To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1194
- compare with another revision
- download diff
- download tarball
- view history from revision 1194
- Committer: teddy at recompile
- Date: 2019-12-05 03:38:07 UTC
- Revision ID: teddy@recompile.se-20191205033807-6awt45zpgp194vl1
From: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>
Add Dutch debconf translation
* debian/po/nl.po: New.
Acked-by: Teddy Hogeborn <teddy@recompile.se>
Add Dutch debconf translation
* debian/po/nl.po: New.
Acked-by: Teddy Hogeborn <teddy@recompile.se>
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
82
81
83
82
import dbus
84
83
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
84
import gi
85
from gi.repository import GLib
90
86
from dbus.mainloop.glib import DBusGMainLoop
91
87
import ctypes
92
88
import ctypes.util
93
89
import xml.dom.minidom
94
90
import inspect
95
91
92
if sys.version_info.major == 2:
93
__metaclass__ = type
94
str = unicode
95
96
# Show warnings by default
97
if not sys.warnoptions:
98
import warnings
99
warnings.simplefilter("default")
100
101
# Try to find the value of SO_BINDTODEVICE:
96
102
try:
103
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
104
# newer, and it is also the most natural place for it:
97
105
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
106
except AttributeError:
99
107
try:
108
# This is where SO_BINDTODEVICE was up to and including Python
109
# 2.6, and also 3.2:
100
110
from IN import SO_BINDTODEVICE
101
111
except ImportError:
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.7.0"
112
# In Python 2.7 it seems to have been removed entirely.
113
# Try running the C preprocessor:
114
try:
115
cc = subprocess.Popen(["cc", "--language=c", "-E",
116
"/dev/stdin"],
117
stdin=subprocess.PIPE,
118
stdout=subprocess.PIPE)
119
stdout = cc.communicate(
120
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
121
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
122
except (OSError, ValueError, IndexError):
123
# No value found
124
SO_BINDTODEVICE = None
125
126
if sys.version_info < (3, 2):
127
configparser.Configparser = configparser.SafeConfigParser
128
129
version = "1.8.9"
108
130
stored_state_file = "clients.pickle"
109
131
110
132
logger = logging.getLogger()
133
logging.captureWarnings(True) # Show warnings via the logging system
111
134
syslogger = None
112
135
113
136
try:
114
137
if_nametoindex = ctypes.cdll.LoadLibrary(
115
138
ctypes.util.find_library("c")).if_nametoindex
116
139
except (OSError, AttributeError):
117
140
118
141
def if_nametoindex(interface):
119
142
"Get an interface index the hard way, i.e. using fcntl()"
120
143
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
148
return interface_index
126
149
127
150
151
def copy_function(func):
152
"""Make a copy of a function"""
153
if sys.version_info.major == 2:
154
return types.FunctionType(func.func_code,
155
func.func_globals,
156
func.func_name,
157
func.func_defaults,
158
func.func_closure)
159
else:
160
return types.FunctionType(func.__code__,
161
func.__globals__,
162
func.__name__,
163
func.__defaults__,
164
func.__closure__)
165
166
128
167
def initlogger(debug, level=logging.WARNING):
129
168
"""init logger and add loglevel"""
130
169
131
170
global syslogger
132
171
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
172
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
173
address="/dev/log"))
135
174
syslogger.setFormatter(logging.Formatter
136
175
('Mandos [%(process)d]: %(levelname)s:'
137
176
' %(message)s'))
138
177
logger.addHandler(syslogger)
139
178
140
179
if debug:
141
180
console = logging.StreamHandler()
142
181
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
191
pass
153
192
154
193
155
class PGPEngine(object):
194
class PGPEngine:
156
195
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
196
158
197
def __init__(self):
159
198
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
199
self.gpg = "gpg"
200
try:
201
output = subprocess.check_output(["gpgconf"])
202
for line in output.splitlines():
203
name, text, path = line.split(b":")
204
if name == b"gpg":
205
self.gpg = path
206
break
207
except OSError as e:
208
if e.errno != errno.ENOENT:
209
raise
160
210
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
211
'--homedir', self.tempdir,
162
212
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
213
'--quiet']
214
# Only GPG version 1 has the --no-use-agent option.
215
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
216
self.gnupgargs.append("--no-use-agent")
217
166
218
def __enter__(self):
167
219
return self
168
220
169
221
def __exit__(self, exc_type, exc_value, traceback):
170
222
self._cleanup()
171
223
return False
172
224
173
225
def __del__(self):
174
226
self._cleanup()
175
227
176
228
def _cleanup(self):
177
229
if self.tempdir is not None:
178
230
# Delete contents of tempdir
179
231
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
232
topdown=False):
181
233
for filename in files:
182
234
os.remove(os.path.join(root, filename))
183
235
for dirname in dirs:
185
237
# Remove tempdir
186
238
os.rmdir(self.tempdir)
187
239
self.tempdir = None
188
240
189
241
def password_encode(self, password):
190
242
# Passphrase can not be empty and can not contain newlines or
191
243
# NUL bytes. So we prefix it and hex encode it.
196
248
.replace(b"\n", b"\\n")
197
249
.replace(b"\0", b"\\x00"))
198
250
return encoded
199
251
200
252
def encrypt(self, data, password):
201
253
passphrase = self.password_encode(password)
202
254
with tempfile.NamedTemporaryFile(
203
255
dir=self.tempdir) as passfile:
204
256
passfile.write(passphrase)
205
257
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
258
proc = subprocess.Popen([self.gpg, '--symmetric',
207
259
'--passphrase-file',
208
260
passfile.name]
209
261
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
262
stdin=subprocess.PIPE,
263
stdout=subprocess.PIPE,
264
stderr=subprocess.PIPE)
265
ciphertext, err = proc.communicate(input=data)
214
266
if proc.returncode != 0:
215
267
raise PGPError(err)
216
268
return ciphertext
217
269
218
270
def decrypt(self, data, password):
219
271
passphrase = self.password_encode(password)
220
272
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
273
dir=self.tempdir) as passfile:
222
274
passfile.write(passphrase)
223
275
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
276
proc = subprocess.Popen([self.gpg, '--decrypt',
225
277
'--passphrase-file',
226
278
passfile.name]
227
279
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
280
stdin=subprocess.PIPE,
281
stdout=subprocess.PIPE,
282
stderr=subprocess.PIPE)
283
decrypted_plaintext, err = proc.communicate(input=data)
232
284
if proc.returncode != 0:
233
285
raise PGPError(err)
234
286
return decrypted_plaintext
235
287
236
288
289
# Pretend that we have an Avahi module
290
class avahi:
291
"""This isn't so much a class as it is a module-like namespace."""
292
IF_UNSPEC = -1 # avahi-common/address.h
293
PROTO_UNSPEC = -1 # avahi-common/address.h
294
PROTO_INET = 0 # avahi-common/address.h
295
PROTO_INET6 = 1 # avahi-common/address.h
296
DBUS_NAME = "org.freedesktop.Avahi"
297
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
298
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
299
DBUS_PATH_SERVER = "/"
300
301
@staticmethod
302
def string_array_to_txt_array(t):
303
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
304
for s in t), signature="ay")
305
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
306
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
307
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
308
SERVER_INVALID = 0 # avahi-common/defs.h
309
SERVER_REGISTERING = 1 # avahi-common/defs.h
310
SERVER_RUNNING = 2 # avahi-common/defs.h
311
SERVER_COLLISION = 3 # avahi-common/defs.h
312
SERVER_FAILURE = 4 # avahi-common/defs.h
313
314
237
315
class AvahiError(Exception):
238
316
def __init__(self, value, *args, **kwargs):
239
317
self.value = value
249
327
pass
250
328
251
329
252
class AvahiService(object):
330
class AvahiService:
253
331
"""An Avahi (Zeroconf) service.
254
332
255
333
Attributes:
256
334
interface: integer; avahi.IF_UNSPEC or an interface index.
257
335
Used to optionally bind to the specified interface.
269
347
server: D-Bus Server
270
348
bus: dbus.SystemBus()
271
349
"""
272
350
273
351
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
352
interface=avahi.IF_UNSPEC,
353
name=None,
354
servicetype=None,
355
port=None,
356
TXT=None,
357
domain="",
358
host="",
359
max_renames=32768,
360
protocol=avahi.PROTO_UNSPEC,
361
bus=None):
284
362
self.interface = interface
285
363
self.name = name
286
364
self.type = servicetype
295
373
self.server = None
296
374
self.bus = bus
297
375
self.entry_group_state_changed_match = None
298
376
299
377
def rename(self, remove=True):
300
378
"""Derived from the Avahi example code"""
301
379
if self.rename_count >= self.max_renames:
321
399
logger.critical("D-Bus Exception", exc_info=error)
322
400
self.cleanup()
323
401
os._exit(1)
324
402
325
403
def remove(self):
326
404
"""Derived from the Avahi example code"""
327
405
if self.entry_group_state_changed_match is not None:
329
407
self.entry_group_state_changed_match = None
330
408
if self.group is not None:
331
409
self.group.Reset()
332
410
333
411
def add(self):
334
412
"""Derived from the Avahi example code"""
335
413
self.remove()
352
430
dbus.UInt16(self.port),
353
431
avahi.string_array_to_txt_array(self.TXT))
354
432
self.group.Commit()
355
433
356
434
def entry_group_state_changed(self, state, error):
357
435
"""Derived from the Avahi example code"""
358
436
logger.debug("Avahi entry group state change: %i", state)
359
437
360
438
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
439
logger.debug("Zeroconf service established.")
362
440
elif state == avahi.ENTRY_GROUP_COLLISION:
366
444
logger.critical("Avahi: Error in group state changed %s",
367
445
str(error))
368
446
raise AvahiGroupError("State changed: {!s}".format(error))
369
447
370
448
def cleanup(self):
371
449
"""Derived from the Avahi example code"""
372
450
if self.group is not None:
377
455
pass
378
456
self.group = None
379
457
self.remove()
380
458
381
459
def server_state_changed(self, state, error=None):
382
460
"""Derived from the Avahi example code"""
383
461
logger.debug("Avahi server state change: %i", state)
412
490
logger.debug("Unknown state: %r", state)
413
491
else:
414
492
logger.debug("Unknown state: %r: %r", state, error)
415
493
416
494
def activate(self):
417
495
"""Derived from the Avahi example code"""
418
496
if self.server is None:
429
507
class AvahiServiceToSyslog(AvahiService):
430
508
def rename(self, *args, **kwargs):
431
509
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
510
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
511
syslogger.setFormatter(logging.Formatter(
434
512
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
513
.format(self.name)))
436
514
return ret
437
515
516
517
# Pretend that we have a GnuTLS module
518
class gnutls:
519
"""This isn't so much a class as it is a module-like namespace."""
