To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1229
- compare with another revision
- download diff
- download tarball
- view history from revision 1229
- Committer: teddy at recompile
- Date: 2020-12-03 20:30:45 UTC
- Revision ID: teddy@recompile.se-20201203203045-iqd6nq9y5nwalh1x
Minor fix of a test function
In dracut-module/password-agent, the test function
test_send_password_to_socket_EMSGSIZE() (which tests that the
send_password_to_socket() task function aborts properly when getting
EMSGSIZE when writing to the password socket), part of the test code
is supposed to find a message size which definitely does trigger
EMSGSIZE when send()ing to a socket. Without a "break" in the proper
place, however, the size given is always exactly 1024 bytes too large.
This is very probably not a problem, since a too large message will
still be too large if it is increased by 1024 bytes, and send(2) in
practice checks the size before reading the buffer. The biggest issue
would be if some version of send(2) would try to look at the last 1024
bytes of the message buffer before checking the message size; this
would then lead to a buffer over-read when running this test function.
(But even then there would be no security implications since the tests
are not run in the normal operation of the program.)
* dracut-module/password-agent.c
(test_send_password_to_socket_EMSGSIZE): Break out early when ssret
< 0 and errno == EMSGSIZE; don't allow loop to increase message_size
again.
In dracut-module/password-agent, the test function
test_send_password_to_socket_EMSGSIZE() (which tests that the
send_password_to_socket() task function aborts properly when getting
EMSGSIZE when writing to the password socket), part of the test code
is supposed to find a message size which definitely does trigger
EMSGSIZE when send()ing to a socket. Without a "break" in the proper
place, however, the size given is always exactly 1024 bytes too large.
This is very probably not a problem, since a too large message will
still be too large if it is increased by 1024 bytes, and send(2) in
practice checks the size before reading the buffer. The biggest issue
would be if some version of send(2) would try to look at the last 1024
bytes of the message buffer before checking the message size; this
would then lead to a buffer over-read when running this test function.
(But even then there would be no security implications since the tests
are not run in the normal operation of the program.)
* dracut-module/password-agent.c
(test_send_password_to_socket_EMSGSIZE): Break out early when ssret
< 0 and errno == EMSGSIZE; don't allow loop to increase message_size
again.
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
81
import random
82
import shlex
82
83
83
84
import dbus
84
85
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
86
import gi
87
from gi.repository import GLib
90
88
from dbus.mainloop.glib import DBusGMainLoop
91
89
import ctypes
92
90
import ctypes.util
93
91
import xml.dom.minidom
94
92
import inspect
95
93
96
try:
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
97
122
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
123
except AttributeError:
99
124
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
100
127
from IN import SO_BINDTODEVICE
101
128
except ImportError:
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.6.9"
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.13"
108
147
stored_state_file = "clients.pickle"
109
148
110
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
111
151
syslogger = None
112
152
113
153
try:
114
154
if_nametoindex = ctypes.cdll.LoadLibrary(
115
155
ctypes.util.find_library("c")).if_nametoindex
116
156
except (OSError, AttributeError):
117
157
118
158
def if_nametoindex(interface):
119
159
"Get an interface index the hard way, i.e. using fcntl()"
120
160
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
165
return interface_index
126
166
127
167
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
128
184
def initlogger(debug, level=logging.WARNING):
129
185
"""init logger and add loglevel"""
130
186
131
187
global syslogger
132
188
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
135
191
syslogger.setFormatter(logging.Formatter
136
192
('Mandos [%(process)d]: %(levelname)s:'
137
193
' %(message)s'))
138
194
logger.addHandler(syslogger)
139
195
140
196
if debug:
141
197
console = logging.StreamHandler()
142
198
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
208
pass
153
209
154
210
155
class PGPEngine(object):
211
class PGPEngine:
156
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
213
158
214
def __init__(self):
159
215
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
160
227
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
228
'--homedir', self.tempdir,
162
229
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
166
235
def __enter__(self):
167
236
return self
168
237
169
238
def __exit__(self, exc_type, exc_value, traceback):
170
239
self._cleanup()
171
240
return False
172
241
173
242
def __del__(self):
174
243
self._cleanup()
175
244
176
245
def _cleanup(self):
177
246
if self.tempdir is not None:
178
247
# Delete contents of tempdir
179
248
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
249
topdown=False):
181
250
for filename in files:
182
251
os.remove(os.path.join(root, filename))
183
252
for dirname in dirs:
185
254
# Remove tempdir
186
255
os.rmdir(self.tempdir)
187
256
self.tempdir = None
188
257
189
258
def password_encode(self, password):
190
259
# Passphrase can not be empty and can not contain newlines or
191
260
# NUL bytes. So we prefix it and hex encode it.
196
265
.replace(b"\n", b"\\n")
197
266
.replace(b"\0", b"\\x00"))
198
267
return encoded
199
268
200
269
def encrypt(self, data, password):
201
270
passphrase = self.password_encode(password)
202
271
with tempfile.NamedTemporaryFile(
203
272
dir=self.tempdir) as passfile:
204
273
passfile.write(passphrase)
205
274
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
275
proc = subprocess.Popen([self.gpg, '--symmetric',
207
276
'--passphrase-file',
208
277
passfile.name]
209
278
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
214
283
if proc.returncode != 0:
215
284
raise PGPError(err)
216
285
return ciphertext
217
286
218
287
def decrypt(self, data, password):
219
288
passphrase = self.password_encode(password)
220
289
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
290
dir=self.tempdir) as passfile:
222
291
passfile.write(passphrase)
223
292
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
293
proc = subprocess.Popen([self.gpg, '--decrypt',
225
294
'--passphrase-file',
226
295
passfile.name]
227
296
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
232
301
if proc.returncode != 0:
233
302
raise PGPError(err)
234
303
return decrypted_plaintext
235
304
236
305
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
237
332
class AvahiError(Exception):
238
333
def __init__(self, value, *args, **kwargs):
239
334
self.value = value
249
344
pass
250
345
251
346
252
class AvahiService(object):
347
class AvahiService:
253
348
"""An Avahi (Zeroconf) service.
254
349
255
350
Attributes:
256
351
interface: integer; avahi.IF_UNSPEC or an interface index.
257
352
Used to optionally bind to the specified interface.
269
364
server: D-Bus Server
270
365
bus: dbus.SystemBus()
271
366
"""
272
367
273
368
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
284
379
self.interface = interface
285
380
self.name = name
286
381
self.type = servicetype
295
390
self.server = None
296
391
self.bus = bus
297
392
self.entry_group_state_changed_match = None
298
393
299
394
def rename(self, remove=True):
300
395
"""Derived from the Avahi example code"""
301
396
if self.rename_count >= self.max_renames:
321
416
logger.critical("D-Bus Exception", exc_info=error)
322
417
self.cleanup()
323
418
os._exit(1)
324
419
325
420
def remove(self):
326
421
"""Derived from the Avahi example code"""
327
422
if self.entry_group_state_changed_match is not None:
329
424
self.entry_group_state_changed_match = None
330
425
if self.group is not None:
331
426
self.group.Reset()
332
427
333
428
def add(self):
334
429
"""Derived from the Avahi example code"""
335
430
self.remove()
352
447
dbus.UInt16(self.port),
353
448
avahi.string_array_to_txt_array(self.TXT))
354
449
self.group.Commit()
355
450
356
451
def entry_group_state_changed(self, state, error):
357
452
"""Derived from the Avahi example code"""
358
453
logger.debug("Avahi entry group state change: %i", state)
359
454
360
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
456
logger.debug("Zeroconf service established.")
362
457
elif state == avahi.ENTRY_GROUP_COLLISION:
366
461
logger.critical("Avahi: Error in group state changed %s",
367
462
str(error))
368
463
raise AvahiGroupError("State changed: {!s}".format(error))
369
464
370
465
def cleanup(self):
371
466
"""Derived from the Avahi example code"""
372
467
if self.group is not None:
377
472
pass
378
473
self.group = None
379
474
self.remove()
380
475
381
476
def server_state_changed(self, state, error=None):
382
477
"""Derived from the Avahi example code"""
383
478
logger.debug("Avahi server state change: %i", state)
412
507
logger.debug("Unknown state: %r", state)
413
508
else:
414
509
logger.debug("Unknown state: %r: %r", state, error)
415
510
416
511
def activate(self):
417
512
"""Derived from the Avahi example code"""
418
513
if self.server is None:
429
524
class AvahiServiceToSyslog(AvahiService):
430
525
def rename(self, *args, **kwargs):
431
526
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
433
529
syslogger.setFormatter(logging.Formatter(
434
530
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
531
.format(self.name)))
436
532
return ret
437
533
534
535
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
538
539
library = ctypes.util.find_library("gnutls")
540
if library is None:
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
543
del library
544
545
# Unless otherwise indicated, the constants and types below are
546
# all from the gnutls/gnutls.h C header file.
547
548
# Constants
549
E_SUCCESS = 0
550
E_INTERRUPTED = -52
551
E_AGAIN = -28
552
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
CLIENT = 2
555
SHUT_RDWR = 0
556
CRD_CERTIFICATE = 1
557
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
565
# Types
566
class session_int(ctypes.Structure):
567
_fields_ = []
568
session_t = ctypes.POINTER(session_int)
569
570
class certificate_credentials_st(ctypes.Structure):
571
_fields_ = []
572
certificate_credentials_t = ctypes.POINTER(
573
certificate_credentials_st)
574
certificate_type_t = ctypes.c_int
575
576
class datum_t(ctypes.Structure):
577
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
578
('size', ctypes.c_uint)]
579
580
class openpgp_crt_int(ctypes.Structure):
581
_fields_ = []
582
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
586
transport_ptr_t = ctypes.c_void_p
587
close_request_t = ctypes.c_int
588
589
# Exceptions
590
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
592
# Default usage is by a message string, but if a return
593
# code is passed, convert it to a string with
594
# gnutls.strerror()
595
self.code = code
596
if message is None and code is not None:
597
message = gnutls.strerror(code)
598
return super(gnutls.Error, self).__init__(
599
message, *args)
600
601
class CertificateSecurityError(Error):
602
pass
603
604
# Classes
605
class Credentials:
606
def __init__(self):
607
self._c_object = gnutls.certificate_credentials_t()
608
gnutls.certificate_allocate_credentials(
609
ctypes.byref(self._c_object))
610
self.type = gnutls.CRD_CERTIFICATE
611
612
def __del__(self):
613
gnutls.certificate_free_credentials(self._c_object)
614
615
class ClientSession:
616
def __init__(self, socket, credentials=None):
617
self._c_object = gnutls.session_t()
618
gnutls_flags = gnutls.CLIENT
619
if gnutls.check_version(b"3.5.6"):
620
gnutls_flags |= gnutls.NO_TICKETS
621
if gnutls.has_rawpk:
622
gnutls_flags |= gnutls.ENABLE_RAWPK
623
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
624
del gnutls_flags
625
gnutls.set_default_priority(self._c_object)
626
gnutls.transport_set_ptr(self._c_object, socket.fileno())
627
gnutls.handshake_set_private_extensions(self._c_object,
628
True)
629
self.socket = socket
630
if credentials is None:
631
credentials = gnutls.Credentials()
632
gnutls.credentials_set(self._c_object, credentials.type,
633
ctypes.cast(credentials._c_object,
634
ctypes.c_void_p))
635
self.credentials = credentials
636
637
def __del__(self):
638
gnutls.deinit(self._c_object)
639
640
def handshake(self):
641
return gnutls.handshake(self._c_object)
642
643
def send(self, data):
644
data = bytes(data)
645
data_len = len(data)
646
while data_len > 0:
647
data_len -= gnutls.record_send(self._c_object,
648
data[-data_len:],
649
data_len)
650
651
def bye(self):
652
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
653
654
# Error handling functions
655
def _error_code(result):
656
"""A function to raise exceptions on errors, suitable
657
for the 'restype' attribute on ctypes functions"""
658
if result >= 0:
659
return result
660
if result == gnutls.E_NO_CERTIFICATE_FOUND:
661
raise gnutls.CertificateSecurityError(code=result)
662
raise gnutls.Error(code=result)
663
664
def _retry_on_error(result, func, arguments):
665
"""A function to retry on some errors, suitable
666
for the 'errcheck' attribute on ctypes functions"""
667
while result < 0:
668
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
669
return _error_code(result)
670
result = func(*arguments)
