To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1193
- compare with another revision
- download diff
- download tarball
- view history from revision 1193
- Committer: teddy at recompile
- Date: 2019-12-04 23:52:20 UTC
- Revision ID: teddy@recompile.se-20191204235220-yn88brp0scmqwy2t
Remove non-project-specific pattern from .bzrignore
Only project-specific patterns should be in the .bzrignore file.
Other generic patterns should be in the ~/.config/breezy/ignore and
~/.bazaar/ignore files.
* .bzrignore (.tramp_history): Remove.
Only project-specific patterns should be in the .bzrignore file.
Other generic patterns should be in the ~/.config/breezy/ignore and
~/.bazaar/ignore files.
* .bzrignore (.tramp_history): Remove.
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
76
77
import itertools
77
78
import collections
78
79
import codecs
80
import unittest
79
81
80
82
import dbus
81
83
import dbus.service
82
try:
83
from gi.repository import GObject
84
except ImportError:
85
import gobject as GObject
84
import gi
85
from gi.repository import GLib
86
86
from dbus.mainloop.glib import DBusGMainLoop
87
87
import ctypes
88
88
import ctypes.util
89
89
import xml.dom.minidom
90
90
import inspect
91
91
92
if sys.version_info.major == 2:
93
__metaclass__ = type
94
str = unicode
95
96
# Show warnings by default
97
if not sys.warnoptions:
98
import warnings
99
warnings.simplefilter("default")
100
101
# Try to find the value of SO_BINDTODEVICE:
92
102
try:
103
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
104
# newer, and it is also the most natural place for it:
93
105
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
94
106
except AttributeError:
95
107
try:
108
# This is where SO_BINDTODEVICE was up to and including Python
109
# 2.6, and also 3.2:
96
110
from IN import SO_BINDTODEVICE
97
111
except ImportError:
98
SO_BINDTODEVICE = None
99
100
if sys.version_info.major == 2:
101
str = unicode
102
103
version = "1.7.5"
112
# In Python 2.7 it seems to have been removed entirely.
113
# Try running the C preprocessor:
114
try:
115
cc = subprocess.Popen(["cc", "--language=c", "-E",
116
"/dev/stdin"],
117
stdin=subprocess.PIPE,
118
stdout=subprocess.PIPE)
119
stdout = cc.communicate(
120
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
121
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
122
except (OSError, ValueError, IndexError):
123
# No value found
124
SO_BINDTODEVICE = None
125
126
if sys.version_info < (3, 2):
127
configparser.Configparser = configparser.SafeConfigParser
128
129
version = "1.8.9"
104
130
stored_state_file = "clients.pickle"
105
131
106
132
logger = logging.getLogger()
133
logging.captureWarnings(True) # Show warnings via the logging system
107
134
syslogger = None
108
135
109
136
try:
110
137
if_nametoindex = ctypes.cdll.LoadLibrary(
111
138
ctypes.util.find_library("c")).if_nametoindex
112
139
except (OSError, AttributeError):
113
140
114
141
def if_nametoindex(interface):
115
142
"Get an interface index the hard way, i.e. using fcntl()"
116
143
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
139
166
140
167
def initlogger(debug, level=logging.WARNING):
141
168
"""init logger and add loglevel"""
142
169
143
170
global syslogger
144
171
syslogger = (logging.handlers.SysLogHandler(
145
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
146
address = "/dev/log"))
172
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
173
address="/dev/log"))
147
174
syslogger.setFormatter(logging.Formatter
148
175
('Mandos [%(process)d]: %(levelname)s:'
149
176
' %(message)s'))
150
177
logger.addHandler(syslogger)
151
178
152
179
if debug:
153
180
console = logging.StreamHandler()
154
181
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
164
191
pass
165
192
166
193
167
class PGPEngine(object):
194
class PGPEngine:
168
195
"""A simple class for OpenPGP symmetric encryption & decryption"""
169
196
170
197
def __init__(self):
171
198
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
172
199
self.gpg = "gpg"
174
201
output = subprocess.check_output(["gpgconf"])
175
202
for line in output.splitlines():
176
203
name, text, path = line.split(b":")
177
if name == "gpg":
204
if name == b"gpg":
178
205
self.gpg = path
179
206
break
180
207
except OSError as e:
183
210
self.gnupgargs = ['--batch',
184
211
'--homedir', self.tempdir,
185
212
'--force-mdc',
186
'--quiet',
187
'--no-use-agent']
188
213
'--quiet']
214
# Only GPG version 1 has the --no-use-agent option.
215
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
216
self.gnupgargs.append("--no-use-agent")
217
189
218
def __enter__(self):
190
219
return self
191
220
192
221
def __exit__(self, exc_type, exc_value, traceback):
193
222
self._cleanup()
194
223
return False
195
224
196
225
def __del__(self):
197
226
self._cleanup()
198
227
199
228
def _cleanup(self):
200
229
if self.tempdir is not None:
201
230
# Delete contents of tempdir
202
231
for root, dirs, files in os.walk(self.tempdir,
203
topdown = False):
232
topdown=False):
204
233
for filename in files:
205
234
os.remove(os.path.join(root, filename))
206
235
for dirname in dirs:
208
237
# Remove tempdir
209
238
os.rmdir(self.tempdir)
210
239
self.tempdir = None
211
240
212
241
def password_encode(self, password):
213
242
# Passphrase can not be empty and can not contain newlines or
214
243
# NUL bytes. So we prefix it and hex encode it.
219
248
.replace(b"\n", b"\\n")
220
249
.replace(b"\0", b"\\x00"))
221
250
return encoded
222
251
223
252
def encrypt(self, data, password):
224
253
passphrase = self.password_encode(password)
225
254
with tempfile.NamedTemporaryFile(
230
259
'--passphrase-file',
231
260
passfile.name]
232
261
+ self.gnupgargs,
233
stdin = subprocess.PIPE,
234
stdout = subprocess.PIPE,
235
stderr = subprocess.PIPE)
236
ciphertext, err = proc.communicate(input = data)
262
stdin=subprocess.PIPE,
263
stdout=subprocess.PIPE,
264
stderr=subprocess.PIPE)
265
ciphertext, err = proc.communicate(input=data)
237
266
if proc.returncode != 0:
238
267
raise PGPError(err)
239
268
return ciphertext
240
269
241
270
def decrypt(self, data, password):
242
271
passphrase = self.password_encode(password)
243
272
with tempfile.NamedTemporaryFile(
244
dir = self.tempdir) as passfile:
273
dir=self.tempdir) as passfile:
245
274
passfile.write(passphrase)
246
275
passfile.flush()
247
276
proc = subprocess.Popen([self.gpg, '--decrypt',
248
277
'--passphrase-file',
249
278
passfile.name]
250
279
+ self.gnupgargs,
251
stdin = subprocess.PIPE,
252
stdout = subprocess.PIPE,
253
stderr = subprocess.PIPE)
254
decrypted_plaintext, err = proc.communicate(input = data)
280
stdin=subprocess.PIPE,
281
stdout=subprocess.PIPE,
282
stderr=subprocess.PIPE)
283
decrypted_plaintext, err = proc.communicate(input=data)
255
284
if proc.returncode != 0:
256
285
raise PGPError(err)
257
286
return decrypted_plaintext
258
287
288
259
289
# Pretend that we have an Avahi module
260
class Avahi(object):
261
"""This isn't so much a class as it is a module-like namespace.
262
It is instantiated once, and simulates having an Avahi module."""
263
IF_UNSPEC = -1 # avahi-common/address.h
264
PROTO_UNSPEC = -1 # avahi-common/address.h
265
PROTO_INET = 0 # avahi-common/address.h
266
PROTO_INET6 = 1 # avahi-common/address.h
290
class avahi:
291
"""This isn't so much a class as it is a module-like namespace."""
292
IF_UNSPEC = -1 # avahi-common/address.h
293
PROTO_UNSPEC = -1 # avahi-common/address.h
294
PROTO_INET = 0 # avahi-common/address.h
295
PROTO_INET6 = 1 # avahi-common/address.h
267
296
DBUS_NAME = "org.freedesktop.Avahi"
268
297
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
269
298
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
270
299
DBUS_PATH_SERVER = "/"
271
def string_array_to_txt_array(self, t):
300
301
@staticmethod
302
def string_array_to_txt_array(t):
272
303
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
273
304
for s in t), signature="ay")
274
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
275
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
276
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
277
SERVER_INVALID = 0 # avahi-common/defs.h
278
SERVER_REGISTERING = 1 # avahi-common/defs.h
279
SERVER_RUNNING = 2 # avahi-common/defs.h
280
SERVER_COLLISION = 3 # avahi-common/defs.h
281
SERVER_FAILURE = 4 # avahi-common/defs.h
282
avahi = Avahi()
305
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
306
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
307
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
308
SERVER_INVALID = 0 # avahi-common/defs.h
309
SERVER_REGISTERING = 1 # avahi-common/defs.h
310
SERVER_RUNNING = 2 # avahi-common/defs.h
311
SERVER_COLLISION = 3 # avahi-common/defs.h
312
SERVER_FAILURE = 4 # avahi-common/defs.h
313
283
314
284
315
class AvahiError(Exception):
285
316
def __init__(self, value, *args, **kwargs):
296
327
pass
297
328
298
329
299
class AvahiService(object):
330
class AvahiService:
300
331
"""An Avahi (Zeroconf) service.
301
332
302
333
Attributes:
303
334
interface: integer; avahi.IF_UNSPEC or an interface index.
304
335
Used to optionally bind to the specified interface.
316
347
server: D-Bus Server
317
348
bus: dbus.SystemBus()
318
349
"""
319
350
320
351
def __init__(self,
321
interface = avahi.IF_UNSPEC,
322
name = None,
323
servicetype = None,
324
port = None,
325
TXT = None,
326
domain = "",
327
host = "",
328
max_renames = 32768,
329
protocol = avahi.PROTO_UNSPEC,
330
bus = None):
352
interface=avahi.IF_UNSPEC,
353
name=None,
354
servicetype=None,
355
port=None,
356
TXT=None,
357
domain="",
358
host="",
359
max_renames=32768,
360
protocol=avahi.PROTO_UNSPEC,
361
bus=None):
331
362
self.interface = interface
332
363
self.name = name
333
364
self.type = servicetype
342
373
self.server = None
343
374
self.bus = bus
344
375
self.entry_group_state_changed_match = None
345
376
346
377
def rename(self, remove=True):
347
378
"""Derived from the Avahi example code"""
348
379
if self.rename_count >= self.max_renames:
368
399
logger.critical("D-Bus Exception", exc_info=error)
369
400
self.cleanup()
370
401
os._exit(1)
371
402
372
403
def remove(self):
373
404
"""Derived from the Avahi example code"""
374
405
if self.entry_group_state_changed_match is not None:
376
407
self.entry_group_state_changed_match = None
377
408
if self.group is not None:
378
409
self.group.Reset()
379
410
380
411
def add(self):
381
412
"""Derived from the Avahi example code"""
382
413
self.remove()
399
430
dbus.UInt16(self.port),
400
431
avahi.string_array_to_txt_array(self.TXT))
401
432
self.group.Commit()
402
433
403
434
def entry_group_state_changed(self, state, error):
404
435
"""Derived from the Avahi example code"""
405
436
logger.debug("Avahi entry group state change: %i", state)
406
437
407
438
if state == avahi.ENTRY_GROUP_ESTABLISHED:
408
439
logger.debug("Zeroconf service established.")
409
440
elif state == avahi.ENTRY_GROUP_COLLISION:
413
444
logger.critical("Avahi: Error in group state changed %s",
414
445
str(error))
415
446
raise AvahiGroupError("State changed: {!s}".format(error))
416
447
417
448
def cleanup(self):
418
449
"""Derived from the Avahi example code"""
419
450
if self.group is not None:
424
455
pass
425
456
self.group = None
426
457
self.remove()
427
458
428
459
def server_state_changed(self, state, error=None):
429
460
"""Derived from the Avahi example code"""
430
461
logger.debug("Avahi server state change: %i", state)
459
490
logger.debug("Unknown state: %r", state)
460
491
else:
461
492
logger.debug("Unknown state: %r: %r", state, error)
462
493
463
494
def activate(self):
464
495
"""Derived from the Avahi example code"""
465
496
if self.server is None:
476
507
class AvahiServiceToSyslog(AvahiService):
477
508
def rename(self, *args, **kwargs):
478
509
"""Add the new name to the syslog messages"""
479
ret = AvahiService.rename(self, *args, **kwargs)
510
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
480
511
syslogger.setFormatter(logging.Formatter(
481
512
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
482
513
.format(self.name)))
483
514
return ret
484
515
516
485
517
# Pretend that we have a GnuTLS module
486
class GnuTLS(object):
487
"""This isn't so much a class as it is a module-like namespace.
488
It is instantiated once, and simulates having a GnuTLS module."""
489
490
_library = ctypes.cdll.LoadLibrary(
491
ctypes.util.find_library("gnutls"))
492
_need_version = b"3.3.0"
493
def __init__(self):
494
# Need to use class name "GnuTLS" here, since this method is
495
# called before the assignment to the "gnutls" global variable
496
# happens.
497
if GnuTLS.check_version(self._need_version) is None:
498
raise GnuTLS.Error("Needs GnuTLS {} or later"
499
.format(self._need_version))
500
518
class gnutls:
519
"""This isn't so much a class as it is a module-like namespace."""