520
521
library = ctypes.util.find_library("gnutls")
522
if library is None:
523
library = ctypes.util.find_library("gnutls-deb0")
524
_library = ctypes.cdll.LoadLibrary(library)
525
del library
526
527
# Unless otherwise indicated, the constants and types below are
528
# all from the gnutls/gnutls.h C header file.
529
530
# Constants
531
E_SUCCESS = 0
532
E_INTERRUPTED = -52
533
E_AGAIN = -28
534
CRT_OPENPGP = 2
535
CRT_RAWPK = 3
536
CLIENT = 2
537
SHUT_RDWR = 0
538
CRD_CERTIFICATE = 1
539
E_NO_CERTIFICATE_FOUND = -49
540
X509_FMT_DER = 0
541
NO_TICKETS = 1<<10
542
ENABLE_RAWPK = 1<<18
543
CTYPE_PEERS = 3
544
KEYID_USE_SHA256 = 1 # gnutls/x509.h
545
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
546
547
# Types
548
class session_int(ctypes.Structure):
549
_fields_ = []
550
session_t = ctypes.POINTER(session_int)
551
552
class certificate_credentials_st(ctypes.Structure):
553
_fields_ = []
554
certificate_credentials_t = ctypes.POINTER(
555
certificate_credentials_st)
556
certificate_type_t = ctypes.c_int
557
558
class datum_t(ctypes.Structure):
559
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
560
('size', ctypes.c_uint)]
561
562
class openpgp_crt_int(ctypes.Structure):
563
_fields_ = []
564
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
565
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
566
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
567
credentials_type_t = ctypes.c_int
568
transport_ptr_t = ctypes.c_void_p
569
close_request_t = ctypes.c_int
570
571
# Exceptions
572
class Error(Exception):
573
def __init__(self, message=None, code=None, args=()):
574
# Default usage is by a message string, but if a return
575
# code is passed, convert it to a string with
576
# gnutls.strerror()
577
self.code = code
578
if message is None and code is not None:
579
message = gnutls.strerror(code)
580
return super(gnutls.Error, self).__init__(
581
message, *args)
582
583
class CertificateSecurityError(Error):
584
pass
585
586
# Classes
587
class Credentials:
588
def __init__(self):
589
self._c_object = gnutls.certificate_credentials_t()
590
gnutls.certificate_allocate_credentials(
591
ctypes.byref(self._c_object))
592
self.type = gnutls.CRD_CERTIFICATE
593
594
def __del__(self):
595
gnutls.certificate_free_credentials(self._c_object)
596
597
class ClientSession:
598
def __init__(self, socket, credentials=None):
599
self._c_object = gnutls.session_t()
600
gnutls_flags = gnutls.CLIENT
601
if gnutls.check_version(b"3.5.6"):
602
gnutls_flags |= gnutls.NO_TICKETS
603
if gnutls.has_rawpk:
604
gnutls_flags |= gnutls.ENABLE_RAWPK
605
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
606
del gnutls_flags
607
gnutls.set_default_priority(self._c_object)
608
gnutls.transport_set_ptr(self._c_object, socket.fileno())
609
gnutls.handshake_set_private_extensions(self._c_object,
610
True)
611
self.socket = socket
612
if credentials is None:
613
credentials = gnutls.Credentials()
614
gnutls.credentials_set(self._c_object, credentials.type,
615
ctypes.cast(credentials._c_object,
616
ctypes.c_void_p))
617
self.credentials = credentials
618
619
def __del__(self):
620
gnutls.deinit(self._c_object)
621
622
def handshake(self):
623
return gnutls.handshake(self._c_object)
624
625
def send(self, data):
626
data = bytes(data)
627
data_len = len(data)
628
while data_len > 0:
629
data_len -= gnutls.record_send(self._c_object,
630
data[-data_len:],
631
data_len)
632
633
def bye(self):
634
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
635
636
# Error handling functions
637
def _error_code(result):
638
"""A function to raise exceptions on errors, suitable
639
for the 'restype' attribute on ctypes functions"""
640
if result >= 0:
641
return result
642
if result == gnutls.E_NO_CERTIFICATE_FOUND:
643
raise gnutls.CertificateSecurityError(code=result)
644
raise gnutls.Error(code=result)
645
646
def _retry_on_error(result, func, arguments):
647
"""A function to retry on some errors, suitable
648
for the 'errcheck' attribute on ctypes functions"""
649
while result < 0:
650
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
651
return _error_code(result)
652
result = func(*arguments)
653
return result
654
655
# Unless otherwise indicated, the function declarations below are
656
# all from the gnutls/gnutls.h C header file.
657
658
# Functions
659
priority_set_direct = _library.gnutls_priority_set_direct
660
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
661
ctypes.POINTER(ctypes.c_char_p)]
662
priority_set_direct.restype = _error_code
663
664
init = _library.gnutls_init
665
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
666
init.restype = _error_code
667
668
set_default_priority = _library.gnutls_set_default_priority
669
set_default_priority.argtypes = [session_t]
670
set_default_priority.restype = _error_code
671
672
record_send = _library.gnutls_record_send
673
record_send.argtypes = [session_t, ctypes.c_void_p,
674
ctypes.c_size_t]
675
record_send.restype = ctypes.c_ssize_t
676
record_send.errcheck = _retry_on_error
677
678
certificate_allocate_credentials = (
679
_library.gnutls_certificate_allocate_credentials)
680
certificate_allocate_credentials.argtypes = [
681
ctypes.POINTER(certificate_credentials_t)]
682
certificate_allocate_credentials.restype = _error_code
683
684
certificate_free_credentials = (
685
_library.gnutls_certificate_free_credentials)
686
certificate_free_credentials.argtypes = [
687
certificate_credentials_t]
688
certificate_free_credentials.restype = None
689
690
handshake_set_private_extensions = (
691
_library.gnutls_handshake_set_private_extensions)
692
handshake_set_private_extensions.argtypes = [session_t,
693
ctypes.c_int]
694
handshake_set_private_extensions.restype = None
695
696
credentials_set = _library.gnutls_credentials_set
697
credentials_set.argtypes = [session_t, credentials_type_t,
698
ctypes.c_void_p]
699
credentials_set.restype = _error_code
700
701
strerror = _library.gnutls_strerror
702
strerror.argtypes = [ctypes.c_int]
703
strerror.restype = ctypes.c_char_p
704
705
certificate_type_get = _library.gnutls_certificate_type_get
706
certificate_type_get.argtypes = [session_t]
707
certificate_type_get.restype = _error_code
708
709
certificate_get_peers = _library.gnutls_certificate_get_peers
710
certificate_get_peers.argtypes = [session_t,
711
ctypes.POINTER(ctypes.c_uint)]
712
certificate_get_peers.restype = ctypes.POINTER(datum_t)
713
714
global_set_log_level = _library.gnutls_global_set_log_level
715
global_set_log_level.argtypes = [ctypes.c_int]
716
global_set_log_level.restype = None
717
718
global_set_log_function = _library.gnutls_global_set_log_function
719
global_set_log_function.argtypes = [log_func]
720
global_set_log_function.restype = None
721
722
deinit = _library.gnutls_deinit
723
deinit.argtypes = [session_t]
724
deinit.restype = None
725
726
handshake = _library.gnutls_handshake
727
handshake.argtypes = [session_t]
728
handshake.restype = _error_code
729
handshake.errcheck = _retry_on_error
730
731
transport_set_ptr = _library.gnutls_transport_set_ptr
732
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
733
transport_set_ptr.restype = None
734
735
bye = _library.gnutls_bye
736
bye.argtypes = [session_t, close_request_t]
737
bye.restype = _error_code
738
bye.errcheck = _retry_on_error
739
740
check_version = _library.gnutls_check_version
741
check_version.argtypes = [ctypes.c_char_p]
742
check_version.restype = ctypes.c_char_p
743
744
_need_version = b"3.3.0"
745
if check_version(_need_version) is None:
746
raise self.Error("Needs GnuTLS {} or later"
747
.format(_need_version))
748
749
_tls_rawpk_version = b"3.6.6"
750
has_rawpk = bool(check_version(_tls_rawpk_version))
751
752
if has_rawpk:
753
# Types
754
class pubkey_st(ctypes.Structure):
755
_fields = []
756
pubkey_t = ctypes.POINTER(pubkey_st)
757
758
x509_crt_fmt_t = ctypes.c_int
759
760
# All the function declarations below are from gnutls/abstract.h
761
pubkey_init = _library.gnutls_pubkey_init
762
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
763
pubkey_init.restype = _error_code
764
765
pubkey_import = _library.gnutls_pubkey_import
766
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
767
x509_crt_fmt_t]
768
pubkey_import.restype = _error_code
769
770
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
771
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
772
ctypes.POINTER(ctypes.c_ubyte),
773
ctypes.POINTER(ctypes.c_size_t)]
774
pubkey_get_key_id.restype = _error_code
775
776
pubkey_deinit = _library.gnutls_pubkey_deinit
777
pubkey_deinit.argtypes = [pubkey_t]
778
pubkey_deinit.restype = None
779
else:
780
# All the function declarations below are from gnutls/openpgp.h
781
782
openpgp_crt_init = _library.gnutls_openpgp_crt_init
783
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
784
openpgp_crt_init.restype = _error_code
785
786
openpgp_crt_import = _library.gnutls_openpgp_crt_import
787
openpgp_crt_import.argtypes = [openpgp_crt_t,
788
ctypes.POINTER(datum_t),
789
openpgp_crt_fmt_t]
790
openpgp_crt_import.restype = _error_code
791
792
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
793
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
794
ctypes.POINTER(ctypes.c_uint)]
795
openpgp_crt_verify_self.restype = _error_code
796
797
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
798
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
799
openpgp_crt_deinit.restype = None
800
801
openpgp_crt_get_fingerprint = (
802
_library.gnutls_openpgp_crt_get_fingerprint)
803
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
804
ctypes.c_void_p,
805
ctypes.POINTER(
806
ctypes.c_size_t)]
807
openpgp_crt_get_fingerprint.restype = _error_code
808
809
if check_version(b"3.6.4"):
810
certificate_type_get2 = _library.gnutls_certificate_type_get2
811
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
812
certificate_type_get2.restype = _error_code
813
814
# Remove non-public functions
815
del _error_code, _retry_on_error
816
817
438
818
def call_pipe(connection, # : multiprocessing.Connection
439
819
func, *args, **kwargs):
440
820
"""This function is meant to be called by multiprocessing.Process
441
821
442
822
This function runs func(*args, **kwargs), and writes the resulting
443
823
return value on the provided multiprocessing.Connection.
444
824
"""
445
825
connection.send(func(*args, **kwargs))
446
826
connection.close()
447
827
448
class Client(object):
828
829
class Client:
449
830
"""A representation of a client host served by this server.
450
831
451
832
Attributes:
452
833
approved: bool(); 'None' if not yet approved/disapproved
453
834
approval_delay: datetime.timedelta(); Time to wait for approval
454
835
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
836
checker: multiprocessing.Process(); a running checker process used
837
to see if the client lives. 'None' if no process is
838
running.
839
checker_callback_tag: a GLib event source tag, or None
459
840
checker_command: string; External command which is run to check
460
841
if client lives. %() expansions are done at
461
842
runtime with vars(self) as dict, so that for
462
843
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
844
checker_initiator_tag: a GLib event source tag, or None
464
845
created: datetime.datetime(); (UTC) object creation
465
846
client_structure: Object describing what attributes a client has
466
847
and is used for storing the client at exit
467
848
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
849
disable_initiator_tag: a GLib event source tag, or None
469
850
enabled: bool()
470
851
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
852
uniquely identify an OpenPGP client
853
key_id: string (64 hexadecimal digits); used to uniquely identify
854
a client using raw public keys
472
855
host: string; available for use by the checker command
473
856
interval: datetime.timedelta(); How often to start a new checker
474
857
last_approval_request: datetime.datetime(); (UTC) or None
490
873
disabled, or None
491
874
server_settings: The server_settings dict from main()
492
875
"""
493
876
494
877
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
878
"created", "enabled", "expires", "key_id",
496
879
"fingerprint", "host", "interval",
497
880
"last_approval_request", "last_checked_ok",
498
881
"last_enabled", "name", "timeout")
507
890
"approved_by_default": "True",
508
891
"enabled": "True",
509
892
}
510
893
511
894
@staticmethod
512
895
def config_parser(config):
513
896
"""Construct a new dict of client settings of this form:
520
903
for client_name in config.sections():
521
904
section = dict(config.items(client_name))
522
905
client = settings[client_name] = {}
523
906
524
907
client["host"] = section["host"]
525
908
# Reformat values from string types to Python types
526
909
client["approved_by_default"] = config.getboolean(
527
910
client_name, "approved_by_default")
528
911
client["enabled"] = config.getboolean(client_name,
529
912
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
913
914
# Uppercase and remove spaces from key_id and fingerprint
915
# for later comparison purposes with return value from the
916
# key_id() and fingerprint() functions
917
client["key_id"] = (section.get("key_id", "").upper()
918
.replace(" ", ""))
534
919
client["fingerprint"] = (section["fingerprint"].upper()
535
920
.replace(" ", ""))
536
921
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
922
client["secret"] = codecs.decode(section["secret"]
923
.encode("utf-8"),
924
"base64")
538
925
elif "secfile" in section:
539
926
with open(os.path.expanduser(os.path.expandvars
540
927
(section["secfile"])),
555
942
client["last_approval_request"] = None
556
943
client["last_checked_ok"] = None
557
944
client["last_checker_status"] = -2
558
945
559
946
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
947
948
def __init__(self, settings, name=None, server_settings=None):
562
949
self.name = name
563
950
if server_settings is None:
564
951
server_settings = {}
566
953
# adding all client settings
567
954
for setting, value in settings.items():
568
955
setattr(self, setting, value)
569
956
570
957
if self.enabled:
571
958
if not hasattr(self, "last_enabled"):
572
959
self.last_enabled = datetime.datetime.utcnow()
576
963
else:
577
964
self.last_enabled = None
578
965
self.expires = None
579
966
580
967
logger.debug("Creating client %r", self.name)
968
logger.debug(" Key ID: %s", self.key_id)
581
969
logger.debug(" Fingerprint: %s", self.fingerprint)
582
970
self.created = settings.get("created",
583
971
datetime.datetime.utcnow())
584
972
585
973
# attributes specific for this server instance
586
974
self.checker = None
587
975
self.checker_initiator_tag = None
593
981
self.changedstate = multiprocessing_manager.Condition(
594
982
multiprocessing_manager.Lock())
595
983
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
984
for attr in self.__dict__.keys()
597
985
if not attr.startswith("_")]
598
986
self.client_structure.append("client_structure")
599
987
600
988
for name, t in inspect.getmembers(
601
989
type(self), lambda obj: isinstance(obj, property)):
602
990
if not name.startswith("_"):
603
991
self.client_structure.append(name)
604
992
605
993
# Send notice to process children that client state has changed
606
994
def send_changedstate(self):
607
995
with self.changedstate:
608
996
self.changedstate.notify_all()
609
997
610
998
def enable(self):
611
999
"""Start this client's checker and timeout hooks"""
612
1000
if getattr(self, "enabled", False):
617
1005
self.last_enabled = datetime.datetime.utcnow()
618
1006
self.init_checker()
619
1007
self.send_changedstate()
620
1008
621
1009
def disable(self, quiet=True):
622
1010
"""Disable this client."""
