To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1218
- compare with another revision
- download diff
- download tarball
- view history from revision 1218
- Committer: teddy at recompile
- Date: 2020-07-04 11:58:52 UTC
- Revision ID: teddy@recompile.se-20200704115852-oquhnmng3zom4ldl
Update copyright year
* DBUS-API: Update copyright year to 2020
* debian/copyright: - '' -
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/password-agent.c: - '' -
* mandos: - '' -
* mandos-ctl: - '' -
* plugin-runner.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/plymouth.c: - '' -
* mandos-to-cryptroot-unlock: Update copyright year to 2019.
* DBUS-API: Update copyright year to 2020
* debian/copyright: - '' -
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/password-agent.c: - '' -
* mandos: - '' -
* mandos-ctl: - '' -
* plugin-runner.c: - '' -
* plugins.d/mandos-client.c: - '' -
* plugins.d/plymouth.c: - '' -
* mandos-to-cryptroot-unlock: Update copyright year to 2019.
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
81
import random
82
import shlex
82
83
83
84
import dbus
84
85
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
86
import gi
87
from gi.repository import GLib
90
88
from dbus.mainloop.glib import DBusGMainLoop
91
89
import ctypes
92
90
import ctypes.util
93
91
import xml.dom.minidom
94
92
import inspect
95
93
96
try:
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
97
122
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
123
except AttributeError:
99
124
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
100
127
from IN import SO_BINDTODEVICE
101
128
except ImportError:
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.11"
108
147
stored_state_file = "clients.pickle"
109
148
110
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
111
151
syslogger = None
112
152
113
153
try:
114
154
if_nametoindex = ctypes.cdll.LoadLibrary(
115
155
ctypes.util.find_library("c")).if_nametoindex
116
156
except (OSError, AttributeError):
117
157
118
158
def if_nametoindex(interface):
119
159
"Get an interface index the hard way, i.e. using fcntl()"
120
160
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
165
return interface_index
126
166
127
167
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
128
184
def initlogger(debug, level=logging.WARNING):
129
185
"""init logger and add loglevel"""
130
186
131
187
global syslogger
132
188
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
135
191
syslogger.setFormatter(logging.Formatter
136
192
('Mandos [%(process)d]: %(levelname)s:'
137
193
' %(message)s'))
138
194
logger.addHandler(syslogger)
139
195
140
196
if debug:
141
197
console = logging.StreamHandler()
142
198
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
208
pass
153
209
154
210
155
class PGPEngine(object):
211
class PGPEngine:
156
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
213
158
214
def __init__(self):
159
215
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
160
227
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
228
'--homedir', self.tempdir,
162
229
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
166
235
def __enter__(self):
167
236
return self
168
237
169
238
def __exit__(self, exc_type, exc_value, traceback):
170
239
self._cleanup()
171
240
return False
172
241
173
242
def __del__(self):
174
243
self._cleanup()
175
244
176
245
def _cleanup(self):
177
246
if self.tempdir is not None:
178
247
# Delete contents of tempdir
179
248
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
249
topdown=False):
181
250
for filename in files:
182
251
os.remove(os.path.join(root, filename))
183
252
for dirname in dirs:
185
254
# Remove tempdir
186
255
os.rmdir(self.tempdir)
187
256
self.tempdir = None
188
257
189
258
def password_encode(self, password):
190
259
# Passphrase can not be empty and can not contain newlines or
191
260
# NUL bytes. So we prefix it and hex encode it.
196
265
.replace(b"\n", b"\\n")
197
266
.replace(b"\0", b"\\x00"))
198
267
return encoded
199
268
200
269
def encrypt(self, data, password):
201
270
passphrase = self.password_encode(password)
202
271
with tempfile.NamedTemporaryFile(
203
272
dir=self.tempdir) as passfile:
204
273
passfile.write(passphrase)
205
274
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
275
proc = subprocess.Popen([self.gpg, '--symmetric',
207
276
'--passphrase-file',
208
277
passfile.name]
209
278
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
214
283
if proc.returncode != 0:
215
284
raise PGPError(err)
216
285
return ciphertext
217
286
218
287
def decrypt(self, data, password):
219
288
passphrase = self.password_encode(password)
220
289
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
290
dir=self.tempdir) as passfile:
222
291
passfile.write(passphrase)
223
292
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
293
proc = subprocess.Popen([self.gpg, '--decrypt',
225
294
'--passphrase-file',
226
295
passfile.name]
227
296
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
232
301
if proc.returncode != 0:
233
302
raise PGPError(err)
234
303
return decrypted_plaintext
235
304
236
305
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
237
332
class AvahiError(Exception):
238
333
def __init__(self, value, *args, **kwargs):
239
334
self.value = value
249
344
pass
250
345
251
346
252
class AvahiService(object):
347
class AvahiService:
253
348
"""An Avahi (Zeroconf) service.
254
349
255
350
Attributes:
256
351
interface: integer; avahi.IF_UNSPEC or an interface index.
257
352
Used to optionally bind to the specified interface.
269
364
server: D-Bus Server
270
365
bus: dbus.SystemBus()
271
366
"""
272
367
273
368
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
284
379
self.interface = interface
285
380
self.name = name
286
381
self.type = servicetype
295
390
self.server = None
296
391
self.bus = bus
297
392
self.entry_group_state_changed_match = None
298
393
299
394
def rename(self, remove=True):
300
395
"""Derived from the Avahi example code"""
301
396
if self.rename_count >= self.max_renames:
321
416
logger.critical("D-Bus Exception", exc_info=error)
322
417
self.cleanup()
323
418
os._exit(1)
324
419
325
420
def remove(self):
326
421
"""Derived from the Avahi example code"""
327
422
if self.entry_group_state_changed_match is not None:
329
424
self.entry_group_state_changed_match = None
330
425
if self.group is not None:
331
426
self.group.Reset()
332
427
333
428
def add(self):
334
429
"""Derived from the Avahi example code"""
335
430
self.remove()
352
447
dbus.UInt16(self.port),
353
448
avahi.string_array_to_txt_array(self.TXT))
354
449
self.group.Commit()
355
450
356
451
def entry_group_state_changed(self, state, error):
357
452
"""Derived from the Avahi example code"""
358
453
logger.debug("Avahi entry group state change: %i", state)
359
454
360
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
456
logger.debug("Zeroconf service established.")
362
457
elif state == avahi.ENTRY_GROUP_COLLISION:
366
461
logger.critical("Avahi: Error in group state changed %s",
367
462
str(error))
368
463
raise AvahiGroupError("State changed: {!s}".format(error))
369
464
370
465
def cleanup(self):
371
466
"""Derived from the Avahi example code"""
372
467
if self.group is not None:
377
472
pass
378
473
self.group = None
379
474
self.remove()
380
475
381
476
def server_state_changed(self, state, error=None):
382
477
"""Derived from the Avahi example code"""
383
478
logger.debug("Avahi server state change: %i", state)
412
507
logger.debug("Unknown state: %r", state)
413
508
else:
414
509
logger.debug("Unknown state: %r: %r", state, error)
415
510
416
511
def activate(self):
417
512
"""Derived from the Avahi example code"""
418
513
if self.server is None:
429
524
class AvahiServiceToSyslog(AvahiService):
430
525
def rename(self, *args, **kwargs):
431
526
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
433
528
syslogger.setFormatter(logging.Formatter(
434
529
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
530
.format(self.name)))
436
531
return ret
437
532
533
534
# Pretend that we have a GnuTLS module
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
537
538
library = ctypes.util.find_library("gnutls")
539
if library is None:
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
542
del library
543
544
# Unless otherwise indicated, the constants and types below are
545
# all from the gnutls/gnutls.h C header file.
546
547
# Constants
548
E_SUCCESS = 0
549
E_INTERRUPTED = -52
550
E_AGAIN = -28
551
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
553
CLIENT = 2
554
SHUT_RDWR = 0
555
CRD_CERTIFICATE = 1
556
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
563
564
# Types
565
class session_int(ctypes.Structure):
566
_fields_ = []
567
session_t = ctypes.POINTER(session_int)
568
569
class certificate_credentials_st(ctypes.Structure):
570
_fields_ = []
571
certificate_credentials_t = ctypes.POINTER(
572
certificate_credentials_st)
573
certificate_type_t = ctypes.c_int
574
575
class datum_t(ctypes.Structure):
576
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
577
('size', ctypes.c_uint)]
578
579
class openpgp_crt_int(ctypes.Structure):
580
_fields_ = []
581
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
credentials_type_t = ctypes.c_int
585
transport_ptr_t = ctypes.c_void_p
586
close_request_t = ctypes.c_int
587
588
# Exceptions
589
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
591
# Default usage is by a message string, but if a return
592
# code is passed, convert it to a string with
593
# gnutls.strerror()
594
self.code = code
595
if message is None and code is not None:
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
598
message, *args)
599
600
class CertificateSecurityError(Error):
601
pass
602
603
# Classes
604
class Credentials:
605
def __init__(self):
606
self._c_object = gnutls.certificate_credentials_t()
607
gnutls.certificate_allocate_credentials(
608
ctypes.byref(self._c_object))
609
self.type = gnutls.CRD_CERTIFICATE
610
611
def __del__(self):
612
gnutls.certificate_free_credentials(self._c_object)
613
614
class ClientSession:
615
def __init__(self, socket, credentials=None):
616
self._c_object = gnutls.session_t()
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
620
if gnutls.has_rawpk:
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
623
del gnutls_flags
624
gnutls.set_default_priority(self._c_object)
625
gnutls.transport_set_ptr(self._c_object, socket.fileno())
626
gnutls.handshake_set_private_extensions(self._c_object,
627
True)
628
self.socket = socket
629
if credentials is None:
630
credentials = gnutls.Credentials()
631
gnutls.credentials_set(self._c_object, credentials.type,
632
ctypes.cast(credentials._c_object,
633
ctypes.c_void_p))
634
self.credentials = credentials
635
636
def __del__(self):
637
gnutls.deinit(self._c_object)
638
639
def handshake(self):
640
return gnutls.handshake(self._c_object)
641
642
def send(self, data):
643
data = bytes(data)
644
data_len = len(data)
645
while data_len > 0:
646
data_len -= gnutls.record_send(self._c_object,
647
data[-data_len:],
648
data_len)
649
650
def bye(self):
651
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
652
653
# Error handling functions
654
def _error_code(result):
655
"""A function to raise exceptions on errors, suitable
656
for the 'restype' attribute on ctypes functions"""
657
if result >= 0:
658
return result
659
if result == gnutls.E_NO_CERTIFICATE_FOUND:
660
raise gnutls.CertificateSecurityError(code=result)
661
raise gnutls.Error(code=result)
662
663
def _retry_on_error(result, func, arguments):
664
"""A function to retry on some errors, suitable
665
for the 'errcheck' attribute on ctypes functions"""
666
while result < 0:
667
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
668
return _error_code(result)
669
result = func(*arguments)
