To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1245
- compare with another revision
- download diff
- download tarball
- view history from revision 1245
- Committer: Teddy Hogeborn
- Date: 2022-04-23 20:39:28 UTC
- Revision ID: teddy@recompile.se-20220423203928-q2ngppp3pt7cfv4x
Makefile: Add comment about phase out of -lpthread
* Makefile (dracut-module/password-agent): Add comment about -lpthread
being unnecessary in GNU C library 2.34 and later.
* Makefile (dracut-module/password-agent): Add comment about -lpthread
being unnecessary in GNU C library 2.34 and later.
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
79
77
import itertools
80
78
import collections
81
79
import codecs
80
import unittest
81
import random
82
import shlex
82
83
83
84
import dbus
84
85
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
86
import gi
87
from gi.repository import GLib
90
88
from dbus.mainloop.glib import DBusGMainLoop
91
89
import ctypes
92
90
import ctypes.util
93
91
import xml.dom.minidom
94
92
import inspect
95
93
96
try:
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
97
122
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
123
except AttributeError:
99
124
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
100
127
from IN import SO_BINDTODEVICE
101
128
except ImportError:
102
SO_BINDTODEVICE = None
103
104
if sys.version_info.major == 2:
105
str = unicode
106
107
version = "1.7.1"
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.14"
108
147
stored_state_file = "clients.pickle"
109
148
110
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
111
151
syslogger = None
112
152
113
153
try:
114
154
if_nametoindex = ctypes.cdll.LoadLibrary(
115
155
ctypes.util.find_library("c")).if_nametoindex
116
156
except (OSError, AttributeError):
117
157
118
158
def if_nametoindex(interface):
119
159
"Get an interface index the hard way, i.e. using fcntl()"
120
160
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
165
return interface_index
126
166
127
167
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
128
184
def initlogger(debug, level=logging.WARNING):
129
185
"""init logger and add loglevel"""
130
186
131
187
global syslogger
132
188
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
135
191
syslogger.setFormatter(logging.Formatter
136
192
('Mandos [%(process)d]: %(levelname)s:'
137
193
' %(message)s'))
138
194
logger.addHandler(syslogger)
139
195
140
196
if debug:
141
197
console = logging.StreamHandler()
142
198
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
152
208
pass
153
209
154
210
155
class PGPEngine(object):
211
class PGPEngine:
156
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
213
158
214
def __init__(self):
159
215
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
160
227
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
228
'--homedir', self.tempdir,
162
229
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
166
235
def __enter__(self):
167
236
return self
168
237
169
238
def __exit__(self, exc_type, exc_value, traceback):
170
239
self._cleanup()
171
240
return False
172
241
173
242
def __del__(self):
174
243
self._cleanup()
175
244
176
245
def _cleanup(self):
177
246
if self.tempdir is not None:
178
247
# Delete contents of tempdir
179
248
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
249
topdown=False):
181
250
for filename in files:
182
251
os.remove(os.path.join(root, filename))
183
252
for dirname in dirs:
185
254
# Remove tempdir
186
255
os.rmdir(self.tempdir)
187
256
self.tempdir = None
188
257
189
258
def password_encode(self, password):
190
259
# Passphrase can not be empty and can not contain newlines or
191
260
# NUL bytes. So we prefix it and hex encode it.
196
265
.replace(b"\n", b"\\n")
197
266
.replace(b"\0", b"\\x00"))
198
267
return encoded
199
268
200
269
def encrypt(self, data, password):
201
270
passphrase = self.password_encode(password)
202
271
with tempfile.NamedTemporaryFile(
203
272
dir=self.tempdir) as passfile:
204
273
passfile.write(passphrase)
205
274
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
275
proc = subprocess.Popen([self.gpg, '--symmetric',
207
276
'--passphrase-file',
208
277
passfile.name]
209
278
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
214
283
if proc.returncode != 0:
215
284
raise PGPError(err)
216
285
return ciphertext
217
286
218
287
def decrypt(self, data, password):
219
288
passphrase = self.password_encode(password)
220
289
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
290
dir=self.tempdir) as passfile:
222
291
passfile.write(passphrase)
223
292
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
293
proc = subprocess.Popen([self.gpg, '--decrypt',
225
294
'--passphrase-file',
226
295
passfile.name]
227
296
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
232
301
if proc.returncode != 0:
233
302
raise PGPError(err)
234
303
return decrypted_plaintext
235
304
236
305
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
237
332
class AvahiError(Exception):
238
333
def __init__(self, value, *args, **kwargs):
239
334
self.value = value
249
344
pass
250
345
251
346
252
class AvahiService(object):
347
class AvahiService:
253
348
"""An Avahi (Zeroconf) service.
254
349
255
350
Attributes:
256
351
interface: integer; avahi.IF_UNSPEC or an interface index.
257
352
Used to optionally bind to the specified interface.
269
364
server: D-Bus Server
270
365
bus: dbus.SystemBus()
271
366
"""
272
367
273
368
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
284
379
self.interface = interface
285
380
self.name = name
286
381
self.type = servicetype
295
390
self.server = None
296
391
self.bus = bus
297
392
self.entry_group_state_changed_match = None
298
393
299
394
def rename(self, remove=True):
300
395
"""Derived from the Avahi example code"""
301
396
if self.rename_count >= self.max_renames:
321
416
logger.critical("D-Bus Exception", exc_info=error)
322
417
self.cleanup()
323
418
os._exit(1)
324
419
325
420
def remove(self):
326
421
"""Derived from the Avahi example code"""
327
422
if self.entry_group_state_changed_match is not None:
329
424
self.entry_group_state_changed_match = None
330
425
if self.group is not None:
331
426
self.group.Reset()
332
427
333
428
def add(self):
334
429
"""Derived from the Avahi example code"""
335
430
self.remove()
352
447
dbus.UInt16(self.port),
353
448
avahi.string_array_to_txt_array(self.TXT))
354
449
self.group.Commit()
355
450
356
451
def entry_group_state_changed(self, state, error):
357
452
"""Derived from the Avahi example code"""
358
453
logger.debug("Avahi entry group state change: %i", state)
359
454
360
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
456
logger.debug("Zeroconf service established.")
362
457
elif state == avahi.ENTRY_GROUP_COLLISION:
366
461
logger.critical("Avahi: Error in group state changed %s",
367
462
str(error))
368
463
raise AvahiGroupError("State changed: {!s}".format(error))
369
464
370
465
def cleanup(self):
371
466
"""Derived from the Avahi example code"""
372
467
if self.group is not None:
377
472
pass
378
473
self.group = None
379
474
self.remove()
380
475
381
476
def server_state_changed(self, state, error=None):
382
477
"""Derived from the Avahi example code"""
383
478
logger.debug("Avahi server state change: %i", state)
412
507
logger.debug("Unknown state: %r", state)
413
508
else:
414
509
logger.debug("Unknown state: %r: %r", state, error)
415
510
416
511
def activate(self):
417
512
"""Derived from the Avahi example code"""
418
513
if self.server is None:
429
524
class AvahiServiceToSyslog(AvahiService):
430
525
def rename(self, *args, **kwargs):
431
526
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
433
529
syslogger.setFormatter(logging.Formatter(
434
530
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
531
.format(self.name)))
436
532
return ret
437
533
534
535
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
538
539
library = ctypes.util.find_library("gnutls")
540
if library is None:
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
543
del library
544
545
# Unless otherwise indicated, the constants and types below are
546
# all from the gnutls/gnutls.h C header file.
547
548
# Constants
549
E_SUCCESS = 0
550
E_INTERRUPTED = -52
551
E_AGAIN = -28
552
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
CLIENT = 2
555
SHUT_RDWR = 0
556
CRD_CERTIFICATE = 1
557
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
565
# Types
566
class _session_int(ctypes.Structure):
567
_fields_ = []
568
session_t = ctypes.POINTER(_session_int)
569
570
class certificate_credentials_st(ctypes.Structure):
571
_fields_ = []
572
certificate_credentials_t = ctypes.POINTER(
573
certificate_credentials_st)
574
certificate_type_t = ctypes.c_int
575
576
class datum_t(ctypes.Structure):
577
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
578
('size', ctypes.c_uint)]
579
580
class _openpgp_crt_int(ctypes.Structure):
581
_fields_ = []
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
586
transport_ptr_t = ctypes.c_void_p
587
close_request_t = ctypes.c_int
588
589
# Exceptions
590
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
592
# Default usage is by a message string, but if a return
593
# code is passed, convert it to a string with
594
# gnutls.strerror()
595
self.code = code
596
if message is None and code is not None:
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
600
message, *args)
601
602
class CertificateSecurityError(Error):
603
pass
604
605
class PointerTo:
606
def __init__(self, cls):
607
self.cls = cls
608
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
614
615
class CastToVoidPointer:
616
def __init__(self, cls):
617
self.cls = cls
618
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
625
class With_from_param:
626
@classmethod
627
def from_param(cls, obj):
628
return obj._as_parameter_
629
630
# Classes
631
class Credentials(With_from_param):
632
def __init__(self):
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
635
self.type = gnutls.CRD_CERTIFICATE
636
637
def __del__(self):
638
gnutls.certificate_free_credentials(self)
639
640
class ClientSession(With_from_param):
641
def __init__(self, socket, credentials=None):
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
646
if gnutls.has_rawpk:
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
649
del gnutls_flags
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
653
self.socket = socket
654
if credentials is None:
655
credentials = gnutls.Credentials()
656
gnutls.credentials_set(self, credentials.type,
657
credentials)
658
self.credentials = credentials
659
660
def __del__(self):
661
gnutls.deinit(self)
662
663
def handshake(self):
664
return gnutls.handshake(self)
665
666
def send(self, data):
667
data = bytes(data)
668
data_len = len(data)
669
while data_len > 0:
670
data_len -= gnutls.record_send(self, data[-data_len:],
671
data_len)
672
673
def bye(self):
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
675
676
# Error handling functions
677
def _error_code(result):
678
"""A function to raise exceptions on errors, suitable
679
for the 'restype' attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
681
return result
682
if result == gnutls.E_NO_CERTIFICATE_FOUND:
683
raise gnutls.CertificateSecurityError(code=result)
684
raise gnutls.Error(code=result)
685
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
688
"""A function to retry on some errors, suitable
689
for the 'errcheck' attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
691
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
692
return _error_code(result)
693
result = func(*arguments)