623
1011
if not getattr(self, "enabled", False):
625
1013
if not quiet:
626
1014
logger.info("Disabling client %s", self.name)
627
1015
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1016
GLib.source_remove(self.disable_initiator_tag)
629
1017
self.disable_initiator_tag = None
630
1018
self.expires = None
631
1019
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1020
GLib.source_remove(self.checker_initiator_tag)
633
1021
self.checker_initiator_tag = None
634
1022
self.stop_checker()
635
1023
self.enabled = False
636
1024
if not quiet:
637
1025
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1026
# Do not run this again if called by a GLib.timeout_add
639
1027
return False
640
1028
641
1029
def __del__(self):
642
1030
self.disable()
643
1031
644
1032
def init_checker(self):
645
1033
# Schedule a new checker to be started an 'interval' from now,
646
1034
# and every interval from then on.
647
1035
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
1036
GLib.source_remove(self.checker_initiator_tag)
1037
self.checker_initiator_tag = GLib.timeout_add(
650
1038
int(self.interval.total_seconds() * 1000),
651
1039
self.start_checker)
652
1040
# Schedule a disable() when 'timeout' has passed
653
1041
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1042
GLib.source_remove(self.disable_initiator_tag)
1043
self.disable_initiator_tag = GLib.timeout_add(
656
1044
int(self.timeout.total_seconds() * 1000), self.disable)
657
1045
# Also start a new checker *right now*.
658
1046
self.start_checker()
659
1047
660
1048
def checker_callback(self, source, condition, connection,
661
1049
command):
662
1050
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1051
# Read return code from connection (see call_pipe)
666
1052
returncode = connection.recv()
667
1053
connection.close()
668
1054
if self.checker is not None:
1055
self.checker.join()
1056
self.checker_callback_tag = None
1057
self.checker = None
1058
669
1059
if returncode >= 0:
670
1060
self.last_checker_status = returncode
671
1061
self.last_checker_signal = None
681
1071
logger.warning("Checker for %(name)s crashed?",
682
1072
vars(self))
683
1073
return False
684
1074
685
1075
def checked_ok(self):
686
1076
"""Assert that the client has been seen, alive and well."""
687
1077
self.last_checked_ok = datetime.datetime.utcnow()
688
1078
self.last_checker_status = 0
689
1079
self.last_checker_signal = None
690
1080
self.bump_timeout()
691
1081
692
1082
def bump_timeout(self, timeout=None):
693
1083
"""Bump up the timeout for this client."""
694
1084
if timeout is None:
695
1085
timeout = self.timeout
696
1086
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1087
GLib.source_remove(self.disable_initiator_tag)
698
1088
self.disable_initiator_tag = None
699
1089
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1090
self.disable_initiator_tag = GLib.timeout_add(
701
1091
int(timeout.total_seconds() * 1000), self.disable)
702
1092
self.expires = datetime.datetime.utcnow() + timeout
703
1093
704
1094
def need_approval(self):
705
1095
self.last_approval_request = datetime.datetime.utcnow()
706
1096
707
1097
def start_checker(self):
708
1098
"""Start a new checker subprocess if one is not running.
709
1099
710
1100
If a checker already exists, leave it running and do
711
1101
nothing."""
712
1102
# The reason for not killing a running checker is that if we
717
1107
# checkers alone, the checker would have to take more time
718
1108
# than 'timeout' for the client to be disabled, which is as it
719
1109
# should be.
720
1110
721
1111
if self.checker is not None and not self.checker.is_alive():
722
1112
logger.warning("Checker was not alive; joining")
723
1113
self.checker.join()
727
1117
# Escape attributes for the shell
728
1118
escaped_attrs = {
729
1119
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1120
for attr in self.runtime_expansions}
731
1121
try:
732
1122
command = self.checker_command % escaped_attrs
733
1123
except TypeError as error:
745
1135
# The exception is when not debugging but nevertheless
746
1136
# running in the foreground; use the previously
747
1137
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1138
popen_args = {"close_fds": True,
1139
"shell": True,
1140
"cwd": "/"}
751
1141
if (not self.server_settings["debug"]
752
1142
and self.server_settings["foreground"]):
753
1143
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1144
"stderr": wnull})
1145
pipe = multiprocessing.Pipe(duplex=False)
756
1146
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1147
target=call_pipe,
1148
args=(pipe[1], subprocess.call, command),
1149
kwargs=popen_args)
760
1150
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1151
self.checker_callback_tag = GLib.io_add_watch(
1152
GLib.IOChannel.unix_new(pipe[0].fileno()),
1153
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
763
1154
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1155
# Re-run this periodically if run by GLib.timeout_add
765
1156
return True
766
1157
767
1158
def stop_checker(self):
768
1159
"""Force the checker process, if any, to stop."""
769
1160
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1161
GLib.source_remove(self.checker_callback_tag)
771
1162
self.checker_callback_tag = None
772
1163
if getattr(self, "checker", None) is None:
773
1164
return
782
1173
byte_arrays=False):
783
1174
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1175
become properties on the D-Bus.
785
1176
786
1177
The decorated method will be called with no arguments by "Get"
787
1178
and with one argument by "Set".
788
1179
789
1180
The parameters, where they are supported, are the same as
790
1181
dbus.service.method, except there is only "signature", since the
791
1182
type from Get() and the type sent to Set() is the same.
795
1186
if byte_arrays and signature != "ay":
796
1187
raise ValueError("Byte arrays not supported for non-'ay'"
797
1188
" signature {!r}".format(signature))
798
1189
799
1190
def decorator(func):
800
1191
func._dbus_is_property = True
801
1192
func._dbus_interface = dbus_interface
804
1195
func._dbus_name = func.__name__
805
1196
if func._dbus_name.endswith("_dbus_property"):
806
1197
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1198
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1199
return func
809
1200
810
1201
return decorator
811
1202
812
1203
813
1204
def dbus_interface_annotations(dbus_interface):
814
1205
"""Decorator for marking functions returning interface annotations
815
1206
816
1207
Usage:
817
1208
818
1209
@dbus_interface_annotations("org.example.Interface")
819
1210
def _foo(self): # Function name does not matter
820
1211
return {"org.freedesktop.DBus.Deprecated": "true",
821
1212
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1213
"false"}
823
1214
"""
824
1215
825
1216
def decorator(func):
826
1217
func._dbus_is_interface = True
827
1218
func._dbus_interface = dbus_interface
828
1219
func._dbus_name = dbus_interface
829
1220
return func
830
1221
831
1222
return decorator
832
1223
833
1224
834
1225
def dbus_annotations(annotations):
835
1226
"""Decorator to annotate D-Bus methods, signals or properties
836
1227
Usage:
837
1228
838
1229
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1230
"org.freedesktop.DBus.Property."
840
1231
"EmitsChangedSignal": "false"})
842
1233
access="r")
843
1234
def Property_dbus_property(self):
844
1235
return dbus.Boolean(False)
845
1236
846
1237
See also the DBusObjectWithAnnotations class.
847
1238
"""
848
1239
849
1240
def decorator(func):
850
1241
func._dbus_annotations = annotations
851
1242
return func
852
1243
853
1244
return decorator
854
1245
855
1246
873
1264
874
1265
class DBusObjectWithAnnotations(dbus.service.Object):
875
1266
"""A D-Bus object with annotations.
876
1267
877
1268
Classes inheriting from this can use the dbus_annotations
878
1269
decorator to add annotations to methods or signals.
879
1270
"""
880
1271
881
1272
@staticmethod
882
1273
def _is_dbus_thing(thing):
883
1274
"""Returns a function testing if an attribute is a D-Bus thing
884
1275
885
1276
If called like _is_dbus_thing("method") it returns a function
886
1277
suitable for use as predicate to inspect.getmembers().
887
1278
"""
888
1279
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1280
False)
890
1281
891
1282
def _get_all_dbus_things(self, thing):
892
1283
"""Returns a generator of (name, attribute) pairs
893
1284
"""
896
1287
for cls in self.__class__.__mro__
897
1288
for name, athing in
898
1289
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1290
900
1291
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1292
out_signature="s",
1293
path_keyword='object_path',
1294
connection_keyword='connection')
904
1295
def Introspect(self, object_path, connection):
905
1296
"""Overloading of standard D-Bus method.
906
1297
907
1298
Inserts annotation tags on methods and signals.
908
1299
"""
909
1300
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1301
connection)
911
1302
try:
912
1303
document = xml.dom.minidom.parseString(xmlstring)
913
1304
914
1305
for if_tag in document.getElementsByTagName("interface"):
915
1306
# Add annotation tags
916
1307
for typ in ("method", "signal"):
943
1334
if_tag.appendChild(ann_tag)
944
1335
# Fix argument name for the Introspect method itself
945
1336
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1337
== dbus.INTROSPECTABLE_IFACE):
947
1338
for cn in if_tag.getElementsByTagName("method"):
948
1339
if cn.getAttribute("name") == "Introspect":
949
1340
for arg in cn.getElementsByTagName("arg"):
962
1353
963
1354
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1355
"""A D-Bus object with properties.
965
1356
966
1357
Classes inheriting from this can use the dbus_service_property
967
1358
decorator to expose methods as D-Bus properties. It exposes the
968
1359
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1360
"""
970
1361
971
1362
def _get_dbus_property(self, interface_name, property_name):
972
1363
"""Returns a bound method if one exists which is a D-Bus
973
1364
property with the specified name and interface.
978
1369
if (value._dbus_name == property_name
979
1370
and value._dbus_interface == interface_name):
980
1371
return value.__get__(self)
981
1372
982
1373
# No such property
983
1374
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1375
self.dbus_object_path, interface_name, property_name))
985
1376
986
1377
@classmethod
987
1378
def _get_all_interface_names(cls):
988
1379
"""Get a sequence of all interfaces supported by an object"""
991
1382
for x in (inspect.getmro(cls))
992
1383
for attr in dir(x))
993
1384
if name is not None)
994
1385
995
1386
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1387
in_signature="ss",
997
1388
out_signature="v")
1005
1396
if not hasattr(value, "variant_level"):
1006
1397
return value
1007
1398
return type(value)(value, variant_level=value.variant_level+1)
1008
1399
1009
1400
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1401
def Set(self, interface_name, property_name, value):
1011
1402
"""Standard D-Bus property Set() method, see D-Bus standard.
