargs)
1412
1782
# Only now, when this client is initialized, can it show up on
1418
1788
"/clients/" + client_object_name)
1419
1789
DBusObjectWithProperties.__init__(self, self.bus,
1420
1790
self.dbus_object_path)
1421
1791
1422
1792
def notifychangeproperty(transform_func, dbus_name,
1423
1793
type_func=lambda x: x,
1424
1794
variant_level=1,
1426
1796
_interface=_interface):
1427
1797
""" Modify a variable so that it's a property which announces
1428
1798
its changes to DBus.
1429
1799
1430
1800
transform_fun: Function that takes a value and a variant_level
1431
1801
and transforms it to a D-Bus type.
1432
1802
dbus_name: D-Bus name of the variable
1435
1805
variant_level: D-Bus variant level. Default: 1
1436
1806
"""
1437
1807
attrname = "_{}".format(dbus_name)
1438
1808
1439
1809
def setter(self, value):
1440
1810
if hasattr(self, "dbus_object_path"):
1441
1811
if (not hasattr(self, attrname) or
1448
1818
else:
1449
1819
dbus_value = transform_func(
1450
1820
type_func(value),
1451
variant_level = variant_level)
1821
variant_level=variant_level)
1452
1822
self.PropertyChanged(dbus.String(dbus_name),
1453
1823
dbus_value)
1454
1824
self.PropertiesChanged(
1455
1825
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1826
dbus.Dictionary({dbus.String(dbus_name):
1827
dbus_value}),
1458
1828
dbus.Array())
1459
1829
setattr(self, attrname, value)
1460
1830
1461
1831
return property(lambda self: getattr(self, attrname), setter)
1462
1832
1463
1833
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1834
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1835
"ApprovalPending",
1466
type_func = bool)
1836
type_func=bool)
1467
1837
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1838
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1839
"LastEnabled")
1470
1840
checker = notifychangeproperty(
1471
1841
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1842
type_func=lambda checker: checker is not None)
1473
1843
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1844
"LastCheckedOK")
1475
1845
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1850
"ApprovedByDefault")
1481
1851
approval_delay = notifychangeproperty(
1482
1852
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1853
type_func=lambda td: td.total_seconds() * 1000)
1484
1854
approval_duration = notifychangeproperty(
1485
1855
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1856
type_func=lambda td: td.total_seconds() * 1000)
1487
1857
host = notifychangeproperty(dbus.String, "Host")
1488
1858
timeout = notifychangeproperty(
1489
1859
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1860
type_func=lambda td: td.total_seconds() * 1000)
1491
1861
extended_timeout = notifychangeproperty(
1492
1862
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1863
type_func=lambda td: td.total_seconds() * 1000)
1494
1864
interval = notifychangeproperty(
1495
1865
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1866
type_func=lambda td: td.total_seconds() * 1000)
1497
1867
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1868
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1869
invalidate_only=True)
1500
1870
1501
1871
del notifychangeproperty
1502
1872
1503
1873
def __del__(self, *args, **kwargs):
1504
1874
try:
1505
1875
self.remove_from_connection()
1508
1878
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1879
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1880
Client.__del__(self, *args, **kwargs)
1511
1881
1512
1882
def checker_callback(self, source, condition,
1513
1883
connection, command, *args, **kwargs):
1514
1884
ret = Client.checker_callback(self, source, condition,
1530
1900
| self.last_checker_signal),
1531
1901
dbus.String(command))
1532
1902
return ret
1533
1903
1534
1904
def start_checker(self, *args, **kwargs):
1535
1905
old_checker_pid = getattr(self.checker, "pid", None)
1536
1906
r = Client.start_checker(self, *args, **kwargs)
1540
1910
# Emit D-Bus signal
1541
1911
self.CheckerStarted(self.current_checker_command)
1542
1912
return r
1543
1913
1544
1914
def _reset_approved(self):
1545
1915
self.approved = None
1546
1916
return False
1547
1917
1548
1918
def approve(self, value=True):
1549
1919
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1920
GLib.timeout_add(int(self.approval_duration.total_seconds()
1921
* 1000), self._reset_approved)
1552
1922
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1923
1924
# D-Bus methods, signals & properties
1925
1926
# Interfaces
1927
1928
# Signals
1929
1560
1930
# CheckerCompleted - signal
1561
1931
@dbus.service.signal(_interface, signature="nxs")
1562
1932
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1933
"D-Bus signal"
1564
1934
pass
1565
1935
1566
1936
# CheckerStarted - signal
1567
1937
@dbus.service.signal(_interface, signature="s")
1568
1938
def CheckerStarted(self, command):
1569
1939
"D-Bus signal"
1570
1940
pass
1571
1941
1572
1942
# PropertyChanged - signal
1573
1943
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1944
@dbus.service.signal(_interface, signature="sv")
1575
1945
def PropertyChanged(self, property, value):
1576
1946
"D-Bus signal"
1577
1947
pass
1578
1948
1579
1949
# GotSecret - signal
1580
1950
@dbus.service.signal(_interface)
1581
1951
def GotSecret(self):
1584
1954
server to mandos-client
1585
1955
"""
1586
1956
pass
1587
1957
1588
1958
# Rejected - signal
1589
1959
@dbus.service.signal(_interface, signature="s")
1590
1960
def Rejected(self, reason):
1591
1961
"D-Bus signal"
1592
1962
pass
1593
1963
1594
1964
# NeedApproval - signal
1595
1965
@dbus.service.signal(_interface, signature="tb")
1596
1966
def NeedApproval(self, timeout, default):
1597
1967
"D-Bus signal"
1598
1968
return self.need_approval()
1599
1600
## Methods
1601
1969
1970
# Methods
1971
1602
1972
# Approve - method
1603
1973
@dbus.service.method(_interface, in_signature="b")
1604
1974
def Approve(self, value):
1605
1975
self.approve(value)
1606
1976
1607
1977
# CheckedOK - method
1608
1978
@dbus.service.method(_interface)
1609
1979
def CheckedOK(self):
1610
1980
self.checked_ok()
1611
1981
1612
1982
# Enable - method
1613
1983
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1984
@dbus.service.method(_interface)
1615
1985
def Enable(self):
1616
1986
"D-Bus method"
1617
1987
self.enable()
1618
1988
1619
1989
# StartChecker - method
1620
1990
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1991
@dbus.service.method(_interface)
1622
1992
def StartChecker(self):
1623
1993
"D-Bus method"
1624
1994
self.start_checker()
1625
1995
1626
1996
# Disable - method
1627
1997
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
1998
@dbus.service.method(_interface)
1629
1999
def Disable(self):
1630
2000
"D-Bus method"
1631
2001
self.disable()
1632
2002
1633
2003
# StopChecker - method
1634
2004
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2005
@dbus.service.method(_interface)
1636
2006
def StopChecker(self):
1637
2007
self.stop_checker()
1638