670
return result
671
672
# Unless otherwise indicated, the function declarations below are
673
# all from the gnutls/gnutls.h C header file.
674
675
# Functions
676
priority_set_direct = _library.gnutls_priority_set_direct
677
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
678
ctypes.POINTER(ctypes.c_char_p)]
679
priority_set_direct.restype = _error_code
680
681
init = _library.gnutls_init
682
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
683
init.restype = _error_code
684
685
set_default_priority = _library.gnutls_set_default_priority
686
set_default_priority.argtypes = [session_t]
687
set_default_priority.restype = _error_code
688
689
record_send = _library.gnutls_record_send
690
record_send.argtypes = [session_t, ctypes.c_void_p,
691
ctypes.c_size_t]
692
record_send.restype = ctypes.c_ssize_t
693
record_send.errcheck = _retry_on_error
694
695
certificate_allocate_credentials = (
696
_library.gnutls_certificate_allocate_credentials)
697
certificate_allocate_credentials.argtypes = [
698
ctypes.POINTER(certificate_credentials_t)]
699
certificate_allocate_credentials.restype = _error_code
700
701
certificate_free_credentials = (
702
_library.gnutls_certificate_free_credentials)
703
certificate_free_credentials.argtypes = [
704
certificate_credentials_t]
705
certificate_free_credentials.restype = None
706
707
handshake_set_private_extensions = (
708
_library.gnutls_handshake_set_private_extensions)
709
handshake_set_private_extensions.argtypes = [session_t,
710
ctypes.c_int]
711
handshake_set_private_extensions.restype = None
712
713
credentials_set = _library.gnutls_credentials_set
714
credentials_set.argtypes = [session_t, credentials_type_t,
715
ctypes.c_void_p]
716
credentials_set.restype = _error_code
717
718
strerror = _library.gnutls_strerror
719
strerror.argtypes = [ctypes.c_int]
720
strerror.restype = ctypes.c_char_p
721
722
certificate_type_get = _library.gnutls_certificate_type_get
723
certificate_type_get.argtypes = [session_t]
724
certificate_type_get.restype = _error_code
725
726
certificate_get_peers = _library.gnutls_certificate_get_peers
727
certificate_get_peers.argtypes = [session_t,
728
ctypes.POINTER(ctypes.c_uint)]
729
certificate_get_peers.restype = ctypes.POINTER(datum_t)
730
731
global_set_log_level = _library.gnutls_global_set_log_level
732
global_set_log_level.argtypes = [ctypes.c_int]
733
global_set_log_level.restype = None
734
735
global_set_log_function = _library.gnutls_global_set_log_function
736
global_set_log_function.argtypes = [log_func]
737
global_set_log_function.restype = None
738
739
deinit = _library.gnutls_deinit
740
deinit.argtypes = [session_t]
741
deinit.restype = None
742
743
handshake = _library.gnutls_handshake
744
handshake.argtypes = [session_t]
745
handshake.restype = _error_code
746
handshake.errcheck = _retry_on_error
747
748
transport_set_ptr = _library.gnutls_transport_set_ptr
749
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
750
transport_set_ptr.restype = None
751
752
bye = _library.gnutls_bye
753
bye.argtypes = [session_t, close_request_t]
754
bye.restype = _error_code
755
bye.errcheck = _retry_on_error
756
757
check_version = _library.gnutls_check_version
758
check_version.argtypes = [ctypes.c_char_p]
759
check_version.restype = ctypes.c_char_p
760
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
765
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
768
769
if has_rawpk:
770
# Types
771
class pubkey_st(ctypes.Structure):
772
_fields = []
773
pubkey_t = ctypes.POINTER(pubkey_st)
774
775
x509_crt_fmt_t = ctypes.c_int
776
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
781
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
784
x509_crt_fmt_t]
785
pubkey_import.restype = _error_code
786
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
792
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
796
else:
797
# All the function declarations below are from gnutls/openpgp.h
798
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
802
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
806
openpgp_crt_fmt_t]
807
openpgp_crt_import.restype = _error_code
808
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
813
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
817
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
821
ctypes.c_void_p,
822
ctypes.POINTER(
823
ctypes.c_size_t)]
824
openpgp_crt_get_fingerprint.restype = _error_code
825
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
830
831
# Remove non-public functions
832
del _error_code, _retry_on_error
833
834
438
835
def call_pipe(connection, # : multiprocessing.Connection
439
836
func, *args, **kwargs):
440
837
"""This function is meant to be called by multiprocessing.Process
441
838
442
839
This function runs func(*args, **kwargs), and writes the resulting
443
840
return value on the provided multiprocessing.Connection.
444
841
"""
445
842
connection.send(func(*args, **kwargs))
446
843
connection.close()
447
844
448
class Client(object):
845
846
class Client:
449
847
"""A representation of a client host served by this server.
450
848
451
849
Attributes:
452
850
approved: bool(); 'None' if not yet approved/disapproved
453
851
approval_delay: datetime.timedelta(); Time to wait for approval
454
852
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
855
running.
856
checker_callback_tag: a GLib event source tag, or None
459
857
checker_command: string; External command which is run to check
460
858
if client lives. %() expansions are done at
461
859
runtime with vars(self) as dict, so that for
462
860
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
861
checker_initiator_tag: a GLib event source tag, or None
464
862
created: datetime.datetime(); (UTC) object creation
465
863
client_structure: Object describing what attributes a client has
466
864
and is used for storing the client at exit
467
865
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
866
disable_initiator_tag: a GLib event source tag, or None
469
867
enabled: bool()
470
868
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
472
872
host: string; available for use by the checker command
473
873
interval: datetime.timedelta(); How often to start a new checker
474
874
last_approval_request: datetime.datetime(); (UTC) or None
490
890
disabled, or None
491
891
server_settings: The server_settings dict from main()
492
892
"""
493
893
494
894
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
895
"created", "enabled", "expires", "key_id",
496
896
"fingerprint", "host", "interval",
497
897
"last_approval_request", "last_checked_ok",
498
898
"last_enabled", "name", "timeout")
507
907
"approved_by_default": "True",
508
908
"enabled": "True",
509
909
}
510
910
511
911
@staticmethod
512
912
def config_parser(config):
513
913
"""Construct a new dict of client settings of this form:
520
920
for client_name in config.sections():
521
921
section = dict(config.items(client_name))
522
922
client = settings[client_name] = {}
523
923
524
924
client["host"] = section["host"]
525
925
# Reformat values from string types to Python types
526
926
client["approved_by_default"] = config.getboolean(
527
927
client_name, "approved_by_default")
528
928
client["enabled"] = config.getboolean(client_name,
529
929
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
930
931
# Uppercase and remove spaces from key_id and fingerprint
932
# for later comparison purposes with return value from the
933
# key_id() and fingerprint() functions
934
client["key_id"] = (section.get("key_id", "").upper()
935
.replace(" ", ""))
534
936
client["fingerprint"] = (section["fingerprint"].upper()
535
937
.replace(" ", ""))
536
938
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
939
client["secret"] = codecs.decode(section["secret"]
940
.encode("utf-8"),
941
"base64")
538
942
elif "secfile" in section:
539
943
with open(os.path.expanduser(os.path.expandvars
540
944
(section["secfile"])),
555
959
client["last_approval_request"] = None
556
960
client["last_checked_ok"] = None
557
961
client["last_checker_status"] = -2
558
962
559
963
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
964
965
def __init__(self, settings, name=None, server_settings=None):
562
966
self.name = name
563
967
if server_settings is None:
564
968
server_settings = {}
566
970
# adding all client settings
567
971
for setting, value in settings.items():
568
972
setattr(self, setting, value)
569
973
570
974
if self.enabled:
571
975
if not hasattr(self, "last_enabled"):
572
976
self.last_enabled = datetime.datetime.utcnow()
576
980
else:
577
981
self.last_enabled = None
578
982
self.expires = None
579
983
580
984
logger.debug("Creating client %r", self.name)
985
logger.debug(" Key ID: %s", self.key_id)
581
986
logger.debug(" Fingerprint: %s", self.fingerprint)
582
987
self.created = settings.get("created",
583
988
datetime.datetime.utcnow())
584
989
585
990
# attributes specific for this server instance
586
991
self.checker = None
587
992
self.checker_initiator_tag = None
593
998
self.changedstate = multiprocessing_manager.Condition(
594
999
multiprocessing_manager.Lock())
595
1000
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
1001
for attr in self.__dict__.keys()
597
1002
if not attr.startswith("_")]
598
1003
self.client_structure.append("client_structure")
599
1004
600
1005
for name, t in inspect.getmembers(
601
1006
type(self), lambda obj: isinstance(obj, property)):
602
1007
if not name.startswith("_"):
603
1008
self.client_structure.append(name)
604
1009
605
1010
# Send notice to process children that client state has changed
606
1011
def send_changedstate(self):
607
1012
with self.changedstate:
608
1013
self.changedstate.notify_all()
609
1014
610
1015
def enable(self):
611
1016
"""Start this client's checker and timeout hooks"""
612
1017
if getattr(self, "enabled", False):
617
1022
self.last_enabled = datetime.datetime.utcnow()
618
1023
self.init_checker()
619
1024
self.send_changedstate()
620
1025
621
1026
def disable(self, quiet=True):
622
1027
"""Disable this client."""
623
1028
if not getattr(self, "enabled", False):
625
1030
if not quiet:
626
1031
logger.info("Disabling client %s", self.name)
627
1032
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1033
GLib.source_remove(self.disable_initiator_tag)
629
1034
self.disable_initiator_tag = None
630
1035
self.expires = None
631
1036
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1037
GLib.source_remove(self.checker_initiator_tag)
633
1038
self.checker_initiator_tag = None
634
1039
self.stop_checker()
635
1040
self.enabled = False
636
1041
if not quiet:
637
1042
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1043
# Do not run this again if called by a GLib.timeout_add
639
1044
return False
640
1045
641
1046
def __del__(self):
642
1047
self.disable()
643
1048
644
1049
def init_checker(self):
645
1050
# Schedule a new checker to be started an 'interval' from now,
646
1051
# and every interval from then on.
647
1052
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1053
GLib.source_remove(self.checker_initiator_tag)
1054
self.checker_initiator_tag = GLib.timeout_add(
1055
random.randrange(int(self.interval.total_seconds() * 1000
1056
+ 1)),
651
1057
self.start_checker)
652
1058
# Schedule a disable() when 'timeout' has passed
653
1059
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1060
GLib.source_remove(self.disable_initiator_tag)
1061
self.disable_initiator_tag = GLib.timeout_add(
656
1062
int(self.timeout.total_seconds() * 1000), self.disable)
657
1063
# Also start a new checker *right now*.
658
1064
self.start_checker()
659
1065
660
1066
def checker_callback(self, source, condition, connection,
661
1067
command):
662
1068
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1069
# Read return code from connection (see call_pipe)
666
1070
returncode = connection.recv()
667
1071
connection.close()
668
1072
if self.checker is not None:
1073
self.checker.join()
1074
self.checker_callback_tag = None
1075
self.checker = None
1076
669
1077
if returncode >= 0:
670
1078
self.last_checker_status = returncode
671
1079
self.last_checker_signal = None
681
1089
logger.warning("Checker for %(name)s crashed?",
682
1090
vars(self))
683
1091
return False
684
1092
685
1093
def checked_ok(self):
686
1094
"""Assert that the client has been seen, alive and well."""
687
1095
self.last_checked_ok = datetime.datetime.utcnow()
688
1096
self.last_checker_status = 0
689
1097
self.last_checker_signal = None
690
1098
self.bump_timeout()
691
1099
692
1100
def bump_timeout(self, timeout=None):
693
1101
"""Bump up the timeout for this client."""
694
1102
if timeout is None:
695
1103
timeout = self.timeout
696
1104
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1105
GLib.source_remove(self.disable_initiator_tag)
698
1106
self.disable_initiator_tag = None
699
1107
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1108
self.disable_initiator_tag = GLib.timeout_add(
701
1109
int(timeout.total_seconds() * 1000), self.disable)
702
1110
self.expires = datetime.datetime.utcnow() + timeout
703
1111
704
1112
def need_approval(self):
705
1113
self.last_approval_request = datetime.datetime.utcnow()
706
1114
707
1115
def start_checker(self):
708
1116
"""Start a new checker subprocess if one is not running.
709
1117
710
1118
If a checker already exists, leave it running and do
711
1119
nothing."""
712
1120
# The reason for not killing a running checker is that if we
717
1125
# checkers alone, the checker would have to take more time
718
1126
# than 'timeout' for the client to be disabled, which is as it
719
1127
# should be.
720
1128
721
1129
if self.checker is not None and not self.checker.is_alive():
722
1130
logger.warning("Checker was not alive; joining")
723
1131
self.checker.join()
726
1134
if self.checker is None:
727
1135
# Escape attributes for the shell
728
1136
escaped_attrs = {
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1137
attr: shlex.quote(str(getattr(self, attr)))
1138
for attr in self.runtime_expansions}
731
1139
try:
732
1140
command = self.checker_command % escaped_attrs
733
1141
except TypeError as error:
745
1153
# The exception is when not debugging but nevertheless
746
1154
# running in the foreground; use the previously
747
1155
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1156
popen_args = {"close_fds": True,
1157
"shell": True,
1158
"cwd": "/"}
751
1159
if (not self.server_settings["debug"]
752
1160
and self.server_settings["foreground"]):
753
1161
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1162
"stderr": wnull})
1163
pipe = multiprocessing.Pipe(duplex=False)
756
1164
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1165
target=call_pipe,
1166
args=(pipe[1], subprocess.call, command),
1167
kwargs=popen_args)
760
1168
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1169
self.checker_callback_tag = GLib.io_add_watch(
1170
GLib.IOChannel.unix_new(pipe[0].fileno()),
1171
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
763
1172
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1173
# Re-run this periodically if run by GLib.timeout_add
765
1174
return True
766
1175
767
1176
def stop_checker(self):
768
1177
"""Force the checker process, if any, to stop."""
769
1178
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1179
GLib.source_remove(self.checker_callback_tag)
771
1180
self.checker_callback_tag = None
772
1181
if getattr(self, "checker", None) is None:
773
1182
return
782
1191
byte_arrays=False):
783
1192
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1193
become properties on the D-Bus.
785
1194
786
1195
The decorated method will be called with no arguments by "Get"
787
1196
and with one argument by "Set".
788
1197
789
1198
The parameters, where they are supported, are the same as
790
1199
dbus.service.method, except there is only "signature", since the
791
1200
type from Get() and the type sent to Set() is the same.