520
521
library = ctypes.util.find_library("gnutls")
522
if library is None:
523
library = ctypes.util.find_library("gnutls-deb0")
524
_library = ctypes.cdll.LoadLibrary(library)
525
del library
526
501
527
# Unless otherwise indicated, the constants and types below are
502
528
# all from the gnutls/gnutls.h C header file.
503
529
504
530
# Constants
505
531
E_SUCCESS = 0
506
532
E_INTERRUPTED = -52
507
533
E_AGAIN = -28
508
534
CRT_OPENPGP = 2
535
CRT_RAWPK = 3
509
536
CLIENT = 2
510
537
SHUT_RDWR = 0
511
538
CRD_CERTIFICATE = 1
512
539
E_NO_CERTIFICATE_FOUND = -49
540
X509_FMT_DER = 0
541
NO_TICKETS = 1<<10
542
ENABLE_RAWPK = 1<<18
543
CTYPE_PEERS = 3
544
KEYID_USE_SHA256 = 1 # gnutls/x509.h
513
545
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
514
546
515
547
# Types
516
548
class session_int(ctypes.Structure):
517
549
_fields_ = []
518
550
session_t = ctypes.POINTER(session_int)
551
519
552
class certificate_credentials_st(ctypes.Structure):
520
553
_fields_ = []
521
554
certificate_credentials_t = ctypes.POINTER(
522
555
certificate_credentials_st)
523
556
certificate_type_t = ctypes.c_int
557
524
558
class datum_t(ctypes.Structure):
525
559
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
526
560
('size', ctypes.c_uint)]
561
527
562
class openpgp_crt_int(ctypes.Structure):
528
563
_fields_ = []
529
564
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
530
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
565
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
531
566
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
532
567
credentials_type_t = ctypes.c_int
533
568
transport_ptr_t = ctypes.c_void_p
534
569
close_request_t = ctypes.c_int
535
570
536
571
# Exceptions
537
572
class Error(Exception):
538
# We need to use the class name "GnuTLS" here, since this
539
# exception might be raised from within GnuTLS.__init__,
540
# which is called before the assignment to the "gnutls"
541
# global variable has happened.
542
def __init__(self, message = None, code = None, args=()):
573
def __init__(self, message=None, code=None, args=()):
543
574
# Default usage is by a message string, but if a return
544
575
# code is passed, convert it to a string with
545
576
# gnutls.strerror()
546
577
self.code = code
547
578
if message is None and code is not None:
548
message = GnuTLS.strerror(code)
549
return super(GnuTLS.Error, self).__init__(
579
message = gnutls.strerror(code)
580
return super(gnutls.Error, self).__init__(
550
581
message, *args)
551
582
552
583
class CertificateSecurityError(Error):
553
584
pass
554
585
555
586
# Classes
556
class Credentials(object):
587
class Credentials:
557
588
def __init__(self):
558
589
self._c_object = gnutls.certificate_credentials_t()
559
590
gnutls.certificate_allocate_credentials(
560
591
ctypes.byref(self._c_object))
561
592
self.type = gnutls.CRD_CERTIFICATE
562
593
563
594
def __del__(self):
564
595
gnutls.certificate_free_credentials(self._c_object)
565
566
class ClientSession(object):
567
def __init__(self, socket, credentials = None):
596
597
class ClientSession:
598
def __init__(self, socket, credentials=None):
568
599
self._c_object = gnutls.session_t()
569
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
600
gnutls_flags = gnutls.CLIENT
601
if gnutls.check_version(b"3.5.6"):
602
gnutls_flags |= gnutls.NO_TICKETS
603
if gnutls.has_rawpk:
604
gnutls_flags |= gnutls.ENABLE_RAWPK
605
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
606
del gnutls_flags
570
607
gnutls.set_default_priority(self._c_object)
571
608
gnutls.transport_set_ptr(self._c_object, socket.fileno())
572
609
gnutls.handshake_set_private_extensions(self._c_object,
578
615
ctypes.cast(credentials._c_object,
579
616
ctypes.c_void_p))
580
617
self.credentials = credentials
581
618
582
619
def __del__(self):
583
620
gnutls.deinit(self._c_object)
584
621
585
622
def handshake(self):
586
623
return gnutls.handshake(self._c_object)
587
624
588
625
def send(self, data):
589
626
data = bytes(data)
590
627
data_len = len(data)
592
629
data_len -= gnutls.record_send(self._c_object,
593
630
data[-data_len:],
594
631
data_len)
595
632
596
633
def bye(self):
597
634
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
598
635
599
636
# Error handling functions
600
637
def _error_code(result):
601
638
"""A function to raise exceptions on errors, suitable
603
640
if result >= 0:
604
641
return result
605
642
if result == gnutls.E_NO_CERTIFICATE_FOUND:
606
raise gnutls.CertificateSecurityError(code = result)
607
raise gnutls.Error(code = result)
608
643
raise gnutls.CertificateSecurityError(code=result)
644
raise gnutls.Error(code=result)
645
609
646
def _retry_on_error(result, func, arguments):
610
647
"""A function to retry on some errors, suitable
611
648
for the 'errcheck' attribute on ctypes functions"""
614
651
return _error_code(result)
615
652
result = func(*arguments)
616
653
return result
617
654
618
655
# Unless otherwise indicated, the function declarations below are
619
656
# all from the gnutls/gnutls.h C header file.
620
657
621
658
# Functions
622
659
priority_set_direct = _library.gnutls_priority_set_direct
623
660
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
624
661
ctypes.POINTER(ctypes.c_char_p)]
625
662
priority_set_direct.restype = _error_code
626
663
627
664
init = _library.gnutls_init
628
665
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
629
666
init.restype = _error_code
630
667
631
668
set_default_priority = _library.gnutls_set_default_priority
632
669
set_default_priority.argtypes = [session_t]
633
670
set_default_priority.restype = _error_code
634
671
635
672
record_send = _library.gnutls_record_send
636
673
record_send.argtypes = [session_t, ctypes.c_void_p,
637
674
ctypes.c_size_t]
638
675
record_send.restype = ctypes.c_ssize_t
639
676
record_send.errcheck = _retry_on_error
640
677
641
678
certificate_allocate_credentials = (
642
679
_library.gnutls_certificate_allocate_credentials)
643
680
certificate_allocate_credentials.argtypes = [
644
681
ctypes.POINTER(certificate_credentials_t)]
645
682
certificate_allocate_credentials.restype = _error_code
646
683
647
684
certificate_free_credentials = (
648
685
_library.gnutls_certificate_free_credentials)
649
certificate_free_credentials.argtypes = [certificate_credentials_t]
686
certificate_free_credentials.argtypes = [
687
certificate_credentials_t]
650
688
certificate_free_credentials.restype = None
651
689
652
690
handshake_set_private_extensions = (
653
691
_library.gnutls_handshake_set_private_extensions)
654
692
handshake_set_private_extensions.argtypes = [session_t,
655
693
ctypes.c_int]
656
694
handshake_set_private_extensions.restype = None
657
695
658
696
credentials_set = _library.gnutls_credentials_set
659
697
credentials_set.argtypes = [session_t, credentials_type_t,
660
698
ctypes.c_void_p]
661
699
credentials_set.restype = _error_code
662
700
663
701
strerror = _library.gnutls_strerror
664
702
strerror.argtypes = [ctypes.c_int]
665
703
strerror.restype = ctypes.c_char_p
666
704
667
705
certificate_type_get = _library.gnutls_certificate_type_get
668
706
certificate_type_get.argtypes = [session_t]
669
707
certificate_type_get.restype = _error_code
670
708
671
709
certificate_get_peers = _library.gnutls_certificate_get_peers
672
710
certificate_get_peers.argtypes = [session_t,
673
711
ctypes.POINTER(ctypes.c_uint)]
674
712
certificate_get_peers.restype = ctypes.POINTER(datum_t)
675
713
676
714
global_set_log_level = _library.gnutls_global_set_log_level
677
715
global_set_log_level.argtypes = [ctypes.c_int]
678
716
global_set_log_level.restype = None
679
717
680
718
global_set_log_function = _library.gnutls_global_set_log_function
681
719
global_set_log_function.argtypes = [log_func]
682
720
global_set_log_function.restype = None
683
721
684
722
deinit = _library.gnutls_deinit
685
723
deinit.argtypes = [session_t]
686
724
deinit.restype = None
687
725
688
726
handshake = _library.gnutls_handshake
689
727
handshake.argtypes = [session_t]
690
728
handshake.restype = _error_code
691
729
handshake.errcheck = _retry_on_error
692
730
693
731
transport_set_ptr = _library.gnutls_transport_set_ptr
694
732
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
695
733
transport_set_ptr.restype = None
696
734
697
735
bye = _library.gnutls_bye
698
736
bye.argtypes = [session_t, close_request_t]
699
737
bye.restype = _error_code
700
738
bye.errcheck = _retry_on_error
701
739
702
740
check_version = _library.gnutls_check_version
703
741
check_version.argtypes = [ctypes.c_char_p]
704
742
check_version.restype = ctypes.c_char_p
705
706
# All the function declarations below are from gnutls/openpgp.h
707
708
openpgp_crt_init = _library.gnutls_openpgp_crt_init
709
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
710
openpgp_crt_init.restype = _error_code
711
712
openpgp_crt_import = _library.gnutls_openpgp_crt_import
713
openpgp_crt_import.argtypes = [openpgp_crt_t,
714
ctypes.POINTER(datum_t),
715
openpgp_crt_fmt_t]
716
openpgp_crt_import.restype = _error_code
717
718
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
719
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
720
ctypes.POINTER(ctypes.c_uint)]
721
openpgp_crt_verify_self.restype = _error_code
722
723
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
724
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
725
openpgp_crt_deinit.restype = None
726
727
openpgp_crt_get_fingerprint = (
728
_library.gnutls_openpgp_crt_get_fingerprint)
729
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
730
ctypes.c_void_p,
731
ctypes.POINTER(
732
ctypes.c_size_t)]
733
openpgp_crt_get_fingerprint.restype = _error_code
734
743
744
_need_version = b"3.3.0"
745
if check_version(_need_version) is None:
746
raise self.Error("Needs GnuTLS {} or later"
747
.format(_need_version))
748
749
_tls_rawpk_version = b"3.6.6"
750
has_rawpk = bool(check_version(_tls_rawpk_version))
751
752
if has_rawpk:
753
# Types
754
class pubkey_st(ctypes.Structure):
755
_fields = []
756
pubkey_t = ctypes.POINTER(pubkey_st)
757
758
x509_crt_fmt_t = ctypes.c_int
759
760
# All the function declarations below are from gnutls/abstract.h
761
pubkey_init = _library.gnutls_pubkey_init
762
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
763
pubkey_init.restype = _error_code
764
765
pubkey_import = _library.gnutls_pubkey_import
766
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
767
x509_crt_fmt_t]
768
pubkey_import.restype = _error_code
769
770
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
771
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
772
ctypes.POINTER(ctypes.c_ubyte),
773
ctypes.POINTER(ctypes.c_size_t)]
774
pubkey_get_key_id.restype = _error_code
775
776
pubkey_deinit = _library.gnutls_pubkey_deinit
777
pubkey_deinit.argtypes = [pubkey_t]
778
pubkey_deinit.restype = None
779
else:
780
# All the function declarations below are from gnutls/openpgp.h
781
782
openpgp_crt_init = _library.gnutls_openpgp_crt_init
783
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
784
openpgp_crt_init.restype = _error_code
785
786
openpgp_crt_import = _library.gnutls_openpgp_crt_import
787
openpgp_crt_import.argtypes = [openpgp_crt_t,
788
ctypes.POINTER(datum_t),
789
openpgp_crt_fmt_t]
790
openpgp_crt_import.restype = _error_code
791
792
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
793
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
794
ctypes.POINTER(ctypes.c_uint)]
795
openpgp_crt_verify_self.restype = _error_code
796
797
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
798
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
799
openpgp_crt_deinit.restype = None
800
801
openpgp_crt_get_fingerprint = (
802
_library.gnutls_openpgp_crt_get_fingerprint)
803
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
804
ctypes.c_void_p,
805
ctypes.POINTER(
806
ctypes.c_size_t)]
807
openpgp_crt_get_fingerprint.restype = _error_code
808
809
if check_version(b"3.6.4"):
810
certificate_type_get2 = _library.gnutls_certificate_type_get2
811
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
812
certificate_type_get2.restype = _error_code
813
735
814
# Remove non-public functions
736
815
del _error_code, _retry_on_error
737
# Create the global "gnutls" object, simulating a module
738
gnutls = GnuTLS()
816
739
817
740
818
def call_pipe(connection, # : multiprocessing.Connection
741
819
func, *args, **kwargs):
742
820
"""This function is meant to be called by multiprocessing.Process
743
821
744
822
This function runs func(*args, **kwargs), and writes the resulting
745
823
return value on the provided multiprocessing.Connection.
746
824
"""
747
825
connection.send(func(*args, **kwargs))
748
826
connection.close()
749
827
750
class Client(object):
828
829
class Client:
751
830
"""A representation of a client host served by this server.
752
831
753
832
Attributes:
754
833
approved: bool(); 'None' if not yet approved/disapproved
755
834
approval_delay: datetime.timedelta(); Time to wait for approval
756
835
approval_duration: datetime.timedelta(); Duration of one approval
757
checker: subprocess.Popen(); a running checker process used
758
to see if the client lives.
759
'None' if no process is running.
760
checker_callback_tag: a GObject event source tag, or None
836
checker: multiprocessing.Process(); a running checker process used
837
to see if the client lives. 'None' if no process is
838
running.
839
checker_callback_tag: a GLib event source tag, or None
761
840
checker_command: string; External command which is run to check
762
841
if client lives. %() expansions are done at
763
842
runtime with vars(self) as dict, so that for
764
843
instance %(name)s can be used in the command.
