To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 1250
- compare with another revision
- download diff
- download tarball
- view history from revision 1250
- Committer: Teddy Hogeborn
- Date: 2022-04-23 23:58:39 UTC
- Revision ID: teddy@recompile.se-20220423235839-cnt9aq1kjveqaydc
Bug fix in mandos-ctl: handle backslashes in password
* mandos-ctl (mode=password): When sending the password to gpg, use
"printf" instead of "echo -n". This avoids the behavior of the
"echo" builtin in "dash", which always interprets backslash escape
codes.
Reported-By: Jesse Norell <jesse@kci.net>
* mandos-ctl (mode=password): When sending the password to gpg, use
"printf" instead of "echo -n". This avoids the behavior of the
"echo" builtin in "dash", which always interprets backslash escape
codes.
Reported-By: Jesse Norell <jesse@kci.net>
- files added:
- bugs.xml
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.connection
48
import gnutls.errors
49
import gnutls.library.functions
50
import gnutls.library.constants
51
import gnutls.library.types
52
51
try:
53
52
import ConfigParser as configparser
54
53
except ImportError:
78
77
import itertools
79
78
import collections
80
79
import codecs
80
import unittest
81
import random
82
import shlex
81
83
82
84
import dbus
83
85
import dbus.service
84
try:
85
import gobject
86
except ImportError:
87
from gi.repository import GObject as gobject
88
import avahi
86
import gi
87
from gi.repository import GLib
89
88
from dbus.mainloop.glib import DBusGMainLoop
90
89
import ctypes
91
90
import ctypes.util
92
91
import xml.dom.minidom
93
92
import inspect
94
93
95
try:
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
96
122
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
97
123
except AttributeError:
98
124
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
99
127
from IN import SO_BINDTODEVICE
100
128
except ImportError:
101
SO_BINDTODEVICE = None
102
103
if sys.version_info.major == 2:
104
str = unicode
105
106
version = "1.7.1"
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.14"
107
147
stored_state_file = "clients.pickle"
108
148
109
149
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
110
151
syslogger = None
111
152
112
153
try:
113
154
if_nametoindex = ctypes.cdll.LoadLibrary(
114
155
ctypes.util.find_library("c")).if_nametoindex
115
156
except (OSError, AttributeError):
116
157
117
158
def if_nametoindex(interface):
118
159
"Get an interface index the hard way, i.e. using fcntl()"
119
160
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
124
165
return interface_index
125
166
126
167
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
127
184
def initlogger(debug, level=logging.WARNING):
128
185
"""init logger and add loglevel"""
129
186
130
187
global syslogger
131
188
syslogger = (logging.handlers.SysLogHandler(
132
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
address = "/dev/log"))
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
134
191
syslogger.setFormatter(logging.Formatter
135
('Mandos [%(process)d]: %(levelname)s:'
136
' %(message)s'))
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
137
194
logger.addHandler(syslogger)
138
195
139
196
if debug:
140
197
console = logging.StreamHandler()
141
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
142
' [%(process)d]:'
143
' %(levelname)s:'
144
' %(message)s'))
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
145
202
logger.addHandler(console)
146
203
logger.setLevel(level)
147
204
151
208
pass
152
209
153
210
154
class PGPEngine(object):
211
class PGPEngine:
155
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
156
213
157
214
def __init__(self):
158
215
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
159
self.gnupgargs = ['--batch',
160
'--home', self.tempdir,
161
'--force-mdc',
162
'--quiet',
163
'--no-use-agent']
164
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
165
235
def __enter__(self):
166
236
return self
167
237
168
238
def __exit__(self, exc_type, exc_value, traceback):
169
239
self._cleanup()
170
240
return False
171
241
172
242
def __del__(self):
173
243
self._cleanup()
174
244
175
245
def _cleanup(self):
176
246
if self.tempdir is not None:
177
247
# Delete contents of tempdir
178
248
for root, dirs, files in os.walk(self.tempdir,
179
topdown = False):
249
topdown=False):
180
250
for filename in files:
181
251
os.remove(os.path.join(root, filename))
182
252
for dirname in dirs:
184
254
# Remove tempdir
185
255
os.rmdir(self.tempdir)
186
256
self.tempdir = None
187
257
188
258
def password_encode(self, password):
189
259
# Passphrase can not be empty and can not contain newlines or
190
260
# NUL bytes. So we prefix it and hex encode it.
195
265
.replace(b"\n", b"\\n")
196
266
.replace(b"\0", b"\\x00"))
197
267
return encoded
198
268
199
269
def encrypt(self, data, password):
200
270
passphrase = self.password_encode(password)
201
271
with tempfile.NamedTemporaryFile(
202
272
dir=self.tempdir) as passfile:
203
273
passfile.write(passphrase)
204
274
passfile.flush()
205
proc = subprocess.Popen(['gpg', '--symmetric',
206
'--passphrase-file',
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
207
277
passfile.name]
208
278
+ self.gnupgargs,
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
213
283
if proc.returncode != 0:
214
284
raise PGPError(err)
215
285
return ciphertext
216
286
217
287
def decrypt(self, data, password):
218
288
passphrase = self.password_encode(password)
219
289
with tempfile.NamedTemporaryFile(
220
dir = self.tempdir) as passfile:
290
dir=self.tempdir) as passfile:
221
291
passfile.write(passphrase)
222
292
passfile.flush()
223
proc = subprocess.Popen(['gpg', '--decrypt',
224
'--passphrase-file',
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
225
295
passfile.name]
226
296
+ self.gnupgargs,
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
231
301
if proc.returncode != 0:
232
302
raise PGPError(err)
233
303
return decrypted_plaintext
234
304
235
305
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
236
332
class AvahiError(Exception):
237
333
def __init__(self, value, *args, **kwargs):
238
334
self.value = value
248
344
pass
249
345
250
346
251
class AvahiService(object):
347
class AvahiService:
252
348
"""An Avahi (Zeroconf) service.
253
349
254
350
Attributes:
255
351
interface: integer; avahi.IF_UNSPEC or an interface index.
256
352
Used to optionally bind to the specified interface.
257
name: string; Example: 'Mandos'
258
type: string; Example: '_mandos._tcp'.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
259
355
See <https://www.iana.org/assignments/service-names-port-numbers>
260
356
port: integer; what port to announce
261
357
TXT: list of strings; TXT record for the service
268
364
server: D-Bus Server
269
365
bus: dbus.SystemBus()
270
366
"""
271
367
272
368
def __init__(self,
273
interface = avahi.IF_UNSPEC,
274
name = None,
275
servicetype = None,
276
port = None,
277
TXT = None,
278
domain = "",
279
host = "",
280
max_renames = 32768,
281
protocol = avahi.PROTO_UNSPEC,
282
bus = None):
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
283
379
self.interface = interface
284
380
self.name = name
285
381
self.type = servicetype
294
390
self.server = None
295
391
self.bus = bus
296
392
self.entry_group_state_changed_match = None
297
393
298
394
def rename(self, remove=True):
299
395
"""Derived from the Avahi example code"""
300
396
if self.rename_count >= self.max_renames:
320
416
logger.critical("D-Bus Exception", exc_info=error)
321
417
self.cleanup()
322
418
os._exit(1)
323
419
324
420
def remove(self):
325
421
"""Derived from the Avahi example code"""
326
422
if self.entry_group_state_changed_match is not None:
328
424
self.entry_group_state_changed_match = None
329
425
if self.group is not None:
330
426
self.group.Reset()
331
427
332
428
def add(self):
333
429
"""Derived from the Avahi example code"""
334
430
self.remove()
339
435
avahi.DBUS_INTERFACE_ENTRY_GROUP)
340
436
self.entry_group_state_changed_match = (
341
437
self.group.connect_to_signal(
342
'StateChanged', self.entry_group_state_changed))
438
"StateChanged", self.entry_group_state_changed))
343
439
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
344
440
self.name, self.type)
345
441
self.group.AddService(
351
447
dbus.UInt16(self.port),
352
448
avahi.string_array_to_txt_array(self.TXT))
353
449
self.group.Commit()
354
450
355
451
def entry_group_state_changed(self, state, error):
356
452
"""Derived from the Avahi example code"""
357
453
logger.debug("Avahi entry group state change: %i", state)
358
454
359
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
360
456
logger.debug("Zeroconf service established.")
361
457
elif state == avahi.ENTRY_GROUP_COLLISION:
365
461
logger.critical("Avahi: Error in group state changed %s",
366
462
str(error))
367
463
raise AvahiGroupError("State changed: {!s}".format(error))
368
464
369
465
def cleanup(self):
370
466
"""Derived from the Avahi example code"""
371
467
if self.group is not None:
376
472
pass
377
473
self.group = None
378
474
self.remove()
379
475
380
476
def server_state_changed(self, state, error=None):
381
477
"""Derived from the Avahi example code"""
382
478
logger.debug("Avahi server state change: %i", state)
411
507
logger.debug("Unknown state: %r", state)
412
508
else:
413
509
logger.debug("Unknown state: %r: %r", state, error)
414
510
415
511
def activate(self):
416
512
"""Derived from the Avahi example code"""
417
513
if self.server is None:
428
524
class AvahiServiceToSyslog(AvahiService):
429
525
def rename(self, *args, **kwargs):
430
526
"""Add the new name to the syslog messages"""
431
ret = AvahiService.rename(self, *args, **kwargs)
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
432
529
syslogger.setFormatter(logging.Formatter(
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
434
531
.format(self.name)))
435
532
return ret
436
533
534
535
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
538
539
library = ctypes.util.find_library("gnutls")
540
if library is None:
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
543
del library
544
545
# Unless otherwise indicated, the constants and types below are
546
# all from the gnutls/gnutls.h C header file.
547
548
# Constants
549
E_SUCCESS = 0
550
E_INTERRUPTED = -52
551
E_AGAIN = -28
552
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
CLIENT = 2
555
SHUT_RDWR = 0
556
CRD_CERTIFICATE = 1
557
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
565
# Types
566
class _session_int(ctypes.Structure):
567
_fields_ = []
568
session_t = ctypes.POINTER(_session_int)
569
570
class certificate_credentials_st(ctypes.Structure):
571
_fields_ = []
572
certificate_credentials_t = ctypes.POINTER(
573
certificate_credentials_st)
574
certificate_type_t = ctypes.c_int
575
576
class datum_t(ctypes.Structure):
577
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
578
("size", ctypes.c_uint)]
579
580
class _openpgp_crt_int(ctypes.Structure):
581
_fields_ = []
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
586
transport_ptr_t = ctypes.c_void_p
587
close_request_t = ctypes.c_int
588
589
# Exceptions
590
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
592
# Default usage is by a message string, but if a return
593
# code is passed, convert it to a string with
594
# gnutls.strerror()
595
self.code = code
596
if message is None and code is not None:
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
600
message, *args)
601
602
class CertificateSecurityError(Error):
603
pass
604
605
class PointerTo:
606
def __init__(self, cls):
607
self.cls = cls
608
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
614
615
class CastToVoidPointer:
616
def __init__(self, cls):
617
self.cls = cls
618
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
625
class With_from_param:
626
@classmethod
627
def from_param(cls, obj):
628
return obj._as_parameter_
629
630
# Classes
631
class Credentials(With_from_param):
632
def __init__(self):
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
635
self.type = gnutls.CRD_CERTIFICATE
636
637
def __del__(self):
638
gnutls.certificate_free_credentials(self)
639
640
class ClientSession(With_from_param):
641
def __init__(self, socket, credentials=None):
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
646
if gnutls.has_rawpk:
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
649
del gnutls_flags
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
653
self.socket = socket
654
if credentials is None:
655
credentials = gnutls.Credentials()
656
gnutls.credentials_set(self, credentials.type,
657
credentials)
658
self.credentials = credentials
659
660
def __del__(self):
661
gnutls.deinit(self)
662
663
def handshake(self):
664
return gnutls.handshake(self)
665
666
def send(self, data):
667
data = bytes(data)
668
data_len = len(data)
669
while data_len > 0:
670
data_len -= gnutls.record_send(self, data[-data_len:],
671
data_len)
672
673
def bye(self):
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
675
676
# Error handling functions
677
def _error_code(result):
678
"""A function to raise exceptions on errors, suitable
679
for the "restype" attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
681
return result
682
if result == gnutls.E_NO_CERTIFICATE_FOUND:
683
raise gnutls.CertificateSecurityError(code=result)
684
raise gnutls.Error(code=result)
685
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
688
"""A function to retry on some errors, suitable
689
for the "errcheck" attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
691
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
692
return _error_code(result)
693
result = func(*arguments)