671
return result
672
673
# Unless otherwise indicated, the function declarations below are
674
# all from the gnutls/gnutls.h C header file.
675
676
# Functions
677
priority_set_direct = _library.gnutls_priority_set_direct
678
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
679
ctypes.POINTER(ctypes.c_char_p)]
680
priority_set_direct.restype = _error_code
681
682
init = _library.gnutls_init
683
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
684
init.restype = _error_code
685
686
set_default_priority = _library.gnutls_set_default_priority
687
set_default_priority.argtypes = [session_t]
688
set_default_priority.restype = _error_code
689
690
record_send = _library.gnutls_record_send
691
record_send.argtypes = [session_t, ctypes.c_void_p,
692
ctypes.c_size_t]
693
record_send.restype = ctypes.c_ssize_t
694
record_send.errcheck = _retry_on_error
695
696
certificate_allocate_credentials = (
697
_library.gnutls_certificate_allocate_credentials)
698
certificate_allocate_credentials.argtypes = [
699
ctypes.POINTER(certificate_credentials_t)]
700
certificate_allocate_credentials.restype = _error_code
701
702
certificate_free_credentials = (
703
_library.gnutls_certificate_free_credentials)
704
certificate_free_credentials.argtypes = [
705
certificate_credentials_t]
706
certificate_free_credentials.restype = None
707
708
handshake_set_private_extensions = (
709
_library.gnutls_handshake_set_private_extensions)
710
handshake_set_private_extensions.argtypes = [session_t,
711
ctypes.c_int]
712
handshake_set_private_extensions.restype = None
713
714
credentials_set = _library.gnutls_credentials_set
715
credentials_set.argtypes = [session_t, credentials_type_t,
716
ctypes.c_void_p]
717
credentials_set.restype = _error_code
718
719
strerror = _library.gnutls_strerror
720
strerror.argtypes = [ctypes.c_int]
721
strerror.restype = ctypes.c_char_p
722
723
certificate_type_get = _library.gnutls_certificate_type_get
724
certificate_type_get.argtypes = [session_t]
725
certificate_type_get.restype = _error_code
726
727
certificate_get_peers = _library.gnutls_certificate_get_peers
728
certificate_get_peers.argtypes = [session_t,
729
ctypes.POINTER(ctypes.c_uint)]
730
certificate_get_peers.restype = ctypes.POINTER(datum_t)
731
732
global_set_log_level = _library.gnutls_global_set_log_level
733
global_set_log_level.argtypes = [ctypes.c_int]
734
global_set_log_level.restype = None
735
736
global_set_log_function = _library.gnutls_global_set_log_function
737
global_set_log_function.argtypes = [log_func]
738
global_set_log_function.restype = None
739
740
deinit = _library.gnutls_deinit
741
deinit.argtypes = [session_t]
742
deinit.restype = None
743
744
handshake = _library.gnutls_handshake
745
handshake.argtypes = [session_t]
746
handshake.restype = _error_code
747
handshake.errcheck = _retry_on_error
748
749
transport_set_ptr = _library.gnutls_transport_set_ptr
750
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
751
transport_set_ptr.restype = None
752
753
bye = _library.gnutls_bye
754
bye.argtypes = [session_t, close_request_t]
755
bye.restype = _error_code
756
bye.errcheck = _retry_on_error
757
758
check_version = _library.gnutls_check_version
759
check_version.argtypes = [ctypes.c_char_p]
760
check_version.restype = ctypes.c_char_p
761
762
_need_version = b"3.3.0"
763
if check_version(_need_version) is None:
764
raise self.Error("Needs GnuTLS {} or later"
765
.format(_need_version))
766
767
_tls_rawpk_version = b"3.6.6"
768
has_rawpk = bool(check_version(_tls_rawpk_version))
769
770
if has_rawpk:
771
# Types
772
class pubkey_st(ctypes.Structure):
773
_fields = []
774
pubkey_t = ctypes.POINTER(pubkey_st)
775
776
x509_crt_fmt_t = ctypes.c_int
777
778
# All the function declarations below are from
779
# gnutls/abstract.h
780
pubkey_init = _library.gnutls_pubkey_init
781
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
782
pubkey_init.restype = _error_code
783
784
pubkey_import = _library.gnutls_pubkey_import
785
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
786
x509_crt_fmt_t]
787
pubkey_import.restype = _error_code
788
789
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
790
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
791
ctypes.POINTER(ctypes.c_ubyte),
792
ctypes.POINTER(ctypes.c_size_t)]
793
pubkey_get_key_id.restype = _error_code
794
795
pubkey_deinit = _library.gnutls_pubkey_deinit
796
pubkey_deinit.argtypes = [pubkey_t]
797
pubkey_deinit.restype = None
798
else:
799
# All the function declarations below are from
800
# gnutls/openpgp.h
801
802
openpgp_crt_init = _library.gnutls_openpgp_crt_init
803
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
804
openpgp_crt_init.restype = _error_code
805
806
openpgp_crt_import = _library.gnutls_openpgp_crt_import
807
openpgp_crt_import.argtypes = [openpgp_crt_t,
808
ctypes.POINTER(datum_t),
809
openpgp_crt_fmt_t]
810
openpgp_crt_import.restype = _error_code
811
812
openpgp_crt_verify_self = \
813
_library.gnutls_openpgp_crt_verify_self
814
openpgp_crt_verify_self.argtypes = [
815
openpgp_crt_t,
816
ctypes.c_uint,
817
ctypes.POINTER(ctypes.c_uint),
818
]
819
openpgp_crt_verify_self.restype = _error_code
820
821
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
822
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
823
openpgp_crt_deinit.restype = None
824
825
openpgp_crt_get_fingerprint = (
826
_library.gnutls_openpgp_crt_get_fingerprint)
827
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
828
ctypes.c_void_p,
829
ctypes.POINTER(
830
ctypes.c_size_t)]
831
openpgp_crt_get_fingerprint.restype = _error_code
832
833
if check_version(b"3.6.4"):
834
certificate_type_get2 = _library.gnutls_certificate_type_get2
835
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
836
certificate_type_get2.restype = _error_code
837
838
# Remove non-public functions
839
del _error_code, _retry_on_error
840
841
438
842
def call_pipe(connection, # : multiprocessing.Connection
439
843
func, *args, **kwargs):
440
844
"""This function is meant to be called by multiprocessing.Process
441
845
442
846
This function runs func(*args, **kwargs), and writes the resulting
443
847
return value on the provided multiprocessing.Connection.
444
848
"""
445
849
connection.send(func(*args, **kwargs))
446
850
connection.close()
447
851
448
class Client(object):
852
853
class Client:
449
854
"""A representation of a client host served by this server.
450
855
451
856
Attributes:
452
857
approved: bool(); 'None' if not yet approved/disapproved
453
858
approval_delay: datetime.timedelta(); Time to wait for approval
454
859
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
860
checker: multiprocessing.Process(); a running checker process used
861
to see if the client lives. 'None' if no process is
862
running.
863
checker_callback_tag: a GLib event source tag, or None
459
864
checker_command: string; External command which is run to check
460
865
if client lives. %() expansions are done at
461
866
runtime with vars(self) as dict, so that for
462
867
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
868
checker_initiator_tag: a GLib event source tag, or None
464
869
created: datetime.datetime(); (UTC) object creation
465
870
client_structure: Object describing what attributes a client has
466
871
and is used for storing the client at exit
467
872
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
873
disable_initiator_tag: a GLib event source tag, or None
469
874
enabled: bool()
470
875
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
876
uniquely identify an OpenPGP client
877
key_id: string (64 hexadecimal digits); used to uniquely identify
878
a client using raw public keys
472
879
host: string; available for use by the checker command
473
880
interval: datetime.timedelta(); How often to start a new checker
474
881
last_approval_request: datetime.datetime(); (UTC) or None
490
897
disabled, or None
491
898
server_settings: The server_settings dict from main()
492
899
"""
493
900
494
901
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
902
"created", "enabled", "expires", "key_id",
496
903
"fingerprint", "host", "interval",
497
904
"last_approval_request", "last_checked_ok",
498
905
"last_enabled", "name", "timeout")
507
914
"approved_by_default": "True",
508
915
"enabled": "True",
509
916
}
510
917
511
918
@staticmethod
512
919
def config_parser(config):
513
920
"""Construct a new dict of client settings of this form:
520
927
for client_name in config.sections():
521
928
section = dict(config.items(client_name))
522
929
client = settings[client_name] = {}
523
930
524
931
client["host"] = section["host"]
525
932
# Reformat values from string types to Python types
526
933
client["approved_by_default"] = config.getboolean(
527
934
client_name, "approved_by_default")
528
935
client["enabled"] = config.getboolean(client_name,
529
936
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
937
938
# Uppercase and remove spaces from key_id and fingerprint
939
# for later comparison purposes with return value from the
940
# key_id() and fingerprint() functions
941
client["key_id"] = (section.get("key_id", "").upper()
942
.replace(" ", ""))
534
943
client["fingerprint"] = (section["fingerprint"].upper()
535
944
.replace(" ", ""))
536
945
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
946
client["secret"] = codecs.decode(section["secret"]
947
.encode("utf-8"),
948
"base64")
538
949
elif "secfile" in section:
539
950
with open(os.path.expanduser(os.path.expandvars
540
951
(section["secfile"])),
555
966
client["last_approval_request"] = None
556
967
client["last_checked_ok"] = None
557
968
client["last_checker_status"] = -2
558
969
559
970
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
971
972
def __init__(self, settings, name=None, server_settings=None):
562
973
self.name = name
563
974
if server_settings is None:
564
975
server_settings = {}
566
977
# adding all client settings
567
978
for setting, value in settings.items():
568
979
setattr(self, setting, value)
569
980
570
981
if self.enabled:
571
982
if not hasattr(self, "last_enabled"):
572
983
self.last_enabled = datetime.datetime.utcnow()
576
987
else:
577
988
self.last_enabled = None
578
989
self.expires = None
579
990
580
991
logger.debug("Creating client %r", self.name)
992
logger.debug(" Key ID: %s", self.key_id)
581
993
logger.debug(" Fingerprint: %s", self.fingerprint)
582
994
self.created = settings.get("created",
583
995
datetime.datetime.utcnow())
584
996
585
997
# attributes specific for this server instance
586
998
self.checker = None
587
999
self.checker_initiator_tag = None
593
1005
self.changedstate = multiprocessing_manager.Condition(
594
1006
multiprocessing_manager.Lock())
595
1007
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
1008
for attr in self.__dict__.keys()
597
1009
if not attr.startswith("_")]
598
1010
self.client_structure.append("client_structure")
599
1011
600
1012
for name, t in inspect.getmembers(
601
1013
type(self), lambda obj: isinstance(obj, property)):
602
1014
if not name.startswith("_"):
603
1015
self.client_structure.append(name)
604
1016
605
1017
# Send notice to process children that client state has changed
606
1018
def send_changedstate(self):
607
1019
with self.changedstate:
608
1020
self.changedstate.notify_all()
609
1021
610
1022
def enable(self):
611
1023
"""Start this client's checker and timeout hooks"""
612
1024
if getattr(self, "enabled", False):
617
1029
self.last_enabled = datetime.datetime.utcnow()
618
1030
self.init_checker()
619
1031
self.send_changedstate()
620
1032
621
1033
def disable(self, quiet=True):
622
1034
"""Disable this client."""