694
return result
695
696
# Unless otherwise indicated, the function declarations below are
697
# all from the gnutls/gnutls.h C header file.
698
699
# Functions
700
priority_set_direct = _library.gnutls_priority_set_direct
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
702
ctypes.POINTER(ctypes.c_char_p)]
703
priority_set_direct.restype = _error_code
704
705
init = _library.gnutls_init
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
707
init.restype = _error_code
708
709
set_default_priority = _library.gnutls_set_default_priority
710
set_default_priority.argtypes = [ClientSession]
711
set_default_priority.restype = _error_code
712
713
record_send = _library.gnutls_record_send
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
715
ctypes.c_size_t]
716
record_send.restype = ctypes.c_ssize_t
717
record_send.errcheck = _retry_on_error
718
719
certificate_allocate_credentials = (
720
_library.gnutls_certificate_allocate_credentials)
721
certificate_allocate_credentials.argtypes = [
722
PointerTo(Credentials)]
723
certificate_allocate_credentials.restype = _error_code
724
725
certificate_free_credentials = (
726
_library.gnutls_certificate_free_credentials)
727
certificate_free_credentials.argtypes = [Credentials]
728
certificate_free_credentials.restype = None
729
730
handshake_set_private_extensions = (
731
_library.gnutls_handshake_set_private_extensions)
732
handshake_set_private_extensions.argtypes = [ClientSession,
733
ctypes.c_int]
734
handshake_set_private_extensions.restype = None
735
736
credentials_set = _library.gnutls_credentials_set
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
739
credentials_set.restype = _error_code
740
741
strerror = _library.gnutls_strerror
742
strerror.argtypes = [ctypes.c_int]
743
strerror.restype = ctypes.c_char_p
744
745
certificate_type_get = _library.gnutls_certificate_type_get
746
certificate_type_get.argtypes = [ClientSession]
747
certificate_type_get.restype = _error_code
748
749
certificate_get_peers = _library.gnutls_certificate_get_peers
750
certificate_get_peers.argtypes = [ClientSession,
751
ctypes.POINTER(ctypes.c_uint)]
752
certificate_get_peers.restype = ctypes.POINTER(datum_t)
753
754
global_set_log_level = _library.gnutls_global_set_log_level
755
global_set_log_level.argtypes = [ctypes.c_int]
756
global_set_log_level.restype = None
757
758
global_set_log_function = _library.gnutls_global_set_log_function
759
global_set_log_function.argtypes = [log_func]
760
global_set_log_function.restype = None
761
762
deinit = _library.gnutls_deinit
763
deinit.argtypes = [ClientSession]
764
deinit.restype = None
765
766
handshake = _library.gnutls_handshake
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
769
handshake.errcheck = _retry_on_error
770
771
transport_set_ptr = _library.gnutls_transport_set_ptr
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
773
transport_set_ptr.restype = None
774
775
bye = _library.gnutls_bye
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
778
bye.errcheck = _retry_on_error
779
780
check_version = _library.gnutls_check_version
781
check_version.argtypes = [ctypes.c_char_p]
782
check_version.restype = ctypes.c_char_p
783
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
788
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
791
792
if has_rawpk:
793
# Types
794
class pubkey_st(ctypes.Structure):
795
_fields = []
796
pubkey_t = ctypes.POINTER(pubkey_st)
797
798
x509_crt_fmt_t = ctypes.c_int
799
800
# All the function declarations below are from
801
# gnutls/abstract.h
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
805
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
x509_crt_fmt_t]
809
pubkey_import.restype = _error_code
810
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
816
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
820
else:
821
# All the function declarations below are from
822
# gnutls/openpgp.h
823
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
827
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
831
openpgp_crt_fmt_t]
832
openpgp_crt_import.restype = _error_code
833
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
837
openpgp_crt_t,
838
ctypes.c_uint,
839
ctypes.POINTER(ctypes.c_uint),
840
]
841
openpgp_crt_verify_self.restype = _error_code
842
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
846
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
850
ctypes.c_void_p,
851
ctypes.POINTER(
852
ctypes.c_size_t)]
853
openpgp_crt_get_fingerprint.restype = _error_code
854
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
859
860
# Remove non-public functions
861
del _error_code, _retry_on_error
862
863
438
864
def call_pipe(connection, # : multiprocessing.Connection
439
865
func, *args, **kwargs):
440
866
"""This function is meant to be called by multiprocessing.Process
441
867
442
868
This function runs func(*args, **kwargs), and writes the resulting
443
869
return value on the provided multiprocessing.Connection.
444
870
"""
445
871
connection.send(func(*args, **kwargs))
446
872
connection.close()
447
873
448
class Client(object):
874
875
class Client:
449
876
"""A representation of a client host served by this server.
450
877
451
878
Attributes:
452
879
approved: bool(); 'None' if not yet approved/disapproved
453
880
approval_delay: datetime.timedelta(); Time to wait for approval
454
881
approval_duration: datetime.timedelta(); Duration of one approval
455
checker: subprocess.Popen(); a running checker process used
456
to see if the client lives.
457
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. 'None' if no process is
884
running.
885
checker_callback_tag: a GLib event source tag, or None
459
886
checker_command: string; External command which is run to check
460
887
if client lives. %() expansions are done at
461
888
runtime with vars(self) as dict, so that for
462
889
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
890
checker_initiator_tag: a GLib event source tag, or None
464
891
created: datetime.datetime(); (UTC) object creation
465
892
client_structure: Object describing what attributes a client has
466
893
and is used for storing the client at exit
467
894
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
895
disable_initiator_tag: a GLib event source tag, or None
469
896
enabled: bool()
470
897
fingerprint: string (40 or 32 hexadecimal digits); used to
471
uniquely identify the client
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
472
901
host: string; available for use by the checker command
473
902
interval: datetime.timedelta(); How often to start a new checker
474
903
last_approval_request: datetime.datetime(); (UTC) or None
490
919
disabled, or None
491
920
server_settings: The server_settings dict from main()
492
921
"""
493
922
494
923
runtime_expansions = ("approval_delay", "approval_duration",
495
"created", "enabled", "expires",
924
"created", "enabled", "expires", "key_id",
496
925
"fingerprint", "host", "interval",
497
926
"last_approval_request", "last_checked_ok",
498
927
"last_enabled", "name", "timeout")
507
936
"approved_by_default": "True",
508
937
"enabled": "True",
509
938
}
510
939
511
940
@staticmethod
512
941
def config_parser(config):
513
942
"""Construct a new dict of client settings of this form:
520
949
for client_name in config.sections():
521
950
section = dict(config.items(client_name))
522
951
client = settings[client_name] = {}
523
952
524
953
client["host"] = section["host"]
525
954
# Reformat values from string types to Python types
526
955
client["approved_by_default"] = config.getboolean(
527
956
client_name, "approved_by_default")
528
957
client["enabled"] = config.getboolean(client_name,
529
958
"enabled")
530
531
# Uppercase and remove spaces from fingerprint for later
532
# comparison purposes with return value from the
533
# fingerprint() function
959
960
# Uppercase and remove spaces from key_id and fingerprint
961
# for later comparison purposes with return value from the
962
# key_id() and fingerprint() functions
963
client["key_id"] = (section.get("key_id", "").upper()
964
.replace(" ", ""))
534
965
client["fingerprint"] = (section["fingerprint"].upper()
535
966
.replace(" ", ""))
536
967
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
968
client["secret"] = codecs.decode(section["secret"]
969
.encode("utf-8"),
970
"base64")
538
971
elif "secfile" in section:
539
972
with open(os.path.expanduser(os.path.expandvars
540
973
(section["secfile"])),
555
988
client["last_approval_request"] = None
556
989
client["last_checked_ok"] = None
557
990
client["last_checker_status"] = -2
558
991
559
992
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
993
994
def __init__(self, settings, name=None, server_settings=None):
562
995
self.name = name
563
996
if server_settings is None:
564
997
server_settings = {}
566
999
# adding all client settings
567
1000
for setting, value in settings.items():
568
1001
setattr(self, setting, value)
569
1002
570
1003
if self.enabled:
571
1004
if not hasattr(self, "last_enabled"):
572
1005
self.last_enabled = datetime.datetime.utcnow()
576
1009
else:
577
1010
self.last_enabled = None
578
1011
self.expires = None
579
1012
580
1013
logger.debug("Creating client %r", self.name)
1014
logger.debug(" Key ID: %s", self.key_id)
581
1015
logger.debug(" Fingerprint: %s", self.fingerprint)
582
1016
self.created = settings.get("created",
583
1017
datetime.datetime.utcnow())
584
1018
585
1019
# attributes specific for this server instance
586
1020
self.checker = None
587
1021
self.checker_initiator_tag = None
593
1027
self.changedstate = multiprocessing_manager.Condition(
594
1028
multiprocessing_manager.Lock())
595
1029
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
1030
for attr in self.__dict__.keys()
597
1031
if not attr.startswith("_")]
598
1032
self.client_structure.append("client_structure")
599
1033
600
1034
for name, t in inspect.getmembers(
601
1035
type(self), lambda obj: isinstance(obj, property)):
602
1036
if not name.startswith("_"):
603
1037
self.client_structure.append(name)
604
1038
605
1039
# Send notice to process children that client state has changed
606
1040
def send_changedstate(self):
607
1041
with self.changedstate:
608
1042
self.changedstate.notify_all()
609
1043
610
1044
def enable(self):
611
1045
"""Start this client's checker and timeout hooks"""
612
1046
if getattr(self, "enabled", False):
617
1051
self.last_enabled = datetime.datetime.utcnow()
618
1052
self.init_checker()
619
1053
self.send_changedstate()
620
1054
621
1055
def disable(self, quiet=True):
622
1056
"""Disable this client."""
623
1057
if not getattr(self, "enabled", False):
625
1059
if not quiet:
626
1060
logger.info("Disabling client %s", self.name)
627
1061
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
1062
GLib.source_remove(self.disable_initiator_tag)
629
1063
self.disable_initiator_tag = None
630
1064
self.expires = None
631
1065
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
1066
GLib.source_remove(self.checker_initiator_tag)
633
1067
self.checker_initiator_tag = None
634
1068
self.stop_checker()
635
1069
self.enabled = False
636
1070
if not quiet:
637
1071
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
1072
# Do not run this again if called by a GLib.timeout_add
639
1073
return False
640
1074
641
1075
def __del__(self):
642
1076
self.disable()
643
1077
644
1078
def init_checker(self):
645
1079
# Schedule a new checker to be started an 'interval' from now,
646
1080
# and every interval from then on.
647
1081
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
650
int(self.interval.total_seconds() * 1000),
1082
GLib.source_remove(self.checker_initiator_tag)
1083
self.checker_initiator_tag = GLib.timeout_add(
1084
random.randrange(int(self.interval.total_seconds() * 1000
1085
+ 1)),
651
1086
self.start_checker)
652
1087
# Schedule a disable() when 'timeout' has passed
653
1088
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
1089
GLib.source_remove(self.disable_initiator_tag)
1090
self.disable_initiator_tag = GLib.timeout_add(
656
1091
int(self.timeout.total_seconds() * 1000), self.disable)
657
1092
# Also start a new checker *right now*.
658
1093
self.start_checker()
659
1094
660
1095
def checker_callback(self, source, condition, connection,
661
1096
command):
662
1097
"""The checker has completed, so take appropriate actions."""
663
self.checker_callback_tag = None
664
self.checker = None
665
1098
# Read return code from connection (see call_pipe)
666
1099
returncode = connection.recv()
667
1100
connection.close()
668
1101
if self.checker is not None:
1102
self.checker.join()
1103
self.checker_callback_tag = None
1104
self.checker = None
1105
669
1106
if returncode >= 0:
670
1107
self.last_checker_status = returncode
671
1108
self.last_checker_signal = None
681
1118
logger.warning("Checker for %(name)s crashed?",
682
1119
vars(self))
683
1120
return False
684
1121
685
1122
def checked_ok(self):
686
1123
"""Assert that the client has been seen, alive and well."""
687
1124
self.last_checked_ok = datetime.datetime.utcnow()
688
1125
self.last_checker_status = 0
689
1126
self.last_checker_signal = None
690
1127
self.bump_timeout()
691
1128
692
1129
def bump_timeout(self, timeout=None):
693
1130
"""Bump up the timeout for this client."""
694
1131
if timeout is None:
695
1132
timeout = self.timeout
696
1133
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1134
GLib.source_remove(self.disable_initiator_tag)
698
1135
self.disable_initiator_tag = None
699
1136
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1137
self.disable_initiator_tag = GLib.timeout_add(
701
1138
int(timeout.total_seconds() * 1000), self.disable)
702
1139
self.expires = datetime.datetime.utcnow() + timeout
703
1140
704
1141
def need_approval(self):
705
1142
self.last_approval_request = datetime.datetime.utcnow()
706
1143
707
1144
def start_checker(self):
708
1145
"""Start a new checker subprocess if one is not running.