795
1204
if byte_arrays and signature != "ay":
796
1205
raise ValueError("Byte arrays not supported for non-'ay'"
797
1206
" signature {!r}".format(signature))
798
1207
799
1208
def decorator(func):
800
1209
func._dbus_is_property = True
801
1210
func._dbus_interface = dbus_interface
804
1213
func._dbus_name = func.__name__
805
1214
if func._dbus_name.endswith("_dbus_property"):
806
1215
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1216
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1217
return func
809
1218
810
1219
return decorator
811
1220
812
1221
813
1222
def dbus_interface_annotations(dbus_interface):
814
1223
"""Decorator for marking functions returning interface annotations
815
1224
816
1225
Usage:
817
1226
818
1227
@dbus_interface_annotations("org.example.Interface")
819
1228
def _foo(self): # Function name does not matter
820
1229
return {"org.freedesktop.DBus.Deprecated": "true",
821
1230
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1231
"false"}
823
1232
"""
824
1233
825
1234
def decorator(func):
826
1235
func._dbus_is_interface = True
827
1236
func._dbus_interface = dbus_interface
828
1237
func._dbus_name = dbus_interface
829
1238
return func
830
1239
831
1240
return decorator
832
1241
833
1242
834
1243
def dbus_annotations(annotations):
835
1244
"""Decorator to annotate D-Bus methods, signals or properties
836
1245
Usage:
837
1246
838
1247
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1248
"org.freedesktop.DBus.Property."
840
1249
"EmitsChangedSignal": "false"})
842
1251
access="r")
843
1252
def Property_dbus_property(self):
844
1253
return dbus.Boolean(False)
845
1254
846
1255
See also the DBusObjectWithAnnotations class.
847
1256
"""
848
1257
849
1258
def decorator(func):
850
1259
func._dbus_annotations = annotations
851
1260
return func
852
1261
853
1262
return decorator
854
1263
855
1264
873
1282
874
1283
class DBusObjectWithAnnotations(dbus.service.Object):
875
1284
"""A D-Bus object with annotations.
876
1285
877
1286
Classes inheriting from this can use the dbus_annotations
878
1287
decorator to add annotations to methods or signals.
879
1288
"""
880
1289
881
1290
@staticmethod
882
1291
def _is_dbus_thing(thing):
883
1292
"""Returns a function testing if an attribute is a D-Bus thing
884
1293
885
1294
If called like _is_dbus_thing("method") it returns a function
886
1295
suitable for use as predicate to inspect.getmembers().
887
1296
"""
888
1297
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1298
False)
890
1299
891
1300
def _get_all_dbus_things(self, thing):
892
1301
"""Returns a generator of (name, attribute) pairs
893
1302
"""
896
1305
for cls in self.__class__.__mro__
897
1306
for name, athing in
898
1307
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1308
900
1309
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1310
out_signature="s",
1311
path_keyword='object_path',
1312
connection_keyword='connection')
904
1313
def Introspect(self, object_path, connection):
905
1314
"""Overloading of standard D-Bus method.
906
1315
907
1316
Inserts annotation tags on methods and signals.
908
1317
"""
909
1318
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1319
connection)
911
1320
try:
912
1321
document = xml.dom.minidom.parseString(xmlstring)
913
1322
914
1323
for if_tag in document.getElementsByTagName("interface"):
915
1324
# Add annotation tags
916
1325
for typ in ("method", "signal"):
943
1352
if_tag.appendChild(ann_tag)
944
1353
# Fix argument name for the Introspect method itself
945
1354
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1355
== dbus.INTROSPECTABLE_IFACE):
947
1356
for cn in if_tag.getElementsByTagName("method"):
948
1357
if cn.getAttribute("name") == "Introspect":
949
1358
for arg in cn.getElementsByTagName("arg"):
962
1371
963
1372
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1373
"""A D-Bus object with properties.
965
1374
966
1375
Classes inheriting from this can use the dbus_service_property
967
1376
decorator to expose methods as D-Bus properties. It exposes the
968
1377
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1378
"""
970
1379
971
1380
def _get_dbus_property(self, interface_name, property_name):
972
1381
"""Returns a bound method if one exists which is a D-Bus
973
1382
property with the specified name and interface.
978
1387
if (value._dbus_name == property_name
979
1388
and value._dbus_interface == interface_name):
980
1389
return value.__get__(self)
981
1390
982
1391
# No such property
983
1392
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1393
self.dbus_object_path, interface_name, property_name))
985
1394
986
1395
@classmethod
987
1396
def _get_all_interface_names(cls):
988
1397
"""Get a sequence of all interfaces supported by an object"""
991
1400
for x in (inspect.getmro(cls))
992
1401
for attr in dir(x))
993
1402
if name is not None)
994
1403
995
1404
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1405
in_signature="ss",
997
1406
out_signature="v")
1005
1414
if not hasattr(value, "variant_level"):
1006
1415
return value
1007
1416
return type(value)(value, variant_level=value.variant_level+1)
1008
1417
1009
1418
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1419
def Set(self, interface_name, property_name, value):
1011
1420
"""Standard D-Bus property Set() method, see D-Bus standard.
1020
1429
raise ValueError("Byte arrays not supported for non-"
1021
1430
"'ay' signature {!r}"
1022
1431
.format(prop._dbus_signature))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1432
value = dbus.ByteArray(bytes(value))
1025
1433
prop(value)
1026
1434
1027
1435
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1436
in_signature="s",
1029
1437
out_signature="a{sv}")
1030
1438
def GetAll(self, interface_name):
1031
1439
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1440
standard.
1033
1441
1034
1442
Note: Will not include properties with access="write".
1035
1443
"""
1036
1444
properties = {}
1047
1455
properties[name] = value
1048
1456
continue
1049
1457
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1458
value, variant_level=value.variant_level + 1)
1051
1459
return dbus.Dictionary(properties, signature="sv")
1052
1460
1053
1461
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1462
def PropertiesChanged(self, interface_name, changed_properties,
1055
1463
invalidated_properties):
1057
1465
standard.
1058
1466
"""
1059
1467
pass
1060
1468
1061
1469
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1470
out_signature="s",
1063
1471
path_keyword='object_path',
1064
1472
connection_keyword='connection')
1065
1473
def Introspect(self, object_path, connection):
1066
1474
"""Overloading of standard D-Bus method.
1067
1475
1068
1476
Inserts property tags and interface annotation tags.
1069
1477
"""
1070
1478
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1480
connection)
1073
1481
try:
1074
1482
document = xml.dom.minidom.parseString(xmlstring)
1075
1483
1076
1484
def make_tag(document, name, prop):
1077
1485
e = document.createElement("property")
1078
1486
e.setAttribute("name", name)
1079
1487
e.setAttribute("type", prop._dbus_signature)
1080
1488
e.setAttribute("access", prop._dbus_access)
1081
1489
return e
1082
1490
1083
1491
for if_tag in document.getElementsByTagName("interface"):
1084
1492
# Add property tags
1085
1493
for tag in (make_tag(document, name, prop)
1127
1535
exc_info=error)
1128
1536
return xmlstring
1129
1537
1538
1130
1539
try:
1131
1540
dbus.OBJECT_MANAGER_IFACE
1132
1541
except AttributeError:
1133
1542
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1543
1544
1135
1545
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1546
"""A D-Bus object with an ObjectManager.
1137
1547
1138
1548
Classes inheriting from this exposes the standard
1139
1549
GetManagedObjects call and the InterfacesAdded and
1140
1550
InterfacesRemoved signals on the standard
1141
1551
"org.freedesktop.DBus.ObjectManager" interface.
1142
1552
1143
1553
Note: No signals are sent automatically; they must be sent
1144
1554
manually.
1145
1555
"""
1146
1556
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1557
out_signature="a{oa{sa{sv}}}")
1148
1558
def GetManagedObjects(self):
1149
1559
"""This function must be overridden"""
1150
1560
raise NotImplementedError()
1151
1561
1152
1562
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1563
signature="oa{sa{sv}}")
1154
1564
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1565
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1158
signature = "oas")
1566
1567
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1159
1568
def InterfacesRemoved(self, object_path, interfaces):
1160
1569
pass
1161
1570
1162
1571
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1163
out_signature = "s",
1164
path_keyword = 'object_path',
1165
connection_keyword = 'connection')
1572
out_signature="s",
1573
path_keyword='object_path',
1574
connection_keyword='connection')
1166
1575
def Introspect(self, object_path, connection):
1167
1576
"""Overloading of standard D-Bus method.
1168
1577
1169
1578
Override return argument name of GetManagedObjects to be
1170
1579
"objpath_interfaces_and_properties"
1171
1580
"""
1172
xmlstring = DBusObjectWithAnnotations(self, object_path,
1173
connection)
1581
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1582
object_path,
1583
connection)
1174
1584
try:
1175
1585
document = xml.dom.minidom.parseString(xmlstring)
1176
1586
1177
1587
for if_tag in document.getElementsByTagName("interface"):
1178
1588
# Fix argument name for the GetManagedObjects method
1179
1589
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1590
== dbus.OBJECT_MANAGER_IFACE):
1181
1591
for cn in if_tag.getElementsByTagName("method"):
1182
1592
if (cn.getAttribute("name")
1183
1593
== "GetManagedObjects"):
1193
1603
except (AttributeError, xml.dom.DOMException,
1194
1604
xml.parsers.expat.ExpatError) as error:
1195
1605
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1606
exc_info=error)
1197
1607
return xmlstring
1198
1608
1609
1199
1610
def datetime_to_dbus(dt, variant_level=0):
1200
1611
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1612
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1613
return dbus.String("", variant_level=variant_level)
1203
1614
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1615
1205
1616
1208
1619
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1620
interface names according to the "alt_interface_names" mapping.
1210
1621
Usage:
1211
1622
1212
1623
@alternate_dbus_interfaces({"org.example.Interface":
1213
1624
"net.example.AlternateInterface"})
1214
1625
class SampleDBusObject(dbus.service.Object):
1215
1626
@dbus.service.method("org.example.Interface")
1216
1627
def SampleDBusMethod():
1217
1628
pass
1218
1629
1219
1630
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1631
reachable via two interfaces: "org.example.Interface" and
1221
1632
"net.example.AlternateInterface", the latter of which will have
1222
1633
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1634
"true", unless "deprecate" is passed with a False value.
1224
1635
1225
1636
This works for methods and signals, and also for D-Bus properties
1226
1637
(from DBusObjectWithProperties) and interfaces (from the
1227
1638
dbus_interface_annotations decorator).
1228
1639
"""
1229
1640
1230
1641
def wrapper(cls):
1231
1642
for orig_interface_name, alt_interface_name in (
1232
1643
alt_interface_names.items()):
1247
1658
interface_names.add(alt_interface)
1248
1659
# Is this a D-Bus signal?
1249
1660
if getattr(attribute, "_dbus_is_signal", False):
1661
# Extract the original non-method undecorated
1662
# function by black magic
1250
1663
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1664
nonmethod_func = (dict(
1254
1665
zip(attribute.func_code.co_freevars,
1255
1666
attribute.__closure__))
1256
1667
["func"].cell_contents)
1257
1668
else:
1258
nonmethod_func = attribute
1669
nonmethod_func = (dict(
1670
zip(attribute.__code__.co_freevars,
1671
attribute.__closure__))
1672
["func"].cell_contents)
1259
1673
# Create a new, but exactly alike, function
1260
1674
# object, and decorate it to be a new D-Bus signal
1261
1675
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1676
new_function = copy_function(nonmethod_func)
1276
1677
new_function = (dbus.service.signal(
1277
1678
alt_interface,
1278
1679
attribute._dbus_signature)(new_function))
1282
1683
attribute._dbus_annotations)
1283
1684
except AttributeError:
1284
1685
pass
1686
1285
1687
# Define a creator of a function to call both the
1286
1688
# original and alternate functions, so both the
1287
1689
# original and alternate signals gets sent when
1290
1692
"""This function is a scope container to pass
1291
1693
func1 and func2 to the "call_both" function
1292
1694
outside of its arguments"""
1293
1695
1696
@functools.wraps(func2)
1294
1697
def call_both(*args, **kwargs):
1295
1698
"""This function will emit two D-Bus
1296
1699
signals by calling func1 and func2"""
1297
1700
func1(*args, **kwargs)
1298
1701
func2(*args, **kwargs)
1299
1702
# Make wrapper function look like a D-Bus
1703
# signal
1704
for name, attr in inspect.getmembers(func2):
1705
if name.startswith("_dbus_"):
1706
setattr(call_both, name, attr)
1707
1300
1708
return call_both
1301
1709
# Create the "call_both" function and add it to
1302
1710
# the class
1312
1720
alt_interface,
1313
1721
attribute._dbus_in_signature,
1314
1722
attribute._dbus_out_signature)
1315
(types.FunctionType(attribute.func_code,
1316
attribute.func_globals,
1317
attribute.func_name,
1318
attribute.func_defaults,
1319
attribute.func_closure)))
1723
(copy_function(attribute)))
1320
1724
# Copy annotations, if any
1321
1725
try:
1322
1726
attr[attrname]._dbus_annotations = dict(
1334
1738
attribute._dbus_access,
1335
1739
attribute._dbus_get_args_options
1336
1740
["byte_arrays"])
1337
(types.FunctionType(
1338
attribute.func_code,
1339
attribute.func_globals,
1340
attribute.func_name,
1341
attribute.func_defaults,
1342
attribute.func_closure)))
1741
(copy_function(attribute)))
1343
1742
# Copy annotations, if any
1344
1743
try:
1345
1744
attr[attrname]._dbus_annotations = dict(
1354
1753
# to the class.
1355
1754
attr[attrname] = (
1356
1755
dbus_interface_annotations(alt_interface)
1357
(types.FunctionType(attribute.func_code,
1358
attribute.func_globals,
1359
attribute.func_name,
1360
attribute.func_defaults,
1361
attribute.func_closure)))
1756
(copy_function(attribute)))
1362
1757
if deprecate:
1363
1758
# Deprecate all alternate interfaces
1364
iname="_AlternateDBusNames_interface_annotation{}"
1759
iname = "_AlternateDBusNames_interface_annotation{}"
1365
1760
for interface_name in interface_names:
1366
1761
1367
1762
@dbus_interface_annotations(interface_name)
1368
1763
def func(self):
1369
return { "org.freedesktop.DBus.Deprecated":
1370
"true" }
1764
return {"org.freedesktop.DBus.Deprecated":
1765
"true"}
1371
1766
# Find an unused name
1372
1767
for aname in (iname.format(i)
1373
1768
for i in itertools.count()):
1377
1772
if interface_names:
1378
1773
# Replace the class with a new subclass of it with
1379
1774
# methods, signals, etc. as created above.
1380
cls = type(b"{}Alternate".format(cls.__name__),
1381
(cls, ), attr)
1775
if sys.version_info.major == 2:
1776
cls = type(b"{}Alternate".format(cls.__name__),
1777
(cls, ), attr)
1778
else:
1779
cls = type("{}Alternate".format(cls.__name__),
1780
(cls, ), attr)
1382
1781
return cls
1383
1782
1384
1783
return wrapper
1385
1784
1386
1785
1388
1787
"se.bsnet.fukt.Mandos"})
1389
1788
class ClientDBus(Client, DBusObjectWithProperties):
1390
1789
"""A Client class using D-Bus
1391
1790
1392
1791
Attributes:
1393
1792
dbus_object_path: dbus.ObjectPath
1394
1793
bus: dbus.SystemBus()
1395
1794
"""
1396
1795
1397
1796
runtime_expansions = (Client.runtime_expansions
1398
1797
+ ("dbus_object_path", ))
1399
1798
1400
1799
_interface = "se.recompile.Mandos.Client"
1401
1800
1402
1801
# dbus.service.Object doesn't use super(), so we can't either.
1403
1404
def __init__(self, bus = None, *args, **kwargs):
1802
1803
def __init__(self, bus=None, *args, **kwargs):
1405
1804
self.bus = bus
1406
1805
Client.__init__(self, *args, **kwargs)
1407
1806
# Only now, when this client is initialized, can it show up on
1413
1812
"/clients/" + client_object_name)
1414
1813
DBusObjectWithProperties.__init__(self, self.bus,
1415
1814
self.dbus_object_path)
1416
1815
1417
1816
def notifychangeproperty(transform_func, dbus_name,
1418
1817
type_func=lambda x: x,
1419
1818
variant_level=1,
1421
1820
_interface=_interface):
1422
1821
""" Modify a variable so that it's a property which announces
1423
1822
its changes to DBus.
1424
1823
1425
1824
transform_fun: Function that takes a value and a variant_level
1426
1825
and transforms it to a D-Bus type.
1427
1826
dbus_name: D-Bus name of the variable
1430
1829
variant_level: D-Bus variant level. Default: 1
1431
1830
"""
1432
1831
attrname = "_{}".format(dbus_name)
1433
1832
1434
1833
def setter(self, value):
1435
1834
if hasattr(self, "dbus_object_path"):
1436
1835
if (not hasattr(self, attrname) or
1443
1842
else:
1444
1843
dbus_value = transform_func(
1445
1844
type_func(value),
1446
variant_level = variant_level)
1845
variant_level=variant_level)
1447
1846
self.PropertyChanged(dbus.String(dbus_name),
1448
1847
dbus_value)
1449
1848
self.PropertiesChanged(
1450
1849
_interface,
1451
dbus.Dictionary({ dbus.String(dbus_name):
1452
dbus_value }),
1850
dbus.Dictionary({dbus.String(dbus_name):
1851
dbus_value}),
1453
1852
dbus.Array())
1454
1853
setattr(self, attrname, value)
1455
1854
1456
1855
return property(lambda self: getattr(self, attrname), setter)
1457
1856
1458
1857
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1459
1858
approvals_pending = notifychangeproperty(dbus.Boolean,
1460
1859
"ApprovalPending",
1461
type_func = bool)
1860
type_func=bool)
1462
1861
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1463
1862
last_enabled = notifychangeproperty(datetime_to_dbus,
1464
1863
"LastEnabled")
1465
1864
checker = notifychangeproperty(
1466
1865
dbus.Boolean, "CheckerRunning",
1467
type_func = lambda checker: checker is not None)
1866
type_func=lambda checker: checker is not None)
1468
1867
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1469
1868
"LastCheckedOK")
1470
1869
last_checker_status = notifychangeproperty(dbus.Int16,
1475
1874
"ApprovedByDefault")
1476
1875
approval_delay = notifychangeproperty(
1477
1876
dbus.UInt64, "ApprovalDelay",
1478
type_func = lambda td: td.total_seconds() * 1000)
1877
type_func=lambda td: td.total_seconds() * 1000)
1479
1878
approval_duration = notifychangeproperty(
1480
1879
dbus.UInt64, "ApprovalDuration",
1481
type_func = lambda td: td.total_seconds() * 1000)
1880
type_func=lambda td: td.total_seconds() * 1000)
1482
1881
host = notifychangeproperty(dbus.String, "Host")
1483
1882
timeout = notifychangeproperty(
1484
1883
dbus.UInt64, "Timeout",
1485
type_func = lambda td: td.total_seconds() * 1000)
1884
type_func=lambda td: td.total_seconds() * 1000)
1486
1885
extended_timeout = notifychangeproperty(
1487
1886
dbus.UInt64, "ExtendedTimeout",
1488
type_func = lambda td: td.total_seconds() * 1000)
1887
type_func=lambda td: td.total_seconds() * 1000)
1489
1888
interval = notifychangeproperty(
1490
1889
dbus.UInt64, "Interval",
1491
type_func = lambda td: td.total_seconds() * 1000)
1890
type_func=lambda td: td.total_seconds() * 1000)
1492
1891
checker_command = notifychangeproperty(dbus.String, "Checker")
1493
1892
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1494
1893
invalidate_only=True)
1495
1894
1496
1895
del notifychangeproperty
1497
1896
1498
1897
def __del__(self, *args, **kwargs):
1499
1898
try:
1500
1899
self.remove_from_connection()
1503
1902
if hasattr(DBusObjectWithProperties, "__del__"):
1504
1903
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1505
1904
Client.__del__(self, *args, **kwargs)
1506
1905
1507
1906
def checker_callback(self, source, condition,
1508
1907
connection, command, *args, **kwargs):
1509
1908
ret = Client.checker_callback(self, source, condition,
1525
1924
| self.last_checker_signal),
1526
1925
dbus.String(command))
1527
1926
return ret
1528
1927
1529
1928
def start_checker(self, *args, **kwargs):
1530
1929
old_checker_pid = getattr(self.checker, "pid", None)
1531
1930
r = Client.start_checker(self, *args, **kwargs)
1535
1934
# Emit D-Bus signal
1536
1935
self.CheckerStarted(self.current_checker_command)
1537
1936
return r
1538
1937
1539
1938
def _reset_approved(self):
1540
1939
self.approved = None
1541
1940
return False
1542
1941
1543
1942
def approve(self, value=True):
1544
1943
self.approved = value
1545
gobject.timeout_add(int(self.approval_duration.total_seconds()
1546
* 1000), self._reset_approved)
1944
GLib.timeout_add(int(self.approval_duration.total_seconds()
1945
* 1000), self._reset_approved)
1547
1946
self.send_changedstate()
1548
1549
## D-Bus methods, signals & properties
1550
1551
## Interfaces
1552
1553
## Signals
1554
1947
1948
# D-Bus methods, signals & properties
1949
1950
# Interfaces
1951
1952
# Signals
1953
1555
1954
# CheckerCompleted - signal
1556
1955
@dbus.service.signal(_interface, signature="nxs")
1557
1956
def CheckerCompleted(self, exitcode, waitstatus, command):
1558
1957
"D-Bus signal"
1559
1958
pass
1560
1959
1561
1960
# CheckerStarted - signal
1562
1961
@dbus.service.signal(_interface, signature="s")
1563
1962
def CheckerStarted(self, command):
1564
1963
"D-Bus signal"
1565
1964
pass
1566
1965
1567
1966
# PropertyChanged - signal
1568
1967
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1569
1968
@dbus.service.signal(_interface, signature="sv")
1570
1969
def PropertyChanged(self, property, value):
1571
1970
"D-Bus signal"
1572
1971
pass
1573
1972
1574
1973
# GotSecret - signal
1575
1974
@dbus.service.signal(_interface)
1576
1975
def GotSecret(self):
1579
1978
server to mandos-client
1580
1979
"""
1581
1980
pass
1582
1981
1583
1982
# Rejected - signal
1584
1983
@dbus.service.signal(_interface, signature="s")
1585
1984
def Rejected(self, reason):
1586
1985
"D-Bus signal"
1587
1986
pass
1588
1987
1589
1988
# NeedApproval - signal
1590
1989
@dbus.service.signal(_interface, signature="tb")
1591
1990
def NeedApproval(self, timeout, default):
1592
1991
"D-Bus signal"
1593
1992
return self.need_approval()
1594
1595
## Methods
1596
1993
1994
# Methods
1995
1597
1996
# Approve - method
1598
1997
@dbus.service.method(_interface, in_signature="b")
1599
1998
def Approve(self, value):
1600
1999
self.approve(value)
1601
2000
1602
2001
# CheckedOK - method
1603
2002
@dbus.service.method(_interface)
1604
2003
def CheckedOK(self):
1605
2004
self.checked_ok()
1606
2005
1607
2006
# Enable - method
1608
2007
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1609
2008
@dbus.service.method(_interface)
1610
2009
def Enable(self):
1611
2010
"D-Bus method"
1612
2011
self.enable()
1613
2012
1614
2013
# StartChecker - method
1615
2014
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1616
2015
@dbus.service.method(_interface)
1617
2016
def StartChecker(self):
1618
2017
"D-Bus method"
1619
2018
self.start_checker()
1620
2019
1621
2020
# Disable - method
1622
2021
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1623
2022
@dbus.service.method(_interface)
1624
2023
def Disable(self):
1625
2024
"D-Bus method"
1626
2025
self.disable()
1627
2026
1628
2027
# StopChecker - method
1629
2028
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1630
2029
@dbus.service.method(_interface)
1631
2030
def StopChecker(self):
1632
2031
self.stop_checker()
1633
1634
## Properties
1635
2032
2033
# Properties
2034
1636
2035
# ApprovalPending - property
1637
2036
@dbus_service_property(_interface, signature="b", access="read")
1638
2037
def ApprovalPending_dbus_property(self):
1639
2038
return dbus.Boolean(bool(self.approvals_pending))
1640
2039
1641
2040
# ApprovedByDefault - property
1642
2041
@dbus_service_property(_interface,
1643
2042
signature="b",
1646
2045
if value is None: # get
1647
2046
return dbus.Boolean(self.approved_by_default)
1648
2047
self.approved_by_default = bool(value)
1649
2048
1650
2049
# ApprovalDelay - property
1651
2050
@dbus_service_property(_interface,
1652
2051
signature="t",
1656
2055
return dbus.UInt64(self.approval_delay.total_seconds()
1657
2056
* 1000)
1658
2057
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1659
2058
1660
2059
# ApprovalDuration - property
1661
2060
@dbus_service_property(_interface,
1662
2061
signature="t",
1666
2065
return dbus.UInt64(self.approval_duration.total_seconds()
1667
2066
* 1000)
1668
2067
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1669
2068
1670
2069
# Name - property
1671
2070
@dbus_annotations(
1672
2071
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1673
2072
@dbus_service_property(_interface, signature="s", access="read")
1674
2073
def Name_dbus_property(self):
1675
2074
return dbus.String(self.name)
1676
2075
2076
# KeyID - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
@dbus_service_property(_interface, signature="s", access="read")
2080
def KeyID_dbus_property(self):
2081
return dbus.String(self.key_id)
2082
1677
2083
# Fingerprint - property
1678