1639
## Properties
1640
2008
2009
# Properties
2010
1641
2011
# ApprovalPending - property
1642
2012
@dbus_service_property(_interface, signature="b", access="read")
1643
2013
def ApprovalPending_dbus_property(self):
1644
2014
return dbus.Boolean(bool(self.approvals_pending))
1645
2015
1646
2016
# ApprovedByDefault - property
1647
2017
@dbus_service_property(_interface,
1648
2018
signature="b",
1651
2021
if value is None: # get
1652
2022
return dbus.Boolean(self.approved_by_default)
1653
2023
self.approved_by_default = bool(value)
1654
2024
1655
2025
# ApprovalDelay - property
1656
2026
@dbus_service_property(_interface,
1657
2027
signature="t",
1661
2031
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2032
* 1000)
1663
2033
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2034
1665
2035
# ApprovalDuration - property
1666
2036
@dbus_service_property(_interface,
1667
2037
signature="t",
1671
2041
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2042
* 1000)
1673
2043
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2044
1675
2045
# Name - property
1676
2046
@dbus_annotations(
1677
2047
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2048
@dbus_service_property(_interface, signature="s", access="read")
1679
2049
def Name_dbus_property(self):
1680
2050
return dbus.String(self.name)
1681
2051
2052
# KeyID - property
2053
@dbus_annotations(
2054
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2055
@dbus_service_property(_interface, signature="s", access="read")
2056
def KeyID_dbus_property(self):
2057
return dbus.String(self.key_id)
2058
1682
2059
# Fingerprint - property
1683
2060
@dbus_annotations(
1684
2061
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2062
@dbus_service_property(_interface, signature="s", access="read")
1686
2063
def Fingerprint_dbus_property(self):
1687
2064
return dbus.String(self.fingerprint)
1688
2065
1689
2066
# Host - property
1690
2067
@dbus_service_property(_interface,
1691
2068
signature="s",
1694
2071
if value is None: # get
1695
2072
return dbus.String(self.host)
1696
2073
self.host = str(value)
1697
2074
1698
2075
# Created - property
1699
2076
@dbus_annotations(
1700
2077
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2078
@dbus_service_property(_interface, signature="s", access="read")
1702
2079
def Created_dbus_property(self):
1703
2080
return datetime_to_dbus(self.created)
1704
2081
1705
2082
# LastEnabled - property
1706
2083
@dbus_service_property(_interface, signature="s", access="read")
1707
2084
def LastEnabled_dbus_property(self):
1708
2085
return datetime_to_dbus(self.last_enabled)
1709
2086
1710
2087
# Enabled - property
1711
2088
@dbus_service_property(_interface,
1712
2089
signature="b",
1718
2095
self.enable()
1719
2096
else:
1720
2097
self.disable()
1721
2098
1722
2099
# LastCheckedOK - property
1723
2100
@dbus_service_property(_interface,
1724
2101
signature="s",
1728
2105
self.checked_ok()
1729
2106
return
1730
2107
return datetime_to_dbus(self.last_checked_ok)
1731
2108
1732
2109
# LastCheckerStatus - property
1733
2110
@dbus_service_property(_interface, signature="n", access="read")
1734
2111
def LastCheckerStatus_dbus_property(self):
1735
2112
return dbus.Int16(self.last_checker_status)
1736
2113
1737
2114
# Expires - property
1738
2115
@dbus_service_property(_interface, signature="s", access="read")
1739
2116
def Expires_dbus_property(self):
1740
2117
return datetime_to_dbus(self.expires)
1741
2118
1742
2119
# LastApprovalRequest - property
1743
2120
@dbus_service_property(_interface, signature="s", access="read")
1744
2121
def LastApprovalRequest_dbus_property(self):
1745
2122
return datetime_to_dbus(self.last_approval_request)
1746
2123
1747
2124
# Timeout - property
1748
2125
@dbus_service_property(_interface,
1749
2126
signature="t",
1764
2141
if (getattr(self, "disable_initiator_tag", None)
1765
2142
is None):
1766
2143
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2144
GLib.source_remove(self.disable_initiator_tag)
2145
self.disable_initiator_tag = GLib.timeout_add(
1769
2146
int((self.expires - now).total_seconds() * 1000),
1770
2147
self.disable)
1771
2148
1772
2149
# ExtendedTimeout - property
1773
2150
@dbus_service_property(_interface,
1774
2151
signature="t",
1778
2155
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2156
* 1000)
1780
2157
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2158
1782
2159
# Interval - property
1783
2160
@dbus_service_property(_interface,
1784
2161
signature="t",
1791
2168
return
1792
2169
if self.enabled:
1793
2170
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2171
GLib.source_remove(self.checker_initiator_tag)
2172
self.checker_initiator_tag = GLib.timeout_add(
1796
2173
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2174
self.start_checker() # Start one now, too
2175
1799
2176
# Checker - property
1800
2177
@dbus_service_property(_interface,
1801
2178
signature="s",
1804
2181
if value is None: # get
1805
2182
return dbus.String(self.checker_command)
1806
2183
self.checker_command = str(value)
1807
2184
1808
2185
# CheckerRunning - property
1809
2186
@dbus_service_property(_interface,
1810
2187
signature="b",
1816
2193
self.start_checker()
1817
2194
else:
1818
2195
self.stop_checker()
1819
2196
1820
2197
# ObjectPath - property
1821
2198
@dbus_annotations(
1822
2199
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2200
"org.freedesktop.DBus.Deprecated": "true"})
1824
2201
@dbus_service_property(_interface, signature="o", access="read")
1825
2202
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2203
return self.dbus_object_path # is already a dbus.ObjectPath
2204
1828
2205
# Secret = property
1829
2206
@dbus_annotations(
1830
2207
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2212
byte_arrays=True)
1836
2213
def Secret_dbus_property(self, value):
1837
2214
self.secret = bytes(value)
1838
2215
1839
2216
del _interface
1840
2217
1841
2218
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2219
class ProxyClient:
2220
def __init__(self, child_pipe, key_id, fpr, address):
1844
2221
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2222
self._pipe.send(('init', key_id, fpr, address))
1846
2223
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2224
raise KeyError(key_id or fpr)
2225
1849
2226
def __getattribute__(self, name):
1850
2227
if name == '_pipe':
1851
2228
return super(ProxyClient, self).__getattribute__(name)
1854
2231
if data[0] == 'data':
1855
2232
return data[1]
1856
2233
if data[0] == 'function':
1857
2234
1858
2235
def func(*args, **kwargs):
1859
2236
self._pipe.send(('funcall', name, args, kwargs))
1860
2237
return self._pipe.recv()[1]
1861
2238
1862
2239
return func
1863
2240
1864
2241
def __setattr__(self, name, value):
1865
2242
if name == '_pipe':
1866
2243
return super(ProxyClient, self).__setattr__(name, value)
1869
2246
1870
2247
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2248
"""A class to handle client connections.