765
checker_initiator_tag: a GObject event source tag, or None
844
checker_initiator_tag: a GLib event source tag, or None
766
845
created: datetime.datetime(); (UTC) object creation
767
846
client_structure: Object describing what attributes a client has
768
847
and is used for storing the client at exit
769
848
current_checker_command: string; current running checker_command
770
disable_initiator_tag: a GObject event source tag, or None
849
disable_initiator_tag: a GLib event source tag, or None
771
850
enabled: bool()
772
851
fingerprint: string (40 or 32 hexadecimal digits); used to
773
uniquely identify the client
852
uniquely identify an OpenPGP client
853
key_id: string (64 hexadecimal digits); used to uniquely identify
854
a client using raw public keys
774
855
host: string; available for use by the checker command
775
856
interval: datetime.timedelta(); How often to start a new checker
776
857
last_approval_request: datetime.datetime(); (UTC) or None
792
873
disabled, or None
793
874
server_settings: The server_settings dict from main()
794
875
"""
795
876
796
877
runtime_expansions = ("approval_delay", "approval_duration",
797
"created", "enabled", "expires",
878
"created", "enabled", "expires", "key_id",
798
879
"fingerprint", "host", "interval",
799
880
"last_approval_request", "last_checked_ok",
800
881
"last_enabled", "name", "timeout")
809
890
"approved_by_default": "True",
810
891
"enabled": "True",
811
892
}
812
893
813
894
@staticmethod
814
895
def config_parser(config):
815
896
"""Construct a new dict of client settings of this form:
822
903
for client_name in config.sections():
823
904
section = dict(config.items(client_name))
824
905
client = settings[client_name] = {}
825
906
826
907
client["host"] = section["host"]
827
908
# Reformat values from string types to Python types
828
909
client["approved_by_default"] = config.getboolean(
829
910
client_name, "approved_by_default")
830
911
client["enabled"] = config.getboolean(client_name,
831
912
"enabled")
832
833
# Uppercase and remove spaces from fingerprint for later
834
# comparison purposes with return value from the
835
# fingerprint() function
913
914
# Uppercase and remove spaces from key_id and fingerprint
915
# for later comparison purposes with return value from the
916
# key_id() and fingerprint() functions
917
client["key_id"] = (section.get("key_id", "").upper()
918
.replace(" ", ""))
836
919
client["fingerprint"] = (section["fingerprint"].upper()
837
920
.replace(" ", ""))
838
921
if "secret" in section:
859
942
client["last_approval_request"] = None
860
943
client["last_checked_ok"] = None
861
944
client["last_checker_status"] = -2
862
945
863
946
return settings
864
865
def __init__(self, settings, name = None, server_settings=None):
947
948
def __init__(self, settings, name=None, server_settings=None):
866
949
self.name = name
867
950
if server_settings is None:
868
951
server_settings = {}
870
953
# adding all client settings
871
954
for setting, value in settings.items():
872
955
setattr(self, setting, value)
873
956
874
957
if self.enabled:
875
958
if not hasattr(self, "last_enabled"):
876
959
self.last_enabled = datetime.datetime.utcnow()
880
963
else:
881
964
self.last_enabled = None
882
965
self.expires = None
883
966
884
967
logger.debug("Creating client %r", self.name)
968
logger.debug(" Key ID: %s", self.key_id)
885
969
logger.debug(" Fingerprint: %s", self.fingerprint)
886
970
self.created = settings.get("created",
887
971
datetime.datetime.utcnow())
888
972
889
973
# attributes specific for this server instance
890
974
self.checker = None
891
975
self.checker_initiator_tag = None
900
984
for attr in self.__dict__.keys()
901
985
if not attr.startswith("_")]
902
986
self.client_structure.append("client_structure")
903
987
904
988
for name, t in inspect.getmembers(
905
989
type(self), lambda obj: isinstance(obj, property)):
906
990
if not name.startswith("_"):
907
991
self.client_structure.append(name)
908
992
909
993
# Send notice to process children that client state has changed
910
994
def send_changedstate(self):
911
995
with self.changedstate:
912
996
self.changedstate.notify_all()
913
997
914
998
def enable(self):
915
999
"""Start this client's checker and timeout hooks"""
916
1000
if getattr(self, "enabled", False):
921
1005
self.last_enabled = datetime.datetime.utcnow()
922
1006
self.init_checker()
923
1007
self.send_changedstate()
924
1008
925
1009
def disable(self, quiet=True):
926
1010
"""Disable this client."""
927
1011
if not getattr(self, "enabled", False):
929
1013
if not quiet:
930
1014
logger.info("Disabling client %s", self.name)
931
1015
if getattr(self, "disable_initiator_tag", None) is not None:
932
GObject.source_remove(self.disable_initiator_tag)
1016
GLib.source_remove(self.disable_initiator_tag)
933
1017
self.disable_initiator_tag = None
934
1018
self.expires = None
935
1019
if getattr(self, "checker_initiator_tag", None) is not None:
936
GObject.source_remove(self.checker_initiator_tag)
1020
GLib.source_remove(self.checker_initiator_tag)
937
1021
self.checker_initiator_tag = None
938
1022
self.stop_checker()
939
1023
self.enabled = False
940
1024
if not quiet:
941
1025
self.send_changedstate()
942
# Do not run this again if called by a GObject.timeout_add
1026
# Do not run this again if called by a GLib.timeout_add
943
1027
return False
944
1028
945
1029
def __del__(self):
946
1030
self.disable()
947
1031
948
1032
def init_checker(self):
949
1033
# Schedule a new checker to be started an 'interval' from now,
950
1034
# and every interval from then on.
951
1035
if self.checker_initiator_tag is not None:
952
GObject.source_remove(self.checker_initiator_tag)
953
self.checker_initiator_tag = GObject.timeout_add(
1036
GLib.source_remove(self.checker_initiator_tag)
1037
self.checker_initiator_tag = GLib.timeout_add(
954
1038
int(self.interval.total_seconds() * 1000),
955
1039
self.start_checker)
956
1040
# Schedule a disable() when 'timeout' has passed
957
1041
if self.disable_initiator_tag is not None:
958
GObject.source_remove(self.disable_initiator_tag)
959
self.disable_initiator_tag = GObject.timeout_add(
1042
GLib.source_remove(self.disable_initiator_tag)
1043
self.disable_initiator_tag = GLib.timeout_add(
960
1044
int(self.timeout.total_seconds() * 1000), self.disable)
961
1045
# Also start a new checker *right now*.
962
1046
self.start_checker()
963
1047
964
1048
def checker_callback(self, source, condition, connection,
965
1049
command):
966
1050
"""The checker has completed, so take appropriate actions."""
967
self.checker_callback_tag = None
968
self.checker = None
969
1051
# Read return code from connection (see call_pipe)
970
1052
returncode = connection.recv()
971
1053
connection.close()
972
1054
if self.checker is not None:
1055
self.checker.join()
1056
self.checker_callback_tag = None
1057
self.checker = None
1058
973
1059
if returncode >= 0:
974
1060
self.last_checker_status = returncode
975
1061
self.last_checker_signal = None
985
1071
logger.warning("Checker for %(name)s crashed?",
986
1072
vars(self))
987
1073
return False
988
1074
989
1075
def checked_ok(self):
990
1076
"""Assert that the client has been seen, alive and well."""
991
1077
self.last_checked_ok = datetime.datetime.utcnow()
992
1078
self.last_checker_status = 0
993
1079
self.last_checker_signal = None
994
1080
self.bump_timeout()
995
1081
996
1082
def bump_timeout(self, timeout=None):
997
1083
"""Bump up the timeout for this client."""
998
1084
if timeout is None:
999
1085
timeout = self.timeout
1000
1086
if self.disable_initiator_tag is not None:
1001
GObject.source_remove(self.disable_initiator_tag)
1087
GLib.source_remove(self.disable_initiator_tag)
1002
1088
self.disable_initiator_tag = None
1003
1089
if getattr(self, "enabled", False):
1004
self.disable_initiator_tag = GObject.timeout_add(
1090
self.disable_initiator_tag = GLib.timeout_add(
1005
1091
int(timeout.total_seconds() * 1000), self.disable)
1006
1092
self.expires = datetime.datetime.utcnow() + timeout
1007
1093
1008
1094
def need_approval(self):
1009
1095
self.last_approval_request = datetime.datetime.utcnow()
1010
1096
1011
1097
def start_checker(self):
1012
1098
"""Start a new checker subprocess if one is not running.
1013
1099
1014
1100
If a checker already exists, leave it running and do
1015
1101
nothing."""
1016
1102
# The reason for not killing a running checker is that if we
1021
1107
# checkers alone, the checker would have to take more time
1022
1108
# than 'timeout' for the client to be disabled, which is as it
1023
1109
# should be.
1024
1110
1025
1111
if self.checker is not None and not self.checker.is_alive():
1026
1112
logger.warning("Checker was not alive; joining")
1027
1113
self.checker.join()
1031
1117
# Escape attributes for the shell
1032
1118
escaped_attrs = {
1033
1119
attr: re.escape(str(getattr(self, attr)))
1034
for attr in self.runtime_expansions }
1120
for attr in self.runtime_expansions}
1035
1121
try:
1036
1122
command = self.checker_command % escaped_attrs
1037
1123
except TypeError as error:
1049
1135
# The exception is when not debugging but nevertheless
1050
1136
# running in the foreground; use the previously
1051
1137
# created wnull.
1052
popen_args = { "close_fds": True,
1053
"shell": True,
1054
"cwd": "/" }
1138
popen_args = {"close_fds": True,
1139
"shell": True,
1140
"cwd": "/"}
1055
1141
if (not self.server_settings["debug"]
1056
1142
and self.server_settings["foreground"]):
1057
1143
popen_args.update({"stdout": wnull,
1058
"stderr": wnull })
1059
pipe = multiprocessing.Pipe(duplex = False)
1144
"stderr": wnull})
1145
pipe = multiprocessing.Pipe(duplex=False)
1060
1146
self.checker = multiprocessing.Process(
1061
target = call_pipe,
1062
args = (pipe[1], subprocess.call, command),
1063
kwargs = popen_args)
1147
target=call_pipe,
1148
args=(pipe[1], subprocess.call, command),
1149
kwargs=popen_args)
1064
1150
self.checker.start()
1065
self.checker_callback_tag = GObject.io_add_watch(
1066
pipe[0].fileno(), GObject.IO_IN,
1151
self.checker_callback_tag = GLib.io_add_watch(
1152
GLib.IOChannel.unix_new(pipe[0].fileno()),
1153
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1067
1154
self.checker_callback, pipe[0], command)
1068
# Re-run this periodically if run by GObject.timeout_add
1155
# Re-run this periodically if run by GLib.timeout_add
1069
1156
return True
1070
1157
1071
1158
def stop_checker(self):
1072
1159
"""Force the checker process, if any, to stop."""
1073
1160
if self.checker_callback_tag:
1074
GObject.source_remove(self.checker_callback_tag)
1161
GLib.source_remove(self.checker_callback_tag)
1075
1162
self.checker_callback_tag = None
1076
1163
if getattr(self, "checker", None) is None:
1077
1164
return
1086
1173
byte_arrays=False):
1087
1174
"""Decorators for marking methods of a DBusObjectWithProperties to
1088
1175
become properties on the D-Bus.
1089
1176
1090
1177
The decorated method will be called with no arguments by "Get"
1091
1178
and with one argument by "Set".
1092
1179
1093
1180
The parameters, where they are supported, are the same as
1094
1181
dbus.service.method, except there is only "signature", since the
1095
1182
type from Get() and the type sent to Set() is the same.
1099
1186
if byte_arrays and signature != "ay":
1100
1187
raise ValueError("Byte arrays not supported for non-'ay'"
1101
1188
" signature {!r}".format(signature))
1102
1189
1103
1190
def decorator(func):
1104
1191
func._dbus_is_property = True
1105
1192
func._dbus_interface = dbus_interface
1108
1195
func._dbus_name = func.__name__
1109
1196
if func._dbus_name.endswith("_dbus_property"):
1110
1197
func._dbus_name = func._dbus_name[:-14]
1111
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1198
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1112
1199
return func
1113
1200
1114
1201
return decorator
1115
1202
1116
1203
1117
1204
def dbus_interface_annotations(dbus_interface):
1118
1205
"""Decorator for marking functions returning interface annotations
1119
1206
1120
1207
Usage:
1121
1208
1122
1209
@dbus_interface_annotations("org.example.Interface")
1123
1210
def _foo(self): # Function name does not matter
1124
1211
return {"org.freedesktop.DBus.Deprecated": "true",
1125
1212
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1126
1213
"false"}
1127
1214
"""
1128
1215
1129
1216
def decorator(func):
1130
1217
func._dbus_is_interface = True
1131
1218
func._dbus_interface = dbus_interface
1132
1219
func._dbus_name = dbus_interface
1133
1220
return func
1134
1221
1135
1222
return decorator
1136
1223
1137
1224
1138
1225
def dbus_annotations(annotations):
1139
1226
"""Decorator to annotate D-Bus methods, signals or properties
1140
1227
Usage:
1141
1228
1142
1229
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1143
1230
"org.freedesktop.DBus.Property."
1144
1231
"EmitsChangedSignal": "false"})
1146
1233
access="r")
1147
1234
def Property_dbus_property(self):
1148
1235
return dbus.Boolean(False)
1149
1236
1150
1237
See also the DBusObjectWithAnnotations class.
1151
1238
"""
1152
1239
1153
1240
def decorator(func):
1154
1241
func._dbus_annotations = annotations
1155
1242
return func
1156
1243
1157
1244
return decorator
1158
1245
1159
1246
1177
1264
1178
1265
class DBusObjectWithAnnotations(dbus.service.Object):
1179
1266
"""A D-Bus object with annotations.
1180
1267
1181
1268
Classes inheriting from this can use the dbus_annotations
1182
1269
decorator to add annotations to methods or signals.
1183
1270
"""
1184
1271
1185
1272
@staticmethod
1186
1273
def _is_dbus_thing(thing):
1187
1274
"""Returns a function testing if an attribute is a D-Bus thing
1188
1275
1189
1276
If called like _is_dbus_thing("method") it returns a function
1190
1277
suitable for use as predicate to inspect.getmembers().
1191
1278
"""
1192
1279
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1193
1280
False)
1194
1281
1195
1282
def _get_all_dbus_things(self, thing):
1196
1283
"""Returns a generator of (name, attribute) pairs
1197
1284
"""
1200
1287
for cls in self.__class__.__mro__
1201
1288
for name, athing in
1202
1289
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1203
1290
1204
1291
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1205
out_signature = "s",
1206
path_keyword = 'object_path',
1207
connection_keyword = 'connection')
1292
out_signature="s",
1293
path_keyword='object_path',
1294
connection_keyword='connection')
1208
1295
def Introspect(self, object_path, connection):
1209
1296
"""Overloading of standard D-Bus method.
1210
1297
1211
1298
Inserts annotation tags on methods and signals.
1212
1299
"""
1213
1300
xmlstring = dbus.service.Object.Introspect(self, object_path,
1214
1301
connection)
1215
1302
try:
1216
1303
document = xml.dom.minidom.parseString(xmlstring)
1217
1304
1218
1305
for if_tag in document.getElementsByTagName("interface"):
1219
1306
# Add annotation tags
1220
1307
for typ in ("method", "signal"):
1247
1334
if_tag.appendChild(ann_tag)
1248
1335
# Fix argument name for the Introspect method itself
1249
1336
if (if_tag.getAttribute("name")
1250
== dbus.INTROSPECTABLE_IFACE):
1337
== dbus.INTROSPECTABLE_IFACE):
1251
1338
for cn in if_tag.getElementsByTagName("method"):
1252
1339
if cn.getAttribute("name") == "Introspect":
1253
1340
for arg in cn.getElementsByTagName("arg"):
1266
1353
1267
1354
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1268
1355
"""A D-Bus object with properties.