709
1146
710
1147
If a checker already exists, leave it running and do
711
1148
nothing."""
712
1149
# The reason for not killing a running checker is that if we
717
1154
# checkers alone, the checker would have to take more time
718
1155
# than 'timeout' for the client to be disabled, which is as it
719
1156
# should be.
720
1157
721
1158
if self.checker is not None and not self.checker.is_alive():
722
1159
logger.warning("Checker was not alive; joining")
723
1160
self.checker.join()
726
1163
if self.checker is None:
727
1164
# Escape attributes for the shell
728
1165
escaped_attrs = {
729
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1166
attr: shlex.quote(str(getattr(self, attr)))
1167
for attr in self.runtime_expansions}
731
1168
try:
732
1169
command = self.checker_command % escaped_attrs
733
1170
except TypeError as error:
745
1182
# The exception is when not debugging but nevertheless
746
1183
# running in the foreground; use the previously
747
1184
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1185
popen_args = {"close_fds": True,
1186
"shell": True,
1187
"cwd": "/"}
751
1188
if (not self.server_settings["debug"]
752
1189
and self.server_settings["foreground"]):
753
1190
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1191
"stderr": wnull})
1192
pipe = multiprocessing.Pipe(duplex=False)
756
1193
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1194
target=call_pipe,
1195
args=(pipe[1], subprocess.call, command),
1196
kwargs=popen_args)
760
1197
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1198
self.checker_callback_tag = GLib.io_add_watch(
1199
GLib.IOChannel.unix_new(pipe[0].fileno()),
1200
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
763
1201
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1202
# Re-run this periodically if run by GLib.timeout_add
765
1203
return True
766
1204
767
1205
def stop_checker(self):
768
1206
"""Force the checker process, if any, to stop."""
769
1207
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1208
GLib.source_remove(self.checker_callback_tag)
771
1209
self.checker_callback_tag = None
772
1210
if getattr(self, "checker", None) is None:
773
1211
return
782
1220
byte_arrays=False):
783
1221
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1222
become properties on the D-Bus.
785
1223
786
1224
The decorated method will be called with no arguments by "Get"
787
1225
and with one argument by "Set".
788
1226
789
1227
The parameters, where they are supported, are the same as
790
1228
dbus.service.method, except there is only "signature", since the
791
1229
type from Get() and the type sent to Set() is the same.
795
1233
if byte_arrays and signature != "ay":
796
1234
raise ValueError("Byte arrays not supported for non-'ay'"
797
1235
" signature {!r}".format(signature))
798
1236
799
1237
def decorator(func):
800
1238
func._dbus_is_property = True
801
1239
func._dbus_interface = dbus_interface
804
1242
func._dbus_name = func.__name__
805
1243
if func._dbus_name.endswith("_dbus_property"):
806
1244
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1245
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1246
return func
809
1247
810
1248
return decorator
811
1249
812
1250
813
1251
def dbus_interface_annotations(dbus_interface):
814
1252
"""Decorator for marking functions returning interface annotations
815
1253
816
1254
Usage:
817
1255
818
1256
@dbus_interface_annotations("org.example.Interface")
819
1257
def _foo(self): # Function name does not matter
820
1258
return {"org.freedesktop.DBus.Deprecated": "true",
821
1259
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1260
"false"}
823
1261
"""
824
1262
825
1263
def decorator(func):
826
1264
func._dbus_is_interface = True
827
1265
func._dbus_interface = dbus_interface
828
1266
func._dbus_name = dbus_interface
829
1267
return func
830
1268
831
1269
return decorator
832
1270
833
1271
834
1272
def dbus_annotations(annotations):
835
1273
"""Decorator to annotate D-Bus methods, signals or properties
836
1274
Usage:
837
1275
838
1276
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1277
"org.freedesktop.DBus.Property."
840
1278
"EmitsChangedSignal": "false"})
842
1280
access="r")
843
1281
def Property_dbus_property(self):
844
1282
return dbus.Boolean(False)
845
1283
846
1284
See also the DBusObjectWithAnnotations class.
847
1285
"""
848
1286
849
1287
def decorator(func):
850
1288
func._dbus_annotations = annotations
851
1289
return func
852
1290
853
1291
return decorator
854
1292
855
1293
873
1311
874
1312
class DBusObjectWithAnnotations(dbus.service.Object):
875
1313
"""A D-Bus object with annotations.
876
1314
877
1315
Classes inheriting from this can use the dbus_annotations
878
1316
decorator to add annotations to methods or signals.
879
1317
"""
880
1318
881
1319
@staticmethod
882
1320
def _is_dbus_thing(thing):
883
1321
"""Returns a function testing if an attribute is a D-Bus thing
884
1322
885
1323
If called like _is_dbus_thing("method") it returns a function
886
1324
suitable for use as predicate to inspect.getmembers().
887
1325
"""
888
1326
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1327
False)
890
1328
891
1329
def _get_all_dbus_things(self, thing):
892
1330
"""Returns a generator of (name, attribute) pairs
893
1331
"""
896
1334
for cls in self.__class__.__mro__
897
1335
for name, athing in
898
1336
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1337
900
1338
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1339
out_signature="s",
1340
path_keyword='object_path',
1341
connection_keyword='connection')
904
1342
def Introspect(self, object_path, connection):
905
1343
"""Overloading of standard D-Bus method.
906
1344
907
1345
Inserts annotation tags on methods and signals.
908
1346
"""
909
1347
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1348
connection)
911
1349
try:
912
1350
document = xml.dom.minidom.parseString(xmlstring)
913
1351
914
1352
for if_tag in document.getElementsByTagName("interface"):
915
1353
# Add annotation tags
916
1354
for typ in ("method", "signal"):
943
1381
if_tag.appendChild(ann_tag)
944
1382
# Fix argument name for the Introspect method itself
945
1383
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1384
== dbus.INTROSPECTABLE_IFACE):
947
1385
for cn in if_tag.getElementsByTagName("method"):
948
1386
if cn.getAttribute("name") == "Introspect":
949
1387
for arg in cn.getElementsByTagName("arg"):
962
1400
963
1401
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1402
"""A D-Bus object with properties.
965
1403
966
1404
Classes inheriting from this can use the dbus_service_property
967
1405
decorator to expose methods as D-Bus properties. It exposes the
968
1406
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1407
"""
970
1408
971
1409
def _get_dbus_property(self, interface_name, property_name):
972
1410
"""Returns a bound method if one exists which is a D-Bus
973
1411
property with the specified name and interface.
978
1416
if (value._dbus_name == property_name
979
1417
and value._dbus_interface == interface_name):
980
1418
return value.__get__(self)
981
1419
982
1420
# No such property
983
1421
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1422
self.dbus_object_path, interface_name, property_name))
985
1423
986
1424
@classmethod
987
1425
def _get_all_interface_names(cls):
988
1426
"""Get a sequence of all interfaces supported by an object"""
991
1429
for x in (inspect.getmro(cls))
992
1430
for attr in dir(x))
993
1431
if name is not None)
994
1432
995
1433
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1434
in_signature="ss",
997
1435
out_signature="v")
1005
1443
if not hasattr(value, "variant_level"):
1006
1444
return value
1007
1445
return type(value)(value, variant_level=value.variant_level+1)
1008
1446
1009
1447
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1448
def Set(self, interface_name, property_name, value):
1011
1449
"""Standard D-Bus property Set() method, see D-Bus standard.
1020
1458
raise ValueError("Byte arrays not supported for non-"
1021
1459
"'ay' signature {!r}"
1022
1460
.format(prop._dbus_signature))
1023
value = dbus.ByteArray(b''.join(chr(byte)
1024
for byte in value))
1461
value = dbus.ByteArray(bytes(value))
1025
1462
prop(value)
1026
1463
1027
1464
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1465
in_signature="s",
1029
1466
out_signature="a{sv}")
1030
1467
def GetAll(self, interface_name):
1031
1468
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1469
standard.
1033
1470
1034
1471
Note: Will not include properties with access="write".
1035
1472
"""
1036
1473
properties = {}
1047
1484
properties[name] = value
1048
1485
continue
1049
1486
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1487
value, variant_level=value.variant_level + 1)
1051
1488
return dbus.Dictionary(properties, signature="sv")
1052
1489
1053
1490
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1491
def PropertiesChanged(self, interface_name, changed_properties,
1055
1492
invalidated_properties):
1057
1494
standard.
1058
1495
"""
1059
1496
pass
1060
1497
1061
1498
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1499
out_signature="s",
1063
1500
path_keyword='object_path',
1064
1501
connection_keyword='connection')
1065
1502
def Introspect(self, object_path, connection):
1066
1503
"""Overloading of standard D-Bus method.
1067
1504
1068
1505
Inserts property tags and interface annotation tags.
1069
1506
"""
1070
1507
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1509
connection)
1073
1510
try:
1074
1511
document = xml.dom.minidom.parseString(xmlstring)
1075
1512
1076
1513
def make_tag(document, name, prop):
1077
1514
e = document.createElement("property")
1078
1515
e.setAttribute("name", name)
1079
1516
e.setAttribute("type", prop._dbus_signature)
1080
1517
e.setAttribute("access", prop._dbus_access)
1081
1518
return e
1082
1519
1083
1520
for if_tag in document.getElementsByTagName("interface"):
1084
1521
# Add property tags
1085
1522
for tag in (make_tag(document, name, prop)
1127
1564
exc_info=error)
1128
1565
return xmlstring
1129
1566
1567
1130
1568
try:
1131
1569
dbus.OBJECT_MANAGER_IFACE
1132
1570
except AttributeError:
1133
1571
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1572
1573
1135
1574
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1575
"""A D-Bus object with an ObjectManager.
1137
1576
1138
1577
Classes inheriting from this exposes the standard
1139
1578
GetManagedObjects call and the InterfacesAdded and
1140
1579
InterfacesRemoved signals on the standard
1141
1580
"org.freedesktop.DBus.ObjectManager" interface.
1142
1581
1143
1582
Note: No signals are sent automatically; they must be sent
1144
1583
manually.
1145
1584
"""
1146
1585
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1586
out_signature="a{oa{sa{sv}}}")
1148
1587
def GetManagedObjects(self):
1149
1588
"""This function must be overridden"""
1150
1589
raise NotImplementedError()
1151
1590
1152
1591
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1592
signature="oa{sa{sv}}")
1154
1593
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1594
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1595
1596
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1597
def InterfacesRemoved(self, object_path, interfaces):
1159
1598
pass
1160
1599
1161
1600
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1601
out_signature="s",
1602
path_keyword='object_path',
1603
connection_keyword='connection')
1165
1604
def Introspect(self, object_path, connection):
1166
1605
"""Overloading of standard D-Bus method.
1167
1606
1168
1607
Override return argument name of GetManagedObjects to be
1169
1608
"objpath_interfaces_and_properties"
1170
1609
"""
1173
1612
connection)
1174
1613
try:
1175
1614
document = xml.dom.minidom.parseString(xmlstring)
1176
1615
1177
1616
for if_tag in document.getElementsByTagName("interface"):
1178
1617
# Fix argument name for the GetManagedObjects method
1179
1618
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1619
== dbus.OBJECT_MANAGER_IFACE):
1181
1620
for cn in if_tag.getElementsByTagName("method"):
1182
1621
if (cn.getAttribute("name")
1183
1622
== "GetManagedObjects"):
1193
1632
except (AttributeError, xml.dom.DOMException,
1194
1633
xml.parsers.expat.ExpatError) as error:
1195
1634
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1635
exc_info=error)
1197
1636
return xmlstring
1198
1637
1638
1199
1639
def datetime_to_dbus(dt, variant_level=0):
1200
1640
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1641
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1642
return dbus.String("", variant_level=variant_level)
1203
1643
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1644
1205
1645
1208
1648
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1649
interface names according to the "alt_interface_names" mapping.