1872
2249
1873
2250
Instantiated once for each connection to handle it.
1874
2251
Note: This will run in its own forked process."""
1875
2252
1876
2253
def handle(self):
1877
2254
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2255
logger.info("TCP connection from: %s",
1879
2256
str(self.client_address))
1880
2257
logger.debug("Pipe FD: %d",
1881
2258
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2259
2260
session = gnutls.ClientSession(self.request)
2261
2262
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2263
# "+AES-256-CBC", "+SHA1",
2264
# "+COMP-NULL", "+CTYPE-OPENPGP",
2265
# "+DHE-DSS"))
1895
2266
# Use a fallback default, since this MUST be set.
1896
2267
priority = self.server.gnutls_priority
1897
2268
if priority is None:
1898
2269
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2270
gnutls.priority_set_direct(session._c_object,
2271
priority.encode("utf-8"),
2272
None)
2273
1902
2274
# Start communication using the Mandos protocol
1903
2275
# Get protocol number
1904
2276
line = self.request.makefile().readline()
1909
2281
except (ValueError, IndexError, RuntimeError) as error:
1910
2282
logger.error("Unknown protocol version: %s", error)
1911
2283
return
1912
2284
1913
2285
# Start GnuTLS connection
1914
2286
try:
1915
2287
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2288
except gnutls.Error as error:
1917
2289
logger.warning("Handshake failed: %s", error)
1918
2290
# Do not run session.bye() here: the session is not
1919
2291
# established. Just abandon the request.
1920
2292
return
1921
2293
logger.debug("Handshake succeeded")
1922
2294
1923
2295
approval_required = False
1924
2296
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2297
if gnutls.has_rawpk:
2298
fpr = b""
2299
try:
2300
key_id = self.key_id(
2301
self.peer_certificate(session))
2302
except (TypeError, gnutls.Error) as error:
2303
logger.warning("Bad certificate: %s", error)
2304
return
2305
logger.debug("Key ID: %s", key_id)
2306
2307
else:
2308
key_id = b""
2309
try:
2310
fpr = self.fingerprint(
2311
self.peer_certificate(session))
2312
except (TypeError, gnutls.Error) as error:
2313
logger.warning("Bad certificate: %s", error)
2314
return
2315
logger.debug("Fingerprint: %s", fpr)
2316
2317
try:
2318
client = ProxyClient(child_pipe, key_id, fpr,
1936
2319
self.client_address)
1937
2320
except KeyError:
1938
2321
return
1939
2322
1940
2323
if client.approval_delay:
1941
2324
delay = client.approval_delay
1942
2325
client.approvals_pending += 1
1943
2326
approval_required = True
1944
2327
1945
2328
while True:
1946
2329
if not client.enabled:
1947
2330
logger.info("Client %s is disabled",
1950
2333
# Emit D-Bus signal
1951
2334
client.Rejected("Disabled")
1952
2335
return
1953
2336
1954
2337
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2338
# We are approved or approval is disabled
1956
2339
break
1957
2340
elif client.approved is None:
1958
2341
logger.info("Client %s needs approval",
1969
2352
# Emit D-Bus signal
1970
2353
client.Rejected("Denied")
1971
2354
return
1972
1973
#wait until timeout or approved
2355
2356
# wait until timeout or approved
1974
2357
time = datetime.datetime.now()
1975
2358
client.changedstate.acquire()
1976
2359
client.changedstate.wait(delay.total_seconds())
1989
2372
break
1990
2373
else:
1991
2374
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2375
2376
try:
2377
session.send(client.secret)
2378
except gnutls.Error as error:
2379
logger.warning("gnutls send failed",
2380
exc_info=error)
2381
return
2382
2006
2383
logger.info("Sending secret to %s", client.name)
2007
2384
# bump the timeout using extended_timeout
2008
2385
client.bump_timeout(client.extended_timeout)
2009
2386
if self.server.use_dbus:
2010
2387
# Emit D-Bus signal
2011
2388
client.GotSecret()
2012
2389
2013
2390
finally:
2014
2391
if approval_required:
2015
2392
client.approvals_pending -= 1
2016
2393
try:
2017
2394
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2395
except gnutls.Error as error:
2019
2396
logger.warning("GnuTLS bye failed",
2020
2397
exc_info=error)
2021
2398
2022
2399
@staticmethod
2023
2400
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2401
"Return the peer's certificate as a bytestring"
2402
try:
2403
cert_type = gnutls.certificate_type_get2(session._c_object,
2404
gnutls.CTYPE_PEERS)
2405
except AttributeError:
2406
cert_type = gnutls.certificate_type_get(session._c_object)
2407
if gnutls.has_rawpk:
2408
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2409
else:
2410
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2411
# If not a valid certificate type...
2412
if cert_type not in valid_cert_types:
2413
logger.info("Cert type %r not in %r", cert_type,
2414
valid_cert_types)
2415
# ...return invalid data
2416
return b""
2031
2417
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2418
cert_list = (gnutls.certificate_get_peers
2034
2419
(session._c_object, ctypes.byref(list_size)))
2035
2420
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2421
raise gnutls.Error("error getting peer certificate")
2038
2422
if list_size.value == 0:
2039
2423
return None
2040
2424
cert = cert_list[0]
2041
2425
return ctypes.string_at(cert.data, cert.size)
2042
2426
2427
@staticmethod
2428
def key_id(certificate):
2429
"Convert a certificate bytestring to a hexdigit key ID"
2430
# New GnuTLS "datum" with the public key
2431
datum = gnutls.datum_t(
2432
ctypes.cast(ctypes.c_char_p(certificate),
2433
ctypes.POINTER(ctypes.c_ubyte)),
2434
ctypes.c_uint(len(certificate)))
2435
# XXX all these need to be created in the gnutls "module"
2436
# New empty GnuTLS certificate
2437
pubkey = gnutls.pubkey_t()
2438
gnutls.pubkey_init(ctypes.byref(pubkey))
2439
# Import the raw public key into the certificate
2440
gnutls.pubkey_import(pubkey,
2441
ctypes.byref(datum),
2442
gnutls.X509_FMT_DER)
2443
# New buffer for the key ID
2444
buf = ctypes.create_string_buffer(32)
2445
buf_len = ctypes.c_size_t(len(buf))
2446
# Get the key ID from the raw public key into the buffer
2447
gnutls.pubkey_get_key_id(pubkey,
2448
gnutls.KEYID_USE_SHA256,
2449
ctypes.cast(ctypes.byref(buf),
2450
ctypes.POINTER(ctypes.c_ubyte)),
2451
ctypes.byref(buf_len))
2452
# Deinit the certificate
2453
gnutls.pubkey_deinit(pubkey)
2454
2455
# Convert the buffer to a Python bytestring
2456
key_id = ctypes.string_at(buf, buf_len.value)
2457
# Convert the bytestring to hexadecimal notation
2458
hex_key_id = binascii.hexlify(key_id).upper()
2459
return hex_key_id
2460
2043
2461
@staticmethod
2044
2462
def fingerprint(openpgp):
2045
2463
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2464
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2465
datum = gnutls.datum_t(
2048
2466
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2467
ctypes.POINTER(ctypes.c_ubyte)),
2050
2468
ctypes.c_uint(len(openpgp)))
2051
2469
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2470
crt = gnutls.openpgp_crt_t()
2471
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2472
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2473
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2474
gnutls.OPENPGP_FMT_RAW)
2059
2475
# Verify the self signature in the key
2060
2476
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2477
gnutls.openpgp_crt_verify_self(crt, 0,
2478
ctypes.byref(crtverify))
2063
2479
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2480
gnutls.openpgp_crt_deinit(crt)
2481
raise gnutls.CertificateSecurityError(code
2482
=crtverify.value)
2067
2483
# New buffer for the fingerprint
2068
2484
buf = ctypes.create_string_buffer(20)
2069
2485
buf_len = ctypes.c_size_t()
2070
2486
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2487
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2488
ctypes.byref(buf_len))
2073
2489
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2490
gnutls.openpgp_crt_deinit(crt)
2075
2491
# Convert the buffer to a Python bytestring
2076
2492
fpr = ctypes.string_at(buf, buf_len.value)
2077
2493
# Convert the bytestring to hexadecimal notation
2079
2495
return hex_fpr
2080
2496
2081
2497
2082
class MultiprocessingMixIn(object):
2498
class MultiprocessingMixIn:
2083
2499
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2500
2085
2501
def sub_process_main(self, request, address):
2086
2502
try:
2087
2503
self.finish_request(request, address)
2088
2504
except Exception:
2089
2505
self.handle_error(request, address)
2090
2506
self.close_request(request)
2091
2507
2092
2508
def process_request(self, request, address):
2093
2509
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2510
proc = multiprocessing.Process(target=self.sub_process_main,
2511
args=(request, address))
2096
2512
proc.start()
2097
2513
return proc
2098
2514
2099
2515
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2516
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2101
2517
""" adds a pipe to the MixIn """
2102
2518
2103
2519
def process_request(self, request, client_address):
2104
2520
"""Overrides and wraps the original process_request().
2105
2521
2106
2522
This function creates a new pipe in self.pipe
2107
2523
"""
2108
2524
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2525
2110
2526
proc = MultiprocessingMixIn.process_request(self, request,
2111
2527
client_address)
2112
2528
self.child_pipe.close()
2113
2529
self.add_pipe(parent_pipe, proc)
2114
2530
2115
2531
def add_pipe(self, parent_pipe, proc):
2116
2532
"""Dummy function; override as necessary"""
2117
2533
raise NotImplementedError()
2118
2534
2119
2535
2120
2536
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
socketserver.TCPServer, object):
2537
socketserver.TCPServer):
2122
2538
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2539
2124
2540
Attributes:
2125
2541
enabled: Boolean; whether this server is activated yet
2126
2542
interface: None or a network interface name (string)
2127
2543
use_ipv6: Boolean; to use IPv6 or not
2128
2544
"""
2129
2545
2130
2546
def __init__(self, server_address, RequestHandlerClass,
2131
2547
interface=None,
2132
2548
use_ipv6=True,
2142
2558
self.socketfd = socketfd
2143
2559
# Save the original socket.socket() function
2144
2560
self.socket_socket = socket.socket
2561
2145
2562
# To implement --socket, we monkey patch socket.socket.
2146
#
2563
#
2147
2564
# (When socketserver.TCPServer is a new-style class, we
2148
2565
# could make self.socket into a property instead of monkey
2149
2566
# patching socket.socket.)
2150
#
2567
#
2151
2568
# Create a one-time-only replacement for socket.socket()
2152
2569
@functools.wraps(socket.socket)
2153
2570
def socket_wrapper(*args, **kwargs):
2165
2582
# socket_wrapper(), if socketfd was set.
2166
2583
socketserver.TCPServer.__init__(self, server_address,
2167
2584
RequestHandlerClass)
2168
2585
2169
2586
def server_bind(self):
2170
2587
"""This overrides the normal server_bind() function
2171
2588
to bind to an interface if one was specified, and also NOT to
2172
2589
bind to an address or port if they were not specified."""