1269
1356
1270
1357
Classes inheriting from this can use the dbus_service_property
1271
1358
decorator to expose methods as D-Bus properties. It exposes the
1272
1359
standard Get(), Set(), and GetAll() methods on the D-Bus.
1273
1360
"""
1274
1361
1275
1362
def _get_dbus_property(self, interface_name, property_name):
1276
1363
"""Returns a bound method if one exists which is a D-Bus
1277
1364
property with the specified name and interface.
1282
1369
if (value._dbus_name == property_name
1283
1370
and value._dbus_interface == interface_name):
1284
1371
return value.__get__(self)
1285
1372
1286
1373
# No such property
1287
1374
raise DBusPropertyNotFound("{}:{}.{}".format(
1288
1375
self.dbus_object_path, interface_name, property_name))
1289
1376
1290
1377
@classmethod
1291
1378
def _get_all_interface_names(cls):
1292
1379
"""Get a sequence of all interfaces supported by an object"""
1295
1382
for x in (inspect.getmro(cls))
1296
1383
for attr in dir(x))
1297
1384
if name is not None)
1298
1385
1299
1386
@dbus.service.method(dbus.PROPERTIES_IFACE,
1300
1387
in_signature="ss",
1301
1388
out_signature="v")
1309
1396
if not hasattr(value, "variant_level"):
1310
1397
return value
1311
1398
return type(value)(value, variant_level=value.variant_level+1)
1312
1399
1313
1400
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1314
1401
def Set(self, interface_name, property_name, value):
1315
1402
"""Standard D-Bus property Set() method, see D-Bus standard.
1324
1411
raise ValueError("Byte arrays not supported for non-"
1325
1412
"'ay' signature {!r}"
1326
1413
.format(prop._dbus_signature))
1327
value = dbus.ByteArray(b''.join(chr(byte)
1328
for byte in value))
1414
value = dbus.ByteArray(bytes(value))
1329
1415
prop(value)
1330
1416
1331
1417
@dbus.service.method(dbus.PROPERTIES_IFACE,
1332
1418
in_signature="s",
1333
1419
out_signature="a{sv}")
1334
1420
def GetAll(self, interface_name):
1335
1421
"""Standard D-Bus property GetAll() method, see D-Bus
1336
1422
standard.
1337
1423
1338
1424
Note: Will not include properties with access="write".
1339
1425
"""
1340
1426
properties = {}
1351
1437
properties[name] = value
1352
1438
continue
1353
1439
properties[name] = type(value)(
1354
value, variant_level = value.variant_level + 1)
1440
value, variant_level=value.variant_level + 1)
1355
1441
return dbus.Dictionary(properties, signature="sv")
1356
1442
1357
1443
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1358
1444
def PropertiesChanged(self, interface_name, changed_properties,
1359
1445
invalidated_properties):
1361
1447
standard.
1362
1448
"""
1363
1449
pass
1364
1450
1365
1451
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1366
1452
out_signature="s",
1367
1453
path_keyword='object_path',
1368
1454
connection_keyword='connection')
1369
1455
def Introspect(self, object_path, connection):
1370
1456
"""Overloading of standard D-Bus method.
1371
1457
1372
1458
Inserts property tags and interface annotation tags.
1373
1459
"""
1374
1460
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1376
1462
connection)
1377
1463
try:
1378
1464
document = xml.dom.minidom.parseString(xmlstring)
1379
1465
1380
1466
def make_tag(document, name, prop):
1381
1467
e = document.createElement("property")
1382
1468
e.setAttribute("name", name)
1383
1469
e.setAttribute("type", prop._dbus_signature)
1384
1470
e.setAttribute("access", prop._dbus_access)
1385
1471
return e
1386
1472
1387
1473
for if_tag in document.getElementsByTagName("interface"):
1388
1474
# Add property tags
1389
1475
for tag in (make_tag(document, name, prop)
1431
1517
exc_info=error)
1432
1518
return xmlstring
1433
1519
1520
1434
1521
try:
1435
1522
dbus.OBJECT_MANAGER_IFACE
1436
1523
except AttributeError:
1437
1524
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1438
1525
1526
1439
1527
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1440
1528
"""A D-Bus object with an ObjectManager.
1441
1529
1442
1530
Classes inheriting from this exposes the standard
1443
1531
GetManagedObjects call and the InterfacesAdded and
1444
1532
InterfacesRemoved signals on the standard
1445
1533
"org.freedesktop.DBus.ObjectManager" interface.
1446
1534
1447
1535
Note: No signals are sent automatically; they must be sent
1448
1536
manually.
1449
1537
"""
1450
1538
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1451
out_signature = "a{oa{sa{sv}}}")
1539
out_signature="a{oa{sa{sv}}}")
1452
1540
def GetManagedObjects(self):
1453
1541
"""This function must be overridden"""
1454
1542
raise NotImplementedError()
1455
1543
1456
1544
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1457
signature = "oa{sa{sv}}")
1545
signature="oa{sa{sv}}")
1458
1546
def InterfacesAdded(self, object_path, interfaces_and_properties):
1459
1547
pass
1460
1461
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1548
1549
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1462
1550
def InterfacesRemoved(self, object_path, interfaces):
1463
1551
pass
1464
1552
1465
1553
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1466
out_signature = "s",
1467
path_keyword = 'object_path',
1468
connection_keyword = 'connection')
1554
out_signature="s",
1555
path_keyword='object_path',
1556
connection_keyword='connection')
1469
1557
def Introspect(self, object_path, connection):
1470
1558
"""Overloading of standard D-Bus method.
1471
1559
1472
1560
Override return argument name of GetManagedObjects to be
1473
1561
"objpath_interfaces_and_properties"
1474
1562
"""
1477
1565
connection)
1478
1566
try:
1479
1567
document = xml.dom.minidom.parseString(xmlstring)
1480
1568
1481
1569
for if_tag in document.getElementsByTagName("interface"):
1482
1570
# Fix argument name for the GetManagedObjects method
1483
1571
if (if_tag.getAttribute("name")
1484
== dbus.OBJECT_MANAGER_IFACE):
1572
== dbus.OBJECT_MANAGER_IFACE):
1485
1573
for cn in if_tag.getElementsByTagName("method"):
1486
1574
if (cn.getAttribute("name")
1487
1575
== "GetManagedObjects"):
1497
1585
except (AttributeError, xml.dom.DOMException,
1498
1586
xml.parsers.expat.ExpatError) as error:
1499
1587
logger.error("Failed to override Introspection method",
1500
exc_info = error)
1588
exc_info=error)
1501
1589
return xmlstring
1502
1590
1591
1503
1592
def datetime_to_dbus(dt, variant_level=0):
1504
1593
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1505
1594
if dt is None:
1506
return dbus.String("", variant_level = variant_level)
1595
return dbus.String("", variant_level=variant_level)
1507
1596
return dbus.String(dt.isoformat(), variant_level=variant_level)
1508
1597
1509
1598
1512
1601
dbus.service.Object, it will add alternate D-Bus attributes with
1513
1602
interface names according to the "alt_interface_names" mapping.
1514
1603
Usage:
1515
1604
1516
1605
@alternate_dbus_interfaces({"org.example.Interface":
1517
1606
"net.example.AlternateInterface"})
1518
1607
class SampleDBusObject(dbus.service.Object):
1519
1608
@dbus.service.method("org.example.Interface")
1520
1609
def SampleDBusMethod():
1521
1610
pass
1522
1611
1523
1612
The above "SampleDBusMethod" on "SampleDBusObject" will be
1524
1613
reachable via two interfaces: "org.example.Interface" and
1525
1614
"net.example.AlternateInterface", the latter of which will have
1526
1615
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1527
1616
"true", unless "deprecate" is passed with a False value.
1528
1617
1529
1618
This works for methods and signals, and also for D-Bus properties
1530
1619
(from DBusObjectWithProperties) and interfaces (from the
1531
1620
dbus_interface_annotations decorator).
1532
1621
"""
1533
1622
1534
1623
def wrapper(cls):
1535
1624
for orig_interface_name, alt_interface_name in (
1536
1625
alt_interface_names.items()):
1576
1665
attribute._dbus_annotations)
1577
1666
except AttributeError:
1578
1667
pass
1668
1579
1669
# Define a creator of a function to call both the
1580
1670
# original and alternate functions, so both the
1581
1671
# original and alternate signals gets sent when
1584
1674
"""This function is a scope container to pass
1585
1675
func1 and func2 to the "call_both" function
1586
1676
outside of its arguments"""
1587
1677
1588
1678
@functools.wraps(func2)
1589
1679
def call_both(*args, **kwargs):
1590
1680
"""This function will emit two D-Bus
1591
1681
signals by calling func1 and func2"""
1592
1682
func1(*args, **kwargs)
1593
1683
func2(*args, **kwargs)
1594
# Make wrapper function look like a D-Bus signal
1684
# Make wrapper function look like a D-Bus
1685
# signal
1595
1686
for name, attr in inspect.getmembers(func2):
1596
1687
if name.startswith("_dbus_"):
1597
1688
setattr(call_both, name, attr)
1598
1689
1599
1690
return call_both
1600
1691
# Create the "call_both" function and add it to
1601
1692
# the class
1647
1738
(copy_function(attribute)))
1648
1739
if deprecate:
1649
1740
# Deprecate all alternate interfaces
1650
iname="_AlternateDBusNames_interface_annotation{}"
1741
iname = "_AlternateDBusNames_interface_annotation{}"
1651
1742
for interface_name in interface_names:
1652
1743
1653
1744
@dbus_interface_annotations(interface_name)
1654
1745
def func(self):
1655
return { "org.freedesktop.DBus.Deprecated":
1656
"true" }
1746
return {"org.freedesktop.DBus.Deprecated":
1747
"true"}
1657
1748
# Find an unused name
1658
1749
for aname in (iname.format(i)
1659
1750
for i in itertools.count()):
1670
1761
cls = type("{}Alternate".format(cls.__name__),
1671
1762
(cls, ), attr)
1672
1763
return cls
1673
1764
1674
1765
return wrapper
1675
1766
1676
1767
1678
1769
"se.bsnet.fukt.Mandos"})
1679
1770
class ClientDBus(Client, DBusObjectWithProperties):
1680
1771
"""A Client class using D-Bus
1681
1772
1682
1773
Attributes:
1683
1774
dbus_object_path: dbus.ObjectPath
1684
1775
bus: dbus.SystemBus()
1685
1776
"""
1686
1777
1687
1778
runtime_expansions = (Client.runtime_expansions
1688
1779
+ ("dbus_object_path", ))
1689
1780
1690
1781
_interface = "se.recompile.Mandos.Client"
1691
1782
1692
1783
# dbus.service.Object doesn't use super(), so we can't either.
1693
1694
def __init__(self, bus = None, *args, **kwargs):
1784
1785
def __init__(self, bus=None, *args, **kwargs):
1695
1786
self.bus = bus
1696
1787
Client.__init__(self, *args, **kwargs)
1697
1788
# Only now, when this client is initialized, can it show up on
1703
1794
"/clients/" + client_object_name)
1704
1795
DBusObjectWithProperties.__init__(self, self.bus,
1705
1796
self.dbus_object_path)
1706
1797
1707
1798
def notifychangeproperty(transform_func, dbus_name,
1708
1799
type_func=lambda x: x,
1709
1800
variant_level=1,
1711
1802
_interface=_interface):
1712
1803
""" Modify a variable so that it's a property which announces
1713
1804
its changes to DBus.
1714
1805
1715
1806
transform_fun: Function that takes a value and a variant_level
1716
1807
and transforms it to a D-Bus type.