1020
1411
raise ValueError("Byte arrays not supported for non-"
1021
1412
"'ay' signature {!r}"
1022
1413
.format(prop._dbus_signature))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1414
value = dbus.ByteArray(bytes(value))
1025
1415
prop(value)
1026
1416
1027
1417
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1418
in_signature="s",
1029
1419
out_signature="a{sv}")
1030
1420
def GetAll(self, interface_name):
1031
1421
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1422
standard.
1033
1423
1034
1424
Note: Will not include properties with access="write".
1035
1425
"""
1036
1426
properties = {}
1047
1437
properties[name] = value
1048
1438
continue
1049
1439
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1440
value, variant_level=value.variant_level + 1)
1051
1441
return dbus.Dictionary(properties, signature="sv")
1052
1442
1053
1443
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1444
def PropertiesChanged(self, interface_name, changed_properties,
1055
1445
invalidated_properties):
1057
1447
standard.
1058
1448
"""
1059
1449
pass
1060
1450
1061
1451
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1452
out_signature="s",
1063
1453
path_keyword='object_path',
1064
1454
connection_keyword='connection')
1065
1455
def Introspect(self, object_path, connection):
1066
1456
"""Overloading of standard D-Bus method.
1067
1457
1068
1458
Inserts property tags and interface annotation tags.
1069
1459
"""
1070
1460
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1462
connection)
1073
1463
try:
1074
1464
document = xml.dom.minidom.parseString(xmlstring)
1075
1465
1076
1466
def make_tag(document, name, prop):
1077
1467
e = document.createElement("property")
1078
1468
e.setAttribute("name", name)
1079
1469
e.setAttribute("type", prop._dbus_signature)
1080
1470
e.setAttribute("access", prop._dbus_access)
1081
1471
return e
1082
1472
1083
1473
for if_tag in document.getElementsByTagName("interface"):
1084
1474
# Add property tags
1085
1475
for tag in (make_tag(document, name, prop)
1127
1517
exc_info=error)
1128
1518
return xmlstring
1129
1519
1520
1130
1521
try:
1131
1522
dbus.OBJECT_MANAGER_IFACE
1132
1523
except AttributeError:
1133
1524
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1525
1526
1135
1527
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1528
"""A D-Bus object with an ObjectManager.
1137
1529
1138
1530
Classes inheriting from this exposes the standard
1139
1531
GetManagedObjects call and the InterfacesAdded and
1140
1532
InterfacesRemoved signals on the standard
1141
1533
"org.freedesktop.DBus.ObjectManager" interface.
1142
1534
1143
1535
Note: No signals are sent automatically; they must be sent
1144
1536
manually.
1145
1537
"""
1146
1538
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1539
out_signature="a{oa{sa{sv}}}")
1148
1540
def GetManagedObjects(self):
1149
1541
"""This function must be overridden"""
1150
1542
raise NotImplementedError()
1151
1543
1152
1544
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1545
signature="oa{sa{sv}}")
1154
1546
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1547
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1548
1549
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1550
def InterfacesRemoved(self, object_path, interfaces):
1159
1551
pass
1160
1552
1161
1553
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1554
out_signature="s",
1555
path_keyword='object_path',
1556
connection_keyword='connection')
1165
1557
def Introspect(self, object_path, connection):
1166
1558
"""Overloading of standard D-Bus method.
1167
1559
1168
1560
Override return argument name of GetManagedObjects to be
1169
1561
"objpath_interfaces_and_properties"
1170
1562
"""
1173
1565
connection)
1174
1566
try:
1175
1567
document = xml.dom.minidom.parseString(xmlstring)
1176
1568
1177
1569
for if_tag in document.getElementsByTagName("interface"):
1178
1570
# Fix argument name for the GetManagedObjects method
1179
1571
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1572
== dbus.OBJECT_MANAGER_IFACE):
1181
1573
for cn in if_tag.getElementsByTagName("method"):
1182
1574
if (cn.getAttribute("name")
1183
1575
== "GetManagedObjects"):
1193
1585
except (AttributeError, xml.dom.DOMException,
1194
1586
xml.parsers.expat.ExpatError) as error:
1195
1587
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1588
exc_info=error)
1197
1589
return xmlstring
1198
1590
1591
1199
1592
def datetime_to_dbus(dt, variant_level=0):
1200
1593
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1594
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1595
return dbus.String("", variant_level=variant_level)
1203
1596
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1597
1205
1598
1208
1601
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1602
interface names according to the "alt_interface_names" mapping.
1210
1603
Usage:
1211
1604
1212
1605
@alternate_dbus_interfaces({"org.example.Interface":
1213
1606
"net.example.AlternateInterface"})
1214
1607
class SampleDBusObject(dbus.service.Object):
1215
1608
@dbus.service.method("org.example.Interface")
1216
1609
def SampleDBusMethod():
1217
1610
pass
1218
1611
1219
1612
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1613
reachable via two interfaces: "org.example.Interface" and
1221
1614
"net.example.AlternateInterface", the latter of which will have
1222
1615
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1616
"true", unless "deprecate" is passed with a False value.
1224
1617
1225
1618
This works for methods and signals, and also for D-Bus properties
1226
1619
(from DBusObjectWithProperties) and interfaces (from the
1227
1620
dbus_interface_annotations decorator).
1228
1621
"""
1229
1622
1230
1623
def wrapper(cls):
1231
1624
for orig_interface_name, alt_interface_name in (
1232
1625
alt_interface_names.items()):
1247
1640
interface_names.add(alt_interface)
1248
1641
# Is this a D-Bus signal?
1249
1642
if getattr(attribute, "_dbus_is_signal", False):
1643
# Extract the original non-method undecorated
1644
# function by black magic
1250
1645
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1646
nonmethod_func = (dict(
1254
1647
zip(attribute.func_code.co_freevars,
1255
1648
attribute.__closure__))
1256
1649
["func"].cell_contents)
1257
1650
else:
1258
nonmethod_func = attribute
1651
nonmethod_func = (dict(
1652
zip(attribute.__code__.co_freevars,
1653
attribute.__closure__))
1654
["func"].cell_contents)
1259
1655
# Create a new, but exactly alike, function
1260
1656
# object, and decorate it to be a new D-Bus signal
1261
1657
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1658
new_function = copy_function(nonmethod_func)
1276
1659
new_function = (dbus.service.signal(
1277
1660
alt_interface,
1278
1661
attribute._dbus_signature)(new_function))
1282
1665
attribute._dbus_annotations)
1283
1666
except AttributeError:
1284
1667
pass
1668
1285
1669
# Define a creator of a function to call both the
1286
1670
# original and alternate functions, so both the
1287
1671
# original and alternate signals gets sent when
1290
1674
"""This function is a scope container to pass
1291
1675
func1 and func2 to the "call_both" function
1292
1676
outside of its arguments"""
1293
1677
1294
1678
@functools.wraps(func2)
1295
1679
def call_both(*args, **kwargs):
1296
1680
"""This function will emit two D-Bus
1297
1681
signals by calling func1 and func2"""
1298
1682
func1(*args, **kwargs)
1299
1683
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1684
# Make wrapper function look like a D-Bus
1685
# signal
1301
1686
for name, attr in inspect.getmembers(func2):
1302
1687
if name.startswith("_dbus_"):
1303
1688
setattr(call_both, name, attr)
1304
1689
1305
1690
return call_both
1306
1691
# Create the "call_both" function and add it to
1307
1692
# the class
1317
1702
alt_interface,
1318
1703
attribute._dbus_in_signature,
1319
1704
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1705
(copy_function(attribute)))
1325
1706
# Copy annotations, if any
1326
1707
try:
1327
1708
attr[attrname]._dbus_annotations = dict(
1339
1720
attribute._dbus_access,
1340
1721
attribute._dbus_get_args_options
1341
1722
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1723
(copy_function(attribute)))
1348
1724
# Copy annotations, if any
1349
1725
try:
1350
1726
attr[attrname]._dbus_annotations = dict(
1359
1735
# to the class.
1360
1736
attr[attrname] = (
1361
1737
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1738
(copy_function(attribute)))
1367
1739
if deprecate:
1368
1740
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1741
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1742
for interface_name in interface_names:
1371
1743
1372
1744
@dbus_interface_annotations(interface_name)
1373
1745
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1746
return {"org.freedesktop.DBus.Deprecated":
1747
"true"}
1376
1748
# Find an unused name
1377
1749
for aname in (iname.format(i)
1378
1750
for i in itertools.count()):
1382
1754
if interface_names:
1383
1755
# Replace the class with a new subclass of it with
1384
1756
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1757
if sys.version_info.major == 2:
1758
cls = type(b"{}Alternate".format(cls.__name__),
1759
(cls, ), attr)
1760
else:
1761
cls = type("{}Alternate".format(cls.__name__),
1762
(cls, ), attr)
1387
1763
return cls
1388
1764
1389
1765
return wrapper
1390
1766
1391
1767
1393
1769
"se.bsnet.fukt.Mandos"})
1394
1770
class ClientDBus(Client, DBusObjectWithProperties):
1395
1771
"""A Client class using D-Bus
1396
1772
1397
1773
Attributes:
1398
1774
dbus_object_path: dbus.ObjectPath
1399
1775
bus: dbus.SystemBus()
1400
1776
"""
1401
1777
1402
1778
runtime_expansions = (Client.runtime_expansions
1403
1779
+ ("dbus_object_path", ))
1404
1780
1405
1781
_interface = "se.recompile.Mandos.Client"
1406
1782
1407
1783
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1784
1785
def __init__(self, bus=None, *args, **kwargs):
1410
1786
self.bus = bus
1411
1787
Client.__init__(self, *args, **kwargs)
1412
1788
# Only now, when this client is initialized, can it show up on
1418
1794
"/clients/" + client_object_name)
1419
1795
DBusObjectWithProperties.__init__(self, self.bus,
1420
1796
self.dbus_object_path)
1421
1797
1422
1798
def notifychangeproperty(transform_func, dbus_name,
1423
1799
type_func=lambda x: x,
1424
1800
variant_level=1,
1426
1802
_interface=_interface):
1427
1803
""" Modify a variable so that it's a property which announces
1428
1804
its changes to DBus.
1429
1805
1430
1806
transform_fun: Function that takes a value and a variant_level
1431
1807
and transforms it to a D-Bus type.