694
return result
695
696
# Unless otherwise indicated, the function declarations below are
697
# all from the gnutls/gnutls.h C header file.
698
699
# Functions
700
priority_set_direct = _library.gnutls_priority_set_direct
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
702
ctypes.POINTER(ctypes.c_char_p)]
703
priority_set_direct.restype = _error_code
704
705
init = _library.gnutls_init
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
707
init.restype = _error_code
708
709
set_default_priority = _library.gnutls_set_default_priority
710
set_default_priority.argtypes = [ClientSession]
711
set_default_priority.restype = _error_code
712
713
record_send = _library.gnutls_record_send
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
715
ctypes.c_size_t]
716
record_send.restype = ctypes.c_ssize_t
717
record_send.errcheck = _retry_on_error
718
719
certificate_allocate_credentials = (
720
_library.gnutls_certificate_allocate_credentials)
721
certificate_allocate_credentials.argtypes = [
722
PointerTo(Credentials)]
723
certificate_allocate_credentials.restype = _error_code
724
725
certificate_free_credentials = (
726
_library.gnutls_certificate_free_credentials)
727
certificate_free_credentials.argtypes = [Credentials]
728
certificate_free_credentials.restype = None
729
730
handshake_set_private_extensions = (
731
_library.gnutls_handshake_set_private_extensions)
732
handshake_set_private_extensions.argtypes = [ClientSession,
733
ctypes.c_int]
734
handshake_set_private_extensions.restype = None
735
736
credentials_set = _library.gnutls_credentials_set
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
739
credentials_set.restype = _error_code
740
741
strerror = _library.gnutls_strerror
742
strerror.argtypes = [ctypes.c_int]
743
strerror.restype = ctypes.c_char_p
744
745
certificate_type_get = _library.gnutls_certificate_type_get
746
certificate_type_get.argtypes = [ClientSession]
747
certificate_type_get.restype = _error_code
748
749
certificate_get_peers = _library.gnutls_certificate_get_peers
750
certificate_get_peers.argtypes = [ClientSession,
751
ctypes.POINTER(ctypes.c_uint)]
752
certificate_get_peers.restype = ctypes.POINTER(datum_t)
753
754
global_set_log_level = _library.gnutls_global_set_log_level
755
global_set_log_level.argtypes = [ctypes.c_int]
756
global_set_log_level.restype = None
757
758
global_set_log_function = _library.gnutls_global_set_log_function
759
global_set_log_function.argtypes = [log_func]
760
global_set_log_function.restype = None
761
762
deinit = _library.gnutls_deinit
763
deinit.argtypes = [ClientSession]
764
deinit.restype = None
765
766
handshake = _library.gnutls_handshake
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
769
handshake.errcheck = _retry_on_error
770
771
transport_set_ptr = _library.gnutls_transport_set_ptr
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
773
transport_set_ptr.restype = None
774
775
bye = _library.gnutls_bye
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
778
bye.errcheck = _retry_on_error
779
780
check_version = _library.gnutls_check_version
781
check_version.argtypes = [ctypes.c_char_p]
782
check_version.restype = ctypes.c_char_p
783
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
788
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
791
792
if has_rawpk:
793
# Types
794
class pubkey_st(ctypes.Structure):
795
_fields = []
796
pubkey_t = ctypes.POINTER(pubkey_st)
797
798
x509_crt_fmt_t = ctypes.c_int
799
800
# All the function declarations below are from
801
# gnutls/abstract.h
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
805
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
x509_crt_fmt_t]
809
pubkey_import.restype = _error_code
810
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
816
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
820
else:
821
# All the function declarations below are from
822
# gnutls/openpgp.h
823
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
827
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
831
openpgp_crt_fmt_t]
832
openpgp_crt_import.restype = _error_code
833
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
837
openpgp_crt_t,
838
ctypes.c_uint,
839
ctypes.POINTER(ctypes.c_uint),
840
]
841
openpgp_crt_verify_self.restype = _error_code
842
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
846
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
850
ctypes.c_void_p,
851
ctypes.POINTER(
852
ctypes.c_size_t)]
853
openpgp_crt_get_fingerprint.restype = _error_code
854
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
859
860
# Remove non-public functions
861
del _error_code, _retry_on_error
862
863
437
864
def call_pipe(connection, # : multiprocessing.Connection
438
865
func, *args, **kwargs):
439
866
"""This function is meant to be called by multiprocessing.Process
440
867
441
868
This function runs func(*args, **kwargs), and writes the resulting
442
869
return value on the provided multiprocessing.Connection.
443
870
"""
444
871
connection.send(func(*args, **kwargs))
445
872
connection.close()
446
873
447
class Client(object):
874
875
class Client:
448
876
"""A representation of a client host served by this server.
449
877
450
878
Attributes:
451
approved: bool(); 'None' if not yet approved/disapproved
879
approved: bool(); None if not yet approved/disapproved
452
880
approval_delay: datetime.timedelta(); Time to wait for approval
453
881
approval_duration: datetime.timedelta(); Duration of one approval
454
checker: subprocess.Popen(); a running checker process used
455
to see if the client lives.
456
'None' if no process is running.
457
checker_callback_tag: a gobject event source tag, or None
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. None if no process is
884
running.
885
checker_callback_tag: a GLib event source tag, or None
458
886
checker_command: string; External command which is run to check
459
887
if client lives. %() expansions are done at
460
888
runtime with vars(self) as dict, so that for
461
889
instance %(name)s can be used in the command.
462
checker_initiator_tag: a gobject event source tag, or None
890
checker_initiator_tag: a GLib event source tag, or None
463
891
created: datetime.datetime(); (UTC) object creation
464
892
client_structure: Object describing what attributes a client has
465
893
and is used for storing the client at exit
466
894
current_checker_command: string; current running checker_command
467
disable_initiator_tag: a gobject event source tag, or None
895
disable_initiator_tag: a GLib event source tag, or None
468
896
enabled: bool()
469
897
fingerprint: string (40 or 32 hexadecimal digits); used to
470
uniquely identify the client
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
471
901
host: string; available for use by the checker command
472
902
interval: datetime.timedelta(); How often to start a new checker
473
903
last_approval_request: datetime.datetime(); (UTC) or None
489
919
disabled, or None
490
920
server_settings: The server_settings dict from main()
491
921
"""
492
922
493
923
runtime_expansions = ("approval_delay", "approval_duration",
494
"created", "enabled", "expires",
924
"created", "enabled", "expires", "key_id",
495
925
"fingerprint", "host", "interval",
496
926
"last_approval_request", "last_checked_ok",
497
927
"last_enabled", "name", "timeout")
506
936
"approved_by_default": "True",
507
937
"enabled": "True",
508
938
}
509
939
510
940
@staticmethod
511
941
def config_parser(config):
512
942
"""Construct a new dict of client settings of this form:
519
949
for client_name in config.sections():
520
950
section = dict(config.items(client_name))
521
951
client = settings[client_name] = {}
522
952
523
953
client["host"] = section["host"]
524
954
# Reformat values from string types to Python types
525
955
client["approved_by_default"] = config.getboolean(
526
956
client_name, "approved_by_default")
527
957
client["enabled"] = config.getboolean(client_name,
528
958
"enabled")
529
530
# Uppercase and remove spaces from fingerprint for later
531
# comparison purposes with return value from the
532
# fingerprint() function
959
960
# Uppercase and remove spaces from key_id and fingerprint
961
# for later comparison purposes with return value from the
962
# key_id() and fingerprint() functions
963
client["key_id"] = (section.get("key_id", "").upper()
964
.replace(" ", ""))
533
965
client["fingerprint"] = (section["fingerprint"].upper()
534
966
.replace(" ", ""))
535
967
if "secret" in section:
536
client["secret"] = section["secret"].decode("base64")
968
client["secret"] = codecs.decode(section["secret"]
969
.encode("utf-8"),
970
"base64")
537
971
elif "secfile" in section:
538
972
with open(os.path.expanduser(os.path.expandvars
539
973
(section["secfile"])),
554
988
client["last_approval_request"] = None
555
989
client["last_checked_ok"] = None
556
990
client["last_checker_status"] = -2
557
991
558
992
return settings
559
560
def __init__(self, settings, name = None, server_settings=None):
993
994
def __init__(self, settings, name=None, server_settings=None):
561
995
self.name = name
562
996
if server_settings is None:
563
997
server_settings = {}
565
999
# adding all client settings
566
1000
for setting, value in settings.items():
567
1001
setattr(self, setting, value)
568
1002
569
1003
if self.enabled:
570
1004
if not hasattr(self, "last_enabled"):
571
1005
self.last_enabled = datetime.datetime.utcnow()
575
1009
else:
576
1010
self.last_enabled = None
577
1011
self.expires = None
578
1012
579
1013
logger.debug("Creating client %r", self.name)
1014
logger.debug(" Key ID: %s", self.key_id)
580
1015
logger.debug(" Fingerprint: %s", self.fingerprint)
581
1016
self.created = settings.get("created",
582
1017
datetime.datetime.utcnow())
583
1018
584
1019
# attributes specific for this server instance
585
1020
self.checker = None
586
1021
self.checker_initiator_tag = None
592
1027
self.changedstate = multiprocessing_manager.Condition(
593
1028
multiprocessing_manager.Lock())
594
1029
self.client_structure = [attr
595
for attr in self.__dict__.iterkeys()
1030
for attr in self.__dict__.keys()
596
1031
if not attr.startswith("_")]
597
1032
self.client_structure.append("client_structure")
598
1033
599
1034
for name, t in inspect.getmembers(
600
1035
type(self), lambda obj: isinstance(obj, property)):
601
1036
if not name.startswith("_"):
602
1037
self.client_structure.append(name)
603
1038
604
1039
# Send notice to process children that client state has changed
605
1040
def send_changedstate(self):
606
1041
with self.changedstate:
607
1042
self.changedstate.notify_all()
608
1043
609
1044
def enable(self):
610
1045
"""Start this client's checker and timeout hooks"""
611
1046
if getattr(self, "enabled", False):
616
1051
self.last_enabled = datetime.datetime.utcnow()
617
1052
self.init_checker()
618
1053
self.send_changedstate()
619
1054
620
1055
def disable(self, quiet=True):
621
1056
"""Disable this client."""
622
1057
if not getattr(self, "enabled", False):
624
1059
if not quiet:
625
1060
logger.info("Disabling client %s", self.name)
626
1061
if getattr(self, "disable_initiator_tag", None) is not None:
627
gobject.source_remove(self.disable_initiator_tag)
1062
GLib.source_remove(self.disable_initiator_tag)
628
1063
self.disable_initiator_tag = None
629
1064
self.expires = None
630
1065
if getattr(self, "checker_initiator_tag", None) is not None:
631
gobject.source_remove(self.checker_initiator_tag)
1066
GLib.source_remove(self.checker_initiator_tag)
632
1067
self.checker_initiator_tag = None
633
1068
self.stop_checker()
634
1069
self.enabled = False
635
1070
if not quiet:
636
1071
self.send_changedstate()
637
# Do not run this again if called by a gobject.timeout_add
1072
# Do not run this again if called by a GLib.timeout_add
638
1073
return False
639
1074
640
1075
def __del__(self):
641
1076
self.disable()
642
1077
643
1078
def init_checker(self):
644
1079
# Schedule a new checker to be started an 'interval' from now,
645
1080
# and every interval from then on.
646
1081
if self.checker_initiator_tag is not None:
647
gobject.source_remove(self.checker_initiator_tag)
648
self.checker_initiator_tag = gobject.timeout_add(
649
int(self.interval.total_seconds() * 1000),
1082
GLib.source_remove(self.checker_initiator_tag)
1083
self.checker_initiator_tag = GLib.timeout_add(
1084
random.randrange(int(self.interval.total_seconds() * 1000
1085
+ 1)),
650
1086
self.start_checker)
651
1087
# Schedule a disable() when 'timeout' has passed
652
1088
if self.disable_initiator_tag is not None:
653
gobject.source_remove(self.disable_initiator_tag)
654
self.disable_initiator_tag = gobject.timeout_add(
1089
GLib.source_remove(self.disable_initiator_tag)
1090
self.disable_initiator_tag = GLib.timeout_add(
655
1091
int(self.timeout.total_seconds() * 1000), self.disable)
656
1092
# Also start a new checker *right now*.
657
1093
self.start_checker()
658
1094
659
1095
def checker_callback(self, source, condition, connection,
660
1096
command):
661
1097
"""The checker has completed, so take appropriate actions."""
662
self.checker_callback_tag = None
663
self.checker = None
664
1098
# Read return code from connection (see call_pipe)
665
1099
returncode = connection.recv()
666
1100
connection.close()
667
1101
if self.checker is not None:
1102
self.checker.join()
1103
self.checker_callback_tag = None
1104
self.checker = None
1105
668
1106
if returncode >= 0:
669
1107
self.last_checker_status = returncode
670
1108
self.last_checker_signal = None
680
1118
logger.warning("Checker for %(name)s crashed?",
681
1119
vars(self))
682
1120
return False
683
1121
684
1122
def checked_ok(self):
685
1123
"""Assert that the client has been seen, alive and well."""
686
1124
self.last_checked_ok = datetime.datetime.utcnow()
687
1125
self.last_checker_status = 0
688
1126
self.last_checker_signal = None
689
1127
self.bump_timeout()
690
1128
691
1129
def bump_timeout(self, timeout=None):
692
1130
"""Bump up the timeout for this client."""
693
1131
if timeout is None:
694
1132
timeout = self.timeout
695
1133
if self.disable_initiator_tag is not None:
696
gobject.source_remove(self.disable_initiator_tag)
1134
GLib.source_remove(self.disable_initiator_tag)
697
1135
self.disable_initiator_tag = None
698
1136
if getattr(self, "enabled", False):
699
self.disable_initiator_tag = gobject.timeout_add(
1137
self.disable_initiator_tag = GLib.timeout_add(
700
1138
int(timeout.total_seconds() * 1000), self.disable)
701
1139
self.expires = datetime.datetime.utcnow() + timeout
702
1140
703
1141
def need_approval(self):
704
1142
self.last_approval_request = datetime.datetime.utcnow()
705
1143
706
1144
def start_checker(self):
707
1145
"""Start a new checker subprocess if one is not running.
708
1146
709
1147
If a checker already exists, leave it running and do
710
1148
nothing."""
