To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1221
- compare with another revision
- download diff
- download tarball
- view history from revision 1221
- Committer: teddy at recompile
- Date: 2020-11-29 21:54:00 UTC
- Revision ID: teddy@recompile.se-20201129215400-1zkzmiadisa8whx2
Change URL of systemd "Password Agents" specification
The URL of the systemd "Password Agents" specification changed from
<https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents> to
<https://systemd.io/PASSWORD_AGENTS/>.
* dracut-module/password-agent.c: Change URL in code comments.
* dracut-module/password-agent.xml: Change URL.
* intro.xml (SYSTEMD): - '' -
The URL of the systemd "Password Agents" specification changed from
<https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents> to
<https://systemd.io/PASSWORD_AGENTS/>.
* dracut-module/password-agent.c: Change URL in code comments.
* dracut-module/password-agent.xml: Change URL.
* intro.xml (SYSTEMD): - '' -
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
81
import random
82
import shlex
82
83
83
84
import dbus
84
85
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
86
import gi
87
from gi.repository import GLib
90
88
from dbus.mainloop.glib import DBusGMainLoop
91
89
import ctypes
92
90
import ctypes.util
93
91
import xml.dom.minidom
94
92
import inspect
95
93
96
try:
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
97
122
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
123
except AttributeError:
99
124
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
100
127
from IN import SO_BINDTODEVICE
101
128
except ImportError:
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.12"
108
147
stored_state_file = "clients.pickle"
109
148
110
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
111
151
syslogger = None
112
152
113
153
try:
114
154
if_nametoindex = ctypes.cdll.LoadLibrary(
115
155
ctypes.util.find_library("c")).if_nametoindex
116
156
except (OSError, AttributeError):
117
157
118
158
def if_nametoindex(interface):
119
159
"Get an interface index the hard way, i.e. using fcntl()"
120
160
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
165
return interface_index
126
166
127
167
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
128
184
def initlogger(debug, level=logging.WARNING):
129
185
"""init logger and add loglevel"""
130
186
131
187
global syslogger
132
188
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
135
191
syslogger.setFormatter(logging.Formatter
136
192
('Mandos [%(process)d]: %(levelname)s:'
137
193
' %(message)s'))
138
194
logger.addHandler(syslogger)
139
195
140
196
if debug:
141
197
console = logging.StreamHandler()
142
198
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
208
pass
153
209
154
210
155
class PGPEngine(object):
211
class PGPEngine:
156
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
213
158
214
def __init__(self):
159
215
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
160
227
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
228
'--homedir', self.tempdir,
162
229
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
166
235
def __enter__(self):
167
236
return self
168
237
169
238
def __exit__(self, exc_type, exc_value, traceback):
170
239
self._cleanup()
171
240
return False
172
241
173
242
def __del__(self):
174
243
self._cleanup()
175
244
176
245
def _cleanup(self):
177
246
if self.tempdir is not None:
178
247
# Delete contents of tempdir
179
248
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
249
topdown=False):
181
250
for filename in files:
182
251
os.remove(os.path.join(root, filename))
183
252
for dirname in dirs:
185
254
# Remove tempdir
186
255
os.rmdir(self.tempdir)
187
256
self.tempdir = None
188
257
189
258
def password_encode(self, password):
190
259
# Passphrase can not be empty and can not contain newlines or
191
260
# NUL bytes. So we prefix it and hex encode it.
196
265
.replace(b"\n", b"\\n")
197
266
.replace(b"\0", b"\\x00"))
198
267
return encoded
199
268
200
269
def encrypt(self, data, password):
201
270
passphrase = self.password_encode(password)
202
271
with tempfile.NamedTemporaryFile(
203
272
dir=self.tempdir) as passfile:
204
273
passfile.write(passphrase)
205
274
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
275
proc = subprocess.Popen([self.gpg, '--symmetric',
207
276
'--passphrase-file',
208
277
passfile.name]
209
278
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
214
283
if proc.returncode != 0:
215
284
raise PGPError(err)
216
285
return ciphertext
217
286
218
287
def decrypt(self, data, password):
219
288
passphrase = self.password_encode(password)
220
289
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
290
dir=self.tempdir) as passfile:
222
291
passfile.write(passphrase)
223
292
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
293
proc = subprocess.Popen([self.gpg, '--decrypt',
225
294
'--passphrase-file',
226
295
passfile.name]
227
296
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
232
301
if proc.returncode != 0:
233
302
raise PGPError(err)
234
303
return decrypted_plaintext
235
304
236
305
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
237
332
class AvahiError(Exception):
238
333
def __init__(self, value, *args, **kwargs):
239
334
self.value = value
249
344
pass
250
345
251
346
252
class AvahiService(object):
347
class AvahiService:
253
348
"""An Avahi (Zeroconf) service.
254
349
255
350
Attributes:
256
351
interface: integer; avahi.IF_UNSPEC or an interface index.
257
352
Used to optionally bind to the specified interface.
269
364
server: D-Bus Server
270
365
bus: dbus.SystemBus()
271
366
"""
272
367
273
368
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
284
379
self.interface = interface
285
380
self.name = name
286
381
self.type = servicetype
295
390
self.server = None
296
391
self.bus = bus
297
392
self.entry_group_state_changed_match = None
298
393
299
394
def rename(self, remove=True):
300
395
"""Derived from the Avahi example code"""
301
396
if self.rename_count >= self.max_renames:
321
416
logger.critical("D-Bus Exception", exc_info=error)
322
417
self.cleanup()
323
418
os._exit(1)
324
419
325
420
def remove(self):
326
421
"""Derived from the Avahi example code"""
327
422
if self.entry_group_state_changed_match is not None:
329
424
self.entry_group_state_changed_match = None
330
425
if self.group is not None:
331
426
self.group.Reset()
332
427
333
428
def add(self):
334
429
"""Derived from the Avahi example code"""
335
430
self.remove()
352
447
dbus.UInt16(self.port),
353
448
avahi.string_array_to_txt_array(self.TXT))
354
449
self.group.Commit()
355
450
356
451
def entry_group_state_changed(self, state, error):
357
452
"""Derived from the Avahi example code"""
358
453
logger.debug("Avahi entry group state change: %i", state)
359
454
360
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
456
logger.debug("Zeroconf service established.")
362
457
elif state == avahi.ENTRY_GROUP_COLLISION:
366
461
logger.critical("Avahi: Error in group state changed %s",
367
462
str(error))
368
463
raise AvahiGroupError("State changed: {!s}".format(error))
369
464
370
465
def cleanup(self):
371
466
"""Derived from the Avahi example code"""
372
467
if self.group is not None:
377
472
pass
378
473
self.group = None
379
474
self.remove()
380
475
381
476
def server_state_changed(self, state, error=None):
382
477
"""Derived from the Avahi example code"""
383
478
logger.debug("Avahi server state change: %i", state)
395
490
logger.error(bad_states[state] + ": %r", error)
396
491
self.cleanup()
397
492
elif state == avahi.SERVER_RUNNING:
398
self.add()
493
try:
494
self.add()
495
except dbus.exceptions.DBusException as error:
496
if (error.get_dbus_name()
497
== "org.freedesktop.Avahi.CollisionError"):
498
logger.info("Local Zeroconf service name"
499
" collision.")
500
return self.rename(remove=False)
501
else:
502
logger.critical("D-Bus Exception", exc_info=error)
503
self.cleanup()
504
os._exit(1)
399
505
else:
400
506
if error is None:
401
507
logger.debug("Unknown state: %r", state)
402
508
else:
403
509
logger.debug("Unknown state: %r: %r", state, error)
404
510
405
511
def activate(self):
406
512
"""Derived from the Avahi example code"""
407
513
if self.server is None:
418
524
class AvahiServiceToSyslog(AvahiService):
419
525
def rename(self, *args, **kwargs):
420
526
"""Add the new name to the syslog messages"""
421
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
422
529
syslogger.setFormatter(logging.Formatter(
423
530
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
424
531
.format(self.name)))
425
532
return ret
426
533
534
535
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
538
539
library = ctypes.util.find_library("gnutls")
540
if library is None:
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
543
del library
544
545
# Unless otherwise indicated, the constants and types below are
546
# all from the gnutls/gnutls.h C header file.
547
548
# Constants
549
E_SUCCESS = 0
550
E_INTERRUPTED = -52
551
E_AGAIN = -28
552
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
CLIENT = 2
555
SHUT_RDWR = 0
556
CRD_CERTIFICATE = 1
557
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
565
# Types
566
class session_int(ctypes.Structure):
567
_fields_ = []
568
session_t = ctypes.POINTER(session_int)
569
570
class certificate_credentials_st(ctypes.Structure):
571
_fields_ = []
572
certificate_credentials_t = ctypes.POINTER(
573
certificate_credentials_st)
574
certificate_type_t = ctypes.c_int
575
576
class datum_t(ctypes.Structure):
577
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
578
('size', ctypes.c_uint)]
579
580
class openpgp_crt_int(ctypes.Structure):
581
_fields_ = []
582
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
586
transport_ptr_t = ctypes.c_void_p
587
close_request_t = ctypes.c_int
588
589
# Exceptions
590
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
592
# Default usage is by a message string, but if a return
593
# code is passed, convert it to a string with
594
# gnutls.strerror()
595
self.code = code
596
if message is None and code is not None:
597
message = gnutls.strerror(code)
598
return super(gnutls.Error, self).__init__(
599
message, *args)
600
601
class CertificateSecurityError(Error):
602
pass
603
604
# Classes
605
class Credentials:
606
def __init__(self):
607
self._c_object = gnutls.certificate_credentials_t()
608
gnutls.certificate_allocate_credentials(
609
ctypes.byref(self._c_object))
610
self.type = gnutls.CRD_CERTIFICATE
611
612
def __del__(self):
613
gnutls.certificate_free_credentials(self._c_object)
614
615
class ClientSession:
616
def __init__(self, socket, credentials=None):
617
self._c_object = gnutls.session_t()
618
gnutls_flags = gnutls.CLIENT
619
if gnutls.check_version(b"3.5.6"):
620
gnutls_flags |= gnutls.NO_TICKETS
621
if gnutls.has_rawpk:
622
gnutls_flags |= gnutls.ENABLE_RAWPK
623
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
624
del gnutls_flags
625
gnutls.set_default_priority(self._c_object)
626
gnutls.transport_set_ptr(self._c_object, socket.fileno())
627
gnutls.handshake_set_private_extensions(self._c_object,
628
True)
629
self.socket = socket
630
if credentials is None:
631
credentials = gnutls.Credentials()
632
gnutls.credentials_set(self._c_object, credentials.type,
633
ctypes.cast(credentials._c_object,
634
ctypes.c_void_p))
635
self.credentials = credentials
636
637
def __del__(self):
638
gnutls.deinit(self._c_object)
639
640
def handshake(self):
641
return gnutls.handshake(self._c_object)
642
643
def send(self, data):
644
data = bytes(data)
645
data_len = len(data)
646
while data_len > 0:
647
data_len -= gnutls.record_send(self._c_object,
648
data[-data_len:],
649
data_len)
650
651
def bye(self):
652
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
653
654
# Error handling functions
655
def _error_code(result):
656
"""A function to raise exceptions on errors, suitable
657
for the 'restype' attribute on ctypes functions"""
658
if result >= 0:
659
return result
660
if result == gnutls.E_NO_CERTIFICATE_FOUND:
661
raise gnutls.CertificateSecurityError(code=result)
662
raise gnutls.Error(code=result)
663
664
def _retry_on_error(result, func, arguments):
665
"""A function to retry on some errors, suitable
666
for the 'errcheck' attribute on ctypes functions"""
667
while result < 0:
668
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
669
return _error_code(result)
670
result = func(*arguments)