1717
1808
dbus_name: D-Bus name of the variable
1720
1811
variant_level: D-Bus variant level. Default: 1
1721
1812
"""
1722
1813
attrname = "_{}".format(dbus_name)
1723
1814
1724
1815
def setter(self, value):
1725
1816
if hasattr(self, "dbus_object_path"):
1726
1817
if (not hasattr(self, attrname) or
1733
1824
else:
1734
1825
dbus_value = transform_func(
1735
1826
type_func(value),
1736
variant_level = variant_level)
1827
variant_level=variant_level)
1737
1828
self.PropertyChanged(dbus.String(dbus_name),
1738
1829
dbus_value)
1739
1830
self.PropertiesChanged(
1740
1831
_interface,
1741
dbus.Dictionary({ dbus.String(dbus_name):
1742
dbus_value }),
1832
dbus.Dictionary({dbus.String(dbus_name):
1833
dbus_value}),
1743
1834
dbus.Array())
1744
1835
setattr(self, attrname, value)
1745
1836
1746
1837
return property(lambda self: getattr(self, attrname), setter)
1747
1838
1748
1839
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1749
1840
approvals_pending = notifychangeproperty(dbus.Boolean,
1750
1841
"ApprovalPending",
1751
type_func = bool)
1842
type_func=bool)
1752
1843
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1753
1844
last_enabled = notifychangeproperty(datetime_to_dbus,
1754
1845
"LastEnabled")
1755
1846
checker = notifychangeproperty(
1756
1847
dbus.Boolean, "CheckerRunning",
1757
type_func = lambda checker: checker is not None)
1848
type_func=lambda checker: checker is not None)
1758
1849
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1759
1850
"LastCheckedOK")
1760
1851
last_checker_status = notifychangeproperty(dbus.Int16,
1765
1856
"ApprovedByDefault")
1766
1857
approval_delay = notifychangeproperty(
1767
1858
dbus.UInt64, "ApprovalDelay",
1768
type_func = lambda td: td.total_seconds() * 1000)
1859
type_func=lambda td: td.total_seconds() * 1000)
1769
1860
approval_duration = notifychangeproperty(
1770
1861
dbus.UInt64, "ApprovalDuration",
1771
type_func = lambda td: td.total_seconds() * 1000)
1862
type_func=lambda td: td.total_seconds() * 1000)
1772
1863
host = notifychangeproperty(dbus.String, "Host")
1773
1864
timeout = notifychangeproperty(
1774
1865
dbus.UInt64, "Timeout",
1775
type_func = lambda td: td.total_seconds() * 1000)
1866
type_func=lambda td: td.total_seconds() * 1000)
1776
1867
extended_timeout = notifychangeproperty(
1777
1868
dbus.UInt64, "ExtendedTimeout",
1778
type_func = lambda td: td.total_seconds() * 1000)
1869
type_func=lambda td: td.total_seconds() * 1000)
1779
1870
interval = notifychangeproperty(
1780
1871
dbus.UInt64, "Interval",
1781
type_func = lambda td: td.total_seconds() * 1000)
1872
type_func=lambda td: td.total_seconds() * 1000)
1782
1873
checker_command = notifychangeproperty(dbus.String, "Checker")
1783
1874
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1784
1875
invalidate_only=True)
1785
1876
1786
1877
del notifychangeproperty
1787
1878
1788
1879
def __del__(self, *args, **kwargs):
1789
1880
try:
1790
1881
self.remove_from_connection()
1793
1884
if hasattr(DBusObjectWithProperties, "__del__"):
1794
1885
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1795
1886
Client.__del__(self, *args, **kwargs)
1796
1887
1797
1888
def checker_callback(self, source, condition,
1798
1889
connection, command, *args, **kwargs):
1799
1890
ret = Client.checker_callback(self, source, condition,
1815
1906
| self.last_checker_signal),
1816
1907
dbus.String(command))
1817
1908
return ret
1818
1909
1819
1910
def start_checker(self, *args, **kwargs):
1820
1911
old_checker_pid = getattr(self.checker, "pid", None)
1821
1912
r = Client.start_checker(self, *args, **kwargs)
1825
1916
# Emit D-Bus signal
1826
1917
self.CheckerStarted(self.current_checker_command)
1827
1918
return r
1828
1919
1829
1920
def _reset_approved(self):
1830
1921
self.approved = None
1831
1922
return False
1832
1923
1833
1924
def approve(self, value=True):
1834
1925
self.approved = value
1835
GObject.timeout_add(int(self.approval_duration.total_seconds()
1836
* 1000), self._reset_approved)
1926
GLib.timeout_add(int(self.approval_duration.total_seconds()
1927
* 1000), self._reset_approved)
1837
1928
self.send_changedstate()
1838
1839
## D-Bus methods, signals & properties
1840
1841
## Interfaces
1842
1843
## Signals
1844
1929
1930
# D-Bus methods, signals & properties
1931
1932
# Interfaces
1933
1934
# Signals
1935
1845
1936
# CheckerCompleted - signal
1846
1937
@dbus.service.signal(_interface, signature="nxs")
1847
1938
def CheckerCompleted(self, exitcode, waitstatus, command):
1848
1939
"D-Bus signal"
1849
1940
pass
1850
1941
1851
1942
# CheckerStarted - signal
1852
1943
@dbus.service.signal(_interface, signature="s")
1853
1944
def CheckerStarted(self, command):
1854
1945
"D-Bus signal"
1855
1946
pass
1856
1947
1857
1948
# PropertyChanged - signal
1858
1949
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1859
1950
@dbus.service.signal(_interface, signature="sv")
1860
1951
def PropertyChanged(self, property, value):
1861
1952
"D-Bus signal"
1862
1953
pass
1863
1954
1864
1955
# GotSecret - signal
1865
1956
@dbus.service.signal(_interface)
1866
1957
def GotSecret(self):
1869
1960
server to mandos-client
1870
1961
"""
1871
1962
pass
1872
1963
1873
1964
# Rejected - signal
1874
1965
@dbus.service.signal(_interface, signature="s")
1875
1966
def Rejected(self, reason):
1876
1967
"D-Bus signal"
1877
1968
pass
1878
1969
1879
1970
# NeedApproval - signal
1880
1971
@dbus.service.signal(_interface, signature="tb")
1881
1972
def NeedApproval(self, timeout, default):
1882
1973
"D-Bus signal"
1883
1974
return self.need_approval()
1884
1885
## Methods
1886
1975
1976
# Methods
1977
1887
1978
# Approve - method
1888
1979
@dbus.service.method(_interface, in_signature="b")
1889
1980
def Approve(self, value):
1890
1981
self.approve(value)
1891
1982
1892
1983
# CheckedOK - method
1893
1984
@dbus.service.method(_interface)
1894
1985
def CheckedOK(self):
1895
1986
self.checked_ok()
1896
1987
1897
1988
# Enable - method
1898
1989
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1899
1990
@dbus.service.method(_interface)
1900
1991
def Enable(self):
1901
1992
"D-Bus method"
1902
1993
self.enable()
1903
1994
1904
1995
# StartChecker - method
1905
1996
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1906
1997
@dbus.service.method(_interface)
1907
1998
def StartChecker(self):
1908
1999
"D-Bus method"
1909
2000
self.start_checker()
1910
2001
1911
2002
# Disable - method
1912
2003
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1913
2004
@dbus.service.method(_interface)
1914
2005
def Disable(self):
1915
2006
"D-Bus method"
1916
2007
self.disable()
1917
2008
1918
2009
# StopChecker - method
1919
2010
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1920
2011
@dbus.service.method(_interface)
1921
2012
def StopChecker(self):
1922
2013
self.stop_checker()
1923
1924
## Properties
1925
2014
2015
# Properties
2016
1926
2017
# ApprovalPending - property
1927
2018
@dbus_service_property(_interface, signature="b", access="read")
1928
2019
def ApprovalPending_dbus_property(self):
1929
2020
return dbus.Boolean(bool(self.approvals_pending))
1930
2021
1931
2022
# ApprovedByDefault - property
1932
2023
@dbus_service_property(_interface,
1933
2024
signature="b",
1936
2027
if value is None: # get
1937
2028
return dbus.Boolean(self.approved_by_default)
1938
2029
self.approved_by_default = bool(value)
1939
2030
1940
2031
# ApprovalDelay - property
1941
2032
@dbus_service_property(_interface,
1942
2033
signature="t",
1946
2037
return dbus.UInt64(self.approval_delay.total_seconds()
1947
2038
* 1000)
1948
2039
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1949
2040
1950
2041
# ApprovalDuration - property
1951
2042
@dbus_service_property(_interface,
1952
2043
signature="t",
1956
2047
return dbus.UInt64(self.approval_duration.total_seconds()
1957
2048
* 1000)
1958
2049
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1959
2050
1960
2051
# Name - property
1961
2052
@dbus_annotations(
1962
2053
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1963
2054
@dbus_service_property(_interface, signature="s", access="read")
1964
2055
def Name_dbus_property(self):
1965
2056
return dbus.String(self.name)
1966
2057
2058
# KeyID - property
2059
@dbus_annotations(
2060
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2061
@dbus_service_property(_interface, signature="s", access="read")
2062
def KeyID_dbus_property(self):
2063
return dbus.String(self.key_id)
2064
1967
2065
# Fingerprint - property
1968
2066
@dbus_annotations(
1969
2067
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1970
2068
@dbus_service_property(_interface, signature="s", access="read")
1971
2069
def Fingerprint_dbus_property(self):
1972
2070
return dbus.String(self.fingerprint)
1973
2071
1974
2072
# Host - property
1975
2073
@dbus_service_property(_interface,
1976
2074
signature="s",
1979
2077
if value is None: # get
1980
2078
return dbus.String(self.host)
1981
2079
self.host = str(value)
1982
2080
1983
2081
# Created - property
1984
2082
@dbus_annotations(
1985
2083
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1986
2084
@dbus_service_property(_interface, signature="s", access="read")
1987
2085
def Created_dbus_property(self):
1988
2086
return datetime_to_dbus(self.created)
1989
2087
1990
2088
# LastEnabled - property
1991
2089
@dbus_service_property(_interface, signature="s", access="read")
1992
2090
def LastEnabled_dbus_property(self):
1993
2091
return datetime_to_dbus(self.last_enabled)
1994
2092
1995
2093
# Enabled - property
1996
2094
@dbus_service_property(_interface,
1997
2095
signature="b",
2003
2101
self.enable()
2004
2102
else:
2005
2103
self.disable()
2006
2104
2007
2105
# LastCheckedOK - property
2008
2106
@dbus_service_property(_interface,
2009
2107
signature="s",
2013
2111
self.checked_ok()
2014
2112
return
2015
2113
return datetime_to_dbus(self.last_checked_ok)
2016
2114
2017
2115
# LastCheckerStatus - property
2018
2116
@dbus_service_property(_interface, signature="n", access="read")
2019
2117
def LastCheckerStatus_dbus_property(self):
2020
2118
return dbus.Int16(self.last_checker_status)
2021
2119
2022
2120
# Expires - property
2023
2121
@dbus_service_property(_interface, signature="s", access="read")
2024
2122
def Expires_dbus_property(self):
2025
2123
return datetime_to_dbus(self.expires)
2026
2124
2027
2125
# LastApprovalRequest - property
2028
2126
@dbus_service_property(_interface, signature="s", access="read")
2029
2127
def LastApprovalRequest_dbus_property(self):
2030
2128
return datetime_to_dbus(self.last_approval_request)
2031
2129
2032
2130
# Timeout - property
2033
2131
@dbus_service_property(_interface,
2034
2132
signature="t",
2049
2147
if (getattr(self, "disable_initiator_tag", None)
2050
2148
is None):
2051
2149
return
2052
GObject.source_remove(self.disable_initiator_tag)
2053
self.disable_initiator_tag = GObject.timeout_add(
2150
GLib.source_remove(self.disable_initiator_tag)
2151
self.disable_initiator_tag = GLib.timeout_add(
2054
2152
int((self.expires - now).total_seconds() * 1000),
2055
2153
self.disable)
2056
2154
2057
2155
# ExtendedTimeout - property
2058
2156
@dbus_service_property(_interface,
2059
2157
signature="t",
2063
2161
return dbus.UInt64(self.extended_timeout.total_seconds()
2064
2162
* 1000)
2065
2163
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2066
2164
2067
2165
# Interval - property
2068
2166
@dbus_service_property(_interface,
2069
2167
signature="t",
2076
2174
return
2077
2175
if self.enabled:
2078
2176
# Reschedule checker run
2079
GObject.source_remove(self.checker_initiator_tag)
2080
self.checker_initiator_tag = GObject.timeout_add(
2177
GLib.source_remove(self.checker_initiator_tag)
2178
self.checker_initiator_tag = GLib.timeout_add(
2081
2179
value, self.start_checker)
2082
self.start_checker() # Start one now, too
2083
2180
self.start_checker() # Start one now, too
2181
2084
2182
# Checker - property
2085
2183
@dbus_service_property(_interface,
2086
2184
signature="s",
2089
2187
if value is None: # get
2090
2188
return dbus.String(self.checker_command)
2091
2189
self.checker_command = str(value)
2092
2190
2093
2191
# CheckerRunning - property
2094
2192
@dbus_service_property(_interface,
2095
2193
signature="b",
2101
2199
self.start_checker()
2102
2200
else:
2103
2201
self.stop_checker()
2104
2202
2105
2203
# ObjectPath - property
2106
2204
@dbus_annotations(
2107
2205
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2108
2206
"org.freedesktop.DBus.Deprecated": "true"})
2109
2207
@dbus_service_property(_interface, signature="o", access="read")
2110
2208
def ObjectPath_dbus_property(self):
2111
return self.dbus_object_path # is already a dbus.ObjectPath
2112
2209
return self.dbus_object_path # is already a dbus.ObjectPath
2210
2113
2211
# Secret = property
2114
2212
@dbus_annotations(
2115
2213
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2120
2218
byte_arrays=True)
2121
2219
def Secret_dbus_property(self, value):
2122
2220
self.secret = bytes(value)
2123
2221
2124
2222
del _interface
2125
2223
2126
2224
2127
class ProxyClient(object):
2128
def __init__(self, child_pipe, fpr, address):
2225
class ProxyClient:
2226
def __init__(self, child_pipe, key_id, fpr, address):
2129
2227
self._pipe = child_pipe
2130
self._pipe.send(('init', fpr, address))
2228
self._pipe.send(('init', key_id, fpr, address))
2131
2229
if not self._pipe.recv():
2132
raise KeyError(fpr)
2133
2230
raise KeyError(key_id or fpr)
2231
2134
2232
def __getattribute__(self, name):
2135
2233
if name == '_pipe':
2136
2234
return super(ProxyClient, self).__getattribute__(name)
2139
2237
if data[0] == 'data':
2140
2238
return data[1]
2141
2239
if data[0] == 'function':
2142
2240
2143
2241
def func(*args, **kwargs):
2144
2242
self._pipe.send(('funcall', name, args, kwargs))
2145
2243
return self._pipe.recv()[1]
2146
2244
2147
2245
return func
2148
2246
2149
2247
def __setattr__(self, name, value):
2150
2248
if name == '_pipe':
2151
2249
return super(ProxyClient, self).__setattr__(name, value)
2154
2252
2155
2253
class ClientHandler(socketserver.BaseRequestHandler, object):
2156
2254
"""A class to handle client connections.
2157
2255
2158
2256
Instantiated once for each connection to handle it.
2159
2257
Note: This will run in its own forked process."""