711
1149
# The reason for not killing a running checker is that if we
716
1154
# checkers alone, the checker would have to take more time
717
1155
# than 'timeout' for the client to be disabled, which is as it
718
1156
# should be.
719
1157
720
1158
if self.checker is not None and not self.checker.is_alive():
721
1159
logger.warning("Checker was not alive; joining")
722
1160
self.checker.join()
725
1163
if self.checker is None:
726
1164
# Escape attributes for the shell
727
1165
escaped_attrs = {
728
attr: re.escape(str(getattr(self, attr)))
729
for attr in self.runtime_expansions }
1166
attr: shlex.quote(str(getattr(self, attr)))
1167
for attr in self.runtime_expansions}
730
1168
try:
731
1169
command = self.checker_command % escaped_attrs
732
1170
except TypeError as error:
744
1182
# The exception is when not debugging but nevertheless
745
1183
# running in the foreground; use the previously
746
1184
# created wnull.
747
popen_args = { "close_fds": True,
748
"shell": True,
749
"cwd": "/" }
1185
popen_args = {"close_fds": True,
1186
"shell": True,
1187
"cwd": "/"}
750
1188
if (not self.server_settings["debug"]
751
1189
and self.server_settings["foreground"]):
752
1190
popen_args.update({"stdout": wnull,
753
"stderr": wnull })
754
pipe = multiprocessing.Pipe(duplex = False)
1191
"stderr": wnull})
1192
pipe = multiprocessing.Pipe(duplex=False)
755
1193
self.checker = multiprocessing.Process(
756
target = call_pipe,
757
args = (pipe[1], subprocess.call, command),
758
kwargs = popen_args)
1194
target=call_pipe,
1195
args=(pipe[1], subprocess.call, command),
1196
kwargs=popen_args)
759
1197
self.checker.start()
760
self.checker_callback_tag = gobject.io_add_watch(
761
pipe[0].fileno(), gobject.IO_IN,
1198
self.checker_callback_tag = GLib.io_add_watch(
1199
GLib.IOChannel.unix_new(pipe[0].fileno()),
1200
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
762
1201
self.checker_callback, pipe[0], command)
763
# Re-run this periodically if run by gobject.timeout_add
1202
# Re-run this periodically if run by GLib.timeout_add
764
1203
return True
765
1204
766
1205
def stop_checker(self):
767
1206
"""Force the checker process, if any, to stop."""
768
1207
if self.checker_callback_tag:
769
gobject.source_remove(self.checker_callback_tag)
1208
GLib.source_remove(self.checker_callback_tag)
770
1209
self.checker_callback_tag = None
771
1210
if getattr(self, "checker", None) is None:
772
1211
return
781
1220
byte_arrays=False):
782
1221
"""Decorators for marking methods of a DBusObjectWithProperties to
783
1222
become properties on the D-Bus.
784
1223
785
1224
The decorated method will be called with no arguments by "Get"
786
1225
and with one argument by "Set".
787
1226
788
1227
The parameters, where they are supported, are the same as
789
1228
dbus.service.method, except there is only "signature", since the
790
1229
type from Get() and the type sent to Set() is the same.
794
1233
if byte_arrays and signature != "ay":
795
1234
raise ValueError("Byte arrays not supported for non-'ay'"
796
1235
" signature {!r}".format(signature))
797
1236
798
1237
def decorator(func):
799
1238
func._dbus_is_property = True
800
1239
func._dbus_interface = dbus_interface
803
1242
func._dbus_name = func.__name__
804
1243
if func._dbus_name.endswith("_dbus_property"):
805
1244
func._dbus_name = func._dbus_name[:-14]
806
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1245
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
807
1246
return func
808
1247
809
1248
return decorator
810
1249
811
1250
812
1251
def dbus_interface_annotations(dbus_interface):
813
1252
"""Decorator for marking functions returning interface annotations
814
1253
815
1254
Usage:
816
1255
817
1256
@dbus_interface_annotations("org.example.Interface")
818
1257
def _foo(self): # Function name does not matter
819
1258
return {"org.freedesktop.DBus.Deprecated": "true",
820
1259
"org.freedesktop.DBus.Property.EmitsChangedSignal":
821
1260
"false"}
822
1261
"""
823
1262
824
1263
def decorator(func):
825
1264
func._dbus_is_interface = True
826
1265
func._dbus_interface = dbus_interface
827
1266
func._dbus_name = dbus_interface
828
1267
return func
829
1268
830
1269
return decorator
831
1270
832
1271
833
1272
def dbus_annotations(annotations):
834
1273
"""Decorator to annotate D-Bus methods, signals or properties
835
1274
Usage:
836
1275
837
1276
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
838
1277
"org.freedesktop.DBus.Property."
839
1278
"EmitsChangedSignal": "false"})
841
1280
access="r")
842
1281
def Property_dbus_property(self):
843
1282
return dbus.Boolean(False)
844
1283
845
1284
See also the DBusObjectWithAnnotations class.
846
1285
"""
847
1286
848
1287
def decorator(func):
849
1288
func._dbus_annotations = annotations
850
1289
return func
851
1290
852
1291
return decorator
853
1292
854
1293
872
1311
873
1312
class DBusObjectWithAnnotations(dbus.service.Object):
874
1313
"""A D-Bus object with annotations.
875
1314
876
1315
Classes inheriting from this can use the dbus_annotations
877
1316
decorator to add annotations to methods or signals.
878
1317
"""
879
1318
880
1319
@staticmethod
881
1320
def _is_dbus_thing(thing):
882
1321
"""Returns a function testing if an attribute is a D-Bus thing
883
1322
884
1323
If called like _is_dbus_thing("method") it returns a function
885
1324
suitable for use as predicate to inspect.getmembers().
886
1325
"""
887
1326
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
888
1327
False)
889
1328
890
1329
def _get_all_dbus_things(self, thing):
891
1330
"""Returns a generator of (name, attribute) pairs
892
1331
"""
895
1334
for cls in self.__class__.__mro__
896
1335
for name, athing in
897
1336
inspect.getmembers(cls, self._is_dbus_thing(thing)))
898
1337
899
1338
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
900
out_signature = "s",
901
path_keyword = 'object_path',
902
connection_keyword = 'connection')
1339
out_signature="s",
1340
path_keyword="object_path",
1341
connection_keyword="connection")
903
1342
def Introspect(self, object_path, connection):
904
1343
"""Overloading of standard D-Bus method.
905
1344
906
1345
Inserts annotation tags on methods and signals.
907
1346
"""
908
1347
xmlstring = dbus.service.Object.Introspect(self, object_path,
909
1348
connection)
910
1349
try:
911
1350
document = xml.dom.minidom.parseString(xmlstring)
912
1351
913
1352
for if_tag in document.getElementsByTagName("interface"):
914
1353
# Add annotation tags
915
1354
for typ in ("method", "signal"):
942
1381
if_tag.appendChild(ann_tag)
943
1382
# Fix argument name for the Introspect method itself
944
1383
if (if_tag.getAttribute("name")
945
== dbus.INTROSPECTABLE_IFACE):
1384
== dbus.INTROSPECTABLE_IFACE):
946
1385
for cn in if_tag.getElementsByTagName("method"):
947
1386
if cn.getAttribute("name") == "Introspect":
948
1387
for arg in cn.getElementsByTagName("arg"):
961
1400
962
1401
class DBusObjectWithProperties(DBusObjectWithAnnotations):
963
1402
"""A D-Bus object with properties.
964
1403
965
1404
Classes inheriting from this can use the dbus_service_property
966
1405
decorator to expose methods as D-Bus properties. It exposes the
967
1406
standard Get(), Set(), and GetAll() methods on the D-Bus.
968
1407
"""
969
1408
970
1409
def _get_dbus_property(self, interface_name, property_name):
971
1410
"""Returns a bound method if one exists which is a D-Bus
972
1411
property with the specified name and interface.
977
1416
if (value._dbus_name == property_name
978
1417
and value._dbus_interface == interface_name):
979
1418
return value.__get__(self)
980
1419
981
1420
# No such property
982
1421
raise DBusPropertyNotFound("{}:{}.{}".format(
983
1422
self.dbus_object_path, interface_name, property_name))
984
1423
985
1424
@classmethod
986
1425
def _get_all_interface_names(cls):
987
1426
"""Get a sequence of all interfaces supported by an object"""
990
1429
for x in (inspect.getmro(cls))
991
1430
for attr in dir(x))
992
1431
if name is not None)
993
1432
994
1433
@dbus.service.method(dbus.PROPERTIES_IFACE,
995
1434
in_signature="ss",
996
1435
out_signature="v")
1004
1443
if not hasattr(value, "variant_level"):
1005
1444
return value
1006
1445
return type(value)(value, variant_level=value.variant_level+1)
1007
1446
1008
1447
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1009
1448
def Set(self, interface_name, property_name, value):
1010
1449
"""Standard D-Bus property Set() method, see D-Bus standard.
1019
1458
raise ValueError("Byte arrays not supported for non-"
1020
1459
"'ay' signature {!r}"
1021
1460
.format(prop._dbus_signature))
1022
value = dbus.ByteArray(b''.join(chr(byte)
1023
for byte in value))
1461
value = dbus.ByteArray(bytes(value))
1024
1462
prop(value)
1025
1463
1026
1464
@dbus.service.method(dbus.PROPERTIES_IFACE,
1027
1465
in_signature="s",
1028
1466
out_signature="a{sv}")
1029
1467
def GetAll(self, interface_name):
1030
1468
"""Standard D-Bus property GetAll() method, see D-Bus
1031
1469
standard.
1032
1470
1033
1471
Note: Will not include properties with access="write".
1034
1472
"""
1035
1473
properties = {}
1046
1484
properties[name] = value
1047
1485
continue
1048
1486
properties[name] = type(value)(
1049
value, variant_level = value.variant_level + 1)
1487
value, variant_level=value.variant_level + 1)
1050
1488
return dbus.Dictionary(properties, signature="sv")
1051
1489
1052
1490
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1053
1491
def PropertiesChanged(self, interface_name, changed_properties,
1054
1492
invalidated_properties):
1056
1494
standard.
1057
1495
"""
1058
1496
pass
1059
1497
1060
1498
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1061
1499
out_signature="s",
1062
path_keyword='object_path',
1063
connection_keyword='connection')
1500
path_keyword="object_path",
1501
connection_keyword="connection")
1064
1502
def Introspect(self, object_path, connection):
1065
1503
"""Overloading of standard D-Bus method.
1066
1504
1067
1505
Inserts property tags and interface annotation tags.
1068
1506
"""
1069
1507
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1071
1509
connection)
1072
1510
try:
1073
1511
document = xml.dom.minidom.parseString(xmlstring)
1074
1512
1075
1513
def make_tag(document, name, prop):
1076
1514
e = document.createElement("property")
1077
1515
e.setAttribute("name", name)
1078
1516
e.setAttribute("type", prop._dbus_signature)
1079
1517
e.setAttribute("access", prop._dbus_access)
1080
1518
return e
1081
1519
1082
1520
for if_tag in document.getElementsByTagName("interface"):
1083
1521
# Add property tags
1084
1522
for tag in (make_tag(document, name, prop)
1126
1564
exc_info=error)
1127
1565
return xmlstring
1128
1566
1567
1129
1568
try:
1130
1569
dbus.OBJECT_MANAGER_IFACE
1131
1570
except AttributeError:
1132
1571
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1133
1572
1573
1134
1574
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1135
1575
"""A D-Bus object with an ObjectManager.
1136
1576
1137
1577
Classes inheriting from this exposes the standard
1138
1578
GetManagedObjects call and the InterfacesAdded and
1139
1579
InterfacesRemoved signals on the standard
1140
1580
"org.freedesktop.DBus.ObjectManager" interface.
1141
1581
1142
1582
Note: No signals are sent automatically; they must be sent
1143
1583
manually.
1144
1584
"""
1145
1585
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1146
out_signature = "a{oa{sa{sv}}}")
1586
out_signature="a{oa{sa{sv}}}")
1147
1587
def GetManagedObjects(self):
1148
1588
"""This function must be overridden"""
1149
1589
raise NotImplementedError()
1150
1590
1151
1591
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1152
signature = "oa{sa{sv}}")
1592
signature="oa{sa{sv}}")
1153
1593
def InterfacesAdded(self, object_path, interfaces_and_properties):
1154
1594
pass
1155
1156
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1595
1596
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1157
1597
def InterfacesRemoved(self, object_path, interfaces):
1158
1598
pass
1159
1599
1160
1600
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1601
out_signature="s",
1602
path_keyword="object_path",
1603
connection_keyword="connection")
1164
1604
def Introspect(self, object_path, connection):
1165
1605
"""Overloading of standard D-Bus method.
1166
1606
1167
1607
Override return argument name of GetManagedObjects to be
1168
1608
"objpath_interfaces_and_properties"
1169
1609
"""
1172
1612
connection)
1173
1613
try:
1174
1614
document = xml.dom.minidom.parseString(xmlstring)
1175
1615
1176
1616
for if_tag in document.getElementsByTagName("interface"):
1177
1617
# Fix argument name for the GetManagedObjects method
1178
1618
if (if_tag.getAttribute("name")
1179
== dbus.OBJECT_MANAGER_IFACE):
1619
== dbus.OBJECT_MANAGER_IFACE):
1180
1620
for cn in if_tag.getElementsByTagName("method"):
1181
1621
if (cn.getAttribute("name")
1182
1622
== "GetManagedObjects"):
1192
1632
except (AttributeError, xml.dom.DOMException,
1193
1633
xml.parsers.expat.ExpatError) as error:
1194
1634
logger.error("Failed to override Introspection method",
1195
exc_info = error)
1635
exc_info=error)
1196
1636
return xmlstring
1197
1637
1638
1198
1639
def datetime_to_dbus(dt, variant_level=0):
1199
1640
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1200
1641
if dt is None:
1201
return dbus.String("", variant_level = variant_level)
1642
return dbus.String("", variant_level=variant_level)
1202
1643
return dbus.String(dt.isoformat(), variant_level=variant_level)
1203
1644
1204
1645
1207
1648
dbus.service.Object, it will add alternate D-Bus attributes with
1208
1649
interface names according to the "alt_interface_names" mapping.