671
return result
672
673
# Unless otherwise indicated, the function declarations below are
674
# all from the gnutls/gnutls.h C header file.
675
676
# Functions
677
priority_set_direct = _library.gnutls_priority_set_direct
678
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
679
ctypes.POINTER(ctypes.c_char_p)]
680
priority_set_direct.restype = _error_code
681
682
init = _library.gnutls_init
683
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
684
init.restype = _error_code
685
686
set_default_priority = _library.gnutls_set_default_priority
687
set_default_priority.argtypes = [session_t]
688
set_default_priority.restype = _error_code
689
690
record_send = _library.gnutls_record_send
691
record_send.argtypes = [session_t, ctypes.c_void_p,
692
ctypes.c_size_t]
693
record_send.restype = ctypes.c_ssize_t
694
record_send.errcheck = _retry_on_error
695
696
certificate_allocate_credentials = (
697
_library.gnutls_certificate_allocate_credentials)
698
certificate_allocate_credentials.argtypes = [
699
ctypes.POINTER(certificate_credentials_t)]
700
certificate_allocate_credentials.restype = _error_code
701
702
certificate_free_credentials = (
703
_library.gnutls_certificate_free_credentials)
704
certificate_free_credentials.argtypes = [
705
certificate_credentials_t]
706
certificate_free_credentials.restype = None
707
708
handshake_set_private_extensions = (
709
_library.gnutls_handshake_set_private_extensions)
710
handshake_set_private_extensions.argtypes = [session_t,
711
ctypes.c_int]
712
handshake_set_private_extensions.restype = None
713
714
credentials_set = _library.gnutls_credentials_set
715
credentials_set.argtypes = [session_t, credentials_type_t,
716
ctypes.c_void_p]
717
credentials_set.restype = _error_code
718
719
strerror = _library.gnutls_strerror
720
strerror.argtypes = [ctypes.c_int]
721
strerror.restype = ctypes.c_char_p
722
723
certificate_type_get = _library.gnutls_certificate_type_get
724
certificate_type_get.argtypes = [session_t]
725
certificate_type_get.restype = _error_code
726
727
certificate_get_peers = _library.gnutls_certificate_get_peers
728
certificate_get_peers.argtypes = [session_t,
729
ctypes.POINTER(ctypes.c_uint)]
730
certificate_get_peers.restype = ctypes.POINTER(datum_t)
731
732
global_set_log_level = _library.gnutls_global_set_log_level
733
global_set_log_level.argtypes = [ctypes.c_int]
734
global_set_log_level.restype = None
735
736
global_set_log_function = _library.gnutls_global_set_log_function
737
global_set_log_function.argtypes = [log_func]
738
global_set_log_function.restype = None
739
740
deinit = _library.gnutls_deinit
741
deinit.argtypes = [session_t]
742
deinit.restype = None
743
744
handshake = _library.gnutls_handshake
745
handshake.argtypes = [session_t]
746
handshake.restype = _error_code
747
handshake.errcheck = _retry_on_error
748
749
transport_set_ptr = _library.gnutls_transport_set_ptr
750
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
751
transport_set_ptr.restype = None
752
753
bye = _library.gnutls_bye
754
bye.argtypes = [session_t, close_request_t]
755
bye.restype = _error_code
756
bye.errcheck = _retry_on_error
757
758
check_version = _library.gnutls_check_version
759
check_version.argtypes = [ctypes.c_char_p]
760
check_version.restype = ctypes.c_char_p
761
762
_need_version = b"3.3.0"
763
if check_version(_need_version) is None:
764
raise self.Error("Needs GnuTLS {} or later"
765
.format(_need_version))
766
767
_tls_rawpk_version = b"3.6.6"
768
has_rawpk = bool(check_version(_tls_rawpk_version))
769
770
if has_rawpk:
771
# Types
772
class pubkey_st(ctypes.Structure):
773
_fields = []
774
pubkey_t = ctypes.POINTER(pubkey_st)
775
776
x509_crt_fmt_t = ctypes.c_int
777
778
# All the function declarations below are from
779
# gnutls/abstract.h
780
pubkey_init = _library.gnutls_pubkey_init
781
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
782
pubkey_init.restype = _error_code
783
784
pubkey_import = _library.gnutls_pubkey_import
785
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
786
x509_crt_fmt_t]
787
pubkey_import.restype = _error_code
788
789
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
790
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
791
ctypes.POINTER(ctypes.c_ubyte),
792
ctypes.POINTER(ctypes.c_size_t)]
793
pubkey_get_key_id.restype = _error_code
794
795
pubkey_deinit = _library.gnutls_pubkey_deinit
796
pubkey_deinit.argtypes = [pubkey_t]
797
pubkey_deinit.restype = None
798
else:
799
# All the function declarations below are from
800
# gnutls/openpgp.h
801
802
openpgp_crt_init = _library.gnutls_openpgp_crt_init
803
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
804
openpgp_crt_init.restype = _error_code
805
806
openpgp_crt_import = _library.gnutls_openpgp_crt_import
807
openpgp_crt_import.argtypes = [openpgp_crt_t,
808
ctypes.POINTER(datum_t),
809
openpgp_crt_fmt_t]
810
openpgp_crt_import.restype = _error_code
811
812
openpgp_crt_verify_self = \
813
_library.gnutls_openpgp_crt_verify_self
814
openpgp_crt_verify_self.argtypes = [
815
openpgp_crt_t,
816
ctypes.c_uint,
817
ctypes.POINTER(ctypes.c_uint),
818
]
819
openpgp_crt_verify_self.restype = _error_code
820
821
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
822
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
823
openpgp_crt_deinit.restype = None
824
825
openpgp_crt_get_fingerprint = (
826
_library.gnutls_openpgp_crt_get_fingerprint)
827
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
828
ctypes.c_void_p,
829
ctypes.POINTER(
830
ctypes.c_size_t)]
831
openpgp_crt_get_fingerprint.restype = _error_code
832
833
if check_version(b"3.6.4"):
834
certificate_type_get2 = _library.gnutls_certificate_type_get2
835
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
836
certificate_type_get2.restype = _error_code
837
838
# Remove non-public functions
839
del _error_code, _retry_on_error
840
841
427
842
def call_pipe(connection, # : multiprocessing.Connection
428
843
func, *args, **kwargs):
429
844
"""This function is meant to be called by multiprocessing.Process
430
845
431
846
This function runs func(*args, **kwargs), and writes the resulting
432
847
return value on the provided multiprocessing.Connection.
433
848
"""
434
849
connection.send(func(*args, **kwargs))
435
850
connection.close()
436
851
437
class Client(object):
852
853
class Client:
438
854
"""A representation of a client host served by this server.
439
855
440
856
Attributes:
441
857
approved: bool(); 'None' if not yet approved/disapproved
442
858
approval_delay: datetime.timedelta(); Time to wait for approval
443
859
approval_duration: datetime.timedelta(); Duration of one approval
444
checker: subprocess.Popen(); a running checker process used
445
to see if the client lives.
446
'None' if no process is running.
447
checker_callback_tag: a gobject event source tag, or None
860
checker: multiprocessing.Process(); a running checker process used
861
to see if the client lives. 'None' if no process is
862
running.
863
checker_callback_tag: a GLib event source tag, or None
448
864
checker_command: string; External command which is run to check
449
865
if client lives. %() expansions are done at
450
866
runtime with vars(self) as dict, so that for
451
867
instance %(name)s can be used in the command.
452
checker_initiator_tag: a gobject event source tag, or None
868
checker_initiator_tag: a GLib event source tag, or None
453
869
created: datetime.datetime(); (UTC) object creation
454
870
client_structure: Object describing what attributes a client has
455
871
and is used for storing the client at exit
456
872
current_checker_command: string; current running checker_command
457
disable_initiator_tag: a gobject event source tag, or None
873
disable_initiator_tag: a GLib event source tag, or None
458
874
enabled: bool()
459
875
fingerprint: string (40 or 32 hexadecimal digits); used to
460
uniquely identify the client
876
uniquely identify an OpenPGP client
877
key_id: string (64 hexadecimal digits); used to uniquely identify
878
a client using raw public keys
461
879
host: string; available for use by the checker command
462
880
interval: datetime.timedelta(); How often to start a new checker
463
881
last_approval_request: datetime.datetime(); (UTC) or None
479
897
disabled, or None
480
898
server_settings: The server_settings dict from main()
481
899
"""
482
900
483
901
runtime_expansions = ("approval_delay", "approval_duration",
484
"created", "enabled", "expires",
902
"created", "enabled", "expires", "key_id",
485
903
"fingerprint", "host", "interval",
486
904
"last_approval_request", "last_checked_ok",
487
905
"last_enabled", "name", "timeout")
496
914
"approved_by_default": "True",
497
915
"enabled": "True",
498
916
}
499
917
500
918
@staticmethod
501
919
def config_parser(config):
502
920
"""Construct a new dict of client settings of this form:
509
927
for client_name in config.sections():
510
928
section = dict(config.items(client_name))
511
929
client = settings[client_name] = {}
512
930
513
931
client["host"] = section["host"]
514
932
# Reformat values from string types to Python types
515
933
client["approved_by_default"] = config.getboolean(
516
934
client_name, "approved_by_default")
517
935
client["enabled"] = config.getboolean(client_name,
518
936
"enabled")
519
520
# Uppercase and remove spaces from fingerprint for later
521
# comparison purposes with return value from the
522
# fingerprint() function
937
938
# Uppercase and remove spaces from key_id and fingerprint
939
# for later comparison purposes with return value from the
940
# key_id() and fingerprint() functions
941
client["key_id"] = (section.get("key_id", "").upper()
942
.replace(" ", ""))
523
943
client["fingerprint"] = (section["fingerprint"].upper()
524
944
.replace(" ", ""))
525
945
if "secret" in section:
526
client["secret"] = section["secret"].decode("base64")
946
client["secret"] = codecs.decode(section["secret"]
947
.encode("utf-8"),
948
"base64")
527
949
elif "secfile" in section:
528
950
with open(os.path.expanduser(os.path.expandvars
529
951
(section["secfile"])),
544
966
client["last_approval_request"] = None
545
967
client["last_checked_ok"] = None
546
968
client["last_checker_status"] = -2
547
969
548
970
return settings
549
550
def __init__(self, settings, name = None, server_settings=None):
971
972
def __init__(self, settings, name=None, server_settings=None):
551
973
self.name = name
552
974
if server_settings is None:
553
975
server_settings = {}
555
977
# adding all client settings
556
978
for setting, value in settings.items():
557
979
setattr(self, setting, value)
558
980
559
981
if self.enabled:
560
982
if not hasattr(self, "last_enabled"):
561
983
self.last_enabled = datetime.datetime.utcnow()
565
987
else:
566
988
self.last_enabled = None
567
989
self.expires = None
568
990
569
991
logger.debug("Creating client %r", self.name)
992
logger.debug(" Key ID: %s", self.key_id)
570
993
logger.debug(" Fingerprint: %s", self.fingerprint)
571
994
self.created = settings.get("created",
572
995
datetime.datetime.utcnow())
573
996
574
997
# attributes specific for this server instance
575
998
self.checker = None
576
999
self.checker_initiator_tag = None
582
1005
self.changedstate = multiprocessing_manager.Condition(
583
1006
multiprocessing_manager.Lock())
584
1007
self.client_structure = [attr
585
for attr in self.__dict__.iterkeys()
1008
for attr in self.__dict__.keys()
586
1009
if not attr.startswith("_")]
587
1010
self.client_structure.append("client_structure")
588
1011
589
1012
for name, t in inspect.getmembers(
590
1013
type(self), lambda obj: isinstance(obj, property)):
591
1014
if not name.startswith("_"):
592
1015
self.client_structure.append(name)
593
1016
594
1017
# Send notice to process children that client state has changed
595
1018
def send_changedstate(self):
596
1019
with self.changedstate:
597
1020
self.changedstate.notify_all()
598
1021
599
1022
def enable(self):
600
1023
"""Start this client's checker and timeout hooks"""
601
1024
if getattr(self, "enabled", False):
606
1029
self.last_enabled = datetime.datetime.utcnow()
607
1030
self.init_checker()
608
1031
self.send_changedstate()
609
1032
610
1033
def disable(self, quiet=True):
611
1034
"""Disable this client."""
612
1035
if not getattr(self, "enabled", False):
614
1037
if not quiet:
615
1038
logger.info("Disabling client %s", self.name)
616
1039
if getattr(self, "disable_initiator_tag", None) is not None:
617
gobject.source_remove(self.disable_initiator_tag)
1040
GLib.source_remove(self.disable_initiator_tag)
618
1041
self.disable_initiator_tag = None
619
1042
self.expires = None
620
1043
if getattr(self, "checker_initiator_tag", None) is not None:
621
gobject.source_remove(self.checker_initiator_tag)
1044
GLib.source_remove(self.checker_initiator_tag)
622
1045
self.checker_initiator_tag = None
623
1046
self.stop_checker()
624
1047
self.enabled = False
625
1048
if not quiet:
626
1049
self.send_changedstate()
627
# Do not run this again if called by a gobject.timeout_add
1050
# Do not run this again if called by a GLib.timeout_add
628
1051
return False
629
1052
630
1053
def __del__(self):
631
1054
self.disable()
632
1055
633
1056
def init_checker(self):
634
1057
# Schedule a new checker to be started an 'interval' from now,
635
1058
# and every interval from then on.
636
1059
if self.checker_initiator_tag is not None:
637
gobject.source_remove(self.checker_initiator_tag)
638
self.checker_initiator_tag = gobject.timeout_add(
639
int(self.interval.total_seconds() * 1000),
1060
GLib.source_remove(self.checker_initiator_tag)
1061
self.checker_initiator_tag = GLib.timeout_add(
1062
random.randrange(int(self.interval.total_seconds() * 1000
1063
+ 1)),
640
1064
self.start_checker)
641
1065
# Schedule a disable() when 'timeout' has passed
642
1066
if self.disable_initiator_tag is not None:
643
gobject.source_remove(self.disable_initiator_tag)
644
self.disable_initiator_tag = gobject.timeout_add(
1067
GLib.source_remove(self.disable_initiator_tag)
1068
self.disable_initiator_tag = GLib.timeout_add(
645
1069
int(self.timeout.total_seconds() * 1000), self.disable)
646
1070
# Also start a new checker *right now*.
647
1071
self.start_checker()
648
1072
649
1073
def checker_callback(self, source, condition, connection,
650
1074
command):
651
1075
"""The checker has completed, so take appropriate actions."""
652
self.checker_callback_tag = None
653
self.checker = None
654
1076
# Read return code from connection (see call_pipe)
655
1077
returncode = connection.recv()
656
1078
connection.close()
657
1079
if self.checker is not None:
1080
self.checker.join()
1081
self.checker_callback_tag = None
1082
self.checker = None
1083
658
1084
if returncode >= 0:
659
1085
self.last_checker_status = returncode
660
1086
self.last_checker_signal = None
670
1096
logger.warning("Checker for %(name)s crashed?",
671
1097
vars(self))
672
1098
return False
673
1099
674
1100
def checked_ok(self):
675
1101
"""Assert that the client has been seen, alive and well."""
676
1102
self.last_checked_ok = datetime.datetime.utcnow()
677
1103
self.last_checker_status = 0
678
1104
self.last_checker_signal = None
679
1105
self.bump_timeout()
680
1106
681
1107
def bump_timeout(self, timeout=None):
682
1108
"""Bump up the timeout for this client."""
683
1109
if timeout is None:
684
1110
timeout = self.timeout
685
1111
if self.disable_initiator_tag is not None:
686
gobject.source_remove(self.disable_initiator_tag)
1112
GLib.source_remove(self.disable_initiator_tag)
687
1113
self.disable_initiator_tag = None
688
1114
if getattr(self, "enabled", False):
689
self.disable_initiator_tag = gobject.timeout_add(
1115
self.disable_initiator_tag = GLib.timeout_add(
690
1116
int(timeout.total_seconds() * 1000), self.disable)
691
1117
self.expires = datetime.datetime.utcnow() + timeout
692
1118
693
1119
def need_approval(self):
694
1120
self.last_approval_request = datetime.datetime.utcnow()
695
1121
696
1122
def start_checker(self):
697
1123
"""Start a new checker subprocess if one is not running.
698
1124
699
1125
If a checker already exists, leave it running and do
700
1126
nothing."""
701
1127
# The reason for not killing a running checker is that if we
706
1132
# checkers alone, the checker would have to take more time
707
1133
# than 'timeout' for the client to be disabled, which is as it
708
1134
# should be.
709
1135
710
1136
if self.checker is not None and not self.checker.is_alive():
711
1137
logger.warning("Checker was not alive; joining")
712
1138
self.checker.join()
715
1141
if self.checker is None:
716
1142
# Escape attributes for the shell
717
1143
escaped_attrs = {
718
attr: re.escape(str(getattr(self, attr)))
719
for attr in self.runtime_expansions }
1144
attr: shlex.quote(str(getattr(self, attr)))
1145
for attr in self.runtime_expansions}
720
1146
try:
721
1147
command = self.checker_command % escaped_attrs
722
1148
except TypeError as error:
734
1160
# The exception is when not debugging but nevertheless
735
1161
# running in the foreground; use the previously
736
1162
# created wnull.
737
popen_args = { "close_fds": True,
738
"shell": True,
739
"cwd": "/" }
1163
popen_args = {"close_fds": True,
1164
"shell": True,
1165
"cwd": "/"}
740
1166
if (not self.server_settings["debug"]
741
1167
and self.server_settings["foreground"]):
742
1168
popen_args.update({"stdout": wnull,
743
"stderr": wnull })
744
pipe = multiprocessing.Pipe(duplex = False)
1169
"stderr": wnull})
1170
pipe = multiprocessing.Pipe(duplex=False)
745
1171
self.checker = multiprocessing.Process(
746
target = call_pipe,
747
args = (pipe[1], subprocess.call, command),
748
kwargs = popen_args)
1172
target=call_pipe,
1173
args=(pipe[1], subprocess.call, command),
1174
kwargs=popen_args)
749
1175
self.checker.start()
750
self.checker_callback_tag = gobject.io_add_watch(
751
pipe[0].fileno(), gobject.IO_IN,
1176
self.checker_callback_tag = GLib.io_add_watch(
1177
GLib.IOChannel.unix_new(pipe[0].fileno()),
1178
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
752
1179
self.checker_callback, pipe[0], command)
753
# Re-run this periodically if run by gobject.timeout_add
1180
# Re-run this periodically if run by GLib.timeout_add
754
1181
return True
755
1182
756
1183
def stop_checker(self):
757
1184
"""Force the checker process, if any, to stop."""