623
1035
if not getattr(self, "enabled", False):
625
1037
if not quiet:
626
1038
logger.info("Disabling client %s", self.name)
627
1039
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1040
GLib.source_remove(self.disable_initiator_tag)
629
1041
self.disable_initiator_tag = None
630
1042
self.expires = None
631
1043
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1044
GLib.source_remove(self.checker_initiator_tag)
633
1045
self.checker_initiator_tag = None
634
1046
self.stop_checker()
635
1047
self.enabled = False
636
1048
if not quiet:
637
1049
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1050
# Do not run this again if called by a GLib.timeout_add
639
1051
return False
640
1052
641
1053
def __del__(self):
642
1054
self.disable()
643
1055
644
1056
def init_checker(self):
645
1057
# Schedule a new checker to be started an 'interval' from now,
646
1058
# and every interval from then on.
647
1059
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1060
GLib.source_remove(self.checker_initiator_tag)
1061
self.checker_initiator_tag = GLib.timeout_add(
1062
random.randrange(int(self.interval.total_seconds() * 1000
1063
+ 1)),
651
1064
self.start_checker)
652
1065
# Schedule a disable() when 'timeout' has passed
653
1066
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1067
GLib.source_remove(self.disable_initiator_tag)
1068
self.disable_initiator_tag = GLib.timeout_add(
656
1069
int(self.timeout.total_seconds() * 1000), self.disable)
657
1070
# Also start a new checker *right now*.
658
1071
self.start_checker()
659
1072
660
1073
def checker_callback(self, source, condition, connection,
661
1074
command):
662
1075
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1076
# Read return code from connection (see call_pipe)
666
1077
returncode = connection.recv()
667
1078
connection.close()
668
1079
if self.checker is not None:
1080
self.checker.join()
1081
self.checker_callback_tag = None
1082
self.checker = None
1083
669
1084
if returncode >= 0:
670
1085
self.last_checker_status = returncode
671
1086
self.last_checker_signal = None
681
1096
logger.warning("Checker for %(name)s crashed?",
682
1097
vars(self))
683
1098
return False
684
1099
685
1100
def checked_ok(self):
686
1101
"""Assert that the client has been seen, alive and well."""
687
1102
self.last_checked_ok = datetime.datetime.utcnow()
688
1103
self.last_checker_status = 0
689
1104
self.last_checker_signal = None
690
1105
self.bump_timeout()
691
1106
692
1107
def bump_timeout(self, timeout=None):
693
1108
"""Bump up the timeout for this client."""
694
1109
if timeout is None:
695
1110
timeout = self.timeout
696
1111
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1112
GLib.source_remove(self.disable_initiator_tag)
698
1113
self.disable_initiator_tag = None
699
1114
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1115
self.disable_initiator_tag = GLib.timeout_add(
701
1116
int(timeout.total_seconds() * 1000), self.disable)
702
1117
self.expires = datetime.datetime.utcnow() + timeout
703
1118
704
1119
def need_approval(self):
705
1120
self.last_approval_request = datetime.datetime.utcnow()
706
1121
707
1122
def start_checker(self):
708
1123
"""Start a new checker subprocess if one is not running.
709
1124
710
1125
If a checker already exists, leave it running and do
711
1126
nothing."""
712
1127
# The reason for not killing a running checker is that if we
717
1132
# checkers alone, the checker would have to take more time
718
1133
# than 'timeout' for the client to be disabled, which is as it
719
1134
# should be.
720
1135
721
1136
if self.checker is not None and not self.checker.is_alive():
722
1137
logger.warning("Checker was not alive; joining")
723
1138
self.checker.join()
726
1141
if self.checker is None:
727
1142
# Escape attributes for the shell
728
1143
escaped_attrs = {
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1144
attr: shlex.quote(str(getattr(self, attr)))
1145
for attr in self.runtime_expansions}
731
1146
try:
732
1147
command = self.checker_command % escaped_attrs
733
1148
except TypeError as error:
745
1160
# The exception is when not debugging but nevertheless
746
1161
# running in the foreground; use the previously
747
1162
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1163
popen_args = {"close_fds": True,
1164
"shell": True,
1165
"cwd": "/"}
751
1166
if (not self.server_settings["debug"]
752
1167
and self.server_settings["foreground"]):
753
1168
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1169
"stderr": wnull})
1170
pipe = multiprocessing.Pipe(duplex=False)
756
1171
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1172
target=call_pipe,
1173
args=(pipe[1], subprocess.call, command),
1174
kwargs=popen_args)
760
1175
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1176
self.checker_callback_tag = GLib.io_add_watch(
1177
GLib.IOChannel.unix_new(pipe[0].fileno()),
1178
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
763
1179
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1180
# Re-run this periodically if run by GLib.timeout_add
765
1181
return True
766
1182
767
1183
def stop_checker(self):
768
1184
"""Force the checker process, if any, to stop."""
769
1185
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1186
GLib.source_remove(self.checker_callback_tag)
771
1187
self.checker_callback_tag = None
772
1188
if getattr(self, "checker", None) is None:
773
1189
return
782
1198
byte_arrays=False):
783
1199
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1200
become properties on the D-Bus.
785
1201
786
1202
The decorated method will be called with no arguments by "Get"
787
1203
and with one argument by "Set".
788
1204
789
1205
The parameters, where they are supported, are the same as
790
1206
dbus.service.method, except there is only "signature", since the
791
1207
type from Get() and the type sent to Set() is the same.
795
1211
if byte_arrays and signature != "ay":
796
1212
raise ValueError("Byte arrays not supported for non-'ay'"
797
1213
" signature {!r}".format(signature))
798
1214
799
1215
def decorator(func):
800
1216
func._dbus_is_property = True
801
1217
func._dbus_interface = dbus_interface
804
1220
func._dbus_name = func.__name__
805
1221
if func._dbus_name.endswith("_dbus_property"):
806
1222
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1223
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1224
return func
809
1225
810
1226
return decorator
811
1227
812
1228
813
1229
def dbus_interface_annotations(dbus_interface):
814
1230
"""Decorator for marking functions returning interface annotations
815
1231
816
1232
Usage:
817
1233
818
1234
@dbus_interface_annotations("org.example.Interface")
819
1235
def _foo(self): # Function name does not matter
820
1236
return {"org.freedesktop.DBus.Deprecated": "true",
821
1237
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1238
"false"}
823
1239
"""
824
1240
825
1241
def decorator(func):
826
1242
func._dbus_is_interface = True
827
1243
func._dbus_interface = dbus_interface
828
1244
func._dbus_name = dbus_interface
829
1245
return func
830
1246
831
1247
return decorator
832
1248
833
1249
834
1250
def dbus_annotations(annotations):
835
1251
"""Decorator to annotate D-Bus methods, signals or properties
836
1252
Usage:
837
1253
838
1254
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1255
"org.freedesktop.DBus.Property."
840
1256
"EmitsChangedSignal": "false"})
842
1258
access="r")
843
1259
def Property_dbus_property(self):
844
1260
return dbus.Boolean(False)
845
1261
846
1262
See also the DBusObjectWithAnnotations class.
847
1263
"""
848
1264
849
1265
def decorator(func):
850
1266
func._dbus_annotations = annotations
851
1267
return func
852
1268
853
1269
return decorator
854
1270
855
1271
873
1289
874
1290
class DBusObjectWithAnnotations(dbus.service.Object):
875
1291
"""A D-Bus object with annotations.
876
1292
877
1293
Classes inheriting from this can use the dbus_annotations
878
1294
decorator to add annotations to methods or signals.
879
1295
"""
880
1296
881
1297
@staticmethod
882
1298
def _is_dbus_thing(thing):
883
1299
"""Returns a function testing if an attribute is a D-Bus thing
884
1300
885
1301
If called like _is_dbus_thing("method") it returns a function
886
1302
suitable for use as predicate to inspect.getmembers().
887
1303
"""
888
1304
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1305
False)
890
1306
891
1307
def _get_all_dbus_things(self, thing):
892
1308
"""Returns a generator of (name, attribute) pairs
893
1309
"""
896
1312
for cls in self.__class__.__mro__
897
1313
for name, athing in
898
1314
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1315
900
1316
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1317
out_signature="s",
1318
path_keyword='object_path',
1319
connection_keyword='connection')
904
1320
def Introspect(self, object_path, connection):
905
1321
"""Overloading of standard D-Bus method.
906
1322
907
1323
Inserts annotation tags on methods and signals.
908
1324
"""
909
1325
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1326
connection)
911
1327
try:
912
1328
document = xml.dom.minidom.parseString(xmlstring)
913
1329
914
1330
for if_tag in document.getElementsByTagName("interface"):
915
1331
# Add annotation tags
916
1332
for typ in ("method", "signal"):
943
1359
if_tag.appendChild(ann_tag)
944
1360
# Fix argument name for the Introspect method itself
945
1361
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1362
== dbus.INTROSPECTABLE_IFACE):
947
1363
for cn in if_tag.getElementsByTagName("method"):
948
1364
if cn.getAttribute("name") == "Introspect":
949
1365
for arg in cn.getElementsByTagName("arg"):
962
1378
963
1379
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1380
"""A D-Bus object with properties.
965
1381
966
1382
Classes inheriting from this can use the dbus_service_property
967
1383
decorator to expose methods as D-Bus properties. It exposes the
968
1384
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1385
"""
970
1386
971
1387
def _get_dbus_property(self, interface_name, property_name):
972
1388
"""Returns a bound method if one exists which is a D-Bus
973
1389
property with the specified name and interface.
978
1394
if (value._dbus_name == property_name
979
1395
and value._dbus_interface == interface_name):
980
1396
return value.__get__(self)
981
1397
982
1398
# No such property
983
1399
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1400
self.dbus_object_path, interface_name, property_name))
985
1401
986
1402
@classmethod
987
1403
def _get_all_interface_names(cls):
988
1404
"""Get a sequence of all interfaces supported by an object"""
991
1407
for x in (inspect.getmro(cls))
992
1408
for attr in dir(x))
993
1409
if name is not None)
994
1410
995
1411
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1412
in_signature="ss",
997
1413
out_signature="v")
1005
1421
if not hasattr(value, "variant_level"):
1006
1422
return value
1007
1423
return type(value)(value, variant_level=value.variant_level+1)
1008
1424
1009
1425
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1426
def Set(self, interface_name, property_name, value):
1011
1427
"""Standard D-Bus property Set() method, see D-Bus standard.
1020
1436
raise ValueError("Byte arrays not supported for non-"
1021
1437
"'ay' signature {!r}"
1022
1438
.format(prop._dbus_signature))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1439
value = dbus.ByteArray(bytes(value))
1025
1440
prop(value)
1026
1441
1027
1442
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1443
in_signature="s",
1029
1444
out_signature="a{sv}")
1030
1445
def GetAll(self, interface_name):
1031
1446
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1447
standard.
1033
1448
1034
1449
Note: Will not include properties with access="write".
1035
1450
"""
1036
1451
properties = {}
1047
1462
properties[name] = value
1048
1463
continue
1049
1464
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1465
value, variant_level=value.variant_level + 1)
1051
1466
return dbus.Dictionary(properties, signature="sv")
1052
1467
1053
1468
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1469
def PropertiesChanged(self, interface_name, changed_properties,
1055
1470
invalidated_properties):
1057
1472
standard.
1058
1473
"""
1059
1474
pass
1060
1475
1061
1476
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1477
out_signature="s",
1063
1478
path_keyword='object_path',
1064
1479
connection_keyword='connection')
1065
1480
def Introspect(self, object_path, connection):
1066
1481
"""Overloading of standard D-Bus method.
1067
1482
1068
1483
Inserts property tags and interface annotation tags.