1209
1650
Usage:
1210
1651
1211
1652
@alternate_dbus_interfaces({"org.example.Interface":
1212
1653
"net.example.AlternateInterface"})
1213
1654
class SampleDBusObject(dbus.service.Object):
1214
1655
@dbus.service.method("org.example.Interface")
1215
1656
def SampleDBusMethod():
1216
1657
pass
1217
1658
1218
1659
The above "SampleDBusMethod" on "SampleDBusObject" will be
1219
1660
reachable via two interfaces: "org.example.Interface" and
1220
1661
"net.example.AlternateInterface", the latter of which will have
1221
1662
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1222
1663
"true", unless "deprecate" is passed with a False value.
1223
1664
1224
1665
This works for methods and signals, and also for D-Bus properties
1225
1666
(from DBusObjectWithProperties) and interfaces (from the
1226
1667
dbus_interface_annotations decorator).
1227
1668
"""
1228
1669
1229
1670
def wrapper(cls):
1230
1671
for orig_interface_name, alt_interface_name in (
1231
1672
alt_interface_names.items()):
1246
1687
interface_names.add(alt_interface)
1247
1688
# Is this a D-Bus signal?
1248
1689
if getattr(attribute, "_dbus_is_signal", False):
1690
# Extract the original non-method undecorated
1691
# function by black magic
1249
1692
if sys.version_info.major == 2:
1250
# Extract the original non-method undecorated
1251
# function by black magic
1252
1693
nonmethod_func = (dict(
1253
1694
zip(attribute.func_code.co_freevars,
1254
1695
attribute.__closure__))
1255
1696
["func"].cell_contents)
1256
1697
else:
1257
nonmethod_func = attribute
1698
nonmethod_func = (dict(
1699
zip(attribute.__code__.co_freevars,
1700
attribute.__closure__))
1701
["func"].cell_contents)
1258
1702
# Create a new, but exactly alike, function
1259
1703
# object, and decorate it to be a new D-Bus signal
1260
1704
# with the alternate D-Bus interface name
1261
if sys.version_info.major == 2:
1262
new_function = types.FunctionType(
1263
nonmethod_func.func_code,
1264
nonmethod_func.func_globals,
1265
nonmethod_func.func_name,
1266
nonmethod_func.func_defaults,
1267
nonmethod_func.func_closure)
1268
else:
1269
new_function = types.FunctionType(
1270
nonmethod_func.__code__,
1271
nonmethod_func.__globals__,
1272
nonmethod_func.__name__,
1273
nonmethod_func.__defaults__,
1274
nonmethod_func.__closure__)
1705
new_function = copy_function(nonmethod_func)
1275
1706
new_function = (dbus.service.signal(
1276
1707
alt_interface,
1277
1708
attribute._dbus_signature)(new_function))
1281
1712
attribute._dbus_annotations)
1282
1713
except AttributeError:
1283
1714
pass
1715
1284
1716
# Define a creator of a function to call both the
1285
1717
# original and alternate functions, so both the
1286
1718
# original and alternate signals gets sent when
1289
1721
"""This function is a scope container to pass
1290
1722
func1 and func2 to the "call_both" function
1291
1723
outside of its arguments"""
1292
1724
1293
1725
@functools.wraps(func2)
1294
1726
def call_both(*args, **kwargs):
1295
1727
"""This function will emit two D-Bus
1296
1728
signals by calling func1 and func2"""
1297
1729
func1(*args, **kwargs)
1298
1730
func2(*args, **kwargs)
1299
# Make wrapper function look like a D-Bus signal
1731
# Make wrapper function look like a D-Bus
1732
# signal
1300
1733
for name, attr in inspect.getmembers(func2):
1301
1734
if name.startswith("_dbus_"):
1302
1735
setattr(call_both, name, attr)
1303
1736
1304
1737
return call_both
1305
1738
# Create the "call_both" function and add it to
1306
1739
# the class
1316
1749
alt_interface,
1317
1750
attribute._dbus_in_signature,
1318
1751
attribute._dbus_out_signature)
1319
(types.FunctionType(attribute.func_code,
1320
attribute.func_globals,
1321
attribute.func_name,
1322
attribute.func_defaults,
1323
attribute.func_closure)))
1752
(copy_function(attribute)))
1324
1753
# Copy annotations, if any
1325
1754
try:
1326
1755
attr[attrname]._dbus_annotations = dict(
1338
1767
attribute._dbus_access,
1339
1768
attribute._dbus_get_args_options
1340
1769
["byte_arrays"])
1341
(types.FunctionType(
1342
attribute.func_code,
1343
attribute.func_globals,
1344
attribute.func_name,
1345
attribute.func_defaults,
1346
attribute.func_closure)))
1770
(copy_function(attribute)))
1347
1771
# Copy annotations, if any
1348
1772
try:
1349
1773
attr[attrname]._dbus_annotations = dict(
1358
1782
# to the class.
1359
1783
attr[attrname] = (
1360
1784
dbus_interface_annotations(alt_interface)
1361
(types.FunctionType(attribute.func_code,
1362
attribute.func_globals,
1363
attribute.func_name,
1364
attribute.func_defaults,
1365
attribute.func_closure)))
1785
(copy_function(attribute)))
1366
1786
if deprecate:
1367
1787
# Deprecate all alternate interfaces
1368
iname="_AlternateDBusNames_interface_annotation{}"
1788
iname = "_AlternateDBusNames_interface_annotation{}"
1369
1789
for interface_name in interface_names:
1370
1790
1371
1791
@dbus_interface_annotations(interface_name)
1372
1792
def func(self):
1373
return { "org.freedesktop.DBus.Deprecated":
1374
"true" }
1793
return {"org.freedesktop.DBus.Deprecated":
1794
"true"}
1375
1795
# Find an unused name
1376
1796
for aname in (iname.format(i)
1377
1797
for i in itertools.count()):
1381
1801
if interface_names:
1382
1802
# Replace the class with a new subclass of it with
1383
1803
# methods, signals, etc. as created above.
1384
cls = type(b"{}Alternate".format(cls.__name__),
1385
(cls, ), attr)
1804
if sys.version_info.major == 2:
1805
cls = type(b"{}Alternate".format(cls.__name__),
1806
(cls, ), attr)
1807
else:
1808
cls = type("{}Alternate".format(cls.__name__),
1809
(cls, ), attr)
1386
1810
return cls
1387
1811
1388
1812
return wrapper
1389
1813
1390
1814
1392
1816
"se.bsnet.fukt.Mandos"})
1393
1817
class ClientDBus(Client, DBusObjectWithProperties):
1394
1818
"""A Client class using D-Bus
1395
1819
1396
1820
Attributes:
1397
1821
dbus_object_path: dbus.ObjectPath
1398
1822
bus: dbus.SystemBus()
1399
1823
"""
1400
1824
1401
1825
runtime_expansions = (Client.runtime_expansions
1402
1826
+ ("dbus_object_path", ))
1403
1827
1404
1828
_interface = "se.recompile.Mandos.Client"
1405
1829
1406
1830
# dbus.service.Object doesn't use super(), so we can't either.
1407
1408
def __init__(self, bus = None, *args, **kwargs):
1831
1832
def __init__(self, bus=None, *args, **kwargs):
1409
1833
self.bus = bus
1410
1834
Client.__init__(self, *args, **kwargs)
1411
1835
# Only now, when this client is initialized, can it show up on
1417
1841
"/clients/" + client_object_name)
1418
1842
DBusObjectWithProperties.__init__(self, self.bus,
1419
1843
self.dbus_object_path)
1420
1844
1421
1845
def notifychangeproperty(transform_func, dbus_name,
1422
1846
type_func=lambda x: x,
1423
1847
variant_level=1,
1425
1849
_interface=_interface):
1426
1850
""" Modify a variable so that it's a property which announces
1427
1851
its changes to DBus.
1428
1852
1429
1853
transform_fun: Function that takes a value and a variant_level
1430
1854
and transforms it to a D-Bus type.
1431
1855
dbus_name: D-Bus name of the variable
1434
1858
variant_level: D-Bus variant level. Default: 1
1435
1859
"""
1436
1860
attrname = "_{}".format(dbus_name)
1437
1861
1438
1862
def setter(self, value):
1439
1863
if hasattr(self, "dbus_object_path"):
1440
1864
if (not hasattr(self, attrname) or
1447
1871
else:
1448
1872
dbus_value = transform_func(
1449
1873
type_func(value),
1450
variant_level = variant_level)
1874
variant_level=variant_level)
1451
1875
self.PropertyChanged(dbus.String(dbus_name),
1452
1876
dbus_value)
1453
1877
self.PropertiesChanged(
1454
1878
_interface,
1455
dbus.Dictionary({ dbus.String(dbus_name):
1456
dbus_value }),
1879
dbus.Dictionary({dbus.String(dbus_name):
1880
dbus_value}),
1457
1881
dbus.Array())
1458
1882
setattr(self, attrname, value)
1459
1883
1460
1884
return property(lambda self: getattr(self, attrname), setter)
1461
1885
1462
1886
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1463
1887
approvals_pending = notifychangeproperty(dbus.Boolean,
1464
1888
"ApprovalPending",
1465
type_func = bool)
1889
type_func=bool)
1466
1890
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1467
1891
last_enabled = notifychangeproperty(datetime_to_dbus,
1468
1892
"LastEnabled")
1469
1893
checker = notifychangeproperty(
1470
1894
dbus.Boolean, "CheckerRunning",
1471
type_func = lambda checker: checker is not None)
1895
type_func=lambda checker: checker is not None)
1472
1896
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1473
1897
"LastCheckedOK")
1474
1898
last_checker_status = notifychangeproperty(dbus.Int16,
1479
1903
"ApprovedByDefault")
1480
1904
approval_delay = notifychangeproperty(
1481
1905
dbus.UInt64, "ApprovalDelay",
1482
type_func = lambda td: td.total_seconds() * 1000)
1906
type_func=lambda td: td.total_seconds() * 1000)
1483
1907
approval_duration = notifychangeproperty(
1484
1908
dbus.UInt64, "ApprovalDuration",
1485
type_func = lambda td: td.total_seconds() * 1000)
1909
type_func=lambda td: td.total_seconds() * 1000)
1486
1910
host = notifychangeproperty(dbus.String, "Host")
1487
1911
timeout = notifychangeproperty(
1488
1912
dbus.UInt64, "Timeout",
1489
type_func = lambda td: td.total_seconds() * 1000)
1913
type_func=lambda td: td.total_seconds() * 1000)
1490
1914
extended_timeout = notifychangeproperty(
1491
1915
dbus.UInt64, "ExtendedTimeout",
1492
type_func = lambda td: td.total_seconds() * 1000)
1916
type_func=lambda td: td.total_seconds() * 1000)
1493
1917
interval = notifychangeproperty(
1494
1918
dbus.UInt64, "Interval",
1495
type_func = lambda td: td.total_seconds() * 1000)
1919
type_func=lambda td: td.total_seconds() * 1000)
1496
1920
checker_command = notifychangeproperty(dbus.String, "Checker")
1497
1921
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1498
1922
invalidate_only=True)
1499
1923
1500
1924
del notifychangeproperty
1501
1925
1502
1926
def __del__(self, *args, **kwargs):
1503
1927
try:
1504
1928
self.remove_from_connection()
1507
1931
if hasattr(DBusObjectWithProperties, "__del__"):
1508
1932
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1509
1933
Client.__del__(self, *args, **kwargs)
1510
1934
1511
1935
def checker_callback(self, source, condition,
1512
1936
connection, command, *args, **kwargs):
1513
1937
ret = Client.checker_callback(self, source, condition,
1529
1953
| self.last_checker_signal),
1530
1954
dbus.String(command))
1531
1955
return ret
1532
1956
1533
1957
def start_checker(self, *args, **kwargs):
1534
1958
old_checker_pid = getattr(self.checker, "pid", None)
1535
1959
r = Client.start_checker(self, *args, **kwargs)
1539
1963
# Emit D-Bus signal
1540
1964
self.CheckerStarted(self.current_checker_command)
1541
1965
return r
1542
1966
1543
1967
def _reset_approved(self):
1544
1968
self.approved = None
1545
1969
return False
1546
1970
1547
1971
def approve(self, value=True):
1548
1972
self.approved = value
1549
gobject.timeout_add(int(self.approval_duration.total_seconds()
1550
* 1000), self._reset_approved)
1973
GLib.timeout_add(int(self.approval_duration.total_seconds()
1974
* 1000), self._reset_approved)
1551
1975
self.send_changedstate()
1552
1553
## D-Bus methods, signals & properties
1554
1555
## Interfaces
1556
1557
## Signals
1558
1976
1977
# D-Bus methods, signals & properties
1978
1979
# Interfaces
1980
1981
# Signals
1982
1559
1983
# CheckerCompleted - signal
1560
1984
@dbus.service.signal(_interface, signature="nxs")
1561
1985
def CheckerCompleted(self, exitcode, waitstatus, command):
1562
1986
"D-Bus signal"
1563
1987
pass
1564
1988
1565
1989
# CheckerStarted - signal
1566
1990
@dbus.service.signal(_interface, signature="s")
1567
1991
def CheckerStarted(self, command):
1568
1992
"D-Bus signal"
1569
1993
pass
1570
1994
1571
1995
# PropertyChanged - signal
1572