2084
@dbus_annotations(
1679
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1680
2086
@dbus_service_property(_interface, signature="s", access="read")
1681
2087
def Fingerprint_dbus_property(self):
1682
2088
return dbus.String(self.fingerprint)
1683
2089
1684
2090
# Host - property
1685
2091
@dbus_service_property(_interface,
1686
2092
signature="s",
1689
2095
if value is None: # get
1690
2096
return dbus.String(self.host)
1691
2097
self.host = str(value)
1692
2098
1693
2099
# Created - property
1694
2100
@dbus_annotations(
1695
2101
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1696
2102
@dbus_service_property(_interface, signature="s", access="read")
1697
2103
def Created_dbus_property(self):
1698
2104
return datetime_to_dbus(self.created)
1699
2105
1700
2106
# LastEnabled - property
1701
2107
@dbus_service_property(_interface, signature="s", access="read")
1702
2108
def LastEnabled_dbus_property(self):
1703
2109
return datetime_to_dbus(self.last_enabled)
1704
2110
1705
2111
# Enabled - property
1706
2112
@dbus_service_property(_interface,
1707
2113
signature="b",
1713
2119
self.enable()
1714
2120
else:
1715
2121
self.disable()
1716
2122
1717
2123
# LastCheckedOK - property
1718
2124
@dbus_service_property(_interface,
1719
2125
signature="s",
1723
2129
self.checked_ok()
1724
2130
return
1725
2131
return datetime_to_dbus(self.last_checked_ok)
1726
2132
1727
2133
# LastCheckerStatus - property
1728
2134
@dbus_service_property(_interface, signature="n", access="read")
1729
2135
def LastCheckerStatus_dbus_property(self):
1730
2136
return dbus.Int16(self.last_checker_status)
1731
2137
1732
2138
# Expires - property
1733
2139
@dbus_service_property(_interface, signature="s", access="read")
1734
2140
def Expires_dbus_property(self):
1735
2141
return datetime_to_dbus(self.expires)
1736
2142
1737
2143
# LastApprovalRequest - property
1738
2144
@dbus_service_property(_interface, signature="s", access="read")
1739
2145
def LastApprovalRequest_dbus_property(self):
1740
2146
return datetime_to_dbus(self.last_approval_request)
1741
2147
1742
2148
# Timeout - property
1743
2149
@dbus_service_property(_interface,
1744
2150
signature="t",
1759
2165
if (getattr(self, "disable_initiator_tag", None)
1760
2166
is None):
1761
2167
return
1762
gobject.source_remove(self.disable_initiator_tag)
1763
self.disable_initiator_tag = gobject.timeout_add(
2168
GLib.source_remove(self.disable_initiator_tag)
2169
self.disable_initiator_tag = GLib.timeout_add(
1764
2170
int((self.expires - now).total_seconds() * 1000),
1765
2171
self.disable)
1766
2172
1767
2173
# ExtendedTimeout - property
1768
2174
@dbus_service_property(_interface,
1769
2175
signature="t",
1773
2179
return dbus.UInt64(self.extended_timeout.total_seconds()
1774
2180
* 1000)
1775
2181
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1776
2182
1777
2183
# Interval - property
1778
2184
@dbus_service_property(_interface,
1779
2185
signature="t",
1786
2192
return
1787
2193
if self.enabled:
1788
2194
# Reschedule checker run
1789
gobject.source_remove(self.checker_initiator_tag)
1790
self.checker_initiator_tag = gobject.timeout_add(
2195
GLib.source_remove(self.checker_initiator_tag)
2196
self.checker_initiator_tag = GLib.timeout_add(
1791
2197
value, self.start_checker)
1792
self.start_checker() # Start one now, too
1793
2198
self.start_checker() # Start one now, too
2199
1794
2200
# Checker - property
1795
2201
@dbus_service_property(_interface,
1796
2202
signature="s",
1799
2205
if value is None: # get
1800
2206
return dbus.String(self.checker_command)
1801
2207
self.checker_command = str(value)
1802
2208
1803
2209
# CheckerRunning - property
1804
2210
@dbus_service_property(_interface,
1805
2211
signature="b",
1811
2217
self.start_checker()
1812
2218
else:
1813
2219
self.stop_checker()
1814
2220
1815
2221
# ObjectPath - property
1816
2222
@dbus_annotations(
1817
2223
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1818
2224
"org.freedesktop.DBus.Deprecated": "true"})
1819
2225
@dbus_service_property(_interface, signature="o", access="read")
1820
2226
def ObjectPath_dbus_property(self):
1821
return self.dbus_object_path # is already a dbus.ObjectPath
1822
2227
return self.dbus_object_path # is already a dbus.ObjectPath
2228
1823
2229
# Secret = property
1824
2230
@dbus_annotations(
1825
2231
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1830
2236
byte_arrays=True)
1831
2237
def Secret_dbus_property(self, value):
1832
2238
self.secret = bytes(value)
1833
2239
1834
2240
del _interface
1835
2241
1836
2242
1837
class ProxyClient(object):
1838
def __init__(self, child_pipe, fpr, address):
2243
class ProxyClient:
2244
def __init__(self, child_pipe, key_id, fpr, address):
1839
2245
self._pipe = child_pipe
1840
self._pipe.send(('init', fpr, address))
2246
self._pipe.send(('init', key_id, fpr, address))
1841
2247
if not self._pipe.recv():
1842
raise KeyError(fpr)
1843
2248
raise KeyError(key_id or fpr)
2249
1844
2250
def __getattribute__(self, name):
1845
2251
if name == '_pipe':
1846
2252
return super(ProxyClient, self).__getattribute__(name)
1849
2255
if data[0] == 'data':
1850
2256
return data[1]
1851
2257
if data[0] == 'function':
1852
2258
1853
2259
def func(*args, **kwargs):
1854
2260
self._pipe.send(('funcall', name, args, kwargs))
1855
2261
return self._pipe.recv()[1]
1856
2262
1857
2263
return func
1858
2264
1859
2265
def __setattr__(self, name, value):
1860
2266
if name == '_pipe':
1861
2267
return super(ProxyClient, self).__setattr__(name, value)
1864
2270
1865
2271
class ClientHandler(socketserver.BaseRequestHandler, object):
1866
2272
"""A class to handle client connections.
1867
2273
1868
2274
Instantiated once for each connection to handle it.
1869
2275
Note: This will run in its own forked process."""
1870
2276
1871
2277
def handle(self):
1872
2278
with contextlib.closing(self.server.child_pipe) as child_pipe:
1873
2279
logger.info("TCP connection from: %s",
1874
2280
str(self.client_address))
1875
2281
logger.debug("Pipe FD: %d",
1876
2282
self.server.child_pipe.fileno())
1877
1878
session = gnutls.connection.ClientSession(
1879
self.request, gnutls.connection .X509Credentials())
1880
1881
# Note: gnutls.connection.X509Credentials is really a
1882
# generic GnuTLS certificate credentials object so long as
1883
# no X.509 keys are added to it. Therefore, we can use it
1884
# here despite using OpenPGP certificates.
1885
1886
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1887
# "+AES-256-CBC", "+SHA1",
1888
# "+COMP-NULL", "+CTYPE-OPENPGP",
1889
# "+DHE-DSS"))
2283
2284
session = gnutls.ClientSession(self.request)
2285
2286
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2287
# "+AES-256-CBC", "+SHA1",
2288
# "+COMP-NULL", "+CTYPE-OPENPGP",
2289
# "+DHE-DSS"))
1890
2290
# Use a fallback default, since this MUST be set.
1891
2291
priority = self.server.gnutls_priority
1892
2292
if priority is None:
1893
2293
priority = "NORMAL"
1894
gnutls.library.functions.gnutls_priority_set_direct(
1895
session._c_object, priority, None)
1896
2294
gnutls.priority_set_direct(session._c_object,
2295
priority.encode("utf-8"),
2296
None)
2297
1897
2298
# Start communication using the Mandos protocol
1898
2299
# Get protocol number
1899
2300
line = self.request.makefile().readline()
1904
2305
except (ValueError, IndexError, RuntimeError) as error:
1905
2306
logger.error("Unknown protocol version: %s", error)
1906
2307
return
1907
2308
1908
2309
# Start GnuTLS connection
1909
2310
try:
1910
2311
session.handshake()
1911
except gnutls.errors.GNUTLSError as error:
2312
except gnutls.Error as error:
1912
2313
logger.warning("Handshake failed: %s", error)
1913
2314
# Do not run session.bye() here: the session is not
1914
2315
# established. Just abandon the request.
1915
2316
return
1916
2317
logger.debug("Handshake succeeded")
1917
2318
1918
2319
approval_required = False
1919
2320
try:
1920
try:
1921
fpr = self.fingerprint(
1922
self.peer_certificate(session))
1923
except (TypeError,
1924
gnutls.errors.GNUTLSError) as error:
1925
logger.warning("Bad certificate: %s", error)
1926
return
1927
logger.debug("Fingerprint: %s", fpr)
1928
1929
try:
1930
client = ProxyClient(child_pipe, fpr,
2321
if gnutls.has_rawpk:
2322
fpr = b""
2323
try:
2324
key_id = self.key_id(
2325
self.peer_certificate(session))
2326
except (TypeError, gnutls.Error) as error:
2327
logger.warning("Bad certificate: %s", error)
2328
return
2329
logger.debug("Key ID: %s", key_id)
2330
2331
else:
2332
key_id = b""
2333
try:
2334
fpr = self.fingerprint(
2335
self.peer_certificate(session))
2336
except (TypeError, gnutls.Error) as error:
2337
logger.warning("Bad certificate: %s", error)
2338
return
2339
logger.debug("Fingerprint: %s", fpr)
2340
2341
try:
2342
client = ProxyClient(child_pipe, key_id, fpr,
1931
2343
self.client_address)
1932
2344
except KeyError:
1933
2345
return
1934
2346
1935
2347
if client.approval_delay:
1936
2348
delay = client.approval_delay
1937
2349
client.approvals_pending += 1
1938
2350
approval_required = True
1939
2351
1940
2352
while True:
1941
2353
if not client.enabled:
1942
2354
logger.info("Client %s is disabled",
1945
2357
# Emit D-Bus signal
1946
2358
client.Rejected("Disabled")
1947
2359
return
1948
2360
1949
2361
if client.approved or not client.approval_delay:
1950
#We are approved or approval is disabled
2362
# We are approved or approval is disabled
1951
2363
break
1952
2364
elif client.approved is None:
1953
2365
logger.info("Client %s needs approval",
1964
2376
# Emit D-Bus signal
1965
2377
client.Rejected("Denied")
1966
2378
return
1967
1968
#wait until timeout or approved
2379
2380
# wait until timeout or approved
1969
2381
time = datetime.datetime.now()
1970
2382
client.changedstate.acquire()
1971
2383
client.changedstate.wait(delay.total_seconds())
1984
2396
break
1985
2397
else:
1986
2398
delay -= time2 - time
1987
1988
sent_size = 0
1989
while sent_size < len(client.secret):
1990
try:
1991
sent = session.send(client.secret[sent_size:])
1992
except gnutls.errors.GNUTLSError as error:
1993
logger.warning("gnutls send failed",
1994
exc_info=error)
1995
return
1996
logger.debug("Sent: %d, remaining: %d", sent,
1997
len(client.secret) - (sent_size
1998
+ sent))
1999
sent_size += sent
2000
2399
2400
try:
2401
session.send(client.secret)
2402
except gnutls.Error as error:
2403
logger.warning("gnutls send failed",
2404
exc_info=error)
2405
return
2406
2001
2407
logger.info("Sending secret to %s", client.name)
2002
2408
# bump the timeout using extended_timeout
2003
2409
client.bump_timeout(client.extended_timeout)
2004
2410
if self.server.use_dbus:
2005
2411
# Emit D-Bus signal
2006
2412
client.GotSecret()
2007
2413
2008
2414
finally:
2009
2415
if approval_required:
2010
2416
client.approvals_pending -= 1
2011
2417
try:
2012
2418
session.bye()
2013
except gnutls.errors.GNUTLSError as error:
2419
except gnutls.Error as error:
2014
2420
logger.warning("GnuTLS bye failed",
2015
2421
exc_info=error)
2016
2422
2017
2423
@staticmethod
2018
2424
def peer_certificate(session):
2019
"Return the peer's OpenPGP certificate as a bytestring"