1432
1808
dbus_name: D-Bus name of the variable
1435
1811
variant_level: D-Bus variant level. Default: 1
1436
1812
"""
1437
1813
attrname = "_{}".format(dbus_name)
1438
1814
1439
1815
def setter(self, value):
1440
1816
if hasattr(self, "dbus_object_path"):
1441
1817
if (not hasattr(self, attrname) or
1448
1824
else:
1449
1825
dbus_value = transform_func(
1450
1826
type_func(value),
1451
variant_level = variant_level)
1827
variant_level=variant_level)
1452
1828
self.PropertyChanged(dbus.String(dbus_name),
1453
1829
dbus_value)
1454
1830
self.PropertiesChanged(
1455
1831
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1832
dbus.Dictionary({dbus.String(dbus_name):
1833
dbus_value}),
1458
1834
dbus.Array())
1459
1835
setattr(self, attrname, value)
1460
1836
1461
1837
return property(lambda self: getattr(self, attrname), setter)
1462
1838
1463
1839
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1840
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1841
"ApprovalPending",
1466
type_func = bool)
1842
type_func=bool)
1467
1843
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1844
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1845
"LastEnabled")
1470
1846
checker = notifychangeproperty(
1471
1847
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1848
type_func=lambda checker: checker is not None)
1473
1849
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1850
"LastCheckedOK")
1475
1851
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1856
"ApprovedByDefault")
1481
1857
approval_delay = notifychangeproperty(
1482
1858
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1859
type_func=lambda td: td.total_seconds() * 1000)
1484
1860
approval_duration = notifychangeproperty(
1485
1861
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1862
type_func=lambda td: td.total_seconds() * 1000)
1487
1863
host = notifychangeproperty(dbus.String, "Host")
1488
1864
timeout = notifychangeproperty(
1489
1865
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1866
type_func=lambda td: td.total_seconds() * 1000)
1491
1867
extended_timeout = notifychangeproperty(
1492
1868
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1869
type_func=lambda td: td.total_seconds() * 1000)
1494
1870
interval = notifychangeproperty(
1495
1871
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1872
type_func=lambda td: td.total_seconds() * 1000)
1497
1873
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1874
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1875
invalidate_only=True)
1500
1876
1501
1877
del notifychangeproperty
1502
1878
1503
1879
def __del__(self, *args, **kwargs):
1504
1880
try:
1505
1881
self.remove_from_connection()
1508
1884
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1885
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1886
Client.__del__(self, *args, **kwargs)
1511
1887
1512
1888
def checker_callback(self, source, condition,
1513
1889
connection, command, *args, **kwargs):
1514
1890
ret = Client.checker_callback(self, source, condition,
1530
1906
| self.last_checker_signal),
1531
1907
dbus.String(command))
1532
1908
return ret
1533
1909
1534
1910
def start_checker(self, *args, **kwargs):
1535
1911
old_checker_pid = getattr(self.checker, "pid", None)
1536
1912
r = Client.start_checker(self, *args, **kwargs)
1540
1916
# Emit D-Bus signal
1541
1917
self.CheckerStarted(self.current_checker_command)
1542
1918
return r
1543
1919
1544
1920
def _reset_approved(self):
1545
1921
self.approved = None
1546
1922
return False
1547
1923
1548
1924
def approve(self, value=True):
1549
1925
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1926
GLib.timeout_add(int(self.approval_duration.total_seconds()
1927
* 1000), self._reset_approved)
1552
1928
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1929
1930
# D-Bus methods, signals & properties
1931
1932
# Interfaces
1933
1934
# Signals
1935
1560
1936
# CheckerCompleted - signal
1561
1937
@dbus.service.signal(_interface, signature="nxs")
1562
1938
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1939
"D-Bus signal"
1564
1940
pass
1565
1941
1566
1942
# CheckerStarted - signal
1567
1943
@dbus.service.signal(_interface, signature="s")
1568
1944
def CheckerStarted(self, command):
1569
1945
"D-Bus signal"
1570
1946
pass
1571
1947
1572
1948
# PropertyChanged - signal
1573
1949
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1950
@dbus.service.signal(_interface, signature="sv")
1575
1951
def PropertyChanged(self, property, value):
1576
1952
"D-Bus signal"
1577
1953
pass
1578
1954
1579
1955
# GotSecret - signal
1580
1956
@dbus.service.signal(_interface)
1581
1957
def GotSecret(self):
1584
1960
server to mandos-client
1585
1961
"""
1586
1962
pass
1587
1963
1588
1964
# Rejected - signal
1589
1965
@dbus.service.signal(_interface, signature="s")
1590
1966
def Rejected(self, reason):
1591
1967
"D-Bus signal"
1592
1968
pass
1593
1969
1594
1970
# NeedApproval - signal
1595
1971
@dbus.service.signal(_interface, signature="tb")
1596
1972
def NeedApproval(self, timeout, default):
1597
1973
"D-Bus signal"
1598
1974
return self.need_approval()
1599
1600
## Methods
1601
1975
1976
# Methods
1977
1602
1978
# Approve - method
1603
1979
@dbus.service.method(_interface, in_signature="b")
1604
1980
def Approve(self, value):
1605
1981
self.approve(value)
1606
1982
1607
1983
# CheckedOK - method
1608
1984
@dbus.service.method(_interface)
1609
1985
def CheckedOK(self):
1610
1986
self.checked_ok()
1611
1987
1612
1988
# Enable - method
1613
1989
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1990
@dbus.service.method(_interface)
1615
1991
def Enable(self):
1616
1992
"D-Bus method"
1617
1993
self.enable()
1618
1994
1619
1995
# StartChecker - method
1620
1996
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1997
@dbus.service.method(_interface)
1622
1998
def StartChecker(self):
1623
1999
"D-Bus method"
1624
2000
self.start_checker()
1625
2001
1626
2002
# Disable - method
1627
2003
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
2004
@dbus.service.method(_interface)
1629
2005
def Disable(self):
1630
2006
"D-Bus method"
1631
2007
self.disable()
1632
2008
1633
2009
# StopChecker - method
1634
2010
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2011
@dbus.service.method(_interface)
1636
2012
def StopChecker(self):
1637
2013
self.stop_checker()
1638
1639
## Properties
1640
2014
2015
# Properties
2016
1641
2017
# ApprovalPending - property
1642
2018
@dbus_service_property(_interface, signature="b", access="read")
1643
2019
def ApprovalPending_dbus_property(self):
1644
2020
return dbus.Boolean(bool(self.approvals_pending))
1645
2021
1646
2022
# ApprovedByDefault - property
1647
2023
@dbus_service_property(_interface,
1648
2024
signature="b",
1651
2027
if value is None: # get
1652
2028
return dbus.Boolean(self.approved_by_default)
1653
2029
self.approved_by_default = bool(value)
1654
2030
1655
2031
# ApprovalDelay - property
1656
2032
@dbus_service_property(_interface,
1657
2033
signature="t",
1661
2037
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2038
* 1000)
1663
2039
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2040
1665
2041
# ApprovalDuration - property
1666
2042
@dbus_service_property(_interface,
1667
2043
signature="t",
1671
2047
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2048
* 1000)
1673
2049
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2050
1675
2051
# Name - property
1676
2052
@dbus_annotations(
1677
2053
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2054
@dbus_service_property(_interface, signature="s", access="read")
1679
2055
def Name_dbus_property(self):
1680
2056
return dbus.String(self.name)
1681
2057
2058
# KeyID - property
2059
@dbus_annotations(
2060
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2061
@dbus_service_property(_interface, signature="s", access="read")
2062
def KeyID_dbus_property(self):
2063
return dbus.String(self.key_id)
2064
1682
2065
# Fingerprint - property
1683
2066
@dbus_annotations(
1684
2067
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2068
@dbus_service_property(_interface, signature="s", access="read")
1686
2069
def Fingerprint_dbus_property(self):
1687
2070
return dbus.String(self.fingerprint)
1688
2071
1689
2072
# Host - property
1690
2073
@dbus_service_property(_interface,
1691
2074
signature="s",
1694
2077
if value is None: # get
1695
2078
return dbus.String(self.host)
1696
2079
self.host = str(value)
1697
2080
1698
2081
# Created - property
1699
2082
@dbus_annotations(
1700
2083
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2084
@dbus_service_property(_interface, signature="s", access="read")
1702
2085
def Created_dbus_property(self):
1703
2086
return datetime_to_dbus(self.created)
1704
2087
1705
2088
# LastEnabled - property
1706
2089
@dbus_service_property(_interface, signature="s", access="read")
1707
2090
def LastEnabled_dbus_property(self):
1708
2091
return datetime_to_dbus(self.last_enabled)
1709
2092
1710
2093
# Enabled - property
1711
2094
@dbus_service_property(_interface,
1712
2095
signature="b",
1718
2101
self.enable()
1719
2102
else:
1720
2103
self.disable()
1721
2104
1722
2105
# LastCheckedOK - property
1723
2106
@dbus_service_property(_interface,
1724
2107
signature="s",
1728
2111
self.checked_ok()
1729
2112
return
1730
2113
return datetime_to_dbus(self.last_checked_ok)
1731
2114
1732
2115
# LastCheckerStatus - property
1733
2116
@dbus_service_property(_interface, signature="n", access="read")
1734
2117
def LastCheckerStatus_dbus_property(self):
1735
2118
return dbus.Int16(self.last_checker_status)
1736
2119
1737
2120
# Expires - property
1738
2121
@dbus_service_property(_interface, signature="s", access="read")
1739
2122
def Expires_dbus_property(self):
1740
2123
return datetime_to_dbus(self.expires)
1741
2124
1742
2125
# LastApprovalRequest - property
1743
2126
@dbus_service_property(_interface, signature="s", access="read")
1744
2127
def LastApprovalRequest_dbus_property(self):
1745
2128
return datetime_to_dbus(self.last_approval_request)
1746
2129
1747
2130
# Timeout - property
1748
2131
@dbus_service_property(_interface,
1749
2132
signature="t",
1764
2147
if (getattr(self, "disable_initiator_tag", None)
1765
2148
is None):
1766
2149
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2150
GLib.source_remove(self.disable_initiator_tag)
2151
self.disable_initiator_tag = GLib.timeout_add(
1769
2152
int((self.expires - now).total_seconds() * 1000),
1770
2153
self.disable)
1771
2154
1772
2155
# ExtendedTimeout - property
1773
2156
@dbus_service_property(_interface,
1774
2157
signature="t",
1778
2161
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2162
* 1000)
1780
2163
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2164
1782
2165
# Interval - property
1783
2166
@dbus_service_property(_interface,
1784
2167
signature="t",
1791
2174
return
1792
2175
if self.enabled:
1793
2176
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2177
GLib.source_remove(self.checker_initiator_tag)
2178
self.checker_initiator_tag = GLib.timeout_add(
1796
2179
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2180
self.start_checker() # Start one now, too
2181
1799
2182
# Checker - property
1800
2183
@dbus_service_property(_interface,
1801
2184
signature="s",
1804
2187
if value is None: # get
1805
2188
return dbus.String(self.checker_command)
1806
2189
self.checker_command = str(value)
1807
2190
1808
2191
# CheckerRunning - property
1809
2192
@dbus_service_property(_interface,
1810
2193
signature="b",
1816
2199
self.start_checker()
1817
2200
else:
1818
2201
self.stop_checker()
1819
2202
1820
2203
# ObjectPath - property
1821
2204
@dbus_annotations(
1822
2205
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2206
"org.freedesktop.DBus.Deprecated": "true"})
1824
2207
@dbus_service_property(_interface, signature="o", access="read")
1825
2208
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2209
return self.dbus_object_path # is already a dbus.ObjectPath
2210
1828
2211
# Secret = property
1829
2212
@dbus_annotations(
1830
2213
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2218
byte_arrays=True)
1836
2219
def Secret_dbus_property(self, value):
1837
2220
self.secret = bytes(value)
1838
2221
1839
2222
del _interface
1840
2223
1841
2224
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2225
class ProxyClient:
2226
def __init__(self, child_pipe, key_id, fpr, address):
1844
2227
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2228
self._pipe.send(('init', key_id, fpr, address))
1846
2229
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2230
raise KeyError(key_id or fpr)
2231
1849
2232
def __getattribute__(self, name):
1850
2233
if name == '_pipe':
1851
2234
return super(ProxyClient, self).__getattribute__(name)
1854
2237
if data[0] == 'data':
1855
2238
return data[1]
1856
2239
if data[0] == 'function':
1857
2240
1858
2241
def func(*args, **kwargs):
1859
2242
self._pipe.send(('funcall', name, args, kwargs))
1860
2243
return self._pipe.recv()[1]
1861
2244
1862
2245
return func
1863
2246
1864
2247
def __setattr__(self, name, value):
1865
2248
if name == '_pipe':
1866
2249
return super(ProxyClient, self).__setattr__(name, value)
1869
2252
1870
2253
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2254
"""A class to handle client connections.
1872
2255
1873
2256
Instantiated once for each connection to handle it.
1874
2257
Note: This will run in its own forked process."""