1996
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1573
1997
@dbus.service.signal(_interface, signature="sv")
1574
1998
def PropertyChanged(self, property, value):
1575
1999
"D-Bus signal"
1576
2000
pass
1577
2001
1578
2002
# GotSecret - signal
1579
2003
@dbus.service.signal(_interface)
1580
2004
def GotSecret(self):
1583
2007
server to mandos-client
1584
2008
"""
1585
2009
pass
1586
2010
1587
2011
# Rejected - signal
1588
2012
@dbus.service.signal(_interface, signature="s")
1589
2013
def Rejected(self, reason):
1590
2014
"D-Bus signal"
1591
2015
pass
1592
2016
1593
2017
# NeedApproval - signal
1594
2018
@dbus.service.signal(_interface, signature="tb")
1595
2019
def NeedApproval(self, timeout, default):
1596
2020
"D-Bus signal"
1597
2021
return self.need_approval()
1598
1599
## Methods
1600
2022
2023
# Methods
2024
1601
2025
# Approve - method
1602
2026
@dbus.service.method(_interface, in_signature="b")
1603
2027
def Approve(self, value):
1604
2028
self.approve(value)
1605
2029
1606
2030
# CheckedOK - method
1607
2031
@dbus.service.method(_interface)
1608
2032
def CheckedOK(self):
1609
2033
self.checked_ok()
1610
2034
1611
2035
# Enable - method
1612
2036
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1613
2037
@dbus.service.method(_interface)
1614
2038
def Enable(self):
1615
2039
"D-Bus method"
1616
2040
self.enable()
1617
2041
1618
2042
# StartChecker - method
1619
2043
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1620
2044
@dbus.service.method(_interface)
1621
2045
def StartChecker(self):
1622
2046
"D-Bus method"
1623
2047
self.start_checker()
1624
2048
1625
2049
# Disable - method
1626
2050
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1627
2051
@dbus.service.method(_interface)
1628
2052
def Disable(self):
1629
2053
"D-Bus method"
1630
2054
self.disable()
1631
2055
1632
2056
# StopChecker - method
1633
2057
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1634
2058
@dbus.service.method(_interface)
1635
2059
def StopChecker(self):
1636
2060
self.stop_checker()
1637
1638
## Properties
1639
2061
2062
# Properties
2063
1640
2064
# ApprovalPending - property
1641
2065
@dbus_service_property(_interface, signature="b", access="read")
1642
2066
def ApprovalPending_dbus_property(self):
1643
2067
return dbus.Boolean(bool(self.approvals_pending))
1644
2068
1645
2069
# ApprovedByDefault - property
1646
2070
@dbus_service_property(_interface,
1647
2071
signature="b",
1650
2074
if value is None: # get
1651
2075
return dbus.Boolean(self.approved_by_default)
1652
2076
self.approved_by_default = bool(value)
1653
2077
1654
2078
# ApprovalDelay - property
1655
2079
@dbus_service_property(_interface,
1656
2080
signature="t",
1660
2084
return dbus.UInt64(self.approval_delay.total_seconds()
1661
2085
* 1000)
1662
2086
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1663
2087
1664
2088
# ApprovalDuration - property
1665
2089
@dbus_service_property(_interface,
1666
2090
signature="t",
1670
2094
return dbus.UInt64(self.approval_duration.total_seconds()
1671
2095
* 1000)
1672
2096
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1673
2097
1674
2098
# Name - property
1675
2099
@dbus_annotations(
1676
2100
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1677
2101
@dbus_service_property(_interface, signature="s", access="read")
1678
2102
def Name_dbus_property(self):
1679
2103
return dbus.String(self.name)
1680
2104
2105
# KeyID - property
2106
@dbus_annotations(
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2108
@dbus_service_property(_interface, signature="s", access="read")
2109
def KeyID_dbus_property(self):
2110
return dbus.String(self.key_id)
2111
1681
2112
# Fingerprint - property
1682
2113
@dbus_annotations(
1683
2114
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1684
2115
@dbus_service_property(_interface, signature="s", access="read")
1685
2116
def Fingerprint_dbus_property(self):
1686
2117
return dbus.String(self.fingerprint)
1687
2118
1688
2119
# Host - property
1689
2120
@dbus_service_property(_interface,
1690
2121
signature="s",
1693
2124
if value is None: # get
1694
2125
return dbus.String(self.host)
1695
2126
self.host = str(value)
1696
2127
1697
2128
# Created - property
1698
2129
@dbus_annotations(
1699
2130
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1700
2131
@dbus_service_property(_interface, signature="s", access="read")
1701
2132
def Created_dbus_property(self):
1702
2133
return datetime_to_dbus(self.created)
1703
2134
1704
2135
# LastEnabled - property
1705
2136
@dbus_service_property(_interface, signature="s", access="read")
1706
2137
def LastEnabled_dbus_property(self):
1707
2138
return datetime_to_dbus(self.last_enabled)
1708
2139
1709
2140
# Enabled - property
1710
2141
@dbus_service_property(_interface,
1711
2142
signature="b",
1717
2148
self.enable()
1718
2149
else:
1719
2150
self.disable()
1720
2151
1721
2152
# LastCheckedOK - property
1722
2153
@dbus_service_property(_interface,
1723
2154
signature="s",
1727
2158
self.checked_ok()
1728
2159
return
1729
2160
return datetime_to_dbus(self.last_checked_ok)
1730
2161
1731
2162
# LastCheckerStatus - property
1732
2163
@dbus_service_property(_interface, signature="n", access="read")
1733
2164
def LastCheckerStatus_dbus_property(self):
1734
2165
return dbus.Int16(self.last_checker_status)
1735
2166
1736
2167
# Expires - property
1737
2168
@dbus_service_property(_interface, signature="s", access="read")
1738
2169
def Expires_dbus_property(self):
1739
2170
return datetime_to_dbus(self.expires)
1740
2171
1741
2172
# LastApprovalRequest - property
1742
2173
@dbus_service_property(_interface, signature="s", access="read")
1743
2174
def LastApprovalRequest_dbus_property(self):
1744
2175
return datetime_to_dbus(self.last_approval_request)
1745
2176
1746
2177
# Timeout - property
1747
2178
@dbus_service_property(_interface,
1748
2179
signature="t",
1763
2194
if (getattr(self, "disable_initiator_tag", None)
1764
2195
is None):
1765
2196
return
1766
gobject.source_remove(self.disable_initiator_tag)
1767
self.disable_initiator_tag = gobject.timeout_add(
2197
GLib.source_remove(self.disable_initiator_tag)
2198
self.disable_initiator_tag = GLib.timeout_add(
1768
2199
int((self.expires - now).total_seconds() * 1000),
1769
2200
self.disable)
1770
2201
1771
2202
# ExtendedTimeout - property
1772
2203
@dbus_service_property(_interface,
1773
2204
signature="t",
1777
2208
return dbus.UInt64(self.extended_timeout.total_seconds()
1778
2209
* 1000)
1779
2210
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1780
2211
1781
2212
# Interval - property
1782
2213
@dbus_service_property(_interface,
1783
2214
signature="t",
1790
2221
return
1791
2222
if self.enabled:
1792
2223
# Reschedule checker run
1793
gobject.source_remove(self.checker_initiator_tag)
1794
self.checker_initiator_tag = gobject.timeout_add(
2224
GLib.source_remove(self.checker_initiator_tag)
2225
self.checker_initiator_tag = GLib.timeout_add(
1795
2226
value, self.start_checker)
1796
self.start_checker() # Start one now, too
1797
2227
self.start_checker() # Start one now, too
2228
1798
2229
# Checker - property
1799
2230
@dbus_service_property(_interface,
1800
2231
signature="s",
1803
2234
if value is None: # get
1804
2235
return dbus.String(self.checker_command)
1805
2236
self.checker_command = str(value)
1806
2237
1807
2238
# CheckerRunning - property
1808
2239
@dbus_service_property(_interface,
1809
2240
signature="b",
1815
2246
self.start_checker()
1816
2247
else:
1817
2248
self.stop_checker()
1818
2249
1819
2250
# ObjectPath - property
1820
2251
@dbus_annotations(
1821
2252
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1822
2253
"org.freedesktop.DBus.Deprecated": "true"})
1823
2254
@dbus_service_property(_interface, signature="o", access="read")
1824
2255
def ObjectPath_dbus_property(self):
1825
return self.dbus_object_path # is already a dbus.ObjectPath
1826
2256
return self.dbus_object_path # is already a dbus.ObjectPath
2257
1827
2258
# Secret = property
1828
2259
@dbus_annotations(
1829
2260
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1834
2265
byte_arrays=True)
1835
2266
def Secret_dbus_property(self, value):
1836
2267
self.secret = bytes(value)
1837
2268
1838
2269
del _interface
1839
2270
1840
2271
1841
class ProxyClient(object):
1842
def __init__(self, child_pipe, fpr, address):
2272
class ProxyClient:
2273
def __init__(self, child_pipe, key_id, fpr, address):
1843
2274
self._pipe = child_pipe
1844
self._pipe.send(('init', fpr, address))
2275
self._pipe.send(("init", key_id, fpr, address))
1845
2276
if not self._pipe.recv():
1846
raise KeyError(fpr)
1847
2277
raise KeyError(key_id or fpr)
2278
1848
2279
def __getattribute__(self, name):
1849
if name == '_pipe':
2280
if name == "_pipe":
1850
2281
return super(ProxyClient, self).__getattribute__(name)
1851
self._pipe.send(('getattr', name))
2282
self._pipe.send(("getattr", name))
1852
2283
data = self._pipe.recv()
1853
if data[0] == 'data':
2284
if data[0] == "data":
1854
2285
return data[1]
1855
if data[0] == 'function':
1856
2286
if data[0] == "function":
2287
1857
2288
def func(*args, **kwargs):
1858
self._pipe.send(('funcall', name, args, kwargs))
2289
self._pipe.send(("funcall", name, args, kwargs))
1859
2290
return self._pipe.recv()[1]
1860
2291
1861
2292
return func
1862
2293
1863
2294
def __setattr__(self, name, value):
1864
if name == '_pipe':
2295
if name == "_pipe":
1865
2296
return super(ProxyClient, self).__setattr__(name, value)
1866
self._pipe.send(('setattr', name, value))
2297
self._pipe.send(("setattr", name, value))
1867
2298
1868
2299
1869
2300
class ClientHandler(socketserver.BaseRequestHandler, object):
1870
2301
"""A class to handle client connections.
1871
2302
1872
2303
Instantiated once for each connection to handle it.
1873
2304
Note: This will run in its own forked process."""
1874
2305
1875
2306
def handle(self):
1876
2307
with contextlib.closing(self.server.child_pipe) as child_pipe:
1877
2308
logger.info("TCP connection from: %s",
1878
2309
str(self.client_address))
1879
2310
logger.debug("Pipe FD: %d",
1880
2311
self.server.child_pipe.fileno())
1881
1882
session = gnutls.connection.ClientSession(
1883
self.request, gnutls.connection.X509Credentials())
1884
1885
# Note: gnutls.connection.X509Credentials is really a
1886
# generic GnuTLS certificate credentials object so long as
1887
# no X.509 keys are added to it. Therefore, we can use it
1888
# here despite using OpenPGP certificates.
1889
1890
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1891
# "+AES-256-CBC", "+SHA1",
1892
# "+COMP-NULL", "+CTYPE-OPENPGP",
1893
# "+DHE-DSS"))
2312
2313
session = gnutls.ClientSession(self.request)
2314
2315
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2316
# "+AES-256-CBC", "+SHA1",
2317
# "+COMP-NULL", "+CTYPE-OPENPGP",
2318
# "+DHE-DSS"))
1894
2319
# Use a fallback default, since this MUST be set.
1895
2320
priority = self.server.gnutls_priority
1896
2321
if priority is None:
1897
2322
priority = "NORMAL"
1898
gnutls.library.functions.gnutls_priority_set_direct(
1899
session._c_object, priority, None)
1900
2323
gnutls.priority_set_direct(session,
2324
priority.encode("utf-8"), None)
2325
1901
2326
# Start communication using the Mandos protocol
1902
2327
# Get protocol number
1903
2328
line = self.request.makefile().readline()
1908
2333
except (ValueError, IndexError, RuntimeError) as error:
1909
2334
logger.error("Unknown protocol version: %s", error)
1910
2335
return
1911
2336
1912
2337
# Start GnuTLS connection
1913
2338
try:
1914
2339
session.handshake()
1915
except gnutls.errors.GNUTLSError as error:
2340
except gnutls.Error as error:
1916
2341
logger.warning("Handshake failed: %s", error)