2160
2258
2161
2259
def handle(self):
2162
2260
with contextlib.closing(self.server.child_pipe) as child_pipe:
2163
2261
logger.info("TCP connection from: %s",
2164
2262
str(self.client_address))
2165
2263
logger.debug("Pipe FD: %d",
2166
2264
self.server.child_pipe.fileno())
2167
2265
2168
2266
session = gnutls.ClientSession(self.request)
2169
2170
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2171
# "+AES-256-CBC", "+SHA1",
2172
# "+COMP-NULL", "+CTYPE-OPENPGP",
2173
# "+DHE-DSS"))
2267
2268
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2269
# "+AES-256-CBC", "+SHA1",
2270
# "+COMP-NULL", "+CTYPE-OPENPGP",
2271
# "+DHE-DSS"))
2174
2272
# Use a fallback default, since this MUST be set.
2175
2273
priority = self.server.gnutls_priority
2176
2274
if priority is None:
2177
2275
priority = "NORMAL"
2178
gnutls.priority_set_direct(session._c_object, priority,
2276
gnutls.priority_set_direct(session._c_object,
2277
priority.encode("utf-8"),
2179
2278
None)
2180
2279
2181
2280
# Start communication using the Mandos protocol
2182
2281
# Get protocol number
2183
2282
line = self.request.makefile().readline()
2188
2287
except (ValueError, IndexError, RuntimeError) as error:
2189
2288
logger.error("Unknown protocol version: %s", error)
2190
2289
return
2191
2290
2192
2291
# Start GnuTLS connection
2193
2292
try:
2194
2293
session.handshake()
2198
2297
# established. Just abandon the request.
2199
2298
return
2200
2299
logger.debug("Handshake succeeded")
2201
2300
2202
2301
approval_required = False
2203
2302
try:
2204
try:
2205
fpr = self.fingerprint(
2206
self.peer_certificate(session))
2207
except (TypeError, gnutls.Error) as error:
2208
logger.warning("Bad certificate: %s", error)
2209
return
2210
logger.debug("Fingerprint: %s", fpr)
2211
2212
try:
2213
client = ProxyClient(child_pipe, fpr,
2303
if gnutls.has_rawpk:
2304
fpr = b""
2305
try:
2306
key_id = self.key_id(
2307
self.peer_certificate(session))
2308
except (TypeError, gnutls.Error) as error:
2309
logger.warning("Bad certificate: %s", error)
2310
return
2311
logger.debug("Key ID: %s", key_id)
2312
2313
else:
2314
key_id = b""
2315
try:
2316
fpr = self.fingerprint(
2317
self.peer_certificate(session))
2318
except (TypeError, gnutls.Error) as error:
2319
logger.warning("Bad certificate: %s", error)
2320
return
2321
logger.debug("Fingerprint: %s", fpr)
2322
2323
try:
2324
client = ProxyClient(child_pipe, key_id, fpr,
2214
2325
self.client_address)
2215
2326
except KeyError:
2216
2327
return
2217
2328
2218
2329
if client.approval_delay:
2219
2330
delay = client.approval_delay
2220
2331
client.approvals_pending += 1
2221
2332
approval_required = True
2222
2333
2223
2334
while True:
2224
2335
if not client.enabled:
2225
2336
logger.info("Client %s is disabled",
2228
2339
# Emit D-Bus signal
2229
2340
client.Rejected("Disabled")
2230
2341
return
2231
2342
2232
2343
if client.approved or not client.approval_delay:
2233
#We are approved or approval is disabled
2344
# We are approved or approval is disabled
2234
2345
break
2235
2346
elif client.approved is None:
2236
2347
logger.info("Client %s needs approval",
2247
2358
# Emit D-Bus signal
2248
2359
client.Rejected("Denied")
2249
2360
return
2250
2251
#wait until timeout or approved
2361
2362
# wait until timeout or approved
2252
2363
time = datetime.datetime.now()
2253
2364
client.changedstate.acquire()
2254
2365
client.changedstate.wait(delay.total_seconds())
2267
2378
break
2268
2379
else:
2269
2380
delay -= time2 - time
2270
2381
2271
2382
try:
2272
2383
session.send(client.secret)
2273
2384
except gnutls.Error as error:
2274
2385
logger.warning("gnutls send failed",
2275
exc_info = error)
2386
exc_info=error)
2276
2387
return
2277
2388
2278
2389
logger.info("Sending secret to %s", client.name)
2279
2390
# bump the timeout using extended_timeout
2280
2391
client.bump_timeout(client.extended_timeout)
2281
2392
if self.server.use_dbus:
2282
2393
# Emit D-Bus signal
2283
2394
client.GotSecret()
2284
2395
2285
2396
finally:
2286
2397
if approval_required:
2287
2398
client.approvals_pending -= 1
2290
2401
except gnutls.Error as error:
2291
2402
logger.warning("GnuTLS bye failed",
2292
2403
exc_info=error)
2293
2404
2294
2405
@staticmethod
2295
2406
def peer_certificate(session):
2296
"Return the peer's OpenPGP certificate as a bytestring"
2297
# If not an OpenPGP certificate...
2298
if (gnutls.certificate_type_get(session._c_object)
2299
!= gnutls.CRT_OPENPGP):
2407
"Return the peer's certificate as a bytestring"
2408
try:
2409
cert_type = gnutls.certificate_type_get2(session._c_object,
2410
gnutls.CTYPE_PEERS)
2411
except AttributeError:
2412
cert_type = gnutls.certificate_type_get(session._c_object)
2413
if gnutls.has_rawpk:
2414
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2415
else:
2416
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2417
# If not a valid certificate type...
2418
if cert_type not in valid_cert_types:
2419
logger.info("Cert type %r not in %r", cert_type,
2420
valid_cert_types)
2300
2421
# ...return invalid data
2301
2422
return b""
2302
2423
list_size = ctypes.c_uint(1)
2308
2429
return None
2309
2430
cert = cert_list[0]
2310
2431
return ctypes.string_at(cert.data, cert.size)
2311
2432
2433
@staticmethod
2434
def key_id(certificate):
2435
"Convert a certificate bytestring to a hexdigit key ID"
2436
# New GnuTLS "datum" with the public key
2437
datum = gnutls.datum_t(
2438
ctypes.cast(ctypes.c_char_p(certificate),
2439
ctypes.POINTER(ctypes.c_ubyte)),
2440
ctypes.c_uint(len(certificate)))
2441
# XXX all these need to be created in the gnutls "module"
2442
# New empty GnuTLS certificate
2443
pubkey = gnutls.pubkey_t()
2444
gnutls.pubkey_init(ctypes.byref(pubkey))
2445
# Import the raw public key into the certificate
2446
gnutls.pubkey_import(pubkey,
2447
ctypes.byref(datum),
2448
gnutls.X509_FMT_DER)
2449
# New buffer for the key ID
2450
buf = ctypes.create_string_buffer(32)
2451
buf_len = ctypes.c_size_t(len(buf))
2452
# Get the key ID from the raw public key into the buffer
2453
gnutls.pubkey_get_key_id(pubkey,
2454
gnutls.KEYID_USE_SHA256,
2455
ctypes.cast(ctypes.byref(buf),
2456
ctypes.POINTER(ctypes.c_ubyte)),
2457
ctypes.byref(buf_len))
2458
# Deinit the certificate
2459
gnutls.pubkey_deinit(pubkey)
2460
2461
# Convert the buffer to a Python bytestring
2462
key_id = ctypes.string_at(buf, buf_len.value)
2463
# Convert the bytestring to hexadecimal notation
2464
hex_key_id = binascii.hexlify(key_id).upper()
2465
return hex_key_id
2466
2312
2467
@staticmethod
2313
2468
def fingerprint(openpgp):
2314
2469
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2329
2484
ctypes.byref(crtverify))
2330
2485
if crtverify.value != 0:
2331
2486
gnutls.openpgp_crt_deinit(crt)
2332
raise gnutls.CertificateSecurityError("Verify failed")
2487
raise gnutls.CertificateSecurityError(code
2488
=crtverify.value)
2333
2489
# New buffer for the fingerprint
2334
2490
buf = ctypes.create_string_buffer(20)
2335
2491
buf_len = ctypes.c_size_t()
2345
2501
return hex_fpr
2346
2502
2347
2503
2348
class MultiprocessingMixIn(object):
2504
class MultiprocessingMixIn:
2349
2505
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2350
2506
2351
2507
def sub_process_main(self, request, address):
2352
2508
try:
2353
2509
self.finish_request(request, address)
2354
2510
except Exception:
2355
2511
self.handle_error(request, address)
2356
2512
self.close_request(request)
2357
2513
2358
2514
def process_request(self, request, address):
2359
2515
"""Start a new process to process the request."""
2360
proc = multiprocessing.Process(target = self.sub_process_main,
2361
args = (request, address))
2516
proc = multiprocessing.Process(target=self.sub_process_main,
2517
args=(request, address))
2362
2518
proc.start()
2363
2519
return proc
2364
2520
2365
2521
2366
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2522
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2367
2523
""" adds a pipe to the MixIn """
2368
2524
2369
2525
def process_request(self, request, client_address):
2370
2526
"""Overrides and wraps the original process_request().
2371
2527
2372
2528
This function creates a new pipe in self.pipe
2373
2529
"""
2374
2530
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2375
2531
2376
2532
proc = MultiprocessingMixIn.process_request(self, request,
2377
2533
client_address)
2378
2534
self.child_pipe.close()
2379
2535
self.add_pipe(parent_pipe, proc)
2380
2536
2381
2537
def add_pipe(self, parent_pipe, proc):
2382
2538
"""Dummy function; override as necessary"""
2383
2539
raise NotImplementedError()
2384
2540
2385
2541
2386
2542
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2387
socketserver.TCPServer, object):
2543
socketserver.TCPServer):
2388
2544
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2389
2545
2390
2546
Attributes:
2391
2547
enabled: Boolean; whether this server is activated yet
2392
2548
interface: None or a network interface name (string)
2393
2549
use_ipv6: Boolean; to use IPv6 or not
2394
2550
"""
2395
2551
2396
2552
def __init__(self, server_address, RequestHandlerClass,
2397
2553
interface=None,
2398
2554
use_ipv6=True,
2408
2564
self.socketfd = socketfd
2409
2565
# Save the original socket.socket() function
2410
2566
self.socket_socket = socket.socket
2567
2411
2568
# To implement --socket, we monkey patch socket.socket.
2412
#
2569
#
2413
2570
# (When socketserver.TCPServer is a new-style class, we
2414
2571
# could make self.socket into a property instead of monkey
2415
2572
# patching socket.socket.)
2416
#
2573
#
2417
2574
# Create a one-time-only replacement for socket.socket()
2418
2575
@functools.wraps(socket.socket)
2419
2576
def socket_wrapper(*args, **kwargs):
2431
2588
# socket_wrapper(), if socketfd was set.
2432
2589
socketserver.TCPServer.__init__(self, server_address,
2433
2590
RequestHandlerClass)
2434
2591
2435
2592
def server_bind(self):
2436
2593
"""This overrides the normal server_bind() function
2437
2594
to bind to an interface if one was specified, and also NOT to
2438
2595
bind to an address or port if they were not specified."""
2596
global SO_BINDTODEVICE
2439
2597
if self.interface is not None:
2440
2598
if SO_BINDTODEVICE is None:
2441
logger.error("SO_BINDTODEVICE does not exist;"
2442
" cannot bind to interface %s",
2443
self.interface)
2444
else:
2445
try:
2446
self.socket.setsockopt(
2447
socket.SOL_SOCKET, SO_BINDTODEVICE,
2448
(self.interface + "\0").encode("utf-8"))
2449
except socket.error as error:
2450
if error.errno == errno.EPERM:
2451
logger.error("No permission to bind to"
2452
" interface %s", self.interface)
2453
elif error.errno == errno.ENOPROTOOPT:
2454
logger.error("SO_BINDTODEVICE not available;"
2455
" cannot bind to interface %s",
2456
self.interface)
2457
elif error.errno == errno.ENODEV:
2458
logger.error("Interface %s does not exist,"
2459
" cannot bind", self.interface)
2460
else:
2461
raise
2599
# Fall back to a hard-coded value which seems to be
2600
# common enough.
2601
logger.warning("SO_BINDTODEVICE not found, trying 25")
2602
SO_BINDTODEVICE = 25
2603
try:
2604
self.socket.setsockopt(
2605
socket.SOL_SOCKET, SO_BINDTODEVICE,
2606
(self.interface + "\0").encode("utf-8"))
2607
except socket.error as error:
2608
if error.errno == errno.EPERM:
2609
logger.error("No permission to bind to"
2610
" interface %s", self.interface)
2611
elif error.errno == errno.ENOPROTOOPT:
2612
logger.error("SO_BINDTODEVICE not available;"
2613
" cannot bind to interface %s",
2614
self.interface)
2615
elif error.errno == errno.ENODEV:
2616
logger.error("Interface %s does not exist,"
2617
" cannot bind", self.interface)
2618
else:
2619
raise
2462
2620
# Only bind(2) the socket if we really need to.
2463
2621
if self.server_address[0] or self.server_address[1]:
2622
if self.server_address[1]:
2623
self.allow_reuse_address = True
2464
2624
if not self.server_address[0]:
2465
2625
if self.address_family == socket.AF_INET6:
2466
any_address = "::" # in6addr_any
2626
any_address = "::" # in6addr_any
2467
2627
else:
2468
any_address = "0.0.0.0" # INADDR_ANY
2628
any_address = "0.0.0.0" # INADDR_ANY
2469
2629
self.server_address = (any_address,
2470
2630
self.server_address[1])
2471
2631
elif not self.server_address[1]:
2481
2641
2482
2642
class MandosServer(IPv6_TCPServer):
2483
2643
"""Mandos server.
2484
2644
2485
2645
Attributes:
2486
2646
clients: set of Client objects
2487
2647
gnutls_priority GnuTLS priority string
2488
2648
use_dbus: Boolean; to emit D-Bus signals or not
2489
2490
Assumes a GObject.MainLoop event loop.
2649
2650
Assumes a GLib.MainLoop event loop.