1069
1484
"""
1070
1485
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1487
connection)
1073
1488
try:
1074
1489
document = xml.dom.minidom.parseString(xmlstring)
1075
1490
1076
1491
def make_tag(document, name, prop):
1077
1492
e = document.createElement("property")
1078
1493
e.setAttribute("name", name)
1079
1494
e.setAttribute("type", prop._dbus_signature)
1080
1495
e.setAttribute("access", prop._dbus_access)
1081
1496
return e
1082
1497
1083
1498
for if_tag in document.getElementsByTagName("interface"):
1084
1499
# Add property tags
1085
1500
for tag in (make_tag(document, name, prop)
1127
1542
exc_info=error)
1128
1543
return xmlstring
1129
1544
1545
1130
1546
try:
1131
1547
dbus.OBJECT_MANAGER_IFACE
1132
1548
except AttributeError:
1133
1549
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1550
1551
1135
1552
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1553
"""A D-Bus object with an ObjectManager.
1137
1554
1138
1555
Classes inheriting from this exposes the standard
1139
1556
GetManagedObjects call and the InterfacesAdded and
1140
1557
InterfacesRemoved signals on the standard
1141
1558
"org.freedesktop.DBus.ObjectManager" interface.
1142
1559
1143
1560
Note: No signals are sent automatically; they must be sent
1144
1561
manually.
1145
1562
"""
1146
1563
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1564
out_signature="a{oa{sa{sv}}}")
1148
1565
def GetManagedObjects(self):
1149
1566
"""This function must be overridden"""
1150
1567
raise NotImplementedError()
1151
1568
1152
1569
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1570
signature="oa{sa{sv}}")
1154
1571
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1572
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1573
1574
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1575
def InterfacesRemoved(self, object_path, interfaces):
1159
1576
pass
1160
1577
1161
1578
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1579
out_signature="s",
1580
path_keyword='object_path',
1581
connection_keyword='connection')
1165
1582
def Introspect(self, object_path, connection):
1166
1583
"""Overloading of standard D-Bus method.
1167
1584
1168
1585
Override return argument name of GetManagedObjects to be
1169
1586
"objpath_interfaces_and_properties"
1170
1587
"""
1173
1590
connection)
1174
1591
try:
1175
1592
document = xml.dom.minidom.parseString(xmlstring)
1176
1593
1177
1594
for if_tag in document.getElementsByTagName("interface"):
1178
1595
# Fix argument name for the GetManagedObjects method
1179
1596
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1597
== dbus.OBJECT_MANAGER_IFACE):
1181
1598
for cn in if_tag.getElementsByTagName("method"):
1182
1599
if (cn.getAttribute("name")
1183
1600
== "GetManagedObjects"):
1193
1610
except (AttributeError, xml.dom.DOMException,
1194
1611
xml.parsers.expat.ExpatError) as error:
1195
1612
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1613
exc_info=error)
1197
1614
return xmlstring
1198
1615
1616
1199
1617
def datetime_to_dbus(dt, variant_level=0):
1200
1618
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1619
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1620
return dbus.String("", variant_level=variant_level)
1203
1621
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1622
1205
1623
1208
1626
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1627
interface names according to the "alt_interface_names" mapping.
1210
1628
Usage:
1211
1629
1212
1630
@alternate_dbus_interfaces({"org.example.Interface":
1213
1631
"net.example.AlternateInterface"})
1214
1632
class SampleDBusObject(dbus.service.Object):
1215
1633
@dbus.service.method("org.example.Interface")
1216
1634
def SampleDBusMethod():
1217
1635
pass
1218
1636
1219
1637
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1638
reachable via two interfaces: "org.example.Interface" and
1221
1639
"net.example.AlternateInterface", the latter of which will have
1222
1640
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1641
"true", unless "deprecate" is passed with a False value.
1224
1642
1225
1643
This works for methods and signals, and also for D-Bus properties
1226
1644
(from DBusObjectWithProperties) and interfaces (from the
1227
1645
dbus_interface_annotations decorator).
1228
1646
"""
1229
1647
1230
1648
def wrapper(cls):
1231
1649
for orig_interface_name, alt_interface_name in (
1232
1650
alt_interface_names.items()):
1247
1665
interface_names.add(alt_interface)
1248
1666
# Is this a D-Bus signal?
1249
1667
if getattr(attribute, "_dbus_is_signal", False):
1668
# Extract the original non-method undecorated
1669
# function by black magic
1250
1670
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1671
nonmethod_func = (dict(
1254
1672
zip(attribute.func_code.co_freevars,
1255
1673
attribute.__closure__))
1256
1674
["func"].cell_contents)
1257
1675
else:
1258
nonmethod_func = attribute
1676
nonmethod_func = (dict(
1677
zip(attribute.__code__.co_freevars,
1678
attribute.__closure__))
1679
["func"].cell_contents)
1259
1680
# Create a new, but exactly alike, function
1260
1681
# object, and decorate it to be a new D-Bus signal
1261
1682
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1683
new_function = copy_function(nonmethod_func)
1276
1684
new_function = (dbus.service.signal(
1277
1685
alt_interface,
1278
1686
attribute._dbus_signature)(new_function))
1282
1690
attribute._dbus_annotations)
1283
1691
except AttributeError:
1284
1692
pass
1693
1285
1694
# Define a creator of a function to call both the
1286
1695
# original and alternate functions, so both the
1287
1696
# original and alternate signals gets sent when
1290
1699
"""This function is a scope container to pass
1291
1700
func1 and func2 to the "call_both" function
1292
1701
outside of its arguments"""
1293
1702
1294
1703
@functools.wraps(func2)
1295
1704
def call_both(*args, **kwargs):
1296
1705
"""This function will emit two D-Bus
1297
1706
signals by calling func1 and func2"""
1298
1707
func1(*args, **kwargs)
1299
1708
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1709
# Make wrapper function look like a D-Bus
1710
# signal
1301
1711
for name, attr in inspect.getmembers(func2):
1302
1712
if name.startswith("_dbus_"):
1303
1713
setattr(call_both, name, attr)
1304
1714
1305
1715
return call_both
1306
1716
# Create the "call_both" function and add it to
1307
1717
# the class
1317
1727
alt_interface,
1318
1728
attribute._dbus_in_signature,
1319
1729
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1730
(copy_function(attribute)))
1325
1731
# Copy annotations, if any
1326
1732
try:
1327
1733
attr[attrname]._dbus_annotations = dict(
1339
1745
attribute._dbus_access,
1340
1746
attribute._dbus_get_args_options
1341
1747
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1748
(copy_function(attribute)))
1348
1749
# Copy annotations, if any
1349
1750
try:
1350
1751
attr[attrname]._dbus_annotations = dict(
1359
1760
# to the class.
1360
1761
attr[attrname] = (
1361
1762
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1763
(copy_function(attribute)))
1367
1764
if deprecate:
1368
1765
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1766
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1767
for interface_name in interface_names:
1371
1768
1372
1769
@dbus_interface_annotations(interface_name)
1373
1770
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1771
return {"org.freedesktop.DBus.Deprecated":
1772
"true"}
1376
1773
# Find an unused name
1377
1774
for aname in (iname.format(i)
1378
1775
for i in itertools.count()):
1382
1779
if interface_names:
1383
1780
# Replace the class with a new subclass of it with
1384
1781
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1782
if sys.version_info.major == 2:
1783
cls = type(b"{}Alternate".format(cls.__name__),
1784
(cls, ), attr)
1785
else:
1786
cls = type("{}Alternate".format(cls.__name__),
1787
(cls, ), attr)
1387
1788
return cls
1388
1789
1389
1790
return wrapper
1390
1791
1391
1792
1393
1794
"se.bsnet.fukt.Mandos"})
1394
1795
class ClientDBus(Client, DBusObjectWithProperties):
1395
1796
"""A Client class using D-Bus
1396
1797
1397
1798
Attributes:
1398
1799
dbus_object_path: dbus.ObjectPath
1399
1800
bus: dbus.SystemBus()
1400
1801
"""
1401
1802
1402
1803
runtime_expansions = (Client.runtime_expansions
1403
1804
+ ("dbus_object_path", ))
1404
1805
1405
1806
_interface = "se.recompile.Mandos.Client"
1406
1807
1407
1808
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1809
1810
def __init__(self, bus=None, *args, **kwargs):
1410
1811
self.bus = bus
1411
1812
Client.__init__(self, *args, **kwargs)
1412
1813
# Only now, when this client is initialized, can it show up on
1418
1819
"/clients/" + client_object_name)
1419
1820
DBusObjectWithProperties.__init__(self, self.bus,
1420
1821
self.dbus_object_path)
1421
1822
1422
1823
def notifychangeproperty(transform_func, dbus_name,
1423
1824
type_func=lambda x: x,
1424
1825
variant_level=1,
1426
1827
_interface=_interface):
1427
1828
""" Modify a variable so that it's a property which announces
1428
1829
its changes to DBus.
1429
1830
1430
1831
transform_fun: Function that takes a value and a variant_level
1431
1832
and transforms it to a D-Bus type.