1917
2342
# Do not run session.bye() here: the session is not
1918
2343
# established. Just abandon the request.
1919
2344
return
1920
2345
logger.debug("Handshake succeeded")
1921
2346
1922
2347
approval_required = False
1923
2348
try:
1924
try:
1925
fpr = self.fingerprint(
1926
self.peer_certificate(session))
1927
except (TypeError,
1928
gnutls.errors.GNUTLSError) as error:
1929
logger.warning("Bad certificate: %s", error)
1930
return
1931
logger.debug("Fingerprint: %s", fpr)
1932
1933
try:
1934
client = ProxyClient(child_pipe, fpr,
2349
if gnutls.has_rawpk:
2350
fpr = b""
2351
try:
2352
key_id = self.key_id(
2353
self.peer_certificate(session))
2354
except (TypeError, gnutls.Error) as error:
2355
logger.warning("Bad certificate: %s", error)
2356
return
2357
logger.debug("Key ID: %s",
2358
key_id.decode("utf-8",
2359
errors="replace"))
2360
2361
else:
2362
key_id = b""
2363
try:
2364
fpr = self.fingerprint(
2365
self.peer_certificate(session))
2366
except (TypeError, gnutls.Error) as error:
2367
logger.warning("Bad certificate: %s", error)
2368
return
2369
logger.debug("Fingerprint: %s", fpr)
2370
2371
try:
2372
client = ProxyClient(child_pipe, key_id, fpr,
1935
2373
self.client_address)
1936
2374
except KeyError:
1937
2375
return
1938
2376
1939
2377
if client.approval_delay:
1940
2378
delay = client.approval_delay
1941
2379
client.approvals_pending += 1
1942
2380
approval_required = True
1943
2381
1944
2382
while True:
1945
2383
if not client.enabled:
1946
2384
logger.info("Client %s is disabled",
1949
2387
# Emit D-Bus signal
1950
2388
client.Rejected("Disabled")
1951
2389
return
1952
2390
1953
2391
if client.approved or not client.approval_delay:
1954
#We are approved or approval is disabled
2392
# We are approved or approval is disabled
1955
2393
break
1956
2394
elif client.approved is None:
1957
2395
logger.info("Client %s needs approval",
1968
2406
# Emit D-Bus signal
1969
2407
client.Rejected("Denied")
1970
2408
return
1971
1972
#wait until timeout or approved
2409
2410
# wait until timeout or approved
1973
2411
time = datetime.datetime.now()
1974
2412
client.changedstate.acquire()
1975
2413
client.changedstate.wait(delay.total_seconds())
1988
2426
break
1989
2427
else:
1990
2428
delay -= time2 - time
1991
1992
sent_size = 0
1993
while sent_size < len(client.secret):
1994
try:
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
1998
exc_info=error)
1999
return
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2002
+ sent))
2003
sent_size += sent
2004
2429
2430
try:
2431
session.send(client.secret)
2432
except gnutls.Error as error:
2433
logger.warning("gnutls send failed",
2434
exc_info=error)
2435
return
2436
2005
2437
logger.info("Sending secret to %s", client.name)
2006
2438
# bump the timeout using extended_timeout
2007
2439
client.bump_timeout(client.extended_timeout)
2008
2440
if self.server.use_dbus:
2009
2441
# Emit D-Bus signal
2010
2442
client.GotSecret()
2011
2443
2012
2444
finally:
2013
2445
if approval_required:
2014
2446
client.approvals_pending -= 1
2015
2447
try:
2016
2448
session.bye()
2017
except gnutls.errors.GNUTLSError as error:
2449
except gnutls.Error as error:
2018
2450
logger.warning("GnuTLS bye failed",
2019
2451
exc_info=error)
2020
2452
2021
2453
@staticmethod
2022
2454
def peer_certificate(session):
2023
"Return the peer's OpenPGP certificate as a bytestring"
2024
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2026
session._c_object)
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2455
"Return the peer's certificate as a bytestring"
2456
try:
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2463
else:
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2468
valid_cert_types)
2469
# ...return invalid data
2470
return b""
2030
2471
list_size = ctypes.c_uint(1)
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2033
(session._c_object, ctypes.byref(list_size)))
2472
cert_list = (gnutls.certificate_get_peers
2473
(session, ctypes.byref(list_size)))
2034
2474
if not bool(cert_list) and list_size.value != 0:
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2036
" certificate")
2475
raise gnutls.Error("error getting peer certificate")
2037
2476
if list_size.value == 0:
2038
2477
return None
2039
2478
cert = cert_list[0]
2040
2479
return ctypes.string_at(cert.data, cert.size)
2041
2480
2481
@staticmethod
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2502
pubkey,
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2509
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2514
return hex_key_id
2515
2042
2516
@staticmethod
2043
2517
def fingerprint(openpgp):
2044
2518
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2045
2519
# New GnuTLS "datum" with the OpenPGP public key
2046
datum = gnutls.library.types.gnutls_datum_t(
2520
datum = gnutls.datum_t(
2047
2521
ctypes.cast(ctypes.c_char_p(openpgp),
2048
2522
ctypes.POINTER(ctypes.c_ubyte)),
2049
2523
ctypes.c_uint(len(openpgp)))
2050
2524
# New empty GnuTLS certificate
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2053
ctypes.byref(crt))
2525
crt = gnutls.openpgp_crt_t()
2526
gnutls.openpgp_crt_init(ctypes.byref(crt))
2054
2527
# Import the OpenPGP public key into the certificate
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2528
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2529
gnutls.OPENPGP_FMT_RAW)
2058
2530
# Verify the self signature in the key
2059
2531
crtverify = ctypes.c_uint()
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2532
gnutls.openpgp_crt_verify_self(crt, 0,
2533
ctypes.byref(crtverify))
2062
2534
if crtverify.value != 0:
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2065
"Verify failed")
2535
gnutls.openpgp_crt_deinit(crt)
2536
raise gnutls.CertificateSecurityError(code
2537
=crtverify.value)
2066
2538
# New buffer for the fingerprint
2067
2539
buf = ctypes.create_string_buffer(20)
2068
2540
buf_len = ctypes.c_size_t()
2069
2541
# Get the fingerprint from the certificate into the buffer
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2542
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2543
ctypes.byref(buf_len))
2072
2544
# Deinit the certificate
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2545
gnutls.openpgp_crt_deinit(crt)
2074
2546
# Convert the buffer to a Python bytestring
2075
2547
fpr = ctypes.string_at(buf, buf_len.value)
2076
2548
# Convert the bytestring to hexadecimal notation
2078
2550
return hex_fpr
2079
2551
2080
2552
2081
class MultiprocessingMixIn(object):
2553
class MultiprocessingMixIn:
2082
2554
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2083
2555
2084
2556
def sub_process_main(self, request, address):
2085
2557
try:
2086
2558
self.finish_request(request, address)
2087
2559
except Exception:
2088
2560
self.handle_error(request, address)
2089
2561
self.close_request(request)
2090
2562
2091
2563
def process_request(self, request, address):
2092
2564
"""Start a new process to process the request."""
2093
proc = multiprocessing.Process(target = self.sub_process_main,
2094
args = (request, address))
2565
proc = multiprocessing.Process(target=self.sub_process_main,
2566
args=(request, address))
2095
2567
proc.start()
2096
2568
return proc
2097
2569
2098
2570
2099
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2571
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2100
2572
""" adds a pipe to the MixIn """
2101
2573
2102
2574
def process_request(self, request, client_address):
2103
2575
"""Overrides and wraps the original process_request().
2104
2576
2105
2577
This function creates a new pipe in self.pipe
2106
2578
"""
2107
2579
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2108
2580
2109
2581
proc = MultiprocessingMixIn.process_request(self, request,
2110
2582
client_address)
2111
2583
self.child_pipe.close()
2112
2584
self.add_pipe(parent_pipe, proc)
2113
2585
2114
2586
def add_pipe(self, parent_pipe, proc):
2115
2587
"""Dummy function; override as necessary"""
2116
2588
raise NotImplementedError()
2117
2589
2118
2590
2119
2591
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2120
socketserver.TCPServer, object):
2121
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2122
2592
socketserver.TCPServer):
2593
"""IPv6-capable TCP server. Accepts None as address and/or port
2594
2123
2595
Attributes:
2124
2596
enabled: Boolean; whether this server is activated yet
2125
2597
interface: None or a network interface name (string)
2126
2598
use_ipv6: Boolean; to use IPv6 or not
2127
2599
"""
2128
2600
2129
2601
def __init__(self, server_address, RequestHandlerClass,
2130
2602
interface=None,
2131
2603
use_ipv6=True,
2141
2613
self.socketfd = socketfd
2142
2614
# Save the original socket.socket() function
2143
2615
self.socket_socket = socket.socket
2616
2144
2617
# To implement --socket, we monkey patch socket.socket.
2145
#
2618
#
2146
2619
# (When socketserver.TCPServer is a new-style class, we
2147
2620
# could make self.socket into a property instead of monkey
2148
2621
# patching socket.socket.)
2149
#
2622
#
2150
2623
# Create a one-time-only replacement for socket.socket()
2151
2624
@functools.wraps(socket.socket)
2152
2625
def socket_wrapper(*args, **kwargs):
2164
2637
# socket_wrapper(), if socketfd was set.
2165
2638
socketserver.TCPServer.__init__(self, server_address,
2166
2639
RequestHandlerClass)
2167
2640
2168
2641
def server_bind(self):
2169
2642
"""This overrides the normal server_bind() function
2170
2643
to bind to an interface if one was specified, and also NOT to
2171
2644
bind to an address or port if they were not specified."""
2645
global SO_BINDTODEVICE
2172
2646
if self.interface is not None:
2173
2647
if SO_BINDTODEVICE is None:
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2176
self.interface)
2177
else:
2178
try:
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2189
self.interface)
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2193
else:
2194
raise
2648
# Fall back to a hard-coded value which seems to be
2649
# common enough.
2650
logger.warning("SO_BINDTODEVICE not found, trying 25")
2651
SO_BINDTODEVICE = 25
2652
try:
2653
self.socket.setsockopt(
2654
socket.SOL_SOCKET, SO_BINDTODEVICE,
2655
(self.interface + "\0").encode("utf-8"))
2656
except socket.error as error:
2657
if error.errno == errno.EPERM:
2658
logger.error("No permission to bind to"
2659
" interface %s", self.interface)
2660
elif error.errno == errno.ENOPROTOOPT:
2661
logger.error("SO_BINDTODEVICE not available;"
2662
" cannot bind to interface %s",
2663
self.interface)
2664
elif error.errno == errno.ENODEV:
2665
logger.error("Interface %s does not exist,"
2666
" cannot bind", self.interface)
2667
else:
2668
raise
2195
2669
# Only bind(2) the socket if we really need to.
2196
2670
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2197
2673
if not self.server_address[0]:
2198
2674
if self.address_family == socket.AF_INET6:
2199
any_address = "::" # in6addr_any
2675
any_address = "::" # in6addr_any
2200
2676
else:
2201
any_address = "0.0.0.0" # INADDR_ANY
2677
any_address = "0.0.0.0" # INADDR_ANY
2202
2678
self.server_address = (any_address,
2203
2679
self.server_address[1])
2204
2680
elif not self.server_address[1]:
2214
2690
2215
2691
class MandosServer(IPv6_TCPServer):
2216
2692
"""Mandos server.
2217
2693
2218
2694
Attributes:
2219
2695
clients: set of Client objects
2220
2696
gnutls_priority GnuTLS priority string
2221
2697
use_dbus: Boolean; to emit D-Bus signals or not
2222
2223
Assumes a gobject.MainLoop event loop.
2698
2699
Assumes a GLib.MainLoop event loop.
2224
2700
"""
2225
2701
2226
2702
def __init__(self, server_address, RequestHandlerClass,
2227
2703
interface=None,
2228
2704
use_ipv6=True,
2238
2714
self.gnutls_priority = gnutls_priority
2239
2715
IPv6_TCPServer.__init__(self, server_address,
2240
2716
RequestHandlerClass,
2241
interface = interface,
2242
use_ipv6 = use_ipv6,
2243
socketfd = socketfd)
2244
2717
interface=interface,
2718
use_ipv6=use_ipv6,
2719
socketfd=socketfd)
2720
2245
2721
def server_activate(self):
2246
2722
if self.enabled:
2247
2723
return socketserver.TCPServer.server_activate(self)
2248
2724
2249
2725
def enable(self):
2250
2726
self.enabled = True
2251
2727
2252
2728
def add_pipe(self, parent_pipe, proc):
2253
2729
# Call "handle_ipc" for both data and EOF events
2254
gobject.io_add_watch(
2255
parent_pipe.fileno(),
2256
gobject.IO_IN | gobject.IO_HUP,
2730
GLib.io_add_watch(
2731
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2732
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2257
2733
functools.partial(self.handle_ipc,
2258
parent_pipe = parent_pipe,
2259
proc = proc))
2260
2734
parent_pipe=parent_pipe,
2735
proc=proc))
2736
2261
2737
def handle_ipc(self, source, condition,
2262
2738
parent_pipe=None,
2263
proc = None,
2739
proc=None,
2264
2740
client_object=None):
2265
2741
# error, or the other end of multiprocessing.Pipe has closed
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2742
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
2743
# Wait for other process to exit
2268
2744
proc.join()
2269
2745
return False
2270
2746
2271
2747
# Read a request from the child
2272
2748
request = parent_pipe.recv()
2273
2749
command = request[0]
2274
2275
if command == 'init':
2276
fpr = request[1]
2277
address = request[2]
2278
2279
for c in self.clients.itervalues():
2280
if c.fingerprint == fpr:
2750
2751
if command == "init":
2752
key_id = request[1].decode("ascii")
2753
fpr = request[2].decode("ascii")
2754
address = request[3]
2755
2756
for c in self.clients.values():
2757
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2758
"27AE41E4649B934CA495991B7852B855"):
2759
continue
2760
if key_id and c.key_id == key_id:
2761
client = c
2762
break
2763
if fpr and c.fingerprint == fpr:
2281
2764
client = c
2282
2765
break
2283
2766
else:
2284
logger.info("Client not found for fingerprint: %s, ad"
2285
"dress: %s", fpr, address)
2767
logger.info("Client not found for key ID: %s, address"
2768
": %s", key_id or fpr, address)
2286
2769
if self.use_dbus:
2287
2770
# Emit D-Bus signal
2288
mandos_dbus_service.ClientNotFound(fpr,
2771
mandos_dbus_service.ClientNotFound(key_id or fpr,
2289
2772
address[0])
2290
2773
parent_pipe.send(False)
2291
2774
return False
2292
2293
gobject.io_add_watch(
2294
parent_pipe.fileno(),
2295
gobject.IO_IN | gobject.IO_HUP,
2775
2776
GLib.io_add_watch(
2777
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2778
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2296
2779
functools.partial(self.handle_ipc,
2297
parent_pipe = parent_pipe,
2298
proc = proc,
2299
client_object = client))
2780
parent_pipe=parent_pipe,
2781
proc=proc,
2782
client_object=client))
2300
2783
parent_pipe.send(True)
2301
2784
# remove the old hook in favor of the new above hook on
2302
2785
# same fileno
2303
2786
return False
2304
if command == 'funcall':
2787
if command == "funcall":
2305
2788
funcname = request[1]
2306
2789
args = request[2]
2307
2790
kwargs = request[3]
2308
2309
parent_pipe.send(('data', getattr(client_object,
2791
2792
parent_pipe.send(("data", getattr(client_object,
2310
2793
funcname)(*args,
2311
2794
**kwargs)))
2312
2313
if command == 'getattr':
2795
2796
if command == "getattr":
2314
2797
attrname = request[1]
2315
2798
if isinstance(client_object.__getattribute__(attrname),
2316
collections.Callable):
2317
parent_pipe.send(('function', ))
2799
collections.abc.Callable):
2800
parent_pipe.send(("function", ))
2318
2801
else:
2319
2802
parent_pipe.send((
2320
'data', client_object.__getattribute__(attrname)))
2321
2322
if command == 'setattr':
2803
"data", client_object.__getattribute__(attrname)))
2804
2805
if command == "setattr":
2323
2806
attrname = request[1]
2324
2807
value = request[2]
2325
2808
setattr(client_object, attrname, value)
2326
2809
2327
2810
return True
2328
2811
2329
2812
2330
2813
def rfc3339_duration_to_delta(duration):
2331
2814
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2332
2333
>>> rfc3339_duration_to_delta("P7D")
2334
datetime.timedelta(7)
2335
>>> rfc3339_duration_to_delta("PT60S")
2336
datetime.timedelta(0, 60)
2337
>>> rfc3339_duration_to_delta("PT60M")
2338
datetime.timedelta(0, 3600)
2339
>>> rfc3339_duration_to_delta("PT24H")
2340
datetime.timedelta(1)
2341
>>> rfc3339_duration_to_delta("P1W")
2342
datetime.timedelta(7)
2343
>>> rfc3339_duration_to_delta("PT5M30S")
2344
datetime.timedelta(0, 330)
2345
>>> rfc3339_duration_to_delta("P1DT3M20S")
2346
datetime.timedelta(1, 200)
2815
2816
>>> timedelta = datetime.timedelta
2817
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2818
True
2819
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2820
True
2821
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2822
True
2823
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2824
True
2825
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2826
True
2827
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2828
True
2829
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2830
True
2831
>>> del timedelta
2347
2832
"""