2491
2651
"""
2492
2652
2493
2653
def __init__(self, server_address, RequestHandlerClass,
2494
2654
interface=None,
2495
2655
use_ipv6=True,
2505
2665
self.gnutls_priority = gnutls_priority
2506
2666
IPv6_TCPServer.__init__(self, server_address,
2507
2667
RequestHandlerClass,
2508
interface = interface,
2509
use_ipv6 = use_ipv6,
2510
socketfd = socketfd)
2511
2668
interface=interface,
2669
use_ipv6=use_ipv6,
2670
socketfd=socketfd)
2671
2512
2672
def server_activate(self):
2513
2673
if self.enabled:
2514
2674
return socketserver.TCPServer.server_activate(self)
2515
2675
2516
2676
def enable(self):
2517
2677
self.enabled = True
2518
2678
2519
2679
def add_pipe(self, parent_pipe, proc):
2520
2680
# Call "handle_ipc" for both data and EOF events
2521
GObject.io_add_watch(
2522
parent_pipe.fileno(),
2523
GObject.IO_IN | GObject.IO_HUP,
2681
GLib.io_add_watch(
2682
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2683
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2524
2684
functools.partial(self.handle_ipc,
2525
parent_pipe = parent_pipe,
2526
proc = proc))
2527
2685
parent_pipe=parent_pipe,
2686
proc=proc))
2687
2528
2688
def handle_ipc(self, source, condition,
2529
2689
parent_pipe=None,
2530
proc = None,
2690
proc=None,
2531
2691
client_object=None):
2532
2692
# error, or the other end of multiprocessing.Pipe has closed
2533
if condition & (GObject.IO_ERR | GObject.IO_HUP):
2693
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2534
2694
# Wait for other process to exit
2535
2695
proc.join()
2536
2696
return False
2537
2697
2538
2698
# Read a request from the child
2539
2699
request = parent_pipe.recv()
2540
2700
command = request[0]
2541
2701
2542
2702
if command == 'init':
2543
fpr = request[1]
2544
address = request[2]
2545
2703
key_id = request[1].decode("ascii")
2704
fpr = request[2].decode("ascii")
2705
address = request[3]
2706
2546
2707
for c in self.clients.values():
2547
if c.fingerprint == fpr:
2708
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2709
continue
2710
if key_id and c.key_id == key_id:
2711
client = c
2712
break
2713
if fpr and c.fingerprint == fpr:
2548
2714
client = c
2549
2715
break
2550
2716
else:
2551
logger.info("Client not found for fingerprint: %s, ad"
2552
"dress: %s", fpr, address)
2717
logger.info("Client not found for key ID: %s, address"
2718
": %s", key_id or fpr, address)
2553
2719
if self.use_dbus:
2554
2720
# Emit D-Bus signal
2555
mandos_dbus_service.ClientNotFound(fpr,
2721
mandos_dbus_service.ClientNotFound(key_id or fpr,
2556
2722
address[0])
2557
2723
parent_pipe.send(False)
2558
2724
return False
2559
2560
GObject.io_add_watch(
2561
parent_pipe.fileno(),
2562
GObject.IO_IN | GObject.IO_HUP,
2725
2726
GLib.io_add_watch(
2727
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2728
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2563
2729
functools.partial(self.handle_ipc,
2564
parent_pipe = parent_pipe,
2565
proc = proc,
2566
client_object = client))
2730
parent_pipe=parent_pipe,
2731
proc=proc,
2732
client_object=client))
2567
2733
parent_pipe.send(True)
2568
2734
# remove the old hook in favor of the new above hook on
2569
2735
# same fileno
2572
2738
funcname = request[1]
2573
2739
args = request[2]
2574
2740
kwargs = request[3]
2575
2741
2576
2742
parent_pipe.send(('data', getattr(client_object,
2577
2743
funcname)(*args,
2578
2744
**kwargs)))
2579
2745
2580
2746
if command == 'getattr':
2581
2747
attrname = request[1]
2582
2748
if isinstance(client_object.__getattribute__(attrname),
2585
2751
else:
2586
2752
parent_pipe.send((
2587
2753
'data', client_object.__getattribute__(attrname)))
2588
2754
2589
2755
if command == 'setattr':
2590
2756
attrname = request[1]
2591
2757
value = request[2]
2592
2758
setattr(client_object, attrname, value)
2593
2759
2594
2760
return True
2595
2761
2596
2762
2597
2763
def rfc3339_duration_to_delta(duration):
2598
2764
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2599
2600
>>> rfc3339_duration_to_delta("P7D")
2601
datetime.timedelta(7)
2602
>>> rfc3339_duration_to_delta("PT60S")
2603
datetime.timedelta(0, 60)
2604
>>> rfc3339_duration_to_delta("PT60M")
2605
datetime.timedelta(0, 3600)
2606
>>> rfc3339_duration_to_delta("PT24H")
2607
datetime.timedelta(1)
2608
>>> rfc3339_duration_to_delta("P1W")
2609
datetime.timedelta(7)
2610
>>> rfc3339_duration_to_delta("PT5M30S")
2611
datetime.timedelta(0, 330)
2612
>>> rfc3339_duration_to_delta("P1DT3M20S")
2613
datetime.timedelta(1, 200)
2765
2766
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2767
True
2768
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2769
True
2770
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2771
True
2772
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2773
True
2774
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2775
True
2776
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2777
True
2778
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2779
True
2614
2780
"""
2615
2781
2616
2782
# Parsing an RFC 3339 duration with regular expressions is not
2617
2783
# possible - there would have to be multiple places for the same
2618
2784
# values, like seconds. The current code, while more esoteric, is
2619
2785
# cleaner without depending on a parsing library. If Python had a
2620
2786
# built-in library for parsing we would use it, but we'd like to
2621
2787
# avoid excessive use of external libraries.
2622
2788
2623
2789
# New type for defining tokens, syntax, and semantics all-in-one
2624
2790
Token = collections.namedtuple("Token", (
2625
2791
"regexp", # To match token; if "value" is not None, must have
2658
2824
frozenset((token_year, token_month,
2659
2825
token_day, token_time,
2660
2826
token_week)))
2661
# Define starting values
2662
value = datetime.timedelta() # Value so far
2827
# Define starting values:
2828
# Value so far
2829
value = datetime.timedelta()
2663
2830
found_token = None
2664
followers = frozenset((token_duration, )) # Following valid tokens
2665
s = duration # String left to parse
2831
# Following valid tokens
2832
followers = frozenset((token_duration, ))
2833
# String left to parse
2834
s = duration
2666
2835
# Loop until end token is found
2667
2836
while found_token is not token_end:
2668
2837
# Search for any currently valid tokens
2692
2861
2693
2862
def string_to_delta(interval):
2694
2863
"""Parse a string and return a datetime.timedelta
2695
2696
>>> string_to_delta('7d')
2697
datetime.timedelta(7)
2698
>>> string_to_delta('60s')
2699
datetime.timedelta(0, 60)
2700
>>> string_to_delta('60m')
2701
datetime.timedelta(0, 3600)
2702
>>> string_to_delta('24h')
2703
datetime.timedelta(1)
2704
>>> string_to_delta('1w')
2705
datetime.timedelta(7)
2706
>>> string_to_delta('5m 30s')
2707
datetime.timedelta(0, 330)
2864
2865
>>> string_to_delta('7d') == datetime.timedelta(7)
2866
True
2867
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2868
True
2869
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2870
True
2871
>>> string_to_delta('24h') == datetime.timedelta(1)
2872
True
2873
>>> string_to_delta('1w') == datetime.timedelta(7)
2874
True
2875
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2876
True
2708
2877
"""
2709
2878
2710
2879
try:
2711
2880
return rfc3339_duration_to_delta(interval)
2712
2881
except ValueError:
2713
2882
pass
2714
2883
2715
2884
timevalue = datetime.timedelta(0)
2716
2885
for s in interval.split():
2717
2886
try:
2735
2904
return timevalue
2736
2905
2737
2906
2738
def daemon(nochdir = False, noclose = False):
2907
def daemon(nochdir=False, noclose=False):
2739
2908
"""See daemon(3). Standard BSD Unix function.
2740
2909
2741
2910
This should really exist as os.daemon, but it doesn't (yet)."""
2742
2911
if os.fork():
2743
2912
sys.exit()
2761
2930
2762
2931
2763
2932
def main():
2764
2933
2765
2934
##################################################################
2766
2935
# Parsing of options, both command line and config file
2767
2936
2768
2937
parser = argparse.ArgumentParser()
2769
2938
parser.add_argument("-v", "--version", action="version",
2770
version = "%(prog)s {}".format(version),
2939
version="%(prog)s {}".format(version),
2771
2940
help="show version number and exit")
2772
2941
parser.add_argument("-i", "--interface", metavar="IF",
2773
2942
help="Bind to interface IF")
2809
2978
parser.add_argument("--no-zeroconf", action="store_false",
2810
2979
dest="zeroconf", help="Do not use Zeroconf",
2811
2980
default=None)
2812
2981
2813
2982
options = parser.parse_args()
2814
2815
if options.check:
2816
import doctest
2817
fail_count, test_count = doctest.testmod()
2818
sys.exit(os.EX_OK if fail_count == 0 else 1)
2819
2983
2820
2984
# Default values for config file for server-global settings
2821
server_defaults = { "interface": "",
2822
"address": "",
2823
"port": "",
2824
"debug": "False",
2825
"priority":
2826
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2827
":+SIGN-DSA-SHA256",
2828
"servicename": "Mandos",
2829
"use_dbus": "True",
2830
"use_ipv6": "True",
2831
"debuglevel": "",
2832
"restore": "True",
2833
"socket": "",
2834
"statedir": "/var/lib/mandos",
2835
"foreground": "False",
2836
"zeroconf": "True",
2837
}
2838
2985
if gnutls.has_rawpk:
2986
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2987
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2988
else:
2989
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2990
":+SIGN-DSA-SHA256")
2991
server_defaults = {"interface": "",
2992
"address": "",
2993
"port": "",
2994
"debug": "False",
2995
"priority": priority,
2996
"servicename": "Mandos",
2997
"use_dbus": "True",
2998
"use_ipv6": "True",
2999
"debuglevel": "",
3000
"restore": "True",
3001
"socket": "",
3002
"statedir": "/var/lib/mandos",
3003
"foreground": "False",
3004
"zeroconf": "True",
3005
}
3006
del priority
3007
2839
3008
# Parse config file for server-global settings
2840
server_config = configparser.SafeConfigParser(server_defaults)
3009
server_config = configparser.ConfigParser(server_defaults)
2841
3010
del server_defaults
2842
3011
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2843
# Convert the SafeConfigParser object to a dict
3012
# Convert the ConfigParser object to a dict
2844
3013
server_settings = server_config.defaults()
2845
3014
# Use the appropriate methods on the non-string config options
2846
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3015
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3016
"foreground", "zeroconf"):
2847
3017
server_settings[option] = server_config.getboolean("DEFAULT",
2848
3018
option)
2849
3019
if server_settings["port"]:
2859
3029
server_settings["socket"] = os.dup(server_settings
2860
3030
["socket"])
2861
3031
del server_config
2862
3032
2863
3033
# Override the settings from the config file with command line
2864
3034
# options, if set.
2865
3035
for option in ("interface", "address", "port", "debug",
2883
3053
if server_settings["debug"]:
2884
3054
server_settings["foreground"] = True
2885
3055
# Now we have our good server settings in "server_settings"
2886
3056
2887
3057
##################################################################
2888
3058
2889
3059
if (not server_settings["zeroconf"]
2890
3060
and not (server_settings["port"]
2891
3061
or server_settings["socket"] != "")):
2892
3062
parser.error("Needs port or socket to work without Zeroconf")
2893
3063
2894
3064
# For convenience
2895
3065
debug = server_settings["debug"]
2896
3066
debuglevel = server_settings["debuglevel"]
2900
3070
stored_state_file)
2901
3071
foreground = server_settings["foreground"]
2902
3072
zeroconf = server_settings["zeroconf"]
2903
3073
2904
3074
if debug:
2905
3075
initlogger(debug, logging.DEBUG)
2906
3076
else:
2909
3079
else:
2910
3080
level = getattr(logging, debuglevel.upper())
2911
3081
initlogger(debug, level)
2912
3082
2913
3083
if server_settings["servicename"] != "Mandos":
2914
3084
syslogger.setFormatter(
2915
3085
logging.Formatter('Mandos ({}) [%(process)d]:'
2916
3086
' %(levelname)s: %(message)s'.format(
2917
3087
server_settings["servicename"])))
2918
3088
2919
3089
# Parse config file with clients
2920
client_config = configparser.SafeConfigParser(Client
2921
.client_defaults)
3090
client_config = configparser.ConfigParser(Client.client_defaults)
2922
3091
client_config.read(os.path.join(server_settings["configdir"],
2923
3092
"clients.conf"))
2924
3093
2925
3094
global mandos_dbus_service
2926
3095
mandos_dbus_service = None
2927
3096
2928
3097
socketfd = None
2929
3098
if server_settings["socket"] != "":
2930
3099
socketfd = server_settings["socket"]
2946
3115
except IOError as e:
2947
3116
logger.error("Could not open file %r", pidfilename,
2948
3117
exc_info=e)
2949
3118
2950
3119
for name, group in (("_mandos", "_mandos"),
2951
3120
("mandos", "mandos"),
2952
3121
("nobody", "nogroup")):
2970
3139
.format(uid, gid, os.strerror(error.errno)))
2971
3140
if error.errno != errno.EPERM:
2972
3141
raise
2973
3142
2974
3143
if debug:
2975
3144
# Enable all possible GnuTLS debugging
2976
3145
2977
3146
# "Use a log level over 10 to enable all debugging options."
2978
3147
# - GnuTLS manual
2979
3148
gnutls.global_set_log_level(11)
2980
3149
2981
3150
@gnutls.log_func
2982
3151
def debug_gnutls(level, string):
2983
3152
logger.debug("GnuTLS: %s", string[:-1])
2984
3153
2985
3154
gnutls.global_set_log_function(debug_gnutls)
2986
3155
2987
3156
# Redirect stdin so all checkers get /dev/null
2988
3157
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2989
3158
os.dup2(null, sys.stdin.fileno())
2990
3159
if null > 2:
2991
3160
os.close(null)
2992
3161
2993
3162
# Need to fork before connecting to D-Bus
2994
3163
if not foreground:
2995
3164
# Close all input and output, do double fork, etc.
2996
3165
daemon()
2997
2998
# multiprocessing will use threads, so before we use GObject we
2999
# need to inform GObject that threads will be used.
3000
GObject.threads_init()
3001
3166
3167
if gi.version_info < (3, 10, 2):
3168
# multiprocessing will use threads, so before we use GLib we
3169
# need to inform GLib that threads will be used.
3170
GLib.threads_init()
3171
3002
3172
global main_loop
3003
3173
# From the Avahi example code
3004
3174
DBusGMainLoop(set_as_default=True)
3005
main_loop = GObject.MainLoop()
3175
main_loop = GLib.MainLoop()
3006
3176
bus = dbus.SystemBus()
3007
3177
# End of Avahi example code
3008
3178
if use_dbus:
3021
3191
if zeroconf:
3022
3192
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3023
3193
service = AvahiServiceToSyslog(
3024
name = server_settings["servicename"],
3025
servicetype = "_mandos._tcp",
3026
protocol = protocol,
3027
bus = bus)
3194
name=server_settings["servicename"],
3195
servicetype="_mandos._tcp",
3196
protocol=protocol,
3197
bus=bus)
3028
3198
if server_settings["interface"]:
3029
3199
service.interface = if_nametoindex(
3030
3200
server_settings["interface"].encode("utf-8"))
3031
3201
3032
3202
global multiprocessing_manager
3033
3203
multiprocessing_manager = multiprocessing.Manager()
3034
3204
3035
3205
client_class = Client
3036
3206
if use_dbus:
3037
client_class = functools.partial(ClientDBus, bus = bus)
3038
3207
client_class = functools.partial(ClientDBus, bus=bus)
3208
3039
3209
client_settings = Client.config_parser(client_config)
3040
3210
old_client_settings = {}
3041
3211
clients_data = {}
3042
3212
3043
3213
# This is used to redirect stdout and stderr for checker processes
3044
3214
global wnull
3045
wnull = open(os.devnull, "w") # A writable /dev/null
3215
wnull = open(os.devnull, "w") # A writable /dev/null
3046
3216
# Only used if server is running in foreground but not in debug
3047
3217
# mode
3048
3218
if debug or not foreground:
3049
3219
wnull.close()