1432
1833
dbus_name: D-Bus name of the variable
1435
1836
variant_level: D-Bus variant level. Default: 1
1436
1837
"""
1437
1838
attrname = "_{}".format(dbus_name)
1438
1839
1439
1840
def setter(self, value):
1440
1841
if hasattr(self, "dbus_object_path"):
1441
1842
if (not hasattr(self, attrname) or
1448
1849
else:
1449
1850
dbus_value = transform_func(
1450
1851
type_func(value),
1451
variant_level = variant_level)
1852
variant_level=variant_level)
1452
1853
self.PropertyChanged(dbus.String(dbus_name),
1453
1854
dbus_value)
1454
1855
self.PropertiesChanged(
1455
1856
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1857
dbus.Dictionary({dbus.String(dbus_name):
1858
dbus_value}),
1458
1859
dbus.Array())
1459
1860
setattr(self, attrname, value)
1460
1861
1461
1862
return property(lambda self: getattr(self, attrname), setter)
1462
1863
1463
1864
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1865
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1866
"ApprovalPending",
1466
type_func = bool)
1867
type_func=bool)
1467
1868
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1869
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1870
"LastEnabled")
1470
1871
checker = notifychangeproperty(
1471
1872
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1873
type_func=lambda checker: checker is not None)
1473
1874
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1875
"LastCheckedOK")
1475
1876
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1881
"ApprovedByDefault")
1481
1882
approval_delay = notifychangeproperty(
1482
1883
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1884
type_func=lambda td: td.total_seconds() * 1000)
1484
1885
approval_duration = notifychangeproperty(
1485
1886
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1887
type_func=lambda td: td.total_seconds() * 1000)
1487
1888
host = notifychangeproperty(dbus.String, "Host")
1488
1889
timeout = notifychangeproperty(
1489
1890
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1891
type_func=lambda td: td.total_seconds() * 1000)
1491
1892
extended_timeout = notifychangeproperty(
1492
1893
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1894
type_func=lambda td: td.total_seconds() * 1000)
1494
1895
interval = notifychangeproperty(
1495
1896
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1897
type_func=lambda td: td.total_seconds() * 1000)
1497
1898
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1899
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1900
invalidate_only=True)
1500
1901
1501
1902
del notifychangeproperty
1502
1903
1503
1904
def __del__(self, *args, **kwargs):
1504
1905
try:
1505
1906
self.remove_from_connection()
1508
1909
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1910
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1911
Client.__del__(self, *args, **kwargs)
1511
1912
1512
1913
def checker_callback(self, source, condition,
1513
1914
connection, command, *args, **kwargs):
1514
1915
ret = Client.checker_callback(self, source, condition,
1530
1931
| self.last_checker_signal),
1531
1932
dbus.String(command))
1532
1933
return ret
1533
1934
1534
1935
def start_checker(self, *args, **kwargs):
1535
1936
old_checker_pid = getattr(self.checker, "pid", None)
1536
1937
r = Client.start_checker(self, *args, **kwargs)
1540
1941
# Emit D-Bus signal
1541
1942
self.CheckerStarted(self.current_checker_command)
1542
1943
return r
1543
1944
1544
1945
def _reset_approved(self):
1545
1946
self.approved = None
1546
1947
return False
1547
1948
1548
1949
def approve(self, value=True):
1549
1950
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1951
GLib.timeout_add(int(self.approval_duration.total_seconds()
1952
* 1000), self._reset_approved)
1552
1953
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1954
1955
# D-Bus methods, signals & properties
1956
1957
# Interfaces
1958
1959
# Signals
1960
1560
1961
# CheckerCompleted - signal
1561
1962
@dbus.service.signal(_interface, signature="nxs")
1562
1963
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1964
"D-Bus signal"
1564
1965
pass
1565
1966
1566
1967
# CheckerStarted - signal
1567
1968
@dbus.service.signal(_interface, signature="s")
1568
1969
def CheckerStarted(self, command):
1569
1970
"D-Bus signal"
1570
1971
pass
1571
1972
1572
1973
# PropertyChanged - signal
1573
1974
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1975
@dbus.service.signal(_interface, signature="sv")
1575
1976
def PropertyChanged(self, property, value):
1576
1977
"D-Bus signal"
1577
1978
pass
1578
1979
1579
1980
# GotSecret - signal
1580
1981
@dbus.service.signal(_interface)
1581
1982
def GotSecret(self):
1584
1985
server to mandos-client
1585
1986
"""
1586
1987
pass
1587
1988
1588
1989
# Rejected - signal
1589
1990
@dbus.service.signal(_interface, signature="s")
1590
1991
def Rejected(self, reason):
1591
1992
"D-Bus signal"
1592
1993
pass
1593
1994
1594
1995
# NeedApproval - signal
1595
1996
@dbus.service.signal(_interface, signature="tb")
1596
1997
def NeedApproval(self, timeout, default):
1597
1998
"D-Bus signal"
1598
1999
return self.need_approval()
1599
1600
## Methods
1601
2000
2001
# Methods
2002
1602
2003
# Approve - method
1603
2004
@dbus.service.method(_interface, in_signature="b")
1604
2005
def Approve(self, value):
1605
2006
self.approve(value)
1606
2007
1607
2008
# CheckedOK - method
1608
2009
@dbus.service.method(_interface)
1609
2010
def CheckedOK(self):
1610
2011
self.checked_ok()
1611
2012
1612
2013
# Enable - method
1613
2014
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
2015
@dbus.service.method(_interface)
1615
2016
def Enable(self):
1616
2017
"D-Bus method"
1617
2018
self.enable()
1618
2019
1619
2020
# StartChecker - method
1620
2021
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
2022
@dbus.service.method(_interface)
1622
2023
def StartChecker(self):
1623
2024
"D-Bus method"
1624
2025
self.start_checker()
1625
2026
1626
2027
# Disable - method
1627
2028
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
2029
@dbus.service.method(_interface)
1629
2030
def Disable(self):
1630
2031
"D-Bus method"
1631
2032
self.disable()
1632
2033
1633
2034
# StopChecker - method
1634
2035
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2036
@dbus.service.method(_interface)
1636
2037
def StopChecker(self):
1637
2038
self.stop_checker()
1638
1639
## Properties
1640
2039
2040
# Properties
2041
1641
2042
# ApprovalPending - property
1642
2043
@dbus_service_property(_interface, signature="b", access="read")
1643
2044
def ApprovalPending_dbus_property(self):
1644
2045
return dbus.Boolean(bool(self.approvals_pending))
1645
2046
1646
2047
# ApprovedByDefault - property
1647
2048
@dbus_service_property(_interface,
1648
2049
signature="b",
1651
2052
if value is None: # get
1652
2053
return dbus.Boolean(self.approved_by_default)
1653
2054
self.approved_by_default = bool(value)
1654
2055
1655
2056
# ApprovalDelay - property
1656
2057
@dbus_service_property(_interface,
1657
2058
signature="t",
1661
2062
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2063
* 1000)
1663
2064
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2065
1665
2066
# ApprovalDuration - property
1666
2067
@dbus_service_property(_interface,
1667
2068
signature="t",
1671
2072
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2073
* 1000)
1673
2074
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2075
1675
2076
# Name - property
1676
2077
@dbus_annotations(
1677
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2079
@dbus_service_property(_interface, signature="s", access="read")
1679
2080
def Name_dbus_property(self):
1680
2081
return dbus.String(self.name)
1681
2082
2083
# KeyID - property
2084
@dbus_annotations(
2085
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
@dbus_service_property(_interface, signature="s", access="read")
2087
def KeyID_dbus_property(self):
2088
return dbus.String(self.key_id)
2089
1682
2090
# Fingerprint - property
1683
2091
@dbus_annotations(
1684
2092
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2093
@dbus_service_property(_interface, signature="s", access="read")
1686
2094
def Fingerprint_dbus_property(self):
1687
2095
return dbus.String(self.fingerprint)
1688
2096
1689
2097
# Host - property
1690
2098
@dbus_service_property(_interface,
1691
2099
signature="s",
1694
2102
if value is None: # get
1695
2103
return dbus.String(self.host)
1696
2104
self.host = str(value)
1697
2105
1698
2106
# Created - property
1699
2107
@dbus_annotations(
1700
2108
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2109
@dbus_service_property(_interface, signature="s", access="read")
1702
2110
def Created_dbus_property(self):
1703
2111
return datetime_to_dbus(self.created)
1704
2112
1705
2113
# LastEnabled - property
1706
2114
@dbus_service_property(_interface, signature="s", access="read")
1707
2115
def LastEnabled_dbus_property(self):
1708
2116
return datetime_to_dbus(self.last_enabled)
1709
2117
1710
2118
# Enabled - property
1711
2119
@dbus_service_property(_interface,
1712
2120
signature="b",
1718
2126
self.enable()
1719
2127
else:
1720
2128
self.disable()
1721
2129
1722
2130
# LastCheckedOK - property
1723
2131
@dbus_service_property(_interface,
1724
2132
signature="s",
1728
2136
self.checked_ok()
1729
2137
return
1730
2138
return datetime_to_dbus(self.last_checked_ok)
1731
2139
1732
2140
# LastCheckerStatus - property
1733
2141
@dbus_service_property(_interface, signature="n", access="read")
1734
2142
def LastCheckerStatus_dbus_property(self):
1735
2143
return dbus.Int16(self.last_checker_status)
1736
2144
1737
2145
# Expires - property
1738
2146
@dbus_service_property(_interface, signature="s", access="read")
1739
2147
def Expires_dbus_property(self):
1740
2148
return datetime_to_dbus(self.expires)
1741
2149
1742
2150
# LastApprovalRequest - property
1743
2151
@dbus_service_property(_interface, signature="s", access="read")
1744
2152
def LastApprovalRequest_dbus_property(self):
1745
2153
return datetime_to_dbus(self.last_approval_request)
1746
2154
1747
2155
# Timeout - property
1748
2156
@dbus_service_property(_interface,
1749
2157
signature="t",
1764
2172
if (getattr(self, "disable_initiator_tag", None)
1765
2173
is None):
1766
2174
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2175
GLib.source_remove(self.disable_initiator_tag)
2176
self.disable_initiator_tag = GLib.timeout_add(
1769
2177
int((self.expires - now).total_seconds() * 1000),
1770
2178
self.disable)
1771
2179
1772
2180
# ExtendedTimeout - property
1773
2181
@dbus_service_property(_interface,
1774
2182
signature="t",
1778
2186
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2187
* 1000)
1780
2188
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2189
1782
2190
# Interval - property
1783
2191
@dbus_service_property(_interface,
1784
2192
signature="t",
1791
2199
return
1792
2200
if self.enabled:
1793
2201
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2202
GLib.source_remove(self.checker_initiator_tag)
2203
self.checker_initiator_tag = GLib.timeout_add(
1796
2204
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2205
self.start_checker() # Start one now, too
2206
1799
2207
# Checker - property
1800
2208
@dbus_service_property(_interface,
1801
2209
signature="s",
1804
2212
if value is None: # get
1805
2213
return dbus.String(self.checker_command)
1806
2214
self.checker_command = str(value)
1807
2215
1808
2216
# CheckerRunning - property
1809
2217
@dbus_service_property(_interface,
1810
2218
signature="b",
1816
2224
self.start_checker()
1817
2225
else:
1818
2226
self.stop_checker()
1819
2227
1820
2228
# ObjectPath - property
1821
2229
@dbus_annotations(
1822
2230
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2231
"org.freedesktop.DBus.Deprecated": "true"})
1824
2232
@dbus_service_property(_interface, signature="o", access="read")
1825
2233
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2234
return self.dbus_object_path # is already a dbus.ObjectPath
2235
1828
2236
# Secret = property
1829
2237
@dbus_annotations(
1830
2238
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2243
byte_arrays=True)
1836
2244
def Secret_dbus_property(self, value):
1837
2245
self.secret = bytes(value)
1838
2246
1839
2247
del _interface
1840
2248
1841
2249
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2250
class ProxyClient:
2251
def __init__(self, child_pipe, key_id, fpr, address):
1844
2252
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2253
self._pipe.send(('init', key_id, fpr, address))
1846
2254
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2255
raise KeyError(key_id or fpr)
2256
1849
2257
def __getattribute__(self, name):
1850
2258
if name == '_pipe':
1851
2259
return super(ProxyClient, self).__getattribute__(name)
1854
2262
if data[0] == 'data':
1855
2263
return data[1]
1856
2264
if data[0] == 'function':
1857
2265
1858
2266
def func(*args, **kwargs):
1859
2267
self._pipe.send(('funcall', name, args, kwargs))
1860
2268
return self._pipe.recv()[1]
1861
2269
1862
2270
return func
1863
2271
1864
2272
def __setattr__(self, name, value):
1865
2273
if name == '_pipe':
1866
2274
return super(ProxyClient, self).__setattr__(name, value)
1869
2277
1870
2278
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2279
"""A class to handle client connections.
1872
2280
1873
2281
Instantiated once for each connection to handle it.
1874
2282
Note: This will run in its own forked process."""