2348
2833
2349
2834
# Parsing an RFC 3339 duration with regular expressions is not
2350
2835
# possible - there would have to be multiple places for the same
2351
2836
# values, like seconds. The current code, while more esoteric, is
2352
2837
# cleaner without depending on a parsing library. If Python had a
2353
2838
# built-in library for parsing we would use it, but we'd like to
2354
2839
# avoid excessive use of external libraries.
2355
2840
2356
2841
# New type for defining tokens, syntax, and semantics all-in-one
2357
2842
Token = collections.namedtuple("Token", (
2358
2843
"regexp", # To match token; if "value" is not None, must have
2391
2876
frozenset((token_year, token_month,
2392
2877
token_day, token_time,
2393
2878
token_week)))
2394
# Define starting values
2395
value = datetime.timedelta() # Value so far
2879
# Define starting values:
2880
# Value so far
2881
value = datetime.timedelta()
2396
2882
found_token = None
2397
followers = frozenset((token_duration, )) # Following valid tokens
2398
s = duration # String left to parse
2883
# Following valid tokens
2884
followers = frozenset((token_duration, ))
2885
# String left to parse
2886
s = duration
2399
2887
# Loop until end token is found
2400
2888
while found_token is not token_end:
2401
2889
# Search for any currently valid tokens
2425
2913
2426
2914
def string_to_delta(interval):
2427
2915
"""Parse a string and return a datetime.timedelta
2428
2429
>>> string_to_delta('7d')
2430
datetime.timedelta(7)
2431
>>> string_to_delta('60s')
2432
datetime.timedelta(0, 60)
2433
>>> string_to_delta('60m')
2434
datetime.timedelta(0, 3600)
2435
>>> string_to_delta('24h')
2436
datetime.timedelta(1)
2437
>>> string_to_delta('1w')
2438
datetime.timedelta(7)
2439
>>> string_to_delta('5m 30s')
2440
datetime.timedelta(0, 330)
2916
2917
>>> string_to_delta("7d") == datetime.timedelta(7)
2918
True
2919
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2920
True
2921
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2922
True
2923
>>> string_to_delta("24h") == datetime.timedelta(1)
2924
True
2925
>>> string_to_delta("1w") == datetime.timedelta(7)
2926
True
2927
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2928
True
2441
2929
"""
2442
2930
2443
2931
try:
2444
2932
return rfc3339_duration_to_delta(interval)
2445
2933
except ValueError:
2446
2934
pass
2447
2935
2448
2936
timevalue = datetime.timedelta(0)
2449
2937
for s in interval.split():
2450
2938
try:
2468
2956
return timevalue
2469
2957
2470
2958
2471
def daemon(nochdir = False, noclose = False):
2959
def daemon(nochdir=False, noclose=False):
2472
2960
"""See daemon(3). Standard BSD Unix function.
2473
2961
2474
2962
This should really exist as os.daemon, but it doesn't (yet)."""
2475
2963
if os.fork():
2476
2964
sys.exit()
2494
2982
2495
2983
2496
2984
def main():
2497
2985
2498
2986
##################################################################
2499
2987
# Parsing of options, both command line and config file
2500
2988
2501
2989
parser = argparse.ArgumentParser()
2502
2990
parser.add_argument("-v", "--version", action="version",
2503
version = "%(prog)s {}".format(version),
2991
version="%(prog)s {}".format(version),
2504
2992
help="show version number and exit")
2505
2993
parser.add_argument("-i", "--interface", metavar="IF",
2506
2994
help="Bind to interface IF")
2542
3030
parser.add_argument("--no-zeroconf", action="store_false",
2543
3031
dest="zeroconf", help="Do not use Zeroconf",
2544
3032
default=None)
2545
3033
2546
3034
options = parser.parse_args()
2547
2548
if options.check:
2549
import doctest
2550
fail_count, test_count = doctest.testmod()
2551
sys.exit(os.EX_OK if fail_count == 0 else 1)
2552
3035
2553
3036
# Default values for config file for server-global settings
2554
server_defaults = { "interface": "",
2555
"address": "",
2556
"port": "",
2557
"debug": "False",
2558
"priority":
2559
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2560
":+SIGN-DSA-SHA256",
2561
"servicename": "Mandos",
2562
"use_dbus": "True",
2563
"use_ipv6": "True",
2564
"debuglevel": "",
2565
"restore": "True",
2566
"socket": "",
2567
"statedir": "/var/lib/mandos",
2568
"foreground": "False",
2569
"zeroconf": "True",
2570
}
2571
3037
if gnutls.has_rawpk:
3038
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3039
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3040
else:
3041
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3042
":+SIGN-DSA-SHA256")
3043
server_defaults = {"interface": "",
3044
"address": "",
3045
"port": "",
3046
"debug": "False",
3047
"priority": priority,
3048
"servicename": "Mandos",
3049
"use_dbus": "True",
3050
"use_ipv6": "True",
3051
"debuglevel": "",
3052
"restore": "True",
3053
"socket": "",
3054
"statedir": "/var/lib/mandos",
3055
"foreground": "False",
3056
"zeroconf": "True",
3057
}
3058
del priority
3059
2572
3060
# Parse config file for server-global settings
2573
server_config = configparser.SafeConfigParser(server_defaults)
3061
server_config = configparser.ConfigParser(server_defaults)
2574
3062
del server_defaults
2575
3063
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2576
# Convert the SafeConfigParser object to a dict
3064
# Convert the ConfigParser object to a dict
2577
3065
server_settings = server_config.defaults()
2578
3066
# Use the appropriate methods on the non-string config options
2579
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3067
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3068
"foreground", "zeroconf"):
2580
3069
server_settings[option] = server_config.getboolean("DEFAULT",
2581
3070
option)
2582
3071
if server_settings["port"]:
2592
3081
server_settings["socket"] = os.dup(server_settings
2593
3082
["socket"])
2594
3083
del server_config
2595
3084
2596
3085
# Override the settings from the config file with command line
2597
3086
# options, if set.
2598
3087
for option in ("interface", "address", "port", "debug",
2616
3105
if server_settings["debug"]:
2617
3106
server_settings["foreground"] = True
2618
3107
# Now we have our good server settings in "server_settings"
2619
3108
2620
3109
##################################################################
2621
3110
2622
3111
if (not server_settings["zeroconf"]
2623
3112
and not (server_settings["port"]
2624
3113
or server_settings["socket"] != "")):
2625
3114
parser.error("Needs port or socket to work without Zeroconf")
2626
3115
2627
3116
# For convenience
2628
3117
debug = server_settings["debug"]
2629
3118
debuglevel = server_settings["debuglevel"]
2633
3122
stored_state_file)
2634
3123
foreground = server_settings["foreground"]
2635
3124
zeroconf = server_settings["zeroconf"]
2636
3125
2637
3126
if debug:
2638
3127
initlogger(debug, logging.DEBUG)
2639
3128
else:
2642
3131
else:
2643
3132
level = getattr(logging, debuglevel.upper())
2644
3133
initlogger(debug, level)
2645
3134
2646
3135
if server_settings["servicename"] != "Mandos":
2647
3136
syslogger.setFormatter(
2648
logging.Formatter('Mandos ({}) [%(process)d]:'
2649
' %(levelname)s: %(message)s'.format(
3137
logging.Formatter("Mandos ({}) [%(process)d]:"
3138
" %(levelname)s: %(message)s".format(
2650
3139
server_settings["servicename"])))
2651
3140
2652
3141
# Parse config file with clients
2653
client_config = configparser.SafeConfigParser(Client
2654
.client_defaults)
3142
client_config = configparser.ConfigParser(Client.client_defaults)
2655
3143
client_config.read(os.path.join(server_settings["configdir"],
2656
3144
"clients.conf"))
2657
3145
2658
3146
global mandos_dbus_service
2659
3147
mandos_dbus_service = None
2660
3148
2661
3149
socketfd = None
2662
3150
if server_settings["socket"] != "":
2663
3151
socketfd = server_settings["socket"]
2679
3167
except IOError as e:
2680
3168
logger.error("Could not open file %r", pidfilename,
2681
3169
exc_info=e)
2682
2683
for name in ("_mandos", "mandos", "nobody"):
3170
3171
for name, group in (("_mandos", "_mandos"),
3172
("mandos", "mandos"),
3173
("nobody", "nogroup")):
2684
3174
try:
2685
3175
uid = pwd.getpwnam(name).pw_uid
2686
gid = pwd.getpwnam(name).pw_gid
3176
gid = pwd.getpwnam(group).pw_gid
2687
3177
break
2688
3178
except KeyError:
2689
3179
continue
2693
3183
try:
2694
3184
os.setgid(gid)
2695
3185
os.setuid(uid)
3186
if debug:
3187
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3188
gid))
2696
3189
except OSError as error:
3190
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3191
.format(uid, gid, os.strerror(error.errno)))
2697
3192
if error.errno != errno.EPERM:
2698
3193
raise
2699
3194
2700
3195
if debug:
2701
3196
# Enable all possible GnuTLS debugging
2702
3197
2703
3198
# "Use a log level over 10 to enable all debugging options."
2704
3199
# - GnuTLS manual
2705
gnutls.library.functions.gnutls_global_set_log_level(11)
2706
2707
@gnutls.library.types.gnutls_log_func
3200
gnutls.global_set_log_level(11)
3201
3202
@gnutls.log_func
2708
3203
def debug_gnutls(level, string):
2709
logger.debug("GnuTLS: %s", string[:-1])
2710
2711
gnutls.library.functions.gnutls_global_set_log_function(
2712
debug_gnutls)
2713
3204
logger.debug("GnuTLS: %s",
3205
string[:-1].decode("utf-8",
3206
errors="replace"))
3207
3208
gnutls.global_set_log_function(debug_gnutls)
3209
2714
3210
# Redirect stdin so all checkers get /dev/null
2715
3211
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2716
3212
os.dup2(null, sys.stdin.fileno())
2717
3213
if null > 2:
2718
3214
os.close(null)
2719
3215
2720
3216
# Need to fork before connecting to D-Bus
2721
3217
if not foreground:
2722
3218
# Close all input and output, do double fork, etc.
2723
3219
daemon()
2724
2725
# multiprocessing will use threads, so before we use gobject we
2726
# need to inform gobject that threads will be used.
2727
gobject.threads_init()
2728
3220
3221
if gi.version_info < (3, 10, 2):
3222
# multiprocessing will use threads, so before we use GLib we
3223
# need to inform GLib that threads will be used.
3224
GLib.threads_init()
3225
2729
3226
global main_loop
2730
3227
# From the Avahi example code
2731
3228
DBusGMainLoop(set_as_default=True)
2732
main_loop = gobject.MainLoop()
3229
main_loop = GLib.MainLoop()
2733
3230
bus = dbus.SystemBus()
2734
3231
# End of Avahi example code
2735
3232
if use_dbus:
2748
3245
if zeroconf:
2749
3246
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2750
3247
service = AvahiServiceToSyslog(
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
2754
bus = bus)
3248
name=server_settings["servicename"],
3249
servicetype="_mandos._tcp",
3250
protocol=protocol,
3251
bus=bus)
2755
3252
if server_settings["interface"]:
2756
3253
service.interface = if_nametoindex(
2757
3254
server_settings["interface"].encode("utf-8"))
2758
3255
2759
3256
global multiprocessing_manager
2760
3257
multiprocessing_manager = multiprocessing.Manager()
2761
3258
2762
3259
client_class = Client
2763
3260
if use_dbus:
2764
client_class = functools.partial(ClientDBus, bus = bus)
2765
3261
client_class = functools.partial(ClientDBus, bus=bus)
3262
2766
3263
client_settings = Client.config_parser(client_config)
2767
3264
old_client_settings = {}
2768
3265
clients_data = {}
2769
3266
2770
3267
# This is used to redirect stdout and stderr for checker processes
2771
3268
global wnull
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3269
wnull = open(os.devnull, "w") # A writable /dev/null
2773
3270
# Only used if server is running in foreground but not in debug
2774
3271
# mode
2775
3272
if debug or not foreground:
2776
3273
wnull.close()