758
1185
if self.checker_callback_tag:
759
gobject.source_remove(self.checker_callback_tag)
1186
GLib.source_remove(self.checker_callback_tag)
760
1187
self.checker_callback_tag = None
761
1188
if getattr(self, "checker", None) is None:
762
1189
return
771
1198
byte_arrays=False):
772
1199
"""Decorators for marking methods of a DBusObjectWithProperties to
773
1200
become properties on the D-Bus.
774
1201
775
1202
The decorated method will be called with no arguments by "Get"
776
1203
and with one argument by "Set".
777
1204
778
1205
The parameters, where they are supported, are the same as
779
1206
dbus.service.method, except there is only "signature", since the
780
1207
type from Get() and the type sent to Set() is the same.
784
1211
if byte_arrays and signature != "ay":
785
1212
raise ValueError("Byte arrays not supported for non-'ay'"
786
1213
" signature {!r}".format(signature))
787
1214
788
1215
def decorator(func):
789
1216
func._dbus_is_property = True
790
1217
func._dbus_interface = dbus_interface
793
1220
func._dbus_name = func.__name__
794
1221
if func._dbus_name.endswith("_dbus_property"):
795
1222
func._dbus_name = func._dbus_name[:-14]
796
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1223
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
797
1224
return func
798
1225
799
1226
return decorator
800
1227
801
1228
802
1229
def dbus_interface_annotations(dbus_interface):
803
1230
"""Decorator for marking functions returning interface annotations
804
1231
805
1232
Usage:
806
1233
807
1234
@dbus_interface_annotations("org.example.Interface")
808
1235
def _foo(self): # Function name does not matter
809
1236
return {"org.freedesktop.DBus.Deprecated": "true",
810
1237
"org.freedesktop.DBus.Property.EmitsChangedSignal":
811
1238
"false"}
812
1239
"""
813
1240
814
1241
def decorator(func):
815
1242
func._dbus_is_interface = True
816
1243
func._dbus_interface = dbus_interface
817
1244
func._dbus_name = dbus_interface
818
1245
return func
819
1246
820
1247
return decorator
821
1248
822
1249
823
1250
def dbus_annotations(annotations):
824
1251
"""Decorator to annotate D-Bus methods, signals or properties
825
1252
Usage:
826
1253
827
1254
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
828
1255
"org.freedesktop.DBus.Property."
829
1256
"EmitsChangedSignal": "false"})
831
1258
access="r")
832
1259
def Property_dbus_property(self):
833
1260
return dbus.Boolean(False)
1261
1262
See also the DBusObjectWithAnnotations class.
834
1263
"""
835
1264
836
1265
def decorator(func):
837
1266
func._dbus_annotations = annotations
838
1267
return func
839
1268
840
1269
return decorator
841
1270
842
1271
858
1287
pass
859
1288
860
1289
861
class DBusObjectWithProperties(dbus.service.Object):
862
"""A D-Bus object with properties.
863
864
Classes inheriting from this can use the dbus_service_property
865
decorator to expose methods as D-Bus properties. It exposes the
866
standard Get(), Set(), and GetAll() methods on the D-Bus.
1290
class DBusObjectWithAnnotations(dbus.service.Object):
1291
"""A D-Bus object with annotations.
1292
1293
Classes inheriting from this can use the dbus_annotations
1294
decorator to add annotations to methods or signals.
867
1295
"""
868
1296
869
1297
@staticmethod
870
1298
def _is_dbus_thing(thing):
871
1299
"""Returns a function testing if an attribute is a D-Bus thing
872
1300
873
1301
If called like _is_dbus_thing("method") it returns a function
874
1302
suitable for use as predicate to inspect.getmembers().
875
1303
"""
876
1304
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
877
1305
False)
878
1306
879
1307
def _get_all_dbus_things(self, thing):
880
1308
"""Returns a generator of (name, attribute) pairs
881
1309
"""
884
1312
for cls in self.__class__.__mro__
885
1313
for name, athing in
886
1314
inspect.getmembers(cls, self._is_dbus_thing(thing)))
887
1315
1316
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1317
out_signature="s",
1318
path_keyword='object_path',
1319
connection_keyword='connection')
1320
def Introspect(self, object_path, connection):
1321
"""Overloading of standard D-Bus method.
1322
1323
Inserts annotation tags on methods and signals.
1324
"""
1325
xmlstring = dbus.service.Object.Introspect(self, object_path,
1326
connection)
1327
try:
1328
document = xml.dom.minidom.parseString(xmlstring)
1329
1330
for if_tag in document.getElementsByTagName("interface"):
1331
# Add annotation tags
1332
for typ in ("method", "signal"):
1333
for tag in if_tag.getElementsByTagName(typ):
1334
annots = dict()
1335
for name, prop in (self.
1336
_get_all_dbus_things(typ)):
1337
if (name == tag.getAttribute("name")
1338
and prop._dbus_interface
1339
== if_tag.getAttribute("name")):
1340
annots.update(getattr(
1341
prop, "_dbus_annotations", {}))
1342
for name, value in annots.items():
1343
ann_tag = document.createElement(
1344
"annotation")
1345
ann_tag.setAttribute("name", name)
1346
ann_tag.setAttribute("value", value)
1347
tag.appendChild(ann_tag)
1348
# Add interface annotation tags
1349
for annotation, value in dict(
1350
itertools.chain.from_iterable(
1351
annotations().items()
1352
for name, annotations
1353
in self._get_all_dbus_things("interface")
1354
if name == if_tag.getAttribute("name")
1355
)).items():
1356
ann_tag = document.createElement("annotation")
1357
ann_tag.setAttribute("name", annotation)
1358
ann_tag.setAttribute("value", value)
1359
if_tag.appendChild(ann_tag)
1360
# Fix argument name for the Introspect method itself
1361
if (if_tag.getAttribute("name")
1362
== dbus.INTROSPECTABLE_IFACE):
1363
for cn in if_tag.getElementsByTagName("method"):
1364
if cn.getAttribute("name") == "Introspect":
1365
for arg in cn.getElementsByTagName("arg"):
1366
if (arg.getAttribute("direction")
1367
== "out"):
1368
arg.setAttribute("name",
1369
"xml_data")
1370
xmlstring = document.toxml("utf-8")
1371
document.unlink()
1372
except (AttributeError, xml.dom.DOMException,
1373
xml.parsers.expat.ExpatError) as error:
1374
logger.error("Failed to override Introspection method",
1375
exc_info=error)
1376
return xmlstring
1377
1378
1379
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1380
"""A D-Bus object with properties.
1381
1382
Classes inheriting from this can use the dbus_service_property
1383
decorator to expose methods as D-Bus properties. It exposes the
1384
standard Get(), Set(), and GetAll() methods on the D-Bus.
1385
"""
1386
888
1387
def _get_dbus_property(self, interface_name, property_name):
889
1388
"""Returns a bound method if one exists which is a D-Bus
890
1389
property with the specified name and interface.
895
1394
if (value._dbus_name == property_name
896
1395
and value._dbus_interface == interface_name):
897
1396
return value.__get__(self)
898
1397
899
1398
# No such property
900
1399
raise DBusPropertyNotFound("{}:{}.{}".format(
901
1400
self.dbus_object_path, interface_name, property_name))
902
1401
1402
@classmethod
1403
def _get_all_interface_names(cls):
1404
"""Get a sequence of all interfaces supported by an object"""
1405
return (name for name in set(getattr(getattr(x, attr),
1406
"_dbus_interface", None)
1407
for x in (inspect.getmro(cls))
1408
for attr in dir(x))
1409
if name is not None)
1410
903
1411
@dbus.service.method(dbus.PROPERTIES_IFACE,
904
1412
in_signature="ss",
905
1413
out_signature="v")
913
1421
if not hasattr(value, "variant_level"):
914
1422
return value
915
1423
return type(value)(value, variant_level=value.variant_level+1)
916
1424
917
1425
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
918
1426
def Set(self, interface_name, property_name, value):
919
1427
"""Standard D-Bus property Set() method, see D-Bus standard.
928
1436
raise ValueError("Byte arrays not supported for non-"
929
1437
"'ay' signature {!r}"
930
1438
.format(prop._dbus_signature))
931
value = dbus.ByteArray(b''.join(chr(byte)
932
for byte in value))
1439
value = dbus.ByteArray(bytes(value))
933
1440
prop(value)
934
1441
935
1442
@dbus.service.method(dbus.PROPERTIES_IFACE,
936
1443
in_signature="s",
937
1444
out_signature="a{sv}")
938
1445
def GetAll(self, interface_name):
939
1446
"""Standard D-Bus property GetAll() method, see D-Bus
940
1447
standard.
941
1448
942
1449
Note: Will not include properties with access="write".
943
1450
"""
944
1451
properties = {}
955
1462
properties[name] = value
956
1463
continue
957
1464
properties[name] = type(value)(
958
value, variant_level = value.variant_level + 1)
1465
value, variant_level=value.variant_level + 1)
959
1466
return dbus.Dictionary(properties, signature="sv")
960
1467
961
1468
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
962
1469
def PropertiesChanged(self, interface_name, changed_properties,
963
1470
invalidated_properties):
965
1472
standard.
966
1473
"""
967
1474
pass
968
1475
969
1476
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
970
1477
out_signature="s",
971
1478
path_keyword='object_path',
972
1479
connection_keyword='connection')
973
1480
def Introspect(self, object_path, connection):
974
1481
"""Overloading of standard D-Bus method.
975
1482
976
1483
Inserts property tags and interface annotation tags.
977
1484
"""
978
xmlstring = dbus.service.Object.Introspect(self, object_path,
979
connection)
1485
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1486
object_path,
1487
connection)
980
1488
try:
981
1489
document = xml.dom.minidom.parseString(xmlstring)
982
1490
983
1491
def make_tag(document, name, prop):
984
1492
e = document.createElement("property")
985
1493
e.setAttribute("name", name)
986
1494
e.setAttribute("type", prop._dbus_signature)
987
1495
e.setAttribute("access", prop._dbus_access)
988
1496
return e
989
1497
990
1498
for if_tag in document.getElementsByTagName("interface"):
991
1499
# Add property tags
992
1500
for tag in (make_tag(document, name, prop)
995
1503
if prop._dbus_interface
996
1504
== if_tag.getAttribute("name")):
997
1505
if_tag.appendChild(tag)
998
# Add annotation tags
999
for typ in ("method", "signal", "property"):
1000
for tag in if_tag.getElementsByTagName(typ):
1001
annots = dict()
1002
for name, prop in (self.
1003
_get_all_dbus_things(typ)):
1004
if (name == tag.getAttribute("name")
1005
and prop._dbus_interface
1006
== if_tag.getAttribute("name")):
1007
annots.update(getattr(
1008
prop, "_dbus_annotations", {}))
1009
for name, value in annots.items():
1010
ann_tag = document.createElement(
1011
"annotation")
1012
ann_tag.setAttribute("name", name)
1013
ann_tag.setAttribute("value", value)
1014
tag.appendChild(ann_tag)
1015
# Add interface annotation tags
1016
for annotation, value in dict(
1017
itertools.chain.from_iterable(
1018
annotations().items()
1019
for name, annotations
1020
in self._get_all_dbus_things("interface")
1021
if name == if_tag.getAttribute("name")
1022
)).items():
1023
ann_tag = document.createElement("annotation")
1024
ann_tag.setAttribute("name", annotation)
1025
ann_tag.setAttribute("value", value)
1026
if_tag.appendChild(ann_tag)
1506
# Add annotation tags for properties
1507
for tag in if_tag.getElementsByTagName("property"):
1508
annots = dict()
1509
for name, prop in self._get_all_dbus_things(
1510
"property"):
1511
if (name == tag.getAttribute("name")
1512
and prop._dbus_interface
1513
== if_tag.getAttribute("name")):
1514
annots.update(getattr(
1515
prop, "_dbus_annotations", {}))
1516
for name, value in annots.items():
1517
ann_tag = document.createElement(
1518
"annotation")
1519
ann_tag.setAttribute("name", name)
1520
ann_tag.setAttribute("value", value)
1521
tag.appendChild(ann_tag)
1027
1522
# Add the names to the return values for the
1028
1523
# "org.freedesktop.DBus.Properties" methods
1029
1524
if (if_tag.getAttribute("name")
1048
1543
return xmlstring
1049
1544
1050
1545
1546
try:
1547
dbus.OBJECT_MANAGER_IFACE
1548
except AttributeError:
1549
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1550
1551
1552
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1553
"""A D-Bus object with an ObjectManager.
1554
1555
Classes inheriting from this exposes the standard
1556
GetManagedObjects call and the InterfacesAdded and
1557
InterfacesRemoved signals on the standard
1558
"org.freedesktop.DBus.ObjectManager" interface.
1559
1560
Note: No signals are sent automatically; they must be sent
1561
manually.
1562
"""
1563
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1564
out_signature="a{oa{sa{sv}}}")
1565
def GetManagedObjects(self):
1566
"""This function must be overridden"""
1567
raise NotImplementedError()
1568
1569
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1570
signature="oa{sa{sv}}")
1571
def InterfacesAdded(self, object_path, interfaces_and_properties):
1572
pass
1573
1574
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1575
def InterfacesRemoved(self, object_path, interfaces):
1576
pass
1577
1578
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1579
out_signature="s",
1580
path_keyword='object_path',
1581
connection_keyword='connection')
1582
def Introspect(self, object_path, connection):
1583
"""Overloading of standard D-Bus method.