1875
2283
1876
2284
def handle(self):
1877
2285
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2286
logger.info("TCP connection from: %s",
1879
2287
str(self.client_address))
1880
2288
logger.debug("Pipe FD: %d",
1881
2289
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2290
2291
session = gnutls.ClientSession(self.request)
2292
2293
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2294
# "+AES-256-CBC", "+SHA1",
2295
# "+COMP-NULL", "+CTYPE-OPENPGP",
2296
# "+DHE-DSS"))
1895
2297
# Use a fallback default, since this MUST be set.
1896
2298
priority = self.server.gnutls_priority
1897
2299
if priority is None:
1898
2300
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2301
gnutls.priority_set_direct(session._c_object,
2302
priority.encode("utf-8"),
2303
None)
2304
1902
2305
# Start communication using the Mandos protocol
1903
2306
# Get protocol number
1904
2307
line = self.request.makefile().readline()
1909
2312
except (ValueError, IndexError, RuntimeError) as error:
1910
2313
logger.error("Unknown protocol version: %s", error)
1911
2314
return
1912
2315
1913
2316
# Start GnuTLS connection
1914
2317
try:
1915
2318
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2319
except gnutls.Error as error:
1917
2320
logger.warning("Handshake failed: %s", error)
1918
2321
# Do not run session.bye() here: the session is not
1919
2322
# established. Just abandon the request.
1920
2323
return
1921
2324
logger.debug("Handshake succeeded")
1922
2325
1923
2326
approval_required = False
1924
2327
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2328
if gnutls.has_rawpk:
2329
fpr = b""
2330
try:
2331
key_id = self.key_id(
2332
self.peer_certificate(session))
2333
except (TypeError, gnutls.Error) as error:
2334
logger.warning("Bad certificate: %s", error)
2335
return
2336
logger.debug("Key ID: %s", key_id)
2337
2338
else:
2339
key_id = b""
2340
try:
2341
fpr = self.fingerprint(
2342
self.peer_certificate(session))
2343
except (TypeError, gnutls.Error) as error:
2344
logger.warning("Bad certificate: %s", error)
2345
return
2346
logger.debug("Fingerprint: %s", fpr)
2347
2348
try:
2349
client = ProxyClient(child_pipe, key_id, fpr,
1936
2350
self.client_address)
1937
2351
except KeyError:
1938
2352
return
1939
2353
1940
2354
if client.approval_delay:
1941
2355
delay = client.approval_delay
1942
2356
client.approvals_pending += 1
1943
2357
approval_required = True
1944
2358
1945
2359
while True:
1946
2360
if not client.enabled:
1947
2361
logger.info("Client %s is disabled",
1950
2364
# Emit D-Bus signal
1951
2365
client.Rejected("Disabled")
1952
2366
return
1953
2367
1954
2368
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2369
# We are approved or approval is disabled
1956
2370
break
1957
2371
elif client.approved is None:
1958
2372
logger.info("Client %s needs approval",
1969
2383
# Emit D-Bus signal
1970
2384
client.Rejected("Denied")
1971
2385
return
1972
1973
#wait until timeout or approved
2386
2387
# wait until timeout or approved
1974
2388
time = datetime.datetime.now()
1975
2389
client.changedstate.acquire()
1976
2390
client.changedstate.wait(delay.total_seconds())
1989
2403
break
1990
2404
else:
1991
2405
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2406
2407
try:
2408
session.send(client.secret)
2409
except gnutls.Error as error:
2410
logger.warning("gnutls send failed",
2411
exc_info=error)
2412
return
2413
2006
2414
logger.info("Sending secret to %s", client.name)
2007
2415
# bump the timeout using extended_timeout
2008
2416
client.bump_timeout(client.extended_timeout)
2009
2417
if self.server.use_dbus:
2010
2418
# Emit D-Bus signal
2011
2419
client.GotSecret()
2012
2420
2013
2421
finally:
2014
2422
if approval_required:
2015
2423
client.approvals_pending -= 1
2016
2424
try:
2017
2425
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2426
except gnutls.Error as error:
2019
2427
logger.warning("GnuTLS bye failed",
2020
2428
exc_info=error)
2021
2429
2022
2430
@staticmethod
2023
2431
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2432
"Return the peer's certificate as a bytestring"
2433
try:
2434
cert_type = gnutls.certificate_type_get2(session._c_object,
2435
gnutls.CTYPE_PEERS)
2436
except AttributeError:
2437
cert_type = gnutls.certificate_type_get(session._c_object)
2438
if gnutls.has_rawpk:
2439
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2440
else:
2441
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2442
# If not a valid certificate type...
2443
if cert_type not in valid_cert_types:
2444
logger.info("Cert type %r not in %r", cert_type,
2445
valid_cert_types)
2446
# ...return invalid data
2447
return b""
2031
2448
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2449
cert_list = (gnutls.certificate_get_peers
2034
2450
(session._c_object, ctypes.byref(list_size)))
2035
2451
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2452
raise gnutls.Error("error getting peer certificate")
2038
2453
if list_size.value == 0:
2039
2454
return None
2040
2455
cert = cert_list[0]
2041
2456
return ctypes.string_at(cert.data, cert.size)
2042
2457
2458
@staticmethod
2459
def key_id(certificate):
2460
"Convert a certificate bytestring to a hexdigit key ID"
2461
# New GnuTLS "datum" with the public key
2462
datum = gnutls.datum_t(
2463
ctypes.cast(ctypes.c_char_p(certificate),
2464
ctypes.POINTER(ctypes.c_ubyte)),
2465
ctypes.c_uint(len(certificate)))
2466
# XXX all these need to be created in the gnutls "module"
2467
# New empty GnuTLS certificate
2468
pubkey = gnutls.pubkey_t()
2469
gnutls.pubkey_init(ctypes.byref(pubkey))
2470
# Import the raw public key into the certificate
2471
gnutls.pubkey_import(pubkey,
2472
ctypes.byref(datum),
2473
gnutls.X509_FMT_DER)
2474
# New buffer for the key ID
2475
buf = ctypes.create_string_buffer(32)
2476
buf_len = ctypes.c_size_t(len(buf))
2477
# Get the key ID from the raw public key into the buffer
2478
gnutls.pubkey_get_key_id(
2479
pubkey,
2480
gnutls.KEYID_USE_SHA256,
2481
ctypes.cast(ctypes.byref(buf),
2482
ctypes.POINTER(ctypes.c_ubyte)),
2483
ctypes.byref(buf_len))
2484
# Deinit the certificate
2485
gnutls.pubkey_deinit(pubkey)
2486
2487
# Convert the buffer to a Python bytestring
2488
key_id = ctypes.string_at(buf, buf_len.value)
2489
# Convert the bytestring to hexadecimal notation
2490
hex_key_id = binascii.hexlify(key_id).upper()
2491
return hex_key_id
2492
2043
2493
@staticmethod
2044
2494
def fingerprint(openpgp):
2045
2495
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2496
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2497
datum = gnutls.datum_t(
2048
2498
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2499
ctypes.POINTER(ctypes.c_ubyte)),
2050
2500
ctypes.c_uint(len(openpgp)))
2051
2501
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2502
crt = gnutls.openpgp_crt_t()
2503
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2504
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2505
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2506
gnutls.OPENPGP_FMT_RAW)
2059
2507
# Verify the self signature in the key
2060
2508
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2509
gnutls.openpgp_crt_verify_self(crt, 0,
2510
ctypes.byref(crtverify))
2063
2511
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2512
gnutls.openpgp_crt_deinit(crt)
2513
raise gnutls.CertificateSecurityError(code
2514
=crtverify.value)
2067
2515
# New buffer for the fingerprint
2068
2516
buf = ctypes.create_string_buffer(20)
2069
2517
buf_len = ctypes.c_size_t()
2070
2518
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2519
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2520
ctypes.byref(buf_len))
2073
2521
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2522
gnutls.openpgp_crt_deinit(crt)
2075
2523
# Convert the buffer to a Python bytestring
2076
2524
fpr = ctypes.string_at(buf, buf_len.value)
2077
2525
# Convert the bytestring to hexadecimal notation
2079
2527
return hex_fpr
2080
2528
2081
2529
2082
class MultiprocessingMixIn(object):
2530
class MultiprocessingMixIn:
2083
2531
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2532
2085
2533
def sub_process_main(self, request, address):
2086
2534
try:
2087
2535
self.finish_request(request, address)
2088
2536
except Exception:
2089
2537
self.handle_error(request, address)
2090
2538
self.close_request(request)
2091
2539
2092
2540
def process_request(self, request, address):
2093
2541
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2542
proc = multiprocessing.Process(target=self.sub_process_main,
2543
args=(request, address))
2096
2544
proc.start()
2097
2545
return proc
2098
2546
2099
2547
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2548
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2101
2549
""" adds a pipe to the MixIn """
2102
2550
2103
2551
def process_request(self, request, client_address):
2104
2552
"""Overrides and wraps the original process_request().
2105
2553
2106
2554
This function creates a new pipe in self.pipe
2107
2555
"""
2108
2556
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2557
2110
2558
proc = MultiprocessingMixIn.process_request(self, request,
2111
2559
client_address)
2112
2560
self.child_pipe.close()
2113
2561
self.add_pipe(parent_pipe, proc)
2114
2562
2115
2563
def add_pipe(self, parent_pipe, proc):
2116
2564
"""Dummy function; override as necessary"""
2117
2565
raise NotImplementedError()
2118
2566
2119
2567
2120
2568
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
socketserver.TCPServer, object):
2569
socketserver.TCPServer):
2122
2570
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2571
2124
2572
Attributes:
2125
2573
enabled: Boolean; whether this server is activated yet
2126
2574
interface: None or a network interface name (string)
2127
2575
use_ipv6: Boolean; to use IPv6 or not
2128
2576
"""
2129
2577
2130
2578
def __init__(self, server_address, RequestHandlerClass,
2131
2579
interface=None,
2132
2580
use_ipv6=True,
2142
2590
self.socketfd = socketfd
2143
2591
# Save the original socket.socket() function
2144
2592
self.socket_socket = socket.socket
2593
2145
2594
# To implement --socket, we monkey patch socket.socket.
2146
#
2595
#
2147
2596
# (When socketserver.TCPServer is a new-style class, we
2148
2597
# could make self.socket into a property instead of monkey
2149
2598
# patching socket.socket.)
2150
#
2599
#
2151
2600
# Create a one-time-only replacement for socket.socket()
2152
2601
@functools.wraps(socket.socket)
2153
2602
def socket_wrapper(*args, **kwargs):
2165
2614
# socket_wrapper(), if socketfd was set.
2166
2615
socketserver.TCPServer.__init__(self, server_address,
2167
2616
RequestHandlerClass)
2168
2617
2169
2618
def server_bind(self):
2170
2619
"""This overrides the normal server_bind() function
2171
2620
to bind to an interface if one was specified, and also NOT to
2172
2621
bind to an address or port if they were not specified."""
2622
global SO_BINDTODEVICE
2173
2623
if self.interface is not None:
2174
2624
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2625
# Fall back to a hard-coded value which seems to be
2626
# common enough.
2627
logger.warning("SO_BINDTODEVICE not found, trying 25")
2628
SO_BINDTODEVICE = 25
2629
try:
2630
self.socket.setsockopt(
2631
socket.SOL_SOCKET, SO_BINDTODEVICE,
2632
(self.interface + "\0").encode("utf-8"))
2633
except socket.error as error:
2634
if error.errno == errno.EPERM:
2635
logger.error("No permission to bind to"
2636
" interface %s", self.interface)
2637
elif error.errno == errno.ENOPROTOOPT:
2638
logger.error("SO_BINDTODEVICE not available;"
2639
" cannot bind to interface %s",
2640
self.interface)
2641
elif error.errno == errno.ENODEV:
2642
logger.error("Interface %s does not exist,"
2643
" cannot bind", self.interface)
2644
else:
2645
raise
2196
2646
# Only bind(2) the socket if we really need to.
2197
2647
if self.server_address[0] or self.server_address[1]:
2648
if self.server_address[1]:
2649
self.allow_reuse_address = True
2198
2650
if not self.server_address[0]:
2199
2651
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2652
any_address = "::" # in6addr_any
2201
2653
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2654
any_address = "0.0.0.0" # INADDR_ANY
2203
2655
self.server_address = (any_address,
2204
2656
self.server_address[1])
2205
2657
elif not self.server_address[1]:
2215
2667
2216
2668
class MandosServer(IPv6_TCPServer):
2217
2669
"""Mandos server.
2218
2670
2219
2671
Attributes:
2220
2672
clients: set of Client objects
2221
2673
gnutls_priority GnuTLS priority string
2222
2674
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2675
2676
Assumes a GLib.MainLoop event loop.