1875
2258
1876
2259
def handle(self):
1877
2260
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2261
logger.info("TCP connection from: %s",
1879
2262
str(self.client_address))
1880
2263
logger.debug("Pipe FD: %d",
1881
2264
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2265
2266
session = gnutls.ClientSession(self.request)
2267
2268
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2269
# "+AES-256-CBC", "+SHA1",
2270
# "+COMP-NULL", "+CTYPE-OPENPGP",
2271
# "+DHE-DSS"))
1895
2272
# Use a fallback default, since this MUST be set.
1896
2273
priority = self.server.gnutls_priority
1897
2274
if priority is None:
1898
2275
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2276
gnutls.priority_set_direct(session._c_object,
2277
priority.encode("utf-8"),
2278
None)
2279
1902
2280
# Start communication using the Mandos protocol
1903
2281
# Get protocol number
1904
2282
line = self.request.makefile().readline()
1909
2287
except (ValueError, IndexError, RuntimeError) as error:
1910
2288
logger.error("Unknown protocol version: %s", error)
1911
2289
return
1912
2290
1913
2291
# Start GnuTLS connection
1914
2292
try:
1915
2293
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2294
except gnutls.Error as error:
1917
2295
logger.warning("Handshake failed: %s", error)
1918
2296
# Do not run session.bye() here: the session is not
1919
2297
# established. Just abandon the request.
1920
2298
return
1921
2299
logger.debug("Handshake succeeded")
1922
2300
1923
2301
approval_required = False
1924
2302
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2303
if gnutls.has_rawpk:
2304
fpr = b""
2305
try:
2306
key_id = self.key_id(
2307
self.peer_certificate(session))
2308
except (TypeError, gnutls.Error) as error:
2309
logger.warning("Bad certificate: %s", error)
2310
return
2311
logger.debug("Key ID: %s", key_id)
2312
2313
else:
2314
key_id = b""
2315
try:
2316
fpr = self.fingerprint(
2317
self.peer_certificate(session))
2318
except (TypeError, gnutls.Error) as error:
2319
logger.warning("Bad certificate: %s", error)
2320
return
2321
logger.debug("Fingerprint: %s", fpr)
2322
2323
try:
2324
client = ProxyClient(child_pipe, key_id, fpr,
1936
2325
self.client_address)
1937
2326
except KeyError:
1938
2327
return
1939
2328
1940
2329
if client.approval_delay:
1941
2330
delay = client.approval_delay
1942
2331
client.approvals_pending += 1
1943
2332
approval_required = True
1944
2333
1945
2334
while True:
1946
2335
if not client.enabled:
1947
2336
logger.info("Client %s is disabled",
1950
2339
# Emit D-Bus signal
1951
2340
client.Rejected("Disabled")
1952
2341
return
1953
2342
1954
2343
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2344
# We are approved or approval is disabled
1956
2345
break
1957
2346
elif client.approved is None:
1958
2347
logger.info("Client %s needs approval",
1969
2358
# Emit D-Bus signal
1970
2359
client.Rejected("Denied")
1971
2360
return
1972
1973
#wait until timeout or approved
2361
2362
# wait until timeout or approved
1974
2363
time = datetime.datetime.now()
1975
2364
client.changedstate.acquire()
1976
2365
client.changedstate.wait(delay.total_seconds())
1989
2378
break
1990
2379
else:
1991
2380
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2381
2382
try:
2383
session.send(client.secret)
2384
except gnutls.Error as error:
2385
logger.warning("gnutls send failed",
2386
exc_info=error)
2387
return
2388
2006
2389
logger.info("Sending secret to %s", client.name)
2007
2390
# bump the timeout using extended_timeout
2008
2391
client.bump_timeout(client.extended_timeout)
2009
2392
if self.server.use_dbus:
2010
2393
# Emit D-Bus signal
2011
2394
client.GotSecret()
2012
2395
2013
2396
finally:
2014
2397
if approval_required:
2015
2398
client.approvals_pending -= 1
2016
2399
try:
2017
2400
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2401
except gnutls.Error as error:
2019
2402
logger.warning("GnuTLS bye failed",
2020
2403
exc_info=error)
2021
2404
2022
2405
@staticmethod
2023
2406
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2407
"Return the peer's certificate as a bytestring"
2408
try:
2409
cert_type = gnutls.certificate_type_get2(session._c_object,
2410
gnutls.CTYPE_PEERS)
2411
except AttributeError:
2412
cert_type = gnutls.certificate_type_get(session._c_object)
2413
if gnutls.has_rawpk:
2414
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2415
else:
2416
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2417
# If not a valid certificate type...
2418
if cert_type not in valid_cert_types:
2419
logger.info("Cert type %r not in %r", cert_type,
2420
valid_cert_types)
2421
# ...return invalid data
2422
return b""
2031
2423
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2424
cert_list = (gnutls.certificate_get_peers
2034
2425
(session._c_object, ctypes.byref(list_size)))
2035
2426
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2427
raise gnutls.Error("error getting peer certificate")
2038
2428
if list_size.value == 0:
2039
2429
return None
2040
2430
cert = cert_list[0]
2041
2431
return ctypes.string_at(cert.data, cert.size)
2042
2432
2433
@staticmethod
2434
def key_id(certificate):
2435
"Convert a certificate bytestring to a hexdigit key ID"
2436
# New GnuTLS "datum" with the public key
2437
datum = gnutls.datum_t(
2438
ctypes.cast(ctypes.c_char_p(certificate),
2439
ctypes.POINTER(ctypes.c_ubyte)),
2440
ctypes.c_uint(len(certificate)))
2441
# XXX all these need to be created in the gnutls "module"
2442
# New empty GnuTLS certificate
2443
pubkey = gnutls.pubkey_t()
2444
gnutls.pubkey_init(ctypes.byref(pubkey))
2445
# Import the raw public key into the certificate
2446
gnutls.pubkey_import(pubkey,
2447
ctypes.byref(datum),
2448
gnutls.X509_FMT_DER)
2449
# New buffer for the key ID
2450
buf = ctypes.create_string_buffer(32)
2451
buf_len = ctypes.c_size_t(len(buf))
2452
# Get the key ID from the raw public key into the buffer
2453
gnutls.pubkey_get_key_id(pubkey,
2454
gnutls.KEYID_USE_SHA256,
2455
ctypes.cast(ctypes.byref(buf),
2456
ctypes.POINTER(ctypes.c_ubyte)),
2457
ctypes.byref(buf_len))
2458
# Deinit the certificate
2459
gnutls.pubkey_deinit(pubkey)
2460
2461
# Convert the buffer to a Python bytestring
2462
key_id = ctypes.string_at(buf, buf_len.value)
2463
# Convert the bytestring to hexadecimal notation
2464
hex_key_id = binascii.hexlify(key_id).upper()
2465
return hex_key_id
2466
2043
2467
@staticmethod
2044
2468
def fingerprint(openpgp):
2045
2469
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2470
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2471
datum = gnutls.datum_t(
2048
2472
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2473
ctypes.POINTER(ctypes.c_ubyte)),
2050
2474
ctypes.c_uint(len(openpgp)))
2051
2475
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2476
crt = gnutls.openpgp_crt_t()
2477
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2478
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2479
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2480
gnutls.OPENPGP_FMT_RAW)
2059
2481
# Verify the self signature in the key
2060
2482
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2483
gnutls.openpgp_crt_verify_self(crt, 0,
2484
ctypes.byref(crtverify))
2063
2485
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2486
gnutls.openpgp_crt_deinit(crt)
2487
raise gnutls.CertificateSecurityError(code
2488
=crtverify.value)
2067
2489
# New buffer for the fingerprint
2068
2490
buf = ctypes.create_string_buffer(20)
2069
2491
buf_len = ctypes.c_size_t()
2070
2492
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2493
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2494
ctypes.byref(buf_len))
2073
2495
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2496
gnutls.openpgp_crt_deinit(crt)
2075
2497
# Convert the buffer to a Python bytestring
2076
2498
fpr = ctypes.string_at(buf, buf_len.value)
2077
2499
# Convert the bytestring to hexadecimal notation
2079
2501
return hex_fpr
2080
2502
2081
2503
2082
class MultiprocessingMixIn(object):
2504
class MultiprocessingMixIn:
2083
2505
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2506
2085
2507
def sub_process_main(self, request, address):
2086
2508
try:
2087
2509
self.finish_request(request, address)
2088
2510
except Exception:
2089
2511
self.handle_error(request, address)
2090
2512
self.close_request(request)
2091
2513
2092
2514
def process_request(self, request, address):
2093
2515
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2516
proc = multiprocessing.Process(target=self.sub_process_main,
2517
args=(request, address))
2096
2518
proc.start()
2097
2519
return proc
2098
2520
2099
2521
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2522
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2101
2523
""" adds a pipe to the MixIn """
2102
2524
2103
2525
def process_request(self, request, client_address):
2104
2526
"""Overrides and wraps the original process_request().
2105
2527
2106
2528
This function creates a new pipe in self.pipe
2107
2529
"""
2108
2530
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2531
2110
2532
proc = MultiprocessingMixIn.process_request(self, request,
2111
2533
client_address)
2112
2534
self.child_pipe.close()
2113
2535
self.add_pipe(parent_pipe, proc)
2114
2536
2115
2537
def add_pipe(self, parent_pipe, proc):
2116
2538
"""Dummy function; override as necessary"""
2117
2539
raise NotImplementedError()
2118
2540
2119
2541
2120
2542
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
socketserver.TCPServer, object):
2543
socketserver.TCPServer):
2122
2544
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2545
2124
2546
Attributes:
2125
2547
enabled: Boolean; whether this server is activated yet
2126
2548
interface: None or a network interface name (string)
2127
2549
use_ipv6: Boolean; to use IPv6 or not
2128
2550
"""
2129
2551
2130
2552
def __init__(self, server_address, RequestHandlerClass,
2131
2553
interface=None,
2132
2554
use_ipv6=True,
2142
2564
self.socketfd = socketfd
2143
2565
# Save the original socket.socket() function
2144
2566
self.socket_socket = socket.socket
2567
2145
2568
# To implement --socket, we monkey patch socket.socket.
2146
#
2569
#
2147
2570
# (When socketserver.TCPServer is a new-style class, we
2148
2571
# could make self.socket into a property instead of monkey
2149
2572
# patching socket.socket.)
2150
#
2573
#
2151
2574
# Create a one-time-only replacement for socket.socket()
2152
2575
@functools.wraps(socket.socket)
2153
2576
def socket_wrapper(*args, **kwargs):
2165
2588
# socket_wrapper(), if socketfd was set.
2166
2589
socketserver.TCPServer.__init__(self, server_address,
2167
2590
RequestHandlerClass)
2168
2591
2169
2592
def server_bind(self):
2170
2593
"""This overrides the normal server_bind() function
2171
2594
to bind to an interface if one was specified, and also NOT to
2172
2595
bind to an address or port if they were not specified."""
2596
global SO_BINDTODEVICE
2173
2597
if self.interface is not None:
2174
2598
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2599
# Fall back to a hard-coded value which seems to be
2600
# common enough.
2601
logger.warning("SO_BINDTODEVICE not found, trying 25")
2602
SO_BINDTODEVICE = 25
2603
try:
2604
self.socket.setsockopt(
2605
socket.SOL_SOCKET, SO_BINDTODEVICE,
2606
(self.interface + "\0").encode("utf-8"))
2607
except socket.error as error:
2608
if error.errno == errno.EPERM:
2609
logger.error("No permission to bind to"
2610
" interface %s", self.interface)
2611
elif error.errno == errno.ENOPROTOOPT:
2612
logger.error("SO_BINDTODEVICE not available;"
2613
" cannot bind to interface %s",
2614
self.interface)
2615
elif error.errno == errno.ENODEV:
2616
logger.error("Interface %s does not exist,"
2617
" cannot bind", self.interface)
2618
else:
2619
raise
2196
2620
# Only bind(2) the socket if we really need to.
2197
2621
if self.server_address[0] or self.server_address[1]:
2622
if self.server_address[1]:
2623
self.allow_reuse_address = True
2198
2624
if not self.server_address[0]:
2199
2625
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2626
any_address = "::" # in6addr_any
2201
2627
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2628
any_address = "0.0.0.0" # INADDR_ANY
2203
2629
self.server_address = (any_address,
2204
2630
self.server_address[1])
2205
2631
elif not self.server_address[1]:
2215
2641
2216
2642
class MandosServer(IPv6_TCPServer):
2217
2643
"""Mandos server.
2218
2644
2219
2645
Attributes:
2220
2646
clients: set of Client objects
2221
2647
gnutls_priority GnuTLS priority string
2222
2648
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2649
2650
Assumes a GLib.MainLoop event loop.