1584
1585
Override return argument name of GetManagedObjects to be
1586
"objpath_interfaces_and_properties"
1587
"""
1588
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1589
object_path,
1590
connection)
1591
try:
1592
document = xml.dom.minidom.parseString(xmlstring)
1593
1594
for if_tag in document.getElementsByTagName("interface"):
1595
# Fix argument name for the GetManagedObjects method
1596
if (if_tag.getAttribute("name")
1597
== dbus.OBJECT_MANAGER_IFACE):
1598
for cn in if_tag.getElementsByTagName("method"):
1599
if (cn.getAttribute("name")
1600
== "GetManagedObjects"):
1601
for arg in cn.getElementsByTagName("arg"):
1602
if (arg.getAttribute("direction")
1603
== "out"):
1604
arg.setAttribute(
1605
"name",
1606
"objpath_interfaces"
1607
"_and_properties")
1608
xmlstring = document.toxml("utf-8")
1609
document.unlink()
1610
except (AttributeError, xml.dom.DOMException,
1611
xml.parsers.expat.ExpatError) as error:
1612
logger.error("Failed to override Introspection method",
1613
exc_info=error)
1614
return xmlstring
1615
1616
1051
1617
def datetime_to_dbus(dt, variant_level=0):
1052
1618
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1053
1619
if dt is None:
1054
return dbus.String("", variant_level = variant_level)
1620
return dbus.String("", variant_level=variant_level)
1055
1621
return dbus.String(dt.isoformat(), variant_level=variant_level)
1056
1622
1057
1623
1060
1626
dbus.service.Object, it will add alternate D-Bus attributes with
1061
1627
interface names according to the "alt_interface_names" mapping.
1062
1628
Usage:
1063
1629
1064
1630
@alternate_dbus_interfaces({"org.example.Interface":
1065
1631
"net.example.AlternateInterface"})
1066
1632
class SampleDBusObject(dbus.service.Object):
1067
1633
@dbus.service.method("org.example.Interface")
1068
1634
def SampleDBusMethod():
1069
1635
pass
1070
1636
1071
1637
The above "SampleDBusMethod" on "SampleDBusObject" will be
1072
1638
reachable via two interfaces: "org.example.Interface" and
1073
1639
"net.example.AlternateInterface", the latter of which will have
1074
1640
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1075
1641
"true", unless "deprecate" is passed with a False value.
1076
1642
1077
1643
This works for methods and signals, and also for D-Bus properties
1078
1644
(from DBusObjectWithProperties) and interfaces (from the
1079
1645
dbus_interface_annotations decorator).
1080
1646
"""
1081
1647
1082
1648
def wrapper(cls):
1083
1649
for orig_interface_name, alt_interface_name in (
1084
1650
alt_interface_names.items()):
1099
1665
interface_names.add(alt_interface)
1100
1666
# Is this a D-Bus signal?
1101
1667
if getattr(attribute, "_dbus_is_signal", False):
1668
# Extract the original non-method undecorated
1669
# function by black magic
1102
1670
if sys.version_info.major == 2:
1103
# Extract the original non-method undecorated
1104
# function by black magic
1105
1671
nonmethod_func = (dict(
1106
1672
zip(attribute.func_code.co_freevars,
1107
1673
attribute.__closure__))
1108
1674
["func"].cell_contents)
1109
1675
else:
1110
nonmethod_func = attribute
1676
nonmethod_func = (dict(
1677
zip(attribute.__code__.co_freevars,
1678
attribute.__closure__))
1679
["func"].cell_contents)
1111
1680
# Create a new, but exactly alike, function
1112
1681
# object, and decorate it to be a new D-Bus signal
1113
1682
# with the alternate D-Bus interface name
1114
if sys.version_info.major == 2:
1115
new_function = types.FunctionType(
1116
nonmethod_func.func_code,
1117
nonmethod_func.func_globals,
1118
nonmethod_func.func_name,
1119
nonmethod_func.func_defaults,
1120
nonmethod_func.func_closure)
1121
else:
1122
new_function = types.FunctionType(
1123
nonmethod_func.__code__,
1124
nonmethod_func.__globals__,
1125
nonmethod_func.__name__,
1126
nonmethod_func.__defaults__,
1127
nonmethod_func.__closure__)
1683
new_function = copy_function(nonmethod_func)
1128
1684
new_function = (dbus.service.signal(
1129
1685
alt_interface,
1130
1686
attribute._dbus_signature)(new_function))
1134
1690
attribute._dbus_annotations)
1135
1691
except AttributeError:
1136
1692
pass
1693
1137
1694
# Define a creator of a function to call both the
1138
1695
# original and alternate functions, so both the
1139
1696
# original and alternate signals gets sent when
1142
1699
"""This function is a scope container to pass
1143
1700
func1 and func2 to the "call_both" function
1144
1701
outside of its arguments"""
1145
1702
1703
@functools.wraps(func2)
1146
1704
def call_both(*args, **kwargs):
1147
1705
"""This function will emit two D-Bus
1148
1706
signals by calling func1 and func2"""
1149
1707
func1(*args, **kwargs)
1150
1708
func2(*args, **kwargs)
1151
1709
# Make wrapper function look like a D-Bus
1710
# signal
1711
for name, attr in inspect.getmembers(func2):
1712
if name.startswith("_dbus_"):
1713
setattr(call_both, name, attr)
1714
1152
1715
return call_both
1153
1716
# Create the "call_both" function and add it to
1154
1717
# the class
1164
1727
alt_interface,
1165
1728
attribute._dbus_in_signature,
1166
1729
attribute._dbus_out_signature)
1167
(types.FunctionType(attribute.func_code,
1168
attribute.func_globals,
1169
attribute.func_name,
1170
attribute.func_defaults,
1171
attribute.func_closure)))
1730
(copy_function(attribute)))
1172
1731
# Copy annotations, if any
1173
1732
try:
1174
1733
attr[attrname]._dbus_annotations = dict(
1186
1745
attribute._dbus_access,
1187
1746
attribute._dbus_get_args_options
1188
1747
["byte_arrays"])
1189
(types.FunctionType(
1190
attribute.func_code,
1191
attribute.func_globals,
1192
attribute.func_name,
1193
attribute.func_defaults,
1194
attribute.func_closure)))
1748
(copy_function(attribute)))
1195
1749
# Copy annotations, if any
1196
1750
try:
1197
1751
attr[attrname]._dbus_annotations = dict(
1206
1760
# to the class.
1207
1761
attr[attrname] = (
1208
1762
dbus_interface_annotations(alt_interface)
1209
(types.FunctionType(attribute.func_code,
1210
attribute.func_globals,
1211
attribute.func_name,
1212
attribute.func_defaults,
1213
attribute.func_closure)))
1763
(copy_function(attribute)))
1214
1764
if deprecate:
1215
1765
# Deprecate all alternate interfaces
1216
iname="_AlternateDBusNames_interface_annotation{}"
1766
iname = "_AlternateDBusNames_interface_annotation{}"
1217
1767
for interface_name in interface_names:
1218
1768
1219
1769
@dbus_interface_annotations(interface_name)
1220
1770
def func(self):
1221
return { "org.freedesktop.DBus.Deprecated":
1222
"true" }
1771
return {"org.freedesktop.DBus.Deprecated":
1772
"true"}
1223
1773
# Find an unused name
1224
1774
for aname in (iname.format(i)
1225
1775
for i in itertools.count()):
1229
1779
if interface_names:
1230
1780
# Replace the class with a new subclass of it with
1231
1781
# methods, signals, etc. as created above.
1232
cls = type(b"{}Alternate".format(cls.__name__),
1233
(cls, ), attr)
1782
if sys.version_info.major == 2:
1783
cls = type(b"{}Alternate".format(cls.__name__),
1784
(cls, ), attr)
1785
else:
1786
cls = type("{}Alternate".format(cls.__name__),
1787
(cls, ), attr)
1234
1788
return cls
1235
1789
1236
1790
return wrapper
1237
1791
1238
1792
1240
1794
"se.bsnet.fukt.Mandos"})
1241
1795
class ClientDBus(Client, DBusObjectWithProperties):
1242
1796
"""A Client class using D-Bus
1243
1797
1244
1798
Attributes:
1245
1799
dbus_object_path: dbus.ObjectPath
1246
1800
bus: dbus.SystemBus()
1247
1801
"""
1248
1802
1249
1803
runtime_expansions = (Client.runtime_expansions
1250
1804
+ ("dbus_object_path", ))
1251
1805
1252
1806
_interface = "se.recompile.Mandos.Client"
1253
1807
1254
1808
# dbus.service.Object doesn't use super(), so we can't either.
1255
1256
def __init__(self, bus = None, *args, **kwargs):
1809
1810
def __init__(self, bus=None, *args, **kwargs):
1257
1811
self.bus = bus
1258
1812
Client.__init__(self, *args, **kwargs)
1259
1813
# Only now, when this client is initialized, can it show up on
1265
1819
"/clients/" + client_object_name)
1266
1820
DBusObjectWithProperties.__init__(self, self.bus,
1267
1821
self.dbus_object_path)
1268
1822
1269
1823
def notifychangeproperty(transform_func, dbus_name,
1270
1824
type_func=lambda x: x,
1271
1825
variant_level=1,
1273
1827
_interface=_interface):
1274
1828
""" Modify a variable so that it's a property which announces
1275
1829
its changes to DBus.
1276
1830
1277
1831
transform_fun: Function that takes a value and a variant_level
1278
1832
and transforms it to a D-Bus type.
1279
1833
dbus_name: D-Bus name of the variable
1282
1836
variant_level: D-Bus variant level. Default: 1
1283
1837
"""
1284
1838
attrname = "_{}".format(dbus_name)
1285
1839
1286
1840
def setter(self, value):
1287
1841
if hasattr(self, "dbus_object_path"):
1288
1842
if (not hasattr(self, attrname) or
1295
1849
else:
1296
1850
dbus_value = transform_func(
1297
1851
type_func(value),
1298
variant_level = variant_level)
1852
variant_level=variant_level)
1299
1853
self.PropertyChanged(dbus.String(dbus_name),
1300
1854
dbus_value)
1301
1855
self.PropertiesChanged(
1302
1856
_interface,
1303
dbus.Dictionary({ dbus.String(dbus_name):
1304
dbus_value }),
1857
dbus.Dictionary({dbus.String(dbus_name):
1858
dbus_value}),
1305
1859
dbus.Array())
1306
1860
setattr(self, attrname, value)
1307
1861
1308
1862
return property(lambda self: getattr(self, attrname), setter)
1309
1863
1310
1864
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1311
1865
approvals_pending = notifychangeproperty(dbus.Boolean,
1312
1866
"ApprovalPending",
1313
type_func = bool)
1867
type_func=bool)
1314
1868
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1315
1869
last_enabled = notifychangeproperty(datetime_to_dbus,
1316
1870
"LastEnabled")
1317
1871
checker = notifychangeproperty(
1318
1872
dbus.Boolean, "CheckerRunning",
1319
type_func = lambda checker: checker is not None)
1873
type_func=lambda checker: checker is not None)
1320
1874
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1321
1875
"LastCheckedOK")
1322
1876
last_checker_status = notifychangeproperty(dbus.Int16,
1327
1881
"ApprovedByDefault")
1328
1882
approval_delay = notifychangeproperty(
1329
1883
dbus.UInt64, "ApprovalDelay",
1330
type_func = lambda td: td.total_seconds() * 1000)
1884
type_func=lambda td: td.total_seconds() * 1000)
1331
1885
approval_duration = notifychangeproperty(
1332
1886
dbus.UInt64, "ApprovalDuration",
1333
type_func = lambda td: td.total_seconds() * 1000)
1887
type_func=lambda td: td.total_seconds() * 1000)
1334
1888
host = notifychangeproperty(dbus.String, "Host")
1335
1889
timeout = notifychangeproperty(
1336
1890
dbus.UInt64, "Timeout",
1337
type_func = lambda td: td.total_seconds() * 1000)
1891
type_func=lambda td: td.total_seconds() * 1000)
1338
1892
extended_timeout = notifychangeproperty(
1339
1893
dbus.UInt64, "ExtendedTimeout",
1340
type_func = lambda td: td.total_seconds() * 1000)
1894
type_func=lambda td: td.total_seconds() * 1000)
1341
1895
interval = notifychangeproperty(
1342
1896
dbus.UInt64, "Interval",
1343
type_func = lambda td: td.total_seconds() * 1000)
1897
type_func=lambda td: td.total_seconds() * 1000)
1344
1898
checker_command = notifychangeproperty(dbus.String, "Checker")
1345
1899
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1346
1900
invalidate_only=True)
1347
1901
1348
1902
del notifychangeproperty
1349
1903
1350
1904
def __del__(self, *args, **kwargs):
1351
1905
try:
1352
1906
self.remove_from_connection()
1355
1909
if hasattr(DBusObjectWithProperties, "__del__"):
1356
1910
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1357
1911
Client.__del__(self, *args, **kwargs)
1358
1912
1359
1913
def checker_callback(self, source, condition,
1360
1914
connection, command, *args, **kwargs):
1361
1915
ret = Client.checker_callback(self, source, condition,
1365
1919
if exitstatus >= 0:
1366
1920
# Emit D-Bus signal
1367
1921
self.CheckerCompleted(dbus.Int16(exitstatus),
1368
dbus.Int64(0),
1922
# This is specific to GNU libC
1923
dbus.Int64(exitstatus << 8),
1369
1924
dbus.String(command))
1370
1925
else:
1371
1926
# Emit D-Bus signal
1372
1927
self.CheckerCompleted(dbus.Int16(-1),
1373
1928
dbus.Int64(
1374
self.last_checker_signal),
1929
# This is specific to GNU libC
1930
(exitstatus << 8)
1931
| self.last_checker_signal),
1375
1932
dbus.String(command))
1376
1933
return ret
1377
1934
1378
1935
def start_checker(self, *args, **kwargs):
1379
1936
old_checker_pid = getattr(self.checker, "pid", None)
1380
1937
r = Client.start_checker(self, *args, **kwargs)
1384
1941
# Emit D-Bus signal
1385
1942
self.CheckerStarted(self.current_checker_command)
1386
1943
return r
1387
1944
1388
1945
def _reset_approved(self):
1389
1946
self.approved = None
1390
1947
return False
1391
1948
1392
1949
def approve(self, value=True):
1393
1950
self.approved = value
1394
gobject.timeout_add(int(self.approval_duration.total_seconds()
1395
* 1000), self._reset_approved)
1951
GLib.timeout_add(int(self.approval_duration.total_seconds()
1952
* 1000), self._reset_approved)
1396
1953
self.send_changedstate()
1397
1398
## D-Bus methods, signals & properties
1399
1400
## Interfaces
1401
1402
## Signals
1403
1954
1955
# D-Bus methods, signals & properties
1956
1957
# Interfaces
1958
1959
# Signals
1960
1404
1961
# CheckerCompleted - signal
1405
1962
@dbus.service.signal(_interface, signature="nxs")
1406
1963
def CheckerCompleted(self, exitcode, waitstatus, command):
1407
1964
"D-Bus signal"
1408
1965
pass
1409
1966
1410
1967
# CheckerStarted - signal
1411
1968
@dbus.service.signal(_interface, signature="s")
1412
1969
def CheckerStarted(self, command):
1413
1970
"D-Bus signal"
1414
1971
pass
1415
1972
1416
1973
# PropertyChanged - signal
1417
1974
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1418
1975
@dbus.service.signal(_interface, signature="sv")
1419
1976
def PropertyChanged(self, property, value):
1420
1977
"D-Bus signal"
1421
1978
pass
1422
1979
1423
1980
# GotSecret - signal
1424
1981
@dbus.service.signal(_interface)
1425
1982
def GotSecret(self):
1428
1985
server to mandos-client
1429
1986
"""
1430
1987
pass
1431
1988
1432
1989
# Rejected - signal
1433
1990
@dbus.service.signal(_interface, signature="s")
1434
1991
def Rejected(self, reason):
1435
1992
"D-Bus signal"
1436
1993
pass
1437
1994