2225
2677
"""
2226
2678
2227
2679
def __init__(self, server_address, RequestHandlerClass,
2228
2680
interface=None,
2229
2681
use_ipv6=True,
2239
2691
self.gnutls_priority = gnutls_priority
2240
2692
IPv6_TCPServer.__init__(self, server_address,
2241
2693
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2694
interface=interface,
2695
use_ipv6=use_ipv6,
2696
socketfd=socketfd)
2697
2246
2698
def server_activate(self):
2247
2699
if self.enabled:
2248
2700
return socketserver.TCPServer.server_activate(self)
2249
2701
2250
2702
def enable(self):
2251
2703
self.enabled = True
2252
2704
2253
2705
def add_pipe(self, parent_pipe, proc):
2254
2706
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2707
GLib.io_add_watch(
2708
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2709
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2258
2710
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2711
parent_pipe=parent_pipe,
2712
proc=proc))
2713
2262
2714
def handle_ipc(self, source, condition,
2263
2715
parent_pipe=None,
2264
proc = None,
2716
proc=None,
2265
2717
client_object=None):
2266
2718
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2719
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2720
# Wait for other process to exit
2269
2721
proc.join()
2270
2722
return False
2271
2723
2272
2724
# Read a request from the child
2273
2725
request = parent_pipe.recv()
2274
2726
command = request[0]
2275
2727
2276
2728
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2729
key_id = request[1].decode("ascii")
2730
fpr = request[2].decode("ascii")
2731
address = request[3]
2732
2733
for c in self.clients.values():
2734
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2735
"27AE41E4649B934CA495991B7852B855"):
2736
continue
2737
if key_id and c.key_id == key_id:
2738
client = c
2739
break
2740
if fpr and c.fingerprint == fpr:
2282
2741
client = c
2283
2742
break
2284
2743
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2744
logger.info("Client not found for key ID: %s, address"
2745
": %s", key_id or fpr, address)
2287
2746
if self.use_dbus:
2288
2747
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2748
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2749
address[0])
2291
2750
parent_pipe.send(False)
2292
2751
return False
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2752
2753
GLib.io_add_watch(
2754
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2755
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2297
2756
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2757
parent_pipe=parent_pipe,
2758
proc=proc,
2759
client_object=client))
2301
2760
parent_pipe.send(True)
2302
2761
# remove the old hook in favor of the new above hook on
2303
2762
# same fileno
2306
2765
funcname = request[1]
2307
2766
args = request[2]
2308
2767
kwargs = request[3]
2309
2768
2310
2769
parent_pipe.send(('data', getattr(client_object,
2311
2770
funcname)(*args,
2312
2771
**kwargs)))
2313
2772
2314
2773
if command == 'getattr':
2315
2774
attrname = request[1]
2316
2775
if isinstance(client_object.__getattribute__(attrname),
2317
collections.Callable):
2776
collections.abc.Callable):
2318
2777
parent_pipe.send(('function', ))
2319
2778
else:
2320
2779
parent_pipe.send((
2321
2780
'data', client_object.__getattribute__(attrname)))
2322
2781
2323
2782
if command == 'setattr':
2324
2783
attrname = request[1]
2325
2784
value = request[2]
2326
2785
setattr(client_object, attrname, value)
2327
2786
2328
2787
return True
2329
2788
2330
2789
2331
2790
def rfc3339_duration_to_delta(duration):
2332
2791
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2792
2793
>>> timedelta = datetime.timedelta
2794
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2795
True
2796
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2797
True
2798
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2799
True
2800
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2801
True
2802
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2803
True
2804
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2805
True
2806
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2807
True
2808
>>> del timedelta
2348
2809
"""
2349
2810
2350
2811
# Parsing an RFC 3339 duration with regular expressions is not
2351
2812
# possible - there would have to be multiple places for the same
2352
2813
# values, like seconds. The current code, while more esoteric, is
2353
2814
# cleaner without depending on a parsing library. If Python had a
2354
2815
# built-in library for parsing we would use it, but we'd like to
2355
2816
# avoid excessive use of external libraries.
2356
2817
2357
2818
# New type for defining tokens, syntax, and semantics all-in-one
2358
2819
Token = collections.namedtuple("Token", (
2359
2820
"regexp", # To match token; if "value" is not None, must have
2392
2853
frozenset((token_year, token_month,
2393
2854
token_day, token_time,
2394
2855
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2856
# Define starting values:
2857
# Value so far
2858
value = datetime.timedelta()
2397
2859
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2860
# Following valid tokens
2861
followers = frozenset((token_duration, ))
2862
# String left to parse
2863
s = duration
2400
2864
# Loop until end token is found
2401
2865
while found_token is not token_end:
2402
2866
# Search for any currently valid tokens
2426
2890
2427
2891
def string_to_delta(interval):
2428
2892
"""Parse a string and return a datetime.timedelta
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2893
2894
>>> string_to_delta('7d') == datetime.timedelta(7)
2895
True
2896
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2897
True
2898
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2899
True
2900
>>> string_to_delta('24h') == datetime.timedelta(1)
2901
True
2902
>>> string_to_delta('1w') == datetime.timedelta(7)
2903
True
2904
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2905
True
2442
2906
"""
2443
2907
2444
2908
try:
2445
2909
return rfc3339_duration_to_delta(interval)
2446
2910
except ValueError:
2447
2911
pass
2448
2912
2449
2913
timevalue = datetime.timedelta(0)
2450
2914
for s in interval.split():
2451
2915
try:
2469
2933
return timevalue
2470
2934
2471
2935
2472
def daemon(nochdir = False, noclose = False):
2936
def daemon(nochdir=False, noclose=False):
2473
2937
"""See daemon(3). Standard BSD Unix function.
2474
2938
2475
2939
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2940
if os.fork():
2477
2941
sys.exit()
2495
2959
2496
2960
2497
2961
def main():
2498
2962
2499
2963
##################################################################
2500
2964
# Parsing of options, both command line and config file
2501
2965
2502
2966
parser = argparse.ArgumentParser()
2503
2967
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2968
version="%(prog)s {}".format(version),
2505
2969
help="show version number and exit")
2506
2970
parser.add_argument("-i", "--interface", metavar="IF",
2507
2971
help="Bind to interface IF")
2543
3007
parser.add_argument("--no-zeroconf", action="store_false",
2544
3008
dest="zeroconf", help="Do not use Zeroconf",
2545
3009
default=None)
2546
3010
2547
3011
options = parser.parse_args()
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
3012
2554
3013
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3014
if gnutls.has_rawpk:
3015
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3016
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3017
else:
3018
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3019
":+SIGN-DSA-SHA256")
3020
server_defaults = {"interface": "",
3021
"address": "",
3022
"port": "",
3023
"debug": "False",
3024
"priority": priority,
3025
"servicename": "Mandos",
3026
"use_dbus": "True",
3027
"use_ipv6": "True",
3028
"debuglevel": "",
3029
"restore": "True",
3030
"socket": "",
3031
"statedir": "/var/lib/mandos",
3032
"foreground": "False",
3033
"zeroconf": "True",
3034
}
3035
del priority
3036
2573
3037
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3038
server_config = configparser.ConfigParser(server_defaults)
2575
3039
del server_defaults
2576
3040
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3041
# Convert the ConfigParser object to a dict
2578
3042
server_settings = server_config.defaults()
2579
3043
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3044
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3045
"foreground", "zeroconf"):
2581
3046
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3047
option)
2583
3048
if server_settings["port"]:
2593
3058
server_settings["socket"] = os.dup(server_settings
2594
3059
["socket"])
2595
3060
del server_config
2596
3061
2597
3062
# Override the settings from the config file with command line
2598
3063
# options, if set.
2599
3064
for option in ("interface", "address", "port", "debug",
2617
3082
if server_settings["debug"]:
2618
3083
server_settings["foreground"] = True
2619
3084
# Now we have our good server settings in "server_settings"
2620
3085
2621
3086
##################################################################
2622
3087
2623
3088
if (not server_settings["zeroconf"]
2624
3089
and not (server_settings["port"]
2625
3090
or server_settings["socket"] != "")):
2626
3091
parser.error("Needs port or socket to work without Zeroconf")
2627
3092
2628
3093
# For convenience
2629
3094
debug = server_settings["debug"]
2630
3095
debuglevel = server_settings["debuglevel"]
2634
3099
stored_state_file)
2635
3100
foreground = server_settings["foreground"]
2636
3101
zeroconf = server_settings["zeroconf"]
2637
3102
2638
3103
if debug:
2639
3104
initlogger(debug, logging.DEBUG)
2640
3105
else:
2643
3108
else:
2644
3109
level = getattr(logging, debuglevel.upper())
2645
3110
initlogger(debug, level)
2646
3111
2647
3112
if server_settings["servicename"] != "Mandos":
2648
3113
syslogger.setFormatter(
2649
3114
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3115
' %(levelname)s: %(message)s'.format(
2651
3116
server_settings["servicename"])))
2652
3117
2653
3118
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3119
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3120
client_config.read(os.path.join(server_settings["configdir"],
2657
3121
"clients.conf"))
2658
3122
2659
3123
global mandos_dbus_service
2660
3124
mandos_dbus_service = None
2661
3125
2662
3126
socketfd = None
2663
3127
if server_settings["socket"] != "":
2664
3128
socketfd = server_settings["socket"]
2680
3144
except IOError as e:
2681
3145
logger.error("Could not open file %r", pidfilename,
2682
3146
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3147
3148
for name, group in (("_mandos", "_mandos"),
3149
("mandos", "mandos"),
3150
("nobody", "nogroup")):
2685
3151
try:
2686
3152
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3153
gid = pwd.getpwnam(group).pw_gid
2688
3154
break
2689
3155
except KeyError:
2690
3156
continue
2694
3160
try:
2695
3161
os.setgid(gid)
2696
3162
os.setuid(uid)
3163
if debug:
3164
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3165
gid))
2697
3166
except OSError as error:
3167
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3168
.format(uid, gid, os.strerror(error.errno)))
2698
3169
if error.errno != errno.EPERM:
2699
3170
raise
2700
3171
2701
3172
if debug:
2702
3173
# Enable all possible GnuTLS debugging
2703
3174
2704
3175
# "Use a log level over 10 to enable all debugging options."
2705
3176
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3177
gnutls.global_set_log_level(11)
3178
3179
@gnutls.log_func
2709
3180
def debug_gnutls(level, string):
2710
3181
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3182
3183
gnutls.global_set_log_function(debug_gnutls)
3184
2715
3185
# Redirect stdin so all checkers get /dev/null
2716
3186
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3187
os.dup2(null, sys.stdin.fileno())
2718
3188
if null > 2:
2719
3189
os.close(null)
2720
3190
2721
3191
# Need to fork before connecting to D-Bus
2722
3192
if not foreground:
2723
3193
# Close all input and output, do double fork, etc.
2724
3194
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3195
3196
if gi.version_info < (3, 10, 2):
3197
# multiprocessing will use threads, so before we use GLib we
3198
# need to inform GLib that threads will be used.
3199
GLib.threads_init()
3200
2730
3201
global main_loop
2731
3202
# From the Avahi example code
2732
3203
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3204
main_loop = GLib.MainLoop()
2734
3205
bus = dbus.SystemBus()
2735
3206
# End of Avahi example code
2736
3207
if use_dbus:
2749
3220
if zeroconf:
2750
3221
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3222
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3223
name=server_settings["servicename"],
3224
servicetype="_mandos._tcp",
3225
protocol=protocol,
3226
bus=bus)
2756
3227
if server_settings["interface"]:
2757
3228
service.interface = if_nametoindex(
2758
3229
server_settings["interface"].encode("utf-8"))
2759
3230
2760
3231
global multiprocessing_manager
2761
3232
multiprocessing_manager = multiprocessing.Manager()
2762
3233
2763
3234
client_class = Client
2764
3235
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3236
client_class = functools.partial(ClientDBus, bus=bus)
3237
2767
3238
client_settings = Client.config_parser(client_config)
2768
3239
old_client_settings = {}
2769
3240
clients_data = {}
2770
3241
2771
3242
# This is used to redirect stdout and stderr for checker processes
2772
3243
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3244
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3245
# Only used if server is running in foreground but not in debug
2775
3246
# mode
2776
3247
if debug or not foreground:
2777
3248
wnull.close()