1210
1650
Usage:
1211
1651
1212
1652
@alternate_dbus_interfaces({"org.example.Interface":
1213
1653
"net.example.AlternateInterface"})
1214
1654
class SampleDBusObject(dbus.service.Object):
1215
1655
@dbus.service.method("org.example.Interface")
1216
1656
def SampleDBusMethod():
1217
1657
pass
1218
1658
1219
1659
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1660
reachable via two interfaces: "org.example.Interface" and
1221
1661
"net.example.AlternateInterface", the latter of which will have
1222
1662
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1663
"true", unless "deprecate" is passed with a False value.
1224
1664
1225
1665
This works for methods and signals, and also for D-Bus properties
1226
1666
(from DBusObjectWithProperties) and interfaces (from the
1227
1667
dbus_interface_annotations decorator).
1228
1668
"""
1229
1669
1230
1670
def wrapper(cls):
1231
1671
for orig_interface_name, alt_interface_name in (
1232
1672
alt_interface_names.items()):
1247
1687
interface_names.add(alt_interface)
1248
1688
# Is this a D-Bus signal?
1249
1689
if getattr(attribute, "_dbus_is_signal", False):
1690
# Extract the original non-method undecorated
1691
# function by black magic
1250
1692
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1693
nonmethod_func = (dict(
1254
1694
zip(attribute.func_code.co_freevars,
1255
1695
attribute.__closure__))
1256
1696
["func"].cell_contents)
1257
1697
else:
1258
nonmethod_func = attribute
1698
nonmethod_func = (dict(
1699
zip(attribute.__code__.co_freevars,
1700
attribute.__closure__))
1701
["func"].cell_contents)
1259
1702
# Create a new, but exactly alike, function
1260
1703
# object, and decorate it to be a new D-Bus signal
1261
1704
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1705
new_function = copy_function(nonmethod_func)
1276
1706
new_function = (dbus.service.signal(
1277
1707
alt_interface,
1278
1708
attribute._dbus_signature)(new_function))
1282
1712
attribute._dbus_annotations)
1283
1713
except AttributeError:
1284
1714
pass
1715
1285
1716
# Define a creator of a function to call both the
1286
1717
# original and alternate functions, so both the
1287
1718
# original and alternate signals gets sent when
1290
1721
"""This function is a scope container to pass
1291
1722
func1 and func2 to the "call_both" function
1292
1723
outside of its arguments"""
1293
1724
1294
1725
@functools.wraps(func2)
1295
1726
def call_both(*args, **kwargs):
1296
1727
"""This function will emit two D-Bus
1297
1728
signals by calling func1 and func2"""
1298
1729
func1(*args, **kwargs)
1299
1730
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1731
# Make wrapper function look like a D-Bus
1732
# signal
1301
1733
for name, attr in inspect.getmembers(func2):
1302
1734
if name.startswith("_dbus_"):
1303
1735
setattr(call_both, name, attr)
1304
1736
1305
1737
return call_both
1306
1738
# Create the "call_both" function and add it to
1307
1739
# the class
1317
1749
alt_interface,
1318
1750
attribute._dbus_in_signature,
1319
1751
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1752
(copy_function(attribute)))
1325
1753
# Copy annotations, if any
1326
1754
try:
1327
1755
attr[attrname]._dbus_annotations = dict(
1339
1767
attribute._dbus_access,
1340
1768
attribute._dbus_get_args_options
1341
1769
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1770
(copy_function(attribute)))
1348
1771
# Copy annotations, if any
1349
1772
try:
1350
1773
attr[attrname]._dbus_annotations = dict(
1359
1782
# to the class.
1360
1783
attr[attrname] = (
1361
1784
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1785
(copy_function(attribute)))
1367
1786
if deprecate:
1368
1787
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1788
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1789
for interface_name in interface_names:
1371
1790
1372
1791
@dbus_interface_annotations(interface_name)
1373
1792
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1793
return {"org.freedesktop.DBus.Deprecated":
1794
"true"}
1376
1795
# Find an unused name
1377
1796
for aname in (iname.format(i)
1378
1797
for i in itertools.count()):
1382
1801
if interface_names:
1383
1802
# Replace the class with a new subclass of it with
1384
1803
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1804
if sys.version_info.major == 2:
1805
cls = type(b"{}Alternate".format(cls.__name__),
1806
(cls, ), attr)
1807
else:
1808
cls = type("{}Alternate".format(cls.__name__),
1809
(cls, ), attr)
1387
1810
return cls
1388
1811
1389
1812
return wrapper
1390
1813
1391
1814
1393
1816
"se.bsnet.fukt.Mandos"})
1394
1817
class ClientDBus(Client, DBusObjectWithProperties):
1395
1818
"""A Client class using D-Bus
1396
1819
1397
1820
Attributes:
1398
1821
dbus_object_path: dbus.ObjectPath
1399
1822
bus: dbus.SystemBus()
1400
1823
"""
1401
1824
1402
1825
runtime_expansions = (Client.runtime_expansions
1403
1826
+ ("dbus_object_path", ))
1404
1827
1405
1828
_interface = "se.recompile.Mandos.Client"
1406
1829
1407
1830
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1831
1832
def __init__(self, bus=None, *args, **kwargs):
1410
1833
self.bus = bus
1411
1834
Client.__init__(self, *args, **kwargs)
1412
1835
# Only now, when this client is initialized, can it show up on
1418
1841
"/clients/" + client_object_name)
1419
1842
DBusObjectWithProperties.__init__(self, self.bus,
1420
1843
self.dbus_object_path)
1421
1844
1422
1845
def notifychangeproperty(transform_func, dbus_name,
1423
1846
type_func=lambda x: x,
1424
1847
variant_level=1,
1426
1849
_interface=_interface):
1427
1850
""" Modify a variable so that it's a property which announces
1428
1851
its changes to DBus.
1429
1852
1430
1853
transform_fun: Function that takes a value and a variant_level
1431
1854
and transforms it to a D-Bus type.
1432
1855
dbus_name: D-Bus name of the variable
1435
1858
variant_level: D-Bus variant level. Default: 1
1436
1859
"""
1437
1860
attrname = "_{}".format(dbus_name)
1438
1861
1439
1862
def setter(self, value):
1440
1863
if hasattr(self, "dbus_object_path"):
1441
1864
if (not hasattr(self, attrname) or
1448
1871
else:
1449
1872
dbus_value = transform_func(
1450
1873
type_func(value),
1451
variant_level = variant_level)
1874
variant_level=variant_level)
1452
1875
self.PropertyChanged(dbus.String(dbus_name),
1453
1876
dbus_value)
1454
1877
self.PropertiesChanged(
1455
1878
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1879
dbus.Dictionary({dbus.String(dbus_name):
1880
dbus_value}),
1458
1881
dbus.Array())
1459
1882
setattr(self, attrname, value)
1460
1883
1461
1884
return property(lambda self: getattr(self, attrname), setter)
1462
1885
1463
1886
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1887
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1888
"ApprovalPending",
1466
type_func = bool)
1889
type_func=bool)
1467
1890
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1891
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1892
"LastEnabled")
1470
1893
checker = notifychangeproperty(
1471
1894
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1895
type_func=lambda checker: checker is not None)
1473
1896
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1897
"LastCheckedOK")
1475
1898
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1903
"ApprovedByDefault")
1481
1904
approval_delay = notifychangeproperty(
1482
1905
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1906
type_func=lambda td: td.total_seconds() * 1000)
1484
1907
approval_duration = notifychangeproperty(
1485
1908
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1909
type_func=lambda td: td.total_seconds() * 1000)
1487
1910
host = notifychangeproperty(dbus.String, "Host")
1488
1911
timeout = notifychangeproperty(
1489
1912
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1913
type_func=lambda td: td.total_seconds() * 1000)
1491
1914
extended_timeout = notifychangeproperty(
1492
1915
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1916
type_func=lambda td: td.total_seconds() * 1000)
1494
1917
interval = notifychangeproperty(
1495
1918
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1919
type_func=lambda td: td.total_seconds() * 1000)
1497
1920
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1921
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1922
invalidate_only=True)
1500
1923
1501
1924
del notifychangeproperty
1502
1925
1503
1926
def __del__(self, *args, **kwargs):
1504
1927
try:
1505
1928
self.remove_from_connection()
1508
1931
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1932
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1933
Client.__del__(self, *args, **kwargs)
1511
1934
1512
1935
def checker_callback(self, source, condition,
1513
1936
connection, command, *args, **kwargs):
1514
1937
ret = Client.checker_callback(self, source, condition,
1530
1953
| self.last_checker_signal),
1531
1954
dbus.String(command))
1532
1955
return ret
1533
1956
1534
1957
def start_checker(self, *args, **kwargs):
1535
1958
old_checker_pid = getattr(self.checker, "pid", None)
1536
1959
r = Client.start_checker(self, *args, **kwargs)
1540
1963
# Emit D-Bus signal
1541
1964
self.CheckerStarted(self.current_checker_command)
1542
1965
return r
1543
1966
1544
1967
def _reset_approved(self):
1545
1968
self.approved = None
1546
1969
return False
1547
1970
1548
1971
def approve(self, value=True):
1549
1972
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1973
GLib.timeout_add(int(self.approval_duration.total_seconds()
1974
* 1000), self._reset_approved)
1552
1975
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1976
1977
# D-Bus methods, signals & properties
1978
1979
# Interfaces
1980
1981
# Signals
1982
1560
1983
# CheckerCompleted - signal
1561
1984
@dbus.service.signal(_interface, signature="nxs")
1562
1985
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1986
"D-Bus signal"
1564
1987
pass
1565
1988
1566
1989
# CheckerStarted - signal
1567
1990
@dbus.service.signal(_interface, signature="s")
1568
1991
def CheckerStarted(self, command):
1569
1992
"D-Bus signal"
1570
1993
pass
1571
1994
1572
1995
# PropertyChanged - signal
1573
1996
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1997
@dbus.service.signal(_interface, signature="sv")
1575
1998
def PropertyChanged(self, property, value):