1438
1995
# NeedApproval - signal
1439
1996
@dbus.service.signal(_interface, signature="tb")
1440
1997
def NeedApproval(self, timeout, default):
1441
1998
"D-Bus signal"
1442
1999
return self.need_approval()
1443
1444
## Methods
1445
2000
2001
# Methods
2002
1446
2003
# Approve - method
1447
2004
@dbus.service.method(_interface, in_signature="b")
1448
2005
def Approve(self, value):
1449
2006
self.approve(value)
1450
2007
1451
2008
# CheckedOK - method
1452
2009
@dbus.service.method(_interface)
1453
2010
def CheckedOK(self):
1454
2011
self.checked_ok()
1455
2012
1456
2013
# Enable - method
2014
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1457
2015
@dbus.service.method(_interface)
1458
2016
def Enable(self):
1459
2017
"D-Bus method"
1460
2018
self.enable()
1461
2019
1462
2020
# StartChecker - method
2021
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1463
2022
@dbus.service.method(_interface)
1464
2023
def StartChecker(self):
1465
2024
"D-Bus method"
1466
2025
self.start_checker()
1467
2026
1468
2027
# Disable - method
2028
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1469
2029
@dbus.service.method(_interface)
1470
2030
def Disable(self):
1471
2031
"D-Bus method"
1472
2032
self.disable()
1473
2033
1474
2034
# StopChecker - method
2035
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1475
2036
@dbus.service.method(_interface)
1476
2037
def StopChecker(self):
1477
2038
self.stop_checker()
1478
1479
## Properties
1480
2039
2040
# Properties
2041
1481
2042
# ApprovalPending - property
1482
2043
@dbus_service_property(_interface, signature="b", access="read")
1483
2044
def ApprovalPending_dbus_property(self):
1484
2045
return dbus.Boolean(bool(self.approvals_pending))
1485
2046
1486
2047
# ApprovedByDefault - property
1487
2048
@dbus_service_property(_interface,
1488
2049
signature="b",
1491
2052
if value is None: # get
1492
2053
return dbus.Boolean(self.approved_by_default)
1493
2054
self.approved_by_default = bool(value)
1494
2055
1495
2056
# ApprovalDelay - property
1496
2057
@dbus_service_property(_interface,
1497
2058
signature="t",
1501
2062
return dbus.UInt64(self.approval_delay.total_seconds()
1502
2063
* 1000)
1503
2064
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1504
2065
1505
2066
# ApprovalDuration - property
1506
2067
@dbus_service_property(_interface,
1507
2068
signature="t",
1511
2072
return dbus.UInt64(self.approval_duration.total_seconds()
1512
2073
* 1000)
1513
2074
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1514
2075
1515
2076
# Name - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1516
2079
@dbus_service_property(_interface, signature="s", access="read")
1517
2080
def Name_dbus_property(self):
1518
2081
return dbus.String(self.name)
1519
2082
2083
# KeyID - property
2084
@dbus_annotations(
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
@dbus_service_property(_interface, signature="s", access="read")
2087
def KeyID_dbus_property(self):
2088
return dbus.String(self.key_id)
2089
1520
2090
# Fingerprint - property
2091
@dbus_annotations(
2092
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1521
2093
@dbus_service_property(_interface, signature="s", access="read")
1522
2094
def Fingerprint_dbus_property(self):
1523
2095
return dbus.String(self.fingerprint)
1524
2096
1525
2097
# Host - property
1526
2098
@dbus_service_property(_interface,
1527
2099
signature="s",
1530
2102
if value is None: # get
1531
2103
return dbus.String(self.host)
1532
2104
self.host = str(value)
1533
2105
1534
2106
# Created - property
2107
@dbus_annotations(
2108
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1535
2109
@dbus_service_property(_interface, signature="s", access="read")
1536
2110
def Created_dbus_property(self):
1537
2111
return datetime_to_dbus(self.created)
1538
2112
1539
2113
# LastEnabled - property
1540
2114
@dbus_service_property(_interface, signature="s", access="read")
1541
2115
def LastEnabled_dbus_property(self):
1542
2116
return datetime_to_dbus(self.last_enabled)
1543
2117
1544
2118
# Enabled - property
1545
2119
@dbus_service_property(_interface,
1546
2120
signature="b",
1552
2126
self.enable()
1553
2127
else:
1554
2128
self.disable()
1555
2129
1556
2130
# LastCheckedOK - property
1557
2131
@dbus_service_property(_interface,
1558
2132
signature="s",
1562
2136
self.checked_ok()
1563
2137
return
1564
2138
return datetime_to_dbus(self.last_checked_ok)
1565
2139
1566
2140
# LastCheckerStatus - property
1567
2141
@dbus_service_property(_interface, signature="n", access="read")
1568
2142
def LastCheckerStatus_dbus_property(self):
1569
2143
return dbus.Int16(self.last_checker_status)
1570
2144
1571
2145
# Expires - property
1572
2146
@dbus_service_property(_interface, signature="s", access="read")
1573
2147
def Expires_dbus_property(self):
1574
2148
return datetime_to_dbus(self.expires)
1575
2149
1576
2150
# LastApprovalRequest - property
1577
2151
@dbus_service_property(_interface, signature="s", access="read")
1578
2152
def LastApprovalRequest_dbus_property(self):
1579
2153
return datetime_to_dbus(self.last_approval_request)
1580
2154
1581
2155
# Timeout - property
1582
2156
@dbus_service_property(_interface,
1583
2157
signature="t",
1598
2172
if (getattr(self, "disable_initiator_tag", None)
1599
2173
is None):
1600
2174
return
1601
gobject.source_remove(self.disable_initiator_tag)
1602
self.disable_initiator_tag = gobject.timeout_add(
2175
GLib.source_remove(self.disable_initiator_tag)
2176
self.disable_initiator_tag = GLib.timeout_add(
1603
2177
int((self.expires - now).total_seconds() * 1000),
1604
2178
self.disable)
1605
2179
1606
2180
# ExtendedTimeout - property
1607
2181
@dbus_service_property(_interface,
1608
2182
signature="t",
1612
2186
return dbus.UInt64(self.extended_timeout.total_seconds()
1613
2187
* 1000)
1614
2188
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1615
2189
1616
2190
# Interval - property
1617
2191
@dbus_service_property(_interface,
1618
2192
signature="t",
1625
2199
return
1626
2200
if self.enabled:
1627
2201
# Reschedule checker run
1628
gobject.source_remove(self.checker_initiator_tag)
1629
self.checker_initiator_tag = gobject.timeout_add(
2202
GLib.source_remove(self.checker_initiator_tag)
2203
self.checker_initiator_tag = GLib.timeout_add(
1630
2204
value, self.start_checker)
1631
self.start_checker() # Start one now, too
1632
2205
self.start_checker() # Start one now, too
2206
1633
2207
# Checker - property
1634
2208
@dbus_service_property(_interface,
1635
2209
signature="s",
1638
2212
if value is None: # get
1639
2213
return dbus.String(self.checker_command)
1640
2214
self.checker_command = str(value)
1641
2215
1642
2216
# CheckerRunning - property
1643
2217
@dbus_service_property(_interface,
1644
2218
signature="b",
1650
2224
self.start_checker()
1651
2225
else:
1652
2226
self.stop_checker()
1653
2227
1654
2228
# ObjectPath - property
2229
@dbus_annotations(
2230
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2231
"org.freedesktop.DBus.Deprecated": "true"})
1655
2232
@dbus_service_property(_interface, signature="o", access="read")
1656
2233
def ObjectPath_dbus_property(self):
1657
return self.dbus_object_path # is already a dbus.ObjectPath
1658
2234
return self.dbus_object_path # is already a dbus.ObjectPath
2235
1659
2236
# Secret = property
2237
@dbus_annotations(
2238
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2239
"invalidates"})
1660
2240
@dbus_service_property(_interface,
1661
2241
signature="ay",
1662
2242
access="write",
1663
2243
byte_arrays=True)
1664
2244
def Secret_dbus_property(self, value):
1665
2245
self.secret = bytes(value)
1666
2246
1667
2247
del _interface
1668
2248
1669
2249
1670
class ProxyClient(object):
1671
def __init__(self, child_pipe, fpr, address):
2250
class ProxyClient:
2251
def __init__(self, child_pipe, key_id, fpr, address):
1672
2252
self._pipe = child_pipe
1673
self._pipe.send(('init', fpr, address))
2253
self._pipe.send(('init', key_id, fpr, address))
1674
2254
if not self._pipe.recv():
1675
raise KeyError(fpr)
1676
2255
raise KeyError(key_id or fpr)
2256
1677
2257
def __getattribute__(self, name):
1678
2258
if name == '_pipe':
1679
2259
return super(ProxyClient, self).__getattribute__(name)
1682
2262
if data[0] == 'data':
1683
2263
return data[1]
1684
2264
if data[0] == 'function':
1685
2265
1686
2266
def func(*args, **kwargs):
1687
2267
self._pipe.send(('funcall', name, args, kwargs))
1688
2268
return self._pipe.recv()[1]
1689
2269
1690
2270
return func
1691
2271
1692
2272
def __setattr__(self, name, value):
1693
2273
if name == '_pipe':
1694
2274
return super(ProxyClient, self).__setattr__(name, value)
1697
2277
1698
2278
class ClientHandler(socketserver.BaseRequestHandler, object):
1699
2279
"""A class to handle client connections.
1700
2280
1701
2281
Instantiated once for each connection to handle it.
1702
2282
Note: This will run in its own forked process."""
1703
2283
1704
2284
def handle(self):
1705
2285
with contextlib.closing(self.server.child_pipe) as child_pipe:
1706
2286
logger.info("TCP connection from: %s",
1707
2287
str(self.client_address))
1708
2288
logger.debug("Pipe FD: %d",
1709
2289
self.server.child_pipe.fileno())
1710
1711
session = gnutls.connection.ClientSession(
1712
self.request, gnutls.connection .X509Credentials())
1713
1714
# Note: gnutls.connection.X509Credentials is really a
1715
# generic GnuTLS certificate credentials object so long as
1716
# no X.509 keys are added to it. Therefore, we can use it
1717
# here despite using OpenPGP certificates.
1718
1719
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1720
# "+AES-256-CBC", "+SHA1",
1721
# "+COMP-NULL", "+CTYPE-OPENPGP",
1722
# "+DHE-DSS"))
2290
2291
session = gnutls.ClientSession(self.request)
2292
2293
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2294
# "+AES-256-CBC", "+SHA1",
2295
# "+COMP-NULL", "+CTYPE-OPENPGP",
2296
# "+DHE-DSS"))
1723
2297
# Use a fallback default, since this MUST be set.
1724
2298
priority = self.server.gnutls_priority
1725
2299
if priority is None:
1726
2300
priority = "NORMAL"
1727
gnutls.library.functions.gnutls_priority_set_direct(
1728
session._c_object, priority, None)
1729
2301
gnutls.priority_set_direct(session._c_object,
2302
priority.encode("utf-8"),
2303
None)
2304
1730
2305
# Start communication using the Mandos protocol
1731
2306
# Get protocol number
1732
2307
line = self.request.makefile().readline()
1737
2312
except (ValueError, IndexError, RuntimeError) as error:
1738
2313
logger.error("Unknown protocol version: %s", error)
1739
2314
return
1740
2315
1741
2316
# Start GnuTLS connection
1742
2317
try:
1743
2318
session.handshake()
1744
except gnutls.errors.GNUTLSError as error:
2319
except gnutls.Error as error:
1745
2320
logger.warning("Handshake failed: %s", error)
1746
2321
# Do not run session.bye() here: the session is not
1747
2322
# established. Just abandon the request.
1748
2323
return
1749
2324
logger.debug("Handshake succeeded")
1750
2325
1751
2326
approval_required = False
1752
2327
try:
1753
try:
1754
fpr = self.fingerprint(
1755
self.peer_certificate(session))
1756
except (TypeError,
1757
gnutls.errors.GNUTLSError) as error:
1758
logger.warning("Bad certificate: %s", error)
1759
return
1760
logger.debug("Fingerprint: %s", fpr)
1761
1762
try:
1763
client = ProxyClient(child_pipe, fpr,
2328
if gnutls.has_rawpk:
2329
fpr = b""
2330
try:
2331
key_id = self.key_id(
2332
self.peer_certificate(session))
2333
except (TypeError, gnutls.Error) as error:
2334
logger.warning("Bad certificate: %s", error)
2335
return
2336
logger.debug("Key ID: %s", key_id)
2337
2338
else:
2339
key_id = b""
2340
try:
2341
fpr = self.fingerprint(
2342
self.peer_certificate(session))
2343
except (TypeError, gnutls.Error) as error:
2344
logger.warning("Bad certificate: %s", error)
2345
return
2346
logger.debug("Fingerprint: %s", fpr)
2347
2348
try:
2349
client = ProxyClient(child_pipe, key_id, fpr,
1764
2350
self.client_address)
1765
2351
except KeyError:
1766
2352
return
1767
2353
1768
2354
if client.approval_delay:
1769
2355
delay = client.approval_delay
1770
2356
client.approvals_pending += 1
1771
2357
approval_required = True
1772
2358
1773
2359
while True:
1774
2360
if not client.enabled:
1775
2361
logger.info("Client %s is disabled",
1778
2364
# Emit D-Bus signal
1779
2365
client.Rejected("Disabled")
1780
2366
return
1781
2367
1782
2368
if client.approved or not client.approval_delay:
1783
#We are approved or approval is disabled
2369
# We are approved or approval is disabled
1784
2370
break
1785
2371
elif client.approved is None:
1786
2372
logger.info("Client %s needs approval",
1797
2383
# Emit D-Bus signal
1798
2384
client.Rejected("Denied")
1799
2385
return
1800
1801
#wait until timeout or approved
2386
2387
# wait until timeout or approved
1802
2388
time = datetime.datetime.now()
1803
2389
client.changedstate.acquire()
1804
2390
client.changedstate.wait(delay.total_seconds())
1817
2403
break
1818
2404
else:
1819
2405
delay -= time2 - time
1820
1821
sent_size = 0
1822
while sent_size < len(client.secret):
1823
try:
1824
sent = session.send(client.secret[sent_size:])
1825
except gnutls.errors.GNUTLSError as error:
1826
logger.warning("gnutls send failed",
1827
exc_info=error)
1828
return
1829
logger.debug("Sent: %d, remaining: %d", sent,
1830
len(client.secret) - (sent_size
1831
+ sent))
1832
sent_size += sent
1833
2406
2407
try:
2408
session.send(client.secret)
2409
except gnutls.Error as error:
2410
logger.warning("gnutls send failed",
2411
exc_info=error)
2412
return
2413
1834
2414
logger.info("Sending secret to %s", client.name)
1835
2415
# bump the timeout using extended_timeout
1836
2416
client.bump_timeout(client.extended_timeout)
1837
2417
if self.server.use_dbus:
1838
2418
# Emit D-Bus signal
1839
2419
client.GotSecret()
1840
2420
1841
2421
finally:
1842
2422
if approval_required:
1843
2423
client.approvals_pending -= 1
1844
2424
try:
1845
2425
session.bye()
1846
except gnutls.errors.GNUTLSError as error:
2426
except gnutls.Error as error:
1847
2427
logger.warning("GnuTLS bye failed",
1848
2428
exc_info=error)
1849
2429
1850
2430
@staticmethod
1851
2431
def peer_certificate(session):
1852
"Return the peer's OpenPGP certificate as a bytestring"