2020
# If not an OpenPGP certificate...
2021
if (gnutls.library.functions.gnutls_certificate_type_get(
2022
session._c_object)
2023
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2024
# ...do the normal thing
2025
return session.peer_certificate
2425
"Return the peer's certificate as a bytestring"
2426
try:
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2428
gnutls.CTYPE_PEERS)
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2433
else:
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2438
valid_cert_types)
2439
# ...return invalid data
2440
return b""
2026
2441
list_size = ctypes.c_uint(1)
2027
cert_list = (gnutls.library.functions
2028
.gnutls_certificate_get_peers
2442
cert_list = (gnutls.certificate_get_peers
2029
2443
(session._c_object, ctypes.byref(list_size)))
2030
2444
if not bool(cert_list) and list_size.value != 0:
2031
raise gnutls.errors.GNUTLSError("error getting peer"
2032
" certificate")
2445
raise gnutls.Error("error getting peer certificate")
2033
2446
if list_size.value == 0:
2034
2447
return None
2035
2448
cert = cert_list[0]
2036
2449
return ctypes.string_at(cert.data, cert.size)
2037
2450
2451
@staticmethod
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2478
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2483
return hex_key_id
2484
2038
2485
@staticmethod
2039
2486
def fingerprint(openpgp):
2040
2487
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2041
2488
# New GnuTLS "datum" with the OpenPGP public key
2042
datum = gnutls.library.types.gnutls_datum_t(
2489
datum = gnutls.datum_t(
2043
2490
ctypes.cast(ctypes.c_char_p(openpgp),
2044
2491
ctypes.POINTER(ctypes.c_ubyte)),
2045
2492
ctypes.c_uint(len(openpgp)))
2046
2493
# New empty GnuTLS certificate
2047
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2048
gnutls.library.functions.gnutls_openpgp_crt_init(
2049
ctypes.byref(crt))
2494
crt = gnutls.openpgp_crt_t()
2495
gnutls.openpgp_crt_init(ctypes.byref(crt))
2050
2496
# Import the OpenPGP public key into the certificate
2051
gnutls.library.functions.gnutls_openpgp_crt_import(
2052
crt, ctypes.byref(datum),
2053
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2497
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2498
gnutls.OPENPGP_FMT_RAW)
2054
2499
# Verify the self signature in the key
2055
2500
crtverify = ctypes.c_uint()
2056
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2057
crt, 0, ctypes.byref(crtverify))
2501
gnutls.openpgp_crt_verify_self(crt, 0,
2502
ctypes.byref(crtverify))
2058
2503
if crtverify.value != 0:
2059
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2060
raise gnutls.errors.CertificateSecurityError(
2061
"Verify failed")
2504
gnutls.openpgp_crt_deinit(crt)
2505
raise gnutls.CertificateSecurityError(code
2506
=crtverify.value)
2062
2507
# New buffer for the fingerprint
2063
2508
buf = ctypes.create_string_buffer(20)
2064
2509
buf_len = ctypes.c_size_t()
2065
2510
# Get the fingerprint from the certificate into the buffer
2066
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2067
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2511
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2512
ctypes.byref(buf_len))
2068
2513
# Deinit the certificate
2069
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2514
gnutls.openpgp_crt_deinit(crt)
2070
2515
# Convert the buffer to a Python bytestring
2071
2516
fpr = ctypes.string_at(buf, buf_len.value)
2072
2517
# Convert the bytestring to hexadecimal notation
2074
2519
return hex_fpr
2075
2520
2076
2521
2077
class MultiprocessingMixIn(object):
2522
class MultiprocessingMixIn:
2078
2523
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2079
2524
2080
2525
def sub_process_main(self, request, address):
2081
2526
try:
2082
2527
self.finish_request(request, address)
2083
2528
except Exception:
2084
2529
self.handle_error(request, address)
2085
2530
self.close_request(request)
2086
2531
2087
2532
def process_request(self, request, address):
2088
2533
"""Start a new process to process the request."""
2089
proc = multiprocessing.Process(target = self.sub_process_main,
2090
args = (request, address))
2534
proc = multiprocessing.Process(target=self.sub_process_main,
2535
args=(request, address))
2091
2536
proc.start()
2092
2537
return proc
2093
2538
2094
2539
2095
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2540
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2096
2541
""" adds a pipe to the MixIn """
2097
2542
2098
2543
def process_request(self, request, client_address):
2099
2544
"""Overrides and wraps the original process_request().
2100
2545
2101
2546
This function creates a new pipe in self.pipe
2102
2547
"""
2103
2548
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2104
2549
2105
2550
proc = MultiprocessingMixIn.process_request(self, request,
2106
2551
client_address)
2107
2552
self.child_pipe.close()
2108
2553
self.add_pipe(parent_pipe, proc)
2109
2554
2110
2555
def add_pipe(self, parent_pipe, proc):
2111
2556
"""Dummy function; override as necessary"""
2112
2557
raise NotImplementedError()
2113
2558
2114
2559
2115
2560
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2116
socketserver.TCPServer, object):
2561
socketserver.TCPServer):
2117
2562
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2118
2563
2119
2564
Attributes:
2120
2565
enabled: Boolean; whether this server is activated yet
2121
2566
interface: None or a network interface name (string)
2122
2567
use_ipv6: Boolean; to use IPv6 or not
2123
2568
"""
2124
2569
2125
2570
def __init__(self, server_address, RequestHandlerClass,
2126
2571
interface=None,
2127
2572
use_ipv6=True,
2137
2582
self.socketfd = socketfd
2138
2583
# Save the original socket.socket() function
2139
2584
self.socket_socket = socket.socket
2585
2140
2586
# To implement --socket, we monkey patch socket.socket.
2141
#
2587
#
2142
2588
# (When socketserver.TCPServer is a new-style class, we
2143
2589
# could make self.socket into a property instead of monkey
2144
2590
# patching socket.socket.)
2145
#
2591
#
2146
2592
# Create a one-time-only replacement for socket.socket()
2147
2593
@functools.wraps(socket.socket)
2148
2594
def socket_wrapper(*args, **kwargs):
2160
2606
# socket_wrapper(), if socketfd was set.
2161
2607
socketserver.TCPServer.__init__(self, server_address,
2162
2608
RequestHandlerClass)
2163
2609
2164
2610
def server_bind(self):
2165
2611
"""This overrides the normal server_bind() function
2166
2612
to bind to an interface if one was specified, and also NOT to
2167
2613
bind to an address or port if they were not specified."""
2614
global SO_BINDTODEVICE
2168
2615
if self.interface is not None:
2169
2616
if SO_BINDTODEVICE is None:
2170
logger.error("SO_BINDTODEVICE does not exist;"
2171
" cannot bind to interface %s",
2172
self.interface)
2173
else:
2174
try:
2175
self.socket.setsockopt(
2176
socket.SOL_SOCKET, SO_BINDTODEVICE,
2177
(self.interface + "\0").encode("utf-8"))
2178
except socket.error as error:
2179
if error.errno == errno.EPERM:
2180
logger.error("No permission to bind to"
2181
" interface %s", self.interface)
2182
elif error.errno == errno.ENOPROTOOPT:
2183
logger.error("SO_BINDTODEVICE not available;"
2184
" cannot bind to interface %s",
2185
self.interface)
2186
elif error.errno == errno.ENODEV:
2187
logger.error("Interface %s does not exist,"
2188
" cannot bind", self.interface)
2189
else:
2190
raise
2617
# Fall back to a hard-coded value which seems to be
2618
# common enough.
2619
logger.warning("SO_BINDTODEVICE not found, trying 25")
2620
SO_BINDTODEVICE = 25
2621
try:
2622
self.socket.setsockopt(
2623
socket.SOL_SOCKET, SO_BINDTODEVICE,
2624
(self.interface + "\0").encode("utf-8"))
2625
except socket.error as error:
2626
if error.errno == errno.EPERM:
2627
logger.error("No permission to bind to"
2628
" interface %s", self.interface)
2629
elif error.errno == errno.ENOPROTOOPT:
2630
logger.error("SO_BINDTODEVICE not available;"
2631
" cannot bind to interface %s",
2632
self.interface)
2633
elif error.errno == errno.ENODEV:
2634
logger.error("Interface %s does not exist,"
2635
" cannot bind", self.interface)
2636
else:
2637
raise
2191
2638
# Only bind(2) the socket if we really need to.
2192
2639
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2193
2642
if not self.server_address[0]:
2194
2643
if self.address_family == socket.AF_INET6:
2195
any_address = "::" # in6addr_any
2644
any_address = "::" # in6addr_any
2196
2645
else:
2197
any_address = "0.0.0.0" # INADDR_ANY
2646
any_address = "0.0.0.0" # INADDR_ANY
2198
2647
self.server_address = (any_address,
2199
2648
self.server_address[1])
2200
2649
elif not self.server_address[1]:
2210
2659
2211
2660
class MandosServer(IPv6_TCPServer):
2212
2661
"""Mandos server.
2213
2662
2214
2663
Attributes:
2215
2664
clients: set of Client objects
2216
2665
gnutls_priority GnuTLS priority string
2217
2666
use_dbus: Boolean; to emit D-Bus signals or not
2218
2219
Assumes a gobject.MainLoop event loop.
2667
2668
Assumes a GLib.MainLoop event loop.
2220
2669
"""
2221
2670
2222
2671
def __init__(self, server_address, RequestHandlerClass,
2223
2672
interface=None,
2224
2673
use_ipv6=True,
2234
2683
self.gnutls_priority = gnutls_priority
2235
2684
IPv6_TCPServer.__init__(self, server_address,
2236
2685
RequestHandlerClass,
2237
interface = interface,
2238
use_ipv6 = use_ipv6,
2239
socketfd = socketfd)
2240
2686
interface=interface,
2687
use_ipv6=use_ipv6,
2688
socketfd=socketfd)
2689
2241
2690
def server_activate(self):
2242
2691
if self.enabled:
2243
2692
return socketserver.TCPServer.server_activate(self)
2244
2693
2245
2694
def enable(self):
2246
2695
self.enabled = True
2247
2696
2248
2697
def add_pipe(self, parent_pipe, proc):
2249
2698
# Call "handle_ipc" for both data and EOF events
2250
gobject.io_add_watch(
2251
parent_pipe.fileno(),
2252
gobject.IO_IN | gobject.IO_HUP,
2699
GLib.io_add_watch(
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2253
2702
functools.partial(self.handle_ipc,
2254
parent_pipe = parent_pipe,
2255
proc = proc))
2256
2703
parent_pipe=parent_pipe,
2704
proc=proc))
2705
2257
2706
def handle_ipc(self, source, condition,
2258
2707
parent_pipe=None,
2259
proc = None,
2708
proc=None,
2260
2709
client_object=None):
2261
2710
# error, or the other end of multiprocessing.Pipe has closed
2262
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2711
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2263
2712
# Wait for other process to exit
2264
2713
proc.join()
2265
2714
return False
2266
2715
2267
2716
# Read a request from the child
2268
2717
request = parent_pipe.recv()
2269
2718
command = request[0]
2270
2719
2271
2720
if command == 'init':
2272
fpr = request[1]
2273
address = request[2]
2274
2275
for c in self.clients.itervalues():
2276
if c.fingerprint == fpr:
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2724
2725
for c in self.clients.values():
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2727
continue
2728
if key_id and c.key_id == key_id:
2729
client = c
2730
break
2731
if fpr and c.fingerprint == fpr:
2277
2732
client = c
2278
2733
break
2279
2734
else:
2280
logger.info("Client not found for fingerprint: %s, ad"
2281
"dress: %s", fpr, address)
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2282
2737
if self.use_dbus:
2283
2738
# Emit D-Bus signal
2284
mandos_dbus_service.ClientNotFound(fpr,
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2285
2740
address[0])
2286
2741
parent_pipe.send(False)
2287
2742
return False
2288
2289
gobject.io_add_watch(
2290
parent_pipe.fileno(),
2291
gobject.IO_IN | gobject.IO_HUP,
2743
2744
GLib.io_add_watch(
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2292
2747
functools.partial(self.handle_ipc,
2293
parent_pipe = parent_pipe,
2294
proc = proc,
2295
client_object = client))
2748
parent_pipe=parent_pipe,
2749
proc=proc,
2750
client_object=client))
2296
2751
parent_pipe.send(True)
2297
2752
# remove the old hook in favor of the new above hook on
2298
2753
# same fileno
2301
2756
funcname = request[1]
2302
2757
args = request[2]
2303
2758
kwargs = request[3]
2304
2759
2305
2760
parent_pipe.send(('data', getattr(client_object,
2306
2761
funcname)(*args,
2307
2762
**kwargs)))
2308
2763
2309
2764
if command == 'getattr':
2310
2765
attrname = request[1]
2311
2766
if isinstance(client_object.__getattribute__(attrname),
2312
collections.Callable):
2767
collections.abc.Callable):
2313
2768
parent_pipe.send(('function', ))
2314
2769
else:
2315
2770
parent_pipe.send((
2316
2771
'data', client_object.__getattribute__(attrname)))
2317
2772
2318
2773
if command == 'setattr':
2319
2774
attrname = request[1]
2320
2775
value = request[2]
2321
2776
setattr(client_object, attrname, value)
2322
2777
2323
2778
return True
2324
2779
2325
2780
2326
2781
def rfc3339_duration_to_delta(duration):
2327
2782
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2328
2329
>>> rfc3339_duration_to_delta("P7D")
2330
datetime.timedelta(7)
2331
>>> rfc3339_duration_to_delta("PT60S")
2332
datetime.timedelta(0, 60)
2333
>>> rfc3339_duration_to_delta("PT60M")
2334
datetime.timedelta(0, 3600)
2335
>>> rfc3339_duration_to_delta("PT24H")
2336
datetime.timedelta(1)
2337
>>> rfc3339_duration_to_delta("P1W")
2338
datetime.timedelta(7)
2339
>>> rfc3339_duration_to_delta("PT5M30S")
2340
datetime.timedelta(0, 330)
2341
>>> rfc3339_duration_to_delta("P1DT3M20S")
2342
datetime.timedelta(1, 200)
2783
2784
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2785
True
2786
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2787
True
2788
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2789
True
2790
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2791
True
2792
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2793
True
2794
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2795
True
2796
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2797
True
2343
2798
"""