1576
1999
"D-Bus signal"
1577
2000
pass
1578
2001
1579
2002
# GotSecret - signal
1580
2003
@dbus.service.signal(_interface)
1581
2004
def GotSecret(self):
1584
2007
server to mandos-client
1585
2008
"""
1586
2009
pass
1587
2010
1588
2011
# Rejected - signal
1589
2012
@dbus.service.signal(_interface, signature="s")
1590
2013
def Rejected(self, reason):
1591
2014
"D-Bus signal"
1592
2015
pass
1593
2016
1594
2017
# NeedApproval - signal
1595
2018
@dbus.service.signal(_interface, signature="tb")
1596
2019
def NeedApproval(self, timeout, default):
1597
2020
"D-Bus signal"
1598
2021
return self.need_approval()
1599
1600
## Methods
1601
2022
2023
# Methods
2024
1602
2025
# Approve - method
1603
2026
@dbus.service.method(_interface, in_signature="b")
1604
2027
def Approve(self, value):
1605
2028
self.approve(value)
1606
2029
1607
2030
# CheckedOK - method
1608
2031
@dbus.service.method(_interface)
1609
2032
def CheckedOK(self):
1610
2033
self.checked_ok()
1611
2034
1612
2035
# Enable - method
1613
2036
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
2037
@dbus.service.method(_interface)
1615
2038
def Enable(self):
1616
2039
"D-Bus method"
1617
2040
self.enable()
1618
2041
1619
2042
# StartChecker - method
1620
2043
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
2044
@dbus.service.method(_interface)
1622
2045
def StartChecker(self):
1623
2046
"D-Bus method"
1624
2047
self.start_checker()
1625
2048
1626
2049
# Disable - method
1627
2050
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
2051
@dbus.service.method(_interface)
1629
2052
def Disable(self):
1630
2053
"D-Bus method"
1631
2054
self.disable()
1632
2055
1633
2056
# StopChecker - method
1634
2057
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
2058
@dbus.service.method(_interface)
1636
2059
def StopChecker(self):
1637
2060
self.stop_checker()
1638
1639
## Properties
1640
2061
2062
# Properties
2063
1641
2064
# ApprovalPending - property
1642
2065
@dbus_service_property(_interface, signature="b", access="read")
1643
2066
def ApprovalPending_dbus_property(self):
1644
2067
return dbus.Boolean(bool(self.approvals_pending))
1645
2068
1646
2069
# ApprovedByDefault - property
1647
2070
@dbus_service_property(_interface,
1648
2071
signature="b",
1651
2074
if value is None: # get
1652
2075
return dbus.Boolean(self.approved_by_default)
1653
2076
self.approved_by_default = bool(value)
1654
2077
1655
2078
# ApprovalDelay - property
1656
2079
@dbus_service_property(_interface,
1657
2080
signature="t",
1661
2084
return dbus.UInt64(self.approval_delay.total_seconds()
1662
2085
* 1000)
1663
2086
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
2087
1665
2088
# ApprovalDuration - property
1666
2089
@dbus_service_property(_interface,
1667
2090
signature="t",
1671
2094
return dbus.UInt64(self.approval_duration.total_seconds()
1672
2095
* 1000)
1673
2096
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
2097
1675
2098
# Name - property
1676
2099
@dbus_annotations(
1677
2100
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
2101
@dbus_service_property(_interface, signature="s", access="read")
1679
2102
def Name_dbus_property(self):
1680
2103
return dbus.String(self.name)
1681
2104
2105
# KeyID - property
2106
@dbus_annotations(
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2108
@dbus_service_property(_interface, signature="s", access="read")
2109
def KeyID_dbus_property(self):
2110
return dbus.String(self.key_id)
2111
1682
2112
# Fingerprint - property
1683
2113
@dbus_annotations(
1684
2114
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2115
@dbus_service_property(_interface, signature="s", access="read")
1686
2116
def Fingerprint_dbus_property(self):
1687
2117
return dbus.String(self.fingerprint)
1688
2118
1689
2119
# Host - property
1690
2120
@dbus_service_property(_interface,
1691
2121
signature="s",
1694
2124
if value is None: # get
1695
2125
return dbus.String(self.host)
1696
2126
self.host = str(value)
1697
2127
1698
2128
# Created - property
1699
2129
@dbus_annotations(
1700
2130
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2131
@dbus_service_property(_interface, signature="s", access="read")
1702
2132
def Created_dbus_property(self):
1703
2133
return datetime_to_dbus(self.created)
1704
2134
1705
2135
# LastEnabled - property
1706
2136
@dbus_service_property(_interface, signature="s", access="read")
1707
2137
def LastEnabled_dbus_property(self):
1708
2138
return datetime_to_dbus(self.last_enabled)
1709
2139
1710
2140
# Enabled - property
1711
2141
@dbus_service_property(_interface,
1712
2142
signature="b",
1718
2148
self.enable()
1719
2149
else:
1720
2150
self.disable()
1721
2151
1722
2152
# LastCheckedOK - property
1723
2153
@dbus_service_property(_interface,
1724
2154
signature="s",
1728
2158
self.checked_ok()
1729
2159
return
1730
2160
return datetime_to_dbus(self.last_checked_ok)
1731
2161
1732
2162
# LastCheckerStatus - property
1733
2163
@dbus_service_property(_interface, signature="n", access="read")
1734
2164
def LastCheckerStatus_dbus_property(self):
1735
2165
return dbus.Int16(self.last_checker_status)
1736
2166
1737
2167
# Expires - property
1738
2168
@dbus_service_property(_interface, signature="s", access="read")
1739
2169
def Expires_dbus_property(self):
1740
2170
return datetime_to_dbus(self.expires)
1741
2171
1742
2172
# LastApprovalRequest - property
1743
2173
@dbus_service_property(_interface, signature="s", access="read")
1744
2174
def LastApprovalRequest_dbus_property(self):
1745
2175
return datetime_to_dbus(self.last_approval_request)
1746
2176
1747
2177
# Timeout - property
1748
2178
@dbus_service_property(_interface,
1749
2179
signature="t",
1764
2194
if (getattr(self, "disable_initiator_tag", None)
1765
2195
is None):
1766
2196
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2197
GLib.source_remove(self.disable_initiator_tag)
2198
self.disable_initiator_tag = GLib.timeout_add(
1769
2199
int((self.expires - now).total_seconds() * 1000),
1770
2200
self.disable)
1771
2201
1772
2202
# ExtendedTimeout - property
1773
2203
@dbus_service_property(_interface,
1774
2204
signature="t",
1778
2208
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2209
* 1000)
1780
2210
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2211
1782
2212
# Interval - property
1783
2213
@dbus_service_property(_interface,
1784
2214
signature="t",
1791
2221
return
1792
2222
if self.enabled:
1793
2223
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2224
GLib.source_remove(self.checker_initiator_tag)
2225
self.checker_initiator_tag = GLib.timeout_add(
1796
2226
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2227
self.start_checker() # Start one now, too
2228
1799
2229
# Checker - property
1800
2230
@dbus_service_property(_interface,
1801
2231
signature="s",
1804
2234
if value is None: # get
1805
2235
return dbus.String(self.checker_command)
1806
2236
self.checker_command = str(value)
1807
2237
1808
2238
# CheckerRunning - property
1809
2239
@dbus_service_property(_interface,
1810
2240
signature="b",
1816
2246
self.start_checker()
1817
2247
else:
1818
2248
self.stop_checker()
1819
2249
1820
2250
# ObjectPath - property
1821
2251
@dbus_annotations(
1822
2252
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2253
"org.freedesktop.DBus.Deprecated": "true"})
1824
2254
@dbus_service_property(_interface, signature="o", access="read")
1825
2255
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2256
return self.dbus_object_path # is already a dbus.ObjectPath
2257
1828
2258
# Secret = property
1829
2259
@dbus_annotations(
1830
2260
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2265
byte_arrays=True)
1836
2266
def Secret_dbus_property(self, value):
1837
2267
self.secret = bytes(value)
1838
2268
1839
2269
del _interface
1840
2270
1841
2271
1842
class ProxyClient(object):
1843
def __init__(self, child_pipe, fpr, address):
2272
class ProxyClient:
2273
def __init__(self, child_pipe, key_id, fpr, address):
1844
2274
self._pipe = child_pipe
1845
self._pipe.send(('init', fpr, address))
2275
self._pipe.send(('init', key_id, fpr, address))
1846
2276
if not self._pipe.recv():
1847
raise KeyError(fpr)
1848
2277
raise KeyError(key_id or fpr)
2278
1849
2279
def __getattribute__(self, name):
1850
2280
if name == '_pipe':
1851
2281
return super(ProxyClient, self).__getattribute__(name)
1854
2284
if data[0] == 'data':
1855
2285
return data[1]
1856
2286
if data[0] == 'function':
1857
2287
1858
2288
def func(*args, **kwargs):
1859
2289
self._pipe.send(('funcall', name, args, kwargs))
1860
2290
return self._pipe.recv()[1]
1861
2291
1862
2292
return func
1863
2293
1864
2294
def __setattr__(self, name, value):
1865
2295
if name == '_pipe':
1866
2296
return super(ProxyClient, self).__setattr__(name, value)
1869
2299
1870
2300
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2301
"""A class to handle client connections.
1872
2302
1873
2303
Instantiated once for each connection to handle it.
1874
2304
Note: This will run in its own forked process."""
1875
2305
1876
2306
def handle(self):
1877
2307
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2308
logger.info("TCP connection from: %s",
1879
2309
str(self.client_address))
1880
2310
logger.debug("Pipe FD: %d",
1881
2311
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2312
2313
session = gnutls.ClientSession(self.request)
2314
2315
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2316
# "+AES-256-CBC", "+SHA1",
2317
# "+COMP-NULL", "+CTYPE-OPENPGP",
2318
# "+DHE-DSS"))
1895
2319
# Use a fallback default, since this MUST be set.
1896
2320
priority = self.server.gnutls_priority
1897
2321
if priority is None:
1898
2322
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2323
gnutls.priority_set_direct(session,
2324
priority.encode("utf-8"), None)
2325
1902
2326
# Start communication using the Mandos protocol
1903
2327
# Get protocol number
1904
2328
line = self.request.makefile().readline()
1909
2333
except (ValueError, IndexError, RuntimeError) as error:
1910
2334
logger.error("Unknown protocol version: %s", error)
1911
2335
return
1912
2336
1913
2337
# Start GnuTLS connection
1914
2338
try:
1915
2339
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2340
except gnutls.Error as error:
1917
2341
logger.warning("Handshake failed: %s", error)