1853
# If not an OpenPGP certificate...
1854
if (gnutls.library.functions.gnutls_certificate_type_get(
1855
session._c_object)
1856
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1857
# ...do the normal thing
1858
return session.peer_certificate
2432
"Return the peer's certificate as a bytestring"
2433
try:
2434
cert_type = gnutls.certificate_type_get2(session._c_object,
2435
gnutls.CTYPE_PEERS)
2436
except AttributeError:
2437
cert_type = gnutls.certificate_type_get(session._c_object)
2438
if gnutls.has_rawpk:
2439
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2440
else:
2441
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2442
# If not a valid certificate type...
2443
if cert_type not in valid_cert_types:
2444
logger.info("Cert type %r not in %r", cert_type,
2445
valid_cert_types)
2446
# ...return invalid data
2447
return b""
1859
2448
list_size = ctypes.c_uint(1)
1860
cert_list = (gnutls.library.functions
1861
.gnutls_certificate_get_peers
2449
cert_list = (gnutls.certificate_get_peers
1862
2450
(session._c_object, ctypes.byref(list_size)))
1863
2451
if not bool(cert_list) and list_size.value != 0:
1864
raise gnutls.errors.GNUTLSError("error getting peer"
1865
" certificate")
2452
raise gnutls.Error("error getting peer certificate")
1866
2453
if list_size.value == 0:
1867
2454
return None
1868
2455
cert = cert_list[0]
1869
2456
return ctypes.string_at(cert.data, cert.size)
1870
2457
2458
@staticmethod
2459
def key_id(certificate):
2460
"Convert a certificate bytestring to a hexdigit key ID"
2461
# New GnuTLS "datum" with the public key
2462
datum = gnutls.datum_t(
2463
ctypes.cast(ctypes.c_char_p(certificate),
2464
ctypes.POINTER(ctypes.c_ubyte)),
2465
ctypes.c_uint(len(certificate)))
2466
# XXX all these need to be created in the gnutls "module"
2467
# New empty GnuTLS certificate
2468
pubkey = gnutls.pubkey_t()
2469
gnutls.pubkey_init(ctypes.byref(pubkey))
2470
# Import the raw public key into the certificate
2471
gnutls.pubkey_import(pubkey,
2472
ctypes.byref(datum),
2473
gnutls.X509_FMT_DER)
2474
# New buffer for the key ID
2475
buf = ctypes.create_string_buffer(32)
2476
buf_len = ctypes.c_size_t(len(buf))
2477
# Get the key ID from the raw public key into the buffer
2478
gnutls.pubkey_get_key_id(
2479
pubkey,
2480
gnutls.KEYID_USE_SHA256,
2481
ctypes.cast(ctypes.byref(buf),
2482
ctypes.POINTER(ctypes.c_ubyte)),
2483
ctypes.byref(buf_len))
2484
# Deinit the certificate
2485
gnutls.pubkey_deinit(pubkey)
2486
2487
# Convert the buffer to a Python bytestring
2488
key_id = ctypes.string_at(buf, buf_len.value)
2489
# Convert the bytestring to hexadecimal notation
2490
hex_key_id = binascii.hexlify(key_id).upper()
2491
return hex_key_id
2492
1871
2493
@staticmethod
1872
2494
def fingerprint(openpgp):
1873
2495
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1874
2496
# New GnuTLS "datum" with the OpenPGP public key
1875
datum = gnutls.library.types.gnutls_datum_t(
2497
datum = gnutls.datum_t(
1876
2498
ctypes.cast(ctypes.c_char_p(openpgp),
1877
2499
ctypes.POINTER(ctypes.c_ubyte)),
1878
2500
ctypes.c_uint(len(openpgp)))
1879
2501
# New empty GnuTLS certificate
1880
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1881
gnutls.library.functions.gnutls_openpgp_crt_init(
1882
ctypes.byref(crt))
2502
crt = gnutls.openpgp_crt_t()
2503
gnutls.openpgp_crt_init(ctypes.byref(crt))
1883
2504
# Import the OpenPGP public key into the certificate
1884
gnutls.library.functions.gnutls_openpgp_crt_import(
1885
crt, ctypes.byref(datum),
1886
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2505
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2506
gnutls.OPENPGP_FMT_RAW)
1887
2507
# Verify the self signature in the key
1888
2508
crtverify = ctypes.c_uint()
1889
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1890
crt, 0, ctypes.byref(crtverify))
2509
gnutls.openpgp_crt_verify_self(crt, 0,
2510
ctypes.byref(crtverify))
1891
2511
if crtverify.value != 0:
1892
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1893
raise gnutls.errors.CertificateSecurityError(
1894
"Verify failed")
2512
gnutls.openpgp_crt_deinit(crt)
2513
raise gnutls.CertificateSecurityError(code
2514
=crtverify.value)
1895
2515
# New buffer for the fingerprint
1896
2516
buf = ctypes.create_string_buffer(20)
1897
2517
buf_len = ctypes.c_size_t()
1898
2518
# Get the fingerprint from the certificate into the buffer
1899
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1900
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2519
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2520
ctypes.byref(buf_len))
1901
2521
# Deinit the certificate
1902
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2522
gnutls.openpgp_crt_deinit(crt)
1903
2523
# Convert the buffer to a Python bytestring
1904
2524
fpr = ctypes.string_at(buf, buf_len.value)
1905
2525
# Convert the bytestring to hexadecimal notation
1907
2527
return hex_fpr
1908
2528
1909
2529
1910
class MultiprocessingMixIn(object):
2530
class MultiprocessingMixIn:
1911
2531
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
1912
2532
1913
2533
def sub_process_main(self, request, address):
1914
2534
try:
1915
2535
self.finish_request(request, address)
1916
2536
except Exception:
1917
2537
self.handle_error(request, address)
1918
2538
self.close_request(request)
1919
2539
1920
2540
def process_request(self, request, address):
1921
2541
"""Start a new process to process the request."""
1922
proc = multiprocessing.Process(target = self.sub_process_main,
1923
args = (request, address))
2542
proc = multiprocessing.Process(target=self.sub_process_main,
2543
args=(request, address))
1924
2544
proc.start()
1925
2545
return proc
1926
2546
1927
2547
1928
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2548
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
1929
2549
""" adds a pipe to the MixIn """
1930
2550
1931
2551
def process_request(self, request, client_address):
1932
2552
"""Overrides and wraps the original process_request().
1933
2553
1934
2554
This function creates a new pipe in self.pipe
1935
2555
"""
1936
2556
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1937
2557
1938
2558
proc = MultiprocessingMixIn.process_request(self, request,
1939
2559
client_address)
1940
2560
self.child_pipe.close()
1941
2561
self.add_pipe(parent_pipe, proc)
1942
2562
1943
2563
def add_pipe(self, parent_pipe, proc):
1944
2564
"""Dummy function; override as necessary"""
1945
2565
raise NotImplementedError()
1946
2566
1947
2567
1948
2568
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1949
socketserver.TCPServer, object):
2569
socketserver.TCPServer):
1950
2570
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1951
2571
1952
2572
Attributes:
1953
2573
enabled: Boolean; whether this server is activated yet
1954
2574
interface: None or a network interface name (string)
1955
2575
use_ipv6: Boolean; to use IPv6 or not
1956
2576
"""
1957
2577
1958
2578
def __init__(self, server_address, RequestHandlerClass,
1959
2579
interface=None,
1960
2580
use_ipv6=True,
1970
2590
self.socketfd = socketfd
1971
2591
# Save the original socket.socket() function
1972
2592
self.socket_socket = socket.socket
2593
1973
2594
# To implement --socket, we monkey patch socket.socket.
1974
#
2595
#
1975
2596
# (When socketserver.TCPServer is a new-style class, we
1976
2597
# could make self.socket into a property instead of monkey
1977
2598
# patching socket.socket.)
1978
#
2599
#
1979
2600
# Create a one-time-only replacement for socket.socket()
1980
2601
@functools.wraps(socket.socket)
1981
2602
def socket_wrapper(*args, **kwargs):
1993
2614
# socket_wrapper(), if socketfd was set.
1994
2615
socketserver.TCPServer.__init__(self, server_address,
1995
2616
RequestHandlerClass)
1996
2617
1997
2618
def server_bind(self):
1998
2619
"""This overrides the normal server_bind() function
1999
2620
to bind to an interface if one was specified, and also NOT to
2000
2621
bind to an address or port if they were not specified."""
2622
global SO_BINDTODEVICE
2001
2623
if self.interface is not None:
2002
2624
if SO_BINDTODEVICE is None:
2003
logger.error("SO_BINDTODEVICE does not exist;"
2004
" cannot bind to interface %s",
2005
self.interface)
2006
else:
2007
try:
2008
self.socket.setsockopt(
2009
socket.SOL_SOCKET, SO_BINDTODEVICE,
2010
(self.interface + "\0").encode("utf-8"))
2011
except socket.error as error:
2012
if error.errno == errno.EPERM:
2013
logger.error("No permission to bind to"
2014
" interface %s", self.interface)
2015
elif error.errno == errno.ENOPROTOOPT:
2016
logger.error("SO_BINDTODEVICE not available;"
2017
" cannot bind to interface %s",
2018
self.interface)
2019
elif error.errno == errno.ENODEV:
2020
logger.error("Interface %s does not exist,"
2021
" cannot bind", self.interface)
2022
else:
2023
raise
2625
# Fall back to a hard-coded value which seems to be
2626
# common enough.
2627
logger.warning("SO_BINDTODEVICE not found, trying 25")
2628
SO_BINDTODEVICE = 25
2629
try:
2630
self.socket.setsockopt(
2631
socket.SOL_SOCKET, SO_BINDTODEVICE,
2632
(self.interface + "\0").encode("utf-8"))
2633
except socket.error as error:
2634
if error.errno == errno.EPERM:
2635
logger.error("No permission to bind to"
2636
" interface %s", self.interface)
2637
elif error.errno == errno.ENOPROTOOPT:
2638
logger.error("SO_BINDTODEVICE not available;"
2639
" cannot bind to interface %s",
2640
self.interface)
2641
elif error.errno == errno.ENODEV:
2642
logger.error("Interface %s does not exist,"
2643
" cannot bind", self.interface)
2644
else:
2645
raise
2024
2646
# Only bind(2) the socket if we really need to.
2025
2647
if self.server_address[0] or self.server_address[1]:
2648
if self.server_address[1]:
2649
self.allow_reuse_address = True
2026
2650
if not self.server_address[0]:
2027
2651
if self.address_family == socket.AF_INET6:
2028
any_address = "::" # in6addr_any
2652
any_address = "::" # in6addr_any
2029
2653
else:
2030
any_address = "0.0.0.0" # INADDR_ANY
2654
any_address = "0.0.0.0" # INADDR_ANY
2031
2655
self.server_address = (any_address,
2032
2656
self.server_address[1])
2033
2657
elif not self.server_address[1]:
2043
2667
2044
2668
class MandosServer(IPv6_TCPServer):
2045
2669
"""Mandos server.
2046
2670
2047
2671
Attributes:
2048
2672
clients: set of Client objects
2049
2673
gnutls_priority GnuTLS priority string
2050
2674
use_dbus: Boolean; to emit D-Bus signals or not
2051
2052
Assumes a gobject.MainLoop event loop.
2675
2676
Assumes a GLib.MainLoop event loop.