2344
2799
2345
2800
# Parsing an RFC 3339 duration with regular expressions is not
2346
2801
# possible - there would have to be multiple places for the same
2347
2802
# values, like seconds. The current code, while more esoteric, is
2348
2803
# cleaner without depending on a parsing library. If Python had a
2349
2804
# built-in library for parsing we would use it, but we'd like to
2350
2805
# avoid excessive use of external libraries.
2351
2806
2352
2807
# New type for defining tokens, syntax, and semantics all-in-one
2353
2808
Token = collections.namedtuple("Token", (
2354
2809
"regexp", # To match token; if "value" is not None, must have
2387
2842
frozenset((token_year, token_month,
2388
2843
token_day, token_time,
2389
2844
token_week)))
2390
# Define starting values
2391
value = datetime.timedelta() # Value so far
2845
# Define starting values:
2846
# Value so far
2847
value = datetime.timedelta()
2392
2848
found_token = None
2393
followers = frozenset((token_duration, )) # Following valid tokens
2394
s = duration # String left to parse
2849
# Following valid tokens
2850
followers = frozenset((token_duration, ))
2851
# String left to parse
2852
s = duration
2395
2853
# Loop until end token is found
2396
2854
while found_token is not token_end:
2397
2855
# Search for any currently valid tokens
2421
2879
2422
2880
def string_to_delta(interval):
2423
2881
"""Parse a string and return a datetime.timedelta
2424
2425
>>> string_to_delta('7d')
2426
datetime.timedelta(7)
2427
>>> string_to_delta('60s')
2428
datetime.timedelta(0, 60)
2429
>>> string_to_delta('60m')
2430
datetime.timedelta(0, 3600)
2431
>>> string_to_delta('24h')
2432
datetime.timedelta(1)
2433
>>> string_to_delta('1w')
2434
datetime.timedelta(7)
2435
>>> string_to_delta('5m 30s')
2436
datetime.timedelta(0, 330)
2882
2883
>>> string_to_delta('7d') == datetime.timedelta(7)
2884
True
2885
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2886
True
2887
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2888
True
2889
>>> string_to_delta('24h') == datetime.timedelta(1)
2890
True
2891
>>> string_to_delta('1w') == datetime.timedelta(7)
2892
True
2893
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2894
True
2437
2895
"""
2438
2896
2439
2897
try:
2440
2898
return rfc3339_duration_to_delta(interval)
2441
2899
except ValueError:
2442
2900
pass
2443
2901
2444
2902
timevalue = datetime.timedelta(0)
2445
2903
for s in interval.split():
2446
2904
try:
2464
2922
return timevalue
2465
2923
2466
2924
2467
def daemon(nochdir = False, noclose = False):
2925
def daemon(nochdir=False, noclose=False):
2468
2926
"""See daemon(3). Standard BSD Unix function.
2469
2927
2470
2928
This should really exist as os.daemon, but it doesn't (yet)."""
2471
2929
if os.fork():
2472
2930
sys.exit()
2490
2948
2491
2949
2492
2950
def main():
2493
2951
2494
2952
##################################################################
2495
2953
# Parsing of options, both command line and config file
2496
2954
2497
2955
parser = argparse.ArgumentParser()
2498
2956
parser.add_argument("-v", "--version", action="version",
2499
version = "%(prog)s {}".format(version),
2957
version="%(prog)s {}".format(version),
2500
2958
help="show version number and exit")
2501
2959
parser.add_argument("-i", "--interface", metavar="IF",
2502
2960
help="Bind to interface IF")
2538
2996
parser.add_argument("--no-zeroconf", action="store_false",
2539
2997
dest="zeroconf", help="Do not use Zeroconf",
2540
2998
default=None)
2541
2999
2542
3000
options = parser.parse_args()
2543
2544
if options.check:
2545
import doctest
2546
fail_count, test_count = doctest.testmod()
2547
sys.exit(os.EX_OK if fail_count == 0 else 1)
2548
3001
2549
3002
# Default values for config file for server-global settings
2550
server_defaults = { "interface": "",
2551
"address": "",
2552
"port": "",
2553
"debug": "False",
2554
"priority":
2555
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2556
":+SIGN-DSA-SHA256",
2557
"servicename": "Mandos",
2558
"use_dbus": "True",
2559
"use_ipv6": "True",
2560
"debuglevel": "",
2561
"restore": "True",
2562
"socket": "",
2563
"statedir": "/var/lib/mandos",
2564
"foreground": "False",
2565
"zeroconf": "True",
2566
}
2567
3003
if gnutls.has_rawpk:
3004
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3005
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3006
else:
3007
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3008
":+SIGN-DSA-SHA256")
3009
server_defaults = {"interface": "",
3010
"address": "",
3011
"port": "",
3012
"debug": "False",
3013
"priority": priority,
3014
"servicename": "Mandos",
3015
"use_dbus": "True",
3016
"use_ipv6": "True",
3017
"debuglevel": "",
3018
"restore": "True",
3019
"socket": "",
3020
"statedir": "/var/lib/mandos",
3021
"foreground": "False",
3022
"zeroconf": "True",
3023
}
3024
del priority
3025
2568
3026
# Parse config file for server-global settings
2569
server_config = configparser.SafeConfigParser(server_defaults)
3027
server_config = configparser.ConfigParser(server_defaults)
2570
3028
del server_defaults
2571
3029
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2572
# Convert the SafeConfigParser object to a dict
3030
# Convert the ConfigParser object to a dict
2573
3031
server_settings = server_config.defaults()
2574
3032
# Use the appropriate methods on the non-string config options
2575
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3033
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3034
"foreground", "zeroconf"):
2576
3035
server_settings[option] = server_config.getboolean("DEFAULT",
2577
3036
option)
2578
3037
if server_settings["port"]:
2588
3047
server_settings["socket"] = os.dup(server_settings
2589
3048
["socket"])
2590
3049
del server_config
2591
3050
2592
3051
# Override the settings from the config file with command line
2593
3052
# options, if set.
2594
3053
for option in ("interface", "address", "port", "debug",
2612
3071
if server_settings["debug"]:
2613
3072
server_settings["foreground"] = True
2614
3073
# Now we have our good server settings in "server_settings"
2615
3074
2616
3075
##################################################################
2617
3076
2618
3077
if (not server_settings["zeroconf"]
2619
3078
and not (server_settings["port"]
2620
3079
or server_settings["socket"] != "")):
2621
3080
parser.error("Needs port or socket to work without Zeroconf")
2622
3081
2623
3082
# For convenience
2624
3083
debug = server_settings["debug"]
2625
3084
debuglevel = server_settings["debuglevel"]
2629
3088
stored_state_file)
2630
3089
foreground = server_settings["foreground"]
2631
3090
zeroconf = server_settings["zeroconf"]
2632
3091
2633
3092
if debug:
2634
3093
initlogger(debug, logging.DEBUG)
2635
3094
else:
2638
3097
else:
2639
3098
level = getattr(logging, debuglevel.upper())
2640
3099
initlogger(debug, level)
2641
3100
2642
3101
if server_settings["servicename"] != "Mandos":
2643
3102
syslogger.setFormatter(
2644
3103
logging.Formatter('Mandos ({}) [%(process)d]:'
2645
3104
' %(levelname)s: %(message)s'.format(
2646
3105
server_settings["servicename"])))
2647
3106
2648
3107
# Parse config file with clients
2649
client_config = configparser.SafeConfigParser(Client
2650
.client_defaults)
3108
client_config = configparser.ConfigParser(Client.client_defaults)
2651
3109
client_config.read(os.path.join(server_settings["configdir"],
2652
3110
"clients.conf"))
2653
3111
2654
3112
global mandos_dbus_service
2655
3113
mandos_dbus_service = None
2656
3114
2657
3115
socketfd = None
2658
3116
if server_settings["socket"] != "":
2659
3117
socketfd = server_settings["socket"]
2675
3133
except IOError as e:
2676
3134
logger.error("Could not open file %r", pidfilename,
2677
3135
exc_info=e)
2678
2679
for name in ("_mandos", "mandos", "nobody"):
3136
3137
for name, group in (("_mandos", "_mandos"),
3138
("mandos", "mandos"),
3139
("nobody", "nogroup")):
2680
3140
try:
2681
3141
uid = pwd.getpwnam(name).pw_uid
2682
gid = pwd.getpwnam(name).pw_gid
3142
gid = pwd.getpwnam(group).pw_gid
2683
3143
break
2684
3144
except KeyError:
2685
3145
continue
2689
3149
try:
2690
3150
os.setgid(gid)
2691
3151
os.setuid(uid)
3152
if debug:
3153
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3154
gid))
2692
3155
except OSError as error:
3156
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3157
.format(uid, gid, os.strerror(error.errno)))
2693
3158
if error.errno != errno.EPERM:
2694
3159
raise
2695
3160
2696
3161
if debug:
2697
3162
# Enable all possible GnuTLS debugging
2698
3163
2699
3164
# "Use a log level over 10 to enable all debugging options."
2700
3165
# - GnuTLS manual
2701
gnutls.library.functions.gnutls_global_set_log_level(11)
2702
2703
@gnutls.library.types.gnutls_log_func
3166
gnutls.global_set_log_level(11)
3167
3168
@gnutls.log_func
2704
3169
def debug_gnutls(level, string):
2705
3170
logger.debug("GnuTLS: %s", string[:-1])
2706
2707
gnutls.library.functions.gnutls_global_set_log_function(
2708
debug_gnutls)
2709
3171
3172
gnutls.global_set_log_function(debug_gnutls)
3173
2710
3174
# Redirect stdin so all checkers get /dev/null
2711
3175
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2712
3176
os.dup2(null, sys.stdin.fileno())
2713
3177
if null > 2:
2714
3178
os.close(null)
2715
3179
2716
3180
# Need to fork before connecting to D-Bus
2717
3181
if not foreground:
2718
3182
# Close all input and output, do double fork, etc.
2719
3183
daemon()
2720
2721
# multiprocessing will use threads, so before we use gobject we
2722
# need to inform gobject that threads will be used.
2723
gobject.threads_init()
2724
3184
3185
if gi.version_info < (3, 10, 2):
3186
# multiprocessing will use threads, so before we use GLib we
3187
# need to inform GLib that threads will be used.
3188
GLib.threads_init()
3189
2725
3190
global main_loop
2726
3191
# From the Avahi example code
2727
3192
DBusGMainLoop(set_as_default=True)
2728
main_loop = gobject.MainLoop()
3193
main_loop = GLib.MainLoop()
2729
3194
bus = dbus.SystemBus()
2730
3195
# End of Avahi example code
2731
3196
if use_dbus:
2744
3209
if zeroconf:
2745
3210
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2746
3211
service = AvahiServiceToSyslog(
2747
name = server_settings["servicename"],
2748
servicetype = "_mandos._tcp",
2749
protocol = protocol,
2750
bus = bus)
3212
name=server_settings["servicename"],
3213
servicetype="_mandos._tcp",
3214
protocol=protocol,
3215
bus=bus)
2751
3216
if server_settings["interface"]:
2752
3217
service.interface = if_nametoindex(
2753
3218
server_settings["interface"].encode("utf-8"))
2754
3219
2755
3220
global multiprocessing_manager
2756
3221
multiprocessing_manager = multiprocessing.Manager()
2757
3222
2758
3223
client_class = Client
2759
3224
if use_dbus:
2760
client_class = functools.partial(ClientDBus, bus = bus)
2761
3225
client_class = functools.partial(ClientDBus, bus=bus)
3226
2762
3227
client_settings = Client.config_parser(client_config)
2763
3228
old_client_settings = {}
2764
3229
clients_data = {}
2765
3230
2766
3231
# This is used to redirect stdout and stderr for checker processes
2767
3232
global wnull
2768
wnull = open(os.devnull, "w") # A writable /dev/null
3233
wnull = open(os.devnull, "w") # A writable /dev/null
2769
3234
# Only used if server is running in foreground but not in debug
2770
3235
# mode
2771
3236
if debug or not foreground:
2772
3237
wnull.close()