2225
2651
"""
2226
2652
2227
2653
def __init__(self, server_address, RequestHandlerClass,
2228
2654
interface=None,
2229
2655
use_ipv6=True,
2239
2665
self.gnutls_priority = gnutls_priority
2240
2666
IPv6_TCPServer.__init__(self, server_address,
2241
2667
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2668
interface=interface,
2669
use_ipv6=use_ipv6,
2670
socketfd=socketfd)
2671
2246
2672
def server_activate(self):
2247
2673
if self.enabled:
2248
2674
return socketserver.TCPServer.server_activate(self)
2249
2675
2250
2676
def enable(self):
2251
2677
self.enabled = True
2252
2678
2253
2679
def add_pipe(self, parent_pipe, proc):
2254
2680
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2681
GLib.io_add_watch(
2682
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2683
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2258
2684
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2685
parent_pipe=parent_pipe,
2686
proc=proc))
2687
2262
2688
def handle_ipc(self, source, condition,
2263
2689
parent_pipe=None,
2264
proc = None,
2690
proc=None,
2265
2691
client_object=None):
2266
2692
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2693
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2694
# Wait for other process to exit
2269
2695
proc.join()
2270
2696
return False
2271
2697
2272
2698
# Read a request from the child
2273
2699
request = parent_pipe.recv()
2274
2700
command = request[0]
2275
2701
2276
2702
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2703
key_id = request[1].decode("ascii")
2704
fpr = request[2].decode("ascii")
2705
address = request[3]
2706
2707
for c in self.clients.values():
2708
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2709
continue
2710
if key_id and c.key_id == key_id:
2711
client = c
2712
break
2713
if fpr and c.fingerprint == fpr:
2282
2714
client = c
2283
2715
break
2284
2716
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2717
logger.info("Client not found for key ID: %s, address"
2718
": %s", key_id or fpr, address)
2287
2719
if self.use_dbus:
2288
2720
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2721
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2722
address[0])
2291
2723
parent_pipe.send(False)
2292
2724
return False
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2725
2726
GLib.io_add_watch(
2727
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2728
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2297
2729
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2730
parent_pipe=parent_pipe,
2731
proc=proc,
2732
client_object=client))
2301
2733
parent_pipe.send(True)
2302
2734
# remove the old hook in favor of the new above hook on
2303
2735
# same fileno
2306
2738
funcname = request[1]
2307
2739
args = request[2]
2308
2740
kwargs = request[3]
2309
2741
2310
2742
parent_pipe.send(('data', getattr(client_object,
2311
2743
funcname)(*args,
2312
2744
**kwargs)))
2313
2745
2314
2746
if command == 'getattr':
2315
2747
attrname = request[1]
2316
2748
if isinstance(client_object.__getattribute__(attrname),
2319
2751
else:
2320
2752
parent_pipe.send((
2321
2753
'data', client_object.__getattribute__(attrname)))
2322
2754
2323
2755
if command == 'setattr':
2324
2756
attrname = request[1]
2325
2757
value = request[2]
2326
2758
setattr(client_object, attrname, value)
2327
2759
2328
2760
return True
2329
2761
2330
2762
2331
2763
def rfc3339_duration_to_delta(duration):
2332
2764
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2765
2766
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2767
True
2768
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2769
True
2770
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2771
True
2772
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2773
True
2774
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2775
True
2776
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2777
True
2778
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2779
True
2348
2780
"""
2349
2781
2350
2782
# Parsing an RFC 3339 duration with regular expressions is not
2351
2783
# possible - there would have to be multiple places for the same
2352
2784
# values, like seconds. The current code, while more esoteric, is
2353
2785
# cleaner without depending on a parsing library. If Python had a
2354
2786
# built-in library for parsing we would use it, but we'd like to
2355
2787
# avoid excessive use of external libraries.
2356
2788
2357
2789
# New type for defining tokens, syntax, and semantics all-in-one
2358
2790
Token = collections.namedtuple("Token", (
2359
2791
"regexp", # To match token; if "value" is not None, must have
2392
2824
frozenset((token_year, token_month,
2393
2825
token_day, token_time,
2394
2826
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2827
# Define starting values:
2828
# Value so far
2829
value = datetime.timedelta()
2397
2830
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2831
# Following valid tokens
2832
followers = frozenset((token_duration, ))
2833
# String left to parse
2834
s = duration
2400
2835
# Loop until end token is found
2401
2836
while found_token is not token_end:
2402
2837
# Search for any currently valid tokens
2426
2861
2427
2862
def string_to_delta(interval):
2428
2863
"""Parse a string and return a datetime.timedelta
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2864
2865
>>> string_to_delta('7d') == datetime.timedelta(7)
2866
True
2867
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2868
True
2869
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2870
True
2871
>>> string_to_delta('24h') == datetime.timedelta(1)
2872
True
2873
>>> string_to_delta('1w') == datetime.timedelta(7)
2874
True
2875
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2876
True
2442
2877
"""
2443
2878
2444
2879
try:
2445
2880
return rfc3339_duration_to_delta(interval)
2446
2881
except ValueError:
2447
2882
pass
2448
2883
2449
2884
timevalue = datetime.timedelta(0)
2450
2885
for s in interval.split():
2451
2886
try:
2469
2904
return timevalue
2470
2905
2471
2906
2472
def daemon(nochdir = False, noclose = False):
2907
def daemon(nochdir=False, noclose=False):
2473
2908
"""See daemon(3). Standard BSD Unix function.
2474
2909
2475
2910
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2911
if os.fork():
2477
2912
sys.exit()
2495
2930
2496
2931
2497
2932
def main():
2498
2933
2499
2934
##################################################################
2500
2935
# Parsing of options, both command line and config file
2501
2936
2502
2937
parser = argparse.ArgumentParser()
2503
2938
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2939
version="%(prog)s {}".format(version),
2505
2940
help="show version number and exit")
2506
2941
parser.add_argument("-i", "--interface", metavar="IF",
2507
2942
help="Bind to interface IF")
2543
2978
parser.add_argument("--no-zeroconf", action="store_false",
2544
2979
dest="zeroconf", help="Do not use Zeroconf",
2545
2980
default=None)
2546
2981
2547
2982
options = parser.parse_args()
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2983
2554
2984
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2985
if gnutls.has_rawpk:
2986
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2987
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2988
else:
2989
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2990
":+SIGN-DSA-SHA256")
2991
server_defaults = {"interface": "",
2992
"address": "",
2993
"port": "",
2994
"debug": "False",
2995
"priority": priority,
2996
"servicename": "Mandos",
2997
"use_dbus": "True",
2998
"use_ipv6": "True",
2999
"debuglevel": "",
3000
"restore": "True",
3001
"socket": "",
3002
"statedir": "/var/lib/mandos",
3003
"foreground": "False",
3004
"zeroconf": "True",
3005
}
3006
del priority
3007
2573
3008
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3009
server_config = configparser.ConfigParser(server_defaults)
2575
3010
del server_defaults
2576
3011
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3012
# Convert the ConfigParser object to a dict
2578
3013
server_settings = server_config.defaults()
2579
3014
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3015
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3016
"foreground", "zeroconf"):
2581
3017
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3018
option)
2583
3019
if server_settings["port"]:
2593
3029
server_settings["socket"] = os.dup(server_settings
2594
3030
["socket"])
2595
3031
del server_config
2596
3032
2597
3033
# Override the settings from the config file with command line
2598
3034
# options, if set.
2599
3035
for option in ("interface", "address", "port", "debug",
2617
3053
if server_settings["debug"]:
2618
3054
server_settings["foreground"] = True
2619
3055
# Now we have our good server settings in "server_settings"
2620
3056
2621
3057
##################################################################
2622
3058
2623
3059
if (not server_settings["zeroconf"]
2624
3060
and not (server_settings["port"]
2625
3061
or server_settings["socket"] != "")):
2626
3062
parser.error("Needs port or socket to work without Zeroconf")
2627
3063
2628
3064
# For convenience
2629
3065
debug = server_settings["debug"]
2630
3066
debuglevel = server_settings["debuglevel"]
2634
3070
stored_state_file)
2635
3071
foreground = server_settings["foreground"]
2636
3072
zeroconf = server_settings["zeroconf"]
2637
3073
2638
3074
if debug:
2639
3075
initlogger(debug, logging.DEBUG)
2640
3076
else:
2643
3079
else:
2644
3080
level = getattr(logging, debuglevel.upper())
2645
3081
initlogger(debug, level)
2646
3082
2647
3083
if server_settings["servicename"] != "Mandos":
2648
3084
syslogger.setFormatter(
2649
3085
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3086
' %(levelname)s: %(message)s'.format(
2651
3087
server_settings["servicename"])))
2652
3088
2653
3089
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3090
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3091
client_config.read(os.path.join(server_settings["configdir"],
2657
3092
"clients.conf"))
2658
3093
2659
3094
global mandos_dbus_service
2660
3095
mandos_dbus_service = None
2661
3096
2662
3097
socketfd = None
2663
3098
if server_settings["socket"] != "":
2664
3099
socketfd = server_settings["socket"]
2680
3115
except IOError as e:
2681
3116
logger.error("Could not open file %r", pidfilename,
2682
3117
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3118
3119
for name, group in (("_mandos", "_mandos"),
3120
("mandos", "mandos"),
3121
("nobody", "nogroup")):
2685
3122
try:
2686
3123
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3124
gid = pwd.getpwnam(group).pw_gid
2688
3125
break
2689
3126
except KeyError:
2690
3127
continue
2694
3131
try:
2695
3132
os.setgid(gid)
2696
3133
os.setuid(uid)
3134
if debug:
3135
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3136
gid))
2697
3137
except OSError as error:
3138
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3139
.format(uid, gid, os.strerror(error.errno)))
2698
3140
if error.errno != errno.EPERM:
2699
3141
raise
2700
3142
2701
3143
if debug:
2702
3144
# Enable all possible GnuTLS debugging
2703
3145
2704
3146
# "Use a log level over 10 to enable all debugging options."
2705
3147
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3148
gnutls.global_set_log_level(11)
3149
3150
@gnutls.log_func
2709
3151
def debug_gnutls(level, string):
2710
3152
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3153
3154
gnutls.global_set_log_function(debug_gnutls)
3155
2715
3156
# Redirect stdin so all checkers get /dev/null
2716
3157
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3158
os.dup2(null, sys.stdin.fileno())
2718
3159
if null > 2:
2719
3160
os.close(null)
2720
3161
2721
3162
# Need to fork before connecting to D-Bus
2722
3163
if not foreground:
2723
3164
# Close all input and output, do double fork, etc.
2724
3165
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3166
3167
if gi.version_info < (3, 10, 2):
3168
# multiprocessing will use threads, so before we use GLib we
3169
# need to inform GLib that threads will be used.
3170
GLib.threads_init()
3171
2730
3172
global main_loop
2731
3173
# From the Avahi example code
2732
3174
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3175
main_loop = GLib.MainLoop()
2734
3176
bus = dbus.SystemBus()
2735
3177
# End of Avahi example code
2736
3178
if use_dbus:
2749
3191
if zeroconf:
2750
3192
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3193
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3194
name=server_settings["servicename"],
3195
servicetype="_mandos._tcp",
3196
protocol=protocol,
3197
bus=bus)
2756
3198
if server_settings["interface"]:
2757
3199
service.interface = if_nametoindex(
2758
3200
server_settings["interface"].encode("utf-8"))
2759
3201
2760
3202
global multiprocessing_manager
2761
3203
multiprocessing_manager = multiprocessing.Manager()
2762
3204
2763
3205
client_class = Client
2764
3206
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3207
client_class = functools.partial(ClientDBus, bus=bus)
3208
2767
3209
client_settings = Client.config_parser(client_config)
2768
3210
old_client_settings = {}
2769
3211
clients_data = {}
2770
3212
2771
3213
# This is used to redirect stdout and stderr for checker processes
2772
3214
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3215
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3216
# Only used if server is running in foreground but not in debug
2775
3217
# mode
2776
3218
if debug or not foreground:
2777
3219
wnull.close()