2053
2677
"""
2054
2678
2055
2679
def __init__(self, server_address, RequestHandlerClass,
2056
2680
interface=None,
2057
2681
use_ipv6=True,
2067
2691
self.gnutls_priority = gnutls_priority
2068
2692
IPv6_TCPServer.__init__(self, server_address,
2069
2693
RequestHandlerClass,
2070
interface = interface,
2071
use_ipv6 = use_ipv6,
2072
socketfd = socketfd)
2073
2694
interface=interface,
2695
use_ipv6=use_ipv6,
2696
socketfd=socketfd)
2697
2074
2698
def server_activate(self):
2075
2699
if self.enabled:
2076
2700
return socketserver.TCPServer.server_activate(self)
2077
2701
2078
2702
def enable(self):
2079
2703
self.enabled = True
2080
2704
2081
2705
def add_pipe(self, parent_pipe, proc):
2082
2706
# Call "handle_ipc" for both data and EOF events
2083
gobject.io_add_watch(
2084
parent_pipe.fileno(),
2085
gobject.IO_IN | gobject.IO_HUP,
2707
GLib.io_add_watch(
2708
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2709
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2086
2710
functools.partial(self.handle_ipc,
2087
parent_pipe = parent_pipe,
2088
proc = proc))
2089
2711
parent_pipe=parent_pipe,
2712
proc=proc))
2713
2090
2714
def handle_ipc(self, source, condition,
2091
2715
parent_pipe=None,
2092
proc = None,
2716
proc=None,
2093
2717
client_object=None):
2094
2718
# error, or the other end of multiprocessing.Pipe has closed
2095
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2719
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2096
2720
# Wait for other process to exit
2097
2721
proc.join()
2098
2722
return False
2099
2723
2100
2724
# Read a request from the child
2101
2725
request = parent_pipe.recv()
2102
2726
command = request[0]
2103
2727
2104
2728
if command == 'init':
2105
fpr = request[1]
2106
address = request[2]
2107
2108
for c in self.clients.itervalues():
2109
if c.fingerprint == fpr:
2729
key_id = request[1].decode("ascii")
2730
fpr = request[2].decode("ascii")
2731
address = request[3]
2732
2733
for c in self.clients.values():
2734
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2735
"27AE41E4649B934CA495991B7852B855"):
2736
continue
2737
if key_id and c.key_id == key_id:
2738
client = c
2739
break
2740
if fpr and c.fingerprint == fpr:
2110
2741
client = c
2111
2742
break
2112
2743
else:
2113
logger.info("Client not found for fingerprint: %s, ad"
2114
"dress: %s", fpr, address)
2744
logger.info("Client not found for key ID: %s, address"
2745
": %s", key_id or fpr, address)
2115
2746
if self.use_dbus:
2116
2747
# Emit D-Bus signal
2117
mandos_dbus_service.ClientNotFound(fpr,
2748
mandos_dbus_service.ClientNotFound(key_id or fpr,
2118
2749
address[0])
2119
2750
parent_pipe.send(False)
2120
2751
return False
2121
2122
gobject.io_add_watch(
2123
parent_pipe.fileno(),
2124
gobject.IO_IN | gobject.IO_HUP,
2752
2753
GLib.io_add_watch(
2754
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2755
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2125
2756
functools.partial(self.handle_ipc,
2126
parent_pipe = parent_pipe,
2127
proc = proc,
2128
client_object = client))
2757
parent_pipe=parent_pipe,
2758
proc=proc,
2759
client_object=client))
2129
2760
parent_pipe.send(True)
2130
2761
# remove the old hook in favor of the new above hook on
2131
2762
# same fileno
2134
2765
funcname = request[1]
2135
2766
args = request[2]
2136
2767
kwargs = request[3]
2137
2768
2138
2769
parent_pipe.send(('data', getattr(client_object,
2139
2770
funcname)(*args,
2140
2771
**kwargs)))
2141
2772
2142
2773
if command == 'getattr':
2143
2774
attrname = request[1]
2144
2775
if isinstance(client_object.__getattribute__(attrname),
2145
collections.Callable):
2776
collections.abc.Callable):
2146
2777
parent_pipe.send(('function', ))
2147
2778
else:
2148
2779
parent_pipe.send((
2149
2780
'data', client_object.__getattribute__(attrname)))
2150
2781
2151
2782
if command == 'setattr':
2152
2783
attrname = request[1]
2153
2784
value = request[2]
2154
2785
setattr(client_object, attrname, value)
2155
2786
2156
2787
return True
2157
2788
2158
2789
2159
2790
def rfc3339_duration_to_delta(duration):
2160
2791
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2161
2162
>>> rfc3339_duration_to_delta("P7D")
2163
datetime.timedelta(7)
2164
>>> rfc3339_duration_to_delta("PT60S")
2165
datetime.timedelta(0, 60)
2166
>>> rfc3339_duration_to_delta("PT60M")
2167
datetime.timedelta(0, 3600)
2168
>>> rfc3339_duration_to_delta("PT24H")
2169
datetime.timedelta(1)
2170
>>> rfc3339_duration_to_delta("P1W")
2171
datetime.timedelta(7)
2172
>>> rfc3339_duration_to_delta("PT5M30S")
2173
datetime.timedelta(0, 330)
2174
>>> rfc3339_duration_to_delta("P1DT3M20S")
2175
datetime.timedelta(1, 200)
2792
2793
>>> timedelta = datetime.timedelta
2794
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2795
True
2796
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2797
True
2798
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2799
True
2800
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2801
True
2802
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2803
True
2804
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2805
True
2806
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2807
True
2808
>>> del timedelta
2176
2809
"""
2177
2810
2178
2811
# Parsing an RFC 3339 duration with regular expressions is not
2179
2812
# possible - there would have to be multiple places for the same
2180
2813
# values, like seconds. The current code, while more esoteric, is
2181
2814
# cleaner without depending on a parsing library. If Python had a
2182
2815
# built-in library for parsing we would use it, but we'd like to
2183
2816
# avoid excessive use of external libraries.
2184
2817
2185
2818
# New type for defining tokens, syntax, and semantics all-in-one
2186
2819
Token = collections.namedtuple("Token", (
2187
2820
"regexp", # To match token; if "value" is not None, must have
2220
2853
frozenset((token_year, token_month,
2221
2854
token_day, token_time,
2222
2855
token_week)))
2223
# Define starting values
2224
value = datetime.timedelta() # Value so far
2856
# Define starting values:
2857
# Value so far
2858
value = datetime.timedelta()
2225
2859
found_token = None
2226
followers = frozenset((token_duration, )) # Following valid tokens
2227
s = duration # String left to parse
2860
# Following valid tokens
2861
followers = frozenset((token_duration, ))
2862
# String left to parse
2863
s = duration
2228
2864
# Loop until end token is found
2229
2865
while found_token is not token_end:
2230
2866
# Search for any currently valid tokens
2254
2890
2255
2891
def string_to_delta(interval):
2256
2892
"""Parse a string and return a datetime.timedelta
2257
2258
>>> string_to_delta('7d')
2259
datetime.timedelta(7)
2260
>>> string_to_delta('60s')
2261
datetime.timedelta(0, 60)
2262
>>> string_to_delta('60m')
2263
datetime.timedelta(0, 3600)
2264
>>> string_to_delta('24h')
2265
datetime.timedelta(1)
2266
>>> string_to_delta('1w')
2267
datetime.timedelta(7)
2268
>>> string_to_delta('5m 30s')
2269
datetime.timedelta(0, 330)
2893
2894
>>> string_to_delta('7d') == datetime.timedelta(7)
2895
True
2896
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2897
True
2898
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2899
True
2900
>>> string_to_delta('24h') == datetime.timedelta(1)
2901
True
2902
>>> string_to_delta('1w') == datetime.timedelta(7)
2903
True
2904
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2905
True
2270
2906
"""
2271
2907
2272
2908
try:
2273
2909
return rfc3339_duration_to_delta(interval)
2274
2910
except ValueError:
2275
2911
pass
2276
2912
2277
2913
timevalue = datetime.timedelta(0)
2278
2914
for s in interval.split():
2279
2915
try:
2297
2933
return timevalue
2298
2934
2299
2935
2300
def daemon(nochdir = False, noclose = False):
2936
def daemon(nochdir=False, noclose=False):
2301
2937
"""See daemon(3). Standard BSD Unix function.
2302
2938
2303
2939
This should really exist as os.daemon, but it doesn't (yet)."""
2304
2940
if os.fork():
2305
2941
sys.exit()
2323
2959
2324
2960
2325
2961
def main():
2326
2962
2327
2963
##################################################################
2328
2964
# Parsing of options, both command line and config file
2329
2965
2330
2966
parser = argparse.ArgumentParser()
2331
2967
parser.add_argument("-v", "--version", action="version",
2332
version = "%(prog)s {}".format(version),
2968
version="%(prog)s {}".format(version),
2333
2969
help="show version number and exit")
2334
2970
parser.add_argument("-i", "--interface", metavar="IF",
2335
2971
help="Bind to interface IF")
2371
3007
parser.add_argument("--no-zeroconf", action="store_false",
2372
3008
dest="zeroconf", help="Do not use Zeroconf",
2373
3009
default=None)
2374
3010
2375
3011
options = parser.parse_args()
2376
2377
if options.check:
2378
import doctest
2379
fail_count, test_count = doctest.testmod()
2380
sys.exit(os.EX_OK if fail_count == 0 else 1)
2381
3012
2382
3013
# Default values for config file for server-global settings
2383
server_defaults = { "interface": "",
2384
"address": "",
2385
"port": "",
2386
"debug": "False",
2387
"priority":
2388
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2389
":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2390
"servicename": "Mandos",
2391
"use_dbus": "True",
2392
"use_ipv6": "True",
2393
"debuglevel": "",
2394
"restore": "True",
2395
"socket": "",
2396
"statedir": "/var/lib/mandos",
2397
"foreground": "False",
2398
"zeroconf": "True",
2399
}
2400
3014
if gnutls.has_rawpk:
3015
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3016
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3017
else:
3018
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3019
":+SIGN-DSA-SHA256")
3020
server_defaults = {"interface": "",
3021
"address": "",
3022
"port": "",
3023
"debug": "False",
3024
"priority": priority,
3025
"servicename": "Mandos",
3026
"use_dbus": "True",
3027
"use_ipv6": "True",
3028
"debuglevel": "",
3029
"restore": "True",
3030
"socket": "",
3031
"statedir": "/var/lib/mandos",
3032
"foreground": "False",
3033
"zeroconf": "True",
3034
}
3035
del priority
3036
2401
3037
# Parse config file for server-global settings
2402
server_config = configparser.SafeConfigParser(server_defaults)
3038
server_config = configparser.ConfigParser(server_defaults)
2403
3039
del server_defaults
2404
3040
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2405
# Convert the SafeConfigParser object to a dict
3041
# Convert the ConfigParser object to a dict
2406
3042
server_settings = server_config.defaults()
2407
3043
# Use the appropriate methods on the non-string config options
2408
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3044
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3045
"foreground", "zeroconf"):
2409
3046
server_settings[option] = server_config.getboolean("DEFAULT",
2410
3047
option)
2411
3048
if server_settings["port"]:
2421
3058
server_settings["socket"] = os.dup(server_settings
2422
3059
["socket"])
2423
3060
del server_config
2424
3061
2425
3062
# Override the settings from the config file with command line
2426
3063
# options, if set.
2427
3064
for option in ("interface", "address", "port", "debug",
2445
3082
if server_settings["debug"]:
2446
3083
server_settings["foreground"] = True
2447
3084
# Now we have our good server settings in "server_settings"
2448
3085
2449
3086
##################################################################
2450
3087
2451
3088
if (not server_settings["zeroconf"]
2452
3089
and not (server_settings["port"]
2453
3090
or server_settings["socket"] != "")):
2454
3091
parser.error("Needs port or socket to work without Zeroconf")
2455
3092
2456
3093
# For convenience
2457
3094
debug = server_settings["debug"]
2458
3095
debuglevel = server_settings["debuglevel"]
2462
3099
stored_state_file)
2463
3100
foreground = server_settings["foreground"]
2464
3101
zeroconf = server_settings["zeroconf"]
2465
3102
2466
3103
if debug:
2467
3104
initlogger(debug, logging.DEBUG)
2468
3105
else:
2471
3108
else:
2472
3109
level = getattr(logging, debuglevel.upper())
2473
3110
initlogger(debug, level)
2474
3111
2475
3112
if server_settings["servicename"] != "Mandos":
2476
3113
syslogger.setFormatter(
2477
3114
logging.Formatter('Mandos ({}) [%(process)d]:'
2478
3115
' %(levelname)s: %(message)s'.format(
2479
3116
server_settings["servicename"])))
2480
3117
2481
3118
# Parse config file with clients
2482
client_config = configparser.SafeConfigParser(Client
2483
.client_defaults)
3119
client_config = configparser.ConfigParser(Client.client_defaults)
2484
3120
client_config.read(os.path.join(server_settings["configdir"],
2485
3121
"clients.conf"))
2486
3122
2487
3123
global mandos_dbus_service
2488
3124
mandos_dbus_service = None
2489
3125
2490
3126
socketfd = None
2491
3127
if server_settings["socket"] != "":
2492
3128
socketfd = server_settings["socket"]
2508
3144
except IOError as e:
2509
3145
logger.error("Could not open file %r", pidfilename,
2510
3146
exc_info=e)
2511
2512
for name in ("_mandos", "mandos", "nobody"):
3147
3148
for name, group in (("_mandos", "_mandos"),
3149
("mandos", "mandos"),
3150
("nobody", "nogroup")):
2513
3151
try:
2514
3152
uid = pwd.getpwnam(name).pw_uid
2515
gid = pwd.getpwnam(name).pw_gid
3153
gid = pwd.getpwnam(group).pw_gid
2516
3154
break
2517
3155
except KeyError:
2518
3156
continue
2522
3160
try:
2523
3161
os.setgid(gid)
2524
3162
os.setuid(uid)
3163
if debug:
3164
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3165
gid))
2525
3166
except OSError as error:
3167
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3168
.format(uid, gid, os.strerror(error.errno)))
2526
3169
if error.errno != errno.EPERM:
2527
3170
raise
2528
3171
2529
3172
if debug:
2530
3173
# Enable all possible GnuTLS debugging
2531
3174
2532
3175
# "Use a log level over 10 to enable all debugging options."
2533
3176
# - GnuTLS manual
2534
gnutls.library.functions.gnutls_global_set_log_level(11)
2535
2536
@gnutls.library.types.gnutls_log_func
3177
gnutls.global_set_log_level(11)
3178
3179
@gnutls.log_func
2537
3180
def debug_gnutls(level, string):
2538
3181
logger.debug("GnuTLS: %s", string[:-1])
2539
2540
gnutls.library.functions.gnutls_global_set_log_function(
2541
debug_gnutls)
2542
3182
3183
gnutls.global_set_log_function(debug_gnutls)
3184
2543
3185
# Redirect stdin so all checkers get /dev/null
2544
3186
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2545
3187
os.dup2(null, sys.stdin.fileno())
2546
3188
if null > 2:
2547
3189
os.close(null)
2548
3190
2549
3191
# Need to fork before connecting to D-Bus
2550
3192
if not foreground:
2551
3193
# Close all input and output, do double fork, etc.
2552
3194
daemon()
2553
2554
# multiprocessing will use threads, so before we use gobject we
2555
# need to inform gobject that threads will be used.
2556
gobject.threads_init()
2557
3195
3196
if gi.version_info < (3, 10, 2):
3197
# multiprocessing will use threads, so before we use GLib we
3198
# need to inform GLib that threads will be used.
3199
GLib.threads_init()
3200
2558
3201
global main_loop
2559
3202
# From the Avahi example code
2560
3203
DBusGMainLoop(set_as_default=True)
2561
main_loop = gobject.MainLoop()
3204
main_loop = GLib.MainLoop()
2562
3205
bus = dbus.SystemBus()
2563
3206
# End of Avahi example code
2564
3207
if use_dbus:
2577
3220
if zeroconf:
2578
3221
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2579
3222
service = AvahiServiceToSyslog(
2580
name = server_settings["servicename"],
2581
servicetype = "_mandos._tcp",
2582
protocol = protocol,
2583
bus = bus)
3223
name=server_settings["servicename"],
3224
servicetype="_mandos._tcp",
3225
protocol=protocol,
3226
bus=bus)
2584
3227
if server_settings["interface"]:
2585
3228
service.interface = if_nametoindex(
2586
3229
server_settings["interface"].encode("utf-8"))
2587
3230
2588
3231
global multiprocessing_manager
2589
3232
multiprocessing_manager = multiprocessing.Manager()
2590
3233
2591
3234
client_class = Client
2592
3235
if use_dbus:
2593
client_class = functools.partial(ClientDBus, bus = bus)
2594
3236
client_class = functools.partial(ClientDBus, bus=bus)
3237
2595
3238
client_settings = Client.config_parser(client_config)
2596
3239
old_client_settings = {}
2597
3240
clients_data = {}
2598
3241
2599
3242
# This is used to redirect stdout and stderr for checker processes
2600
3243
global wnull
2601
wnull = open(os.devnull, "w") # A writable /dev/null
3244
wnull = open(os.devnull, "w") # A writable /dev/null
2602
3245
# Only used if server is running in foreground but not in debug
2603
3246
# mode
2604
3247
if debug or not foreground:
2605
3248
wnull.close()