2773
3238
2774
3239
# Get client data and settings from last running state.
2775
3240
if server_settings["restore"]:
2776
3241
try:
2777
3242
with open(stored_state_path, "rb") as stored_state:
2778
clients_data, old_client_settings = pickle.load(
2779
stored_state)
3243
if sys.version_info.major == 2:
3244
clients_data, old_client_settings = pickle.load(
3245
stored_state)
3246
else:
3247
bytes_clients_data, bytes_old_client_settings = (
3248
pickle.load(stored_state, encoding="bytes"))
3249
# Fix bytes to strings
3250
# clients_data
3251
# .keys()
3252
clients_data = {(key.decode("utf-8")
3253
if isinstance(key, bytes)
3254
else key): value
3255
for key, value in
3256
bytes_clients_data.items()}
3257
del bytes_clients_data
3258
for key in clients_data:
3259
value = {(k.decode("utf-8")
3260
if isinstance(k, bytes) else k): v
3261
for k, v in
3262
clients_data[key].items()}
3263
clients_data[key] = value
3264
# .client_structure
3265
value["client_structure"] = [
3266
(s.decode("utf-8")
3267
if isinstance(s, bytes)
3268
else s) for s in
3269
value["client_structure"]]
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3272
if isinstance(value[k], bytes):
3273
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3278
# old_client_settings
3279
# .keys()
3280
old_client_settings = {
3281
(key.decode("utf-8")
3282
if isinstance(key, bytes)
3283
else key): value
3284
for key, value in
3285
bytes_old_client_settings.items()}
3286
del bytes_old_client_settings
3287
# .host and .checker_command
3288
for value in old_client_settings.values():
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
3292
.decode("utf-8"))
2780
3293
os.remove(stored_state_path)
2781
3294
except IOError as e:
2782
3295
if e.errno == errno.ENOENT:
2790
3303
logger.warning("Could not load persistent state: "
2791
3304
"EOFError:",
2792
3305
exc_info=e)
2793
3306
2794
3307
with PGPEngine() as pgp:
2795
3308
for client_name, client in clients_data.items():
2796
3309
# Skip removed clients
2797
3310
if client_name not in client_settings:
2798
3311
continue
2799
3312
2800
3313
# Decide which value to use after restoring saved state.
2801
3314
# We have three different values: Old config file,
2802
3315
# new config file, and saved state.
2813
3326
client[name] = value
2814
3327
except KeyError:
2815
3328
pass
2816
3329
2817
3330
# Clients who has passed its expire date can still be
2818
3331
# enabled if its last checker was successful. A Client
2819
3332
# whose checker succeeded before we stored its state is
2852
3365
client_name))
2853
3366
client["secret"] = (client_settings[client_name]
2854
3367
["secret"])
2855
3368
2856
3369
# Add/remove clients based on new changes made to config
2857
3370
for client_name in (set(old_client_settings)
2858
3371
- set(client_settings)):
2860
3373
for client_name in (set(client_settings)
2861
3374
- set(old_client_settings)):
2862
3375
clients_data[client_name] = client_settings[client_name]
2863
3376
2864
3377
# Create all client objects
2865
3378
for client_name, client in clients_data.items():
2866
3379
tcp_server.clients[client_name] = client_class(
2867
name = client_name,
2868
settings = client,
2869
server_settings = server_settings)
2870
3380
name=client_name,
3381
settings=client,
3382
server_settings=server_settings)
3383
2871
3384
if not tcp_server.clients:
2872
3385
logger.warning("No clients defined")
2873
3386
2874
3387
if not foreground:
2875
3388
if pidfile is not None:
2876
3389
pid = os.getpid()
2882
3395
pidfilename, pid)
2883
3396
del pidfile
2884
3397
del pidfilename
2885
2886
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2887
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2888
3398
3399
for termsig in (signal.SIGHUP, signal.SIGTERM):
3400
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3401
lambda: main_loop.quit() and False)
3402
2889
3403
if use_dbus:
2890
3404
2891
3405
@alternate_dbus_interfaces(
2892
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3406
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2893
3407
class MandosDBusService(DBusObjectWithObjectManager):
2894
3408
"""A D-Bus proxy object"""
2895
3409
2896
3410
def __init__(self):
2897
3411
dbus.service.Object.__init__(self, bus, "/")
2898
3412
2899
3413
_interface = "se.recompile.Mandos"
2900
3414
2901
3415
@dbus.service.signal(_interface, signature="o")
2902
3416
def ClientAdded(self, objpath):
2903
3417
"D-Bus signal"
2904
3418
pass
2905
3419
2906
3420
@dbus.service.signal(_interface, signature="ss")
2907
def ClientNotFound(self, fingerprint, address):
3421
def ClientNotFound(self, key_id, address):
2908
3422
"D-Bus signal"
2909
3423
pass
2910
3424
2911
3425
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2912
3426
"true"})
2913
3427
@dbus.service.signal(_interface, signature="os")
2914
3428
def ClientRemoved(self, objpath, name):
2915
3429
"D-Bus signal"
2916
3430
pass
2917
3431
2918
3432
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2919
3433
"true"})
2920
3434
@dbus.service.method(_interface, out_signature="ao")
2921
3435
def GetAllClients(self):
2922
3436
"D-Bus method"
2923
3437
return dbus.Array(c.dbus_object_path for c in
2924
tcp_server.clients.itervalues())
2925
3438
tcp_server.clients.values())
3439
2926
3440
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2927
3441
"true"})
2928
3442
@dbus.service.method(_interface,
2930
3444
def GetAllClientsWithProperties(self):
2931
3445
"D-Bus method"
2932
3446
return dbus.Dictionary(
2933
{ c.dbus_object_path: c.GetAll(
3447
{c.dbus_object_path: c.GetAll(
2934
3448
"se.recompile.Mandos.Client")
2935
for c in tcp_server.clients.itervalues() },
3449
for c in tcp_server.clients.values()},
2936
3450
signature="oa{sv}")
2937
3451
2938
3452
@dbus.service.method(_interface, in_signature="o")
2939
3453
def RemoveClient(self, object_path):
2940
3454
"D-Bus method"
2941
for c in tcp_server.clients.itervalues():
3455
for c in tcp_server.clients.values():
2942
3456
if c.dbus_object_path == object_path:
2943
3457
del tcp_server.clients[c.name]
2944
3458
c.remove_from_connection()
2948
3462
self.client_removed_signal(c)
2949
3463
return
2950
3464
raise KeyError(object_path)
2951
3465
2952
3466
del _interface
2953
3467
2954
3468
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2955
out_signature = "a{oa{sa{sv}}}")
3469
out_signature="a{oa{sa{sv}}}")
2956
3470
def GetManagedObjects(self):
2957
3471
"""D-Bus method"""
2958
3472
return dbus.Dictionary(
2959
{ client.dbus_object_path:
2960
dbus.Dictionary(
2961
{ interface: client.GetAll(interface)
2962
for interface in
2963
client._get_all_interface_names()})
2964
for client in tcp_server.clients.values()})
2965
3473
{client.dbus_object_path:
3474
dbus.Dictionary(
3475
{interface: client.GetAll(interface)
3476
for interface in
3477
client._get_all_interface_names()})
3478
for client in tcp_server.clients.values()})
3479
2966
3480
def client_added_signal(self, client):
2967
3481
"""Send the new standard signal and the old signal"""
2968
3482
if use_dbus:
2970
3484
self.InterfacesAdded(
2971
3485
client.dbus_object_path,
2972
3486
dbus.Dictionary(
2973
{ interface: client.GetAll(interface)
2974
for interface in
2975
client._get_all_interface_names()}))
3487
{interface: client.GetAll(interface)
3488
for interface in
3489
client._get_all_interface_names()}))
2976
3490
# Old signal
2977
3491
self.ClientAdded(client.dbus_object_path)
2978
3492
2979
3493
def client_removed_signal(self, client):
2980
3494
"""Send the new standard signal and the old signal"""
2981
3495
if use_dbus:
2986
3500
# Old signal
2987
3501
self.ClientRemoved(client.dbus_object_path,
2988
3502
client.name)
2989
3503
2990
3504
mandos_dbus_service = MandosDBusService()
2991
3505
3506
# Save modules to variables to exempt the modules from being
3507
# unloaded before the function registered with atexit() is run.
3508
mp = multiprocessing
3509
wn = wnull
3510
2992
3511
def cleanup():
2993
3512
"Cleanup function; run on exit"
2994
3513
if zeroconf:
2995
3514
service.cleanup()
2996
2997
multiprocessing.active_children()
2998
wnull.close()
3515
3516
mp.active_children()
3517
wn.close()
2999
3518
if not (tcp_server.clients or client_settings):
3000
3519
return
3001
3520
3002
3521
# Store client before exiting. Secrets are encrypted with key
3003
3522
# based on what config file has. If config file is
3004
3523
# removed/edited, old secret will thus be unrecovable.
3005
3524
clients = {}
3006
3525
with PGPEngine() as pgp:
3007
for client in tcp_server.clients.itervalues():
3526
for client in tcp_server.clients.values():
3008
3527
key = client_settings[client.name]["secret"]
3009
3528
client.encrypted_secret = pgp.encrypt(client.secret,
3010
3529
key)
3011
3530
client_dict = {}
3012
3531
3013
3532
# A list of attributes that can not be pickled
3014
3533
# + secret.
3015
exclude = { "bus", "changedstate", "secret",
3016
"checker", "server_settings" }
3534
exclude = {"bus", "changedstate", "secret",
3535
"checker", "server_settings"}
3017
3536
for name, typ in inspect.getmembers(dbus.service
3018
3537
.Object):
3019
3538
exclude.add(name)
3020
3539
3021
3540
client_dict["encrypted_secret"] = (client
3022
3541
.encrypted_secret)
3023
3542
for attr in client.client_structure:
3024
3543
if attr not in exclude:
3025
3544
client_dict[attr] = getattr(client, attr)
3026
3545
3027
3546
clients[client.name] = client_dict
3028
3547
del client_settings[client.name]["secret"]
3029
3548
3030
3549
try:
3031
3550
with tempfile.NamedTemporaryFile(
3032
3551
mode='wb',
3034
3553
prefix='clients-',
3035
3554
dir=os.path.dirname(stored_state_path),
3036
3555
delete=False) as stored_state:
3037
pickle.dump((clients, client_settings), stored_state)
3556
pickle.dump((clients, client_settings), stored_state,
3557
protocol=2)
3038
3558
tempname = stored_state.name
3039
3559
os.rename(tempname, stored_state_path)
3040
3560
except (IOError, OSError) as e:
3050
3570
logger.warning("Could not save persistent state:",
3051
3571
exc_info=e)
3052
3572
raise
3053
3573
3054
3574
# Delete all clients, and settings from config
3055
3575
while tcp_server.clients:
3056
3576
name, client = tcp_server.clients.popitem()
3059
3579
# Don't signal the disabling
3060
3580
client.disable(quiet=True)
3061
3581
# Emit D-Bus signal for removal
3062
mandos_dbus_service.client_removed_signal(client)
3582
if use_dbus:
3583
mandos_dbus_service.client_removed_signal(client)
3063
3584
client_settings.clear()
3064
3585
3065
3586
atexit.register(cleanup)
3066
3067
for client in tcp_server.clients.itervalues():
3587
3588
for client in tcp_server.clients.values():
3068
3589
if use_dbus:
3069
3590
# Emit D-Bus signal for adding
3070
3591
mandos_dbus_service.client_added_signal(client)
3071
3592
# Need to initiate checking of clients
3072
3593
if client.enabled:
3073
3594
client.init_checker()
3074
3595
3075
3596
tcp_server.enable()
3076
3597
tcp_server.server_activate()
3077
3598
3078
3599
# Find out what port we got
3079
3600
if zeroconf:
3080
3601
service.port = tcp_server.socket.getsockname()[1]
3085
3606
else: # IPv4
3086
3607
logger.info("Now listening on address %r, port %d",
3087
3608
*tcp_server.socket.getsockname())
3088
3089
#service.interface = tcp_server.socket.getsockname()[3]
3090
3609
3610
# service.interface = tcp_server.socket.getsockname()[3]
3611
3091
3612
try:
3092
3613
if zeroconf:
3093
3614
# From the Avahi example code
3098
3619
cleanup()
3099
3620
sys.exit(1)
3100
3621
# End of Avahi example code
3101
3102
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3103
lambda *args, **kwargs:
3104
(tcp_server.handle_request
3105
(*args[2:], **kwargs) or True))
3106
3622
3623
GLib.io_add_watch(
3624
GLib.IOChannel.unix_new(tcp_server.fileno()),
3625
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3626
lambda *args, **kwargs: (tcp_server.handle_request
3627
(*args[2:], **kwargs) or True))
3628
3107
3629
logger.debug("Starting main loop")
3108
3630
main_loop.run()
3109
3631
except AvahiError as error:
3118
3640
# Must run before the D-Bus bus name gets deregistered
3119
3641
cleanup()
3120
3642
3643
3644
def should_only_run_tests():
3645
parser = argparse.ArgumentParser(add_help=False)
3646
parser.add_argument("--check", action='store_true')
3647
args, unknown_args = parser.parse_known_args()
3648
run_tests = args.check
3649
if run_tests:
3650
# Remove --check argument from sys.argv
3651
sys.argv[1:] = unknown_args
3652
return run_tests
3653
3654
# Add all tests from doctest strings
3655
def load_tests(loader, tests, none):
3656
import doctest
3657
tests.addTests(doctest.DocTestSuite())
3658
return tests
3121
3659
3122
3660
if __name__ == '__main__':
3123
main()
3661
try:
3662
if should_only_run_tests():
3663
# Call using ./mandos --check [--verbose]
3664
unittest.main()
3665
else:
3666
main()
3667
finally:
3668
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0