1918
2342
# Do not run session.bye() here: the session is not
1919
2343
# established. Just abandon the request.
1920
2344
return
1921
2345
logger.debug("Handshake succeeded")
1922
2346
1923
2347
approval_required = False
1924
2348
try:
1925
try:
1926
fpr = self.fingerprint(
1927
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
1930
logger.warning("Bad certificate: %s", error)
1931
return
1932
logger.debug("Fingerprint: %s", fpr)
1933
1934
try:
1935
client = ProxyClient(child_pipe, fpr,
2349
if gnutls.has_rawpk:
2350
fpr = b""
2351
try:
2352
key_id = self.key_id(
2353
self.peer_certificate(session))
2354
except (TypeError, gnutls.Error) as error:
2355
logger.warning("Bad certificate: %s", error)
2356
return
2357
logger.debug("Key ID: %s",
2358
key_id.decode("utf-8",
2359
errors="replace"))
2360
2361
else:
2362
key_id = b""
2363
try:
2364
fpr = self.fingerprint(
2365
self.peer_certificate(session))
2366
except (TypeError, gnutls.Error) as error:
2367
logger.warning("Bad certificate: %s", error)
2368
return
2369
logger.debug("Fingerprint: %s", fpr)
2370
2371
try:
2372
client = ProxyClient(child_pipe, key_id, fpr,
1936
2373
self.client_address)
1937
2374
except KeyError:
1938
2375
return
1939
2376
1940
2377
if client.approval_delay:
1941
2378
delay = client.approval_delay
1942
2379
client.approvals_pending += 1
1943
2380
approval_required = True
1944
2381
1945
2382
while True:
1946
2383
if not client.enabled:
1947
2384
logger.info("Client %s is disabled",
1950
2387
# Emit D-Bus signal
1951
2388
client.Rejected("Disabled")
1952
2389
return
1953
2390
1954
2391
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2392
# We are approved or approval is disabled
1956
2393
break
1957
2394
elif client.approved is None:
1958
2395
logger.info("Client %s needs approval",
1969
2406
# Emit D-Bus signal
1970
2407
client.Rejected("Denied")
1971
2408
return
1972
1973
#wait until timeout or approved
2409
2410
# wait until timeout or approved
1974
2411
time = datetime.datetime.now()
1975
2412
client.changedstate.acquire()
1976
2413
client.changedstate.wait(delay.total_seconds())
1989
2426
break
1990
2427
else:
1991
2428
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2429
2430
try:
2431
session.send(client.secret)
2432
except gnutls.Error as error:
2433
logger.warning("gnutls send failed",
2434
exc_info=error)
2435
return
2436
2006
2437
logger.info("Sending secret to %s", client.name)
2007
2438
# bump the timeout using extended_timeout
2008
2439
client.bump_timeout(client.extended_timeout)
2009
2440
if self.server.use_dbus:
2010
2441
# Emit D-Bus signal
2011
2442
client.GotSecret()
2012
2443
2013
2444
finally:
2014
2445
if approval_required:
2015
2446
client.approvals_pending -= 1
2016
2447
try:
2017
2448
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2449
except gnutls.Error as error:
2019
2450
logger.warning("GnuTLS bye failed",
2020
2451
exc_info=error)
2021
2452
2022
2453
@staticmethod
2023
2454
def peer_certificate(session):
2024
"Return the peer's OpenPGP certificate as a bytestring"
2025
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2455
"Return the peer's certificate as a bytestring"
2456
try:
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2463
else:
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2468
valid_cert_types)
2469
# ...return invalid data
2470
return b""
2031
2471
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2034
(session._c_object, ctypes.byref(list_size)))
2472
cert_list = (gnutls.certificate_get_peers
2473
(session, ctypes.byref(list_size)))
2035
2474
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2475
raise gnutls.Error("error getting peer certificate")
2038
2476
if list_size.value == 0:
2039
2477
return None
2040
2478
cert = cert_list[0]
2041
2479
return ctypes.string_at(cert.data, cert.size)
2042
2480
2481
@staticmethod
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2502
pubkey,
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2509
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2514
return hex_key_id
2515
2043
2516
@staticmethod
2044
2517
def fingerprint(openpgp):
2045
2518
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2519
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2520
datum = gnutls.datum_t(
2048
2521
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2522
ctypes.POINTER(ctypes.c_ubyte)),
2050
2523
ctypes.c_uint(len(openpgp)))
2051
2524
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2525
crt = gnutls.openpgp_crt_t()
2526
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2527
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2528
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2529
gnutls.OPENPGP_FMT_RAW)
2059
2530
# Verify the self signature in the key
2060
2531
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2532
gnutls.openpgp_crt_verify_self(crt, 0,
2533
ctypes.byref(crtverify))
2063
2534
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2535
gnutls.openpgp_crt_deinit(crt)
2536
raise gnutls.CertificateSecurityError(code
2537
=crtverify.value)
2067
2538
# New buffer for the fingerprint
2068
2539
buf = ctypes.create_string_buffer(20)
2069
2540
buf_len = ctypes.c_size_t()
2070
2541
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2542
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2543
ctypes.byref(buf_len))
2073
2544
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2545
gnutls.openpgp_crt_deinit(crt)
2075
2546
# Convert the buffer to a Python bytestring
2076
2547
fpr = ctypes.string_at(buf, buf_len.value)
2077
2548
# Convert the bytestring to hexadecimal notation
2079
2550
return hex_fpr
2080
2551
2081
2552
2082
class MultiprocessingMixIn(object):
2553
class MultiprocessingMixIn:
2083
2554
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2555
2085
2556
def sub_process_main(self, request, address):
2086
2557
try:
2087
2558
self.finish_request(request, address)
2088
2559
except Exception:
2089
2560
self.handle_error(request, address)
2090
2561
self.close_request(request)
2091
2562
2092
2563
def process_request(self, request, address):
2093
2564
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2565
proc = multiprocessing.Process(target=self.sub_process_main,
2566
args=(request, address))
2096
2567
proc.start()
2097
2568
return proc
2098
2569
2099
2570
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2571
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2101
2572
""" adds a pipe to the MixIn """
2102
2573
2103
2574
def process_request(self, request, client_address):
2104
2575
"""Overrides and wraps the original process_request().
2105
2576
2106
2577
This function creates a new pipe in self.pipe
2107
2578
"""
2108
2579
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2580
2110
2581
proc = MultiprocessingMixIn.process_request(self, request,
2111
2582
client_address)
2112
2583
self.child_pipe.close()
2113
2584
self.add_pipe(parent_pipe, proc)
2114
2585
2115
2586
def add_pipe(self, parent_pipe, proc):
2116
2587
"""Dummy function; override as necessary"""
2117
2588
raise NotImplementedError()
2118
2589
2119
2590
2120
2591
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
socketserver.TCPServer, object):
2592
socketserver.TCPServer):
2122
2593
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2594
2124
2595
Attributes:
2125
2596
enabled: Boolean; whether this server is activated yet
2126
2597
interface: None or a network interface name (string)
2127
2598
use_ipv6: Boolean; to use IPv6 or not
2128
2599
"""
2129
2600
2130
2601
def __init__(self, server_address, RequestHandlerClass,
2131
2602
interface=None,
2132
2603
use_ipv6=True,
2142
2613
self.socketfd = socketfd
2143
2614
# Save the original socket.socket() function
2144
2615
self.socket_socket = socket.socket
2616
2145
2617
# To implement --socket, we monkey patch socket.socket.
2146
#
2618
#
2147
2619
# (When socketserver.TCPServer is a new-style class, we
2148
2620
# could make self.socket into a property instead of monkey
2149
2621
# patching socket.socket.)
2150
#
2622
#
2151
2623
# Create a one-time-only replacement for socket.socket()
2152
2624
@functools.wraps(socket.socket)
2153
2625
def socket_wrapper(*args, **kwargs):
2165
2637
# socket_wrapper(), if socketfd was set.
2166
2638
socketserver.TCPServer.__init__(self, server_address,
2167
2639
RequestHandlerClass)
2168
2640
2169
2641
def server_bind(self):
2170
2642
"""This overrides the normal server_bind() function
2171
2643
to bind to an interface if one was specified, and also NOT to
2172
2644
bind to an address or port if they were not specified."""
2645
global SO_BINDTODEVICE
2173
2646
if self.interface is not None:
2174
2647
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2648
# Fall back to a hard-coded value which seems to be
2649
# common enough.
2650
logger.warning("SO_BINDTODEVICE not found, trying 25")
2651
SO_BINDTODEVICE = 25
2652
try:
2653
self.socket.setsockopt(
2654
socket.SOL_SOCKET, SO_BINDTODEVICE,
2655
(self.interface + "\0").encode("utf-8"))
2656
except socket.error as error:
2657
if error.errno == errno.EPERM:
2658
logger.error("No permission to bind to"
2659
" interface %s", self.interface)
2660
elif error.errno == errno.ENOPROTOOPT:
2661
logger.error("SO_BINDTODEVICE not available;"
2662
" cannot bind to interface %s",
2663
self.interface)
2664
elif error.errno == errno.ENODEV:
2665
logger.error("Interface %s does not exist,"
2666
" cannot bind", self.interface)
2667
else:
2668
raise
2196
2669
# Only bind(2) the socket if we really need to.
2197
2670
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2198
2673
if not self.server_address[0]:
2199
2674
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2675
any_address = "::" # in6addr_any
2201
2676
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2677
any_address = "0.0.0.0" # INADDR_ANY
2203
2678
self.server_address = (any_address,
2204
2679
self.server_address[1])
2205
2680
elif not self.server_address[1]:
2215
2690
2216
2691
class MandosServer(IPv6_TCPServer):
2217
2692
"""Mandos server.
2218
2693
2219
2694
Attributes:
2220
2695
clients: set of Client objects
2221
2696
gnutls_priority GnuTLS priority string
2222
2697
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2698
2699
Assumes a GLib.MainLoop event loop.
2225
2700
"""
2226
2701
2227
2702
def __init__(self, server_address, RequestHandlerClass,
2228
2703
interface=None,
2229
2704
use_ipv6=True,
2239
2714
self.gnutls_priority = gnutls_priority
2240
2715
IPv6_TCPServer.__init__(self, server_address,
2241
2716
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2717
interface=interface,
2718
use_ipv6=use_ipv6,
2719
socketfd=socketfd)
2720
2246
2721
def server_activate(self):
2247
2722
if self.enabled:
2248
2723
return socketserver.TCPServer.server_activate(self)
2249
2724
2250
2725
def enable(self):
2251
2726
self.enabled = True
2252
2727
2253
2728
def add_pipe(self, parent_pipe, proc):
2254
2729
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2256
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2730
GLib.io_add_watch(
2731
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2732
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2258
2733
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2734
parent_pipe=parent_pipe,
2735
proc=proc))
2736
2262
2737
def handle_ipc(self, source, condition,
2263
2738
parent_pipe=None,
2264
proc = None,
2739
proc=None,
2265
2740
client_object=None):
2266
2741
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2742
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2743
# Wait for other process to exit
2269
2744
proc.join()
2270
2745
return False
2271
2746
2272
2747
# Read a request from the child
2273
2748
request = parent_pipe.recv()
2274
2749
command = request[0]
2275
2750
2276
2751
if command == 'init':
2277
fpr = request[1]
2278
address = request[2]
2279
2280
for c in self.clients.itervalues():
2281
if c.fingerprint == fpr:
2752
key_id = request[1].decode("ascii")
2753
fpr = request[2].decode("ascii")
2754
address = request[3]
2755
2756
for c in self.clients.values():
2757
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2758
"27AE41E4649B934CA495991B7852B855"):
2759
continue
2760
if key_id and c.key_id == key_id:
2761
client = c
2762
break
2763
if fpr and c.fingerprint == fpr:
2282
2764
client = c
2283
2765
break
2284
2766
else:
2285
logger.info("Client not found for fingerprint: %s, ad"
2286
"dress: %s", fpr, address)
2767
logger.info("Client not found for key ID: %s, address"
2768
": %s", key_id or fpr, address)
2287
2769
if self.use_dbus:
2288
2770
# Emit D-Bus signal
2289
mandos_dbus_service.ClientNotFound(fpr,
2771
mandos_dbus_service.ClientNotFound(key_id or fpr,
2290
2772
address[0])
2291
2773
parent_pipe.send(False)
2292
2774
return False
2293
2294
gobject.io_add_watch(
2295
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2775
2776
GLib.io_add_watch(
2777
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2778
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2297
2779
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2780
parent_pipe=parent_pipe,
2781
proc=proc,
2782
client_object=client))
2301
2783
parent_pipe.send(True)
2302
2784
# remove the old hook in favor of the new above hook on
2303
2785
# same fileno
2306
2788
funcname = request[1]
2307
2789
args = request[2]
2308
2790
kwargs = request[3]
2309
2791
2310
2792
parent_pipe.send(('data', getattr(client_object,
2311
2793
funcname)(*args,
2312
2794
**kwargs)))
2313
2795
2314
2796
if command == 'getattr':
2315
2797
attrname = request[1]
2316
2798
if isinstance(client_object.__getattribute__(attrname),
2317
collections.Callable):
2799
collections.abc.Callable):
2318
2800
parent_pipe.send(('function', ))
2319
2801
else:
2320
2802
parent_pipe.send((
2321
2803
'data', client_object.__getattribute__(attrname)))
2322
2804
2323
2805
if command == 'setattr':
2324
2806
attrname = request[1]
2325
2807
value = request[2]
2326
2808
setattr(client_object, attrname, value)
2327
2809
2328
2810
return True
2329
2811
2330
2812
2331
2813
def rfc3339_duration_to_delta(duration):
2332
2814
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2334
>>> rfc3339_duration_to_delta("P7D")
2335
datetime.timedelta(7)
2336
>>> rfc3339_duration_to_delta("PT60S")
2337
datetime.timedelta(0, 60)
2338
>>> rfc3339_duration_to_delta("PT60M")
2339
datetime.timedelta(0, 3600)
2340
>>> rfc3339_duration_to_delta("PT24H")
2341
datetime.timedelta(1)
2342
>>> rfc3339_duration_to_delta("P1W")
2343
datetime.timedelta(7)
2344
>>> rfc3339_duration_to_delta("PT5M30S")
2345
datetime.timedelta(0, 330)
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
datetime.timedelta(1, 200)
2815
2816
>>> timedelta = datetime.timedelta
2817
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2818
True
2819
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2820
True
2821
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2822
True
2823
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2824
True
2825
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2826
True
2827
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2828
True
2829
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2830
True
2831
>>> del timedelta
2348
2832
"""