2590
global SO_BINDTODEVICE
2173
2591
if self.interface is not None:
2174
2592
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2593
# Fall back to a hard-coded value which seems to be
2594
# common enough.
2595
logger.warning("SO_BINDTODEVICE not found, trying 25")
2596
SO_BINDTODEVICE = 25
2597
try:
2598
self.socket.setsockopt(
2599
socket.SOL_SOCKET, SO_BINDTODEVICE,
2600
(self.interface + "\0").encode("utf-8"))
2601
except socket.error as error:
2602
if error.errno == errno.EPERM:
2603
logger.error("No permission to bind to"
2604
" interface %s", self.interface)
2605
elif error.errno == errno.ENOPROTOOPT:
2606
logger.error("SO_BINDTODEVICE not available;"
2607
" cannot bind to interface %s",
2608
self.interface)
2609
elif error.errno == errno.ENODEV:
2610
logger.error("Interface %s does not exist,"
2611
" cannot bind", self.interface)
2612
else:
2613
raise
2196
2614
# Only bind(2) the socket if we really need to.
2197
2615
if self.server_address[0] or self.server_address[1]:
2616
if self.server_address[1]:
2617
self.allow_reuse_address = True
2198
2618
if not self.server_address[0]:
2199
2619
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2620
any_address = "::" # in6addr_any
2201
2621
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2622
any_address = "0.0.0.0" # INADDR_ANY
2203
2623
self.server_address = (any_address,
2204
2624
self.server_address[1])
2205
2625
elif not self.server_address[1]:
2215
2635
2216
2636
class MandosServer(IPv6_TCPServer):
2217
2637
"""Mandos server.
2218
2638
2219
2639
Attributes:
2220
2640
clients: set of Client objects
2221
2641
gnutls_priority GnuTLS priority string
2222
2642
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2643
2644
Assumes a GLib.MainLoop event loop.
2225
2645
"""
2226
2646
2227
2647
def __init__(self, server_address, RequestHandlerClass,
2228
2648
interface=None,
2229
2649
use_ipv6=True,
2239
2659
self.gnutls_priority = gnutls_priority
2240
2660
IPv6_TCPServer.__init__(self, server_address,
2241
2661
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2662
interface=interface,
2663
use_ipv6=use_ipv6,
2664
socketfd=socketfd)
2665
2246
2666
def server_activate(self):
2247
2667
if self.enabled:
2248
2668
return socketserver.TCPServer.server_activate(self)
2249
2669
2250
2670
def enable(self):
2251
2671
self.enabled = True
2252
2672
2253
2673
def add_pipe(self, parent_pipe, proc):
2254
2674
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2675
GLib.io_add_watch(
2256
2676
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2677
GLib.IO_IN | GLib.IO_HUP,
2258
2678
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2679
parent_pipe=parent_pipe,
2680
proc=proc))
2681
2262
2682
def handle_ipc(self, source, condition,
2263
2683
parent_pipe=None,
2264
proc = None,
2684
proc=None,
2265
2685
client_object=None):
2266
2686
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2687
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2688
# Wait for other process to exit
2269
2689
proc.join()
2270
2690
return False
2271
2691
2272
2692
# Read a request from the child
2273
2693
request = parent_pipe.recv()
2274
2694
command = request[0]
2275
2695
2276
2696
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2697
key_id = request[1].decode("ascii")
2698
fpr = request[2].decode("ascii")
2699
address = request[3]
2700
2701
for c in self.clients.values():
2702
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2703
continue
2704
if key_id and c.key_id == key_id:
2705
client = c
2706
break
2707
if fpr and c.fingerprint == fpr:
2282
2708
client = c
2283
2709
break
2284
2710
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2711
logger.info("Client not found for key ID: %s, address"
2712
": %s", key_id or fpr, address)
2287
2713
if self.use_dbus:
2288
2714
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2715
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2716
address[0])
2291
2717
parent_pipe.send(False)
2292
2718
return False
2293
2294
gobject.io_add_watch(
2719
2720
GLib.io_add_watch(
2295
2721
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2722
GLib.IO_IN | GLib.IO_HUP,
2297
2723
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2724
parent_pipe=parent_pipe,
2725
proc=proc,
2726
client_object=client))
2301
2727
parent_pipe.send(True)
2302
2728
# remove the old hook in favor of the new above hook on
2303
2729
# same fileno
2306
2732
funcname = request[1]
2307
2733
args = request[2]
2308
2734
kwargs = request[3]
2309
2735
2310
2736
parent_pipe.send(('data', getattr(client_object,
2311
2737
funcname)(*args,
2312
2738
**kwargs)))
2313
2739
2314
2740
if command == 'getattr':
2315
2741
attrname = request[1]
2316
2742
if isinstance(client_object.__getattribute__(attrname),
2319
2745
else:
2320
2746
parent_pipe.send((
2321
2747
'data', client_object.__getattribute__(attrname)))
2322
2748
2323
2749
if command == 'setattr':
2324
2750
attrname = request[1]
2325
2751
value = request[2]
2326
2752
setattr(client_object, attrname, value)
2327
2753
2328
2754
return True
2329
2755
2330
2756
2331
2757
def rfc3339_duration_to_delta(duration):
2332
2758
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2759
2334
2760
>>> rfc3339_duration_to_delta("P7D")
2335
2761
datetime.timedelta(7)
2336
2762
>>> rfc3339_duration_to_delta("PT60S")
2346
2772
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
2773
datetime.timedelta(1, 200)
2348
2774
"""