2778
3249
2779
3250
# Get client data and settings from last running state.
2780
3251
if server_settings["restore"]:
2781
3252
try:
2782
3253
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3254
if sys.version_info.major == 2:
3255
clients_data, old_client_settings = pickle.load(
3256
stored_state)
3257
else:
3258
bytes_clients_data, bytes_old_client_settings = (
3259
pickle.load(stored_state, encoding="bytes"))
3260
# Fix bytes to strings
3261
# clients_data
3262
# .keys()
3263
clients_data = {(key.decode("utf-8")
3264
if isinstance(key, bytes)
3265
else key): value
3266
for key, value in
3267
bytes_clients_data.items()}
3268
del bytes_clients_data
3269
for key in clients_data:
3270
value = {(k.decode("utf-8")
3271
if isinstance(k, bytes) else k): v
3272
for k, v in
3273
clients_data[key].items()}
3274
clients_data[key] = value
3275
# .client_structure
3276
value["client_structure"] = [
3277
(s.decode("utf-8")
3278
if isinstance(s, bytes)
3279
else s) for s in
3280
value["client_structure"]]
3281
# .name, .host, and .checker_command
3282
for k in ("name", "host", "checker_command"):
3283
if isinstance(value[k], bytes):
3284
value[k] = value[k].decode("utf-8")
3285
if "key_id" not in value:
3286
value["key_id"] = ""
3287
elif "fingerprint" not in value:
3288
value["fingerprint"] = ""
3289
# old_client_settings
3290
# .keys()
3291
old_client_settings = {
3292
(key.decode("utf-8")
3293
if isinstance(key, bytes)
3294
else key): value
3295
for key, value in
3296
bytes_old_client_settings.items()}
3297
del bytes_old_client_settings
3298
# .host and .checker_command
3299
for value in old_client_settings.values():
3300
for attribute in ("host", "checker_command"):
3301
if isinstance(value[attribute], bytes):
3302
value[attribute] = (value[attribute]
3303
.decode("utf-8"))
2785
3304
os.remove(stored_state_path)
2786
3305
except IOError as e:
2787
3306
if e.errno == errno.ENOENT:
2795
3314
logger.warning("Could not load persistent state: "
2796
3315
"EOFError:",
2797
3316
exc_info=e)
2798
3317
2799
3318
with PGPEngine() as pgp:
2800
3319
for client_name, client in clients_data.items():
2801
3320
# Skip removed clients
2802
3321
if client_name not in client_settings:
2803
3322
continue
2804
3323
2805
3324
# Decide which value to use after restoring saved state.
2806
3325
# We have three different values: Old config file,
2807
3326
# new config file, and saved state.
2818
3337
client[name] = value
2819
3338
except KeyError:
2820
3339
pass
2821
3340
2822
3341
# Clients who has passed its expire date can still be
2823
3342
# enabled if its last checker was successful. A Client
2824
3343
# whose checker succeeded before we stored its state is
2857
3376
client_name))
2858
3377
client["secret"] = (client_settings[client_name]
2859
3378
["secret"])
2860
3379
2861
3380
# Add/remove clients based on new changes made to config
2862
3381
for client_name in (set(old_client_settings)
2863
3382
- set(client_settings)):
2865
3384
for client_name in (set(client_settings)
2866
3385
- set(old_client_settings)):
2867
3386
clients_data[client_name] = client_settings[client_name]
2868
3387
2869
3388
# Create all client objects
2870
3389
for client_name, client in clients_data.items():
2871
3390
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3391
name=client_name,
3392
settings=client,
3393
server_settings=server_settings)
3394
2876
3395
if not tcp_server.clients:
2877
3396
logger.warning("No clients defined")
2878
3397
2879
3398
if not foreground:
2880
3399
if pidfile is not None:
2881
3400
pid = os.getpid()
2887
3406
pidfilename, pid)
2888
3407
del pidfile
2889
3408
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3409
3410
for termsig in (signal.SIGHUP, signal.SIGTERM):
3411
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3412
lambda: main_loop.quit() and False)
3413
2894
3414
if use_dbus:
2895
3415
2896
3416
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3417
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3418
class MandosDBusService(DBusObjectWithObjectManager):
2899
3419
"""A D-Bus proxy object"""
2900
3420
2901
3421
def __init__(self):
2902
3422
dbus.service.Object.__init__(self, bus, "/")
2903
3423
2904
3424
_interface = "se.recompile.Mandos"
2905
3425
2906
3426
@dbus.service.signal(_interface, signature="o")
2907
3427
def ClientAdded(self, objpath):
2908
3428
"D-Bus signal"
2909
3429
pass
2910
3430
2911
3431
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3432
def ClientNotFound(self, key_id, address):
2913
3433
"D-Bus signal"
2914
3434
pass
2915
3435
2916
3436
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3437
"true"})
2918
3438
@dbus.service.signal(_interface, signature="os")
2919
3439
def ClientRemoved(self, objpath, name):
2920
3440
"D-Bus signal"
2921
3441
pass
2922
3442
2923
3443
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3444
"true"})
2925
3445
@dbus.service.method(_interface, out_signature="ao")
2926
3446
def GetAllClients(self):
2927
3447
"D-Bus method"
2928
3448
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3449
tcp_server.clients.values())
3450
2931
3451
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3452
"true"})
2933
3453
@dbus.service.method(_interface,
2935
3455
def GetAllClientsWithProperties(self):
2936
3456
"D-Bus method"
2937
3457
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3458
{c.dbus_object_path: c.GetAll(
2939
3459
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3460
for c in tcp_server.clients.values()},
2941
3461
signature="oa{sv}")
2942
3462
2943
3463
@dbus.service.method(_interface, in_signature="o")
2944
3464
def RemoveClient(self, object_path):
2945
3465
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3466
for c in tcp_server.clients.values():
2947
3467
if c.dbus_object_path == object_path:
2948
3468
del tcp_server.clients[c.name]
2949
3469
c.remove_from_connection()
2953
3473
self.client_removed_signal(c)
2954
3474
return
2955
3475
raise KeyError(object_path)
2956
3476
2957
3477
del _interface
2958
3478
2959
3479
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3480
out_signature="a{oa{sa{sv}}}")
2961
3481
def GetManagedObjects(self):
2962
3482
"""D-Bus method"""
2963
3483
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3484
{client.dbus_object_path:
3485
dbus.Dictionary(
3486
{interface: client.GetAll(interface)
3487
for interface in
3488
client._get_all_interface_names()})
3489
for client in tcp_server.clients.values()})
3490
2971
3491
def client_added_signal(self, client):
2972
3492
"""Send the new standard signal and the old signal"""
2973
3493
if use_dbus:
2975
3495
self.InterfacesAdded(
2976
3496
client.dbus_object_path,
2977
3497
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3498
{interface: client.GetAll(interface)
3499
for interface in
3500
client._get_all_interface_names()}))
2981
3501
# Old signal
2982
3502
self.ClientAdded(client.dbus_object_path)
2983
3503
2984
3504
def client_removed_signal(self, client):
2985
3505
"""Send the new standard signal and the old signal"""
2986
3506
if use_dbus:
2991
3511
# Old signal
2992
3512
self.ClientRemoved(client.dbus_object_path,
2993
3513
client.name)
2994
3514
2995
3515
mandos_dbus_service = MandosDBusService()
2996
3516
3517
# Save modules to variables to exempt the modules from being
3518
# unloaded before the function registered with atexit() is run.
3519
mp = multiprocessing
3520
wn = wnull
3521
2997
3522
def cleanup():
2998
3523
"Cleanup function; run on exit"
2999
3524
if zeroconf:
3000
3525
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3526
3527
mp.active_children()
3528
wn.close()
3004
3529
if not (tcp_server.clients or client_settings):
3005
3530
return
3006
3531
3007
3532
# Store client before exiting. Secrets are encrypted with key
3008
3533
# based on what config file has. If config file is
3009
3534
# removed/edited, old secret will thus be unrecovable.
3010
3535
clients = {}
3011
3536
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3537
for client in tcp_server.clients.values():
3013
3538
key = client_settings[client.name]["secret"]
3014
3539
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3540
key)
3016
3541
client_dict = {}
3017
3542
3018
3543
# A list of attributes that can not be pickled
3019
3544
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3545
exclude = {"bus", "changedstate", "secret",
3546
"checker", "server_settings"}
3022
3547
for name, typ in inspect.getmembers(dbus.service
3023
3548
.Object):
3024
3549
exclude.add(name)
3025
3550
3026
3551
client_dict["encrypted_secret"] = (client
3027
3552
.encrypted_secret)
3028
3553
for attr in client.client_structure:
3029
3554
if attr not in exclude:
3030
3555
client_dict[attr] = getattr(client, attr)
3031
3556
3032
3557
clients[client.name] = client_dict
3033
3558
del client_settings[client.name]["secret"]
3034
3559
3035
3560
try:
3036
3561
with tempfile.NamedTemporaryFile(
3037
3562
mode='wb',
3039
3564
prefix='clients-',
3040
3565
dir=os.path.dirname(stored_state_path),
3041
3566
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3567
pickle.dump((clients, client_settings), stored_state,
3568
protocol=2)
3043
3569
tempname = stored_state.name
3044
3570
os.rename(tempname, stored_state_path)
3045
3571
except (IOError, OSError) as e:
3055
3581
logger.warning("Could not save persistent state:",
3056
3582
exc_info=e)
3057
3583
raise
3058
3584
3059
3585
# Delete all clients, and settings from config
3060
3586
while tcp_server.clients:
3061
3587
name, client = tcp_server.clients.popitem()
3064
3590
# Don't signal the disabling
3065
3591
client.disable(quiet=True)
3066
3592
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3593
if use_dbus:
3594
mandos_dbus_service.client_removed_signal(client)
3068
3595
client_settings.clear()
3069
3596
3070
3597
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3598
3599
for client in tcp_server.clients.values():
3073
3600
if use_dbus:
3074
3601
# Emit D-Bus signal for adding
3075
3602
mandos_dbus_service.client_added_signal(client)
3076
3603
# Need to initiate checking of clients
3077
3604
if client.enabled:
3078
3605
client.init_checker()
3079
3606
3080
3607
tcp_server.enable()
3081
3608
tcp_server.server_activate()
3082
3609
3083
3610
# Find out what port we got
3084
3611
if zeroconf:
3085
3612
service.port = tcp_server.socket.getsockname()[1]
3090
3617
else: # IPv4
3091
3618
logger.info("Now listening on address %r, port %d",
3092
3619
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3620
3621
# service.interface = tcp_server.socket.getsockname()[3]
3622
3096
3623
try:
3097
3624
if zeroconf:
3098
3625
# From the Avahi example code
3103
3630
cleanup()
3104
3631
sys.exit(1)
3105
3632
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3633
3634
GLib.io_add_watch(
3635
GLib.IOChannel.unix_new(tcp_server.fileno()),
3636
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3637
lambda *args, **kwargs: (tcp_server.handle_request
3638
(*args[2:], **kwargs) or True))
3639
3112
3640
logger.debug("Starting main loop")
3113
3641
main_loop.run()
3114
3642
except AvahiError as error:
3123
3651
# Must run before the D-Bus bus name gets deregistered
3124
3652
cleanup()
3125
3653
3654
3655
def should_only_run_tests():
3656
parser = argparse.ArgumentParser(add_help=False)
3657
parser.add_argument("--check", action='store_true')
3658
args, unknown_args = parser.parse_known_args()
3659
run_tests = args.check
3660
if run_tests:
3661
# Remove --check argument from sys.argv
3662
sys.argv[1:] = unknown_args
3663
return run_tests
3664
3665
# Add all tests from doctest strings
3666
def load_tests(loader, tests, none):
3667
import doctest
3668
tests.addTests(doctest.DocTestSuite())
3669
return tests
3126
3670
3127
3671
if __name__ == '__main__':
3128
main()
3672
try:
3673
if should_only_run_tests():
3674
# Call using ./mandos --check [--verbose]
3675
unittest.main()
3676
else:
3677
main()
3678
finally:
3679
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0