2349
2833
2350
2834
# Parsing an RFC 3339 duration with regular expressions is not
2351
2835
# possible - there would have to be multiple places for the same
2352
2836
# values, like seconds. The current code, while more esoteric, is
2353
2837
# cleaner without depending on a parsing library. If Python had a
2354
2838
# built-in library for parsing we would use it, but we'd like to
2355
2839
# avoid excessive use of external libraries.
2356
2840
2357
2841
# New type for defining tokens, syntax, and semantics all-in-one
2358
2842
Token = collections.namedtuple("Token", (
2359
2843
"regexp", # To match token; if "value" is not None, must have
2392
2876
frozenset((token_year, token_month,
2393
2877
token_day, token_time,
2394
2878
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2879
# Define starting values:
2880
# Value so far
2881
value = datetime.timedelta()
2397
2882
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2883
# Following valid tokens
2884
followers = frozenset((token_duration, ))
2885
# String left to parse
2886
s = duration
2400
2887
# Loop until end token is found
2401
2888
while found_token is not token_end:
2402
2889
# Search for any currently valid tokens
2426
2913
2427
2914
def string_to_delta(interval):
2428
2915
"""Parse a string and return a datetime.timedelta
2429
2430
>>> string_to_delta('7d')
2431
datetime.timedelta(7)
2432
>>> string_to_delta('60s')
2433
datetime.timedelta(0, 60)
2434
>>> string_to_delta('60m')
2435
datetime.timedelta(0, 3600)
2436
>>> string_to_delta('24h')
2437
datetime.timedelta(1)
2438
>>> string_to_delta('1w')
2439
datetime.timedelta(7)
2440
>>> string_to_delta('5m 30s')
2441
datetime.timedelta(0, 330)
2916
2917
>>> string_to_delta('7d') == datetime.timedelta(7)
2918
True
2919
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2920
True
2921
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2922
True
2923
>>> string_to_delta('24h') == datetime.timedelta(1)
2924
True
2925
>>> string_to_delta('1w') == datetime.timedelta(7)
2926
True
2927
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2928
True
2442
2929
"""
2443
2930
2444
2931
try:
2445
2932
return rfc3339_duration_to_delta(interval)
2446
2933
except ValueError:
2447
2934
pass
2448
2935
2449
2936
timevalue = datetime.timedelta(0)
2450
2937
for s in interval.split():
2451
2938
try:
2469
2956
return timevalue
2470
2957
2471
2958
2472
def daemon(nochdir = False, noclose = False):
2959
def daemon(nochdir=False, noclose=False):
2473
2960
"""See daemon(3). Standard BSD Unix function.
2474
2961
2475
2962
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2963
if os.fork():
2477
2964
sys.exit()
2495
2982
2496
2983
2497
2984
def main():
2498
2985
2499
2986
##################################################################
2500
2987
# Parsing of options, both command line and config file
2501
2988
2502
2989
parser = argparse.ArgumentParser()
2503
2990
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2991
version="%(prog)s {}".format(version),
2505
2992
help="show version number and exit")
2506
2993
parser.add_argument("-i", "--interface", metavar="IF",
2507
2994
help="Bind to interface IF")
2543
3030
parser.add_argument("--no-zeroconf", action="store_false",
2544
3031
dest="zeroconf", help="Do not use Zeroconf",
2545
3032
default=None)
2546
3033
2547
3034
options = parser.parse_args()
2548
2549
if options.check:
2550
import doctest
2551
fail_count, test_count = doctest.testmod()
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
3035
2554
3036
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
3037
if gnutls.has_rawpk:
3038
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3039
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3040
else:
3041
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3042
":+SIGN-DSA-SHA256")
3043
server_defaults = {"interface": "",
3044
"address": "",
3045
"port": "",
3046
"debug": "False",
3047
"priority": priority,
3048
"servicename": "Mandos",
3049
"use_dbus": "True",
3050
"use_ipv6": "True",
3051
"debuglevel": "",
3052
"restore": "True",
3053
"socket": "",
3054
"statedir": "/var/lib/mandos",
3055
"foreground": "False",
3056
"zeroconf": "True",
3057
}
3058
del priority
3059
2573
3060
# Parse config file for server-global settings
2574
server_config = configparser.SafeConfigParser(server_defaults)
3061
server_config = configparser.ConfigParser(server_defaults)
2575
3062
del server_defaults
2576
3063
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2577
# Convert the SafeConfigParser object to a dict
3064
# Convert the ConfigParser object to a dict
2578
3065
server_settings = server_config.defaults()
2579
3066
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3067
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3068
"foreground", "zeroconf"):
2581
3069
server_settings[option] = server_config.getboolean("DEFAULT",
2582
3070
option)
2583
3071
if server_settings["port"]:
2593
3081
server_settings["socket"] = os.dup(server_settings
2594
3082
["socket"])
2595
3083
del server_config
2596
3084
2597
3085
# Override the settings from the config file with command line
2598
3086
# options, if set.
2599
3087
for option in ("interface", "address", "port", "debug",
2617
3105
if server_settings["debug"]:
2618
3106
server_settings["foreground"] = True
2619
3107
# Now we have our good server settings in "server_settings"
2620
3108
2621
3109
##################################################################
2622
3110
2623
3111
if (not server_settings["zeroconf"]
2624
3112
and not (server_settings["port"]
2625
3113
or server_settings["socket"] != "")):
2626
3114
parser.error("Needs port or socket to work without Zeroconf")
2627
3115
2628
3116
# For convenience
2629
3117
debug = server_settings["debug"]
2630
3118
debuglevel = server_settings["debuglevel"]
2634
3122
stored_state_file)
2635
3123
foreground = server_settings["foreground"]
2636
3124
zeroconf = server_settings["zeroconf"]
2637
3125
2638
3126
if debug:
2639
3127
initlogger(debug, logging.DEBUG)
2640
3128
else:
2643
3131
else:
2644
3132
level = getattr(logging, debuglevel.upper())
2645
3133
initlogger(debug, level)
2646
3134
2647
3135
if server_settings["servicename"] != "Mandos":
2648
3136
syslogger.setFormatter(
2649
3137
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
3138
' %(levelname)s: %(message)s'.format(
2651
3139
server_settings["servicename"])))
2652
3140
2653
3141
# Parse config file with clients
2654
client_config = configparser.SafeConfigParser(Client
2655
.client_defaults)
3142
client_config = configparser.ConfigParser(Client.client_defaults)
2656
3143
client_config.read(os.path.join(server_settings["configdir"],
2657
3144
"clients.conf"))
2658
3145
2659
3146
global mandos_dbus_service
2660
3147
mandos_dbus_service = None
2661
3148
2662
3149
socketfd = None
2663
3150
if server_settings["socket"] != "":
2664
3151
socketfd = server_settings["socket"]
2680
3167
except IOError as e:
2681
3168
logger.error("Could not open file %r", pidfilename,
2682
3169
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
3170
3171
for name, group in (("_mandos", "_mandos"),
3172
("mandos", "mandos"),
3173
("nobody", "nogroup")):
2685
3174
try:
2686
3175
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
3176
gid = pwd.getpwnam(group).pw_gid
2688
3177
break
2689
3178
except KeyError:
2690
3179
continue
2694
3183
try:
2695
3184
os.setgid(gid)
2696
3185
os.setuid(uid)
3186
if debug:
3187
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3188
gid))
2697
3189
except OSError as error:
3190
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3191
.format(uid, gid, os.strerror(error.errno)))
2698
3192
if error.errno != errno.EPERM:
2699
3193
raise
2700
3194
2701
3195
if debug:
2702
3196
# Enable all possible GnuTLS debugging
2703
3197
2704
3198
# "Use a log level over 10 to enable all debugging options."
2705
3199
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3200
gnutls.global_set_log_level(11)
3201
3202
@gnutls.log_func
2709
3203
def debug_gnutls(level, string):
2710
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3204
logger.debug("GnuTLS: %s",
3205
string[:-1].decode("utf-8",
3206
errors="replace"))
3207
3208
gnutls.global_set_log_function(debug_gnutls)
3209
2715
3210
# Redirect stdin so all checkers get /dev/null
2716
3211
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3212
os.dup2(null, sys.stdin.fileno())
2718
3213
if null > 2:
2719
3214
os.close(null)
2720
3215
2721
3216
# Need to fork before connecting to D-Bus
2722
3217
if not foreground:
2723
3218
# Close all input and output, do double fork, etc.
2724
3219
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3220
3221
if gi.version_info < (3, 10, 2):
3222
# multiprocessing will use threads, so before we use GLib we
3223
# need to inform GLib that threads will be used.
3224
GLib.threads_init()
3225
2730
3226
global main_loop
2731
3227
# From the Avahi example code
2732
3228
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3229
main_loop = GLib.MainLoop()
2734
3230
bus = dbus.SystemBus()
2735
3231
# End of Avahi example code
2736
3232
if use_dbus:
2749
3245
if zeroconf:
2750
3246
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3247
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3248
name=server_settings["servicename"],
3249
servicetype="_mandos._tcp",
3250
protocol=protocol,
3251
bus=bus)
2756
3252
if server_settings["interface"]:
2757
3253
service.interface = if_nametoindex(
2758
3254
server_settings["interface"].encode("utf-8"))
2759
3255
2760
3256
global multiprocessing_manager
2761
3257
multiprocessing_manager = multiprocessing.Manager()
2762
3258
2763
3259
client_class = Client
2764
3260
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3261
client_class = functools.partial(ClientDBus, bus=bus)
3262
2767
3263
client_settings = Client.config_parser(client_config)
2768
3264
old_client_settings = {}
2769
3265
clients_data = {}
2770
3266
2771
3267
# This is used to redirect stdout and stderr for checker processes
2772
3268
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3269
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3270
# Only used if server is running in foreground but not in debug
2775
3271
# mode
2776
3272
if debug or not foreground:
2777
3273
wnull.close()