2778
3220
2779
3221
# Get client data and settings from last running state.
2780
3222
if server_settings["restore"]:
2781
3223
try:
2782
3224
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3225
if sys.version_info.major == 2:
3226
clients_data, old_client_settings = pickle.load(
3227
stored_state)
3228
else:
3229
bytes_clients_data, bytes_old_client_settings = (
3230
pickle.load(stored_state, encoding="bytes"))
3231
# Fix bytes to strings
3232
# clients_data
3233
# .keys()
3234
clients_data = {(key.decode("utf-8")
3235
if isinstance(key, bytes)
3236
else key): value
3237
for key, value in
3238
bytes_clients_data.items()}
3239
del bytes_clients_data
3240
for key in clients_data:
3241
value = {(k.decode("utf-8")
3242
if isinstance(k, bytes) else k): v
3243
for k, v in
3244
clients_data[key].items()}
3245
clients_data[key] = value
3246
# .client_structure
3247
value["client_structure"] = [
3248
(s.decode("utf-8")
3249
if isinstance(s, bytes)
3250
else s) for s in
3251
value["client_structure"]]
3252
# .name, .host, and .checker_command
3253
for k in ("name", "host", "checker_command"):
3254
if isinstance(value[k], bytes):
3255
value[k] = value[k].decode("utf-8")
3256
if "key_id" not in value:
3257
value["key_id"] = ""
3258
elif "fingerprint" not in value:
3259
value["fingerprint"] = ""
3260
# old_client_settings
3261
# .keys()
3262
old_client_settings = {
3263
(key.decode("utf-8")
3264
if isinstance(key, bytes)
3265
else key): value
3266
for key, value in
3267
bytes_old_client_settings.items()}
3268
del bytes_old_client_settings
3269
# .host and .checker_command
3270
for value in old_client_settings.values():
3271
for attribute in ("host", "checker_command"):
3272
if isinstance(value[attribute], bytes):
3273
value[attribute] = (value[attribute]
3274
.decode("utf-8"))
2785
3275
os.remove(stored_state_path)
2786
3276
except IOError as e:
2787
3277
if e.errno == errno.ENOENT:
2795
3285
logger.warning("Could not load persistent state: "
2796
3286
"EOFError:",
2797
3287
exc_info=e)
2798
3288
2799
3289
with PGPEngine() as pgp:
2800
3290
for client_name, client in clients_data.items():
2801
3291
# Skip removed clients
2802
3292
if client_name not in client_settings:
2803
3293
continue
2804
3294
2805
3295
# Decide which value to use after restoring saved state.
2806
3296
# We have three different values: Old config file,
2807
3297
# new config file, and saved state.
2818
3308
client[name] = value
2819
3309
except KeyError:
2820
3310
pass
2821
3311
2822
3312
# Clients who has passed its expire date can still be
2823
3313
# enabled if its last checker was successful. A Client
2824
3314
# whose checker succeeded before we stored its state is
2857
3347
client_name))
2858
3348
client["secret"] = (client_settings[client_name]
2859
3349
["secret"])
2860
3350
2861
3351
# Add/remove clients based on new changes made to config
2862
3352
for client_name in (set(old_client_settings)
2863
3353
- set(client_settings)):
2865
3355
for client_name in (set(client_settings)
2866
3356
- set(old_client_settings)):
2867
3357
clients_data[client_name] = client_settings[client_name]
2868
3358
2869
3359
# Create all client objects
2870
3360
for client_name, client in clients_data.items():
2871
3361
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3362
name=client_name,
3363
settings=client,
3364
server_settings=server_settings)
3365
2876
3366
if not tcp_server.clients:
2877
3367
logger.warning("No clients defined")
2878
3368
2879
3369
if not foreground:
2880
3370
if pidfile is not None:
2881
3371
pid = os.getpid()
2887
3377
pidfilename, pid)
2888
3378
del pidfile
2889
3379
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3380
3381
for termsig in (signal.SIGHUP, signal.SIGTERM):
3382
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3383
lambda: main_loop.quit() and False)
3384
2894
3385
if use_dbus:
2895
3386
2896
3387
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3388
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3389
class MandosDBusService(DBusObjectWithObjectManager):
2899
3390
"""A D-Bus proxy object"""
2900
3391
2901
3392
def __init__(self):
2902
3393
dbus.service.Object.__init__(self, bus, "/")
2903
3394
2904
3395
_interface = "se.recompile.Mandos"
2905
3396
2906
3397
@dbus.service.signal(_interface, signature="o")
2907
3398
def ClientAdded(self, objpath):
2908
3399
"D-Bus signal"
2909
3400
pass
2910
3401
2911
3402
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3403
def ClientNotFound(self, key_id, address):
2913
3404
"D-Bus signal"
2914
3405
pass
2915
3406
2916
3407
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3408
"true"})
2918
3409
@dbus.service.signal(_interface, signature="os")
2919
3410
def ClientRemoved(self, objpath, name):
2920
3411
"D-Bus signal"
2921
3412
pass
2922
3413
2923
3414
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3415
"true"})
2925
3416
@dbus.service.method(_interface, out_signature="ao")
2926
3417
def GetAllClients(self):
2927
3418
"D-Bus method"
2928
3419
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3420
tcp_server.clients.values())
3421
2931
3422
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3423
"true"})
2933
3424
@dbus.service.method(_interface,
2935
3426
def GetAllClientsWithProperties(self):
2936
3427
"D-Bus method"
2937
3428
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3429
{c.dbus_object_path: c.GetAll(
2939
3430
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3431
for c in tcp_server.clients.values()},
2941
3432
signature="oa{sv}")
2942
3433
2943
3434
@dbus.service.method(_interface, in_signature="o")
2944
3435
def RemoveClient(self, object_path):
2945
3436
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3437
for c in tcp_server.clients.values():
2947
3438
if c.dbus_object_path == object_path:
2948
3439
del tcp_server.clients[c.name]
2949
3440
c.remove_from_connection()
2953
3444
self.client_removed_signal(c)
2954
3445
return
2955
3446
raise KeyError(object_path)
2956
3447
2957
3448
del _interface
2958
3449
2959
3450
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3451
out_signature="a{oa{sa{sv}}}")
2961
3452
def GetManagedObjects(self):
2962
3453
"""D-Bus method"""
2963
3454
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3455
{client.dbus_object_path:
3456
dbus.Dictionary(
3457
{interface: client.GetAll(interface)
3458
for interface in
3459
client._get_all_interface_names()})
3460
for client in tcp_server.clients.values()})
3461
2971
3462
def client_added_signal(self, client):
2972
3463
"""Send the new standard signal and the old signal"""
2973
3464
if use_dbus:
2975
3466
self.InterfacesAdded(
2976
3467
client.dbus_object_path,
2977
3468
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3469
{interface: client.GetAll(interface)
3470
for interface in
3471
client._get_all_interface_names()}))
2981
3472
# Old signal
2982
3473
self.ClientAdded(client.dbus_object_path)
2983
3474
2984
3475
def client_removed_signal(self, client):
2985
3476
"""Send the new standard signal and the old signal"""
2986
3477
if use_dbus:
2991
3482
# Old signal
2992
3483
self.ClientRemoved(client.dbus_object_path,
2993
3484
client.name)
2994
3485
2995
3486
mandos_dbus_service = MandosDBusService()
2996
3487
3488
# Save modules to variables to exempt the modules from being
3489
# unloaded before the function registered with atexit() is run.
3490
mp = multiprocessing
3491
wn = wnull
3492
2997
3493
def cleanup():
2998
3494
"Cleanup function; run on exit"
2999
3495
if zeroconf:
3000
3496
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3497
3498
mp.active_children()
3499
wn.close()
3004
3500
if not (tcp_server.clients or client_settings):
3005
3501
return
3006
3502
3007
3503
# Store client before exiting. Secrets are encrypted with key
3008
3504
# based on what config file has. If config file is
3009
3505
# removed/edited, old secret will thus be unrecovable.
3010
3506
clients = {}
3011
3507
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3508
for client in tcp_server.clients.values():
3013
3509
key = client_settings[client.name]["secret"]
3014
3510
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3511
key)
3016
3512
client_dict = {}
3017
3513
3018
3514
# A list of attributes that can not be pickled
3019
3515
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3516
exclude = {"bus", "changedstate", "secret",
3517
"checker", "server_settings"}
3022
3518
for name, typ in inspect.getmembers(dbus.service
3023
3519
.Object):
3024
3520
exclude.add(name)
3025
3521
3026
3522
client_dict["encrypted_secret"] = (client
3027
3523
.encrypted_secret)
3028
3524
for attr in client.client_structure:
3029
3525
if attr not in exclude:
3030
3526
client_dict[attr] = getattr(client, attr)
3031
3527
3032
3528
clients[client.name] = client_dict
3033
3529
del client_settings[client.name]["secret"]
3034
3530
3035
3531
try:
3036
3532
with tempfile.NamedTemporaryFile(
3037
3533
mode='wb',
3039
3535
prefix='clients-',
3040
3536
dir=os.path.dirname(stored_state_path),
3041
3537
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3538
pickle.dump((clients, client_settings), stored_state,
3539
protocol=2)
3043
3540
tempname = stored_state.name
3044
3541
os.rename(tempname, stored_state_path)
3045
3542
except (IOError, OSError) as e:
3055
3552
logger.warning("Could not save persistent state:",
3056
3553
exc_info=e)
3057
3554
raise
3058
3555
3059
3556
# Delete all clients, and settings from config
3060
3557
while tcp_server.clients:
3061
3558
name, client = tcp_server.clients.popitem()
3064
3561
# Don't signal the disabling
3065
3562
client.disable(quiet=True)
3066
3563
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3564
if use_dbus:
3565
mandos_dbus_service.client_removed_signal(client)
3068
3566
client_settings.clear()
3069
3567
3070
3568
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3569
3570
for client in tcp_server.clients.values():
3073
3571
if use_dbus:
3074
3572
# Emit D-Bus signal for adding
3075
3573
mandos_dbus_service.client_added_signal(client)
3076
3574
# Need to initiate checking of clients
3077
3575
if client.enabled:
3078
3576
client.init_checker()
3079
3577
3080
3578
tcp_server.enable()
3081
3579
tcp_server.server_activate()
3082
3580
3083
3581
# Find out what port we got
3084
3582
if zeroconf:
3085
3583
service.port = tcp_server.socket.getsockname()[1]
3090
3588
else: # IPv4
3091
3589
logger.info("Now listening on address %r, port %d",
3092
3590
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3591
3592
# service.interface = tcp_server.socket.getsockname()[3]
3593
3096
3594
try:
3097
3595
if zeroconf:
3098
3596
# From the Avahi example code
3103
3601
cleanup()
3104
3602
sys.exit(1)
3105
3603
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3604
3605
GLib.io_add_watch(
3606
GLib.IOChannel.unix_new(tcp_server.fileno()),
3607
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3608
lambda *args, **kwargs: (tcp_server.handle_request
3609
(*args[2:], **kwargs) or True))
3610
3112
3611
logger.debug("Starting main loop")
3113
3612
main_loop.run()
3114
3613
except AvahiError as error:
3123
3622
# Must run before the D-Bus bus name gets deregistered
3124
3623
cleanup()
3125
3624
3625
3626
def should_only_run_tests():
3627
parser = argparse.ArgumentParser(add_help=False)
3628
parser.add_argument("--check", action='store_true')
3629
args, unknown_args = parser.parse_known_args()
3630
run_tests = args.check
3631
if run_tests:
3632
# Remove --check argument from sys.argv
3633
sys.argv[1:] = unknown_args
3634
return run_tests
3635
3636
# Add all tests from doctest strings
3637
def load_tests(loader, tests, none):
3638
import doctest
3639
tests.addTests(doctest.DocTestSuite())
3640
return tests
3126
3641
3127
3642
if __name__ == '__main__':
3128
main()
3643
try:
3644
if should_only_run_tests():
3645
# Call using ./mandos --check [--verbose]
3646
unittest.main()
3647
else:
3648
main()
3649
finally:
3650
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0