2606
3249
2607
3250
# Get client data and settings from last running state.
2608
3251
if server_settings["restore"]:
2609
3252
try:
2610
3253
with open(stored_state_path, "rb") as stored_state:
2611
clients_data, old_client_settings = pickle.load(
2612
stored_state)
3254
if sys.version_info.major == 2:
3255
clients_data, old_client_settings = pickle.load(
3256
stored_state)
3257
else:
3258
bytes_clients_data, bytes_old_client_settings = (
3259
pickle.load(stored_state, encoding="bytes"))
3260
# Fix bytes to strings
3261
# clients_data
3262
# .keys()
3263
clients_data = {(key.decode("utf-8")
3264
if isinstance(key, bytes)
3265
else key): value
3266
for key, value in
3267
bytes_clients_data.items()}
3268
del bytes_clients_data
3269
for key in clients_data:
3270
value = {(k.decode("utf-8")
3271
if isinstance(k, bytes) else k): v
3272
for k, v in
3273
clients_data[key].items()}
3274
clients_data[key] = value
3275
# .client_structure
3276
value["client_structure"] = [
3277
(s.decode("utf-8")
3278
if isinstance(s, bytes)
3279
else s) for s in
3280
value["client_structure"]]
3281
# .name, .host, and .checker_command
3282
for k in ("name", "host", "checker_command"):
3283
if isinstance(value[k], bytes):
3284
value[k] = value[k].decode("utf-8")
3285
if "key_id" not in value:
3286
value["key_id"] = ""
3287
elif "fingerprint" not in value:
3288
value["fingerprint"] = ""
3289
# old_client_settings
3290
# .keys()
3291
old_client_settings = {
3292
(key.decode("utf-8")
3293
if isinstance(key, bytes)
3294
else key): value
3295
for key, value in
3296
bytes_old_client_settings.items()}
3297
del bytes_old_client_settings
3298
# .host and .checker_command
3299
for value in old_client_settings.values():
3300
for attribute in ("host", "checker_command"):
3301
if isinstance(value[attribute], bytes):
3302
value[attribute] = (value[attribute]
3303
.decode("utf-8"))
2613
3304
os.remove(stored_state_path)
2614
3305
except IOError as e:
2615
3306
if e.errno == errno.ENOENT:
2623
3314
logger.warning("Could not load persistent state: "
2624
3315
"EOFError:",
2625
3316
exc_info=e)
2626
3317
2627
3318
with PGPEngine() as pgp:
2628
3319
for client_name, client in clients_data.items():
2629
3320
# Skip removed clients
2630
3321
if client_name not in client_settings:
2631
3322
continue
2632
3323
2633
3324
# Decide which value to use after restoring saved state.
2634
3325
# We have three different values: Old config file,
2635
3326
# new config file, and saved state.
2646
3337
client[name] = value
2647
3338
except KeyError:
2648
3339
pass
2649
3340
2650
3341
# Clients who has passed its expire date can still be
2651
3342
# enabled if its last checker was successful. A Client
2652
3343
# whose checker succeeded before we stored its state is
2685
3376
client_name))
2686
3377
client["secret"] = (client_settings[client_name]
2687
3378
["secret"])
2688
3379
2689
3380
# Add/remove clients based on new changes made to config
2690
3381
for client_name in (set(old_client_settings)
2691
3382
- set(client_settings)):
2693
3384
for client_name in (set(client_settings)
2694
3385
- set(old_client_settings)):
2695
3386
clients_data[client_name] = client_settings[client_name]
2696
3387
2697
3388
# Create all client objects
2698
3389
for client_name, client in clients_data.items():
2699
3390
tcp_server.clients[client_name] = client_class(
2700
name = client_name,
2701
settings = client,
2702
server_settings = server_settings)
2703
3391
name=client_name,
3392
settings=client,
3393
server_settings=server_settings)
3394
2704
3395
if not tcp_server.clients:
2705
3396
logger.warning("No clients defined")
2706
3397
2707
3398
if not foreground:
2708
3399
if pidfile is not None:
2709
3400
pid = os.getpid()
2715
3406
pidfilename, pid)
2716
3407
del pidfile
2717
3408
del pidfilename
2718
2719
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2720
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2721
3409
3410
for termsig in (signal.SIGHUP, signal.SIGTERM):
3411
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3412
lambda: main_loop.quit() and False)
3413
2722
3414
if use_dbus:
2723
3415
2724
3416
@alternate_dbus_interfaces(
2725
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
2726
class MandosDBusService(DBusObjectWithProperties):
3417
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3418
class MandosDBusService(DBusObjectWithObjectManager):
2727
3419
"""A D-Bus proxy object"""
2728
3420
2729
3421
def __init__(self):
2730
3422
dbus.service.Object.__init__(self, bus, "/")
2731
3423
2732
3424
_interface = "se.recompile.Mandos"
2733
2734
@dbus_interface_annotations(_interface)
2735
def _foo(self):
2736
return {
2737
"org.freedesktop.DBus.Property.EmitsChangedSignal":
2738
"false" }
2739
3425
2740
3426
@dbus.service.signal(_interface, signature="o")
2741
3427
def ClientAdded(self, objpath):
2742
3428
"D-Bus signal"
2743
3429
pass
2744
3430
2745
3431
@dbus.service.signal(_interface, signature="ss")
2746
def ClientNotFound(self, fingerprint, address):
3432
def ClientNotFound(self, key_id, address):
2747
3433
"D-Bus signal"
2748
3434
pass
2749
3435
3436
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3437
"true"})
2750
3438
@dbus.service.signal(_interface, signature="os")
2751
3439
def ClientRemoved(self, objpath, name):
2752
3440
"D-Bus signal"
2753
3441
pass
2754
3442
3443
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3444
"true"})
2755
3445
@dbus.service.method(_interface, out_signature="ao")
2756
3446
def GetAllClients(self):
2757
3447
"D-Bus method"
2758
3448
return dbus.Array(c.dbus_object_path for c in
2759
tcp_server.clients.itervalues())
2760
3449
tcp_server.clients.values())
3450
3451
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3452
"true"})
2761
3453
@dbus.service.method(_interface,
2762
3454
out_signature="a{oa{sv}}")
2763
3455
def GetAllClientsWithProperties(self):
2764
3456
"D-Bus method"
2765
3457
return dbus.Dictionary(
2766
{ c.dbus_object_path: c.GetAll("")
2767
for c in tcp_server.clients.itervalues() },
3458
{c.dbus_object_path: c.GetAll(
3459
"se.recompile.Mandos.Client")
3460
for c in tcp_server.clients.values()},
2768
3461
signature="oa{sv}")
2769
3462
2770
3463
@dbus.service.method(_interface, in_signature="o")
2771
3464
def RemoveClient(self, object_path):
2772
3465
"D-Bus method"
2773
for c in tcp_server.clients.itervalues():
3466
for c in tcp_server.clients.values():
2774
3467
if c.dbus_object_path == object_path:
2775
3468
del tcp_server.clients[c.name]
2776
3469
c.remove_from_connection()
2777
# Don't signal anything except ClientRemoved
3470
# Don't signal the disabling
2778
3471
c.disable(quiet=True)
2779
# Emit D-Bus signal
2780
self.ClientRemoved(object_path, c.name)
3472
# Emit D-Bus signal for removal
3473
self.client_removed_signal(c)
2781
3474
return
2782
3475
raise KeyError(object_path)
2783
3476
2784
3477
del _interface
2785
3478
3479
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3480
out_signature="a{oa{sa{sv}}}")
3481
def GetManagedObjects(self):
3482
"""D-Bus method"""
3483
return dbus.Dictionary(
3484
{client.dbus_object_path:
3485
dbus.Dictionary(
3486
{interface: client.GetAll(interface)
3487
for interface in
3488
client._get_all_interface_names()})
3489
for client in tcp_server.clients.values()})
3490
3491
def client_added_signal(self, client):
3492
"""Send the new standard signal and the old signal"""
3493
if use_dbus:
3494
# New standard signal
3495
self.InterfacesAdded(
3496
client.dbus_object_path,
3497
dbus.Dictionary(
3498
{interface: client.GetAll(interface)
3499
for interface in
3500
client._get_all_interface_names()}))
3501
# Old signal
3502
self.ClientAdded(client.dbus_object_path)
3503
3504
def client_removed_signal(self, client):
3505
"""Send the new standard signal and the old signal"""
3506
if use_dbus:
3507
# New standard signal
3508
self.InterfacesRemoved(
3509
client.dbus_object_path,
3510
client._get_all_interface_names())
3511
# Old signal
3512
self.ClientRemoved(client.dbus_object_path,
3513
client.name)
3514
2786
3515
mandos_dbus_service = MandosDBusService()
2787
3516
3517
# Save modules to variables to exempt the modules from being
3518
# unloaded before the function registered with atexit() is run.
3519
mp = multiprocessing
3520
wn = wnull
3521
2788
3522
def cleanup():
2789
3523
"Cleanup function; run on exit"
2790
3524
if zeroconf:
2791
3525
service.cleanup()
2792
2793
multiprocessing.active_children()
2794
wnull.close()
3526
3527
mp.active_children()
3528
wn.close()
2795
3529
if not (tcp_server.clients or client_settings):
2796
3530
return
2797
3531
2798
3532
# Store client before exiting. Secrets are encrypted with key
2799
3533
# based on what config file has. If config file is
2800
3534
# removed/edited, old secret will thus be unrecovable.
2801
3535
clients = {}
2802
3536
with PGPEngine() as pgp:
2803
for client in tcp_server.clients.itervalues():
3537
for client in tcp_server.clients.values():
2804
3538
key = client_settings[client.name]["secret"]
2805
3539
client.encrypted_secret = pgp.encrypt(client.secret,
2806
3540
key)
2807
3541
client_dict = {}
2808
3542
2809
3543
# A list of attributes that can not be pickled
2810
3544
# + secret.
2811
exclude = { "bus", "changedstate", "secret",
2812
"checker", "server_settings" }
3545
exclude = {"bus", "changedstate", "secret",
3546
"checker", "server_settings"}
2813
3547
for name, typ in inspect.getmembers(dbus.service
2814
3548
.Object):
2815
3549
exclude.add(name)
2816
3550
2817
3551
client_dict["encrypted_secret"] = (client
2818
3552
.encrypted_secret)
2819
3553
for attr in client.client_structure:
2820
3554
if attr not in exclude:
2821
3555
client_dict[attr] = getattr(client, attr)
2822
3556
2823
3557
clients[client.name] = client_dict
2824
3558
del client_settings[client.name]["secret"]
2825
3559
2826
3560
try:
2827
3561
with tempfile.NamedTemporaryFile(
2828
3562
mode='wb',
2830
3564
prefix='clients-',
2831
3565
dir=os.path.dirname(stored_state_path),
2832
3566
delete=False) as stored_state:
2833
pickle.dump((clients, client_settings), stored_state)
3567
pickle.dump((clients, client_settings), stored_state,
3568
protocol=2)
2834
3569
tempname = stored_state.name
2835
3570
os.rename(tempname, stored_state_path)
2836
3571
except (IOError, OSError) as e:
2846
3581
logger.warning("Could not save persistent state:",
2847
3582
exc_info=e)
2848
3583
raise
2849
3584
2850
3585
# Delete all clients, and settings from config
2851
3586
while tcp_server.clients:
2852
3587
name, client = tcp_server.clients.popitem()
2853
3588
if use_dbus:
2854
3589
client.remove_from_connection()
2855
# Don't signal anything except ClientRemoved
3590
# Don't signal the disabling
2856
3591
client.disable(quiet=True)
3592
# Emit D-Bus signal for removal
2857
3593
if use_dbus:
2858
# Emit D-Bus signal
2859
mandos_dbus_service.ClientRemoved(
2860
client.dbus_object_path, client.name)
3594
mandos_dbus_service.client_removed_signal(client)
2861
3595
client_settings.clear()
2862
3596
2863
3597
atexit.register(cleanup)
2864
2865
for client in tcp_server.clients.itervalues():
3598
3599
for client in tcp_server.clients.values():
2866
3600
if use_dbus:
2867
# Emit D-Bus signal
2868
mandos_dbus_service.ClientAdded(client.dbus_object_path)
3601
# Emit D-Bus signal for adding
3602
mandos_dbus_service.client_added_signal(client)
2869
3603
# Need to initiate checking of clients
2870
3604
if client.enabled:
2871
3605
client.init_checker()
2872
3606
2873
3607
tcp_server.enable()
2874
3608
tcp_server.server_activate()
2875
3609
2876
3610
# Find out what port we got
2877
3611
if zeroconf:
2878
3612
service.port = tcp_server.socket.getsockname()[1]
2883
3617
else: # IPv4
2884
3618
logger.info("Now listening on address %r, port %d",
2885
3619
*tcp_server.socket.getsockname())
2886
2887
#service.interface = tcp_server.socket.getsockname()[3]
2888
3620
3621
# service.interface = tcp_server.socket.getsockname()[3]
3622
2889
3623
try:
2890
3624
if zeroconf:
2891
3625
# From the Avahi example code
2896
3630
cleanup()
2897
3631
sys.exit(1)
2898
3632
# End of Avahi example code
2899
2900
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2901
lambda *args, **kwargs:
2902
(tcp_server.handle_request
2903
(*args[2:], **kwargs) or True))
2904
3633
3634
GLib.io_add_watch(
3635
GLib.IOChannel.unix_new(tcp_server.fileno()),
3636
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3637
lambda *args, **kwargs: (tcp_server.handle_request
3638
(*args[2:], **kwargs) or True))
3639
2905
3640
logger.debug("Starting main loop")
2906
3641
main_loop.run()
2907
3642
except AvahiError as error:
2916
3651
# Must run before the D-Bus bus name gets deregistered
2917
3652
cleanup()
2918
3653
3654
3655
def should_only_run_tests():
3656
parser = argparse.ArgumentParser(add_help=False)
3657
parser.add_argument("--check", action='store_true')
3658
args, unknown_args = parser.parse_known_args()
3659
run_tests = args.check
3660
if run_tests:
3661
# Remove --check argument from sys.argv
3662
sys.argv[1:] = unknown_args
3663
return run_tests
3664
3665
# Add all tests from doctest strings
3666
def load_tests(loader, tests, none):
3667
import doctest
3668
tests.addTests(doctest.DocTestSuite())
3669
return tests
2919
3670
2920
3671
if __name__ == '__main__':
2921
main()
3672
try:
3673
if should_only_run_tests():
3674
# Call using ./mandos --check [--verbose]
3675
unittest.main()
3676
else:
3677
main()
3678
finally:
3679
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0