2778
3274
2779
3275
# Get client data and settings from last running state.
2780
3276
if server_settings["restore"]:
2781
3277
try:
2782
3278
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3279
if sys.version_info.major == 2:
3280
clients_data, old_client_settings = pickle.load(
3281
stored_state)
3282
else:
3283
bytes_clients_data, bytes_old_client_settings = (
3284
pickle.load(stored_state, encoding="bytes"))
3285
# Fix bytes to strings
3286
# clients_data
3287
# .keys()
3288
clients_data = {(key.decode("utf-8")
3289
if isinstance(key, bytes)
3290
else key): value
3291
for key, value in
3292
bytes_clients_data.items()}
3293
del bytes_clients_data
3294
for key in clients_data:
3295
value = {(k.decode("utf-8")
3296
if isinstance(k, bytes) else k): v
3297
for k, v in
3298
clients_data[key].items()}
3299
clients_data[key] = value
3300
# .client_structure
3301
value["client_structure"] = [
3302
(s.decode("utf-8")
3303
if isinstance(s, bytes)
3304
else s) for s in
3305
value["client_structure"]]
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3308
if isinstance(value[k], bytes):
3309
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3314
# old_client_settings
3315
# .keys()
3316
old_client_settings = {
3317
(key.decode("utf-8")
3318
if isinstance(key, bytes)
3319
else key): value
3320
for key, value in
3321
bytes_old_client_settings.items()}
3322
del bytes_old_client_settings
3323
# .host and .checker_command
3324
for value in old_client_settings.values():
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
3328
.decode("utf-8"))
2785
3329
os.remove(stored_state_path)
2786
3330
except IOError as e:
2787
3331
if e.errno == errno.ENOENT:
2795
3339
logger.warning("Could not load persistent state: "
2796
3340
"EOFError:",
2797
3341
exc_info=e)
2798
3342
2799
3343
with PGPEngine() as pgp:
2800
3344
for client_name, client in clients_data.items():
2801
3345
# Skip removed clients
2802
3346
if client_name not in client_settings:
2803
3347
continue
2804
3348
2805
3349
# Decide which value to use after restoring saved state.
2806
3350
# We have three different values: Old config file,
2807
3351
# new config file, and saved state.
2818
3362
client[name] = value
2819
3363
except KeyError:
2820
3364
pass
2821
3365
2822
3366
# Clients who has passed its expire date can still be
2823
3367
# enabled if its last checker was successful. A Client
2824
3368
# whose checker succeeded before we stored its state is
2857
3401
client_name))
2858
3402
client["secret"] = (client_settings[client_name]
2859
3403
["secret"])
2860
3404
2861
3405
# Add/remove clients based on new changes made to config
2862
3406
for client_name in (set(old_client_settings)
2863
3407
- set(client_settings)):
2865
3409
for client_name in (set(client_settings)
2866
3410
- set(old_client_settings)):
2867
3411
clients_data[client_name] = client_settings[client_name]
2868
3412
2869
3413
# Create all client objects
2870
3414
for client_name, client in clients_data.items():
2871
3415
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3416
name=client_name,
3417
settings=client,
3418
server_settings=server_settings)
3419
2876
3420
if not tcp_server.clients:
2877
3421
logger.warning("No clients defined")
2878
3422
2879
3423
if not foreground:
2880
3424
if pidfile is not None:
2881
3425
pid = os.getpid()
2887
3431
pidfilename, pid)
2888
3432
del pidfile
2889
3433
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3434
3435
for termsig in (signal.SIGHUP, signal.SIGTERM):
3436
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3437
lambda: main_loop.quit() and False)
3438
2894
3439
if use_dbus:
2895
3440
2896
3441
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3442
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3443
class MandosDBusService(DBusObjectWithObjectManager):
2899
3444
"""A D-Bus proxy object"""
2900
3445
2901
3446
def __init__(self):
2902
3447
dbus.service.Object.__init__(self, bus, "/")
2903
3448
2904
3449
_interface = "se.recompile.Mandos"
2905
3450
2906
3451
@dbus.service.signal(_interface, signature="o")
2907
3452
def ClientAdded(self, objpath):
2908
3453
"D-Bus signal"
2909
3454
pass
2910
3455
2911
3456
@dbus.service.signal(_interface, signature="ss")
2912
def ClientNotFound(self, fingerprint, address):
3457
def ClientNotFound(self, key_id, address):
2913
3458
"D-Bus signal"
2914
3459
pass
2915
3460
2916
3461
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3462
"true"})
2918
3463
@dbus.service.signal(_interface, signature="os")
2919
3464
def ClientRemoved(self, objpath, name):
2920
3465
"D-Bus signal"
2921
3466
pass
2922
3467
2923
3468
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3469
"true"})
2925
3470
@dbus.service.method(_interface, out_signature="ao")
2926
3471
def GetAllClients(self):
2927
3472
"D-Bus method"
2928
3473
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3474
tcp_server.clients.values())
3475
2931
3476
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3477
"true"})
2933
3478
@dbus.service.method(_interface,
2935
3480
def GetAllClientsWithProperties(self):
2936
3481
"D-Bus method"
2937
3482
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3483
{c.dbus_object_path: c.GetAll(
2939
3484
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3485
for c in tcp_server.clients.values()},
2941
3486
signature="oa{sv}")
2942
3487
2943
3488
@dbus.service.method(_interface, in_signature="o")
2944
3489
def RemoveClient(self, object_path):
2945
3490
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3491
for c in tcp_server.clients.values():
2947
3492
if c.dbus_object_path == object_path:
2948
3493
del tcp_server.clients[c.name]
2949
3494
c.remove_from_connection()
2953
3498
self.client_removed_signal(c)
2954
3499
return
2955
3500
raise KeyError(object_path)
2956
3501
2957
3502
del _interface
2958
3503
2959
3504
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3505
out_signature="a{oa{sa{sv}}}")
2961
3506
def GetManagedObjects(self):
2962
3507
"""D-Bus method"""
2963
3508
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3509
{client.dbus_object_path:
3510
dbus.Dictionary(
3511
{interface: client.GetAll(interface)
3512
for interface in
3513
client._get_all_interface_names()})
3514
for client in tcp_server.clients.values()})
3515
2971
3516
def client_added_signal(self, client):
2972
3517
"""Send the new standard signal and the old signal"""
2973
3518
if use_dbus:
2975
3520
self.InterfacesAdded(
2976
3521
client.dbus_object_path,
2977
3522
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3523
{interface: client.GetAll(interface)
3524
for interface in
3525
client._get_all_interface_names()}))
2981
3526
# Old signal
2982
3527
self.ClientAdded(client.dbus_object_path)
2983
3528
2984
3529
def client_removed_signal(self, client):
2985
3530
"""Send the new standard signal and the old signal"""
2986
3531
if use_dbus:
2991
3536
# Old signal
2992
3537
self.ClientRemoved(client.dbus_object_path,
2993
3538
client.name)
2994
3539
2995
3540
mandos_dbus_service = MandosDBusService()
2996
3541
3542
# Save modules to variables to exempt the modules from being
3543
# unloaded before the function registered with atexit() is run.
3544
mp = multiprocessing
3545
wn = wnull
3546
2997
3547
def cleanup():
2998
3548
"Cleanup function; run on exit"
2999
3549
if zeroconf:
3000
3550
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3551
3552
mp.active_children()
3553
wn.close()
3004
3554
if not (tcp_server.clients or client_settings):
3005
3555
return
3006
3556
3007
3557
# Store client before exiting. Secrets are encrypted with key
3008
3558
# based on what config file has. If config file is
3009
3559
# removed/edited, old secret will thus be unrecovable.
3010
3560
clients = {}
3011
3561
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3562
for client in tcp_server.clients.values():
3013
3563
key = client_settings[client.name]["secret"]
3014
3564
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3565
key)
3016
3566
client_dict = {}
3017
3567
3018
3568
# A list of attributes that can not be pickled
3019
3569
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3570
exclude = {"bus", "changedstate", "secret",
3571
"checker", "server_settings"}
3022
3572
for name, typ in inspect.getmembers(dbus.service
3023
3573
.Object):
3024
3574
exclude.add(name)
3025
3575
3026
3576
client_dict["encrypted_secret"] = (client
3027
3577
.encrypted_secret)
3028
3578
for attr in client.client_structure:
3029
3579
if attr not in exclude:
3030
3580
client_dict[attr] = getattr(client, attr)
3031
3581
3032
3582
clients[client.name] = client_dict
3033
3583
del client_settings[client.name]["secret"]
3034
3584
3035
3585
try:
3036
3586
with tempfile.NamedTemporaryFile(
3037
3587
mode='wb',
3039
3589
prefix='clients-',
3040
3590
dir=os.path.dirname(stored_state_path),
3041
3591
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3592
pickle.dump((clients, client_settings), stored_state,
3593
protocol=2)
3043
3594
tempname = stored_state.name
3044
3595
os.rename(tempname, stored_state_path)
3045
3596
except (IOError, OSError) as e:
3055
3606
logger.warning("Could not save persistent state:",
3056
3607
exc_info=e)
3057
3608
raise
3058
3609
3059
3610
# Delete all clients, and settings from config
3060
3611
while tcp_server.clients:
3061
3612
name, client = tcp_server.clients.popitem()
3067
3618
if use_dbus:
3068
3619
mandos_dbus_service.client_removed_signal(client)
3069
3620
client_settings.clear()
3070
3621
3071
3622
atexit.register(cleanup)
3072
3073
for client in tcp_server.clients.itervalues():
3623
3624
for client in tcp_server.clients.values():
3074
3625
if use_dbus:
3075
3626
# Emit D-Bus signal for adding
3076
3627
mandos_dbus_service.client_added_signal(client)
3077
3628
# Need to initiate checking of clients
3078
3629
if client.enabled:
3079
3630
client.init_checker()
3080
3631
3081
3632
tcp_server.enable()
3082
3633
tcp_server.server_activate()
3083
3634
3084
3635
# Find out what port we got
3085
3636
if zeroconf:
3086
3637
service.port = tcp_server.socket.getsockname()[1]
3091
3642
else: # IPv4
3092
3643
logger.info("Now listening on address %r, port %d",
3093
3644
*tcp_server.socket.getsockname())
3094
3095
#service.interface = tcp_server.socket.getsockname()[3]
3096
3645
3646
# service.interface = tcp_server.socket.getsockname()[3]
3647
3097
3648
try:
3098
3649
if zeroconf:
3099
3650
# From the Avahi example code
3104
3655
cleanup()
3105
3656
sys.exit(1)
3106
3657
# End of Avahi example code
3107
3108
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3109
lambda *args, **kwargs:
3110
(tcp_server.handle_request
3111
(*args[2:], **kwargs) or True))
3112
3658
3659
GLib.io_add_watch(
3660
GLib.IOChannel.unix_new(tcp_server.fileno()),
3661
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3662
lambda *args, **kwargs: (tcp_server.handle_request
3663
(*args[2:], **kwargs) or True))
3664
3113
3665
logger.debug("Starting main loop")
3114
3666
main_loop.run()
3115
3667
except AvahiError as error:
3124
3676
# Must run before the D-Bus bus name gets deregistered
3125
3677
cleanup()
3126
3678
3679
3680
def should_only_run_tests():
3681
parser = argparse.ArgumentParser(add_help=False)
3682
parser.add_argument("--check", action='store_true')
3683
args, unknown_args = parser.parse_known_args()
3684
run_tests = args.check
3685
if run_tests:
3686
# Remove --check argument from sys.argv
3687
sys.argv[1:] = unknown_args
3688
return run_tests
3689
3690
# Add all tests from doctest strings
3691
def load_tests(loader, tests, none):
3692
import doctest
3693
tests.addTests(doctest.DocTestSuite())
3694
return tests
3127
3695
3128
3696
if __name__ == '__main__':
3129
main()
3697
try:
3698
if should_only_run_tests():
3699
# Call using ./mandos --check [--verbose]
3700
unittest.main()
3701
else:
3702
main()
3703
finally:
3704
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0