2777
3274
2778
3275
# Get client data and settings from last running state.
2779
3276
if server_settings["restore"]:
2780
3277
try:
2781
3278
with open(stored_state_path, "rb") as stored_state:
2782
clients_data, old_client_settings = pickle.load(
2783
stored_state)
3279
if sys.version_info.major == 2:
3280
clients_data, old_client_settings = pickle.load(
3281
stored_state)
3282
else:
3283
bytes_clients_data, bytes_old_client_settings = (
3284
pickle.load(stored_state, encoding="bytes"))
3285
# Fix bytes to strings
3286
# clients_data
3287
# .keys()
3288
clients_data = {(key.decode("utf-8")
3289
if isinstance(key, bytes)
3290
else key): value
3291
for key, value in
3292
bytes_clients_data.items()}
3293
del bytes_clients_data
3294
for key in clients_data:
3295
value = {(k.decode("utf-8")
3296
if isinstance(k, bytes) else k): v
3297
for k, v in
3298
clients_data[key].items()}
3299
clients_data[key] = value
3300
# .client_structure
3301
value["client_structure"] = [
3302
(s.decode("utf-8")
3303
if isinstance(s, bytes)
3304
else s) for s in
3305
value["client_structure"]]
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3308
if isinstance(value[k], bytes):
3309
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3314
# old_client_settings
3315
# .keys()
3316
old_client_settings = {
3317
(key.decode("utf-8")
3318
if isinstance(key, bytes)
3319
else key): value
3320
for key, value in
3321
bytes_old_client_settings.items()}
3322
del bytes_old_client_settings
3323
# .host and .checker_command
3324
for value in old_client_settings.values():
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
3328
.decode("utf-8"))
2784
3329
os.remove(stored_state_path)
2785
3330
except IOError as e:
2786
3331
if e.errno == errno.ENOENT:
2794
3339
logger.warning("Could not load persistent state: "
2795
3340
"EOFError:",
2796
3341
exc_info=e)
2797
3342
2798
3343
with PGPEngine() as pgp:
2799
3344
for client_name, client in clients_data.items():
2800
3345
# Skip removed clients
2801
3346
if client_name not in client_settings:
2802
3347
continue
2803
3348
2804
3349
# Decide which value to use after restoring saved state.
2805
3350
# We have three different values: Old config file,
2806
3351
# new config file, and saved state.
2817
3362
client[name] = value
2818
3363
except KeyError:
2819
3364
pass
2820
3365
2821
3366
# Clients who has passed its expire date can still be
2822
3367
# enabled if its last checker was successful. A Client
2823
3368
# whose checker succeeded before we stored its state is
2856
3401
client_name))
2857
3402
client["secret"] = (client_settings[client_name]
2858
3403
["secret"])
2859
3404
2860
3405
# Add/remove clients based on new changes made to config
2861
3406
for client_name in (set(old_client_settings)
2862
3407
- set(client_settings)):
2864
3409
for client_name in (set(client_settings)
2865
3410
- set(old_client_settings)):
2866
3411
clients_data[client_name] = client_settings[client_name]
2867
3412
2868
3413
# Create all client objects
2869
3414
for client_name, client in clients_data.items():
2870
3415
tcp_server.clients[client_name] = client_class(
2871
name = client_name,
2872
settings = client,
2873
server_settings = server_settings)
2874
3416
name=client_name,
3417
settings=client,
3418
server_settings=server_settings)
3419
2875
3420
if not tcp_server.clients:
2876
3421
logger.warning("No clients defined")
2877
3422
2878
3423
if not foreground:
2879
3424
if pidfile is not None:
2880
3425
pid = os.getpid()
2886
3431
pidfilename, pid)
2887
3432
del pidfile
2888
3433
del pidfilename
2889
2890
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2891
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2892
3434
3435
for termsig in (signal.SIGHUP, signal.SIGTERM):
3436
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3437
lambda: main_loop.quit() and False)
3438
2893
3439
if use_dbus:
2894
3440
2895
3441
@alternate_dbus_interfaces(
2896
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3442
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
3443
class MandosDBusService(DBusObjectWithObjectManager):
2898
3444
"""A D-Bus proxy object"""
2899
3445
2900
3446
def __init__(self):
2901
3447
dbus.service.Object.__init__(self, bus, "/")
2902
3448
2903
3449
_interface = "se.recompile.Mandos"
2904
3450
2905
3451
@dbus.service.signal(_interface, signature="o")
2906
3452
def ClientAdded(self, objpath):
2907
3453
"D-Bus signal"
2908
3454
pass
2909
3455
2910
3456
@dbus.service.signal(_interface, signature="ss")
2911
def ClientNotFound(self, fingerprint, address):
3457
def ClientNotFound(self, key_id, address):
2912
3458
"D-Bus signal"
2913
3459
pass
2914
3460
2915
3461
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2916
3462
"true"})
2917
3463
@dbus.service.signal(_interface, signature="os")
2918
3464
def ClientRemoved(self, objpath, name):
2919
3465
"D-Bus signal"
2920
3466
pass
2921
3467
2922
3468
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2923
3469
"true"})
2924
3470
@dbus.service.method(_interface, out_signature="ao")
2925
3471
def GetAllClients(self):
2926
3472
"D-Bus method"
2927
3473
return dbus.Array(c.dbus_object_path for c in
2928
tcp_server.clients.itervalues())
2929
3474
tcp_server.clients.values())
3475
2930
3476
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2931
3477
"true"})
2932
3478
@dbus.service.method(_interface,
2934
3480
def GetAllClientsWithProperties(self):
2935
3481
"D-Bus method"
2936
3482
return dbus.Dictionary(
2937
{ c.dbus_object_path: c.GetAll(
3483
{c.dbus_object_path: c.GetAll(
2938
3484
"se.recompile.Mandos.Client")
2939
for c in tcp_server.clients.itervalues() },
3485
for c in tcp_server.clients.values()},
2940
3486
signature="oa{sv}")
2941
3487
2942
3488
@dbus.service.method(_interface, in_signature="o")
2943
3489
def RemoveClient(self, object_path):
2944
3490
"D-Bus method"
2945
for c in tcp_server.clients.itervalues():
3491
for c in tcp_server.clients.values():
2946
3492
if c.dbus_object_path == object_path:
2947
3493
del tcp_server.clients[c.name]
2948
3494
c.remove_from_connection()
2952
3498
self.client_removed_signal(c)
2953
3499
return
2954
3500
raise KeyError(object_path)
2955
3501
2956
3502
del _interface
2957
3503
2958
3504
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2959
out_signature = "a{oa{sa{sv}}}")
3505
out_signature="a{oa{sa{sv}}}")
2960
3506
def GetManagedObjects(self):
2961
3507
"""D-Bus method"""
2962
3508
return dbus.Dictionary(
2963
{ client.dbus_object_path:
2964
dbus.Dictionary(
2965
{ interface: client.GetAll(interface)
2966
for interface in
2967
client._get_all_interface_names()})
2968
for client in tcp_server.clients.values()})
2969
3509
{client.dbus_object_path:
3510
dbus.Dictionary(
3511
{interface: client.GetAll(interface)
3512
for interface in
3513
client._get_all_interface_names()})
3514
for client in tcp_server.clients.values()})
3515
2970
3516
def client_added_signal(self, client):
2971
3517
"""Send the new standard signal and the old signal"""
2972
3518
if use_dbus:
2974
3520
self.InterfacesAdded(
2975
3521
client.dbus_object_path,
2976
3522
dbus.Dictionary(
2977
{ interface: client.GetAll(interface)
2978
for interface in
2979
client._get_all_interface_names()}))
3523
{interface: client.GetAll(interface)
3524
for interface in
3525
client._get_all_interface_names()}))
2980
3526
# Old signal
2981
3527
self.ClientAdded(client.dbus_object_path)
2982
3528
2983
3529
def client_removed_signal(self, client):
2984
3530
"""Send the new standard signal and the old signal"""
2985
3531
if use_dbus:
2990
3536
# Old signal
2991
3537
self.ClientRemoved(client.dbus_object_path,
2992
3538
client.name)
2993
3539
2994
3540
mandos_dbus_service = MandosDBusService()
2995
3541
3542
# Save modules to variables to exempt the modules from being
3543
# unloaded before the function registered with atexit() is run.
3544
mp = multiprocessing
3545
wn = wnull
3546
2996
3547
def cleanup():
2997
3548
"Cleanup function; run on exit"
2998
3549
if zeroconf:
2999
3550
service.cleanup()
3000
3001
multiprocessing.active_children()
3002
wnull.close()
3551
3552
mp.active_children()
3553
wn.close()
3003
3554
if not (tcp_server.clients or client_settings):
3004
3555
return
3005
3556
3006
3557
# Store client before exiting. Secrets are encrypted with key
3007
3558
# based on what config file has. If config file is
3008
3559
# removed/edited, old secret will thus be unrecovable.
3009
3560
clients = {}
3010
3561
with PGPEngine() as pgp:
3011
for client in tcp_server.clients.itervalues():
3562
for client in tcp_server.clients.values():
3012
3563
key = client_settings[client.name]["secret"]
3013
3564
client.encrypted_secret = pgp.encrypt(client.secret,
3014
3565
key)
3015
3566
client_dict = {}
3016
3567
3017
3568
# A list of attributes that can not be pickled
3018
3569
# + secret.
3019
exclude = { "bus", "changedstate", "secret",
3020
"checker", "server_settings" }
3570
exclude = {"bus", "changedstate", "secret",
3571
"checker", "server_settings"}
3021
3572
for name, typ in inspect.getmembers(dbus.service
3022
3573
.Object):
3023
3574
exclude.add(name)
3024
3575
3025
3576
client_dict["encrypted_secret"] = (client
3026
3577
.encrypted_secret)
3027
3578
for attr in client.client_structure:
3028
3579
if attr not in exclude:
3029
3580
client_dict[attr] = getattr(client, attr)
3030
3581
3031
3582
clients[client.name] = client_dict
3032
3583
del client_settings[client.name]["secret"]
3033
3584
3034
3585
try:
3035
3586
with tempfile.NamedTemporaryFile(
3036
mode='wb',
3587
mode="wb",
3037
3588
suffix=".pickle",
3038
prefix='clients-',
3589
prefix="clients-",
3039
3590
dir=os.path.dirname(stored_state_path),
3040
3591
delete=False) as stored_state:
3041
pickle.dump((clients, client_settings), stored_state)
3592
pickle.dump((clients, client_settings), stored_state,
3593
protocol=2)
3042
3594
tempname = stored_state.name
3043
3595
os.rename(tempname, stored_state_path)
3044
3596
except (IOError, OSError) as e:
3054
3606
logger.warning("Could not save persistent state:",
3055
3607
exc_info=e)
3056
3608
raise
3057
3609
3058
3610
# Delete all clients, and settings from config
3059
3611
while tcp_server.clients:
3060
3612
name, client = tcp_server.clients.popitem()
3066
3618
if use_dbus:
3067
3619
mandos_dbus_service.client_removed_signal(client)
3068
3620
client_settings.clear()
3069
3621
3070
3622
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3623
3624
for client in tcp_server.clients.values():
3073
3625
if use_dbus:
3074
3626
# Emit D-Bus signal for adding
3075
3627
mandos_dbus_service.client_added_signal(client)
3076
3628
# Need to initiate checking of clients
3077
3629
if client.enabled:
3078
3630
client.init_checker()
3079
3631
3080
3632
tcp_server.enable()
3081
3633
tcp_server.server_activate()
3082
3634
3083
3635
# Find out what port we got
3084
3636
if zeroconf:
3085
3637
service.port = tcp_server.socket.getsockname()[1]
3090
3642
else: # IPv4
3091
3643
logger.info("Now listening on address %r, port %d",
3092
3644
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3645
3646
# service.interface = tcp_server.socket.getsockname()[3]
3647
3096
3648
try:
3097
3649
if zeroconf:
3098
3650
# From the Avahi example code
3103
3655
cleanup()
3104
3656
sys.exit(1)
3105
3657
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3658
3659
GLib.io_add_watch(
3660
GLib.IOChannel.unix_new(tcp_server.fileno()),
3661
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3662
lambda *args, **kwargs: (tcp_server.handle_request
3663
(*args[2:], **kwargs) or True))
3664
3112
3665
logger.debug("Starting main loop")
3113
3666
main_loop.run()
3114
3667
except AvahiError as error:
3123
3676
# Must run before the D-Bus bus name gets deregistered
3124
3677
cleanup()
3125
3678
3126
3127
if __name__ == '__main__':
3128
main()
3679
3680
def should_only_run_tests():
3681
parser = argparse.ArgumentParser(add_help=False)
3682
parser.add_argument("--check", action="store_true")
3683
args, unknown_args = parser.parse_known_args()
3684
run_tests = args.check
3685
if run_tests:
3686
# Remove --check argument from sys.argv
3687
sys.argv[1:] = unknown_args
3688
return run_tests
3689
3690
# Add all tests from doctest strings
3691
def load_tests(loader, tests, none):
3692
import doctest
3693
tests.addTests(doctest.DocTestSuite())
3694
return tests
3695
3696
if __name__ == "__main__":
3697
try:
3698
if should_only_run_tests():
3699
# Call using ./mandos --check [--verbose]
3700
unittest.main()
3701
else:
3702
main()
3703
finally:
3704
logging.shutdown()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0