2349
2775
2350
2776
# Parsing an RFC 3339 duration with regular expressions is not
2351
2777
# possible - there would have to be multiple places for the same
2352
2778
# values, like seconds. The current code, while more esoteric, is
2353
2779
# cleaner without depending on a parsing library. If Python had a
2354
2780
# built-in library for parsing we would use it, but we'd like to
2355
2781
# avoid excessive use of external libraries.
2356
2782
2357
2783
# New type for defining tokens, syntax, and semantics all-in-one
2358
2784
Token = collections.namedtuple("Token", (
2359
2785
"regexp", # To match token; if "value" is not None, must have
2392
2818
frozenset((token_year, token_month,
2393
2819
token_day, token_time,
2394
2820
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2821
# Define starting values:
2822
# Value so far
2823
value = datetime.timedelta()
2397
2824
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2825
# Following valid tokens
2826
followers = frozenset((token_duration, ))
2827
# String left to parse
2828
s = duration
2400
2829
# Loop until end token is found
2401
2830
while found_token is not token_end:
2402
2831
# Search for any currently valid tokens
2426
2855
2427
2856
def string_to_delta(interval):
2428
2857
"""Parse a string and return a datetime.timedelta
2429
2858
2430
2859
>>> string_to_delta('7d')
2431
2860
datetime.timedelta(7)
2432
2861
>>> string_to_delta('60s')
2440
2869
>>> string_to_delta('5m 30s')
2441
2870
datetime.timedelta(0, 330)
2442
2871
"""
2443
2872
2444
2873
try:
2445
2874
return rfc3339_duration_to_delta(interval)
2446
2875
except ValueError:
2447
2876
pass
2448
2877
2449
2878
timevalue = datetime.timedelta(0)
2450
2879
for s in interval.split():
2451
2880
try:
2469
2898
return timevalue
2470
2899
2471
2900
2472
def daemon(nochdir = False, noclose = False):
2901
def daemon(nochdir=False, noclose=False):
2473
2902
"""See daemon(3). Standard BSD Unix function.
2474
2903
2475
2904
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2905
if os.fork():
2477
2906
sys.exit()
2495
2924
2496
2925
2497
2926
def main():
2498
2927
2499
2928
##################################################################
2500
2929
# Parsing of options, both command line and config file
2501
2930
2502
2931
parser = argparse.ArgumentParser()
2503
2932
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2933
version="%(prog)s {}".format(version),
2505
2934
help="show version number and exit")
2506
2935
parser.add_argument("-i", "--interface", metavar="IF",
2507
2936
help="Bind to interface IF")
2543
2972
parser.add_argument("--no-zeroconf", action="store_false",
2544
2973
dest="zeroconf", help="Do not use Zeroconf",
2545
2974
default=None)
2546
2975
2547
2976
options = parser.parse_args()
2548
2977
2549
2978
if options.check:
2550
2979
import doctest
2551
2980
fail_count, test_count = doctest.testmod()
2552
2981
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2982
2554
2983
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2984
if gnutls.has_rawpk:
2985
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2986
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2987
else:
2988
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2989
":+SIGN-DSA-SHA256")
2990
server_defaults = {"interface": "",
2991
"address": "",
2992
"port": "",
2993
"debug": "False",
2994
"priority": priority,
2995
"servicename": "Mandos",
2996
"use_dbus": "True",
2997
"use_ipv6": "True",
2998
"debuglevel": "",
2999
"restore": "True",
3000
"socket": "",
3001
"statedir": "/var/lib/mandos",
3002
"foreground": "False",
3003
"zeroconf": "True",
3004
}
3005
del priority
3006
2573
3007
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3008
server_config = configparser.ConfigParser(server_defaults)
2575
3009
del server_defaults
2576
3010
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3011
# Convert the ConfigParser object to a dict
2578
3012
server_settings = server_config.defaults()
2579
3013
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3014
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3015
"foreground", "zeroconf"):
2581
3016
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3017
option)
2583
3018
if server_settings["port"]:
2593
3028
server_settings["socket"] = os.dup(server_settings
2594
3029
["socket"])
2595
3030
del server_config
2596
3031
2597
3032
# Override the settings from the config file with command line
2598
3033
# options, if set.
2599
3034
for option in ("interface", "address", "port", "debug",
2617
3052
if server_settings["debug"]:
2618
3053
server_settings["foreground"] = True
2619
3054
# Now we have our good server settings in "server_settings"
2620
3055
2621
3056
##################################################################
2622
3057
2623
3058
if (not server_settings["zeroconf"]
2624
3059
and not (server_settings["port"]
2625
3060
or server_settings["socket"] != "")):
2626
3061
parser.error("Needs port or socket to work without Zeroconf")
2627
3062
2628
3063
# For convenience
2629
3064
debug = server_settings["debug"]
2630
3065
debuglevel = server_settings["debuglevel"]
2634
3069
stored_state_file)
2635
3070
foreground = server_settings["foreground"]
2636
3071
zeroconf = server_settings["zeroconf"]
2637
3072
2638
3073
if debug:
2639
3074
initlogger(debug, logging.DEBUG)
2640
3075
else:
2643
3078
else:
2644
3079
level = getattr(logging, debuglevel.upper())
2645
3080
initlogger(debug, level)
2646
3081
2647
3082
if server_settings["servicename"] != "Mandos":
2648
3083
syslogger.setFormatter(
2649
3084
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3085
' %(levelname)s: %(message)s'.format(
2651
3086
server_settings["servicename"])))
2652
3087
2653
3088
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3089
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3090
client_config.read(os.path.join(server_settings["configdir"],
2657
3091
"clients.conf"))
2658
3092
2659
3093
global mandos_dbus_service
2660
3094
mandos_dbus_service = None
2661
3095
2662
3096
socketfd = None
2663
3097
if server_settings["socket"] != "":
2664
3098
socketfd = server_settings["socket"]
2680
3114
except IOError as e:
2681
3115
logger.error("Could not open file %r", pidfilename,
2682
3116
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3117
3118
for name, group in (("_mandos", "_mandos"),
3119
("mandos", "mandos"),
3120
("nobody", "nogroup")):
2685
3121
try:
2686
3122
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3123
gid = pwd.getpwnam(group).pw_gid
2688
3124
break
2689
3125
except KeyError:
2690
3126
continue
2694
3130
try:
2695
3131
os.setgid(gid)
2696
3132
os.setuid(uid)
3133
if debug:
3134
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3135
gid))
2697
3136
except OSError as error:
3137
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3138
.format(uid, gid, os.strerror(error.errno)))
2698
3139
if error.errno != errno.EPERM:
2699
3140
raise
2700
3141
2701
3142
if debug:
2702
3143
# Enable all possible GnuTLS debugging
2703
3144
2704
3145
# "Use a log level over 10 to enable all debugging options."
2705
3146
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3147
gnutls.global_set_log_level(11)
3148
3149
@gnutls.log_func
2709
3150
def debug_gnutls(level, string):
2710
3151
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3152
3153
gnutls.global_set_log_function(debug_gnutls)
3154
2715
3155
# Redirect stdin so all checkers get /dev/null
2716
3156
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3157
os.dup2(null, sys.stdin.fileno())
2718
3158
if null > 2:
2719
3159
os.close(null)
2720
3160
2721
3161
# Need to fork before connecting to D-Bus
2722
3162
if not foreground:
2723
3163
# Close all input and output, do double fork, etc.
2724
3164
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3165
3166
if gi.version_info < (3, 10, 2):
3167
# multiprocessing will use threads, so before we use GLib we
3168
# need to inform GLib that threads will be used.
3169
GLib.threads_init()
3170
2730
3171
global main_loop
2731
3172
# From the Avahi example code
2732
3173
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3174
main_loop = GLib.MainLoop()
2734
3175
bus = dbus.SystemBus()
2735
3176
# End of Avahi example code
2736
3177
if use_dbus:
2749
3190
if zeroconf:
2750
3191
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3192
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3193
name=server_settings["servicename"],
3194
servicetype="_mandos._tcp",
3195
protocol=protocol,
3196
bus=bus)
2756
3197
if server_settings["interface"]:
2757
3198
service.interface = if_nametoindex(
2758
3199
server_settings["interface"].encode("utf-8"))
2759
3200
2760
3201
global multiprocessing_manager
2761
3202
multiprocessing_manager = multiprocessing.Manager()
2762
3203
2763
3204
client_class = Client
2764
3205
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3206
client_class = functools.partial(ClientDBus, bus=bus)
3207
2767
3208
client_settings = Client.config_parser(client_config)
2768
3209
old_client_settings = {}
2769
3210
clients_data = {}
2770
3211
2771
3212
# This is used to redirect stdout and stderr for checker processes
2772
3213
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3214
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3215
# Only used if server is running in foreground but not in debug
2775
3216
# mode
2776
3217
if debug or not foreground:
2777
3218
wnull.close()
2778
3219
2779
3220
# Get client data and settings from last running state.
2780
3221
if server_settings["restore"]:
2781
3222
try:
2782
3223
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3224
if sys.version_info.major == 2:
3225
clients_data, old_client_settings = pickle.load(
3226
stored_state)
3227
else:
3228
bytes_clients_data, bytes_old_client_settings = (
3229
pickle.load(stored_state, encoding="bytes"))
3230
# Fix bytes to strings
3231
# clients_data
3232
# .keys()
3233
clients_data = {(key.decode("utf-8")
3234
if isinstance(key, bytes)
3235
else key): value
3236
for key, value in
3237
bytes_clients_data.items()}
3238
del bytes_clients_data
3239
for key in clients_data:
3240
value = {(k.decode("utf-8")
3241
if isinstance(k, bytes) else k): v
3242
for k, v in
3243
clients_data[key].items()}
3244
clients_data[key] = value
3245
# .client_structure
3246
value["client_structure"] = [
3247
(s.decode("utf-8")
3248
if isinstance(s, bytes)
3249
else s) for s in
3250
value["client_structure"]]
3251
# .name & .host
3252
for k in ("name", "host"):
3253
if isinstance(value[k], bytes):
3254
value[k] = value[k].decode("utf-8")
3255
if "key_id" not in value:
3256
value["key_id"] = ""
3257
elif "fingerprint" not in value:
3258
value["fingerprint"] = ""
3259
# old_client_settings
3260
# .keys()
3261
old_client_settings = {
3262
(key.decode("utf-8")
3263
if isinstance(key, bytes)
3264
else key): value
3265
for key, value in
3266
bytes_old_client_settings.items()}
3267
del bytes_old_client_settings
3268
# .host
3269
for value in old_client_settings.values():
3270
if isinstance(value["host"], bytes):
3271
value["host"] = (value["host"]
3272
.decode("utf-8"))
2785
3273
os.remove(stored_state_path)
2786
3274
except IOError as e:
2787
3275
if e.errno == errno.ENOENT:
2795
3283
logger.warning("Could not load persistent state: "
2796
3284
"EOFError:",
2797
3285
exc_info=e)
2798
3286
2799
3287
with PGPEngine() as pgp:
2800
3288
for client_name, client in clients_data.items():
2801
3289
# Skip removed clients
2802
3290
if client_name not in client_settings:
2803
3291
continue
2804
3292
2805
3293
# Decide which value to use after restoring saved state.
2806
3294
# We have three different values: Old config file,
2807
3295
# new config file, and saved state.
2818
3306
client[name] = value
2819
3307
except KeyError:
2820
3308
pass
2821
3309
2822
3310
# Clients who has passed its expire date can still be
2823
3311
# enabled if its last checker was successful. A Client
2824
3312
# whose checker succeeded before we stored its state is
2857
3345
client_name))
2858
3346
client["secret"] = (client_settings[client_name]
2859
3347
["secret"])
2860
3348
2861
3349
# Add/remove clients based on new changes made to config
2862
3350
for client_name in (set(old_client_settings)
2863
3351
- set(client_settings)):
2865
3353
for client_name in (set(client_settings)
2866
3354
- set(old_client_settings)):
2867
3355
clients_data[client_name] = client_settings[client_name]
2868
3356
2869
3357
# Create all client objects
2870
3358
for client_name, client in clients_data.items():
2871
3359
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3360
name=client_name,
3361
settings=client,
3362
server_settings=server_settings)
3363
2876
3364
if not tcp_server.clients:
2877
3365
logger.warning("No clients defined")
2878
3366
2879
3367
if not foreground:
2880
3368
if pidfile is not None:
2881
3369
pid = os.getpid()
2887
3375
pidfilename, pid)
2888
3376
del pidfile
2889
3377
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3378
3379
for termsig in (signal.SIGHUP, signal.SIGTERM):
3380
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3381
lambda: main_loop.quit() and False)
3382
2894
3383
if use_dbus:
2895
3384
2896
3385
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3386
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3387
class MandosDBusService(DBusObjectWithObjectManager):
2899
3388
"""A D-Bus proxy object"""
2900
3389
2901
3390
def __init__(self):
2902
3391
dbus.service.Object.__init__(self, bus, "/")
2903
3392
2904
3393
_interface = "se.recompile.Mandos"
2905
3394
2906
3395
@dbus.service.signal(_interface, signature="o")
2907
3396
def ClientAdded(self, objpath):
2908
3397
"D-Bus signal"
2909
3398
pass
2910
3399
2911
3400
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3401
def ClientNotFound(self, key_id, address):
2913
3402
"D-Bus signal"
2914
3403
pass
2915
3404
2916
3405
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3406
"true"})
2918
3407
@dbus.service.signal(_interface, signature="os")
2919
3408