3050
3220
3051
3221
# Get client data and settings from last running state.
3052
3222
if server_settings["restore"]:
3053
3223
try:
3054
3224
with open(stored_state_path, "rb") as stored_state:
3055
if sys.version_info.major == 2:
3225
if sys.version_info.major == 2:
3056
3226
clients_data, old_client_settings = pickle.load(
3057
3227
stored_state)
3058
3228
else:
3059
3229
bytes_clients_data, bytes_old_client_settings = (
3060
pickle.load(stored_state, encoding = "bytes"))
3061
### Fix bytes to strings
3062
## clients_data
3230
pickle.load(stored_state, encoding="bytes"))
3231
# Fix bytes to strings
3232
# clients_data
3063
3233
# .keys()
3064
clients_data = { (key.decode("utf-8")
3065
if isinstance(key, bytes)
3066
else key): value
3067
for key, value in
3068
bytes_clients_data.items() }
3234
clients_data = {(key.decode("utf-8")
3235
if isinstance(key, bytes)
3236
else key): value
3237
for key, value in
3238
bytes_clients_data.items()}
3239
del bytes_clients_data
3069
3240
for key in clients_data:
3070
value = { (k.decode("utf-8")
3071
if isinstance(k, bytes) else k): v
3072
for k, v in
3073
clients_data[key].items() }
3241
value = {(k.decode("utf-8")
3242
if isinstance(k, bytes) else k): v
3243
for k, v in
3244
clients_data[key].items()}
3074
3245
clients_data[key] = value
3075
3246
# .client_structure
3076
3247
value["client_structure"] = [
3077
3248
(s.decode("utf-8")
3078
3249
if isinstance(s, bytes)
3079
3250
else s) for s in
3080
value["client_structure"] ]
3081
# .name & .host
3082
for k in ("name", "host"):
3251
value["client_structure"]]
3252
# .name, .host, and .checker_command
3253
for k in ("name", "host", "checker_command"):
3083
3254
if isinstance(value[k], bytes):
3084
3255
value[k] = value[k].decode("utf-8")
3085
## old_client_settings
3086
# .keys
3256
if "key_id" not in value:
3257
value["key_id"] = ""
3258
elif "fingerprint" not in value:
3259
value["fingerprint"] = ""
3260
# old_client_settings
3261
# .keys()
3087
3262
old_client_settings = {
3088
3263
(key.decode("utf-8")
3089
3264
if isinstance(key, bytes)
3090
3265
else key): value
3091
3266
for key, value in
3092
bytes_old_client_settings.items() }
3093
# .host
3267
bytes_old_client_settings.items()}
3268
del bytes_old_client_settings
3269
# .host and .checker_command
3094
3270
for value in old_client_settings.values():
3095
value["host"] = value["host"].decode("utf-8")
3271
for attribute in ("host", "checker_command"):
3272
if isinstance(value[attribute], bytes):
3273
value[attribute] = (value[attribute]
3274
.decode("utf-8"))
3096
3275
os.remove(stored_state_path)
3097
3276
except IOError as e:
3098
3277
if e.errno == errno.ENOENT:
3106
3285
logger.warning("Could not load persistent state: "
3107
3286
"EOFError:",
3108
3287
exc_info=e)
3109
3288
3110
3289
with PGPEngine() as pgp:
3111
3290
for client_name, client in clients_data.items():
3112
3291
# Skip removed clients
3113
3292
if client_name not in client_settings:
3114
3293
continue
3115
3294
3116
3295
# Decide which value to use after restoring saved state.
3117
3296
# We have three different values: Old config file,
3118
3297
# new config file, and saved state.
3129
3308
client[name] = value
3130
3309
except KeyError:
3131
3310
pass
3132
3311
3133
3312
# Clients who has passed its expire date can still be
3134
3313
# enabled if its last checker was successful. A Client
3135
3314
# whose checker succeeded before we stored its state is
3168
3347
client_name))
3169
3348
client["secret"] = (client_settings[client_name]
3170
3349
["secret"])
3171
3350
3172
3351
# Add/remove clients based on new changes made to config
3173
3352
for client_name in (set(old_client_settings)
3174
3353
- set(client_settings)):
3176
3355
for client_name in (set(client_settings)
3177
3356
- set(old_client_settings)):
3178
3357
clients_data[client_name] = client_settings[client_name]
3179
3358
3180
3359
# Create all client objects
3181
3360
for client_name, client in clients_data.items():
3182
3361
tcp_server.clients[client_name] = client_class(
3183
name = client_name,
3184
settings = client,
3185
server_settings = server_settings)
3186
3362
name=client_name,
3363
settings=client,
3364
server_settings=server_settings)
3365
3187
3366
if not tcp_server.clients:
3188
3367
logger.warning("No clients defined")
3189
3368
3190
3369
if not foreground:
3191
3370
if pidfile is not None:
3192
3371
pid = os.getpid()
3198
3377
pidfilename, pid)
3199
3378
del pidfile
3200
3379
del pidfilename
3201
3202
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3203
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3204
3380
3381
for termsig in (signal.SIGHUP, signal.SIGTERM):
3382
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3383
lambda: main_loop.quit() and False)
3384
3205
3385
if use_dbus:
3206
3386
3207
3387
@alternate_dbus_interfaces(
3208
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3388
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3209
3389
class MandosDBusService(DBusObjectWithObjectManager):
3210
3390
"""A D-Bus proxy object"""
3211
3391
3212
3392
def __init__(self):
3213
3393
dbus.service.Object.__init__(self, bus, "/")
3214
3394
3215
3395
_interface = "se.recompile.Mandos"
3216
3396
3217
3397
@dbus.service.signal(_interface, signature="o")
3218
3398
def ClientAdded(self, objpath):
3219
3399
"D-Bus signal"
3220
3400
pass
3221
3401
3222
3402
@dbus.service.signal(_interface, signature="ss")
3223
def ClientNotFound(self, fingerprint, address):
3403
def ClientNotFound(self, key_id, address):
3224
3404
"D-Bus signal"
3225
3405
pass
3226
3406
3227
3407
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3228
3408
"true"})
3229
3409
@dbus.service.signal(_interface, signature="os")
3230
3410
def ClientRemoved(self, objpath, name):
3231
3411
"D-Bus signal"
3232
3412
pass
3233
3413
3234
3414
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3235
3415
"true"})
3236
3416
@dbus.service.method(_interface, out_signature="ao")
3238
3418
"D-Bus method"
3239
3419
return dbus.Array(c.dbus_object_path for c in
3240
3420
tcp_server.clients.values())
3241
3421
3242
3422
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3243
3423
"true"})
3244
3424
@dbus.service.method(_interface,
3246
3426
def GetAllClientsWithProperties(self):
3247
3427
"D-Bus method"
3248
3428
return dbus.Dictionary(
3249
{ c.dbus_object_path: c.GetAll(
3429
{c.dbus_object_path: c.GetAll(
3250
3430
"se.recompile.Mandos.Client")
3251
for c in tcp_server.clients.values() },
3431
for c in tcp_server.clients.values()},
3252
3432
signature="oa{sv}")
3253
3433
3254
3434
@dbus.service.method(_interface, in_signature="o")
3255
3435
def RemoveClient(self, object_path):
3256
3436
"D-Bus method"
3264
3444
self.client_removed_signal(c)
3265
3445
return
3266
3446
raise KeyError(object_path)
3267
3447
3268
3448
del _interface
3269
3449
3270
3450
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3271
out_signature = "a{oa{sa{sv}}}")
3451
out_signature="a{oa{sa{sv}}}")
3272
3452
def GetManagedObjects(self):
3273
3453
"""D-Bus method"""
3274
3454
return dbus.Dictionary(
3275
{ client.dbus_object_path:
3276
dbus.Dictionary(
3277
{ interface: client.GetAll(interface)
3278
for interface in
3279
client._get_all_interface_names()})
3280
for client in tcp_server.clients.values()})
3281
3455
{client.dbus_object_path:
3456
dbus.Dictionary(
3457
{interface: client.GetAll(interface)
3458
for interface in
3459
client._get_all_interface_names()})
3460
for client in tcp_server.clients.values()})
3461
3282
3462
def client_added_signal(self, client):
3283
3463
"""Send the new standard signal and the old signal"""
3284
3464
if use_dbus:
3286
3466
self.InterfacesAdded(
3287
3467
client.dbus_object_path,
3288
3468
dbus.Dictionary(
3289
{ interface: client.GetAll(interface)
3290
for interface in
3291
client._get_all_interface_names()}))
3469
{interface: client.GetAll(interface)
3470
for interface in
3471
client._get_all_interface_names()}))
3292
3472
# Old signal
3293
3473
self.ClientAdded(client.dbus_object_path)
3294
3474
3295
3475
def client_removed_signal(self, client):
3296
3476
"""Send the new standard signal and the old signal"""
3297
3477
if use_dbus:
3302
3482
# Old signal
3303
3483
self.ClientRemoved(client.dbus_object_path,
3304
3484
client.name)
3305
3485
3306
3486
mandos_dbus_service = MandosDBusService()
3307
3487
3488
# Save modules to variables to exempt the modules from being
3489
# unloaded before the function registered with atexit() is run.
3490
mp = multiprocessing
3491
wn = wnull
3492
3308
3493
def cleanup():
3309
3494
"Cleanup function; run on exit"
3310
3495
if zeroconf:
3311
3496
service.cleanup()
3312
3313
multiprocessing.active_children()
3314
wnull.close()
3497
3498
mp.active_children()
3499
wn.close()
3315
3500
if not (tcp_server.clients or client_settings):
3316
3501
return
3317
3502
3318
3503
# Store client before exiting. Secrets are encrypted with key
3319
3504
# based on what config file has. If config file is
3320
3505
# removed/edited, old secret will thus be unrecovable.
3325
3510
client.encrypted_secret = pgp.encrypt(client.secret,
3326
3511
key)
3327
3512
client_dict = {}
3328
3513
3329
3514
# A list of attributes that can not be pickled
3330
3515
# + secret.
3331
exclude = { "bus", "changedstate", "secret",
3332
"checker", "server_settings" }
3516
exclude = {"bus", "changedstate", "secret",
3517
"checker", "server_settings"}
3333
3518
for name, typ in inspect.getmembers(dbus.service
3334
3519
.Object):
3335
3520
exclude.add(name)
3336
3521
3337
3522
client_dict["encrypted_secret"] = (client
3338
3523
.encrypted_secret)
3339
3524
for attr in client.client_structure:
3340
3525
if attr not in exclude:
3341
3526
client_dict[attr] = getattr(client, attr)
3342
3527
3343
3528
clients[client.name] = client_dict
3344
3529
del client_settings[client.name]["secret"]
3345
3530
3346
3531
try:
3347
3532
with tempfile.NamedTemporaryFile(
3348
3533
mode='wb',
3351
3536
dir=os.path.dirname(stored_state_path),
3352
3537
delete=False) as stored_state:
3353
3538
pickle.dump((clients, client_settings), stored_state,
3354
protocol = 2)
3539
protocol=2)
3355
3540
tempname = stored_state.name
3356
3541
os.rename(tempname, stored_state_path)
3357
3542
except (IOError, OSError) as e:
3367
3552
logger.warning("Could not save persistent state:",
3368
3553
exc_info=e)
3369
3554
raise
3370
3555
3371
3556
# Delete all clients, and settings from config
3372
3557
while tcp_server.clients:
3373
3558
name, client = tcp_server.clients.popitem()
3379
3564
if use_dbus:
3380
3565
mandos_dbus_service.client_removed_signal(client)
3381
3566
client_settings.clear()
3382
3567
3383
3568
atexit.register(cleanup)
3384
3569
3385
3570
for client in tcp_server.clients.values():
3386
3571
if use_dbus:
3387
3572
# Emit D-Bus signal for adding
3389
3574
# Need to initiate checking of clients
3390
3575
if client.enabled:
3391
3576
client.init_checker()
3392
3577
3393
3578
tcp_server.enable()
3394
3579
tcp_server.server_activate()
3395
3580
3396
3581
# Find out what port we got
3397
3582
if zeroconf:
3398
3583
service.port = tcp_server.socket.getsockname()[1]
3403
3588
else: # IPv4
3404
3589
logger.info("Now listening on address %r, port %d",
3405
3590
*tcp_server.socket.getsockname())
3406
3407
#service.interface = tcp_server.socket.getsockname()[3]
3408
3591
3592
# service.interface = tcp_server.socket.getsockname()[3]
3593
3409
3594
try:
3410
3595
if zeroconf:
3411
3596
# From the Avahi example code
3416
3601
cleanup()
3417
3602
sys.exit(1)
3418
3603
# End of Avahi example code
3419
3420
GObject.io_add_watch(tcp_server.fileno(), GObject.IO_IN,
3421
lambda *args, **kwargs:
3422
(tcp_server.handle_request
3423
(*args[2:], **kwargs) or True))
3424
3604
3605
GLib.io_add_watch(
3606
GLib.IOChannel.unix_new(tcp_server.fileno()),
3607
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3608
lambda *args, **kwargs: (tcp_server.handle_request
3609
(*args[2:], **kwargs) or True))
3610
3425
3611
logger.debug("Starting main loop")
3426
3612
main_loop.run()
3427
3613
except AvahiError as error:
3436
3622
# Must run before the D-Bus bus name gets deregistered
3437
3623
cleanup()
3438
3624
3625
3626
def should_only_run_tests():
3627
parser = argparse.ArgumentParser(add_help=False)
3628
parser.add_argument("--check", action='store_true')
3629
args, unknown_args = parser.parse_known_args()
3630
run_tests = args.check
3631
if run_tests:
3632
# Remove --check argument from sys.argv
3633
sys.argv[1:] = unknown_args
3634
return run_tests
3635
3636
# Add all tests from doctest strings
3637
def load_tests(loader, tests, none):
3638
import doctest
3639
tests.addTests(doctest.DocTestSuite())
3640
return tests
3439
3641
3440
3642
if __name__ == '__main__':
3441
main()
3643
try:
3644
if should_only_run_tests():
3645
# Call using ./mandos --check [--verbose]
3646
unittest.main()
3647
else:
3648
main()
3649
finally:
3650
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0