def ClientRemoved(self, objpath, name):
2920
3409
"D-Bus signal"
2921
3410
pass
2922
3411
2923
3412
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3413
"true"})
2925
3414
@dbus.service.method(_interface, out_signature="ao")
2926
3415
def GetAllClients(self):
2927
3416
"D-Bus method"
2928
3417
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3418
tcp_server.clients.values())
3419
2931
3420
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3421
"true"})
2933
3422
@dbus.service.method(_interface,
2935
3424
def GetAllClientsWithProperties(self):
2936
3425
"D-Bus method"
2937
3426
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3427
{c.dbus_object_path: c.GetAll(
2939
3428
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3429
for c in tcp_server.clients.values()},
2941
3430
signature="oa{sv}")
2942
3431
2943
3432
@dbus.service.method(_interface, in_signature="o")
2944
3433
def RemoveClient(self, object_path):
2945
3434
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3435
for c in tcp_server.clients.values():
2947
3436
if c.dbus_object_path == object_path:
2948
3437
del tcp_server.clients[c.name]
2949
3438
c.remove_from_connection()
2953
3442
self.client_removed_signal(c)
2954
3443
return
2955
3444
raise KeyError(object_path)
2956
3445
2957
3446
del _interface
2958
3447
2959
3448
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3449
out_signature="a{oa{sa{sv}}}")
2961
3450
def GetManagedObjects(self):
2962
3451
"""D-Bus method"""
2963
3452
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3453
{client.dbus_object_path:
3454
dbus.Dictionary(
3455
{interface: client.GetAll(interface)
3456
for interface in
3457
client._get_all_interface_names()})
3458
for client in tcp_server.clients.values()})
3459
2971
3460
def client_added_signal(self, client):
2972
3461
"""Send the new standard signal and the old signal"""
2973
3462
if use_dbus:
2975
3464
self.InterfacesAdded(
2976
3465
client.dbus_object_path,
2977
3466
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3467
{interface: client.GetAll(interface)
3468
for interface in
3469
client._get_all_interface_names()}))
2981
3470
# Old signal
2982
3471
self.ClientAdded(client.dbus_object_path)
2983
3472
2984
3473
def client_removed_signal(self, client):
2985
3474
"""Send the new standard signal and the old signal"""
2986
3475
if use_dbus:
2991
3480
# Old signal
2992
3481
self.ClientRemoved(client.dbus_object_path,
2993
3482
client.name)
2994
3483
2995
3484
mandos_dbus_service = MandosDBusService()
2996
3485
3486
# Save modules to variables to exempt the modules from being
3487
# unloaded before the function registered with atexit() is run.
3488
mp = multiprocessing
3489
wn = wnull
3490
2997
3491
def cleanup():
2998
3492
"Cleanup function; run on exit"
2999
3493
if zeroconf:
3000
3494
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3495
3496
mp.active_children()
3497
wn.close()
3004
3498
if not (tcp_server.clients or client_settings):
3005
3499
return
3006
3500
3007
3501
# Store client before exiting. Secrets are encrypted with key
3008
3502
# based on what config file has. If config file is
3009
3503
# removed/edited, old secret will thus be unrecovable.
3010
3504
clients = {}
3011
3505
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3506
for client in tcp_server.clients.values():
3013
3507
key = client_settings[client.name]["secret"]
3014
3508
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3509
key)
3016
3510
client_dict = {}
3017
3511
3018
3512
# A list of attributes that can not be pickled
3019
3513
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3514
exclude = {"bus", "changedstate", "secret",
3515
"checker", "server_settings"}
3022
3516
for name, typ in inspect.getmembers(dbus.service
3023
3517
.Object):
3024
3518
exclude.add(name)
3025
3519
3026
3520
client_dict["encrypted_secret"] = (client
3027
3521
.encrypted_secret)
3028
3522
for attr in client.client_structure:
3029
3523
if attr not in exclude:
3030
3524
client_dict[attr] = getattr(client, attr)
3031
3525
3032
3526
clients[client.name] = client_dict
3033
3527
del client_settings[client.name]["secret"]
3034
3528
3035
3529
try:
3036
3530
with tempfile.NamedTemporaryFile(
3037
3531
mode='wb',
3039
3533
prefix='clients-',
3040
3534
dir=os.path.dirname(stored_state_path),
3041
3535
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3536
pickle.dump((clients, client_settings), stored_state,
3537
protocol=2)
3043
3538
tempname = stored_state.name
3044
3539
os.rename(tempname, stored_state_path)
3045
3540
except (IOError, OSError) as e:
3055
3550
logger.warning("Could not save persistent state:",
3056
3551
exc_info=e)
3057
3552
raise
3058
3553
3059
3554
# Delete all clients, and settings from config
3060
3555
while tcp_server.clients:
3061
3556
name, client = tcp_server.clients.popitem()
3064
3559
# Don't signal the disabling
3065
3560
client.disable(quiet=True)
3066
3561
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3562
if use_dbus:
3563
mandos_dbus_service.client_removed_signal(client)
3068
3564
client_settings.clear()
3069
3565
3070
3566
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3567
3568
for client in tcp_server.clients.values():
3073
3569
if use_dbus:
3074
3570
# Emit D-Bus signal for adding
3075
3571
mandos_dbus_service.client_added_signal(client)
3076
3572
# Need to initiate checking of clients
3077
3573
if client.enabled:
3078
3574
client.init_checker()
3079
3575
3080
3576
tcp_server.enable()
3081
3577
tcp_server.server_activate()
3082
3578
3083
3579
# Find out what port we got
3084
3580
if zeroconf:
3085
3581
service.port = tcp_server.socket.getsockname()[1]
3090
3586
else: # IPv4
3091
3587
logger.info("Now listening on address %r, port %d",
3092
3588
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3589
3590
# service.interface = tcp_server.socket.getsockname()[3]
3591
3096
3592
try:
3097
3593
if zeroconf:
3098
3594
# From the Avahi example code
3103
3599
cleanup()
3104
3600
sys.exit(1)
3105
3601
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3602
3603
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3604
lambda *args, **kwargs:
3605
(tcp_server.handle_request
3606
(*args[2:], **kwargs) or True))
3607
3112
3608
logger.debug("Starting main loop")
3113
3609
main_loop.run()
3114
3610
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0